Date: Tue, 28 Mar 2000 12:32:43 +0930
From: Ian West <ian@niw.com.au>
To: freebsd-net@freebsd.org
Subject: ipfw tee
Message-ID: <20000328123243.I78585@rose.niw.com.au>
Hi, I have been looking at ipfw tee operation, specifically to see if I
can make it tee to a divert socket without terminating. I would like to
use this for logging traffic with more detail as to source and
destination addresses without running through and processing syslog
files :-).
My thought is to be able to tee traffic outbound prior to nat, and inbound
after nat so that I can see the real source and dest addresses.
It seems from a couple of hours (minimal) looking at it that by 'teeing'
in the ip_fw_chk itself, we can just 'continue' as per count, and all
works well. I have tested this briefly, and it doesn't seem to kill
anything. Can anyone point me at other important things to look at ?
vmstat -m does not show any mbuf's going missing. netstat -m shows no
slow increase. Everything still seems to work :-)
Output from ipfw -a l on the box I am testing with..
01000 110270 149841377 tee 12345 ip from any to any
65000 110270 149841377 allow ip from any to any
65535 0 0 deny ip from any to any
This suggests that it is doing roughly what I want, although I have not
hooked anything onto the divert socket so I cannot say for sure.
Is what I am doing valid ? (close ?)
The diff that I have been testing with is below..
Index: ip_fw.c
===================================================================
RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
retrieving revision 1.132
diff -u -r1.132 ip_fw.c
--- ip_fw.c 2000/03/14 14:11:53 1.132
+++ ip_fw.c 2000/03/28 02:39:16
@@ -1278,8 +1278,17 @@
*cookie = f->fw_number;
return(f->fw_divert_port);
case IP_FW_F_TEE:
- *cookie = f->fw_number;
- return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
+ {
+ struct mbuf *clone;
+ struct ip *cip;
+ *cookie = f->fw_number;
+ clone=m_dup(*m, M_DONTWAIT);
+ cip = mtod(clone, struct ip *);
+ HTONS(cip->ip_len);
+ HTONS(cip->ip_off);
+ divert_packet(clone,0,f->fw_divert_port);
+ }
+ continue;
#endif
case IP_FW_F_SKIPTO: /* XXX check */
if ( f->next_rule_ptr )
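Review bot: The result of m_dup(*m, M_DONTWAIT) in the new IP_FW_F_TEE block is dereferenced without a NULL check. With M_DONTWAIT the allocation can fail under mbuf pressure, and the following `cip = mtod(clone, struct ip *);` and the two HTONS() calls would then operate on a NULL pointer inside the firewall path. Suggest wrapping the mtod/HTONS/divert_packet lines in `if (clone != NULL)` so that a failed copy just skips the tee and the rule still falls through to `continue`. A short comment on why ip_len and ip_off are byte-swapped on the clone before divert_packet() would also help the next reader.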
