Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> I think my proposal provides a simple way to support this, it's just a
> new flag in the NAT engine, few lines to handle it and new userspace
> code to handle -/+offset in a map.

Yes, thanks for clarifying this. I'm fine with your proposal.

I think it might even be possible to rework the iptables target (the only
user of the current shift/offset infra) to work with the 'new' delta
approach, to avoid cluttering the NAT engine with both approaches.

> Your idea of doing it via payload + math is also good, but it would
> just require more work to support this NAT port-shift feature in
> userspace.

Indeed, it's a lot more work.

> Does this help clarify? I am talking about a completely different
> design for this feature, not so iptablish.

Yes, it does. Agree it's a better solution compared to the existing one.