I'm doing some brainstorming related to a 464XLAT client, which provides virtual IPv4 connectivity to devices that are otherwise IPv6-only. Currently, this works by creating a TUN interface to receive the local IPv4 packets, but to preserve compatibility, it'd be better if I could bind to an existing IPv6-only interface and suck up any IPv4 packets sent there.

I think the netfilter NFQUEUE target almost allows this, but the problem is, sometimes there's a MASQUERADE target installed in the "nat POSTROUTING" table, and I need to steal the packets *after* the NAT occurs. The following diagram indicates that "nat POSTROUTING" is the final step: http://www.faqs.org/docs/iptables/traversingoftables.html

Additionally, it appears that any rule listed after MASQUERADE is never executed. Is there any possible way to attach an NFQUEUE such that it receives *all* of an interface's IPv4 packets?

I considered using a PF_PACKET socket, analogous to tcpdump, but that merely provides a copy of the packets; I haven't found a hook to prevent those packets from reaching the physical interface.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
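An added illustration of the hook-ordering point raised in this post (it is not part of the original message and not a reply from the list): netfilter runs the chains registered on one hook in ascending priority order, and in nftables a masquerading chain sits at priority srcnat (100). A filter-type chain registered on the same postrouting hook at srcnat + 10 therefore runs after source NAT has rewritten each outgoing packet, and that chain may hand the packet to NFQUEUE. The interface name eth0 and queue number 0 are assumed placeholders.

```nft
# Added example ruleset; "eth0" and queue 0 are placeholders.
table ip clat_demo {
    # Source NAT as a typical gateway has it. Only the first packet of
    # each flow traverses a nat-type chain; later packets are translated
    # by conntrack without revisiting it.
    chain post_nat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }

    # Same hook, larger priority number, so this chain runs after post_nat
    # and sees every IPv4 packet with its already-translated source address.
    chain post_queue {
        type filter hook postrouting priority srcnat + 10; policy accept;
        # bypass: if no user-space program is bound to queue 0, the packet
        # is delivered normally instead of being dropped, so a crashed or
        # not-yet-started listener does not blackhole the interface.
        oifname "eth0" queue flags bypass to 0
    }
}
```

Load the ruleset with `nft -f` and confirm the chain order with `nft list ruleset`. The user-space program bound to queue 0 then returns a verdict per packet (NF_DROP to absorb it, NF_ACCEPT to let it continue to the interface), which is the take-rather-than-copy behaviour the post notes a PF_PACKET socket does not provide. In iptables terms the equivalent position does not exist, because no iptables table is registered after the nat table on the POSTROUTING hook, which is why a rule placed after MASQUERADE in that chain is never reached.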