From owner-freebsd-net@FreeBSD.ORG  Fri Sep 12 06:17:32 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 6B9DC106566B
	for <freebsd-net@freebsd.org>; Fri, 12 Sep 2008 06:17:32 +0000 (UTC)
	(envelope-from andrew@modulus.org)
Received: from email.octopus.com.au (host-122-100-2-232.octopus.com.au
	[122.100.2.232])
	by mx1.freebsd.org (Postfix) with ESMTP id 24ACA8FC33
	for <freebsd-net@freebsd.org>; Fri, 12 Sep 2008 06:17:31 +0000 (UTC)
	(envelope-from andrew@modulus.org)
Received: by email.octopus.com.au (Postfix, from userid 1002)
	id F170A17E3D; Fri, 12 Sep 2008 16:17:46 +1000 (EST)
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on email.octopus.com.au
X-Spam-Level: 
X-Spam-Status: No, score=-1.4 required=10.0 tests=ALL_TRUSTED autolearn=failed
	version=3.2.3
Received: from [10.1.50.60] (ppp121-44-8-108.lns10.syd7.internode.on.net
	[121.44.8.108])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: admin@email.octopus.com.au)
	by email.octopus.com.au (Postfix) with ESMTP id C03C9178A7;
	Fri, 12 Sep 2008 16:17:37 +1000 (EST)
Message-ID: <48CA0952.50804@modulus.org>
Date: Fri, 12 Sep 2008 16:16:50 +1000
From: Andrew Snow <andrew@modulus.org>
User-Agent: Thunderbird 2.0.0.14 (X11/20080523)
MIME-Version: 1.0
To: Julian Elischer <julian@elischer.org>
References: <48C97AB3.6040907@elischer.org>
	<20080912054832.Q65801@maildrop.int.zabbadoz.net>
In-Reply-To: <20080912054832.Q65801@maildrop.int.zabbadoz.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Net <freebsd-net@freebsd.org>, ipfw@freebsd.org
Subject: Re: anyone have a netgraph node to do ipfw filtering?
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2008 06:17:32 -0000



I think what you ask can be done by:

1. sending the packet through ng_mbuf to tag it
2. sending it to ng_ipfw to be sent through IPFW
3. use IPFW rules to operate on packets with the particular tag you 
attached in #1
4. as the final IPFW rule, pass the packet back in to netgraph via a 
'netgraph' IPFW rule.

I have not tried this, no idea if it would work

Best of luck! :-)


- Andrew