From: Peter Christensen <pch@coolsystems.dk>
To: Alexey Toptygin <alexeyt@freeshell.org>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: Statefull SOCKS filter
Date: Thu, 09 Mar 2006 14:45:30 +0100
Message-ID: <4410317A.3070502@coolsystems.dk>
In-Reply-To: <Pine.NEB.4.62.0603091307110.29872@norge.freeshell.org>
AFAIK libipq is about having filters in user space, which really isn't my
issue. I have no problem writing kernel modules, and moving stuff into
user space will only add more overhead without actually adding anything
useful.
What I am searching for is some solution so that I will not have to keep
track of all ongoing connections manually. I imagine that this is
already done somewhere in iptables, and if so I find it a waste of time to
do it again and spend time creating hash tables etc.
As I pointed out, there isn't really much CPU power. Actually, the
perfect solution would be to write my own OS for the bridge, since I could then
minimize useless overhead all around, but this would without doubt take
significantly more time than just writing modules for iptables in Linux.
Claims are that netfilter has stateful packet filtering, which I
interpret as an interface which makes it easy to create state machines
on IPv4 TCP connections, but I have probably misinterpreted the idea of
"stateful packet filtering". I imagine a callback such as this (simplified):
int stateful_callback (netfilter_conn_t *conn) {
    switch (conn->state) {
    case STATE_1:
        /* transition depends on what this packet contains */
        if (foo)
            conn->state = STATE_2;
        else
            conn->state = STATE_3;
        break;
    case STATE_2:
        // Stuff
        ...
    }
    /* verdict for this packet is derived from the connection's state */
    return (conn->state == STATE_n ? NF_DROP : NF_ACCEPT);
}
--
Best regards
Peter Christensen
Developer
------------------
Cool Systems ApS
Tel: +45 2888 1600
@ : pch@coolsystems.dk
www: www.coolsystems.dk
Alexey Toptygin wrote:
>
> Perhaps libipq and the QUEUE target will do what you want?
>
> Alexey
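The callback sketched above is a per-connection state machine; what conntrack supplies is the per-connection lookup, while the transitions for the protocol being filtered are still the module author's to write. The following is an added example, not code from this thread or from netfilter, showing what those transitions look like for the SOCKS5 handshake (RFC 1928) in exactly that switch-on-state shape, as a userspace C model: it checks each message's framing against the wire format, enforces a CONNECT-only policy (BIND and UDP ASSOCIATE are refused), lets a failed server reply through and then drops whatever follows, and drops everything after a malformed message. The struct, the state names, the verdict constants and all message bytes are constructed for the example; the code touches no kernel or netfilter API, and it assumes each SOCKS message arrives in exactly one TCP segment, which a real filter cannot assume.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { V_ACCEPT = 0, V_DROP = 1 };   /* stands in for NF_ACCEPT / NF_DROP */

enum socks_state {
    S_GREETING,     /* expect client:  VER NMETHODS METHODS[n]             */
    S_METHOD,       /* expect server:  VER METHOD                          */
    S_REQUEST,      /* expect client:  VER CMD RSV ATYP DST.ADDR DST.PORT  */
    S_REPLY,        /* expect server:  VER REP RSV ATYP BND.ADDR BND.PORT  */
    S_ESTABLISHED,  /* tunnel is up: pass data without inspection          */
    S_BLOCKED       /* policy violation or failed handshake: drop the rest */
};

/* Per-connection state (assumed layout). In a netfilter hook this would hang
 * off the conntrack entry rather than a hand-rolled table; not shown here. */
struct socks_conn {
    enum socks_state state;
    uint8_t cmd;                          /* requested CMD, kept for logging */
};

/* Total length of a SOCKS5 request/reply from its ATYP; 0 if truncated or unknown. */
static size_t socks5_msg_len(const uint8_t *d, size_t len)
{
    if (len < 5)
        return 0;
    switch (d[3]) {
    case 0x01: return 4 + 4 + 2;          /* IPv4 + port */
    case 0x03: return 4 + 1 + d[4] + 2;   /* length-prefixed domain + port */
    case 0x04: return 4 + 16 + 2;         /* IPv6 + port */
    default:   return 0;
    }
}

/* One call per TCP segment carrying payload. Simplification: each SOCKS
 * message is assumed to arrive in exactly one segment (no reassembly). */
enum verdict socks_filter(struct socks_conn *c, int from_client,
                          const uint8_t *d, size_t len)
{
    if (len == 0)
        return V_ACCEPT;                  /* pure ACK/FIN: nothing to inspect */
    switch (c->state) {
    case S_GREETING:                      /* NMETHODS must match the bytes that follow */
        if (!from_client || len < 3 || d[0] != 0x05 || len != 2u + d[1])
            goto block;
        c->state = S_METHOD;
        return V_ACCEPT;
    case S_METHOD:                        /* only "no auth" (0x00) is modelled */
        if (from_client || len != 2 || d[0] != 0x05 || d[1] != 0x00)
            goto block;
        c->state = S_REQUEST;
        return V_ACCEPT;
    case S_REQUEST:                       /* policy: CONNECT only */
        if (!from_client || d[0] != 0x05 || d[2] != 0x00 ||
            len != socks5_msg_len(d, len))
            goto block;
        c->cmd = d[1];
        if (c->cmd != 0x01)               /* BIND (0x02) and UDP ASSOCIATE (0x03) denied */
            goto block;
        c->state = S_REPLY;
        return V_ACCEPT;
    case S_REPLY:                         /* REP 0x00 = success; else pass the reply, drop what follows */
        if (from_client || d[0] != 0x05 || len != socks5_msg_len(d, len))
            goto block;
        c->state = (d[1] == 0x00) ? S_ESTABLISHED : S_BLOCKED;
        return V_ACCEPT;
    case S_ESTABLISHED:
        return V_ACCEPT;
    case S_BLOCKED:
        return V_DROP;
    }
block:
    c->state = S_BLOCKED;
    return V_DROP;
}

/* Drive a constructed (not captured) session: greeting, method selection,
 * request for CMD, server reply REP, then one byte of client data. Returns
 * that byte's verdict and leaves the final state in *c. */
enum verdict session_verdict(uint8_t cmd, uint8_t rep, struct socks_conn *c)
{
    const uint8_t greeting[]  = { 0x05, 0x01, 0x00 };             /* offers: no auth */
    const uint8_t selection[] = { 0x05, 0x00 };                   /* server picks no auth */
    uint8_t request[10] = { 0x05, cmd, 0x00, 0x01, 10, 0, 0, 5, 0x01, 0xBB }; /* 10.0.0.5:443 */
    uint8_t reply[10]   = { 0x05, rep, 0x00, 0x01, 0, 0, 0, 0, 0, 0 };
    const uint8_t data[] = { 0x16 };                              /* first tunnelled byte */

    c->state = S_GREETING;
    c->cmd = 0;
    socks_filter(c, 1, greeting, sizeof greeting);
    socks_filter(c, 0, selection, sizeof selection);
    socks_filter(c, 1, request, sizeof request);
    socks_filter(c, 0, reply, sizeof reply);
    return socks_filter(c, 1, data, sizeof data);
}

int main(void)
{
    struct socks_conn c;
    const char *v[] = { "data passes", "data dropped" };
    printf("CONNECT, server OK:      %s\n", v[session_verdict(0x01, 0x00, &c)]);
    printf("CONNECT, server refused: %s\n", v[session_verdict(0x01, 0x05, &c)]);
    printf("BIND:                    %s\n", v[session_verdict(0x02, 0x00, &c)]);
    return 0;
}
```

The verdict for a packet falls out of the state the connection is in, which is the shape the sketch above asks for; the part conntrack would take off the module's hands is locating `struct socks_conn` for the packet's connection and telling it which direction the packet travels, so only the transitions remain to be written. Two things a production version must add: reassembly across TCP segments (a client can split the request at any byte, and a filter that only looks at the first segment is trivially bypassed), and the username/password sub-negotiation if method 0x02 is to be permitted.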
Thread overview: 5+ messages
2006-03-09 12:16 Statefull SOCKS filter Peter Christensen
2006-03-09 13:08 ` Alexey Toptygin
2006-03-09 13:45 ` Peter Christensen [this message]
2006-03-09 16:49 ` Allen Francom
2006-03-10 12:02 ` Peter Christensen