Re: interception of socket connections?
- Subject: Re: interception of socket connections?
- From: Douglas Davidson <email@hidden>
- Date: Wed, 27 Aug 2003 12:00:13 -0700

On Wednesday, August 27, 2003, at 11:30 AM, Quinn wrote:

Another option is to use a firewall divert socket. This avoids the
need for messing around with NKEs (which is good for a number of
reasons, see below), at the cost of having to mess around with the
firewall (which, as I mentioned earlier today, has no useful API on
Mac OS X). "man ipfw" gives you more information about the facilities
of the firewall.

NKEs are problematic for a number of reasons:

1. They live in the kernel and, as a general rule, you should avoid
running code in the kernel if you can.

2. They're part of the BSD subsystem, which currently has no binary
compatibility guarantee. Apple is planning on adding a binary
compatibility promise to the BSD parts of the kernel in the future (we
discussed this Kernel Programming Interfaces (KPI) effort at WWDC this
year), but for now NKE developers often have to rev when the system
revs.

There may be other possibilities in userland, e.g. something like what
tcp_wrappers does, but it really depends on the goals and constraints
of the project.

Douglas Davidson
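
A sketch of the divert-socket approach mentioned in this message, added here as an illustration and not code from either poster or from Apple. It assumes a BSD-derived system that defines IPPROTO_DIVERT; the port 5000, the ipfw rule in the comment, and the names `struct flow`, `parse_tcp` and `divert_loop` are constructed for the example. The header parser is portable; the socket loop is compiled only where divert sockets exist.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* One diverted packet, summarised. A divert socket hands userland the
   whole IPv4 packet, starting at the IP header. */
struct flow { uint8_t src[4], dst[4]; uint16_t sport, dport; int syn; };

/* Parse IPv4 + TCP. Returns 0, or -1 if truncated or not IPv4/TCP. */
int parse_tcp(const uint8_t *p, size_t n, struct flow *f) {
    if (n < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;      /* IP header length */
    if (ihl < 20 || p[9] != 6 || n < ihl + 20) return -1;
    memcpy(f->src, p + 12, 4);
    memcpy(f->dst, p + 16, 4);
    f->sport = (uint16_t)(p[ihl] << 8 | p[ihl + 1]);
    f->dport = (uint16_t)(p[ihl + 2] << 8 | p[ihl + 3]);
    f->syn = (p[ihl + 13] & 0x12) == 0x02;       /* SYN without ACK */
    return 0;
}

#ifdef IPPROTO_DIVERT   /* BSD-derived systems only */
/* Needs root and a rule such as (port 5000 is a constructed value):
   ipfw add divert 5000 tcp from any to any */
int divert_loop(uint16_t port) {
    struct sockaddr_in sin, from;
    uint8_t buf[65535];
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    for (;;) {
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        struct flow f;
        if (n < 0) return -1;
        if (parse_tcp(buf, (size_t)n, &f) == 0 && f.syn)
            printf("connection attempt to port %u\n", (unsigned)f.dport);
        /* Re-inject unchanged; skipping sendto() drops the packet. */
        sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
}

int main(void) { return divert_loop(5000) < 0; }
#endif
```

The address returned by recvfrom() is passed back to sendto() so the firewall can resume processing the packet where the divert rule matched.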