Yes. For this reason, I should add the conntrack entry before the kernel does, in my userspace project. Because I have to forward the packet to another destination, I used the --src-nat and --dst-nat options while adding the new conntrack entry, as is obvious in the code below:

    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <libnetfilter_conntrack/libnetfilter_conntrack.h>

    struct nfct_handle *h = nfct_open(CONNTRACK, 0);
    struct nf_conntrack *ct = nfct_new();
    /* original tuple: sender and the address the packet was sent to */
    nfct_set_attr_u8(ct, ATTR_L3PROTO, AF_INET);
    nfct_set_attr_u32(ct, ATTR_IPV4_SRC, inet_addr("192.168.133.140"));
    nfct_set_attr_u32(ct, ATTR_IPV4_DST, inet_addr("192.168.133.108"));
    nfct_set_attr_u8(ct, ATTR_L4PROTO, IPPROTO_UDP);
    nfct_set_attr_u16(ct, ATTR_PORT_SRC, htons(6000));
    nfct_set_attr_u16(ct, ATTR_PORT_DST, htons(5005));
    /* derive the reply tuple from the original tuple */
    nfct_setobjopt(ct, NFCT_SOPT_SETUP_REPLY);
    nfct_set_attr_u32(ct, ATTR_TIMEOUT, 60);
    /* NAT mapping recorded in the entry (--src-nat / --dst-nat) */
    nfct_set_attr_u32(ct, ATTR_SNAT_IPV4, inet_addr("192.168.133.108"));
    nfct_set_attr_u32(ct, ATTR_DNAT_IPV4, inet_addr("192.168.133.150"));
    nfct_set_attr_u16(ct, ATTR_SNAT_PORT, htons(5070));
    nfct_set_attr_u16(ct, ATTR_DNAT_PORT, htons(6000));
    /* push the entry into the kernel conntrack table, then clean up */
    nfct_query(h, NFCT_Q_CREATE, ct);
    nfct_destroy(ct);
    nfct_close(h);

As far as I know, it is possible to delegate the verdict of packets to user-space. Here is the main point that is driving me confused. Suppose I used this rule in iptables:

    iptables -A INPUT -p udp --dport 5005 -j NFQUEUE --queue-num 0

Then how could we make a verdict to forward the packet to another destination? Could I implement my solution in this way, or do I have to use libnetfilter_conntrack like the sample code above?

With Best Regards,
Mojtaba

On Tue, Jun 18, 2019 at 2:20 PM Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Mojtaba <mespio@xxxxxxxxx> wrote:
> > I have been working for a while on two projects (libnetfilter_queue and
> > libnetfilter_conntrack) to get the decision on the destination of packets that
> > arrive in our project. It is great to get control of all packets.
> > But I am a little confused.
> > In my solution I just want to forward all packets that are in the same
> > conditions (for example: all packets are received from a specific
> > IP:PORT address) to another destination. I could simply add a new
> > rule to the libnetfilter_conntrack list (like the samples that exist
> > in the libnetfilter_conntrack/utility project).
> > But actually I want to use NFQUEUE to get all packets in my user-space
> > and then add a new rule to the libnetfilter_conntrack list. In other words,
> > the verdict in my solution is not to ACCEPT or DROP the packet; it
> > should add a new rule to the libnetfilter_conntrack list if it does not exist.
> > Is it possible?
>
> Yes, but that doesn't make sense because the kernel will add a conntrack
> entry itself if no entry existed.
> Or are you dropping packets in NEW state?
> Or are you talking about conntrack expectations?
>
> A conntrack entry itself doesn't accept or forward a packet.
>
> It just means that the next packet of the same flow will find the entry and
> rules like iptables ... -m conntrack --ctstate NEW/ESTABLISHED etc.
> will match.

--
--Mojtaba Esfandiari.S