Subject: Re: divert socket?
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/24/2001 14:57:50
>> I want to convey some packets from kernel to user space application
>> which is an intrusion detection system (IDS).
>> If IDS finds malicious packets, it will drop them, otherwise, it
>> will pass them to kernel again.

> I don't know about divert sockets, but I see two alternatives:
> 1) the standard bpf interface as used e.g. by IDS systems like
>    snort (it's in pkgsrc)
> 2) the tun(4) tunnel device

Neither alone will do, but together they can.

The IDS can pick up incoming packets with bpf, and if it likes them it
can reinject them through a tun.

However, this works only for IP.  If you want to support other Ethernet
protocols, you need something akin to tun, only that takes Ethernet
packets rather than IP packets.  This would be fairly easy to do, but
AFAIK is not yet done - I'm sure someone will correct me if this is
out-of-date.

If anyone wants, I can have a stab at doing it, though the result would
be for 1.4T, not -current.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@rodents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
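The bpf-then-tun pipeline sketched above, as an added example (not code from this thread and not NetBSD's own): walk one bpf(4) read buffer, run each fully captured IPv4 packet through an inspection callback, and hand the survivors to an emitter that in real use would write(2) them to the tun device. Assumptions: `struct rec_hdr` is a stand-in carrying the same `bh_caplen`/`bh_datalen`/`bh_hdrlen` fields as `struct bpf_hdr`, `toy_rule` is a placeholder IDS rule, and the sample records are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define ETHER_HDR_LEN 14
#define ETHERTYPE_IP  0x0800
/* Same definitions as <net/bpf.h>; on NetBSD include it and use struct bpf_hdr. */
#define BPF_ALIGNMENT    sizeof(long)
#define BPF_WORDALIGN(x) (((x) + (BPF_ALIGNMENT - 1)) & ~(BPF_ALIGNMENT - 1))
/* Assumption: stand-in carrying the three bpf_hdr fields the walker needs. */
struct rec_hdr { uint32_t bh_caplen, bh_datalen; uint16_t bh_hdrlen; };
typedef int  (*inspect_fn)(const uint8_t *ip, size_t len); /* 1 = pass, 0 = drop */
typedef void (*emit_fn)(const uint8_t *ip, size_t len);    /* in real use: write(2) to /dev/tunN */

/* Walk one read(2) result from /dev/bpf: header, captured frame, padding to
 * BPF_WORDALIGN, repeated. Returns the number of packets handed to emit. */
size_t process_bpf_buffer(const uint8_t *buf, size_t n, inspect_fn inspect, emit_fn emit, size_t *dropped) {
    size_t off = 0, passed = 0;
    *dropped = 0;
    while (off + sizeof(struct rec_hdr) <= n) {
        struct rec_hdr h;
        memcpy(&h, buf + off, sizeof h);                 /* alignment-safe copy */
        if (off + h.bh_hdrlen + h.bh_caplen > n) break;  /* truncated record */
        const uint8_t *frame = buf + off + h.bh_hdrlen;
        /* tun(4) carries IP only: strip the Ethernet header, skip non-IPv4
         * frames and frames the capture snaplen cut short. */
        if (h.bh_caplen >= ETHER_HDR_LEN && h.bh_caplen == h.bh_datalen &&
            ((frame[12] << 8) | frame[13]) == ETHERTYPE_IP) {
            const uint8_t *ip = frame + ETHER_HDR_LEN;
            size_t iplen = h.bh_caplen - ETHER_HDR_LEN;
            if (inspect(ip, iplen)) { emit(ip, iplen); passed++; } else (*dropped)++;
        }
        off += BPF_WORDALIGN(h.bh_hdrlen + h.bh_caplen);
    }
    return passed;
}

/* Constructed sample: one record of 14-byte Ethernet + 20-byte IPv4 header. */
static size_t put_rec(uint8_t *b, size_t off, uint16_t type, uint8_t ttl) {
    uint8_t frame[ETHER_HDR_LEN + 20] = {0};
    frame[12] = type >> 8; frame[13] = type & 0xff;      /* ethertype */
    frame[14] = 0x45; frame[17] = 20; frame[22] = ttl;   /* ver/IHL, total len, TTL */
    struct rec_hdr h = { sizeof frame, sizeof frame, (uint16_t)BPF_WORDALIGN(sizeof(struct rec_hdr)) };
    memcpy(b + off, &h, sizeof h); memcpy(b + off + h.bh_hdrlen, frame, sizeof frame);
    return off + BPF_WORDALIGN(h.bh_hdrlen + sizeof frame);
}
static int toy_rule(const uint8_t *ip, size_t len) { return len >= 20 && ip[8] != 0; } /* TTL 0 is never valid on the wire */
static size_t emitted, demo_dropped;
static void count_emit(const uint8_t *ip, size_t len) { (void)ip; (void)len; emitted++; }
size_t demo(void) { /* IPv4 TTL 64 passes, IPv4 TTL 0 is dropped, ARP is ignored: returns 1 */
    uint8_t buf[256]; size_t n = put_rec(buf, 0, ETHERTYPE_IP, 64);
    n = put_rec(buf, n, ETHERTYPE_IP, 0); n = put_rec(buf, n, 0x0806, 64);
    emitted = 0;
    return process_bpf_buffer(buf, n, toy_rule, count_emit, &demo_dropped);
}
```

The ARP record is skipped rather than dropped because tun(4) cannot carry it, which is exactly the gap the message points out for non-IP Ethernet protocols.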