On Fri, Jul 25, 2003 at 08:21:21PM -0600, George wrote:
> Is there currently a way for iptables to force another packet stream conntrack entry to be RELATED without having to look inside of the packet data?
>
> For example: If a 10.0.0.2 client behind an iptables firewall were to send an ICMP echo to 10.20.30.1, could a rule be set up so that after the firewall sees this packet, all udp packets sent to dport=45678 would be DNATed to 10.0.0.2?
>
> The designated RELATED stream would in general then be just like any other conntrack entry.
>
> My guess is that this would require a generic force-related module.

Let me see if I understood you well. You want something like this:

    if (the firewall sees this traffic)
    then
        apply that rule
    fi

I don't think we have something like this, but I think this is very helpful. Especially if the IF-test could pass some parameters to the THEN-body.

You might want to take this to the devel mailing list.

Ramin
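To make the IF/THEN idea concrete, here is an added model (not code from the thread or from netfilter) of what such a force-related expectation would do: an ICMP echo from an inside host registers an expectation, and later UDP to dport 45678 is marked RELATED and DNATed to that host. It goes beyond the question in two ways a firewall maintainer would insist on: the pinhole is bound to the echo's peer rather than open to any source, and it expires after a timeout. All class names, the inside network and the sample addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass
# Hypothetical model of the "force-related" idea, not netfilter code: an ICMP echo
# from an inside host registers an expectation; matching UDP is RELATED and DNATed.

@dataclass(frozen=True)
class Packet:
    proto: str      # "icmp" or "udp"
    src: str
    dst: str
    dport: int = 0  # UDP destination port; 0 for ICMP

@dataclass
class Expectation:
    peer: str       # external host allowed to use the pinhole
    dport: int      # expected UDP destination port
    dnat_to: str    # inside host the matching packets are rewritten to
    expires: float  # time after which the expectation is dropped

class ForceRelated:
    """IF an echo from inside to a peer is seen THEN expect UDP from that peer."""
    def __init__(self, inside_net, port=45678, ttl=30.0):
        self.inside = ipaddress.ip_network(inside_net)
        self.port = port
        self.ttl = ttl  # pinhole lifetime in seconds, so it never stays open
        self.expectations = []

    def process(self, pkt, now):
        """Return (conntrack state, packet after NAT) for one packet seen at `now`."""
        self.expectations = [e for e in self.expectations if e.expires > now]
        # IF-test: an echo leaving the inside network creates the expectation,
        # passing the client address on to the THEN-body as its parameter.
        if pkt.proto == "icmp" and ipaddress.ip_address(pkt.src) in self.inside:
            self.expectations.append(Expectation(pkt.dst, self.port, pkt.src, now + self.ttl))
            return "NEW", pkt
        # THEN-body: only UDP from that peer to the expected port is RELATED and DNATed.
        for e in self.expectations:
            if pkt.proto == "udp" and pkt.src == e.peer and pkt.dport == e.dport:
                return "RELATED", Packet("udp", pkt.src, e.dnat_to, pkt.dport)
        return "NEW", pkt

def demo():
    """Constructed sequence: trigger echo, matching UDP, stray source, expired UDP."""
    fw = ForceRelated("10.0.0.0/24")
    seq = [(Packet("icmp", "10.0.0.2", "10.20.30.1"), 0.0),
           (Packet("udp", "10.20.30.1", "192.0.2.1", 45678), 1.0),
           (Packet("udp", "198.51.100.9", "192.0.2.1", 45678), 2.0),
           (Packet("udp", "10.20.30.1", "192.0.2.1", 45678), 60.0)]
    return [fw.process(p, t) for p, t in seq]
```

Only the second packet is rewritten; the stray source and the late packet fall through to ordinary NEW handling, which is the property that keeps such a module from becoming an open DNAT.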