Reg:Conntrack-tool for packet dropping?
From: Manikandan R @ 2011-10-04 14:09 UTC
To: netfilter-devel

Hi,

I am developing an application monitoring tool. When I went through http://netfilter.org/, I came to know about the conntrack-tool, which can be used for monitoring new connections. I used "conntrackd" (the conntrack daemon) for monitoring the packets. Using nfct_callback_register2() I am able to handle new packets also, but I need to drop a packet if it is related to a particular pid/process. Is there any way/API to drop packets?

Hope I am clear about my need. Thanks in advance.

Regards,
Manikandan R
Re: Reg:Conntrack-tool for packet dropping?
From: Ed W @ 2011-10-04 18:34 UTC
To: Manikandan R; +Cc: netfilter-devel

On 04/10/2011 15:09, Manikandan R wrote:
> Hi,
> I am developing an application monitoring tool. When I went through
> http://netfilter.org/, I came to know about the conntrack-tool, which
> can be used for monitoring new connections.
> I used "conntrackd" (the conntrack daemon) for monitoring the packets.
> Using nfct_callback_register2() I am able to handle new packets also,
> but I need to drop a packet if it is related to a particular
> pid/process. Is there any way/API to drop packets?
>

Conntrack doesn't quite track all packets - see my previous questions about this...

I think also if you need to examine all packets and decide their fate ahead of allowing them through then you need to look at userspace queue stuff?

Note you can set up some extremely clever filtering using iptables. That has the ability to filter based on local user id, possibly process id, and also your app can set firewall marks on each packet that can be easily filtered on later?

Good luck

Ed E
Re: Reg:Conntrack-tool for packet dropping?
From: Manikandan R @ 2011-10-06 8:07 UTC
To: Ed W; +Cc: netfilter-devel

Hi Ed W,

Thanks a lot for your reply. Do you mean userspace queues like libpcap or libnetfilter_queue? If not, please correct me.

All my need is to block the application before it establishes a connection with the net. My initial idea is, by using libpcap or libnetfilter_queue, to do packet monitoring and form iptables and block them. But I need to monitor each and every packet; the drawback is that before I form iptables, the connection will be established by the application. As we discussed before, I then went for conntrack; there also I failed.

Can you please help me on this.

Thanks and Regards,
Manikandan R

On 10/5/11, Ed W <lists@wildgooses.com> wrote:
> On 04/10/2011 15:09, Manikandan R wrote:
>> Hi,
>> I am developing an application monitoring tool. When I went through
>> http://netfilter.org/, I came to know about the conntrack-tool, which
>> can be used for monitoring new connections.
>> I used "conntrackd" (the conntrack daemon) for monitoring the packets.
>> Using nfct_callback_register2() I am able to handle new packets also,
>> but I need to drop a packet if it is related to a particular
>> pid/process. Is there any way/API to drop packets?
>>
>
> Conntrack doesn't quite track all packets - see my previous questions
> about this...
>
> I think also if you need to examine all packets and decide their fate
> ahead of allowing them through then you need to look at userspace queue
> stuff?
>
> Note you can set up some extremely clever filtering using iptables. That
> has the ability to filter based on local user id, possibly process id,
> and also your app can set firewall marks on each packet that can be
> easily filtered on later?
>
> Good luck
>
> Ed E
>
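Ed's pointer to userspace queueing, combined with the pid lookup Manikandan wants, as an added example that is not code from this thread: the verdict decision an NFQUEUE callback would call for each queued packet. The /proc/net/tcp sample, the inode-to-pid map and the test packet are all constructed here; a real tool would receive raw packets from libnetfilter_queue and refresh the tables from /proc before each decision.

```python
import struct
from typing import Dict, Optional, Set

NF_DROP, NF_ACCEPT = 0, 1  # verdict values from <linux/netfilter.h>

def parse_ipv4_tcp(payload: bytes) -> Optional[dict]:
    """Pull ports and SYN/ACK flags out of a raw IPv4/TCP packet; None if not IPv4/TCP."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    ihl = (payload[0] & 0x0F) * 4
    if payload[9] != 6 or len(payload) < ihl + 20:  # protocol 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
    flags = payload[ihl + 13]
    return {"sport": sport, "dport": dport, "syn": bool(flags & 0x02), "ack": bool(flags & 0x10)}

def parse_proc_net_tcp(text: str) -> Dict[int, int]:
    """Map local TCP port -> socket inode from text in /proc/net/tcp format."""
    table: Dict[int, int] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) >= 10:
            table[int(fields[1].split(":")[1], 16)] = int(fields[9])
    return table

def verdict(payload: bytes, port_to_inode: Dict[int, int],
            inode_to_pid: Dict[int, int], blocked_pids: Set[int]) -> int:
    """Drop a new outbound SYN whose owning pid is blocked; accept everything else."""
    pkt = parse_ipv4_tcp(payload)
    if pkt is None or not pkt["syn"] or pkt["ack"]:
        return NF_ACCEPT  # only gate connection attempts, never established traffic
    pid = inode_to_pid.get(port_to_inode.get(pkt["sport"], -1))
    return NF_DROP if pid in blocked_pids else NF_ACCEPT

def build_syn(src: str, sport: int, dst: str, dport: int, flags: int = 0x02) -> bytes:
    """Constructed IPv4/TCP packet for testing (checksums left zero; verdict ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
    return ip + tcp

# Constructed /proc/net/tcp sample: local port 0xC4A1 (50337) in SYN_SENT, socket inode 48123.
PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:C4A1 0A0200C0:01BB 02 00000000:00000000 00:00000000 00000000  1000        0 48123 1 0000000000000000 100 0 0 10 0
"""
# Constructed inode -> pid map; a real tool builds it from the socket:[inode] links under /proc/<pid>/fd.
INODE_TO_PID = {48123: 4242}
```

Because the lookup runs on the SYN, the socket is already in /proc/net/tcp (state SYN_SENT) but no connection has been established yet, which is exactly the window the thread is after.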