From: Michal Martinek <michal.martinek@siemens.com>
To: Cedric Blancher <blancher@cartel-securite.fr>
Cc: netfilter@lists.netfilter.org
Subject: Re: netfilter_queue: how to obtain address info from queued packet
Date: Tue, 23 Jan 2007 13:50:31 +0100
Message-ID: <45B60497.5050100@siemens.com>
In-Reply-To: <1169555626.4178.78.camel@anduril.intranet.cartel-securite.net>
Thanks a lot!
The solution with CONNMARK seems to be exactly what I need. It is also
much better than dropping everything on a given port :-).
Have a nice day,
Michal
Cedric Blancher wrote:
> On Tuesday 23 January 2007 at 12:53 +0100, Michal Martinek wrote:
>> Thanks for the help, I've already written a userspace packet analyzer
>> acting as an NFQUEUE target, but the problem is that not all of the
>> packets I'd like to handle (mostly drop) are recognizable. It is a video
>> stream, in which I can detect only some "key packets", but the rest
>> remains unclear.
>
> OK, so if I understand you correctly... You have a video stream
> containing key packets you can spot. This video stream occurs on non
> predictable ports.
>
> First solution, and apologies to Gáspár, use string match to identify
> your key packets. Then mark the entire connection using CONNMARK and
> drop it.
>
> Something like:
>
> iptables -t mangle -A FORWARD -m string --string "yourmagic" \
> -j CONNMARK --set-mark 0x1
> iptables -A FORWARD -m connmark --mark 0x1 -j DROP
>
> This means once you've detected a key packet, you'll drop it as well as
> all further packets from the same connection.
>
> Second solution, you write a helper. Maybe I don't quite get your
> situation, but this stream does not come from nowhere. Its ports have
> to be negotiated in some previous connection so your client application
> can open the right port. Thus, your helper would follow this negotiation
> connection to identify the streaming ports on the fly and block the entire
> video stream.
>
>
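The two iptables rules Cedric quotes rely on connection tracking: the string match marks the connection (not just the packet) once a key packet is seen, and the connmark match then drops every later packet of that connection in both directions. The following is an added userspace model of that behaviour, written for this page and not code from the thread, iptables or netfilter. The packets, addresses and the magic string are constructed; the `ConnmarkFilter` class and `conn_key` helper are hypothetical names. It also makes the one caveat visible that the thread only implies: packets of the stream that arrive before the first key packet are still accepted.

```python
"""Userspace model of 'string match -> CONNMARK -> connmark DROP'.

Example code only; it does not touch iptables or netfilter.  It shows why
marking the *connection* drops the unrecognizable packets as well: every
packet is looked up in a conntrack-like table keyed by the direction-
independent 5-tuple, so a mark set by one key packet applies to the rest
of the stream in both directions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def conn_key(pkt):
    """Direction-independent connection key, like a conntrack entry:
    client->server and server->client packets map to the same tuple."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


class ConnmarkFilter:
    """Hypothetical stand-in for the two rules in the thread."""

    def __init__(self, magic: bytes, mark: int = 0x1):
        self.magic = magic          # the "yourmagic" string of the -m string rule
        self.mark = mark            # the --set-mark value
        self.marks = {}             # conntrack-like table: conn_key -> mark

    def process(self, pkt: Packet) -> str:
        key = conn_key(pkt)
        # mangle/FORWARD: -m string --string magic -j CONNMARK --set-mark mark
        if self.magic in pkt.payload:
            self.marks[key] = self.mark
        # filter/FORWARD: -m connmark --mark mark -j DROP
        if self.marks.get(key) == self.mark:
            return "DROP"
        return "ACCEPT"


# Constructed sample traffic: one video stream between 10.0.0.2 and the
# server 10.0.0.9, plus an unrelated flow from 10.0.0.3 to the same port.
CLIENT, OTHER, SERVER = "10.0.0.2", "10.0.0.3", "10.0.0.9"
PACKETS = [
    Packet(CLIENT, 40000, SERVER, 5004, b"setup"),        # before any key packet
    Packet(SERVER, 5004, CLIENT, 40000, b"hdr KEYFRAME"), # key packet: marks connection
    Packet(CLIENT, 40000, SERVER, 5004, b"ack"),          # unrecognizable, same connection
    Packet(OTHER, 40001, SERVER, 5004, b"data"),          # different connection, no magic
    Packet(SERVER, 5004, CLIENT, 40000, b"frame"),        # unrecognizable, same connection
]


def run(filt: ConnmarkFilter, packets):
    """Return the verdict for each packet in order."""
    return [filt.process(p) for p in packets]


def demo():
    """Run the constructed traffic through the model and return the verdicts
    and the number of marked connections."""
    filt = ConnmarkFilter(magic=b"KEYFRAME")
    verdicts = run(filt, PACKETS)
    return verdicts, len(filt.marks)


if __name__ == "__main__":
    verdicts, marked = demo()
    for pkt, verdict in zip(PACKETS, verdicts):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} {pkt.payload!r}: {verdict}")
    print(f"{marked} connection(s) marked")
```

The first packet of the stream passes because no key packet has been seen yet; everything after the key packet is dropped regardless of direction or content, while the unmarked flow from 10.0.0.3 is untouched. That is exactly the trade-off of the CONNMARK approach compared with a helper that learns the ports from the control connection: it is simple and needs no protocol knowledge, but it can only act from the first recognizable packet onward.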