On 1/18/06, Bill Marquette <[EMAIL PROTECTED]> wrote:
> Or because IPFW on FreeBSD has divert() and IP Tables in Linux has
> netlink.  It's a logical question to ask - although a few minutes in
> the man page and a few hours groking the PF source would have been
> enough.

I don't say this to be arrogant.  pf is really good at hiding the
details of the packet path through the kernel, among other things, in
the config file.  But if you know the stack, then it becomes clear why
you can do some things (re-write dest IP on inbound packets) but not
their logical inverse (re-write dest IP on outbound packets, or
perhaps re-write source IP on inbound packets).  netfilter doesn't
have this layer of abstraction, so users have to deal with FORWARD
chains and PREROUTING and such.

Knowing what solution he wants will require knowing some of these
details, of the capabilities at each layer.

Yes, you can drop all packets and use bpf to capture them in userland,
and filter/mangle and reinject.... but copying a lot of data across
the userland/kernel barrier is not terribly efficient, as you've got
the crossing of protection domains, bitblits, and then you've got
latency issues since the userland process has scheduling overhead ---
we receive a packet at interrupt level, queue it for "top half"
kernel, copy it to userland, wait for userland sniffer to be
scheduled, it runs, re-injects packet at which point process reverses.
 It also involves socket coding and manipulating second-class data
objects (in C anyway).  If you go this route, and it is the easiest
solution beyond ftp-proxy, I suggest writing the prototype in a HLL
with a libpcap binding.  If you know python, Impacket is the best I've
seen.  If performance isn't enough (that is, if you are dropping
unacceptable numbers of packets during load), you may have to resort
to C/C++.  C in particular has lots of ways to screw this up, and
remember that you are handling data created by remote, possibly
hostile parties.  So one input validation screwup, one buffer
overflow, and you're harming your overall security, not helping it. 
If the drop rate is still too high, pcap/bpf won't work for you.

The next solution would be changing how the kernel works.  Lots of
learning involved, lots of tedious work, lots of testing, lots of
kernel panics, probably a lot of changes to please the kernel
developers.  Many places to go wrong on this path.  Will require
extensive reading and understanding of kernel source.  Fortunately the
pf code, at least in openbsd, is remarkably clean.  You'll still need
to learn how and where the kernel does 'tings.  You might want to buy
(or borrow) the 4.4 BSD book and read the network stack stuff just to
get a big picture on where things were aeons ago, relatively speaking.
 Then you'll have to read kernel code to come up to speed.

Of course the best solution, and probably the most efficient, would be
to find some underpaid kernel coder (preferably network stack stuff)
and bribe them with beer and pizza.  Or you could post a bounty on one
of the freelancecoder sites (be careful how you word it, specify how
you want it to work and that it must meet openbsd standards, and must
not be written in visual basic, php, or .NET).
--
"If I could remember the names of these particles, I would have been a botanist"
  -- Enrico Fermi -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B

Reply via email to