From: Menno Smits <menno@netboxblue.com>
To: Pablo Neira Ayuso <pablo@eurodev.net>
Cc: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: Re: "Late REDIRECT"
Date: Tue, 14 Mar 2006 12:50:32 +1000
Message-ID: <44162F78.50203@netboxblue.com>
In-Reply-To: <441550F6.7060609@eurodev.net>

Hi Pablo,

Pablo Neira Ayuso wrote:
>>
>> Is something like this feasible? How difficult would it be to implement? Am
>> I barking up the wrong tree?
> 
> Ick, this seems frightening. Why don't you filter in the raw PREROUTING?

Two reasons:

1) You can't do REJECT in raw, only DROP.

2) You still need to use convoluted rules to figure out where packets 
are going to go. In the filter table you know what's being forwarded and 
what is local and in filter FORWARD you know both the source and 
destination interface. Currently we use an intricate arrangement of 
chains and rules in mangle PREROUTING to determine the marks to set 
based on the known IPs, networks and routes for each interface. Packets 
then get handled according to their marks in the filter and nat tables.

Regards,
Menno




Thread overview: 4+ messages
2006-03-13  9:06 "Late REDIRECT" Menno Smits
2006-03-13 11:01 ` Pablo Neira Ayuso
2006-03-14  2:50   ` Menno Smits [this message]
2006-03-16  9:14 ` mud dog
