From owner-freebsd-ipfw@FreeBSD.ORG  Sun Oct  8 08:20:49 2006
Return-Path: <owner-freebsd-ipfw@FreeBSD.ORG>
X-Original-To: freebsd-ipfw@freebsd.org
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 087B516A407
	for <freebsd-ipfw@freebsd.org>; Sun,  8 Oct 2006 08:20:49 +0000 (UTC)
	(envelope-from dudu.meyer@gmail.com)
Received: from ug-out-1314.google.com (ug-out-1314.google.com [66.249.92.169])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4507943D4C
	for <freebsd-ipfw@freebsd.org>; Sun,  8 Oct 2006 08:20:48 +0000 (GMT)
	(envelope-from dudu.meyer@gmail.com)
Received: by ug-out-1314.google.com with SMTP id m2so452689uge
	for <freebsd-ipfw@freebsd.org>; Sun, 08 Oct 2006 01:20:47 -0700 (PDT)
Received: by 10.67.89.5 with SMTP id r5mr5377572ugl;
	Sun, 08 Oct 2006 01:20:44 -0700 (PDT)
Received: by 10.66.248.4 with HTTP; Sun, 8 Oct 2006 01:20:44 -0700 (PDT)
Message-ID: <d3ea75b30610080120l2e0d935ev7ce2e44c2175a5c3@mail.gmail.com>
Date: Sun, 8 Oct 2006 05:20:44 -0300
From: "Eduardo Meyer" <dudu.meyer@gmail.com>
To: freebsd-ipfw@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: ipfw tag and ng_tag
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions <freebsd-ipfw.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ipfw>
List-Post: <mailto:freebsd-ipfw@freebsd.org>
List-Help: <mailto:freebsd-ipfw-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw>,
	<mailto:freebsd-ipfw-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Oct 2006 08:20:49 -0000

Hello,

Finally with -BETA2 I can try ng_tag and ipfw tag.

I have a certain unusual need to filter DNS queries which return
NXDomain. Before filtering, I will make some cacti graphs. So I need
to count packets with the "NXDomain" expression on Layer 7.

With tcpdump -X I can see that NXDomain always shows up perfectly, so
this is the kind of L7 pattern which will be safe to filter. With
hexdump(1) I found out the hex sequence for the NXDomain expression to be:

4e 58 44 6f 6d 61 69 6e  0a

I have the needed kernel modules loaded. What should I do next? I know
I am supposed to create a ng_bpf pattern, similar to

PATTERN="(ether[40:4]=0x134e5844 &&
          ether[44:4]=0x6f6d6169 &&
          ether[48:4]=0x6e0a)"

I did it, and executed it in the following script:

PATTERN="(ether[40:4]=0x134e5844 &&
          ether[44:4]=0x6f6d6169 &&
          ether[48:4]=0x6e0a)"

NODEPATH="my_node:"
INHOOK="hook1"
MATCHHOOK="hook2"
NOTMATCHHOOK="hook3"

cat > /tmp/bpf.awk << xxENDxx
{
  if (!init) {
    printf "bpf_prog_len=%d bpf_prog=[", \$1;
    init=1;
  } else {
    printf " { code=%d jt=%d jf=%d k=%d }", \$1, \$2, \$3, \$4;
  }
}
END {
  print " ]"
}
xxENDxx

BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`
ngctl msg ${NODEPATH} setprogram { thisHook=\"${INHOOK}\" \
  ifMatch=\"${MATCHHOOK}\" \
  ifNotMatch=\"${NOTMATCHHOOK}\" \
  ${BPFPROG} } }

BUT,

Here I get my first problem. Script returns:

ngctl: send msg: No such file or directory

I printed the full command that returns the error; it is:

ngctl msg setprogram { thisHook="" ifMatch="" ifNotMatch=""
bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0
jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3
k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170
} { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } }

Running tcpdump -s 8192 -ddd $PATTERN manually I get:

8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0

Which looks like the ngctl data (code, jt, jf and k) are correct. But
the command returns that error for some reason. The script was taken
from the ng_bpf(4) man page.

I am all new to this netgraph thing, and I couldn't even get to the
ng_tag phase (stopped in ng_bpf).

I would like to have your help to work it out, please. Thank you.
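As an added check (this is not code from the message or from the ng_bpf(4) man page), the following Python does what the awk script does, turning the `tcpdump -ddd` output quoted above into the `setprogram` fields, and additionally decodes each `ld`/`jeq` pair back into the bytes the filter actually compares, so the pattern can be verified before it is loaded. The node path and hook names are the ones from the script; the tcpdump listing is embedded as a constructed sample.

```python
# Constructed sample: the `tcpdump -s 8192 -ddd` listing quoted in the message.
TCPDUMP_DDD = """8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0
"""

# Classic BPF opcodes as tcpdump -ddd prints them (decimal).
BPF_LD_W_ABS = 32   # ld  [k]          load 32-bit big-endian word at offset k
BPF_JEQ_K = 21      # jeq #k, jt, jf   compare accumulator with k
BPF_RET_K = 6       # ret #k           accept k bytes (0 = drop)

def parse_ddd(text):
    """Parse tcpdump -ddd output into (count, [(code, jt, jf, k), ...])."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    count = int(rows[0][0])
    insns = [tuple(int(f) for f in row) for row in rows[1:]]
    if len(insns) != count or any(len(i) != 4 for i in insns):
        raise ValueError("malformed -ddd listing: header says %d insns" % count)
    return count, insns

def to_ngctl_args(count, insns):
    """Render bpf_prog_len/bpf_prog exactly as the awk script in the message does."""
    body = "".join(" { code=%d jt=%d jf=%d k=%d }" % i for i in insns)
    return "bpf_prog_len=%d bpf_prog=[%s ]" % (count, body)

def matched_bytes(insns):
    """Map packet offset -> 4 bytes each (ld [off], jeq #k) pair really tests."""
    out = {}
    for (c1, _, _, off), (c2, _, _, k) in zip(insns, insns[1:]):
        if c1 == BPF_LD_W_ABS and c2 == BPF_JEQ_K:
            out[off] = k.to_bytes(4, "big")
    return out

def setprogram_msg(node, in_hook, match_hook, notmatch_hook, text):
    """Build the full ngctl command line; hook names are from the message's script."""
    count, insns = parse_ddd(text)
    return 'ngctl msg %s setprogram { thisHook="%s" ifMatch="%s" ifNotMatch="%s" %s }' % (
        node, in_hook, match_hook, notmatch_hook, to_ngctl_args(count, insns))

if __name__ == "__main__":
    print(setprogram_msg("my_node:", "hook1", "hook2", "hook3", TCPDUMP_DDD))
    for off, data in sorted(matched_bytes(parse_ddd(TCPDUMP_DDD)[1]).items()):
        print("offset %d: %s" % (off, data.hex()))
```

Decoding k back to bytes shows the last compare tests 00 00 6e 0a at offsets 48-51, because `ether[48:4]` always loads four bytes; `ether[48:2]=0x6e0a` would test just the two bytes "n\n". The empty node path and thisHook="" in the printed command mean the shell variables were unset when ngctl ran, so ngctl tried to address a node named "setprogram", which accounts for the ENOENT independently of the program itself.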