On Tuesday 2011-02-01 02:50, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>>
>first, i thought or assumed what you said like above is from the
>reason that NAT mapping is first started from L3 IP connection mapping
>[...] but it is not based on TCP contents.
>so you said it is not possible to redirect such connection.
>is it right?

The simple fact is that there is usually no content in the TCP SYN
packet that you could possibly match on.

>> You should use the string match in the filter or raw tables.
>>
>
>and second, i think some people might also want such a functionality
>like what i want to do, redirection some connection to other server
>judging from its TCP contents information. [in this case, the URI
>information of the HTTP transaction]

That is what proxies like squid are for.
See http://l7-filter.sourceforge.net/FAQ#usage for an elaborate answer.
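
The behaviour described in the reply above, as an added example that is not part of the original thread and not netfilter code: a simplified Python model in which the nat rules are consulted only for the packet that creates the connection entry, while filter rules see every packet. The `Packet` class, the `traverse` function, the addresses and the sample flow are all constructed for illustration, and only the client-to-server direction is modelled.

```python
# Simplified model (an assumption, not kernel code): nat rules run once per
# connection, on its first packet; filter rules run on every packet.
from dataclasses import dataclass

@dataclass
class Packet:
    flow: tuple          # (src, sport, dst, dport), client-to-server only
    flags: str           # TCP flags, informational
    payload: bytes = b""

def string_match(pkt, pattern):
    """Payload substring test, standing in for a string match rule."""
    return pattern in pkt.payload

def traverse(packets, pattern):
    """Report which packets a string rule sees and hits in each table."""
    conntrack = {}       # flow -> NAT decision, fixed at the first packet
    nat_seen, nat_hits, filter_hits = [], [], []
    for i, pkt in enumerate(packets):
        if pkt.flow not in conntrack:
            # New connection: the nat rule is evaluated now and never again.
            nat_seen.append(i)
            hit = string_match(pkt, pattern)
            if hit:
                nat_hits.append(i)
            conntrack[pkt.flow] = "REDIRECT" if hit else "no NAT"
        # The filter rule is evaluated for every packet of the flow.
        if string_match(pkt, pattern):
            filter_hits.append(i)
    return {"nat_seen": nat_seen, "nat_hits": nat_hits,
            "filter_hits": filter_hits, "nat_decision": conntrack}

# Constructed sample flow: handshake packets, then the HTTP request.
FLOW = ("192.0.2.10", 40000, "198.51.100.5", 80)
SAMPLE = [
    Packet(FLOW, "SYN"),                      # no payload to match on
    Packet(FLOW, "ACK"),
    Packet(FLOW, "PSH,ACK",
           b"GET /blocked/page HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    for key, value in traverse(SAMPLE, b"/blocked/").items():
        print(key, value)
```

By the time the URI appears in packet 2, the NAT decision for the flow was already fixed at the payload-free SYN, which is why content-based redirection needs a proxy that terminates the connection.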