On 26 February 2018 at 17:21, zrm <zrm@xxxxxxxxxxxxxxx> wrote:
> Is there any way for a user process to query whether a hypothetical packet
> would be accepted or rejected given the current rules and state?
>
> I know the transport protocol, source and destination, in-interface, etc. I
> want to ask the kernel if a packet with those parameters would be forwarded
> or dropped.
>
> The specific thing I'm trying to do is to create a conntrack entry, but only
> if such a packet would have created it. I know how to create the conntrack
> entry; the question is how to evaluate the condition first.
>
> I'm trying to avoid having to evaluate the rules manually, which is very
> complicated and likely to result in bugs. And I'm not even sure how to get
> certain information to do that, like whether a packet would currently match
> the conntrack RELATED state.
>
> Is there some API to query this information? I imagine that could be useful
> for debugging as well.

No such feature exists currently.

You could try creating the packet by hand (scapy?) and injecting it into the
stack to see where it goes.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
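As an added example, not part of this thread, here is the "create the packet by hand" approach from the reply done in plain Python without scapy: it builds an IPv4/TCP SYN for the known 5-tuple with correct checksums, and inject() hands it to the local stack through a raw socket (assumed to need CAP_NET_RAW) so that `conntrack -E` or `nft monitor trace` can show what the ruleset did with it. The function names and the addresses are assumptions made for the example.

```python
import socket
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_tcp_syn(src_ip, dst_ip, sport, dport, seq=0, ttl=64) -> bytes:
    """IPv4 header + option-less TCP SYN; both checksums filled in by hand."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP: data offset 5 (20 bytes), flags SYN (0x02), window 64240, csum/urg 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 64240, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    # IPv4: version/IHL 0x45, DF set, protocol TCP, checksum computed last
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
    return ip + tcp


def verify_checksums(pkt: bytes) -> bool:
    """True if both the IPv4 and the TCP checksum of a 40-byte SYN verify."""
    ip, tcp = pkt[:20], pkt[20:]
    if _checksum(ip) != 0:
        return False
    pseudo = ip[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return _checksum(pseudo + tcp) == 0


def inject(pkt: bytes, dst_ip: str) -> None:
    """Hand the raw datagram to the local stack (assumed: run with CAP_NET_RAW),
    then watch 'conntrack -E' or 'nft monitor trace' to see where it goes."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst_ip, 0))


if __name__ == "__main__":
    # Constructed sample 5-tuple (documentation addresses), not a real target.
    syn = build_tcp_syn("192.0.2.1", "198.51.100.2", 40000, 22)
    print(syn.hex(), verify_checksums(syn))
```

A packet sent this way is locally originated, so the ruleset sees it on the OUTPUT path (and on lo if the destination is local) rather than arriving on the in-interface from the question; to exercise an in-interface match, inject it from the far side, for example from a veth peer in another network namespace.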