* How to take over TCP connection from userspace process?
@ 2003-10-21  7:33 yangrunhua
  2003-10-21 13:47 ` Harald Welte
  0 siblings, 1 reply; 7+ messages in thread
From: yangrunhua @ 2003-10-21  7:33 UTC (permalink / raw)
  To: netfilter-devel

Hi all,
	With the help of netfilter/iptables, is there any way to do high-speed forwarding between two already-connected TCP connections in the kernel?
	Thanks,
				Runhua Yang


* Re: How to take over TCP connection from userspace process?
  2003-10-21  7:33 How to take over TCP connection from userspace process? yangrunhua
@ 2003-10-21 13:47 ` Harald Welte
       [not found]   ` <20031021145537.GA25030@superhijitus.linux.org.ar>
                     ` (2 more replies)
  0 siblings, 3 replies; 7+ messages in thread
From: Harald Welte @ 2003-10-21 13:47 UTC (permalink / raw)
  To: yangrunhua; +Cc: netfilter-devel


On Tue, Oct 21, 2003 at 03:33:22PM +0800, yangrunhua wrote:
> Hi all,
> 	With the help of netfilter/iptables, is there any way to high-speed forwarding between 2 already-connected TCP connections in the kernel?

I don't see how this could be related to netfilter/iptables at all.
The normal sendfile() system call may be helpful to you.

> 	Thanks,
> 				Runhua Yang

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie



* Re: How to take over TCP connection from userspace process?
       [not found]   ` <20031021145537.GA25030@superhijitus.linux.org.ar>
@ 2003-10-21 17:31     ` Harald Welte
  0 siblings, 0 replies; 7+ messages in thread
From: Harald Welte @ 2003-10-21 17:31 UTC (permalink / raw)
  To: Diego Woitasen (Lanux); +Cc: Netfilter Development Mailinglist


On Tue, Oct 21, 2003 at 11:55:37AM -0300, Diego Woitasen (Lanux) wrote:
> Runhua is talking about another issue, I think. He is talking about
> forwarding ESTABLISHED connections quickly, without traversing all rules.

This is policy, not mechanism.  ip_conntrack provides a mechanism (for
tracking connections).  How you use that information is policy.  Policy
is expressed by the ruleset or other local configuration.

> I think that this will be implemented in the new version of iptables (I
> thought about this some time ago). For example, for every connection we
> have an entry in the conntrack table; the entry must hold information about
> the filter rules that were consulted for the first packet of that connection.
> Then the packets of an ESTABLISHED connection will pass directly
> without a rule check.
> For this we need a new field(s) in struct skb that holds the necessary
> info, and nf_hook() will check this field(s) for a quick return.

No new field required at all.  That is exactly how ip_conntrack is used
today.  Your first (or one of the first) rules will be 'accept all
ESTABLISHED traffic'.  Thus, you iterate only over a single rule for
every packet _but_ the first.

> Diego Woitasen
> LUGar
-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


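A small Python model of the point Harald makes above (conntrack is the mechanism, the ruleset is the policy), added here as an illustration; it is not kernel or netfilter code. The flow table, the five-service ruleset and the 10.0.0.x addresses are constructed for the example. It counts how many rules each packet of one TCP flow touches with and without an "accept ESTABLISHED" rule at the head of the chain.

```python
"""Toy model of 'conntrack is mechanism, the ruleset is policy': a flow
table keyed by endpoints plus an ordered rule chain.  Constructed for this
thread; it is not kernel code, just a countable model of rule traversal."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ConntrackTable:
    """Mechanism: remember each TCP flow by its endpoints, both directions.
    A flow only counts as ESTABLISHED once a packet has been seen in the
    reply direction, loosely mirroring the kernel's SEEN_REPLY status bit."""

    def __init__(self):
        self.flows = {}  # frozenset({(ip, port), (ip, port)}) -> flow entry

    @staticmethod
    def key(p):
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def state(self, p):
        entry = self.flows.get(self.key(p))
        if entry is None:
            return "NEW"
        if entry["orig"] == (p.src, p.sport) and not entry["seen_reply"]:
            return "NEW"  # original direction, no reply seen yet
        return "ESTABLISHED"

    def confirm(self, p):
        """Called when a packet is accepted; creates or updates the flow."""
        entry = self.flows.setdefault(
            self.key(p), {"orig": (p.src, p.sport), "seen_reply": False})
        if entry["orig"] != (p.src, p.sport):
            entry["seen_reply"] = True


def run_chain(rules, conntrack, packet):
    """Policy: walk the rules in order.  Returns (verdict, rules_evaluated)."""
    state = conntrack.state(packet)
    for n, (_name, match, verdict) in enumerate(rules, start=1):
        if match(packet, state):
            if verdict == "ACCEPT":
                conntrack.confirm(packet)
            return verdict, n
    return "DROP", len(rules)  # constructed default policy


def ruleset(established_first):
    """A filter accepting five services.  With established_first=True the
    chain begins with the 'accept all ESTABLISHED' rule Harald describes."""
    rules = []
    if established_first:
        rules.append(("established", lambda p, s: s == "ESTABLISHED", "ACCEPT"))
    for port in (22, 25, 53, 80, 443):
        rules.append((f"port-{port}",
                      lambda p, s, port=port: port in (p.sport, p.dport),
                      "ACCEPT"))
    return rules


def rules_evaluated(established_first, data_packets=10):
    """Count rules touched per packet for one client->server TCP flow."""
    ct = ConntrackTable()
    rules = ruleset(established_first)
    client, server = ("10.0.0.2", 40000), ("10.0.0.1", 443)  # constructed
    flow = [Packet(*client, *server)]
    for i in range(data_packets):  # alternate directions after the opener
        flow.append(Packet(*server, *client) if i % 2 == 0
                    else Packet(*client, *server))
    return [run_chain(rules, ct, p)[1] for p in flow]


if __name__ == "__main__":
    for mode in (False, True):
        trace = rules_evaluated(mode)
        print(f"established-first={mode}: {trace} total={sum(trace)}")
```

With the ESTABLISHED rule first, the opening packet walks all six rules and every later packet stops at rule one (16 rule evaluations for eleven packets); without it, all eleven packets walk the five port rules (55 evaluations). The saving grows with the length of the ruleset, which is why that rule sits at the top of a stateful filter.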

* RE: How to take over TCP connection from userspace process?
  2003-10-21 13:47 ` Harald Welte
       [not found]   ` <20031021145537.GA25030@superhijitus.linux.org.ar>
@ 2003-10-22  3:44   ` yangrunhua
  2003-10-23  8:53     ` Harald Welte
  2003-10-22  3:50   ` yangrunhua
  2 siblings, 1 reply; 7+ messages in thread
From: yangrunhua @ 2003-10-22  3:44 UTC (permalink / raw)
  To: 'Harald Welte'; +Cc: netfilter-devel

But the sendfile() system call cannot copy from socket to socket, and only transfers in one direction.

What I need is: after I have authenticated TCP connection A (host A connected to me) and TCP connection B (host B connected to me), then let what host A sends (through TCP connection A) be directly forwarded to host B (through TCP connection B) in the kernel; meanwhile, what host B sends is directly forwarded to host A in the kernel.

That's much like MSN Messenger Server's relaying of webcam video streams between two peers after authenticating them. I want to do this relay in kernel space and the auth in userspace. It's much like the NGN softswitch's theory: control and auth separate from transfer.

That's very useful functionality. Can netfilter/iptables help with this? Could it be done by writing a new target or something?

Thanks,
	Runhua Yang




* RE: How to take over TCP connection from userspace process?
  2003-10-21 13:47 ` Harald Welte
       [not found]   ` <20031021145537.GA25030@superhijitus.linux.org.ar>
  2003-10-22  3:44   ` yangrunhua
@ 2003-10-22  3:50   ` yangrunhua
  2003-10-22  4:15     ` Jeremy Kerr
  2 siblings, 1 reply; 7+ messages in thread
From: yangrunhua @ 2003-10-22  3:50 UTC (permalink / raw)
  To: 'Harald Welte'; +Cc: netfilter-devel


* Re: How to take over TCP connection from userspace process?
  2003-10-22  3:50   ` yangrunhua
@ 2003-10-22  4:15     ` Jeremy Kerr
  0 siblings, 0 replies; 7+ messages in thread
From: Jeremy Kerr @ 2003-10-22  4:15 UTC (permalink / raw)
  To: netfilter-devel

> What I need is: after I authenticated TCP connection A(host A connected to
> me) and TCP connection B(host B connected to me), then let what host A send
> (through TCP connection A)directly forward to host B(through TCP connection
> B) in the kernel ,meanwhile, what host B send directly forward to host A in
> the kernel.

Sounds like the LVS project's TCP splicing code is what you're after:

http://www.linuxvirtualserver.org/software/tcpsp/index.html

This allows you to connect ('splice') two sockets together in userspace, so 
the subsequent forwarding is handled within the kernel. I've never used it 
myself though.


Jeremy


* Re: How to take over TCP connection from userspace process?
  2003-10-22  3:44   ` yangrunhua
@ 2003-10-23  8:53     ` Harald Welte
  0 siblings, 0 replies; 7+ messages in thread
From: Harald Welte @ 2003-10-23  8:53 UTC (permalink / raw)
  To: yangrunhua; +Cc: netfilter-devel


On Wed, Oct 22, 2003 at 11:44:56AM +0800, yangrunhua wrote:

> What I need is: after I authenticated TCP connection A(host A
> connected to me) and TCP connection B(host B connected to me), then
> let what host A send (through TCP connection A)directly forward to
> host B(through TCP connection B) in the kernel ,meanwhile, what host B
> send directly forward to host A in the kernel.

> That's much like MSN Messenger Server's relaying webcam video stream
> between two peers after authenticated them. I want to do this relay in
> kernel space and auth in the userspace. It's much like NGN
> softswitch's theory: control and auth separate from transfer.

> 
> That's much useful functionality. Can netfilter/iptables help this?
> done this by writing a new target or something?

No, it doesn't help.  What you are trying is intermixing the
packet-oriented paradigm with the connection/stream-oriented paradigm.

netfilter/iptables deals with individual packets.  So if you do NAT or
something, every packet that we receive is transmitted as another
packet.

If you accept a socket from userspace, then there are no more packets.  At
socket level you have a bidirectional stream of bytes.  So in order to
send the same data over another socket, you need to re-packetize that
stream. In the end, you will have different packets with different
flags, sequence numbers, and eventually size (depending on MTU), window
scaling, options, ...

So _either_ you authenticate based on layer 2 - layer 4 addresses, and you
deal with packets, _or_ you authenticate somehow within the TCP stream,
but then you don't have packets of a single connection, but rather two
separate connections, each with a stream of bytes in each direction.

This is not a limitation of netfilter/iptables.  It's about the
fundamentals of networking protocol layers.

> Thanks,
> 	Runhua Yang

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


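As an added example (not code from the thread, from LVS, or from netfilter), here is the userspace form of what Jeremy's pointer and Harald's last reply describe: authenticate each accepted connection in the control plane, then relay bytes between the two sockets. Each socket is a separate byte stream, so the relay reads a chunk from one side and sendall()s it on the other, and the local TCP stack builds fresh segments for the outgoing side. AUTH_TOKEN, the socketpair stand-ins for hosts A and B, and the demo payloads are constructed for the example.

```python
"""Userspace relay illustrating the stream-vs-packet point: once both peers
are accepted sockets there are no packets to forward, only two byte streams
to copy between.  Constructed example for this thread, not project code."""
import hmac
import selectors
import socket
import threading

AUTH_TOKEN = b"letmein\n"  # constructed shared secret for the demo


def authenticate(conn, token=AUTH_TOKEN, timeout=5.0):
    """Control plane: read one line from the peer and compare it in constant time."""
    conn.settimeout(timeout)
    line = b""
    try:
        while not line.endswith(b"\n") and len(line) < 256:
            byte = conn.recv(1)
            if not byte:
                return False
            line += byte
    except OSError:
        return False
    finally:
        conn.settimeout(None)
    return hmac.compare_digest(line, token)


def relay(a, b, bufsize=4096):
    """Data plane: copy bytes a->b and b->a until both directions hit EOF.
    Returns the byte count per direction.  Writes are blocking, so a peer
    that stops reading can stall the other direction; a production relay
    keeps a per-direction write buffer instead."""
    sel = selectors.DefaultSelector()
    peer = {a: b, b: a}
    counts = {"a_to_b": 0, "b_to_a": 0}
    for s in (a, b):
        sel.register(s, selectors.EVENT_READ)
    open_directions = 2
    while open_directions:
        for key, _ in sel.select():
            src = key.fileobj
            try:
                data = src.recv(bufsize)
            except OSError:
                data = b""
            if not data:  # EOF from src: pass the half-close on to its peer
                sel.unregister(src)
                try:
                    peer[src].shutdown(socket.SHUT_WR)
                except OSError:
                    pass
                open_directions -= 1
                continue
            peer[src].sendall(data)  # re-segmented by the outgoing socket's TCP
            counts["a_to_b" if src is a else "b_to_a"] += len(data)
    sel.close()
    return counts


def read_all(sock):
    """Drain a socket until its peer half-closes."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def demo(token_a=AUTH_TOKEN, token_b=AUTH_TOKEN):
    """Constructed end-to-end run: socketpairs stand in for hosts A and B."""
    host_a, conn_a = socket.socketpair()
    host_b, conn_b = socket.socketpair()
    socks = (host_a, host_b, conn_a, conn_b)
    host_a.sendall(token_a)
    host_b.sendall(token_b)
    result = {"authenticated": authenticate(conn_a) and authenticate(conn_b)}
    if not result["authenticated"]:  # never splice unauthenticated peers
        for s in socks:
            s.close()
        return result
    worker = threading.Thread(target=lambda: result.update(relay(conn_a, conn_b)))
    worker.start()
    host_a.sendall(b"hello from A")
    host_b.sendall(b"hello from B")
    host_a.shutdown(socket.SHUT_WR)
    host_b.shutdown(socket.SHUT_WR)
    result["b_received"] = read_all(host_b)
    result["a_received"] = read_all(host_a)
    worker.join()
    for s in socks:
        s.close()
    return result


if __name__ == "__main__":
    print(demo())
```

Running demo() shows each host receiving exactly what the other sent; the relay never sees a packet, only the two streams. A kernel-side splice such as the LVS tcpsp code Jeremy mentions removes the userspace copy, but it still has to re-segment on the outgoing socket for the reason Harald gives.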
