Jan Engelhardt wrote:
> On Monday 2010-01-25 17:50, Patrick McHardy wrote:
>>>>> http://l7-filter.sourceforge.net/FAQ#usage
>>>> Right, thanks!
>>>>
>>>> But I just don't see the point of letting all the http traffic flows
>>>> through squid since it'll only care about a handful of domains...
>>>>
>>>> I don't suppose there is a way of "putting" the connection back on
>>>> the forwarding-state on the bridge after ebtables already dropped it
>>>> on the broute table, is there?
>>> Once you decided which machine handles the packet stream, it's decided.
>>> The twist is, you have to decide when you see the very first packet.
>> CT actually doesn't really care, it should be possible with TPROXY
>> if the local socket could be persuaded to close silently.
>
> The issue is that you would need to replay the tcp handshake.
>
> Case 1:
> - do TCP handshake
> - read out Host: header
> - if proxied
>   - good
> - if not,
>   - have to replay TCP handshake to next host (eww :-)

You're right, that wouldn't work without even more ugly.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html