Well Sumit and Developers
Let me explain my questions well:

In the tutorials of iptables, the packet goes through the different steps in the following fashion (see the comments):

Step  Table    Chain        Comment
1                           On the wire (internet)
2                           Comes in on the interface (eth1)
3     mangle   PREROUTING   Here I can't use the QUEUE for analysis
4     nat      PREROUTING
5
6     filter   FORWARD      Here go to the QUEUE for analysis if ACCEPT or DROP
7     nat      POSTROUTING
8                           Goes out on the outgoing interface (eth2).
9                           Out on the wire again (LAN or another computer).

The program I have catches the packets that come from eth1 and go to the QUEUE, compares the IP of the packet with a file of IP addresses, and DROPs or ACCEPTs the packet, so that it goes to eth2.

My questions are:

1.- Can I use libiptc or another lib or *.h to enable the ip_queue without the common script

    [root]#modprobe iptable_filter
    [root]#modprobe ip_queue

I found this on the internet but I can't get it working because of problems in compilation.

2.- Can I use libiptc or another lib or *.h to manipulate the packet, compare it with a file of IPs, and enable it to go to the QUEUE without the scripts below, for example:

    iptables -I FORWARD -j QUEUE

or

    iptables -t mangle -I PREROUTING -j QUEUE

3.- Why, when using the table "mangle" to send the packet to the QUEUE in PREROUTING, is the catch of the packet faster than using the QUEUE in the table "filter" in FORWARD?

4.- In the HOW-TO hacking-netfilter I read about some functionality using KERNEL functions to add rules. I read this, but how can I do it?

The objective of this is to use only one program to enable ip_queue and add or remove rules in the tables mangle or filter without scripts. So please help me: answer these questions or explain to me another good idea for building all this in only one program.
Thank you for the help at this beginning in netfilter with iptables 1.2.5

Paul Villacreses

----- Original Message -----
From: "Sumit Pandya" <[EMAIL PROTECTED]>
To: "PAUL FABRICIO VILLACRESES LEON" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, March 26, 2002 9:29 PM
Subject: RE: Request for a Beginning in libiptc and libipq

> -----Original Message-----
> From: PAUL FABRICIO VILLACRESES LEON
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 26, 2002 10:58 PM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Request for a Beginning in libiptc and libipq
>
> >> I have a program using libipq given by Sumit and it works well (Thank you) but a
> So Cheers... ;-)
> >> want to catch the packets before they go to the QUEUE for analysis and enable
> >> the ip_queue in a C program. I know that using the shared library of
> >> iptables.c and libiptc.h but again I didn't find an example C program using
> >> this libiptc and enabling the ip_queue.
> I'm confused about what you want to say and achieve by this. QUEUE is
> basically to take action on a packet in user-space. Are you bothered by
> unnecessary traversal of your packets to user-space (QUEUE)? If so, then
> there are so many "match extensions"; you can use them to
> selectively traverse your packets into user-space. Finally, the GOD of all these
> "match-extensions" is "string".
> Hope This helps,
> -- Sumit
>