When setting up a counter for a rule in a 'type nat hook prerouting' chain with dnat on a specific port, the counter will only count the initial packet for that rule and the following packets from that same conntrack will not be counted anymore.

I could set up a counter on the forward hook, but it would have to be based on the post-dnat destination IP/port. However, I want the counter to apply to the pre-dnat IP/port, because I could have other IP/ports dnat'ing to that same destination IP/port and I want to distinguish the counters based on the pre-dnat destination IP/port. Is there a way to achieve that?

Many thanks in advance.

Creating a separate rule with a counter in a chain of type filter in the prerouting hook, but with an earlier priority than -200 (NF_IP_PRI_CONNTRACK), will count all packets of the conntrack.

Therefore, only set a counter in the dnat rule if you want to count the packets that trigger the DNAT.

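As an added illustration of the answer's approach (this ruleset is not part of the question or the answer), the counting chain below is a filter-type prerouting chain at priority -300 (the raw slot, ahead of conntrack at -200), so every packet of a flow still carries its original destination when it is counted, while the separate nat chain performs the DNAT. The interface name eth0, the public address 203.0.113.10, ports 8080/9090 and the backend 10.0.0.5:80 are assumed values.

```nft
# Added example ruleset, not from the question or answer.
# Assumed: WAN interface eth0, public IP 203.0.113.10, two public ports
# (8080 and 9090) that are both DNAT'd to the same backend 10.0.0.5:80.

table ip precount_demo {
    chain precount {
        # priority -300 = raw slot; runs before conntrack (-200) and before
        # the dstnat slot (-100), so 'daddr'/'dport' are still pre-DNAT values.
        type filter hook prerouting priority -300; policy accept;

        # One counter per original (pre-DNAT) destination port. These count
        # every packet of the flow, not just the connection-opening one.
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 8080 counter comment "pre-dnat :8080"
        iifname "eth0" ip daddr 203.0.113.10 tcp dport 9090 counter comment "pre-dnat :9090"
    }
}

table ip nat {
    chain prerouting {
        # priority -100 = dstnat slot; the nat hook is only traversed by the
        # first packet of a connection, so these counters advance once per flow.
        type nat hook prerouting priority -100; policy accept;

        iifname "eth0" tcp dport 8080 counter dnat to 10.0.0.5:80
        iifname "eth0" tcp dport 9090 counter dnat to 10.0.0.5:80
    }
}
```

After loading with `nft -f`, `nft list chain ip precount_demo precount` shows both pre-DNAT counters growing with every packet of their flows, whereas the counters on the dnat rules (`nft list chain ip nat prerouting`) only advance for the packet that created each conntrack entry.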