Build RELATED rules/bindings from config file at run-time?

2002-05-27 Thread Peter Hartzler

Greetings!

I've been poking around looking for any sign of a way to create RELATED
bindings from a text file at run-time, and/or via command switches.  The
idea is that some connections involve related traffic which may originate
from a different host than the stream of primary interest, e.g. an SMB
file/print/whatever server vs. the PDC, or perhaps an IDENT server vs.
some other service.  Such a beast might also simplify/streamline the
current need for specific helper modules, or allow them to be locked down
a bit, e.g. narrower port ranges for ftp DATA streams.

I've looked through the modules described in the
netfilter-extensions-HOWTO.html as well as the threads from the last few
months of this list, and from what I can see nothing quite like this
exists. I'm thinking that this sort of thing might be doable and useful.
Perhaps some hack involving mangling and 'recent' could even work...

So, my questions are:

Have I missed something else I should read or consider which speaks to
this concept?  and, in the unlikely event that I haven't, well, how 'bout
it?  :)

Best Regards,

Pete.


Re: Build RELATED rules/bindings from config file at run-time?

2002-05-27 Thread Henrik Nordstrom

For this you will currently need to build your own conntrack helper.

Protocols having port numbers or IP addresses in their payload will
require helpers, but any protocol where the port numbers are well
defined should be fully usable with such a generic helper I suppose.

IDENT presents a bit of a problem for conntrack IIRC, as it applies
to all connections in parallel to the actual application protocol.
From what I recall there can only be one helper per port number.


On Monday 27 May 2002 22:59, Peter Hartzler wrote:
> Greetings!
>
> I've been poking around looking for any sign of a way to create
> RELATED bindings from a text file at run-time, and/or via command
> switches.  The idea is that some connections involve related
> traffic which may originate from a different host than the stream
> of primary interest, e.g. an SMB file/print/whatever server vs. the
> PDC, or perhaps an IDENT server vs. some other service.  Such a
> beast might also simplify/streamline the current need for specific
> helper modules, or allow them to be locked down a bit, e.g.
> narrower port ranges for ftp DATA streams.
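The distinction Henrik draws above (ports carried in the payload need a protocol-specific helper; fixed, well-known ports could be served by a generic table) is easier to see with the two mechanisms side by side. The following is an added userspace model written for this page, not netfilter code and not anything posted in the thread. Part (1) mimics what the kernel FTP helper does with one control-channel line: it parses PORT/227 replies, refuses addresses that differ from the peer that sent the command unless the "loose" behaviour is enabled (the real nf_conntrack_ftp module has a `loose` parameter for exactly this case, which otherwise lets a server or client open holes toward third-party hosts), and adds the data-port range narrowing Peter asked for. Part (2) models his config-file proposal: a static table that, when a new connection to a well-defined port is seen, registers an expected RELATED flow whose endpoints may be a different host. The config format, the host 192.0.2.1, the SMB-to-DC rule and all sample payloads are constructed for the example and hypothetical; the real helper does not take a port range itself (that is done with a matching iptables rule).

```python
"""Userspace model of two ways a RELATED flow can be announced to conntrack.

(1) a payload-parsing helper (FTP PORT / 227 PASV reply), modelled on what
    nf_conntrack_ftp does, plus an optional data-port range restriction;
(2) a static, config-driven expectation table for protocols whose ports are
    fixed, where the related flow may involve a different host.

Illustration only: this is not netfilter code and does not touch the kernel.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Expectation:
    """One expected RELATED flow, as a helper would register it with conntrack."""
    proto: str
    src: str
    dst: str
    dport: int


# ---- (1) helper that reads ports out of the FTP control channel -----------
_SIX = rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_RE = re.compile(rb"^PORT " + _SIX)            # client -> server, active mode
PASV_RE = re.compile(rb"^227 [^(]*\(" + _SIX + rb"\)")  # server -> client, passive mode

# Constructed sample payloads (not captured traffic).
SAMPLE_PORT_CMD = b"PORT 192,0,2,10,4,1\r\n"                          # 192.0.2.10:1025
SAMPLE_PASV_REPLY = b"227 Entering Passive Mode (198,51,100,7,195,89).\r\n"  # 198.51.100.7:50009


def _decode(groups) -> Optional[Tuple[str, int]]:
    """Turn the six h1,h2,h3,h4,p1,p2 fields into (ip, port); None if malformed."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        return None
    return "%d.%d.%d.%d" % tuple(vals[:4]), vals[4] * 256 + vals[5]


def ftp_expectation(payload: bytes, client_ip: str, server_ip: str,
                    data_ports: Tuple[int, int] = (1024, 65535),
                    loose: bool = False) -> Optional[Expectation]:
    """Return the RELATED data-connection expectation a control line implies.

    client_ip/server_ip are the endpoints of the control connection.  Unless
    `loose` is set, an address that is not the sender of the line is refused,
    because honouring it would let the FTP peer open a hole toward a third
    host.  data_ports narrows which ports may be expected (constructed knob,
    modelling the "narrower port ranges" idea from the thread).
    """
    lo, hi = data_ports
    for regex, sender, connector in ((PORT_RE, client_ip, server_ip),
                                     (PASV_RE, server_ip, client_ip)):
        m = regex.match(payload)
        if not m:
            continue
        decoded = _decode(m.groups())
        if decoded is None:
            return None
        ip, port = decoded
        if not loose and ip != sender:
            return None          # third-party address: do not record (cf. module param `loose`)
        if not lo <= port <= hi:
            return None          # outside the permitted data-port window
        return Expectation("tcp", connector, ip, port)
    return None


# ---- (2) static expectations from a config file (the thread's proposal) ---
# Constructed, hypothetical format: trigger proto/port, then the related flow.
# "client" and "server" resolve to the endpoints of the triggering connection.
SAMPLE_CONFIG = """
# trigger      related: proto src dst dport
tcp 25         tcp server client 113       # ident lookup back to the SMTP client
tcp 139        tcp server 192.0.2.1 445    # file server passes auth through to the DC (hypothetical)
"""

Rule = Tuple[str, str, str, int]


def parse_static_rules(text: str) -> Dict[Tuple[str, int], List[Rule]]:
    rules: Dict[Tuple[str, int], List[Rule]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 6:
            raise ValueError("bad rule: %r" % raw)
        tproto, tport, rproto, rsrc, rdst, rport = fields
        rules.setdefault((tproto, int(tport)), []).append((rproto, rsrc, rdst, int(rport)))
    return rules


def static_expectations(rules, proto: str, client_ip: str, server_ip: str,
                        dport: int) -> List[Expectation]:
    """Expectations to register when a NEW connection hits a well-defined port."""
    names = {"client": client_ip, "server": server_ip}
    return [Expectation(rproto, names.get(rsrc, rsrc), names.get(rdst, rdst), rport)
            for rproto, rsrc, rdst, rport in rules.get((proto, dport), [])]


if __name__ == "__main__":
    print(ftp_expectation(SAMPLE_PORT_CMD, "192.0.2.10", "198.51.100.7"))
    print(ftp_expectation(SAMPLE_PASV_REPLY, "192.0.2.10", "198.51.100.7"))
    print(static_expectations(parse_static_rules(SAMPLE_CONFIG), "tcp",
                              "192.0.2.10", "198.51.100.7", 25))
```

Note that the table in part (2) is keyed on the trigger port and holds a list, so one trigger can register several expectations; that is a property of this toy, not a statement about what the 2002 conntrack core allowed, where Henrik recalls a one-helper-per-port limit.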