> rules :) If the netfilter gurus don't find it useful, no problem :)
Well, this is right. I share their opinion too. :-)
> Of course, the SNAT-ing process may need correct routing (maybe
> a new "ROUTING" chain) and small routing code changes (I have them in some
> of my patches).
BTW this is a puzzle for me: how do they block redirects?
This was another big problem with masquerading in 2.2 and in fact another
advantage of controlling masquerading via routing, where all such things
went right automatically.
> Maybe I have rules with the same priority, anyway :)
This is one of the things to prohibit; the priority will in fact be the
handle of the rule. It is the only predictable way to distinguish such
objects. (BTW this applies to iptables too.) Sigh, lots of scripts will break.
So, it is not such a bad idea to install some filter dropping panic emails
to /dev/null before attempting to sanitize this. :-)
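A practical check that follows from the point above, added here as an example and not part of the original thread: if equal priorities are to be prohibited and the priority becomes the rule's handle, a script that creates two rules with the same priority will break, so it is worth scanning the policy-routing rules for duplicated priorities before such a change lands. The function below parses text in `ip rule show` format; the sample rules embedded in `SAMPLE_RULES` are constructed for the example, and the function name is my own.

```shell
# Added example (not from the original thread): report policy-routing rule
# priorities that occur more than once, since a priority is expected to
# become the unique handle of a rule.
# Input is text in `ip rule show` format; the sample below is constructed.

SAMPLE_RULES='0:	from all lookup local
100:	from 10.0.0.0/8 lookup 100
100:	from 192.168.0.0/16 lookup 101
32766:	from all lookup main
32767:	from all lookup default'

# duplicate_priorities TEXT
# Prints each priority that appears on more than one rule line, one per
# line, sorted numerically. The priority is the field before the first ':',
# so IPv6 selectors later on the line do not confuse the split.
duplicate_priorities() {
    printf '%s\n' "$1" |
        awk -F: 'NF > 1 { n[$1]++ }
                 END { for (p in n) if (n[p] > 1) print p }' |
        sort -n
}

# Usage on the sample (prints "100"):
duplicate_priorities "$SAMPLE_RULES"

# Live check on a running system (needs iproute2; not run here):
# duplicate_priorities "$(ip rule show)"
```

An empty result means every rule already has a distinct priority and the scripts that installed them will survive the stricter handling; any priority listed marks a rule set that needs to be renumbered.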