Date: Fri, 1 Sep 2006 17:22:47 +0800 (KRAST)
From: Eugene Grosbein <eugen@grosbein.pp.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: skv@FreeBSD.org
Subject: ports/102742: [patch] add support for ng_bpf to ports/net-mgmt/ng_ipacct scripts
Message-ID: <200609010922.k819MlXI085604@www.svzserv.kemerovo.su>
Resent-Message-ID: <200609010930.k819UJrI094525@freefall.freebsd.org>
>Number: 102742
>Category: ports
>Synopsis: [patch] add support for ng_bpf to ports/net-mgmt/ng_ipacct scripts
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Sep 01 09:30:18 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Eugene Grosbein
>Release: FreeBSD 4.11-STABLE i386
>Organization: Svyaz Service JSC
>Environment:
System: FreeBSD www.svzserv.kemerovo.su 4.11-STABLE FreeBSD 4.11-STABLE #13: Sun Jul 2 16:11:30 KRAST 2006 eu@www.svzserv.kemerovo.su:/home4/obj/home/src/sys/WWW i386
>Description:
Sometimes we do not need to feed ng_ipacct with all traffic going via a network interface but want to filter it with ng_bpf(8) before. We can easily insert ng_bpf between ng_tee and ng_ipacct, but ng_bpf needs filters to be loaded into it to work.

The following patch adds the possibility to automatically load filters into the ng_bpf(8) node using ng_ipacct_${iface}_afterstart_script, which is supplied with the interface name and is invoked just after ng_ipacct is started. This script runs when ng_bpf is fully initialized and may load filters into it.

See the patch for additional details; it contains an example of using the new feature.
>How-To-Repeat:
N/A
>Fix:
diff -ur ng_ipacct.orig/Makefile ng_ipacct/Makefile --- ng_ipacct/Makefile Tue Aug 2 00:31:50 2005 +++ ng_ipacct.new/Makefile Fri Sep 1 16:59:45 2006 @@ -7,6 +7,7 @@ PORTNAME= ng_ipacct PORTVERSION= 20050731 +PORTREVISION= 1 CATEGORIES= net-mgmt MASTER_SITES= ftp://ftp.wuppy.net.ru/pub/FreeBSD/local/kernel/ng_ipacct/ diff -ur ng_ipacct.orig/files/ng_ipacct.conf ng_ipacct/files/ng_ipacct.conf --- ng_ipacct/files/ng_ipacct.conf Wed Apr 13 08:31:57 2005 +++ ng_ipacct.new/files/ng_ipacct.conf Fri Sep 1 17:00:37 2006 
@@ -44,6 +44,27 @@ shutdown %%iface%%: ' +ng_ipacct_bpf_ether_start=' + mkpeer %%iface%%: tee lower right + name %%iface%%:lower %%iface%%_tee + connect %%iface%%: lower upper left + + mkpeer %%iface%%_tee: bpf right2left %%iface%%_in + name %%iface%%_tee:right2left %%iface%%_bpf + connect %%iface%%_tee: right2left left2right %%iface%%_out + + mkpeer %%iface%%_bpf: ipacct %%iface%%_match_in %%iface%%_in + name %%iface%%_bpf:%%iface%%_match_in %%iface%%_ip_acct + connect %%iface%%_bpf: %%iface%%_ip_acct: %%iface%%_match_out %%iface%%_out +' + +ng_ipacct_bpf_ether_stop=' + shutdown %%iface%%_ip_acct: + shutdown %%iface%%_bpf: + shutdown %%iface%%_tee: + shutdown %%iface%%: +' + # EXAMPLE 1. Ethernet interface # +-------------------------------+ 
@@ -147,3 +168,36 @@ ng_ipacct_vpn0_stop=' shutdown %%iface%%_ip_acct: ' + +# EXAMPLE 4. Ethernet interface with BPF + +# +-------------------------------+ +# | | +# (upper) (left2right)-----(xl0_in) (xl0_match_in)----(xl0_in) +# | | | | | | +# xl0 +--(left)-xl0_tee-(right) xl0_bpf xl0_ip_acct +# | | | | | | +# (lower) | (right2left)----(xl0_out) (xl0_match_out)--(xl0_out) +# | | +# +----------+ +# +# xl0 - ng_ether +# xl0_tee - ng_tee +# xl0_bpf - ng_bpf +# xl0_ip_acct - ng_ipacct + +# Configuration for 'xl0_ip_acct' node: + +ng_ipacct_xl0_dlt="EN10MB" # required line; see ipacctctl(8) +ng_ipacct_xl0_threshold="15000" # '5000' by default +ng_ipacct_xl0_verbose="yes" # 'yes' by default +ng_ipacct_xl0_saveuid="yes" # 'no' by default +ng_ipacct_xl0_savetime="no" # 'no' by default +ng_ipacct_xl0_start=${ng_ipacct_bpf_ether_start} +ng_ipacct_xl0_stop=${ng_ipacct_bpf_ether_stop} +ng_ipacct_xl0_checkpoint_script="path/to/your/script --checkpoint-and-save xl0" + # this script is called on stop (to save accumulated + # data) or via "rc.d/ng_ipacct.sh checkpoint" +ng_ipacct_xl0_afterstart_script="path/to/your/script --load-bpf-filters xl0" + # this script is called just after initialization + # of nodes to load filters into xl0_bpf diff -ur ng_ipacct.orig/files/ng_ipacct.sh.in ng_ipacct/files/ng_ipacct.sh.in --- ng_ipacct/files/ng_ipacct.sh.in Sun Apr 3 08:31:43 2005 +++ ng_ipacct.new/files/ng_ipacct.sh.in Fri Sep 1 17:08:19 2006 @@ -114,6 +114,13 @@ ${ipacctctl} ${iface}_ip_acct:${iface} verbose ${verbose} ${ipacctctl} ${iface}_ip_acct:${iface} saveuid ${saveuid} ${ipacctctl} ${iface}_ip_acct:${iface} savetime ${savetime} + + eval afterstart_script=\$ng_ipacct_${iface}_afterstart_script + if [ -n "${afterstart_script}" ]; then + (set -T + trap 'exit 1' 2 + ${afterstart_script} ${iface}) + fi fi done } Eugene Grosbein >Release-Note: >Audit-Trail: >Unformatted:
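Review bot: The ng_ipacct_bpf_ether_start template in the ng_ipacct.conf hunk at @@ -44,6 +44,27 @@ creates four hooks on the ng_bpf node (%%iface%%_in, %%iface%%_out, %%iface%%_match_in, %%iface%%_match_out) but nothing in the template says which of them the afterstart script is expected to load programs on, or where matching packets should be forwarded. A short comment above the template stating that contract (programs on %%iface%%_in and %%iface%%_out, matches sent to %%iface%%_match_in and %%iface%%_match_out) would keep a site script from programming the wrong hook and leaving ng_ipacct without traffic.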
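Review bot: The EXAMPLE 4 diagram in the ng_ipacct.conf hunk at @@ -147,3 +168,36 @@ appears to draw (left2right) connected to (xl0_in) and (right2left) to (xl0_out), while the template added earlier in the same file does `mkpeer %%iface%%_tee: bpf right2left %%iface%%_in` and then connects left2right to %%iface%%_out. One of the two should be corrected so the picture matches the wiring an administrator will actually get. The same hunk shows ng_ipacct_xl0_afterstart_script with a relative "path/to/your/script"; because ng_ipacct.sh runs that value as a command, the example would be better written as an absolute path.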
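Review bot: The result of the afterstart script is never checked in the ng_ipacct.sh.in hunk at @@ -114,6 +114,13 @@: the subshell that runs `${afterstart_script} ${iface}` is followed directly by `fi`, so a script that fails to load the filters leaves the start routine silent while ng_bpf sits in front of ng_ipacct without the filters the description says it needs. Suggest testing the subshell's exit status and printing a warning that names the interface. It is also worth documenting that the variable is expanded unquoted, so the configured command is word-split and a script path containing spaces will not work.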
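An afterstart script of the kind the report describes, as an added example that is not part of the original message or of the port. It assumes the hook names from the ng_ipacct_bpf_ether_start template in the patch, compiles the filter with `tcpdump -ddd`, and uses a hypothetical script path and a placeholder filter expression (`ip`); the sample program text is constructed.

```shell
#!/bin/sh
# Added example: afterstart script for the ng_ipacct_bpf_ether_start template.
# Hypothetical invocation: /usr/local/sbin/ipacct-bpf.sh --load-bpf-filters xl0

# Assumption: the site's filter expression; only matching packets are counted.
FILTER_EXPR="ip"

# Constructed sample of `tcpdump -s 8192 -ddd ip` output on Ethernet:
# instruction count first, then one "code jt jf k" line per instruction.
SAMPLE_IP_FILTER='4
40 0 0 12
21 0 1 2048
6 0 0 8192
6 0 0 0'

# Read `tcpdump -ddd` text on stdin and print the argument of an ng_bpf
# "setprogram" message for hook $1, forwarding matches to hook $2.
# Non-matching packets are dropped (empty ifNotMatch). Fails on bad input.
bpf_setprogram_args() {
    this_hook=$1 match_hook=$2 prog="" n=0
    read -r len || return 1
    case $len in ''|*[!0-9]*) return 1 ;; esac
    while read -r code jt jf k; do
        for f in "$code" "$jt" "$jf" "$k"; do
            case $f in ''|*[!0-9]*) return 1 ;; esac
        done
        prog="$prog { code=$code jt=$jt jf=$jf k=$k }"
        n=$((n + 1))
    done
    [ "$n" -eq "$len" ] || return 1   # truncated or padded program
    printf '{ thisHook="%s" ifMatch="%s" ifNotMatch="" bpf_prog_len=%s bpf_prog=[%s ] }\n' \
        "$this_hook" "$match_hook" "$len" "$prog"
}

# Program both directions of ${iface}_bpf; stop at the first failure so the
# caller sees a non-zero exit status.
load_filters() {
    iface=$1
    for dir in in out; do
        msg=$(tcpdump -i "$iface" -s 8192 -ddd $FILTER_EXPR |
              bpf_setprogram_args "${iface}_${dir}" "${iface}_match_${dir}") || return 1
        ngctl msg "${iface}_bpf:" setprogram "$msg" || return 1
    done
}

if [ "${1:-}" = "--load-bpf-filters" ] && [ -n "${2:-}" ]; then
    load_filters "$2" || { echo "ng_bpf filter load failed for $2" >&2; exit 1; }
fi
```

The script rejects a program whose instruction count does not match its header line, so a partial `tcpdump` result is never sent to the node.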