using ip_queue in kernel space

using ip_queue in kernel space

[Unit Zero]

I've been curious for a while about the viability of using ip_queue from 
a kernel module, without any userland side. It seems that ip_queue is 
really only used for deferring the verdict on packets to a userspace 
program, but if I simply install a queue handler in the module init 
entrypoint and then install a netfilter hook that returns a QUEUE verdict 
on packets I want, and then do whatever in my queue handler, (kick off 
timer tasks to issue verdicts or some other such thing) will this work? 

I've been meaning to just throw together a quickie test module, strap on 
my kernel-panic helmet and give it a spin, but haven't gotten around to 
it, since I've been busy developing alot of traffic/bandwidth stuff 
(hashing dest-host/port pairs in a netfilter hook and counting total 
incoming/outgoing traffic per port on a server is fun!)

- Vic M. Condino

Re: using ip_queue in kernel space

[Henrik Nordstrom]

On Thu, 4 Mar 2004, Unit Zero wrote:

> I've been curious for a while about the viability of using ip_queue from 
> a kernel module, without any userland side. It seems that ip_queue is 
> really only used for deferring the verdict on packets to a userspace 
> program

This is the purpose of the ip_queue module yes, but another QUEUE handlers
may be installed if you prefer differently.

QUEUE is a function of netfilter to defer the verdict of a packet.

ip_queue is a QUEUE handler communicating to userspace to get the 
verdirct.

As long as your QUEUE handler follows the defined API for QUEUE handlers 
it should work. Netfilter does not care what the QUEUE handler does, only 
that there is a handler and how/when it returns the verdict.

Regards
Henrik

Re: using ip_queue in kernel space

[Jon Webb]

Unit Zero wrote:

>I've been curious for a while about the viability of using ip_queue from 
>a kernel module, without any userland side. It seems that ip_queue is 
>really only used for deferring the verdict on packets to a userspace 
>program, but if I simply install a queue handler in the module init 
>entrypoint and then install a netfilter hook that returns a QUEUE verdict 
>on packets I want, and then do whatever in my queue handler, (kick off 
>timer tasks to issue verdicts or some other such thing) will this work? 
>
>  
>
Of course, there are kernel level calls for getting packets out and 
reinjecting them... They can be called from a kernel module. I tried to 
do this once, and it worked ok, except that I needed access to the 
kernel routing table flags to decide what to do with the packets, and I 
could only get at those from userspace (ironically), so I had to abandon 
that implementation.

- Jon Webb

Re: using ip_queue in kernel space

[Unit Zero]

Great, thanks. This is exactly what I wanted to know. Well, time to go 
play with queue handler code I guess :)

- Vic M. Condino

On Thu, 4 Mar 2004, Henrik Nordstrom wrote:

> On Thu, 4 Mar 2004, Unit Zero wrote:
> 
> > I've been curious for a while about the viability of using ip_queue from 
> > a kernel module, without any userland side. It seems that ip_queue is 
> > really only used for deferring the verdict on packets to a userspace 
> > program
> 
> This is the purpose of the ip_queue module yes, but another QUEUE handlers
> may be installed if you prefer differently.
> 
> QUEUE is a function of netfilter to defer the verdict of a packet.
> 
> ip_queue is a QUEUE handler communicating to userspace to get the 
> verdirct.
> 
> As long as your QUEUE handler follows the defined API for QUEUE handlers 
> it should work. Netfilter does not care what the QUEUE handler does, only 
> that there is a handler and how/when it returns the verdict.
> 
> Regards
> Henrik