From: Andi Kleen <andi@firstfloor.org>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: Christian Grothoff <grothoff@in.tum.de>,
David Miller <davem@davemloft.net>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
knock@gnunet.org, jacob@appelbaum.net
Subject: Re: [PATCH] TCP: add option for silent port knocking with integrity protection
Date: Wed, 11 Dec 2013 13:25:22 -0800 [thread overview]
Message-ID: <87bo0nulkt.fsf@tassilo.jf.intel.com> (raw)
In-Reply-To: <20131211122637.75b09074@nehalam.linuxnetplumber.net> (Stephen Hemminger's message of "Wed, 11 Dec 2013 12:26:37 -0800")
Stephen Hemminger <stephen@networkplumber.org> writes:
>
> The point is that doing it outside of TCP core is safer, less error prone
> and more flexible.
Or to put the question differently: what hooks would be needed to make
this efficiently work in user space?
It could be something like this: Firewall the port with forwarding the
SYN packets using nfqueue, check for the SYN having the right magic,
change a firewall rule, re-inject using nfqueue (not fully sure how
well that works)
-Andi
--
ak@linux.intel.com -- Speaking for myself only
next prev parent reply other threads:[~2013-12-11 21:25 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-10 18:35 [PATCH] TCP: add option for silent port knocking with integrity protection Christian Grothoff
2013-12-11 20:01 ` David Miller
2013-12-11 20:19 ` Christian Grothoff
2013-12-11 20:26 ` Stephen Hemminger
2013-12-11 20:39 ` Christian Grothoff
2013-12-11 21:25 ` Andi Kleen [this message]
2013-12-11 22:53 ` Christian Grothoff
2013-12-12 1:23 ` Andi Kleen
2013-12-12 10:19 ` Jacob Appelbaum
2013-12-12 11:43 ` Christian Grothoff
2013-12-12 12:23 ` Jacob Appelbaum
2013-12-12 14:34 ` Eric Dumazet
2013-12-12 15:07 ` Christian Grothoff
2013-12-12 15:33 ` Eric Dumazet
2013-12-12 15:46 ` Hannes Frederic Sowa
2013-12-13 3:07 ` Hannes Frederic Sowa
2014-08-19 19:36 ` Alexander Holler
2014-08-20 8:24 ` Hagen Paul Pfeifer
2014-08-20 9:07 ` Alexander Holler
2014-08-20 9:28 ` Hagen Paul Pfeifer
2014-08-20 9:47 ` Alexander Holler
2014-08-20 10:20 ` Alexander Holler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87bo0nulkt.fsf@tassilo.jf.intel.com \
--to=andi@firstfloor.org \
--cc=davem@davemloft.net \
--cc=grothoff@in.tum.de \
--cc=jacob@appelbaum.net \
--cc=knock@gnunet.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.