Re: Selectively refusing TCP connections
On Thu, May 24, 2001 at 12:15:44PM -0700, David Ford wrote:

> Is there an example somewhere of this?

I don't have one handy, but basically you have to hack libpcap a bit to push the generated filters using SO_ATTACH_FILTER onto a socket. The format (LPF) understood by the kernel is a superset of the BPF stack machine code generated by libpcap. See linux/filter.h and the BPF documentation. Its main drawback is that it doesn't support variable length headers properly.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: Selectively refusing TCP connections
Is there an example somewhere of this?

David

> You can push a BPF (LPF) filter expression onto a LISTEN socket that checks
> every incoming packet using SO_ATTACH_FILTER.
Re: Selectively refusing TCP connections
On Wed, May 23, 2001 at 06:59:02PM +0100, Ben Mansell wrote:

> Hi all,
>
> Is there any mechanism in Linux for refusing incoming TCP connections?
> I'd like to be able to fetch the next incoming connection on a listen
> queue, and selectively accept or reject it based on the IP address of the
> client. I know this could be done via firewall rules, but for this case,
> I'd like an application to have the final say on whether the connection
> will be accepted.

You can push a BPF (LPF) filter expression onto a LISTEN socket that checks every incoming packet using SO_ATTACH_FILTER.

The only way to do it fully in an application is probably to set up netfilter NAT to forward the connection to some local process; or alternatively push the packets using a netfilter queue target to a user process and forward/disable firewall rules dynamically.

-Andi
Selectively refusing TCP connections
Hi all,

Is there any mechanism in Linux for refusing incoming TCP connections? I'd like to be able to fetch the next incoming connection on a listen queue, and selectively accept or reject it based on the IP address of the client. I know this could be done via firewall rules, but for this case, I'd like an application to have the final say on whether the connection will be accepted.

I think XTI used to offer this kind of thing; you could get notification of a new connection when the initial SYN was received, so you could send back a RST and finish it there and then. Otherwise, you have to go through the bother of accepting the connection then closing it down properly. Of course, since everyone uses sockets, and the socket API doesn't provide this facility, it looks like this feature has been dropped almost everywhere.

So, any suggestions?

Thanks,
Ben