[tproxy] A general question on xt_socket
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 29 14:52:49 CET 2008

On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
> Hi all,
> 
> A general question:
> 
> Say I have the following rules configured:
> 
> +++++++++++++++++++++++++++++
> iptables -t mangle -N DIVERT
> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
> iptables -t mangle -A DIVERT -j ACCEPT
> ++++++++++++++++++++++++++++++++++++
> 
> In which case can the tcp packets go without hitting the rule
> "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?
> 
If there's no applicable local socket for the packet in question, then -m
socket will not match.
A socket is applicable if the associated tuple (local ip:port, remote
ip:port) matches the packet.
Related ICMP packets also match.
-- 
Bazsi
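As an added example, not code from the thread or from the tproxy project, the following Python model shows the lookup the reply describes: a packet matches -m socket only when a local socket's tuple applies to it, and a related ICMP error is matched through the header it embeds. The lookup order (an established socket must match the whole four-tuple; failing that, a listening socket on the local port bound to that address or to the wildcard address), the Sock/Packet types and all addresses, ports and socket states are assumptions constructed for the example.

```python
"""Simplified model of the lookup behind ``iptables -m socket``.

Added example, not kernel or netfilter code.  It assumes the lookup order
(established four-tuple first, then a listening socket on the local port
with an exact or wildcard local address) and uses constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

WILDCARD = "0.0.0.0"


@dataclass(frozen=True)
class Sock:
    """A local socket as seen by the match: local ip:port, remote ip:port.
    A listening socket has no remote side (remote_port == 0)."""
    local_ip: str
    local_port: int
    remote_ip: str = WILDCARD
    remote_port: int = 0


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inner: Optional["Packet"] = None  # ICMP error: the embedded original packet


def find_socket(socks, pkt):
    """Return the socket applicable to pkt, or None (then -m socket does not match)."""
    if pkt.proto == "icmp":
        # A related ICMP error carries the header of the packet this host sent,
        # so the embedded source is our local side and the embedded destination
        # is the remote side.
        if pkt.inner is None:
            return None
        local_ip, local_port = pkt.inner.src_ip, pkt.inner.src_port
        remote_ip, remote_port = pkt.inner.dst_ip, pkt.inner.dst_port
    else:
        local_ip, local_port = pkt.dst_ip, pkt.dst_port
        remote_ip, remote_port = pkt.src_ip, pkt.src_port

    # 1. An established socket must match the whole four-tuple.
    for s in socks:
        if (s.local_ip, s.local_port, s.remote_ip, s.remote_port) == (
            local_ip, local_port, remote_ip, remote_port
        ):
            return s
    # 2. Otherwise a listening socket on the local port, bound to that
    #    address or to the wildcard address.
    for s in socks:
        if s.remote_port == 0 and s.local_port == local_port \
                and s.local_ip in (local_ip, WILDCARD):
            return s
    return None


def chain_for(socks, pkt):
    """Which way the packet goes in the posted PREROUTING rule set."""
    return "DIVERT" if find_socket(socks, pkt) is not None else "no match"


# Constructed sample state: one connection already accepted on :80 and a
# listener on :3128 (hypothetical addresses and ports).
ESTABLISHED = Sock("192.0.2.10", 80, "198.51.100.7", 40000)
LISTENER = Sock(WILDCARD, 3128)
SOCKETS = [ESTABLISHED, LISTENER]

PKT_ESTABLISHED = Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 80)
PKT_NEW_FLOW = Packet("tcp", "198.51.100.7", 40001, "192.0.2.10", 80)  # no socket yet
PKT_TO_LISTENER = Packet("tcp", "203.0.113.5", 5555, "192.0.2.10", 3128)
PKT_ICMP_RELATED = Packet("icmp", "192.0.2.1", 0, "192.0.2.10", 0,
                          inner=Packet("tcp", "192.0.2.10", 80, "198.51.100.7", 40000))
PKT_ICMP_UNRELATED = Packet("icmp", "192.0.2.1", 0, "192.0.2.10", 0,
                            inner=Packet("tcp", "192.0.2.10", 80, "198.51.100.7", 40001))


def demo():
    """Run every constructed packet through the match and report the outcome."""
    cases = {
        "established": PKT_ESTABLISHED,
        "new flow": PKT_NEW_FLOW,
        "to listener": PKT_TO_LISTENER,
        "icmp related": PKT_ICMP_RELATED,
        "icmp unrelated": PKT_ICMP_UNRELATED,
    }
    return {name: chain_for(SOCKETS, p) for name, p in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} -> {result}")
```

The "new flow" case is the one the question asks about: a TCP packet for which no established socket and no listener on that port exists falls through the -m socket rule and never reaches DIVERT, while the ICMP error whose embedded header matches the established socket is diverted like the connection it relates to.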