Re: DNAT, Is it possible to find the original destination?

Is there any way that my application can look in the table and see the real
destination? I've seen several things in patch-o-matic that do things with
conntrack but there doesn't seem to be any command, /proc or /dev entry
available to query "I have a connection from host foo, iptables, who was foo
really wanting to speak to?".

well, in the case of your example port (80), if you're talking about an HTTP request, the original destination of the request is preserved in the "Host: " header. this is how transparent proxying works.

in the general case, i don't suppose there's anything stopping you from
performing a lookup against /proc/net/ip_conntrack within your app to
find the original dst ip (although it's been pointed out here recently
that lookups against /proc/net/ip_conntrack are a bad idea--check the
archives).

-j
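The lookup -j describes, as an added example that is not part of this thread: scan the key=value lines of /proc/net/ip_conntrack, match the reply-direction tuple against the connection the application actually sees, and read the pre-DNAT destination from the original-direction tuple (an answer that comes from the kernel's table rather than from a client-supplied Host: header). The conntrack text and the addresses in it are constructed sample data; the function names are my own.

```python
import re

# Constructed sample in the old /proc/net/ip_conntrack layout. The second
# line is a DNAT'd connection: the client addressed 203.0.113.5:80 and the
# kernel rewrote it to the internal server 10.0.0.7:8080.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=10.0.0.7 dst=10.0.0.9 sport=51000 dport=22 src=10.0.0.9 dst=10.0.0.7 sport=22 dport=51000 [ASSURED] use=1
tcp      6 119 SYN_SENT src=198.51.100.20 dst=203.0.113.5 sport=40000 dport=80 [UNREPLIED] src=10.0.0.7 dst=198.51.100.20 sport=8080 dport=40000 use=1
udp      17 29 src=10.0.0.7 dst=10.0.0.1 sport=5353 dport=53 src=10.0.0.1 dst=10.0.0.7 sport=53 dport=5353 use=1
"""

_KV = re.compile(r"(src|dst|sport|dport)=(\S+)")


def parse_entry(line):
    """Split one conntrack line into (proto, original_tuple, reply_tuple).

    The src/dst/sport/dport keys appear twice per line: the first set is the
    original direction as the client sent it, the second is the reply
    direction after NAT. Returns None for lines that do not carry two
    complete 4-tuples (e.g. ICMP entries use id/type/code instead)."""
    fields = line.split()
    if not fields:
        return None
    tuples, current = [], {}
    for key, value in _KV.findall(line):
        if key in current:          # a repeated key starts the reply tuple
            tuples.append(current)
            current = {}
        current[key] = value
    if current:
        tuples.append(current)
    if len(tuples) != 2 or any(len(t) != 4 for t in tuples):
        return None
    return fields[0], tuples[0], tuples[1]


def original_destination(table, proto, local_ip, local_port, peer_ip, peer_port):
    """Given the connection the application sees (peer -> local), find the entry
    whose reply tuple matches and return (orig_dst, orig_dport), the address
    the peer really asked for. Returns None if conntrack has no such entry."""
    for line in table.splitlines():
        parsed = parse_entry(line)
        if parsed is None or parsed[0] != proto:
            continue
        _, orig, reply = parsed
        if (reply["src"], reply["sport"], reply["dst"], reply["dport"]) == (
                local_ip, str(local_port), peer_ip, str(peer_port)):
            return orig["dst"], int(orig["dport"])
    return None
```

A result equal to the local address means the connection was not DNAT'd. On current kernels the table lives in /proc/net/nf_conntrack (same key=value layout, prefixed with an address-family column), and a socket can ask for its own pre-NAT destination with getsockopt(SO_ORIGINAL_DST) instead of scanning the whole table.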


A couple of follow-ups. I searched back the last two or three months and didn't find any "no-nos" on using /proc/net/ip_conntrack. All I can figure is that it could be a hit to read through if very large. Not sure yet how /proc fs might lock things either (if that might be an issue). So if there is any reason for using this to be a "bad thing", please provide some sort of hint if possible.


Another. If I do something to read in the contents of /proc/net/ip_conntrack and then do something to send some output to stdin of iptables-restore/iptables, does my app need to be GPL based? Borders here seem rather grey. I am not modifying any GPL code nor extending it, so it doesn't seem to me to be something that "modifies" and thus requires to be released under the GPL.

Thanks,
Jason