Date:      Mon, 12 Jun 2006 17:09:19 +0700
From:      "Vadim Goncharov" <vadimnuclight@tpu.ru>
To:        Ganbold <ganbold@micom.mng.net>
Cc:        freebsd-isp@freebsd.org, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org>
Subject:   Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)
Message-ID:  <opta02htoc4fjv08@nuclight.avtf.net>
In-Reply-To: <448CDBA0.2010203@micom.mng.net>
References:  <optax2g7jq4fjv08@nuclight.avtf.net> <448CDBA0.2010203@micom.mng.net>

12.06.06 @ 10:12 Ganbold wrote:

> Vadim Goncharov wrote:
>> Hello All!
>>
>> I wrote a new netgraph(4) node, called ng_tag, which is able to match
>> packets by their mbuf_tags(9) and assign new tags to mbufs. This can be
>> used for many things in the kernel network subsystem, but it is
>> particularly useful with the recently added ipfw(8) tag/tagged
>> functionality (will be MFCed to RELENG_6 after Jun 24).
>>
>> With this node, in conjunction with ng_bpf(4), I was able to match and
>> block (perhaps shaping is also possible, but this relies solely on
>> ipfw) DirectConnect P2P data-connection traffic - you know, they're
>> using random ports, so you can't match them with the usual firewall
>> rules and must check the data payload contents of the packets. See the
>> man page for an example of how to do this.
>>
>> Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
>> Then do:
>>
>>   make
>>   kldload ./ng_tag.ko
>>
>> The man page can be viewed with:
>>
>>   cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char \
>>     -man -Tascii | /usr/bin/col | more -s
>>
>> Please especially test tags with non-zero tag_len, if you can (though
>> it's not needed for ipfw).
>>
>> P.S. BTW, what is the correct subject prefix for new contributions? I
>> think [PATCH] is not correct, as these are new files, not a patch :)
> You mentioned the L7 filtering possibility; is it possible to filter
> Skype, MSN and Yahoo Messenger traffic using ng_tag?

No. True L7 filtering requires complete flow analysis (especially for
Skype), and in the kernel we can only do per-packet analysis - but that's
enough for simple things, like most P2P networks.

> If you could add some additional examples of how to block the above,
> that would be great. This is just my thought.

No. The man page is only an example of using the ng_tag node; creating
matching patterns for other nodes is another big topic.

-- 
WBR, Vadim Goncharov



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?opta02htoc4fjv08>