List:       netfilter-devel
Subject:    Re: Modifying netfilter tables from kernelspace
From:       Richard Guy Briggs <rgb () conscoop ! ottawa ! on ! ca>
Date:       2001-05-30 8:47:53

On Tue, May 29, 2001 at 02:40:01PM +0200, Henrik Nordstrom wrote:
> Richard Guy Briggs wrote:
> 
> > In designing a new netfilter target, I am assuming that it is possible
> > to have the target add a new entry into an existing netfilter table.
> > This is a fairly important part of the design.
> 
> It might be possible, but probably not a very easy task. The structures are
> somewhat complex to manage, and there is strong layering abstracting the
> tables from targets/matches.

Hmmm... I would still like to investigate this possibility further.

Here is the circumstance for opportunistic encryption:

- put in a "TRAP" target, that gets sent any packets that match....
	- it sends up a PF_KEYv2 ACQUIRE message to all listening Key
	Management Daemons requesting a secure connection be negotiated
	for that packet...
	- it then puts in place a rule to a "HOLD" target that I'll
	describe in a sec...
	- it then stores that skb with that "HOLD"...
	- it then returns NF_STOLEN...

- the KMd goes away and starts to negotiate...

- a packet comes in identical to the first...

- the rule matches and the skb gets sent to the HOLD target...
	- the skb replaces the last stored one for that HOLD...
	- the previous skb is discarded...
	- the HOLD target returns NF_STOLEN...

- the KMd finishes negotiating...

- the KMd puts in new Security Associations to be accessed by the IPSEC
target

- the KMd replaces the HOLD with an IPSEC target...

- the deletion of the HOLD target causes the last skb held by the HOLD
to be re-released at the beginning of the chain, caught this time by the
IPSEC target.

> Other modules doing similar things maintain their own state, and use a match
> to look into this state. See for example "psd" or "pool". Such a design is
> well supported by the framework.

I tried to find some documentation (other than the source ;-) for ippool
and assume there are README, INSTALL and other docs in the 0.0.2 and
0.0.3 versions of ippool, but there is no such thing in the ippool
directory of iptables-1.2.

> Henrik Nordstrom

	slainte mhath, RGB
-- 
Richard Guy Briggs -- PGP key available            Auto-Free Ottawa! Canada
<www.conscoop.ottawa.on.ca/rgb/>                       <www.flora.org/afo/>
Prevent Internet Wiretapping!        --        FreeS/WAN:<www.freeswan.org>
Thanks for voting Green! -- <green.ca>      Marillion:<www.marillion.co.uk>
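A user-space model of the TRAP, HOLD and IPSEC sequence described in the message above, added here as an illustration; it is not FreeS/WAN or netfilter code, and the flow key, the ordered rule list and the recorded ACQUIRE list are assumptions of the model:

```python
# Constructed model of the TRAP -> HOLD -> IPSEC sequence (added example, not
# FreeS/WAN or netfilter code); flow key, rule list and ACQUIRE log are assumed.
NF_STOLEN, NF_ACCEPT = "NF_STOLEN", "NF_ACCEPT"

class Chain:
    def __init__(self):
        self.rules = [(None, "TRAP")]  # (flow or None=any, target), in order
        self.held = {}                 # flow -> the single skb a HOLD keeps
        self.acquires = []             # PF_KEYv2 ACQUIREs "sent" to the KMds
        self.encrypted = []            # packets that reached the IPSEC target

    def traverse(self, pkt):
        # First matching rule wins, as in an iptables chain.
        for rule_flow, target in self.rules:
            if rule_flow is None or rule_flow == pkt["flow"]:
                return getattr(self, "_" + target.lower())(pkt)
        return NF_ACCEPT

    def _trap(self, pkt):
        # Ask the key managers to negotiate, put a flow-specific HOLD ahead
        # of the TRAP, keep the packet and steal it from the stack.
        self.acquires.append(pkt["flow"])
        self.rules.insert(0, (pkt["flow"], "HOLD"))
        self.held[pkt["flow"]] = pkt
        return NF_STOLEN

    def _hold(self, pkt):
        # Only the newest packet survives, so a HOLD never queues more than one skb.
        self.held[pkt["flow"]] = pkt
        return NF_STOLEN

    def _ipsec(self, pkt):
        self.encrypted.append(pkt)
        return NF_ACCEPT

    def negotiation_done(self, flow):
        # KMd replaces the HOLD with an IPSEC target; removing the HOLD
        # re-releases its held skb at the top of the chain, where IPSEC catches it.
        self.rules = [(f, "IPSEC") if (f, t) == (flow, "HOLD") else (f, t)
                      for f, t in self.rules]
        pkt = self.held.pop(flow, None)
        return self.traverse(pkt) if pkt is not None else None

def demo():
    # Two identical packets arrive before the KMd finishes, then it finishes.
    chain = Chain()
    flow = ("10.0.0.1", "10.0.0.2")      # constructed sample flow
    verdicts = (chain.traverse({"flow": flow, "id": 1}),   # TRAP
                chain.traverse({"flow": flow, "id": 2}),   # HOLD
                chain.negotiation_done(flow))              # re-release
    return chain, verdicts
```

Running `demo()` shows the first packet triggering one ACQUIRE, the second replacing it in the HOLD, and only that second packet reaching the IPSEC target after negotiation.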