On 11/01/2010 03:29 PM, Jan Engelhardt wrote:
> On Monday 2010-11-01 15:29, Stephen Clark wrote:
>> On 11/01/2010 09:09 AM, Jan Engelhardt wrote:
>>>> This seems to me like it would make a lot more sense, instead of
>>>> having to make changes to the packet on two different systems.
>>> You can do the changes on a single machine if you want to.
>> I am not sure how to go about doing that; looking at the code for
>> TEE it looks like the cloned packet bypasses any of the remaining
>> iptables chains. So where would I change the destination address?
> Right. You need a kernel >= 2.6.35 (xt_TEE is included)
> for cloned packets to go through the tables again.
>> Also, if I am mistaken and it does hit one of the remaining iptables
>> chains, how do I tell it is not the original but the cloned packet I
>> want to change to the new destination address?
> Good question. Given the possibilities I think an extra route towards
> the logging server that specifies a realm value, that is then
> matchable in -A OUTPUT -m realm, is in order.
Hmm...,
Sounds like maybe an easier way to do this is to use libipq and the QUEUE
target to select the packets of interest, then make a copy of the packet in
userspace and use a raw socket to send the copy with the new destination
address on its way.
Does this sound reasonable?
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
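The userspace half of the libipq/QUEUE idea above, as an added example that is not code from this thread or from the netfilter project: take the packet handed up by QUEUE, repoint it at the log server, repair the two checksums the rewrite invalidated, and push the copy out through a raw socket. Everything here is assumed for the example: the sample packet (IPv4/UDP, 10.0.0.1 to 10.0.0.2, constructed inline, not a capture), the log server address 192.0.2.10, and the function names. The libipq read loop and verdict handling are left out; the block covers only what has to happen to the bytes between receiving the copy and sendto().

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* One's-complement accumulation over big-endian 16-bit words (RFC 1071). */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t s)
{
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }
static size_t ip_ihl(const uint8_t *p) { return (p[0] & 0x0f) * 4u; }
static size_t ip_tot(const uint8_t *p) { return ((size_t)p[2] << 8) | p[3]; }

/* Refuse to touch anything that is not a plausible IPv4 packet. */
static int ipv4_sane(const uint8_t *pkt, size_t len)
{
    return len >= 20 && (pkt[0] >> 4) == 4 && ip_ihl(pkt) >= 20 &&
           ip_ihl(pkt) <= ip_tot(pkt) && ip_tot(pkt) <= len;
}

/* For TCP/UDP: offset of the checksum field inside the L4 header, and the sum
 * of pseudo-header (src, dst, zero, proto, length) plus the whole segment.
 * Returns -1 for protocols whose checksum does not cover the IP addresses. */
static int l4_info(const uint8_t *pkt, size_t *coff, uint32_t *sum)
{
    size_t ihl = ip_ihl(pkt), l4len = ip_tot(pkt) - ihl;
    if (pkt[9] == IPPROTO_TCP && l4len >= 20) *coff = 16;
    else if (pkt[9] == IPPROTO_UDP && l4len >= 8) *coff = 6;
    else return -1;
    uint8_t ph[4] = { 0, pkt[9], (uint8_t)(l4len >> 8), (uint8_t)l4len };
    *sum = csum_add(csum_add(csum_add(0, pkt + 12, 8), ph, 4), pkt + ihl, l4len);
    return 0;
}

/* Both checksums cover the destination address, so both go stale on a rewrite. */
static void fix_checksums(uint8_t *pkt)
{
    size_t coff; uint32_t sum;
    if (l4_info(pkt, &coff, &sum) == 0) {
        uint8_t *field = pkt + ip_ihl(pkt) + coff;
        put16(field, 0);
        l4_info(pkt, &coff, &sum);                 /* re-sum with the field zeroed */
        uint16_t c = csum_fold(sum);
        put16(field, pkt[9] == IPPROTO_UDP && c == 0 ? 0xffff : c); /* UDP: 0 = "none" */
    }
    put16(pkt + 10, 0);
    put16(pkt + 10, csum_fold(csum_add(0, pkt, ip_ihl(pkt))));
}

/* Point the packet at new_dst (network byte order) and repair the checksums. */
int redirect_ipv4(uint8_t *pkt, size_t len, uint32_t new_dst)
{
    if (!ipv4_sane(pkt, len)) return -1;
    memcpy(pkt + 16, &new_dst, 4);
    fix_checksums(pkt);
    return 0;
}

/* 1 if the IP header and (for TCP/UDP) L4 checksums verify, i.e. fold to zero. */
int checksums_ok(const uint8_t *pkt, size_t len)
{
    size_t coff; uint32_t sum;
    if (!ipv4_sane(pkt, len) || csum_fold(csum_add(0, pkt, ip_ihl(pkt))) != 0) return 0;
    return l4_info(pkt, &coff, &sum) != 0 || csum_fold(sum) == 0;
}

/* Transmit as written: IPPROTO_RAW implies IP_HDRINCL, so the kernel keeps our
 * header and routes on its destination. Needs CAP_NET_RAW. */
int send_copy(const uint8_t *pkt, size_t len)
{
    struct sockaddr_in to = { .sin_family = AF_INET };
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0) return -1;
    memcpy(&to.sin_addr, pkt + 16, 4);
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    /* Constructed sample, not a capture: IPv4/UDP 10.0.0.1:5000 -> 10.0.0.2:514,
     * payload "hi", checksums still zero as a freshly built packet would have. */
    uint8_t pkt[] = { 0x45, 0x00, 0x00, 0x1e, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0, 0,
                      10, 0, 0, 1, 10, 0, 0, 2,
                      0x13, 0x88, 0x02, 0x02, 0x00, 0x0a, 0, 0, 'h', 'i' };
    if (redirect_ipv4(pkt, sizeof pkt, inet_addr("192.0.2.10")) < 0)   /* assumed log server */
        return 1;
    printf("checksums after rewrite: %s\n", checksums_ok(pkt, sizeof pkt) ? "ok" : "BAD");
    return 0;   /* send_copy(pkt, sizeof pkt) would now transmit it (root only) */
}
```

Three things to keep in mind when wiring this into a real QUEUE handler. Linux fills in the IP header checksum on IP_HDRINCL sends, but the TCP/UDP checksum is the sender's job, which is why the L4 repair is the part that must not be skipped. The copy written to the raw socket is a locally generated packet and traverses the OUTPUT chain, so the QUEUE rule must not match it again (match narrowly on the original destination, or mark the copy and exclude the mark), or every copy spawns another. And the original still needs its verdict (ACCEPT) from the handler so that it continues on its own way; only the copy gets the new destination.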