RE: netfilter query

From: Stuart Macdonald
Date: Mon Nov 22 2004 - 20:49:48 EST

Next message: Adrian Bunk: "Re: why use ACPI (Re: 2.6.10-rc2 doesn't boot (if no floppy device))"
Previous message: john cooper: "Re: Priority Inheritance Test (Real-Time Preemption)"
In reply to: Henrik Nordstrom: "Re: netfilter query"
Next in thread: cranium2003: "RE: netfilter query"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Just a parallel thought here,

A different approach is to implement the Netfilter Bridge hooks and run a
box as a bridge. This requires a kernel parameter for Bridge to be enabled
when the kernel is built and then the brctl utility to setup the bridge. In
this manner, your bridge netfilter hooks always receive packets starting at
the MAC headers. You can parse from there to derive subsequent protocols:
IP, IPX, LLC, SNAP, NETBEUI...

Stuart

-----Original Message-----
From: kernelnewbies-bounce@xxxxxxxxxxxx
[mailto:kernelnewbies-bounce@xxxxxxxxxxxx]On Behalf Of Henrik Nordstrom
Sent: Monday, November 22, 2004 5:03 AM
To: cranium2003
Cc: kernelnewbies@xxxxxxxxxxxx; netdev@xxxxxxxxxxx;
netfilter-devel@xxxxxxxxxxxxxxxxxxx; linux-kernel@xxxxxxxxxxxxxxx
Subject: Re: netfilter query

On Sun, 21 Nov 2004, cranium2003 wrote:

> Also,which headers are added when packet
> reaches to netfilter hook NF_IP_LOCAL_OUT? I found
> TCP/UDP/ICMP ,IP. Is that correct?

Yes.

netfilter is running at the IP layer and only reliably have access to IP
headers and up. Lower level headers such as Ethernet MAC header is
transport dependent and not always available, and certainly not available
in NF_IP_LOCAL_OUT as it is not yet known the packet will be sent to an
Ethernet.

In some netfilter hooks it is possible to rewind back to the Ethernet MAC
header but one must be careful to verify that it really is an Ethernet
packet one is looking at when doing this. Unfortunately there is no
perfect solution how to detect this.. For an example of how one may try to
look at the Ethernet MAC header see ipt_mac.c. But be warned that it is
possible for non-Ethernet frames to pass the simple checks done there..

Regards
Henrik

--
Kernelnewbies: Help each other learn about the Linux kernel.
Archive: http://mail.nl.linux.org/kernelnewbies/
FAQ: http://kernelnewbies.org/faq/

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Adrian Bunk: "Re: why use ACPI (Re: 2.6.10-rc2 doesn't boot (if no floppy device))"
Previous message: john cooper: "Re: Priority Inheritance Test (Real-Time Preemption)"
In reply to: Henrik Nordstrom: "Re: netfilter query"
Next in thread: cranium2003: "RE: netfilter query"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]