On Thu, Sep 25, 2003 at 02:52:06PM -0500, Duane Cloud wrote:
> Hello,
>
> I was wondering if there was a simple way for a kernel module
> to create a NAT rule "on the fly".

First, this is a development question. Why don't you ask it on the
development list?

No, this is absolutely impossible.

> Is there a simple way to accomplish this? I was hoping there
> would be an insert_rule() function, but it looks like the tables
> are modified by doing a get_table(), modifying the local copy, then
> replace_table().

Yes. The tables are atomically replaced, and there is no functionality
for parsing/modifying the table inside the kernel. All the kernel can do
is iterate over them.

The only chance you have is to set up the NAT binding by using
ip_conntrack_expect_related() - but you need to do that _before_ you
have received the first SYN packet.

> Thank you,
> Duane Cloud

--
- Harald Welte <laforge@xxxxxxxxxxxxx>             http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going on
while IP was being designed." -- Paul Vixie
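The following is an added example, not part of the thread above and not netfilter project code. It shows the user-space counterpart of the get_table() / modify / replace_table() model the reply describes: iptables-save dumps the whole nat table, the copy is edited locally, and iptables-restore hands the complete table back to the kernel in one atomic replace. No individual rule is ever inserted "in place". The dump text is a constructed sample of an empty nat table; the DNAT rule in the usage line is an assumed illustrative value, and apply_nat_table is only called by hand because it needs root and a live netfilter stack.

```shell
#!/bin/sh
# Added example: atomic whole-table replacement of the nat table from user space.
# Pattern: snapshot (iptables-save) -> edit local copy -> replace (iptables-restore).

# Constructed sample of an iptables-save dump of an empty nat table (assumption:
# a host with no NAT rules yet). A real snapshot comes from: iptables-save -t nat
SAMPLE_DUMP='*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT'

# add_nat_rule DUMP RULE
# Print a new table text with RULE (an iptables-save style "-A ..." line)
# appended just before the COMMIT line. The input is never modified; this is
# the "modify the local copy" step.
add_nat_rule() {
    printf '%s\n' "$1" | awk -v rule="$2" '
        /^COMMIT$/ { print rule }   # emit the new rule ahead of COMMIT
        { print }                   # pass every original line through
    '
}

# count_rules DUMP
# Number of "-A" rule lines in a dump; used to check what add_nat_rule produced.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# snapshot_nat_table
# The "get_table()" step: dump the live nat table (needs root).
snapshot_nat_table() {
    iptables-save -t nat
}

# apply_nat_table DUMP
# The "replace_table()" step: the kernel swaps in the entire table at once
# (needs root; not run in the self-check below).
apply_nat_table() {
    printf '%s\n' "$1" | iptables-restore
}

# Usage (run as root on a real host):
#   current=$(snapshot_nat_table)
#   new=$(add_nat_rule "$current" \
#         "-A PREROUTING -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:80")
#   apply_nat_table "$new"
```

Because iptables-restore replaces the whole table, two administrators (or two scripts) running this pattern concurrently can silently overwrite each other's rules, which is exactly why in-kernel code cannot splice a single rule into the live table either: there is no partial-update API to contend with.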