Thread-topic: Logging NKE filter events, not working.

Well, being new to all this, can you tell me how you specify a global or programmatic filter? If you are referring to where I set up the structs, sockutil and sockif, they are global. But from your statement, one thing might be that in some test cases I am not running my userland app. I wanted the NKE to just load and start filtering without the userland app being there. So does that mean I would have to set up the socket from within the NKE?

Carl

-----Original Message-----
From: darwin-kernel-bounces+csmith=fortresstech.com@lists.apple.com On Behalf Of Josh Graessley
Sent: Monday, March 07, 2005 4:30 PM
To: darwinKernel Dev
Subject: Re: Logging NKE filter events, not working.

Are you specifying a global filter or a programmatic filter? If you specify a global filter it will be attached to new sockets that match the protows you attached your filter to. For programmatic filters, your filter will only ever be attached if someone uses the SO_NKE socket option and specifies the handle for your socket filter.

-josh

On Mar 7, 2005, at 1:16 PM, Carl Smith wrote:
I have been writing my NKE and so far have my userland and NKE talking back and forth. That works fine.
Now I am trying to do some filtering using a combination of some of the techniques from SharedIP and TCPlogger.
Basically I just put a bunch of printf statements in all my dispatch vector calls, struct sockif, and struct sockutil.
I open my terminal window with tail -f /var/log/system.log. Now on other calls, like start/stop, from my NKE I can see all the printf statements that I have inserted into those start/stop functions, but no matter what I do I cannot see any printf statements coming from my sockif/sockutil intercept calls. I am doing some pinging, web searching, etc., so I would think I would see something. Of course there must be something wrong with the way I have the filtering set up.
Following is the basic flow I use to get the filtering started.
In the struct sockif I override the soreceive, solisten, sosend, soconnect and so on. In the sockutil struct I just override the sbappend.
To kick things off I do the pp = pffindproto(PF_NDRV, 0, SOCK_RAW), but I have tried many variations, i.e. (PF_INET, IPPROTO_RAW, SOCK_RAW), (PF_NDRV, 0, SOCK_RAW) and so on.
Then I do my register_sockfilter(&myNFDescriptor, 0, pp, &ctlref), trying both NFF_BEFORE and NFF_AFTER.
Then if all succeeds, I call my ctl_register(KernCtlReg, 0, g_ctlref);
Now everything shows up as loading and unloading fine, using kextload and kextunload, but as I said I just do not see any of my intercepts being hit.
Any suggestions?
Thanks All.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (Darwin-kernel@lists.apple.com)
Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/jgraessley%40apple.com
This email sent to jgraessley@apple.com