From: "Vadim Goncharov" <vadim_nuclight@mail.ru>
Date: Fri, 12 May 2006 20:20:13 +0700
To: freebsd-net@freebsd.org, freebsd-ipfw@freebsd.org
Subject: [patch] ipfw packet tagging
Organization: AVTF TPU Hostel

Hi, All!

I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Tested on a 5.5-PRERELEASE production server with moderate load - rock stable [I've also looked through the code - the patch is small, so there simply can't be any bugs in there ;)].

Personally, I very much like the idea from Andrey's original letter about the possibility of making a netgraph(4) node able to mark packets: this is a potential ability to build a fast (in-kernel) level 7 firewall / traffic filter without the need to fully duplicate the entire TCP/IP stack in this marking node - that's ipfw's work.
For example, rules can look like this:

# node marks traffic as good or bad based on first packets in the flow
node=300
good=1
bad=2
check-state                           # here most sorted traffic goes
netgraph $node all from any to any    # divert unmarked traffic to node
deny all from any to any tagged $bad
allow all from any to any tagged $good keep-state

-- 
WBR, Vadim Goncharov