On Monday 2010-01-25 17:50, Patrick McHardy wrote:

>>>> http://l7-filter.sourceforge.net/FAQ#usage
>>> Right, thanks!
>>>
>>> But I just don't see the point of letting all the http traffic flow
>>> through squid since it'll only care about a handful of domains...
>>>
>>> I don't suppose there is a way of "putting" the connection back on
>>> the forwarding-state on the bridge after ebtables already dropped it
>>> on the broute table, is there?
>>
>> Once you decided which machine handles the packet stream, it's decided.
>> The twist is, you have to decide when you see the very first packet.
>
> CT actually doesn't really care, it should be possible with TPROXY
> if the local socket could be persuaded to close silently.

The issue is that you would need to replay the TCP handshake.

Case 1:
- do TCP handshake
- read out Host: header
- if proxied - good
- if not, - have to replay TCP handshake to next host (eww :-)
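The "read out Host: header" step above, written out as an added example (not code from this thread, nor from l7-filter, squid or netfilter): given the payload of the first client-to-server segment, it decides whether the flow belongs to one of the "handful of domains" squid cares about. `PROXIED_DOMAINS` is a constructed allowlist; the decision is only possible once application data exists, i.e. after the three-way handshake, which is exactly the dilemma the reply describes.

```python
# Added example, not code from the thread. Decides "proxy or not" from the
# Host header of the first HTTP data segment. By the time this runs, the
# local socket has already completed the TCP handshake with the client.

PROXIED_DOMAINS = {"example.com", "intranet.example.org"}  # constructed allowlist


def extract_host(payload: bytes):
    """Return the lower-cased Host (port stripped) from an HTTP request
    header block, or None if the block is incomplete or not HTTP at all."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None  # header block not complete yet; caller must buffer more
    lines = head.decode("iso-8859-1", errors="replace").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or not request_line[2].startswith("HTTP/"):
        return None  # not an HTTP request line (TLS, SSH, ...)
    target = request_line[1]
    host = None
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon and name.strip().lower() == "host":
            host = value.strip()
            break
    # HTTP/1.0 clients may omit Host; an absolute-URI target still names it
    if host is None and target.lower().startswith("http://"):
        host = target[len("http://"):].split("/", 1)[0]
    if not host:
        return None
    host = host.lower()
    if host.startswith("["):  # bracketed IPv6 literal, keep the brackets
        host = host[: host.index("]") + 1] if "]" in host else host
    elif host.count(":") == 1:  # name:port
        host = host.split(":", 1)[0]
    return host


def should_proxy(payload: bytes) -> bool:
    """True if the flow should go to squid, False to leave it on the bridge."""
    host = extract_host(payload)
    if host is None:
        return False
    return host in PROXIED_DOMAINS or any(
        host.endswith("." + d) for d in PROXIED_DOMAINS
    )
```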