From: Patrick McHardy <kaber@trash.net>
To: Amin Azez <azez@ufomechanic.net>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [PATCH] add direction match to conntrack match
Date: Fri, 01 Jun 2007 18:30:16 +0200
Message-ID: <46604998.3050602@trash.net>
In-Reply-To: <46604886.4080400@ufomechanic.net>
Amin Azez wrote:
> This adds the virtual states ORIGINAL and REPLY to the conntrack match,
> making it possible to tell if the packet being compared is part of the
> original flow or the reply flow.
>
> e.g.
>
> iptables -t mangle -A PREROUTING -m conntrack --ctstate REPLY
>
> The patch is against kernel 2.6.17 and iptables 1.3.6, but it is simple
> enough.
I've been using a similar patch at a previous job, I think it's quite
useful, so if you send me a patch for current -git I'll queue it
for 2.6.23.
>
> Index: linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> ===================================================================
> --- linux-2.6.17.1.orig/include/linux/netfilter/xt_conntrack.h
> +++ linux-2.6.17.1/include/linux/netfilter/xt_conntrack.h
> @@ -14,6 +14,9 @@
> #define XT_CONNTRACK_STATE_SNAT (1 << (IP_CT_NUMBER + 1))
> #define XT_CONNTRACK_STATE_DNAT (1 << (IP_CT_NUMBER + 2))
> #define XT_CONNTRACK_STATE_UNTRACKED (1 << (IP_CT_NUMBER + 3))
> +/* match on direction of packet */
> +#define XT_CONNTRACK_STATE_ORIGINAL (1 << (IP_CT_NUMBER + 4))
> +#define XT_CONNTRACK_STATE_REPLY (1 << (IP_CT_NUMBER + 5))
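Review bot: the new XT_CONNTRACK_STATE_ORIGINAL/REPLY bits put packet direction into the same state bitmask as the real conntrack states and the SNAT/DNAT/UNTRACKED pseudo-states, so a rule cannot express direction separately from state without the bitmask taking on yet another meaning; a dedicated flag in the match info would keep the two orthogonal. If the pseudo-state route is kept, the shifts IP_CT_NUMBER + 4 and + 5 should be checked against the width of the state field that carries the mask, since every addition here narrows the headroom left for future states.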
But I think you should use a regular flag for this. The
XT_CONNTRACK_STATE_SNAT flags are already a not so great idea
since the same information is in the status bits, which
can also be matched.
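An added, constructed C model of how a --ctstate mask is evaluated once the ORIGINAL/REPLY pseudo-states share one bitmask with the real states and the NAT pseudo-states (example code for this thread, not from the kernel or the patch; the ctinfo values, IP_CT_NUMBER = 6 and the XT_CONNTRACK_STATE_BIT formula are assumed from 2.6.17-era headers):

```c
#include <stdbool.h>
#include <stdint.h>

/* Assumed 2.6.17-era ctinfo values: reply-direction values are the
 * original-direction value plus IP_CT_IS_REPLY; IP_CT_NUMBER = 6. */
enum { IP_CT_ESTABLISHED = 0, IP_CT_RELATED, IP_CT_NEW, IP_CT_IS_REPLY,
       IP_CT_ESTABLISHED_REPLY = IP_CT_IS_REPLY, IP_CT_RELATED_REPLY,
       IP_CT_NEW_REPLY, IP_CT_NUMBER };

/* One bit per state; a reply-direction ctinfo folds onto the same state
 * bit as its original-direction counterpart, which is why direction is
 * otherwise invisible to --ctstate. */
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1u << ((ctinfo) % IP_CT_IS_REPLY + 1))
#define XT_CONNTRACK_STATE_INVALID     (1u << 0)
#define XT_CONNTRACK_STATE_SNAT        (1u << (IP_CT_NUMBER + 1))
#define XT_CONNTRACK_STATE_DNAT        (1u << (IP_CT_NUMBER + 2))
#define XT_CONNTRACK_STATE_UNTRACKED   (1u << (IP_CT_NUMBER + 3))
/* The patch's virtual direction states, sharing the same bitmask. */
#define XT_CONNTRACK_STATE_ORIGINAL    (1u << (IP_CT_NUMBER + 4))
#define XT_CONNTRACK_STATE_REPLY       (1u << (IP_CT_NUMBER + 5))

/* Build the state word for one packet. ctinfo < 0 models a packet with no
 * conntrack entry (INVALID). snat/dnat model the NAT status bits. */
uint32_t ct_state_word(int ctinfo, bool snat, bool dnat)
{
    if (ctinfo < 0)
        return XT_CONNTRACK_STATE_INVALID;
    uint32_t w = XT_CONNTRACK_STATE_BIT(ctinfo);
    /* Direction derived from ctinfo, exactly once per packet. */
    w |= (ctinfo >= IP_CT_IS_REPLY) ? XT_CONNTRACK_STATE_REPLY
                                    : XT_CONNTRACK_STATE_ORIGINAL;
    if (snat) w |= XT_CONNTRACK_STATE_SNAT;
    if (dnat) w |= XT_CONNTRACK_STATE_DNAT;
    return w;
}

/* --ctstate A,B,... matches when any requested bit is set; '!' inverts. */
bool ctstate_match(uint32_t state_word, uint32_t mask, bool invert)
{
    return ((state_word & mask) != 0) ^ invert;
}
```

Because ESTABLISHED and REPLY are just two bits in one word, `--ctstate ESTABLISHED,REPLY` matches any established packet in either direction, not only established reply packets; that is the ambiguity a separate direction flag avoids.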