Thanks a lot!
The solution with CONNMARK seems to be exactly what I need. It is also
much better than dropping everything on a given port :-).
Have a nice day,
Michal
Cedric Blancher wrote:
On Tuesday 23 January 2007 at 12:53 +0100, Michal Martinek wrote:
Thanks for the help, I've already written some userspace packet analyzer
acting as a NFQUEUE target, but the problem is that not all of the
packets I'd like to handle (mostly drop) are recognizable. It is a video
stream, in which I can detect only some "key packets", but the rest
remains unclear.
OK, so if I understand you correctly... You have a video stream
containing key packets you can spot. This video stream occurs on
non-predictable ports.
First solution, and apologies to Gáspár, use string match to identify
your key packets. Then mark the entire connection using CONNMARK and
drop it.
Something like:
# mangle table: once a key packet is seen, tag its whole connection
# (the string match needs an --algo, bm or kmp, or iptables rejects the rule)
iptables -t mangle -A FORWARD -m string --algo bm --string "yourmagic" \
-j CONNMARK --set-mark 0x1
# filter table: drop every packet belonging to a tagged connection
iptables -A FORWARD -m connmark --mark 0x1 -j DROP
This means once you've detected a key packet, you'll drop it as well as
all further packets from the same connection.
Second solution, you write a helper. Maybe I don't quite get your
situation, but this stream does not come from nowhere. Its ports have
to be negotiated in some previous connection so your client application
can open the right port. Thus, your helper would follow this negotiation
connection to identify on the fly streaming ports and block the entire
video stream.
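Added illustration (Python, not part of the list discussion) of what the two rules in the first solution do: a flow is tracked by its direction-independent 5-tuple as conntrack would, the string match sets mark 0x1 on the flow, and every later packet of that flow in either direction is dropped, while packets seen before the key packet and packets of other flows pass. The packet sequence and the "yourmagic" signature are constructed for the demo.

```python
# Model of the CONNMARK rule pair from the thread (illustration only, not
# iptables itself). Packets are dicts; the stream below is constructed.

MAGIC = b"yourmagic"   # stands in for the real key-packet signature
MARK = 0x1

def flow_key(pkt):
    """Direction-independent key, the way conntrack pairs both directions."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def filter_packets(packets):
    """Return the list of verdicts (ACCEPT/DROP), one per packet, in order."""
    marks = {}          # conntrack entry -> connmark value
    verdicts = []
    for pkt in packets:
        key = flow_key(pkt)
        # mangle/FORWARD: -m string --string MAGIC -j CONNMARK --set-mark 0x1
        # (per-packet match: the signature must fit inside one payload)
        if MAGIC in pkt["payload"]:
            marks[key] = MARK
        # filter/FORWARD: -m connmark --mark 0x1 -j DROP
        verdicts.append("DROP" if marks.get(key) == MARK else "ACCEPT")
    return verdicts

def pkt(src, sport, dst, dport, payload, proto="udp"):
    return dict(src=src, sport=sport, dst=dst, dport=dport,
                payload=payload, proto=proto)

# Constructed sample: one video flow plus an unrelated flow to the same server.
SAMPLE = [
    pkt("10.0.0.5", 40000, "203.0.113.9", 5004, b"header"),        # before key
    pkt("10.0.0.5", 40000, "203.0.113.9", 5004, b"xx yourmagic"),  # key packet
    pkt("10.0.0.5", 40000, "203.0.113.9", 5004, b"frame"),         # same flow
    pkt("203.0.113.9", 5004, "10.0.0.5", 40000, b"ack"),           # reverse dir
    pkt("10.0.0.5", 40001, "203.0.113.9", 5004, b"frame"),         # other flow
]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f"{p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} {v}")
```

The first packet of the flow is accepted because nothing has tagged the connection yet; that is the gap a string-match approach always has compared with a helper that knows the ports in advance.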