Re: Basic Question: Internet Content Filter
- Subject: Re: Basic Question: Internet Content Filter
- From: Joshua Graessley <email@hidden>
- Date: Tue, 13 Jan 2004 17:44:01 -0800
On Jan 13, 2004, at 1:25 PM, Peter Sichel wrote:
>>> Hi,
>>>
>>> I want to create software that can intercept HTTP packets before they
>>> reach the browser and have the ability to change the data in the
>>> packets. It seems to me that this software would have to operate at a
>>> fairly low level, but I don't necessarily need to have any TCP/IP
>>> information. I am hoping that some of you might be able to point me in
>>> the right direction for how to get started. It appears that Network
>>> Kernel Extensions might be able to do the job, but I can't find any
>>> good documentation.
>
> A socket filter NKE should work well for this.
> I'm not sure where the documentation went.
> There used to be a file named "nke.pdf" included under
> /developer/documentation. It might have been pulled
> because it was old and needs updating. It should still
> be available on 10.1 or 10.2 installer CDs.

I have no idea what happened to the document, but as Peter Sichel
noted, it's way out of date.

>>> I've read some posts which seem to indicate that
>>> NKEs are not officially supported anymore.
>
> That would be surprising since Apple and several 3rd party products
> make heavy use of them. NKEs are a central feature of the Mac OS X
> network implementation.

The NKE APIs are not officially supported. If you write an NKE, there
is a very good chance that your kext may break in a future release
(we don't guarantee binary compatibility). I think you might also have
trouble getting support from DTS. As we mentioned at WWDC last year,
we're working on some "KPIs (Kernel Programming Interfaces)" that will
enable us to guarantee binary compatibility in the future and give you
a better API to work with.

>>> Could I do what I want with
>>> the IOKit or is there something else that I'm missing? I have worked a
>>> lot with Cocoa, but have limited knowledge about these networking
>>> technologies. Thank You for your assistance.
>>
>> You can probably get somewhere by adding a rule to the firewall
>> telling it to divert incoming traffic to a port of your choice, and
>> then listening on that port, forwarding on or filtering or blocking
>> packets as your app sees fit.
>
> This would be a two address space solution making it slower than the
> NKE approach (but also easier).

In addition, the divert sockets are less likely to break. You are
likely to run into conflicts with rules that are set by the personal
firewall and Internet Sharing features of Mac OS X. If the personal
firewall detects that rules have been changed, it will assume a third
party firewall product is installed. I think this causes it to disable
itself, but I don't remember the details.

If you can avoid working in the kernel, I would strongly advise you to
do so. It makes this easier to debug and gives you a better chance of
compatibility with future releases.

-josh
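
The user-space divert approach discussed in this thread, as an added C sketch that is not part of the original message or Apple's code: an ipfw `divert` rule hands whole IPv4 packets to a raw divert socket, and the program reinjects the ones it accepts. The port number, the ipfw rule, the function names and the sample packet are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Constructed sample: IPv4 + TCP from port 80 + payload "HTTP/1.0 200". */
const uint8_t sample_pkt[] = {
    0x45,0,0,52, 0,0,0x40,0, 64,6,0,0, 192,0,2,1, 192,0,2,2,
    0,80,0xc0,0, 0,0,0,1, 0,0,0,1, 0x50,0x18,0xff,0xff, 0,0,0,0,
    'H','T','T','P','/','1','.','0',' ','2','0','0' };

/* TCP payload offset in a raw IPv4 packet from source port 80; -1 otherwise. */
int http_payload_offset(const uint8_t *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return -1;
    size_t ihl = (p[0] & 0x0f) * 4u, total = ((size_t)p[2] << 8) | p[3];
    if (ihl < 20 || total > len || total < ihl + 20) return -1;
    if (p[9] != IPPROTO_TCP || (p[6] & 0x1f) || p[7]) return -1; /* non-TCP or later fragment */
    const uint8_t *tcp = p + ihl;
    size_t doff = (tcp[12] >> 4) * 4u;
    if (tcp[0] != 0 || tcp[1] != 80 || doff < 20 || ihl + doff > total) return -1;
    return (int)(ihl + doff);
}

/* 1 if the payload of such a segment contains the string `needle`, else 0. */
int payload_contains(const uint8_t *p, size_t len, const char *needle)
{
    int off = http_payload_offset(p, len);
    if (off < 0) return 0;
    size_t n = strlen(needle), end = ((size_t)p[2] << 8) | p[3];
    for (size_t i = (size_t)off; i + n <= end; i++)
        if (memcmp(p + i, needle, n) == 0) return 1;
    return 0;
}

#ifdef IPPROTO_DIVERT /* assumed rule: ipfw add divert 4000 tcp from any 80 to any in */
int run_filter(uint16_t port, const char *blocked)
{
    static uint8_t buf[65535];
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    socklen_t sl = sizeof sin;
    ssize_t n;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sl) < 0) return -1;
    while ((n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl)) >= 0)
        if (!payload_contains(buf, (size_t)n, blocked)) /* unsent = dropped */
            sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl);
    close(fd);
    return -1;
}
#endif
```

A match that spans two TCP segments is not seen by this per-packet check, and rewriting a payload rather than dropping the packet would also require recomputing the TCP checksum.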