* Netfilter hooks.
@ 2001-12-04 13:20 Simona
  2001-12-04 21:58 ` José Luis Domingo López
  0 siblings, 1 reply; 8+ messages in thread
From: Simona @ 2001-12-04 13:20 UTC (permalink / raw)
  To: linux-kernel

Hi!


I am implementing a kernel module for taking a packet out from the stack
at the IP level, redistributing the packet to another stack and putting
the packet into the new stack.

Question: do I need to register a target for this?
Can I call a hook in the same way that I am getting called if I am
registering to a hook?




* Re: Netfilter hooks.
  2001-12-04 13:20 Netfilter hooks Simona
@ 2001-12-04 21:58 ` José Luis Domingo López
  0 siblings, 0 replies; 8+ messages in thread
From: José Luis Domingo López @ 2001-12-04 21:58 UTC (permalink / raw)
  To: linux-kernel

On Tuesday, 04 December 2001, at 14:20:46 +0100,
Simona wrote:

> Question: do I need to register a target for this?
> Can I call a hook in the same way that I am getting called if I am
> registering to a hook?
> 
http://netfilter.samba.org/unreliable-guides/netfilter-hacking-HOWTO

-- 
José Luis Domingo López
Linux Registered User #189436     Debian Linux Woody (P166 64 MB RAM)
 
jdomingo EN internautas PUNTO org  => ¿ Spam ? Atente a las consecuencias
jdomingo AT internautas DOT   org  => Spam at your own risk



* Netfilter Hooks
@ 2007-06-21  1:41 Tercio F. Gaudencio Filho
  2007-06-21  7:09 ` Werner Maier
  2007-06-21 12:09 ` Elvir Kuric
  0 siblings, 2 replies; 8+ messages in thread
From: Tercio F. Gaudencio Filho @ 2007-06-21  1:41 UTC (permalink / raw)
  To: netfilter

Hi All!

I'm new to the Netfilter world and I have some doubts...

I want to create "something" that can analyze packets that get in and
get out from my machine, but I want to analyze the packet data, not
its origin or destination: its content.

Imagine that I want to create a filter that blocks/allows every packet
that contains the word, for example, "GOOGLE" in it. I don't want to
block a packet deriving from some IP, or something like that, I want
to filter the content. For example, be able to parse a XML file in a
packet, or parse some protocol, something like that.

Question: is it possible to do this with netfilter hooks? I read some time
ago about netfilter hooks, and it seems to be pretty simple, with
restrictions... but I'm not sure about that.

If not possible with netfilter hooks, is that possible in another way?
Which way?

Thanks all!

Tercio.



* Re: Netfilter Hooks
  2007-06-21  1:41 Netfilter Hooks Tercio F. Gaudencio Filho
@ 2007-06-21  7:09 ` Werner Maier
  2007-06-21 15:30   ` Jan Kogut
  2007-06-21 12:09 ` Elvir Kuric
  1 sibling, 1 reply; 8+ messages in thread
From: Werner Maier @ 2007-06-21  7:09 UTC (permalink / raw)
  To: netfilter


Hi,

> Imagine that I want to create a filter that blocks/allows every packet
> that contains the word, for example, "GOOGLE" in it. I don't want to
> block a packet deriving from some IP, or something like that, I want
> to filter the content. For example, be able to parse a XML file in a
> packet, or parse some protocol, something like that.

look for "string" in the manpage for iptables.

iptables ... -m string --string "GOOGLE" --algo bm ...

should be the right pointer for you.

regards

Werner Maier
--
Werner Maier, Dipl.-Ing. Univ.         Friedrich-Bergius-Ring 15
fidion GmbH                            97076 Würzburg




* Re: Netfilter Hooks
  2007-06-21  1:41 Netfilter Hooks Tercio F. Gaudencio Filho
  2007-06-21  7:09 ` Werner Maier
@ 2007-06-21 12:09 ` Elvir Kuric
  1 sibling, 0 replies; 8+ messages in thread
From: Elvir Kuric @ 2007-06-21 12:09 UTC (permalink / raw)
  To: Tercio F. Gaudencio Filho; +Cc: netfilter

Hi all,

take a look at http://www.squid-cache.org/ .

Squid cache is very good :)

Regards

Elvir Kuric

On 6/21/07, Tercio F. Gaudencio Filho <terciofilho@gmail.com> wrote:
> Hi All!
>
> I'm new to the Netfilter world and I have some doubts...
>
> I want to create "something" that can analyze packets that get in and
> get out from my machine, but I want to analyze the packet data, not
> its origin or destination: its content.
>
> Imagine that I want to create a filter that blocks/allows every packet
> that contains the word, for example, "GOOGLE" in it. I don't want to
> block a packet deriving from some IP, or something like that, I want
> to filter the content. For example, be able to parse a XML file in a
> packet, or parse some protocol, something like that.
>
> Question: is it possible to do this with netfilter hooks? I read some time
> ago about netfilter hooks, and it seems to be pretty simple, with
> restrictions... but I'm not sure about that.
>
> If not possible with netfilter hooks, is that possible in another way?
> Which way?
>
> Thanks all!
>
> Tercio.
>
>



* Re: Netfilter Hooks
  2007-06-21  7:09 ` Werner Maier
@ 2007-06-21 15:30   ` Jan Kogut
  2007-06-21 18:14     ` Juan León
  0 siblings, 1 reply; 8+ messages in thread
From: Jan Kogut @ 2007-06-21 15:30 UTC (permalink / raw)
  To: Werner Maier; +Cc: netfilter

Hi,
>
> look for "string" in the manpage to iptables.
>
> iptables ... -m string --string "GOOGLE" --algo bm ...
>
> should be the right pointer for you.
>

I am wondering about the usability of the Knuth-Pratt-Morris algorithm 
(--algo kmp).

here 
http://www-igm.univ-mlv.fr/~lecroq/string/node14.html#SECTION00140
vs
http://www-igm.univ-mlv.fr/~lecroq/string/node8.html#SECTION0080

we can see that Boyer-Moore gives definitely better performance than
Knuth-Pratt-Morris.
That is why I am curious about when kmp is better than bm?

Cheers,
JK

-- 
Regards,

Jan Kogut
Computer Systems Administrator
Laboratory of Bioinformatics and Protein Engineering
International Institute of Molecular and Cell Biology

ul. Ks. Trojdena 4
02-109 Warsaw, Poland 
http://genesilico.pl


:.




* Re: Netfilter Hooks
  2007-06-21 15:30   ` Jan Kogut
@ 2007-06-21 18:14     ` Juan León
  2007-06-21 18:29       ` Jan Kogut
  0 siblings, 1 reply; 8+ messages in thread
From: Juan León @ 2007-06-21 18:14 UTC (permalink / raw)
  To: Jan Kogut; +Cc: netfilter

2007/6/21, Jan Kogut <jkogut@genesilico.pl>:
> Hi,
> >
> > look for "string" in the manpage to iptables.
> >
> > iptables ... -m string --string "GOOGLE" --algo bm ...
> >
> > should be the right pointer for you.
> >
>
> I am wondering about the usability of the Knuth-Pratt-Morris algorithm
> (--algo kmp).
>
> here
> http://www-igm.univ-mlv.fr/~lecroq/string/node14.html#SECTION00140
> vs
> http://www-igm.univ-mlv.fr/~lecroq/string/node8.html#SECTION0080
>
> we can see that Boyer-Moore gives definitely better performance than
> Knuth-Pratt-Morris.
> That is why I am curious about when kmp is better than bm?
>
> Cheers,
> JK
>
> --
> Regards,
>
> Jan Kogut
> Computer Systems Administrator
> Laboratory of Bioinformatics and Protein Engineering
> International Institute of Molecular and Cell Biology
>
> ul. Ks. Trojdena 4
> 02-109 Warsaw, Poland
> http://genesilico.pl
>
>
> :.
>
>
>

if you use a string match and match for a specific string inside the
packet, let's say get /index.html. Will that work? Normally, yes.
However, if the packet size is very small, it will not. The reason is
that iptables is built to work on a per packet basis, which means that
if the string is split into several separate packets, iptables will
not see that whole string. For this reason, you are much, much better
off using a proxy of some sort for filtering in the application layer.

Use Squid.


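To make the per-packet limitation concrete, here is an added example that is not part of this thread: the same substring search is run once per packet (the way a per-packet match sees the data) and once over the reassembled TCP stream (the way an application-layer proxy sees it). The segment payloads and sequence numbers are constructed sample data, and the pattern "GET /index.html" is split across two small segments that also arrive out of order.

```python
# Added example (not from the thread): a per-packet string match misses a
# pattern that TCP has split across segments; stream reassembly does not.
from typing import List, Tuple

Segment = Tuple[int, bytes]  # (relative TCP sequence number, payload)

PATTERN = b"GET /index.html"

# Constructed sample: the request line straddles two segments, and the
# second segment is observed before the first.
SEGMENTS: List[Segment] = [
    (8, b"ex.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    (0, b"GET /ind"),
]


def per_packet_match(segments: List[Segment], pattern: bytes) -> List[bool]:
    """Search every packet in isolation, as a per-packet match does.

    Returns one verdict per packet; nothing is carried across packets,
    so a pattern that straddles a boundary is never seen whole.
    """
    return [pattern in payload for _, payload in segments]


def reassemble(segments: List[Segment], start_seq: int = 0) -> bytes:
    """Order segments by sequence number and join the contiguous run.

    Stops at the first hole or overlap instead of guessing, so the
    returned bytes are exactly what the receiver would have seen so far.
    """
    stream = b""
    expected = start_seq
    for seq, payload in sorted(segments):
        if seq != expected:
            break  # missing or overlapping data: do not invent bytes
        stream += payload
        expected += len(payload)
    return stream


def stream_match(segments: List[Segment], pattern: bytes) -> bool:
    """Search the reassembled byte stream, as an application-layer proxy does."""
    return pattern in reassemble(segments)


if __name__ == "__main__":
    print("per packet:", per_packet_match(SEGMENTS, PATTERN))  # [False, False]
    print("reassembled:", stream_match(SEGMENTS, PATTERN))     # True
```

Shrinking the segment size (or lowering the MSS) is enough to make any fixed-length pattern cross a boundary, which is why the per-packet verdicts above are both False while the stream search succeeds.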

* Re: Netfilter Hooks
  2007-06-21 18:14     ` Juan León
@ 2007-06-21 18:29       ` Jan Kogut
  0 siblings, 0 replies; 8+ messages in thread
From: Jan Kogut @ 2007-06-21 18:29 UTC (permalink / raw)
  To: Juan León; +Cc: netfilter

Hello,
>
> if you use a string match and match for a specific string inside the
> packet, let's say get /index.html. Will that work? Normally, yes.
> However, if the packet size is very small, it will not. The reason is
> that iptables is built to work on a per packet basis, which means that
> if the string is split into several separate packets, iptables will
> not see that whole string. For this reason, you are much, much better
> off using a proxy of some sort for filtering in the application layer.
>
> Use Squid.
That's correct (I hope).
The point is "what is the idea of Knuth-Pratt-Morris algorithm in string
module, if Boyer-Moore works fine?". I assume there should be some pros
and cons of it, hence my curiosity.
Anyway, thanks for your indication by demonstration.

Cheers,
JK

-- 
Regards,

Jan Kogut
Computer Systems Administrator
Laboratory of Bioinformatics and Protein Engineering
International Institute of Molecular and Cell Biology

ul. Ks. Trojdena 4
02-109 Warsaw, Poland 
http://genesilico.pl


:.



