Firewall module & packet delay.

Janne Pänkälä
Tue, 7 Sep 1999 09:26:17 +0300 (EET DST)

I'm trying to implement a feature ;) in my firewall that would delay all
packets for a wanted time.
This, however, would have to happen without blocking the entire kernel.
(surprise surprise)

So far I have done the following.

struct firewall_ops ip_my_firewall_ops=
        handle_fw_packet, /* fw */
        handle_in_packet, /* in */
        handle_out_packet, /* out */
all of those functions go immediately to 

int check_package(struct iphdr *ip, const char *dev_name, __u16 *redirport, int direction, struct sk_buff *skb) function

I know that to silently destroy an incoming packet I have to return FW_BLOCK, and for outgoing packets I have to return FW_QUEUE. (other returns icmp packet to kernel).

However, the trouble is that I'm not quite sure what the right way to do this is.

I have tried to clone the outgoing packet and return QUEUE, but this does not seem to work. (packet_cb is global)

int check_package(struct iphdr *ip, const char *dev_name,
                  __u16 *redirport, int direction,
                  struct sk_buff *skb)
        else if(ip->daddr == 0x1f00000a) { /* sending to */
                        packet_cb.ip = ip;
                        packet_cb.dev_name = dev_name;
                        packet_cb.redirport = redirport;
                        packet_cb.direction = direction;
                        packet_cb.skb = clone_buffer;

                        our_timer.function = test_it;
                        our_timer.data = (unsigned long)&packet_cb;
                        our_timer.expires = jiffies + HZ;

                        add_timer(&our_timer);
                        interruptible_sleep_on(&our_wait);

                        return FW_QUEUE; /* this one silently kills packet */
        }

I thought that this would clone the packet and therefore it would not be
destroyed (data would still exist) and then I could send it off after 2
seconds or so.

Have I misunderstood the use of skb_clone? Should I really use skb_copy? Is there any chance whatsoever to delay packets effectively in firewalls?

Thank you.

Janne Pänkälä
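
An added example, not part of the original post and not kernel code: a user-space C model of the delay described above, in which the hook queues a private copy of each packet and returns at once, and a per-tick timer handler releases packets whose delay has passed. `hook_delay`, `timer_tick`, `VERDICT_QUEUE`, `struct pkt` and `struct delayed` are hypothetical names chosen for illustration, and the model assumes one fixed delay for all packets.

```c
/* User-space model, not kernel code. All names are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define HZ 100            /* ticks per second in this model */
#define VERDICT_QUEUE 1   /* constructed stand-in for the hook's verdict */

struct pkt { unsigned char *data; size_t len; };
struct delayed {                  /* one entry per packet, not one global */
    struct pkt copy;
    unsigned long release_at;     /* tick at which the packet is due */
    struct delayed *next;
};

static struct delayed *head, **tail = &head;
static unsigned long ticks;       /* stands in for jiffies */
int sent;                         /* packets released so far */
unsigned char last_sent;          /* first byte of the last released packet */

/* Hook: copy the packet, queue it, return at once. It never sleeps.
 * Assumes one fixed delay, so the FIFO stays ordered by release time. */
int hook_delay(const struct pkt *p, unsigned long delay)
{
    struct delayed *d = malloc(sizeof *d);
    if (!d) return VERDICT_QUEUE;             /* out of memory: packet lost */
    d->copy.data = malloc(p->len ? p->len : 1);
    if (!d->copy.data) { free(d); return VERDICT_QUEUE; }
    memcpy(d->copy.data, p->data, p->len);
    d->copy.len = p->len;
    d->release_at = ticks + delay;
    d->next = NULL;
    *tail = d;
    tail = &d->next;
    return VERDICT_QUEUE;
}

/* Timer handler, run once per tick: release every packet that is due. */
void timer_tick(void)
{
    ticks++;
    while (head && (long)(head->release_at - ticks) <= 0) {
        struct delayed *d = head;
        head = d->next;
        if (!head) tail = &head;
        last_sent = d->copy.len ? d->copy.data[0] : 0;  /* transmit goes here */
        sent++;
        free(d->copy.data);
        free(d);
    }
}
```

Because each queued entry owns its own copy and release time, a second packet arriving during the delay does not overwrite the first.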
