Re: [HELP] why the string match does not work in nat tables?


 



Thanks Pablo, Pascal.

I just want the client who tries to connect to any specified site to be
redirected to my HTTP proxy server.
But judging from your answers, it seems impossible to filter that
client's packets in the NAT table.
Anyway, thanks.


On Mon, Jan 31, 2011 at 7:33 PM, Pascal Hambourg
<pascal.mail@xxxxxxxxxxxxxxx> wrote:
> Hello,
>
> Pablo Neira Ayuso wrote:
>> On 31/01/11 03:47, JeHo Park wrote:
>>> anyway, i wonder why there is no TCP payload in the skb of the string
>>> or wurl match.
>>
>> Because you only see the first packet of the flow in the NAT table.
>
> And the first packet of a TCP connection usually carries no data.
> If what you want to achieve is to NAT a TCP connection based on the
> payload, I am afraid this is not possible because the definitive NAT
> mapping is defined from the first packet only.
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
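
A simplified model of the behaviour described in the quoted replies, as an added example that is not part of the original thread and is not netfilter code: nat rules are consulted only for the packet that creates the connection entry, so a payload match never sees the later HTTP request. The class and function names, the addresses, and the match pattern are constructed for illustration.

```python
from dataclasses import dataclass

PROXY = ("192.0.2.10", 3128)  # constructed proxy address (assumption)

@dataclass
class Packet:
    src: tuple
    dst: tuple
    flags: str
    payload: bytes = b""

class NatModel:
    """Toy model: nat rules run once per flow, on the packet that creates it."""

    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.conntrack = {}       # (src, original dst) -> destination fixed for the flow
        self.rule_evaluations = 0  # how often the string-match rule was consulted
        self.rule_hits = 0

    def prerouting(self, pkt: Packet) -> tuple:
        flow = (pkt.src, pkt.dst)
        if flow not in self.conntrack:
            # New flow: the nat table is traversed with whatever payload
            # this first packet carries (none for a plain TCP SYN).
            self.rule_evaluations += 1
            if self.pattern in pkt.payload:
                self.rule_hits += 1
                self.conntrack[flow] = PROXY
            else:
                self.conntrack[flow] = pkt.dst
        # Later packets reuse the mapping; the rule is not consulted again.
        return self.conntrack[flow]

def run_connection(nat: NatModel) -> list:
    """Send the client side of a handshake plus one HTTP request (constructed)."""
    client, server = ("198.51.100.7", 40000), ("203.0.113.80", 80)
    request = b"GET / HTTP/1.1\r\nHost: blocked.example\r\n\r\n"
    packets = [
        Packet(client, server, "SYN"),
        Packet(client, server, "ACK"),
        Packet(client, server, "PSH,ACK", request),
    ]
    return [nat.prerouting(p) for p in packets]

if __name__ == "__main__":
    nat = NatModel(b"Host: blocked.example")
    print(run_connection(nat), nat.rule_evaluations, nat.rule_hits)
```
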