Hi,

On Mon, Jul 21, 2008 at 04:49:43 +0200, NTPT wrote:
Redirecting ICMP related traffic - I am not a kernel / netfilter hacker, but what about extending netfilter CONNMARK for that purpose?
Addition of a --restore-mark-related option to the CONNMARK target, which copies the connmark from the master connection to related traffic, would probably do this job.
So then it could look like this?

iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
iptables -t mangle -A DIVERT -j CONNMARK --save-mark    # save mark on connection
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p icmp -j CONNMARK --restore-mark-related    # copy connmark from master connection to its related stuff
# now related ICMP traffic is marked too and can be directed by routing code
Yes, you're right but this requires connection tracking -- while we would like to be able to use tproxy without conntrack. But I like the idea... ;)

--
KOVACS Krisztian
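The diversion setup the quoted rules sketch, written out as a complete script (an added example, not code from either poster or from the tproxy project) using only options that exist in iptables and iproute2: the proposed --restore-mark-related is replaced by the existing CONNMARK --restore-mark on RELATED packets, which works because conntrack attaches an ICMP error to the conntrack entry of the connection it reports on. The mark value, the routing table number and the ip rule / ip route lines that actually steer marked packets to the local stack are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) the mangle rules that divert
# TPROXY-intercepted TCP, plus its related ICMP errors, by firewall mark.
# Assumed values (not from the thread): mark 0x1, policy routing table 100.
MARK=${MARK:-0x1}
TABLE=${TABLE:-100}

# Print the ruleset, one command per line, so it can be reviewed before use.
divert_rules() {
    cat <<EOF
iptables -t mangle -N DIVERT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A DIVERT -j MARK --set-xmark ${MARK}/0xffffffff
iptables -t mangle -A DIVERT -j CONNMARK --save-mark
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p icmp -m conntrack --ctstate RELATED -j CONNMARK --restore-mark
ip rule add fwmark ${MARK} lookup ${TABLE}
ip route add local 0.0.0.0/0 dev lo table ${TABLE}
EOF
}

# Sanity check: number of commands that reference the mark directly
# (the MARK target and the ip rule); anything else is expected to be 2.
marked_rule_count() {
    divert_rules | grep -c -- "${MARK}"
}

# Default is a dry run that only prints the rules; pass --apply to execute.
if [ "${1:-}" = "--apply" ]; then
    divert_rules | sh -e
else
    divert_rules
fi
```

Note that this still depends on conntrack for the ICMP part, which is exactly the limitation the reply above points out.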