From owner-freebsd-net@FreeBSD.ORG Sat Jun 10 19:43:02 2006
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
Date: Sun, 11 Jun 2006 02:16:09 +0700
To: "freebsd-net@freebsd.org"
Cc: "freebsd-current@freebsd.org"
Subject: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)
List-Id: Networking and TCP/IP with FreeBSD

Hello All!

I wrote a new netgraph(4) node, called ng_tag, able to match packets by their mbuf_tags(9) and assign new tags to mbufs.

This can be used for many things in the kernel network subsystem, but it is particularly useful with the recently added ipfw(8) tag/tagged functionality (will be MFCed to RELENG_6 after Jun 24). With this node, in conjunction with ng_bpf(4), I was able to match and block (perhaps shaping is also possible, but this relies solely on ipfw) DirectConnect P2P data connection traffic - you know, they're using random ports, so you can't match them with usual firewall rules and must check the data payload contents of the packets. See the man page for an example of how to do this.

Download the files from here:

  http://antigreen.org/vadim/freebsd/ng_tag/

Then do:

  make
  kldload ./ng_tag.ko

The man page can be viewed as:

  cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \
    -Tascii | /usr/bin/col | more -s

Please especially test tags with non-zero tag_len, if you can (though it's not needed for ipfw).

P.S. BTW, what is the correct subject prefix for new contributions? I think [PATCH] is not correct as these are new files, not a patch :)

-- 
WBR, Vadim Goncharov