packet socket can't steal packets

packet socket can't steal packets

[Dmitrii Tisnek]

hey, I've been trying to change certain network packet mangling software
such that it would not need a kernel module, and it seems to me that,
unfortunately there's no way to make packet socket "steal" packets it
deliveres to the user mode.

The behaviour I see is it gives userland a copy and give the native
network stack a copy.

unless I missed something, perhaps there could be an ioctl/setsockopt
which would turn this behaviour into "pass packet to user mode or drop
altogether" that would never result in network stack getting a packet
directly.

I realise same functionality can be achieved through netfilter QUEUE
command, but that doesn't seem as nice.

cheers, dima

Re: packet socket can't steal packets

[Carl-Johan Bostorp]

On Tue, May 07, 2002 at 09:02:31PM +0300, Dmitrii Tisnek wrote:
> hey, I've been trying to change certain network packet mangling software
> such that it would not need a kernel module, and it seems to me that,
> unfortunately there's no way to make packet socket "steal" packets it
> deliveres to the user mode.

"Divert Sockets for Linux" springs to my mind.. 

http://www.anr.mcnc.org/~divert/index.shtml

---
   Divert sockets enable both IP packet interception and injection on the
   end-hosts as well as on routers. Interception and injection happen at
   the IP layer. The intercepted packets are diverted to sockets in the
   user space, thus they will not be able to reach their destination
   unless they are reinjected by the user space sockets. This allows
   different tricks (e.g., routing and firewall) to be played, outside
   the operating system kernel, in between the packet interception and
   reinjection.
---


-- 
~~~<*>~~~

Web: http://elemental.webservices.se/		   ICQ: 3534707
PGP: 0xA6B5C43B					IRCnet: ctor

~~~<*>~~~

Re: packet socket can't steal packets

[Chris Friesen]

Carl-Johan Bostorp wrote:
> 
> On Tue, May 07, 2002 at 09:02:31PM +0300, Dmitrii Tisnek wrote:
> > hey, I've been trying to change certain network packet mangling software
> > such that it would not need a kernel module, and it seems to me that,
> > unfortunately there's no way to make packet socket "steal" packets it
> > deliveres to the user mode.
> 
> "Divert Sockets for Linux" springs to my mind..
> 
> http://www.anr.mcnc.org/~divert/index.shtml

Except that the original poster is using the 2.4 kernel, for which divert
sockets do not work.

For 2.4 the netfilter module is cleanest, followed by netfilter QUEUE to
userspace (although this will give a performance hit).

When I had to move from 2.2 with divert sockets to 2.4, I used a netfilter
module with commandline parameters to pass in arguments.

Chris

-- 
Chris Friesen                    | MailStop: 043/33/F10  
Nortel Networks                  | work: (613) 765-0557
3500 Carling Avenue              | fax:  (613) 765-2986
Nepean, ON K2H 8E9 Canada        | email: cfriesen@nortelnetworks.com

Re: packet socket can't steal packets

[Thomas 'Dent' Mirlacher]

On Tue, 7 May 2002, Dmitrii Tisnek wrote:

> hey, I've been trying to change certain network packet mangling software
> such that it would not need a kernel module, and it seems to me that,
> unfortunately there's no way to make packet socket "steal" packets it
> deliveres to the user mode.
> 
> The behaviour I see is it gives userland a copy and give the native
> network stack a copy.

right - take a look at net/core/dev.c netif_receive_skb.

> unless I missed something, perhaps there could be an ioctl/setsockopt
> which would turn this behaviour into "pass packet to user mode or drop
> altogether" that would never result in network stack getting a packet
> directly.

well, that would be nice for certain applications, but wouldn't it
also be a security problem?

... well there would be a way how you could implement this kind of
feature now, but you need to write a module also :(

	++dent

-- 
in some way i do, and in some way i don't.

Re: packet socket can't steal packets

[Dmitrii Tisnek]

On Tue, 7 May 2002, Thomas 'Dent' Mirlacher wrote:
>
> > unless I missed something, perhaps there could be an ioctl/setsockopt
> > which would turn this behaviour into "pass packet to user mode or drop
> > altogether" that would never result in network stack getting a packet
> > directly.
>
> well, that would be nice for certain applications, but wouldn't it
> also be a security problem?

no.

read-only access to network traffic already requires priviledges.
and theres' already a way to insert packets via socket send/write.

all I'm proposing is a way to "delete" packets too.

cheers, dima.

Re: packet socket can't steal packets

[Thomas 'Dent' Mirlacher]

On Tue, 7 May 2002, Dmitrii Tisnek wrote:

> On Tue, 7 May 2002, Thomas 'Dent' Mirlacher wrote:
> >
> > > unless I missed something, perhaps there could be an ioctl/setsockopt
> > > which would turn this behaviour into "pass packet to user mode or drop
> > > altogether" that would never result in network stack getting a packet
> > > directly.
> >
> > well, that would be nice for certain applications, but wouldn't it
> > also be a security problem?
> 
> no.
> 
> read-only access to network traffic already requires priviledges.
> and theres' already a way to insert packets via socket send/write.

seen from this perspective you're right.
and seen from the perspective that the kernel should provide functionality
	and the user/admin is responsible for restricting this access,
	you're right too.

> all I'm proposing is a way to "delete" packets too.

well you've a problem here:
	1)	how can you be sure you're the first one to see that packet?
		what about two applications which want to do the same thing?
		should tcpdump (on the local machine of course :) see the
			packet at all?
and the really minor problem is, you've to change all the protocols which
register + af_packet to return an NET_RX_DONTCARE instead of NET_RX_DROP.

	just my $0.02

		++dent
	
-- 
in some way i do, and in some way i don't.