On 19/08/2017 at 16:16, khawar shehzad wrote:
> 3- Once the packet is accepted by the FILTER chain (i.e. there is a mapping in the verdict map), I want to do DNAT (i.e. changing the destination address of the packet)

DNAT makes sense only before the routing decision (so that the routing can be adapted to the new destination). So iptables allowed it only in the PREROUTING and OUTPUT chains.

> My solution is like the following, which is not working.
>
> table ip6 natcap {
>     map natcap_vmap {
>         type ipv6_addr . ipv6_addr : verdict
>         elements = { 2001::20 . 2001::1:0:0:2 : accept}
>     }
>     chain prerouting_filter {
>         type filter hook prerouting priority -101; policy drop;
>         ip6 saddr . ip6 daddr vmap @natcap_vmap
>     }
(...)

What is this syntax? This is not iptables.