Bas van Sisseren wrote:
>
> The problem is that we can't tell the other end to use the first address on
> the interface. Some systems use the first address, others use the second
> address. When a connection is set up from the remote system to the second
> address, the original REDIRECT redirects the connection to the configured
> port-number on the first address.
>
> It seems way more logical to me to keep the destination address the same and
> only change the port number if the destination address is locally configured
> on that interface.

Ok, but again, is this really a problem?

> Assume:
> eth0 has these addresses:
> 10.1.0.1, netmask 255.255.255.0 (primary address)
> 10.2.0.1, netmask 255.255.255.0
> 10.3.0.1, netmask 255.255.255.0
> 10.4.0.1, netmask 255.255.255.0
>
> and redirects from.. say.. port 80 to 8080
>
> Connections to 10.1.0.1:80 will be redirected to 10.1.0.1:8080
> But also all connections to 10.2.0.1:80, 10.3.0.1:80 and
> 10.4.0.1:80 will be redirected to 10.1.0.1:8080
>
> With the patch, the connection to 10.2.0.1:80 will be redirected to
> 10.2.0.1:8080, 10.3.0.1:80 to 10.3.0.1:8080, etc..

If all you want is to change only the destination port number, you can use
"-j DNAT --to :<newport>" so the destination address won't be altered.

If the box acts as a router and you also want to REDIRECT packets with a
non local address, you can use the addrtype match and DNAT packets with a
local destination address and REDIRECT packets with a non local destination
address.

>>> When redirecting, the destination address is replaced by the first
>>> ip-address on the receiving interface.

By the way, I wonder what happens if the interface has no IP address
(unnumbered).
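The two-rule scheme suggested in the reply (DNAT for locally configured destination addresses, REDIRECT for routed ones), written out as an added example that is not part of the thread; it assumes the eth0 / port 80 to 8080 setup from the quoted mail, and defaults to a dry run that only prints the iptables commands.

```shell
#!/bin/sh
# Added example, not from the netfilter-devel thread.
# Packets addressed to an IP configured on this box keep their destination
# address and only get the port rewritten (DNAT --to-destination :port);
# packets merely routed through the box are REDIRECTed, which, as the thread
# describes, picks the primary address of the receiving interface.
# IPT defaults to "echo iptables" so running this script is a dry run;
# set IPT=iptables (as root) to actually load the rules.
IPT="${IPT:-echo iptables}"

nat_rules() {
    iface="$1" from_port="$2" to_port="$3"
    # Local destination address: keep the address, change only the port.
    $IPT -t nat -A PREROUTING -i "$iface" -p tcp --dport "$from_port" \
        -m addrtype --dst-type LOCAL \
        -j DNAT --to-destination ":$to_port"
    # Non-local destination (box acting as router): classic REDIRECT, the
    # destination becomes the interface's primary address.
    $IPT -t nat -A PREROUTING -i "$iface" -p tcp --dport "$from_port" \
        -m addrtype ! --dst-type LOCAL \
        -j REDIRECT --to-ports "$to_port"
}

nat_rules eth0 80 8080
```

In the dry run the second rule is only reached for addresses the box does not own, so a connection to 10.2.0.1:80 matches the DNAT rule and is rewritten to 10.2.0.1:8080 rather than 10.1.0.1:8080.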