From owner-freebsd-net@FreeBSD.ORG Tue Jun 15 09:01:48 2004
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A980116A4CE for ; Tue, 15 Jun 2004 09:01:48 +0000 (GMT)
Received: from phuket.psconsult.nl (ps226.psconsult.nl [213.222.19.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id A180543D49 for ; Tue, 15 Jun 2004 09:01:46 +0000 (GMT) (envelope-from fb-net@psconsult.nl)
Received: from phuket.psconsult.nl (localhost [127.0.0.1]) by phuket.psconsult.nl (8.12.8p2/8.12.8) with ESMTP id i5F91ZYe043867 for ; Tue, 15 Jun 2004 11:01:35 +0200 (CEST) (envelope-from fb-net@psconsult.nl)
Received: (from paul@localhost) by phuket.psconsult.nl (8.12.8p2/8.12.8/Submit) id i5F91Zfp043866 for freebsd-net@freebsd.org; Tue, 15 Jun 2004 11:01:35 +0200 (CEST)
Date: Tue, 15 Jun 2004 11:01:34 +0200
From: Paul Schenkeveld
To: freebsd-net@freebsd.org
Message-ID: <20040615090134.GA43670@psconsult.nl>
Mail-Followup-To: freebsd-net@freebsd.org
References: <40CDE026.3040502@Thehousleys.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <40CDE026.3040502@Thehousleys.net>
User-Agent: Mutt/1.5.6i
Subject: Re: Using netgraph for filtering/modifing packets
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 15 Jun 2004 09:01:48 -0000

On Mon, Jun 14, 2004 at 01:28:06PM -0400, James Housley wrote:
> Julian Elischer wrote:
> >
> >On Mon, 14 Jun 2004, James Housley wrote:
> >
> >
> >>For testing of a product I would like to be able to modify or even drop
> >>packets based on their content. What I have in mind is forcing the
> >>packets through a firewall that would redirect all packets to a netgraph
> >>node that would either pass unchanged, drop or change the contents to
> >>assist in testing some corner cases in the code.
> >>
> >>1) is this something doable with netgraph, I believe it is.
> >
> >
> >yes
> >
> >
> >
> >>2) what might be a good place to start? Have done some searching, but
> >>haven't found any example code I thought I could start from.
> >
> >
> >What sort of filter do you need?
> >
> >you can pass packets to netgraph from ipfw by diverting them and
> >opening a divert socket with the ksocket node..
> >
> >Or you can pick them directly from the network interface
> >and filter yourself using the 'bpf' node type to select
> >on something.
> >or you can use the etf type of node to filter on a particular
> >ethertype..
> >
> >there are a lot of options but I don't know your application enough :-)
> >
>
> I have a product that is connected to a PC via ethernet. The product
> runs FBSD, but I would likely put another FBSD box in the middle. I want
> to be able to modify packets for good and evil based on the data portion of
> the packet.
>
> For example to occasionally drop a packet that is acking some command. Or
> send an ack for a command that was never sent. Or just change data to be
> invalid.
>
> Then after messing with the data portion put it back in the queue to be
> sent, if it wasn't just dropped.

If you are talking about a TCP based protocol and you want to change the
conversation between the client and the server, you probably don't want
to drop or alter packets at the network level or you'd have to
recalculate sequence numbers and checksums.

To modify the client-server conversation (e.g. to see if evil clients
can hack your server) it might be much easier to write a small
application level proxy to alter or drop packets.

With TCP based protocols this is (I think) the easiest solution, with
UDP it is probably a bit easier than the netgraph approach.

>
> Jim

Regards,

Paul Schenkeveld, Consultant
PSconsult ICT Services BV
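The application-level proxy Paul suggests, as an added example that is not part of the original thread or any poster's code. It assumes a newline-delimited text protocol (a constructed assumption; the real product protocol is not described) and runs a throwaway echo server, the proxy and a client on loopback so it can be exercised offline. Because the proxy sits between two independent TCP connections, dropping, altering or injecting whole messages never disturbs sequence numbers or checksums, which is exactly the point of doing the fault injection above the transport layer. The message names, the `fault_policy` rules and the port-0 loopback setup are all constructed for the demo.

```python
import socket
import threading


# Constructed demo policy: given one inbound application message, return a
# label plus the list of messages to forward. Empty list = drop; a list with
# extra entries = inject. Covers the three cases from the thread: drop an ack,
# send an ack for a command never sent, change data to be invalid.
def fault_policy(msg, state):
    state["n"] += 1
    if state["n"] % 3 == 0:                  # drop every third message
        return "drop", []
    if msg.startswith(b"ACK"):               # corrupt acknowledgements
        return "alter", [msg.replace(b"ACK", b"NAK", 1)]
    if msg == b"HELLO":                      # inject an ack nobody sent
        return "inject", [msg, b"ACK 999"]
    return "pass", [msg]


def passthrough(msg):
    return "pass", [msg]


def pump(src, dst, policy, log):
    """Copy newline-delimited messages src -> dst, applying policy to each."""
    buf = b""
    while True:
        data = src.recv(4096)
        if not data:
            break
        buf += data
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            label, outgoing = policy(line)
            log.append((label, line))
            for out in outgoing:
                dst.sendall(out + b"\n")
    if buf:                                  # unterminated tail: forward as-is
        dst.sendall(buf)
    try:
        dst.shutdown(socket.SHUT_WR)         # propagate EOF to the other side
    except OSError:
        pass


def proxy_once(listener, upstream_addr, policy, log):
    """Accept one client, open one upstream connection, relay both ways.
    The policy is applied only to the client -> server direction here."""
    client, _ = listener.accept()
    upstream = socket.create_connection(upstream_addr)
    threads = [
        threading.Thread(target=pump, args=(client, upstream, policy, log)),
        threading.Thread(target=pump, args=(upstream, client, passthrough, [])),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def echo_server_once(listener):
    """Stand-in for the product under test: echoes whatever it receives."""
    conn, _ = listener.accept()
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def run_demo(messages):
    """Send messages through the proxy to the echo server; return what the
    client got back (one entry per line) and the proxy's decision log."""
    log, state = [], {"n": 0}
    policy = lambda m: fault_policy(m, state)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    prx = socket.socket()
    prx.bind(("127.0.0.1", 0))
    prx.listen(1)
    ts = threading.Thread(target=echo_server_once, args=(srv,))
    tp = threading.Thread(target=proxy_once,
                          args=(prx, srv.getsockname(), policy, log))
    ts.start()
    tp.start()
    with socket.create_connection(prx.getsockname()) as c:
        for m in messages:
            c.sendall(m + b"\n")
        c.shutdown(socket.SHUT_WR)           # client done talking; read replies
        received = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            received += chunk
    ts.join()
    tp.join()
    srv.close()
    prx.close()
    return received.split(b"\n")[:-1], log


if __name__ == "__main__":
    got, decisions = run_demo([b"HELLO", b"CMD 1", b"ACK 1",
                               b"CMD 2", b"ACK 2", b"QUIT"])
    for label, line in decisions:
        print(f"{label:6s} {line!r}")
    print("server saw:", got)
```

For a real test rig, the proxy would listen on the address the product's peer expects and the policy would parse the product's own message framing; the same structure applies to a UDP variant, where each datagram is already a whole message and no reassembly buffer is needed.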