* HElp with script execution!!
From: Visham Ramsurrun @ 2005-07-27 11:11 UTC
To: netfilter-devel

Hi to all,

I wanted to ask if it is possible to get a signal (I don't know from where, maybe a function in the kernel or from the NIC) just before every packet is sent out the NIC. The signal then causes a script to execute. I basically want to execute a script on a per-packet basis. But I don't know how to go about it. I thought about the QUEUE target but I'm not sure. What things should I be looking at?

Thx in advance..

Warm regards,
Visham

* Re: HElp with script execution!!
From: Christian Theil @ 2005-07-27 12:05 UTC
To: netfilter-devel

You can definitely do this with the QUEUE target. You're going to need (to write) a userspace application that retrieves the packets using libipq. See "man libipq" for an example on how to do this.

Regards,
Christian Theil Have.

On 7/27/05, Visham Ramsurrun <vishamr2000@gmail.com> wrote:
> Hi to all,
>
> I wanted to ask if it is possible to get a signal (I don't know from
> where, maybe a function in the kernel or from the NIC) just before
> every packet is sent out the NIC. The signal then causes a script to
> execute. I basically want to execute a script on a per-packet basis.
> But I don't know how to go about it. I thought about the QUEUE target
> but I'm not sure. What things I should be looking at?
>
> Thx in advance..
>
> Warm regards,
> Visham

* Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.*
From: Robert de Bath @ 2005-07-28 10:53 UTC
To: netfilter-devel

Hi all,

I've been mixing iptables 1.2.8/1.2.11 and 1.3.1/2 tools and unlike I would expect I know that the tables created by 1.3.x tools will segfault any 1.2.x based tool that's later run on the table.

It appears that this is because iptables 1.3.x no longer sorts the hooked chains to the beginning of the table. The kernel has no problem with this but old versions of iptables do.

Is there any reason iptables-1.3 couldn't be changed so it doesn't crash version 1.2.x, I assume by putting the sort order back as it was?

--
Rob. (Robert de Bath <robert$ @ debath.co.uk>)
<http://www.debath.co.uk/>

* Re: Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.*
From: Harald Welte @ 2005-07-29 10:58 UTC
To: Robert de Bath; +Cc: netfilter-devel

On Thu, Jul 28, 2005 at 11:53:49AM +0100, Robert de Bath wrote:
> Hi all,
> I've been mixing iptables 1.2.8/1.2.11 and 1.3.1/2 tools and unlike I would
> expect I know that the tables created by 1.3.x tools will segfault any 1.2.x
> based tool that's later run on the table.

mh, mixing multiple versions of the tools is a bad idea anyway. We have other issues with this as well (one has been added to INCOMPATIBILITIES recently).

> Is there any reason iptables-1.3 couldn't be changed so it doesn't crash
> version 1.2.x, I assume by putting the sort order back as it was ?

If the fix is non-intrusive and doesn't require a lot of additional computational complexity, I would accept such a patch. Otherwise I don't really think it's worth supporting such a setup. Usually you have one version of iptables installed, not multiple.

--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/
============================================================================
"Fragmentation is like classful addressing -- an interesting early architectural error that shows how much experimentation was going on while IP was being designed." -- Paul Vixie

* Re: Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.* [PATCH]
From: Robert de Bath @ 2005-07-30 7:12 UTC
To: Harald Welte; +Cc: netfilter-devel

On Fri, 29 Jul 2005, Harald Welte wrote:

> On Thu, Jul 28, 2005 at 11:53:49AM +0100, Robert de Bath wrote:
>> Hi all,
>> I've been mixing iptables 1.2.8/1.2.11 and 1.3.1/2 tools and unlike I would
> other issues with this as well (one has been added to INCOMPATIBILITIES
> recently).

Yup, spotted that but nfcache is per entry so it doesn't break _this_.

> If the fix is non-intrusive and doesn't require a lot of additional
> computational complexity, I would accept such a patch. Otherwise I
> don't really think it's worth supporting such a setup. Usually you have
> one version of iptables installed, not multiple.

<grin> The change was a _lot_ easier than I thought, looks like it's a real bug too. [attached]

--
Rob. (Robert de Bath <robert$ @ debath.co.uk>)
<http://www.debath.co.uk/>

[-- Attachment #2: Type: TEXT/PLAIN, Size: 422 bytes --]

--- libiptc/libiptc.c.orig 2005-07-19 23:03:49.000000000 +0100 +++ libiptc/libiptc.c 2005-07-30 07:59:06.312238644 +0100 @@ -399,7 +399,7 @@ /* sort only user defined chains */ if (!c->hooknum) { list_for_each_entry(tmp, &h->chains, list) { - if (strcmp(c->name, tmp->name) <= 0) { + if (!tmp->hooknum && strcmp(c->name, tmp->name) <= 0) { list_add(&c->list, tmp->list.prev); return; }
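
Review bot: the comment above the `list_for_each_entry` loop still reads only `/* sort only user defined chains */`, so the ordering invariant that the new `!tmp->hooknum &&` test depends on is undocumented. Suggest extending that comment to state that chains with `hooknum` set must stay ahead of user-defined chains in `h->chains`, and that the name comparison must therefore never run against a hooked entry, since per this thread 1.2.x tools segfault on tables laid out otherwise. The hunk also touches only the `if (!c->hooknum)` branch; the path taken when `c->hooknum` is set is not visible here, so it is worth confirming that it cannot place a hooked chain after a user-defined one.
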
* Re: Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.* [PATCH]
From: Harald Welte @ 2005-07-31 6:48 UTC
To: Robert de Bath; +Cc: netfilter-devel

On Sat, Jul 30, 2005 at 08:12:31AM +0100, Robert de Bath wrote:
> >If the fix is non-intrusive and doesn't require a lot of additional
> >computational complexity, I would accept such a patch. Otherwise I
> >don't really think it's worth supporting such a setup. Usually you have
> >one version of iptables installed, not multiple.
>
> <grin> The change was a _lot_ easier than I thought, looks like it's a
> real bug too. [attached]

thanks, Committed revision 4207.

Unfortunately too late for 1.3.3 :( I don't think it's serious enough to justify an early 1.3.4 release.

--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/

* Re: Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.*
From: Jan Engelhardt @ 2005-08-01 7:19 UTC
To: Harald Welte; +Cc: Robert de Bath, netfilter-devel

>mh, mixing multiple versions of the tools is a bad idea anyway. We have

There are .version members in the info struct of both userspace and kernelspace modules - if they are different, why did not iptables catch this?

Jan Engelhardt
--

* Re: Bug Report: IPtables 1.2.* segfaulted by iptables 1.3.*
From: Harald Welte @ 2005-08-01 20:02 UTC
To: Jan Engelhardt; +Cc: Robert de Bath, netfilter-devel

On Mon, Aug 01, 2005 at 09:19:48AM +0200, Jan Engelhardt wrote:
>
> >mh, mixing multiple versions of the tools is a bad idea anyway. We have
>
> There are .version members in the info struct of both userspace and
> kernelspace modules - if they are different, why did not iptables catch this?

sorry, this is for different layout of the 'per match' or 'per target' data structures.

--
- Harald Welte <laforge@netfilter.org> http://netfilter.org/