An application may be interested in multiple flows. Flows are captured from a raw input stream in four steps. Firstly, a flow handle is created with the flow_create() operation. Creating a flow handle sets up a user-space data structure which is used as an identifier in all future operations on the flow, but does not result in any packets being captured. Secondly, the flow handle structure is populated using the flow_populate() operation by specifying, for instance, the graph of connected filters, callback functions and other parameters to be associated with the flow. The result is a flow definition in user space consisting of a graph of filters that will capture the flow, associated callbacks, etc. Thirdly, the flow definition is used as a blueprint to instantiate a `flow grabber', which is done by calling the flow_instantiate() operation. Only at instantiation time are the filters that capture the flow instantiated and connected, provided the flow definition passes the authorisation control check (Section 3.4). Fourthly, an instantiated flow grabber by itself still does not capture packets; the flow grabber first needs to be activated. Conversely, an activated flow can be paused (and subsequently re-activated). Flow activation and pausing are performed using the flow_activate() and flow_pause() operations. Finally, a flow can be closed (flow_close()). When a flow is closed (or the corresponding application crashes), all flow state is destroyed. In the remainder of this paper, we will use the term `flow' to refer both to the flow grabber (the code in the kernel that captures the flow) and to the packets captured by the flow grabber (the real `flow'), except where the distinction is important.
Instantiation is a separate step because the flow specification is sent in its entirety to authorisation control, so that we can enforce that a packet function (e.g., payload scanning) is allowed if and only if another function (e.g., a filter passing only traffic from a specific subnet) is applied before (or after) it. Flow activation is also a separate step, as it gives administrators more accurate control over the start time (flow activation is more lightweight than flow instantiation).
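To make the ordering of these steps and the authorisation rule concrete, here is an added C sketch of the flow life cycle; it is not the paper's code. The operation names are taken from the text, while the struct layout, the state and filter enums, the linear filter chain and the return codes are assumptions.

```c
/* Added illustration, not the paper's code: operation names come from the text;
 * struct layout, enums, linear filter chain and return codes are assumptions. */
#include <stddef.h>

enum filter_kind { F_SUBNET, F_PAYLOAD_SCAN };
enum flow_state { S_CREATED, S_POPULATED, S_INSTANTIATED, S_ACTIVE, S_PAUSED, S_CLOSED };

struct flow {                    /* user-space flow handle */
    enum flow_state state;
    enum filter_kind graph[8];   /* chain of connected filters (assumed linear) */
    size_t nfilters;
};

/* Step 1: the handle exists as an identifier only; nothing is captured. */
void flow_create(struct flow *f) { *f = (struct flow){ .state = S_CREATED }; }

/* Step 2: fill in the flow definition; still nothing exists in the kernel. */
int flow_populate(struct flow *f, const enum filter_kind *g, size_t n) {
    if (f->state != S_CREATED || n > 8) return -1;
    for (size_t i = 0; i < n; i++) f->graph[i] = g[i];
    f->nfilters = n; f->state = S_POPULATED;
    return 0;
}

/* Authorisation control sees the whole chain: payload scanning is permitted
 * only if a subnet filter is applied immediately before or after it. */
static int authorise(const struct flow *f) {
    for (size_t i = 0; i < f->nfilters; i++) {
        if (f->graph[i] != F_PAYLOAD_SCAN) continue;
        int before = i > 0 && f->graph[i - 1] == F_SUBNET;
        int after = i + 1 < f->nfilters && f->graph[i + 1] == F_SUBNET;
        if (!before && !after) return -1;
    }
    return 0;
}

/* Step 3: build the flow grabber only if authorised; filters connected, no capture yet. */
int flow_instantiate(struct flow *f) {
    if (f->state != S_POPULATED || authorise(f) != 0) return -1;
    f->state = S_INSTANTIATED; return 0;
}

/* Step 4: activation (also re-activation after a pause) starts capture; pause stops it. */
int flow_activate(struct flow *f) {
    if (f->state != S_INSTANTIATED && f->state != S_PAUSED) return -1;
    f->state = S_ACTIVE; return 0;
}
int flow_pause(struct flow *f) {
    if (f->state != S_ACTIVE) return -1;
    f->state = S_PAUSED; return 0;
}
void flow_close(struct flow *f) { *f = (struct flow){ .state = S_CLOSED }; } /* destroys all flow state */
```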