can a netfilter hook interact with userspace ?

can a netfilter hook interact with userspace ?

[Horton, Dave]

I want to write a netfilter hook to do some specialized packet routing with
greatest efficiency.  However, the actions taken in my netfilter hook need
to be driven by decisions made in a user process (ie which ports to forward,
etc change based on knowledge only known to my user process).  

By what means can my userspace program call into my netfilter hook to
communicate this information?

Re: can a netfilter hook interact with userspace ?

[Pablo Neira]

Horton, Dave wrote:

>By what means can my userspace program call into my netfilter hook to
>communicate this information?
>  
>

You can use nf_register_sockopt/nf_unregister_sockopt to do so. See Sect 
4.6. Writing New modules -> Receiving Commands From Userspace in the 
netfilter hacking how to. You can find an example in ip_tables.c.

If you don't like using getsocksopt/setsocksopt to pass information to 
kernel space, you could also use netlinks sockets.

regards,
Pablo

RE: can a netfilter hook interact with userspace ?

[Horton, Dave]

>>By what means can my userspace program call into my netfilter hook to
>>communicate this information?
>>  
>>

>You can use nf_register_sockopt/nf_unregister_sockopt to do so. See Sect 
>4.6. Writing New modules -> Receiving Commands From Userspace in the 
>netfilter hacking how to. You can find an example in ip_tables.c.

>If you don't like using getsocksopt/setsocksopt to pass information to 
>kernel space, you could also use netlinks sockets.

Thank you, both the example code and the netfilter hacking how to were
helpful as far as how to write the kernel side of things.  However, I'm
unclear how the user program needs to be written, and the how-to doesn't
seem to address this.  I'm quite familiar with sockets programming, though
not in this context (user-kernel communication), and I am wondering exactly
how the user program creates the socket (via socket() I assume, but what
params?) in such a way as to "connect" to my kernel module, such that calls
it issues to getsockopt and setsockopt call my handler.  Sorry for the dumb
question and I will gladly read the relevant docs (or even better: sample
code) if someone can point me to them, but I scoured the netfilter hacking
howto and didn't find the info I need.

Thank you.

Re: can a netfilter hook interact with userspace ?

[Pablo Neira]

Hi Dave,

Horton, Dave wrote:

>Thank you, both the example code and the netfilter hacking how to were
>helpful as far as how to write the kernel side of things.  However, I'm
>unclear how the user program needs to be written, and the how-to doesn't
>seem to address this.  I'm quite familiar with sockets programming, though
>not in this context (user-kernel communication), and I am wondering exactly
>how the user program creates the socket (via socket() I assume, but what
>params?) in such a way as to "connect" to my kernel module, such that calls
>it issues to getsockopt and setsockopt call my handler.  Sorry for the dumb
>question and I will gladly read the relevant docs (or even better: sample
>code) if someone can point me to them, but I scoured the netfilter hacking
>howto and didn't find the info I need.
>
>  
>

Krisztian Kovacs wrote some time ago an user space program and the 
kernel part (patch) to send information to the connection tracking 
system via getsockopt/setsockopt. I think that it's a nice sample code 
of how to use getsockopt/setsockopt to retrieve/pass information from/to 
kernel space.

http://lists.netfilter.org/pipermail/netfilter-devel/2004-May/015385.html

hope that it helps.

regards,
Pablo