Balazs Scheidler wrote:
> On Wed, 2007-01-10 at 07:46 +0100, Patrick McHardy wrote:
>
>> I'm wondering if it would be possible to use normal input routing
>> combined with netfilter marks to do the diversion ..
>
> The problem is that userspace proxies open ports dynamically (think of
> FTP data channels), you cannot add iptables rules for every such
> redirection. So one rule for every dynamic redirection is a no-go.
>
> If we'd add a single rule, which would do some kind of lookup and then
> mark packets, that would again introduce a state inside tproxy that'd
> need to be synchronized with the socket table. We explicitly wanted to
> avoid such tables.
How exactly are dynamic ports handled? Do you just add a catch-all rule
that filters based on socket lookups? In that case you could do something
like this:

    ip route add local default dev lo scope host table 1
    ip rule add fwmark 0x1 lookup 1

and still use the socket lookups for marking, which would (without the
socket caching) remove the need for this patch entirely.

> And additionally, using the mark this way would prevent the admin from
> using it the way he/she likes.

We support bitwise use of the mark everywhere in current kernels, so that
shouldn't be a problem anymore.
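Added here as an illustration, not code from the thread: the fwmark-based diversion sketched in the reply, built from the two ip commands quoted above plus one catch-all socket-lookup rule, with the value/mask form showing the bitwise mark use Patrick refers to. It assumes a later iptables than this 2007 discussion had, with the xt_socket match (-m socket) and the MARK target's --set-xmark; commands are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes iptables with the xt_socket
# match (-m socket), MARK --set-xmark, and iproute2 fwmark/mask rules.
set -eu

MARK_BIT=0x1   # the single mark bit this diversion claims for itself
TABLE=100      # routing table that holds the catch-all "local" route

# run: print each command; execute it only when APPLY=1 (needs root).
run() {
    echo "+ $*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

setup_divert() {
    # One rule for all dynamic ports: mark any TCP packet for which a
    # local socket (listening or established) exists, instead of one
    # REDIRECT/DNAT rule per proxied connection.
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # value/mask form: set only our bit, leave the admin's other mark
    # bits untouched (the "bitwise use of the mark" from the reply).
    run iptables -t mangle -A DIVERT -j MARK --set-xmark "$MARK_BIT/$MARK_BIT"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # Policy routing: packets carrying our bit take a table whose only
    # route delivers everything locally via lo, so no rewrite of the
    # destination address is needed and the proxy sees the real one.
    run ip rule add fwmark "$MARK_BIT/$MARK_BIT" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

teardown_divert() {
    # Reverse order of setup; ignore errors for rules that are absent.
    run ip route del local 0.0.0.0/0 dev lo table "$TABLE" || true
    run ip rule del fwmark "$MARK_BIT/$MARK_BIT" lookup "$TABLE" || true
    run iptables -t mangle -D PREROUTING -p tcp -m socket -j DIVERT || true
    run iptables -t mangle -F DIVERT || true
    run iptables -t mangle -X DIVERT || true
}

case "${1:-setup}" in
    setup)    setup_divert ;;
    teardown) teardown_divert ;;
    *) echo "usage: $0 [setup|teardown]" >&2; exit 2 ;;
esac
```

Packets for sockets the proxy never opened are still unmarked and routed normally, which is what keeps the rule set at one entry regardless of how many data channels the proxy accepts.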