From: Archie Cobbs
Message-Id: <199703142217.OAA17382@bubba.whistle.com>
Subject: Re: Pre/Post processing IP packets
In-Reply-To: <199703141745.JAA01129@freefall.freebsd.org> from "John H. Aughey" at "Mar 14, 97 09:45:03 am"
To: jha@freefall.freebsd.org (John H. Aughey)
Date: Fri, 14 Mar 1997 14:17:00 -0800 (PST)
Cc: freebsd-hackers@freefall.freebsd.org

> I want to be able to pre-process and post-process IP packets which
> are received by a network interface or are going out a network
> interface. Basically I want to be able to look at an IP packet
> immediately after it's received by an interface, fiddle around with
> the packet, and then pass the modified packet back to the kernel
> for further processing. In the same way I want to look at a packet
> that is going out an interface, fiddle around with the packet, and
> then pass the modified packet back to the kernel for actual
> transmission.
>
> This is for some experimental work I want to do with IPSec. I
> really want all this processing to be done in user land. It looks
> like the bpf is close, but it appears it's passive rather than
> active. There is some code written for Linux which runs entirely
> in kernel mode which frankly scares me, especially if more of the
> IPSec is implemented.
>
> Does anyone have any suggestions? Originally I was using the tunnel
> device and would set up static routes which would work if it's being
> used as a security gateway, but causes problems if you want to have
> packets IPSec'ed that originate from or are destined to the local
> host. Overall, it seemed possible, but difficult to use a tunnel
> device for this.

man divert :-)

-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com
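The mechanism Archie points to, as an added example that is not part of the original thread: the user-land side of a FreeBSD divert(4) socket, together with the IPv4 header validation and checksum repair a process should perform before handing a packet it has touched back to the kernel. The divert port 8668 and the ipfw rule assumed to feed it (something like `ipfw add divert 8668 ip from any to any`) are assumptions; the socket loop compiles only on FreeBSD, while the header helpers are portable and run against a constructed sample packet.

```c
#include <stddef.h>
#include <stdint.h>
/* RFC 1071 one's-complement sum over an even-length IPv4 header; run over a
 * header whose own checksum field is correct, the result is 0. */
uint16_t ipv4_header_checksum(const uint8_t *hdr, size_t hlen) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);   /* fold carries */
    return (uint16_t)~sum;
}
/* Check a diverted datagram before modifying or reinjecting it: returns the
 * header length, or 0 if it should be dropped (bad version, IHL, total length
 * or header checksum). Length fields are in network byte order. */
size_t ipv4_validate(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t hlen = (pkt[0] & 0x0f) * 4;
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];
    if (hlen < 20 || hlen > len || total < hlen || total > len) return 0;
    return ipv4_header_checksum(pkt, hlen) == 0 ? hlen : 0;
}
/* After "fiddling" with header fields, recompute the checksum so the packet
 * handed back to the kernel is internally consistent. Returns the new value. */
uint16_t ipv4_fix_checksum(uint8_t *pkt, size_t hlen) {
    pkt[10] = pkt[11] = 0;
    uint16_t c = ipv4_header_checksum(pkt, hlen);
    pkt[10] = c >> 8; pkt[11] = c & 0xff;
    return c;
}
/* Constructed sample (not a captured packet): ICMP, 10.0.0.1 -> 10.0.0.2,
 * TTL 64, checksum field left zero so ipv4_fix_checksum() has to fill it. */
uint8_t sample_pkt[20] = { 0x45,0,0,20, 0,1,0,0, 64,1,0,0, 10,0,0,1, 10,0,0,2 };
#ifdef __FreeBSD__   /* the divert(4) loop itself; port 8668 is an assumption */
#include <sys/socket.h>
#include <netinet/in.h>
int main(void) {
    int s = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(8668) };
    if (s < 0 || bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) return 1;
    for (;;) {   /* each recvfrom() is one packet ipfw diverted to port 8668 */
        uint8_t buf[65535]; socklen_t sl = sizeof sin;
        ssize_t n = recvfrom(s, buf, sizeof buf, 0, (struct sockaddr *)&sin, &sl);
        size_t hl = n > 0 ? ipv4_validate(buf, (size_t)n) : 0;
        if (!hl) continue;                      /* malformed: never reinject */
        /* ... modify header or payload here, then restore consistency ... */
        ipv4_fix_checksum(buf, hl);
        sendto(s, buf, (size_t)n, 0, (struct sockaddr *)&sin, sl); /* reinject */
    }
}
#endif
```

Sending back on the same socket with the unchanged sockaddr is what makes the kernel continue processing the packet in its original direction; a packet that fails validation is simply not sent back, which drops it.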