On Mon, Jul 02, 2001 at 07:32:13PM +0400, Eugene L. Vorokov wrote:
> Hello,
>
> can someone please enlighten me how a module can catch ip packets before
> they actually enter the stack, the way ipfw or ipf does? I tried to look
> at the sources, but ipfw seems to do it some very specific way which
> is based on some in-kernel hacks to make it possible (of course correct me
> if I'm wrong), and ipf does so many things at startup so I can't figure
> out which function does what :( I just want to add my handler so that
> all packets would be passed to it before entering the kernel ...

the way ipfw or ipf does? by adding hacks^H^H^H^Hooks into ip_{in,out}put()
search for ip_fw_chk_ptr and fr_checkp, those are the money functions.
everything else is just setup and reaction.

as far as non-hacks that do similar things, as alfred points out netgraph
is probably the most modular way to drop in raw-frame-needing-module-X.

--
Bill Fumerola - security yahoo / Yahoo! inc.
- [EMAIL PROTECTED] / [EMAIL PROTECTED]
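
Added example, not part of the original message or of FreeBSD's source: a user-space C model of the hook-pointer pattern the reply points to, where the input path calls a filter through a global function pointer when one is set. All names here (`pkt`, `pkt_check_ptr`, `model_ip_input`, `hook_attach`, `hook_detach`, `drop_icmp`) are hypothetical, and the kernel's real hook signatures are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a packet header; not the kernel's struct ip. */
struct pkt { uint8_t proto; uint32_t src, dst; };

/* Hook type: return 0 to pass the packet on, nonzero to drop it. */
typedef int (*pkt_check_t)(struct pkt *p, int outbound);

/* Single global hook slot (hypothetical name); NULL means no filter loaded. */
pkt_check_t pkt_check_ptr = NULL;

/* Model of the input path: consult the hook before any stack processing. */
int model_ip_input(struct pkt *p) {
    pkt_check_t chk = pkt_check_ptr;   /* snapshot the slot, then test and call it */
    if (chk != NULL && chk(p, 0) != 0)
        return -1;                     /* filter said drop */
    return 0;                          /* would continue into the stack */
}

/* Module load: claim the slot; fail if another filter already owns it. */
int hook_attach(pkt_check_t fn) {
    if (fn == NULL || pkt_check_ptr != NULL) return -1;
    pkt_check_ptr = fn;
    return 0;
}

/* Module unload: only the current owner may clear the slot. */
int hook_detach(pkt_check_t fn) {
    if (fn == NULL || pkt_check_ptr != fn) return -1;
    pkt_check_ptr = NULL;
    return 0;
}

/* Sample handler: drop ICMP (IP protocol number 1), pass everything else. */
int drop_icmp(struct pkt *p, int outbound) {
    (void)outbound;
    return p->proto == 1;
}

int main(void) {
    struct pkt icmp = {1, 0x0a000001, 0x0a000002};  /* constructed sample packets */
    struct pkt tcp  = {6, 0x0a000001, 0x0a000002};
    printf("no hook:  icmp=%d\n", model_ip_input(&icmp));
    hook_attach(drop_icmp);
    printf("hooked:   icmp=%d tcp=%d\n", model_ip_input(&icmp), model_ip_input(&tcp));
    hook_detach(drop_icmp);
    printf("detached: icmp=%d\n", model_ip_input(&icmp));
    return 0;
}
```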