Hello all,

From my reading of the iptables manpage I have come across the "helper"
match:

   helper
       This module matches packets related to a specific conntrack-helper.

       --helper string
              Matches packets related to the specified conntrack-helper.

              string  can  be  "ftp"  for  packets related to a ftp-session on
              default port.  For other ports append -portnr to the value,  ie.
              "ftp-2121".

              Same rules apply for other conntrack-helpers.

This seems a very interesting match target.  I wonder if all helpers can
be used with this match (i.e. is it built into the conntrack framework
enough that each conntrack module does not need to specifically add
support for it).  For example would:

 pkts bytes target prot opt in out source    destination
    0     0 MARK   all  --  *  *   0.0.0.0/0 0.0.0.0/0    helper match "sip" MARK set 0x1

actually match SIP packets and set the specified (0x1) mark on it?  I
understand that RELATED packets inherit the mark too, so this should
also result in the marking of the RTP streams brokered by the SIP
packets, no?

It's getting late here to start playing with this option but I will give
this a spin tomorrow.  Of course the relevance to Shorewall is going to
be how to create arbitrary matches like this in Shorewall configuration
files, specifically the tcrules file.  :-)

Cheers,
b.

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
