Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 14 Jun 2004 13:28:06 -0400
From:      James Housley <jim@Thehousleys.net>
To:        freebsd-net@FreeBSD.org
Subject:   Re: Using netgraph for filtering/modifing packets
Message-ID:  <40CDE026.3040502@Thehousleys.net>
In-Reply-To: <Pine.BSF.4.21.0406141016280.30464-100000@InterJet.elischer.org>
References:  <Pine.BSF.4.21.0406141016280.30464-100000@InterJet.elischer.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
This is a cryptographically signed message in MIME format.

--------------ms000506070009080700090807
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Julian Elischer wrote:
> 
> On Mon, 14 Jun 2004, James Housley wrote:
> 
> 
>>For testing of a product I would like to be able to modify or even drop
>>packets based on their content.  What I have in mind is forcing the
>>packets through a firewall that would redirect all packet to a netgraph
>>node that would either pass unchanged, drop or change the contents to
>>assist in testing some corner cases in the code.
>>
>>1) is this something doable with netgraph, I believe it is.
> 
> 
> yes
> 
> 
> 
>>2) what might be a good place to start?  Have done some searching, but
>>haven't found any example code I thought I could start from.
> 
> 
> What sort of filter do you need?
> 
> you can pass packets to netgraph from ipfw by diverting them and
> openning a divert socket with teh ksocket node..
> 
> Or you can pick them directly from the network interface
> and filter yourself using the 'bpf' node type to select 
> on something.
> or you can use the etf type of node to filter on a particular 
> ethertype..
> 
> there are a lot of options but I don't knw your application enough :-)
> 

I have a product that is connected to a PC via eithernet.  The product 
runs FBSD, but I would likely put another FBSD box in the middle.  I want 
to be able modify packets for good and evil based on the data portion of 
the packet.

For example to ocasionally drop a packet that is acking some command.  Or 
send an ack for a command that was never sent.  Or just change data to be 
invalid.

Then after messing with the data portion put it back in the queue to be 
sent, if it wasn't just dropped.

Jim

-- 
/"\   ASCII Ribbon Campaign  .
\ / - NO HTML/RTF in e-mail  .
  X  - NO Word docs in e-mail .
/ \ -----------------------------------------------------------------
jeh@FreeBSD.org      http://www.FreeBSD.org     The Power to Serve
jim@TheHousleys.Net  http://www.TheHousleys.net
---------------------------------------------------------------------
"Eagles may soar, but weasels don't get sucked into jet engines"
     -- Anon

--------------ms000506070009080700090807
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJIzCC
AuwwggJVoAMCAQICAwucmTANBgkqhkiG9w0BAQQFADBiMQswCQYDVQQGEwJaQTElMCMGA1UE
ChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNv
bmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDQwMTMxMTkxMTAwWhcNMDUwMTMwMTkxMTAw
WjBeMRAwDgYDVQQEEwdIb3VzbGV5MQ4wDAYDVQQqEwVKYW1lczEWMBQGA1UEAxMNSmFtZXMg
SG91c2xleTEiMCAGCSqGSIb3DQEJARYTamltQHRoZWhvdXNsZXlzLm5ldDCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAM70siVrpNeIN29fGXTeZx4DuD8BQDzS4F9QLhypRRv2
aL+B1DvaX3spU9O7TktIKeXwJ4pN7iiL6RFXX53QdyXht96ILFVuSsYxM3vaAI+M446KmMKL
1PT033SFCQVb8/DsbJPGQqMauWfon9hdjx8B+PqZyMDRoprj2mJrlUtaGwUGDMYzsE+qG+dY
v20Z9JH1nXVxMpsktz1kON2oFWmemobcoGO2swhb5CmG7KYiKKZW/ItsDwhu5ZebeB63UkUl
SL/+GiUPiieGxnptEDYf5RH/wdN/29I7IeZuab8YajAk2WO+68vAYA3+d/nTgX9YCeGdkPS6
9KxDELa7c8MCAwEAAaMwMC4wHgYDVR0RBBcwFYETamltQHRoZWhvdXNsZXlzLm5ldDAMBgNV
HRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUAA4GBALGpfU4DorG1pNJyzuGAeJY0QWUrZMDmryk/
r08DfcBpE/BicfJXEuee41NWh+7Y2Y4fVdaAo5UAtjDjj8novARRt2rtGv9M9+7OKoTsx20O
JKNBCiJWc53MscEapsc4fvvCl2Cf/TBl1AESJgTkjHHxoyTDNaadvV0lowHakwhOMIIC7DCC
AlWgAwIBAgIDC5yZMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxU
aGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg
RnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNDAxMzExOTExMDBaFw0wNTAxMzAxOTExMDBaMF4x
EDAOBgNVBAQTB0hvdXNsZXkxDjAMBgNVBCoTBUphbWVzMRYwFAYDVQQDEw1KYW1lcyBIb3Vz
bGV5MSIwIAYJKoZIhvcNAQkBFhNqaW1AdGhlaG91c2xleXMubmV0MIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAzvSyJWuk14g3b18ZdN5nHgO4PwFAPNLgX1AuHKlFG/Zov4HU
O9pfeylT07tOS0gp5fAnik3uKIvpEVdfndB3JeG33ogsVW5KxjEze9oAj4zjjoqYwovU9PTf
dIUJBVvz8Oxsk8ZCoxq5Z+if2F2PHwH4+pnIwNGimuPaYmuVS1obBQYMxjOwT6ob51i/bRn0
kfWddXEymyS3PWQ43agVaZ6ahtygY7azCFvkKYbspiIoplb8i2wPCG7ll5t4HrdSRSVIv/4a
JQ+KJ4bGem0QNh/lEf/B03/b0jsh5m5pvxhqMCTZY77ry8BgDf53+dOBf1gJ4Z2Q9Lr0rEMQ
trtzwwIDAQABozAwLjAeBgNVHREEFzAVgRNqaW1AdGhlaG91c2xleXMubmV0MAwGA1UdEwEB
/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAsal9TgOisbWk0nLO4YB4ljRBZStkwOavKT+vTwN9
wGkT8GJx8lcS557jU1aH7tjZjh9V1oCjlQC2MOOPyei8BFG3au0a/0z37s4qhOzHbQ4ko0EK
IlZzncyxwRqmxzh++8KXYJ/9MGXUARImBOSMcfGjJMM1pp29XSWjAdqTCE4wggM/MIICqKAD
AgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy
biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5n
MSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtU
aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZy
ZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQsw
CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG
A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2vX8MOmHy
v1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9A74r/rsY
Pge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEwEgYDVR0T
AQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRwOi8vY3JsLnRoYXd0ZS5jb20v
VGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8EBAMCAQYwKQYDVR0RBCIwIKQe
MBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqGSIb3DQEBBQUAA4GBAEiM0VCD
6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQcUCCTcDz9reFhYsPZOhl+hLGZ
GwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u9uo05RAaWzVNd+NWIXiC
3CEZNd4ksdMdRv9dX2VPMYIDOzCCAzcCAQEwaTBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMc
VGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFs
IEZyZWVtYWlsIElzc3VpbmcgQ0ECAwucmTAJBgUrDgMCGgUAoIIBpzAYBgkqhkiG9w0BCQMx
CwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wNDA2MTQxNzI4MDdaMCMGCSqGSIb3DQEJ
BDEWBBQ0ImqciWgqokQMUu2aXxQol30eSDBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMH
MA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIB
KDB4BgkrBgEEAYI3EAQxazBpMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29u
c3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwg
SXNzdWluZyBDQQIDC5yZMHoGCyqGSIb3DQEJEAILMWugaTBiMQswCQYDVQQGEwJaQTElMCMG
A1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBl
cnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECAwucmTANBgkqhkiG9w0BAQEFAASCAQA8Tol3
+QoAOCENab4Auny3IwcirOI9PKpZmZk2KbgodPl/aB9sEp0kobVU7GVFkwvWiVpIUv2uoGR4
1kdbzlUFvWyHmM9FQX3GPe+ZFWFxIWUnzoBP2nBsf/drPvqJCx7fVzTIReyUfl4LXspNolB+
bUHKzMeCGqg6YWgE/EXjSH1QhXYHXcovb4cE/BN3XYN5dwwpFwyC7ii1J4VvN02KSBwFSboU
QwYILOwMeL+yU4IZ09BbT1NJ/L7c9yj+0vUDQf3bTXZs47dZBAoA/VYFiO2gzFWUgYGi1uHb
BmWEV2L+TaW4ie7SMa2ry9/9oP5RxJKCL7gVmS+iyZIF2w4DAAAAAAAA
--------------ms000506070009080700090807--

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40CDE026.3040502>