From owner-freebsd-ipfw@FreeBSD.ORG Sun Oct 8 08:20:49 2006 Return-Path: X-Original-To: freebsd-ipfw@freebsd.org Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 087B516A407 for ; Sun, 8 Oct 2006 08:20:49 +0000 (UTC) (envelope-from dudu.meyer@gmail.com) Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4507943D4C for ; Sun, 8 Oct 2006 08:20:48 +0000 (GMT) (envelope-from dudu.meyer@gmail.com) Received: by ug-out-1314.google.com with SMTP id m2so452689uge for ; Sun, 08 Oct 2006 01:20:47 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=FbMdLB4G+HX59Xvxv89MHAJiM6d41rSP2ykrEj6/YdX+0kwxWNbjpB2oXvzQGoitadoFB8+okEwdMDwwM2ziAkDZTgLvUHmGjtjM+fYjocBqTWghXEAfcbbdQ1Je9h/J/lVOoZwGPw+gHnSSsCq5tbW3h2lfVCciOWxOVech1pY= Received: by 10.67.89.5 with SMTP id r5mr5377572ugl; Sun, 08 Oct 2006 01:20:44 -0700 (PDT) Received: by 10.66.248.4 with HTTP; Sun, 8 Oct 2006 01:20:44 -0700 (PDT) Message-ID: Date: Sun, 8 Oct 2006 05:20:44 -0300 From: "Eduardo Meyer" To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Subject: ipfw tag and ng_tag X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 08 Oct 2006 08:20:49 -0000 Hello, Finally with -BETA2 I can try ng_tag and ipfw tag. I have a certain unusual need to filter DNS queries which return NXDomain. Before filtering, I will make some cacti graphs. So I need to count packets with "NXDomain" expression on Layer 7. With tcpdump -X I can see that NXDomain alwas shows up perfectly, so this is the kind of L7 pattern which will be safe to filter. With hexdump(1) I found out the hex sequence for NXDomain expression to be: 4e 58 44 6f 6d 61 69 6e 0a I have the needed kernel modules loaded. What should I do next? I know I am supposed to create a ng_bpf pattern, similar to PATTERN="(ether[40:4]=0x134e5844 && ether[44:4]=0x6f6d6169 && ether[48:4]=0x6e0a)" I did it, and execute it in the following script: PATTERN="(ether[40:4]=0x134e5844 && ether[44:4]=0x6f6d6169 && ether[48:4]=0x6e0a)" NODEPATH="my_node:" INHOOK="hook1" MATCHHOOK="hook2" NOTMATCHHOOK="hook3" cat > /tmp/bpf.awk << xxENDxx { if (!init) { printf "bpf_prog_len=%d bpf_prog=[", \$1; init=1; } else { printf " { code=%d jt=%d jf=%d k=%d }", \$1, \$2, \$3, \$4; } } END { print " ]" } xxENDxx BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk` ngctl msg ${NODEPATH} setprogram { thisHook=\"${INHOOK}\" \ ifMatch=\"${MATCHHOOK}\" \ ifNotMatch=\"${NOTMATCHHOOK}\" \ ${BPFPROG} } } BUT, Here I get my first problem. Script returns: ngctl: send msg: No such file or directory I printed the full commands that returns the error, it is: ngctl msg setprogram { thisHook="" ifMatch="" ifNotMatch="" bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0 jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3 k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } } Running tcpdump -s 8192 -ddd $PATTERN manually I get: 8 32 0 0 40 21 0 5 323901508 32 0 0 44 21 0 3 1869439337 32 0 0 48 21 0 1 28170 6 0 0 8192 6 0 0 0 Which looks that the ngctl data (code, kt, jf and k) are correct. But the command returns that error for some reason. The script was taken from ng_blf(4) man page. I am all new to this netgraph thing, and I couldnt even get to the ng_tag phase (stopped in ng_bpf). I would like to have your help to work it out, please. Thank you.