From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Julian Elischer
Cc: Vasenin Alexander aka BlackSir, "Bjoern A. Zeeb", freebsd-isp@freebsd.org, freebsd-net@freebsd.org
Date: Wed, 10 Mar 2004 22:16:57 +0300
Subject: Re: ng_netflow: testers are welcome
Message-ID: <20040310191657.GB81980@cell.sick.ru>

On Mon, Feb 23, 2004 at 03:47:55PM -0800, Julian Elischer wrote:
J> > All I need is just to create a ksocket with inet/rawip/divert hook connected to
J> > the ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert),
J> > then "msg netflow: setdlt { iface=0 dlt=12 }" (raw IP instead of ethernet),
J> > then "msg divert: bind inet/0.0.0.0:8888". And after all add the ipfw rule "tee
J> > 8888 ip from any to any in" (one may need "via $oif") instead of the final allow
J> > (or, better, before it).
<==skip==>
J> This used to work but I have not tried it for some time
J> and it may have been broken in ipfw2, as I never tested it..
J> natd is supposed to do this.. Since you can not do a "sendto()"
J> in netgraph, you have to have done a "connect" on the socket
J> to set the port number ahead of time..
J>
J> Other things are also in the sockaddr..
J> in the 8 "unused" bytes of the sockaddr we "hide" the incoming interface
J> name (for example). netgraph cannot change that but it should not need
J> this as it has the actual mbufs and can just set the iface pointer in
J> the packet header.. (assuming divert doesn't clear it..
J> once again, you'll need to look at the code).

I have finally tried this out on CURRENT. Everything works fine as expected:
ng_ksocket in divert mode reinjects packets back into the proper firewall rule,
netflow collects info about demasqueraded IPs... OK.
Here is my config:

netgraph:

    mkpeer tee dummy right2left
    name .:dummy divert_tee_in
    mkpeer divert_tee_in: echo right echo
    mkpeer divert_tee_in: ksocket left inet/raw/divert
    name divert_tee_in:left divert_sock_in
    msg divert_sock_in: bind inet/0.0.0.0:8669
    disconnect dummy
    mkpeer divert_tee_in: netflow left2right iface0
    name divert_tee_in:left2right netflow
    msg netflow: setdlt { iface=0 dlt=12 }
    msg netflow: setifindex { iface=0 index=6 }
    mkpeer netflow: ksocket export inet/dgram/udp
    msg netflow:export connect inet/127.0.0.1:4444

ipfw:

    00200 divert 8668 ip from any to any in via ${nat_if}
    00201 divert 8669 ip from any to any in via ${nat_if}
    .... some other stuff
    00600 divert 8668 ip from any to any out via ${nat_if}

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
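The layout Gleb posts above, as an added shell example that is not part of his message or of FreeBSD's own tooling. It generates the netgraph commands as an ngctl(8) script and the three ipfw rules from parameters, and adds the check a practitioner wants before trusting the flow records: that the inbound netflow divert (port 8669) is numbered after the inbound natd divert (port 8668), since the netgraph divert socket reinjects into the rule following the one that diverted the packet, and only that ordering lets ng_netflow see demasqueraded addresses. The function names, the interface em0 and the sample `ipfw list` output are my own constructions; rule numbers, ports, ifindex 6 and the collector address are taken from the posted config.

```shell
#!/bin/sh
# Added example, not from Gleb's mail. Reproduces the posted setup (natd on
# divert 8668, ng_netflow behind an ng_ksocket divert socket on 8669, export
# over UDP) as script generators plus an ipfw rule-order check. The interface,
# function names and the sample ipfw output are assumptions for illustration.

# Emit the netgraph commands as an ngctl(8) script for `ngctl -f <file>`.
# $1 = ifindex of the NAT interface, $2 = divert port bound by the ksocket,
# $3 = collector as host:port.
ng_netflow_script() {
    ifindex=$1; dport=$2; collector=$3
    cat <<EOF
mkpeer tee dummy right2left
name .:dummy divert_tee_in
mkpeer divert_tee_in: echo right echo
mkpeer divert_tee_in: ksocket left inet/raw/divert
name divert_tee_in:left divert_sock_in
msg divert_sock_in: bind inet/0.0.0.0:${dport}
disconnect dummy
mkpeer divert_tee_in: netflow left2right iface0
name divert_tee_in:left2right netflow
msg netflow: setdlt { iface=0 dlt=12 }
msg netflow: setifindex { iface=0 index=${ifindex} }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/${collector}
EOF
}

# Emit the ipfw rules. $1 = NAT interface, $2 = natd port, $3 = netflow port.
# The inbound netflow divert is numbered one above the inbound natd divert so
# that the packet natd reinjects at 00201 is the already-demasqueraded one.
ipfw_rules() {
    printf '00200 divert %s ip from any to any in via %s\n' "$2" "$1"
    printf '00201 divert %s ip from any to any in via %s\n' "$3" "$1"
    printf '00600 divert %s ip from any to any out via %s\n' "$2" "$1"
}

# Print the number of the first inbound "divert <port>" rule in `ipfw list`
# output $1 for port $2 (nothing if there is none). Leading zeros are dropped.
inbound_divert_rule() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $2 == "divert" && $3 == p {
            for (i = 4; i <= NF; i++) if ($i == "in") { print $1 + 0; exit }
        }'
}

# Return 0 when the inbound natd divert (port $2) precedes the inbound netflow
# divert (port $3) in `ipfw list` output $1. Return 1 when either rule is
# missing or the order is reversed; reversed order would make ng_netflow
# record the masqueraded (public) address instead of the inside host.
check_divert_order() {
    nat_rule=$(inbound_divert_rule "$1" "$2")
    nf_rule=$(inbound_divert_rule "$1" "$3")
    [ -n "$nat_rule" ] && [ -n "$nf_rule" ] || return 1
    [ "$nat_rule" -lt "$nf_rule" ]
}

# Constructed `ipfw list` output in the shape of the posted rule set on em0.
SAMPLE_IPFW_LIST='00100 allow ip from any to any via lo0
00200 divert 8668 ip from any to any in via em0
00201 divert 8669 ip from any to any in via em0
00300 allow tcp from any to any established
00600 divert 8668 ip from any to any out via em0
65535 deny ip from any to any'

# `sh thisfile demo` prints both scripts and checks the sample rule order.
if [ "${1:-}" = "demo" ]; then
    ng_netflow_script 6 8669 127.0.0.1:4444
    ipfw_rules em0 8668 8669
    check_divert_order "$SAMPLE_IPFW_LIST" 8668 8669 && echo "divert order ok"
fi
```

On a real box, write `ng_netflow_script 6 8669 127.0.0.1:4444` to a file and feed it to `ngctl -f` as root with the ng_netflow, ng_ksocket, ng_tee and ng_echo modules loaded, substitute the ifindex your NAT interface actually has, and run `check_divert_order "$(ipfw list)" 8668 8669` after loading the rules; a non-zero exit means the netflow divert is missing from the inbound path or sits before the natd divert.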