On Mon, Nov 1, 2010 at 11:00 PM, Changli Gao <xiaosuo@xxxxxxxxx> wrote:
> On Mon, Nov 1, 2010 at 10:29 PM, Stephen Clark <sclark46@xxxxxxxxxxxxx> wrote:
>>
>> I am not sure on how to go about doing that, looking at the code for TEE it
>> looks like the cloned packet bypasses any of the remaining iptables chains.
>
> It isn't true. The cloned packet only bypasses the iptables rule where
> it is generated.
>
>> So where would I change the destination address? Also if I am mistaken and
>> it does hit one of the remaining iptables chains how do I tell it is not the
>> original but the cloned packet I want to change to the new destination
>> address?
>>
>
> I think you can use the RAWSNAT xtables-addon to change the
> destination address. Since the new skb is attached to untracked ct,
> you can use match conntrack --ctstate UNTRACKED to filter it out.
>

s/SNAT/DNAT/g .

--
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)