[netnice-users] New VIF modes
From: Takashi O. <ta...@cs...> - 2004-05-31 22:31:22
Dear netnice developers,

I've committed the latest netnice patch, which supports two new features, "filter" and "port", that realize the integration of network QoS and network security.

* Filter *

filter is a packet filter (software firewall) that works inside the kernel, and can filter out packets much faster than other firewall implementations, thanks to its JIT-assembler.

for testing, use the vf command:

  netnice-2.1/contrib/pcap/vf /proc/network/vif_of_your_choice/filter rule

this will compile the rule into filter code, and write it into the VIF filter specified in the 1st argument. write the filter rule in BPF filter format. for example, if you want to allow access from a machine, pooh:

  vf /proc/network/fxp0/filter "src pooh or dst pooh"

* Port *

port is a BPF-compatible packet capture interface. using port, you can tap the network I/O of a process, socket, etc. with libpcap applications, such as tcpdump and ethereal. for this purpose, you'll need to steal the device access of BPF, as follows.

  % cd /dev/
  % rm bpf0
  % ln -s /proc/network/vif_of_your_choice/port ./bpf0

* divert VIF *

using the mechanisms above, we can use a VIF as a diverting interface, which diverts packets from the kernel to userspace, and returns them back to the original flow. for testing, use:

  % netnice-2.1/contrib/pcap/divert /proc/network/vif_of_your_choice

to monitor the diverting status, the following option might be useful.

  % sysctl -w net.netnice.monitor_divert=1

the code is in CVS. I'll take a snapshot and upload it to sourceforge shortly.

enjoy!

-- taka
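The post says the VIF filter takes a rule in BPF filter format, compiles it to filter code and evaluates it in the kernel. The following is an added example, not netnice code and not output of its compiler: a small interpreter for classic BPF bytecode, with a hand-assembled program equivalent to a rule of the form "src HOST or dst HOST" for IPv4 over Ethernet, run over constructed frames. The address 10.0.0.1 and the frames are made-up test data; the opcode values are the standard classic-BPF ones. It shows what such a rule reduces to, and why an out-of-range load (a truncated frame) rejects the packet rather than reading past it.

```python
"""Classic BPF evaluation of a 'src HOST or dst HOST' rule (added example, not netnice code)."""
import struct

# Classic BPF opcode fields (as in <linux/filter.h> / <net/bpf.h>).
BPF_LD, BPF_JMP, BPF_RET = 0x00, 0x05, 0x06
BPF_W, BPF_H = 0x00, 0x08
BPF_ABS, BPF_K = 0x20, 0x00
BPF_JEQ = 0x10

LDH_ABS = BPF_LD | BPF_H | BPF_ABS   # 0x28: A = 16-bit word at [k]
LD_ABS = BPF_LD | BPF_W | BPF_ABS    # 0x20: A = 32-bit word at [k]
JEQ_K = BPF_JMP | BPF_JEQ | BPF_K    # 0x15: pc += (A == k) ? jt : jf
RET_K = BPF_RET | BPF_K              # 0x06: return k (bytes to accept)

ETH_P_IP = 0x0800
ACCEPT = 0xFFFF   # "ret #65535": pass the whole packet
DROP = 0          # "ret #0": drop it


def ip2int(dotted):
    """'10.0.0.1' -> 0x0A000001."""
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")


def host_filter(host):
    """Hand-assembled equivalent of 'src HOST or dst HOST' for IPv4 over Ethernet.
    Each instruction is (code, jt, jf, k), the layout of struct sock_filter;
    jump offsets are relative to the following instruction."""
    k = ip2int(host)
    return [
        (LDH_ABS, 0, 0, 12),      # A = EtherType
        (JEQ_K, 0, 5, ETH_P_IP),  # not IPv4 -> DROP
        (LD_ABS, 0, 0, 26),       # A = IPv4 source address (14 + 12)
        (JEQ_K, 2, 0, k),         # src matches -> ACCEPT
        (LD_ABS, 0, 0, 30),       # A = IPv4 destination address (14 + 16)
        (JEQ_K, 0, 1, k),         # dst matches -> ACCEPT, else DROP
        (RET_K, 0, 0, ACCEPT),
        (RET_K, 0, 0, DROP),
    ]


def run_bpf(prog, pkt):
    """Interpret a classic BPF program over one frame.
    A load beyond the end of the frame terminates with 0 (reject),
    the same safe behaviour the in-kernel filter has."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LDH_ABS:
            if k + 2 > len(pkt):
                return DROP
            acc = struct.unpack_from("!H", pkt, k)[0]
        elif code == LD_ABS:
            if k + 4 > len(pkt):
                return DROP
            acc = struct.unpack_from("!I", pkt, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError("unsupported BPF opcode 0x%02x" % code)
    return DROP  # fell off the end of the program: reject


def build_frame(src_ip, dst_ip, ethertype=ETH_P_IP):
    """Constructed Ethernet frame with a minimal IPv4 header (test data only)."""
    eth = b"\x02" * 6 + b"\x02" * 6 + struct.pack("!H", ethertype)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20, 0, 0, 64, 6, 0,
                     ip2int(src_ip).to_bytes(4, "big"),
                     ip2int(dst_ip).to_bytes(4, "big"))
    return eth + ip


if __name__ == "__main__":
    prog = host_filter("10.0.0.1")
    cases = [
        ("10.0.0.5 -> 10.0.0.1", build_frame("10.0.0.5", "10.0.0.1")),
        ("10.0.0.1 -> 10.0.0.9", build_frame("10.0.0.1", "10.0.0.9")),
        ("10.0.0.5 -> 10.0.0.6", build_frame("10.0.0.5", "10.0.0.6")),
        ("ARP frame", build_frame("10.0.0.1", "10.0.0.9", ethertype=0x0806)),
        ("truncated frame", build_frame("10.0.0.5", "10.0.0.1")[:20]),
    ]
    for desc, frame in cases:
        print("%-22s %s" % (desc, "accept" if run_bpf(prog, frame) else "drop"))
```

The interpreter is deliberately limited to the four opcodes the rule needs; a real BPF engine (and the JIT the post mentions) also validates the program before loading it, so that every jump stays inside the program and every load stays inside the packet.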