On Sunday 07 April 2002 00:09, Eric Wirt wrote:

> 1) I'm not terribly familiar with the netfilter architecture.
> Maybe one of the netfilter developers can chime in and tell me what
> the proper way to hook into netfilter would be?
I am not a core developer, but clearly the correct approach to UPnP is a userspace daemon responding to UPnP messages and reconfiguring the iptables kernel as needed.

I don't think there is a clean way to fully ensure the port is free short of having the application actually open the port. If the application has the port open, then it is guaranteed not to be assigned by the kernel or netfilter for anything else, while still allowing you to install DNAT rules forwarding any connections to the client.

When receiving a request for N ports, open N sockets and bind them to allocate ports. Then install DNAT rules on these ip:ports to forward any incoming connections to the client as required. I am not 100% sure the IP kernel is aware of port allocations done by netfilter, however.

The ports do not need to be opened in the INPUT chain. DNAT intercepts them in PREROUTING. The only relevance with INPUT is that, as a safety measure, you might want to add filter rules in INPUT dropping/rejecting any traffic hitting these ports when/if there is no active DNAT rule.

Regards
Henrik Nordström
MARA Systems AB, Sweden