Re: NKE stacking order
- Subject: Re: NKE stacking order
- From: "Peter Sichel" <email@hidden>
- Date: Thu, 1 Dec 2005 10:45:18 -0500
On 11/30/05, Josh Graessley wrote:
> Apple's built-in internet sharing uses divert sockets. Divert sockets
> are part of the ipfw mechanism. ipfw runs as part of ip_input and
> ip_output. This happens between the interface/protocol filters and
> the ip filters.
> On Tiger, SharedIP is implemented as an IP filter. This solves some
> problems while creating others.
Can you help elaborate on this?
SharedIP was previously an Interface Filter which from your comment on
divert sockets meant the built-in internet sharing and firewall did not
apply to Classic applications. By changing SharedIP to an IP filter
which sits above ipfw, the built-in firewall can process Classic network
packets.
Presumably this change might break some existing Classic configurations.
The stack order in Tiger is:
TCP/UDP
IP filter
IPSec (if enabled)
IP filter (if IPSec enabled)
fragment assembly
ip forwarding
ipfw (including divert)
protocol plumbers
protocol and interface filters
bpf tap (IOKit)
IOKit driver
In the NKE Programming Guide there's a "Common Caveat" for Interface
Filters which reads:
Your filter's output callback receives the entire packet in the
mbuf chain. To get the protocol layer information, your filter
must know how to parse the link-layer header. For this reason,
if you are writing a filter that needs to work with IP packets,
you should consider writing an IP filter unless it is absolutely
necessary to access link-layer information.
The other issue besides link-layer information is whether you need to
sit below IP forwarding as needed for internet sharing or NAT.
Did I miss anything?
- Peter
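The NKE Programming Guide caveat quoted above (an interface filter sees the whole frame and must parse the link-layer header itself, whereas an IP filter is handed the IP header directly) is easy to underestimate until you write the parsing code. The following is an added, user-space C illustration and is not code from this thread, from Apple, or from SharedIP. It mirrors the two callback shapes: `ip_offset_from_frame()` does the work an interface filter's output callback must do for Ethernet (including walking 802.1Q VLAN tags and refusing truncated frames), while `ip_protocol_at()` shows how little an IP filter needs when the KPI already supplies the IP header offset, as the ipfilter KPI's `ipf_input`/`ipf_output` callbacks do. The frames are constructed inline; the Ethernet constants are the standard ethertypes, and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Standard ethertypes (IEEE). */
enum { ETHERTYPE_IPV4 = 0x0800, ETHERTYPE_VLAN = 0x8100 };

/* Constructed sample frames (not captured traffic). */
/* Ethernet II + minimal IPv4 header, protocol 6 (TCP). */
static const uint8_t FRAME_PLAIN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
};
/* Same, but with an 802.1Q tag (VLAN 100) and protocol 17 (UDP). */
static const uint8_t FRAME_VLAN[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb,
    0x81,0x00,0x00,0x64, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0x00,0x01,0x00,0x00, 0x40,0x11,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02
};
/* An ARP frame: not IP at all, so an IP-only filter must ignore it. */
static const uint8_t FRAME_ARP[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x06,
    0x00,0x01,0x08,0x00,0x06,0x04,0x00,0x01
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Interface-filter view: given the whole frame, locate the IPv4 header.
 * Returns the byte offset of the IP header, or -1 if the frame is not IPv4
 * or is too short to contain what the link-layer header claims. */
int ip_offset_from_frame(const uint8_t *frame, size_t len)
{
    size_t off = 14;                       /* dst(6) + src(6) + ethertype(2) */
    if (len < off) return -1;
    uint16_t type = be16(frame + 12);
    while (type == ETHERTYPE_VLAN) {       /* skip 802.1Q tag(s): TCI + inner type */
        if (len < off + 4) return -1;
        type = be16(frame + off + 2);
        off += 4;
    }
    if (type != ETHERTYPE_IPV4) return -1;
    if (len < off + 20) return -1;         /* minimum IPv4 header */
    if ((frame[off] >> 4) != 4) return -1; /* version nibble */
    return (int)off;
}

/* IP-filter view: the caller already hands us the IP header offset, so the
 * only remaining check is that the header is actually present. */
int ip_protocol_at(const uint8_t *pkt, size_t len, size_t off)
{
    if (len < off + 20) return -1;
    return pkt[off + 9];                   /* IPv4 "protocol" field */
}

/* Convenience: the interface-filter path end to end. Returns the IPv4
 * protocol number, or -1 for non-IP or malformed frames. */
int frame_ip_protocol(const uint8_t *frame, size_t len)
{
    int off = ip_offset_from_frame(frame, len);
    if (off < 0) return -1;
    return ip_protocol_at(frame, len, (size_t)off);
}

int main(void)
{
    printf("plain: proto %d\n", frame_ip_protocol(FRAME_PLAIN, sizeof FRAME_PLAIN));
    printf("vlan:  proto %d\n", frame_ip_protocol(FRAME_VLAN, sizeof FRAME_VLAN));
    printf("arp:   proto %d\n", frame_ip_protocol(FRAME_ARP, sizeof FRAME_ARP));
    return 0;
}
```

Every branch in `ip_offset_from_frame()` is link-layer knowledge an IP filter never has to carry, and the truncation checks matter: a filter that trusts the ethertype and reads 20 bytes past it will read past the end of a short mbuf chain.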
_______________________________________________
Macnetworkprog mailing list (email@hidden)