Date: Fri, 22 Dec 2006 15:40:15 -0800
From: Julian Elischer <julian@elischer.org>
To: Julian Elischer <julian@elischer.org>
Cc: Kevin Sanders <newroswell@gmail.com>, Fabrício Barros Cabral <fxcabral@yahoo.com.br>, freebsd-net@freebsd.org
Subject: Re: Intercepting a packet, changing it and re-injecting into the network
Message-ID: <458C6CDF.4010203@elischer.org>
In-Reply-To: <458C6ACC.2020605@elischer.org>
References: <1166802209.7642.17.camel@hades.no-ip.org> <20061222160550.GD47710@lor.one-eyed-alien.net> <375baf50612220932m30f84567jdda28b7fc0e62e61@mail.gmail.com> <458C6ACC.2020605@elischer.org>
Julian Elischer wrote:
> Kevin Sanders wrote:
>> On 12/22/06, Brooks Davis <brooks@one-eyed-alien.net> wrote:
>>>
>>> On Fri, Dec 22, 2006 at 12:43:29PM -0300, Fabrício Barros Cabral wrote:
>>> > Hello everybody!
>>> >
>>> > I'm developing a network application which needs *to intercept* a packet
>>> > (not just *copy* a packet, like libpcap does), move this packet into my
>>> > application (userland), do some checking in the packet and, according
>>> > to some heuristics, the application may change the payload and
>>> > re-inject the modified packet into the network. Note that sometimes
>>> > I'll change the payload, drop the packet or just let it go.
>>> >
>>> > So, how can I do that in FreeBSD? I can use 6.1, 7.1, any version.
>>>
>>> The feature you're looking for is divert(4) sockets. You use IPFW to
>>> decide which packets to divert to userland and can reinject them as
>>> needed.
>>>
>>> -- Brooks
>>>
>>
>> I'm actually working on something with a similar need. How would this
>> perform compared to a kld module that is using the pfil(9) framework? I'm
>> looking to support very high bandwidth networks, with 400mbps or more over
>> gig ethernet. In my case I'm looking at HTTP requests and not necessarily
>> every packet once I've done what I need to the actual http request/headers.
>> Obviously, if I grow or shrink the HTTP request, I then have to "massage"
>> the seq/ack to keep the two talking, but this is only for a small percentage
>> of the sessions, and I didn't want to be hit with a kernel -> user space ->
>> kernel transition for every packet.
>
> Divert is designed for diverting from the IP layer, to the user layer
> for processing (and returning the packet to be sent out/in). It is fast
> enough for most WAN applications.
>
> I use patches to allow me to divert from a bridge (Ethernet layer)
> but it's still going to userland.

BTW I was able to do several hundred Mb/Sec through userland..
(largish packets though)

>
> I have the same thing.. which is why I divert from ethernet layer.
> There are some tricks that can be done to really speed that up however..
> for example you only need to look at the first syn packet.. all the rest
> don't need to be looked at or diverted.

Just as a reference point, using ipfw I was able to saturate a Gb bridge
(between 2 bge interfaces) while filtering against a table of 128000
addresses (in FreeBSD 4.8) using 30% cpu.. machines have gotten faster
since then but the OS has slowed a bit.