From: "remodeler" (envelope-from remodeler@alentogroup.org)
To: freebsd-net@freebsd.org
Date: Fri, 25 Sep 2009 22:40:11 -0400
Message-Id: <20090926022715.M6906@alentogroup.org>
Subject: Help "layering hooks" to network stack - ngctl
List-Id: Networking and TCP/IP with FreeBSD

I am running a vimage-enabled kernel (8.0) for host/jails, and routing the service jails' vnets with netgraph to a central ng_bridge. I would like to use an SSL VPN to attach remote connections to the ng_bridge after NAT'ing.
The three following pseudodevices seem to me like they are interacting with the active network stack (vnet[null]?), but what I am hoping someone can tell me is what order they interact with the packet flow, or how I control that (or whether I am on a completely wrong track):

(*) OpenVPN uses a tun(4) virtual interface, which is a cloned interface of the physical ethernet interface.

(*) natd(8) uses a divert(4) socket, so it is hooking into the network stack. I could move this out into the netgraph architecture w/ ng_nat, but wonder if natd can be used.

(*) ng_ether, which is a virtual interface and node.

If I enable all three devices (tun, divert, ng_ether) on the network stack, can I control the flow of packets through them (i.e. NIC --> tun --> divert --> ng_ether)?

Thank you in advance.