From: Stephen Clark <sclark46@earthlink.net>
To: Changli Gao <xiaosuo@gmail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: clone packet with new destination address
Date: Mon, 01 Nov 2010 08:46:19 -0400
Message-ID: <4CCEB69B.5080905@earthlink.net>
In-Reply-To: <AANLkTi=T3QwJp-yVT3GNk46mjmudQ5CrE71YnMqWfsOh@mail.gmail.com>

On 10/22/2010 09:36 AM, Changli Gao wrote:
> On Fri, Oct 22, 2010 at 9:24 PM, Changli Gao<xiaosuo@gmail.com>  wrote:
>    
>> On Fri, Oct 22, 2010 at 8:31 PM, Stephen Clark<sclark46@earthlink.net>  wrote:
>>      
>>> Hello,
>>>
>>> Problem:
>>> I have two monitoring servers behind a linux firewall, one is primary
>>> and one is backup.
>>> In the field we have units sending udp informational packets to the primary
>>> server. On the
>>> linux firewall I would like to copy this packet and change the destination
>>> address of the copied
>>> packet to point to the backup server. Is there a way to do this without
>>> writing any code?
>>>
>>> NOTE:
>>> Currently the firewall is FreeBSD and we accomplish this rather easily using
>>> ipfw along with natd, but we want to move to linux for our firewall.
>>>
>>>        
>> I think you can use tc action mirred to mirror the packets to a fake
>> NIC device ifb, and use tc action nat to dnat the packets received
>> from ifb.
>>
>>      
> Oh, iptables can also do it. Please see iptables target TEE and RAWNAT
> in xtables-addons. http://xtables-addons.sourceforge.net/
>
>    
In testing this it looks like, to me anyhow, that the cloned packet gets
sent to the new gw with the original destination address, so now the
destination address has to get fixed up on the gw. This seems pretty
kludgy to me. Why can't the cloned packet simply have its destination
address replaced with the new destination address? This seems to me
like it would make a lot more sense, instead of having to make changes to
the packet on two different systems.


-- 

"They that give up essential liberty to obtain temporary safety,
deserve neither liberty nor safety."  (Ben Franklin)

"The course of history shows that as a government grows, liberty
decreases."  (Thomas Jefferson)
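
An added example, not part of the original thread and not netfilter or xtables-addons code: what replacing the destination address on a cloned IPv4/UDP packet involves, namely rewriting the address and recomputing both the IP header checksum and the UDP checksum, whose pseudo-header includes the destination. The addresses, ports and payload are constructed sample values and the function names are hypothetical.

```python
import socket
import struct

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fix_checksums(pkt: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the UDP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, udp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    udp[6:8] = b"\x00\x00"
    # The UDP pseudo-header covers source and destination address, so a
    # destination rewrite invalidates the UDP checksum as well.
    pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, 17, len(udp))
    udp[6:8] = struct.pack("!H", checksum(pseudo + bytes(udp)) or 0xFFFF)
    return bytes(ip + udp)

def build_udp_packet(src, dst, sport, dport, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP datagram (used for the constructed sample)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    return fix_checksums(ip + udp)

def clone_with_new_dst(pkt: bytes, new_dst: str) -> bytes:
    """Return a copy of pkt addressed to new_dst; the original is untouched."""
    clone = bytearray(pkt)
    clone[16:20] = socket.inet_aton(new_dst)
    return fix_checksums(bytes(clone))

def checksums_valid(pkt: bytes) -> bool:
    """A receiver's view: both checksums must verify to zero."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 17, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0

# Constructed sample: a field unit reporting to the primary server.
ORIGINAL = build_udp_packet("198.51.100.7", "192.0.2.10", 40000, 5000, b"status=ok")
CLONE = clone_with_new_dst(ORIGINAL, "192.0.2.11")
```
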



