Conntrack helper question

Conntrack helper question

[Sebastian Zander]

Hi netfilter devs,

In current Netfilter is there still a way for a conntrack helper to 
listen to all TCP traffic _independent_ of ports to look for primary 
connections (other than registering with 65535 tuples)? Not that I 
advocate this, I just have some old piece of code that apparently did 
that in ancient 2.6 kernels (ports set to zero in the tuple).

Please cc me, since I'm not on the list. Many thanks in advance!

Cheers,

Sebastian

Re: Conntrack helper question

[Pablo Neira Ayuso]

On Tue, Nov 27, 2012 at 12:03:31PM +1100, Sebastian Zander wrote:
> Hi netfilter devs,
> 
> In current Netfilter is there still a way for a conntrack helper to
> listen to all TCP traffic _independent_ of ports to look for primary
> connections (other than registering with 65535 tuples)? Not that I
> advocate this, I just have some old piece of code that apparently
> did that in ancient 2.6 kernels (ports set to zero in the tuple).

With recent kernels you can attach your helper via -j CT --helper ...
to all ports for some specific layer 4 protocol, eg. TCP.

The ports specified in the registration are simply ignored, we still
keep them there to support for old behaviour for quite some time
though.