
List:       netfilter-devel
Subject:    Re: Where is conntrack in the iptables chain?
From:       Patrick Schaaf <bof () bof ! de>
Date:       2003-08-25 11:43:22

> Yup.  Are there any examples of how to manipulate
> packets prior to conntrack, either as a loadable
> module or via iptables?  I seem to recall a patch
> which added raw tables that acted before anything else
> but do not recall which rev of iptables it acted on...

Hi again,

you want to look at the general netfilter hooks, and how their
priorities work. You can look at the iptables kernel source 
for inspiration, it's rather simple. In net/ipv4/netfilter,
grep for nf_register_hook, and look at the argument to
that function, usually a locally defined constant struct.
The conntrack hooking is in ip_conntrack_standalone.c.
Notice the NF_IP_PRI_CONNTRACK in the struct definition:
this is defined in include/linux/netfilter_ipv4.h, and
represents a numerical priority value; for each
hook that the core network stack runs, the hook
functions for all registered modules are called
in numerically ascending priority order. Specifically,
NF_IP_PRI_CONNTRACK is the lowest, numerically -200,
so for your own hook, you'll need something even below
that value, e.g. -201.

all the best
  Patrick
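As an added user-space model of the ordering Patrick describes (not code from this thread or from the kernel): hooks registered at one hook point are kept sorted and run in ascending priority order, so a hook registered at -201 runs before conntrack at -200 and can drop a packet before conntrack ever sees it. The hook names, the packet strings and the pre_ct_hook function are constructed for illustration; only NF_IP_PRI_CONNTRACK = -200 and the NF_DROP/NF_ACCEPT verdicts follow the real header.

```c
#include <string.h>
/* Verdicts and the conntrack priority as in the 2.4-era
 * include/linux/netfilter_ipv4.h; -200 is the value the mail cites. */
#define NF_DROP   0
#define NF_ACCEPT 1
#define NF_IP_PRI_CONNTRACK (-200)
#define MAX_HOOKS 8
typedef unsigned int (*nf_hookfn)(const char *pkt);
struct nf_hook_ops { nf_hookfn hook; int priority; const char *name; };
/* Hooks registered at one hook point (e.g. NF_IP_PRE_ROUTING), kept sorted
 * by ascending priority, which is what nf_register_hook does in the kernel. */
static struct nf_hook_ops registered[MAX_HOOKS];
static int nregistered;
int nf_register_hook(const struct nf_hook_ops *ops)
{
    int i = nregistered;
    if (nregistered == MAX_HOOKS) return -1;
    /* insert before the first entry with a larger priority (ties keep order) */
    for (; i > 0 && registered[i - 1].priority > ops->priority; i--)
        registered[i] = registered[i - 1];
    registered[i] = *ops;
    nregistered++;
    return 0;
}
/* Walk the chain in priority order, stopping at the first NF_DROP. Records the
 * names of the hooks that ran, comma separated, in hook_trace; returns the verdict. */
char hook_trace[64];
unsigned int nf_hook_run(const char *pkt)
{
    hook_trace[0] = '\0';
    for (int i = 0; i < nregistered; i++) {
        if (i) strncat(hook_trace, ",", sizeof hook_trace - strlen(hook_trace) - 1);
        strncat(hook_trace, registered[i].name, sizeof hook_trace - strlen(hook_trace) - 1);
        if (registered[i].hook(pkt) == NF_DROP) return NF_DROP;
    }
    return NF_ACCEPT;
}
/* conntrack's hook (the real one creates the connection entry here) */
static unsigned int conntrack_hook(const char *pkt) { (void)pkt; return NF_ACCEPT; }
/* hypothetical hook at -201: refuses a constructed "BAD..." packet, so
 * conntrack never sees it and allocates no state for it */
static unsigned int pre_ct_hook(const char *p) { return strncmp(p, "BAD", 3) ? NF_ACCEPT : NF_DROP; }
int setup_hooks(void)
{
    struct nf_hook_ops ct  = { conntrack_hook, NF_IP_PRI_CONNTRACK,     "conntrack" };
    struct nf_hook_ops pre = { pre_ct_hook,    NF_IP_PRI_CONNTRACK - 1, "pre_ct" };
    nregistered = 0;
    nf_register_hook(&ct);          /* the kernel's own module registers first */
    return nf_register_hook(&pre);  /* still sorted ahead of it: -201 < -200 */
}
```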
