Re: ip level NKE - how to trace the process that generates traffic?
- Subject: Re: ip level NKE - how to trace the process that generates traffic?
- From: James J <email@hidden>
- Date: Wed, 28 Mar 2012 17:38:16 +0300
Maybe someone else would give me some idea how to do this?
I am trying to figure out in NKE IP filter what application is responsible for generating a packet.
I am writing a transparent proxy server, which is a user mode application, and I need to redirect all the packets to that application except those that were generated by the Proxy App itself (these packets need to be bypassed freely).
I believe I can redirect packets to the proxy filter by faking the ip address/port in packets (I need to have behavior identical to ipfw fwd).
The only problem I have, is determining, whether the IP packet is generated by the Proxy Application (to which all the other packets should be redirected, in an ipfw manner).
Vincent suggested to mark (tag) the proxy application "traffic" (mbufs that were "generated" by the proxy's socket) within a socket filter, so the underlying NKE IP filter would see which packets belong to the Proxy application.
However, it seems that the mbufs that I tag in the Socket NKE are totally different from those that I get in the IP NKE. They don't have the tag anymore.
Maybe I could rely on some internal structures that are beyond NKE documentation?... Would there be a way to solve my task, at all?
Thank you
James J <email@hidden> wrote:
> Hello Vincent,
> before you answered
> "You could use a socket filter NKE that would add a specific mbuf tag
> for traffic being sent by your proxy application. Your IP filter would
> then simply check the presence of this mbuf tag."
>
> I tried this approach but the tag, allocated and attached to an mbuf in
> a socket filter, is not present anymore when I check it within an IP
> filter:
>
> //this is a socket filter's data out function:
> static errno_t data_out_func (void *cookie, socket_t so, const struct sockaddr *to,
>                               mbuf_t *data, mbuf_t *control, sflt_data_flag_t flags) {
>     printf("socket data_out_func for process PID=%d ", proc_selfpid());
>
>     errno_t retval;
>     //tags can be attached only to mbufs that have MBUF_PKTHDR set
>     if((mbuf_flags(*data) & MBUF_PKTHDR)!=0) {
>         int *tagReference = NULL;
>         retval = mbuf_tag_allocate(*data, tproxynketag, 1, sizeof(int),
>                                    MBUF_WAITOK, (void**)&tagReference);
>         if(!retval)
>             printf("tag has been allocated ");
>     }
>     return 0; //normal processing
>     //return EJUSTRETURN; //swallow the packet, caller stops processing
>     //anything else - data will be freed, caller stops processing
> }
>
> //this is an ip filter's data out function
> static errno_t output_func (void *cookie, mbuf_t *data, ipf_pktopts_t options) {
>     printf("ip output_func ");
>     size_t len = 0;
>     int *value = NULL;
>     errno_t retval;
>     retval = mbuf_tag_find(*data, tproxynketag, 1, &len, (void**)&value);
>     if(!retval) {
>         printf("tag HAS BEEN found ");
>     } else
>         printf("tag not found ");
>     return 0;
> }
>
>
>
> I suppose this is because mbufs don't go directly through Socket and
> IP levels and different mbufs are used on Socket and IP (please
> correct me if I am wrong..)
>
> Maybe there would be some other way to check whether the IP packet was
> generated by a specific application?
>
>>
>> On Mar 3, 2012, at 8:49 AM, James J wrote:
>>
>>> Hello
>>> I am developing a kind of a traffic redirector for transparent proxy
>>> filter, which should redirect all the IP traffic to a proxy (usermode)
>>> application, except the traffic, that is generated by this proxy
>>> application, which should be passed through freely.
>>>
>>> I know I can find out whether the mbufs come from my application or
>>> not in a Socket filter NKE (when the NKE is being attached to the
>>> application socket, by calling proc_selfpid()). However, in IP level
>>> NKE this is impossible.
>>> Would there be a way to trace "the origins" of the mbuf that I receive
>>> in my ipf_output_func() function?
>>
>> You could use a socket filter NKE that would add a specific mbuf tag for traffic being sent by your proxy application. Your IP filter would then simply check the presence of this mbuf tag.
>>
>> Vincent
>>
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
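
The thread leaves open how an IP filter could recognise the proxy's own traffic once the mbuf tag is gone. One possible alternative, as an added example that is not from the thread or from Apple's documentation: the socket filter records the protocol and local port of the proxy's sockets, and the IP filter compares each outbound packet's source port against that table. This user-space C sketch shows only the matching logic; `register_proxy_flow`, `classify_outbound`, the table and the sample packet are hypothetical, and it assumes IPv4 and that the socket filter can learn the bound local port.

```c
#include <stddef.h>
#include <stdint.h>

enum verdict { PASS_THROUGH, REDIRECT, UNCLASSIFIED };

/* Hypothetical table shared by both filters: (protocol, local port) of the
 * proxy's own sockets, recorded where proc_selfpid() is still meaningful. */
#define MAX_FLOWS 64
static struct { uint8_t proto; uint16_t port; } flows[MAX_FLOWS];
static size_t nflows;

/* Would be called from the socket filter; returns -1 when the table is full. */
int register_proxy_flow(uint8_t proto, uint16_t local_port) {
    if (nflows == MAX_FLOWS) return -1;
    flows[nflows].proto = proto;
    flows[nflows].port = local_port;
    nflows++;
    return 0;
}

/* Would be called from the IP filter's output function on the raw IPv4 packet. */
enum verdict classify_outbound(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return UNCLASSIFIED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;   /* header length incl. options */
    uint8_t proto = pkt[9];
    if (ihl < 20 || (proto != 6 && proto != 17)) return UNCLASSIFIED;
    /* Only the first fragment carries the TCP/UDP header with the ports. */
    if ((((pkt[6] & 0x1f) << 8) | pkt[7]) != 0) return UNCLASSIFIED;
    if (len < ihl + 2) return UNCLASSIFIED;     /* truncated before source port */
    uint16_t sport = (uint16_t)((pkt[ihl] << 8) | pkt[ihl + 1]);
    for (size_t i = 0; i < nflows; i++)
        if (flows[i].proto == proto && flows[i].port == sport) return PASS_THROUGH;
    return REDIRECT;
}

/* Constructed sample: minimal IPv4+TCP packet, 10.0.0.2 -> 192.0.2.10:80. */
enum verdict classify_sample(uint16_t sport, uint16_t frag_off, size_t len) {
    uint8_t p[24] = { 0x45, 0, 0, 40, 0, 1, 0, 0, 64, 6, 0, 0,
                      10, 0, 0, 2, 192, 0, 2, 10, 0, 0, 0, 80 };
    p[6] = (uint8_t)((frag_off >> 8) & 0x1f); p[7] = (uint8_t)frag_off;
    p[20] = (uint8_t)(sport >> 8); p[21] = (uint8_t)sport;
    return classify_outbound(p, len > sizeof p ? sizeof p : len);
}

int main(void) {
    register_proxy_flow(6, 50000);   /* proxy's own TCP socket, constructed value */
    return !(classify_sample(50000, 0, 24) == PASS_THROUGH &&
             classify_sample(50001, 0, 24) == REDIRECT &&
             classify_sample(50000, 185, 24) == UNCLASSIFIED);
}
```

Entries have to be removed when the proxy's socket goes away, otherwise a later process that is handed the same local port would be passed through unfiltered. What to do with `UNCLASSIFIED` packets (non-first fragments, non-TCP/UDP, truncated headers) is a policy decision left to the caller.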