Date:      Mon, 23 Feb 2004 15:47:55 -0800 (PST)
From:      Julian Elischer <julian@elischer.org>
To:        Vasenin Alexander aka BlackSir <blacksir@number.ru>
Cc:        freebsd-net@freebsd.org
Subject:   RE: ng_netflow: testers are welcome
Message-ID:  <Pine.BSF.4.21.0402231538140.67378-100000@InterJet.elischer.org>
In-Reply-To: <NKEJKOHEKMBIMCCEHEPKAECNCFAA.blacksir@number.ru>


On Mon, 23 Feb 2004, Vasenin Alexander aka BlackSir wrote:

> YES! IT WORKS!
> All I needed was to create a ksocket with an inet/rawip/divert hook connected to
> the ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert),
> then "msg netflow: setdlt { iface=0 dlt=12 }" (raw IP instead of ethernet),
> then "msg divert: bind inet/0.0.0.0:8888". And after all that, add the ipfw rule "tee
> 8888 ip from any to any in" (one may need "via $oif") instead of the final allow
> (or, better, before it).
> But there is a bug in "ipfw tee" - packets are always immediately accepted
> instead of continuing through the ruleset, so tee must be the last
> rule (so ng_netflow never sees packets that are denied by ipfw before the tee rule).
> Maybe there is a way to use 'divert'? I've tried - packets go to the divert
> socket, then ng_netflow... and never come back... Actually I don't quite
> understand the mechanism of returning from divert - ng_ksocket has only one
> hook...

Ok, THEORETICALLY, the sockaddr of the packet read from a divert socket
has a 'port number' set to the ipfw rule that caused the diversion.

i.e. if you do a recvfrom() the port number of the sender address should
include the rule number of the diversion..

when you do a "sendto()" into a divert socket, the port number
in the destination addr is supposed to be a rule number AFTER WHICH
processing should restart.. in other words the packet is injected into
the IP stack, and when it enters ipfw it should IMMEDIATELY do a "skipto
NNN+1" where NNN is the last rule number you want to skip over..

if you get a sockaddr with port 8686 because it was diverted by rule
8686 then re-using that sockaddr should ensure that processing in the
ipfw list starts at the first rule number AFTER 8686.

This used to work but I have not tried it for some time
and it may have been broken in ipfw2, as I never tested it..
natd is supposed to do this.. Since you can not do a "sendto()"
in netgraph, you have to have done a "connect" on the socket
to set the port number ahead of time..

Other things are also in the sockaddr..
in the 8 "unused" bytes of the sockaddr we "hide" the incoming interface
name (for example). netgraph cannot change that but it should not need
this as it has the actual mbufs and can just set the iface pointer in
the packet header.. (assuming divert doesn't clear it..
once again, you'll need to look at the code).

> 
> Great thanks to Julian & Gleb & all who helped!
> 2Gleb: It would be a pleasure for me to write a little example based on our
> discussion for the README if you need it.
> 	Vasenin Alexander aka BlackSir
> 
> > -----Original Message-----
> > From: owner-freebsd-isp@freebsd.org
> > [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of Gleb Smirnoff
> > Sent: Monday, February 23, 2004 1:43 PM
> > To: Julian Elischer
> > Cc: freebsd-isp@freebsd.org; Bjoern A. Zeeb; Vasenin Alexander aka
> > BlackSir; freebsd-net@freebsd.org
> > Subject: Re: ng_netflow: testers are welcome
> 
> > On Sun, Feb 22, 2004 at 03:17:38PM -0800, Julian Elischer wrote:
> > J> you can open a divert socket as a netgraph node by opening a ksocket
> > J> node with protocol 'divert'.
> 
> > Really one can use "ipfw tee" to pass demasqueraded traffic to
> > ng_netflow.
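The divert(4) round trip Julian describes above (the diverting rule number arrives in sin_port on read, and re-using that same sockaddr on write makes ipfw resume after that rule), as an added C example that is not part of this thread, of ipfw or of ng_netflow. It assumes a FreeBSD host with ipfw; the IPPROTO_DIVERT value 258 is repeated from FreeBSD's headers only so the file compiles elsewhere, and the inspect() callback is a hypothetical hook for the caller's own packet checks.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
/* FreeBSD's <netinet/in.h> defines IPPROTO_DIVERT as 258 (assumed value, repeated here so the file compiles elsewhere). */
#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258
#endif
/* The rule that diverted a packet: ipfw puts it in sin_port of the sender address filled in by recvfrom(). */
uint16_t divert_rule_of(const struct sockaddr_in *from)
{
    return ntohs(from->sin_port);
}

/* sockaddr for divert(4): sin_port is the divert port for bind(), or for sendto()
 * the rule number AFTER which ipfw resumes; INADDR_ANY means "treat as outgoing". */
void divert_addr(uint16_t port_or_rule, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port_or_rule);
    sa->sin_addr.s_addr = htonl(INADDR_ANY);
}

/* Open the socket behind "ipfw add NNN divert PORT ip from any to any"; -1 on error. */
int divert_open(uint16_t port)
{
    struct sockaddr_in sa;
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) return -1;
    divert_addr(port, &sa);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* One pass-through step: read a diverted packet, let inspect() see it (return 0 to
 * drop it), then re-inject it with the UNCHANGED sender address: sin_port still names
 * the diverting rule, so ipfw restarts at the next rule; sin_addr and the interface
 * name hidden in sin_zero keep the direction and the incoming interface. */
int divert_passthrough(int fd, int (*inspect)(const unsigned char *, size_t))
{
    static unsigned char pkt[65535];
    struct sockaddr_in from;
    socklen_t flen = sizeof from;
    ssize_t n = recvfrom(fd, pkt, sizeof pkt, 0, (struct sockaddr *)&from, &flen);
    if (n < 0) return -1;
    if (inspect != NULL && inspect(pkt, (size_t)n) == 0) return 0;
    return sendto(fd, pkt, (size_t)n, 0, (struct sockaddr *)&from, flen) < 0 ? -1 : 1;
}
```

Whether a rule-number port on re-injection is honoured by the ipfw in use is exactly the "look at the code" caveat above; the loop only reproduces the documented divert(4) contract.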