Date: Wed, 10 Mar 2004 22:16:57 +0300
From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Julian Elischer <julian@elischer.org>
Cc: freebsd-net@freebsd.org
Subject: Re: ng_netflow: testers are welcome
Message-ID: <20040310191657.GB81980@cell.sick.ru>
In-Reply-To: <Pine.BSF.4.21.0402231538140.67378-100000@InterJet.elischer.org>
References: <NKEJKOHEKMBIMCCEHEPKAECNCFAA.blacksir@number.ru> <Pine.BSF.4.21.0402231538140.67378-100000@InterJet.elischer.org>
On Mon, Feb 23, 2004 at 03:47:55PM -0800, Julian Elischer wrote:
J> > All I need is to create a ksocket with an inet/rawip/divert hook connected to
J> > the ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert),
J> > then "msg netflow: setdlt { iface=0 dlt=12 }" (raw IP instead of ethernet),
J> > then "msg divert: bind inet/0.0.0.0:8888". And after all, add the ipfw rule "tee
J> > 8888 ip from any to any in" (one may need "via $oif") instead of the final allow
J> > (or, better, before it).
<==skip==>
J> This used to work but I have not tried it for some time
J> and it may have been broken in ipfw2, as I never tested it..
J> natd is supposed to do this.. Since you can not do a "sendto()"
J> in netgraph, you have to have done a "connect" on the socket
J> to set the port number ahead of time..
J>
J> Other things are also in the sockaddr..
J> in the 8 "unused" bytes of the sockaddr we "hide" the incoming interface
J> name (for example). netgraph cannot change that but it should not need
J> this as it has the actual mbufs and can just set the iface pointer in
J> the packet header.. (assuming divert doesn't clear it..
J> once again, you'll need to look at the code).

I have finally tried this out on CURRENT. Everything works fine as expected:
ng_ksocket in divert mode reinjects packets back into the proper firewall
rule, and netflow collects info about demasqueraded IPs... OK.
Here is my config:

netgraph:

mkpeer tee dummy right2left
name .:dummy divert_tee_in
mkpeer divert_tee_in: echo right echo
mkpeer divert_tee_in: ksocket left inet/raw/divert
name divert_tee_in:left divert_sock_in
msg divert_sock_in: bind inet/0.0.0.0:8669
disconnect dummy
mkpeer divert_tee_in: netflow left2right iface0
name divert_tee_in:left2right netflow
msg netflow: setdlt { iface=0 dlt=12 }
msg netflow: setifindex { iface=0 index=6 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:4444

ipfw:

00200 divert 8668 ip from any to any in via ${nat_if}
00201 divert 8669 ip from any to any in via ${nat_if}
.... some other stuff
00600 divert 8668 ip from any to any out via ${nat_if}

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
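The export hook in the configuration above connects ng_netflow to a UDP collector on 127.0.0.1:4444, and ng_netflow emits NetFlow version 5 datagrams. The following is an added example, not code from the thread or from FreeBSD: a minimal, strict NetFlow v5 decoder of the kind such a collector would run, plus an encoder used only to construct sample input. The flow records, addresses and the use of interface index 6 (matching the setifindex message above) are constructed for illustration. It rejects datagrams whose version, record count or length disagree, which matters because the export is unauthenticated UDP and anything that can reach the collector port can send it bytes.

```python
"""NetFlow v5 decoder/encoder (added example; not part of ng_netflow)."""
import socket
import struct

# NetFlow v5 wire format: a 24-byte header followed by 1..30 48-byte records,
# all fields big-endian.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
NF5_MAX_RECORDS = 30
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dpkts",
                 "doctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")


def parse_netflow_v5(datagram):
    """Decode one datagram into (header dict, list of record dicts).

    Raises ValueError on anything that is not a well-formed v5 datagram:
    a collector must not index into a buffer based on an unchecked count."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("short header: %d bytes" % len(datagram))
    hdr = dict(zip(HEADER_FIELDS, NF5_HEADER.unpack_from(datagram, 0)))
    if hdr["version"] != 5:
        raise ValueError("not NetFlow v5: version %d" % hdr["version"])
    count = hdr["count"]
    if not 0 < count <= NF5_MAX_RECORDS:
        raise ValueError("bad record count %d" % count)
    expected = NF5_HEADER.size + count * NF5_RECORD.size
    if len(datagram) != expected:
        raise ValueError("length %d != %d implied by count %d"
                         % (len(datagram), expected, count))
    records = []
    for i in range(count):
        off = NF5_HEADER.size + i * NF5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, NF5_RECORD.unpack_from(datagram, off)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        records.append(rec)
    return hdr, records


def build_netflow_v5(flows, flow_sequence=0, sys_uptime=0, unix_secs=0):
    """Encode flows (list of dicts) as one v5 datagram.  Used here only to
    construct sample input; on a real box ng_netflow does the encoding."""
    if not 0 < len(flows) <= NF5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    out = bytearray(NF5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0,
                                    flow_sequence, 0, 0, 0))
    for f in flows:
        out += NF5_RECORD.pack(
            socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
            socket.inet_aton(f.get("nexthop", "0.0.0.0")),
            f.get("input", 0), f.get("output", 0),
            f["pkts"], f["octets"], f.get("first", 0), f.get("last", 0),
            f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["prot"],
            f.get("tos", 0), 0, 0, 0, 0, 0)
    return bytes(out)


def describe(rec):
    """One-line summary of a record, in the order a collector usually logs."""
    return "%s:%d -> %s:%d proto %d if%d pkts %d bytes %d" % (
        rec["srcaddr"], rec["srcport"], rec["dstaddr"], rec["dstport"],
        rec["prot"], rec["input"], rec["dpkts"], rec["doctets"])


# Constructed sample: one TCP connection seen in both directions behind NAT,
# with the de-masqueraded private address and input ifindex 6 (hypothetical).
SAMPLE_FLOWS = [
    {"src": "192.168.1.10", "dst": "198.51.100.7", "sport": 51234, "dport": 80,
     "prot": 6, "pkts": 12, "octets": 1532, "input": 6, "tcp_flags": 0x1b},
    {"src": "198.51.100.7", "dst": "192.168.1.10", "sport": 80, "dport": 51234,
     "prot": 6, "pkts": 10, "octets": 9870, "input": 6, "tcp_flags": 0x1b},
]
SAMPLE_DATAGRAM = build_netflow_v5(SAMPLE_FLOWS, flow_sequence=100)


if __name__ == "__main__":
    # Stand-alone use: listen where the export hook above connects to and
    # ignore anything that did not come from the local host.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 4444))
    while True:
        data, peer = sock.recvfrom(65535)
        if peer[0] != "127.0.0.1":
            continue
        try:
            hdr, recs = parse_netflow_v5(data)
        except ValueError as exc:
            print("dropped datagram from %s: %s" % (peer, exc))
            continue
        for rec in recs:
            print("seq %d: %s" % (hdr["flow_sequence"], describe(rec)))
```

Binding to 127.0.0.1 and checking the peer address matches the loopback export in the configuration above; a collector listening on a routable address should additionally restrict senders with a firewall rule, since NetFlow v5 carries no authentication.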
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20040310191657.GB81980>