Hi,

I am an iptables newbie, so pardon me if I am missing something basic.

I am trying to write an xtables addon that re-writes certain fields in an application header and sends the packet to a newer IP. Essentially an application proxy. The application protocol is UDP based. The packets are destined to a local IP. I also need to change the outbound source IP when talking to the new address. I do not need connection tracking. There are ids in the application header that allow me to determine the eventual destination.

If I copy the skb, call skb_dst_set and dst_output on the new skb and return NF_DROP for the old skb, the proxy works. However, if I just change the saddr/daddr of the same skb and call NF_ACCEPT, the packet does not go out and Udp.NoPorts increments.

I looked at xt_REDIRECT/NETMAP for inspiration to see what other skb fields need to be set, e.g. dst. However, they seem to be using some specific functionality (nf_nat_setup_info) to do the final processing before the NF_ACCEPT. I am not sure if I need the connection tracking overhead just to use that.

This code works:

    new_skb = skb_copy(orig_skb...);
    <change application fields (fixed offsets)>
    <set the src ip to a different interface. set dst ip to a new server>
    ip_route_output_key()
    skb_dst_set()

This does NOT work:

    skb_make_writable()
    iph->saddr and daddr modified
    return NF_ACCEPT

I am using the PREROUTING chain in mangle. I tried using INPUT too, to no avail.

Thanks in advance,
Pratik