TPROXY target returns NF_ACCEPT

TPROXY target returns NF_ACCEPT

[Philip Craig]

The TPROXY target returns NF_ACCEPT rather than XT_CONTINUE.
Is there a reason for this, or is it left over from when
there was a tproxy table?  I can place the tproxy rules last
if needed, but this behaviour was unexpected.

Also, does tproxy handle related ICMP packets too?

Re: TPROXY target returns NF_ACCEPT

[KOVACS Krisztian]

Hi,

On k, jún 16, 2009 at 07:09:42 +1000, Philip Craig wrote:
> The TPROXY target returns NF_ACCEPT rather than XT_CONTINUE.
> Is there a reason for this, or is it left over from when
> there was a tproxy table?  I can place the tproxy rules last
> if needed, but this behaviour was unexpected.

It has more to do with the REDIRECT-like functionality of the target.
TPROXY 'redirection' is tricky, since it does not actually touch the skb
but the packet ends up in a local socket with a different address/port.

> Also, does tproxy handle related ICMP packets too?

The 'socket' match matches for related ICMP, so if you use TPROXY in
conjuction with that, then yes, it does handle related ICMP.

-- 
KOVACS Krisztian
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html