|
Sean Boudreau(deleted)
|
Re: Converting io-net filter to pfil hook
|
|
Sean Boudreau(deleted)
03/12/2010 3:37 PM
post49388
|
Re: Converting io-net filter to pfil hook
On Fri, Mar 12, 2010 at 03:31:08PM -0500, Mark Dowdy wrote:
> We are attempting to migrate an io-net filter to an io-pkt pfil hook.
> Thus far, we've only had limited success. When we try to mount our hook,
> we end up with quite a few undefined symbols. These symbols are defined
> in shared libraries that we build from our sources and then link into
> the hook. The LD_LIBRARY_PATH variable is set to the location of the
> required shared object files. Unfortunately, mount can't seem to find
> them. Is there some other way to specify where mount should look for
> shared libraries or is shared library use by LSM's just not supported?
You need to set LD_LIBRARY path on io-pkt, not mount.
>
>
>
> The answer to the question above seems be "LSM's can load shared
> modules" because when we tried starting a second instance of io-pkt we
> were able to mount our pfil hook. Unfortunately, the second instance of
> io-pkt didn't have any interfaces. Additionally, starting the second
> instance of io-pkt seems to kill the existing, working interfaces (i.e.
> we can no longer telnet into the box, ifconfig only lists lo0). So,
> mounting our hook onto a second io-pkt instance doesn't do us much good
> because there are no interfaces for data. When we try to mount a driver
> onto the second io-pkt instance, the mount fails (Can't mount / (type
> io-pkt2)). We tried creating the second instance of io-pkt because we
> were using a second instance of io-net for our filter. Having two
> instances of the stack probably doesn't make much sense because we want
> to attach our hook to one interface on an Intel 82563 dual interface
> NIC.
Check out the io-pkt docs for the options that control
targeting multiple stacks. In particular
# io-pkt -i1 -ptcpip prefix=/alt ...
# mount -T io-pkt1 ...
# SOCK=/alt ifconfig
Regards,
-seanb
|
|
|
|
|
