IP filter: dropped packets sent to filter again
- Subject: IP filter: dropped packets sent to filter again
- From: Bogdan Harjoc <email@hidden>
- Date: Fri, 16 Jul 2010 14:58:58 +0300
Hi,
I'm using the ipf_filter KPI to delay some TCP packets by returning
EJUSTRETURN, or some other non-zero value, from the ipf_input
callback. The callback apparently receives the same mbuf again (20 times
in less than a second) unless I reinject the packet within the next
100 ms or so.
I am clearly misunderstanding the way packets should be dropped, so
I'd appreciate a hint. Minimal 1-page source code that shows what I'm
doing is attached.
Thanks,
Bogdan Harjoc
#include <mach/mach_types.h>
#include <libkern/libkern.h>
#include <sys/systm.h>
#include <sys/kpi_mbuf.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/kpi_ipfilter.h>
/* Filter handle filled in by ipf_addv4() in ipftest_start() and handed to
 * ipf_remove() in ipftest_stop(). NULL until the filter has been attached. */
static ipfilter_t ip_filter_ipv4_ref = NULL;
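/*
 * ipf_input callback: logs the TCP flags of each inbound TCP packet and
 * returns a non-zero verdict for segments that carry FIN.
 *
 * cookie   - unused; the filter registers no cookie.
 * data     - inbound packet; the mbuf data starts at the IP header.
 * offset   - byte offset from the start of the packet to the TCP header.
 * protocol - IP protocol number of the payload.
 *
 * Returns 0 for everything except FIN segments, which get EINVAL.
 * As documented for ipf_input_func in <netinet/kpi_ipfilter.h> (confirm
 * against the SDK in use): 0 lets the stack continue, EJUSTRETURN stops
 * processing and leaves the mbuf with the filter, and any other value
 * makes the caller free the packet.
 *
 * NOTE(review): a dropped segment is never acknowledged, so the sender is
 * expected to retransmit it. Repeated callbacks for a dropped FIN are
 * presumably retransmissions, possibly arriving in a recycled mbuf at the
 * same address -- confirm with a packet capture.
 */
static
errno_t pr_ip_input(void* cookie, mbuf_t *data, int offset, u_int8_t protocol)
{
    struct tcphdr tcp_hdr;
    u_int8_t flags;

    (void)cookie;

    if (! (data && *data)) {
        return 0;
    }

    if (protocol != IPPROTO_TCP) {
        return 0;
    }

    /*
     * The header is attacker-controlled network input and is not guaranteed
     * to be complete or contiguous in the first mbuf. Copy it out with a
     * bounds-checked KPI call instead of casting into the mbuf data; a
     * truncated packet is passed through for the stack to reject.
     */
    if (offset < 0) {
        return 0;
    }
    if (mbuf_copydata(*data, (size_t)offset, sizeof(tcp_hdr), &tcp_hdr) != 0) {
        return 0;
    }

    flags = tcp_hdr.th_flags;

    /* Debug only: %p writes a kernel address to the log; drop it from
     * anything that ships. */
    printf("in: %p syn=%d ack=%d fin=%d rst=%d\n", *data,
           !!(flags & TH_SYN), !!(flags & TH_ACK),
           !!(flags & TH_FIN), !!(flags & TH_RST));

    if (flags & TH_FIN) {
        return EINVAL;
    }

    return 0;
}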
/*
 * ipf_output callback: this test filter does not look at outbound
 * packets and returns 0 for every one of them.
 */
static
errno_t pr_ip_output(void* cookie, mbuf_t *data, ipf_pktopts_t options)
{
    /* None of the arguments are used. */
    (void)cookie;
    (void)data;
    (void)options;

    return 0;
}
/*
 * ipf_detach callback: intentionally empty, the filter keeps no state to
 * release.
 *
 * NOTE(review): ipftest_stop() returns right after ipf_remove() and does
 * not wait for this callback. If the KPI can defer the detach, the kext
 * could be unloaded while the filter is still referenced -- confirm, and
 * gate unload on a flag set here if so.
 */
static
void pr_ip_detach(void* cookie)
{
    (void)cookie;
}
/*
 * Filter description passed to ipf_addv4() in ipftest_start().
 * No cookie is set, so the callbacks receive the zero-initialised default.
 */
static struct ipf_filter ip_filter_ipv4 = {
.name = "ipftest",
.ipf_input = pr_ip_input,   /* inbound packets: logs TCP flags, rejects FIN */
.ipf_output = pr_ip_output, /* outbound packets: always returns 0 */
.ipf_detach = pr_ip_detach, /* detach notification: no-op */
};
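/*
 * Kext start routine: attaches the IPv4 filter described by ip_filter_ipv4
 * and stores the resulting handle in ip_filter_ipv4_ref.
 *
 * ki, d - unused.
 *
 * Returns KERN_SUCCESS when the filter is attached, KERN_FAILURE otherwise.
 * ipf_addv4() reports an errno_t, so the error is logged and mapped to a
 * kern_return_t instead of being returned as a raw errno value.
 */
kern_return_t ipftest_start(kmod_info_t * ki, void * d)
{
    errno_t err;

    (void)ki;
    (void)d;

    printf("=== start\n");

    err = ipf_addv4(&ip_filter_ipv4, &ip_filter_ipv4_ref);
    if (err != 0) {
        printf("=== start: ipf_addv4 failed (%d)\n", err);
        return KERN_FAILURE;
    }

    return KERN_SUCCESS;
}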
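/*
 * Kext stop routine: removes the IPv4 filter attached by ipftest_start().
 *
 * ki, d - unused.
 *
 * Returns KERN_SUCCESS when ipf_remove() succeeds, KERN_FAILURE otherwise.
 * A failure result keeps the kext loaded while the filter may still be
 * attached; the errno_t is logged and mapped to a kern_return_t instead of
 * being returned as a raw errno value.
 *
 * NOTE(review): this returns as soon as ipf_remove() does and does not
 * wait for the ipf_detach callback. If the KPI can defer the detach, the
 * callbacks could still be invoked after unload -- confirm before reusing
 * this pattern.
 */
kern_return_t ipftest_stop(kmod_info_t * ki, void * d)
{
    errno_t err;

    (void)ki;
    (void)d;

    printf("=== stop\n");

    err = ipf_remove(ip_filter_ipv4_ref);
    if (err != 0) {
        printf("=== stop: ipf_remove failed (%d)\n", err);
        return KERN_FAILURE;
    }

    /* The handle is no longer valid once the filter has been removed. */
    ip_filter_ipv4_ref = NULL;

    return KERN_SUCCESS;
}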
/*
 * Kext module glue (presumably the build-generated info stub pasted into
 * the same listing): declares the generic _start/_stop entry points and
 * binds them to this kext's start and stop routines.
 */
extern kern_return_t _start(kmod_info_t *ki, void *data);
extern kern_return_t _stop(kmod_info_t *ki, void *data);
__private_extern__ kern_return_t ipftest_start(kmod_info_t *ki, void *data);
__private_extern__ kern_return_t ipftest_stop(kmod_info_t *ki, void *data);
/* Module record: bundle identifier, version, and the generic entry points. */
KMOD_EXPLICIT_DECL(dsd.kext.ipftest, "1.0.0d1", _start, _stop)
/* Routines that _start and _stop dispatch to. */
__private_extern__ kmod_start_func_t *_realmain = ipftest_start;
__private_extern__ kmod_stop_func_t *_antimain = ipftest_stop;
/* Records the compiler version the kext was built with. */
__private_extern__ int _kext_apple_cc = __APPLE_CC__;