*sigh* don't strip the Ccs

On Monday 2011-01-31 03:24, JeHo Park wrote:
>On Mon, Jan 31, 2011 at 11:09 AM, Jan Engelhardt <jengelh@xxxxxxxxxx> wrote:
>> On Monday 2011-01-31 02:53, JeHo Park wrote:
>>>
>>>the string match works well in filter table, but it does not work in NAT.
>>
>> Oh it _does_ work in nat.
>>
>> But given that the nat table is an abstract configuration database
>> rather than a filter, not all packets do a lookup.
>
>but i found in runtime with debugging code, there is no TCP data but
>only TCP header in the skbuff of string match.

Good, then this issue is resolved.

>>>i used following iptables rules
>>># iptables -A PREROUTING -t nat -p tcp --dport 80 -m string --string
>>>"goole.com" --algo bm -j DNAT --to-destination 10.10.10.125:80
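
Added example, not part of the original message or of netfilter's code: a small Python model of the behaviour discussed in the thread. It assumes the standard netfilter rule that only the packet creating a conntrack entry consults the nat table, while every packet traverses the filter table; the addresses, the `Packet` class and the `traverse` helper are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes = b""

def string_match(pkt, needle):
    """Stand-in for `-m string`: it can only find bytes that are in the packet."""
    return needle in pkt.payload

def traverse(packets, needle):
    """Return (nat_lookups, nat_hits, filter_hits) for one packet stream."""
    conntrack = set()  # flows already tracked, keyed by address/port 4-tuple
    nat_lookups = nat_hits = filter_hits = 0
    for pkt in packets:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if flow not in conntrack:
            # Assumption of the model: only the packet that creates the
            # conntrack entry does a nat lookup; later packets of the flow
            # reuse the mapping decided here.
            conntrack.add(flow)
            nat_lookups += 1
            nat_hits += string_match(pkt, needle)
        # Every packet is evaluated against the filter table.
        filter_hits += string_match(pkt, needle)
    return nat_lookups, nat_hits, filter_hits

# Constructed sample: client side of one HTTP connection to port 80.
CLIENT = ("192.0.2.10", 40000, "198.51.100.5", 80)
STREAM = [
    Packet(*CLIENT, flags="SYN"),      # header only, no TCP data
    Packet(*CLIENT, flags="ACK"),
    Packet(*CLIENT, flags="PSH,ACK",
           payload=b"GET / HTTP/1.1\r\nHost: goole.com\r\n\r\n"),
    Packet(*CLIENT, flags="FIN,ACK"),
]

if __name__ == "__main__":
    lookups, nat_hits, filter_hits = traverse(STREAM, b"goole.com")
    print(f"nat lookups={lookups} nat hits={nat_hits} filter hits={filter_hits}")
```

In the model the single nat lookup happens on the SYN, which carries no payload, so the string match has nothing to find there, while the same match in the filter table sees the later data packet.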