On Mon, Nov 1, 2010 at 10:29 PM, Stephen Clark <sclark46@xxxxxxxxxxxxx> wrote:
>
> I am not sure on how to go about doing that, looking at the code for TEE it
> looks like the cloned packet bypasses any of the remaining iptables chains.

It isn't true. The cloned packet only bypasses the iptables rule where it is generated.

> So where would I change the destination address? Also if I am mistaken and
> it does hit one of the remaining iptables chains how do I tell it is not the
> original but the cloned packet I want to change to the new destination
> address?
>

I think you can use the RAWSNAT xtables-addon to change the destination address. Since the new skb is attached to untracked ct, you can use match conntrack --ctstate UNTRACKED to filter it out.

--
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)