Porting NDIS intermediate driver to Linux

Anybody has any ideas what's involved in getting the NDIS intermediate
driver equivalent functionality in Linux?

How would you go about it?

It is for monitoring firewall app and driver has to be high performance.
NDIS is just fine for it.

I'd like it to sit just above the network card driver on the stack.

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

In article <7e4f100a-310a-44ea-b40b->, Burkhardt Braun <> wrote:
>Hi,
>On Dec 28, 8:58=A0am, ta...@mongo.net (tanix) wrote:

>> Anybody has any ideas what's involved in getting the NDIS intermediate
>> driver equivalent functionality in Linux?

>> How would you go about it?

>I would first try ndiswrapper and

Oh, cool. I DO like that one. That saves the day.

>> It is for monitoring firewall app and driver has to be high performance.
>> NDIS is just fine for it.

>deal with performance issues later on.

Well, not sure there are going to be any performance issues with NDIS
driver if that wrapper is not lame.

But who knows, there ARE some nasty issues with spinlocks, etc.

Did you have any experience with ndiswrapper?
What kinds of problems can I expect with it?

And I'd like to know how much performance suffers.

>Burkhardt Braun

>> I'd like it to sit just above the network card driver on the stack.

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

In article <64281802-8548-462c-9ee7->, Nike Chen <> wrote:
>On 12=E6=9C=8828=E6=97=A5, =E4=B8=8B=E5=8D=884=E6=99=8258=E5=88=86, ta...@m=
>ongo.net (tanix) wrote:
>> Anybody has any ideas what's involved in getting the NDIS intermediate
>> driver equivalent functionality in Linux?
>>
>> How would you go about it?
>>
>> It is for monitoring firewall app and driver has to be high performance.
>> NDIS is just fine for it.
>>
>> I'd like it to sit just above the network card driver on the stack.
>
>Why do you just use netfilter mechanism in Linux kernel?

Well, I looked at it in passing a while back.
Did not have an impression it was either low enough on the stack
or could support things I need to do.

The rules need to be uploaded to the low level driver.
At high bandwidths, some queues, that hold some pending packets
may have to stay on that queue for minutes if not longer.
If some packet arrives and there is no rule for it,
the packet is not simply dropped because the user mode, the app
may be in a prompted mode. Meaning, until user comes back from
kitchen and clicks on one of the choices for unknown packet,
that packet is held in the driver queue untill either user
responds and a new rule is created and passed to a driver,
and a packed is allowed to pass through, or it simply times out.

Furethermore, I have at least 4 distinct rulesets, such as
Stealth, Trusted, Policy and per adapter. Some of these rulesets
are big. So performance at high bandwidth is a must.

And there are all sorts of intricate mechanisms in the driver.
My impression was that netfilter is a gadget on the user level.
Not that I ever remember anything of significance of it.
It was a couple of years ago.

Also, I need to control everything on the box as far as network
traffic goes. I should be able to intercept even a strandard
firewall traffic, such as netfilter. This is important.

For example, under Windows, this particular NDIS driver is
the only properly written and fully compliant driver in any
firewall I know off and does not violate the fundamental
principles of OS and driver design. All other drivers I saw
used hacks, poking into kernel mode data structures and ugly
things like that. As a result, you could not install more than
one of those net apps because your box would blue screen,
and I have verify it first hand.

So...

Things are a bit intricate and highest level of performance
and control of the wire are a must.

For example, if you simply click a single checkbox, you can
see every single packet in the monitor window, and that is
a LOT of processing. If a single element in the chaing of
events, interfaces is not up to snuff, you'll lock up your
box within milliseconds.

Things like that.
I did not have an impression that netfilter is going to do
the trick even though I am just beginning to look into this
port issue. Right now trying to get some bits and pieces of
info from people that know what they are talking about.

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

In article <hha7f3$9fh$>, (tanix) wrote:
>In article <64281802-8548-462c-9ee7->,
> Nike Chen <> wrote:
>>On 12=E6=9C=8828=E6=97=A5, =E4=B8=8B=E5=8D=884=E6=99=8258=E5=88=86, ta...@m=
>>ongo.net (tanix) wrote:
>>> Anybody has any ideas what's involved in getting the NDIS intermediate
>>> driver equivalent functionality in Linux?
>>>
>>> How would you go about it?
>>>
>>> It is for monitoring firewall app and driver has to be high performance.
>>> NDIS is just fine for it.
>>>
>>> I'd like it to sit just above the network card driver on the stack.
>>
>>Why do you just use netfilter mechanism in Linux kernel?
>
>Well, I looked at it in passing a while back.
>Did not have an impression it was either low enough on the stack
>or could support things I need to do.
>
>The rules need to be uploaded to the low level driver.
>At high bandwidths, some queues, that hold some pending packets
>may have to stay on that queue for minutes if not longer.
>If some packet arrives and there is no rule for it,
>the packet is not simply dropped because the user mode, the app
>may be in a prompted mode. Meaning, until user comes back from
>kitchen and clicks on one of the choices for unknown packet,
>that packet is held in the driver queue untill either user
>responds and a new rule is created and passed to a driver,
>and a packed is allowed to pass through, or it simply times out.
>
>Furethermore, I have at least 4 distinct rulesets, such as
>Stealth, Trusted, Policy and per adapter. Some of these rulesets
>are big. So performance at high bandwidth is a must.
>
>And there are all sorts of intricate mechanisms in the driver.
>My impression was that netfilter is a gadget on the user level.
>Not that I ever remember anything of significance of it.
>It was a couple of years ago.
>
>Also, I need to control everything on the box as far as network
>traffic goes. I should be able to intercept even a strandard
>firewall traffic, such as netfilter. This is important.
>
>For example, under Windows, this particular NDIS driver is
>the only properly written and fully compliant driver in any
>firewall I know off and does not violate the fundamental
>principles of OS and driver design. All other drivers I saw
>used hacks, poking into kernel mode data structures and ugly
>things like that. As a result, you could not install more than
>one of those net apps because your box would blue screen,
>and I have verify it first hand.
>
>So...
>
>Things are a bit intricate and highest level of performance
>and control of the wire are a must.
>
>For example, if you simply click a single checkbox, you can
>see every single packet in the monitor window, and that is
>a LOT of processing. If a single element in the chaing of
>events, interfaces is not up to snuff, you'll lock up your
>box within milliseconds.
>
>Things like that.
>I did not have an impression that netfilter is going to do
>the trick even though I am just beginning to look into this
>port issue. Right now trying to get some bits and pieces of
>info from people that know what they are talking about.

Btw, does netfilter support the IOCTL mechanism?

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

In article <850ab8f4-2fdc-44fc-a416->, Burkhardt Braun <> wrote:
>Hello,
>On Dec 28, 10:58=A0am, ta...@mongo.net (tanix) wrote:
>> In article <7e4f100a-310a-44ea-b40b-e56a4c868...@s31g2000yqs.googlegroups=
>..com>, Burkhardt Braun <burkhardt.br...@gmx.net> wrote:
>>
>> >Hi,
>> >On Dec 28, 8:58=3DA0am, ta...@mongo.net (tanix) wrote:

>> >> Anybody has any ideas what's involved in getting the NDIS intermediate
>> >> driver equivalent functionality in Linux?
>> >> How would you go about it?

>> >I would first try ndiswrapper and

>> Oh, cool. I DO like that one. That saves the day.

>that is at least presumable.

Actually, looks like a pretty comple set in terms of supporting
NDIS. Actually, I saw more stuff handled than I saw in other places.

I looked for a sec at a couple of performance critical routines
and so far, does not look like it should be a bottleneck.

>> >> It is for monitoring firewall app and driver has to be high performance.
>> >> NDIS is just fine for it.

>> >deal with performance issues later on.

>> Well, not sure there are going to be any performance issues with NDIS
>> driver if that wrapper is not lame.

>> But who knows, there ARE some nasty issues with spinlocks, etc.
>> Did you have any experience with ndiswrapper?

>No not know, I guess I make some expreiences mid of 2010.

>> What kinds of problems can I expect with it?

>I know the existence of this kind of wrapper a few years now and bugs
>should be fixed nowadays.
>If you figure out problems, it is a good idea to let us know about it.

How much do you pay?
:--}

>Regards
>Burkhardt Braun

>>
>> And I'd like to know how much performance suffers.
>>
>> >Burkhardt Braun
>> >> I'd like it to sit just above the network card driver on the stack.

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

"tanix" <> wrote in message
news:hh9rvh$5fe$...
> Anybody has any ideas what's involved in getting the NDIS intermediate
> driver equivalent functionality in Linux?
>
> How would you go about it?

In Linux, you don't. You just have the source of the netcard driver
and the OS kernel, and can hack it as you like.

Good luck.
--pa

In article <250B1BB6-B22F-4942-9805->, "Pavel A." <> wrote:
>"tanix" <> wrote in message
>news:hh9rvh$5fe$...
>> Anybody has any ideas what's involved in getting the NDIS intermediate
>> driver equivalent functionality in Linux?
>>
>> How would you go about it?
>
>In Linux, you don't. You just have the source of the netcard driver
>and the OS kernel, and can hack it as you like.

That is what I was afraid of.
So, is there such a thing as stack?

Btw, there is this ndiswrapper thing if you know.
They claim they can run the NDIS driver.
I spent a few minutes on this. But still do not see how it sits in
the network stack.

>Good luck.
>--pa
>
>

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

"tanix" <> wrote in message
news:hhcgc5$n2d$...

<snip>
> So, is there such a thing as stack?

AFAIK, no. It is a Windoze bloatware thing; we don't need this in Linux.

> Btw, there is this ndiswrapper thing if you know.
> They claim they can run the NDIS driver.
> I spent a few minutes on this. But still do not see how it sits in
> the network stack.

AFAIK, ndiswrapper just converts a miniport to a Linux network device
driver, nothing more,
It does not support IMs.

--pa

In article <27DC2A4A-93DD-481C-AFF1->, "Pavel A." <> wrote:
>"tanix" <> wrote in message
>news:hhcgc5$n2d$...
>
><snip>
>> So, is there such a thing as stack?
>
>AFAIK, no. It is a Windoze bloatware thing; we don't need this in Linux.

WHAT?

So, how do I install my driver so it intercepts all the network
traffic from anything in the system?

You think the network stack is some kind of "bloatware" idea?

I do not belive what I am seeing here.

>> Btw, there is this ndiswrapper thing if you know.
>> They claim they can run the NDIS driver.
>> I spent a few minutes on this. But still do not see how it sits in
>> the network stack.
>
>AFAIK, ndiswrapper just converts a miniport to a Linux network device
>driver, nothing more,
>It does not support IMs.

What?

And what about PROTOCOL part of im driver?

>--pa
>
>

--
Programmer's Goldmine collections:

http://preciseinfo.org

Tens of thousands of code examples and expert discussions on
C++, MFC, VC, ATL, STL, templates, Java, Python, Javascript,
organized by major topics of language, tools, methods, techniques.

> So, how do I install my driver so it intercepts all the network
> traffic from anything in the system?

I think that Linux possibly has its own packet filtering platform, which is more like WFP then like NDIS IM.

--
Maxim S. Shatskih
Windows DDK MVP

http://www.storagecraft.com