Mailing List Archive: Questions regarding pf

Questions regarding pf_ring software hash filters

Apr 12, 2016, 4:01 AM

Post #1 of 4 (739 views)

Hi,

I'm using pf_ring software hash filters in my user-space process.
1. Is there a possibility that while the process is down (e.g. by "kill -9"
or crash), the filters are still active in the pf_ring driver, so that when
a new instance of the same process is up, traffic is still filtered by the
rules of its own previous instance?
2. What is the easiest way or the right way to have a list of all active sw
hash filters, not within the same process that put them. Preferably by
using some command-line script.

Thanks,
Amir

Re: Questions regarding pf_ring software hash filters [ In reply to ]

cardigliano at ntop

Apr 12, 2016, 6:12 AM

Post #2 of 4 (727 views)

Permalink

> On 12 Apr 2016, at 13:01, Amir Kaduri <akaduri75@gmail.com> wrote:
>
> Hi,
>
> I'm using pf_ring software hash filters in my user-space process.
> 1. Is there a possibility that while the process is down (e.g. by "kill -9" or crash), the filters are still active in the pf_ring driver, so that when a new instance of the same process is up, traffic is still filtered by the rules of its own previous instance?

This is not possible as filtering rules are bound to the socket, not to the interface.

> 2. What is the easiest way or the right way to have a list of all active sw hash filters, not within the same process that put them. Preferably by using some command-line script.

They should be exported by the kernel module through the /proc filesystem, at the moment we provide just the number of rules, not the list.

Alfredo

>
> Thanks,
> Amir
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Questions regarding pf_ring software hash filters [ In reply to ]

ClarkEJ1 at state

Apr 12, 2016, 6:18 AM

Post #3 of 4 (728 views)

Permalink

Wouldn't this be in the /proc/net/pf_ring/rules file? Assumably if they are there, they are active on the socket....

-----Original Message-----
From: ntop-misc-bounces@listgateway.unipi.it [mailto:ntop-misc-bounces@listgateway.unipi.it] On Behalf Of Alfredo Cardigliano
Sent: Tuesday, April 12, 2016 9:12 AM
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] Questions regarding pf_ring software hash filters

> On 12 Apr 2016, at 13:01, Amir Kaduri <akaduri75@gmail.com> wrote:
>
> Hi,
>
> I'm using pf_ring software hash filters in my user-space process.
> 1. Is there a possibility that while the process is down (e.g. by "kill -9" or crash), the filters are still active in the pf_ring driver, so that when a new instance of the same process is up, traffic is still filtered by the rules of its own previous instance?

This is not possible as filtering rules are bound to the socket, not to the interface.

> 2. What is the easiest way or the right way to have a list of all active sw hash filters, not within the same process that put them. Preferably by using some command-line script.

They should be exported by the kernel module through the /proc filesystem, at the moment we provide just the number of rules, not the list.

Alfredo

>
> Thanks,
> Amir
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it
> http://redirect.state.sbu/?url=http://listgateway.unipi.it/mailman/listinfo/ntop-misc

_______________________________________________
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc

Re: Questions regarding pf_ring software hash filters [ In reply to ]

cardigliano at ntop

Apr 12, 2016, 6:24 AM

Post #4 of 4 (727 views)

Permalink

Something like that, but should be a file per socket, something like /proc/net/pf_ring/rules/<socket>

Alfredo

> On 12 Apr 2016, at 15:18, Clark, Erik J <ClarkEJ1@state.gov> wrote:
>
> Wouldn't this be in the /proc/net/pf_ring/rules file? Assumably if they are there, they are active on the socket....
>
> -----Original Message-----
> From: ntop-misc-bounces@listgateway.unipi.it <mailto:ntop-misc-bounces@listgateway.unipi.it> [mailto:ntop-misc-bounces@listgateway.unipi.it <mailto:ntop-misc-bounces@listgateway.unipi.it>] On Behalf Of Alfredo Cardigliano
> Sent: Tuesday, April 12, 2016 9:12 AM
> To: ntop-misc@listgateway.unipi.it <mailto:ntop-misc@listgateway.unipi.it>
> Subject: Re: [Ntop-misc] Questions regarding pf_ring software hash filters
>
>
>> On 12 Apr 2016, at 13:01, Amir Kaduri <akaduri75@gmail.com> wrote:
>>
>> Hi,
>>
>> I'm using pf_ring software hash filters in my user-space process.
>> 1. Is there a possibility that while the process is down (e.g. by "kill -9" or crash), the filters are still active in the pf_ring driver, so that when a new instance of the same process is up, traffic is still filtered by the rules of its own previous instance?
>
> This is not possible as filtering rules are bound to the socket, not to the interface.
>
>> 2. What is the easiest way or the right way to have a list of all active sw hash filters, not within the same process that put them. Preferably by using some command-line script.
>
> They should be exported by the kernel module through the /proc filesystem, at the moment we provide just the number of rules, not the list.
>
> Alfredo
>
>>
>> Thanks,
>> Amir
>> _______________________________________________
>> Ntop-misc mailing list
>> Ntop-misc@listgateway.unipi.it
>> http://redirect.state.sbu/?url=http://listgateway.unipi.it/mailman/listinfo/ntop-misc <http://redirect.state.sbu/?url=http://listgateway.unipi.it/mailman/listinfo/ntop-misc>
>
> _______________________________________________
> Ntop-misc mailing list
> Ntop-misc@listgateway.unipi.it <mailto:Ntop-misc@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop-misc <http://listgateway.unipi.it/mailman/listinfo/ntop-misc>

Mailing List Archive

Attached Files:

Attached Files: