Hello Charles,

> > > can anyone comment on potential problems/dangers/issues from such a
> > > --jump?
> >
> > An infinite loop, maybe? Also, OUTPUT is before routing anyway...
> Actually it is not [1], and thusly, the source of many of my problems. I

OK. According to Stef's diagram it is after routing (it might explain why
DNAT in OUTPUT was broken in the beginning). Unless there is some hack for
DNAT in OUTPUT to make it work, I don't understand how the routing of the
new DNAT'ed packet works then...

> am very curious though, about your thought of a loop -- could you give a
> bit more detail? i *thought* that a lookup would have been independent
> from netfilter

Well, what I said about the infinite loop, is just a thought. I have
actually not looked in the code to see whether your assumption is correct.
I think your best bet would be the devel mailing list (where the people
with a good insight of the actual code and the internals could help you).

Good luck and please let us know your findings.

Ramin

> -- that is -- that the packet would be checked with its
> fwmark, src ip, dst, ip, etc, and an interface determined (and perhaps a
> new src ip) ...
>
> many thanks for your thoughts
>
> charles
>
> [1] http://www.docum.org/stef.coene/qos/kptd/
>