Hey,

I am planning to write a "redirection" extension that based on a match will copy the matched packet to other interfaces. The extension should work both on input chains and output chains (ingress and egress traffic), and will be able to copy the packet as egress or ingress of the selected interface.

I currently have a basic working POC, but I have some concerns.

1. When dealing with egress traffic (OUTPUT/POSTROUTING), the packet is lacking the Ethernet layer headers. So, as I see it, I can either fetch those fields by myself which is inefficient, or somehow change only the output device we are dealing with and call the function following the NF_HOOK. The latter option requires me to pass the okfn pointer somehow into the target handling code.

2. An skb received on a bridge needs to be stripped from its nf_bridge fields, can it cause any problems after the redirect?

3. I'd like to support multiple redirects per-match, currently I use skb_clone before each redirect (otherwise, the original skb is being freed), is that the best way to do it?

The current API I'm looking into is:

    iptables -A INPUT -i eth2 -j REROUTE --actions input:eth0,output:veth0,continue

Upon packet received on eth2 it will redirect the packet into eth0 rx queue, veth1 tx queue, and will continue the packet handling on eth2 (return XT_CONTINUE).

Any suggestions or comments will be appreciated.

Thanks,
Eddie
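An added example, not part of the post above or of the poster's POC: a user-space C sketch of how the proposed `--actions` list could be validated before it is handed to the kernel side, so that interface names and the action count are bounded up front. The `rr_*` names, the cap of 8 actions and the rule that `continue` must come last are assumptions; the `input:`/`output:` grammar is inferred from the single command line in the message.

```c
#include <string.h>

#define RR_IFNAMSIZ 16    /* same value as the kernel's IFNAMSIZ, NUL included */
#define RR_MAX_ACTIONS 8  /* assumed cap on redirects per rule */

enum rr_dir { RR_INPUT, RR_OUTPUT };
struct rr_action { enum rr_dir dir; char ifname[RR_IFNAMSIZ]; };
struct rr_info {
    unsigned int n;       /* redirect actions parsed */
    int cont;             /* 1 if the list ended with "continue" */
    struct rr_action act[RR_MAX_ACTIONS];
};
/* Returns 0 on success, -1 on an empty token, unknown direction, missing or
 * oversized interface name, too many actions, no redirect at all, or any
 * token after "continue". */
int rr_parse_actions(const char *arg, struct rr_info *out)
{
    const char *p = arg;
    memset(out, 0, sizeof(*out));
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == 0 || out->cont)
            return -1;
        if (len == 8 && memcmp(p, "continue", 8) == 0) {
            out->cont = 1;
        } else {
            enum rr_dir dir; size_t skip;
            if (len > 6 && memcmp(p, "input:", 6) == 0) {
                dir = RR_INPUT;  skip = 6;
            } else if (len > 7 && memcmp(p, "output:", 7) == 0) {
                dir = RR_OUTPUT; skip = 7;
            } else {
                return -1;
            }
            /* Bound count and name length before writing the fixed-size array */
            if (out->n == RR_MAX_ACTIONS || len - skip >= RR_IFNAMSIZ)
                return -1;
            out->act[out->n].dir = dir;
            memcpy(out->act[out->n].ifname, p + skip, len - skip); /* NUL from memset */
            out->n++;
        }
        if (!end)
            break;
        p = end + 1;
    }
    return out->n > 0 ? 0 : -1;
}
```

The kernel-side checkentry hook would still need to re-validate the structure it receives, since rules can be loaded by tools other than this parser.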