Hi,

I would like to have a specific connection act like an "authentication" service; that is, when a connection to a specific port is made and once the required data has passed between the two hosts, the client is considered authenticated, permitting access to other network services which are flagged with the RELATED state (and not the NEW one).

I implemented this in a very simple conntrack module. For example, with the module in place, I can use something like:

  iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT

...and it works once the "parent" connection has "authenticated" the client.

However, currently it seems I can only specify one single destination port in the expectation (this would be port 22 in my example above), whereas I would like to be able to support *any* port (as we can with the source port). The filtering would then be done using subsequent iptables rules.

Is this possible? It seems it was possible a while ago (while exp->mask.dst was still present), but this was removed and I don't see how I can achieve the same functionality with the current structures. Am I missing something?

Thanks a lot!

--
Simon Labrecque