Mojtaba <mespio@xxxxxxxxx> wrote:
> I have been working for a while on two projects (libnetfilter_queue and
> libnetfilter_conntrack) to get the decision on the destination of packets that
> arrive in our project. It is great to get control of all packets.
> But I am a little confused.
> In my solution I just want to forward all packets that are in the same
> conditions (for example: all packets received from a specific
> IP:PORT address) to another destination. I could simply add a new
> rule to the libnetfilter_conntrack list (like the samples that exist
> in the libnetfilter_conntrack/utility project).
> But actually I want to use NFQUEUE to get all packets in my user space
> and then add a new rule to the libnetfilter_conntrack list. In other words,
> the verdict in my solution is not to ACCEPT or DROP the packet; it
> should add a new rule to the libnetfilter_conntrack list if it does not exist.
> Is it possible?

Yes, but that doesn't make sense because the kernel will add a conntrack
entry itself if no entry existed.

Or are you dropping packets in NEW state? Or are you talking about
conntrack expectations?

A conntrack entry itself doesn't accept or forward a packet. It just means
that the next packet of the same flow will find the entry and rules like
iptables ... -m conntrack --ctstate NEW/ESTABLISHED etc. will match.
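To illustrate the point made in the reply, here is a small Python model of a conntrack table and of rules that match on --ctstate. It is an added example written for this thread; it is not code from the thread, not the kernel's conntrack implementation, and not the libnetfilter_queue or libnetfilter_conntrack API. The addresses, ports, ruleset and the NFQUEUE callback are constructed for the demo, and the class and function names are invented for the model. What it keeps from real conntrack behaviour: the first packet of a flow gets an entry without any user-space action, the entry is only confirmed (made visible to later packets) if the packet is accepted, a flow stays NEW until a packet in the reply direction has been seen, and the ruleset consumes that state while the user-space verdict is still just ACCEPT or DROP.

```python
# Toy model of conntrack classification and --ctstate matching (added example,
# not kernel code and not the libnetfilter_* API; all names are invented).
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Tuple5 = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)
Verdict = str                              # "ACCEPT" or "DROP"
Rule = Tuple[str, str]                     # (ctstate to match, target)


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def orig_tuple(self) -> Tuple5:
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def reverse(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


@dataclass
class ConnEntry:
    orig: Tuple5             # tuple of the packet that created the entry
    seen_reply: bool = False
    confirmed: bool = False  # only confirmed entries are found by later packets


class Conntrack:
    """Flow table indexed by both directions of each confirmed connection."""

    def __init__(self) -> None:
        self.table: Dict[Tuple5, ConnEntry] = {}

    def classify(self, pkt: Packet) -> Tuple[str, ConnEntry]:
        """Return the --ctstate the packet matches and its (maybe new) entry."""
        t = pkt.orig_tuple()
        entry = self.table.get(t)
        if entry is None:
            # The kernel creates this itself for every first packet of a flow;
            # nothing has to be "added" from user space.
            return "NEW", ConnEntry(orig=t)
        if t == entry.orig:
            # Original direction: ESTABLISHED only once the peer has replied.
            return ("ESTABLISHED" if entry.seen_reply else "NEW"), entry
        entry.seen_reply = True   # reply direction: flow is now ESTABLISHED
        return "ESTABLISHED", entry

    def confirm(self, entry: ConnEntry) -> None:
        """Insert the entry; done only when the packet survives the ruleset."""
        if not entry.confirmed:
            entry.confirmed = True
            self.table[entry.orig] = entry
            self.table[reverse(entry.orig)] = entry


def run_ruleset(ct: Conntrack, rules: List[Rule], pkt: Packet,
                queue_cb: Callable[[Packet, str], Verdict]) -> Tuple[Verdict, str]:
    """Classify one packet, walk the rules, confirm the entry if accepted."""
    state, entry = ct.classify(pkt)
    verdict: Verdict = "DROP"                  # chain policy DROP
    for ctstate, target in rules:
        if ctstate == state:
            verdict = queue_cb(pkt, state) if target == "NFQUEUE" else target
            break
    if verdict == "ACCEPT":
        ct.confirm(entry)   # a dropped NEW packet leaves no entry behind
    return verdict, state


def demo() -> List[Tuple[Verdict, str]]:
    """Constructed sample traffic: one allowed SSH flow and one refused one."""
    ct = Conntrack()
    rules: List[Rule] = [("ESTABLISHED", "ACCEPT"), ("NEW", "NFQUEUE")]
    blocked = {"10.0.0.3"}

    def queue_cb(pkt: Packet, state: str) -> Verdict:
        # The user-space decision is still only ACCEPT or DROP.
        return "DROP" if pkt.src in blocked else "ACCEPT"

    traffic = [
        Packet("tcp", "10.0.0.1", 40000, "10.0.0.2", 22),  # SYN: NEW -> queue
        Packet("tcp", "10.0.0.2", 22, "10.0.0.1", 40000),  # SYN/ACK: reply
        Packet("tcp", "10.0.0.1", 40000, "10.0.0.2", 22),  # ACK: ESTABLISHED
        Packet("tcp", "10.0.0.3", 40001, "10.0.0.2", 22),  # SYN from blocked host
        Packet("tcp", "10.0.0.3", 40001, "10.0.0.2", 22),  # retransmit: still NEW
    ]
    return [run_ruleset(ct, rules, p, queue_cb) for p in traffic]


if __name__ == "__main__":
    for verdict, state in demo():
        print(state, verdict)
```

The demo shows why the user-space program never needs to "add" the flow: the accepted SYN from 10.0.0.1 confirms an entry on its own, the reply from the server turns it ESTABLISHED, and from then on the ESTABLISHED rule accepts the flow without going through the queue. The SYN from the blocked host is dropped in the callback, so no entry is ever confirmed and its retransmission is classified NEW and queued again.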