bidirectional ip_conntrack_irc

bidirectional ip_conntrack_irc

[Sven Wandersleb]

Hi List,

is there any Plans to get ip_conntrack_irc working in both directions?
Its sad to have connections called NEW, if in fact they are RELATED.

I need it, as i want to catch DCC downloads to mark/route them to a
broader link than the default one.

Greetings
Sven Wandersleb

Re: bidirectional ip_conntrack_irc

[Patrick McHardy]

Sven Wandersleb wrote:
> Hi List,
> 
> is there any Plans to get ip_conntrack_irc working in both directions?
> Its sad to have connections called NEW, if in fact they are RELATED.

What do you mean by "both directions"?

> I need it, as i want to catch DCC downloads to mark/route them to a
> broader link than the default one.

Two possibilities:

- mark master conntrack, related connections will inheirit the mark
iptables -t mangle -A POSTROUTING -p tcp --dport 6667 -j CONNMARK 
--set-mark 0x1

- mark related connections registered by the irc helper
iptables -t mangle -A PREROUTING -m state --state RELATED -m helper 
--helper "irc" -j CONNMARK --set-mark 0x1

In both cases you need to set the packet mark from the connection
mark and use that in your routing rules.

Re: bidirectional ip_conntrack_irc

[Sven Wandersleb]

> > is there any Plans to get ip_conntrack_irc working in both directions?
> > Its sad to have connections called NEW, if in fact they are RELATED.
>
> What do you mean by "both directions"?

ip_conntrack_irc only tracks my DCC connections when i send files to
others on  irc. This is necessary because there needs to be a port on
my NAT forwarded to my computer so that the otherone can connect.

If i receive a file from another user its not necesarry to open any
ports, so this is ignored by ip_conntrack_irc. Yet the connection is
(or imho should be considered) related to the main irc connection.

> - mark master conntrack, related connections will inheirit the mark
> iptables -t mangle -A POSTROUTING -p tcp --dport 6667 -j CONNMARK
> --set-mark 0x1

This marks all my normal irc-traffic, but not my incoming DCC transfers

> - mark related connections registered by the irc helper
> iptables -t mangle -A PREROUTING -m state --state RELATED -m helper
> --helper "irc" -j CONNMARK --set-mark 0x1

This worked well for sending files via DCC, but not for receiving.

Its really hard to catch those DCC connections, as they use random ports.

Re: bidirectional ip_conntrack_irc

[Patrick McHardy]

Sven Wandersleb wrote:
>>>is there any Plans to get ip_conntrack_irc working in both directions?
>>>Its sad to have connections called NEW, if in fact they are RELATED.
>>
>>What do you mean by "both directions"?
> 
> 
> ip_conntrack_irc only tracks my DCC connections when i send files to
> others on  irc. This is necessary because there needs to be a port on
> my NAT forwarded to my computer so that the otherone can connect.
> 
> If i receive a file from another user its not necesarry to open any
> ports, so this is ignored by ip_conntrack_irc. Yet the connection is
> (or imho should be considered) related to the main irc connection.

Ah, I see now, the helpers ignores packets in the other direction.
I'm going to look into if its easily possible to change this.