Filtering UDP loopback on Linux in C

views:

284

answers:

+1 Q:

Filtering UDP loopback on Linux in C

Hi, I have an application bound to eth0, sending UDP packets on port A to 255.255.255.255. At the same time, I have a UDP server bound to eth0, 0.0.0.0 and port A.

What I want to do is to make sure that the server won't receive messages generated by the application (handled purely in software by the kernel) but it will receive messages generated by other hosts in the network.

I can't change the payload of UDP packets nor add any headers to it.

I've already implemented a solution using RTNETLINK to fetch all IP addresses of the machine I'm sitting on (and filter basing on address from recvfrom()), but I'm wondering if there might be a simpler and cleaner solution.

EDIT: I thought about something like tagging the skb - the tag would disappear after leaving a physical interface, but wouldn't if it's just routed in the software.

Any ideas?

You can compute a checksum or CRC (better) over the payload and filter against this.

jldupont 2009-12-09 16:54:37

This could cause invalid behavior - its perfectly possible I receive the same content I've just sent, but from the remote host.

Pawel 2009-12-10 12:17:22

@Pawel: it seems you are faced with an "unfriendly" protocol to say the least. I wish you good luck.

jldupont 2009-12-10 13:46:05

You can do this at the firewall level by dropping packets to broadcast address port A with source address of the eth0.

Nikolai N Fetissov 2009-12-09 17:14:00

It's worse than my current workaround, as this needs root privileges and additional configuration. Actually, I'm already doing a firewall in my software.

Pawel 2009-12-10 12:15:35

Hmm, firewalling is not userland business, not in general case. There's a reason the network stack is implemented in the kernel. That reason is performance. In your setup each packet travels down and up the stack and is subject to at least two copies. You can cut the 'up' part together with the copy back to user space with a simple firewall rule. Looks like your application can use better design.

Nikolai N Fetissov 2009-12-10 14:19:04

Design that you propose impose requirement of having root privileges and making sure my firewall rules won't interfere with rest of the system - what if there is a process that also sends broadcasts and *wants* to have the loopback? Sure, I could use advanced netfilter matches, hack the kernel, etc. for the sake of design purity, but I prefer simple and universal solutions.Besides, speaking of design, system-wide firewall is not the place to implement functionality needed by some userspace program, but thats just my humble opinion.

Pawel 2009-12-10 14:52:58

It's always fun to reinvent the wheel :)

Nikolai N Fetissov 2009-12-10 15:04:42

...and its fun to irritate people on the net not addressing their arguments :) thanks anyway for your time

Pawel 2009-12-10 16:01:59

If you can patch your Linux kernel, you could use a setsockopt() option for choosing if you want to loopback the broadcast packets you're sending or not.

This patch reuse the IP_MULTICAST_LOOP option exactly for this purpose.

Also, instead of "messing" with the IP_MULTICAST_LOOP option, you could easily add your own setsockopt() option, maybe called IP_BROADCAST_NO_LOOP. This would guarantee that you're not changing the behavior for any other application.

Laurent Parenteau 2009-12-15 15:30:22

The answer I was waiting for! Thank you very much! However, I've already found this patch week ago - see my comment :P

Pawel 2009-12-16 12:24:14

@Pawel: Ah yes, you're right, my bad!

Laurent Parenteau 2009-12-16 17:21:27

ansaurus

tags:

views:

answers:

Filtering UDP loopback on Linux in C

related questions