Re: Fwd: Socket Filtering NKE
  • Subject: Re: Fwd: Socket Filtering NKE
  • From: Peter Lovell <email@hidden>
  • Date: Thu, 04 Dec 2014 11:20:48 -0500

Matt Slot <email@hidden> wrote:

>More importantly, content filtering from an NKE is _hard_. You can perform
>simple transforms on the data, but if you really want to filter the contents in
>a meaningful way, it doesn't scale well: memory is tighter, bugs are much
>more serious, and debugging is much harder.
>
>From your description, it sounds like you want to modify certain web
>requests -- change the outgoing URL or perhaps insert certain headers. In
>this case, I'd recommend proxying the data to a helper process in user
>land. Instead of packet injection, use the sf_connect_out_func callback to
>change the remote address to localhost -- use sock_connect() to redirect the
>connection to a listen() socket within your helper process!
>
>This helper process can then parse and manipulate the outgoing request,
>send it to the desired server, and then proxy the response back as normal.
>Besides making it easier to debug, a user land process also has access to
>virtual memory (for buffering), the file system (for logging and
>preferences), and the full suite of MacOS X APIs.


I disagree. It's not "hard". It's "really, REALLY hard".

Having done this for a few years, let me reassure you that this is not for the faint of heart. You'll learn lots of new skills such as two-machine debugging and recovering from kernel crashes. And reading kernel dumps.

I wholeheartedly support Matt's recommendation to do this in user-land. You can use a proxy or do in-kernel work to redirect to user space. This still requires an NKE but is much simpler than doing the whole thing there. If your user-interaction allows it, a proxy is better but there used to be some cases where that was problematic. I've been out of this area for a while so I'm not current with the situation now.

Cheers.....Peter
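The redirect-to-helper design Matt describes above, modelled as an added example: this is not code from the thread, from either poster, or from Apple's kpi_socketfilter.h, and it deliberately uses only standard socket headers so it builds in user space. It models the decision a socket filter makes in its connect-out callback: rewrite an outgoing IPv4 HTTP connect to 127.0.0.1:HELPER_PORT, save the real destination so the helper can later recover it, and pass everything else through. The helper's pid, the connection id, the port 8080 and the lookup table are assumptions for illustration; in a real NKE the original destination would live in the filter's per-socket cookie and be handed to the helper over a kernel control socket.

```c
/* Added example modelling an NKE connect-out redirect; not the thread's
 * code nor Apple's KPI. Builds and runs as ordinary user-space C. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

#define HELPER_PORT 8080   /* assumed port of the user-land helper's listen() socket */
#define MAX_TRACKED 64

/* Original destination saved per redirected connection so the helper can
 * find out where the client really wanted to go (assumed mechanism; a real
 * filter keeps this in its socket cookie). */
struct orig_dst {
    int in_use;
    uint32_t conn_id;       /* filter-assigned id for the redirected socket */
    struct sockaddr_in to;  /* destination before rewriting */
};
static struct orig_dst table[MAX_TRACKED];

enum verdict { PASS = 0, REDIRECTED = 1, TABLE_FULL = -1 };

/* Build an IPv4 sockaddr from a dotted quad and host-order port. */
struct sockaddr_in make_addr(const char *ip, uint16_t port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

/* Decide whether a connect() is diverted to the helper and rewrite the
 * address in place if so. conn_id identifies the socket, pid the process
 * that called connect(), helper_pid the helper (stand-in for proc_selfpid()). */
int filter_connect_out(uint32_t conn_id, int pid, int helper_pid,
                       struct sockaddr *to)
{
    /* Only IPv4 to port 80 is the helper's business; leaving everything
     * else untouched keeps unrelated traffic from being broken. */
    if (to->sa_family != AF_INET)
        return PASS;
    struct sockaddr_in *sin = (struct sockaddr_in *)to;
    if (ntohs(sin->sin_port) != 80)
        return PASS;

    /* Loop avoidance: the helper's own outbound connections pass through
     * this same filter; redirecting them would bounce them back to it. */
    if (pid == helper_pid)
        return PASS;
    /* Traffic already aimed at loopback is never rewritten either. */
    if ((ntohl(sin->sin_addr.s_addr) >> 24) == 127)
        return PASS;

    int slot = -1;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (!table[i].in_use) { slot = i; break; }
    }
    if (slot < 0)
        return TABLE_FULL;  /* caller decides: fail open (pass) or fail closed */

    table[slot].in_use = 1;
    table[slot].conn_id = conn_id;
    table[slot].to = *sin;

    sin->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin->sin_port = htons(HELPER_PORT);
    return REDIRECTED;
}

/* Helper side: fetch and release the original destination. Returns 1 on hit. */
int lookup_orig_dst(uint32_t conn_id, struct sockaddr_in *out)
{
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].in_use && table[i].conn_id == conn_id) {
            *out = table[i].to;
            table[i].in_use = 0;
            return 1;
        }
    }
    return 0;
}
```

Two design points matter in practice: the helper-pid and loopback checks are what stop the redirect from looping once the helper opens its own connection to the real server, and the TABLE_FULL path is where you choose fail-open (unfiltered traffic flows) versus fail-closed (connections are refused), a policy decision rather than a coding one.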


Macnetworkprog mailing list      (email@hidden)

References: 
 >Socket Filtering NKE (From: Madhavi Gundeti <email@hidden>)
 >Fwd: Socket Filtering NKE (From: Matt Slot <email@hidden>)
