* Matching by packet connection
@ 2007-11-16 8:41 Gilad Benjamini
2007-11-16 9:31 ` Pascal Hambourg
2007-11-20 1:13 ` Philip Craig
0 siblings, 2 replies; 5+ messages in thread
From: Gilad Benjamini @ 2007-11-16 8:41 UTC (permalink / raw)
To: netfilter
Is there a way to match a packet against a connection's direction ?
e.g. apply this rule
iptables -A chain --destination mymachine -m state --state ESTABLISHED
-j another_chain
only to packets belonging to CONNECTIONS with destination mymachine
conntrack definitely knows has this information.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Matching by packet connection
2007-11-16 8:41 Matching by packet connection Gilad Benjamini
@ 2007-11-16 9:31 ` Pascal Hambourg
2007-11-20 1:13 ` Philip Craig
1 sibling, 0 replies; 5+ messages in thread
From: Pascal Hambourg @ 2007-11-16 9:31 UTC (permalink / raw)
To: netfilter
Hello,
Gilad Benjamini a écrit :
> Is there a way to match a packet against a connection's direction ?
>
> e.g. apply this rule
> iptables -A chain --destination mymachine -m state --state ESTABLISHED
> -j another_chain
> only to packets belonging to CONNECTIONS with destination mymachine
I think the 'conntrack' match is what you need.
-m conntrack --ctorigdst <mymachine> --ctstate ESTABLISHED
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Matching by packet connection
2007-11-16 8:41 Matching by packet connection Gilad Benjamini
2007-11-16 9:31 ` Pascal Hambourg
@ 2007-11-20 1:13 ` Philip Craig
1 sibling, 0 replies; 5+ messages in thread
From: Philip Craig @ 2007-11-20 1:13 UTC (permalink / raw)
To: Gilad Benjamini; +Cc: netfilter
Gilad Benjamini wrote:
> Is there a way to match a packet against a connection's direction ?
>
> e.g. apply this rule
> iptables -A chain --destination mymachine -m state --state ESTABLISHED
> -j another_chain
> only to packets belonging to CONNECTIONS with destination mymachine
>
> conntrack definitely knows has this information.
Yes it does, but I don't think anyone has written a match to access it.
Can you give an example of what action another_chain does that you
only want to do for one direction? Maybe there is another way to solve
your problem.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: Matching by packet connection
@ 2007-11-16 20:24 Gilad Benjamini
2007-11-16 21:18 ` Pascal Hambourg
0 siblings, 1 reply; 5+ messages in thread
From: Gilad Benjamini @ 2007-11-16 20:24 UTC (permalink / raw)
To: netfilter
>Hello,
>
>Gilad Benjamini a écrit :
>> Is there a way to match a packet against a connection's direction ?
>>
>> e.g. apply this rule
>> iptables -A chain --destination mymachine -m state --state ESTABLISHED
>> -j another_chain
>> only to packets belonging to CONNECTIONS with destination mymachine
>
>I think the 'conntrack' match is what you need.
>
>-m conntrack --ctorigdst <mymachine> --ctstate ESTABLISHED
This would work in the specific example but not in the more general case.
Suppose my rule is based on interface, port, or any other thing that
does not include the source and/or destination.
I am looking for a more generic approach
"If a packet matches <condition> and the state is ESTABLISHED and the
packet is in the same direction as the connection, then do
<something>"
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2007-11-20 1:13 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-11-16 8:41 Matching by packet connection Gilad Benjamini
2007-11-16 9:31 ` Pascal Hambourg
2007-11-20 1:13 ` Philip Craig
-- strict thread matches above, loose matches on Subject: below --
2007-11-16 20:24 Gilad Benjamini
2007-11-16 21:18 ` Pascal Hambourg
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox