Re: URL filtering / IP Filter NKE

  • Subject: Re: URL filtering / IP Filter NKE
  • From: Nick <email@hidden>
  • Date: Thu, 23 Jun 2011 03:15:28 +0300

Deena, 
you do not necessarily have to get friendly with the kernel. 
As another option, you can simply use the built-in IPFW functionality and
1) either add a divert rule (and continue like you do, but in usermode, which is much much easier to debug)
2) or add a forward rule (and write a proxy, which would be a better choice, since it is more natural, and you don't get your hands dirty with low level TCP details - like counting tcp/ip checksums and values for seq and ack fields of the http header).

You have to add the rule every time the system boots (but you have to load the NKE every time the system boots, so you are losing nothing).
The good thing is you eliminate daemon-to-nke communication, and can do all the work in usermode, avoiding panics and crashes.

That's how I achieved exactly the same thing as you are trying to do.
Nick

2011/6/21 Deena Awate <email@hidden>

Hello,


Aim is to achieve URL filtering. For this I have written an IP Filter NKE. Currently the packets that I get in the IP filter in the IPF_output callback are passed to the user mode daemon using Kernel Control API and I wait in the callback to get the result. The daemon processes the packet to extract the URL and decides whether to block it or not. This result is passed down to the IP filter. If the result is to BLOCK access then the IP filter should deny access for the connection.


I have tried returning -1, ECONNABORT and many other return values. What I observe is I keep on getting the packet in the IP filter and after some time the connection is refused for the URL and the reason that Safari shows is "The server where this page is located is not responding".


Is what I am trying to do feasible with the way I am doing it? What is the return value to be returned from the ipf_output callback to deny access?


Thanks,

Deena 
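
The proxy option in Nick's reply moves the URL decision into ordinary user-space code that works on the connection's byte stream instead of individual packets. As an added example (not code from either poster), this is the filtering decision such a proxy could make on the first bytes read from a client; the blocklist domains, the function names and the fail-closed policy are assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist (hypothetical domains).
BLOCKED_DOMAINS = {"blocked.example", "ads.example.net"}
# Reply the proxy sends instead of contacting the origin server.
FORBIDDEN = (b"HTTP/1.1 403 Forbidden\r\n"
             b"Content-Length: 0\r\nConnection: close\r\n\r\n")


def extract_url(data):
    """Return the requested URL, or None if the header block is incomplete.

    Raises ValueError when the bytes are not a parseable HTTP/1.x request.
    """
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        return None  # headers can span several reads: caller must read more
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        raise ValueError("not an HTTP/1.x request line")
    target = parts[1]
    if target.lower().startswith("http://"):
        return target  # absolute-form target already carries the host
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host" and value.strip():
            return "http://" + value.strip() + target
    raise ValueError("no Host header")


def is_blocked(url):
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS
               for i in range(len(labels)))


def verdict(data):
    """Return ('wait', None), ('allow', None) or ('block', FORBIDDEN)."""
    try:
        url = extract_url(data)
        if url is None:
            return "wait", None
        blocked = is_blocked(url)
    except ValueError:
        return "block", FORBIDDEN  # assumed policy: fail closed if unparseable
    return ("block", FORBIDDEN) if blocked else ("allow", None)
```

A blocked request gets an explicit 403 reply and a closed connection, so the browser shows an immediate error rather than waiting for a timeout.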


 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden

