[Sis-SCPS-INTEREST] divert sockets VS TUN

Feighery, Patrick D. feighery at mitre.org
Thu Mar 16 13:06:48 EST 2006


Well, to answer your question, let me give you some background.
Initially the SCPS gateway was developed for the FreeBSD operating
system (8+ years ago).  Back then FreeBSD's divert mechanism allowed me
to pass packets back and forth between user and kernel space.  (As a
side note, divert also took care of reassembly.)  When I originally
tried to port the gateway functionality to Linux (6+ years ago), I
found the following web site,
http://www.anr.mcnc.org/~divert/index.shtml, where Ilia Baldine had ported
divert to Linux.  The divert function was a bunch of patch changes to a
2.2.[12|15|16|18] Linux kernel (if my memory serves me right).  It
worked, but was awkward and clunky in my opinion to get the kernel
right.  A year or two later, somebody showed me how to port the gateway
code to the tun interface.  Off the top of my head I can't recall the
person's name to give him credit.  This was much cleaner because the kernel
did not require patching.

However it looks like Ilia has been working on the divert stuff and it
now can be found at http://sourceforge.net/projects/ipdivert/.
Honestly I have not cracked this new divert stuff.  If you have and can
provide any insight I would greatly appreciate it.

As for what changes would need to be made, I'm not sure, but here is a
list of things that need to be looked at.

	1)  Opening up and managing the divert socket.  The code may be
fine as written, but one needs to make sure the syntax has not changed.
You may need to munge the ifdefs as well.

	2)  Setting up the firewall rules.  The commands that are issued
via the system() call to create/manipulate/remove the divert rules
definitely need to be changed.  If you are familiar with the
instantiation of divert rules with iptables and ipchains it should be a
syntax mapping from one to the other.

	3)  I'm sure this is probably something that I am forgetting...

Does this make sense...

Best Regards

	Pat

>>-----Original Message-----
>>From: sis-scps-interest-bounces at mailman.ccsds.org 
>>[mailto:sis-scps-interest-bounces at mailman.ccsds.org] On 
>>Behalf Of Walid Assafiri
>>Sent: Thursday, March 16, 2006 6:20 AM
>>To: sis-scps-interest at mailman.ccsds.org
>>Subject: [Sis-SCPS-INTEREST] divert sockets VS TUN
>>
>>Hi guys, 
>>
>>I'm just wondering why divert sockets on Linux are not 
>>recommended (as mentioned in the user PDF document). I found 
>>that when using TUN the packets traverse iptables more 
>>than once and this is not what I want. Also, can divert 
>>sockets be used on Linux using iptables rather than the older 
>>ipchains? What changes would need to be made?
>>
>>Thanks.
>>
>>Kind Regards,
>>Walid
>>
>>
>>_______________________________________________
>>Sis-SCPS-INTEREST mailing list
>>Sis-SCPS-INTEREST at mailman.ccsds.org
>>http://mailman.ccsds.org/cgi-bin/mailman/listinfo/sis-scps-interest
>>
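The following is an added illustration of the TUN path Pat describes in his reply; it is not code from the SCPS gateway or from either poster. It opens a Linux TUN device (the kernel-side half of the "pass packets between user and kernel space" mechanism, with no kernel patch needed) and validates the IPv4 header of every packet read from it before a gateway would act on it. The names tun_open(), ipv4_header_ok() and gateway_pass() are chosen here and are not gateway APIs; the sample packet and its checksum are constructed for the example.

```c
/* Added example, not code from the SCPS gateway: open a Linux TUN device and
 * validate each IPv4 packet read from it before a gateway touches it.
 * tun_open(), ipv4_header_ok() and gateway_pass() are names chosen here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __linux__
#include <fcntl.h>
#include <sys/ioctl.h>
#include <linux/if.h>
#include <linux/if_tun.h>
#endif

struct ipv4_summary {
    uint8_t  proto;        /* IP protocol number (6 = TCP, 17 = UDP) */
    uint16_t header_len;   /* IHL in bytes */
    uint16_t total_len;    /* Total Length field */
    uint32_t src, dst;     /* addresses in host byte order */
};

/* Open (or create) a TUN interface; returns the fd or -1 on failure.
 * IFF_NO_PI gives raw IP packets with no 4-byte packet-information prefix. */
int tun_open(const char *name)
{
#ifdef __linux__
    struct ifreq ifr;
    int fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0) return -1;
    memset(&ifr, 0, sizeof ifr);
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) { close(fd); return -1; }
    return fd;
#else
    (void)name;
    return -1;             /* TUN devices are Linux-specific */
#endif
}

/* Returns 1 and fills *out if buf[0..len) starts with a well-formed IPv4
 * header, 0 otherwise. Checks the version, the IHL range, that the declared
 * lengths fit inside the bytes actually read, and the header checksum, so a
 * short or malformed read cannot lead to out-of-bounds access downstream. */
int ipv4_header_ok(const uint8_t *buf, size_t len, struct ipv4_summary *out)
{
    if (len < 20 || (buf[0] >> 4) != 4) return 0;
    uint16_t ihl = (uint16_t)((buf[0] & 0x0f) * 4);
    if (ihl < 20 || ihl > len) return 0;
    uint16_t tot = (uint16_t)((buf[2] << 8) | buf[3]);
    if (tot < ihl || tot > len) return 0;

    /* One's-complement sum over the header, checksum field included, must fold to 0xffff. */
    uint32_t sum = 0;
    for (size_t i = 0; i < ihl; i += 2)
        sum += (uint32_t)((buf[i] << 8) | buf[i + 1]);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    if ((uint16_t)~sum != 0) return 0;

    out->proto      = buf[9];
    out->header_len = ihl;
    out->total_len  = tot;
    out->src = ((uint32_t)buf[12] << 24) | ((uint32_t)buf[13] << 16) | ((uint32_t)buf[14] << 8) | buf[15];
    out->dst = ((uint32_t)buf[16] << 24) | ((uint32_t)buf[17] << 16) | ((uint32_t)buf[18] << 8) | buf[19];
    return 1;
}

/* One pass of a user-space gateway: read a packet, drop anything whose header
 * does not check out, otherwise hand it back to the kernel unchanged. A packet
 * written to the TUN fd re-enters the IP stack as if received on that
 * interface, so it is routed and filtered a second time (which is why a
 * TUN-based gateway sees its packets in iptables more than once).
 * Returns bytes written, 0 if the packet was dropped, -1 on error. */
ssize_t gateway_pass(int fd)
{
    uint8_t buf[65536];
    struct ipv4_summary s;
    ssize_t n = read(fd, buf, sizeof buf);
    if (n < 0) return -1;
    if (!ipv4_header_ok(buf, (size_t)n, &s)) return 0;
    return write(fd, buf, (size_t)n);
}

/* Constructed sample: 28-byte IPv4/UDP packet 192.168.1.2 -> 192.168.1.3;
 * the header checksum 0xf77a was precomputed for exactly these fields. */
static const uint8_t sample_pkt[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0xf7, 0x7a,
    0xc0, 0xa8, 0x01, 0x02, 0xc0, 0xa8, 0x01, 0x03,
    0x00, 0x35, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00 };

int main(void)
{
    int fd = tun_open("tun0");   /* needs root/CAP_NET_ADMIN on Linux */
    if (fd < 0) { perror("tun_open"); return 1; }
    for (;;)
        if (gateway_pass(fd) < 0) { perror("gateway_pass"); return 1; }
}
```

The validation step is the part worth keeping whatever transport is used: both a divert socket and a TUN device hand user space raw, unauthenticated bytes, and the gateway must bound every length it trusts by the number of bytes it actually read.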
