Title: RE: [PATCH] Quake III Arena conntracker

Brad Chapman wrote:
>
> OK. I understand this analysis, but to me, it doesn't explain why
> this conntracker is needed. AFAICT on my system, everything is handled by
> the basic UDP conntrack code. Could you explain it a little better, please?
>

Ok, I'll try.

There is no problem playing Quake III behind a firewall that has an
"allow all UDP traffic" policy. However, when you want to trim down
the number of UDP ports to allow through your firewall, you run into
the following issue: over a third of the Internet Quake III servers
run on totally random ports, i.e. they don't use the default port 27960.
Yet, the IP addresses and ports are registered with a master server,
and that server can be queried by a Quake III client.

So tightening the security policy would mean you couldn't connect to
those servers anymore, hence the use of a connection tracking module
that tracks the query responses from a master server and
tags any future connection attempts as EXPECTED... As Harald noted,
you can now just add one line to allow UDP traffic to the master
server and then use --state RELATED for all the other game traffic.

Granted, this is not a conntracker that solves any problematic issues
with this protocol like there are with ftp, irc, H.323, etc., but I
just figured it would be a safe bet for a first attempt at writing
a netfilter module. Once I get the NAT thing sorted out, I'll have
a go at something more useful :-)

Regards,
Filip
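The mechanism Filip describes, as an added userspace model written for this page (it is not the netfilter module's code): a reply from the master server is parsed into expectations, and a later UDP packet to one of the announced servers is classified RELATED instead of NEW. The master-server address is constructed, and the `getserversResponse` framing (4 x 0xff, the keyword, then 6-byte IP/port records separated by `\` and ended by `\EOT`) is an assumption about the protocol, not something stated in the thread.

```python
"""Userspace model of the Quake III master-server expectation logic."""
import struct

MAGIC = b"\xff\xff\xff\xff"
RESPONSE_HDR = MAGIC + b"getserversResponse\\"   # assumed out-of-band framing
MASTER = ("192.0.2.10", 27950)                    # constructed master address


def parse_getservers_response(payload: bytes) -> list:
    """Extract (ip, port) records; returns [] for anything that isn't a response."""
    if not payload.startswith(RESPONSE_HDR):
        return []
    body, servers, i = payload[len(RESPONSE_HDR):], [], 0
    # Records are fixed 6-byte fields separated by '\', ending in '\EOT'.
    # Walking by offset (not split(b'\\')) keeps a 0x5c byte inside an IP
    # or port from corrupting the parse.
    while i + 6 <= len(body) and not body.startswith(b"EOT", i):
        ip = ".".join(str(b) for b in body[i:i + 4])
        port = struct.unpack("!H", body[i + 4:i + 6])[0]
        servers.append((ip, port))
        i += 7          # 6-byte record plus the '\' separator
    return servers


class Quake3Tracker:
    """Tracks UDP flows and raises expectations from master-server replies."""

    def __init__(self):
        self.flows = set()      # (src, dst) pairs already seen
        self.expected = set()   # (ip, port) game servers announced by the master

    def classify(self, src, dst, payload: bytes) -> str:
        """Return the conntrack state this packet would be matched with."""
        if (dst, src) in self.flows:            # reply to a flow we have seen
            if src == MASTER:                   # helper: learn the server list
                self.expected.update(parse_getservers_response(payload))
            return "ESTABLISHED"
        if (src, dst) in self.flows:
            return "ESTABLISHED"
        self.flows.add((src, dst))
        if dst in self.expected:                # matches a pending expectation
            self.expected.discard(dst)          # expectations are one-shot
            return "RELATED"
        return "NEW"


def build_response(servers) -> bytes:
    """Constructed master reply, used only to feed the model with sample data."""
    recs = [bytes(int(o) for o in ip.split(".")) + struct.pack("!H", port)
            for ip, port in servers]
    return RESPONSE_HDR + b"\\".join(recs) + b"\\EOT"
```

With this in place the firewall policy described above needs only an ACCEPT for UDP to `MASTER` plus a `--state RELATED,ESTABLISHED` rule; a packet to a server the master never announced stays NEW and is dropped.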
