[tproxy] A general question on xt_socket
Balazs Scheidler
bazsi at balabit.hu
Wed Oct 29 18:49:17 CET 2008
On Wed, 2008-10-29 at 20:57 +0530, Arun Srinivasan wrote:
> Does this mean, there is an appropriate listening socket in the user space?
Not necessarily a listening socket, but yes: a socket that is bound to the
same address as the destination of the incoming packet.
>
> Apart from IP_TRANSPARENT for the socket option, is there any thing
> else to be done before binding a socket?
no.
>
> TIA
>
> 2008/10/29 Balazs Scheidler <bazsi at balabit.hu>:
> > On Tue, 2008-10-28 at 18:22 +0530, Arun Srinivasan wrote:
> >> Hi all,
> >>
> >> A general question:
> >>
> >> Say I have the following rules configured:
> >>
> >> +++++++++++++++++++++++++++++
> >> iptables -t mangle -N DIVERT
> >> iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT
> >> iptables -t mangle -A DIVERT -j MARK --set-mark 0x1
> >> iptables -t mangle -A DIVERT -j ACCEPT
> >> ++++++++++++++++++++++++++++++++++++
> >>
> >> In which case can the tcp packets go without hitting the rule
> >> "iptables -t mangle -I PREROUTING -p tcp -m socket -j DIVERT"?
> >>
> >
> > if there's no applicable local socket to the packet in question, then -m
> > socket will not match.
> >
> > a socket is applicable if the associated tuple (local ip:port, remote
> > ip:port) matches the packet.
> >
> > related ICMP packets also match.
> >
> > --
> > Bazsi
> >
> >
>
>
>
--
Bazsi
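As an added illustration (not from this thread or the tproxy project), the script below models the socket lookup Bazsi describes, so the case where the PREROUTING rule is not hit is visible, and shows the userspace side, where a bound socket only needs IP_TRANSPARENT. The socket table and addresses are constructed, and the lookup order (connected 4-tuple first, then a socket bound to the packet's destination) is a simplified assumption about the kernel's behaviour.

```python
import socket

# IP_TRANSPARENT is 19 in linux/in.h; older Python builds lack the constant.
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
ANY = "0.0.0.0"  # wildcard: INADDR_ANY for local, "unset" for remote

# Constructed socket table standing in for the kernel's lookup tables.
# Each entry: (local_ip, local_port, remote_ip, remote_port). A remote of
# ("0.0.0.0", 0) marks a socket that is only bound (listening or not).
SOCKETS = [
    (ANY, 80, ANY, 0),                    # listener bound to *:80
    ("10.0.0.5", 80, "192.0.2.1", 4000),  # established connection
    ("10.0.0.5", 8080, ANY, 0),           # bound to a non-local ip:port
]


def find_applicable_socket(sockets, src_ip, src_port, dst_ip, dst_port):
    """Return the socket -m socket would treat as applicable for a packet
    with the given source/destination, or None when there is none (the
    case where the DIVERT rule is never hit). Assumed lookup order: an
    exact 4-tuple match on a connected socket wins; otherwise a socket
    bound to the packet's destination (wildcard address allowed) matches."""
    for sk in sockets:
        lip, lport, rip, rport = sk
        if (lip, lport, rip, rport) == (dst_ip, dst_port, src_ip, src_port):
            return sk
    for sk in sockets:
        lip, lport, rip, rport = sk
        if rport == 0 and lport == dst_port and lip in (ANY, dst_ip):
            return sk
    return None


def open_transparent_listener(ip, port, backlog=16):
    """Userspace side: bind a TCP socket to an address this host does not
    own. Needs CAP_NET_ADMIN. Once it exists, packets for ip:port that reach
    the mangle PREROUTING rule will match -m socket and be diverted."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_IP, IP_TRANSPARENT, 1)  # the only extra step
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((ip, port))
    s.listen(backlog)
    return s


if __name__ == "__main__":
    print(find_applicable_socket(SOCKETS, "192.0.2.1", 4000, "10.0.0.5", 80))
    print(find_applicable_socket(SOCKETS, "192.0.2.1", 4001, "10.0.0.5", 443))
```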