GLAUME Vincent wrote:

> Hi there,
>
> I'm currently trying to figure out how the whole libnetfilter_conntrack
> works, and more precisely the expect part of the lib.
> My aim is to be able to create new expectation entries with this lib in
> an application that would inspect packets (either coming from a
> pcap-based sniffer or from netfilter via the nfqueue mechanism): thus
> I'd like to allow connections related to the inspected (and already
> allowed) connections.
>
> My various tests make me think that to create such an expectation entry,
> a kernel module related to the master connection is required: am I right?
> For instance, the "expect_create" app in the libnetfilter_conntrack
> "utils" subdirectory works fine, unless I modify the destination port of
> the master conntrack structure... then it's no longer related to the FTP
> conntrack mechanism...
> The same thing happens when using the conntrack app from the conntrack-tools.
>
> So, I'd like to know how to do this the right way, without coding the
> whole inspection thing in a kernel module (if this is possible). Is
> there any generic TCP conntrack system that could help here?
> As I'm not too sure I fully understand the whole mechanism of expected
> connection creation, any hint is welcome!
> I hope this is not too confused... Thanks,

IIRC, this requires a couple of patches for the kernel to fully support
conntrack helpers in user-space, which seems to be what you need. So this
is not supported until the appropriate patches go into the kernel.