
Re: userland packet filtering

On Wed, May 30, 2001 at 07:22:20PM -0400, Angelos D. Keromytis wrote:
> Actually, bpf is not too horrible an idea if we get the one-copy BPF
> stuff in the tree. The advantage is that all you have to do is turn
> forwarding off, and start tapping all interfaces. No other kernel
> support needed.

I was hoping to be able to reinject the packets before the routing
code so it wouldn't be necessary to implement routing in user code.
I also wanted to be able to protect local applications using the
user mode filter.  This is not possible with bpf, correct?

Aside from that, it would be a quick way to get started.

> That said, writing such a device is a matter of less than 500 lines of
> code (having done it twice, in different contexts). One that uses
> memory mapping for data transfers is larger, but not too horrible.

Is memory mapping going to be the fastest method performance-wise?  Can
anybody point me towards a driver or sample code that might be a good
place to start?

> Nota bene: porting a userland filter to the kernel is not as trivial
> as you might think at first, if only because you don't have to deal
> with mbufs in userland (and one tends to "cheat" in those
> circumstances, by using indices in the packet etc.) Not
> insurmountable, but you have to keep that in mind.

In order to impose more discipline on the programmers of such an interface,
perhaps the packets could be left in mbuf chains (or at least something
very similar passed to user space).

Brandin Claar
Network Analyst
Penn State Applied Research Lab
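The point Angelos raises above (a userland filter that "cheats" with flat indices into the packet does not port to kernel mbuf chains) can be illustrated by writing the filter against a copy-out accessor instead of raw pointers. The following is an added example, not code from this thread or from any BSD tree: `struct seg` is a hypothetical stand-in for a chain of non-contiguous packet segments, `pkt_copy` plays the role an accessor like `m_copydata(9)` plays in the kernel, and the packet bytes are constructed sample data. The same `filter_ipv4` then gives the same verdict whether the packet arrives as one flat buffer or split mid-header, and it drops truncated packets instead of reading past the end of a segment.

```c
/* Added example: an IPv4 filter that never indexes the packet directly, so
 * the same logic works on a flat userland buffer or a chain of segments. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical minimal stand-in for an mbuf chain: each segment holds a slice. */
struct seg {
    const uint8_t *data;
    size_t len;
    const struct seg *next;
};

/* Copy n bytes starting at packet offset off out of the chain.
 * Returns 0 on success, -1 if the packet is shorter than off+n
 * (the caller must treat -1 as "malformed", never as "zeroed"). */
static int pkt_copy(const struct seg *s, size_t off, void *dst, size_t n)
{
    uint8_t *out = dst;
    while (s != NULL && off >= s->len) {   /* skip whole segments before off */
        off -= s->len;
        s = s->next;
    }
    while (n > 0) {
        if (s == NULL) return -1;           /* ran off the end: truncated packet */
        size_t avail = s->len - off;
        size_t take = avail < n ? avail : n;
        memcpy(out, s->data + off, take);
        out += take; n -= take; off = 0;
        s = s->next;
    }
    return 0;
}

enum verdict { DROP = 0, PASS = 1 };

/* Toy policy: pass ICMP and TCP to port 22, drop everything else and
 * anything malformed. Only pkt_copy touches the packet. */
int filter_ipv4(const struct seg *pkt)
{
    uint8_t hdr[20];
    if (pkt_copy(pkt, 0, hdr, sizeof hdr) < 0) return DROP;   /* shorter than an IP header */
    if ((hdr[0] >> 4) != 4) return DROP;                       /* not IPv4 */
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;
    if (ihl < 20) return DROP;                                 /* bogus header length */
    uint8_t proto = hdr[9];
    if (proto == 1) return PASS;                               /* ICMP */
    if (proto == 6) {                                          /* TCP: look at ports */
        uint8_t ports[4];
        if (pkt_copy(pkt, ihl, ports, sizeof ports) < 0) return DROP; /* TCP header truncated */
        uint16_t dport = (uint16_t)((ports[2] << 8) | ports[3]);
        return dport == 22 ? PASS : DROP;
    }
    return DROP;
}

/* Constructed sample: IPv4 (10.0.0.1 -> 10.0.0.2), TCP 1234 -> 22, no payload. */
static const uint8_t tcp22_pkt[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2,
    0x04, 0xd2, 0x00, 0x16, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0
};
/* Constructed sample: IPv4 header only, protocol ICMP. */
static const uint8_t icmp_pkt[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x00, 0x40, 0x00, 0x40, 0x01, 0x00, 0x00,
    10, 0, 0, 1,  10, 0, 0, 2
};

/* Same packet as one flat buffer, as userland code would usually see it. */
int example_flat(void)
{
    struct seg s = { tcp22_pkt, sizeof tcp22_pkt, NULL };
    return filter_ipv4(&s);
}
/* Same packet split after 7 bytes, so the protocol field and the TCP ports
 * sit in the second segment; an index-based filter would misread this. */
int example_split(void)
{
    struct seg b = { tcp22_pkt + 7, sizeof tcp22_pkt - 7, NULL };
    struct seg a = { tcp22_pkt, 7, &b };
    return filter_ipv4(&a);
}
/* Packet cut off inside the TCP ports: must be dropped, not read past the end. */
int example_truncated(void)
{
    struct seg s = { tcp22_pkt, 22, NULL };
    return filter_ipv4(&s);
}
int example_icmp(void)
{
    struct seg s = { icmp_pkt, sizeof icmp_pkt, NULL };
    return filter_ipv4(&s);
}

int main(void)
{
    printf("flat=%d split=%d truncated=%d icmp=%d\n",
           example_flat(), example_split(), example_truncated(), example_icmp());
    return 0;
}
```

The filter's behaviour is defined entirely by what `pkt_copy` returns, so a kernel port only needs to replace that one routine with the real mbuf accessor; the policy code itself needs no change.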