Displaying 5 results from an estimated 5 matches for "ctproto".
2013 Nov 23
1
[Bug 873] New: iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873
Summary: iptables -I CHAIN -m conntrack ! --ctproto 0 is
intended to produce an error message, but it doesn't
(usually)
Product: iptables
Version: 1.4.x
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
C...
2024 Mar 24
0
[Bug 873] iptables -I CHAIN -m conntrack ! --ctproto 0 is intended to produce an error message, but it doesn't (usually)
https://bugzilla.netfilter.org/show_bug.cgi?id=873
Fabio <pedretti.fabio at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
CC| |pedretti.fabio at gmail.com
Resolution|---
2005 Nov 11
3
passive FTP traffic control
Hi All
How to classify packets belonging to an FTP session?
Port 21 session is easy, but what about data transfers? Their port numbers
(both) are above 1024.
I was thinking about ip_conntrack_ftp. Something like:
iptables -A FORWARD -p tcp --sport 1024: --dport 1024: \
-m state --state ESTABLISHED,RELATED -j CLASSIFY --set-class X:Y
But what if I also have ip_conntrack_irc, for instance.
2013 Nov 23
1
[Bug 874] New: Any conntrack conditions specified with --ctstate INVALID are not checked
...ALID
In the kernel net/netfilter/xt_conntrack.c function conntrack_mt, if there is
no conntrack entry, the state is considered invalid. Then, a further check for
no conntrack entry causes a return, before any other checks are made.
An example is:
iptables -A CHAIN -m conntrack --ctstate INVALID --ctproto tcp
which would match a udp packet (or any other protocol), and could cause
considerable confusion.
To circumvent the problem of matches being specified, but that are not checked,
if the state match is a positive match of INVALID, do not allow any other
conntrack tests.
The attached patch adds th...
2004 Mar 16
4
split route questions
I am working on a split route and ShoreWall system. I reviewed the
lartc documentation but have a few areas that I still need help on.
Here is my network:
64.xxx.xxx.1/25 66.xxx.xxx.129/26
| |
#################################################
# Eth2 64.xxx.xxx.2 eth0 66.xxx.xxx.130 #
#