* event-driven connection tracking
@ 2010-10-13 15:24 Mr Dash Four
2010-10-13 15:48 ` Jan Engelhardt
2010-10-14 12:01 ` Pablo Neira Ayuso
0 siblings, 2 replies; 9+ messages in thread
From: Mr Dash Four @ 2010-10-13 15:24 UTC (permalink / raw)
To: Netfilter Developer Mailing List; +Cc: netfilter
Is it possible to use event-driven connection tracking - with
conntrack-utils or by other means?
Ideally, what I would like to do is 'register' a handler for particular
connection events (when new connection is established and then closed
for example) based on particular pre-defined filter (say, by protocol,
source/destination ip etc) and execute a program code/function (if done
programmatically) or a script (if done outside the connection-tracking
domain) to do what I want?
Currently, the only way to track such 'events' is if I include a
separate chain in iptables tracking a particular connection (and logging
the event via a normal log jump), but that is not enough for me as I
also need to trigger a full dump based on that particular 'filter' and
end this dump when the connection is closed. Any ideas?
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-13 15:24 event-driven connection tracking Mr Dash Four
@ 2010-10-13 15:48 ` Jan Engelhardt
2010-10-13 22:18 ` Mr Dash Four
2010-10-14 12:01 ` Pablo Neira Ayuso
1 sibling, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-10-13 15:48 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Netfilter Developer Mailing List, netfilter
On Wednesday 2010-10-13 17:24, Mr Dash Four wrote:
> Is it possible to use event-driven connection tracking - with conntrack-utils
> or by other means?
>
> Ideally, what I would like to do is 'register' a handler for particular
> connection events (when new connection is established and then closed for
> example) based on particular pre-defined filter (say, by protocol,
> source/destination ip etc) and execute a program code/function (if done
> programmatically) or a script (if done outside the connection-tracking domain)
> to do what I want?
conntrack -Ee NEW,DESTROY
would list you the specified events as they happen. Combined with a
script that reacts when a new line is outputted by conntrack should
do the trick.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-13 15:48 ` Jan Engelhardt
@ 2010-10-13 22:18 ` Mr Dash Four
2010-10-13 22:56 ` Jan Engelhardt
0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-10-13 22:18 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Netfilter Developer Mailing List, netfilter
>> Is it possible to use event-driven connection tracking - with conntrack-utils
>> or by other means?
>>
>> Ideally, what I would like to do is 'register' a handler for particular
>> connection events (when new connection is established and then closed for
>> example) based on particular pre-defined filter (say, by protocol,
>> source/destination ip etc) and execute a program code/function (if done
>> programmatically) or a script (if done outside the connection-tracking domain)
>> to do what I want?
>>
>
> conntrack -Ee NEW,DESTROY
>
> would list you the specified events as they happen. Combined with a
> script that reacts when a new line is outputted by conntrack should
> do the trick.
>
That's not what I am after!
If I want to poll a text output every-so-often I can use
/proc/net/nf_conntrack for that. I am after event-driven tracking
(without the polling!), informing me when the conditions I initially set
are satisfied (connection status, source IP, destination IP etc) and I
pick up the rest (again, via a program interface or a script if there is
no other choice). A bit like (ng-)cron, but with set filters which
trigger the events (as oppose to timing as is the case with cron).
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-13 22:18 ` Mr Dash Four
@ 2010-10-13 22:56 ` Jan Engelhardt
2010-10-14 12:04 ` Pablo Neira Ayuso
0 siblings, 1 reply; 9+ messages in thread
From: Jan Engelhardt @ 2010-10-13 22:56 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Netfilter Developer Mailing List, netfilter
On Thursday 2010-10-14 00:18, Mr Dash Four wrote:
>>> Is it possible to use event-driven connection tracking - with conntrack-utils
>>> or by other means?
>>> Ideally, what I would like to do is 'register' a handler for particular
>>> connection events (when new connection is established and then closed for
>>> example) based on particular pre-defined filter (say, by protocol,
>>> source/destination ip etc) and execute a program code/function (if done
>>> programmatically) or a script (if done outside the connection-tracking
>>> domain)
>>> to do what I want?
>>
>> conntrack -Ee NEW,DESTROY
>>
>> would list you the specified events as they happen. Combined with a script
>> that reacts when a new line is outputted by conntrack should
>> do the trick.
>>
> That's not what I am after!
>
> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack
-E is event driven. (That's why it's got the "E".)
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-13 22:56 ` Jan Engelhardt
@ 2010-10-14 12:04 ` Pablo Neira Ayuso
2010-10-14 13:26 ` Mr Dash Four
0 siblings, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2010-10-14 12:04 UTC (permalink / raw)
To: Jan Engelhardt; +Cc: Mr Dash Four, Netfilter Developer Mailing List, netfilter
On 14/10/10 00:56, Jan Engelhardt wrote:
>
> On Thursday 2010-10-14 00:18, Mr Dash Four wrote:
>>>> Is it possible to use event-driven connection tracking - with conntrack-utils
>>>> or by other means?
>>>> Ideally, what I would like to do is 'register' a handler for particular
>>>> connection events (when new connection is established and then closed for
>>>> example) based on particular pre-defined filter (say, by protocol,
>>>> source/destination ip etc) and execute a program code/function (if done
>>>> programmatically) or a script (if done outside the connection-tracking
>>>> domain)
>>>> to do what I want?
>>>
>>> conntrack -Ee NEW,DESTROY
>>>
>>> would list you the specified events as they happen. Combined with a script
>>> that reacts when a new line is outputted by conntrack should
>>> do the trick.
>>>
>> That's not what I am after!
>>
>> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack
>
> -E is event driven. (That's why it's got the "E".)
Indeed, if you're looking for a tool to listen to event-driven conntrack
notifications, then what Jan suggests is the correct approach. If you
want to make your own handling application, you can use
libnetfilter_conntrack.
For logging, you can use ulogd2.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-14 12:04 ` Pablo Neira Ayuso
@ 2010-10-14 13:26 ` Mr Dash Four
2010-10-15 7:17 ` Pablo Neira Ayuso
0 siblings, 1 reply; 9+ messages in thread
From: Mr Dash Four @ 2010-10-14 13:26 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: Jan Engelhardt, Netfilter Developer Mailing List, netfilter
>>>> conntrack -Ee NEW,DESTROY
>>>>
>>>> would list you the specified events as they happen. Combined with a script
>>>> that reacts when a new line is outputted by conntrack should
>>>> do the trick.
>>>>
>>>>
>>> That's not what I am after!
>>>
>>> If I want to poll a text output every-so-often I can use /proc/net/nf_conntrack
>>>
>> -E is event driven. (That's why it's got the "E".)
>>
>
> Indeed, if you're looking for a tool to listen to event-driven conntrack
> notifications, then what Jan suggests is the correct approach. If you
> want to make your own handling application, you can use
> libnetfilter_conntrack.
>
Making my own handling application was the preferred way, though I would
have settled for text-based notifications through the stdin pipe (a bit
clumsy, but doable). As it turns out libnetfilter_conntrack seems to
provide me with what I need, so I would settle for that.
Another constraint I have (which I did not mention in my initial post)
is that, for various reasons, I am using the 2.6.16.60 kernel - the
libnetfilter_conntrack requirements suggest I can get away with it, is
there anything in particular I should be aware of when installing/using
this package with this kernel version (no, I am not in a position to
upgrade - not yet!)?
> For logging, you can use ulogd2.
>
I have been doing the logging and it is not what I need as the 'action'
I take depends on what I find in the event matches - sometimes it is
necessary to just log the necessary data, but sometimes I would need to
initiate process scanning and full packet dumps on a particular
connection - for that to just use logging won't be enough.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-14 13:26 ` Mr Dash Four
@ 2010-10-15 7:17 ` Pablo Neira Ayuso
0 siblings, 0 replies; 9+ messages in thread
From: Pablo Neira Ayuso @ 2010-10-15 7:17 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Jan Engelhardt, Netfilter Developer Mailing List, netfilter
On 14/10/10 15:26, Mr Dash Four wrote:
> Another constraint I have (which I did not mention in my initial post)
> is that, for various reasons, I am using the 2.6.16.60 kernel - the
> libnetfilter_conntrack requirements suggest I can get away with it, is
> there anything in particular I should be aware of when installing/using
> this package with this kernel version (no, I am not in a position to
> upgrade - not yet!)?
Recommended kernel version is >= 2.6.18 (that's on the website and
docs). With such an old kernel version, I think that you may have
problems with NAT conntrack entries.
Let me know anyway how it goes, it would be interesting to know.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-13 15:24 event-driven connection tracking Mr Dash Four
2010-10-13 15:48 ` Jan Engelhardt
@ 2010-10-14 12:01 ` Pablo Neira Ayuso
2010-10-14 13:14 ` Mr Dash Four
1 sibling, 1 reply; 9+ messages in thread
From: Pablo Neira Ayuso @ 2010-10-14 12:01 UTC (permalink / raw)
To: Mr Dash Four; +Cc: Netfilter Developer Mailing List, netfilter
On 13/10/10 17:24, Mr Dash Four wrote:
> Is it possible to use event-driven connection tracking - with
> conntrack-utils or by other means?
>
> Ideally, what I would like to do is 'register' a handler for particular
> connection events (when new connection is established and then closed
> for example) based on particular pre-defined filter (say, by protocol,
> source/destination ip etc) and execute a program code/function (if done
> programmatically) or a script (if done outside the connection-tracking
> domain) to do what I want?
> Currently, the only way to track such 'events' is if I include a
> separate chain in iptables tracking a particular connection (and logging
> the event via a normal log jump), but that is not enough for me as I
> also need to trigger a full dump based on that particular 'filter' and
> end this dump when the connection is closed. Any ideas?
You can use libnetfilter_conntrack for that:
http://www.netfilter.org/projects/libnetfilter_conntrack/index.html
There are several examples under utils/ in the tarballs that are
distributed.
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: event-driven connection tracking
2010-10-14 12:01 ` Pablo Neira Ayuso
@ 2010-10-14 13:14 ` Mr Dash Four
0 siblings, 0 replies; 9+ messages in thread
From: Mr Dash Four @ 2010-10-14 13:14 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Netfilter Developer Mailing List, netfilter
>> Is it possible to use event-driven connection tracking - with
>> conntrack-utils or by other means?
>>
>> Ideally, what I would like to do is 'register' a handler for particular
>> connection events (when new connection is established and then closed
>> for example) based on particular pre-defined filter (say, by protocol,
>> source/destination ip etc) and execute a program code/function (if done
>> programmatically) or a script (if done outside the connection-tracking
>> domain) to do what I want?
>> Currently, the only way to track such 'events' is if I include a
>> separate chain in iptables tracking a particular connection (and logging
>> the event via a normal log jump), but that is not enough for me as I
>> also need to trigger a full dump based on that particular 'filter' and
>> end this dump when the connection is closed. Any ideas?
>>
>
> You can use libnetfilter_conntrack for that:
> http://www.netfilter.org/projects/libnetfilter_conntrack/index.html
>
THAT is exactly what I was after - program interface through which I can
register the events I am interested in and handle them in my own way.
> There are several examples under utils/ in the tarballs that are
> distributed.
>
Yep, conntrack_events.c and expect_events.c seem to be a good match and
provide me with a decent skeleton on which to base my own code. Thanks
for your input, much appreciated.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~2010-10-15 7:17 UTC | newest]
Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2010-10-13 15:24 event-driven connection tracking Mr Dash Four
2010-10-13 15:48 ` Jan Engelhardt
2010-10-13 22:18 ` Mr Dash Four
2010-10-13 22:56 ` Jan Engelhardt
2010-10-14 12:04 ` Pablo Neira Ayuso
2010-10-14 13:26 ` Mr Dash Four
2010-10-15 7:17 ` Pablo Neira Ayuso
2010-10-14 12:01 ` Pablo Neira Ayuso
2010-10-14 13:14 ` Mr Dash Four
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).