Date:      Mon, 25 Sep 2006 19:00:44 +0200
From:      Max Laier <max@love2party.net>
To:        freebsd-pf@freebsd.org
Cc:        Ermal Luçi <ermal.luci@gmail.com>
Subject:   Re: netgraph related question
Message-ID:  <200609251900.50657.max@love2party.net>
In-Reply-To: <9a542da30609250749i52f966a3x7a9402872d33b976@mail.gmail.com>
References:  <9a542da30609250749i52f966a3x7a9402872d33b976@mail.gmail.com>


On Monday 25 September 2006 16:49, Ermal Luçi wrote:
> I am curious how difficult it would be to write a netgraph module for
> pf, kind of like ng_ipfw.

Between 100 and 600 lines of code, depending on how far you want to take it -
see below.

> And maybe looking for a pointer to which function this hooking needs to
> be added.
> After studying a little bit ng_ipfw and ipfw functions, ipfw_check() is
> the function which does the magic by a simple global variable, at least
> as far as I can tell.
> Now can it be done using the same ideas in PF too!

The basic communication between netgraph and ipfw happens via mbuf tags
attached to the packet.  Read the ng_ipfw(4) manpage for details on this.
It is non-trivial to do something along those lines in pf, as ruleset
evaluation works completely differently from what ipfw does.  I.e. the main
problem one has to solve is: How do you express the netgraph hook in
pf.conf?

One possible solution would be to have it as part of the scrub ruleset.
This is quick and easy, as the scrub ruleset is always evaluated, but it
would be adverse to the general pf idea of stateful filtering.

The more involved solution is to have the ng-hook as a rule option.  This
gives all the benefits of stateful filtering, but requires a lot more
changes in pf to make things work together.  The basic implementation is
quite easy, however.  All you need to do is add the option to the
pf_rule/pf_state structs and attach an mbuf tag accordingly.  The packet
is then diverted to netgraph, where ng_tag (or any other netgraph node)
can have a look at it and eventually send it back.  In pf_test it will match
the same rule/state again (you'd have to change a couple of things to
avoid state irritations) and you can finally pass it, as it has a
netgraph tag already attached.

Support of divert(4) sockets is something along the same line.  It would
be nice to have a way to send packets from pf to a divert socket, but the
same problem applies: How do you express the hook-point in pf?

I'd like to work on both of these problems, provided there is enough
interest and we can come up with a proper solution for the hook-point
problem.

Any ideas?

> Ah, the reason I am asking this is just to integrate PF with ng_tag,
> which can do L7 filtering.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
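The round trip Max sketches above (pf matches a rule with an ng-hook option, attaches an mbuf tag, diverts the packet to a netgraph node, and on the packet's return recognises the tag and passes it) can be modelled in a few lines of userland C. This is an added illustration, not code from the mail, from pf or from netgraph: the tag cookie, the `tag_model`/`pkt_model`/`rule_model` structs and the `pf_test_model`, `ng_node_model` and `round_trip` functions are all constructed stand-ins for the kernel's m_tag, mbuf, pf_rule and pf_test. What it shows is the defensive detail the mail hints at: the second pass through pf must only short-circuit when the tag names the same hook the rule expects, a packet the node drops never re-enters pf, and a failed tag allocation fails closed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed cookie/type for "this packet was diverted by pf"; not the real
 * ng_ipfw or pf values. */
#define NGPF_TAG_COOKIE 0x4e475046u
#define NGPF_TAG_TYPE   1

/* Hypothetical stand-in for a kernel m_tag: cookie/type identify the owner,
 * hook records which netgraph hook the packet was diverted to. */
struct tag_model {
	uint32_t cookie;
	uint16_t type;
	uint32_t hook;
	struct tag_model *next;
};

/* Hypothetical stand-in for an mbuf: a label plus its tag chain. */
struct pkt_model {
	const char *label;
	struct tag_model *tags;
};

/* Hypothetical pf rule carrying the "ng-hook" option (0 = no hook). */
struct rule_model {
	int number;
	uint32_t ng_hook;
};

enum { PFM_PASS = 0, PFM_DIVERT = 1, PFM_DROP = 2 };

static struct tag_model *tag_find(const struct pkt_model *p, uint32_t cookie, uint16_t type)
{
	for (struct tag_model *t = p->tags; t != NULL; t = t->next)
		if (t->cookie == cookie && t->type == type)
			return t;
	return NULL;
}

static int tag_attach(struct pkt_model *p, uint32_t cookie, uint16_t type, uint32_t hook)
{
	struct tag_model *t = calloc(1, sizeof(*t));
	if (t == NULL)
		return -1;
	t->cookie = cookie;
	t->type = type;
	t->hook = hook;
	t->next = p->tags;
	p->tags = t;
	return 0;
}

static void tags_free(struct pkt_model *p)
{
	while (p->tags != NULL) {
		struct tag_model *n = p->tags->next;
		free(p->tags);
		p->tags = n;
	}
}

/* Model of the pf_test decision for a packet that matched rule r. */
int pf_test_model(struct pkt_model *p, const struct rule_model *r)
{
	if (r->ng_hook == 0)
		return PFM_PASS;                /* rule has no ng-hook option */
	const struct tag_model *t = tag_find(p, NGPF_TAG_COOKIE, NGPF_TAG_TYPE);
	if (t != NULL && t->hook == r->ng_hook)
		return PFM_PASS;                /* second pass: netgraph already saw it */
	if (tag_attach(p, NGPF_TAG_COOKIE, NGPF_TAG_TYPE, r->ng_hook) != 0)
		return PFM_DROP;                /* no memory for the tag: fail closed */
	return PFM_DIVERT;                  /* first pass: hand the packet to netgraph */
}

/* Model of the netgraph node (ng_tag or similar): 1 = send back to pf,
 * 0 = drop.  The pf tag must still be on the packet when it comes back. */
int ng_node_model(const struct pkt_model *p, int verdict_ok)
{
	return tag_find(p, NGPF_TAG_COOKIE, NGPF_TAG_TYPE) != NULL && verdict_ok;
}

/* Whole round trip for one constructed packet; returns pf's final verdict. */
int round_trip(uint32_t rule_hook, int node_accepts)
{
	struct pkt_model p = { "constructed packet", NULL };
	struct rule_model r = { 1, rule_hook };
	int v = pf_test_model(&p, &r);
	if (v == PFM_DIVERT) {
		if (!ng_node_model(&p, node_accepts)) {
			tags_free(&p);
			return PFM_DROP;        /* node dropped it: never re-enters pf */
		}
		v = pf_test_model(&p, &r);  /* same rule matches again, tag present */
	}
	tags_free(&p);
	return v;
}

int main(void)
{
	printf("hooked, node accepts: %d\nhooked, node drops: %d\nno hook: %d\n",
	       round_trip(7, 1), round_trip(7, 0), round_trip(0, 1));
	return 0;
}
```

The hook-id comparison in `pf_test_model` is the part worth carrying into a real implementation: if pf passed any packet that merely carried the cookie, a packet tagged for one hook could skip inspection at a rule that expects another, which is exactly the kind of "state irritation" the mail warns about.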
