-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Horms wrote:
> I had a brief look over the patches and they seem ok to me. Except
> that I am not clear on the motivation of the following hooks.
> Doesn't this mean that ip_vs_in is registered in three separate
> places? Is this actually what you need?
>
Yes, as I try to redirect forwarded traffic (with addresses not local
to the director), I need to hook into NF_FORWARD. Ideally this has to
be a separate ip_vs_forward_in function, but these patches are a
proof of concept.
This new ip_vs_forward_in function should be limited to matching fwmarks.
Flow with these patches:
incoming packet -> PRE_ROUTING -> FORWARD -> ip_vs_in (returning
NF_ACCEPT, after changing skb->dst) -> POSTROUTING -> outgoing packet.
I'm also looking at the possibility of using the iptables REDIRECT
target to get rid of the forwarding hook and use the normal ip_vs_in,
but I'm not yet sure this will not mangle the original packet (it
should not lose the original destination data). At least reinject
should then be changed to return NF_STOLEN on the INPUT hook, and call
ip_forward() to get the packet on its way again.
The flow for the packet will then become:
incoming packet -> PRE_ROUTING (REDIRECT)-> INPUT -> ip_vs_in
(returning NF_STOLEN, sending packet to ip_forward()) -> FORWARD ->
POSTROUTING -> outgoing packet.
Greetings,
Ludo.
--
Ludo Stellingwerff
V&S B.V. The Netherlands
ProTactive firewall solution.
Tel: +31 172 416116
Fax: +31 172 416124
site: www.protactive.nl
demo: http://www.protactive.nl:81/netview.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFC8aowOF3sCpZ+AJgRAlHCAKCB7Oeu/sGztiiPBN/s+E2m0pS/ZQCfU9DH
b0DpbtXMhOXx5pslAphKH7s=
=tW7N
-----END PGP SIGNATURE-----
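The two traversal orders described in the message, modelled in user-space C as an added example. This is not kernel code and not the patches under discussion: `struct pkt`, `ip_rcv()`, `ip_forward()`, the hook functions, the addresses and the fwmark value 7 are constructed stand-ins. Only the NF_* verdict and hook numbers follow the kernel's netfilter headers. The model shows why the INPUT-hook variant must return NF_STOLEN after calling ip_forward(): returning NF_ACCEPT would let the packet continue into local delivery as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_STOLEN 2

enum { NF_INET_PRE_ROUTING, NF_INET_LOCAL_IN, NF_INET_FORWARD,
       NF_INET_LOCAL_OUT, NF_INET_POST_ROUTING, NF_INET_NUMHOOKS };

#define MAX_PATH 8

/* Constructed stand-in for sk_buff: only the fields the discussion needs. */
struct pkt {
    uint32_t orig_daddr;      /* destination as it arrived; must survive */
    uint32_t daddr;           /* current header destination */
    uint32_t dst_nexthop;     /* stand-in for skb->dst (routing result) */
    uint32_t mark;            /* fwmark */
    int delivered_locally;    /* set if LOCAL_IN accepted the packet */
    int path[MAX_PATH];       /* hooks actually traversed */
    int path_len;
};

struct chain;
typedef unsigned (*hookfn)(struct chain *c, struct pkt *p);
struct chain { hookfn hooks[NF_INET_NUMHOOKS]; };

/* Constructed addresses: director 10.0.0.1, VIP 192.168.1.1 (not local
 * to the director), real server 192.168.1.2, fwmark 7 selects LVS. */
static const uint32_t DIRECTOR_IP = 0x0a000001u;
static const uint32_t VIP         = 0xc0a80101u;
static const uint32_t REALSERVER  = 0xc0a80102u;
static const uint32_t LVS_FWMARK  = 7;

static unsigned run_hook(struct chain *c, int hooknum, struct pkt *p)
{
    if (p->path_len < MAX_PATH)
        p->path[p->path_len++] = hooknum;
    return c->hooks[hooknum] ? c->hooks[hooknum](c, p) : NF_ACCEPT;
}

/* Stand-in for ip_forward(): FORWARD hook, then POST_ROUTING. */
static unsigned ip_forward(struct chain *c, struct pkt *p)
{
    if (run_hook(c, NF_INET_FORWARD, p) != NF_ACCEPT)
        return NF_DROP;
    return run_hook(c, NF_INET_POST_ROUTING, p);
}

/* Stand-in for ip_rcv(): PRE_ROUTING, routing decision, then LOCAL_IN
 * for local addresses or ip_forward() for everything else. */
static unsigned ip_rcv(struct chain *c, struct pkt *p)
{
    if (run_hook(c, NF_INET_PRE_ROUTING, p) != NF_ACCEPT)
        return NF_DROP;
    if (p->daddr != DIRECTOR_IP)
        return ip_forward(c, p);
    unsigned v = run_hook(c, NF_INET_LOCAL_IN, p);
    if (v == NF_ACCEPT)
        p->delivered_locally = 1;     /* the socket layer would see it */
    return v;
}

/* Flow 1 (posted patches): fwmark-only match on FORWARD, change the
 * route and let traversal continue with NF_ACCEPT. */
static unsigned ip_vs_forward_in(struct chain *c, struct pkt *p)
{
    (void)c;
    if (p->mark == LVS_FWMARK)
        p->dst_nexthop = REALSERVER;
    return NF_ACCEPT;
}

/* Flow 2: REDIRECT on PRE_ROUTING pulls the packet to a local address. */
static unsigned redirect_target(struct chain *c, struct pkt *p)
{
    (void)c;
    if (p->mark == LVS_FWMARK)
        p->daddr = DIRECTOR_IP;
    return NF_ACCEPT;
}

/* Flow 2, INPUT side: restore the original destination, forward by
 * hand and return NF_STOLEN so the stack does not also deliver it. */
static unsigned ip_vs_in_stolen(struct chain *c, struct pkt *p)
{
    if (p->mark != LVS_FWMARK)
        return NF_ACCEPT;
    p->daddr = p->orig_daddr;
    p->dst_nexthop = REALSERVER;
    ip_forward(c, p);
    return NF_STOLEN;
}

/* Same work, wrong verdict: shows the double-handling the mail avoids. */
static unsigned ip_vs_in_wrong(struct chain *c, struct pkt *p)
{
    ip_vs_in_stolen(c, p);
    return NF_ACCEPT;
}

static struct pkt new_pkt(void)
{
    struct pkt p;
    memset(&p, 0, sizeof p);
    p.orig_daddr = p.daddr = p.dst_nexthop = VIP;
    p.mark = LVS_FWMARK;
    return p;
}

static unsigned run_forward_hook_flow(struct pkt *p)
{
    struct chain c = {{0}};
    c.hooks[NF_INET_FORWARD] = ip_vs_forward_in;
    *p = new_pkt();
    return ip_rcv(&c, p);
}

static unsigned run_redirect_flow(struct pkt *p, hookfn local_in)
{
    struct chain c = {{0}};
    c.hooks[NF_INET_PRE_ROUTING] = redirect_target;
    c.hooks[NF_INET_LOCAL_IN] = local_in;
    *p = new_pkt();
    return ip_rcv(&c, p);
}

static int path_is(const struct pkt *p, const int *want, int n)
{
    return p->path_len == n && memcmp(p->path, want, n * sizeof *want) == 0;
}

int main(void)
{
    struct pkt p;
    run_forward_hook_flow(&p);
    printf("flow 1 hooks traversed: %d\n", p.path_len);
    run_redirect_flow(&p, ip_vs_in_stolen);
    printf("flow 2 hooks traversed: %d, delivered locally: %d\n",
           p.path_len, p.delivered_locally);
    return 0;
}
```

Flow 1 touches PRE_ROUTING, FORWARD and POST_ROUTING only; flow 2 touches PRE_ROUTING, LOCAL_IN and then, through the hand-called ip_forward(), FORWARD and POST_ROUTING, with the original destination restored and no local delivery. Swapping in ip_vs_in_wrong keeps the same path but also flags local delivery, which is the behaviour NF_STOLEN exists to prevent.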