Hi there,

I have been trying to apply the string match or the external wurlmatch to my NAT environment, but the matches were not valid in NAT or tproxy. So I tried to verify the TCP payload with debugging code in the string match during runtime, and then I found there is no TCP data in the skbuff.

The string match works well in the filter table, but it does not work in NAT. I want to know why the string match does not work in NAT. If you know the reason, please let me know.

I used the following iptables rules:

# iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string "goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80

10.10.10.125 is the IP address of my Linux router, and there is an HTTP proxy server.