On 2/20/06, Mayank <linuxblr_in@xxxxxxxxx> wrote:
> Well, I want to make a blocking call, for example, if
> the netfilter finds a TCP SYN packet, I want to
> execute a user defined program and this program will in
> turn do some processing (which may include some
> communication with some other system on the LAN).
>
> Basically, I am looking for some sort of a target
> match code, "-j exec /usr/bin/myprog", and as soon as
> myprog gets the control I want to do some processing
> and then tell the netfilter what to do with
> the packet, which could be allow, drop, reject etc.

You could use libipq, and a QUEUE, or NF_QUEUE target. You start up your userspace program, and it will receive each packet via libipq (each packet that reaches the QUEUE rule). You can then do whatever processing you want, and then set the verdict (allow/deny, ...). While you are processing, other packets keep arriving and get queued, so you will want to make that processing fast enough that you don't get the queue filled up.

You can take a look at fireflier (fireflier.sourceforge.net) to see how to do userspace packet filtering. But keep in mind that the proper place to do this kind of filtering is inside the kernel. Fireflier itself is going to need a kernel module (in the future) to do its job, since not everything is possible (or efficient) from userspace.

I'd suggest writing a kernel module, and registering with netfilter hooks.

Cheers,
Edwin
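As an added illustration of the verdict step described above (this is not code from the thread or from fireflier): the userspace side inspects each queued raw IPv4 packet, flags TCP SYNs, and returns NF_ACCEPT or NF_DROP to netfilter. The allowed-port policy, the function names and the USE_LIBIPQ build switch are assumptions for the example; the libipq loop at the end only compiles on a system that still ships libipq and the ip_queue module.

```c
#include <stddef.h>
#include <stdint.h>
#ifndef NF_ACCEPT                   /* verdict values as in <linux/netfilter.h> */
#define NF_DROP   0
#define NF_ACCEPT 1
#endif
#define TH_SYN 0x02
#define TH_ACK 0x10
/* Ports on which new inbound connections are allowed (assumed policy, not from the thread). */
static const uint16_t allowed_ports[] = { 22, 80 };

/* 1 if pkt (raw IPv4 packet as copied with IPQ_COPY_PACKET) is a TCP SYN without ACK,
 * i.e. a new connection attempt; 0 for anything else, including truncated input. */
int is_tcp_syn(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;       /* too short or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;            /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 20) return 0;            /* bad IHL or TCP header truncated */
    if (pkt[9] != 6) return 0;                           /* protocol field: 6 == TCP */
    unsigned char flags = pkt[ihl + 13];
    return (flags & TH_SYN) && !(flags & TH_ACK);
}

/* The per-packet decision the userspace program hands back to netfilter. */
int decide_verdict(const unsigned char *pkt, size_t len)
{
    if (!is_tcp_syn(pkt, len)) return NF_ACCEPT;         /* only SYNs are policed here */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    uint16_t dport = (uint16_t)((pkt[ihl + 2] << 8) | pkt[ihl + 3]);   /* TCP dest port */
    for (size_t i = 0; i < sizeof allowed_ports / sizeof allowed_ports[0]; i++)
        if (allowed_ports[i] == dport) return NF_ACCEPT;
    return NF_DROP;
}

#ifdef USE_LIBIPQ   /* build with -DUSE_LIBIPQ -lipq; needs the ip_queue module and a -j QUEUE rule */
#include <libipq.h>
int queue_loop(void)
{
    unsigned char buf[4096];
    struct ipq_handle *h = ipq_create_handle(0, PF_INET);
    if (!h || ipq_set_mode(h, IPQ_COPY_PACKET, sizeof buf) < 0) return -1;
    for (;;) {                                           /* a queued packet waits until we answer */
        if (ipq_read(h, buf, sizeof buf, 0) < 0) break;
        if (ipq_message_type(buf) != IPQM_PACKET) continue;
        ipq_packet_msg_t *m = ipq_get_packet(buf);
        ipq_set_verdict(h, m->packet_id, decide_verdict(m->payload, m->data_len), 0, NULL);
    }
    ipq_destroy_handle(h); return 0;
}
#endif
```

Every packet sitting in the queue is held until its verdict arrives, which is the latency point made in the reply; keep decide_verdict cheap and avoid blocking network calls inside it.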