Hi,

I am writing a custom filter using libnetfilter_queue. This library supports NF_ACCEPT and NF_DROP verdicts, but I also need to be able to REJECT and REDIRECT. So what I'm planning to do instead is to use NFQUEUE to mark packets in the mangle table, then post-process them with iptables in the nat and filter tables. Something like this:

iptables -t mangle -A PREROUTING -p tcp --dport 1234 -j NFQUEUE --queue-balance 1:10
# all packets NF_ACCEPT'ed but marked appropriately
iptables -t nat -A PREROUTING -p tcp -m mark --mark 4 -j REDIRECT
iptables -t filter -A FORWARD -p tcp -m mark --mark 1 -j ACCEPT
iptables -t filter -A FORWARD -p tcp -m mark --mark 2 -j REJECT
iptables -t filter -A FORWARD -p tcp -m mark --mark 3 -j DROP

Does this sound like a reasonable approach?

thanks,
Eugene

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel"
in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
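The userspace side of the scheme above, as an added example (not code from Eugene's post or from the netfilter project): a libnetfilter_queue handler that returns NF_ACCEPT for every packet and carries the decision in the fwmark via nfq_set_verdict2(), the library call that sets a mark together with the verdict. The packet classifier is plain C so it builds and can be tested on a box without the library; the queue plumbing is compiled only with -DHAVE_LIBNETFILTER_QUEUE and linked with -lnetfilter_queue. The policy (redirect new flows from 10.0.0.0/8, reject new flows from 192.168.10.0/24, drop anything that does not parse as IPv4/TCP, accept the rest), the mark values 1..4 matching the rules in the post, and the build_tcp_packet()/mark_for() helpers with their constructed packets are assumptions made for this example.

```c
/* Added example (not from the post, not netfilter project code): queue handler
 * that NF_ACCEPTs every packet and puts the decision in the fwmark with
 * nfq_set_verdict2(). The classifier is plain C and builds without the library;
 * the queue loop needs -DHAVE_LIBNETFILTER_QUEUE and -lnetfilter_queue.
 * Policy, prefixes and mark values below are assumptions made for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { MARK_ACCEPT = 1, MARK_REJECT = 2, MARK_DROP = 3, MARK_REDIRECT = 4 }; /* as in the rules */
enum { TCP_SYN = 0x02, TCP_ACK = 0x10 };
/* Constructed policy: new flows from PROXY_NET go to the local proxy (REDIRECT),
 * new flows from DENY_NET are refused (REJECT), everything else passes. */
static const uint32_t PROXY_NET = 0x0A000000u, PROXY_MASK = 0xFF000000u; /* 10.0.0.0/8 */
static const uint32_t DENY_NET = 0xC0A80A00u, DENY_MASK = 0xFFFFFF00u;   /* 192.168.10.0/24 */

/* Decide the fwmark for one raw IPv4 packet as NFQUEUE delivers it. Anything
 * that is not a complete IPv4 header with a complete TCP header gets DROP. */
uint32_t classify_packet(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return MARK_DROP;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl || tot > len) return MARK_DROP;
    if (pkt[9] != 6) return MARK_ACCEPT;       /* not TCP: pass (rule was -p tcp) */
    if (tot - ihl < 20) return MARK_DROP;      /* TCP header truncated */
    uint32_t src = ((uint32_t)pkt[12] << 24) | ((uint32_t)pkt[13] << 16) |
                   ((uint32_t)pkt[14] << 8) | pkt[15];
    int new_flow = (pkt[ihl + 13] & (TCP_SYN | TCP_ACK)) == TCP_SYN;
    if (new_flow && (src & DENY_MASK) == DENY_NET) return MARK_REJECT;
    if (new_flow && (src & PROXY_MASK) == PROXY_NET)
        return MARK_REDIRECT;                  /* nat PREROUTING sees only this first packet */
    return MARK_ACCEPT;
}

/* Build a minimal 40-byte IPv4/TCP packet as constructed test input
 * (checksums left zero; classify_packet() does not verify them). */
size_t build_tcp_packet(unsigned char *out, size_t cap, uint32_t src, uint32_t dst,
                        uint16_t sport, uint16_t dport, uint8_t flags)
{
    if (cap < 40) return 0;
    memset(out, 0, 40);
    out[0] = 0x45; out[3] = 40; out[9] = 6;    /* IPv4 IHL 5, total length, TCP */
    for (int i = 0; i < 4; i++) {
        out[12 + i] = (unsigned char)(src >> (24 - 8 * i));
        out[16 + i] = (unsigned char)(dst >> (24 - 8 * i));
    }
    out[20] = (unsigned char)(sport >> 8); out[21] = (unsigned char)sport;
    out[22] = (unsigned char)(dport >> 8); out[23] = (unsigned char)dport;
    out[32] = 0x50; out[33] = flags;           /* data offset 5, flags */
    return 40;
}

/* Classify a constructed packet from src to 192.168.1.1:1234 with the given flags. */
uint32_t mark_for(uint32_t src, uint8_t flags)
{
    unsigned char p[40];
    return classify_packet(p, build_tcp_packet(p, sizeof p, src, 0xC0A80101u, 40000, 1234, flags));
}

#ifdef HAVE_LIBNETFILTER_QUEUE
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netfilter.h>
#include <libnetfilter_queue/libnetfilter_queue.h>

static int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
                     struct nfq_data *nfa, void *data)
{
    (void)nfmsg; (void)data;
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    unsigned char *payload = NULL;
    int plen = nfq_get_payload(nfa, &payload);
    uint32_t mark = plen > 0 ? classify_packet(payload, (size_t)plen) : MARK_DROP;
    /* Verdict is always NF_ACCEPT; the mark carries the decision to nat/filter. */
    return nfq_set_verdict2(qh, ph ? ntohl(ph->packet_id) : 0, NF_ACCEPT, mark, 0, NULL);
}
#endif

int main(void)
{
#ifdef HAVE_LIBNETFILTER_QUEUE
    /* --queue-balance 1:10 needs queues 1..10: run ten of these, or create
     * ten queues on this handle. This instance binds queue 1. */
    struct nfq_handle *h = nfq_open();
    if (!h) { perror("nfq_open"); return 1; }
    nfq_unbind_pf(h, AF_INET);
    nfq_bind_pf(h, AF_INET);
    struct nfq_q_handle *qh = nfq_create_queue(h, 1, on_packet, NULL);
    if (!qh || nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) { perror("queue"); return 1; }
    char buf[65536];
    for (int rv; (rv = (int)recv(nfq_fd(h), buf, sizeof buf, 0)) >= 0; )
        nfq_handle_packet(h, buf, rv);
    nfq_destroy_queue(qh);
    nfq_close(h);
#else
    printf("SYN from 10.1.2.3 -> mark %u\n", (unsigned)mark_for(0x0A010203u, TCP_SYN));
#endif
    return 0;
}
```

Two things worth checking when wiring this up. nfq_set_verdict2() replaces the whole skb mark, so the exact-compare "-m mark --mark N" rules work as written, but any mark bits set on the same packet by earlier rules are overwritten. And NF_ACCEPT from the queue resumes the packet at the next hook function after the one that queued it (nat PREROUTING here), not at the next rule of the mangle chain, which is what lets the nat and filter rules see the mark. If the handler is not running, packets hitting the NFQUEUE rule are dropped unless the rule carries --queue-bypass.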