Menu
▾
▴
Re: [Snort-inline-users] pf divert sockets and OpenBSD
|
From: Will M. <wil...@gm...> - 2004-09-18 02:27:50
|
Jason, Sounds good to me, and sounds much more graceful than pflog0. Let me know if there is anything I can do to help. Regards, Will On Fri, 17 Sep 2004 15:31:06 -0600, Jason Ish <ja...@co...> wrote: > > > On Fri, Sep 17, 2004 at 02:10:41PM -0500, Will Metcalf wrote: > > List, > > > > Any brilliant *BSD pf programmers out there have any bright idea's how > > we can get pf traffic sent to user space? The only thing I can find > > so far that looks somewhat useful is the pflog0 interface. From what > > I can see we can block out traffic, grab it from pflog0, rewrite it in > > user space and re-inject it via pcap or libnet. This is a really bad > > solution, and I really don't want to write an interface for > > snort_inline to use this. I'm taking suggestions...... > > There exists a patch out there that adds a new rule 'pf-ask'. It > logged the rule with pflog0 (I believe), you sniffed there and it came > with an ID. You then ioctl()'d back on /dev/pf if you wanted to pass > the packet, or just handle it in userland. > > Latency was really bad.. > > I've very slowly been working on a 'pipe' option to 'pipe' out packets > to userland and not retain the packet in an in-kernel queue. Not sure > if this is any more graceful than the pflog option (but you can tell > whats to be piped and whats just being dropped/logged). But the idea > is to be able to pipe the packet back into pf for forwarding so all > state data is retained. Not sured if this would be blessed by the > proper pf people or not. > |
