Date: Fri, 14 Mar 1997 14:17:00 -0800 (PST)
From: Archie Cobbs <archie@whistle.com>
To: jha@freefall.freebsd.org (John H. Aughey)
Cc: freebsd-hackers@freefall.freebsd.org
Subject: Re: Pre/Post processing IP packets
Message-ID: <199703142217.OAA17382@bubba.whistle.com>
In-Reply-To: <199703141745.JAA01129@freefall.freebsd.org> from "John H. Aughey" at "Mar 14, 97 09:45:03 am"

> I want to be able to pre-process and post-process IP packets which
> are received by a network interface or are going out a network
> interface. Basically I want to be able to look at an IP packet
> immediately after it's received by an interface, fiddle around with
> the packet, and then pass the modified packet back to the kernel
> for further processing. In the same way I want to look at a packet
> that is going out an interface, fiddle around with the packet, and
> then pass the modified packet back to the kernel for actual
> transmission.
>
> This is for some experimental work I want to do with IPSec. I
> really want all this processing to be done in user land. It looks
> like the bpf is close, but it appears it's passive rather than
> active. There is some code written for Linux which runs entirely
> in kernel mode which frankly scares me, especially if more of the
> IPSec is implemented.
>
> Does anyone have any suggestions? Originally I was using the tunnel
> device and would setup static routes which would work if it's being
> used as a security gateway, but causes problems if you want to have
> packets IPSec'ed that originate from or are destined to the local
> host. Overall, it seemed possible, but difficult to use a tunnel
> device for this.

man divert :-)

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com