From owner-freebsd-net@FreeBSD.ORG Fri Sep 12 06:17:32 2008 Return-Path: Delivered-To: freebsd-net@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B9DC106566B for ; Fri, 12 Sep 2008 06:17:32 +0000 (UTC) (envelope-from andrew@modulus.org) Received: from email.octopus.com.au (host-122-100-2-232.octopus.com.au [122.100.2.232]) by mx1.freebsd.org (Postfix) with ESMTP id 24ACA8FC33 for ; Fri, 12 Sep 2008 06:17:31 +0000 (UTC) (envelope-from andrew@modulus.org) Received: by email.octopus.com.au (Postfix, from userid 1002) id F170A17E3D; Fri, 12 Sep 2008 16:17:46 +1000 (EST) X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on email.octopus.com.au X-Spam-Level: X-Spam-Status: No, score=-1.4 required=10.0 tests=ALL_TRUSTED autolearn=failed version=3.2.3 Received: from [10.1.50.60] (ppp121-44-8-108.lns10.syd7.internode.on.net [121.44.8.108]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: admin@email.octopus.com.au) by email.octopus.com.au (Postfix) with ESMTP id C03C9178A7; Fri, 12 Sep 2008 16:17:37 +1000 (EST) Message-ID: <48CA0952.50804@modulus.org> Date: Fri, 12 Sep 2008 16:16:50 +1000 From: Andrew Snow User-Agent: Thunderbird 2.0.0.14 (X11/20080523) MIME-Version: 1.0 To: Julian Elischer References: <48C97AB3.6040907@elischer.org> <20080912054832.Q65801@maildrop.int.zabbadoz.net> In-Reply-To: <20080912054832.Q65801@maildrop.int.zabbadoz.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: FreeBSD Net , ipfw@freebsd.org Subject: Re: anyone have a netgraph node to do ipfw filtering? X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 12 Sep 2008 06:17:32 -0000 I think what you ask can be done by: 1. sending the packet through ng_mbuf to tag it 2. sending it to ng_ipfw to be sent through IPFW 3. use IPFW rules to operate on packets with the particular tag you attached in #1 4. as the final IPFW rule, pass the packet back in to netgraph via a 'netgraph' IPFW rule. I have not tried this, no idea if it would work Best of luck! :-) - Andrew