From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 4 19:32:24 2011
From: JJC <cummingsj@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Fri, 4 Mar 2011 12:01:56 -0700
Subject: if_bridge and ipdivert oddity?
List-Id: IPFW Technical Discussions

I have been trying to make this work for a while now and am having unexpected results, as follows:

FreeBSD 8.1 Release i386 setup with 3 NICs. em0 is numbered for management; em1 and em2 are physically between hostA and hostB and are members of bridge0, all unnumbered to allow for transparent bridging.

Example scenarios:

basic test - ipfw has an allow any any rule in it:
- send icmp between hostA and hostB (I'm just gonna call these A and B) and everything looks good

divert test (note divert and bridge are built into the kernel):
- add an ipfw divert rule, or series of them, for counting and testing purposes
- divert 8000 ip4 from any to any via bridge0 (this was tried with all, ip and ip4, and on em1 and em2 also)
- do not have a process yet listening on *:8000 to do something with the packets that are sent to it
- start icmp from A to B
- icmp gets through and the divert counters do not increment?
- start a simple perl script that takes the diverted packets (code below) and re-injects them
- icmp is still getting through but not hitting the perl process, and divert counters still not incrementing
- down em2: icmp does not flow (perl process still running)
- bring up em2 - arp, and now the perl process shows that it's receiving / transmitting the icmp packets; divert counters stop incrementing
- notable latency increase on the icmp roundtrip
- kill the perl process that the packets are flowing through: icmp continues to flow through the interfaces, divert still increments, packet latency decreases?

I have tried playing with loads of sysctl knobs to see if that would help, different flavors of divert rules etc... any help would be greatly appreciated.
The ultimate goal here is to have snort run inline transparently on fBSD.

** begin perl snippet **

#!/usr/bin/perl -w
use strict;
use Net::Divert;

# Unbuffered diagnostics on stderr so the i/o markers show up per packet.
select STDERR; $| = 1;

# Bind a divert socket to port 8000, matching the "divert 8000" ipfw rule.
my $divobj = Net::Divert->new('localhost', 8000);
printf(STDERR "open new divobj\n");

# Block reading diverted packets; each one is handed to alterPacket.
$divobj->getPackets(\&alterPacket);

sub alterPacket {
    my ($packet, $fwtag) = @_;
    printf(STDERR "i");                    # packet received from the kernel
    # Re-inject unchanged; $fwtag carries the ipfw rule number (and the
    # interface) so processing resumes after the divert rule.
    $divobj->putPacket($packet, $fwtag);
    printf(STDERR "o");                    # packet handed back
}
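As an added example (not the poster's script and not part of Net::Divert), the same divert-socket loop in Python, with each packet decoded and checksum-verified before it is re-injected, so that what the divert rule actually delivers can be seen per packet instead of as bare "i"/"o" markers. It assumes FreeBSD's IPPROTO_DIVERT value of 258 (the Python socket module does not export it), the port 8000 from the poster's rule, and root on a FreeBSD host for the socket itself; the decoding and counting logic is exercised on a constructed ICMP echo request and runs anywhere.

```python
"""Divert-socket reader/re-injector that decodes each packet before putting
it back (added example; not the poster's script, not part of Net::Divert)."""
import socket
import struct
import sys

# Assumption: FreeBSD defines IPPROTO_DIVERT as 258 in <netinet/in.h>.
IPPROTO_DIVERT = 258
DIVERT_PORT = 8000             # the "divert 8000" port from the poster's rule
IPV4_HEADER = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header layout


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed IPv4 header; raise ValueError for anything malformed."""
    if len(packet) < 20:
        raise ValueError("short packet")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     checksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "ihl": ihl, "checksum": checksum,
            "payload": packet[ihl:min(total_len, len(packet))]}


def ipv4_checksum_ok(packet: bytes) -> bool:
    """A valid header sums to zero when the checksum field is included."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_checksum(packet[:ihl]) == 0


def describe(packet: bytes) -> str:
    """One-line summary; ICMP echo traffic (the poster's test) is named."""
    hdr = parse_ipv4(packet)
    line = f"{hdr['src']} -> {hdr['dst']}"
    if hdr["proto"] == 1 and len(hdr["payload"]) >= 4:
        icmp_type, icmp_code = hdr["payload"][0], hdr["payload"][1]
        name = {8: "echo-request", 0: "echo-reply"}.get(icmp_type, f"type{icmp_type}")
        return f"{line} icmp {name} code {icmp_code} ttl {hdr['ttl']}"
    return f"{line} proto {hdr['proto']} ttl {hdr['ttl']}"


class Reinjector:
    """Count, summarise and re-inject diverted packets.  The send callable is
    injected so the logic can be exercised without a real divert socket."""

    def __init__(self, send):
        self.send = send
        self.seen = self.reinjected = self.dropped = 0

    def handle(self, packet: bytes, addr) -> str:
        self.seen += 1
        try:
            summary = describe(packet)
        except ValueError as exc:
            self.dropped += 1            # never put a malformed packet back
            return f"dropped: {exc}"
        if not ipv4_checksum_ok(packet):
            self.dropped += 1
            return "dropped: bad IPv4 header checksum"
        # addr is the (address, rule-number) pair recvfrom() returned; sending
        # to it resumes ipfw processing after the divert rule, like $fwtag.
        self.send(packet, addr)
        self.reinjected += 1
        return summary


def build_sample_echo_request() -> bytes:
    """Constructed sample: 10.0.0.1 -> 10.0.0.2 ICMP echo request, no data."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)
    icmp = icmp[:2] + struct.pack("!H", ones_complement_checksum(icmp)) + icmp[4:]
    hdr = struct.pack(IPV4_HEADER, 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                      socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2"))
    hdr = hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]
    return hdr + icmp


SAMPLE_PACKET = build_sample_echo_request()


def run(port: int = DIVERT_PORT) -> None:
    # Needs root on FreeBSD; recvfrom/sendto mirror getPackets/putPacket.
    sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, IPPROTO_DIVERT)
    sock.bind(("0.0.0.0", port))
    worker = Reinjector(sock.sendto)
    while True:
        packet, addr = sock.recvfrom(65535)
        print(worker.handle(packet, addr), file=sys.stderr)


if __name__ == "__main__":
    if sys.platform.startswith("freebsd"):
        run()
    else:
        print("no divert(4) here; decoded sample:", describe(SAMPLE_PACKET))
```

Calling sendto() with the pair recvfrom() handed back is what putPacket($packet, $fwtag) does: per divert(4), the port half is the ipfw rule number at which processing resumes and the address half tells the kernel whether to treat the packet as incoming (an interface address) or outgoing (INADDR_ANY), so it must be passed back untouched. Separately, whether ipfw sees a bridged packet on bridge0 or on em1/em2 is governed by the net.link.bridge.pfil_bridge and net.link.bridge.pfil_member sysctls described in if_bridge(4), so the rule's via clause has to name the interface on which filtering is actually enabled.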