How to add data to connection tracker

How to add data to connection tracker

[Nils Rennebarth]

Hi,

I am developing a netfilter target extension synproxy, that will work similar to the openbsd pf synproxy,
i.e. it will (if a synflood to the destination address is detected) block the syn packet and answer with a
syn cookie. If a correct ACK to the cookie is found it will send the syn packet to the actual server, intercepts the
reply and then pass packets in both directions, only translating sequence numbers. The extension could
then be used on a firewall to protect systems behind it from synflood attacks.

I need to store some additional data to a connection in the connection tracker. Although infrastructure to do that
appears to be in place, I could not find an obvious way to do that. I *did* read the kernel source and already know
how to write and register a new netfilter extension.

Btw, the netfilter hacking howto appears to be thoroughly outdated. I managed to find http://jengelh.medozas.de/documents/Netfilter_Modules.pdf which helped a lot, but not in this particular area.
______________________________________________________
GRATIS für alle WEB.DE-Nutzer: Die maxdome Movie-FLAT!
Jetzt freischalten unter http://movieflat.web.de

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: How to add data to connection tracker

[Saikiran Madugula]

Nils Rennebarth wrote:
> Hi,
> 
>
> I need to store some additional data to a connection in the connection tracker. Although infrastructure to do that
> appears to be in place, I could not find an obvious way to do that. I *did* read the kernel source and already know
> how to write and register a new netfilter extension.
> 

You can utilize netfilter conntrack's extension infrastructure. Look at
nf_conntrack_acct.c to how its done. I am pretty sure you would receive better
solutions from the list.