* How/where does the kernel map packets to an application ...
From: Andrej Ricnik @ 2004-01-14 20:10 UTC
  To: netfilter-devel

Hi Guys,

and sorry for asking this here, I'm aware of the fact that
this isn't quite the right list to do so, in fact, I don't even
know how to word my question properly, so please bear
with me.

Since you're pretty close to what I suspect to be the right
layer to be looking at I hope someone might understand
what I'm on about :)

My idea is to write an addition to netfilter that will check 
the originating application of an IP request against a list
of allowed files, and if I handle that well enough, integrate
a roster of user/application to check whether a request is
legal or not.

My question is:
At which point does the kernel determine which application
an incoming packet is meant for? Imagine one user having
mozilla and opera open, using both for browsing. Another
user having a links session in a console. How does the
kernel determine which application is meant to receive
an incoming packet on port 80? I hope that once I understand
how this works I could for instance use lsof or a
tool the like to intercept illegal requests by matching
against application name/path ...

If this is a FAQ, or just plain stupid, please throw me a
link to appropriate documentation.

Thanks in advance, and thanks for your patience,
Cheers,
Tink

* Re: How/where does the kernel map packets to an application ...
From: Pablo Neira @ 2004-01-14 23:48 UTC
  To: andrej, netfilter-devel

Hi Andrei,

Andrej Ricnik wrote:

>Hi Guys,
>
>and sorry for asking this here, I'm aware of the fact that
>this isn't quite the right list to do so, in fact, I don't even
>know how to word my question properly, so please bear
>with me.
>
>Since you're pretty close to what I suspect to be the right
>layer to be looking at I hope someone might understand
>what I'm on about :)
>
>My idea is to write an addition to netfilter that will check 
>the originating application of an IP request against a list
>of allowed files, and if I handle that well enough, integrate
>a roster of user/application to check whether a request is
>legal or not.
>
>My question is:
>At which point does the kernel determine which application
>an incoming packet is meant for?
>

Actually, netfilter can't know which application that packet is
coming for, because it works in the network/transport layer (levels 3/4
of the OSI model); I mean that netfilter can only manage data packets
(they are contained in a network buffer, see the skbuff structure).
What you want to do is packet filtering from the application layer.

> Imagine one user having
>mozilla and opera open, using both for browsing. Another
>user having a links session in a console. How does the
>kernel determine which application is meant to receive
>an incoming packet on port 80? I hope that once I understand
>how this works I could for instance use lsof or a
>tool the like to intercept illegal requests by matching
>against application name/path ...
>
If it's only web traffic, it would be a good idea to perform the
filtering via a proxy.

cheers,
Pablo

* Re: How/where does the kernel map packets to an application ...
From: Henrik Nordstrom @ 2004-01-15  7:10 UTC
  To: Andrej Ricnik; +Cc: netfilter-devel

On Thu, 15 Jan 2004, Andrej Ricnik wrote:

> My idea is to write an addition to netfilter that will check 
> the originating application of an IP request against a list
> of allowed files, and if I handle that well enough, integrate
> a roster of user/application to check whether a request is
> legal or not.

Doesn't this exist already... checking. You should be able to use the
owner match for this purpose.

> At which point does the kernel determine which application
> an incoming packet is meant for?

Ah, incoming packets. Then the situation is a little harder. The owner 
match only works on outgoing packets.

> Imagine one user having mozilla and opera open, using both for browsing.
> Another user having a links session in a console.

For this, matching outgoing packets is sufficient. Allows you to control 
which applications are allowed to initiate sessions to the network.

For incoming packets you use conntrack to allow only packets belonging to 
sessions accepted above.

> How does the kernel determine which application is meant to receive an
> incoming packet on port 80?

By the socket the packet belongs to. Known to iptables on outgoing 
packets, but on incoming packets the socket is not yet known as this 
is determined by the TCP/UDP layers which are after iptables.

Regards
Henrik
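As an added illustration of the scheme Henrik describes (this is not code from the thread or from the netfilter project), the script below generates an iptables-restore ruleset: the OUTPUT chain lets only sockets owned by a per-application group open NEW sessions to a given port, and the INPUT chain accepts nothing except packets that conntrack ties to a session accepted on the way out. The owner match's per-command and per-PID variants that existed in 2004 were later removed from the kernel, so the example keys on the group the application runs as; the group names "browsers" and "mail" and the `generate_ruleset`/`count_app_rules` helpers are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or the netfilter project.
# Generates an iptables-restore ruleset implementing per-application
# filtering on OUTPUT (owner match) plus conntrack-only acceptance on INPUT,
# where the receiving socket is not yet known at the netfilter hook.
#
# Assumption: each allowed application is started under a dedicated group
# (hypothetical groups "browsers", "mail"), e.g. `sg browsers -c firefox`,
# so that `-m owner --gid-owner <group>` identifies its sockets.

# generate_ruleset "group:port group:port ..."  -> ruleset on stdout
generate_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# INPUT: the owner match is only valid in OUTPUT/POSTROUTING, so the only way
# to tie an incoming packet to an application is via the session conntrack
# recorded when the OUTPUT rules below accepted its first packet.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One rule per application: NEW TCP sessions to its port, and only from
    # sockets owned by its group.
    for spec in $1; do
        group=${spec%%:*}
        port=${spec#*:}
        printf '%s\n' "-A OUTPUT -p tcp --dport $port -m conntrack --ctstate NEW -m owner --gid-owner $group -j ACCEPT"
    done
    cat <<'EOF'
# Any other attempt to open a session is logged (rate-limited) and then
# dropped by the chain policy.
-A OUTPUT -m conntrack --ctstate NEW -m limit --limit 5/min -j LOG --log-prefix "app-fw blocked: "
COMMIT
EOF
}

# Number of per-application OUTPUT rules in a generated ruleset.
count_app_rules() {
    generate_ruleset "$1" | grep -c -- '--gid-owner'
}

# Usage (as root):
#   generate_ruleset "browsers:80 browsers:443 mail:993" > /tmp/app-fw.rules
#   iptables-restore < /tmp/app-fw.rules
```

The ruleset only covers TCP; a browser also needs name resolution, which would take an analogous `-p udp --dport 53` rule for the same group. Note that the owner match says nothing about which binary is running, only which user or group owns the socket, so the "roster of user/application" in the original question reduces here to one group per application.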

* Re: How/where does the kernel map packets to an application ...
From: Martin Josefsson @ 2004-01-15 19:34 UTC
  To: Henrik Nordstrom; +Cc: Andrej Ricnik, Netfilter-devel

On Thu, 2004-01-15 at 08:10, Henrik Nordstrom wrote:

> > At which point does the kernel determine which application
> > an incoming packet is meant for?
> 
> Ah, incoming packets. Then the situation is a little harder. The owner 
> match only works on outgoing packets.

extra/owner-socketlookup.patch from patch-o-matic adds support for
looking it up for incoming packets.
It's basically a layering violation, but it works...

-- 
/Martin
