On Tuesday 2010-11-02 14:44, Stephen Clark wrote:
>>
>>> Also if I am mistaken and it does hit one of the remaining iptables
>>> chains how do I tell it is not the original but the cloned packet I
>>> want to change to the new destination address?
>>>
>> Good question. Given the possibilities I think an extra route towards
>> the logging server that specifies a realm value, that is then
>> matchable in -A OUTPUT -m realm, is in order.
>>
> Hmm...,
>
> Sounds like maybe an easier way to do this is to use libipq and the
> QUEUE target to select the packets of interest - then make a copy
> of the packet in userspace and use a raw socket to send the copy
> with the new destination address on its way.
>
> Does this sound reasonable?

The roundtrip over userspace sounds unnecessarily imperformant.