From: Rayed Alrashed <rayed@saudi.net.sa>
To: Alex <alex@hackgod.org>
Cc: netfilter@lists.netfilter.org
Subject: Re: Forking inside netfilter queue
Date: Thu, 03 May 2007 21:39:48 +0300
Message-ID: <463A2C74.90401@saudi.net.sa>
In-Reply-To: <13098.213.106.233.77.1178214500.squirrel@xeentech.com>
>
> If you were to do this with the queue lib, then you'd actually have to
> either let the client establish the connection OR fake that the connection
> was established, before the HTTP request is sent for you to rule on.
>
Of course! I want my application to be totally transparent to the
client. The client will use a regular browser without any proxy, and I
won't inspect TCP handshake packets, only packets that look like an HTTP
request.
> Also keep in mind that the servers/clients might want to do a keep-alive or
> long-lived HTTP session, with multiple HTTP requests. Keeping track of
> that, from an NFNetlink/Queue based interface would be hectic.
>
According to my tests and observations, most HTTP requests reside in a
single packet. For requests that span more than one packet, I'll start
tracking the session when I get a packet that looks like the beginning
of an HTTP request, and stop when I get the "Host" header.
For example:
3rd Packet: "GET /ver_long_uri\r\n"
It looks like the start of HTTP request, Start tracking.
4th Packet: "Host: ad-ware.domain\r\n\r\n"
I have URI+HOST, Stop tracking.
In this case I won't have to keep track of the whole TCP session, only
what I need to get the URI and Host.
This will allow me to process more packets with minimal session tracking.
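Added example, not code from this thread or from Rayed's program: a self-contained Python sketch of the tracking rule described above (open a per-flow buffer when a TCP payload begins like an HTTP request line, report URI plus Host and forget the flow once a complete Host line has been seen), applied to raw IPv4/TCP bytes of the kind a libnetfilter_queue callback hands over. The packets are constructed inline by a hypothetical build_packet() helper so the block runs offline. Two caveats the approach carries: it does no TCP sequence tracking, so reordered or retransmitted segments are simply concatenated in arrival order, and a per-flow byte cap is needed so a client that starts a request but never sends a Host line cannot pin memory indefinitely.

```python
import re
import struct

# Request-line prefixes that make a segment "look like the start of an HTTP request".
METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")
# Only a complete Host line (terminated by a newline) counts, so a Host header split
# across two segments is not reported until its second half arrives.
HOST_RE = re.compile(rb"^Host:[ \t]*([^\r\n]+?)[ \t]*\r?\n", re.IGNORECASE | re.MULTILINE)


def parse_ipv4_tcp(pkt):
    """Return ((src, sport, dst, dport), tcp_payload), or None if not IPv4/TCP."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:        # protocol 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    doff = (pkt[ihl + 12] >> 4) * 4                # TCP data offset in bytes
    return (pkt[12:16], sport, pkt[16:20], dport), pkt[ihl + doff:]


class HttpHostTracker:
    """Keep a per-flow buffer only between a request-line start and its Host header."""

    def __init__(self, max_bytes=4096):
        self.pending = {}            # flow 4-tuple -> bytes buffered so far
        self.max_bytes = max_bytes   # bound on memory one client can tie up per flow

    def feed(self, pkt):
        """Feed one raw IPv4 packet; return (uri, host) when a request completes, else None."""
        parsed = parse_ipv4_tcp(pkt)
        if parsed is None:
            return None
        key, payload = parsed
        if key in self.pending:
            buf = self.pending.pop(key) + payload  # mid-request: append in arrival order
        elif payload.startswith(METHODS):
            buf = payload                          # looks like a request start: begin tracking
        else:
            return None                            # neither: not our business
        m = HOST_RE.search(buf)
        if m is None:
            if len(buf) <= self.max_bytes:         # still waiting for the Host line
                self.pending[key] = buf
            return None                            # over budget: stop tracking this flow
        request_line = buf.split(b"\n", 1)[0].split()
        uri = request_line[1] if len(request_line) > 1 else b""
        return uri, m.group(1)


def build_packet(src, sport, dst, dport, payload):
    """Hypothetical helper: constructed IPv4 + TCP headers, checksums left zero (parse-only)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload


def run_demo():
    """Replay constructed segments shaped like the thread's example; return the verdicts."""
    flow = (bytes([10, 0, 0, 2]), 40000, bytes([192, 0, 2, 10]), 80)
    t = HttpHostTracker()
    out = [t.feed(build_packet(*flow, seg)) for seg in (
        b"GET /ver_long_uri HTTP/1.1\r\n",                         # 3rd packet: start tracking
        b"Host: ad-ware.domain\r\n\r\n",                           # 4th packet: Host seen, stop
        b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",  # common single-segment case
        b"\x16\x03\x01\x00\x05",                                   # TLS-looking bytes: ignored
    )]
    return out, len(t.pending)


if __name__ == "__main__":
    print(run_demo())
```

The regex insists on a line terminator after the Host value, so a Host header that is itself cut across two segments stays buffered until the rest arrives; with seq-number tracking left out, a deliberately reordered split is the easy way for a client to slip a request past this rule, which is the trade-off being accepted in exchange for the minimal state.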
Thread overview:
2007-04-30 13:18 Forking inside netfilter queue Rayed
2007-04-30 13:47 ` Jan Engelhardt
2007-05-01 6:30 ` Rayed
2007-05-01 8:32 ` Jan Engelhardt
2007-05-01 18:27 ` Can't get --dport to work Joel Lindsay
2007-05-01 20:28 ` Krishnamoorthy (Siva) Sivakumar
2007-05-03 15:25 ` Forking inside netfilter queue Alex
2007-05-03 19:20 ` Rayed Alrashed
2007-05-03 17:48 ` Alex
2007-05-03 18:39 ` Rayed Alrashed [this message]