Ivan Wang wrote:
Tom Fortmann wrote:
I have a simple Linux kernel module that uses the netfilter API to intercept
TCP packets. I need to port this driver to a Solaris environment. I found a
lot of good articles on Solaris device drivers, but can anyone point me in
the right direction for intercepting and manipulating TCP packets under
Solaris?
Tom, the document you should start reading can be
found at:
http://www.opensolaris.org/os/community/networking/files/pfhooks-design-2006-03-09.pdf
Hi, after reading the design document, I have a couple of questions.
Please kindly correct me if some of these questions are not even applicable.
From what I understand, only one callback can register with a particular
hook at any time. Is the original ipf filtering function counted in this "one hook"
constraint? And if multiple vendors want to hook at the same point, how do
these filters get chained together? Or is this not the intended use case?
Yes, the ipf filtering function would be counted as one hook.
We made it this way because we did not have an example of how more
than one hook would be active at one time.
Some problems we have with multiple vendors at one time are:
- who goes first, second, ...
- how do you control who goes first, second, ...
So we decided to make it one-only for now and get input from people
about how they want to use more than one hook.
Do you have some thoughts?
From the document, there isn't a section about framework support for these
hook callbacks. Does the ipf framework provide functions/data structures for the
hook callback to decide whether or not a packet is allowed? If the hook callback is
responsible for configuring itself, how does it cooperate with the original ipf.conf?
And is the original best-match ipf.conf behaviour still maintained? This best-match
behaviour is far better than netfilter's first-match one, IMHO.
ipf can do many things, but not all are yet possible or supported by Sun.
One such thing is to convert ipf.conf into C code, compile that and load
it into the kernel. So this method could be used to do many different
things, but not yet in Solaris.
In Solaris 10 today, ipf does not provide a framework for other functions
to be called, or data structures.
Do you have some ideas about how to make it better?
What would you like to be able to do?
Darren
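As an added illustration of the "who goes first, second, ..." problem Darren raises (this is example code written for this thread, not the pfhooks API, ipf, or anything from the design document), the sketch below is a hypothetical hook point in C that allows several callbacks. The names hook_register, hook_dispatch, hook_point_t and the priority field are all assumptions; they exist only to show that once more than one hook is allowed, the framework has to fix the dispatch order deterministically and define what a verdict from one hook means for the others. Here a drop from any hook is final and is attributed by name, and the constructed packets show how an observing hook registered before the policy hook sees every packet, while the same hook registered after it sees only what survived.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdict from a callback. A DROP is final for the whole chain: later hooks
 * never see that packet, and no later hook can turn a DROP back into a PASS. */
typedef enum { HOOK_PASS = 0, HOOK_DROP = 1 } hook_verdict_t;

/* Minimal packet view, enough for a port-based decision (constructed). */
typedef struct {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
} pkt_t;

typedef hook_verdict_t (*hook_fn_t)(const pkt_t *pkt, void *arg);

typedef struct {
    const char *name;
    int priority;   /* lower runs first; equal priorities keep registration order */
    hook_fn_t fn;
    void *arg;
} hook_ent_t;

#define MAX_HOOKS 8 /* the thread's current "one only" policy would be 1 */

typedef struct {
    hook_ent_t ents[MAX_HOOKS];
    int n;
} hook_point_t;

/* Register a callback, keeping the array sorted by priority (stable insert). */
int hook_register(hook_point_t *hp, const char *name, int priority,
                  hook_fn_t fn, void *arg)
{
    if (hp->n >= MAX_HOOKS || fn == NULL)
        return -1;
    int i = hp->n;
    while (i > 0 && hp->ents[i - 1].priority > priority) {
        hp->ents[i] = hp->ents[i - 1];
        i--;
    }
    hp->ents[i].name = name;
    hp->ents[i].priority = priority;
    hp->ents[i].fn = fn;
    hp->ents[i].arg = arg;
    hp->n++;
    return 0;
}

/* Walk the chain in priority order; stop at the first DROP and report which
 * hook made the decision so it can be audited. */
hook_verdict_t hook_dispatch(const hook_point_t *hp, const pkt_t *pkt,
                             const char **dropped_by)
{
    for (int i = 0; i < hp->n; i++) {
        if (hp->ents[i].fn(pkt, hp->ents[i].arg) == HOOK_DROP) {
            if (dropped_by) *dropped_by = hp->ents[i].name;
            return HOOK_DROP;
        }
    }
    if (dropped_by) *dropped_by = NULL;
    return HOOK_PASS;
}

/* Two constructed callbacks: a policy hook and an observer that only counts. */
static hook_verdict_t deny_telnet(const pkt_t *p, void *arg)
{
    (void)arg;
    return p->dport == 23 ? HOOK_DROP : HOOK_PASS;
}

static hook_verdict_t count_pkts(const pkt_t *p, void *arg)
{
    (void)p;
    (*(int *)arg)++;
    return HOOK_PASS;
}

/* Run three constructed packets through two chains that differ only in where
 * the counter sits relative to the policy hook. */
static void run_demo(int *dropped, int *seen_early, int *seen_late)
{
    static const pkt_t pkts[] = {
        { 0x0a000001u, 0x0a000002u, 40000, 23 }, /* telnet -> dropped */
        { 0x0a000001u, 0x0a000002u, 40001, 22 }, /* ssh    -> passed  */
        { 0x0a000001u, 0x0a000002u, 40002, 23 }, /* telnet -> dropped */
    };
    hook_point_t early, late;
    int c_early = 0, c_late = 0, d = 0;
    memset(&early, 0, sizeof early);
    memset(&late, 0, sizeof late);
    hook_register(&early, "count", 0, count_pkts, &c_early);
    hook_register(&early, "deny_telnet", 10, deny_telnet, NULL);
    hook_register(&late, "deny_telnet", 10, deny_telnet, NULL);
    hook_register(&late, "count", 20, count_pkts, &c_late);
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++) {
        const char *who;
        if (hook_dispatch(&early, &pkts[i], &who) == HOOK_DROP) d++;
        hook_dispatch(&late, &pkts[i], NULL);
    }
    *dropped = d; *seen_early = c_early; *seen_late = c_late;
}

int demo_dropped(void)    { int d, e, l; run_demo(&d, &e, &l); return d; } /* 2 */
int demo_seen_early(void) { int d, e, l; run_demo(&d, &e, &l); return e; } /* 3 */
int demo_seen_late(void)  { int d, e, l; run_demo(&d, &e, &l); return l; } /* 1 */

int main(void)
{
    printf("dropped=%d, counter before policy saw %d, counter after policy saw %d\n",
           demo_dropped(), demo_seen_early(), demo_seen_late());
    return 0;
}
```

The point of the two chains is that the ordering question is not cosmetic: an accounting or logging hook gives different numbers depending on whether it runs before or after a vendor's policy hook, so a multi-hook framework would have to make the order explicit (a priority like the one assumed here, or a documented fixed slot for ipf) rather than leave it to module load order.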
_______________________________________________
networking-discuss mailing list