FTP connection tracking module
Tue, 23 Oct 2001 01:57:58 +0200
I'm using netfilter on my personnal lan at home and I'm greatly satisfied
But, I miss a feature and I was thinking about implementing it. But first,
since I am an *ok* (I think ;p) programmer in C but I have never touched
anything like the linux kernel/modules nor firewalling solutions, I would
like some advice.
My idea is that, right now FTP conntrack is only listenning on port 21 (a
simple test against htons(21)).
I would like to change that so that netfilter at best detects FTP trafics
automaticly or at least that there are some /proc trics to had some ports.
I would ten times prefer the first behavior. I look into it and one of the
idea I thought of was to use dsniff type of mecanisism to guess the
protocol. Then creating a prerouting target that would mark packets
depending on protocols. (in my opinion, this sound like something really
neat for routing/filtering/QoS etc... than just rules based on port matching).
But now I'm facing some problems :
- I can only analyse the protocol once the connection is established and
that is a pain. If any of you had an idea about how to do it sooner...
- I have no idea about the performance impact and I'm kinda afraid of it ;p
I would really greatly appriciate anytime of comment about it (you can tell
me if you think I'm crazy ;P)
P.S. I'm french and, well, I'm sorry if my english sounds weird or if I
can't speel properly.
Charles-Henri de Boysson
Student in 4th year of computer science ingenering at EPITA, Paris.
(Ecole Pour l'Informatique et les Techniques Avancees)
(School for computer science and advanced technologies)