From: Brooks Davis
To: Gleb Smirnoff
cc: current@freebsd.org, net@freebsd.org
Date: Tue, 18 Jan 2005 10:35:59 -0800
Subject: Re: [TEST/REVIEW] ng_ipfw: node to glue together ipfw(4) and netgraph(4)
Message-ID: <20050118183558.GA15150@odin.ac.hmc.edu>
In-Reply-To: <20050117200610.GA90866@cell.sick.ru>
List-Id: Networking and TCP/IP with FreeBSD

On Mon, Jan 17, 2005 at 11:06:10PM +0300, Gleb Smirnoff wrote:
> Dear colleagues,
>
> here is quite a simple node for direct interaction between ipfw(4)
> and netgraph(4). It is going to be more effective and error-prone
> than a complicated construction around divert socket and ng_ksocket[1].
>
> The semantics of node operation are quite simple. There is one node
> per system, which accepts any hooks with numeric names. Packets
> can be sent to netgraph(4) using the ipfw 'netgraph' action, followed
> by a numeric cookie. Matched packets are sent out from the corresponding
> hook of the ng_ipfw node. These packets are tagged with information which
> helps them later to reenter ipfw processing. Tagged packets received on
> any node hook reenter the IP stack. If the net.inet.ip.fw.one_pass sysctl is
> non-zero they are accepted, otherwise they continue with the next rule.
> Non-tagged packets (not originating from the ng_ipfw node) are discarded.
>
> Here is a sample configuration. ng_echo(4) echoes packets back from netgraph
> to ipfw through a tee node, which allows sniffing of the traffic.
>
> ngctl
> + ls
> There are 4 total nodes:
>   Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
>   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
>   Name:                 Type: echo            ID: 00000006   Num hooks: 1
>   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
> + show ipfw:
>   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
>   Local hook      Peer name       Peer type    Peer ID         Peer hook
>   ----------      ---------       ---------    -------         ---------
>   666             tee             tee          00000005        left
> + show tee:
>   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
>   Local hook      Peer name       Peer type    Peer ID         Peer hook
>   ----------      ---------       ---------    -------         ---------
>   left            ipfw            ipfw         00000009        666
>   right                           echo         00000006        echi
>
> root@jujik:/usr/src:|>ipfw show
> 00100    292     40304 allow ip from any to any via lo0
> 00200      0         0 deny ip from any to 127.0.0.0/8
> 00300      0         0 deny ip from 127.0.0.0/8 to any
> 00350 290730 661428793 netgraph 666 ip from any to any
> 65000 627921 1896034399 allow ip from any to any
> 65535      0         0 deny ip from any to any
>
> The patch [2] is applicable only to HEAD, sorry. The target users are
> the ones who are now running ip_accounting/netflow using a diverted
> ng_ksocket, and just netgraph geeks.

I like the idea and I've glanced at the patch.

You should put the new op-code at the end of the list to avoid breaking
the IPFW ABI. There should probably be a comment about this in ip_fw.h.

-- Brooks
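The packet flow Gleb describes (the 'netgraph <cookie>' action handing a packet out of the hook named by the cookie, the tag that records which rule did so, the one_pass sysctl deciding whether a returning packet is accepted or resumes at the next rule, and untagged packets from the netgraph side being discarded) can be modelled in a few lines. The following is an added illustration written for this page in Python, not the ng_ipfw kernel code or anything from the patch; its ruleset is the one from the `ipfw show` output above plus a constructed rule 400 (deny from 10.0.0.0/8) that makes the one_pass difference visible, and all addresses, interface names and the Packet/Rule classes are constructed for the model.

```python
"""Model of the ng_ipfw packet flow described in the post (constructed
illustration, not the kernel implementation).

- ipfw rule with action 'netgraph <cookie>' sends the packet out of the
  ng_ipfw hook named <cookie> and tags it with (cookie, rule number).
- A tagged packet received on any ng_ipfw hook re-enters the stack:
  accepted outright if one_pass != 0, otherwise at the rule after the
  one that sent it out.
- A packet without the tag did not originate from ng_ipfw and is
  discarded, so the netgraph side cannot inject arbitrary traffic
  into the IP stack through this node.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    iface: str = "em0"                         # constructed interface name
    ng_tag: Optional[Tuple[int, int]] = None   # (cookie, rule number) set by ng_ipfw


@dataclass
class Rule:
    number: int
    action: str                   # "allow", "deny" or "netgraph"
    cookie: Optional[int] = None  # ng_ipfw hook name for the 'netgraph' action
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    via: Optional[str] = None     # models 'via <ifname>'

    def matches(self, pkt: Packet) -> bool:
        if self.via is not None and pkt.iface != self.via:
            return False
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst))


class IpfwWithNgIpfw:
    def __init__(self, rules: List[Rule], one_pass: int = 0):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.one_pass = one_pass                   # models net.inet.ip.fw.one_pass
        self.hooks: Dict[int, List[Packet]] = {}   # packets sent out of each hook

    def run(self, pkt: Packet, after_rule: Optional[int] = None) -> str:
        """Walk the ruleset, optionally resuming after a given rule number."""
        for rule in self.rules:
            if after_rule is not None and rule.number <= after_rule:
                continue
            if not rule.matches(pkt):
                continue
            if rule.action == "netgraph":
                pkt.ng_tag = (rule.cookie, rule.number)
                self.hooks.setdefault(rule.cookie, []).append(pkt)
                return "netgraph"
            return "accept" if rule.action == "allow" else "deny"
        return "deny"   # implicit final rule 65535

    def from_netgraph(self, pkt: Packet) -> str:
        """A packet arriving on an ng_ipfw hook from the netgraph side."""
        if pkt.ng_tag is None:
            return "discarded"          # not tagged by ng_ipfw: never reaches the stack
        _cookie, rule_number = pkt.ng_tag
        pkt.ng_tag = None               # tag is consumed on re-entry
        if self.one_pass:
            return "accept"
        return self.run(pkt, after_rule=rule_number)


def sample_rules() -> List[Rule]:
    """Ruleset from the post's 'ipfw show', plus a constructed rule 400."""
    return [
        Rule(100, "allow", via="lo0"),
        Rule(200, "deny", dst="127.0.0.0/8"),
        Rule(300, "deny", src="127.0.0.0/8"),
        Rule(350, "netgraph", cookie=666),
        Rule(400, "deny", src="10.0.0.0/8"),   # constructed, not in the post
        Rule(65000, "allow"),
    ]


def echo_roundtrip(src: str, one_pass: int) -> Tuple[str, str]:
    """Send a packet through rule 350 and have ng_tee/ng_echo hand it back."""
    fw = IpfwWithNgIpfw(sample_rules(), one_pass=one_pass)
    pkt = Packet(src=src, dst="192.0.2.10")
    first = fw.run(pkt)             # -> "netgraph", pkt now tagged (666, 350)
    second = fw.from_netgraph(pkt)  # echoed back on hook 666
    return first, second


if __name__ == "__main__":
    print(echo_roundtrip("192.0.2.5", one_pass=0))   # ('netgraph', 'accept')
    print(echo_roundtrip("10.0.0.1", one_pass=0))    # ('netgraph', 'deny')  stopped by rule 400
    print(echo_roundtrip("10.0.0.1", one_pass=1))    # ('netgraph', 'accept') skips rule 400
    fw = IpfwWithNgIpfw(sample_rules())
    print(fw.from_netgraph(Packet("198.51.100.1", "192.0.2.10")))  # discarded
```

With one_pass=0 the echoed packet continues at rule 400 and is denied, while one_pass=1 accepts it without consulting the remaining rules; the untagged packet injected from the netgraph side is discarded in both modes.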