From: John Heffner <johnwheffner-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: Eric Dumazet <eric.dumazet-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Eric B Munson <emunson-JqFfY2XvxFXQT0dZR+AlfA@public.gmane.org>,
Tom Herbert <tom-BjP2VixgY4xUbtYUoyoikg@public.gmane.org>,
"David S. Miller" <davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>,
linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
netdev <netdev-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: [PATCH net-next] tcp: provide SYN headers for passive connections
Date: Mon, 4 May 2015 10:41:26 -0400
Message-ID: <CABrhC0nmsfAyHgJX8zEBDBVfFN=2qXKy7cO0Kbp9R9UCeEYowg@mail.gmail.com>
In-Reply-To: <1430714086.3711.165.camel-XN9IlZ5yJG9HTL0Zs8A6p/gx64E7kk8eUsxypvmhUTTZJqsBc5GL+g@public.gmane.org>
On Mon, May 4, 2015 at 12:34 AM, Eric Dumazet <eric.dumazet-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> From: Eric Dumazet <edumazet-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
>
> This patch allows a server application to get the TCP SYN headers for
> its passive connections. This is useful if the server is doing
> fingerprinting of clients based on SYN packet contents.
>
> Two socket options are added: TCP_SAVE_SYN and TCP_SAVED_SYN.
>
> The first is used on a socket to enable saving the SYN headers
> for child connections. This can be set before or after the listen()
> call.
>
> The latter is used to retrieve the SYN headers for passive connections,
> if the parent listener has enabled TCP_SAVE_SYN.
>
> TCP_SAVED_SYN is read once; reading it frees the saved SYN headers.
>
> The data returned in TCP_SAVED_SYN are network (IPv4/IPv6) and TCP
> headers.
>
> Original patch was written by Tom Herbert; I changed it to not hold
> a full skb (and associated dst and conntracking reference).
>
> We have used such a patch for about 3 years at Google.
Nice idea, seems handy. But a couple (somewhat related) questions:
* Other than convenience, are there reasons not to use an existing, more
general-purpose and portable mechanism like pcap? (Permissions, I guess?)
* Are there conditions where, for security purposes, you don't want an
application to have access to the raw SYNs?
Thanks,
-John
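Added example (editor's code, not part of the thread or of the patch itself): a C program showing how a server would consume the two options the quoted description defines: enable TCP_SAVE_SYN on the listener, read TCP_SAVED_SYN once from each accepted socket, and parse the returned IPv4/IPv6 + TCP headers into the fields a logging or client-fingerprinting layer would record. The option numbers 27 and 28 are the values the merged kernel uses (guarded with #ifndef in case the system headers predate them); the SYN byte strings are constructed samples, not captured traffic; the names parse_saved_syn, read_saved_syn, enable_save_syn and struct syn_fingerprint are mine.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed values: the option numbers merged into Linux 4.2 for this patch. */
#ifndef TCP_SAVE_SYN
#define TCP_SAVE_SYN 27
#endif
#ifndef TCP_SAVED_SYN
#define TCP_SAVED_SYN 28
#endif

struct syn_fingerprint {
    int ip_version;     /* 4 or 6 */
    int ttl;            /* IPv4 TTL or IPv6 hop limit */
    uint16_t window;    /* advertised window in the SYN */
    uint16_t mss;       /* 0 if no MSS option */
    uint8_t wscale;     /* 0xff if no window-scale option */
    int sack_ok;
    int timestamps;
    int opt_len;        /* TCP option bytes present */
};

/* Parse the buffer TCP_SAVED_SYN returns: network header followed by the TCP
 * header with options (no payload). Returns 0 on success, -1 if malformed. */
int parse_saved_syn(const uint8_t *buf, size_t len, struct syn_fingerprint *fp)
{
    size_t nh_len;
    memset(fp, 0, sizeof(*fp));
    fp->wscale = 0xff;
    if (len < 20) return -1;
    int ver = buf[0] >> 4;
    if (ver == 4) {
        nh_len = (size_t)(buf[0] & 0x0f) * 4;   /* IHL in 32-bit words */
        if (nh_len < 20 || len < nh_len) return -1;
        fp->ttl = buf[8];
    } else if (ver == 6) {
        nh_len = 40;                             /* fixed IPv6 header */
        if (len < nh_len) return -1;
        fp->ttl = buf[7];
    } else {
        return -1;
    }
    fp->ip_version = ver;
    const uint8_t *tcp = buf + nh_len;
    size_t tcp_avail = len - nh_len;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;    /* data offset in words */
    if (doff < 20 || doff > tcp_avail) return -1;
    fp->window = (uint16_t)((tcp[14] << 8) | tcp[15]);
    fp->opt_len = (int)(doff - 20);
    const uint8_t *opt = tcp + 20;
    size_t i = 0, n = doff - 20;
    while (i < n) {                              /* walk TCP options */
        uint8_t kind = opt[i];
        if (kind == 0) break;                    /* end of option list */
        if (kind == 1) { i++; continue; }        /* NOP padding */
        if (i + 1 >= n) return -1;
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > n) return -1; /* truncated/bogus option */
        switch (kind) {
        case 2: if (olen == 4) fp->mss = (uint16_t)((opt[i + 2] << 8) | opt[i + 3]); break;
        case 3: if (olen == 3) fp->wscale = opt[i + 2]; break;
        case 4: fp->sack_ok = 1; break;
        case 8: fp->timestamps = 1; break;
        default: break;                          /* unknown kinds are skipped */
        }
        i += olen;
    }
    return 0;
}

/* Enable saving of SYN headers for children of this listener. */
int enable_save_syn(int listen_fd)
{
    int one = 1;
    return setsockopt(listen_fd, IPPROTO_TCP, TCP_SAVE_SYN, &one, sizeof(one));
}

/* Fetch and parse the saved SYN of an accepted socket. The kernel frees the
 * headers on the first read, so call this once per connection and keep the
 * result. A zero-length result means nothing was saved (or it was already read). */
int read_saved_syn(int conn_fd, struct syn_fingerprint *fp)
{
    uint8_t buf[512];                            /* ample for IPv4/IPv6 + 60-byte TCP header */
    socklen_t len = sizeof(buf);
    if (getsockopt(conn_fd, IPPROTO_TCP, TCP_SAVED_SYN, buf, &len) < 0) return -1;
    if (len == 0) return -1;
    return parse_saved_syn(buf, len, fp);
}

/* Constructed samples (not captured traffic): 20-byte IPv4 header, TTL 64, then a
 * 40-byte TCP SYN with MSS 1460, SACK-OK, timestamps, NOP, window scale 7. */
static const uint8_t sample_syn_v4[] = {
    0x45,0x00,0x00,0x3c, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
    0xc0,0xa8,0x01,0x0a, 0xc0,0xa8,0x01,0x01,
    0xc3,0x50,0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0xa0,0x02,0xfa,0xf0, 0x00,0x00,0x00,0x00,
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x08,0x0a,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
    0x01, 0x03,0x03,0x07
};
/* Same TCP SYN behind a 40-byte IPv6 header (hop limit 64, fe80::1 -> fe80::2). */
static const uint8_t sample_syn_v6[] = {
    0x60,0x00,0x00,0x00, 0x00,0x28,0x06,0x40,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x01,
    0xfe,0x80,0,0,0,0,0,0, 0,0,0,0,0,0,0,0x02,
    0xc3,0x50,0x01,0xbb, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0xa0,0x02,0xfa,0xf0, 0x00,0x00,0x00,0x00,
    0x02,0x04,0x05,0xb4, 0x04,0x02, 0x08,0x0a,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,
    0x01, 0x03,0x03,0x07
};

int main(void)
{
    struct syn_fingerprint fp;
    if (parse_saved_syn(sample_syn_v4, sizeof(sample_syn_v4), &fp) == 0)
        printf("v%d ttl=%d win=%u mss=%u wscale=%u sack=%d ts=%d optlen=%d\n",
               fp.ip_version, fp.ttl, fp.window, fp.mss, fp.wscale,
               fp.sack_ok, fp.timestamps, fp.opt_len);
    return 0;
}
```

In a real server, call enable_save_syn() on the listening socket (before or after listen(), as the description says), then read_saved_syn() on each fd returned by accept(); the parser is what turns the raw headers into a record you can log or compare against expected client stacks.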