Date: Fri, 22 Dec 2006 09:32:05 -0800
From: "Kevin Sanders" <newroswell@gmail.com>
To: "Brooks Davis" <brooks@one-eyed-alien.net>
Cc: freebsd-net@freebsd.org, Fabrício Barros Cabral <fxcabral@yahoo.com.br>
Subject: Re: Intercepting a packet, changing it and re-injecting into the network
Message-ID: <375baf50612220932m30f84567jdda28b7fc0e62e61@mail.gmail.com>
In-Reply-To: <20061222160550.GD47710@lor.one-eyed-alien.net>
References: <1166802209.7642.17.camel@hades.no-ip.org> <20061222160550.GD47710@lor.one-eyed-alien.net>
On 12/22/06, Brooks Davis <brooks@one-eyed-alien.net> wrote:
>
> On Fri, Dec 22, 2006 at 12:43:29PM -0300, Fabrício Barros Cabral wrote:
> > Hello everybody!
> >
> > I'm developing a network application which needs *to intercept* a packet
> > (not just *copy* a packet, like libpcap does), move this packet into my
> > application (userland), do some checking in the packet and, according
> > with some heuristics, the application may change the payload and
> > re-inject the modified packet into the network. Note that sometimes
> > I'll change the payload, drop the packet or just let it go.
> >
> > So, how can I do that in FreeBSD? I can use 6.1, 7.1, any version.
>
> The feature you're looking for is divert(4) sockets. You use IPFW to
> decide which packets to divert to userland and can reinject them as
> needed.
>
> -- Brooks
>

I'm actually working on something with a similar need. How would this
perform compared to a kld module that is using the pfil(9) framework? I'm
looking to support very high bandwidth networks, with 400 Mbps or more over
gigabit Ethernet. In my case I'm looking at HTTP requests and not necessarily
every packet once I've done what I need to the actual HTTP request/headers.
Obviously, if I grow or shrink the HTTP request, I then have to "massage"
the seq/ack to keep the two talking, but this is only for a small percentage
of the sessions, and I didn't want to be hit with a kernel -> user space ->
kernel transition for every packet. It's also important for me to be able to
see the Ethernet header, because I'm running in a transparent bridge, and
sometimes need to send a redirect back to the client making the request, and
it needs to appear to come from the server the client is talking to.

Yes, this is a content filter. I actually have all this working, and I'm
currently working on the user space "service" which talks to the kernel
module and makes decisions to allow, block, or modify the request.

Performance is pretty good, but my 10 years of Win32 development experience
didn't prepare me for UNIX kernel module development!

Kevin
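The divert(4) route Brooks recommends, together with the seq/ack "massage" Kevin describes, as an added worked example. This is not code from the thread, from FreeBSD, or from either poster's project. The divert port 8668, the ipfw rule, the 10.0.0.2 / 192.168.1.80 addresses and the "/private" rewrite policy are assumptions for illustration. The socket part is guarded by `#ifdef __FreeBSD__` because IPPROTO_DIVERT exists only there; the packet-editing functions are portable C and are exercised against a constructed IPv4/TCP segment, so the rewrite, the checksum repair and the seq/ack adjustment can be checked offline.

```c
/* Added example, not code from the thread or from FreeBSD: divert(4) interception
 * of TCP/80 with userland payload rewriting and the seq/ack fix-up that follows.
 * The divert port 8668, the addresses and the "/private" policy are assumptions. */
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netinet/in.h>

struct ipv4_hdr { uint8_t vhl, tos; uint16_t len, id, off; uint8_t ttl, proto;
                  uint16_t sum; uint32_t src, dst; };
struct tcp_hdr  { uint16_t sport, dport; uint32_t seq, ack; uint8_t off, flags;
                  uint16_t win, sum, urp; };
/* Net growth (+) or shrink (-) applied so far to one client's request stream.
 * The example tracks a single flow; a real filter keys this by 4-tuple. */
struct flow { uint32_t csrc, cdst; uint16_t csport, cdport; int32_t delta; };

#define IHL(p)  ((size_t)(((const struct ipv4_hdr *)(p))->vhl & 0x0f) * 4)
#define TCPH(p) ((struct tcp_hdr *)((char *)(p) + IHL(p)))
#define DENY    "GET /denied.html HTTP/1.0\r\n\r\n"   /* assumed replacement request */

static uint32_t csum_add(uint32_t s, const void *d, size_t n)
{
    const uint8_t *p = d;
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)(p[0] << 8 | p[1]);
    return n ? s + ((uint32_t)p[0] << 8) : s;
}
static uint16_t csum_fold(uint32_t s)
{
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* TCP checksum over the pseudo-header (src, dst, zero, proto, length) and segment. */
static uint16_t tcp_csum(const uint8_t *pkt, size_t len)
{
    size_t tl = len - IHL(pkt);
    uint32_t s = csum_add(0, pkt + 12, 8) + IPPROTO_TCP + (uint32_t)tl;
    return csum_fold(csum_add(s, pkt + IHL(pkt), tl));
}
/* Recompute both checksums; every edit below ends with this. */
static void fix_checksums(uint8_t *pkt, size_t len)
{
    struct ipv4_hdr *ip = (struct ipv4_hdr *)pkt;
    ip->sum = 0;
    ip->sum = htons(csum_fold(csum_add(0, pkt, IHL(pkt))));
    TCPH(pkt)->sum = 0;
    TCPH(pkt)->sum = htons(tcp_csum(pkt, len));
}
/* 1 if IP and TCP checksums verify; check before trusting a diverted packet. */
int checksums_ok(const uint8_t *pkt, size_t len)
{
    return csum_fold(csum_add(0, pkt, IHL(pkt))) == 0 && tcp_csum(pkt, len) == 0;
}
/* Replace the payload in place and fix ip_len plus both checksums. Returns the
 * byte delta the flow must remember, or INT32_MIN (packet untouched) if the
 * new payload does not fit in the buffer. */
int32_t rewrite_payload(uint8_t *pkt, size_t *len, size_t cap, const char *np, size_t nlen)
{
    size_t hl = IHL(pkt) + (size_t)(TCPH(pkt)->off >> 4) * 4, old = *len - hl;
    if (hl + nlen > cap) return INT32_MIN;
    memcpy(pkt + hl, np, nlen);
    *len = hl + nlen;
    ((struct ipv4_hdr *)pkt)->len = htons((uint16_t)*len);
    fix_checksums(pkt, *len);
    return (int32_t)nlen - (int32_t)old;
}
/* The seq/ack massage: after a request grew by delta, later client segments
 * reach the server with seq+delta and the server's acks come back with
 * ack-delta, so each end keeps seeing its own numbering. */
void apply_delta(uint8_t *pkt, size_t len, const struct flow *f)
{
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    struct tcp_hdr *t = TCPH(pkt);
    if (f->delta == 0) return;
    if (ip->src == f->csrc && ip->dst == f->cdst && t->sport == f->csport && t->dport == f->cdport)
        t->seq = htonl(ntohl(t->seq) + (uint32_t)f->delta);          /* client -> server */
    else if (ip->src == f->cdst && ip->dst == f->csrc && t->sport == f->cdport && t->dport == f->csport)
        t->ack = htonl(ntohl(t->ack) - (uint32_t)f->delta);          /* server -> client */
    else return;
    fix_checksums(pkt, len);
}
/* Policy for one diverted packet: 0 = drop, 1 = re-inject (possibly edited).
 * Assumed rule: a request for /private is rewritten to DENY. */
int filter_packet(uint8_t *pkt, size_t *len, size_t cap, struct flow *f)
{
    const struct ipv4_hdr *ip = (const struct ipv4_hdr *)pkt;
    struct tcp_hdr *t = TCPH(pkt);
    size_t hl = IHL(pkt) + (size_t)(t->off >> 4) * 4;
    if (*len < 40 || hl > *len || !checksums_ok(pkt, *len)) return 0;   /* fail closed */
    apply_delta(pkt, *len, f);                         /* honour earlier edits first */
    if (t->dport == htons(80) && *len - hl >= 12 && memcmp(pkt + hl, "GET /private", 12) == 0) {
        int32_t d = rewrite_payload(pkt, len, cap, DENY, sizeof DENY - 1);
        if (d == INT32_MIN) return 0;
        *f = (struct flow){ ip->src, ip->dst, t->sport, t->dport,
                            (ip->src == f->csrc && t->sport == f->csport ? f->delta : 0) + d };
    }
    return 1;
}
/* Constructed IPv4/TCP segment for offline use (not a capture): client
 * 10.0.0.2:40000, server 192.168.1.80:80, PSH|ACK, no options. */
size_t build_sample(uint8_t *buf, size_t cap, int c2s, uint32_t seq, uint32_t ack, const char *pl)
{
    struct ipv4_hdr *ip = (struct ipv4_hdr *)buf;
    struct tcp_hdr *t = (struct tcp_hdr *)(buf + 20);
    size_t len = 40 + strlen(pl);
    if (len > cap) return 0;
    memset(buf, 0, 40);
    ip->vhl = 0x45; ip->ttl = 64; ip->proto = IPPROTO_TCP; ip->len = htons((uint16_t)len);
    ip->src = htonl(c2s ? 0x0a000002 : 0xc0a80150); ip->dst = htonl(c2s ? 0xc0a80150 : 0x0a000002);
    t->sport = htons(c2s ? 40000 : 80); t->dport = htons(c2s ? 80 : 40000);
    t->seq = htonl(seq); t->ack = htonl(ack); t->off = 0x50; t->flags = 0x18; t->win = htons(65535);
    memcpy(buf + 40, pl, len - 40);
    fix_checksums(buf, len);
    return len;
}
#ifdef __FreeBSD__
/* FreeBSD only. Bind the divert port named in the ipfw rule, for example
 *   ipfw add 100 divert 8668 tcp from any to any 80 via em0
 * recvfrom() yields one diverted packet (sin_port holds the rule number);
 * sendto() with that same sockaddr puts it back into ipfw after the diverting
 * rule, and simply not sending it drops it. */
int divert_loop(uint16_t port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    struct flow f = { 0 };
    static uint8_t buf[65536];
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    for (;;) {
        socklen_t sl = sizeof sin;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl);
        size_t len = (size_t)n;
        if (n < 0) return -1;
        if (filter_packet(buf, &len, sizeof buf, &f))
            sendto(fd, buf, len, 0, (struct sockaddr *)&sin, sl);
    }
}
int main(void) { return divert_loop(8668) < 0; }
#endif
```

Points a practitioner should check before using this pattern: the kernel needs divert support (`options IPDIVERT`, or the ipdivert module on releases that ship it). Every diverted packet costs the kernel -> user -> kernel round trip Kevin wants to avoid, so keep the ipfw match as narrow as possible (port, direction, `via` interface) rather than diverting everything. Older releases, including those current when this thread was written, delivered ip_len and ip_off in host byte order on divert sockets; the example assumes the network byte order of current releases, so confirm with divert(4) for the release in use before trusting the length field. The single flow record above does not cope with retransmissions of the rewritten segment, with SACK blocks, or with more than one connection; a real filter keeps per-4-tuple state and a sequence-number boundary for where the delta starts to apply.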