Re: [HELP] why the string match does not work in nat tables?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tuesday 2011-02-01 02:50, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>>
>first, i thought or assumed what you said like above is from the
>reason that NAT mapping is first started from L3 IP connection mapping
>[...] but it is not based on TCP contents.
>so you said it is not possible to rediect such connection.
>is it right?

The simple fact is that there is usually no content in the
TCP SYN packet that you could possibly match on.

>> You should use the string match in the filter or raw tables.
>>
>
>and second, i think some people might also want such a functionality
>like what i want to do, redirection some connection to other server
>judging from its TCP contents infomation. [in this case, the URI
>infomation of the HTTP transaction]

That is what proxies like squid are for.

See http://l7-filter.sourceforge.net/FAQ#usage for an elaborate
answer.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux