From owner-freebsd-ipfw Fri Sep 1 6: 9:41 2000
Delivered-To: freebsd-ipfw@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id C16C337B423 for ; Fri, 1 Sep 2000 06:09:38 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id JAA38724; Fri, 1 Sep 2000 09:09:21 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Fri, 1 Sep 2000 09:09:21 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: Bill Fumerola
Cc: Scott Blachowicz , Daryl Chance , FreeBSD IPFW
Subject: Re: ipfw add exec(blah)....
In-Reply-To: <20000828191926.O33771@jade.chc-chimes.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 28 Aug 2000, Bill Fumerola wrote:

> On Mon, Aug 28, 2000 at 04:13:44PM -0700, Scott Blachowicz wrote:
>
> > Well...ipfw can log to syslog and syslogd can run a command on receipt
> > of messages - check 'man syslog.conf' for details. I'd guess that
> > since the capability is already there in that form, it shouldn't be
> > necessary to stick it in ipfw "itself".
>
> Yes. Matt Ayres and I discussed this today and we pretty much both agreed
> that this would be the work of an external daemon monitoring the packet
> count or looking for specific syslog type things.
>
> The logistics of trying to make ipfw run a program isn't something I'd
> like to think about either.

Another possibility, if you don't mind overhead, is to have a daemon listening on an IPDIVERT of the relevant packets, and the daemon can perform whatever action is necessary.
You're already going to have a transition to userland or even a userland context switch by virtue of the desire to exec, and managing it this way would provide access to the packet for the purposes of more complex decision making, as well as immediate notification as opposed to polling of counters or log entries. And depending on the requirements, the daemon could exec something, or perform the action directly itself, and optionally reinsert the packet for IP stack processing.

Robert N M Watson

robert@fledge.watson.org http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
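
The divert-socket daemon described in the reply above, as an added example that is not part of the original message or of FreeBSD's own code. The divert port 4000, the watched TCP port 23, the ipfw rule in the comment and the choice to drop malformed packets are assumptions; it uses the `socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT)` form and compiles to a stub where that constant is absent.

```c
/* Added example: divert(4) daemon. Assumed rule feeding it:
 *   ipfw add 100 divert 4000 tcp from any to any 23 in */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define DIVERT_PORT 4000   /* assumed; must match the ipfw rule */
#define WATCH_PORT  23     /* assumed TCP port of interest */

enum verdict { V_REINJECT, V_DROP, V_ACT_AND_REINJECT };

/* Decide on one raw IPv4 packet as delivered by the divert socket. */
enum verdict inspect(const unsigned char *p, size_t len)
{
    if (len < 20 || (p[0] >> 4) != 4) return V_DROP;        /* not IPv4 */
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 4) return V_DROP;           /* bad IHL or truncated */
    if (p[9] != IPPROTO_TCP) return V_REINJECT;
    if ((((p[6] & 0x1f) << 8) | p[7]) != 0) return V_REINJECT; /* later fragment: no TCP header */
    unsigned dport = ((unsigned)p[ihl + 2] << 8) | p[ihl + 3];
    return dport == WATCH_PORT ? V_ACT_AND_REINJECT : V_REINJECT;
}

int main(void)
{
#ifdef IPPROTO_DIVERT
    unsigned char buf[65535];
    struct sockaddr_in sin, from;
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(DIVERT_PORT);
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) { perror("divert"); return 1; }
    for (;;) {
        socklen_t fl = sizeof from;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) continue;
        enum verdict v = inspect(buf, (size_t)n);
        if (v == V_ACT_AND_REINJECT)   /* act directly here, or fork/exec a handler */
            fprintf(stderr, "match: %zd-byte packet to port %d\n", n, WATCH_PORT);
        if (v != V_DROP)               /* same sockaddr: reinserted in the same direction */
            sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&from, fl);
    }
#else
    fputs("divert sockets are not available on this platform\n", stderr);
    return 1;
#endif
}
```

A packet that is read from the divert socket and never written back is dropped, so the daemon must stay running and keep up with traffic for the diverted flow to pass.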