Do pfil(9) hooks receive TCP retransmissions?

R. Tyler Croy tyler at monkeypox.org
Mon Nov 25 19:14:49 UTC 2013


On Mon, 25 Nov 2013, Frank Knobbe wrote:

> On Mon, Nov 25, 2013 at 10:12:32AM -0800, R. Tyler Croy wrote:
> > I'm looking at the pfil(9) interface to accomplish some packet inspection
> > tasks, but the man page leaves some ambiguity in this case.
> > 
> > If the hooks are not invoked multiple times for retransmissions then I can
> > imagine it being relatively "simple" to implement a basic firewall with these
> > hooks without implementing loads of state tracking for packets.
> 
> I'm not sure if I follow. Typically you only have one function that gets
> "hooked" into the pfil chain. That function will receive ALL packets leaving
> or entering the system. It's up to your code to check for the interface,
> apply state tracking, or whatever other checks need to be performed. For a
> very basic firewall (just dropping traffic from/to a certain IP address or
> a certain port or protocol) you probably don't need to track state.
> 
> If the packet passes your filter criteria and is to be passed on (down the
> chain of other firewalls), your function is to return 0. If you need to
> filter the packet, your function needs to a) m_freem the mbuf, and 
> b) return -1. That'll drop the packet and it won't be passed on to other
> firewalls in the chain or the system.


Let's say for example I wanted to filter out a specific HTTP response, just as
a more complex kind of traffic on top of the TCP stream. Would my hook be
invoked for packets 1-100 of the HTTP response 100 times, or could it be
invoked any number of times depending on whether there are retransmissions of
various packets?


My goal is not necessarily to write a simple firewall at an IP level, but
prototype a slightly more complex firewall filtering of application layer
traffic. I'm not 100% certain pfil(9) is the right way to do this, but it's the
first useful API I've stumbled across.


> Hope that helps.

Most certainly :)

- R. Tyler Croy
--------------------------------------
    Code: https://github.com/rtyler
 Chatter: https://twitter.com/agentdero
          rtyler at jabber.org
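The question left open above, whether the hook is invoked again for retransmitted packets, follows from where pfil(9) sits: a hook runs once per packet at the IP layer and does no TCP reassembly, so a retransmitted segment reaches the hook as a separate call. What follows is an added example, not code from this thread or from FreeBSD; it is a userland C model of such a hook that filters an application-layer pattern by keeping per-flow TCP sequence state, so repeated bytes are recognised as already seen and the pattern is matched against the reassembled stream rather than against one packet. The `segment` and `flow` structs, the `hook` and `run_constructed_trace` functions, the `X-Block: yes` marker and the four-segment trace are all assumptions made for the example; a kernel hook would parse these fields out of the mbuf and use the return convention quoted above (0 to pass, m_freem plus -1 to drop).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS 0    /* hook verdict: let the packet continue down the pfil chain */
#define DROP (-1) /* hook verdict: packet consumed (a kernel hook would m_freem it) */

/* Constructed view of one TCP segment after header parsing. A real pfil hook
 * receives an mbuf chain and would extract these fields itself. */
struct segment {
    uint32_t    seq;      /* sequence number of the first payload byte */
    const char *payload;  /* payload bytes (text in this model) */
    size_t      len;      /* payload length */
};

/* Per-flow state the filter must keep itself; pfil provides none. One flow only. */
struct flow {
    bool     started;
    uint32_t next_seq;     /* next sequence number the filter expects */
    char     buf[256];     /* bounded window of the reassembled stream */
    size_t   used;
    unsigned calls;        /* hook invocations, one per segment delivered */
    unsigned retransmits;  /* segments whose bytes were already seen */
    unsigned dropped;
};

/* Hypothetical marker the filter refuses to let through. */
static const char *blocked_marker = "X-Block: yes";

/* Model of the hook body: called once per segment, exactly as pfil calls a
 * hook once per packet, so retransmissions arrive here as separate calls. */
int hook(struct flow *f, const struct segment *s)
{
    uint32_t end = s->seq + (uint32_t)s->len;  /* sequence number after this segment */
    size_t   skip = 0;

    f->calls++;
    if (!f->started) {
        f->started = true;
        f->next_seq = s->seq;
    }
    /* Every byte precedes next_seq: a pure retransmission, nothing new to match. */
    if ((int32_t)(end - f->next_seq) <= 0) {
        f->retransmits++;
        return PASS;
    }
    if ((int32_t)(s->seq - f->next_seq) < 0) {
        /* Partial overlap: only the tail beyond next_seq is new. */
        f->retransmits++;
        skip = f->next_seq - s->seq;
    } else if (s->seq != f->next_seq) {
        /* Out of order: a production filter would queue it until the gap fills. */
        return PASS;
    }
    /* Append the new bytes to the window, keeping it bounded and NUL-terminated. */
    size_t n = s->len - skip;
    if (f->used + n >= sizeof f->buf)
        n = sizeof f->buf - 1 - f->used;
    memcpy(f->buf + f->used, s->payload + skip, n);
    f->used += n;
    f->buf[f->used] = '\0';
    f->next_seq = end;

    /* Match against the reassembled stream, not against this packet alone. */
    if (strstr(f->buf, blocked_marker) != NULL) {
        f->dropped++;
        return DROP;
    }
    return PASS;
}

/* Constructed trace: two in-order segments, a full retransmission of the
 * first, then the segment that completes the blocked header. Returns the
 * verdict of the last call so the whole sequence can be checked. */
int run_constructed_trace(struct flow *f)
{
    const char *p1 = "HTTP/1.1 200 OK\r\n";
    const char *p2 = "Content-Type: text/html\r\n";
    const char *p3 = "X-Block: yes\r\n";
    uint32_t base = 1000;
    struct segment trace[] = {
        { base, p1, strlen(p1) },
        { base + (uint32_t)strlen(p1), p2, strlen(p2) },
        { base, p1, strlen(p1) },  /* retransmission of the first segment */
        { base + (uint32_t)(strlen(p1) + strlen(p2)), p3, strlen(p3) },
    };
    int verdict = PASS;

    memset(f, 0, sizeof *f);
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++)
        verdict = hook(f, &trace[i]);
    return verdict;
}

int main(void)
{
    struct flow f;
    int verdict = run_constructed_trace(&f);
    printf("calls=%u retransmits=%u dropped=%u last verdict=%d\n",
           f.calls, f.retransmits, f.dropped, verdict);
    return 0;
}
```

Run as written, the hook is called four times for three distinct segments: the retransmitted copy is counted and passed without being matched again, and only the call that completes the marker in the reassembled window returns the drop verdict. That is the state tracking the question above was hoping to avoid; for an IP-level rule (address, port, protocol) none of it is needed, but anything keyed on stream content has to own its own reassembly.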