Complex protocols such as FTP, H.323, SIP and RTSP require special treatment by
stateful packet filters and network address translators. Software implementing
such special treatment is often referred to as an "application level gateway" (ALG).
In the Linux netfilter world, they are called "conntrack helpers" and "NAT helpers".
So far, the Linux netfilter/iptables subsystem, much like its predecessor
ipchains, has only supported such helpers inside kernel space.
However, recent advances in the netfilter world such as nfnetlink_queue,
libnetfilter_queue, nfnetlink_conntrack and libnetfilter_conntrack provide
almost all the infrastructure required for running conntrack/NAT helpers in
userspace.
At this time, the author is working on the small missing piece, called
nfnetlink_cthelper and libnetfilter_cthelper. By the time the paper is
finished and presented, this code is expected to be in mainline and the first
userspace conntrack/NAT helpers are expected to be available.