SocketFilter - inserting data packet using mbufs

Subject: SocketFilter - inserting data packet using mbufs
From: Ron Anderson <email@hidden>
Date: Tue, 21 Nov 2006 12:04:52 -0500

I have a socket filter that watches outgoing sockets. On some of them, I want to inject some of my own data. For instance, for an HTTPS connection, i want to tunnel through a proxy, so I need to send a CONNECT message to the proxy before continuing with the normal data flow. For the most part, the code that I have written works, but I am getting some weird side-effects highlighted in the mbuf stats (displayed by executing "netstat -m"). It seems I am leaking an mbuf everytime I "CONNECT" to the proxy server. So, I am thinking I may not be creating the new mbuf packet 100% properly. Given there is no documentation whatsoever regarding creating mbufs, the only direction given is from sample code (very little) or kernel code (very specific cases).

So, if I were to query the mbuf_stats to find out the minimum cluster size, and I knew my data was smaller than that size, would the following code be proper for generating an mbuf that could be safely injected into the socket data out?

mbuf_t new_data = NULL;

uint8_t *buffer = NULL;

size_t buffer_len;

... buffer is allocated and filled with data ...

err = mbuf_gethdr(MBUF_WAITOK, MBUF_TYPE_DATA, &new_data);

if (err == noErr)

{

err = mbuf_copyback(new_data, 0, buffer_len, buffer, MBUF_WAITOK);

}

After calling the sock_inject_data_out, the documentation says the mbuf is freed, regardless of error. Looking in the kernel code, this seems to be true. So, why is it that I see:

(before)

148 mbufs in use:

144 mbus allocated to data

3 mbufs allocated to socket names and addresses

1 mbufs allocated to Appletalk data blocks

178/374 mbuf clusters in use

0/16 mbuf 4KB clusters in use

849 Kbytes allocated to network (46% in use)

0 requests for memory denied

0 requests for memory delayed

0 calls to protocol drain routines

(after)

149 mbufs in use:

145 mbus allocated to data