Menu
▾
▴
Re: [Snort-inline-users] pf divert sockets and OpenBSD
|
From: Jason I. <ja...@co...> - 2004-09-17 21:30:09
|
On Fri, Sep 17, 2004 at 02:10:41PM -0500, Will Metcalf wrote: > List, > > Any brilliant *BSD pf programmers out there have any bright idea's how > we can get pf traffic sent to user space? The only thing I can find > so far that looks somewhat useful is the pflog0 interface. From what > I can see we can block out traffic, grab it from pflog0, rewrite it in > user space and re-inject it via pcap or libnet. This is a really bad > solution, and I really don't want to write an interface for > snort_inline to use this. I'm taking suggestions...... There exists a patch out there that adds a new rule 'pf-ask'. It logged the rule with pflog0 (I believe), you sniffed there and it came with an ID. You then ioctl()'d back on /dev/pf if you wanted to pass the packet, or just handle it in userland. Latency was really bad.. I've very slowly been working on a 'pipe' option to 'pipe' out packets to userland and not retain the packet in an in-kernel queue. Not sure if this is any more graceful than the pflog option (but you can tell whats to be piped and whats just being dropped/logged). But the idea is to be able to pipe the packet back into pf for forwarding so all state data is retained. Not sured if this would be blessed by the proper pf people or not. |