Absolutely, the NKE can reject any traffic at any stage of the conversation. Of course, the trick is, as you suggested, that the userspace application needs to react nicely. In theory they should, since a network connection is transient and can disappear at any time, but I have seen applications wait for timeouts when errors are returned. It depends on what you are trying to do. For our NKE, we generate SSL alerts to interrupt SSL streams "nicely". This ensures that browsers doing async IO terminate the connection promptly, whereas returning an error caused a timeout in some browsers IIRC (and it was a while back).
Unless someone has a better idea, I think you will have to try it and see. Without knowing more about your specific use case, it is hard to say.
Cheers
Nick
On 15/06/2013, at 9:26 AM, Craig Davison wrote:

Is there a way to block/interrupt an existing TCP connection from an NKE (network kernel extension)? I have a socket filter registered that can prevent outbound/inbound connections from being made by returning nonzero from connect_out and accept handlers. But if I allow a connection to proceed, is there a way to block/reject it later?

I considered writing a PF rule, but am not sure if I can make it match on one connection specifically (ports, hosts, PID) and am not sure if it applies to already-established connections. Also I would have to be sure to clean up the rule when the process exits.

I also considered returning nonzero on all subsequent data_in/data_out socket operations, but I'm not sure how a userspace program would react to having all of its read/write calls on that socket suddenly start failing.

Thank you
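As an added example, not code from either message on the list: a user-space model of the per-connection bookkeeping a socket-filter NKE needs in order to let a connection through at connect time and reject it later, plus the cleanup on process exit that the question raises. The real callbacks (sf_connect_out, sf_connect_in, sf_data_in, sf_data_out from <sys/kpi_socketfilter.h>) are stood in for by plain functions with the same decision shape, returning 0 to pass and a non-zero errno to drop; the struct conn_key, the fixed-size table and the function names are assumptions of this model, not kernel API. The TLS alert builder at the end shows the record layout behind the "SSL alert" approach Nick describes (RFC 5246 section 7.2), with the caveat that a plaintext alert is only meaningful before the handshake completes.

```c
/* Added example: user-space model of socket-filter verdicts and state.
 * Not an NKE; the kernel callbacks are replaced by plain functions. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 64

/* Hypothetical 5-tuple plus owning PID. A real filter would derive these
 * from the socket_t and sockaddr handed to its callbacks. */
struct conn_key { int pid; uint32_t raddr; uint16_t lport, rport; };
struct conn_entry { struct conn_key key; int in_use; int blocked; };

static struct conn_entry table[MAX_CONNS];

static int key_eq(const struct conn_key *a, const struct conn_key *b) {
    return a->pid == b->pid && a->raddr == b->raddr &&
           a->lport == b->lport && a->rport == b->rport;
}

static struct conn_entry *find_conn(const struct conn_key *k) {
    for (int i = 0; i < MAX_CONNS; i++)
        if (table[i].in_use && key_eq(&table[i].key, k)) return &table[i];
    return NULL;
}

/* Stand-in for sf_connect_out / sf_connect_in: verdict at setup time.
 * Non-zero here makes the userspace connect()/accept() fail immediately. */
int filter_connect(const struct conn_key *k, int deny_now) {
    if (deny_now) return EPERM;
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!table[i].in_use) {
            table[i].key = *k; table[i].in_use = 1; table[i].blocked = 0;
            return 0;
        }
    }
    return ENOMEM;  /* table full: fail closed rather than track nothing */
}

/* Later policy change on an already-established connection. */
int block_connection(const struct conn_key *k) {
    struct conn_entry *e = find_conn(k);
    if (!e) return ENOENT;
    e->blocked = 1;
    return 0;
}

/* Stand-in for sf_data_in / sf_data_out: once blocked, every read/write on
 * the socket fails with EPIPE, which is what the application then sees. */
int filter_data(const struct conn_key *k) {
    struct conn_entry *e = find_conn(k);
    return (e && e->blocked) ? EPIPE : 0;
}

/* Stand-in for sf_detach / process exit: drop state so a stale rule cannot
 * match a later connection that reuses the same ports. */
void on_process_exit(int pid) {
    for (int i = 0; i < MAX_CONNS; i++)
        if (table[i].in_use && table[i].key.pid == pid) table[i].in_use = 0;
}

int count_tracked(int pid) {
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++)
        if (table[i].in_use && table[i].key.pid == pid) n++;
    return n;
}

/* TLS alert record: content type 21, version 3.3, length 2, level,
 * description. Only usable in the clear before the handshake finishes;
 * afterwards records are encrypted and the peer would see bad_record_mac
 * rather than the intended alert. */
size_t build_tls_alert(uint8_t level, uint8_t description, uint8_t out[7]) {
    const uint8_t rec[7] = { 0x15, 0x03, 0x03, 0x00, 0x02, level, description };
    memcpy(out, rec, sizeof rec);
    return sizeof rec;
}

int main(void) {
    /* Constructed sample: PID 1234 talking to 10.0.0.1:443 from port 51000. */
    struct conn_key k = { 1234, 0x0a000001u, 51000, 443 };
    printf("connect verdict: %d\n", filter_connect(&k, 0));
    printf("data verdict before block: %d\n", filter_data(&k));
    block_connection(&k);
    printf("data verdict after block: %d (EPIPE=%d)\n", filter_data(&k), EPIPE);
    on_process_exit(1234);
    printf("tracked after exit: %d\n", count_tracked(1234));
    return 0;
}
```

The model makes the trade-off concrete: the connect-time hooks give a clean failure the application already expects, while the data hooks give an error mid-stream that the application may or may not treat as a disconnect, and any per-connection state must be torn down with the socket or process so that a reused port is not wrongly matched.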