remove connections notification by conntrack?

remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 1505 bytes --]

Hello,

We wrote a netfilter module which is using conntrack to distinguish different 
connections. We only need this for UDP "connections" and we use the following 
functions from conntrack to achieve that.

	proto = ip_conntrack_proto_find_get(skb->nh.iph->protocol);
	if (ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4, &tuple,proto)) {
		h = ip_conntrack_find_get(&tuple, NULL);
		....
	}

We use the connection IDs of conntrack to distinguish between the connections 
within a list.
The problem we are having is that we also need to delete entries out of that 
list if a connection is going to be removed but we didn't find a proper 
solution to that.
We tried to define a function for ip_conntrack_destroyed but this doesn't seem 
to be called properly because when a UDP connection is removed 
from /proc/net/ip_conntrack the function will not be called. Nevertheless the 
function is called but with, for us, unknown connection IDs and to strange 
times.
This method also doesn't seem to be a good solution because NAT seems to be 
using it and this would mean we would get troubles if our module is running 
while NAT is running too.

We also tried the notifier system of conntrack with registering on it. 
(ip_conntrack_register_notifier(&nb);)
But this doesn't seem to give us the needed information.

Now the question for us is, if we can somehow implement a nice solution for 
this.
Does somebody know of such a solution?

Best regards,
Thomas Mader

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Pablo Neira Ayuso]

Thomas Mader wrote:
> Hello,
> 
> We wrote a netfilter module which is using conntrack to distinguish different 
> connections. We only need this for UDP "connections" and we use the following 
> functions from conntrack to achieve that.
> 
> 	proto = ip_conntrack_proto_find_get(skb->nh.iph->protocol);
> 	if (ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4, &tuple,proto)) {
> 		h = ip_conntrack_find_get(&tuple, NULL);
> 		....
> 	}
> 
> We use the connection IDs of conntrack to distinguish between the connections 
> within a list.
> The problem we are having is that we also need to delete entries out of that 
> list if a connection is going to be removed but we didn't find a proper 
> solution to that.
> We tried to define a function for ip_conntrack_destroyed but this doesn't seem 
> to be called properly because when a UDP connection is removed 
> from /proc/net/ip_conntrack the function will not be called. Nevertheless the 
> function is called but with, for us, unknown connection IDs and to strange 
> times.
> This method also doesn't seem to be a good solution because NAT seems to be 
> using it and this would mean we would get troubles if our module is running 
> while NAT is running too.
> 
> We also tried the notifier system of conntrack with registering on it. 
> (ip_conntrack_register_notifier(&nb);)
> But this doesn't seem to give us the needed information.
> 
> Now the question for us is, if we can somehow implement a nice solution for 
> this.
> Does somebody know of such a solution?

Could you post the code?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 2729 bytes --]

> Could you post the code?

struct conn_id {
	int id;
	struct list_head elem;
	struct list_head tstamps;
};

struct conn_stamp {
	double stamp;
	struct list_head elem;
};

static LIST_HEAD(list);

void destroyed_connect(struct ip_conntrack *conntrack) {
	printk("destroy id %u\n", conntrack->id);
}

static int match(const struct sk_buff *skb,
                 const struct net_device *in,
                 const struct net_device *out,
		 const struct xt_match *match,
                 const void *matchinfo,
                 int offset,
		 unsigned int protoff,
                 int *hotdrop)
{
.....
	proto = ip_conntrack_proto_find_get(skb->nh.iph->protocol);


	if (ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4, &tuple,proto)) {

		h = ip_conntrack_find_get(&tuple, NULL);
		if (h) {
			//printk("dstp: %u\n", ntohs(h->tuple.dst.u.udp.port) );
			ipct = tuplehash_to_ctrack(h);
			if (ipct) {
				int found_id = 0;
				struct conn_stamp *new_stamp;
				connection_id = ipct->id;

				if(!list_empty(&list)) {
					struct conn_id *p;
					
					list_for_each_entry(p, &list, elem) {
						if (connection_id == p->id) {
							found_id = 1;
							new_stamp = (struct conn_stamp*)kmalloc(sizeof(struct conn_stamp), 
GFP_KERNEL);
							if(!new_stamp) {
								printk("new_stamp not allocated!\n");
								return 1;
							}
							
							new_stamp->stamp = sec;
							list_add_tail(&new_stamp->elem, &p->tstamps);
							printk("new tstamp added to already existing id %d\n", p->id);
							break;
						}
					}
				}
				if(!found_id) {
					struct conn_id* new_id = (struct conn_id*)kmalloc(sizeof(struct conn_id), 
GFP_KERNEL);
					if(!new_id) {
						printk("new_id not allocated!\n");
						return 1;
					}
					
					new_id->id = connection_id;
					INIT_LIST_HEAD(&new_id->elem);
					list_add_tail(&new_id->elem, &list);
					
					new_stamp = (struct conn_stamp*)kmalloc(sizeof(struct conn_stamp), 
GFP_KERNEL);
					if(!new_stamp) {
						printk("new_stamp not allocated!\n");
						return 1;
					}
							
					new_stamp->stamp = sec;
					INIT_LIST_HEAD(&new_id->tstamps);
					list_add_tail(&new_stamp->elem, &new_id->tstamps);
					printk("new tstamp added to new created id %d\n", new_id->id);
				}
			}
		}
	}
.....
   return 1;
}

int notify(struct notifier_block *nb, unsigned long ul, void *v) {
	printk("We have been notified!\n");	
	
	return 0;
}

struct notifier_block nb = { notify, &nb, 1 }; 


static int __init init(void)
{
	need_conntrack();
	ip_conntrack_register_notifier(&nb);
	ip_conntrack_destroyed = destroyed_connect;

	return ipt_register_match(&ipaddr_match);
}

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Pablo Neira Ayuso]

Thomas,

Thomas Mader wrote:
>> Could you post the code?
> 
> struct conn_id {
> 	int id;
> 	struct list_head elem;
> 	struct list_head tstamps;
> };
> 
> struct conn_stamp {
> 	double stamp;
> 	struct list_head elem;
> };
> 
> static LIST_HEAD(list);
> 
> void destroyed_connect(struct ip_conntrack *conntrack) {
> 	printk("destroy id %u\n", conntrack->id);
> }
> 
> static int match(const struct sk_buff *skb,
>                  const struct net_device *in,
>                  const struct net_device *out,
> 		 const struct xt_match *match,
>                  const void *matchinfo,
>                  int offset,
> 		 unsigned int protoff,
>                  int *hotdrop)
> {
> .....
> 	proto = ip_conntrack_proto_find_get(skb->nh.iph->protocol);
> 
> 
> 	if (ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4, &tuple,proto)) {
> 
> 		h = ip_conntrack_find_get(&tuple, NULL);
> 		if (h) {
> 			//printk("dstp: %u\n", ntohs(h->tuple.dst.u.udp.port) );
> 			ipct = tuplehash_to_ctrack(h);
> 			if (ipct) {
> 				int found_id = 0;
> 				struct conn_stamp *new_stamp;
> 				connection_id = ipct->id;
> 
> 				if(!list_empty(&list)) {
> 					struct conn_id *p;
> 					
> 					list_for_each_entry(p, &list, elem) {
> 						if (connection_id == p->id) {
> 							found_id = 1;
> 							new_stamp = (struct conn_stamp*)kmalloc(sizeof(struct conn_stamp), 
> GFP_KERNEL);
> 							if(!new_stamp) {
> 								printk("new_stamp not allocated!\n");
> 								return 1;
> 							}
> 							
> 							new_stamp->stamp = sec;
> 							list_add_tail(&new_stamp->elem, &p->tstamps);
> 							printk("new tstamp added to already existing id %d\n", p->id);
> 							break;
> 						}
> 					}
> 				}
> 				if(!found_id) {
> 					struct conn_id* new_id = (struct conn_id*)kmalloc(sizeof(struct conn_id), 
> GFP_KERNEL);
> 					if(!new_id) {
> 						printk("new_id not allocated!\n");
> 						return 1;
> 					}
> 					
> 					new_id->id = connection_id;
> 					INIT_LIST_HEAD(&new_id->elem);
> 					list_add_tail(&new_id->elem, &list);
> 					
> 					new_stamp = (struct conn_stamp*)kmalloc(sizeof(struct conn_stamp), 
> GFP_KERNEL);
> 					if(!new_stamp) {
> 						printk("new_stamp not allocated!\n");
> 						return 1;
> 					}
> 							
> 					new_stamp->stamp = sec;
> 					INIT_LIST_HEAD(&new_id->tstamps);
> 					list_add_tail(&new_stamp->elem, &new_id->tstamps);
> 					printk("new tstamp added to new created id %d\n", new_id->id);
> 				}
> 			}
> 		}
> 	}
> .....
>    return 1;
> }
> 
> int notify(struct notifier_block *nb, unsigned long ul, void *v) {

Use the event API, do not forget to enable it (it's still marked as
experimental): have a look at ctnetlink_conntrack_event inside
ip_conntrack_netlink.c, that will help I think.

Use the unsigned long parameter of your notify function above and wait
for the event IPCT_DESTROY.

BTW, some tips about the code that I hope that you can find useful:

Don't nest the code like that, it is hard to read and really ugly, I
always tell that to my students: invert the logic, check for errors not
for sucess, I don't blame I used to do that time ago.

Don't forget that a foo_get(...) operation usually requires a
foo_put(...) afterwards.

There is no floating point in kernel (double) because of portability issues

And, out of curiosity, what do you want to do? Can't you do it with
ctnetlink and in userspace?

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 3111 bytes --]

> Use the event API, do not forget to enable it (it's still marked as
> experimental): have a look at ctnetlink_conntrack_event inside
> ip_conntrack_netlink.c, that will help I think.
>
> Use the unsigned long parameter of your notify function above and wait
> for the event IPCT_DESTROY.

Now it looks like this:

int ipaddr_conntrack_event(struct notifier_block *this, unsigned long events, 
void *ptr) {
	struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
	
	if (events == IPCT_DESTROY) {
		printk("We have been notified that connection %d was deleted!\n", ct->id);
	}
	
	return 0;
}


static struct notifier_block ctnl_notifier = { 
	.notifier_call = ipaddr_conntrack_event,
}; 


static int __init init(void)
{
	int ret;
	need_conntrack();
	ret = ip_conntrack_register_notifier(&ctnl_notifier);
	if (ret < 0) {
		printk("ipaddr_init: cannot register notifier.\n");
		goto err_unreg_notifier;
	}
	//ip_conntrack_destroyed = destroyed_connect;
     
	printk(KERN_CRIT "init!\n");
   	return ipt_register_match(&ipaddr_match);
	
err_unreg_notifier:
		ip_conntrack_unregister_notifier(&ctnl_notifier);
		return 1;
}

But the problem remains the same. It works for TCP and I get properly notified 
about those but not about UDP.


> BTW, some tips about the code that I hope that you can find useful:
>
> Don't nest the code like that, it is hard to read and really ugly, I
> always tell that to my students: invert the logic, check for errors not
> for sucess, I don't blame I used to do that time ago.
>
> Don't forget that a foo_get(...) operation usually requires a
> foo_put(...) afterwards.

Thanks for your comments we are hacking kernel stuff for the first time.


> There is no floating point in kernel (double) because of portability issues

We need to save the arriving time of the packets and we need a bit of 
precision.
It would work also when we would save sec and usec separately but this would 
make everything more complicated and for now we are just trying things out.

> And, out of curiosity, what do you want to do? Can't you do it with
> ctnetlink and in userspace?

We thought about that when we started but than it happend that we started 
implementing  as kernel space only. ;)
Our main focus was performance but maybe we need to go into userspace fully 
because we need to save a lot of data.

We try to write a module which detects bursts and if a burst was detected a 
package will be injected at the end of the burst.
We will make a kernel space module first which saves just one time stamp and 
id per connection. (The list I posted earlier makes somthing different but I 
get the idea mentioned right now some time later)
Then we implement a second algorithm for detecting bursts which is much more 
complicated than that and relies on a special container structer which could 
be implemented with lists afair.
The thing is that we will need much memory for this and therefore should be 
placed in userspace maybe.

Is there a general rule when to write something for user/kernel space?

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Pablo Neira Ayuso]

Thomas Mader wrote:
>> Use the event API, do not forget to enable it (it's still marked as
>> experimental): have a look at ctnetlink_conntrack_event inside
>> ip_conntrack_netlink.c, that will help I think.
>>
>> Use the unsigned long parameter of your notify function above and wait
>> for the event IPCT_DESTROY.
> 
> Now it looks like this:
> 
> int ipaddr_conntrack_event(struct notifier_block *this, unsigned long events, 
> void *ptr) {
> 	struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
> 	
> 	if (events == IPCT_DESTROY) {

events & IPCT_DESTROY

> 		printk("We have been notified that connection %d was deleted!\n", ct->id);
> 	}
> 	
> 	return 0;
> }
> 
> 
> static struct notifier_block ctnl_notifier = { 
> 	.notifier_call = ipaddr_conntrack_event,
> }; 
> 
> 
> static int __init init(void)
> {
> 	int ret;
> 	need_conntrack();
> 	ret = ip_conntrack_register_notifier(&ctnl_notifier);
> 	if (ret < 0) {
> 		printk("ipaddr_init: cannot register notifier.\n");
> 		goto err_unreg_notifier;
> 	}
> 	//ip_conntrack_destroyed = destroyed_connect;
>      
> 	printk(KERN_CRIT "init!\n");
>    	return ipt_register_match(&ipaddr_match);
> 	
> err_unreg_notifier:
> 		ip_conntrack_unregister_notifier(&ctnl_notifier);
> 		return 1;
> }
> 
> But the problem remains the same. It works for TCP and I get properly notified 
> about those but not about UDP.

Try with what I told you above and let me know if it works

>> BTW, some tips about the code that I hope that you can find useful:
>>
>> Don't nest the code like that, it is hard to read and really ugly, I
>> always tell that to my students: invert the logic, check for errors not
>> for sucess, I don't blame I used to do that time ago.
>>
>> Don't forget that a foo_get(...) operation usually requires a
>> foo_put(...) afterwards.
> 
> Thanks for your comments we are hacking kernel stuff for the first time.

;)

>> There is no floating point in kernel (double) because of portability issues
> 
> We need to save the arriving time of the packets and we need a bit of 
> precision.
> It would work also when we would save sec and usec separately but this would 
> make everything more complicated and for now we are just trying things out.
> 
>> And, out of curiosity, what do you want to do? Can't you do it with
>> ctnetlink and in userspace?
> 
> We thought about that when we started but than it happend that we started 
> implementing  as kernel space only. ;)
> Our main focus was performance but maybe we need to go into userspace fully 
> because we need to save a lot of data.
> 
> We try to write a module which detects bursts and if a burst was detected a 
> package will be injected at the end of the burst.
> We will make a kernel space module first which saves just one time stamp and 
> id per connection. (The list I posted earlier makes somthing different but I 
> get the idea mentioned right now some time later)
> Then we implement a second algorithm for detecting bursts which is much more 
> complicated than that and relies on a special container structer which could 
> be implemented with lists afair.
> The thing is that we will need much memory for this and therefore should be 
> placed in userspace maybe.
> 
> Is there a general rule when to write something for user/kernel space?

Probably this is a good idea, have a look a libnetfilter_queue, there is
some unnofficial docs available on the web to start with.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 1164 bytes --]

On Sunday 24 September 2006 05:10, Pablo Neira Ayuso wrote:
> events & IPCT_DESTROY
>
> > 		printk("We have been notified that connection %d was deleted!\n",
> > ct->id); }
> >
> > 	return 0;
> > }
> >
> >
> > static struct notifier_block ctnl_notifier = {
> > 	.notifier_call = ipaddr_conntrack_event,
> > };
> >
> >
> > static int __init init(void)
> > {
> > 	int ret;
> > 	need_conntrack();
> > 	ret = ip_conntrack_register_notifier(&ctnl_notifier);
> > 	if (ret < 0) {
> > 		printk("ipaddr_init: cannot register notifier.\n");
> > 		goto err_unreg_notifier;
> > 	}
> > 	//ip_conntrack_destroyed = destroyed_connect;
> >
> > 	printk(KERN_CRIT "init!\n");
> >    	return ipt_register_match(&ipaddr_match);
> >
> > err_unreg_notifier:
> > 		ip_conntrack_unregister_notifier(&ctnl_notifier);
> > 		return 1;
> > }
> >
> > But the problem remains the same. It works for TCP and I get properly
> > notified about those but not about UDP.
>
> Try with what I told you above and let me know if it works

No it doesn't. I tried "events & IPCT_DESTROY" already and it didn't work. Now 
I tested it once again with same result.


[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 1491 bytes --]

Thomas Mader wrote:
> On Sunday 24 September 2006 05:10, Pablo Neira Ayuso wrote:
>> events & IPCT_DESTROY
>>
>>> 		printk("We have been notified that connection %d was deleted!\n",
>>> ct->id); }
>>>
>>> 	return 0;
>>> }
>>>
>>>
>>> static struct notifier_block ctnl_notifier = {
>>> 	.notifier_call = ipaddr_conntrack_event,
>>> };
>>>
>>>
>>> static int __init init(void)
>>> {
>>> 	int ret;
>>> 	need_conntrack();
>>> 	ret = ip_conntrack_register_notifier(&ctnl_notifier);
>>> 	if (ret < 0) {
>>> 		printk("ipaddr_init: cannot register notifier.\n");
>>> 		goto err_unreg_notifier;
>>> 	}
>>> 	//ip_conntrack_destroyed = destroyed_connect;
>>>
>>> 	printk(KERN_CRIT "init!\n");
>>>    	return ipt_register_match(&ipaddr_match);
>>>
>>> err_unreg_notifier:
>>> 		ip_conntrack_unregister_notifier(&ctnl_notifier);
>>> 		return 1;
>>> }
>>>
>>> But the problem remains the same. It works for TCP and I get properly
>>> notified about those but not about UDP.
>> Try with what I told you above and let me know if it works
> 
> No it doesn't. I tried "events & IPCT_DESTROY" already and it didn't work. Now 
> I tested it once again with same result.

Works fine here with the toy module attached:

Sep 24 17:30:52 Decadence kernel: protonum=17
Sep 24 17:31:26 Decadence last message repeated 2 times
Sep 24 17:31:47 Decadence kernel: protonum=6

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

[-- Attachment #2: modulo.c --]
[-- Type: text/x-csrc, Size: 781 bytes --]

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>

static int conntrack_event(struct notifier_block *this,
			   unsigned long events, 
			   void *ptr)
{
	struct ip_conntrack *ct = (struct ip_conntrack *)ptr;

	if (events & IPCT_DESTROY)
		printk("protonum=%d\n", ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);

	return 0;
}

static struct notifier_block ctnl_notifier = { 
	.notifier_call = conntrack_event,
}; 

static int __init hello_init(void)
{
	int ret;

	need_conntrack();
	ret = ip_conntrack_register_notifier(&ctnl_notifier);
	if (ret < 0)
		printk("ipaddr_init: cannot register notifier.\n");

	return ret;
}

module_init(hello_init);

MODULE_LICENSE("GPL");

Re: remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 4453 bytes --]

Hi Pablo,
we figured out what the problem was some time ago, sorry for the delay. We 
forgot to put it back as you said earlier.
We want to publish our code soon here on the mailinglist to finish this topic 
and to help others with our code as an example but we don't find out how to 
send ICMP packets from kernelspace.
Maybe you or somebody else could point us to some code example or something so 
we can implement it? We searched the kernel code and the net for examples but 
we wasn't successful at finding working examples.
We want to send an ICMP echo request to the destination of the UDP flows and 
measure the round-trip-time with the returning echo reply.
Here is something of what we tried to send such a request.

									struct sk_buff *buf;
									struct iphdr* iph = (struct iphdr*)kmalloc(sizeof(struct iphdr), 
GFP_KERNEL);
									struct icmphdr* icmph = (struct icmphdr*)kmalloc(sizeof(struct 
icmphdr), GFP_KERNEL);
									if (!iph || !icmph)
										printk("Could not allocate iph or icmph\n");
								

									buf = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr)+ 
2*(skb->dev->addr_len+4)
											                                 + LL_RESERVED_SPACE(skb->dev), 
GFP_ATOMIC);

									//buf = dev_alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr));
									if(!buf)
										printk("error\n");
									
									skb_reserve(buf, LL_RESERVED_SPACE(skb->dev));
									buf->nh.iph = buf->data;
									icmph = (struct icmphdr *) skb_put(buf,sizeof(struct iphdr) + 
sizeof(struct icmphdr) + 2*(skb->dev->addr_len+4));
									buf->dev = skb->dev;
									buf->protocol = htons(ETH_P_IP);
									buf->sk = skb->sk;
									
									icmph->type = ICMP_ECHO; //8
									icmph->code = ICMP_ECHO; //0
									icmph->checksum = 0;
									icmph->un.echo.id = connection_id;
									icmph->un.echo.sequence = 0;
									
									iph->version = 4;
									iph->ihl = 5;
									iph->tos = 0;
									iph->tot_len = sizeof(struct iphdr) + sizeof(struct icmphdr);
									iph->id = htons(0);
									iph->frag_off = 0;
									iph->ttl = 64;
									iph->protocol = IPPROTO_ICMP;
	//								iph->check //in_cksum((unsigned short *)ip, sizeof(struct iphdr));
									iph->saddr = skb->nh.iph->daddr;
									iph->daddr = skb->nh.iph->saddr;

	//								buf.mac.raw =
	//								buf.cb = NULL;

									buf->h.icmph = icmph;
									buf->nh.iph = iph;
									
									p->echo_request = 1;*/
									//TODO send ICMP echo request
									// We are getting a warning for the first arg here, dunno why
									//icmp_send(buf, 8, 0, 0);
									//icmp_send(buf, ICMP_ECHO , ICMP_ECHO , 0);
									skb->sk = icmp_socket->sk;
									icmp_send(skb, ICMP_ECHO, ICMP_ECHO, 0);
									//kfree(buf);
									//kfree(iph);
									//kfree(icmph);

best regards,
Thomas

On Sunday 24 September 2006 17:34, you wrote:
> Thomas Mader wrote:
> > On Sunday 24 September 2006 05:10, Pablo Neira Ayuso wrote:
> >> events & IPCT_DESTROY
> >>
> >>> 		printk("We have been notified that connection %d was deleted!\n",
> >>> ct->id); }
> >>>
> >>> 	return 0;
> >>> }
> >>>
> >>>
> >>> static struct notifier_block ctnl_notifier = {
> >>> 	.notifier_call = ipaddr_conntrack_event,
> >>> };
> >>>
> >>>
> >>> static int __init init(void)
> >>> {
> >>> 	int ret;
> >>> 	need_conntrack();
> >>> 	ret = ip_conntrack_register_notifier(&ctnl_notifier);
> >>> 	if (ret < 0) {
> >>> 		printk("ipaddr_init: cannot register notifier.\n");
> >>> 		goto err_unreg_notifier;
> >>> 	}
> >>> 	//ip_conntrack_destroyed = destroyed_connect;
> >>>
> >>> 	printk(KERN_CRIT "init!\n");
> >>>    	return ipt_register_match(&ipaddr_match);
> >>>
> >>> err_unreg_notifier:
> >>> 		ip_conntrack_unregister_notifier(&ctnl_notifier);
> >>> 		return 1;
> >>> }
> >>>
> >>> But the problem remains the same. It works for TCP and I get properly
> >>> notified about those but not about UDP.
> >>
> >> Try with what I told you above and let me know if it works
> >
> > No it doesn't. I tried "events & IPCT_DESTROY" already and it didn't
> > work. Now I tested it once again with same result.
>
> Works fine here with the toy module attached:
>
> Sep 24 17:30:52 Decadence kernel: protonum=17
> Sep 24 17:31:26 Decadence last message repeated 2 times
> Sep 24 17:31:47 Decadence kernel: protonum=6

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Pablo Neira Ayuso]

Thomas Mader wrote:
> we figured out what the problem was some time ago, sorry for the delay. We 
> forgot to put it back as you said earlier.
> We want to publish our code soon here on the mailinglist to finish this topic 
> and to help others with our code as an example but we don't find out how to 
> send ICMP packets from kernelspace.
> Maybe you or somebody else could point us to some code example or something so 
> we can implement it? We searched the kernel code and the net for examples but 
> we wasn't successful at finding working examples.

Is send_icmp what you look for? See ipt_REJECT.c, I think that it can
serve as example.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: remove connections notification by conntrack?

[Thomas Mader]

[-- Attachment #1: Type: text/plain, Size: 1222 bytes --]

We started to look into ipt_REJECT.c and searched through the code for 
send_icmp examples but we never were successful on sending paket.
It seems the problems lies in the setup of an skb for send_icmp. As you can 
see from the codesample earlier we played around with setting it up but 
nothing worked. We also tried to generate a raw socket for it but nothing was 
successful.
We also never found a code part in the kernel where the skb is created by 
searching on occurances of send_icmp.

On Sunday 15 October 2006 18:11, you wrote:
> Thomas Mader wrote:
> > we figured out what the problem was some time ago, sorry for the delay.
> > We forgot to put it back as you said earlier.
> > We want to publish our code soon here on the mailinglist to finish this
> > topic and to help others with our code as an example but we don't find
> > out how to send ICMP packets from kernelspace.
> > Maybe you or somebody else could point us to some code example or
> > something so we can implement it? We searched the kernel code and the net
> > for examples but we wasn't successful at finding working examples.
>
> Is send_icmp what you look for? See ipt_REJECT.c, I think that it can
> serve as example.

[-- Attachment #2: Type: application/pgp-signature, Size: 827 bytes --]

Re: remove connections notification by conntrack?

[Alan Ezust]

Hi - i'm rather new to this list and trying to learn as much as I can about 
this API. I see that for this particular function, there are no API docs. You 
make reference to "unofficial API docs" on a website, but shouldn't there be 
actual proper doc comments before the function? i.e.

/** @param  this - a reference to a notifier block, which will be used for ???
     @param events - a bitmask - please see ifnetlink.h for the possible 
values
     @param ptr - a pointer to a struct ip_conntrack for the purposes of ???
     @return it seems to return NOTIFY_DONE under every possible exec path.
*/
static int ctnetlink_conntrack_event(struct notifier_block *this,
                                     unsigned long events, void *ptr)




On Saturday 23 September 2006 02:23, Thomas Mader wrote:
> > Use the event API, do not forget to enable it (it's still marked as
> > experimental): have a look at ctnetlink_conntrack_event inside
> > ip_conntrack_netlink.c, that will help I think.
> >
> > Use the unsigned long parameter of your notify function above and wait
> > for the event IPCT_DESTROY.
>
> Now it looks like this:
>
> int ipaddr_conntrack_event(struct notifier_block *this, unsigned long
> events, void *ptr) {
> 	struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
>
> 	if (events == IPCT_DESTROY) {
> 		printk("We have been notified that connection %d was deleted!\n",
> ct->id); }
>
> 	return 0;
> }