Re: [HELP] why the string match does not work in nat tables?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hello Pablo

i have two more questions

On Mon, Jan 31, 2011 at 6:35 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> On 31/01/11 03:47, JeHo Park wrote:
>> hello jan
>> i see, i took mistake. Ccs.. :-)
>> anyway, i wonder why there is no TCP payload in the skb of the string
>> or wurl match.
>
> Because you only see the first packet of the flow in the NAT table.
>
first, i thought or assumed what you said like above is from the
reason that NAT mapping is first started from L3 IP connection mapping
[origin and expect tuples..] and from TCP helper [for TCP port
infomation ..etc] but it is not based on TCP contents.
so you said it is not possible to rediect such connection.
is it right?

> You should use the string match in the filter or raw tables.
>

and second,
i think some people might also want such a functionality like what i
want to do,
redirection some connection to other server judging from its TCP
contents infomation.
[in this case, the URI  infomation of the HTTP transaction]
i want to know how you think about ..

previously thanks ~
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux