* How to take over TCP connection from userspace process?
  From: yangrunhua @ 2003-10-21 7:33 UTC
  To: netfilter-devel

Hi all,

With the help of netfilter/iptables, is there any way to do high-speed forwarding between 2 already-connected TCP connections in the kernel?

Thanks,
Runhua Yang
* Re: How to take over TCP connection from userspace process?
  From: Harald Welte @ 2003-10-21 13:47 UTC
  To: yangrunhua; +Cc: netfilter-devel

On Tue, Oct 21, 2003 at 03:33:22PM +0800, yangrunhua wrote:
> Hi all,
> With the help of netfilter/iptables, is there any way to do high-speed forwarding between 2 already-connected TCP connections in the kernel?

I don't see how this could be related to netfilter/iptables at all.
The normal sendfile() system call may be helpful to you.

> Thanks,
> Runhua Yang

-- 
- Harald Welte <laforge@netfilter.org>              http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
 architectural error that shows how much experimentation was going
 on while IP was being designed."                     -- Paul Vixie
* Re: How to take over TCP connection from userspace process?
  From: Harald Welte @ 2003-10-21 17:31 UTC
  To: Diego Woitasen (Lanux); +Cc: Netfilter Development Mailinglist

On Tue, Oct 21, 2003 at 11:55:37AM -0300, Diego Woitasen (Lanux) wrote:
> Runhua is talking about another issue, I think. He is talking about
> forwarding ESTABLISHED connections quickly, without traversing all rules.

This is policy, not mechanism. ip_conntrack provides a mechanism (for
tracking connections). How you use that information is policy. Policy is
expressed by the ruleset or other local configuration.

> I think that this will be implemented in the new version of iptables (I
> thought about this some time ago). For example, for every connection we
> have an entry in the conntrack table; the entry must hold information about
> the filter rules that were consulted for the first packet of that connection.
> Then the packets of an ESTABLISHED connection will be passed directly
> without a rule check.
> For this we need a new field(s) in struct skb that hold the necessary
> info, and nf_hook() will check this field(s) for a quick return.

No new field required at all. That is exactly how ip_conntrack is used
today. Your first (or one of the first) rules will be 'accept all
ESTABLISHED traffic'. Thus, you iterate only over a single rule for every
packet _but_ the first.

> Diego Woitasen
> LUGar

-- 
- Harald Welte <laforge@netfilter.org>              http://www.netfilter.org/
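Harald's mechanism-versus-policy point above, as an added illustration that is not code from this thread or from netfilter: a toy stateful filter in which the connection table is the mechanism and the rule order is the policy. With "accept ESTABLISHED" as the first rule, only the first packet of a flow walks the whole ruleset; every later packet in either direction stops at rule one, so no extra skb field is needed. The Packet tuple, the rule representation and the sample flow are constructed for this example, and the RELATED and INVALID states are left out.

```python
from collections import namedtuple

# Constructed 4-tuple of a TCP packet (protocol fixed to TCP in this toy).
Packet = namedtuple("Packet", "src sport dst dport")

class ConnTracker:
    """Mechanism (ip_conntrack's job): remember which flows have been seen."""

    def __init__(self):
        self.flows = set()

    def state(self, p):
        # Seen in either direction -> ESTABLISHED, else NEW (RELATED/INVALID omitted).
        fwd, rev = (p.src, p.sport, p.dst, p.dport), (p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))

def build_ruleset(noise):
    """Policy: ESTABLISHED fast path first, then 'noise' never-matching rules
    standing in for a long ruleset, then a rule admitting NEW flows to port 80."""
    rules = [("ACCEPT", lambda p, st: st == "ESTABLISHED")]
    rules += [("ACCEPT", lambda p, st, port=10000 + i: p.dport == port) for i in range(noise)]
    rules.append(("ACCEPT", lambda p, st: st == "NEW" and p.dport == 80))
    return rules

class Filter:
    def __init__(self, rules, policy="DROP"):
        self.rules, self.policy, self.ct = rules, policy, ConnTracker()

    def filter(self, p):
        """Walk the rules in order; return (verdict, number of rules evaluated)."""
        st = self.ct.state(p)
        verdict, checked = self.policy, 0
        for rule_verdict, match in self.rules:
            checked += 1
            if match(p, st):
                verdict = rule_verdict
                break
        if verdict == "ACCEPT":
            self.ct.confirm(p)  # like conntrack, confirm the entry only if the packet passes
        return verdict, checked

def demo(noise=50):
    """Constructed flow: client SYN, server SYN/ACK, client data, then a telnet attempt."""
    fw = Filter(build_ruleset(noise))
    c2s = Packet("10.0.0.1", 40000, "192.0.2.10", 80)
    s2c = Packet("192.0.2.10", 80, "10.0.0.1", 40000)
    telnet = Packet("10.0.0.1", 40001, "192.0.2.10", 23)
    return [fw.filter(p) for p in (c2s, s2c, c2s, telnet)]
```

With 50 filler rules, the opening SYN costs 52 rule evaluations, the reply and the following data packet cost one each, and a NEW flow to port 23 falls through all 52 rules to the DROP policy.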
* RE: How to take over TCP connection from userspace process?
  From: yangrunhua @ 2003-10-22 3:44 UTC
  To: 'Harald Welte'; +Cc: netfilter-devel

But the sendfile() system call does not support copying from socket to
socket, and only transfers in one direction.

What I need is: after I have authenticated TCP connection A (host A
connected to me) and TCP connection B (host B connected to me), let what
host A sends (through TCP connection A) be forwarded directly to host B
(through TCP connection B) in the kernel; meanwhile, what host B sends is
forwarded directly to host A in the kernel.

That's much like MSN Messenger Server relaying the webcam video stream
between two peers after authenticating them. I want to do this relay in
kernel space and the authentication in userspace. It's much like the NGN
softswitch theory: control and authentication are separated from transfer.

That's very useful functionality. Can netfilter/iptables help with this?
Could it be done by writing a new target or something?

Thanks,
Runhua Yang

-----Original Message-----
From: Harald Welte [mailto:laforge@netfilter.org]
Sent: Tuesday, October 21, 2003 9:47 PM
To: yangrunhua
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: How to take over TCP connection from userspace process?

On Tue, Oct 21, 2003 at 03:33:22PM +0800, yangrunhua wrote:
> Hi all,
> With the help of netfilter/iptables, is there any way to do high-speed forwarding between 2 already-connected TCP connections in the kernel?

I don't see how this could be related to netfilter/iptables at all.
The normal sendfile() system call may be helpful to you.

> Thanks,
> Runhua Yang

-- 
- Harald Welte <laforge@netfilter.org>              http://www.netfilter.org/
* Re: How to take over TCP connection from userspace process?
  From: Harald Welte @ 2003-10-23 8:53 UTC
  To: yangrunhua; +Cc: netfilter-devel

On Wed, Oct 22, 2003 at 11:44:56AM +0800, yangrunhua wrote:
> What I need is: after I have authenticated TCP connection A (host A
> connected to me) and TCP connection B (host B connected to me), let
> what host A sends (through TCP connection A) be forwarded directly to
> host B (through TCP connection B) in the kernel; meanwhile, what host B
> sends is forwarded directly to host A in the kernel.
> That's much like MSN Messenger Server relaying the webcam video stream
> between two peers after authenticating them. I want to do this relay in
> kernel space and the authentication in userspace. It's much like the NGN
> softswitch theory: control and authentication are separated from transfer.
>
> That's very useful functionality. Can netfilter/iptables help with this?
> Could it be done by writing a new target or something?

No, it doesn't help. What you are trying is intermixing the
packet-oriented paradigm with the connection/stream-oriented paradigm.

netfilter/iptables deals with individual packets. So if you do NAT or
something, every packet that we receive is transmitted as another packet.

If you accept a socket from userspace, then there are no more packets.
At socket level you have a bidirectional stream of bytes. So in order to
send the same data over another socket, you need to re-packetize that
stream. In the end, you will have different packets with different flags,
sequence numbers, and eventually size (depending on MTU), window scaling,
options, ...

So _either_ you authenticate based on layer 2 - layer 4 addresses, and you
deal with packets, _or_ you authenticate somehow within the TCP stream,
but then you don't have packets of a single connection, but rather two
separate connections, each with a stream of bytes in each direction.

This is not a limitation of netfilter/iptables. It's about the
fundamentals of networking protocol layers.

> Thanks,
> Runhua Yang

-- 
- Harald Welte <laforge@netfilter.org>              http://www.netfilter.org/
* RE: How to take over TCP connection from userspace process?
  From: yangrunhua @ 2003-10-22 3:50 UTC
  To: 'Harald Welte'; +Cc: netfilter-devel

But the sendfile() system call does not support copying from socket to
socket, and only transfers in one direction.

What I need is: after I have authenticated TCP connection A (host A
connected to me) and TCP connection B (host B connected to me), let what
host A sends (through TCP connection A) be forwarded directly to host B
(through TCP connection B) in the kernel; meanwhile, what host B sends is
forwarded directly to host A in the kernel.

That's much like MSN Messenger Server relaying the webcam video stream
between two peers after authenticating them. I want to do this relay in
kernel space and the authentication in userspace. It's much like the NGN
softswitch theory: control and authentication are separated from transfer.

That's very useful functionality. Can netfilter/iptables help with this?
Could it be done by writing a new target or something?

Thanks,
Runhua Yang
* Re: How to take over TCP connection from userspace process?
  From: Jeremy Kerr @ 2003-10-22 4:15 UTC
  To: netfilter-devel

> What I need is: after I have authenticated TCP connection A (host A connected to
> me) and TCP connection B (host B connected to me), let what host A sends
> (through TCP connection A) be forwarded directly to host B (through TCP connection
> B) in the kernel; meanwhile, what host B sends is forwarded directly to host A in
> the kernel.

Sounds like the LVS project's TCP splicing code is what you're after:

http://www.linuxvirtualserver.org/software/tcpsp/index.html

This allows you to connect ('splice') two sockets together in userspace,
so the subsequent forwarding is handled within the kernel.

I've never used it myself though.

Jeremy