Fwd: Re: Re: question about IPS with PF_RING


Livio Ricciulli

Mar 14, 2012, 12:46:43 AM3/14/12
to meta...@googlegroups.com


-------- Original Message --------
Subject: Re: Re: question about IPS with PF_RING
Date: Wed, 14 Mar 2012 12:27:08 +0800 (CST)
From: s f <fang...@yahoo.com.cn>
Reply-To: s f <fang...@yahoo.com.cn>
To: livio Ricciulli <li...@metaflows.com>


Hello, Livio. I tested it successfully, thank you for your help.


________________________________
From: livio Ricciulli <li...@metaflows.com>
To: s f <fang...@yahoo.com.cn>
Sent: Wednesday, March 14, 2012, 1:15 AM
Subject: Re: Re: question about IPS with PF_RING


Sorry, I have not looked at the code in a while but wouldn't is_valid_skb_direction return 0 if pf_ring is loaded with enable_tx_capture=0?


On 03/13/2012 05:51 AM, s f wrote:
>Hello, Livio, I have looked at the PF_RING code. During the PF_RING initialization, it registers prot_hook. Its function pointer points to the packet_rcv function:
>When the packet enters the Linux network protocol stack and queue, netif_receive_skb will traverse the registered hooks.
>int netif_receive_skb(struct sk_buff *skb)
>{
>        // excerpt: local declarations and the rest of the function are omitted
>        list_for_each_entry_rcu(ptype, &ptype_all, list) {
>                if (ptype->dev == null_or_orig ||
>                    ptype->dev == skb->dev ||
>                    ptype->dev == orig_dev) {
>                        // deliver to the previously matched hook, then remember this one
>                        if (pt_prev)
>                                ret = deliver_skb(skb, pt_prev, orig_dev);
>                        pt_prev = ptype;
>                }
>        }
>}
>
>static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
>                      struct packet_type *pt, struct net_device *orig_dev)
>{
>  int rc;
>  // ignore local loopback packets
>  if(skb->pkt_type != PACKET_LOOPBACK) {
>    // hand off further; the last argument uses -1 directly. From the context,
>    // writing it as RING_ANY_CHANNEL (which is also -1) would seem more readable:
>    // it means that when the packet enters the queue from packet_rcv, the channel ID
>    // is "unspecified" and skb_ring_handler handles it
>    rc = skb_ring_handler(skb,
>                          (skb->pkt_type == PACKET_OUTGOING) ? 0 : 1,
>                          1, -1 /* unknown channel */);
>  } else
>    rc = 0;
>  kfree_skb(skb);                                // so the skb reference has to be dropped correspondingly here
>  return(rc);
>}
>The function packet_rcv first traverses the filter rules and hash rules, then decides whether to add the packet to the ring or not; in the function packet_rcv it calls the skb_copy_bits function (copying the data to the ring). Today I tested PF_RING Snort Inline. I used an ICMP FLOOD; snort can detect the packets, but I can still connect to the host.

>
>
>From: Livio Ricciulli <li...@metaflows.com>
>To: s f <fang...@yahoo.com.cn>
>Sent: Monday, March 12, 2012, 3:34 PM
>Subject: Re: question about IPS with PF_RING
>
>
>It does not copy the packet, if snort says no, the packet is not forwarded.
>
>On 3/10/2012 6:36 PM, s f wrote:
>>    Hello, I have seen the paper PF_RING_Snort_Inline_Instructions, but I have a question about it. I do not understand how the IPS blocks the packet, because PF_RING only copies the packet; there are two identical packets, and the other packet still goes through the Linux net stack. As we know, an IPS often works with iptables; we configure our firewall with a rule, for example, iptables -I FORWARD -j QUEUE.
>>  In the end, can you tell me how the IPS blocks the packet. Thanks.
>
>
>
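As an added illustration of the point made in the thread (the inline path does not copy the packet; if the inspector says no, the packet is not forwarded) against the copy-only behaviour the question assumed, here is a small C model. It is not PF_RING or Snort code: `enable_tx_capture`, `direction_is_captured` and the ICMP-drop policy are assumed stand-ins for the real module parameter, is_valid_skb_direction and Snort's rule match.

```c
/* Added model, not PF_RING code: contrasts a copy-only tap with an inline
 * verdict path to show why only the latter can actually block a packet. */
#include <stdbool.h>
#include <stddef.h>

/* mirrors the (skb->pkt_type == PACKET_OUTGOING) ? 0 : 1 argument in packet_rcv */
enum dir { DIR_TX = 0, DIR_RX = 1 };
enum verdict { DROP = 0, PASS = 1 };

struct pkt { enum dir direction; unsigned char proto; size_t len; };

/* assumed stand-in for pf_ring's enable_tx_capture module parameter */
static int enable_tx_capture = 0;

/* assumed stand-in for is_valid_skb_direction: with tx capture off,
 * outgoing packets are not handed to the ring at all */
static bool direction_is_captured(enum dir d) {
    return d == DIR_RX || enable_tx_capture;
}

/* assumed inspection policy standing in for Snort's rule match; it drops
 * ICMP (IP protocol 1) to model the ICMP flood test described in the thread */
static enum verdict inspect(const struct pkt *p) {
    return p->proto == 1 ? DROP : PASS;
}

/* tap mode: the ring only gets a copy, the stack keeps the original, so the
 * inspector can detect but never stop delivery; returns whether delivered */
static bool deliver_tap_mode(const struct pkt *p, enum verdict *v) {
    *v = direction_is_captured(p->direction) ? inspect(p) : PASS;
    return true;
}

/* inline mode: the original packet waits for the verdict and is forwarded
 * only on PASS; packets the ring does not capture are passed untouched */
static bool deliver_inline_mode(const struct pkt *p, enum verdict *v) {
    if (!direction_is_captured(p->direction)) {
        *v = PASS;
        return true;
    }
    *v = inspect(p);
    return *v == PASS;
}
```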