I'm trying to perform DNAT from within my userspace program to a dynamic host. I have in nat PREROUTING a NFQUEUE rule that gives the packet to my program. I am trying to setup a conntrack rule at this time before accepting the packet. The NFQUEUE part works just fine. However I am having trouble adding the conntrack entry. This is the code I currently have: /* Add a new conntrack entry */ if (!(ct = nfct_new())) { perror("nfct_new"); return -1; } nfct_set_attr_u8(ct, ATTR_ORIG_L3PROTO, AF_INET); nfct_set_attr_u8(ct, ATTR_ORIG_L4PROTO, IPPROTO_TCP); nfct_set_attr_u32(ct, ATTR_ORIG_IPV4_SRC, ip->saddr); nfct_set_attr_u32(ct, ATTR_ORIG_IPV4_DST, ip->daddr); nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, tcp->source); nfct_set_attr_u16(ct, ATTR_ORIG_PORT_SRC, tcp->dest); nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY); nfct_set_attr_u32(ct, ATTR_DNAT_IPV4, new_daddr); nfct_set_attr_u16(ct, ATTR_DNAT_PORT, new_dport); //nfct_set_attr_u32(ct, ATTR_TIMEOUT, timeout); if (nfct_query(globals.cth, NFCT_Q_CREATE, ct) < 0) { perror("nfct_query"); return -1; } nfct_destroy(ct); ip is a struct iphdr* pointing to the correct location in the payload from nfqueue tcp is a struct tcphdr* pointing to the correct location in the payload from nfqueue new_daddr is uint32_t from inet_pton() new_dport is uint16_t from htons() Therefore all IPs and ports are already in network byte order. When the above code runs I get the following: nfct_query: Invalid argument Does anyone know what I'm doing wrong? Also, do I need to manually mangle the first packet to perform the DNAT or will netfilter do this for me after I accept the packet due to the conntrack entry? -Steve -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html