Re: How to insert layer between network dev driver and IP?

From: Olaf Titz (olaf@bigred.inka.de)
Date: Tue Jan 11 2000 - 06:49:26 EST


> 1. Is it possible to write kernel module which would insert itself in
> between network device driver and IP part?

First attempt at a solution: Write a new network device driver which
does the necessary manipulations[1] and handles off to the real
driver. On the user level, just route outgoing packets via the new
driver.

The hard_start_xmit() of your driver should be able to call the
underlying driver's hard_start_xmit() (see below), or it can build a
new IP packet and handle that to the kernel for forwarding (like done
in the tunnel driver and CIPE).

> 2. For transmission part, can I replace network device hard_start_xmit
> pointer with pointer to my function (which would call the original
> driver's hard_start_xmit, after some processing is done)? Can I do that
> from the initialization routine of my module?

That would be another possibility, but is less generic (it means your
module attaches to one driver exactly).

Note that when you store another driver's function pointer, you must
make sure that if that driver is a module, it is locked down in used
state so nobody can unload it. Proabably the easiest way is to check
in your init() if the peer is already opened (IFF_UP), and intercept
the peer's stop() routine so that closing the peer will close you too.
Beware of race conditions.

> 3. How can I insert new layer in receiving part? I know that driver
> calls netif_rx in order to pass skb to upper level, but how can I change

Now comes the interesting part. It looks like there is no function
pointer via which the data passes after netif_rx() which is generic
enough to intercept at least all IP packets, except probably the
firewall chains. You would have to write a complete new firewall_ops
module (see include/linux/firewall.h and net/core/firewall.c) and
register it for PF_INET. Note that this has nothing to do, and chains
along with, the built-in IP firewall. I'm not sure if it is allowed to
change the data in a firewall chain though, and have not tried this
way at all. (I also don't know if this has changed for 2.3. For 2.0 it
is not available.)

If you have an input firewall chain, you can have an output firewall
chain too and forget about the whole network driver business...

Olaf

[1] Note that a device driver is not allowed to change the data
portion of the sk_buff, starting with the IP address, unless it makes
a copy of it. That cost me and other people some debugging time for CIPE.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sat Jan 15 2000 - 21:00:17 EST