Jason,
Sounds good to me, and sounds much more graceful than pflog0. Let me
know if there is anything I can do to help.
Regards,
Will
On Fri, 17 Sep 2004 15:31:06 -0600, Jason Ish <ja...@co...> wrote:
>
>
> On Fri, Sep 17, 2004 at 02:10:41PM -0500, Will Metcalf wrote:
> > List,
> >
> > Any brilliant *BSD pf programmers out there have any bright idea's how
> > we can get pf traffic sent to user space? The only thing I can find
> > so far that looks somewhat useful is the pflog0 interface. From what
> > I can see we can block out traffic, grab it from pflog0, rewrite it in
> > user space and re-inject it via pcap or libnet. This is a really bad
> > solution, and I really don't want to write an interface for
> > snort_inline to use this. I'm taking suggestions......
>
> There exists a patch out there that adds a new rule 'pf-ask'. It
> logged the rule with pflog0 (I believe), you sniffed there and it came
> with an ID. You then ioctl()'d back on /dev/pf if you wanted to pass
> the packet, or just handle it in userland.
>
> Latency was really bad..
>
> I've very slowly been working on a 'pipe' option to 'pipe' out packets
> to userland and not retain the packet in an in-kernel queue. Not sure
> if this is any more graceful than the pflog option (but you can tell
> whats to be piped and whats just being dropped/logged). But the idea
> is to be able to pipe the packet back into pf for forwarding so all
> state data is retained. Not sured if this would be blessed by the
> proper pf people or not.
>
|
