Divert code
Clement Laforet
sheepkiller at cultdeadsheep.org
Wed Sep 17 08:52:59 PDT 2003
On Wed, 17 Sep 2003 00:06:43 -0600 (MDT)
Nick Rogness <nick at rogness.net> wrote:
>
> Without knowing much about the kernel ipfw divert code, what would it
> take to make it skip the ipfw divert rule if the app that's listening
> on that port dies? Besides 'a miracle' or an 'act of god' =) Some
> general ideas or thoughts would be nice.
You need to write a daemon which removes divert rules, or simply use
supervise.
> The reason I ask is I've added a FreeBSD divert hook into the
> snort_inline code which reads from a divert socket. If snort_inline
> dies, the gateway dies (which is understandable) :-(
In fact, all diverted packets are sent to a divert socket, and the
userland app reads (modifies) and reinjects packets into the IP stack. If
your daemon dies, packets will never be reinjected.
If I were you, I would use netgraph (see ng_tee code) or bpf to implement
this kind of daemon.
regards,
clem
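As an added example, not from this thread or from snort_inline: a small sh watchdog that keeps the ipfw divert rule installed only while the daemon reading the divert socket is running, and when the daemon exits replaces it with a deny rule (fail closed) or just removes it (fail open), so packets are never queued to a socket nobody reads. Rule number 1000, divert port 8000, interface em0 and the IPFW path are assumed placeholders.

```sh
#!/bin/sh
# Added watchdog example (not from the thread or from snort_inline): keep an
# ipfw divert rule installed only while the daemon reading the divert socket
# is alive, and swap it for a fallback rule the moment the daemon exits.
# Hypothetical defaults: rule 1000, divert port 8000, interface em0.
# IPFW can be overridden with a recorder function for offline testing.

IPFW="${IPFW:-/sbin/ipfw}"
RULE_NUM="${RULE_NUM:-1000}"
DIVERT_PORT="${DIVERT_PORT:-8000}"
IFACE="${IFACE:-em0}"
FAIL_MODE="${FAIL_MODE:-closed}"   # closed: drop traffic; open: let it pass

# ipfw arguments that install the divert rule.
divert_add_args() {
    echo "add $RULE_NUM divert $DIVERT_PORT ip from any to any via $IFACE"
}

# ipfw arguments for the rule that takes the divert rule's place once the
# daemon is gone: a deny rule (fail closed) or nothing at all (fail open).
fallback_args() {
    if [ "$FAIL_MODE" = "closed" ]; then
        echo "add $RULE_NUM deny ip from any to any via $IFACE"
    fi
}

# Delete the divert rule and install the fallback. Safe to call twice.
teardown_divert() {
    $IPFW delete "$RULE_NUM" 2>/dev/null || true
    fb=$(fallback_args)
    [ -n "$fb" ] && $IPFW $fb
    return 0
}

# Run the daemon ($@) with the divert rule in place; tear down when it exits.
# Returns the daemon's exit status so a supervisor can decide whether to restart.
run_under_watchdog() {
    $IPFW $(divert_add_args) || return 1
    "$@"
    status=$?
    teardown_divert
    return $status
}

main() {
    # Also tear down if the watchdog itself is interrupted or terminated.
    trap 'teardown_divert; exit 1' INT TERM
    run_under_watchdog "$@"
}

# Usage (hypothetical): IFACE=em0 ./divert-watchdog.sh snort_inline -c snort.conf
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```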