
Re: packet filtering as a virtual machine

On 10/25/05, Markus Friedl <[email protected]> wrote:
> On Mon, Oct 24, 2005 at 02:38:43AM -0500, Travis H. wrote:
> > Has anyone thought of modeling packet filtering/translation/queueing
> > as a virtual machine?
> BSD/OS ipfw (http://www.pix.net/software/ipfw/)
That site has some good code and links to conference papers by the way.
Looking at the filter injection points into the stacks, it looks a lot
like Linux's netfilter.  One potentially powerful change would be to
have the flow of packets through the stacks controlled by a
configurable ruleset, instead of inserting filter code at
semi-arbitrary points in the flow.  I'm not exactly sure how this
would be useful, but it strikes me as the kind of thing that could be
used in a great many ways I can't foresee.  For example, transparent
proxying would be much easier.  Perhaps you could make delivery to
sockets part of the ruleset, and give the user the ability to deliver
a packet to a socket that isn't necessarily bound to that destination
IP, with the original headers available via some socket-level
interface.  This would be similar to, but different from, creating an
"any destination" socket that is mentioned in the BSD/OS paper.
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
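Added example, not code from this thread and not from BSD/OS ipfw or Linux netfilter: a toy packet-filter virtual machine in the style the thread is discussing. A ruleset is a short program for a BPF-like instruction set (load byte, load halfword, jump-if-equal, return); the return value is not just accept/drop but also a "redirect to local port" action, and the verdict carries the original destination IP and port so that a socket receiving the redirected packet can still see where it was headed. The instruction set, the `proxy_prog` ruleset, the `verdict` struct and the sample packets are all constructed for this illustration; checksums are left at zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Actions a filter program can return to the stack. */
enum { ACT_DROP = 0, ACT_ACCEPT = 1, ACT_REDIRECT = 2 };

/* Toy instruction set, loosely modelled on classic BPF. jt/jf are absolute
   instruction indices; k is an offset (loads), a constant (jumps) or an
   encoded action (RET: low 8 bits = action, upper bits = redirect port). */
enum { OP_LDB, OP_LDH, OP_JEQ, OP_RET };
struct insn { uint8_t op; uint8_t jt; uint8_t jf; uint32_t k; };

/* What the stack gets back: the action plus the original destination, which a
   transparently proxied socket would otherwise have no way to learn. */
struct verdict {
    int      action;
    uint16_t redirect_port;   /* local port to deliver to when ACT_REDIRECT */
    uint32_t orig_dst_ip;     /* original IPv4 destination, host byte order */
    uint16_t orig_dst_port;   /* original transport destination port */
};

#define MAX_STEPS 64          /* step budget: a kernel filter must terminate */

static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Interpret prog over pkt. Any load past the end of the packet, an unknown
   opcode, a jump off the program or exhausting the step budget yields DROP. */
int run_filter(const struct insn *prog, size_t n, const uint8_t *pkt, size_t len,
               struct verdict *v)
{
    uint32_t acc = 0;
    size_t pc = 0;
    memset(v, 0, sizeof *v);
    v->action = ACT_DROP;
    for (int steps = 0; steps < MAX_STEPS && pc < n; steps++) {
        const struct insn *i = &prog[pc];
        switch (i->op) {
        case OP_LDB:
            if ((size_t)i->k >= len) return ACT_DROP;
            acc = pkt[i->k]; pc++; break;
        case OP_LDH:
            if ((size_t)i->k + 2 > len) return ACT_DROP;
            acc = get16(pkt + i->k); pc++; break;
        case OP_JEQ:
            pc = (acc == i->k) ? i->jt : i->jf; break;
        case OP_RET:
            v->action = (int)(i->k & 0xff);
            v->redirect_port = (uint16_t)(i->k >> 8);
            if (len >= 20 && (pkt[0] >> 4) == 4) {       /* record original dst */
                size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
                v->orig_dst_ip = get32(pkt + 16);
                if (ihl + 4 <= len) v->orig_dst_port = get16(pkt + ihl + 2);
            }
            return v->action;
        default:
            return ACT_DROP;
        }
    }
    return ACT_DROP;
}

#define RET(act, port) { OP_RET, 0, 0, (uint32_t)(act) | ((uint32_t)(port) << 8) }

/* Constructed ruleset: redirect TCP/80 to a local proxy on 3128, drop TCP/23,
   accept everything else. Indices in comments are the jump targets. */
static const struct insn proxy_prog[] = {
    /* 0 */ { OP_LDB, 0, 0, 0 },      /* acc = version/IHL byte              */
    /* 1 */ { OP_JEQ, 2, 9, 0x45 },   /* IPv4, 20-byte header? else DROP     */
    /* 2 */ { OP_LDB, 0, 0, 9 },      /* acc = protocol                      */
    /* 3 */ { OP_JEQ, 4, 8, 6 },      /* TCP? else ACCEPT untouched          */
    /* 4 */ { OP_LDH, 0, 0, 22 },     /* acc = TCP destination port          */
    /* 5 */ { OP_JEQ, 7, 6, 80 },     /* port 80 -> REDIRECT                 */
    /* 6 */ { OP_JEQ, 9, 8, 23 },     /* port 23 -> DROP, else ACCEPT        */
    /* 7 */ RET(ACT_REDIRECT, 3128),
    /* 8 */ RET(ACT_ACCEPT, 0),
    /* 9 */ RET(ACT_DROP, 0),
};
#define PROXY_PROG_LEN (sizeof proxy_prog / sizeof proxy_prog[0])

/* Constructed sample: minimal IPv4 header + first 4 bytes of a TCP/UDP header
   (src 10.0.0.1:40000 -> dst_ip:dport), padded to 40 bytes, checksums zero. */
size_t make_packet(uint8_t *buf, uint8_t proto, uint32_t dst_ip, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = proto;
    buf[12] = 10; buf[15] = 1;
    buf[16] = (uint8_t)(dst_ip >> 24); buf[17] = (uint8_t)(dst_ip >> 16);
    buf[18] = (uint8_t)(dst_ip >> 8);  buf[19] = (uint8_t)dst_ip;
    buf[20] = 0x9c; buf[21] = 0x40;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    return 40;
}

/* Convenience: build a sample packet to 93.184.216.34 and run the ruleset. */
int filter_sample(uint8_t proto, uint16_t dport, struct verdict *v)
{
    uint8_t buf[40]; struct verdict local;
    size_t n = make_packet(buf, proto, 0x5DB8D822u, dport);
    return run_filter(proxy_prog, PROXY_PROG_LEN, buf, n, v ? v : &local);
}

int main(void)
{
    struct verdict v;
    int a = filter_sample(6, 80, &v);
    printf("TCP/80: action=%d redirect_port=%u orig_dst=%u.%u.%u.%u:%u\n", a,
           v.redirect_port, v.orig_dst_ip >> 24, (v.orig_dst_ip >> 16) & 0xff,
           (v.orig_dst_ip >> 8) & 0xff, v.orig_dst_ip & 0xff, v.orig_dst_port);
    printf("UDP/53: action=%d\n", filter_sample(17, 53, &v));
    printf("TCP/23: action=%d\n", filter_sample(6, 23, &v));
    return 0;
}
```

The bounds checks on every load and the fixed step budget are the part worth copying: once the ruleset is a program rather than hard-wired hook code, the interpreter is the only thing standing between a bad rule and an out-of-bounds read in the stack, so it has to refuse loads past the packet and refuse to loop forever.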