snet - Security for NETwork syscalls
The main idea is to capture the events coming from userspace whenever a process makes a network syscall (sys_listen, sys_bind, ...). For that, the LSM framework seems to be the simplest choice, as we only have to attach to the LSM hooks in struct security_operations {}.
snet is divided into two parts, a kernel part and a userspace part.
The kernel code uses LSM and communicates with userspace through libnl. The userspace code is built as a library, so it is easy to use from your own code in order to intercept the events. Here is some example data you get through the library callback function:

    verdict_id=0xd syscall=CONNECT protocol=6 [tcp] family=2 uid=256 id=23886 [tcpconnect] 0.0.0.0:0->127.0.0.1:80
    verdict_id=0x4 syscall=LISTEN protocol=6 [tcp] family=2 uid=123 pid=5059 [tcplisten] 127.0.0.1:10000->0.0.0.0:0

As you can guess, at this point it is easy to log these events into a database or to build a personal firewall.
The great improvement is that all network protocols and all address families are supported transparently.
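The callback data shown above, parsed into fields and turned into a verdict the way a personal firewall built on the library might do it. This is an added example, not snet's own code or API: the struct, the rule set and the SNET_ACCEPT/SNET_DENY names are assumptions (the 0/1 values mirror the snet_verdict_policy convention), and only the line format comes from the output above.

```c
/* Added example, not snet's own code: parse one event line in the textual
 * form shown above and return a verdict for it, as a personal-firewall
 * callback would. The struct, the rule set and the SNET_ACCEPT/SNET_DENY
 * names are assumptions; only the line format comes from the page. */
#include <stdio.h>
#include <string.h>

enum { SNET_ACCEPT = 0, SNET_DENY = 1 };  /* same 0/1 convention as snet_verdict_policy */

struct snet_event {
    unsigned verdict_id, uid, pid, sport, dport;
    int protocol, family;
    char syscall[16], src[32], dst[32];
};

/* Returns 1 when every field was recovered, 0 for a malformed line. Only the
 * IPv4 "a.b.c.d:port->a.b.c.d:port" form shown above is understood. */
int parse_event(const char *line, struct snet_event *ev)
{
    const char *p;
    if (sscanf(line, "verdict_id=%x syscall=%15s protocol=%d %*s family=%d uid=%u",
               &ev->verdict_id, ev->syscall, &ev->protocol, &ev->family, &ev->uid) != 5)
        return 0;
    /* the sample output writes the process id as "pid=" in one line and "id=" in the other */
    if ((p = strstr(line, " pid=")) == NULL && (p = strstr(line, " id=")) == NULL)
        return 0;
    if (sscanf(p, " %*[^=]=%u", &ev->pid) != 1)
        return 0;
    /* the endpoints are the last token of the line */
    if ((p = strrchr(line, ' ')) == NULL)
        return 0;
    return sscanf(p + 1, "%31[^:]:%u->%31[^:]:%u",
                  ev->src, &ev->sport, ev->dst, &ev->dport) == 4;
}

/* Example policy: an unprivileged uid may only LISTEN on loopback. A line the
 * parser cannot understand is denied, so a malformed event never fails open. */
int decide(const char *line)
{
    struct snet_event ev;
    if (!parse_event(line, &ev))
        return SNET_DENY;
    if (strcmp(ev.syscall, "LISTEN") == 0 && ev.uid != 0 &&
        strcmp(ev.src, "127.0.0.1") != 0)
        return SNET_DENY;
    return SNET_ACCEPT;
}
```

In a real deployment the verdict must be returned before snet_verdict_delay expires, otherwise the kernel applies snet_verdict_policy instead.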
This version is quite stable for me, but it needs more users than me.
- kernel patch for 2.6.27 snet.patch
- userspace tarball snetd-0.1.tar.bz2
- kernel
apply the kernel patch (version 2.6.27, but the latest git should apply and work), compile, install, reboot
there are 3 important kernel parameters when booting:
- snet_debug: printk more debug (0 not active, 1 active)
- snet_verdict_delay: the time in seconds before applying a default policy to the event
- snet_verdict_policy: the default behavior when delay is reached. 0 -> accept, 1 -> deny
- userspace
be sure to use libnl-devel-1.1
extract the tarball, run make.
All you need is in the example directory. "main.c" is a simple program showing how to use the library.
All the code (kernel patch and the tarball snetd-0.1.tar.bz2) is released under the GPLv2
Samir Bellabes <sam at synack dot fr>