Please at least give a one-sentence description of what a BSD divert socket is.
They let you enter a firewall rule that pushes packets into a program. The main use for this in FreeBSD (that I’ve used) is natd, which provides NAT for private networks.
http://www.freebsd.org/cgi/man.cgi
divert(4) and natd(8)
need to fix that typo.
Is it like Linux’s iptables? What are the differences?
It’s like the Linux divert sockets, only they are adding the BSD ones so that things written for BSD kernels can be used on the Linux kernel.
Can we now run PF as a firewall ?
This has been modified from their documentation section off of SF.net to one very broken sentence. I broke the sentence; however, you should get the idea of the BSD sockets under Linux.
“you could intercept packets traveling up or down the IP stack of your host; literally stopping the packet from further propagating through the IP stack and then (possibly after some changes), reinjecting it back”
——————————————————-
The original paragraph is listed below:
“Ever wish you could intercept packets traveling up or down the IP stack of your host? And I’m not talking about listening in, like raw sockets or libpcap (tcpdump). I mean literally stop the packet from further propagating through the IP stack and then (possibly after some changes), reinjecting it back? Well, the time to dream is over, because divert sockets for Linux are here!”
The sentence “possibly after some changes” is no longer applicable – it works great with Snort 2.3.3 and includes documentation on how to build it. No code changes, just need to make sure your include files are all set up. The only limitation with Snort at this point is you cannot yet block. It will in fact block the offending packet, but Snort segfaults on the command line. It will work properly soon though!
As one of the authors of the BSD divert sockets some 10 years ago (ok, 8 or 9 I think), this is quite a nice surprise. I’m a little surprised by one of the comments above, however: “It’s like the Linux divert sockets, only they are adding the BSD ones…”
I haven’t been following. Does Linux have divert sockets? And how are they different?
Julian at Freebsd dot org
Linux doesn’t have divert sockets, or didn’t before this. Keep in mind this was implemented for 2.4 and has now been ported to 2.6. The source code is quite different but the functional API is similar enough that applications that will work with normal BSD divert sockets will work with the Linux implementation without any source code modifications.
There is a net divert, but honestly I am not sure what that does or what it is for. Definitely not compatible at all with the *BSD divert sockets. This implementation is similar to the *BSD one in that it works off of a FW statement, iptables in this case, and is functionally equivalent to the *BSD implementation so as to be compatible with *BSD applications compiled on Linux. For example:
-A FORWARD -p tcp -j DIVERT --div-port 1
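What a program on the receiving end of that rule looks like, as an added example that is not from the thread, from FreeBSD, or from the Linux divert-sockets project: the firewall rule pushes each matching packet into the socket bound to the divert port; the program reads it, optionally changes it, and writes it back with the same address it arrived with so the stack resumes where it left off, or drops it simply by never writing it back. The example assumes the FreeBSD divert(4) calling convention (socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT), bind to the divert port, recvfrom/sendto with the returned sockaddr), that IPPROTO_DIVERT is 254 as on FreeBSD since glibc does not define it, and that DIVERT_PORT 1 matches the --div-port 1 rule above. The header-validation, checksum and TTL-rewrite helpers are the example's own, not part of any divert API.

```c
/*
 * Added example, not from the thread or the Linux divert-sockets project:
 * a minimal BSD-style divert socket consumer. Packets matched by a rule such as
 *     -A FORWARD -p tcp -j DIVERT --div-port 1
 * arrive on the socket bound to port 1; anything not written back is dropped.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Assumption: glibc has no IPPROTO_DIVERT; 254 is the value FreeBSD uses. */
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 254
#endif
#define DIVERT_PORT 1   /* must match --div-port in the iptables rule */

/* RFC 1071 one's-complement checksum over a byte buffer, returned already
 * complemented. Over a header carrying a correct checksum the result is 0. */
uint16_t ip_checksum(const unsigned char *p, size_t len)
{
    uint32_t sum = 0;
    while (len > 1) { sum += ((uint32_t)p[0] << 8) | p[1]; p += 2; len -= 2; }
    if (len) sum += (uint32_t)p[0] << 8;            /* odd trailing byte, zero-padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Sanity-check an IPv4 header before touching it: version, IHL, lengths and
 * header checksum. Returns 1 if the packet is safe to parse, else 0. */
int ip_header_valid(const unsigned char *pkt, size_t len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    size_t tot = ((size_t)pkt[2] << 8) | pkt[3];
    if (ihl < 20 || ihl > len || tot < ihl || tot > len) return 0;
    return ip_checksum(pkt, ihl) == 0;
}

/* One possible change before reinjection: set the TTL and recompute the
 * header checksum. Returns 0 on success, -1 if the header is not valid. */
int ip_rewrite_ttl(unsigned char *pkt, size_t len, uint8_t ttl)
{
    if (!ip_header_valid(pkt, len)) return -1;
    size_t ihl = (pkt[0] & 0x0f) * 4u;
    pkt[8] = ttl;
    pkt[10] = pkt[11] = 0;                          /* checksum field is zero while summing */
    uint16_t cs = ip_checksum(pkt, ihl);
    pkt[10] = (unsigned char)(cs >> 8);
    pkt[11] = (unsigned char)(cs & 0xff);
    return 0;
}

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);   /* needs root and the divert module */
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }

    struct sockaddr_in me;
    memset(&me, 0, sizeof me);
    me.sin_family = AF_INET;
    me.sin_port = htons(DIVERT_PORT);
    me.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&me, sizeof me) < 0) { perror("bind"); return 1; }

    unsigned char pkt[65535];
    for (;;) {
        struct sockaddr_in from;                        /* records where the packet was diverted */
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }

        /* Verdict: a packet that is never written back is dropped. */
        if (!ip_header_valid(pkt, (size_t)n)) continue;

        /* Optional change before reinjection (here: clamp TTL to 64). */
        if (pkt[8] > 64) ip_rewrite_ttl(pkt, (size_t)n, 64);

        /* Reinject with the same sockaddr so the stack resumes at the divert point. */
        if (sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

The loop only does anything on a kernel with the divert module loaded and a matching iptables rule in place, and it must run as root to open a raw socket; the helpers are plain C and can be checked against a hand-built header without either. Note that the program itself is the policy: the kernel applies no verdict of its own to a diverted packet, so a crash in the consumer, like the Snort segfault mentioned above, leaves every matched packet unanswered and therefore dropped.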
I’m probably not ‘getting it’, but isn’t this what TUN/TAP does?