Stéphane Veyret <svey...@gmail.com> wrote:
> A few words on the specs I imagined for the port triggering:
> 
> table ip trigger {
>      chain postrouting {
>           type filter hook postrouting priority 0;
>           ip dport 554 trigger open rtsp timeout 300 # Open the
> trigger named rtsp if packet arrives for port 554 - trigger will close
> in 300s if not refreshed. This will record source (client) and target
> (server) address
>      }
> }
> 
> table ip nat {
>      chain prerouting {
>           type nat hook prerouting priority 0;
>           ip dport 6970-7170 trigger dnat rtsp # If trigger is open
> and source is recorded server address, DNAT the packet to recorded
> client address
>      }
> }

You might already be able to do this with maps, however it looks
like it might be better to just allow to set conntrack expectations from
nftables rules/packet path instead.

(Or I still fail to understand what you want to do; it does
 sound exactly like expectations, e.g. for the ftp data channel in
 response to a PASV command on the ftp control channel).

Something like:

chain postrouting {
        type filter hook postrouting priority 0;
        # tell kernel to install an expectation
        # arriving on udp ports 6970-7170
        # expectation will follow whatever NAT transformation
        # is active on master connection
        # expectation is removed after 5 minutes
        # (we could of course also allow to install an expectation
        # for 'foreign' addresses as well but I don't think it's needed
        # yet)
        ip dport 554 ct expectation set udp dport 6970-7170 timeout 5m
}

table ip filter {
      chain forward {
           ip dport 6970-7170 ct status expected accept
      }
}

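As an added illustration (not part of the thread, and not the syntax either author proposed), here is how the same port-triggering idea looks with the `ct expectation` object that later nftables releases provide. It assumes that object syntax (`protocol`, `dport`, `timeout`, `size`, `l3proto` fields, referenced from a rule with `ct expectation set "name"`), and that the expectation is created for a flow from the master connection's reply-direction source (the RTSP server) back to the client, so NAT applied to the control connection carries over to the data ports. The table and object names are made up for the example.

```nft
table ip trigger {
    # Expectation template (assumed later-nftables syntax): when a rule
    # references it, the kernel installs an expectation for a UDP flow
    # between the two endpoints of the master connection, limited to the
    # given destination port range and expiring after the timeout.
    ct expectation rtsp_data {
        protocol udp
        dport 6970-7170
        timeout 5m
        size 8
        l3proto ip
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows already tracked are fine.
        ct state established accept

        # RTSP control channel: on the first packet, register the expectation
        # for the data channel instead of opening the port range statically.
        tcp dport 554 ct state new ct expectation set "rtsp_data" accept

        # UDP data packets only pass when they were expected, i.e. when a
        # control connection to port 554 preceded them; unsolicited packets
        # into 6970-7170 hit the drop policy.
        udp dport 6970-7170 ct status expected accept
    }
}
```

Compared with the static "trigger open / trigger dnat" tables quoted above, the expectation carries the client and server addresses itself, so there is no separate state to refresh or look up, and a data-port rule that requires `ct status expected` cannot be satisfied by a packet that arrives without a matching control connection.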