There is a packet filter interface (pfil) in the kernel that allows a pseudo
   device to intercept ip packets with pfil_add_hook.  Does it make sense to
   extend this to capture ARP packets as well as IP packets?  pfil_add_hook
   could take a flag to specify which list of hooks you want to add yourself
   to - PFIL_IPIN, PFIL_IPOUT, PFIL_ARPIN, and PFIL_ARPOUT (just like the
   direction flag now).  I figured I could copy the for loop idea from
   ip_input/output to in_arpinput/output and add some arp stuff to the
   pfil.c/pfil.h.
   
   Mostly I'm asking because I have written (with help from David Maxwell) a
   pseudo device for the kernel that uses the pfil_add_hook to let me play with
   packets as they come in and go out (for a project at work), but I also need
   to play with ARP.  Should I just hack the ARP for my own purposes, or does a
   pfil type interface for arp make sense that I could submit as a PR when I'm
   done?
   
   I'm very new to the kernel so I just wanted to get an idea as to whether or
   not this is a good way to go ;o)



hi!


pfil was originally designed to be network-independant, not just for IP..
IP is just the only implemented filter.  it is probably an OK idea to add
new types for arp (i like your names) -- i originally envisioned pfil
hooks being added across much of the network stack..


.mrg.