I apologize for providing little information in my question, and before I ask the next question I thought I would read through the docs. Now LSM makes a little sense to me :-). I will try my best to ask the same question in another way.

Consider a Linux router. I want to implement certain packet classification and filtering algorithms for the packets coming in on an interface and leaving from another interface. These packet algorithms can be as simple as classifying the incoming traffic into mail-traffic or web-traffic etc. and filtering them based on certain policies, or any other complex algorithm. I can use Netfilter hooks to receive packets and implement any such algorithms (which may be straightforward).

From the docs I understand that "LSM allows modules to mediate access to kernel objects by placing hooks in the kernel code just ahead of the access", and as a part of the IPv4 networking hooks, the Netfilter API is used for intercepting packets as they traverse the IP layer. At each Netfilter hook, an LSM hook is called before and after packets are passed to the Netfilter framework.

So what kind of access control does LSM envision? (What can preroute_first or preroute_last etc. do?) Can this access control be based on the header field values of the IPv4 packets? If it is possible to perform access control based on header field values of the IPv4 packets, then is there any need for Netfilter?

I don't know if these questions make any sense. Thanks in advance for any replies.

--brk

-------------------------------------
On Tuesday 13 August 2002 7:57 pm, lists brk wrote:

> Hi! I am a newbie to LSM. I have a Linux router and
> was wondering if it is possible to use LSM to insert
> new algorithms for packet filtering?

What do you mean by 'new algorithms' ?

Have you tried playing with netfilter (and the many and varied user-supplied extensions to that) and found something you need which it can't do ?

What do you want to do ?

Antony.
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Aug 13 2002 - 16:15:37 PDT