Add rule information into ip_conntrack in the match module

Yasuyuki KOZAKAI yasuyuki.kozakai at toshiba.co.jp
Wed Jan 25 02:30:54 CET 2006


Hi,

From: "Vincent" <cs83152 at csie.chu.edu.tw>
Date: Wed, 25 Jan 2006 09:10:25 +0800

> Hello folks
> 
> I am writing a match module (ex. XYZ match) currently. One of the
> important features is: when the specified iptables rule (ex. Rule1)
> that includes the XYZ match (-m XYZ) hits a packet,
> I hope the match module will "remember" the status and will always hit
> the subsequent packets of the same connection.
> Besides, only the match module of the original hitting rule (Rule1) can
> return true for the packets of the same connection.
> Other iptables rules which also have the XYZ match cannot hit the packets of
> the same connection anymore.
> 
> One method to solve this problem that I know of is that we can record the
> iptables rule (ex. ipt_entry) information into the ip_conntrack data
> structure.
> And we can use the rule info of ip_conntrack in the later match function
> comparison. But one critical point is that we cannot get the ipt_entry
> (or other similar info) in the match function of the match module...  :(
> 
> So I am thinking whether there exists any other method or substitute to
> solve the problem.
> Any suggestion or idea is welcome, thanks

How about using the 'connmark' match and 'CONNMARK' target? For example,

iptables -A INPUT ... -m XYZ ... -j CONNMARK --set-mark 1
iptables -A INPUT ... -m connmark --mark 1 -j ...

-- Yasuyuki Kozakai
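To make the suggestion above concrete, the following is an added toy model (written for this page in Python; it is not netfilter code and not the asker's module) of how CONNMARK and connmark give the "only the original rule keeps hitting" behaviour the asker wants. The extra `-m connmark --mark 0` guard on the XYZ rules, the payload-keyword stand-in for the XYZ match, and the two flows are assumptions.

```python
# Added example (not netfilter code): toy model of the connmark/CONNMARK idea above.
# conntrack keeps one mark per connection; "-j CONNMARK --set-mark N" writes it and
# "-m connmark --mark N" reads it, so later rules can see which XYZ rule claimed a flow.
from typing import Callable, Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src, sport, dst, dport): the conntrack key

class Rule:
    def __init__(self, name, xyz=None, connmark=None, set_mark=None, verdict=None):
        self.name = name            # rule label (Rule1, Rule2, ...)
        self.xyz = xyz              # -m XYZ predicate on the packet, or None
        self.connmark = connmark    # -m connmark --mark N, or None
        self.set_mark = set_mark    # -j CONNMARK --set-mark N (non-terminating)
        self.verdict = verdict      # -j ACCEPT / DROP (terminating)

class Chain:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.conntrack: Dict[Flow, int] = {}   # connection -> mark (0 = unmarked)

    def process(self, pkt: dict) -> Tuple[str, Optional[str]]:
        # Walk the chain for one packet; return (verdict, terminating rule name).
        flow: Flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        mark = self.conntrack.setdefault(flow, 0)
        for r in self.rules:
            if r.xyz is not None and not r.xyz(pkt):
                continue
            if r.connmark is not None and mark != r.connmark:
                continue
            if r.set_mark is not None:              # CONNMARK: set mark, keep going
                self.conntrack[flow] = mark = r.set_mark
                continue
            return r.verdict, r.name
        return "POLICY", None

def demo() -> List[Tuple[str, Optional[str]]]:
    # XYZ is modelled as a payload keyword. "-m connmark --mark 0" on the XYZ rules
    # lets only a still-unmarked connection be claimed, which is the asker's requirement.
    chain = Chain([
        Rule("Rule1", xyz=lambda p: b"alpha" in p["data"], connmark=0, set_mark=1),
        Rule("Rule2", xyz=lambda p: b"beta" in p["data"], connmark=0, set_mark=2),
        Rule("Accept1", connmark=1, verdict="ACCEPT"),
        Rule("Drop2", connmark=2, verdict="DROP"),
    ])
    a = dict(src="10.0.0.1", sport=40000, dst="10.0.0.2", dport=80)  # constructed flow A
    b = dict(src="10.0.0.3", sport=40001, dst="10.0.0.2", dport=80)  # constructed flow B
    pkts = [{**a, "data": b"alpha"},  # Rule1 claims flow A (mark 1) -> ACCEPT
            {**a, "data": b"beta"},   # Rule2's XYZ hits but A is marked: Accept1 again
            {**a, "data": b"zzz"},    # no XYZ hit; the connmark alone decides
            {**b, "data": b"beta"}]   # fresh flow B is claimed by Rule2 -> DROP
    return [chain.process(p) for p in pkts]
```

The second packet of flow A is the interesting case: Rule2's XYZ predicate matches, but the connection already carries mark 1, so Rule2 cannot take it over.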