Date: Fri, 30 Jul 2004 11:47:13 +0400 From: "Alexander Vasenin aka BlackSir" <blacksir@number.ru> To: "Glenn Dawson" <glenn@antimatter.net>, <stable@freebsd.org> Subject: RE: clarification regarding netgraph and ipfw Message-ID: <NKEJKOHEKMBIMCCEHEPKKENODGAA.blacksir@number.ru> In-Reply-To: <6.1.0.6.2.20040729234631.04717bc8@cobalt.antimatter.net>
index | next in thread | previous in thread | raw e-mail
Maybe this is rather crucial solution, but ng_netflow can deal with raw IP (and not only ethernet), so, you can set 'divert' or 'tee' rule for passing traffic from arbitrary place in ipfw to ng_ksocket, which connected to ng_netflow (which export NetFlow through another ng_ksocket). I use tee (with 'tee' patch, described in PR/60377). Alexander Vasenin aka BlackSir > -----Original Message----- > From: owner-freebsd-stable@freebsd.org > [mailto:owner-freebsd-stable@freebsd.org]On Behalf Of Glenn Dawson > Sent: Friday, July 30, 2004 11:00 AM > To: stable@freebsd.org > Subject: clarification regarding netgraph and ipfw > > > > Greetings, > > I have a firewall running -STABLE. I'm using ipfw2 for filtering and > ng_netgraph (via ng_tee) to export netflow data. > > According to the man page for ng_ether, the lower hook gets raw ethernet > frames as they come off the wire. Reading the man page for ipfw it seems > to say that if I turn on net.link.ether.ipfw in sysctl that it will also > get things as they come off the wire. > > So my question is, which one gets them first? > > The reason I ask is that if I have an ipfw rule to block traffic from an > IP, will it get counted by ng_netgraph? Or will ipfw drop the packet > before it even gets to ng_ether? > > If the packets go through ng_ether first and then through ipfw, does anyone > know if it's possible to reverse that behavior? I'm doing billing based on > traffic and don't want the netflow data to include packets that were > dropped by ipfw. > > Thanks in advance for any insight. > > -Glenn > > _______________________________________________ > freebsd-stable@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org" >home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NKEJKOHEKMBIMCCEHEPKKENODGAA.blacksir>