On Friday 2011-06-10 11:26, Amos Jeffries wrote:
>
>Just to clarify; what I read you asking about was this scenario:
>When layer-7 software (proxy) does a NAPT mapping of text syntax
>IP1:port1 -> IP2:port2 sent out on IP3:port3 (proxy->server control).
> How to implement a layer-2 software (netfilter) to figure out this mapping
>and to do the reverse IP2:port2 -> IP1:port1 mapping on the text data inside
>the TCP packet body of packets returning on IP4:port4 (client->proxy control
>channel).
>So the packet flow is:
> control: client--nf_nat (DNAT/REDIRECT)-->proxy->server
> data: client<--nf_nat (SNAT)----server
>
>Keep in mind that websense proxy terminates a TCP connection and generates a
>completely separate independent TCP connection from itself to the source
>server. Whether that is FTP origin or other proxy.
>
>So that the client->proxy information is in the INPUT tables. The
>server->proxy response is in the OUTPUT tables. And NAT is done in a third
>place the proxy normally does not have write access to.
>
>So to me those factors all mean layer-2 where netfilter modules operate is a
>very hard place to figure out what the correct mapping should be.

tl;dr. FTP has nothing to do with L2.

>(Jan, please correct me if you have some advanced magic voodoo that lets INPUT
>and OUTPUT chain connections link as RELATED state)

Why should it, your proxy seems to be creating a new set of logically distinct connections.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
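The mapping the thread argues about is an address carried as text inside the FTP control channel (the PORT command and the 227 passive-mode reply of RFC 959), which is exactly what a kernel NAT helper such as nf_nat_ftp rewrites. The following user-space sketch is an added example, not code from the thread or from the netfilter project: it decodes that h1,h2,h3,h4,p1,p2 syntax, rewrites it from a mapping table, and reports the change in payload length that a real helper must compensate through TCP sequence adjustment. The mapping table and the sample FTP lines are constructed for illustration; when the proxy terminates the connection itself, as Amos describes, no such table is visible to the kernel helper, which is the point of the reply.

```python
"""Rewrite the IP:port that FTP carries as text inside the TCP payload.

Added example (not from the netfilter-devel thread or the netfilter code base).
It mirrors what an FTP NAT helper does: find the embedded address, map it,
and report the payload length delta that sequence-number adjustment needs.
"""
import re
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]

# RFC 959 address syntax used by both "PORT h1,h2,h3,h4,p1,p2" and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

# Constructed mapping: inside address -> outside address, the kind of table a
# NAT helper derives from the connection it already tracks.
MAPPING: Dict[Addr, Addr] = {
    ("10.0.0.5", 20001): ("198.51.100.7", 40001),
    ("192.168.1.10", 1025): ("203.0.113.2", 1025),
}


def decode_ftp_addr(text: str) -> Optional[Addr]:
    """Return (ip, port) from the first FTP-style address in text, or None.

    Octets above 255 are rejected rather than silently truncated, so a
    malformed line is left alone instead of being rewritten.
    """
    m = _ADDR_RE.search(text)
    if not m:
        return None
    h = [int(x) for x in m.groups()]
    if any(x > 255 for x in h):
        return None
    return f"{h[0]}.{h[1]}.{h[2]}.{h[3]}", h[4] * 256 + h[5]


def encode_ftp_addr(ip: str, port: int) -> str:
    """Encode (ip, port) back into h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])


def rewrite_ftp_line(line: str, mapping: Dict[Addr, Addr]) -> Tuple[str, int]:
    """Rewrite the embedded address if it is in mapping.

    Returns (new_line, length_delta). The delta is non-zero whenever the
    textual form grows or shrinks; a kernel helper has to account for it in
    later sequence and acknowledgement numbers on that connection.
    """
    m = _ADDR_RE.search(line)
    decoded = decode_ftp_addr(line)
    if m is None or decoded is None or decoded not in mapping:
        return line, 0
    new_ip, new_port = mapping[decoded]
    new_line = line[: m.start()] + encode_ftp_addr(new_ip, new_port) + line[m.end() :]
    return new_line, len(new_line) - len(line)


if __name__ == "__main__":
    # Constructed sample lines: a server's passive reply and a client's PORT.
    for sample in (
        "227 Entering Passive Mode (10,0,0,5,78,33)\r\n",
        "PORT 192,168,1,10,4,1\r\n",
        "200 OK\r\n",
    ):
        rewritten, delta = rewrite_ftp_line(sample, MAPPING)
        print(repr(sample), "->", repr(rewritten), "delta", delta)
```

The delta matters because changing "10,0,0,5,78,33" to "198,51,100,7,156,65" lengthens the segment, and every later sequence number on that control connection has to be shifted; that bookkeeping is why such rewriting is done by a conntrack helper with access to the tracked connection rather than by an unrelated process.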