[tproxy] Merging tproxy patch to standard kernel ?
KOVACS Krisztian
hidden at sch.bme.hu
Wed Jul 23 14:40:05 CEST 2008
Hi,
On h, júl 21, 2008 at 04:49:43 +0200, NTPT wrote:
> Redirecting ICMP related traffic - I am not an kernel / netfilter hacker, but what to extend netfilter CONNMARK for that purpose ?
>
> Addition of --restore-mark-related option to CONNMARK target , witch copy connmark from master connection to related traffic probably will do this job.
>
>
> so then it could look like this ?
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcpo -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> iptables -t mangle -j CONNMARK ---save-mark // save mark on connection
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -p icmp -j CONNMARK --restore-mark-related // copy connmark from master conenction to its related stuff
>
> // now related ICMP traffic is marked too and can be directed by routing code
Yes, you're right but this requires connection tracking -- while we would
like to be able to use tproxy without conntrack.
But I like the idea... ;)
--
KOVACS Krisztian
More information about the tproxy
mailing list