I'm setting up a system where the client needs to have the ability to forcibly block existing connections to a specific port from arbitrary IP addresses. The context is that the client has customers that pay based on time, and when time runs out, their connection gets dumped. Unfortunately, we don't have access right now to the source code for the service, so instead of having the service disconnect them, we're going to put ipfilter on the server, and use it to forcibly close the connection. There's also an activation process, but that's easy enough to figure out, based on how we do the disconnect.

In order to do all this, we have a daemon running on the machine that takes information from the billing system and sends it to what's currently a stub that, when filled in, is going to interact with ipfilter.

My job is to fill in this stub. :)

Now, from what I can tell, the easy way to do this would be to start with something like:
block in on eth0 proto tcp from any to 1.2.3.4 port = 5678

Then, when a connection is activated:
pass in on eth0 proto tcp from 9.10.11.12 to 1.2.3.4 port = 5678
pass out on eth0 proto tcp from 1.2.3.4 port = 5678 to 9.10.11.12

And, having kept track of all the connection rules in our daemon, rebuild the rules without the two above when the connection is to be dropped.

My problem with this is that I'd like to be able to use state tables, but in order to do so, I'd have to be able to manipulate them to remove each entry. I suppose I could rebuild the rules and flush the table, thereby forcing each current connection to hit the rules at least once, but that seems less than elegant, and I don't even know for sure whether the other connections would even revert to the tables, since by that point I have to assume we're well into data transmission, and I remember reading something about assembling the tables depending on at least part of the handshake.

So, to make a long story short (too late), is there any way to remove a specific state entry, or am I stuck doing things the easy way?

Thanks in advance,

-Matt

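As an added example (not the poster's code), the "rebuild and swap" approach the post describes: a daemon-side shell stub that regenerates the whole ipf ruleset from the list of currently paid-up client IPs, loads it into ipf's inactive rule set, swaps it in, and flushes the state table so every existing flow is re-evaluated. It assumes ipf(8) with `-I` (inactive set), `-s` (swap), `-Fa` (flush rules) and `-FS` (flush all state); eth0, 1.2.3.4 and port 5678 are taken from the post.

```shell
#!/bin/sh
# Added example, not the poster's code. Rebuilds the ipf ruleset for the
# billed service and swaps it in; assumed values from the post.
IFACE="eth0"
SERVER="1.2.3.4"
PORT="5678"

# Emit a complete ruleset: a default block, then one pass rule per active
# client. ipf is last-match-wins, so the pass rules override the block.
# "keep state" covers the return direction, so no "pass out" rule is needed.
gen_rules() {
    # $@ = IPs of clients whose time has not run out (may be empty)
    echo "block in on $IFACE proto tcp from any to $SERVER port = $PORT"
    for ip in "$@"; do
        echo "pass in on $IFACE proto tcp from $ip to $SERVER port = $PORT keep state"
    done
}

# Number of rules the generator produces; handy for a sanity check and logging.
rule_count() {
    gen_rules "$@" | wc -l | tr -d ' '
}

# Load the regenerated rules atomically and drop all state. Clients no longer
# in the list hit the block rule on their next packet; clients still in the
# list re-create state from their next in-flight packet (ipf builds state from
# whatever packet matches unless the rule says "flags S").
apply_rules() {
    tmp=$(mktemp) || return 1
    gen_rules "$@" > "$tmp"
    ipf -I -Fa            # clear the inactive rule set
    ipf -I -f "$tmp"      # load the new rules into it
    ipf -s                # swap inactive and active sets
    ipf -FS               # flush every state entry
    rm -f "$tmp"
}

# Usage: ./rebuild.sh --apply 9.10.11.12 5.6.7.8
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
fi
```

Flushing all state is the blunt instrument the post worries about; it cuts off only the IPs missing from the list, but every paying client's state is rebuilt at the cost of one extra rule lookup per flow.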