From owner-freebsd-hackers@FreeBSD.ORG Thu Nov 17 19:12:57 2011
Message-ID: <4EC55669.2060908@freebsd.org>
Date: Thu, 17 Nov 2011 10:46:01 -0800
From: Julian Elischer <julian@freebsd.org>
To: freebsd-hackers@freebsd.org
References: <201111152218.41031.gelraen.ua@gmail.com> <20111116085508.GF36205@hoeg.nl>
In-Reply-To: <20111116085508.GF36205@hoeg.nl>
Subject: Re: Communication between kernel and userspace via local socket

On 11/16/11 12:55 AM, Ed Schouten wrote:
> * Maxim Ignatenko, 20111115 21:18:
>> I'm currently inventing the wheel^W^W^Wwriting a firewall from scratch and
>> looking for the most convenient way to establish communication between userspace
>> processes and the kernel part. The communication pattern best fits a listening
>> PF_LOCAL socket opened from the kernel, with userspace processes connecting to it.
> What's wrong with a character device?

You can't easily have a different character device depending on which jail you are in (well, you can, but it gets tricky). See the problem with /dev/pflog and vimages.

Maxim, look at the usage of sockets with the netgraph ng_socket node, and also divert sockets.