From owner-freebsd-hackers Fri Mar 14 09:45:06 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id JAA01135 for hackers-outgoing; Fri, 14 Mar 1997 09:45:06 -0800 (PST)
Received: from freefall.freebsd.org (localhost.cdrom.com [127.0.0.1]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA01129 for ; Fri, 14 Mar 1997 09:45:04 -0800 (PST)
Message-Id: <199703141745.JAA01129@freefall.freebsd.org>
To: freebsd-hackers
Subject: Pre/Post processing IP packets
Date: Fri, 14 Mar 1997 09:45:03 -0800
From: "John H. Aughey"
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

I want to be able to pre-process and post-process IP packets which are received by a network interface or are going out a network interface. Basically I want to be able to look at an IP packet immediately after it's received by an interface, fiddle around with the packet, and then pass the modified packet back to the kernel for further processing. In the same way I want to look at a packet that is going out an interface, fiddle around with the packet, and then pass the modified packet back to the kernel for actual transmission.

This is for some experimental work I want to do with IPSec. I really want all this processing to be done in user land. It looks like the bpf is close, but it appears it's passive rather than active. There is some code written for Linux which runs entirely in kernel mode which frankly scares me, especially if more of the IPSec is implemented.

Does anyone have any suggestions?

Originally I was using the tunnel device and would set up static routes, which would work if it's being used as a security gateway, but causes problems if you want to have packets IPSec'ed that originate from or are destined to the local host. Overall, it seemed possible, but difficult to use a tunnel device for this.

-John
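The tunnel-device approach the post describes, as an added example (not code from the original message or from FreeBSD): a user-land loop reads raw IP packets the kernel has routed to a tun interface, validates and modifies them, and writes them back for the kernel to route again. Assumptions: a FreeBSD-style tun device (default path /dev/tun0, overridable on the command line) that hands the process bare IPv4 packets with no link-level prefix, and static routes already pointing the traffic of interest at that interface. The "fiddle around with the packet" step here is a placeholder, decrementing the TTL and recomputing the header checksum, standing in for whatever IPSec transform the experiment applies. The sample packet used by the checks is constructed inline, not captured traffic.

```c
/* Added example: user-land pre/post-processing of IPv4 packets via a tun
 * device.  Assumes a FreeBSD-style tun that delivers raw IP packets with
 * no header prefix.  Not the poster's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define IPV4_MIN_HDR 20

/* RFC 1071 ones-complement checksum over an IPv4 header.  Returns 0 when
 * the checksum field already present in the header is consistent. */
uint16_t ip_header_checksum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += (uint16_t)((hdr[i] << 8) | hdr[i + 1]);
    if (hlen & 1)
        sum += (uint16_t)(hdr[hlen - 1] << 8);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sanity-check a buffer read from the tun device before touching it.
 * Returns the header length on success, 0 if the packet is malformed. */
size_t ipv4_validate(const uint8_t *pkt, size_t len)
{
    if (len < IPV4_MIN_HDR) return 0;
    if ((pkt[0] >> 4) != 4) return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IPV4_MIN_HDR || hlen > len) return 0;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (total < hlen || total > len) return 0;
    if (ip_header_checksum(pkt, hlen) != 0) return 0;
    return hlen;
}

/* The modification step.  Placeholder transform: decrement TTL the way a
 * forwarding gateway would and fix the header checksum.  Returns 1 if the
 * packet should be handed back to the kernel, 0 if it should be dropped. */
int process_packet(uint8_t *pkt, size_t len)
{
    size_t hlen = ipv4_validate(pkt, len);
    if (hlen == 0) return 0;          /* drop anything that fails validation */
    if (pkt[8] <= 1) return 0;        /* TTL would expire: drop */
    pkt[8]--;
    pkt[10] = pkt[11] = 0;            /* checksum field is zero while summing */
    uint16_t csum = ip_header_checksum(pkt, hlen);
    pkt[10] = (uint8_t)(csum >> 8);
    pkt[11] = (uint8_t)(csum & 0xff);
    return 1;
}

/* Constructed sample input (not captured traffic): IPv4, no options,
 * TTL 64, protocol 17, 10.0.0.1 -> 10.0.0.2, 8-byte payload. */
size_t build_sample_packet(uint8_t *buf)
{
    static const uint8_t payload[8] = { 'h', 'e', 'l', 'l', 'o', '!', '!', '!' };
    size_t total = IPV4_MIN_HDR + sizeof payload;
    memset(buf, 0, total);
    buf[0] = 0x45;                    /* version 4, IHL 5 */
    buf[2] = (uint8_t)(total >> 8);
    buf[3] = (uint8_t)total;
    buf[8] = 64;                      /* TTL */
    buf[9] = 17;                      /* UDP */
    buf[12] = 10; buf[13] = 0; buf[14] = 0; buf[15] = 1;
    buf[16] = 10; buf[17] = 0; buf[18] = 0; buf[19] = 2;
    uint16_t csum = ip_header_checksum(buf, IPV4_MIN_HDR);
    buf[10] = (uint8_t)(csum >> 8);
    buf[11] = (uint8_t)(csum & 0xff);
    memcpy(buf + IPV4_MIN_HDR, payload, sizeof payload);
    return total;
}

/* Read packets the kernel routed to the tun, transform, write them back. */
int main(int argc, char **argv)
{
    const char *dev = argc > 1 ? argv[1] : "/dev/tun0";   /* assumed path */
    int fd = open(dev, O_RDWR);
    if (fd < 0) { perror(dev); return 1; }
    uint8_t buf[65536];
    for (;;) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n <= 0) break;
        if (process_packet(buf, (size_t)n))
            (void)write(fd, buf, (size_t)n);   /* hand modified packet back */
    }
    close(fd);
    return 0;
}
```

Writing the packet back with its destination unchanged just re-hits the same static route, which is the difficulty the post points at; a real tunnel-mode IPSec transform would wrap the packet in an outer IP header addressed to the peer gateway, so the re-injected packet takes the ordinary route out. Traffic originating on or destined to the local host never passes through the tun at all, so this loop cannot see it, as the post also notes.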