From: Patrick McHardy <kaber@trash.net>
To: Patrick Schaaf <bof@bof.de>
Cc: Ethan Dameron <efd@duke.edu>, netfilter-devel@lists.netfilter.org
Subject: Re: Raw Sockets and Netfilter
Date: Tue, 25 Mar 2003 09:05:56 +0100
Message-ID: <3E800DE4.9070000@trash.net>
In-Reply-To: <20030325072544.GI18652@oknodo.bof.de>

Patrick Schaaf wrote:

>On Tue, Mar 25, 2003 at 02:06:59AM -0500, Ethan Dameron wrote:
>
>>If I have an IP datagram in userspace and I send it via a raw socket
>>created with socket(PF_INET, SOCK_RAW, IPPROTO_RAW) using the send()
>>system call, will this packet traverse the netfilter chains?
>
>No. Raw sockets bypass the TCP/IP stack. Netfilter hooks, and
>consequently iptables, sit inside the IP stack.

Then what is the purpose of ip_conntrack_local:

static unsigned int ip_conntrack_local(...)
{
        /* root is playing with raw sockets. */
        /* Locally generated packet too short to hold an IP header, or an
         * IHL that claims a header shorter than the 20-byte minimum:
         * accept it without handing it to connection tracking. */
        if ((*pskb)->len < sizeof(struct iphdr)
            || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
                if (net_ratelimit())
                        printk("ipt_hook: happy cracking.\n");
                return NF_ACCEPT;
        }
        /* Otherwise the packet takes the normal conntrack input path. */
        return ip_conntrack_in(hooknum, pskb, in, out, okfn);
}

Seems like it could be eliminated entirely if you're correct.

Regards,
Patrick
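
The exchange above concerns datagrams written through an IPPROTO_RAW socket and the header sanity check in ip_conntrack_local(). The program below is an added example, not code from this thread or from the kernel: it builds an IPv4/UDP datagram in userspace, applies the same two checks the quoted kernel fragment makes (total length, then IHL) to the buffer, and hands it to socket(PF_INET, SOCK_RAW, IPPROTO_RAW). The function names, the loopback addresses, ports, IP id and "hello" payload are constructed choices of mine; that IPPROTO_RAW implies IP_HDRINCL on Linux is documented in raw(7).

```c
/* Added example, not code from the thread or the kernel: build an IPv4/UDP
 * datagram, apply ip_conntrack_local()'s two header checks, and send it via
 * socket(PF_INET, SOCK_RAW, IPPROTO_RAW). Addresses, ports, id and payload
 * are constructed sample values. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <sys/socket.h>

/* RFC 1071 one's-complement checksum, returned in network byte order. */
uint16_t ip_checksum(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return htons((uint16_t)~sum);
}

/* The two conditions ip_conntrack_local() tests: room for a struct iphdr,
 * and an IHL not claiming a header shorter than 20 bytes. 1 = conntrack
 * would inspect the packet, 0 = it is waved through ("happy cracking"). */
int passes_conntrack_sanity(const uint8_t *pkt, size_t len)
{
    return len >= sizeof(struct iphdr) &&
           (size_t)(pkt[0] & 0x0f) * 4 >= sizeof(struct iphdr);
}

/* A correct header sums to zero once its own check field is included. */
int header_checksum_ok(const uint8_t *pkt, size_t len)
{
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (len < hlen || hlen < sizeof(struct iphdr))
        return 0;
    return ip_checksum(pkt, hlen) == 0;
}

/* Build IPv4 + UDP + payload into buf; returns total length, 0 on error. */
size_t build_ipv4_udp(uint8_t *buf, size_t cap, const char *src, const char *dst,
                      uint16_t sport, uint16_t dport, const void *payload, size_t plen)
{
    struct iphdr ip;
    struct udphdr udp;
    size_t total = sizeof ip + sizeof udp + plen;
    if (cap < total || total > 0xffff)
        return 0;
    memset(&ip, 0, sizeof ip);
    ip.version  = 4;
    ip.ihl      = 5;                        /* 20-byte header, no options */
    ip.tot_len  = htons((uint16_t)total);
    ip.id       = htons(0x1234);            /* constructed sample id */
    ip.ttl      = 64;
    ip.protocol = IPPROTO_UDP;
    if (inet_pton(AF_INET, src, &ip.saddr) != 1 ||
        inet_pton(AF_INET, dst, &ip.daddr) != 1)
        return 0;
    ip.check = ip_checksum(&ip, sizeof ip); /* check field is still 0 here */
    memset(&udp, 0, sizeof udp);            /* UDP check left 0: optional over IPv4 */
    udp.source = htons(sport);
    udp.dest   = htons(dport);
    udp.len    = htons((uint16_t)(sizeof udp + plen));
    memcpy(buf, &ip, sizeof ip);
    memcpy(buf + sizeof ip, &udp, sizeof udp);
    memcpy(buf + sizeof ip + sizeof udp, payload, plen);
    return total;
}

/* Constructed sample: 127.0.0.1 -> 127.0.0.1, UDP 40000 -> 9 (discard), "hello". */
size_t build_sample_packet(uint8_t *buf, size_t cap)
{
    return build_ipv4_udp(buf, cap, "127.0.0.1", "127.0.0.1", 40000, 9, "hello", 5);
}

/* Hand a complete datagram to the kernel. On Linux IPPROTO_RAW implies
 * IP_HDRINCL (raw(7)); needs CAP_NET_RAW. Returns 0 on success. */
int send_raw_ipv4(const uint8_t *pkt, size_t len)
{
    struct sockaddr_in to;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_RAW);
    if (fd < 0)
        return -1;
    memset(&to, 0, sizeof to);
    to.sin_family = AF_INET;
    memcpy(&to.sin_addr, pkt + 16, 4);      /* daddr sits at offset 16 */
    ssize_t n = sendto(fd, pkt, len, 0, (struct sockaddr *)&to, sizeof to);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

int main(void)
{
    uint8_t buf[1500];
    size_t n = build_sample_packet(buf, sizeof buf);
    printf("%zu bytes, sanity %d\n", n, passes_conntrack_sanity(buf, n));
    return send_raw_ipv4(buf, n);           /* non-zero without CAP_NET_RAW */
}
```

The datagram is addressed to loopback, so running it as root is harmless; a buffer whose first byte is 0x43 (IHL 3) or that is shorter than 20 bytes is exactly what the kernel check above accepts without passing it to conntrack, and passes_conntrack_sanity() returns 0 for both.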

Thread overview:
2003-03-25  7:06 Raw Sockets and Netfilter Ethan Dameron
2003-03-25  7:25 ` Patrick Schaaf
2003-03-25  8:05   ` Patrick McHardy [this message]
2003-03-25  8:12     ` Patrick Schaaf
2003-03-25  9:11       ` Patrick McHardy
2003-03-26 15:32   ` Harald Welte
2003-03-26 16:13     ` David Poole
2003-03-25 14:30 ` David Poole