libipq question

libipq question

[Steve Ashley]

Hello all,

I'm using libipq to do some user-space filter stuff.  Everything is
working great and for my application, I'm not taking a significant
enough speed hit to warrant making a new target, iptables kernel module.
However, I am getting one problem.  If my application runs for a long
time ( i.e. several hours or overnight ) with no activity, then filters
packets.  I'm getting the following error messages:

Error in recv().
Broken pipe.

Then the application exits.

I assume this is probably concerning the underlying netlink socket.  How
can I go about catching / trapping this condition?  For some errors, I
can simply destroy my ipq_handle and get a new one and keep going.

Currently I'm using the blocking version of the ipq_read() function,
with no timeout.  Would putting a timeout here, and checking on the
netlink socket every so often be a good idea?  Any thoughts or ideas
would be helpful.

Also, just for information sake.  At some point, if I add more features
into my application, I fear using a userspace application may not be
sufficient.  Where can I find a good example of a new netfilter target
kernel module code?  The most I've ever done in the kernel was to make a
"hello world" kernel module, so any help here would be greatly
appreciated.


Stephen Ashley
Ashley Professional Services, Inc. P.A.
spanishmack@mchsi.com

Re: libipq question

[Pablo Neira]

Hi Steve,

Steve Ashley wrote:

>I'm using libipq to do some user-space filter stuff.  Everything is
>working great and for my application, I'm not taking a significant
>enough speed hit to warrant making a new target, iptables kernel module.
>However, I am getting one problem.  If my application runs for a long
>time ( i.e. several hours or overnight ) with no activity, then filters
>packets.  I'm getting the following error messages:
>
>Error in recv().
>Broken pipe.
>  
>

If I'm not missing anything, I think that you could set the handler of 
the broken pipe signal to an empty function, this way the application 
won't exit.

>Currently I'm using the blocking version of the ipq_read() function,
>with no timeout.  Would putting a timeout here, and checking on the
>netlink socket every so often be a good idea?  Any thoughts or ideas
>would be helpful.
>  
>

Well, you could even use select() to check when the descriptor has new 
data ready to be read. I was told (Richard Steven's books) that 
polling+non blocking sockets are always faster than blocking sockets.

>Also, just for information sake.  At some point, if I add more features
>into my application, I fear using a userspace application may not be
>sufficient.  Where can I find a good example of a new netfilter target
>kernel module code?
>

you want to program a match/target, you can have a look at the 
netfilter-hacking howto:

http://www.netfilter.org/documentation/index.html#documentation-howto

and also you can have a look at source code in kernel and iptables 
trees, there are simple matches/targets.

On the other hand, I suppose that you meant that you wanted to know how 
to add a hook to netfilter, in that case have a look at:

http://www.linuxjournal.com/article.php?sid=7184

I passed that linuxjournal to a friend and he didn't have big problems 
to program a simple hook.

regards,
Pablo

Re: libipq question

[Henrik Nordstrom]

On Fri, 25 Jun 2004, Steve Ashley wrote:

> Error in recv().
> Broken pipe.

Odd.. you should not receive a broken pipe error on the netlink socket
only because your application is running for a long time.. 

The "Error in recv()" seems to be a message from your application? If so 
what is the result in errno at that time? This message does not exists in 
libipq.

I suspect the "Broken pipe." is a sideeffect of the first recv() error 
and the actions taken there, not the cause to your error.

> Then the application exits.

Here is three possible causes, sortet in level of probability

a) The SIGPIPE is not handled. Default signal action for SIGPIPE is to 
immediately terminate the application. If set to SIG_IGN then EPIPE is 
returned by the failing operations instead.

b) The error code dealing with netlink/libipq errors is broken causing 
your application to exit.

c) Your application does willingly exit when encountering netlink/libipq 
errors.

> Also, just for information sake.  At some point, if I add more features
> into my application, I fear using a userspace application may not be
> sufficient.  Where can I find a good example of a new netfilter target
> kernel module code?

There is some documentation in the hacking guide, but the architecture is
fairly simple and my opinion is that it is best studied by reading one of
the simpler existing targets or matches depending on what it is you want
to do. It is not that different from normal programming, except that there
is no mercy on errors.. (kernel panic, not just a segmentation fault or
odd application result).  The use of user-mode-linux greatly helps in
leveling out out the differences in kernel and application programming.

A good understanding of the skbuff also helps understaing how to properly 
access the packet details within the kernel, but if unsure a lot can be 
learned by looking at the existing modules.

If unsure on anything ask here on the mailinglist.

Regards
Henrik

libipq question

[Moshe Ashkenazi]

[-- Attachment #1: Type: text/plain, Size: 826 bytes --]

Hi, List -
 
I'm using QUEUE target in order to send TCP packets to user space, using
"IPQ_COPY_PACKET" I'm telling the kernel that I want the entire packet.
 
I know that the kernel send to user space the following structure
"ipq_packet_msg_t", and this structure include the payload member which
include the optional packet data.
 
When I'm examining the content of the payload array I see that it
include the following:
20 bytes IP header -> 20 bytes TCP header, and 20 bytes????
 
My questions are:
1.	What should the payload include?
2.	What are the last 20 bytes in the payload?
 
Example of payload array:
----- Optional packet data -----
45 10  0 3c f8 f8 40  0 3f  6 6f 64 c2 1d 28 90
c0 a8 27 f9 82 e7  4 d2 cf 1f 40 f5  0  0  0  0
a0  2 16 d0 f7 eb  0  0  2  4  5 b4  4  2  8  a
16 20 b8  d  0  0  0  0  1  3  3  0

[-- Attachment #2: Type: text/html, Size: 8002 bytes --]

libipq question

[Shirshanka Das]

Hi all,
  I'm new to lipipq...
  I tried using the perlipq module.. but I'm unable to figure out
  how to write a "modified" packet back to the queue..
  the documentation says :
  set_verdict(id,verdict,len,buf)

  $msg = $queue->get_message() gives me the packet (i hope)..
  however trying to do
  set_verdict(id,NF_ACCEPT,len,$msg)
  does not work properly...

  does anyone have a piece of working code.. that mangles something in a
packet.. and then writes it out ?

Thanks,
Shanky

Re: libipq question

[Philip Ho]

Hi Shirshanka

I have the exact question as you. I can get the packet to Perl userspace,
but don't know how to modify the packet and put it back into socket. Do you
know the answer?

Regards,
philip



Shirshanka Das wrote:

> Hi all,
>   I'm new to lipipq...
>   I tried using the perlipq module.. but I'm unable to figure out
>   how to write a "modified" packet back to the queue..
>   the documentation says :
>   set_verdict(id,verdict,len,buf)
>
>   $msg = $queue->get_message() gives me the packet (i hope)..
>   however trying to do
>   set_verdict(id,NF_ACCEPT,len,$msg)
>   does not work properly...
>
>   does anyone have a piece of working code.. that mangles something in a
> packet.. and then writes it out ?
>
> Thanks,
> Shanky