From: Gleb Smirnoff <glebius@freebsd.org>
To: current@freebsd.org, net@freebsd.org
Subject: [TEST/REVIEW] ng_ipfw: node to glue together ipfw(4) and netgraph(4)
Date: Mon, 17 Jan 2005 23:06:10 +0300
Message-ID: <20050117200610.GA90866@cell.sick.ru>
List-Id: Networking and TCP/IP with FreeBSD

Dear colleagues,

here is quite a simple node for direct interaction between ipfw(4) and netgraph(4). It is going to be more effective and error-prone than a complicated construction around a divert socket and ng_ksocket [1].

The semantics of node operation are quite simple. There is one node per system, which accepts any hooks with numeric names. Packets can be sent to netgraph(4) using the ipfw 'netgraph' action, followed by a numeric cookie. Matched packets are sent out from the corresponding hook of the ng_ipfw node.
These packets are tagged with information which helps them later to reenter ipfw processing. Tagged packets received on any node hook reenter the IP stack. If the net.inet.ip.fw.one_pass sysctl is non-zero they are accepted, otherwise they continue with the next rule. Non-tagged packets (not originating from the ng_ipfw node) are discarded.

Here is a sample configuration. ng_echo(4) echoes packets back from netgraph to ipfw through a tee node, which allows sniffing the traffic.

ngctl
+ ls
There are 4 total nodes:
  Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Name:                 Type: echo            ID: 00000006   Num hooks: 1
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
+ show ipfw:
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Local hook      Peer name       Peer type       Peer ID         Peer hook
  ----------      ---------       ---------       -------         ---------
  666             tee             tee             00000005        left
+ show tee:
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
  Local hook      Peer name       Peer type       Peer ID         Peer hook
  ----------      ---------       ---------       -------         ---------
  left            ipfw            ipfw            00000009        666
  right                           echo            00000006        echi

root@jujik:/usr/src:|>ipfw show
00100    292      40304 allow ip from any to any via lo0
00200      0          0 deny ip from any to 127.0.0.0/8
00300      0          0 deny ip from 127.0.0.0/8 to any
00350 290730  661428793 netgraph 666 ip from any to any
65000 627921 1896034399 allow ip from any to any
65535      0          0 deny ip from any to any

The patch [2] is applicable only to HEAD, sorry.

The target users are the ones who are now running ip_accounting/netflow using a diverted ng_ksocket, and just netgraph geeks.

Any kind of feedback is welcome via email with cc: net@.

[1] http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg03199.html
[2] http://people.freebsd.org/~glebius/totest/ng_ipfw.patch

--
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
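The packet-flow rules the mail describes (only numeric hook names are accepted, packets are tagged on the way out, one_pass decides between "accept" and "continue with the next rule" on the way back, untagged packets arriving on a hook are discarded) written out as a small user-space C model. This is an added example, not code from the mail or from the ng_ipfw patch: every struct, function and field name here is hypothetical, the real node works on mbufs and mbuf tags inside the kernel, and both the cookie range 1..65535 (ipfw rule arguments are 16-bit) and the "drop when no hook is connected for the cookie" behaviour are assumptions. The embedded ruleset is the one from the ipfw show output above, with rule matching reduced to a constructed flag per rule.

```c
/* User-space model of the ng_ipfw semantics described in the mail.
 * Hypothetical names throughout; constructed test data; not kernel code. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the tag ng_ipfw attaches before a packet leaves through a hook. */
struct ipfw_tag { bool present; uint16_t rule; uint16_t cookie; };
struct pkt      { const char *desc; struct ipfw_tag tag; };

enum verdict { VERDICT_DROP, VERDICT_ACCEPT, VERDICT_CONTINUE };

/* Hooks connected to the single ng_ipfw node, indexed by numeric cookie. */
static bool connected[65536];

/* ng_ipfw accepts only hooks with numeric names. Range 1..65535 is an assumption. */
bool ng_ipfw_hook_name_ok(const char *name, uint16_t *cookie_out)
{
    if (name == NULL || *name == '\0')
        return false;
    for (const char *p = name; *p; p++)
        if (!isdigit((unsigned char)*p))
            return false;
    char *end;
    unsigned long v = strtoul(name, &end, 10);
    if (*end != '\0' || v == 0 || v > 65535)
        return false;
    if (cookie_out)
        *cookie_out = (uint16_t)v;
    return true;
}

/* Connect a hook: refused unless the name is a valid numeric cookie. */
bool ng_ipfw_newhook(const char *name)
{
    uint16_t cookie;
    if (!ng_ipfw_hook_name_ok(name, &cookie))
        return false;
    connected[cookie] = true;
    return true;
}

/* ipfw 'netgraph <cookie>' at rule <rule>: tag the packet so it can re-enter later. */
void ipfw_netgraph_action(struct pkt *p, uint16_t rule, uint16_t cookie)
{
    p->tag.present = true;
    p->tag.rule    = rule;
    p->tag.cookie  = cookie;
}

/* Packet received on any ng_ipfw hook. one_pass mirrors net.inet.ip.fw.one_pass.
 * On CONTINUE, *resume_after receives the rule that sent the packet out, so ipfw
 * carries on with the rule following it. */
enum verdict ng_ipfw_rcvdata(const struct pkt *p, bool one_pass, uint16_t *resume_after)
{
    if (!p->tag.present)
        return VERDICT_DROP;        /* did not originate from ng_ipfw: discarded */
    if (one_pass)
        return VERDICT_ACCEPT;      /* one_pass != 0: accepted outright */
    if (resume_after)
        *resume_after = p->tag.rule;
    return VERDICT_CONTINUE;
}

/* The mail's sample ruleset. 'matches' is constructed: our test packet is not on
 * lo0 and does not involve 127/8, so only the catch-all rules match it. */
enum action { ACT_ALLOW, ACT_DENY, ACT_NETGRAPH };
struct rule { uint16_t num; enum action act; uint16_t arg; bool matches; };
static const struct rule ruleset[] = {
    {   100, ACT_ALLOW,      0, false }, /* allow ip from any to any via lo0  */
    {   200, ACT_DENY,       0, false }, /* deny ip from any to 127.0.0.0/8   */
    {   300, ACT_DENY,       0, false }, /* deny ip from 127.0.0.0/8 to any   */
    {   350, ACT_NETGRAPH, 666, true  }, /* netgraph 666 ip from any to any   */
    { 65000, ACT_ALLOW,      0, true  }, /* allow ip from any to any          */
    { 65535, ACT_DENY,       0, true  }, /* deny ip from any to any           */
};
#define NRULES (sizeof(ruleset) / sizeof(ruleset[0]))

/* Walk the ruleset for one packet. A 'netgraph' rule tags the packet and sends it
 * out the cookie's hook; the tee/echo pair of the sample graph returns it on the
 * same hook, and ng_ipfw_rcvdata() decides what happens next. */
enum verdict ipfw_run(struct pkt *p, bool one_pass, uint16_t *final_rule)
{
    uint16_t resume_after = 0;          /* 0: start with the first rule */
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &ruleset[i];
        if (r->num <= resume_after || !r->matches)
            continue;
        *final_rule = r->num;
        if (r->act == ACT_ALLOW) return VERDICT_ACCEPT;
        if (r->act == ACT_DENY)  return VERDICT_DROP;
        if (!connected[r->arg])             /* assumption: no hook, packet is dropped */
            return VERDICT_DROP;
        ipfw_netgraph_action(p, r->num, r->arg);
        enum verdict v = ng_ipfw_rcvdata(p, one_pass, &resume_after); /* echoed back */
        if (v != VERDICT_CONTINUE)
            return v;
    }
    *final_rule = 65535;                /* implicit default rule */
    return VERDICT_DROP;
}

int main(void)
{
    ng_ipfw_newhook("666");
    for (int one_pass = 0; one_pass <= 1; one_pass++) {
        struct pkt p = { "constructed test packet", { false, 0, 0 } };
        uint16_t fr = 0;
        enum verdict v = ipfw_run(&p, one_pass, &fr);
        printf("one_pass=%d: %s at rule %u\n", one_pass,
               v == VERDICT_ACCEPT ? "accept" : "drop", (unsigned)fr);
    }
    return 0;
}
```

With one_pass set the packet is accepted as soon as it comes back from the echo node; with one_pass cleared it re-enters after rule 350 and is accepted by rule 65000, which is why the counters on both rules in the ipfw show output grow together. A packet injected on the hook without a tag never reaches the ruleset.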