Launch script when packet is received

Amin Azez azez at ufomechanic.net
Tue Mar 6 13:53:24 CET 2007


* octane indice wrote, On 05/03/07 23:03:
> Hello
> 
> Is there any way to do something like this:
> 
> iptables -A INPUT <packet> -j ACTION --script /sbin/myscript.sh
> 
> And better, with myscript.sh called with arguments like IP src or dest or
> protocol or type of packet?

err.... crikey!
The short answer is: Thankfully not.

The longer answer is yeee-ee-e-es.

You can either use -j LOG and fiddle with your syslog.conf file so that
the logged messages that match are written to a named pipe, and you have
a dispatch daemon that listens on the pipe (you can write this in bash)
and calls your scripts.

Or you could use the deprecated ULOG v1 target which receives packets
over netlink and hack the ulog daemon to do your bidding launching scripts.

Or you could use the QUEUE target to queue whole packets to user space
and then use a perl NF QUEUE handler to do your work for you.

I'm sure you have an interesting reason for wanting to do it.

Just don't ask for shell script matches where the exit code of the shell
script is taken as the match result. Although you could probably do this
using the NF QUEUE method you would also have bad dreams. Or something.

Sam
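The first approach in the reply above (a `-j LOG` rule, syslog writing the matching lines to a named pipe, and a small dispatch daemon in the shell), as an added example that is not part of the original thread. It assumes a hypothetical `--log-prefix "DISPATCH: "` on the LOG rule, a hypothetical FIFO path `/var/run/ipt-dispatch.fifo` that syslog.conf writes kernel messages to, and a hypothetical handler script; the sample log line in the test is constructed.

```shell
#!/bin/sh
# Dispatch daemon for iptables LOG messages delivered through a named pipe.
# Assumed, not from the thread: a rule like
#   iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix "DISPATCH: "
# and a syslog.conf entry that sends kern.* to the FIFO given below.

# Print the value of one KEY=value field (SRC, DST, PROTO, DPT, ...) from a
# kernel LOG line; prints an empty string when the field is absent or empty.
ipt_field() {
    local line="$1" key="$2"
    printf '%s\n' "$line" |
        sed -n "s/.*[[:space:]]$key=\([^[:space:]]*\).*/\1/p"
}

# Turn one LOG line into the argument list "src dst proto" for the handler.
# Returns 1 for lines that lack the prefix or the mandatory SRC/DST fields,
# so unrelated kernel messages on the same pipe are ignored.
ipt_args() {
    local line="$1" prefix="$2" src dst proto
    case "$line" in *"$prefix"*) ;; *) return 1 ;; esac
    src=$(ipt_field "$line" SRC)
    dst=$(ipt_field "$line" DST)
    proto=$(ipt_field "$line" PROTO)
    [ -n "$src" ] && [ -n "$dst" ] || return 1
    printf '%s %s %s\n' "$src" "$dst" "${proto:-UNKNOWN}"
}

# Read the FIFO forever and call the handler with "src dst proto".
# The FIFO is reopened after every EOF so the loop survives a syslog restart.
dispatch_loop() {
    local fifo="$1" prefix="$2" handler="$3" line args
    while :; do
        while IFS= read -r line; do
            args=$(ipt_args "$line" "$prefix") || continue
            # Word splitting of $args is intended: three separate arguments.
            "$handler" $args
        done <"$fifo"
    done
}

# Example daemon start (hypothetical paths):
# mkfifo -m 600 /var/run/ipt-dispatch.fifo
# dispatch_loop /var/run/ipt-dispatch.fifo "DISPATCH: " /sbin/myscript.sh
```

The handler runs with whatever privileges the daemon has, so restrict the FIFO's permissions and keep the handler from re-using the parsed values in a further shell command without quoting them.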



More information about the netfilter-devel mailing list