From: "Eduardo Meyer"
To: freebsd-current@freebsd.org
Date: Sun, 11 Jun 2006 19:34:20 -0300
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)

Hello Vadim,

I read the messages and man page but did not understand.
Maybe it is my lack of knowledge regarding netgraph? Well, in the man page it seems that you looked at the ipfw source code (.h in fact) to find out the tag number. Can you explain this?

A practical example: how could I, for example, block Kazaa or BitTorrent based on L7 with ng_tag? Can you please explain the steps on how to do this?

I don't run -CURRENT but I need this kind of feature very much; I am downloading a 7.0 snapshot just to test this with ipfw tag.

How does this address the problem of system-level L7 filtering? I always thought that someone would show up with a userland application that tags packets and returns the tag to ipfw filtering, but you came up with a kernel approach. How much better is it, and why, when compared to evil regexp evaluation in the kernel, or how efficient is this when compared to Linux L7, which is known to fail a lot (letting a number of packets pass)?

Sorry for all those questions, but I am an average end user, so I cannot understand it myself only by reading the code.

Thank you for your work and help. It seems that I will have a 7.0 snapshot doing this job for me until the ipfw tag MFC happens, if I can understand this approach.