Writing a match that communicates with userspace

Writing a match that communicates with userspace

[Rennie deGraaf]

[-- Attachment #1: Type: text/plain, Size: 1724 bytes --]

I'm trying to write a match module for iptables that needs to call out
to a userspace application (using netlink) for additional information
before deciding if it should match a given packet or not.  The delay
before the userspace app. responds could be as much as a second or so;
any longer, and the match should fail.  My questions is, how could I
implement such a system?

What I was considering was to put my match() function into some sort of
interruptible wait state after sending the request to userspace, and
having my netlink socket callback wake up the match function.  However,
I haven't been able to figure out what sort of concurrency exists in
netfilter (If one I block in match(), does that tie up the whole system
until resuming, or are all packets handled in their own threads?), and
the kernel debugging code complains whenever I call msleep() or mdelay()
from within match().  I'm not sure how to implement this approach
safely, or even if it is possible to do so.

My other thought was to store packets in an internal queue and hotdrop
them after sending the request to userspace, and having my netlink
callback pull them out and reinject them where they left off, but have
no idea how do the reinjecting or how to put an upper bound on the time
packets wait in my internal queue.  This design also seems to be quite a
kludge.

I suppose it would be possible for me to shoe-horn my match into a
target, or even move the entire system to userspace and use NFQUEUE, but
that would be even more of a kludge.

Does anyone have any suggestions on how I could design and implement
such a system?  I would be grateful for any advice that you can give.

Thanks,
Rennie deGraaf


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Writing a match that communicates with userspace

[Patrick McHardy]

Rennie deGraaf wrote:
> I'm trying to write a match module for iptables that needs to call out
> to a userspace application (using netlink) for additional information
> before deciding if it should match a given packet or not.  The delay
> before the userspace app. responds could be as much as a second or so;
> any longer, and the match should fail.  My questions is, how could I
> implement such a system?
> 
> What I was considering was to put my match() function into some sort of
> interruptible wait state after sending the request to userspace, and
> having my netlink socket callback wake up the match function.  However,
> I haven't been able to figure out what sort of concurrency exists in
> netfilter (If one I block in match(), does that tie up the whole system
> until resuming, or are all packets handled in their own threads?), and
> the kernel debugging code complains whenever I call msleep() or mdelay()
> from within match().  I'm not sure how to implement this approach
> safely, or even if it is possible to do so.
> 
> My other thought was to store packets in an internal queue and hotdrop
> them after sending the request to userspace, and having my netlink
> callback pull them out and reinject them where they left off, but have
> no idea how do the reinjecting or how to put an upper bound on the time
> packets wait in my internal queue.  This design also seems to be quite a
> kludge.
> 
> I suppose it would be possible for me to shoe-horn my match into a
> target, or even move the entire system to userspace and use NFQUEUE, but
> that would be even more of a kludge.
> 
> Does anyone have any suggestions on how I could design and implement
> such a system?  I would be grateful for any advice that you can give.

IIRC the geoip match doesn something similar, I guess you can find
some pointers there.