On Monday 2010-11-01 15:29, Stephen Clark wrote:
> On 11/01/2010 09:09 AM, Jan Engelhardt wrote:
>>
>>> This seems to me like it would make a lot more sense, instead of
>>> having to make changes to the packet on two different systems.
>>
>> You can do the changes on a single machine if you want to.
>
>I am not sure on how to go about doing that, looking at the code for
>TEE it looks like the cloned packet bypasses any of the remaining
>iptables chains. So where would I change the destination address?

Right. You need a kernel >= 2.6.35 (xt_TEE is included) for cloned
packets to go through the tables again.

>Also if I am mistaken and it does hit one of the remaining iptables
>chains how do I tell it is not the original but the cloned packet I
>want to change to the new destination address?

Good question. Given the possibilities I think an extra route towards
the logging server that specifies a realm value, that is then matchable
in -A OUTPUT -m realm, is in order.
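
The setup suggested in the reply above, as an added example that is not part of the original message: a host route to the logging server tagged with a realm, a TEE rule whose gateway is that server, and an OUTPUT rule that picks out the clones by realm. The addresses, interface names, realm number and the CLONES chain name are constructed placeholders, and the logging server is assumed to be on-link on LOG_DEV.

```shell
#!/bin/sh
# Added example, not from the thread. Every value below is a constructed
# placeholder; adjust to the local network before use.
LOG_GW=192.0.2.10   # logging server, used as the TEE gateway (assumed on-link)
LOG_DEV=eth1        # interface facing the logging server
IN_DEV=eth0         # interface whose incoming traffic is mirrored
REALM=10            # arbitrary realm number reserved for the mirror route
CHAIN=CLONES        # hypothetical user chain for per-clone handling

# Dry run by default: print each command. APPLY=1 (as root) executes them.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

tee_realm_rules() {
    # 1. Route towards the logging server that carries the realm. TEE looks
    #    up its route by the gateway address, so clones inherit this realm.
    run ip route add "$LOG_GW/32" dev "$LOG_DEV" realm "$REALM"

    # 2. Clone packets arriving on IN_DEV and hand the copy to LOG_GW.
    #    On kernels >= 2.6.35 the clone traverses OUTPUT afterwards.
    run iptables -t mangle -A PREROUTING -i "$IN_DEV" -j TEE --gateway "$LOG_GW"

    # 3. Select packets leaving via the realm-tagged route. The original
    #    packet keeps its own route, so only the clone lands in $CHAIN.
    #    Caveat: traffic this host itself sends to LOG_GW matches as well.
    run iptables -N "$CHAIN"
    run iptables -A OUTPUT -m realm --realm "$REALM" -j "$CHAIN"

    # 4. Check: the packet counter on the realm rule should rise while
    #    mirrored traffic is flowing.
    run iptables -L OUTPUT -v -n -x
}

tee_realm_rules
```

Rules that should act only on the cloned packets go into the CLONES chain.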