I'm trying to implement in my firewall a feature ;) that would delay all
packets for a wanted time.
This, however, would have to happen without blocking the entire kernel.
(surprise surprise)
I have done the following so far.
--
struct firewall_ops ip_my_firewall_ops=
{
NULL, /* next */
handle_fw_packet, /* fw (forward) */
handle_in_packet, /* in */
handle_out_packet, /* out */
PF_INET, /* protocol family */
1 /* priority */
};
--
All of those functions go immediately to the
int check_package(struct iphdr *ip, const char *dev_name,
__u16 *redirport, int direction,
struct sk_buff *skb)
function.
I know that to destroy an incoming packet silently I have to return FW_BLOCK,
and for outgoing packets I have to return FW_QUEUE (the other return values
send an ICMP packet to the kernel).
However, the trouble is that I'm not quite sure what the right way to do
this is.
I have tried to clone the outgoing packet and return FW_QUEUE, but this does
not seem to work. (packet_cb is global.)
---
int check_package(struct iphdr *ip, const char *dev_name,
__u16 *redirport, int direction,
struct sk_buff *skb)
{
.
.
.
else if(ip->daddr == 0x1f00000a) { /* sending to 10.0.0.31 (as read on a little-endian host) */
clone_buffer=skb_clone(skb,GFP_ATOMIC); /* new skb header that shares the data buffer with skb */
packet_cb.ip = ip;
packet_cb.dev_name = dev_name;
packet_cb.redirport = redirport;
packet_cb.direction = direction;
packet_cb.skb = clone_buffer;
our_timer.function = test_it; /* test_it(&packet_cb) runs when the timer fires */
our_timer.data = (unsigned long)&packet_cb;
our_timer.expires = jiffies + HZ; /* one second from now */
add_timer(&our_timer);
interruptible_sleep_on(&our_wait); /* puts the current task to sleep until our_wait is woken */
return FW_QUEUE; /* this one silently kills packet */
}
---
I thought that this would clone the packet and therefore it would not be
destroyed (the data would still exist), and then I could send it off after 2
seconds or so.
Have I misunderstood the use of skb_clone? Should I really use skb_copy?
Is there any chance whatsoever to delay packets effectively in firewalls?
Thank you.
--
Janne Pänkälä
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]
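The design the question is circling, "stash a private copy, return at once, let a timer send it later", can be shown without the kernel. The block below is an added user-space model written for this page; it is not the poster's code and not the Linux firewall API (there is no sk_buff, no add_timer, no FW_QUEUE here). It models the two halves that a kernel version would need: a hook (dq_hook, an assumed name) that never sleeps and returns a verdict after copying the packet bytes into a FIFO with a due tick, and a timer callback (dq_timer, also assumed) that sends whatever has come due through a supplied send function. The copy is deliberate: skb_clone gives a new skb header that still shares the data buffer, so a clone does not keep the payload alive on its own, whereas skb_copy duplicates the data. The demo function, the 20-byte constructed IPv4 headers, and the 0x1f00000a target (the literal from the post) are all constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of "queue now, send later" for a firewall hook (added
 * example, not kernel code). The hook stores a private copy of the packet
 * with a due tick and returns at once; a timer callback later sends what
 * has come due. Nothing in here ever sleeps. */
enum verdict { V_ACCEPT = 0, V_DELAY = 1 };

struct delayed_pkt {
    struct delayed_pkt *next;
    unsigned long due;       /* tick at which the packet may be sent */
    size_t len;
    unsigned char data[];    /* private copy: the caller's buffer may go away */
};

struct delay_queue {
    struct delayed_pkt *head, **tail;   /* singly linked FIFO */
    unsigned long delay;                /* ticks each packet is held */
    uint32_t match_daddr;               /* IPv4 dst (as stored in memory) to delay */
};

void dq_init(struct delay_queue *q, unsigned long delay, uint32_t match_daddr)
{
    q->head = NULL; q->tail = &q->head;
    q->delay = delay; q->match_daddr = match_daddr;
}

/* Destination address of an IPv4 header sits at byte offset 16. */
static int daddr_matches(const unsigned char *pkt, size_t len, uint32_t daddr)
{
    uint32_t d;
    if (len < 20) return 0;
    memcpy(&d, pkt + 16, sizeof d);
    return d == daddr;
}

/* The hook: one call per packet, returns immediately. V_DELAY means a copy
 * is queued and the caller may drop the original (the FW_QUEUE role). */
enum verdict dq_hook(struct delay_queue *q, const unsigned char *pkt,
                     size_t len, unsigned long now)
{
    struct delayed_pkt *p;
    if (!daddr_matches(pkt, len, q->match_daddr)) return V_ACCEPT;
    p = malloc(sizeof *p + len);
    if (!p) return V_ACCEPT;     /* out of memory: pass it now rather than stall */
    p->next = NULL; p->due = now + q->delay; p->len = len;
    memcpy(p->data, pkt, len);   /* copy, not clone: no data shared with the caller */
    *q->tail = p; q->tail = &p->next;   /* append: equal delays keep the head oldest */
    return V_DELAY;
}

/* The timer side: send everything due by `now`, oldest first, via `send`.
 * Returns the number of packets released. */
size_t dq_timer(struct delay_queue *q, unsigned long now,
                void (*send)(const unsigned char *, size_t, void *), void *ctx)
{
    size_t released = 0;
    while (q->head && q->head->due <= now) {
        struct delayed_pkt *p = q->head;
        q->head = p->next;
        if (!q->head) q->tail = &q->head;
        send(p->data, p->len, ctx);
        free(p);
        released++;
    }
    return released;
}

/* ---- constructed sample input and a capturing sender for the demo ---- */
struct capture { unsigned char last[20]; size_t calls; };

static void capture_send(const unsigned char *d, size_t len, void *ctx)
{
    struct capture *c = ctx;
    memcpy(c->last, d, len < sizeof c->last ? len : sizeof c->last);
    c->calls++;
}

/* Minimal 20-byte IPv4 header with the given destination (constructed). */
static void make_ipv4(unsigned char *buf, uint32_t daddr)
{
    memset(buf, 0, 20); buf[0] = 0x45; memcpy(buf + 16, &daddr, sizeof daddr);
}

/* Feed one matching and one non-matching packet at tick 0 with a 2-tick hold,
 * overwrite the originals, run the timer at `tick`. Returns released*10 +
 * (1 if the released bytes are still the original packet), -1 on a wrong verdict. */
int demo(unsigned long tick)
{
    struct delay_queue q; struct capture cap = {{0}, 0};
    unsigned char a[20], b[20];
    uint32_t target = 0x1f00000a;   /* literal from the post: 10.0.0.31 on a little-endian host */
    dq_init(&q, 2, target);
    make_ipv4(a, target); make_ipv4(b, 0x0100000a);
    enum verdict va = dq_hook(&q, a, 20, 0), vb = dq_hook(&q, b, 20, 0);
    memset(a, 0xff, 20);            /* the caller's buffer is gone; the copy must not care */
    size_t n = dq_timer(&q, tick, capture_send, &cap);
    int intact = cap.calls == 1 && cap.last[0] == 0x45 && memcmp(cap.last + 16, &target, 4) == 0;
    dq_timer(&q, ~0UL, capture_send, &cap);   /* drain so the demo leaks nothing */
    return (va == V_DELAY && vb == V_ACCEPT) ? (int)n * 10 + intact : -1;
}
```

Running demo(1) releases nothing (the packet is not yet due), demo(2) releases exactly one packet whose bytes still match the original even though the caller's buffer was overwritten. In a kernel version the copy would be skb_copy rather than skb_clone, the queue would be walked from the add_timer callback, the callback would hand the skb to the transmit path, and the hook would return after queuing without any sleep_on call, since the hook runs in a context that must not block.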