From owner-freebsd-net@FreeBSD.ORG Mon Jan 24 10:07:22 2005
Date: Mon, 24 Jan 2005 13:07:17 +0300
From: Gleb Smirnoff
To: julian@freebsd.org, brooks@freebsd.org, andre@freebsd.org
cc: net@freebsd.org
Message-ID: <20050124100717.GA47663@cell.sick.ru>
Subject: [TEST/REVIEW #2] ng_ipfw: node to glue together ipfw(4) and netgraph(4)
List-Id: Networking and TCP/IP with FreeBSD

Dear colleagues,

pls review an updated patch bringing in ng_ipfw node. Differences against
previous patch:

- packets coming from netgraph are queued, and later serviced by netisr
- "ngtee" keyword introduced. A copy of packet is made, and it is sent into
  netgraph. No tagging is done. Original packet is either accepted or
  continues check against rules, depending on net.inet.ip.fw.one_pass.
  Target users are the ones who are going to do ip accounting/netflow via
  ng_ipfw.
- a bit more comments in code

URL: http://people.freebsd.org/~glebius/totest/ng_ipfw.patch

A sample setup:

+ ls
There are 6 total nodes:
  Name:             Type: hole            ID: 00000009   Num hooks: 1
  Name: netflow     Type: netflow         ID: 00000008   Num hooks: 2
  Name: ngctl768    Type: socket          ID: 00000007   Num hooks: 0
  Name:             Type: hole            ID: 00000006   Num hooks: 1
  Name:             Type: echo            ID: 00000004   Num hooks: 1
  Name: ipfw        Type: ipfw            ID: 00000001   Num hooks: 3
+ show ipfw:
  Name: ipfw        Type: ipfw            ID: 00000001   Num hooks: 3
  Local hook      Peer name       Peer type       Peer ID         Peer hook
  ----------      ---------       ---------       -------         ---------
  555             netflow         netflow         00000008        iface0
  666                             hole            00000006        qqq
  100                             echo            00000004        qqq
+

root@jujik:~:|>ipfw show
00100       0          0 allow ip from any to any via lo0
00200       0          0 deny ip from any to 127.0.0.0/8
00300       0          0 deny ip from 127.0.0.0/8 to any
00400   14927   61918948 netgraph 100 ip from any to any
00500   14927   61918948 ngtee 666 ip from any to any
00600    7477    1067060 ngtee 555 ip from any to any in
65000   14927   61918948 allow ip from any to any
65535       0          0 deny ip from any to any
root@jujik:~:|>sysctl net.inet.ip.fw.one_pass
net.inet.ip.fw.one_pass: 0

On Mon, Jan 17, 2005 at 11:06:10PM +0300, Gleb Smirnoff wrote:
> Dear colleagues,
>
> here is quite a simple node for direct interaction between ipfw(4)
> and netgraph(4). It is going to be more effective and error-prone
> than a complicated construction around divert socket and ng_ksocket[1].
>
> The semantics of node operation are quite simple. There is one node
> per system, which accepts any hooks with numeric names. Packets
> can be sent to netgraph(4) using ipfw 'netgraph' action, followed
> by a numeric cookie. Matched packets are sent out from corresponding
> hook of ng_ipfw node. These packets are tagged with information which
> helps them later to reenter ipfw processing. Tagged packets received on
> any node hook reenter IP stack. If net.inet.ip.fw.one_pass sysctl is
> non-zero they are accepted, otherwise they continue with next rule.
> Non-tagged packets (not originating from ng_ipfw node) are discarded.
>
> Here is sample configuration. ng_echo(4) echoes packets back from netgraph
> to ipfw thru a tee node, which allows sniffing traffic.
>
> ngctl
> + ls
> There are 4 total nodes:
>   Name: ngctl6138   Type: socket          ID: 0000000c   Num hooks: 0
>   Name: ipfw        Type: ipfw            ID: 00000009   Num hooks: 1
>   Name:             Type: echo            ID: 00000006   Num hooks: 1
>   Name: tee         Type: tee             ID: 00000005   Num hooks: 2
> + show ipfw:
>   Name: ipfw        Type: ipfw            ID: 00000009   Num hooks: 1
>   Local hook      Peer name       Peer type       Peer ID         Peer hook
>   ----------      ---------       ---------       -------         ---------
>   666             tee             tee             00000005        left
> + show tee:
>   Name: tee         Type: tee             ID: 00000005   Num hooks: 2
>   Local hook      Peer name       Peer type       Peer ID         Peer hook
>   ----------      ---------       ---------       -------         ---------
>   left            ipfw            ipfw            00000009        666
>   right                           echo            00000006        echi
>
> root@jujik:/usr/src:|>ipfw show
> 00100     292      40304 allow ip from any to any via lo0
> 00200       0          0 deny ip from any to 127.0.0.0/8
> 00300       0          0 deny ip from 127.0.0.0/8 to any
> 00350  290730  661428793 netgraph 666 ip from any to any
> 65000  627921 1896034399 allow ip from any to any
> 65535       0          0 deny ip from any to any
>
> The patch [2] is applicable only to HEAD, sorry. The target users are
> the ones who are now running ip_accounting/netflow using diverted
> ng_ksocket, and just netgraph geeks.

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
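The sample setup in the mail above is shown only as ngctl(8) and ipfw(8) output; the following script is an added example, not code from the mail or from the ng_ipfw patch, that rebuilds that topology from scratch: hook 100 to ng_echo (packets come straight back and reenter ipfw at the next rule, since one_pass is 0), hook 666 to ng_hole (the untagged ngtee copy is discarded), and hook 555 to ng_netflow for accounting of inbound traffic. Cookie values, node types and the peer hook names (qqq, iface0) are taken from the mail's output. Two things are assumptions not stated in the mail: that ng_netflow passes packets on through a hook called out0 and that the second ng_hole in the node list is its sink, and that the "ipfw" node exists as soon as the ng_ipfw module is loaded. The script also refuses non-numeric cookies up front, because ng_ipfw only accepts hooks with numeric names.

```shell
#!/bin/sh
# Added example (not from the original mail or the ng_ipfw patch): rebuild the
# sample ng_ipfw topology as an ngctl(8) script plus the matching ipfw rules.
# Run without arguments to print both; run "apply" (as root, on a host with
# the patch) to load the modules and execute them.
set -eu

# ng_ipfw accepts only hooks with purely numeric names, so reject anything
# else before it reaches ngctl (returns 0 for a valid cookie, 1 otherwise).
is_cookie() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Print the ngctl script. Arguments: echo cookie, hole cookie, netflow cookie
# (defaults are the values from the mail: 100, 666, 555).
ngctl_script() {
    echo_hook=${1:-100}; hole_hook=${2:-666}; flow_hook=${3:-555}
    for h in "$echo_hook" "$hole_hook" "$flow_hook"; do
        is_cookie "$h" || { echo "ng_ipfw hook names must be numeric: $h" >&2; return 1; }
    done
    cat <<EOF
# ipfw 'netgraph $echo_hook': ng_echo returns the tagged packet, which then
# reenters ipfw at the next rule (one_pass=0) or is accepted (one_pass=1)
mkpeer ipfw: echo $echo_hook qqq
# ipfw 'ngtee $hole_hook': the untagged copy is simply dropped by ng_hole
mkpeer ipfw: hole $hole_hook qqq
# ipfw 'ngtee $flow_hook ... in': copies of inbound packets feed ng_netflow
mkpeer ipfw: netflow $flow_hook iface0
name ipfw:$flow_hook netflow
# assumption: ng_netflow hands packets on via out0; sink them in a second ng_hole
mkpeer netflow: hole out0 qqq
EOF
}

# Print the ipfw rules from the mail, with the same cookie arguments.
ipfw_rules() {
    echo_hook=${1:-100}; hole_hook=${2:-666}; flow_hook=${3:-555}
    cat <<EOF
ipfw add 100 allow ip from any to any via lo0
ipfw add 200 deny ip from any to 127.0.0.0/8
ipfw add 300 deny ip from 127.0.0.0/8 to any
ipfw add 400 netgraph $echo_hook ip from any to any
ipfw add 500 ngtee $hole_hook ip from any to any
ipfw add 600 ngtee $flow_hook ip from any to any in
ipfw add 65000 allow ip from any to any
sysctl net.inet.ip.fw.one_pass=0
EOF
}

# Load the node types (assumption: loading ng_ipfw creates the "ipfw" node),
# then feed the script to ngctl and the rules to a shell that stops on error.
apply() {
    for m in ng_ipfw ng_echo ng_hole ng_netflow; do
        kldstat -n "$m" >/dev/null 2>&1 || kldload "$m"
    done
    ngctl_script "$@" | ngctl -f -
    ipfw_rules "$@" | sh -e
}

case "${1:-show}" in
    apply) shift; apply "$@" ;;
    *)     ngctl_script; echo; ipfw_rules ;;
esac
```

Only the cookies are parameters; the rule numbers and the hook-to-node-type mapping stay fixed to what the mail shows, so the printed output can be compared line by line against the `ngctl show ipfw:` and `ipfw show` listings above before anything is applied.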