LARTC

Re: [LARTC] Re: iptables rule not matching after stream begins

To: "Flophouse Joe" <flophousejoe-lartc-zvbbfzu@halibutdepot.org>
Subject: Re: [LARTC] Re: iptables rule not matching after stream begins
From: "Bob Beers" <bob.beers@gmail.com>
Date: Tue, 21 Nov 2006 09:10:42 -0500
Cc: lartc@mailman.ds9a.nl
Delivered-to: sp-com-lists@consult.net
Delivered-to: lartc-list@securepoint.com
Delivered-to: lartc@outpost.ds9a.nl
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=LijTwbyuxGVaI47LDZMWCCEMoHmn+QX2ZPs4YhL21EhFsbf/KfbDJTDpZZL0kbcrhV5t1CniFXOJ5vpJuF98T0OQdYJnpkx6k7Jc64clTtdFFfFoj4bf8jeFV/pybFfm3ExV34lUvnnndtIIJZ0UugY9fF5LWutHstBb7qGoPT4=
In-reply-to: <Pine.LNX.4.64.0611201955340.31315@becky16.halibutdepot.org>
List-archive: <http://mailman.ds9a.nl/pipermail/lartc>
List-help: <mailto:lartc-request@mailman.ds9a.nl?subject=help>
List-id: "Mailinglist of the Linux Advanced Routing &amp; Traffic Control project" <lartc.mailman.ds9a.nl>
List-post: <mailto:lartc@mailman.ds9a.nl>
List-subscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=subscribe>
List-unsubscribe: <http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc>, <mailto:lartc-request@mailman.ds9a.nl?subject=unsubscribe>
References: <4f6ba3b0611200730j337ad29xc69dd63b205060c4@mail.gmail.com> <4f6ba3b0611201646k750995d3oe0cd605890b7f2a7@mail.gmail.com> <Pine.LNX.4.64.0611201955340.31315@becky16.halibutdepot.org>
Sender: lartc-bounces@mailman.ds9a.nl

Thank you, Joe, for your response

On 11/20/06, Flophouse Joe <flophousejoe-lartc-zvbbfzu@halibutdepot.org> wrote:
> Have you considered testing any of the patches from netfilter's
> patch-o-matic?

I will consider doing just that.


> There are two patches that seem promising.  Quoting from the netfilter
> website:
>
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-rtsp-conntrack
> ...
> http://www.netfilter.org/patch-o-matic/pom-extra.html#pom-extra-sip-conntrack-nat
> ...

Thanks for the pointers.

But, I think my problem is really more basic.  I only mentioned
that it was SIP related for background.

Let me try to restate my question:

Is it a common problem that inserting a rule after a (UDP) stream is
established does not match the rule, even though the exact same
rule for the exact same stream does match, as long as it is inserted
before the first packet of the stream arrives?

If so (that it is a common, or at least known, problem), how does
one overcome this problem?  Is there a way to "disconnect" the
stream, once the rule is installed, so that it can match?  Like I said
in the original post, everything works right, as long as my rule
wins the race with the first packet.

Any other hints most welcome, meanwhile I will examine the two
patches mentioned. Thanks,


> Joe


Bob
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
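Added example, not part of the thread above and not Bob's or Joe's code. The symptom Bob describes (a rule that matches a UDP stream only when it is inserted before the first packet) is what you see when the rule is only ever consulted at the start of a tracked flow: every nat-table rule, and any filter rule qualified with `-m state --state NEW`, is evaluated for the first packet of a connection and skipped for later packets of a flow conntrack already knows, and conntrack tracks UDP "connections" too. Whether that is Bob's case the thread does not say. One way to "disconnect" such a stream is to delete its conntrack entry, so the next packet is treated as new and walks the rule set again. The script below parses the kernel's conntrack listing (both the old `/proc/net/ip_conntrack` layout and the newer `/proc/net/nf_conntrack` one), finds the entries for a given UDP 5-tuple whichever direction you name it from, and builds the matching `conntrack -D` command from conntrack-tools; the table text embedded in it is constructed sample data, and running the delete (`run=True`) assumes conntrack-tools is installed and you are root.

```python
"""Locate the conntrack entries for a UDP flow and build the conntrack(8) command
that deletes them, so the flow's next packet starts a new connection and is run
through the rule set again.

Added example (not code from the LARTC thread).  Assumes conntrack-tools'
`conntrack -D` is installed when run=True; everything else is offline.
"""
import re
import subprocess
from dataclasses import dataclass

# nf_conntrack is the newer table; ip_conntrack is the one a 2006 kernel exposed.
CT_PATHS = ("/proc/net/nf_conntrack", "/proc/net/ip_conntrack")

# Constructed sample mixing both layouts.  Line 1: a SIP flow that has never
# seen a reply; line 2: an RTP flow with replies; line 3: an unrelated TCP flow.
SAMPLE_TABLE = """\
udp      17 29 src=192.168.1.20 dst=198.51.100.7 sport=5060 dport=5060 [UNREPLIED] src=198.51.100.7 dst=192.168.1.20 sport=5060 dport=5060 use=1
ipv4     2 udp      17 175 src=192.168.1.20 dst=198.51.100.7 sport=10000 dport=20000 src=198.51.100.7 dst=192.168.1.20 sport=20000 dport=10000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=198.51.100.7 sport=40000 dport=22 src=198.51.100.7 dst=192.168.1.20 sport=22 dport=40000 [ASSURED] mark=0 use=1
"""


@dataclass(frozen=True)
class Tuple5:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Entry:
    orig: Tuple5    # direction of the first packet conntrack saw
    reply: Tuple5   # the reply direction it expects
    flags: tuple    # e.g. ("UNREPLIED",) or ("ASSURED",)


_KV = re.compile(r"\b(src|dst|sport|dport)=(\S+)")
_FLAG = re.compile(r"\[(\w+)\]")


def parse_conntrack(text):
    """Parse ip_conntrack / nf_conntrack text into Entry objects; port-less protocols are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        # nf_conntrack lines begin "ipv4 2 udp ..."; ip_conntrack lines begin "udp ...".
        proto = fields[2] if fields[0].startswith("ipv") else fields[0]
        kv = _KV.findall(line)
        if len(kv) < 8:            # icmp entries carry type/code, not ports
            continue
        o, r = dict(kv[:4]), dict(kv[4:8])   # first four pairs: original, next four: reply
        entries.append(Entry(
            orig=Tuple5(proto, o["src"], o["dst"], int(o["sport"]), int(o["dport"])),
            reply=Tuple5(proto, r["src"], r["dst"], int(r["sport"]), int(r["dport"])),
            flags=tuple(_FLAG.findall(line)),
        ))
    return entries


def entries_for_flow(entries, flow):
    """Entries whose original OR reply tuple is the flow your rule is trying to match."""
    return [e for e in entries if flow in (e.orig, e.reply)]


def delete_command(entry):
    """conntrack -D selects entries by their original-direction tuple (-s/-d/--sport/--dport)."""
    o = entry.orig
    return ["conntrack", "-D", "-p", o.proto, "-s", o.src, "-d", o.dst,
            "--sport", str(o.sport), "--dport", str(o.dport)]


def read_table():
    """Read whichever conntrack table this kernel exposes."""
    for path in CT_PATHS:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            continue
    raise RuntimeError("no conntrack table readable (module loaded? running as root?)")


def reset_flow(flow, table_text=None, run=False):
    """Return the delete commands for `flow`; execute them when run=True (needs root)."""
    table_text = read_table() if table_text is None else table_text
    cmds = [delete_command(e) for e in entries_for_flow(parse_conntrack(table_text), flow)]
    if run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    # The sample SIP flow, named from the direction the rule filters on.
    sip = Tuple5("udp", "192.168.1.20", "198.51.100.7", 5060, 5060)
    for cmd in reset_flow(sip, table_text=SAMPLE_TABLE):
        print(" ".join(cmd))
```

Run it with `table_text=None, run=True` on the box after the rule is in place; the flow's next packet then arrives as NEW and hits the rule, which is the same outcome as winning the race with the first packet. Naming the flow from the reply direction (the RTP line in the sample, seen from the far end) still yields a delete keyed on the entry's original tuple, since that is the only tuple `conntrack -D` matches on with these options.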
