From owner-freebsd-net@FreeBSD.ORG Tue May 29 20:18:51 2007 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9043316A46B for ; Tue, 29 May 2007 20:18:51 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.227]) by mx1.freebsd.org (Postfix) with ESMTP id 1F26813C46C for ; Tue, 29 May 2007 20:18:50 +0000 (UTC) (envelope-from ermal.luci@gmail.com) Received: by wx-out-0506.google.com with SMTP id h28so1379971wxd for ; Tue, 29 May 2007 13:18:50 -0700 (PDT) DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type; b=T63WJlWh1PGs6BIWhrnYEdKyz+i7TXrW8eyFtOsJFWdfO0RvQ8FBW7Av8fJQq5FQOfsIShuKIt+iMTWAhG5ZTvatqz2/cbMQs5k54MJbGm+M2pjLu2oko8YZ/pvsak7g6sND1hj2yzsihKzpZsrHN/iZ4sWh49WCz6QoJ5TRTbM= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:mime-version:content-type; b=bRulQYBEFhPK5/YeGLsL5QUsD+62cR6JeopuHDdsQyXcAkZE3fdYFEUdv/ZlqjWsYEerHMpZXMswNB4iYlWr4x8vMdqIT6tcsah2kZia8ys4HFzyyRV02O5UZ9GAzVhxn6X7ZWDe4o3b/B6aHZ6WBRCgPhf39IX37Y3K38lFvoA= Received: by 10.70.47.19 with SMTP id u19mr10785682wxu.1180469930181; Tue, 29 May 2007 13:18:50 -0700 (PDT) Received: by 10.70.73.1 with HTTP; Tue, 29 May 2007 13:18:49 -0700 (PDT) Message-ID: <9a542da30705291318t29b2d956j36b5b3ec2cb6b377@mail.gmail.com> Date: Tue, 29 May 2007 22:18:49 +0200 From: "=?ISO-8859-1?Q?Ermal_Lu=E7i?=" To: freebsd-pf@freebsd.org, freebsd-net@freebsd.org MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="----=_Part_152823_30069899.1180469929739" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Subject: [PATCH] ng_pf and l7 filtering possibility with PF X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 May 2007 20:18:51 -0000 ------=_Part_152823_30069899.1180469929739 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline This is ng_pf node based on ng_ipfw code and idea. It allows interaction of PF and netgraph. Below are the node features and a dummy example of how to use it. Patch is attached. Features, 1- By default it sends any packet that matches the rule to netgraph. Syntax: pass in from any to any netgraph 41 #41 is the hook number(it needs to be a number) 2- You can specify how many packets will be sent to netgraph. This is implemented as a keep state option. Syntax: pass in from any to any netgraph 41 keep state(max-packets-to-netgraph 4) 3- You can specify flags when adding the tag to the node. Syntax ngctl msg pf: addtag { tagname=\"TEST\" tag=60 flags=4 } There are 4 flags for now: NG_PF_KILL_STATE (actually removes state from the state pool directly from the node NG_PF_IGNORE_STATE (it schedules the state to be removed later but behaves as the above and is really faster and safer) NG_PF_SKIP_FIREWALLS (skips firewalls; the way it is implemented this really skips any firewall on freebsd at least ipfw and pf). This is per tag setting meaning you can specify which packet whith a specific tag should skip reparssing the rules. NG_PF_DROP_PACKET (really drops packet; faster than telling a rule on PF to drop it, i don't like it personally cause is kinda magic; but it is there) 4- The node has these messages: NGM_PF_ADD_TAG (needs tagname, tagid, flags) struct ng_pf_command { char name[NG_PF_TAG_NAME_SIZE]; u_int16_t tag; int flags; }; NGM_PF_RMV_TAG, (needs tagname) NGM_PF_GET_TAGS, (no arguments) #ifdef NG_PF_DEBUG NGM_PF_GET_STATS, (number of packets in/out) NGM_PF_CLR_STATS, NGM_PF_GETCLR_STATS, #endif NGM_PF_SET_TAGZONE, NGM_PF_GET_TAGZONE, NGM_PF_DEFAULT_TAGZONE (for help) 5- You can send back and forth a packet(reparse ruleset multiple times) by resending a packet that has already passed once to netgraph by a matching rule with a different hook number. I.e.: .... ..... pass in on $int from any to any netgraph 41 pass in on $int tagged ONCE_TO_NETGRAPH netgraph 42 pass in on $int tagged TWICE_TO_NETGRAPH netgraph 43 .... ... For an example how to find DC++ packets with ng_bpf tag these packets with ng_tag is available at ng_tag manual page. After that just connect a hook to ng_pf and you're done. Surely even the rule that sends the packet to the correct queue on PF side. For more discussion on ng_bpf and packet matching for P2P packets follow, http://lists.freebsd.org/pipermail/freebsd-current/2006-June/063863.html. Sample configuration of the node. 1 - kldload ng_pf (after compiling). 2 - create a sample pf.conf file like the following: pass out quick on $INT all tagged TRY keep state pass out quick on $INT proto tcp from any to any port 80 netgraph 41 # or even this. It does the same thing. pass out on $INT proto tcp from any to any port 80 netgraph 41 pass out on $INT all tagged TRY keep state #The tag TRY is added to ng_pf list of tags to translate and the tag is added to the #packet with ng_tag. 3 - configure netgraph part of things. I used the following commands on my tests: # You understand the first 2 commands :). pfctl -e pfctl -F all -f /etc/pf.test # Here we configure a tag to be translated on ng_pf node. The node translates # tagname=TRY as known by PF. ngctl msg pf: addtag { tagname=\"TRY\" tag=52 flags=0 } # Create a hook with a ng_tag node. ngctl mkpeer pf: tag 41 th1 # Give a name to the hook for simplicity. ngctl name pf:41 match # Configure ng_tag node. # We tell ng_tag to not touch the packets incoming/entering on hook = "th1" ngctl msg match: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" } # ng_tag will tag packets leaving hook="th1" with tagname=TRY. ngctl msg match: sethookout { \ thisHook=\"th1\" \ #hookname tag_id=24 \ # PACKET_TAG_PF_TAG.(1) tag_len=4 \ # usually 4 bytes since we only pass a number/tag_id. tag_data=[ 52 ] } # the tag we want to apply packets on this hook. { (1) PACKET_TAG_PF_TAG = 24 is taken from sys/mbuf.h } After this if you try to connect to port 80 of any webserver if you check the PF statistics on rule matches with: pfctl -s rules -v you'll see that packets have gone through 'match by tag' rule after passing through netgraph. Feedback is appriciated, Ermali ------=_Part_152823_30069899.1180469929739--