From: Nils Ohlmeier <lists@ohlmeier.de>
To: netfilter-devel@lists.netfilter.org
Subject: conntrack manipulation
Date: Thu, 8 May 2003 23:47:41 +0200 [thread overview]
Message-ID: <200305082347.41709.lists@ohlmeier.de> (raw)
Hi all,
short question: is it possible to manipulate the entrys of the connection
tracking (specialy adding and removing entrys) from user space?
In more details:
we try to get an over SIP signaled RTP stream (Voice over IP) through
netfilter NAT. Some time ago we coded the fcpd (http://fcpd.berlios.de) which
enables applications to maipulate packet filter and NAT rules. Now the SIP
Express Router (http://www.iptel.org/ser) has support for this netfilter
manipulation. But after long testing sessions we came to the following
result:
phone1 ------ NAT ------- Internet ----- phone2
Phone1 starts a call to phone2 (INVITE message). Phone2 confirms the call (200
OK message) after the user picked up and starts to send RTP packets to the
public NAT address immediately. Now the comfirmation message hits the SIP
proxy at the NAT box and will be processed. The proxy requests at the fcpd to
insert S- and D-NAT rules for the RTP stream. The fpcd processes the request
and inserts the rules.
But during all this process time the first RTP packets allready hit the NAT
box. And if this packets are not droped by a rule, they will create a new
conntrack entry. Now the insertion of the S/DNAT rules comes too late because
all the packets of the stream will be intercepted by the conntrack before
they hit our new rules.
Ok if the NAT box drops every packet which is not explictly allowed everything
should work fine. But i think this is somewhat unrealistic, because most NATs
will at least accept all packets from the private side to the Internet.
So my question is if it is possible that the fcpd deletes connection tracking
entrys from the early packets. And if the fcpd could just insert a connection
tracking entry for the stream it could omit the insertion of three normal
rules (SNAT, DNAT and FORWARD).
I know that i could explicitly drop the packets from the stream until the
connection is confirmed. But i dont like this idea because it complicates the
rule handling from the fcpd a much. And because of the details in the SIP
protocol we could only drop packets with some wildcards in the matching
rules.
Thanks for any comments and ideas.
Greetings
Nils Ohlmeier
next reply other threads:[~2003-05-08 21:47 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-05-08 21:47 Nils Ohlmeier [this message]
2003-05-09 12:36 ` conntrack manipulation Jozsef Kadlecsik
2003-05-09 22:21 ` Nils Ohlmeier
2003-05-12 7:35 ` Jozsef Kadlecsik
2003-05-12 18:15 ` Nils Ohlmeier
-- strict thread matches above, loose matches on Subject: below --
2003-05-12 23:35 Ian Latter
2003-05-13 13:52 ` Nils Ohlmeier
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200305082347.41709.lists@ohlmeier.de \
--to=lists@ohlmeier.de \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.