Subhash Gopinath wrote:
> Thanks, looks interesting.
> But I was looking at processing the packets in userspace. Sorry I
> didn't mention it clearly.

Ah ok. I didn't get that from your initial email. Have you looked at the
firewall (ipfw and/or pf) code at all? I believe you can use mechanisms
like divert sockets (man 4 divert) to pass packets up from the kernel to
userspace for processing, and then reinject the packets into the stack
if they pass whatever criteria is required. I'm sure there are other
mechanisms for getting packets up into userspace as well, but firewall
code is probably a good place to start looking for ideas.

> Thanks,
> -Subhash
>
> On Jan 11, 2008 10:32 PM, Lawrence Stewart <[EMAIL PROTECTED]> wrote:
>> Hi Subhash,
>>
>> Subhash Gopinath wrote:
>>> Hello folks,
>>> I am looking at writing an application program to tap certain ipv6
>>> packets (say icmpv6) using netgraph. The application has to do some
>>> processing before the kernel can proceed with those packets.
>>> I have vaguely understood netgraph, and I see that I need a ng_socket
>>> node in the application, an ng_bpf node, and an ng_ether or ng_iface
>>> node in the kernel.
>>> My question is: would I need to create such nodes for each interface?
>>> Then it becomes unscalable.
>>> Can I have just one socket, bpf, iface node that can tap icmpv6
>>> packets on all interfaces?
>>
>> The PFIL(9) interface might also be of interest to you. If all you need
>> to do is packet interception and then allow/deny packets based on the
>> results of some processing, PFIL might be the way to go. We wrote some
>> code (SIFTR [1]) which uses PFIL in a similar capacity and you may want
>> to refer to it as an example.
>>
>> Cheers,
>> Lawrence
>>
>> [1] http://caia.swin.edu.au/urp/newtcp/tools.html

Cheers,
Lawrence
_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
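
The divert-socket pattern suggested in the reply above (receive the packet in userspace, decide, write it back to reinject), as an added example that is not code from this thread, SIFTR or FreeBSD. The function names, the caller-supplied port and the Neighbor Discovery hop-limit policy are assumptions chosen for illustration, and it assumes a FreeBSD whose firewall diverts IPv6 packets to the socket.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* ICMPv6 type of a raw IPv6 packet, or -1 if not ICMPv6 or truncated.
 * Fragment headers are not followed, so fragments come back as -1. */
int icmp6_type(const unsigned char *p, size_t len) {
    if (len < 40 || (p[0] >> 4) != 6) return -1;
    unsigned nh = p[6];
    size_t off = 40;
    while (nh == 0 || nh == 43 || nh == 60) { /* hop-by-hop, routing, dest opts */
        if (off + 8 > len) return -1;
        nh = p[off];
        off += ((size_t)p[off + 1] + 1) * 8;
    }
    return (nh == 58 && off < len) ? p[off] : -1;
}

/* Illustrative policy (an assumption, not from the thread): Neighbor Discovery
 * (types 133-137) must carry hop limit 255 per RFC 4861; the rest passes. */
int allow(const unsigned char *p, size_t len) {
    int t = icmp6_type(p, len);
    return (t >= 133 && t <= 137) ? p[7] == 255 : 1;
}
/* Constructed sample: IPv6 header, zero addresses, 8-byte ICMPv6 message. */
size_t sample(unsigned char *b, unsigned char hlim, unsigned char type) {
    memset(b, 0, 48);
    b[0] = 0x60; b[5] = 8; b[6] = 58; b[7] = hlim; b[40] = type;
    return 48;
}

#ifdef IPPROTO_DIVERT /* FreeBSD, divert(4); needs a firewall divert rule for this port */
int divert_loop(unsigned short port) {
    unsigned char buf[65535];
    struct sockaddr_in sin, from;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET; sin.sin_port = htons(port);
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    for (;;) {
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) return -1;
        if (allow(buf, (size_t)n)) /* reinject; skipping this drops the packet */
            sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
}
#endif
```

One socket serves every interface because the firewall rule, not the socket, selects which packets are diverted; the address returned by recvfrom is passed back unchanged so the packet re-enters the stack in its original direction.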