Matching by packet connection

Matching by packet connection

[Gilad Benjamini]

Is there a way to match a packet against a connection's direction ?

e.g. apply this rule
iptables -A chain --destination mymachine -m state --state ESTABLISHED
-j another_chain
only to packets belonging to CONNECTIONS with destination mymachine

conntrack definitely knows has this information.

Re: Matching by packet connection

[Pascal Hambourg]

Hello,

Gilad Benjamini a écrit :
> Is there a way to match a packet against a connection's direction ?
> 
> e.g. apply this rule
> iptables -A chain --destination mymachine -m state --state ESTABLISHED
> -j another_chain
> only to packets belonging to CONNECTIONS with destination mymachine

I think the 'conntrack' match is what you need.

-m conntrack --ctorigdst <mymachine> --ctstate ESTABLISHED

Re: Matching by packet connection

[Gilad Benjamini]

>Hello,
>
>Gilad Benjamini a écrit :
>> Is there a way to match a packet against a connection's direction ?
>>
>> e.g. apply this rule
>> iptables -A chain --destination mymachine -m state --state ESTABLISHED
>> -j another_chain
>> only to packets belonging to CONNECTIONS with destination mymachine
>
>I think the 'conntrack' match is what you need.
>
>-m conntrack --ctorigdst <mymachine> --ctstate ESTABLISHED

This would work in the specific example but not in the more general case.
Suppose my rule is based on interface, port, or any other thing that
does not include the source and/or destination.
I am looking for a more generic approach
"If a packet matches <condition> and the state is ESTABLISHED and the
packet is in the same direction as the connection, then do
<something>"

Re: Matching by packet connection

[Pascal Hambourg]

Gilad Benjamini a écrit :
> 
> "If a packet matches <condition> and the state is ESTABLISHED and the
> packet is in the same direction as the connection, then do
> <something>"

If I understand correctly, you want to match packets which are in the 
original direction of the connection they belong to (i.e. the same 
direction as the first packet) ?

Re: Matching by packet connection

[Philip Craig]

Gilad Benjamini wrote:
> Is there a way to match a packet against a connection's direction ?
> 
> e.g. apply this rule
> iptables -A chain --destination mymachine -m state --state ESTABLISHED
> -j another_chain
> only to packets belonging to CONNECTIONS with destination mymachine
> 
> conntrack definitely knows has this information.

Yes it does, but I don't think anyone has written a match to access it.
Can you give an example of what action another_chain does that you
only want to do for one direction?  Maybe there is another way to solve
your problem.