Re: Selectively refusing TCP connections

Andi Kleen (ak@suse.de)
Wed, 23 May 2001 20:23:32 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Andries.Brouwer@cwi.nl: "Re: [PATCH] struct char_device"
Previous message: G. Hugh Song: "Swap strangeness using 2.4.5pre2aa1"

On Wed, May 23, 2001 at 06:59:02PM +0100, Ben Mansell wrote:
> Hi all,
>
> Is there any mechanism in Linux for refusing incoming TCP connections?
> I'd like to be able to fetch the next incoming connection on a listen
> queue, and selectively accept or reject it based on the IP address of the
> client. I know this could be done via firewall rules, but for this case,
> I'd like an application to have the final say on whether the connection
> will be accepted.

You can push a BPF (LPF) filter expression onto a LISTEN socket that checks
every incoming packet using SO_ATTACH_FILTER.

The only way to do it fully in an application is probably to set up netfilter
NAT to forward the connection to some local process; or alternative push
the packets using a netfilter queue target to a user process and forward/
disable firewall rules dynamically.

-Andi

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andries.Brouwer@cwi.nl: "Re: [PATCH] struct char_device"
Previous message: G. Hugh Song: "Swap strangeness using 2.4.5pre2aa1"