Btw, the manpage for 'socket' match should clearly specify that
an 'open socket' means socket in either listening or established state.
I was first puzzled by what 'open socket' really means...
Now that you mention it, I guess it's "any socket" :-/
On the upside, more feature flags for xt_socket! :)
Indeed. To simulate xt_stealth, we first need xt_socket to allow for
clearly distinguishing tcp sockets in 'listening' state only, and udp
sockets in 'existing' state, I guess (see xt_stealth.c). A separate,
per-"state" match should be possible, though.
I suggest adding support to xt_socket for something like
--sockstate listening
--sockstate established
--sockstate exists
Then, I could write:
iptables -N socktest
iptables -A socktest -p tcp --syn -m socket --sockstate listening -j RETURN
iptables -A socktest -p udp -m socket --sockstate exists -j RETURN
iptables -A socktest -j DROP
iptables -A INPUT -j socktest
Jan
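The following is an added userspace model of the proposed `--sockstate` semantics and of the `socktest` chain above; it is example code written for this page, not netfilter or xt_socket code, and `--sockstate listening|established|exists` is the proposal's hypothetical option, not one xt_socket provides. Instead of the kernel socket tables it looks sockets up in constructed `/proc/net/tcp` and `/proc/net/udp` snapshots (not real captures), using the same lookup order xt_socket uses: exact 4-tuple first, then a bound listening or unconnected socket on the destination port.

```python
"""Userspace model of `-m socket --sockstate` (hypothetical option) and the
socktest chain from the thread. Added example; the constructed /proc/net
snapshots stand in for the kernel socket tables."""
from dataclasses import dataclass
import ipaddress

# Socket state codes as they appear in /proc/net/{tcp,udp}.
TCP_ESTABLISHED = 0x01
TCP_CLOSE = 0x07          # unconnected UDP sockets are listed with this state
TCP_LISTEN = 0x0A

# Constructed snapshots (not real captures): little-endian hex IPv4 address,
# hex port, hex state; trailing columns trimmed.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111
   1: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 11112
"""
PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 22222 2 0000000000000000 0
"""

WILDCARD = ("0.0.0.0", 0)   # remote side of a listening/unconnected socket


@dataclass(frozen=True)
class Sock:
    proto: str
    local: tuple    # (ip, port)
    remote: tuple   # (ip, port), WILDCARD when not connected
    state: int


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # --syn: SYN set, ACK/RST/FIN clear


def _endpoint(field):
    """'0100007F:0016' -> ('127.0.0.1', 22)."""
    addr_hex, port_hex = field.split(":")
    ip = ipaddress.IPv4Address(int.from_bytes(bytes.fromhex(addr_hex), "little"))
    return (str(ip), int(port_hex, 16))


def parse_proc_net(text, proto):
    socks = []
    for line in text.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 4:
            continue
        socks.append(Sock(proto, _endpoint(cols[1]), _endpoint(cols[2]), int(cols[3], 16)))
    return socks


def lookup(socks, pkt):
    """xt_socket-style lookup: exact 4-tuple first, then a socket bound to the
    destination port on the destination address or on 0.0.0.0."""
    for s in socks:
        if (s.proto == pkt.proto and s.local == (pkt.dst, pkt.dport)
                and s.remote == (pkt.src, pkt.sport)):
            return s
    for s in socks:
        if (s.proto == pkt.proto and s.remote == WILDCARD
                and s.local[1] == pkt.dport and s.local[0] in (pkt.dst, "0.0.0.0")):
            return s
    return None


def sockstate_match(socks, pkt, want):
    """Proposed `-m socket --sockstate <want>`; returns True when the rule matches."""
    s = lookup(socks, pkt)
    if s is None:
        return False
    if want == "exists":
        return True
    if want == "listening":
        return s.state == TCP_LISTEN
    if want == "established":
        return s.state == TCP_ESTABLISHED
    raise ValueError(want)


def socktest(socks, pkt):
    """The socktest chain from the thread, rule by rule: 'RETURN' or 'DROP'."""
    if pkt.proto == "tcp" and pkt.syn and sockstate_match(socks, pkt, "listening"):
        return "RETURN"
    if pkt.proto == "udp" and sockstate_match(socks, pkt, "exists"):
        return "RETURN"
    return "DROP"


SOCKS = parse_proc_net(PROC_NET_TCP, "tcp") + parse_proc_net(PROC_NET_UDP, "udp")

if __name__ == "__main__":
    for p in (Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 22, syn=True),
              Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 23, syn=True),
              Packet("udp", "10.0.0.5", 40000, "10.0.0.1", 53),
              Packet("udp", "10.0.0.5", 40000, "10.0.0.1", 123),
              Packet("tcp", "127.0.0.1", 50000, "127.0.0.1", 22)):
        print(p, "->", socktest(SOCKS, p))
```

Running the model shows the stealth behaviour the chain aims at (a SYN to an unbound port and a UDP datagram to an unbound port both reach DROP) and also one consequence of the chain as written: a non-SYN segment of an existing connection (the 127.0.0.1:50000 -> :22 packet, which `--sockstate established` does match) falls through the `--syn` rule and is dropped too, so in practice an `ESTABLISHED` conntrack accept would have to precede the jump to `socktest`.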
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html