10 Nov 2004, 10:55 a.m.
Hello!

--- KOVACS Krisztian <hidden@balabit.hu> wrote:
> Before using TPROXY_FLAGS you should specify the other endpoint of the new connection using TPROXY_CONNECT.

This works up to a point, but we run into trouble if the destination address is subject to a DNAT rule. In that case, if we use TPROXY_CONNECT to specify the remote endpoint, we kind of shoot ourselves in the foot because by the time TPROXY sees the packet in POSTROUTING, the packet's destination address will have changed. The workaround of playing games with SO_REUSEADDR seems to do OK in this situation, but it's ugly and I'm not sure what the side effects might be.

Tim