Iptables Match on Direction (IP_CT_IS_REPLY)

Iptables Match on Direction (IP_CT_IS_REPLY)

[Peter Lenci]

Hi there

Is there a possibility to access flag IP_CT_IS_REPLY from an iptables
command?

I have only spotted the "--direction original|reply|both" option from
the connbytes patch
(http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connbytes)
but then I would prefer not to waste memory by counting bytes.

Regards
Peter

______________________________________________________________________ 
Post your free ad now! http://personals.yahoo.ca

Re: Iptables Match on Direction (IP_CT_IS_REPLY)

[Filip Sneppe]

Hi Peter,

On Sat, 26 Feb 2005 07:43:03 -0500 (EST), Peter Lenci
<peterlenci@yahoo.ca> wrote:
> Hi there
> 
> Is there a possibility to access flag IP_CT_IS_REPLY from an iptables
> command?
> 
> I have only spotted the "--direction original|reply|both" option from
> the connbytes patch
> (http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connbytes)
> but then I would prefer not to waste memory by counting bytes.
> 

The "conntrack" match should do what you are looking for. From the help
option:

conntrack match v1.2.11 options:
 [!] --ctstate [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED|SNAT|DNAT][,...]
				State(s) to match
 [!] --ctproto	proto		Protocol to match; by number or name, eg. `tcp'
     --ctorigsrc  [!] address[/mask]
				Original source specification
     --ctorigdst  [!] address[/mask]
				Original destination specification
     --ctreplsrc  [!] address[/mask]
				Reply source specification
     --ctrepldst  [!] address[/mask]
				Reply destination specification
 [!] --ctstatus [NONE|EXPECTED|SEEN_REPLY|ASSURED|CONFIRMED][,...]
				Status(es) to match
 [!] --ctexpire time[:time]	Match remaining lifetime in seconds against
				value or range of values (inclusive)

Regards,
Filip

Re: Iptables Match on Direction (IP_CT_IS_REPLY)

[Peter Lenci]

Hi Filip

 --- Filip Sneppe <filip.sneppe@gmail.com> wrote: 
> On Sat, 26 Feb 2005 07:43:03 -0500 (EST), Peter Lenci
> <peterlenci@yahoo.ca> wrote:
> > Is there a possibility to access flag IP_CT_IS_REPLY from an iptables
> > command?
> > 
> > I have only spotted the "--direction original|reply|both" option from
> > the connbytes patch
> > (http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-connbytes)
> > but then I would prefer not to waste memory by counting bytes.
> > 
> 
> The "conntrack" match should do what you are looking for. From the help
> option:

I studied conntrack but didn't find a way to read the direction
of the packet. In fact I was thinking about writing a patch for that
module to add an option "--direction original|reply|both".

How exactly would you determine the direction with conntrack?

Regards
Peter

______________________________________________________________________ 
Post your free ad now! http://personals.yahoo.ca

Re: Iptables Match on Direction (IP_CT_IS_REPLY)

[Patrick McHardy]

Peter Lenci wrote:
> I studied conntrack but didn't find a way to read the direction
> of the packet. In fact I was thinking about writing a patch for that
> module to add an option "--direction original|reply|both".
> 
> How exactly would you determine the direction with conntrack?

CTINFO2DIR(ctinfo) of ctinfo returned by ip_conntrack_get gives you the
direction. If you want to make a patch for ipt_conntrack it should be
similar to Rusty's recent patch "Add bitops to ipt_MARK without breaking
compatbility".

Regards
Patrick