Mailing List Archive

Re: packets scan
Mr. Stone,

Userspace: ipq_set_verdict()
Kernelspace: nf_reinject()

You call ipq_set_verdict() to set a verdict for the packet AND optionally
return a modified version of the packet (i.e. for virus scanners that can
clean files). ipq_set_verdict() talks to ip_queue, which calls nf_reinject(),
which returns the packet to the mainstream.

As for implementing your suggestion with the e-mail header idea, try
this:

iptables -t mangle -A PREROUTING -p tcp --dport 110 -j QUEUE
iptables -t mangle -A POSTROUTING -p tcp --sport 110 -j QUEUE

Then hack a userspace daemon together, and call it something informative,
like "Xhdrstripd", and when you get a packet, snoop the payload for your
various X- headers. Strip them, ipq_set_verdict() them, and wait for the
next packet.

For more info on libipq, run make install-devel in your iptables dir, then
read man 3 libipq.

Brad

Antony Stone wrote:

> At 13:06 on 30 Jul 01, Brad Chapman wrote about Re: packets scan:
>
>> Don't. The virus scanner just acts as a proxy. It gets queued e-mail
>> message from connection, then scans it and reinjects it.
>
> Hi Brad.
>
> Can you explain what "reinjects it" involves ? I think there is
> obviously something I don't understand about the QUEUE target, because
> what you say sounds so simple, yet I don't understand how the userspace
> program puts stuff back into the network stream.
>
>> The rules to do it are below:
>>
>> iptables -t mangle -A PREROUTING -p tcp --sport 110 -j QUEUE
>> iptables -t mangle -A POSTROUTING -p tcp --dport 110 -j QUEUE
>>
>> To do this, Mr. Florent would need my mangle5hooks patch from the
>> archives, since Mr. Harald is still really busy and hasn't sorted out the
>> priority issue ;-)
>
> I am already using the mangle5hooks patch for other reasons, so that's not
> a problem for me.
>
> I understand the rules shown above okay, but what do I do with (to ?) my
> userspace program in order to get the data fed into it, and what do I do
> in my userspace program to "reinject" the data back to the network stream
> afterwards ? For example, I don't see anything in the QUEUE target above
> saying what user process the packets should be sent to ? How does
> iptables know which program I want to use (for filtering email, in this
> example) ?
>
> Say I wanted to do a really quick and dirty email filter which stripped
> out any mail headers beginning with "X-" (and I didn't bother about
> whether I was processing headers or message body), using something like
> grep -v "^X-". How would that get fitted in with the iptables rules you
> showed above ?
>
> I'm sure the answer to my question is very easy, but I just don't see it
> yet...
>
> Antony.
>
>
>
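The part Brad leaves as an exercise is what the daemon has to do to the buffer before it can "ipq_set_verdict() them": if the payload shrinks, the IP total length, the IP header checksum and the TCP checksum all have to be recomputed, or the kernel and the receiving host will discard the reinjected packet. The following is an added example, not code from Brad, Antony or the netfilter project. It assumes the daemon has already received a queued packet through libipq (the packet bytes and their length) and would then hand the rewritten buffer and its new length back through ipq_set_verdict(); the function names strip_x_headers, checksums_valid and build_sample, the sample addresses and the sample POP3 reply are all constructed for this example, and the block has no libipq dependency so it compiles on its own. It matches header names case-insensitively, unlike the grep -v "^X-" in the quoted question, because mail header field names are not case-sensitive.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RFC 1071 one's-complement sum of 'len' bytes, accumulated into 'sum'. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)((p[0] << 8) | p[1]);
    if (len)
        sum += (uint32_t)(p[0] << 8);
    return sum;
}

/* Fold to 16 bits and complement. Summing a header together with its own
 * (correct) checksum field folds to 0, which is how verification works. */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Sum of the IPv4 TCP pseudo-header: src, dst, zero byte, protocol 6, TCP length. */
static uint32_t tcp_pseudo_sum(const uint8_t *pkt, size_t tcplen)
{
    uint8_t ph[12];
    memcpy(ph, pkt + 12, 8);
    ph[8] = 0; ph[9] = 6;
    put16(ph + 10, (uint16_t)tcplen);
    return csum_add(0, ph, sizeof ph);
}

/* Recompute the IPv4 header checksum and the TCP checksum in place. */
static void fix_checksums(uint8_t *pkt, size_t len, size_t ihl)
{
    put16(pkt + 10, 0);
    put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    put16(pkt + ihl + 16, 0);
    put16(pkt + ihl + 16,
          csum_fold(csum_add(tcp_pseudo_sum(pkt, len - ihl), pkt + ihl, len - ihl)));
}

/* Returns 1 when both the IPv4 header checksum and the TCP checksum verify. */
int checksums_valid(const uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || csum_fold(csum_add(0, pkt, ihl)) != 0) return 0;
    return csum_fold(csum_add(tcp_pseudo_sum(pkt, len - ihl), pkt + ihl, len - ihl)) == 0;
}

/* Drop every payload line beginning with "X-" (any case) from the IPv4/TCP packet
 * in 'pkt', then patch the IP total length and both checksums. Returns the new
 * length, or 0 when the buffer is not a parseable IPv4/TCP packet (accept those
 * unchanged). Lines are delimited by '\n', so CRLF and LF mail both work. */
size_t strip_x_headers(uint8_t *pkt, size_t len)
{
    if (len < 40 || (pkt[0] >> 4) != 4 || pkt[9] != 6) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20) return 0;
    size_t thl = (size_t)(pkt[ihl + 12] >> 4) * 4;
    size_t in = ihl + thl, out = in;          /* payload start; 'out' compacts forward */
    if (thl < 20 || in > len) return 0;
    while (in < len) {
        size_t eol = in;
        while (eol < len && pkt[eol] != '\n')
            eol++;
        size_t linelen = (eol < len ? eol + 1 : eol) - in;   /* '\n' stays with its line */
        if (linelen < 2 || (pkt[in] | 0x20) != 'x' || pkt[in + 1] != '-') {
            memmove(pkt + out, pkt + in, linelen);            /* keep this line */
            out += linelen;
        }
        in += linelen;
    }
    put16(pkt + 2, (uint16_t)out);
    fix_checksums(pkt, out, ihl);
    return out;
}

/* Constructed sample: 20-byte IPv4 header, 20-byte TCP header with source port 110
 * (a POP3 server reply, as matched by the --sport 110 rule), 'payload', valid checksums. */
size_t build_sample(uint8_t *buf, size_t cap, const char *payload)
{
    static const uint8_t addrs[8] = { 192, 168, 0, 1, 192, 168, 0, 2 }; /* constructed */
    size_t plen = strlen(payload), total = 40 + plen;
    if (cap < total) return 0;
    memset(buf, 0, 40);
    buf[0] = 0x45;                         /* IPv4, IHL = 5 words */
    put16(buf + 2, (uint16_t)total);
    buf[8] = 64; buf[9] = 6;               /* TTL, IPPROTO_TCP */
    memcpy(buf + 12, addrs, 8);
    put16(buf + 20, 110); put16(buf + 22, 40000);   /* sport 110, dport 40000 */
    buf[32] = 0x50; buf[33] = 0x18;        /* data offset 5 words, PSH|ACK */
    memcpy(buf + 40, payload, plen);
    fix_checksums(buf, total, 20);
    return total;
}
```

Two things the example deliberately does not solve, and which a practitioner should weigh before deploying anything like Xhdrstripd: removing bytes from one segment means every later segment on that connection now carries sequence numbers the client does not expect, so the daemon would also have to rewrite seq/ack numbers in both directions for the rest of the session (this is why the virus scanner Brad describes behaves as a proxy rather than a per-packet editor); and a header line that straddles two segments is never seen whole, so matching needs stream reassembly rather than per-packet line scanning.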