On 11/02/2010 09:46 AM, Jan Engelhardt wrote:
> On Tuesday 2010-11-02 14:44, Stephen Clark wrote:
>>>> Also if I am mistaken and it does hit one of the remaining iptables
>>>> chains how do I tell it is not the original but the cloned packet I
>>>> want to change to the new destination address?
>>> Good question. Given the possibilities I think an extra route towards
>>> the logging server that specifies a realm value, that is then
>>> matchable in -A OUTPUT -m realm, is in order.
>> Hmm...,
>> Sounds like maybe an easier way to do this is to use libipq and the
>> QUEUE target to select the packets of interest - then make a copy
>> of the packet in userspace and use a raw socket to send the copy
>> with the new destination address on its way.
>> Does this sound reasonable?
> The roundtrip over userspace sounds unnecessarily imperformant.
I would agree but it keeps me from being dependent on a particular
kernel version and we are only concerned with less than 10 packets per second.
--
"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety." (Ben Franklin)
"The course of history shows that as a government grows, liberty
decreases." (Thomas Jefferson)
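The userspace copy-and-rewrite step Stephen proposes (take the queued packet, copy it, point the copy at the logging server), as an added example that is not from this thread or from the netfilter project: given the raw IPv4 bytes of a queued packet it produces a copy with the new destination and recomputes the IPv4 header checksum and the UDP/TCP checksum, whose pseudo-header also covers the destination address. The sample packet, addresses and ports are constructed; the libipq read and the raw-socket send are not shown.

```python
import socket
import struct

def _checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def redirect_copy(packet: bytes, new_dst: str) -> bytes:
    """Return a copy of an IPv4 packet with a new destination; the original is untouched."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    hdr = bytearray(packet[:ihl])
    hdr[16:20] = socket.inet_aton(new_dst)
    hdr[10:12] = b"\x00\x00"                   # IPv4 header checksum must be recomputed
    hdr[10:12] = struct.pack("!H", _checksum(bytes(hdr)))
    payload = bytearray(packet[ihl:])
    off = {6: 16, 17: 6}.get(proto)            # TCP / UDP checksum field offset
    # The TCP/UDP pseudo-header covers the destination address, so that checksum
    # changes too; a UDP datagram sent with checksum 0 (disabled) is left alone.
    if off is not None and not (proto == 17 and payload[6:8] == b"\x00\x00"):
        payload[off:off + 2] = b"\x00\x00"
        pseudo = bytes(hdr[12:20]) + struct.pack("!BBH", 0, proto, len(payload))
        payload[off:off + 2] = struct.pack("!H", _checksum(pseudo + bytes(payload)) or 0xFFFF)
    return bytes(hdr) + bytes(payload)

def checksums_ok(packet: bytes) -> bool:
    """Verify the IPv4 header checksum and the TCP/UDP checksum (when enabled)."""
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    payload = packet[ihl:]
    if _checksum(packet[:ihl]) != 0:
        return False
    if proto not in (6, 17) or (proto == 17 and payload[6:8] == b"\x00\x00"):
        return True
    return _checksum(packet[12:20] + struct.pack("!BBH", 0, proto, len(payload)) + payload) == 0

def build_udp_packet(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    """Constructed sample IPv4/UDP packet standing in for one read from the QUEUE."""
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(data), 0)) + data
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, len(udp))
    udp[6:8] = struct.pack("!H", _checksum(pseudo + bytes(udp)) or 0xFFFF)
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                               socket.inet_aton(src), socket.inet_aton(dst)))
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    return bytes(ip) + bytes(udp)
```

The rewritten copy would then go out on a raw socket (AF_INET, SOCK_RAW, IPPROTO_RAW, which implies IP_HDRINCL), a step that needs CAP_NET_RAW. libipq has since been superseded by nfnetlink_queue/libnetfilter_queue, but the copy-and-fix-checksums step is the same.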