Using netgraph for filtering/modifying packets.
Julian Elischer
julian at elischer.org
Mon Jun 14 17:45:12 GMT 2004
On Mon, 14 Jun 2004, James Housley wrote:
>
> I have a product that is connected to a PC via ethernet. The product
> runs FBSD, but I would likely put another FBSD box in the middle. I want
> to be able to modify packets for good and evil based on the data portion of
> the packet.
>
> For example to occasionally drop a packet that is acking some command. Or
> send an ack for a command that was never sent. Or just change data to be
> invalid.
>
> Then after messing with the data portion put it back in the queue to be
> sent, if it wasn't just dropped.
>
> Jim
>
Is this product running over..

1/ your own low-level protocol
   use netgraph etf node to divert packets to userland for processing by a
   program (using 'socket' node)
   example: nghook

or

2/ IP?
   2a/ UDP?
   or
   2b/ some proprietary IP protocol?
   use ipfw and 'divert' to divert to a userland program for manipulation
   example: natd or tcpmssd (in ports/net)