From: Changli Gao
Subject: Re: clone packet with new destination address
Date: Mon, 1 Nov 2010 23:02:21 +0800
Message-ID:
References: <4CC1843F.8050903@earthlink.net> <4CCEB69B.5080905@earthlink.net> <4CCECEDD.2030107@earthlink.net>
Cc: Jan Engelhardt, netfilter-devel@vger.kernel.org
To: sclark46@earthlink.net
In-Reply-To:
List-ID:

On Mon, Nov 1, 2010 at 11:00 PM, Changli Gao wrote:
> On Mon, Nov 1, 2010 at 10:29 PM, Stephen Clark wrote:
>>
>> I am not sure how to go about doing that; looking at the code for TEE, it
>> looks like the cloned packet bypasses any of the remaining iptables chains.
>
> It isn't true. The cloned packet only bypasses the iptables rule where
> it is generated.
>
>> So where would I change the destination address? Also, if I am mistaken and
>> it does hit one of the remaining iptables chains, how do I tell it is not
>> the original but the cloned packet I want to change to the new destination
>> address?
>>
>
> I think you can use the RAWSNAT xtables-addon to change the
> destination address. Since the new skb is attached to untracked ct,
> you can use match conntrack --ctstate UNTRACKED to filter it out.
>

s/SNAT/DNAT/g .

--
Regards,
Changli Gao(xiaosuo@gmail.com)
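An added example, not part of the thread: the rule set the reply describes, with TEE cloning in mangle/PREROUTING and the destination rewrite limited to the clone via `-m conntrack --ctstate UNTRACKED`. The addresses, the gateway and the choice of the raw table's OUTPUT chain for RAWDNAT are assumptions of this example; it prints the rules by default and only applies them when invoked with `apply`.

```shell
#!/bin/sh
# Example only (not from the mailing-list thread). Constructed addresses:
ORIG_DST="10.0.0.1"    # destination the original packets carry
NEW_DST="10.0.0.2"     # destination the clone should carry instead
GATEWAY="10.0.0.254"   # next hop TEE hands the clone to

# Emit the rules one per line without executing them.
tee_rules() {
    # 1. Clone every packet addressed to ORIG_DST. The clone re-enters
    #    netfilter through the local output path with an UNTRACKED
    #    conntrack entry attached, so it traverses OUTPUT/POSTROUTING.
    echo "iptables -t mangle -A PREROUTING -d $ORIG_DST -j TEE --gateway $GATEWAY"
    # 2. Rewrite the destination of the clone only. The original packet
    #    carries a normal conntrack state, so --ctstate UNTRACKED leaves it
    #    alone. RAWDNAT (xtables-addons) changes the destination; RAWSNAT
    #    would change the source, which is the slip corrected in the thread.
    echo "iptables -t raw -A OUTPUT -d $ORIG_DST -m conntrack --ctstate UNTRACKED -j RAWDNAT --to-destination $NEW_DST"
}

# Sanity check before applying: the rewrite rule must be a RAWDNAT rule,
# must be restricted to UNTRACKED packets, and no RAWSNAT rule may appear.
check_rules() {
    tee_rules | grep -q -- '-j RAWDNAT' || return 1
    tee_rules | grep -- '-j RAWDNAT' | grep -q -- '--ctstate UNTRACKED' || return 1
    ! tee_rules | grep -q RAWSNAT
}

case "${1:-}" in
    apply) check_rules && tee_rules | sh -e ;;  # needs root and xtables-addons
    *)     tee_rules ;;                         # default: dry run, print only
esac
```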