If I set mbuf tags in a socket filter, can I later find those tagged packets in an IP filter?

Problem description

I am writing a Network Kernel Extension on MacOS that is comprised of a Socket Filter and an IP filter. My IP filter works as a kind of firewall; I only want to allow packets through that have been previously tagged as ALLOWED by the socket filter.

In the socket filter sf_data_out_func function, I successfully tag all the mbufs. However, in my ipf_output_func I do not seem to be able to find these tagged packets with an mbuf_tag_find().

I am tagging the packets in the socket filter as follows:

#include <sys/kpi_mbuf.h>
#include <sys/kpi_socketfilter.h>

/* Assumed declarations, not shown in the question: the module id is obtained
 * once at kext start with mbuf_tag_id_find(), and ALLOWED_PACKET is the tag
 * type this module uses for packets the socket filter has approved. */
#define ALLOWED_PACKET 1
static mbuf_tag_id_t my_tag_id;

static errno_t socket_data_out(void *cookie, socket_t so, const struct sockaddr *to, mbuf_t *data, mbuf_t *control, sflt_data_flag_t flags)
{
    if(!cookie)
        return 0;

    /* Per-socket state handed over by the attach callback (not needed here). */
    struct my_entry *entry = cookie;
    (void)entry;

    errno_t ret;

    int *tag_ref = NULL;

    /* Only the presence of the tag matters; the payload is a placeholder. */
    int value = 1;

    if((ret = mbuf_tag_allocate(*data, my_tag_id, ALLOWED_PACKET, sizeof(value), MBUF_WAITOK, (void**)&tag_ref)))
    {
        log("mbuf_tag_allocate failed");   /* log(): the kext's own logging macro */
    }
    else
    {
        *tag_ref = value;                  /* initialise the freshly allocated tag payload */
    }

    return 0;
}

and in the IP filter as follows:

#include <netinet/kpi_ipfilter.h>

static errno_t ipfilter_output(void *cookie, mbuf_t *data, ipf_pktopts_t options)
{
    errno_t    status;
    int        *tag_ref;
    size_t     len;

    /* Look for the tag the socket filter attached; a non-zero status means
     * no (my_tag_id, ALLOWED_PACKET) tag is present on this mbuf. */
    status = mbuf_tag_find(*data, my_tag_id, ALLOWED_PACKET, &len, (void**)&tag_ref);
    if(status == 0)
        log("Found an allowed packet!");

    return 0;
}

But the IP filter NEVER prints out "Found an allowed packet!".

Can an IP filter find a packet previously tagged in a socket filter?

Recommended answer

As far as I see it, there is no guarantee in the documentation that the mbuf as seen by a socket filter is the same mbuf that later on passes an IP filter. If the data is copied from one mbuf to another one, tags are not automatically copied as well.

Socket Filter and IP Filter are two different concepts of filters that don't necessarily mix very well. Either you care from which socket data has been sent or you don't. In the first case you only require a Socket Filter and in the latter one you only require an IP Filter.
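The failure mode the answer describes, shown as an added user-space model rather than code from the question or from XNU: the `model_*` functions are hypothetical stand-ins for `mbuf_tag_allocate()` / `mbuf_tag_find()`, the tag-chain layout and the module id 42 are constructed for illustration, and `model_copy_payload()` stands for any point in the stack that rebuilds a packet from its bytes. The lookup succeeds on the buffer that was tagged and fails (ENOENT, the model's choice of error) on the rebuilt copy, which is exactly what a firewall-style IP filter must not depend on.

```c
/* User-space model of mbuf tag behaviour (added example, not XNU code).
 * "model_" names are hypothetical stand-ins for the kernel KPI; the structs
 * below are an assumption for illustration, not the real struct m_tag. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_ALLOWED_PACKET 1   /* tag type, mirrors the question's ALLOWED_PACKET */

struct model_tag {
    uint32_t          id;     /* module id (what mbuf_tag_id_find would hand out) */
    uint16_t          type;   /* tag type chosen by the module */
    size_t            len;    /* length of the payload that follows */
    struct model_tag *next;
    unsigned char     data[]; /* flexible array: the tag payload */
};

struct model_mbuf {
    size_t            len;
    unsigned char     buf[256];
    struct model_tag *tags;   /* tag chain, owned by this buffer only */
};

/* Attach a tag to a buffer; returns 0 or an errno value. */
int model_tag_allocate(struct model_mbuf *m, uint32_t id, uint16_t type,
                       size_t len, void **data_p)
{
    struct model_tag *t = calloc(1, sizeof *t + len);
    if (!t)
        return ENOMEM;
    t->id = id;
    t->type = type;
    t->len = len;
    t->next = m->tags;
    m->tags = t;
    *data_p = t->data;
    return 0;
}

/* Look up a tag by (id, type); returns 0 and fills len/data_p, else ENOENT. */
int model_tag_find(const struct model_mbuf *m, uint32_t id, uint16_t type,
                   size_t *len, void **data_p)
{
    for (struct model_tag *t = m->tags; t; t = t->next) {
        if (t->id == id && t->type == type) {
            *len = t->len;
            *data_p = t->data;
            return 0;
        }
    }
    return ENOENT;
}

/* Stands for any place where the stack builds a fresh mbuf from the payload
 * between the two filters: the bytes are copied, the tag chain is not. */
struct model_mbuf *model_copy_payload(const struct model_mbuf *src)
{
    struct model_mbuf *dst = calloc(1, sizeof *dst);
    if (!dst)
        return NULL;
    dst->len = src->len;
    memcpy(dst->buf, src->buf, src->len);
    /* dst->tags stays NULL: no automatic tag propagation */
    return dst;
}

void model_mbuf_free(struct model_mbuf *m)
{
    struct model_tag *t = m ? m->tags : NULL;
    while (t) {
        struct model_tag *n = t->next;
        free(t);
        t = n;
    }
    free(m);
}

/* Runs the question's scenario end to end: tag at the "socket filter", copy,
 * look up at the "IP filter". Returns the lookup result on the copy when
 * lookup_on_copy is non-zero (ENOENT here), otherwise on the original (0). */
int model_scenario(int lookup_on_copy)
{
    const uint32_t my_tag_id = 42;               /* constructed module id */
    struct model_mbuf *m = calloc(1, sizeof *m);
    struct model_mbuf *copy = NULL;
    int *tag_ref = NULL;
    size_t len = 0;
    int rc;

    if (!m)
        return ENOMEM;
    m->len = 4;
    memcpy(m->buf, "data", 4);                   /* constructed payload */

    /* socket filter side: allocate the tag and initialise its payload */
    if (model_tag_allocate(m, my_tag_id, MODEL_ALLOWED_PACKET, sizeof(int),
                           (void **)&tag_ref) == 0)
        *tag_ref = 1;

    /* IP filter side: either the same buffer or a rebuilt one */
    copy = lookup_on_copy ? model_copy_payload(m) : m;
    rc = copy ? model_tag_find(copy, my_tag_id, MODEL_ALLOWED_PACKET, &len,
                               (void **)&tag_ref)
              : ENOMEM;

    if (copy != m)
        model_mbuf_free(copy);
    model_mbuf_free(m);
    return rc;
}
```

The design point for a defender: a deny-by-default IP filter that keys its allow decision on a tag set elsewhere will silently drop legitimate traffic whenever the tag does not travel with the bytes, so the allow decision should be made where the identifying information actually lives (the socket filter, if the socket matters; the packet headers, if it does not).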
