how to execute command on match?

how to execute command on match?

[linux blr]

hi all, 

plz let me know how can i execute a program everytime
there is a match, for example, 
everytime my Linux box receives a packet with SYN bit
ON, instead of taking normal actions like
ALLOW,DROP,REJECT, i want to execute a command.

google wasn't able to help me, hope this list will..

cheers,
mayank.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: how to execute command on match?

[vikrant]

linux blr wrote:

>hi all, 
>
>plz let me know how can i execute a program everytime
>there is a match, for example, 
>everytime my Linux box receives a packet with SYN bit
>ON, instead of taking normal actions like
>ALLOW,DROP,REJECT, i want to execute a command.
>
>google wasn't able to help me, hope this list will..
>
>cheers,
>mayank.
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection around 
>http://mail.yahoo.com 
>
>
>
>  
>
Hi,
I am not a netfilter guru .So, the information i am giving may be wrong .
You need to write a program in which u register to the netfiler hooks 
and then do what  u wanna do.
Read the article at following link:-
_http://www.linuxjournal.com/article/7184

_Here, main_hook is replace with ur function which perform the operation 
that u wanna do .

netfilter_ops_out.hook = main_hook;

Thanks,
Vikrant

Re: how to execute command on match?

[David Vogt]

Do you need the actual program for the packet? Or is it just some kind
of trigger you want?

2006/2/19, linux blr <linuxblr_in@yahoo.com>:
> hi all,
>
> plz let me know how can i execute a program everytime
> there is a match, for example,
> everytime my Linux box receives a packet with SYN bit
> ON, instead of taking normal actions like
> ALLOW,DROP,REJECT, i want to execute a command.
>
> google wasn't able to help me, hope this list will..
>
> cheers,
> mayank.
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
>
>

Re: how to execute command on match?

[Mayank]

Well, I want to make a blocking call, for example, if
the netfilter finds a TCP SYN packet, I want to
execute user defined program and this program will in
turn do some processing (which may include some
communication with some other system on lan) 

Basically, I am looking for some sort of a target
match code, “-j exec /usr/bin/myprog” , as soon as
myprog gets the control I want to do some processing
and then tell the netfilter whether what to do with
the packet, which could be allow, drop, reject etc.

Please help.

Cheers,
Mayank.

--- David Vogt <beunlovable@gmail.com> wrote:

> Do you need the actual program for the packet? Or is
> it just some kind
> of trigger you want?
> 
> 2006/2/19, linux blr <linuxblr_in@yahoo.com>:
> > hi all,
> >
> > plz let me know how can i execute a program
> everytime
> > there is a match, for example,
> > everytime my Linux box receives a packet with SYN
> bit
> > ON, instead of taking normal actions like
> > ALLOW,DROP,REJECT, i want to execute a command.
> >
> > google wasn't able to help me, hope this list
> will..
> >
> > cheers,
> > mayank.
> >
> > __________________________________________________
> > Do You Yahoo!?
> > Tired of spam?  Yahoo! Mail has the best spam
> protection around
> > http://mail.yahoo.com
> >
> >
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

Re: how to execute command on match?

[Török Edvin]

On 2/20/06, Mayank <linuxblr_in@yahoo.com> wrote:
> Well, I want to make a blocking call, for example, if
> the netfilter finds a TCP SYN packet, I want to
> execute user defined program and this program will in
> turn do some processing (which may include some
> communication with some other system on lan)
>
> Basically, I am looking for some sort of a target
> match code, "-j exec /usr/bin/myprog" , as soon as
> myprog gets the control I want to do some processing
> and then tell the netfilter whether what to do with
> the packet, which could be allow, drop, reject etc.

You could use libipq, and a QUEUE, or NF_QUEUE target. You start up
your userspace program, and it will receive each packet via libipq
(each packet that reaches the QUEUE rule). You can then do whatever
processing you want, and then set the verdict (allow/deny,...). While
you are processing other packets keep arriving, and get queued, so you
will want to make that processing fast enough, so you don't get the
queue filled up.

You can take a look at fireflier (fireflier.sourceforge.net), to see
how to do userspace packet filtering.
But keep in mind, that the proper place to do this kind of filtering
is inside the kernel. Fireflier itself is going to need a kernel
module (in the future) to do its job, since not everything is
possibble (or efficient) from userspace. I'd suggest writing a kernel
module, and register with netfilter hooks.

Cheers,
Edwin