On 11/05/2011 01:32, richardvo...@gmail.com wrote:
> There's still a large piece of the puzzle missing, namely finding out
> what mark is carried by incoming requests, since this determines the
> mark that goes on the forwarded query (when it cannot be answered from
> cache).

Just to phrase my last response hopefully more clearly:

Linux *must* be able to track the response packets to an outgoing udp/icmp packet, otherwise NAT firewalling would not work... (replies would not get delivered back to the correct machine behind the NAT)

The "how" this is done is called conntrack (on linux). Also this capability is exposed to userspace and hence you can do some quite clever things if you wish.

Cool huh?

Thanks

Ed W
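The following is an added illustration, not part of the thread above and not Linux kernel or netfilter code: a toy connection tracker in Python that models the behaviour Ed describes. It keys flows on the UDP 5-tuple, so a reply (source and destination swapped) is matched back to the outgoing packet that caused it, stores a per-connection mark the way CONNMARK does, restores that mark onto reply packets, and expires idle entries. The addresses, ports, mark values and timeout are constructed for the walk-through; the state names mirror the `--ctstate NEW/ESTABLISHED` vocabulary only loosely. Note that the mark lives on one tracked flow: a query that a resolver forwards upstream is a new flow in this model, which is exactly the gap Richard points at.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Lookup key: (proto, src_ip, src_port, dst_ip, dst_port)
Tuple5 = Tuple[str, str, int, str, int]


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    mark: int = 0  # packet mark, e.g. what "-j MARK" would have set (constructed)


@dataclass
class Entry:
    orig: Tuple5       # tuple of the original (outgoing) direction
    reply: Tuple5      # tuple the reply is expected to carry (src/dst swapped)
    mark: int          # per-connection mark, what CONNMARK --save-mark keeps
    last_seen: float
    replied: bool = False


class ConnTracker:
    """Toy model of UDP connection tracking; not the kernel's implementation."""

    def __init__(self, timeout: float = 30.0) -> None:
        self.timeout = timeout
        self.table: Dict[Tuple5, Entry] = {}

    def _expire(self, now: float) -> None:
        # Idle flows are forgotten, so late replies are no longer recognised
        stale = [k for k, e in self.table.items() if now - e.last_seen > self.timeout]
        for k in stale:
            del self.table[k]

    def track(self, pkt: Packet, now: float) -> Tuple[str, str, int]:
        """Classify pkt and return (state, direction, connmark).

        state is NEW or ESTABLISHED, direction is ORIGINAL or REPLY.  For a
        known flow the flow's mark is copied back onto the packet, in the
        spirit of CONNMARK --restore-mark.
        """
        self._expire(now)
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.table.get(fwd)
        if entry is None:
            # First packet of a flow: register it under both directions so the
            # reply tuple resolves to the same entry
            rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            entry = Entry(orig=fwd, reply=rev, mark=pkt.mark, last_seen=now)
            self.table[fwd] = entry
            self.table[rev] = entry
            return ("NEW", "ORIGINAL", entry.mark)
        entry.last_seen = now
        direction = "ORIGINAL" if fwd == entry.orig else "REPLY"
        if direction == "REPLY":
            entry.replied = True
        # A retransmitted query with no reply seen yet is still NEW
        state = "ESTABLISHED" if entry.replied else "NEW"
        pkt.mark = entry.mark
        return (state, direction, entry.mark)


def dns_nat_scenario() -> List[Tuple[str, str, int]]:
    """Constructed walk-through: marked outgoing DNS query, its reply, a
    retransmission, an unsolicited inbound packet, and a reply after expiry."""
    ct = ConnTracker(timeout=30.0)
    out: List[Tuple[str, str, int]] = []
    query = Packet("udp", "192.168.1.10", 40000, "198.51.100.53", 53, mark=7)
    out.append(ct.track(query, now=0.0))   # NEW, ORIGINAL, 7
    reply = Packet("udp", "198.51.100.53", 53, "192.168.1.10", 40000)
    out.append(ct.track(reply, now=0.2))   # ESTABLISHED, REPLY, 7 (mark restored)
    retx = Packet("udp", "192.168.1.10", 40000, "198.51.100.53", 53)
    out.append(ct.track(retx, now=0.5))    # ESTABLISHED, ORIGINAL, 7
    stray = Packet("udp", "198.51.100.53", 53, "192.168.1.10", 40001)
    out.append(ct.track(stray, now=0.6))   # NEW, ORIGINAL, 0: no flow, a NAT box drops it
    late = Packet("udp", "198.51.100.53", 53, "192.168.1.10", 40000)
    out.append(ct.track(late, now=60.0))   # NEW, ORIGINAL, 0: flow expired
    return out


if __name__ == "__main__":
    for row in dns_nat_scenario():
        print(row)
```

The userspace view Ed mentions corresponds, on a real system, to tools such as `conntrack -L` listing the same kind of entries; the toy's `table` is the equivalent of that listing, and the restore step is where a firewall rule set would read the flow's mark rather than trusting whatever the packet arrived with.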