On Monday 2010-11-01 16:00, Changli Gao wrote:

>On Mon, Nov 1, 2010 at 10:29 PM, Stephen Clark <sclark46@xxxxxxxxxxxxx> wrote:
>>
>> I am not sure on how to go about doing that, looking at the code for TEE it
>> looks
>> like the cloned packet bypasses any of the remaining iptables chains.
>
>It isn't true. The cloned packet only bypasses the iptables rule where
>it is generated.

That isn't true either. The cloned packet starts its travel in OUTPUT,
not where it left off.

>I think you can use the RAWSNAT xtables-addon to change the
>destination address. Since the new skb is attached to untracked ct,
>you can use match conntrack --ctstate UNTRACKED to filter it out.

That may still give false positives if there is other NOTRACK traffic.
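A rule set illustrating the two points raised in the thread, added here as an example and not taken from the thread or from the netfilter project (the interface name, addresses and the 0x1 mark are made up). The TEE clone re-enters OUTPUT, so it can be matched there; because unrelated NOTRACK traffic is also UNTRACKED, the clone is tagged with a packet mark set just before TEE (the copy carries the original's nfmark), and the OUTPUT rule matches on mark and state together.

```iptables
# Added example in iptables-save syntax. Made-up values: eth0, 192.0.2.10, mark 0x1.
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Unrelated NOTRACK traffic: it is UNTRACKED as well, so a bare
# "--ctstate UNTRACKED" match in OUTPUT would also catch it.
-A PREROUTING -p udp --dport 53 -j NOTRACK
-A OUTPUT -p udp --dport 53 -j NOTRACK
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Mark first, then clone: the clone inherits the mark and is attached
# to the untracked conntrack entry.
-A PREROUTING -i eth0 -p tcp --dport 80 -j MARK --set-mark 0x1
-A PREROUTING -m mark --mark 0x1 -j TEE --gateway 192.0.2.10
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# The clone starts its travel in OUTPUT, not after the TEE rule. The
# original packet arrived on eth0 and goes to INPUT/FORWARD, so only
# the clone reaches this chain carrying mark 0x1. Mark + UNTRACKED
# therefore selects TEE clones only; the NOTRACKed DNS above is
# UNTRACKED but unmarked and does not match.
-A OUTPUT -m mark --mark 0x1 -m conntrack --ctstate UNTRACKED -j LOG --log-prefix "tee-clone: "
COMMIT
```

Load with `iptables-restore < file`; the LOG target can be swapped for DROP or any other verdict once the match has been confirmed in the kernel log.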