Thank you for your help.

2018-03-12 12:25 GMT+01:00 Florian Westphal <fw@xxxxxxxxx>:
> (Or I still fail to understand what you want to do, it does
> sound exactly like expectations, e.g. for ftp data channel in
> response to PASV command on ftp control channel).

No, what I would like to have is more like an FTP *active* connection.
The (in-LAN) client initiates a connection to the server. The server
replies and then initiates a new connection (the data connection, for
FTP) on a new port. I want this new connection to be associated with the
first one. This is also what we have with the rtsp or battle-net protocols.

> Something like:
>
> chain postrouting {
>     type filter hook postrouting priority 0;
>     # tell kernel to install an expectation
>     # arriving on udp ports 6970-7170
>     # expectation will follow whatever NAT transformation
>     # is active on master connection
>     # expectation is removed after 5 minutes
>     # (we could of course also allow to install an expectation
>     # for 'foreign' addresses as well but I don't think it's needed
>     # yet
>     ip dport 554 ct expectation set udp dport 6970-7170 timeout 5m
> }

It may be what I'm looking for. But I couldn't find any documentation
about this "ct expectation" command. Or do you mean I should create a
conntrack helper module for that?

--
Bien cordialement, / Plej kore,
Stéphane Veyret

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
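The mechanism the two messages are circling around (a conntrack helper, or an nft rule that installs an expectation) is: inspect the control channel, predict the tuple of the data connection the peer is about to open, register it with a timeout, and hand the new flow to its master connection when it shows up. The following is an added, user-space model of that logic written for this thread; it is not netfilter code and not anything either poster published. It parses the active-FTP `PORT` command and the RTSP `Transport: ... client_port=lo-hi` header, both of which advertise where the server will connect next, and keeps a one-shot expectation table. All flows, addresses and ports are constructed sample data.

```python
"""Toy model of conntrack expectations for "active" protocols (FTP PORT, RTSP).

Added example for illustration only; not code from the netfilter project.
A real helper does the same steps in the kernel and additionally rewrites
the advertised address/port when NAT is in play (not modelled here).
"""
import re
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple of one connection as seen by conntrack."""
    proto: str
    saddr: str
    sport: int
    daddr: str
    dport: int


@dataclass
class Expectation:
    master: Flow        # control connection this data flow belongs to
    proto: str          # protocol of the expected data flow
    daddr: str          # address the expected flow will be sent to
    dports: range       # destination ports it may use (e.g. udp 6970-7170)
    expires: float      # absolute deadline; expectation is dropped after it


class ExpectTable:
    """Pending expectations. Each one is one-shot: consumed on first match."""

    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so timeouts can be tested
        self.pending = []

    def add(self, master, proto, daddr, dports, timeout):
        self.pending.append(Expectation(master, proto, daddr, dports,
                                        self.now() + timeout))

    def lookup(self, flow):
        """Return the master of a new flow, or None if nothing expected it."""
        t = self.now()
        self.pending = [e for e in self.pending if e.expires > t]  # expire
        for e in self.pending:
            if (e.proto == flow.proto and e.daddr == flow.daddr
                    and flow.dport in e.dports):
                self.pending.remove(e)   # one-shot, like a kernel expectation
                return e.master
        return None


FTP_PORT = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


def ftp_port_expectation(table, master, line, timeout=300):
    """Active FTP: client sends 'PORT h1,h2,h3,h4,p1,p2' on the control
    channel; the server then connects from tcp/20 to that address and port."""
    m = FTP_PORT.match(line)
    if not m:
        return None
    g = m.groups()
    addr, port = ".".join(g[:4]), int(g[4]) * 256 + int(g[5])
    table.add(master, "tcp", addr, range(port, port + 1), timeout)
    return addr, port


RTSP_CLIENT_PORT = re.compile(r"client_port=(\d+)(?:-(\d+))?")


def rtsp_transport_expectation(table, master, header, timeout=300):
    """RTSP: the client's SETUP advertises client_port=lo-hi; the server then
    sends RTP/RTCP over UDP to those ports on the client's address."""
    m = RTSP_CLIENT_PORT.search(header)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    table.add(master, "udp", master.saddr, range(lo, hi + 1), timeout)
    return lo, hi


def demo():
    clock = [1000.0]                                  # fake clock (constructed)
    table = ExpectTable(now=lambda: clock[0])

    # Active FTP: LAN client 192.168.1.10 -> server 203.0.113.5, PORT -> 40002
    ftp_ctl = Flow("tcp", "192.168.1.10", 40001, "203.0.113.5", 21)
    announced = ftp_port_expectation(table, ftp_ctl, "PORT 192,168,1,10,156,66")
    ftp_master = table.lookup(Flow("tcp", "203.0.113.5", 20, "192.168.1.10", 40002))

    # RTSP: SETUP on tcp/554, server then streams RTP over UDP to client_port
    rtsp_ctl = Flow("tcp", "192.168.1.10", 50000, "203.0.113.7", 554)
    rtsp_transport_expectation(
        table, rtsp_ctl, "Transport: RTP/AVP;unicast;client_port=6970-6971")
    rtp = Flow("udp", "203.0.113.7", 5004, "192.168.1.10", 6970)
    rtsp_master = table.lookup(rtp)      # associated with rtsp_ctl
    rtsp_second = table.lookup(rtp)      # expectation already consumed -> None

    # Timeout: an expectation nobody uses within `timeout` seconds disappears
    ftp_port_expectation(table, ftp_ctl, "PORT 192,168,1,10,156,67", timeout=300)
    clock[0] += 301
    expired = table.lookup(Flow("tcp", "203.0.113.5", 20, "192.168.1.10", 40003))

    return {"ftp_port": announced, "ftp_master": ftp_master,
            "rtsp_master": rtsp_master, "rtsp_second": rtsp_second,
            "expired": expired}


if __name__ == "__main__":
    print(demo())
```

Two points in the model mirror what a kernel helper has to get right: the expectation matches on the *destination* side only (source port of the server is not known in advance, so it stays a wildcard), and it is one-shot with a timeout, so a stale announcement cannot be used later to sneak an unrelated connection in under the master's state.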