* Reg:Conntrack-tool for packet dropping?
From: Manikandan R @ 2011-10-04 14:09 UTC (permalink / raw)
  To: netfilter-devel

 Hi,
    I am developing an application monitoring tool. When I went through
http://netfilter.org/, I came to know about the conntrack tool, which
can be used for monitoring new connections.
    I used "conntrackd" (the conntrack daemon) for monitoring the packets.
Using nfct_callback_register2() I am able to handle new packets as well,
but I need to drop such a packet if it is related to a particular
pid/process. Is there any way/API to drop packets?

   I hope I am clear about my need. Thanks in advance.

 Regards,
 Manikandan R


* Re: Reg:Conntrack-tool for packet dropping?
From: Ed W @ 2011-10-04 18:34 UTC (permalink / raw)
  To: Manikandan R; +Cc: netfilter-devel

On 04/10/2011 15:09, Manikandan R wrote:
>  Hi,
>     I am developing an application monitoring tool. When I went through
> http://netfilter.org/, I came to know about the conntrack tool, which
> can be used for monitoring new connections.
>     I used "conntrackd" (the conntrack daemon) for monitoring the packets.
> Using nfct_callback_register2() I am able to handle new packets as well,
> but I need to drop such a packet if it is related to a particular
> pid/process. Is there any way/API to drop packets?
>

Conntrack doesn't quite track all packets - see my previous questions
about this...

I also think that if you need to examine all packets and decide their fate
before allowing them through, then you need to look at the userspace queue
stuff?

Note you can set up some extremely clever filtering using iptables. That
has the ability to filter based on local user id, possibly process id,
and your app can also set firewall marks on each packet that can be
easily filtered on later?

Good luck

Ed E


* Re: Reg:Conntrack-tool for packet dropping?
From: Manikandan R @ 2011-10-06  8:07 UTC (permalink / raw)
  To: Ed W; +Cc: netfilter-devel

Hi Ed W,

   Thanks a lot for your reply. Do you mean userspace queues like
libpcap or libnetfilter_queue? If not, please correct me.

   All I need is to block the application before it establishes a
connection with the net.

   My initial idea was to do packet monitoring using libpcap or
libnetfilter_queue, form iptables rules and block them. But I need to
monitor each and every packet; the drawback is that before I form the
iptables rules the connection will already be established by the
application. As we discussed before, I then went for conntrack, and
there also I failed.

   Can you please help me with this?

Thanks and Regards,
Manikandan R


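The approach Ed points at, and the "block before the connection is established" requirement from the follow-up, as an added example that is not code from this thread: iptables rules that park the first packet of every NEW outbound connection from one local user in NFQUEUE, where a userspace verdict program (libnetfilter_queue) accepts or drops it before anything leaves the host. Assumed: iptables with the owner, conntrack and NFQUEUE extensions; the UID 1001 and queue number used in the test are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (and optionally applies) the
# iptables rules for queueing a user's connection attempts to userspace.

# Print the rules for a uid and queue number without applying them (dry run).
nfqueue_rules() {
    uid="$1"
    queue="${2:-0}"
    # The owner match only sees locally generated packets, hence OUTPUT.
    # --ctstate NEW restricts queueing to the connection-opening packet
    # (the TCP SYN), which is exactly the point the thread wants to block at;
    # packets of flows already accepted pass without a userspace round trip.
    echo "iptables -A OUTPUT -m owner --uid-owner $uid -m conntrack --ctstate NEW -j NFQUEUE --queue-num $queue"
    # Deliberately no --queue-bypass: if nothing is bound to the queue the
    # kernel drops the packet, so the control fails closed when the verdict
    # daemon is not running instead of letting the connection through.
    # The daemon can also attach a firewall mark when it issues its verdict
    # (nfq_set_verdict2), which later hooks such as mangle POSTROUTING can
    # match with "-m mark" for further filtering or accounting.
}

# Apply the rules; refuses unless root, so the dry run stays the default.
nfqueue_apply() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; return 1; }
    nfqueue_rules "$1" "$2" | sh -e
}
```

Pair the rules with a verdict program bound to the same queue number; until it returns NF_ACCEPT the SYN never leaves the box, which is the behaviour the conntrack-event approach could not give.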
