* newbie question on netfilter-conntrack
From: Pete Kay @ 2010-06-20 11:41 UTC
To: netfilter

Hi,

I am new to netfilter-conntrack so please excuse me for my simple question.

I am trying to set up a rule such that any UDP packet coming from a specific IP:port will be redirected to another IP:port. Could someone please give me an example of how this can be done?

Also, I would like to know if it is possible to monitor the proxying of the UDP packet to obtain information such as jitter and packet loss. How can I do that?

Thanks,
P
* Re: newbie question on netfilter-conntrack
From: Andrew Beverley @ 2010-06-20 11:56 UTC
To: Pete Kay; +Cc: netfilter

Pete,

> I am trying to set up a rule such that any UDP packet coming from a
> specific IP:port will be redirected to another IP:port. Could someone
> please give me an example how this can be done?

You'll need something like:

    iptables -t nat -A PREROUTING -p udp --sport 1234 --source 1.2.3.4 \
        -j DNAT --to-destination 4.3.2.1:4321

If you do 'man iptables' you will see details of all these options. You may also find that this simple kernel routing diagram helps: http://www.docum.org/docum.org/kptd/

> Also, I would like to know if it is possible to monitor the proxying
> of the UDP packet to obtain information such as jitter and packet
> lost. How can I do that?

Not sure about that I'm afraid; maybe somebody else can help.

Andy
* Re: newbie question on netfilter-conntrack
From: Jan Engelhardt @ 2010-06-20 12:15 UTC
To: Pete Kay; +Cc: netfilter

On Sunday 2010-06-20 13:41, Pete Kay wrote:
>Hi,
>
>I am new to netfilter-conntrack so please excuse me for my simple question.
>
>I am trying to set up a rule such that any UDP packet coming from a
>specific IP:port will be redirected to another IP:port. Could someone
>please give me an example how this can be done?

Why not just directly connect to the right tuple?
* Re: newbie question on netfilter-conntrack
From: Pete Kay @ 2010-06-21 2:53 UTC
To: Jan Engelhardt; +Cc: netfilter

Hi,

I need to do a fast UDP proxy, so I am looking for ways that I can insert/remove 1000 entries/s. I tried iptables but it is too slow. Therefore, I am looking to use conntrack-tools to insert the entry to see if it can be faster. Does anyone know if that is possible?

I have trouble figuring out how to use the conntrack-tools' conntrack command (-I option). Can someone please give me an example?

Thanks,
P

On Sun, Jun 20, 2010 at 8:15 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Sunday 2010-06-20 13:41, Pete Kay wrote:
>
>>Hi,
>>
>>I am new to netfilter-conntrack so please excuse me for my simple question.
>>
>>I am trying to set up a rule such that any UDP packet coming from a
>>specific IP:port will be redirected to another IP:port. Could someone
>>please give me an example how this can be done?
>
> Why not just directly connect to the right tuple?
>
* Re: newbie question on netfilter-conntrack
From: Pete Kay @ 2010-06-21 7:49 UTC
To: Jan Engelhardt; +Cc: netfilter

Hi Jan,

Thanks for your hint. Could you share with me how to "connect to the right tuple"? Is there any C library that I can use?

Thanks,
P

On Sun, Jun 20, 2010 at 8:15 PM, Jan Engelhardt <jengelh@medozas.de> wrote:
> On Sunday 2010-06-20 13:41, Pete Kay wrote:
>
>>Hi,
>>
>>I am new to netfilter-conntrack so please excuse me for my simple question.
>>
>>I am trying to set up a rule such that any UDP packet coming from a
>>specific IP:port will be redirected to another IP:port. Could someone
>>please give me an example how this can be done?
>
> Why not just directly connect to the right tuple?
>
* Re: newbie question on netfilter-conntrack
From: Pete Kay @ 2010-06-21 9:20 UTC
To: netfilter

Hi,

Sorry for posting multiple times. This should be my last one.

I modified conntrack_create_nat.c to redirect UDP traffic coming from a specific IP:port to another IP, but the program gives an error; the result of ret is (-1). Does anyone know what's wrong?

    #include <stdio.h>
    #include <stdlib.h>
    #include <errno.h>
    #include <arpa/inet.h>     /* inet_addr(), htons() */
    #include <netinet/in.h>    /* IPPROTO_UDP */
    #include <sys/socket.h>    /* AF_INET */
    #include <libnetfilter_conntrack/libnetfilter_conntrack.h>
    #include <libnetfilter_conntrack/libnetfilter_conntrack_udp.h>

    int main(void)
    {
        int ret;
        struct nfct_handle *h;
        struct nf_conntrack *ct;

        ct = nfct_new();
        if (!ct) {
            perror("nfct_new");
            return EXIT_FAILURE;
        }

        /* Original-direction tuple: 192.168.1.12:5060 -> 192.168.1.102:5060 over UDP. */
        nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
        nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.1.12"));
        nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.1.102"));
        nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
        nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(5060));
        nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(5060));

        /* Let the library derive the reply tuple by inverting the original one. */
        nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);

        //nfct_set_attr_u8(ct, ATTR_UDP_STATE, UDP_CONNTRACK_SYN_SENT);
        //nfct_set_attr_u8(ct, ATTR_TCP_STATE, TCP_CONNTRACK_SYN_SENT);

        nfct_set_attr_u32(ct, ATTR_TIMEOUT, 100);   /* seconds until the entry expires */

        /* Source NAT: replies are addressed to 192.168.1.13 instead of 192.168.1.12. */
        nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.1.13"));

        h = nfct_open(CONNTRACK, 0);
        if (!h) {
            perror("nfct_open");
            nfct_destroy(ct);
            return EXIT_FAILURE;
        }

        ret = nfct_query(h, NFCT_Q_CREATE, ct);

        printf("TEST: create conntrack ");
        if (ret == -1)
            printf("(%d)\n", ret);
        else
            printf("(OK)\n");

        nfct_close(h);
        nfct_destroy(ct);

        return ret == -1 ? EXIT_FAILURE : EXIT_SUCCESS;
    }
* Re: newbie question on netfilter-conntrack
From: Pablo Neira Ayuso @ 2010-06-21 9:50 UTC
To: Pete Kay; +Cc: netfilter

Pete Kay wrote:
> Hi,
>
> Sorry for posting multiple times. This should be my last one.
>
> I modified the conntrack_create_nat.c to redirect udp traffic coming
> from a specific IP:port to another IP, but the program gives error,
> the result of ret is (-1). Does anyone know what's wrong?

    # ./a.out
    TEST: create conntrack (OK)
    decadence:/tmp# conntrack -L -p udp
    udp      17 92 src=192.168.1.12 dst=192.168.1.102 sport=5060 dport=5060 packets=0 bytes=0 [UNREPLIED] src=192.168.1.102 dst=192.168.1.13 sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=2
    conntrack v0.9.14 (conntrack-tools): 1 flow entries have been shown.

It works fine here with 2.6.34 and libnetfilter_conntrack 0.0.101.
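The flow line Pablo shows carries the whole NAT decision: the reply tuple's dst is 192.168.1.13 rather than 192.168.1.12, which is exactly the ATTR_SNAT_IPV4 the program set, while the reply src still equals the original dst, so no destination rewrite is in place. The following is an added example (not code from the thread or from conntrack-tools) that parses such 'conntrack -L' lines and reports the mapping they imply, so that an entry created this way can be checked against what was intended; the token rules and the TUPLE_KEYS set are assumptions about the conntrack-tools text format:

```python
# Added example, not code from the thread: parse one 'conntrack -L' flow line
# and derive the NAT mapping it encodes. Token rules are assumptions about the
# conntrack-tools text format: proto, proto number, timeout, then key=value tokens.

# Constructed copy of the flow line Pablo posted (conntrack v0.9.14 output).
SAMPLE = ("udp      17 92 src=192.168.1.12 dst=192.168.1.102 sport=5060 dport=5060 "
          "packets=0 bytes=0 [UNREPLIED] src=192.168.1.102 dst=192.168.1.13 "
          "sport=5060 dport=5060 packets=0 bytes=0 mark=0 secmark=0 use=2")

# Keys printed once per direction; the first repeat marks the reply tuple.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes"}


def parse_flow(line):
    """Split a flow line into proto, timeout, orig/reply tuples, flags and extras."""
    tokens = line.split()
    entry = {"proto": tokens[0], "timeout": int(tokens[2]),
             "orig": {}, "reply": {}, "flags": [], "extra": {}}
    direction = "orig"
    for tok in tokens[3:]:
        if tok.startswith("[") and tok.endswith("]"):   # [UNREPLIED], [ASSURED]
            entry["flags"].append(tok[1:-1])
        elif "=" not in tok:                             # bare token, e.g. TCP ESTABLISHED
            entry["extra"]["state"] = tok
        else:
            key, value = tok.split("=", 1)
            value = int(value) if value.isdigit() else value
            if key in TUPLE_KEYS:
                if key in entry[direction]:              # repeat: switch to reply side
                    direction = "reply"
                entry[direction][key] = value
            else:                                        # mark=, secmark=, use=, ...
                entry["extra"][key] = value
    return entry


def nat_mapping(entry):
    """Return the SNAT/DNAT address rewrites implied by the two tuples.

    Without NAT the reply tuple mirrors the original one: a reply dst that differs
    from orig src means SNAT, a reply src that differs from orig dst means DNAT.
    """
    orig, reply = entry["orig"], entry["reply"]
    nat = {}
    if reply["dst"] != orig["src"]:
        nat["SNAT"] = (orig["src"], reply["dst"])
    if reply["src"] != orig["dst"]:
        nat["DNAT"] = (orig["dst"], reply["src"])
    return nat
```

Feed it only the flow lines, not the trailing "flow entries have been shown" summary. The entry exposes per-direction packet and byte counters when conntrack accounting is enabled, which answers the "is the mapping right and is traffic flowing" question from the thread but not the jitter one.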