Check connection state in libipq hook

Check connection state in libipq hook

[switcher]

Hi All,

 I'm coding a software that check if an incoming packet is part of an active
 connection.
 I'm using libipq to get the packet and I tried to submit it to
 ip_conntrack_find_get() as a tuple create with ip_conntrack_tuple but it
 doesn't work so I have some questions about that.

 I'm creating the tuple and submitting it with that piece of code :
 --------
 struct ip_conntrack_tuple *tuple;
 tuple->src.ip                 = iph->saddr;
 tuple->src.u.tcp.port         = tcp->source;
 tuple->dst.ip                 = iph->daddr;
 tuple->dst.u.tcp.port         = tcp->dest;
 tuple->dst.protonum         = iph->protocol;
 tuple->dst.dir                = 0;
 if (NULL == ip_conntrack_find_get(tuple, NULL))
 {
      fprintf(stdout, "tuple IS NOT part of an active connection");
 }
 else {
      fprintf(stdout, "tuple IS part of an active connection");
 }
 --------
 But I don't know what to put in tuple->dst.dir value... is it a static value ?

 Moreover, I included <linux/netfilter.h>,
 <linux/netfilter_ipv4/ip_conntrack_tuple.h> and
 <linux/netfilter_ipv4/ip_conntrack_core.h> (kernel 2.6.17.7) but when I try to
 compile it, I have an error message :
 --------
 /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: In function
 'ip_conntrack_confirm':
 /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:44: error: dereferencing
 pointer to incomplete type
 /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: At top level:
 /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:59: error: syntax error
 before 'ip_conntrack_lock'
 --------

 I'm not manipulating 'ip_conntrack_confirm' nor 'ip_conntrack_lock' so I guess
 I've made a mistake somewhere but I don't know where...
 Could you help me ?

 Thanks,
 julien

Re: Check connection state in libipq hook

[Pablo Neira Ayuso]

switcher wrote:
>  I'm coding a software that check if an incoming packet is part of an active
>  connection.
>  I'm using libipq to get the packet and I tried to submit it to
>  ip_conntrack_find_get() as a tuple create with ip_conntrack_tuple but it
>  doesn't work so I have some questions about that.
> 
>  I'm creating the tuple and submitting it with that piece of code :
>  --------
>  struct ip_conntrack_tuple *tuple;
>  tuple->src.ip                 = iph->saddr;
>  tuple->src.u.tcp.port         = tcp->source;
>  tuple->dst.ip                 = iph->daddr;
>  tuple->dst.u.tcp.port         = tcp->dest;
>  tuple->dst.protonum         = iph->protocol;
>  tuple->dst.dir                = 0;
>  if (NULL == ip_conntrack_find_get(tuple, NULL))
>  {
>       fprintf(stdout, "tuple IS NOT part of an active connection");
>  }
>  else {
>       fprintf(stdout, "tuple IS part of an active connection");
>  }
>  --------
>  But I don't know what to put in tuple->dst.dir value... is it a static value ?
> 
>  Moreover, I included <linux/netfilter.h>,
>  <linux/netfilter_ipv4/ip_conntrack_tuple.h> and
>  <linux/netfilter_ipv4/ip_conntrack_core.h> (kernel 2.6.17.7) but when I try to
>  compile it, I have an error message :
>  --------
>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: In function
>  'ip_conntrack_confirm':
>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:44: error: dereferencing
>  pointer to incomplete type
>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: At top level:
>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:59: error: syntax error
>  before 'ip_conntrack_lock'
>  --------
> 
>  I'm not manipulating 'ip_conntrack_confirm' nor 'ip_conntrack_lock' so I guess
>  I've made a mistake somewhere but I don't know where...
>  Could you help me ?

Misconception: The connection tracking is a kernel module. libipq is a 
userspace library. You can't invoke such functions from userspace.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: Check connection state in libipq hook

[switcher]

Pablo Neira Ayuso <pablo@netfilter.org> a écrit :

> switcher wrote:
>>  I'm coding a software that check if an incoming packet is part of an active
>>  connection.
>>  I'm using libipq to get the packet and I tried to submit it to
>>  ip_conntrack_find_get() as a tuple create with ip_conntrack_tuple but it
>>  doesn't work so I have some questions about that.
>>
>>  I'm creating the tuple and submitting it with that piece of code :
>>  --------
>>  struct ip_conntrack_tuple *tuple;
>>  tuple->src.ip                 = iph->saddr;
>>  tuple->src.u.tcp.port         = tcp->source;
>>  tuple->dst.ip                 = iph->daddr;
>>  tuple->dst.u.tcp.port         = tcp->dest;
>>  tuple->dst.protonum         = iph->protocol;
>>  tuple->dst.dir                = 0;
>>  if (NULL == ip_conntrack_find_get(tuple, NULL))
>>  {
>>       fprintf(stdout, "tuple IS NOT part of an active connection");
>>  }
>>  else {
>>       fprintf(stdout, "tuple IS part of an active connection");
>>  }
>>  --------
>>  But I don't know what to put in tuple->dst.dir value... is it a
>> static value ?
>>
>>  Moreover, I included <linux/netfilter.h>,
>>  <linux/netfilter_ipv4/ip_conntrack_tuple.h> and
>>  <linux/netfilter_ipv4/ip_conntrack_core.h> (kernel 2.6.17.7) but
>> when I try to
>>  compile it, I have an error message :
>>  --------
>>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: In function
>>  'ip_conntrack_confirm':
>>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:44: error:
>> dereferencing
>>  pointer to incomplete type
>>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h: At top level:
>>  /usr/include/linux/netfilter_ipv4/ip_conntrack_core.h:59: error:
>> syntax error
>>  before 'ip_conntrack_lock'
>>  --------
>>
>>  I'm not manipulating 'ip_conntrack_confirm' nor 'ip_conntrack_lock'
>> so I guess
>>  I've made a mistake somewhere but I don't know where...
>>  Could you help me ?
>
> Misconception: The connection tracking is a kernel module. libipq is
> a userspace library. You can't invoke such functions from userspace.
>

Errr...
So, do you know another technique that I can use to do so in userspace ?
I could maintain a connection state table in userspace but I think it's
a waste
of time to redo netfilter's job...


thanks,
julien

Re: Check connection state in libipq hook

[Pablo Neira Ayuso]

switcher wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> a écrit :
>> Misconception: The connection tracking is a kernel module. libipq is 
>> a userspace library. You can't invoke such functions from userspace.
> 
> Errr...
> So, do you know another technique that I can use to do so in userspace ?
> I could maintain a connection state table in userspace but I think it's 
> a waste of time to redo netfilter's job...

Well, it depends on what you want to do. Anyway, you may also use 
libnetfilter_conntrack to listen to conntrack events. BTW, libipq has 
been superseded by libnetfilter_queue and the NFQUEUE target.

-- 
The dawn of the fourth age of Linux firewalling is coming; a time of 
great struggle and heroic deeds -- J.Kadlecsik got inspired by J.Morris

Re: Check connection state in libipq hook

[switcher]

Pablo Neira Ayuso <pablo@netfilter.org> a écrit :

> switcher wrote:
>> Pablo Neira Ayuso <pablo@netfilter.org> a écrit :
>>> Misconception: The connection tracking is a kernel module. libipq
>>> is a userspace library. You can't invoke such functions from
>>> userspace.
>>
>> Errr...
>> So, do you know another technique that I can use to do so in userspace ?
>> I could maintain a connection state table in userspace but I think
>> it's a waste of time to redo netfilter's job...
>
> Well, it depends on what you want to do. Anyway, you may also use
> libnetfilter_conntrack to listen to conntrack events. BTW, libipq has
> been superseded by libnetfilter_queue and the NFQUEUE target.
>

Alright, I'm reading libnetfilter_conntrack utils right now, but it
sounds like
you forgot to add some comments :p
I want to check if an incoming packet is part of an active (tcp & udp)
connection. With util should I follow ?

Thanks,
julien