Hi,

Sorry for my previous answer, Florian, I didn't see I was answering to your own address and not to the full list.

Port triggering is a basic feature that we can find in most hardware routers. Unfortunately, people wanting to build their own software router on Linux, mostly using netfilter, do not have an easy solution for that.

> It should be possible to replicate pknock-like function via
> ipset or nftables.
>
> (If not, would be interesting to learn what we're missing on nftables
> side plumbing).

After reading the docs on nftables and ipset, I think that there is a missing feature indeed:

 * it is possible to store the source and destination address when a packet arrives at the router and is targeted to a given port;
 * it is possible to match an incoming packet if it is coming from the recorded destination address;
 * it does not seem easily possible to DNAT this packet to the recorded source address taken from the ipset (at least, I didn't find how to do it).

Anyway, even if it were possible, I would personally see it as a workaround for a missing feature. So I think that such a basic thing as port triggering should be implemented in netfilter.

But, as I said in my previous e-mail (sent only to Florian), I was years late with my add-on on Xtables. So I suggest that I create a new module for netfilter/nftables instead. In order to create it I would like to find an up to date doc, as there is for Xtables-addons (http://inai.de/documents/Netfilter_Modules.pdf). Can someone tell me what I should start reading for that?

A few words on the specs I imagined for the port triggering:

    table ip trigger {
        chain postrouting {
            type filter hook postrouting priority 0;
            # Open the trigger named rtsp if a packet arrives for port 554 - the trigger will close in 300s if not refreshed.
            # This will record the source (client) and target (server) address.
            ip dport 554 trigger open rtsp timeout 300
        }
    }

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority 0;
            # If the trigger is open and the source is the recorded server address, DNAT the packet to the recorded client address.
            ip dport 6970-7170 trigger dnat rtsp
        }
    }

    table ip filter {
        chain forward {
            type filter hook forward priority 0;
            # If the trigger is open and the source is the recorded server address, accept the packet; otherwise continue (drop).
            ip dport 6970-7170 trigger filter rtsp
        }
    }

Regards,

--
Best regards, / Kind regards,
Stéphane Veyret
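As an added illustration (not part of the message above and not netfilter code), here is a small user-space Python model of the proposed trigger semantics: the three statements (trigger open on postrouting, trigger dnat on prerouting, trigger filter on forward) and the timeout, exercised end to end on constructed packets using RFC 5737 documentation addresses. It assumes that an entry is keyed by (trigger name, server address) and that the most recent client to open a trigger towards a given server wins; the Packet/PortTrigger/route names are hypothetical and exist only in this model.

```python
"""Constructed user-space model of the port-triggering semantics proposed above.

This is an added illustration, not netfilter code: it models the three
proposed statements (trigger open / trigger dnat / trigger filter) and the
timeout so the intended state machine can be exercised end to end.
Assumption: an entry is keyed by (trigger name, server address) and the
most recent client to open the trigger wins for that server.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    saddr: str   # source address as seen by the router
    daddr: str   # destination address as seen by the router
    dport: int   # destination port


@dataclass
class TriggerEntry:
    client: str     # LAN host that opened the trigger (future DNAT target)
    server: str     # remote host the client talked to
    expires: float  # absolute time after which the entry is dead


class PortTrigger:
    """State shared by the open/dnat/filter statements of one named trigger."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], TriggerEntry] = {}

    def open(self, name: str, pkt: Packet, now: float, timeout: float) -> None:
        # 'trigger open <name> timeout <t>' on the postrouting hook: record the
        # client (source) and server (destination) and (re)arm the timer.
        self._entries[(name, pkt.daddr)] = TriggerEntry(pkt.saddr, pkt.daddr, now + timeout)

    def _live_entry(self, name: str, pkt: Packet, now: float) -> Optional[TriggerEntry]:
        # Incoming packets match only if their source is a recorded server
        # for this trigger and the entry has not timed out yet.
        key = (name, pkt.saddr)
        entry = self._entries.get(key)
        if entry is None:
            return None
        if entry.expires <= now:
            del self._entries[key]  # lazy expiry, like a timed-out set element
            return None
        return entry

    def dnat(self, name: str, pkt: Packet, now: float) -> Optional[str]:
        # 'trigger dnat <name>' on the prerouting hook: the address to rewrite
        # the destination to, or None if the trigger is not open for this source.
        entry = self._live_entry(name, pkt, now)
        return entry.client if entry else None

    def filter(self, name: str, pkt: Packet, now: float) -> str:
        # 'trigger filter <name>' on the forward hook: accept if open, else drop.
        return "accept" if self._live_entry(name, pkt, now) else "drop"


TRIGGER_PORT = 554                   # outbound port that opens the trigger
TRIGGERED_PORTS = range(6970, 7171)  # inbound range the server may then use
TIMEOUT = 300.0                      # seconds, as in the proposed rule


def route(state: PortTrigger, pkt: Packet, now: float, inbound: bool) -> Tuple[Optional[str], str]:
    """Apply the three proposed rules to one packet.

    Returns (dnat_target, verdict). Outbound packets are never DNATed here;
    inbound packets outside the triggered range fall through untouched.
    """
    if not inbound:
        if pkt.dport == TRIGGER_PORT:
            state.open("rtsp", pkt, now, TIMEOUT)
        return (None, "accept")
    if pkt.dport not in TRIGGERED_PORTS:
        return (None, "no-match")
    target = state.dnat("rtsp", pkt, now)
    verdict = state.filter("rtsp", pkt, now)
    return (target, verdict)


def run_scenario() -> List[Tuple[Optional[str], str]]:
    """Constructed scenario: one client, its server, the router's public address, a stranger."""
    state = PortTrigger()
    client, server, router, stranger = "192.168.1.10", "203.0.113.5", "198.51.100.1", "203.0.113.9"
    return [
        route(state, Packet(client, server, 554), now=0, inbound=False),     # opens rtsp
        route(state, Packet(server, router, 7000), now=10, inbound=True),    # DNAT to client, accept
        route(state, Packet(stranger, router, 7000), now=10, inbound=True),  # unknown source: drop
        route(state, Packet(server, router, 8000), now=10, inbound=True),    # outside range: untouched
        route(state, Packet(server, router, 7000), now=400, inbound=True),   # timed out: drop
    ]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```

The model makes one of the design questions a kernel module would have to settle explicit: when two LAN clients open the same trigger towards the same server, the router cannot tell their return traffic apart by server address alone, so the last client to open the trigger wins here; a real implementation would need to decide (and document) that policy.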