FTP connection tracking module

Ceache ceache@club-internet.fr
Tue, 23 Oct 2001 01:57:58 +0200

I'm using netfilter on my personnal lan at home and I'm greatly satisfied 
with it.
But, I miss a feature and I was thinking about implementing it. But first, 
since I am an *ok* (I think ;p) programmer in C but I have never touched 
anything like the linux kernel/modules nor firewalling solutions, I would 
like some advice.

My idea is that, right now FTP conntrack is only listenning on port 21 (a 
simple test against htons(21)).
I would like to change that so that netfilter at best detects FTP trafics 
automaticly or at least that there are some /proc trics to had some ports.

I would ten times prefer the first behavior. I look into it and one of the 
idea I thought of was to use dsniff type of mecanisism to guess the 
protocol. Then creating a prerouting target that would mark packets 
depending on protocols. (in my opinion, this sound like something really 
neat for routing/filtering/QoS etc... than just rules based on port matching).
But now I'm facing some problems :

- I can only analyse the protocol once the connection is established and 
that is a pain. If any of you had an idea about how to do it sooner...
- I have no idea about the performance impact and I'm kinda afraid of it ;p

I would really greatly appriciate anytime of comment about it (you can tell 
me if you think I'm crazy ;P)

P.S. I'm french and, well, I'm sorry if my english sounds weird or if I 
can't speel properly.

Charles-Henri de Boysson
Student in 4th year of computer science ingenering at EPITA, Paris.
(Ecole Pour l'Informatique et les Techniques Avancees)
(School for computer science and advanced technologies)