screen - Gateway packet screening facility
#include <sys/types.h> #include <net/gw_screen.h>
int mode; struct screen_data sdata; struct screen_stats
sstats;
ioctl(s, SIOCSCREENON, (caddr_t)&mode); ioctl(s, SIOCSCREEN,
(caddr_t)&data); ioctl(s, SIOCSCREENSTATS,
(caddr_t)&sstats);
The interface to the gateway screen facility is a set of
ioctl requests.
All these requests are meant to be used on a file
descriptor created by the socket() system call. The mode
parameter, passed by reference, can be SCREENMODE_OFF,
SCREENMODE_ON, or SCREENMODE_NOCHANGE. Upon completion of
the system call, the mode parameter contains the previous
value of the screen mode. Unprivileged users may only use
the SCREENMODE_NOCHANGE request. This is the most important
request and is described below. Only the super-user
may make this request. Returns, by reference using the
sstats parameter, statistics in this structure:
struct screen_stats {
u_long ss_packets; /* total packets screened
*/
u_long ss_nobuffer; /* dropped, buffer was full
*/
u_long ss_accept; /* total accepted */
u_long ss_reject; /* total rejected */
u_long ss_badsync; /* dropped, user was out of
sync */
u_long ss_stale; /* dropped, too old */ };
The gateway screen facility allows a user-level process to
decide which network packets should be forwarded by the
kernel (when the system is acting as a gateway). When the
screen mode is set to "off," all packets are forwarded
normally; when the screen mode is set to "on," all packets
that would be forwarded must be approved through the use
of this facility.
Use of SIOCSCREEN [Toc] [Back]
The SIOCSCREEN request is used in the main loop of the
user-level daemon. Each time it is called, it returns (by
reference using the sdata parameter) a screen_data structure
containing a prefix of a packet (normally containing
the packet headers) and some additional information:
struct screen_data_hdr {
short sdh_count; /* length of entire record */
short sdh_dlen; /* bytes of packet header */
u_int sdh_xid; /* transaction ID */
struct timeval sdh_arrival; /* time packet
arrived */
short sdh_family; /* address family */
int sdh_action; /* disposition for packet */
#define SCREEN_ACCEPT 0x0001 /* Accept this packet */
#define SCREEN_DROP 0x0000 /* Do not accept this packet
*/ #define SCREEN_NOTIFY 0x0002 /* Notify sender of failure
*/ #define SCREEN_NONOTIFY 0x0000 /* Do not
notify sender */ };
struct screen_data {
struct screen_data_hdr sd_hdr;
char sd_data[SCREEN_DATALEN]; /* sd_dlen bytes of
packet header */ };
#define sd_count sd_hdr.sdh_count #define sd_dlen
sd_hdr.sdh_dlen #define sd_xid sd_hdr.sdh_xid
#define sd_action sd_hdr.sdh_action #define sd_arrival
sd_hdr.sdh_arrival #define sd_family sd_hdr.sdh_family
The sd_family field indicates the protocol family (for
example, AF_INET) under which the packet is being handled;
there is no protocol-specific code in the kernel implementation
of the gateway screen. Either the sd_family field
should be initialized to a specific family before the
request is invoked (indicating that the user process is
willing to handle requests for this family only), or it
should be set to AF_UNSPEC (indicating that the user process
is willing to handle all protocols).
The user-level process examines the packet headers and
decides whether or not the packet should be forwarded. It
communicates this decision to the kernel by filling in the
sd_action field in the screen_data structure with either
SCREEN_ACCEPT, SCREEN_DROP, or SCREEN_DROP bit-wise ORed
with SCREEN_NOTIFY; the last choice causes the gateway to
drop the packet but send an error packet to the source
host (if this is supported in the protocol family). The
process then passes that structure back to the kernel in
another invocation of the SIOCSCREEN request. That ioctl
call then blocks until a new packet is available, at which
point the cycle repeats.
Note that two actions are being carried out through one
system call, and that each cycle starts mid-way through a
system call. Thus, the first time a daemon uses this
ioctl request, it has to pass in a no-op decision to complete
the first (half) cycle. The kernel matches incoming
decisions with pending packets by comparing both the
transaction id (sd_xid) field, and the user's process id
(so one process cannot provide decisions on packets presented
to a different process). Decisions must be supplied
in first-in, first-out order; decisions supplied in
the wrong order may result in packets being dropped.
If an error has occurred, a value of -1 is returned and
errno is set to indicate the error.
In addition to those error codes described for ioctl(),
the SIOCSCREEN request can also return: If the screen mode
is set to SCREENMODE_OFF, the SIOCSCREEN request is meaningless.
If an operation reserved for the superuser is
attempted by a non-superuser.
Functions: ioctl(2)
Daemons: screenmode(8), screend(8), screenstat(8)
screen(2)
[ Back ] |
