packets scan

Brad Chapman kakadu@earthlink.net
Mon, 30 Jul 2001 20:15:33 -0400


Mr. Stone,

   Userspace: ipq_set_verdict()
   Kernelspace: nf_reinject()

   You call ipq_set_verdict() to set a verdict for the packet AND optionally
return a modified version of the packet (i.e. for virus scanners that can
clean files). ipq_set_verdict() talks to ip_queue, which calls nf_reinject(),
which returns the packet to the mainstream.

   As for implementing your suggestion with the e-mail header idea, try this:

   iptables -t mangle -A PREROUTING  -p tcp --dport 110 -j QUEUE
   iptables -t mangle -A POSTROUTING -p tcp --sport 110 -j QUEUE

   Then hack a userspace daemon together, and call it something informative,
like "Xhdrstripd", and when you get a packet, snoop the payload for your
various X- headers. Strip them, ipq_set_verdict() them, and wait for the next
packet.

   For more info on libipq, run make install-devel in your iptables dir, then
read man 3 libipq.

Brad
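
The daemon sketched above, written out as an added example for this thread
(it is not Brad's code and not part of iptables or libipq). Two things the
sketch glosses over are shown explicitly: the buffer ip_queue hands to
userspace is the whole IP datagram, so the TCP payload has to be located
first, and the ipq_set_verdict() call is the "reinject" step, carrying the
(possibly shortened) packet back to the kernel. The stripping logic runs on a
constructed sample packet so it can be compiled and checked anywhere; the
libipq loop at the bottom is compiled only with -DUSE_LIBIPQ and uses the calls
documented in man 3 libipq (ipq_create_handle, ipq_set_mode, ipq_read,
ipq_message_type, ipq_get_packet, ipq_set_verdict). The function names, the
sample addresses and the message text are all made up here. Two caveats are
left as comments rather than solved: shrinking a TCP segment also invalidates
the IP and TCP checksums and the sequence numbers of every later segment, and
a header block split across two segments is never seen whole. A real daemon
repairs both, or, as the earlier reply says, acts as a proxy instead.

```c
#include <string.h>
#include <stddef.h>

/* Drop every "X-" header line (and its folded continuation lines) from the
 * header block of an RFC 822 message in buf[0..len), compacting in place.
 * Body lines (after the first empty line) are left alone.  Returns new length. */
size_t strip_x_headers(unsigned char *buf, size_t len)
{
    size_t in = 0, out = 0;
    int in_headers = 1, last_dropped = 0;
    while (in < len) {
        size_t eol = in;
        while (eol < len && buf[eol] != '\n')     /* find end of this line */
            eol++;
        size_t n = (eol < len) ? eol - in + 1 : eol - in;  /* incl. '\n' */
        int blank = (n == 1 && buf[in] == '\n') ||
                    (n == 2 && buf[in] == '\r' && buf[in + 1] == '\n');
        int folded = buf[in] == ' ' || buf[in] == '\t';
        int drop = in_headers && !blank &&
                   ((n >= 2 && buf[in] == 'X' && buf[in + 1] == '-') ||
                    (folded && last_dropped));
        if (blank)
            in_headers = 0;                       /* header block is over */
        if (!drop) {
            memmove(buf + out, buf + in, n);
            out += n;
        }
        last_dropped = drop;
        in += n;
    }
    return out;
}

/* Run strip_x_headers() over the TCP payload of the raw IPv4 packet that
 * ip_queue hands to userspace (data starts at the IP header) and patch the
 * IP total length.  Returns the new packet length, or 0 if it is not IPv4/TCP.
 * Caveat: IP/TCP checksums and the TCP sequence numbers of the rest of the
 * connection are NOT fixed up here; a real filter must do that (or proxy). */
size_t strip_x_headers_in_packet(unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 6)  /* IPv4, proto TCP */
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length */
    if (ihl < 20 || len < ihl + 20)
        return 0;
    size_t off = ihl + (size_t)(pkt[ihl + 12] >> 4) * 4; /* + TCP data offset */
    if (off < ihl + 20 || len < off)
        return 0;
    size_t new_len = off + strip_x_headers(pkt + off, len - off);
    pkt[2] = (unsigned char)(new_len >> 8);
    pkt[3] = (unsigned char)(new_len & 0xff);
    return new_len;
}

/* Constructed sample: a minimal IPv4+TCP packet (no options) from port 110
 * carrying the start of a POP3 RETR reply with two X- headers, one folded. */
static const char SAMPLE_PAYLOAD[] =
    "+OK message follows\r\nFrom: alice@example.invalid\r\n"
    "X-Mailer: Example Mailer 1.0\r\nX-Spam-Report: score=0.1\r\n"
    " folded continuation\r\nSubject: hello\r\n\r\n"
    "X-not-a-header: body text stays\r\n";

size_t build_sample_packet(unsigned char *out, size_t cap)
{
    size_t plen = sizeof(SAMPLE_PAYLOAD) - 1, total = 40 + plen;
    if (cap < total)
        return 0;
    memset(out, 0, 40);
    out[0] = 0x45;  out[8] = 64;  out[9] = 6;    /* IPv4 IHL=5, TTL, TCP */
    out[2] = (unsigned char)(total >> 8);        /* IP total length */
    out[3] = (unsigned char)(total & 0xff);
    out[12] = 10; out[15] = 1; out[16] = 10; out[19] = 2; /* 10.0.0.1 -> 10.0.0.2 (made up) */
    out[21] = 110; out[22] = 0xc0;               /* sport 110, dport 49152 */
    out[32] = 0x50; out[33] = 0x18;              /* data offset 5, PSH|ACK */
    memcpy(out + 40, SAMPLE_PAYLOAD, plen);
    return total;
}

#ifdef USE_LIBIPQ  /* daemon loop; build with: cc -DUSE_LIBIPQ xhdrstripd.c -lipq */
#include <sys/socket.h>
#include <linux/netfilter.h>
#include <libipq.h>
#define BUFSIZE 65536
int main(void)
{
    static unsigned char buf[BUFSIZE];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);   /* needs CAP_NET_ADMIN */
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, BUFSIZE) < 0) {
        ipq_perror("xhdrstripd");
        return 1;
    }
    for (;;) {
        if (ipq_read(h, buf, BUFSIZE, 0) <= 0 || ipq_message_type(buf) != IPQM_PACKET)
            continue;
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        size_t n = strip_x_headers_in_packet(m->payload, m->data_len);
        /* verdict plus (possibly shortened) packet: this is the "reinject" */
        ipq_set_verdict(h, m->packet_id, NF_ACCEPT, n, n ? m->payload : NULL);
    }
}
#endif
```

With the two iptables QUEUE rules loaded and the daemon running, every queued
packet goes through strip_x_headers_in_packet() and comes back to the stack via
ipq_set_verdict(); if the daemon dies, queued packets are dropped until it is
restarted, which is the failure mode to monitor for.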

Antony Stone wrote:

> At 13:06 on 30 Jul 01, Brad Chapman wrote about Re: packets scan:
>
>>    Don't. The virus scanner just acts as a proxy. It gets the queued e-mail
>> message from the connection, then scans it and reinjects it.
>
> Hi Brad.
>
> Can you explain what "reinjects it" involves? I think there is
> obviously something I don't understand about the QUEUE target, because
> what you say sounds so simple, yet I don't understand how the userspace
> program puts stuff back into the network stream.
>
>> The rules to do it are below:
>>
>>    iptables -t mangle -A PREROUTING  -p tcp --sport 110 -j QUEUE
>>    iptables -t mangle -A POSTROUTING -p tcp --dport 110 -j QUEUE
>>
>>    To do this, Mr. Florent would need my mangle5hooks patch from the
>> archives, since Mr. Harald is still really busy and hasn't sorted out the
>> priority issue ;-)
>
> I am already using the mangle5hooks patch for other reasons, so that's not
> a problem for me.
>
> I understand the rules shown above okay, but what do I do with (to?) my
> userspace program in order to get the data fed into it, and what do I do
> in my userspace program to "reinject" the data back to the network stream
> afterwards? For example, I don't see anything in the QUEUE target above
> saying what user process the packets should be sent to? How does
> iptables know which program I want to use (for filtering email, in this
> example)?
>
> Say I wanted to do a really quick and dirty email filter which stripped
> out any mail headers beginning with "X-" (and I didn't bother about
> whether I was processing headers or message body), using something like
> grep -v "^X-". How would that get fitted in with the iptables rules you
> showed above?
>
> I'm sure the answer to my question is very easy, but I just don't see it
> yet...
>
> Antony.