Socket Filter Framework and KSSL Framework

This morning two changes found their way into OpenSolaris: “PSARC/2009/590 Socket Filter Framework” and “convert KSSL into a socket filter”. The first change introduces a new framework for packet filtering and manipulation. The design document states:

A filter is configured to work with one or more non-STREAM sockets and it can be attached either automatically to all matching sockets or programmatically to a specific socket by the request of an application. Once attached, the filter exists in the socket layer, but sits logically in between the socket and transport layers where it is notified of user requests and transport events via callback functions. The actions a filter can take depend on the callback. But typically a filter can modify or deny socket operations, transform, delay and inject data, as well as defer the notification of new connections.

The first usage of this framework is a new implementation of kssl, the in-kernel SSL proxy of Solaris.
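
The callback flow the design document describes, as a user-space C model added here (not code from the PSARC case or from OpenSolaris): two filters sit between the socket entry points and the transport and can deny an operation, transform data, or defer a new-connection notification. Every type and function name is hypothetical, the port policies are constructed, and the order in which filters are consulted is an assumption of the model.

```c
/* User-space model of the callback flow. All names are hypothetical;
 * this is not the Solaris socket filter kernel API. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

typedef enum { F_CONTINUE, F_DENY, F_DEFER } f_rval_t;

typedef struct {                                  /* NULL: filter not interested */
    f_rval_t (*connect)(unsigned short port);     /* user request */
    f_rval_t (*data_out)(char *buf, size_t len);  /* user data heading down */
    f_rval_t (*new_conn)(unsigned short port);    /* transport event */
} filter_ops_t;

/* Filter A: deny outbound connects to port 23 (constructed policy). */
static f_rval_t a_connect(unsigned short port) { return port == 23 ? F_DENY : F_CONTINUE; }
/* Filter B: transform outgoing data in place ... */
static f_rval_t b_data_out(char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] = (char)toupper((unsigned char)buf[i]);
    return F_CONTINUE;
}
/* ... and defer notification of new connections on port 443 (constructed). */
static f_rval_t b_new_conn(unsigned short port) { return port == 443 ? F_DEFER : F_CONTINUE; }

static const filter_ops_t chain[] = {
    { .connect = a_connect },
    { .data_out = b_data_out, .new_conn = b_new_conn },
};
#define NFILTERS (sizeof(chain) / sizeof(chain[0]))

/* Each entry point consults every attached filter before the operation
 * or event is passed on; the first verdict other than F_CONTINUE wins. */
#define WALK(cb, ...) \
    for (size_t i = 0; i < NFILTERS; i++) \
        if (chain[i].cb) { f_rval_t rv = chain[i].cb(__VA_ARGS__); \
                           if (rv != F_CONTINUE) return rv; } \
    return F_CONTINUE

f_rval_t sock_connect(unsigned short port)    { WALK(connect, port); }
f_rval_t sock_send(char *buf, size_t len)     { WALK(data_out, buf, len); }
f_rval_t transport_new_conn(unsigned short p) { WALK(new_conn, p); }

int main(void) {
    char msg[] = "hello";
    sock_send(msg, 5);
    printf("connect:23=%d send=%s new_conn:443=%d\n", sock_connect(23), msg, transport_new_conn(443));
    return 0;
}
```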