analysing packets in user space process

2006-01-17 Thread Edmond Dantes
I would like to do some content analysis on packets from a user space process,
something like a L7 filter. rdr seems the way to go, but I cannot understand
how to get the packets back into pf so it can continue with the rules and
maintain state info.

Suggestions?

TIA
/ED


Re: Warning: Sangoma S518 DSL card no longer OpenBSD compatible

2006-01-17 Thread eric
On Tue, 2006-01-17 at 15:27:20 -0700, Chris 'Xenon' Hanson proclaimed...

> I just bought a Sangoma S518 ADSL card to replace my external Cisco 678,
> hoping to realize numerous benefits. Unfortunately, after receiving it, I
> discover that the new smaller-form-factor version of the card is different
> internally from the original hardware, and the existing drivers for all the
> BSDs no longer will work with it.
>
> Sangoma told me on the phone that they plan to have BSD drivers again
> maybe this year but not anytime soon.

Now maybe post this to the correct forum.

misc@openbsd.org


Re: analysing packets in user space process

2006-01-17 Thread Travis H.
You get a packet into pf by sending the packet.

There is no easy way to resume processing.  Once it has been sent to
userland, processing is over.  There's nothing to resume.

If you're asking about this, you're probably out of your depth.

You might wish to look at the ftp proxy to see how that works.
--
If I could remember the names of these particles, I would have been a botanist
  -- Enrico Fermi -- http://www.lightconsulting.com/~travis/
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B


Re: analysing packets in user space process

2006-01-17 Thread Bill Marquette
On 1/17/06, Edmond Dantes [EMAIL PROTECTED] wrote:
> I would like to do some content analysis on packets from a user space process,
> something like a L7 filter. rdr seems the way to go, but I cannot understand
> how to get the packets back into pf so it can continue with the rules and
> maintain state info.
>
> Suggestions?

Since you only seem to be doing filtering, and not modification, the
easiest method for this is likely to read in the flow via BPF then if
there's an action needing to be taken, use pfioctl() to match your
flow against the state table and delete the associated state.  This
part's the hard one, there's currently only an IOCTL (DIOCKILLSTATES)
that will kill all states between two hosts, not just a single one.

--Bill
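
The inspection half of the BPF approach described in the reply above, as an added example that is not part of the original thread and not OpenBSD code: it takes one Ethernet frame as a bpf(4) read would deliver it, checks the TCP payload for a signature, and returns the host pair whose states would then be killed through DIOCKILLSTATES (or `pfctl -k src -k dst`). The names inspect_frame, make_frame and kill_pair, the signature string and the sample frame are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Host pair to hand to DIOCKILLSTATES (or `pfctl -k src -k dst`). */
struct kill_pair { uint8_t src[4], dst[4]; };

/* Inspect one Ethernet frame as read from bpf(4). Returns 1 and fills *kp if
 * the TCP payload contains sig, 0 if not, -1 if malformed or not IPv4/TCP. */
int inspect_frame(const uint8_t *f, size_t len, const char *sig,
                  struct kill_pair *kp)
{
    size_t siglen = strlen(sig);
    if (len < 14 + 20 || f[12] != 0x08 || f[13] != 0x00)
        return -1;                      /* too short or not IPv4 */
    const uint8_t *ip = f + 14;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t tot = ((size_t)ip[2] << 8) | ip[3];
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != 6 ||
        tot > len - 14 || tot < ihl + 20 || (ip[6] & 0x1f) || ip[7])
        return -1;                      /* bad header, not TCP, or later fragment */
    const uint8_t *tcp = ip + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || ihl + doff > tot)
        return -1;                      /* TCP header runs past the packet */
    for (size_t i = 0; siglen && ihl + doff + i + siglen <= tot; i++)
        if (memcmp(tcp + doff + i, sig, siglen) == 0) {
            memcpy(kp->src, ip + 12, 4);
            memcpy(kp->dst, ip + 16, 4);
            return 1;
        }
    return 0;
}

/* Constructed sample frame: 192.0.2.10 -> 198.51.100.7, TCP, payload p. */
size_t make_frame(uint8_t *b, const char *p)
{
    size_t pl = strlen(p), tot = 40 + pl;
    memset(b, 0, 54);
    b[12] = 0x08; b[14] = 0x45; b[23] = 6; b[46] = 0x50;
    b[16] = (uint8_t)(tot >> 8); b[17] = (uint8_t)tot;
    memcpy(b + 26, "\xc0\x00\x02\x0a\xc6\x33\x64\x07", 8);   /* src, dst */
    memcpy(b + 54, p, pl);
    return 54 + pl;
}

int main(void)
{
    uint8_t buf[128]; struct kill_pair kp;
    size_t n = make_frame(buf, "X-Proto: blocked-app/1.0\r\n");
    return inspect_frame(buf, n, "blocked-app", &kp) == 1 ? 0 : 1;
}
```

Because the signature is matched per packet, a pattern split across two TCP segments is not seen; that needs stream reassembly, which this example does not do.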