Conntrack + Connection owner

Conntrack + Connection owner

[Mikado 4VN]

Hi,
Is it possible for conntrack to dump process ID that created the
connection to userpsace (via libnetfilter_conntrack or etc...)? If
there is one, please tell me how!
Thank you!

Re: Conntrack + Connection owner

[Pablo Neira Ayuso]

Mikado 4VN wrote:
> Is it possible for conntrack to dump process ID that created the
> connection to userpsace (via libnetfilter_conntrack or etc...)? If
> there is one, please tell me how!
> Thank you!

There's something incomplete here: Do you mean to include the ID in the
event information or in the conntrack table dumping?

-- 
Pablo

Re: Conntrack + Connection owner

[Pablo Neira Ayuso]

Pablo Neira Ayuso wrote:
> Mikado 4VN wrote:
> 
>>Is it possible for conntrack to dump process ID that created the
>>connection to userpsace (via libnetfilter_conntrack or etc...)? If
>>there is one, please tell me how!
> 
> There's something incomplete here: Do you mean to include the ID in the
> event information or in the conntrack table dumping?

Oh, now I understand. You mean the process ID that owns the connection,
don't you? In that case the answer is no.

-- 
Pablo

Re: Conntrack + Connection owner

[Mikado]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh yes, I want the process ID that owns the connection included in the
event information. Is there another way to do this (maybe not using
conntrack, but it must be programable)

I also need libnfnetlink + libnetfilter_conntrack documents/API
references/guides/tutorials. If you have one, please send me.

Thank you.

Pablo Neira Ayuso wrote:
> Pablo Neira Ayuso wrote:
> 
>>Mikado 4VN wrote:
>>
>>
>>>Is it possible for conntrack to dump process ID that created the
>>>connection to userpsace (via libnetfilter_conntrack or etc...)? If
>>>there is one, please tell me how!
>>
>>There's something incomplete here: Do you mean to include the ID in the
>>event information or in the conntrack table dumping?
> 
> 
> Oh, now I understand. You mean the process ID that owns the connection,
> don't you? In that case the answer is no.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDp3FBmS/zF9V69ugRArRMAKCFnaN/3T9KcLUuWJiyMvgYZZiCDACdEhQP
op909blJQNW7lwL19toG+zw=
=uG+P
-----END PGP SIGNATURE-----

How to obtain process ID that created connection or owns one packet

[Mikado]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I need to know a packet or a connection related to what process ID. In
Netfilter there is a match called 'owner' but I dont know how it
actually works. Can somebody tell me these informations?

Thank you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDq+1HmS/zF9V69ugRAsmNAJ4p2oVqxg+Iz+dC0JgfsQSWh0/gbQCfdeJE
irX6H+I0gvtSfhzHNxnbqzY=
=03tK
-----END PGP SIGNATURE-----

Re: How to obtain process ID that created connection or owns one packet

[Edmundo Carmona]

Processes related to connections can be seen with netstat -p:

netstat -np
netstat -nlp

and so on

On 12/23/05, Mikado <mikado4vn@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I need to know a packet or a connection related to what process ID. In
> Netfilter there is a match called 'owner' but I dont know how it
> actually works. Can somebody tell me these informations?
>
> Thank you.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFDq+1HmS/zF9V69ugRAsmNAJ4p2oVqxg+Iz+dC0JgfsQSWh0/gbQCfdeJE
> irX6H+I0gvtSfhzHNxnbqzY=
> =03tK
> -----END PGP SIGNATURE-----
>
>

Re: How to obtain process ID that created connection or owns one packet

[Mikado]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks, but I want get it in kernel space. Any ideas?

Edmundo Carmona wrote:
> Processes related to connections can be seen with netstat -p:
> 
> netstat -np
> netstat -nlp
> 
> and so on
> 
> On 12/23/05, Mikado <mikado4vn@gmail.com> wrote:
> 
> Hi,
> 
> I need to know a packet or a connection related to what process ID. In
> Netfilter there is a match called 'owner' but I dont know how it
> actually works. Can somebody tell me these informations?
> 
> Thank you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDrAqQmS/zF9V69ugRAihMAJ98jsewpBeRvPzPi7iHUhldG2+lTwCdFO52
x+TrWOQiS5A1TTIDDgrxahE=
=qSec
-----END PGP SIGNATURE-----

Re: How to obtain process ID that created connection or owns one packet

[Mikado]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks all! Finally I found the answer in 'struct sk_buff':

struct sk_buff ( #include <linux/skbuff.h> )
|_struct sock ( #include <net/sock.h> )
  |_struct socket ( #include <linux/net.h> )
    |_struct file ( #include <linux/fs.h> )
      |_struct fown_struct ( #include <linux/fs.h> )
        |_int pid

Bye.

Mikado wrote:
> Hi,
> 
> I need to know a packet or a connection related to what process ID. In
> Netfilter there is a match called 'owner' but I dont know how it
> actually works. Can somebody tell me these informations?
> 
> Thank you.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDrCY+mS/zF9V69ugRAobiAJ9lv0ohom3ALFrDM0Thcuq3xI8RbACfZ6Fp
eLnw35D1WRgJkA19nh77GsA=
=wKst
-----END PGP SIGNATURE-----

Re: How to obtain process ID that created connection or owns one packet

[Pablo Neira Ayuso]

Mikado wrote:
> Thanks all! Finally I found the answer in 'struct sk_buff':
> 
> struct sk_buff ( #include <linux/skbuff.h> )
> |_struct sock ( #include <net/sock.h> )
>   |_struct socket ( #include <linux/net.h> )
>     |_struct file ( #include <linux/fs.h> )
>       |_struct fown_struct ( #include <linux/fs.h> )
>         |_int pid

Yes, but AFAIK you can only use that in the OUTPUT hook, not in the
INPUT path. If my mind serves well, I remember that Patrick McHardy
posted some patches to add support for socket filtering some time ago. I
don't know what is the status of such work.

-- 
Pablo

Re: How to obtain process ID that created connection or owns one packet

[Mikado]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pablo Neira Ayuso wrote:
> Mikado wrote:
> 
>>Thanks all! Finally I found the answer in 'struct sk_buff':
>>
>>struct sk_buff ( #include <linux/skbuff.h> )
>>|_struct sock ( #include <net/sock.h> )
>>  |_struct socket ( #include <linux/net.h> )
>>    |_struct file ( #include <linux/fs.h> )
>>      |_struct fown_struct ( #include <linux/fs.h> )
>>        |_int pid
> 
> 
> Yes, but AFAIK you can only use that in the OUTPUT hook, not in the
> INPUT path. If my mind serves well, I remember that Patrick McHardy
> posted some patches to add support for socket filtering some time ago. I
> don't know what is the status of such work.
> 

Oh, I'm wrong. Below is definition of 'struct fown_struct':

struct fown_struct {
	rwlock_t lock;          /* protects pid, uid, euid fields */
	int pid;		/* pid or -pgrp where SIGIO should be sent */
	uid_t uid, euid;	/* uid/euid of process setting the owner */
	void *security;
	int signum;		/* posix.1b rt signal to be delivered on IO */
};

'pid' field is not PID of the process created packet. Is there any way
to catch REAL pid from 'struct sk_buff', 'struct sock', 'struct socket',
'struct file'?

Thanks in advanced!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDsBBsmS/zF9V69ugRAge6AJ9w+KlpK5t8P0sNUBYfLWEn6qU+XwCcDLSt
QH0ZLpwbqKocgGhRbzCQJso=
=mqxD
-----END PGP SIGNATURE-----

Re: How to obtain process ID that created connection or owns one packet

[Marcus Sundberg]

Pablo Neira Ayuso wrote:
> Mikado wrote:
> 
>>Thanks all! Finally I found the answer in 'struct sk_buff':
>>
>>struct sk_buff ( #include <linux/skbuff.h> )
>>|_struct sock ( #include <net/sock.h> )
>>  |_struct socket ( #include <linux/net.h> )
>>    |_struct file ( #include <linux/fs.h> )
>>      |_struct fown_struct ( #include <linux/fs.h> )
>>        |_int pid
> 
> 
> Yes, but AFAIK you can only use that in the OUTPUT hook, not in the
> INPUT path.

...and if using SMP you can't use it at all in netfilter context.

//Marcus
-- 
---------------------------------------+--------------------------
   Marcus Sundberg <marcus@ingate.com>  | Firewalls with SIP & NAT
  Software Developer, Ingate Systems AB |  http://www.ingate.com/

Re: How to obtain process ID that created connection or owns one packet

[Pablo Neira Ayuso]

Marcus Sundberg wrote:
> Pablo Neira Ayuso wrote:
> 
>> Mikado wrote:
>>
>>> Thanks all! Finally I found the answer in 'struct sk_buff':
>>>
>>> struct sk_buff ( #include <linux/skbuff.h> )
>>> |_struct sock ( #include <net/sock.h> )
>>>  |_struct socket ( #include <linux/net.h> )
>>>    |_struct file ( #include <linux/fs.h> )
>>>      |_struct fown_struct ( #include <linux/fs.h> )
>>>        |_int pid
>>
>>
>>
>> Yes, but AFAIK you can only use that in the OUTPUT hook, not in the
>> INPUT path.
> 
> ...and if using SMP you can't use it at all in netfilter context.

And there's still some work in progress about this:

http://lwn.net/Articles/157137/

-- 
Pablo