On 12/01/11 22:25, Sam Roberts wrote:
> I'm working on a connection tracker for an RPC-like protocol (over TCP).
>
> I believe that by inspecting packets using nfqueue, and
> creating/destroying expectations using nfconntrack, I can do a
> connection tracker in user-space.
>
> In order to remove nfqueue from the mix, I've been looking at the
> conntrack code, trying to figure out whether even notifications about
> connection status can include the TCP data that I need to inspect, the
> data that's in the skbs provided to kernel module conntrack helpers. I
> haven't been able to be certain what libnfconntrack can/cannot do, but
> it seems outside of the usage that the command line tools and
> conntrack daemon need, so I suspect it's not possible.
>
> Can somebody confirm my suspicions?

You can implement a user-space conntrack helper with NFQUEUE and
libnetfilter_conntrack:

http://people.netfilter.org/pablo/userspace-conntrack-helpers/

That's a proof-of-concept; ideally there would be a generic daemon so
you can develop your own plugins for state tracking upon it. That
daemon's on my TODO list.

You require Linux kernel >= 2.6.37
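As an added illustration of the NFQUEUE + libnetfilter_conntrack shape described in the reply (this is not code from the thread or from the linked proof-of-concept), the following is the core of a user-space helper for a TCP control channel: parse the raw IPv4/TCP packet that NFQUEUE hands over, look for a port announcement in the TCP data, and turn it into an expectation. Everything about the protocol is assumed: the thread does not describe the RPC-like protocol, so a hypothetical ASCII message "PORT <n>\n" stands in for it, and the addresses, ports and packet bytes are constructed for the example. The names (build_expectation, make_sample_packet, expected_port_for, on_packet, cth) are mine. The parsing half is portable C and runs as-is; the netfilter glue at the bottom is compiled only with -DUSE_NETFILTER and the two libraries, and, as the reply notes, creating expectations from user space needs a kernel >= 2.6.37. The security-relevant detail a helper must get right is visible in build_expectation: the expected flow is pinned to the host that made the announcement and only the peer's source port is wildcarded, so a client cannot use the control channel to open a pinhole to a third party, and an out-of-range or unterminated port is ignored rather than guessed.

```c
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>                 /* htonl/htons/ntohl */

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; }; /* addrs net order, ports host order */
struct expectation { struct tuple master, expected; };

/* Parse an IPv4/TCP datagram as nfq_get_payload() hands it over; trust no length field in it. */
static int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct tuple *t, const uint8_t **pl, size_t *pn)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4, tot = (pkt[2] << 8) | pkt[3];
    if (ihl < 20 || tot < ihl + 20 || tot > len || pkt[9] != 6 /* TCP */) return -1;
    const uint8_t *tcp = pkt + ihl; size_t doff = (tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot) return -1;
    memcpy(&t->saddr, pkt + 12, 4); memcpy(&t->daddr, pkt + 16, 4);
    t->sport = (uint16_t)((tcp[0] << 8) | tcp[1]); t->dport = (uint16_t)((tcp[2] << 8) | tcp[3]);
    *pl = tcp + doff; *pn = tot - ihl - doff; return 0;
}

/* Hypothetical control message "PORT <n>\n" (stand-in for the undescribed RPC protocol):
 * the sender announces the port its peer will connect to next. Junk is rejected, not guessed. */
static int find_announced_port(const uint8_t *p, size_t n, uint16_t *port)
{
    unsigned long v = 0; size_t i = 5;
    if (n < 7 || memcmp(p, "PORT ", 5) != 0 || p[5] < '0' || p[5] > '9') return -1;
    for (; i < n && p[i] >= '0' && p[i] <= '9'; i++)
        if ((v = v * 10 + (p[i] - '0')) > 65535) return -1;
    if (i >= n || p[i] != '\n' || v == 0) return -1;
    *port = (uint16_t)v; return 0;
}

/* 1 and *e filled when the packet announces a port, 0 when it does not, -1 if malformed.
 * The expected flow is pinned to the announcer (peer -> announcer:port), so a peer cannot open
 * a pinhole to a third party; only the peer's source port is left as a wildcard (0). */
int build_expectation(const uint8_t *pkt, size_t len, struct expectation *e)
{
    struct tuple t; const uint8_t *pl; size_t pn; uint16_t port;
    if (parse_ipv4_tcp(pkt, len, &t, &pl, &pn) < 0) return -1;
    if (find_announced_port(pl, pn, &port) < 0) return 0;
    e->master = t; e->expected.sport = 0;
    e->expected.saddr = t.daddr; e->expected.daddr = t.saddr; e->expected.dport = port;
    return 1;
}

/* Constructed sample: server 10.0.0.2:9000 -> client 10.0.0.1:50000; checksums are left zero. */
size_t make_sample_packet(uint8_t *buf, size_t cap, const char *payload)
{
    size_t pl = strlen(payload), tot = 40 + pl;
    uint32_t src = htonl(0x0a000002), dst = htonl(0x0a000001);
    if (tot > cap || tot > 65535) return 0;
    memset(buf, 0, tot);
    buf[0] = 0x45; buf[2] = (uint8_t)(tot >> 8); buf[3] = (uint8_t)tot; buf[8] = 64; buf[9] = 6;
    memcpy(buf + 12, &src, 4); memcpy(buf + 16, &dst, 4);
    buf[20] = 9000 >> 8; buf[21] = 9000 & 0xff; buf[22] = 50000 >> 8; buf[23] = 50000 & 0xff;
    buf[32] = 0x50; buf[33] = 0x18;              /* data offset 5, PSH|ACK */
    memcpy(buf + 40, payload, pl); return tot;
}

/* Port the helper would expect for a sample packet with this payload; 0 if none, -1 if malformed. */
int expected_port_for(const char *payload)
{
    uint8_t buf[512]; struct expectation e;
    size_t n = make_sample_packet(buf, sizeof buf, payload);
    int r = n ? build_expectation(buf, n, &e) : -1;
    return r == 1 ? e.expected.dport : r;
}

#ifdef USE_NETFILTER   /* cc -DUSE_NETFILTER helper.c -lnetfilter_queue -lnetfilter_conntrack */
#include <stdio.h>
#include <netinet/in.h>
#include <linux/netfilter.h>
#include <libnetfilter_queue/libnetfilter_queue.h>
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
struct nfct_handle *cth;                    /* set up by the caller from nfct_open(EXPECT, 0) */

/* Hand the expectation to the kernel: master, expected and mask tuples plus a 200 s timeout. */
static void register_expectation(const struct expectation *e)
{
    struct tuple mask = { 0xffffffff, 0xffffffff, 0, 0xffff };   /* source port: match any */
    const struct tuple *tp[3] = { &e->master, &e->expected, &mask };
    int which[3] = { ATTR_EXP_MASTER, ATTR_EXP_EXPECTED, ATTR_EXP_MASK };
    struct nf_expect *exp = nfexp_new();
    for (int i = 0; i < 3; i++) {
        struct nf_conntrack *ct = nfct_new();
        nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET); nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_TCP);
        nfct_set_attr_u32(ct, ATTR_IPV4_SRC, tp[i]->saddr); nfct_set_attr_u32(ct, ATTR_IPV4_DST, tp[i]->daddr);
        nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(tp[i]->sport)); nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(tp[i]->dport));
        nfexp_set_attr(exp, which[i], ct);                         /* copies the tuple */
        nfct_destroy(ct);
    }
    nfexp_set_attr_u32(exp, ATTR_EXP_TIMEOUT, 200);
    if (nfexp_query(cth, NFCT_Q_CREATE, exp) < 0) perror("nfexp_query");
    nfexp_destroy(exp);
}

/* NFQUEUE callback for nfq_create_queue(): inspect, register, then let the packet through. */
int on_packet(struct nfq_q_handle *qh, struct nfgenmsg *m, struct nfq_data *nfa, void *d)
{
    struct nfqnl_msg_packet_hdr *ph = nfq_get_msg_packet_hdr(nfa);
    unsigned char *pkt; struct expectation e; int len = nfq_get_payload(nfa, &pkt);
    if (len > 0 && build_expectation(pkt, (size_t)len, &e) == 1) register_expectation(&e);
    return nfq_set_verdict(qh, ph ? ntohl(ph->packet_id) : 0, NF_ACCEPT, 0, NULL);
}
#endif
```

Wiring it up is the usual libnetfilter_queue loop, omitted above for brevity: on_packet is registered with nfq_create_queue() on a handle from nfq_open(), nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) asks for the whole packet, nfq_handle_packet() is fed whatever recv() returns on nfq_fd(), and cth comes from nfct_open(EXPECT, 0). The control channel has to be steered into the queue with a rule such as (assumed control port 9000) iptables -A INPUT -p tcp --dport 9000 -j NFQUEUE --queue-num 0, and if announcements can come from either end the rule must cover both directions. Two caveats of this simplified example: it inspects single segments and does no TCP reassembly, so an announcement split across two segments is missed, and since it never drops anything the control channel itself still needs its own policy.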