Date:      Fri, 12 May 2006 20:20:13 +0700
From:      "Vadim Goncharov" <vadim_nuclight@mail.ru>
To:        freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject:   [patch] ipfw packet tagging
Message-ID:  <ops9fwnzbw17d6mn@nuclight.avtf.net>

Hi, All!

I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Tested on a 5.5-PRERELEASE production server with moderate
load - rock stable [I've also looked through the code - the patch
is small, so there simply can't be any bugs in there ;)].

Personally, I very much like the idea from Andrey's original letter
about the possibility of making a netgraph(4) node able to mark
packets: this is a potential ability to build a fast (in-kernel)
level-7 firewall / traffic filter without the need to fully duplicate
the entire TCP/IP stack in this marking node - that's ipfw's work.

For example, rules can look like this:

# node marks traffic as good or bad based on first packets in the flow
node=300
good=1
bad=2

check-state				# here most sorted traffic goes
netgraph $node all from any to any	# divert unmarked traffic to node
deny all from any to any tagged $bad
allow all from any to any tagged $good keep-state

-- 
WBR, Vadim Goncharov
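The ruleset sketched in the message, rendered as explicit numbered "ipfw add" lines by a small POSIX sh script. This is an added example, not code from the message, the patch or FreeBSD; it assumes the tag/tagged syntax shown above, that ipfw(8) accepts a file of "add ..." lines (e.g. `gen_ruleset 300 1 2 > /etc/ipfw.tags && ipfw -q /etc/ipfw.tags`), that the ng_ipfw cookie and tag ids are 16-bit integers, and that with net.inet.ip.fw.one_pass=0 a packet returning from the netgraph node continues at the rule after the one that diverted it, which is what makes the deny/allow "tagged" rules below reachable.

```shell
#!/bin/sh
# Added example: emit the tag/tagged + netgraph ruleset as numbered
# "add" lines loadable with  ipfw -q <file>.  Not part of the original
# message; rule numbers, the cookie/tag limits and the one_pass remark
# are this script's assumptions.

# is_uint VALUE MAX -> succeeds if VALUE is a decimal integer in 1..MAX
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$2" ]
}

# gen_ruleset NODE GOOD BAD [BASE]
# NODE: ng_ipfw cookie of the marking node; GOOD/BAD: tag ids the node
# sets; BASE: first rule number (default 1000), step 10.
gen_ruleset() {
    node=$1; good=$2; bad=$3; base=${4:-1000}
    # Assumed limits: 16-bit cookie, tag ids below 65535.
    is_uint "$node" 65535 || { echo "bad node cookie: $node" >&2; return 1; }
    is_uint "$good" 65534 || { echo "bad tag: $good" >&2; return 1; }
    is_uint "$bad"  65534 || { echo "bad tag: $bad" >&2; return 1; }
    [ "$good" -ne "$bad" ] || { echo "good and bad tags must differ" >&2; return 1; }

    n=$base
    # 1. Flows already classified hit their dynamic rule here and are
    #    accepted without visiting the node again.
    printf 'add %d check-state\n' "$n"; n=$((n + 10))
    # 2. Unclassified traffic goes to the marking node.  With
    #    net.inet.ip.fw.one_pass=0 the packet comes back and processing
    #    continues at the next rule, carrying whatever tag the node set.
    printf 'add %d netgraph %d all from any to any\n' "$n" "$node"; n=$((n + 10))
    # 3. Node said "bad": drop.
    printf 'add %d deny all from any to any tagged %d\n' "$n" "$bad"; n=$((n + 10))
    # 4. Node said "good": allow and create a dynamic rule so the rest
    #    of the flow is handled by check-state.
    printf 'add %d allow all from any to any tagged %d keep-state\n' "$n" "$good"
}

# Example use with the values from the message (node 300, good 1, bad 2).
gen_ruleset 300 1 2
```

Untagged packets that return from the node match neither rule 3 nor rule 4 and fall through to whatever follows, so a closing deny (or the default rule) still decides their fate; the script deliberately does not add one, since that policy belongs to the rest of the ruleset.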


