* Netfilter as an application.
@ 2004-01-16 16:39 kernel_learner
  0 siblings, 0 replies; 7+ messages in thread
From: kernel_learner @ 2004-01-16 16:39 UTC (permalink / raw)
  To: netfilter

Dear All,

 How's it going! I am looking for something that I am
not sure currently exists. Basically I want to make a
version of netfilter that's free from all the
kernel-level and networking stack hooks. I am looking
for a plain simpler version of netfilter which does
not interact with the kernel or the networking stack
in any way. It would be a standard user program which
a person with normal privileges could compile and run.
What would it do? It could do the same things that
netfilter does...i.e. filter packets/NAT etc. However
the input could be driven from a "main" function which
"fakes" packets arriving on the network (this could be
driven from a trace).

Does such a thing exist?

How easy/difficult would it be to hack into the
current netfilter code to remove all the
networking/kernel hooks it has?

Could someone guide me as to how exactly to go about
doing this? i.e. where the hooks are..in the code?

I was also looking for documentation on the code...I
mean is there a documentation that explains the
software architecture?

Sorry for too many questions! :|

Cheers!
KeRNEL_LeaRNER

"Metallica- The mother of all ye metal bands."

__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus



* Netfilter as an application
@ 2004-01-16 19:47 kernel_learner
  2004-01-16 20:06 ` Allen Francom
  2004-01-17  2:00 ` Jeremy Kerr
  0 siblings, 2 replies; 7+ messages in thread
From: kernel_learner @ 2004-01-16 19:47 UTC (permalink / raw)
  To: netfilter-devel


Dear All,

 How's it going! I am looking for something that I am
not sure currently exists. Basically I want to make a
version of netfilter that's free from all the
kernel-level and networking stack hooks. I am looking
for a plain simpler version of netfilter which does
not interact with the kernel or the networking stack
in any way. It would be a standard user program which
a person with normal privileges could compile and run.
What would it do? It could do the same things that
netfilter does...i.e. filter packets/NAT etc. However
the input could be driven from a "main" function which
"fakes" packets arriving on the network (this could be
driven from a trace).

Does such a thing exist?

How easy/difficult would it be to hack into the
current netfilter code to remove all the
networking/kernel hooks it has?

Could someone guide me as to how exactly to go about
doing this? i.e. where the hooks are..in the code?

Sorry for too many questions! :|

Cheers!
KeRNEL_LeaRNER

P.S: SORRY for first Posting to Users...didn't realise
it was the wrong place to post such a question.



* Re: Netfilter as an application
  2004-01-16 19:47 Netfilter as an application kernel_learner
@ 2004-01-16 20:06 ` Allen Francom
  2004-01-16 21:47   ` kernel_learner
  2004-01-17  2:00 ` Jeremy Kerr
  1 sibling, 1 reply; 7+ messages in thread
From: Allen Francom @ 2004-01-16 20:06 UTC (permalink / raw)
  To: kernel_learner; +Cc: netfilter-devel


Um...

One way or another I think the "user" will at least
have to have "root" privileges.

Netfilter I don't think will do what you want, I think
it is totally dependent on the kernel.

You might look at Snort.  www.snort.org

-AEF

On Fri, 16 Jan 2004, kernel_learner wrote:
>  How's it going! I am looking for something that I am
> not sure currently exists. Basically I want to make a
> version of netfilter that's free from all the
> kernel-level and networking stack hooks. I am looking
> for a plain simpler version of netfilter which does
> not interact with the kernel or the networking stack
> in any way. It would be a standard user program which
> a person with normal privileges could compile and run.


* Re: Netfilter as an application
  2004-01-16 20:06 ` Allen Francom
@ 2004-01-16 21:47   ` kernel_learner
  2004-01-16 22:40     ` Henrik Nordstrom
  2004-01-17  5:35     ` Allen Francom
  0 siblings, 2 replies; 7+ messages in thread
From: kernel_learner @ 2004-01-16 21:47 UTC (permalink / raw)
  To: Allen Francom; +Cc: netfilter-devel

Thanks Allen,

 However I am not sure why you think the user should have
user privileges. I am not saying I will use netfilter
as it is. I am thinking of modifying netfilter so that
I can use it as a user application just for
demonstration purposes. I just need some initial
guidance to start off in the right direction:

What exactly does the netfilter use from the Linux
kernel?

Where exactly does it interact with the kernel? 

I am wading through the source code right now but I am
unable to find those exact points.

Most of the extensions are modules..which is fine..I
can easily convert them to user-application-code.

I hope I am making myself clear...

_LEARNer



--- Allen Francom <aef@tempest.prismnet.com> wrote:
> 
> Um...
> 
> One way or another I think the "user" will at least
> have to have "root" privileges.
> 
> Netfilter I don't think will do what you want, I
> think
> it is totally dependent on the kernel.
> 
> You might look at Snort.  www.snort.org
> 
> -AEF
> 
> On Fri, 16 Jan 2004, kernel_learner wrote:
> >  How's it going! I am looking for something that I
> am
> > not sure currently exists. Basically I want to
> make a
> > version of netfilter that's free from all the
> > kernel-level and networking stack hooks. I am
> looking
> > for a plain simpler version of netfilter which
> does
> > not interact with the kernel or the networking
> stack
> > in any way. It would be a standard user program
> which
> > a person with normal privileges could compile and
> run.
> 




* Re: Netfilter as an application
  2004-01-16 21:47   ` kernel_learner
@ 2004-01-16 22:40     ` Henrik Nordstrom
  2004-01-17  5:35     ` Allen Francom
  1 sibling, 0 replies; 7+ messages in thread
From: Henrik Nordstrom @ 2004-01-16 22:40 UTC (permalink / raw)
  To: kernel_learner; +Cc: Allen Francom, netfilter-devel

On Fri, 16 Jan 2004, kernel_learner wrote:

> What exactly does the netfilter use from the Linux kernel?

Not much. It is essentially a separate entity called by the hooks in the 
Linux TCP/IP stack.

There are some dependencies on routing etc., but this is only relevant if
you are planning on doing stuff related to routing such as mangle or NAT.

> Where exactly does it interact with the kernel? 

The kernel sends packets to the Netfilter modules via the netfilter 
hooks.

If netfilter selects to delay a packet then the packet is later 
reintroduced to the kernel via the nf_reinject() function.

The userspace communicates with iptables via getsockopt() calls to install 
iptables rulesets etc.

Netfilter is fully contained in the netfilter directories and headers,
plus some support functions in net/core/netfilter.c taking care of the
gory details of registering new hook handlers, getsockopt operations etc.


The Netfilter hacking howto guide has some good information on how a 
Netfilter module such as iptables interacts with the kernel.



Personally I find using the user-mode-linux approach very suitable if one
wants to use netfilter as an application. You then have a 100% complete
application running iptables (or whatever) with all of the support given
by the kernel without requiring any root privileges. Root is only required
if you want to set up network connectivity to the host, not for
communication between user-mode-linux nodes.

Regards
Henrik


* Re: Netfilter as an application
  2004-01-16 19:47 Netfilter as an application kernel_learner
  2004-01-16 20:06 ` Allen Francom
@ 2004-01-17  2:00 ` Jeremy Kerr
  1 sibling, 0 replies; 7+ messages in thread
From: Jeremy Kerr @ 2004-01-17  2:00 UTC (permalink / raw)
  To: kernel_learner, netfilter-devel


> Basically I want to make a
> version of netfilter that's free from all the
> kernel-level and networking stack hooks. 

The Netfilter Simulation Environment (nfsim) provides exactly that - a 
userspace environment for running and testing netfilter code. It's up at:

http://ozlabs.org/~jk/projects/nfsim/


Jeremy


* Re: Netfilter as an application
  2004-01-16 21:47   ` kernel_learner
  2004-01-16 22:40     ` Henrik Nordstrom
@ 2004-01-17  5:35     ` Allen Francom
  1 sibling, 0 replies; 7+ messages in thread
From: Allen Francom @ 2004-01-17  5:35 UTC (permalink / raw)
  To: kernel_learner; +Cc: netfilter-devel


Hi,

Well, in order for a user-space application to get
at the raw packets and presumably do things like
set promiscuous mode on ethernet adapter(s), that
takes root privileges for one thing (last I tried).

Netfilter, what I know of it and what I've tried,
has cornfused me because it seemed intertwined
/ interdependent with kernel code and libraries
and gets packets in a structure that is generated
by the kernel etc., and so on. (Too much for
me to try and deal with given limited time.)

To me, netfilter does not look or feel like an
application having much if anything to do with
user-space.

However, I have done a few things with the IPQUEUE
"userspace module" extension ability.

This is where you can run a user program that gets
packets out of the kernel NETFILTER via a -j IPQUEUE
rule and it goes to your listening program.

Then you can in your program inspect the packets,
Accept, Deny or Drop them, and even modify the packets.

That's one thing.

I suggested Snort because it is all user-space and might
be more appropriate for your tinkerings due to the
way your request sounded.

Snort I believe throws promiscuous mode on the
adapters and that takes root privileges.

Netfilter code itself, to me (and I'm no genius here),
is not what I'd start with for anything in
user-space, and from what I've seen I wouldn't even
try to finagle the code into working in user-space.

It is kernel stuff with some command-line utilities
to manipulate the rules.  That's how I look at
netfilter.

Indeed, build a linux kernel and see all the kernel
modules.  Then look at the code to those modules
and see all the dependencies on other kernel code.

If I'm not mistaken, netfilter relies entirely on
the kernel network stack and cannot "stand-alone".

Too yucky to try in my book.

So I second my own recommendation to look at things
like Snort instead.

Also maybe try hogwash, and there are a couple other similar
projects.

Perhaps though what you want after reflecting on it
is to use the Netfilter IPQUEUE extension.

But not if you truly need or want an entirely
userspace self-contained something.

IMHO
-AEF


On Fri, 16 Jan 2004, kernel_learner wrote:

> Thanks Allen,
>
>  However I am not sure why you think user should have
> user priveleges. I am not saying I will use netfilter
> as it is.

> What exactly does the netfilter use from the Linux
> kernel?
>
> Where exactly does it interact with the kernel?
>
> Most of the extensions are modules..which is fine..I
> can easily convert them to user-application-code.
> I hope I am making myself clear...

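Henrik's description of the hook chain and nf_reinject(), and Allen's description of the IPQUEUE path where a userspace listener hands a verdict back, can both be modelled in a single user program of the kind the original poster asked for. The C below is an added example written for this page; it is not code from the thread, from the netfilter source or from nfsim. The struct pkt layout, the rule table, the addresses and the single "pending" slot that stands in for ip_queue are constructed for illustration, and nf_register_hook(), nf_iterate() and nf_reinject() here are simplified models of the kernel functions of the same names (real ones take an sk_buff and live in net/core/netfilter.c), not the kernel's own code.

```c
#include <stdint.h>
#include <stdio.h>

/* Verdict values as in linux/netfilter.h; the hook numbers here are only positional. */
enum { NF_DROP = 0, NF_ACCEPT = 1, NF_STOLEN = 2, NF_QUEUE = 3 };
enum { NF_IP_PRE_ROUTING, NF_IP_LOCAL_IN, NF_IP_FORWARD, NF_IP_LOCAL_OUT,
       NF_IP_POST_ROUTING, NF_IP_NUMHOOKS };

/* Stand-in for struct sk_buff: only the header fields a filter reads (constructed layout). */
struct pkt {
    uint32_t saddr, daddr;   /* IPv4 addresses, host byte order */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dport;
    int      hooknum;        /* filled in when queued so nf_reinject() knows where to resume */
    int      resume_at;
};

typedef unsigned (*hook_fn)(struct pkt *p, void *priv);

struct hook_ops {            /* the subset of nf_hook_ops this model needs */
    hook_fn fn;
    void   *priv;
    int     hooknum;
    int     priority;        /* lower runs first, as in the kernel */
};

#define MAX_OPS 8
static struct hook_ops hooks[NF_IP_NUMHOOKS][MAX_OPS];
static int nhooks[NF_IP_NUMHOOKS];

/* Model of nf_register_hook(): insert so each hook point's list stays sorted by priority. */
int nf_register_hook(const struct hook_ops *h)
{
    int n = nhooks[h->hooknum], i = n;
    if (n == MAX_OPS) return -1;
    while (i > 0 && hooks[h->hooknum][i - 1].priority > h->priority) {
        hooks[h->hooknum][i] = hooks[h->hooknum][i - 1];
        i--;
    }
    hooks[h->hooknum][i] = *h;
    nhooks[h->hooknum] = n + 1;
    return 0;
}

/* Where ip_queue would hand a packet to the userspace listener: a single pending slot. */
static struct pkt *pending;
struct pkt *nf_pending_packet(void) { return pending; }

/* Model of nf_iterate(): run ops from 'start'; the first verdict other than ACCEPT ends the walk. */
static unsigned nf_iterate(struct pkt *p, int hooknum, int start)
{
    for (int i = start; i < nhooks[hooknum]; i++) {
        unsigned v = hooks[hooknum][i].fn(p, hooks[hooknum][i].priv);
        if (v == NF_ACCEPT) continue;
        if (v == NF_QUEUE) {             /* remember where to resume after reinjection */
            p->hooknum = hooknum;
            p->resume_at = i + 1;
            pending = p;
        }
        return v;                        /* DROP, STOLEN or QUEUE stops the chain here */
    }
    return NF_ACCEPT;
}

/* What the stack's NF_HOOK() does at each hook point: run the chain, report the verdict. */
unsigned nf_hook(struct pkt *p, int hooknum) { return nf_iterate(p, hooknum, 0); }

/* Model of nf_reinject(): the listener's verdict comes back; ACCEPT resumes the remaining ops. */
unsigned nf_reinject(struct pkt *p, unsigned verdict)
{
    pending = NULL;
    return verdict == NF_ACCEPT ? nf_iterate(p, p->hooknum, p->resume_at) : verdict;
}

/* A first-match filter table with a default policy, registered as an ordinary hook. */
struct rule  { uint32_t net, mask; uint8_t proto; uint16_t dport; unsigned target; };
struct table { const struct rule *rules; int n; unsigned policy; };

static unsigned filter_hook(struct pkt *p, void *priv)
{
    const struct table *t = priv;
    for (int i = 0; i < t->n; i++) {
        const struct rule *r = &t->rules[i];
        if ((p->saddr & r->mask) != r->net) continue;
        if (r->proto && r->proto != p->proto) continue;
        if (r->dport && r->dport != p->dport) continue;
        return r->target;
    }
    return t->policy;
}

/* Constructed ruleset: drop all of 10.0.0.0/8, queue TCP/80 to the listener, accept the rest. */
static const struct rule rules[] = {
    { 0x0A000000u, 0xFF000000u, 0, 0,  NF_DROP  },
    { 0,           0,           6, 80, NF_QUEUE },
};
static const struct table input_table = { rules, 2, NF_ACCEPT };

static int n_passed;                     /* packets that reached the op after the filter */
static unsigned count_hook(struct pkt *p, void *priv) { (void)p; (void)priv; n_passed++; return NF_ACCEPT; }
int nf_passed_count(void) { return n_passed; }

/* Register the counter first and the filter second; priority sorting still runs the filter first. */
void setup_hooks(void)
{
    static const struct hook_ops c = { count_hook,  NULL,                 NF_IP_LOCAL_IN, 100 };
    static const struct hook_ops f = { filter_hook, (void *)&input_table, NF_IP_LOCAL_IN, 0 };
    nf_register_hook(&c);
    nf_register_hook(&f);
}

int main(void)
{
    setup_hooks();
    struct pkt a = { 0x0A010203u, 0xC0A80001u, 6, 22, 0, 0 };  /* 10.1.2.3 -> port 22 */
    struct pkt b = { 0xC0A80002u, 0xC0A80001u, 6, 80, 0, 0 };  /* 192.168.0.2 -> port 80 */
    printf("a: verdict %u\n", nf_hook(&a, NF_IP_LOCAL_IN));            /* 0 = NF_DROP */
    printf("b: verdict %u (queued)\n", nf_hook(&b, NF_IP_LOCAL_IN));   /* 3 = NF_QUEUE */
    printf("b reinjected: %u, passed=%d\n", nf_reinject(&b, NF_ACCEPT), nf_passed_count());
    return 0;
}
```

The "main" that feeds fake packets is exactly the trace-driven driver the original question describes; replacing the two struct pkt literals with a loop over a parsed capture would give the user-level test bench, with no root privileges and no kernel hooks involved. What it deliberately omits is everything Henrik lists as kernel dependencies: routing decisions, NAT and the sk_buff itself, which is why the real code cannot simply be lifted out of the tree.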
