Balazs Scheidler wrote:

> * use a new state (called TPROXY), which would be applied to all TPROXYed
> packets (might interact badly with nat/conntrack).

It will no doubt interact badly with connection tracking (and therefore NAT).

> * have the tproxy framework mark all packets with an fwmark, and let the
> packets in based on the value of fwmark

Will interact badly with fwmark based routing.

> * have a separate match (called tproxy), which matches tproxied sessions
> based on some value stored in the associated conntrack entry

Definitely my preference, but I might be biased as I make heavy use of connection tracking and fwmark based routing in combination.

Regards
Henrik
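The fwmark collision Henrik raises against the second option, shown concretely. This is an added example, not from the thread or from either poster: a box that already steers traffic with fwmark-based policy routing (`ip rule ... fwmark ... lookup`) gets a tproxy rule that also writes the fwmark. If both write the whole 32-bit mark, whichever runs last wins and the other's routing decision is lost. The usual remedy is to reserve a separate bit for tproxy and set or match it through a mask; the `--tproxy-mark value/mask` option used below is the syntax of the later iptables TPROXY target, and the mark values, mask and table numbers are assumptions for illustration. `emit_rules` only prints the commands for review; nothing here touches the running kernel.

```bash
#!/bin/sh
# Added example (not part of the thread): keeping a tproxy fwmark out of the
# way of existing fwmark-based routing by partitioning the mark with a mask.
# Values below are assumptions chosen for illustration.

ROUTE_MARK_MASK=0x00ff   # low byte: already used by the routing setup
TPROXY_MARK=0x0100       # a single bit outside that byte for tproxied flows
TPROXY_MASK=0x0100

# marks_collide MASK_A MASK_B
# Returns success (0) when the two mark ranges share at least one bit,
# i.e. when a tproxy rule writing bits in MASK_B could clobber routing
# decisions encoded in MASK_A.
marks_collide() {
    a=$(( $1 ))
    b=$(( $2 ))
    [ $(( a & b )) -ne 0 ]
}

# route_mark_is_preserved TPROXY_MASK
# Success when tproxy's bits lie entirely outside the routing byte.
route_mark_is_preserved() {
    ! marks_collide "$ROUTE_MARK_MASK" "$1"
}

# Print the rule set that keeps the two mark spaces apart.  Pipe to sh as
# root on a box where you actually want it applied; here it is review text.
emit_rules() {
    cat <<EOF
# pre-existing fwmark-based routing: match only the low byte
ip rule add fwmark 0x1/$ROUTE_MARK_MASK lookup 101
ip rule add fwmark 0x2/$ROUTE_MARK_MASK lookup 102
# tproxy: its own bit, its own table delivering marked packets locally
ip rule add fwmark $TPROXY_MARK/$TPROXY_MASK lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark $TPROXY_MARK/$TPROXY_MASK
EOF
}

# The naive variant that collides: the tproxy rule writes mark 1 with no
# mask, which is exactly what routing table 101 keys on.
emit_colliding_rules() {
    cat <<EOF
ip rule add fwmark 1 lookup 101
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 0x1
EOF
}

if route_mark_is_preserved "$TPROXY_MASK"; then
    emit_rules
else
    echo "tproxy mask $TPROXY_MASK overlaps routing mask $ROUTE_MARK_MASK" >&2
    emit_colliding_rules >&2
fi
```

The point is not that masks make the fwmark approach clean, only that an administrator who already routes on fwmark has to audit every mark writer on the box; a match keyed on conntrack state, the third option, needs no such coordination.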