* can tcp stream reassembly be done in netfilter
@ 2003-08-26 2:21 zhengchuanbo
From: zhengchuanbo @ 2003-08-26 2:21 UTC (permalink / raw)
To: netfilter-devel
Can netfilter do the tcp stream reassembly? I mean something like what snort
do in the stream process. I wish this could be done in the kernel.
regards,
chuanbo zheng
zhengchuanbo@sina.com
* Re: can tcp stream reassembly be done in netfilter
From: Evrim ULU @ 2003-08-26 20:38 UTC (permalink / raw)
To: netfilter-devel
Oskar Andreasson wrote:
> On Tue, 26 Aug 2003, zhengchuanbo wrote:
>
> > Can netfilter do the tcp stream reassembly? I mean something like
> > what snort do in the stream process. I wish this could be done in the
> > kernel.
>
> No, netfilter is a packet filter. It works on a per packet basis, below
> streams. That's when you should use snort or proxy solutions of one sort
> or another.
Hi,
I am considering trying this one. Snort is crap, based on my
examinations of its tcp reassembly code (see state evasion bug). The Linux
kernel includes tcp reassembly and one can use it to glue data for
signature checks. The only reason for this is: *why don't we have a
kernel based signature IDS?* Anybody interested in discussion may mail
me; I don't want to abuse ppl here.
Evrim.
* New netfilter module.
From: Christian Hentschel @ 2003-08-27 2:16 UTC (permalink / raw)
To: netfilter-devel
Please,
I'm trying to write a new module and I need some help ;).
What I need to do is a module to DNAT UDP packets, but always to the same IP if they came from a particular IP... I don't know if I'm clear, but the idea is to use it for UDP RAS messages in an H.323 session, having a proxy that balances all those messages to some RAS servers.
Well, I thought to write a NAT helper module, but I don't know if it's right; maybe the right thing is to write a new target module?
Please can someone give me a hand with this?
Thanks a lot in advance.
Christian.
* Re: can tcp stream reassembly be done in netfilter
From: Oskar Andreasson @ 2003-08-27 8:35 UTC (permalink / raw)
To: zhengchuanbo; +Cc: netfilter-devel
On Tue, 26 Aug 2003, zhengchuanbo wrote:
> Can netfilter do the tcp stream reassembly? I mean something like
> what snort do in the stream process. I wish this could be done in the
> kernel.
No, netfilter is a packet filter. It works on a per packet basis, below
the transport layer. Actually it does do some work on the transport layer,
but not much, and definitely not a lot of work on the application layers.
All of this comes down to one thing: netfilter simply doesn't care about
streams. That's when you should use snort or proxy solutions of one sort
or another.
>
> regards,
> chuanbo zheng
> zhengchuanbo@sina.com
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net
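To make Oskar's point concrete (a packet filter sees one segment at a time, while the signature check Evrim wants needs the glued stream), here is an added example that is not from this thread and not netfilter or kernel code: a minimal in-order TCP payload reassembler over constructed segments, with the same signature looked up per packet and over the reassembled stream. Segment, reassemble, the sample bytes and the sequence numbers are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a filter would see it (constructed, not a real capture)."""
    seq: int        # relative sequence number of the first payload byte
    payload: bytes


def per_packet_match(segments, signature):
    """The per-packet view: true only if one segment alone holds the signature."""
    return any(signature in s.payload for s in segments)


def reassemble(segments):
    """Glue payloads into one contiguous stream in sequence order.

    Out-of-order arrivals are sorted, a retransmitted or overlapping segment
    keeps the bytes already accepted (first wins), and a hole stops the
    reassembly so callers only match on bytes the receiver could also see."""
    stream = bytearray()
    expected = 0                    # next sequence number we can append at
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            break                   # gap: the missing segment has not arrived
        skip = expected - seg.seq   # bytes of this segment already in stream
        fresh = seg.payload[skip:]
        stream += fresh
        expected += len(fresh)
    return bytes(stream)


def stream_match(segments, signature):
    """The stream view: match over the reassembled bytes."""
    return signature in reassemble(segments)


# Constructed sample: the signature straddles two segments that arrive out
# of order, plus one retransmission of the first segment.
SIGNATURE = b"/etc/passwd"
SEGMENTS = [
    Segment(13, b"wd HTTP/1.0\r\n\r\n"),
    Segment(0, b"GET /etc/pass"),
    Segment(0, b"GET /etc/pass"),   # duplicate (retransmit)
]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS, SIGNATURE))  # False
    print("stream match:    ", stream_match(SEGMENTS, SIGNATURE))      # True
```

The per-packet check misses the split signature while the stream check finds it, which is exactly the gap between a packet filter and the stream processing the original question asks about.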
* Re: can tcp stream reassembly be done in netfilter
From: Harald Welte @ 2003-08-30 19:06 UTC (permalink / raw)
To: Oskar Andreasson; +Cc: zhengchuanbo, netfilter-devel
On Wed, Aug 27, 2003 at 10:35:10AM +0200, Oskar Andreasson wrote:
> On Tue, 26 Aug 2003, zhengchuanbo wrote:
>
> > Can netfilter do the tcp stream reassembly? I mean something like
> > what snort do in the stream process. I wish this could be done in the
> > kernel.
>
> No, netfilter is a packet filter. It works on a per packet basis, below
> the transport layer. Actually it does do some work on the transport layer,
> but not much, and definitely not a lot of work on the application layers.
>
> All of this comes down to one thing: netfilter simply doesn't care about
> streams. That's when you should use snort or proxy solutions of one sort
> or another.
Thanks for this excellent reply.
I have to add that there is a project for linux kernel stream reassembly
and pattern-matching: libqsearch. Try google :)
--
- Harald Welte <laforge@netfilter.org> http://www.netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early
architectural error that shows how much experimentation was going
on while IP was being designed." -- Paul Vixie
* Re: can tcp stream reassembly be done in netfilter
From: Oskar Andreasson @ 2003-08-31 20:14 UTC (permalink / raw)
To: Harald Welte; +Cc: zhengchuanbo, netfilter-devel
On Sat, 30 Aug 2003, Harald Welte wrote:
>
> I have to add that there is a project for linux kernel stream reassembly
> and pattern-matching: libqsearch. Try google :)
>
Hmmm, but does this hook into netfilter in any way, or does it have any
kind of interface for tcp/ip or socket filtering etcetera? Curiosity, you
know.
Sidenote, are the netfilter.org lists extremely dead, or is it just me not
getting any mails...?
----
Oskar Andreasson
http://www.frozentux.net
http://iptables-tutorial.frozentux.net
http://ipsysctl-tutorial.frozentux.net
mailto:blueflux@koffein.net