A temporary resolution to my question, which is far from ideal (not very scalable):

Put subnets on the loopback, to accept packets as they come in on 443. Add a DNAT rule, for the outbound port 80 traffic, which routes traffic out to the correct destination.

I was really hoping for something far more dynamic than this, but it'll have to do in a pinch.

The ideal solution would be to simply accept any packet on a single interface and deliver it as local (without modifying the destination address). That would allow me to simply route new subnets to my stunnel box and have 0 configuration updates on the stunnel box, but alas it doesn't seem feasible. :(

If anyone has any suggestions, please let me know.

--
<flah@xxxxxxxx>
01101000011000010110110001100110