* Anyway to add data to connection tracking?
From: Justin Yaple @ 2010-04-19 19:40 UTC (permalink / raw)
  To: netfilter-devel

Hi everyone,

I am working on an application that has to track data within
custom/non-standard TCP options within the packets of each TCP
session.  It has to check the existence of, and examine the data
within these options then save that data about the session somewhere.
I had previously written my own session tracking system using a large
jump table to linked lists of a custom session structure in case of
collisions with my hashing function.

I was wondering if it's possible to use conntrack for this rather than
re-invent the wheel.  My application needs to be alerted when a
session is being removed from the conntrack table so it can clean up
any data related to that session within the program.  Given the
particular requirements I was not sure if the existing conntrack table
would be suitable for doing this.

What are your thoughts on trying to use conntrack vs using an internal
connection tracking method within the application?

-Justin.

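The check Justin describes above (does a custom TCP option exist in this segment, and what does it carry) needs an option walker that refuses to trust the wire. The example below is added here and is not code from the thread; the option kind 253 and the two sample headers are constructed for illustration. The malformed sample shows why the length byte must be validated: a walker that just adds the advertised length to its cursor loops forever on a length of 0 and reads past the header on an oversized one.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical custom option kind for this example (253 is an experimental kind). */
#define OPT_KIND_CUSTOM 253

/* Walk the option bytes of a TCP header (bytes 20 .. doff*4) looking for `want`.
 * Returns the option payload length (pointer to it in *data if non-NULL), or -1
 * if the option is absent, the header is truncated, or a length byte is bogus. */
int tcp_find_option(const uint8_t *tcp, size_t len, uint8_t want,
                    const uint8_t **data)
{
    if (len < 20) return -1;                         /* truncated header */
    size_t doff = (size_t)(tcp[12] >> 4) * 4;        /* data offset in bytes */
    if (doff < 20 || doff > len) return -1;          /* bogus data offset */
    for (size_t i = 20; i < doff; ) {
        uint8_t kind = tcp[i];
        if (kind == 0) break;                        /* EOL: stop scanning */
        if (kind == 1) { i++; continue; }            /* NOP: no length byte */
        if (i + 1 >= doff) return -1;                /* length byte missing */
        uint8_t olen = tcp[i + 1];
        if (olen < 2 || i + olen > doff) return -1;  /* len 0/1 loops, >doff overruns */
        if (kind == want) { if (data) *data = tcp + i + 2; return olen - 2; }
        i += olen;
    }
    return -1;
}

/* Constructed 32-byte SYN, doff=8: options NOP, NOP, MSS 1460, custom kind 253. */
static const uint8_t sample_tcp[32] = {
    0x04, 0xd2, 0x00, 0x50,  0, 0, 0, 1,  0, 0, 0, 0,     /* ports 1234->80, seq, ack */
    0x80, 0x02, 0xff, 0xff,  0, 0,  0, 0,                 /* doff=8, SYN, win, csum, urg */
    1, 1,  2, 4, 0x05, 0xb4,  253, 6, 0xde, 0xad, 0xbe, 0xef
};

/* Constructed malformed header, doff=6: the custom option claims length 0,
 * which makes a walker that trusts the length byte spin forever. */
static const uint8_t bad_tcp[24] = {
    0x04, 0xd2, 0x00, 0x50,  0, 0, 0, 1,  0, 0, 0, 0,
    0x60, 0x02, 0xff, 0xff,  0, 0,  0, 0,  253, 0, 0, 0
};

/* Big-endian value of a 4-byte custom option, or 0 if absent or malformed. */
uint32_t custom_option_u32(const uint8_t *tcp, size_t len)
{
    const uint8_t *d;
    if (tcp_find_option(tcp, len, OPT_KIND_CUSTOM, &d) != 4) return 0;
    return ((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) |
           ((uint32_t)d[2] << 8) | d[3];
}
```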

* Re: Anyway to add data to connection tracking?
From: James King @ 2010-04-19 21:35 UTC (permalink / raw)
  To: Justin Yaple; +Cc: netfilter-devel

On Mon, Apr 19, 2010 at 12:40 PM, Justin Yaple <yaplej@gmail.com> wrote:
> I am working on an application that has to track data within
> custom/non-standard TCP options within the packets of each TCP
> session.  It has to check the existence of, and examine the data
> within these options then save that data about the session somewhere.
> I had previously written my own session tracking system using a large
> jump table to linked lists of a custom session structure in case of
> collisions with my hashing function.
>
> I was wondering if it's possible to use conntrack for this rather than
> re-invent the wheel.  My application needs to be alerted when a
> session is being removed from the conntrack table so it can clean up
> any data related to that session within the program.  Given the
> particular requirements I was not sure if the existing conntrack table
> would be suitable for doing this.
>
> What are your thoughts on trying to use conntrack vs using an internal
> connection tracking method within the application?

Accounting, NAT, and the conntrack helpers use ct_extend to store
private per-conntrack data.  For an out-of-tree module, you'll need to
maintain a small kernel patch to add an enumeration to
nf_conntrack_extend.h, and add a function call to init_conntrack() and
ctnetlink_create_conntrack() to add the private area when the
conntrack is initialized, as it needs to be allocated before the
conntrack is confirmed.  If your private structure contains any
pointers, you'll also have to specify a destroy callback in your module's
nf_ct_ext_type structure to make sure memory gets cleaned up properly.
nf_conntrack_acct is probably a good module to look at for usage.

HTH,
James
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Anyway to add data to connection tracking?
From: Justin Yaple @ 2010-04-19 23:07 UTC (permalink / raw)
  To: James King; +Cc: netfilter-devel

> Accounting, NAT, and the conntrack helpers use ct_extend to store
> private per-conntrack data.  For an out-of-tree module, you'll need to
> maintain a small kernel patch to add an enumeration to
> nf_conntrack_extend.h, and add a function call to init_conntrack() and
> ctnetlink_create_conntrack() to add the private area when the
> conntrack is initialized, as it needs to be allocated before the
> conntrack is confirmed.  If your private structure contains any
> pointers, you'll also have to specify a destroy callback in your module's
> nf_ct_ext_type structure to make sure memory gets cleaned up properly.
> nf_conntrack_acct is probably a good module to look at for usage.
>
> HTH,
> James

My pre-alpha application was entirely written as a kernel module, but
I am in the process of writing it as a user space service that uses
libnetfilter_queue to intercept packets, and bring them into user
space to be processed.  This is where I need to keep track of the TCP
options in each of the IP packets and track them for each session.
One of my goals is that this will run on pretty much any distro
without needing to recompile the kernel.  Since I don't know much
about netfilter I just was not sure if it were possible to use the
existing conntrack table from user space.

Justin.

* Re: Anyway to add data to connection tracking?
From: James King @ 2010-04-20  2:20 UTC (permalink / raw)
  To: Justin Yaple; +Cc: netfilter-devel

On Mon, Apr 19, 2010 at 4:07 PM, Justin Yaple <yaplej@gmail.com> wrote:

> My pre-alpha application was entirely written as a kernel module, but
> I am in the process of writing it as a user space service that uses
> libnetfilter_queue to intercept packets, and bring them into user
> space to be processed.  This is where I need to keep track of the TCP
> options in each of the IP packets and track them for each session.
> One of my goals is that this will run on pretty much any distro
> without needing to recompile the kernel.  Since I don't know much
> about netfilter I just was not sure if it were possible to use the
> existing conntrack table from user space.

I'm not sure if you can access/modify the conntrack directly from
userspace, but I know you can listen for conntrack events and maintain
your own table passively.  The userspace version of l7-filter combines
queuing+events in this way, constructing a unique string based on the
flow tuple and using it for the key to a map that holds a custom
per-conntrack structure.  l7-conntrack.* and l7-queue.* are the
interesting bits here, but are missing a bit of locking around the
threaded map access currently.

Cheers,
James
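The passive per-flow table James describes (packets from the queue, lifetime from conntrack events, a map keyed by the flow tuple) looks roughly like the following. This is an added illustration, not l7-filter's code; the linked list, the key layout and the stored `custom_opt` field are assumptions. The detail worth copying is the direction-normalised key: packets queued in the reply direction and the DESTROY event, which carries the original-direction tuple, must all land on the same entry, or the state for that session is never freed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Direction-independent key: whichever (address, port) pair sorts lower is
 * stored as "a", so a queued reply packet and a conntrack DESTROY event
 * (which carries the original-direction tuple) resolve to the same entry. */
struct flow_key { uint32_t a_ip, b_ip; uint16_t a_port, b_port; uint8_t proto; };
struct flow { struct flow_key key; uint32_t custom_opt; struct flow *next; };
static struct flow *flows;   /* toy linked list; a real table would hash the key */

struct flow_key flow_key_make(uint32_t sip, uint16_t sport,
                              uint32_t dip, uint16_t dport, uint8_t proto)
{
    struct flow_key k = { sip, dip, sport, dport, proto };
    if (sip > dip || (sip == dip && sport > dport)) {   /* swap into canonical order */
        k.a_ip = dip; k.a_port = dport; k.b_ip = sip; k.b_port = sport;
    }
    return k;
}

static bool key_eq(const struct flow_key *x, const struct flow_key *y)
{
    return x->a_ip == y->a_ip && x->b_ip == y->b_ip && x->a_port == y->a_port &&
           x->b_port == y->b_port && x->proto == y->proto;
}

/* Queued packet carried the custom option: create or update; true if newly created. */
bool flow_record(struct flow_key k, uint32_t custom_opt)
{
    for (struct flow *f = flows; f; f = f->next)
        if (key_eq(&f->key, &k)) { f->custom_opt = custom_opt; return false; }
    struct flow *f = malloc(sizeof *f); if (!f) abort();
    f->key = k; f->custom_opt = custom_opt; f->next = flows; flows = f;
    return true;
}

/* Stored value for the flow, looked up from either direction; 0 if unknown. */
uint32_t flow_lookup(struct flow_key k)
{
    for (struct flow *f = flows; f; f = f->next)
        if (key_eq(&f->key, &k)) return f->custom_opt;
    return 0;
}

/* Conntrack DESTROY event: release the session's state; true if an entry was removed. */
bool flow_destroy(struct flow_key k)
{
    for (struct flow **pp = &flows; *pp; pp = &(*pp)->next)
        if (key_eq(&(*pp)->key, &k)) {
            struct flow *dead = *pp; *pp = dead->next; free(dead); return true;
        }
    return false;
}
```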
