From: "Rajkumar S"
To: freebsd-net@freebsd.org
Date: Tue, 29 Aug 2006 19:39:04 +0530
Subject: Re: Netgraph plumbing question

On 8/28/06, Rajkumar S wrote:
> On 8/26/06, Ruslan Ermilov wrote:
> > + msg bpf: setprogram { thisHook="in1" ifNotMatch="mixed" }
>
> This is not working, and I get an error:
> ngctl: send msg: Invalid argument

Did some more work on this. It seems the full commands need to be given. The following commands are working fine, and I am able to ping from an external machine to my box.

+ mkpeer rl0: bpf lower from_lower
+ name rl0:lower bpf
+ connect rl0: bpf: upper to_upper
+ mkpeer bpf: hole discard discard
+ msg bpf: setprogram { thisHook="from_lower" ifMatch="discard" ifNotMatch="to_upper" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=0 } ] }
+ msg bpf: setprogram { thisHook="to_upper" ifMatch="discard" ifNotMatch="from_lower" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=0 } ] }

Now I am trying to allow only icmp

+ msg bpf: setprogram { thisHook="from_lower" ifMatch="to_upper" ifNotMatch="discard" bpf_prog_len=6 bpf_prog=[ { code=40 jt=0 jf=0 k=12 } { code=21 jt=0 jf=3 k=2048 } { code=48 jt=0 jf=0 k=23 } { code=21 jt=0 jf=1 k=1 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] }
+ msg bpf: setprogram { thisHook="to_upper" ifMatch="from_lower" ifNotMatch="discard" bpf_prog_len=6 bpf_prog=[ { code=40 jt=0 jf=0 k=12 } { code=21 jt=0 jf=3 k=2048 } { code=48 jt=0 jf=0 k=23 } { code=21 jt=0 jf=1 k=1 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] }

which also works. I will try with C code also tomorrow.

raj
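
Added example, not part of the original message: a Python sketch that parses the six-instruction bpf_prog from the ICMP setprogram commands above, disassembles it, and runs it over constructed Ethernet frames to check that only IPv4 ICMP yields a non-zero (match) result. The helper names and the test frames are assumptions made for illustration, and only the four classic BPF opcodes this program uses are handled.

```python
import re

# The ICMP program from the message, in ngctl's text form.
NG_PROG = ("bpf_prog=[ { code=40 jt=0 jf=0 k=12 } { code=21 jt=0 jf=3 k=2048 } "
           "{ code=48 jt=0 jf=0 k=23 } { code=21 jt=0 jf=1 k=1 } "
           "{ code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ]")

# Classic BPF opcodes used above: load half/byte absolute, jump-if-equal, return.
MNEMONIC = {0x28: "ldh [{k}]", 0x30: "ldb [{k}]",
            0x15: "jeq #{k:#x} jt {t} jf {f}", 0x06: "ret #{k}"}

def parse_prog(text):
    """Extract (code, jt, jf, k) tuples from an ngctl bpf_prog=[...] string."""
    pat = r"code=(\d+)\s+jt=(\d+)\s+jf=(\d+)\s+k=(\d+)"
    return [tuple(map(int, m)) for m in re.findall(pat, text)]

def disasm(prog):
    """Render each instruction as a mnemonic with absolute jump targets."""
    return [MNEMONIC[c].format(k=k, t=pc + 1 + jt, f=pc + 1 + jf)
            for pc, (c, jt, jf, k) in enumerate(prog)]

def run(prog, pkt):
    """Interpret prog over pkt; non-zero means ifMatch, 0 means ifNotMatch."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code in (0x28, 0x30):
            size = 2 if code == 0x28 else 1
            if k + size > len(pkt):
                return 0  # out-of-bounds load rejects the packet
            acc = int.from_bytes(pkt[k:k + size], "big")
        elif code == 0x15:
            pc += jt if acc == k else jf
        elif code == 0x06:
            return k
        else:
            raise ValueError(f"opcode {code:#x} not handled in this sketch")
    return 0

def frame(ethertype, ip_proto):
    """Constructed test frame: Ethernet header plus a minimal IPv4 header."""
    ip = bytes([0x45]) + bytes(8) + bytes([ip_proto]) + bytes(10)
    return bytes(12) + ethertype.to_bytes(2, "big") + ip

if __name__ == "__main__":
    prog = parse_prog(NG_PROG)
    print("\n".join(disasm(prog)))
    for name, pkt in [("icmp", frame(0x0800, 1)), ("tcp", frame(0x0800, 6)),
                      ("arp", frame(0x0806, 0))]:
        print(name, "->", "ifMatch" if run(prog, pkt) else "ifNotMatch")
```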