Firewall module & packet delay.

Janne Pänkälä (epankala@cc.hut.fi)
Tue, 7 Sep 1999 09:26:17 +0300 (EET DST)


I'm trying to implement a feature ;) in my firewall that would delay all
packets for a wanted time.
This, however, would have to happen without blocking the entire kernel.
(surprise surprise)

So far I have done the following.

--
struct firewall_ops ip_my_firewall_ops=
{
        NULL,
        handle_fw_packet, /* fw */
        handle_in_packet, /* in */
        handle_out_packet, /* out */
        PF_INET,
        1
};
--
All of those functions go immediately to the

int check_package(struct iphdr *ip, const char *dev_name, __u16 *redirport, int direction, struct sk_buff *skb) function.

I know that to silently destroy an incoming packet I have to return FW_BLOCK, and for outgoing packets I have to return FW_QUEUE. (other returns icmp packet to kernel).

However, the trouble is that I'm not quite sure what the right way to do this is.

I have tried to clone the outgoing packet and return QUEUE, but this does not seem to work. (packet_cb is global)

---
int check_package(struct iphdr *ip, const char *dev_name,
                  __u16 *redirport, int direction,
                  struct sk_buff *skb)
{
.
.
.
        else if(ip->daddr == 0x1f00000a) { /* sending to */
                        clone_buffer=skb_clone(skb,GFP_ATOMIC);
                        packet_cb.ip = ip;
                        packet_cb.dev_name = dev_name;
                        packet_cb.redirport = redirport;
                        packet_cb.direction = direction;
                        packet_cb.skb = clone_buffer;

                        our_timer.function = test_it;
                        our_timer.data = (unsigned long)&packet_cb;
                        our_timer.expires = jiffies + HZ;

                        add_timer(&our_timer);
                        interruptible_sleep_on(&our_wait);

                        return FW_QUEUE; /* this one silently kills packet */
        }

---
I thought that this would clone the packet and therefore it would not be
destroyed (data would still exist) and then I could send it off after 2
seconds or so.

Have I misunderstood the use of skb_clone? Should I really use skb_copy? Is there any chance whatsoever to delay packets effectively in firewalls?

Thank you.

-- 
Janne Pänkälä
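
The code in the post keeps one global packet_cb and one timer, and sleeps inside the hook. As an added example (not part of the original post, and not kernel code), here is a user-space C model of the non-blocking alternative: the hook copies each packet into its own queue slot with a release time and returns immediately, and a separate timer routine sends whatever is due. Every name and verdict value below is hypothetical and no kernel API is used.

```c
/* User-space model only: no kernel APIs. All names here are hypothetical. */
#include <stddef.h>
#include <string.h>

#define QLEN 8       /* max packets held at once */
#define PKT_MAX 64   /* constructed sample packets are tiny */
enum verdict { V_ACCEPT, V_STOLEN, V_DROP };  /* model verdicts, not FW_* codes */

struct delayed_pkt {
    unsigned long release_at;     /* tick at which the packet may leave */
    size_t len;
    unsigned char data[PKT_MAX];  /* own copy (assumed: caller's buffer dies after the hook) */
};

static struct delayed_pkt queue[QLEN];  /* one slot per packet, not one global slot */
static size_t head, count;              /* FIFO ring, ordered by arrival */
unsigned char last_first_byte;          /* written by record_send() below */

/* Hook side: copy the packet, stamp it, return at once. Never sleeps. */
enum verdict hook_delay(const unsigned char *pkt, size_t len,
                        unsigned long now, unsigned long delay)
{
    struct delayed_pkt *slot;
    if (len > PKT_MAX || count == QLEN)
        return V_DROP;            /* bounded queue: drop instead of blocking */
    slot = &queue[(head + count) % QLEN];
    slot->release_at = now + delay;
    slot->len = len;
    memcpy(slot->data, pkt, len);
    count++;
    return V_STOLEN;              /* caller must not send the original now */
}

/* Stand-in for the real transmit path: records the first byte sent. */
void record_send(const unsigned char *p, size_t n) { if (n) last_first_byte = p[0]; }

/* Timer side: called on each tick; hands every due packet to send(). */
size_t timer_release(unsigned long now,
                     void (*send)(const unsigned char *, size_t))
{
    size_t sent = 0;
    /* signed difference keeps the comparison correct across tick wraparound */
    while (count > 0 && (long)(now - queue[head].release_at) >= 0) {
        send(queue[head].data, queue[head].len);
        head = (head + 1) % QLEN;
        count--;
        sent++;
    }
    return sent;
}
```

Because the FIFO is drained from the head only, this model assumes every packet gets the same delay; mixed delays would need a queue sorted by release time.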
