From owner-freebsd-net@FreeBSD.ORG Tue Feb 8 19:40:16 2011
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id F2ADE106566C
	for ; Tue, 8 Feb 2011 19:40:16 +0000 (UTC)
	(envelope-from sem@FreeBSD.org)
Received: from sunner.semmy.ru (sunner.semmy.ru [IPv6:2a00:14d0:0:20::3])
	by mx1.freebsd.org (Postfix) with ESMTP id AA2EB8FC22
	for ; Tue, 8 Feb 2011 19:40:16 +0000 (UTC)
Received: from dhcp170-205-red.yandex.net ([95.108.170.205])
	by sunner.semmy.ru with esmtpsa (TLSv1:CAMELLIA256-SHA:256)
	(Exim 4.74 (FreeBSD)) (envelope-from )
	id 1PmtQ7-0005jt-BR; Tue, 08 Feb 2011 22:40:15 +0300
Message-ID: <4D519C1F.9020205@FreeBSD.org>
Date: Tue, 08 Feb 2011 22:40:15 +0300
From: Sergey Matveychuk
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7
MIME-Version: 1.0
To: Rozhuk.IM@gmail.com
References: <4D4DCD1E.1050906@freebsd.org> <4D4DFC95.9010804@freebsd.org>
	<4D501198.6090901@FreeBSD.org> <4d516a6a.8937e30a.0996.2f26@mx.google.com>
	<4D51750A.3070303@FreeBSD.org> <4d518fba.26ead80a.02ff.1058@mx.google.com>
In-Reply-To: <4d518fba.26ead80a.02ff.1058@mx.google.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: freebsd-net@freebsd.org
Subject: Re: divert rewrite
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Feb 2011 19:40:17 -0000

08.02.2011 21:47, rozhuk.im@gmail.com wrote:
>> -----Original Message-----
>> From: Sergey Matveychuk [mailto:sem@FreeBSD.org]
>> Sent: Wednesday, February 09, 2011 12:53 AM
>> To: Rozhuk.IM@gmail.com
>> Cc: freebsd-net@freebsd.org
>> Subject: Re: divert rewrite
>>
>> 08.02.2011 19:08, rozhuk.im@gmail.com wrote:
>>> Did you try ng_ether + ng_ksocket?
>>> It can translate Ethernet frames encapsulated to udp to user space receiver.
>>
>> The idea is to catch packets from firewall (ng_ipfw, ng_nat was mentioned
>> by mistake) and pass them to user space module that does some processing
>> and puts back the packets into firewall (for rules with `diverted'
>> keyword).
>>
>> It works now for IPv4 with `divert' and doesn't with IPv6.
>
> I know how divert works, google: uTPControl ;)
> It's simple for development, stable, but uses a lot of CPU.
>
> With ng_ether + ng_ksocket you can send custom Ethernet frames.
> There is some node that can filter traffic, for IPv6 you need to allow 1 or 2 ethernet types to pass.

I know. But I've written a module for use in conjunction with ipfw. It makes a decision by some criteria to pass traffic or to block it. Administrators in our nets decide what kind of traffic to pass to my module (mostly TCP SYN and a few UDP) in their firewalls. So conjunction with ipfw is the goal.