Balazs Scheidler <bazsi77@xxxxxxxxx> wrote:
> I think this is not correct. TPROXY can be used from output as well to
> divert locally generated traffic. I didn't look into the output null
> reference case posted earlier but that's also a use case to redirect local
> output to a proxy.

Are you sure? The upstreamed TPROXY doesn't support this.

xt_TPROXY sets:

    .hooks = 1 << NF_INET_PRE_ROUTING,

and the backend code assumes that the inout device in the hook state
is available, which is only guaranteed in prerouting and input hooks.