Re: NKE packet insertion.
- Subject: Re: NKE packet insertion.
- From: "Peter Sichel" <email@hidden>
- Date: Mon, 2 Jan 2006 09:49:31 -0500
On 1/2/06, Lasaro Camargos wrote:
>I am trying to write an NKE that makes my XServe box an ethernet
>bridge.
I've done this in IPNetRouterX and IPNetSentryX available from
my website.
>I am doing it as an Interface Filter. In doing so I face the
>following problems:
>
>- Lack of examples. Can someone provide me with a correct/simple
>Interface Filter that successfully inserts packets in the network?
You can look at my NKE framework here:
ftp://sustworks.com/open_source_IPNetRouter_TNKE.dmg
This just shows an Interface filter framework; it doesn't include
the bridging code. DTS has some sample code as well.
>I wrote code that gets the frames but I have problems injecting
>them as I explain below.
There are many subtle details you have to get right to make this
work.
1) You need to enable promiscuous mode on the corresponding
interfaces to get the packets you want.
2) For any packets you inject upstream, you need to turn off
the MBUF_PROMISC flag so the packet won't be deleted.
3) You need to tag the packet correctly for the direction you
are injecting it so your NKE won't process it again.
4) If you are changing the packet direction, you need to re-arrange
the Ethernet frame header. Outbound packets include the frame header,
inbound packets give you a pointer to the frame header you'll need to
prepend.
5) You'll need to turn off the hardware checksum flags.
Apple's documentation and KPIs don't quite get this right.
You'll probably want to do something like this:
    if (packet->direction == kDirectionInbound) {
        mbuf_inbound_modified(mbuf_ref);     // mbuf->m_pkthdr.csum_flags = 0;
        mbuf_clear_csum_requested(mbuf_ref); // mbuf->m_pkthdr.csum_data = 0;
    }
    else {
        mbuf_outbound_finalize(mbuf_ref, AF_INET, packet->ipOffset);
        mbuf_inbound_modified(mbuf_ref);     // mbuf->m_pkthdr.csum_flags = 0;
        mbuf_clear_csum_requested(mbuf_ref); // mbuf->m_pkthdr.csum_data = 0;
    }
6) You'll probably want a lock to protect your data, and need to unlock it
before you inject.
7) For injecting inbound:
You need to call mbuf_pkthdr_setheader() to set the frame header.
You need to call mbuf_pkthdr_setrcvif() to set the receive interface
even though ifnet_input() specifies this.
>- How to scrutinize the frame I got in my input function? If I want to
>filter some frames, where to look for such information? Are there any
>helper functions to extract IP headers, for example, from an Ethernet
>frame (if the frame has an IP packet, of course)?
It's Open Source so you can look at what others have done.
I don't know of any KPI support functions that will help you in this case.
If you used a protocol filter, it would be easier to get the IP datagram,
but you need the frame headers to do Ethernet bridging.
If you just want a solution rather than to write it all yourself,
check out IPNetSentryX or contact me directly. IPNetSentryX includes
some pretty powerful IP filtering including TCP rate limiting
(bandwidth allocation).
>- How to inject frames? I am using "ifnet_output_raw(interface,
>protocol, mbuf)" to inject a copy of packets received on one ethernet
>into the others. The documentation says that if the function does not
>succeed, mbuf will be freed.
Yes, if there's an error doing an inject, the mbuf will be released.
> Does that mean that if it succeeds mbuf
>won't be freed?
Yes. The mbuf will be passed up/down the network stack. Even though
it hasn't been released yet, as far as your code is concerned, it has
been consumed so your code should return EJUSTRETURN.
> Why should mbuf be freed in case of an error? In that
>situation I could want to change something in the packet and resend
>it. And if the packet was sent, why should I keep it?
Once you inject an mbuf, it's not "yours" anymore. If you want
to do something else with it, you need to keep a copy.
I hope this helps.
- Peter Sichel
Sustainable Softworks
www.sustworks.com
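
Added example (not part of the original message and not code from IPNetRouterX or IPNetSentryX): since the reply notes there is no KPI helper for pulling the IP header out of a frame, this is a bounds-checked locator for the IPv4 header in a raw Ethernet frame. It runs on a flat byte buffer in user space; in an NKE the bytes would first have to be made contiguous (for example with mbuf_pullup() or mbuf_copydata()). The name find_ipv4_header and the sample frame are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IP4  0x0800
#define ETHERTYPE_VLAN 0x8100

/* Read a big-endian 16-bit field without assuming alignment. */
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/*
 * find_ipv4_header (hypothetical helper): returns the offset of the IPv4
 * header inside an Ethernet frame of `len` bytes, or -1 if the frame is not
 * IPv4 or a length field is inconsistent. On success *ip_hdr_len = IHL * 4.
 */
static int find_ipv4_header(const uint8_t *frame, size_t len, size_t *ip_hdr_len)
{
    size_t off = ETH_HDR_LEN;
    if (frame == NULL || len < ETH_HDR_LEN) return -1;
    uint16_t type = be16(frame + 12);
    if (type == ETHERTYPE_VLAN) {            /* one 802.1Q tag: 4 extra bytes */
        if (len < ETH_HDR_LEN + 4) return -1;
        type = be16(frame + 16);
        off += 4;
    }
    if (type != ETHERTYPE_IP4) return -1;
    if (len - off < 20) return -1;           /* minimum IPv4 header */
    const uint8_t *ip = frame + off;
    if ((ip[0] >> 4) != 4) return -1;        /* version field */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = be16(ip + 2);
    if (ihl < 20 || ihl > len - off) return -1;      /* options must fit */
    if (total < ihl || total > len - off) return -1; /* no read past frame */
    if (ip_hdr_len) *ip_hdr_len = ihl;
    return (int)off;
}

/* Constructed sample: untagged frame, IPv4, IHL = 5, total length = 20. */
static const uint8_t sample_frame[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x14, 0,0,0,0, 0x40,0x06,0,0,
    10,0,0,1, 10,0,0,2
};

int main(void)
{
    size_t ihl = 0;
    return find_ipv4_header(sample_frame, sizeof sample_frame, &ihl) == 14 ? 0 : 1;
}
```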