Date: Wed, 17 Sep 2003 17:52:49 +0200
From: Clement Laforet <sheepkiller@cultdeadsheep.org>
To: Nick Rogness <nick@rogness.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Divert code
Message-ID: <20030917175249.4df78d7d.sheepkiller@cultdeadsheep.org>
In-Reply-To: <20030916235808.X92689-100000@skywalker.rogness.net>
References: <20030916235808.X92689-100000@skywalker.rogness.net>
On Wed, 17 Sep 2003 00:06:43 -0600 (MDT)
Nick Rogness <nick@rogness.net> wrote:

> Without knowing much about the kernel ipfw divert code, what would it
> take to make it skip the ipfw divert rule if the app that's listening
> on that port dies? Besides 'a miracle' or an 'act of god' =) Some
> general ideas or thoughts would be nice.

you need to write a daemon which removes divert rules, or, simply use
supervise.

> The reason I ask is I've added a FreeBSD divert hook into the
> snort_inline code which reads from a divert socket. If snort_inline
> dies, the gateway dies (which is understandable) :-(

in fact, all diverted packets are sent to a divert socket, and the
userland app reads (modifies) and reinjects packets into the IP stack. if
your daemon dies, packets will never be reinjected.

If I were you, I would use netgraph (see ng_tee code) or bpf to
implement this kind of daemon.

regards,
clem
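The first suggestion in the reply above, a process that pulls the divert rule when the diverting daemon goes away, is small enough to show in full. The wrapper below is an added example for this archive page, not code from the thread, from snort_inline or from the ipfw project. It installs a `divert` rule around the daemon's lifetime and deletes the rule when the daemon exits or the wrapper is signalled, so that while nobody is reading the divert socket, matching packets follow the normal path instead of disappearing into a socket nobody reinjects from. The rule number, divert port and daemon command line are assumptions passed on the command line; `IPFW` names the `ipfw` binary so the script can be exercised with a stand-in on a host without ipfw.

```shell
#!/bin/sh
# Added example (not from the thread): keep an ipfw divert rule installed
# only while the diverting daemon is alive. If the daemon dies, the rule is
# removed so traffic is no longer diverted to a socket nobody drains.
#
# Assumptions (not from the original mail): rule number, divert port and the
# daemon command line are arguments; IPFW overrides the ipfw binary path.

IPFW="${IPFW:-ipfw}"

# Install the divert rule: ipfw add <num> divert <port> ip from any to any
install_divert_rule() {
    "$IPFW" add "$1" divert "$2" ip from any to any
}

# Delete the rule by number; used on every exit path of the wrapper.
remove_divert_rule() {
    "$IPFW" delete "$1"
}

# Run the daemon in the foreground with the rule in place, tear the rule
# down when the daemon exits, and return the daemon's own exit status so a
# supervisor (e.g. daemontools' supervise) still sees the failure.
run_guarded() {
    rule="$1"; port="$2"; shift 2
    install_divert_rule "$rule" "$port" || return 1
    # If the wrapper itself is interrupted, still pull the rule first.
    trap 'remove_divert_rule "$rule"; exit 130' INT TERM
    "$@"
    status=$?
    trap - INT TERM
    remove_divert_rule "$rule"
    return "$status"
}

# Stand-alone usage:
#   ./divert-guard.sh <rule-number> <divert-port> <daemon> [args...]
if [ "$#" -ge 3 ]; then
    run_guarded "$@"
fi
```

This covers the crash case only; it does not restart the daemon. Pairing it with `supervise` (the second suggestion in the reply) gives both: the rule is gone while the daemon is down and comes back when the supervisor restarts it.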
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030917175249.4df78d7d.sheepkiller>