2013/2/28 Rob Sterenborg (lists) <lists@xxxxxxxxxxxxxxx>
>
> On 02/28/2013 07:26 AM, Donghua Liu wrote:
>>
>> Hi,
>>
>> Say I set a netfilter rule with "iptables -t nat -A custom_chain -p
>> tcp --dport 80 -j DNAT --to-destination 127.0.0.1:1234" for some
>> requirement.
>>
>> I also have an LKM which will check the availability of the service
>> "127.0.0.1:1234". How can I cancel the rule's operation (do NOT
>> delete this rule) and let the packet go as usual, ignoring the NAT?
>
>
> man iptables says there is a -R command to replace rules:
>
> ----
> -R, --replace chain rulenum rule-specification
> Replace a rule in the selected chain. If the source and/or
> destination names resolve to multiple addresses, the command will fail.
> Rules are numbered starting at 1.
> ----
>
> Assuming you know which rulenum must be changed, you can do this:
>
> iptables -t nat -R custom_chain 1 -p tcp --dport 80
>
> IOW, lose the -j parameter from the rule, keeping the others. The result
> is that the rule will still be there, but effectively won't do anything
> except for matching and updating packet/byte counting.
>
>
> --
> Rob
>

Replacing rules may solve my problem, but I must do it in kernel space.

Now I have some ideas. Maybe I should extend netfilter/xtables, like:

iptables -t nat -A custom_chain -p tcp --dport 80 -m process_available --process_name some_process_name -j DNAT --to-destination 127.0.0.1:1234

or

iptables -t nat -A custom_chain -p tcp --dport 80 -j SAFE_DNAT --to-destination 127.0.0.1:1234

But how can I implement these? Can anyone provide me with a tutorial or write a small example to explain this?

Thanks in advance!