Date:      Fri, 4 Mar 2011 12:01:56 -0700
From:      JJC <cummingsj@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   if_bridge and ipdivert oddity?
Message-ID:  <AANLkTi=u7N7SRHH1LxMmRZ0qpbuyw-cVEwyB=rnH8oGC@mail.gmail.com>

I have been trying to make this work for a while now and am having
unexpected results, as follows:

FreeBSD 8.1-RELEASE i386 setup with 3 NICs. em0 is numbered for management;
em1 and em2 are physically between hostA and hostB and are members of
bridge0, all unnumbered to allow for transparent bridging.

Example scenarios:

basic test

   - ipfw has an allow any any rule in it.
   - send icmp between hostA and hostB (I'm just gonna call these A and B)
   and everything looks good

divert test (note divert and bridge are built into the kernel)

   - add an ipfw divert rule, or a series of them, for counting and testing
   purposes:
      - divert 8000 ip4 from any to any via bridge0  (this was tried with
      all, ip and ip4, and on em1 and em2 also)
   - do not have a process yet listening on *:8000 to do something with the
   packets that are sent to it
   - start icmp from A to B
   - icmp gets through and the divert counters do not increment?
   - start a simple perl script that takes the diverted packets (code below)
   and re-injects them
   - icmp is still getting through but not hitting the perl process and
   divert counters still not incrementing
   - down em2, icmp does not flow (perl process still running)
   - bring up em2 -arp, and now the perl process shows that it's receiving /
   transmitting the icmp packets; divert counters stop incrementing
   - notable latency increase on the icmp roundtrip
   - kill the perl process that the packets are flowing through, icmp
   continues to flow through the interfaces, divert still increments, packet
   latency decreases?

I have tried playing with loads of sysctl knobs to see if that would help,
different flavors of divert rules, etc.  Any help would be greatly
appreciated.

The ultimate goal here is to have snort run inline transparently on fBSD

** begin perl snippet**
#!/usr/bin/perl -w
# Minimal divert pass-through: read every packet ipfw hands to divert port
# 8000 and write it back unchanged, passing the tag back so the kernel
# re-enters the ruleset after the divert rule. Prints "i"/"o" per packet.
use strict;
use Net::Divert;

select STDERR; $| = 1;   # unbuffered, so the i/o markers show up immediately

my $divobj = Net::Divert->new('localhost', 8000);

print STDERR "open new divobj\n";

# getPackets() loops forever, calling the handler once per diverted packet.
$divobj->getPackets(\&alterPacket);

sub alterPacket {
    my ($packet, $fwtag) = @_;
    print STDERR "i";
    $divobj->putPacket($packet, $fwtag);   # re-inject unchanged
    print STDERR "o";
}
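The symptom the post keeps coming back to is "the divert counters do not increment" while ping still flows, so the useful first check is a before/after diff of `ipfw -a list` rather than watching the perl process. The script below is an added example (not part of the original post or of the Net::Divert module): it parses two snapshots of `ipfw -a list` output (rule number, packet count, byte count, rule body) and flags any `divert` rule whose packet counter stayed flat while a later rule in the same ruleset did see traffic. The two snapshots embedded in the block are constructed to mirror the "divert test" scenario above; the rule numbers and counts are made up.

```python
"""Diff two `ipfw -a list` snapshots and report divert rules that traffic
is bypassing. Added example; the sample snapshots below are constructed."""
import re
import sys
from typing import Dict, List, Tuple

# One line of `ipfw -a list`: rule number, packets, bytes, rule body.
# Header lines such as "## Dynamic rules (0):" do not match and are skipped.
_RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(\d+)\s+(\d+)\s+(\S.*?)\s*$")

Rule = Tuple[int, int, str]  # (packets, bytes, body)


def parse_ipfw_counters(text: str) -> Dict[int, Rule]:
    """Parse `ipfw -a list` output into {rule_number: (packets, bytes, body)}."""
    rules: Dict[int, Rule] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if m:
            num, pkts, nbytes, body = m.groups()
            rules[int(num)] = (int(pkts), int(nbytes), body)
    return rules


def counter_deltas(before: Dict[int, Rule], after: Dict[int, Rule]) -> Dict[int, Rule]:
    """Per-rule increase in packets/bytes between two snapshots.
    A rule present only in `after` is treated as having started at zero."""
    deltas: Dict[int, Rule] = {}
    for num, (pkts_a, bytes_a, body) in after.items():
        pkts_b, bytes_b, _ = before.get(num, (0, 0, body))
        deltas[num] = (pkts_a - pkts_b, bytes_a - bytes_b, body)
    return deltas


def idle_divert_rules(deltas: Dict[int, Rule]) -> List[Tuple[int, str]]:
    """Divert rules whose packet counter did not move while some rule
    with a higher number did. That is the situation in the post: traffic is
    being accepted further down the ruleset, so the divert rule is either
    not on the path the packets take (wrong pfil hook / interface) or its
    match spec does not cover them."""
    findings: List[Tuple[int, str]] = []
    for num in sorted(deltas):
        pkts, _, body = deltas[num]
        if not body.startswith("divert ") or pkts != 0:
            continue
        if any(n > num and deltas[n][0] > 0 for n in deltas):
            findings.append((num, body))
    return findings


# Constructed snapshots: 20 pings (84 bytes each) went through while the
# divert rule on bridge0 never matched. Not real output from the poster's box.
SNAPSHOT_BEFORE = """\
00100     0      0 divert 8000 ip4 from any to any via bridge0
00200    42   3528 allow ip from any to any
65535     0      0 deny ip from any to any
"""
SNAPSHOT_AFTER = """\
00100     0      0 divert 8000 ip4 from any to any via bridge0
00200    62   5208 allow ip from any to any
65535     0      0 deny ip from any to any
"""


def main(argv: List[str]) -> int:
    # Usage: ipfw -a list > before; ping ...; ipfw -a list > after;
    #        python3 divert_check.py before after
    if len(argv) == 3:
        with open(argv[1]) as f1, open(argv[2]) as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = SNAPSHOT_BEFORE, SNAPSHOT_AFTER
    deltas = counter_deltas(parse_ipfw_counters(before), parse_ipfw_counters(after))
    for num, (pkts, nbytes, body) in sorted(deltas.items()):
        print(f"{num:05d} +{pkts:<6d} +{nbytes:<8d} {body}")
    idle = idle_divert_rules(deltas)
    for num, body in idle:
        print(f"rule {num:05d} ({body}) saw no packets while later rules did")
    return 1 if idle else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When the check fires, the next thing to compare is which pfil hook the bridged packets actually pass through: if_bridge(4) exposes `net.link.bridge.pfil_bridge` and `net.link.bridge.pfil_member`, which control whether ipfw runs on the bridge interface, on the member interfaces, or both, so a `via bridge0` rule and a `via em1` rule can legitimately count different packets on the same box.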



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?AANLkTi=u7N7SRHH1LxMmRZ0qpbuyw-cVEwyB=rnH8oGC>