tcpdump mailing list archives

How does packet capture interact with firewalls?
From: Robert Burgess <burgess () systems cs cornell edu>
Date: Wed, 23 Sep 2009 14:01:53 -0400

I am writing a program that captures packets, does some processing on each
one, and does not permit it to be delivered on until the processing for
that packet is done.  I can accomplish this easily without pcap using
the Linux kernel 2.6 support for netfilter queues, so if you have any
experience with that you know what I am trying to accomplish.  I wonder
if there is any way to accomplish the same more portably using pcap, by
capturing packets, then having the firewall drop the original (assuming
there is some external, system-dependent administrator who can set this
up), then, when ready, reinjecting the packets (with e.g. pcap_inject)
and having the firewall deliver the injected packets normally.

I have experimented enough to know that I can drop packets (in my Linux
iptables firewall) and they still appear in my pcap program (the first
half), but when I try to reinject, depending on what setup I try, either
the injected packets get dropped too, or they get injected correctly but
also recaptured, leading to an infinite loop.  Is there any way to, say,
capture and drop in one direction, and inject in another direction,
so that they go through different firewall chains and I don't drop
or recapture my own output?  It might of course be that the answer is
dependent on the firewall itself, so if the pcap solution is nonportable
too I might as well stick with netfilter queues.  I just wanted to know
if anybody had the expertise in this sort of pcap-firewall interaction
to help get me to the next step.

Robert.
-
This is the tcpdump-workers list.
Visit https://cod.sandelman.ca/ to unsubscribe.
