Balazs Scheidler <bazsi@xxxxxxxxxx> wrote: > the destination port in the packet can be different in the two lookups. --on-port tproxy option. Hrm... The initial lookup uses the header ip addresses: sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol, iph->saddr, iph->daddr, hp->source, hp->dest, skb->dev, NFT_LOOKUP_ESTABLISHED); 3 possible cases: - no socket -- try to find listener. This case is not changed by my patch. - sk is normal socket. set nfmark and skb->sk. Also not changed. - sk is in TW state. This is not changed either: tproxy_handle_time_wait4() will check if this is a SYN. If it is, a new listener lookup is made, and TW socket is kicked out. If the packet is not a SYN, then tproxy_handle_time_wait4() won't do anything. Previously, the timewait sk would now be assigned to skb->sk, which my patch prevents. But I don't see where the '--on-port' port number is involved in the TW socket lookup? Thanks for reviwing the patch! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html