Mr. Jozsef,

--- Jozsef Kadlecsik <[EMAIL PROTECTED]> wrote:
> On Wed, 17 Apr 2002, Brad Chapman wrote:
> 
> > > So we need to filter them out before conntrack and currently that seems
> > > impossible without adding the notrack/prestate table.
> 
> >         Everyone so far seems to be thinking about adding a new
> > autonomous table with separate hooks positioned at a priority
> > NF_IP_PRI_FIRST < x < NF_IP_PRI_CONNTRACK (where x is the priority of
> > the new table) for the purposes of selecting which packets to exempt
> > from the conntrack system. What about hooking the table directly into
> > the conntrack core, and simply calling ipt_do_table() _before_ the
> > ip_conntrack_in() function is entered, either directly at
> > NF_IP_PRE_ROUTING, or after ip_conntrack_local() at NF_IP_LOCAL_OUT?
> 
> It would be confusing. One could think: the 'conntrack' table is for
> adjusting the conntrack subsystem. But we are not going to do that (only
> indirectly, by selecting packets *not* to enter conntrack).

       Huh? What we're discussing with the notrack table sounds very much like
direct conntrack adjustment. The advantage with attaching the table directly to
the conntrack module is that later on, conntrack-specific matches and targets
can be created solely for the conntrack table (again, precedent: SNAT, DNAT,
and NETMAP). One such item is something that would deprecate module command-line
arguments for the conntrack/NAT helpers. Example:

       To track non-standard port numbers for the FTP and IRC conntrack/NAT helpers,
you do this:

       modprobe ip_conntrack_[ftp,irc] ports=X,X,X,etc....
       modprobe ip_nat_[ftp,irc] ports=X,X,X,etc....

       Instead, with a conntrack table, you could do this:

       iptables -t conntrack -A PREROUTING -p tcp --sport X[,X,X]
                -j HELPER --helper ftp (or irc, talk, H.323, etc....)

       That is one reason why a conntrack table should be created - it creates
a ready system for doing all kinds of sensitive connection tracking manipulations.

> 
> Regards,
> Jozsef
> -

Brad


=====
Brad Chapman

Permanent e-mail: [EMAIL PROTECTED]
Current e-mail: [EMAIL PROTECTED]
Alternate e-mail: [EMAIL PROTECTED]

__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://taxes.yahoo.com/

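For readers looking at this thread today: the design being argued about above is essentially what later shipped as the `raw` table, which hooks at a priority ahead of conntrack and offers a `NOTRACK` target to exempt packets and a `CT` target (`--helper`) to pin a helper to a port, replacing the `ports=` module arguments Brad objects to. The script below is an added example written for this page, not code from the thread or from the netfilter project. It assumes an iptables with the `CT` target (kernel 2.6.34 or later), the `nf_conntrack_ftp` and `nf_conntrack_irc` modules, and the `nf_conntrack_helper` sysctl (kernel 3.5 or later); the port numbers and the 10.0.0.0/8 prefix are made up for illustration. By default it only prints the commands so they can be reviewed; set `APPLY=1` to run them as root.

```shell
#!/bin/sh
# Added example, not part of the original thread. Generates (and optionally
# applies) raw-table rules that do what the proposed "conntrack table" was
# meant to do: exempt packets from tracking (NOTRACK) and attach a helper to
# a non-standard port (CT --helper) instead of "modprobe ... ports=X,X".
#
# Assumptions: iptables with the CT target, nf_conntrack_{ftp,irc} modules,
# the net.netfilter.nf_conntrack_helper sysctl. Ports/prefixes are made up.

# helper_rules HELPER PORT...
# Emit one PREROUTING and one OUTPUT rule per port so that both forwarded
# and locally generated control connections get the helper attached.
helper_rules() {
    helper=$1
    shift
    for port in "$@"; do
        printf 'iptables -t raw -A PREROUTING -p tcp --dport %s -j CT --helper %s\n' "$port" "$helper"
        printf 'iptables -t raw -A OUTPUT -p tcp --dport %s -j CT --helper %s\n' "$port" "$helper"
    done
}

# notrack_rules PREFIX...
# Emit rules that keep traffic from/to the given prefixes out of conntrack
# entirely (the "filter them out before conntrack" case from the thread).
notrack_rules() {
    for net in "$@"; do
        printf 'iptables -t raw -A PREROUTING -s %s -j NOTRACK\n' "$net"
        printf 'iptables -t raw -A OUTPUT -d %s -j NOTRACK\n' "$net"
    done
}

# build_ruleset
# The helper modules still have to be loaded, but without ports= arguments.
# Disabling automatic helper assignment means ONLY ports named in CT rules
# get a helper, so the standard port (21) must be listed explicitly too.
build_ruleset() {
    echo 'modprobe nf_conntrack_ftp'
    echo 'modprobe nf_conntrack_irc'
    echo 'sysctl -w net.netfilter.nf_conntrack_helper=0'
    helper_rules ftp 21 2121
    helper_rules irc 6667
    notrack_rules 10.0.0.0/8
}

# Print for review unless APPLY=1; then execute as root, stopping on error.
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | sh -e
else
    build_ruleset
fi
```

To confirm the result on a live box, `iptables -t raw -S` should list the rules above, and `conntrack -L` (or `/proc/net/nf_conntrack`) will show `helper=ftp` on a control connection to port 2121 and no entry at all for flows matched by `NOTRACK`.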