packet drop notifications -?

chcat

 
      12-08-2011, 02:24 PM
Hello,
I am looking for the approach to receive notifications in application
code when linux firewall drops the packet.
Can it be done without changes in kernel code?
Thanks....
Richard Kettlewell

 
      12-08-2011, 02:43 PM
chcat <(E-Mail Removed)> writes:
> I am looking for the approach to receive notifications in application
> code when linux firewall drops the packet.
> Can it be done without changes in kernel code?
> Thanks....


Add a LOG rule before each DROP rule, and then monitor the kernel log
output.

--
http://www.greenend.org.uk/rjk/
Jorgen Grahn

 
      12-08-2011, 02:57 PM
On Thu, 2011-12-08, Richard Kettlewell wrote:
> chcat <(E-Mail Removed)> writes:
>> I am looking for the approach to receive notifications in application
>> code when linux firewall drops the packet.
>> Can it be done without changes in kernel code?
>> Thanks....

>
> Add a LOG rule before each DROP rule, and then monitor the kernel log
> output.


I seem to recall there are other actions which can be used too ...
Depends on what he wants to do.

(I once wanted to play a "plonk" sound every time, but never got
around to implementing it.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
chcat

 
      12-10-2011, 12:51 PM
On Dec 8, 10:43 am, Richard Kettlewell <r...@greenend.org.uk> wrote:
> chcat <vlyamt...@gmail.com> writes:
> > I am looking for the approach to receive notifications in application
> > code when linux firewall drops the packet.
> > Can it be done without changes in kernel code?
> > Thanks....

>
> Add a LOG rule before each DROP rule, and then monitor the kernel log
> output.
>
> --http://www.greenend.org.uk/rjk/


Are there other methods that wouldn't require changes to the existing
rules? I am more interested in programmatic "hooks"...
Thanks.
Jorgen Grahn

 
      12-10-2011, 03:54 PM
On Sat, 2011-12-10, chcat wrote:
> On Dec 8, 10:43 am, Richard Kettlewell <r...@greenend.org.uk> wrote:
>> chcat <vlyamt...@gmail.com> writes:
>> > I am looking for the approach to receive notifications in application
>> > code when linux firewall drops the packet.
>> > Can it be done without changes in kernel code?
>> > Thanks....

>>
>> Add a LOG rule before each DROP rule, and then monitor the kernel log
>> output.


> Are there other methods that wouldn't require changes to the existing
> rules? I am more interested in programmatic "hooks"...


Why would there be one? iptables(8) says

    ACCEPT means to let the packet through. DROP means to drop the
    packet on the floor. QUEUE means to pass the packet to
    userspace.

They have little reason to add this functionality to DROP, when it's
already available and called QUEUE. (Not counting the many extension
targets, one of which may suit you better, depending on what you want
to do.)

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
chcat

 
      12-11-2011, 01:58 PM
On Dec 10, 11:54 am, Jorgen Grahn <grahn+n...@snipabacken.se> wrote:
> On Sat, 2011-12-10, chcat wrote:
> > On Dec 8, 10:43 am, Richard Kettlewell <r...@greenend.org.uk> wrote:
> >> chcat <vlyamt...@gmail.com> writes:
> >> > I am looking for the approach to receive notifications in application
> >> > code when linux firewall drops the packet.
> >> > Can it be done without changes in kernel code?
> >> > Thanks....

>
> >> Add a LOG rule before each DROP rule, and then monitor the kernel log
> >> output.

> > Are there other methods that wouldn't require changes to the existing
> > rules? I am more interested in programmatic "hooks"...

>
> Why would there be one? iptables(8) says
>
>         ACCEPT means to let the packet through.  DROP means to drop the
>         packet on the floor.  QUEUE means to pass the packet to
>         userspace.
>
> They have little reason to add this functionality to DROP, when it's
> already available and called QUEUE. (Not counting the many extension
> targets, one of which may suit you better, depending on what you want
> to do.)
>
> /Jorgen
>
> --
>   // Jorgen Grahn <grahn@  Oo  o.   .     .
> \X/     snipabacken.se>   O  o   .


Sorry if I did not state the problem clearly enough...
An iptables firewall is already running on the system.
The application in question, or its user, cannot change the iptables rules.
That's up to the firewall admin.
The application needs an approximate count of packets dropped by the
firewall per second.
Any suggestions?
Thanks in any case.
Jorgen Grahn

 
      12-11-2011, 02:23 PM
On Sun, 2011-12-11, chcat wrote:
> On Dec 10, 11:54 am, Jorgen Grahn <grahn+n...@snipabacken.se> wrote:
>> On Sat, 2011-12-10, chcat wrote:
>> > On Dec 8, 10:43 am, Richard Kettlewell <r...@greenend.org.uk> wrote:
>> >> chcat <vlyamt...@gmail.com> writes:
>> >> > I am looking for the approach to receive notifications in application
>> >> > code when linux firewall drops the packet.
>> >> > Can it be done without changes in kernel code?
>> >> > Thanks....

>>
>> >> Add a LOG rule before each DROP rule, and then monitor the kernel log
>> >> output.
>> > Are there other methods that wouldn't require changes to the existing
>> > rules? I am more interested in programmatic "hooks"...

>>
>> Why would there be one? iptables(8) says
>>
>>         ACCEPT means to let the packet through.  DROP means to drop the
>>         packet on the floor.  QUEUE means to pass the packet to
>>         userspace.
>>
>> They have little reason to add this functionality to DROP, when it's
>> already available and called QUEUE. (Not counting the many extension
>> targets, one of which may suit you better, depending on what you want
>> to do.)


> Sorry if I did not state the problem clearly enough...
> An iptables firewall is already running on the system.
> The application in question, or its user, cannot change the iptables rules.
> That's up to the firewall admin.


This sounds like a problem. I think it is unlikely that you'll find a
way to do things to the iptables which do not require the cooperation
of the admin.

> The application needs an approximate count of packets dropped by the
> firewall per second.


That is a humble wish (little security or privacy impact) but it seems
unlikely that you can do anything unless you at least have access to
the logs.

Note though that I'm not an expert; perhaps someone else can explain
the issues better.

/Jorgen

--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
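One way to combine Richard's suggestion (a LOG rule in front of each DROP rule) with the per-second count chcat asks for, as an added example that is not code from any poster in this thread: parse the kernel log lines the LOG target emits and bucket them by second. It assumes the admin tagged the LOG rule with `--log-prefix "FW-DROP: "` (an assumed prefix), that the application can read the kernel log (`journalctl -k` or `/var/log/kern.log`), and uses constructed sample lines rather than real log output.

```python
import re
from collections import Counter

# --log-prefix assumed on the admin's LOG rule in front of DROP (assumption,
# not from the thread). Lines tagged with any other prefix are ignored.
DROP_PREFIX = "FW-DROP: "

# Syslog-style kernel line (journalctl -k, /var/log/kern.log) carrying an
# iptables LOG record; SPT/DPT are optional so ICMP records parse too.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"(?:\[\s*\d+\.\d+\] )?(?P<prefix>.*?)IN=(?P<inif>\S*) OUT=\S* "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?")

# Constructed sample, not real output: 3 drops in one second, an unrelated
# kernel message, a LOG hit with another prefix, then 1 more drop.
SAMPLE_KERNEL_LOG = """\
Dec  8 14:24:01 fw1 kernel: [ 5120.771234] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 14:24:01 fw1 kernel: [ 5120.772001] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  8 14:24:01 fw1 kernel: [ 5120.790000] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=4242 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec  8 14:24:01 fw1 kernel: [ 5120.800000] eth0: link is up
Dec  8 14:24:02 fw1 kernel: [ 5121.100000] FW-ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.9 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=4243 PROTO=TCP SPT=40000 DPT=443 WINDOW=512 RES=0x00 ACK URGP=0
Dec  8 14:24:02 fw1 kernel: [ 5121.200000] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=51236 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""

def parse_line(line, prefix=DROP_PREFIX):
    """Fields of one LOG record tagged with `prefix`, else None."""
    m = LOG_RE.match(line)
    if m is None or m.group("prefix") != prefix:
        return None
    return {"ts": m.group("ts"), "in": m.group("inif"), "src": m.group("src"),
            "dst": m.group("dst"), "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None}

def drops_per_second(lines, prefix=DROP_PREFIX):
    """Syslog timestamp (1 s resolution) -> number of logged drops in it."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line, prefix)
        if rec is not None:
            counts[rec["ts"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for ts, n in sorted(drops_per_second(SAMPLE_KERNEL_LOG.splitlines()).items()):
        print(ts, n, "dropped")
```

To run it against a live system, feed `journalctl -k -f` (or a tail of the kernel log file) into `drops_per_second` instead of the sample; as Jorgen notes, that still needs the admin to grant the application read access to the kernel log, and the count only covers DROP rules that have a matching LOG rule in front of them.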
Jamma Tino Schwarze

 
      12-13-2011, 03:30 PM
Hi chcat,

chcat <(E-Mail Removed)> wrote:

> I am looking for the approach to receive notifications in application
> code when linux firewall drops the packet.


You want the notification exactly where? In the sending application? Then
don't use DROP, use REJECT. It causes ICMP replies to be sent.

Jamma.

--
"What we nourish flourishes." - "Was wir nähren erblüht."

www.tisc.de