From owner-freebsd-current@FreeBSD.ORG Mon Jun 12 10:09:37 2006
From: "Vadim Goncharov"
Organization: AVTF TPU Hostel
To: Ganbold
Cc: freebsd-isp@freebsd.org, freebsd-net@freebsd.org, freebsd-current@freebsd.org
Date: Mon, 12 Jun 2006 17:09:19 +0700
Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility)
In-Reply-To: <448CDBA0.2010203@micom.mng.net>
References: <448CDBA0.2010203@micom.mng.net>
Content-Type: text/plain; format=flowed; delsp=yes; charset=koi8-r
User-Agent: Opera M2/7.54 (Win32, build 3865)
List-Id: Discussions about the use of FreeBSD-current
12.06.06 @ 10:12 Ganbold wrote:

> Vadim Goncharov wrote:
>> Hello All!
>>
>> I wrote a new netgraph(4) node, called ng_tag, able to match packets by
>> their mbuf_tags(9) and assign new tags to mbufs. This can be used for
>> many things in the kernel network subsystem, but it is particularly useful
>> with the recently added ipfw(8) tag/tagged functionality (will be MFCed to
>> RELENG_6 after Jun 24).
>>
>> With this node, in conjunction with ng_bpf(4), I was able to match and
>> block (perhaps shaping is also possible, but this relies solely on
>> ipfw) DirectConnect P2P data connection traffic - you know, they're
>> using random ports, so you can't match them with usual firewall rules
>> and must check the data payload contents of the packets. See the man page
>> for an example of how to do this.
>>
>> Download the files from here: http://antigreen.org/vadim/freebsd/ng_tag/
>> Then do:
>>
>> make
>> kldload ./ng_tag.ko
>>
>> The man page can be viewed with:
>>
>> cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char \
>> -man -Tascii | /usr/bin/col | more -s
>>
>> Please especially test tags with non-zero tag_len, if you can (though
>> it's not needed for ipfw).
>>
>> P.S. BTW, what is the correct subject prefix for new contributions? I think
>> [PATCH] is not correct as these are new files, not a patch :)
> You mentioned the L7 filtering possibility; is it possible to filter
> skype, msn, yahoo messenger traffic using ng_tag?

No. True L7 filtering requires complete flow analysis (especially for skype), and in the kernel we can only do per-packet analysis - but that's enough for simple things, like most P2P networks.

> If you can put some additional examples of how to block the above, that would be
> great. This is just my thought.

No. The man page is an example of using the ng_tag node only, and creating matching patterns for other nodes is another great topic.

-- 
WBR, Vadim Goncharov
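The distinction Vadim draws above, per-packet matching (what a node such as ng_bpf sees on each mbuf before ng_tag marks it and an ipfw `tagged` rule acts on it) versus full flow analysis, is easy to see in a small simulation. The following Python is an added illustration written for this archive page; it is not code from the thread, from ng_tag, or from FreeBSD. The packets, flow tuples and the `EXAMPLE-PROTO-HELLO` signature are all constructed placeholders, not real protocol fingerprints.

```python
"""Per-packet vs. per-flow payload matching.

A per-packet matcher only ever sees one packet's payload at a time, so a
protocol whose recognisable greeting fits in a single packet is caught,
while the same greeting split across two segments is missed.  A flow-level
matcher reassembles the stream first and catches both.  All sample data
below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed placeholder signature; not a real protocol fingerprint.
SIGNATURE = b"EXAMPLE-PROTO-HELLO"


@dataclass(frozen=True)
class Packet:
    flow: tuple      # (src, sport, dst, dport); addresses are constructed
    seq: int         # byte offset of this payload within the flow
    payload: bytes


FLOW_A = ("10.0.0.1", 40001, "10.0.0.2", 51234)  # greeting fits in one packet
FLOW_B = ("10.0.0.3", 40002, "10.0.0.4", 51235)  # greeting split across two packets
FLOW_C = ("10.0.0.5", 40003, "10.0.0.6", 51236)  # unrelated traffic

SAMPLE_PACKETS = [
    Packet(FLOW_A, 0, b"EXAMPLE-PROTO-HELLO version=1\n"),
    Packet(FLOW_A, 30, b"payload data...\n"),
    Packet(FLOW_B, 10, b"OTO-HELLO version=1\n"),   # second segment, arrives first
    Packet(FLOW_B, 0, b"EXAMPLE-PR"),               # first segment, arrives second
    Packet(FLOW_C, 0, b"GET / HTTP/1.0\r\n\r\n"),
]


def match_per_packet(packets, signature=SIGNATURE):
    """Flows in which at least one single packet carries the whole signature.

    This models a per-packet matcher: each mbuf is inspected on its own,
    with no memory of earlier packets of the same connection.
    """
    return {p.flow for p in packets if signature in p.payload}


def reassemble(packets):
    """Concatenate each flow's payload in sequence order.

    Deliberately simple: gaps and overlapping segments are not handled,
    which is part of why real flow reassembly belongs in a userland or
    stateful engine rather than a per-packet kernel hook.
    """
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[p.flow].append(p)
    return {
        flow: b"".join(p.payload for p in sorted(pkts, key=lambda p: p.seq))
        for flow, pkts in by_flow.items()
    }


def match_per_flow(packets, signature=SIGNATURE):
    """Flows whose reassembled stream contains the signature."""
    return {flow for flow, stream in reassemble(packets).items()
            if signature in stream}


def missed_by_per_packet(packets, signature=SIGNATURE):
    """Flows that only flow-level analysis would detect."""
    return match_per_flow(packets, signature) - match_per_packet(packets, signature)


if __name__ == "__main__":
    print("per-packet hits:", sorted(match_per_packet(SAMPLE_PACKETS)))
    print("per-flow hits:  ", sorted(match_per_flow(SAMPLE_PACKETS)))
    print("missed per-packet:", sorted(missed_by_per_packet(SAMPLE_PACKETS)))
```

Flow A is the "simple P2P" case from the reply: the greeting sits in the first packet, so a per-packet matcher tags it and a `tagged` rule can act on every following packet of that connection only if the firewall keeps its own state. Flow B shows the limit: the same greeting straddles a segment boundary and only the reassembled stream matches, which is the kind of stateful analysis the kernel hook described in the thread cannot do.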