Date: Tue, 13 Jun 2006 01:45:44 +0400 From: "Alexander V. Chernikov" <melifaro@su29.net> To: Vadim Goncharov <vadimnuclight@tpu.ru> Cc: "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>, "freebsd-current@freebsd.org" <freebsd-current@freebsd.org> Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility) Message-ID: <448DE088.8070700@su29.net> In-Reply-To: <optax2g7jq4fjv08@nuclight.avtf.net> References: <optax2g7jq4fjv08@nuclight.avtf.net>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi,
I have recent 7.0-current and this node seems to work for me.
Node code compiles and loads into kernel without any problems.
After some time experimenting with ng_bpf(4) i was able to tag
packets matched by bpf filter.
Of course, the following is not a real-world example, but it
confirms module is working. Great job!
[root@ws /home/melifaro/ng]# make
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
touch opt_netgraph.h
cc -O2 -fno-strict-aliasing -pipe -g -Werror -D_KERNEL -DKLD_MODULE
-nostdinc -I- -I/usr/home/melifaro/ng -I. -I@ -I@/contrib/altq
-finline-limit=8000 --param inline-unit-growth=100 --param
large-function-growth=1000 -fno-common -mno-align-long-strings
-mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2
-mno-sse3 -ffreestanding -Wall -Wredundant-decls -Wnested-externs
-Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline
-Wcast-qual -Wundef -fformat-extensions -std=c99 -c ng_tag.c
ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o
touch export_syms
awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J%
objcopy % ng_tag.kld
ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld
objcopy --strip-debug ng_tag.ko
[root@ws /home/melifaro/ng]# make load
/sbin/kldload -v /usr/home/melifaro/ng/ng_tag.ko
Loaded /usr/home/melifaro/ng/ng_tag.ko, id=14
[root@ws /usr/home/melifaro/ng]# sysctl -w net.inet.ip.fw.one_pass=0
net.inet.ip.fw.one_pass: 1 -> 0
[root@ws /home/melifaro/ng]# ngctl mkpeer ipfw: bpf 41 ipfw
[root@ws /home/melifaro/ng]# ngctl name ipfw:41 dcbpf
[root@ws /home/melifaro/ng]# ngctl mkpeer dcbpf: tag matched th1
[root@ws /home/melifaro/ng]# ngctl name dcbpf:matched ngdc
root@ws /usr/home/melifaro/ng]#
[root@ws /home/melifaro/ng]# ngctl msg ngdc: sethookin {
thisHook=\"th1\" ifNotMatch=\"th1\" }
[root@ws /home/melifaro/ng]# ngctl msg ngdc: sethookout {
thisHook=\"th1\" tag_cookie=1148380143 tag_id=412 }
root@ws /usr/home/melifaro/ng]#
[root@ws /home/melifaro/ng]# ngctl msg dcbpf: setprogram '{
thisHook="matched" ifMatch="ipfw" bpf_prog_len=1 bpf_prog=[ { code=6
k=8192 } ] }'
root@ws /usr/home/melifaro/ng]#
; Matching part now, generated by script from ng_bpf(4) man page
; We are trying to tag all packets with dst port = 8888
; link layer is cut, so offset is 20 + 2
[root@ws /usr/home/melifaro/ng]# head -n 5 bpf.script
PATTERN="ether[22:2]=8888"
NODEPATH="dcbpf:"
INHOOK="ipfw"
MATCHHOOK="matched"
NOTMATCHHOOK="ipfw"
root@ws /usr/home/melifaro/ng]# ./bpf.script
root@ws /usr/home/melifaro/ng]#
[root@ws /usr/home/melifaro/ng]# ipfw add 100 netgraph 41 tcp from me to
1.2.3.4 8888
00100 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
[root@ws /usr/home/melifaro/ng]# ipfw add 110 reset tcp from any to any
tagged 412
00110 reset tcp from any to any tagged 412
[root@ws /usr/home/melifaro/ng]#
[root@ws /usr/home/melifaro/ng]# telnet 1.2.3.4 8888
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
[root@ws /usr/home/melifaro/ng]# ipfw show 100-110
00100 1 64 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
00110 1 64 reset tcp from any to any tagged 412
Vadim Goncharov wrote:
> Hello All!
>
> I wrote new netgraph(4) node, called ng_tag, able to match packets by
> their mbuf_tags(9) and assign new tags to mbufs. This can be used for
> many things in the kernel network subsystem, but particularly useful
> with recently added ipfw(8) tag/tagged functionality (will be MFCed to
> RELENG_6 after Jun 24).
>
> With this node, in conjunction with ng_bpf(4), I was able to match and
> block (perhaps shaping is also possible, but this relies solely on ipfw)
> DirectConnect P2P data connections traffic - you know, they're using
> random ports, so you can't match them with usual firewall rules and must
> check data payload contents of the packets. See man page for example of
> how to do this.
>
> Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
> Then do:
>
> make
> kldload ./ng_tag.ko
>
> Man page can be viewed as:
>
> cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \
> -Tascii | /usr/bin/col | more -s
>
> Please especially test tags with non-zero tag_len, if you can (though it's
> not needed for ipfw).
>
> P.S. BTW, what is correct subject prefix for new contributions? I think
> [PATCH] is not correct as these are new files, not patch :)
>
> --WBR, Vadim Goncharov
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?448DE088.8070700>