Re: Intercepting IPv6 ND packets
- Subject: Re: Intercepting IPv6 ND packets
- From: Jonathan Wood <email@hidden>
- Date: Wed, 9 Nov 2005 22:32:02 -0800
[ I should have posted this to the list instead of just to Josh, so
I'm posting my last set of queries and his answers now for public
edification ]
On Nov 9, 2005, at 4:50 PM, Josh Graessley wrote:
You should send queries like this to the list as others may
benefit from the answers. In addition, information that is not
supposed to be public knowledge should not be disclosed to me in
case Apple chooses to work on anything similar.
To answer your questions:
1) The bpf filter functions aren't available through the KPI.
[ Background - I am interested in using BPF so that this KEXT can be
generally useful, not just specific to my own project. ]
Any suggestions? I am tempted to write a BPF KEXT that would export
the needed functionality, rather than try to reinvent it...
2) The header thing makes the interface filters very difficult to
handle in a non interface-specific manner. There isn't a good way
to do this. If I had a chance to do the KPIs over again, I would
have eliminated the goofy handling of headers. Unfortunately, this
handling of headers goes all the way down to the drivers.
3) mutexes are appropriate for protecting data structures in such a
scenario.
Thanks,
-josh
On Nov 9, 2005, at 4:22 PM, Jonathan Wood wrote:
Finally finding some time to work on this...
So far it seems like it should be pretty straightforward. Here's a
high-level proposal:
The NKE attaches an IP filter when a user application requests it
via a socket option on its control socket. The user app socket
option contains a description of the packets it is interested in.
When the NKE IP filter input or output function is called with a
packet, it compares the packet against the user app description.
If it does not match, the NKE filter function returns 0, and the
packet proceeds through the IP filter chain.
If the packet does match the user app's description, it is sent up
the control socket belonging to the user app, and the NKE filter
function returns EJUSTRETURN. The packet sent up the control
socket has some prepended meta data containing info like interface
info and packet direction.
Once the user app is done processing the received packet, it sends
it down the control socket, prepended with meta data indicating
packet direction.
When the NKE receives a packet on the control socket, it tags the
mbuf and reinjects it via ipf_inject_output or ipf_inject_input.
When the user app closes its socket or removes the filter via a
socket option, the NKE detaches the IP filter.
Questions:
1. Regarding the packet description: BPF seems ideal. The BSD
kernel has the necessary functions: bpf_validate() and
bpf_filter(). However, I can't find these in the KPI. Are these
functions available to a NKE?
2. It doesn't seem like it would be too hard to include interface
filters as well. Reading the NKE programming guide, one problem
seems to be setting the packet header field before reinjecting -
this could be a problem if a user app is sending down arbitrary
packets. Is there a way to do this reliably? Also, is this
something I need to worry about for IP filters too?
3. Concurrency - when the control sockopt modifies the packet
filter description, I assume I will need to synchronize this
against access by the IP filter callback. Are mutexes appropriate?
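An added example, not from this thread and not the NKE it describes: a userland model of the packet-description check from question 1, a tiny classic-BPF interpreter running an "IPv6 Neighbor Discovery only" program over a constructed packet. The opcode numbering, the filter program and the sample packet are all this example's own; offsets assume the packet starts at the IPv6 header, as an IP filter (not an interface filter) sees it. Every load is bounds-checked, which is the run-time property that matters once a user app can hand arbitrary packets to the kernel side, as question 2 worries about.

```c
#include <stdint.h>
#include <string.h>
/* Tiny classic-BPF subset; opcode numbers are this example's own, not the kernel's. */
enum { OP_LDB, OP_JEQ, OP_JGE, OP_JGT, OP_RET };
struct insn { uint8_t op, jt, jf; uint32_t k; };
/* Non-zero = hand the packet to the user app, 0 = let it continue down the chain.
 * Loads are bounds-checked, so a short or malformed packet fails closed. */
uint32_t run_filter(const struct insn *prog, size_t n,
                    const uint8_t *pkt, size_t len) {
    uint32_t a = 0; size_t pc = 0;
    while (pc < n) {
        const struct insn *i = &prog[pc++];   /* jumps are relative to pc+1 */
        switch (i->op) {
        case OP_LDB: if (i->k >= len) return 0; a = pkt[i->k]; break;
        case OP_JEQ: pc += (a == i->k) ? i->jt : i->jf; break;
        case OP_JGE: pc += (a >= i->k) ? i->jt : i->jf; break;
        case OP_JGT: pc += (a >  i->k) ? i->jt : i->jf; break;
        case OP_RET: return i->k;
        default:     return 0;                /* unknown opcode: reject */
        }
    }
    return 0;                                 /* fell off the end: reject */
}
/* "IPv6, next header ICMPv6, ICMPv6 type 133..137 (RS/RA/NS/NA/Redirect)".
 * Offsets assume the packet starts at the IPv6 header, as an IP filter sees it. */
static const struct insn nd_prog[] = {
    { OP_LDB, 0, 0, 0    },   /* version nibble is the high half of byte 0 */
    { OP_JGE, 0, 6, 0x60 },   /* byte0 <  0x60: not IPv6, reject           */
    { OP_JGT, 5, 0, 0x6F },   /* byte0 >  0x6F: not IPv6, reject           */
    { OP_LDB, 0, 0, 6    },   /* next header                               */
    { OP_JEQ, 0, 3, 58   },   /* not ICMPv6: reject                        */
    { OP_LDB, 0, 0, 40   },   /* ICMPv6 type, first byte past the header   */
    { OP_JGE, 0, 1, 133  },   /* type < 133: reject                        */
    { OP_JGT, 0, 1, 137  },   /* type > 137: reject, otherwise accept      */
    { OP_RET, 0, 0, 0    },
    { OP_RET, 0, 0, 0xFFFFFFFF },
};
int is_nd_packet(const uint8_t *pkt, size_t len) {
    return run_filter(nd_prog, sizeof nd_prog / sizeof nd_prog[0], pkt, len) != 0;
}
/* Constructed 64-byte sample: IPv6 header + 24-byte ICMPv6 body (checksum left 0). */
size_t make_sample(uint8_t buf[64], uint8_t next_hdr, uint8_t icmp_type) {
    memset(buf, 0, 64);
    buf[0] = 0x60; buf[5] = 24; buf[6] = next_hdr; buf[7] = 255;
    buf[24] = 0xff; buf[25] = 0x02; buf[39] = 0x01;   /* dst ff02::1 (constructed) */
    buf[40] = icmp_type;                              /* 135 = Neighbor Solicitation */
    return 64;
}
```

A real NKE would still need the static check (bpf_validate()) before accepting a program from the control socket, so that a program with out-of-range jumps or unknown opcodes is refused at install time rather than silently rejecting every packet.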