* volunteer tcl script writer needed for iptables application
@ 2006-03-11 23:24 John A. Sullivan III
2006-03-12 14:10 ` netfilter_queue reinjecting packets aton
0 siblings, 1 reply; 7+ messages in thread
From: John A. Sullivan III @ 2006-03-11 23:24 UTC (permalink / raw)
To: Netfilter-devel
The ISCS open source network security management project
(http://iscs.sourceforge.net) could use some volunteer assistance from
someone who can adapt bash scripts to tcl for the creation of iptables
configuration files and implementing dynamic iptables changes on
production devices. If you are interested and able to assist, please
contact me using the details in my signature below. For more details,
please continue reading.
We have added support for the Secure Computing / CyberGuard / SnapGear
SG series of devices so that they can be managed using ISCS with no
change to firmware. The SG580 devices are working fine in production
but the SG570 devices use sash instead of bash. We can get around the
limitations of bash by using the tcl interpreter. However, we have no
one on the team with tcl experience.
ISCS could be described as an open source alternative to very expensive
products for managing large, enterprise network security deployments
such as Solsoft or Provider1. Actually, it does much more and has no
commercial equivalent. It has allowed us to implement complex,
perimeter style security within the perimeter to affordably create truly
segmented and multi-layered networks with a minimum of labor.
To give an idea of what it does, a recent production deployment of
internal network security for a global manufacturer would have required
well in excess of 100,000 iptables rules. ISCS reduced that rule set to
roughly 13,000 rules, only requires traversal of a small subset of those
rules for any new packet, generated those rules in a couple of hours and
distributed them to all devices automatically at the click of a button
within a couple of minutes. ipset could probably reduce the rule set
tenfold again. Any ipset experts out there interested in helping?
In comparison, if one had to write 13,000 rules at 20 seconds per rule,
that would be 72 hours -- at one minute per rule, 217 hours. 150,000
rules would take 833 hours at 20 seconds and 2,500 hours at one minute
per rule.
All this with a dramatic reduction in exposure to human error (one can
imagine the danger of a typo or out-of-order rule in a 150,000-line rule
set). That's just the beginning.
If you are interested and can help, we would greatly appreciate your
assistance. Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan@opensourcedevel.com
Financially sustainable open source development
http://www.opensourcedevel.com
* netfilter_queue reinjecting packets
2006-03-11 23:24 volunteer tcl script writer needed for iptables application John A. Sullivan III
@ 2006-03-12 14:10 ` aton
2006-03-12 14:44 ` Patrick McHardy
0 siblings, 1 reply; 7+ messages in thread
From: aton @ 2006-03-12 14:10 UTC (permalink / raw)
To: netfilter-devel
has anyone used netfilter_queue and successfully re-injected packets into the net?
i want to write sort of a userspace routing application.
host A is my workstation, it has host B as default gateway.
on host B my routing application runs.
it receives packets from netfilter_queue using libnetfilter_queue.
this works very well and i can display the whole packets.
now i just want to send them back into the net, so that they reach their destination.
i modified the main loop in the source of nfqnl_test.c in the libnetfilter_queue package:
    /* fd is the netlink socket obtained from nfq_fd(); buf is the receive buffer */
    while ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0)
    {
        printf("pkt received:\n");
        printf("sending packet back\n");
        /* write the buffer just received back on the same socket */
        if ((sv = send(fd, buf, sizeof(buf), 0)) == -1)
        {
            perror("send");
            exit(EXIT_FAILURE);
        }
        printf("done\n");
    }
this should send every packet back to... where?
it seems the packets are just sent into nirvana, i cannot sniff them, and i don't get an error from send().
is this the way to go, or should i make two raw sockets, one for tcp and one for udp packets and send the incoming packets on these?
greetings, aton
* Re: netfilter_queue reinjecting packets
2006-03-12 14:10 ` netfilter_queue reinjecting packets aton
@ 2006-03-12 14:44 ` Patrick McHardy
2006-03-12 19:21 ` aton
0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2006-03-12 14:44 UTC (permalink / raw)
To: aton; +Cc: netfilter-devel
aton wrote:
> has anyone used netfilter_queue and successfully re-injected packets into the net?
>
> i want to write sort of a userspace routing application.
>
> host A is my workstation, it has host B as default gateway.
>
> on host B my routing application runs.
> it receives packets from netfilter_queue using libnetfilter_queue.
> this works very well and i can display the whole packets.
>
> now i just want to send them back into the net, so that they reach their destination.
>
> i modified the main loop in the source of nfqnl_test.c in the libnetfilter_queue package:
>
> while ((rv=recv(fd, buf, sizeof(buf), 0)) >= 0)
> {
> printf("pkt received:\n");
>
> printf("sending packet back\n");
>
> if ((sv=send(fd, buf, sizeof(buf), 0))==-1)
> {
> perror("send");
> exit(EXIT_FAILURE);
> }
> printf("done\n");
> }
>
> this should send every packet back to... where?
> it seems the packets are just sent into nirvana, i cannot sniff them, and i don't get an error from send().
nfqnl_test already reinjects packets by the call to nfq_issue_verdict.
It seems you need to read the documentation ..
* Re: netfilter_queue reinjecting packets
2006-03-12 14:44 ` Patrick McHardy
@ 2006-03-12 19:21 ` aton
2006-03-12 19:35 ` Patrick McHardy
0 siblings, 1 reply; 7+ messages in thread
From: aton @ 2006-03-12 19:21 UTC (permalink / raw)
To: netfilter-devel
On Sun, 12 Mar 2006 15:44:18 +0100
Patrick McHardy <kaber@trash.net> wrote:
> aton wrote:
> > has anyone used netfilter_queue and successfully re-injected packets into the net?
> >
> > i want to write sort of a userspace routing application.
> >
> > host A is my workstation, it has host B as default gateway.
> >
> > on host B my routing application runs.
> > it receives packets from netfilter_queue using libnetfilter_queue.
> > this works very well and i can display the whole packets.
> >
> > now i just want to send them back into the net, so that they reach their destination.
> >
> > i modified the main loop in the source of nfqnl_test.c in the libnetfilter_queue package:
> >
> > while ((rv=recv(fd, buf, sizeof(buf), 0)) >= 0)
> > {
> > printf("pkt received:\n");
> >
> > printf("sending packet back\n");
> >
> > if ((sv=send(fd, buf, sizeof(buf), 0))==-1)
> > {
> > perror("send");
> > exit(EXIT_FAILURE);
> > }
> > printf("done\n");
> > }
> >
> > this should send every packet back to... where?
> > it seems the packets are just sent into nirvana, i cannot sniff them, and i don't get an error from send().
>
> nfqnl_test already reinjects packets by the call to nfq_issue_verdict.
> It seems you need to read the documentation ..
>
>
sorry, but i cannot find any call to nfq_issue_verdict in this file.
perhaps you mean nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); ?
i thought nfq_set_verdict was used to specify a handling routine for the packets... in the case of nfqnl_test.c set the handling routine for packets to the print_pkt() function.
am i wrong?
what documentation? i would _love_ to read some documentation about libnetfilter_queue.
i have looked through http://netfilter.org/documentation/index.html#documentation-howto but i cannot find anything specific about libnetfilter_queue...
greetings, aton
* Re: netfilter_queue reinjecting packets
2006-03-12 19:21 ` aton
@ 2006-03-12 19:35 ` Patrick McHardy
2006-03-14 12:54 ` aton
0 siblings, 1 reply; 7+ messages in thread
From: Patrick McHardy @ 2006-03-12 19:35 UTC (permalink / raw)
To: aton; +Cc: netfilter-devel
aton wrote:
>>nfqnl_test already reinjects packets by the call to nfq_issue_verdict.
>>It seems you need to read the documentation ..
>>
>
> sorry, but i cannot find any call to nfq_issue_verdict in this file.
> perhaps you mean nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); ?
Yes, that's what I meant.
> i thought nfq_set_verdict was used to specify a handling routine for the packets... in the case of nfqnl_test.c set the handling routine for packets to the print_pkt() function.
> am i wrong?
Yes. nfq_set_verdict is used to tell the kernel to pass the packet
on and possibly exchange it. Both print_pkt and nfq_set_verdict
are called from the packet callback in the example code.
> what documentation? i would _love_ to read some documentation about libnetfilter_queue.
> i have looked through http://netfilter.org/documentation/index.html#documentation-howto but i cannot find anything specific about libnetfilter_queue...
I don't think there is specific libnetfilter_queue documentation yet
(but it's very simple and exports only a few functions, look at the
code). But we have ip_queue documentation, which should at least
help you understand it better conceptually.
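As an added example (not code from this thread or from libnetfilter_queue), here is the in-place edit a userspace router on host B would make to a queued IPv4 packet before handing it back to the kernel with nfq_set_verdict(qh, id, NF_ACCEPT, len, buf) from the packet callback: decrement the TTL and recompute the header checksum, because a reinjected packet whose checksum no longer matches is discarded on the next hop. The verdict call itself is taken from the thread and assumed, not compiled here; the sample packet is constructed.

```c
#include <stdint.h>
#include <stddef.h>
/* RFC 791 one's-complement checksum over an IPv4 header of hlen bytes
   (hlen is a multiple of 4, so there is no odd trailing byte). */
static uint16_t ipv4_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Prepare a queued IPv4 packet for forwarding: decrement TTL and refresh the
   header checksum in place.  Returns the new TTL, or -1 when the packet should
   get NF_DROP instead (not IPv4, truncated, bad checksum, or TTL exhausted).
   Layer-4 checksums are untouched: they do not cover the TTL field. */
int forward_ipv4(uint8_t *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > len)
        return -1;
    if (ipv4_checksum(pkt, hlen) != 0)   /* a valid header sums to zero */
        return -1;
    if (pkt[8] <= 1)                      /* TTL would reach 0 on this hop */
        return -1;
    pkt[8]--;
    pkt[10] = pkt[11] = 0;                /* checksum field is zero while summing */
    uint16_t csum = ipv4_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)(csum & 0xff);
    return pkt[8];
}

int main(void)
{
    /* Constructed sample: header-only ICMP packet 192.168.1.10 -> 192.168.1.1,
       TTL 64, with its checksum 0xf78c already valid. */
    uint8_t pkt[20] = { 0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00,
                        0x40, 0x01, 0xf7, 0x8c, 0xc0, 0xa8, 0x01, 0x0a,
                        0xc0, 0xa8, 0x01, 0x01 };
    int ttl = forward_ipv4(pkt, sizeof pkt);
    /* In the nfq callback this is where the thread's reinjection happens:
       nfq_set_verdict(qh, id, ttl < 0 ? NF_DROP : NF_ACCEPT, sizeof pkt, pkt); */
    return ttl < 0;
}
```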
* Re: netfilter_queue reinjecting packets
2006-03-12 19:35 ` Patrick McHardy
@ 2006-03-14 12:54 ` aton
2006-03-14 16:46 ` Patrick McHardy
0 siblings, 1 reply; 7+ messages in thread
From: aton @ 2006-03-14 12:54 UTC (permalink / raw)
To: Patrick McHardy; +Cc: netfilter-devel
On Sun, 12 Mar 2006 20:35:40 +0100
Patrick McHardy <kaber@trash.net> wrote:
> aton wrote:
> >>nfqnl_test already reinjects packets by the call to nfq_issue_verdict.
> >>It seems you need to read the documentation ..
> >>
> >
> > sorry, but i cannot find any call to nfq_issue_verdict in this file.
> > perhaps you mean nfq_set_verdict(qh, id, NF_ACCEPT, 0, NULL); ?
>
> Yes, that's what I meant.
>
> > i thought nfq_set_verdict was used to specify a handling routine for the packets... in the case of nfqnl_test.c set the handling routine for packets to the print_pkt() function.
> > am i wrong?
>
> Yes. nfq_set_verdict is used to tell the kernel to pass the packet
> on and possibly exchange it. Both print_pkt and nfq_set_verdict
> are called from the packet callback in the example code.
>
> > what documentation? i would _love_ to read some documentation about libnetfilter_queue.
> > i have looked through http://netfilter.org/documentation/index.html#documentation-howto but i cannot find anything specific about libnetfilter_queue...
>
> I don't think there is specific libnetfilter_queue documentation yet
> (but it's very simple and exports only a few functions, look at the
> code). But we have ip_queue documentation, which should at least
> help you understand it better conceptually.
>
okay i seem to understand how it works a bit better now.
what i don't understand is how to get the ethernet header from the library.
i tried nfq_get_packet_hw(), but it always returns NULL, is that correct?
here is the modified source and the output: http://rafb.net/paste/results/pb8tD850.html
greetings
* Re: netfilter_queue reinjecting packets
2006-03-14 12:54 ` aton
@ 2006-03-14 16:46 ` Patrick McHardy
0 siblings, 0 replies; 7+ messages in thread
From: Patrick McHardy @ 2006-03-14 16:46 UTC (permalink / raw)
To: aton; +Cc: netfilter-devel
aton wrote:
> okay i seem to understand how it works a bit better now.
> what i don't understand is how to get the ethernet header from the library.
> i tried nfq_get_packet_hw(), but it always returns NULL, is that correct?
The hardware header is only included for packets queued on
the input path.