From: Patrick McHardy <kaber@trash.net>
To: Thomas Jarosch <thomas.jarosch@intra2net.com>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: 2.6.20: ipt_owner match and INPUT chain
Date: Thu, 08 Mar 2007 19:01:19 +0100 [thread overview]
Message-ID: <45F04F6F.5020103@trash.net> (raw)
In-Reply-To: <200703081636.03226.thomas.jarosch@intra2net.com>
Thomas Jarosch wrote:
> Hello Patrick,
>
> On Monday, 5. March 2007, you wrote:
>
>>>I'm not sure if I understand you correctly, shouldn't it already be
>>>possible to add an expectation via "conntrack -I expect"?
>>
>>Yes, but currently expectations always need a master connection
>>with a helper assigned.
>
>
> Thanks for clearing this up. Is this change easy to do, like it would
> take you ten minutes or is it a more complex task?
Without having looked into this in detail, I guess it should be
in the tens of minutes range. We need this anyway for state
synchronization since the H.323 helper manually assigns
unregistered helpers to its children.
>>>Another idea came to my mind today: If the socks server needs to be
>>>patched anyway, would it be useful to set a connmark via an ioctl on the
>>>socket?
>>
>>connmark isn't possible since the sending side of the socket
>>only deals with packets before the have been associated with
>>a conntrack entry. But you could use normal marks, IIRC
>>Balazs Scheidler <bazsi@balabit.hu> posted a patch for this
>>to netdev about 1.5 years ago.
>
>
> I was unable to find the patch, too bad the lovely patchwork system wasn't in
> place at that time. Anyway, ipt_owner works for outgoing connections so after
> giving it another thought it a) already works b) is one patch less to the
> socks proxy -> ipt_owner is fine for this.
Great. Just for reference, this is the patch I was talking about:
http://marc.theaimsgroup.com/?l=linux-netdev&m=112870885111441&w=4
> I'm still wondering how other people are running a socks server
> together with an iptables firewall. I can't imagine
> they leave all incoming ports open...
I have no idea. I can only assume most people simply don't allow
users to open their own external ports on a firewall at all.
next prev parent reply other threads:[~2007-03-08 18:01 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-02 8:46 2.6.20: ipt_owner match and INPUT chain Thomas Jarosch
2007-03-02 11:57 ` Patrick McHardy
2007-03-02 12:59 ` Thomas Jarosch
2007-03-03 16:24 ` Patrick McHardy
2007-03-05 17:06 ` Thomas Jarosch
2007-03-05 18:11 ` Patrick McHardy
2007-03-08 15:36 ` Thomas Jarosch
2007-03-08 18:01 ` Patrick McHardy [this message]
2007-03-09 10:38 ` Thomas Jarosch
2007-03-15 17:04 ` Thomas Jarosch
2007-03-16 4:06 ` Patrick McHardy
2007-03-16 12:52 ` Thomas Jarosch
2007-03-16 13:00 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45F04F6F.5020103@trash.net \
--to=kaber@trash.net \
--cc=netfilter-devel@lists.netfilter.org \
--cc=thomas.jarosch@intra2net.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.