next up previous
Next: Filter expressions Up: FFPF high-level overview Previous: FFPF high-level overview


Receiving packets in a flow

An application may be interested in multiple flows. Flows are captured from a raw input stream in four steps. Firstly, a flow handle is created with the flow_create() operation. Creating a flow handle sets up a user-space data structure which is used as an identifier in all future operations on the flow, but does not result in any packets being captured. Secondly, the flow handle structure is populated using the flow_populate() operation by specifying for instance the graph of connected filters, callback functions and other parameters to be associated with the flow. The result is a flow definition in user space consisting of a graph of filters that will capture the flow, associated callbacks, etc. Thirdly, the flow definition is used as blue print to instantiate a `flow grabber' which is done by calling the flow_instantiate() operation. Only at instantiation time are the filters that capture the flow instantiated and connected, provided the flow definition passes the authorisation control check (Section 3.4). Fourthly, an instantiated flow grabber by itself still does not capture packets; the flow grabber first needs to be activated. Conversely, an activated flow can be paused (and subsequently re-activated). Flow activation and pausing is performed using the flow_activate() and flow_pause() operations. Finally, a flow can be closed (flow_close()). When a flow is closed (or the corresponding application crashes), all flow state is destroyed. In the remainder of this paper, we will use the term `flow' to refer both to the flow grabber (the code in the kernel that captures the flow), and to the packets captured by the flow grabber (the real `flow'), except where the distinction is important.

Instantiation is a separate step, because the flow specification is sent in its entirety to authorisation control, so that we can enforce that a packet function $f$ (e.g., payload scanning) be allowed if and only if another function $g$ (e.g., a filter passing only traffic from a specific subnet) is applied before (or after) $f$. Flow activation is also a separate step, as it gives administrators more accurate control over the start time (flow activation is more light-weight than flow instantiation).


next up previous
Next: Filter expressions Up: FFPF high-level overview Previous: FFPF high-level overview
Herbert Bos 2004-10-06