Intercepting a packet, changing it and re-injecting into the network
Julian Elischer
julian at elischer.org
Fri Dec 22 15:40:21 PST 2006
Julian Elischer wrote:
> Kevin Sanders wrote:
>> On 12/22/06, Brooks Davis <brooks at one-eyed-alien.net> wrote:
>>>
>>> On Fri, Dec 22, 2006 at 12:43:29PM -0300, Fabrício Barros Cabral wrote:
>>> > Hello everybody!
>>> >
>>> > I'm developing a network application which needs *to intercept* a packet
>>> > (not just *copy* a packet, like libpcap does), move this packet into my
>>> > application (userland), do some checking in the packet and according
>>> > with some heuristics, the application may change the payload and
>>> > re-inject the modified packet into the network. Note that sometimes,
>>> > I'll change the payload, drop the packet or just let it go.
>>> >
>>> > So, how can I do that in FreeBSD? I can use 6.1, 7.1, any version.
>>>
>>> The feature you're looking for is divert(4) sockets. You use IPFW to
>>> decide which packets to divert to userland and can reinject them as
>>> needed.
>>>
>>> -- Brooks
>>
>> I'm actually working on something with a similar need. How would this
>> perform compared to a kld module that is using the pfil(9) framework? I'm
>> looking to support very high bandwidth networks, with 400mbps or more over
>> gig ethernet. In my case I'm looking at HTTP requests and not necessarily
>> every packet once I've done what I need to the actual http request/headers.
>> Obviously, if I grow or shrink the HTTP request, I then have to "massage"
>> the seq/ack to keep the two talking, but this is only for a small percentage
>> of the sessions, and I didn't want to be hit with a kernel -> user space ->
>> kernel transition for every packet.
>
> Divert is designed for diverting from the IP layer, to the user layer
> for processing (and returning the packet to be sent out/in). It is fast
> enough for most WAN applications.
>
> I use patches to allow me to divert from a bridge (Ethernet layer)
> but it's still going to userland.
BTW I was able to do several hundred Mb/Sec through userland..
(largish packets though)
>
> I have the same thing.. which is why I divert from ethernet layer.
> There are some tricks that can be done to really speed that up however..
> for example you only need to look at the first syn packet.. all the rest
> don't need to be looked at or diverted.
Just as a reference point:
using ipfw I was able to saturate a Gb bridge
(between 2 bge interfaces) while filtering against a
table of 128000 addresses (in FreeBSD 4.8) using 30% cpu..
machines have gotten faster since then but the OS has slowed a bit.
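A minimal divert(4) loop of the kind Brooks describes, added here as an illustration and not code from anyone in the thread: ipfw diverts the packet to a port, the program inspects or edits it, repairs the IP header checksum and re-injects it with the same sockaddr. The ipfw rule and port 8668 are constructed choices; the socket calls are FreeBSD-only and #ifdef'd, while the checksum helpers are portable.

```c
/* Added example, not from the thread: divert(4) loop that hands each diverted
 * packet to a callback, repairs the IPv4 header checksum and re-injects it with
 * the sockaddr recvfrom() filled in, so ipfw resumes at the next rule.  Matching
 * rule (port 8668 is a constructed choice): ipfw add 100 divert 8668 tcp from any to any 80
 * Socket code is FreeBSD-only and #ifdef'd; the checksum code is portable. */
#include <stdint.h>
#include <stddef.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* RFC 1071 ones-complement checksum over len bytes, returned in host byte order. */
uint16_t ip_checksum(const uint8_t *b, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((b[i] << 8) | b[i + 1]);
    if (len & 1) sum += (uint32_t)b[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Recompute the IPv4 header checksum in place; returns it, or 0 when the
 * buffer does not start with a sane IPv4 header (caller should drop). */
uint16_t ip_fix_checksum(uint8_t *pkt, size_t len) {
    size_t ihl = len >= 1 ? (size_t)(pkt[0] & 0x0f) * 4 : 0;
    if (len < 20 || (pkt[0] >> 4) != 4 || ihl < 20 || ihl > len) return 0;
    pkt[10] = pkt[11] = 0;
    uint16_t c = ip_checksum(pkt, ihl);
    pkt[10] = (uint8_t)(c >> 8); pkt[11] = (uint8_t)c;
    return c;
}
/* Constructed sample header with its checksum field zeroed; correct value is 0xb861. */
uint16_t demo_checksum(void) {
    uint8_t h[20] = {0x45,0,0,0x73,0,0,0x40,0,0x40,0x11,0,0,0xc0,0xa8,0,1,0xc0,0xa8,0,0xc7};
    return ip_fix_checksum(h, sizeof h);
}
#ifdef __FreeBSD__
/* edit() returns the new length or 0 to drop.  Changing the TCP payload also
 * means fixing the TCP checksum and, as the thread notes, massaging seq/ack. */
int divert_loop(uint16_t port, int (*edit)(uint8_t *, int)) {
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (fd < 0 || bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) return -1;
    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        int n = (int)recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) return -1;
        n = edit(buf, n);
        if (n <= 0) continue;             /* dropped: never re-injected */
        ip_fix_checksum(buf, (size_t)n);  /* same sockaddr => same direction */
        sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
}
#endif
```

Re-injecting with the sockaddr exactly as received keeps the packet's direction (incoming vs outgoing) and the rule number at which ipfw continues.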