On Thu, 2008-06-05 at 11:49 -0400, Brian J. Murrell wrote:
> On Thu, 2008-06-05 at 07:36 -0700, Tom Eastep wrote:
> > 
> > I don't know. I haven't played with it.
> 
> Yeah.  I gave it a quick shot this morning.  No joy yet.

I seem to have proven this works!

Here's my tcfor chain:

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination
 4267  945K CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            CONNMARK restore mask 0xff
 3379  670K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match !0x0/0xff
    1   200 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0            helper match "sip" MARK set 0x1
    1   200 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0            MARK match !0x0/0xff CONNMARK save mask 0xff

This was newly loaded right before I placed a SIP call via my Asterisk
PBX.

That "1" packet in the helper match "sip" rule corresponds to the
outgoing SIP packet to a SIP provider and the large count in the first
two rules is the RTP stream.  Here is the ip_conntrack entry for the RTP
stream:

# grep -e 11822 /proc/net/ip_conntrack
udp      17 179 src=64.22.120.13 dst=67.193.220.102 sport=27904 dport=11822 packets=1255 bytes=251000 src=10.75.22.3 dst=64.22.120.13 sport=11822 dport=27904 packets=1246 bytes=249200 [ASSURED] mark=257 use=1

The "mark=257" is a result of the mark set above as well as the MultiISP
routing mark.

Sweet.

Is there a short-term hack I can use to insert a rule of the following
form:

# iptables -t mangle -I tcfor 3 -m helper --helper sip -j MARK --set-mark 0x1

Where "3" is the number of rules (or number of the last rule) in the
tcfor chain?

I'm thinking of something in the "start" script, or even a compile-time
script, but I don't know if I have knowledge of the number of rules in a
given chain or not.  I suppose I could just count them in the script,
but that's a bit hacky.  :-)

I'm using shorewall-perl 4.0.6 on the control station and shorewall-lite
4.0.5 on the router.

b.
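An added example (not code from the original post or from Shorewall) of the "just count them in the script" approach: a small POSIX shell helper that derives the insert position from an `iptables -S`-style listing of the chain and builds the `-I` command, so the helper rule lands just before the final CONNMARK save rule. The listing below is a constructed sample mirroring the tcfor chain above, used so the script runs without root; on a router it would come from `iptables -t mangle -S tcfor`.

```shell
#!/bin/sh
# Added example: place a rule just before the last rule of a chain by counting
# its existing rules from an iptables-save style listing ("iptables -S CHAIN").

# Constructed sample of "iptables -t mangle -S tcfor" before the helper rule exists.
SAMPLE_LISTING='-N tcfor
-A tcfor -j CONNMARK --restore-mark --nfmask 0xff --ctmask 0xff
-A tcfor -m mark ! --mark 0x0/0xff -j RETURN
-A tcfor -m mark ! --mark 0x0/0xff -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff'

# count_rules LISTING CHAIN: number of "-A CHAIN ..." lines in the listing.
# "|| true" keeps grep's exit status 1 on zero matches from aborting under set -e.
count_rules() {
    printf '%s\n' "$1" | grep -c -- "^-A $2 " || true
}

# insert_position LISTING CHAIN: iptables positions are 1-based, so inserting at
# index == rule count puts the new rule directly before the current last rule.
insert_position() {
    n=$(count_rules "$1" "$2")
    [ "$n" -ge 1 ] || n=1   # empty chain: insert at position 1
    echo "$n"
}

# build_insert_cmd LISTING CHAIN: the command to run, returned as a string so it
# can be inspected (or eval'd from a Shorewall "start" extension script).
build_insert_cmd() {
    pos=$(insert_position "$1" "$2")
    echo "iptables -t mangle -I $2 $pos -m helper --helper sip -j MARK --set-mark 0x1"
}

# Live use would be: build_insert_cmd "$(iptables -t mangle -S tcfor)" tcfor
build_insert_cmd "$SAMPLE_LISTING" tcfor
```

With the sample chain the helper reports 3 rules and emits exactly the `-I tcfor 3` command quoted in the post.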

Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users