From owner-freebsd-net  Mon Mar 27 21: 9:16 2000
Delivered-To: freebsd-net@freebsd.org
Received: from rose.niw.com.au (app3022-2.gw.connect.com.au [203.63.119.4])
	by hub.freebsd.org (Postfix) with ESMTP id EACA637BA08
	for <freebsd-net@freebsd.org>; Mon, 27 Mar 2000 21:09:10 -0800 (PST)
	(envelope-from ian@niw.com.au)
Received: by rose.niw.com.au (Postfix, from userid 1000)
	id 8AB3C62D12; Tue, 28 Mar 2000 14:39:00 +0930 (CST)
Date: Tue, 28 Mar 2000 14:39:00 +0930
From: Ian West <ian@niw.com.au>
To: Ian West <freebsd-net@freebsd.org>
Subject: Re: ipfw tee
Message-ID: <20000328143900.L78585@rose.niw.com.au>
References: <20000328123243.I78585@rose.niw.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20000328123243.I78585@rose.niw.com.au>; from ian@niw.com.au on Tue, Mar 28, 2000 at 12:32:43PM +0930
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

To add to previous, after a bit more testing, the following patch fixes
an issue where the ipfw rule number was not passed through to recvfrom
call in client. I now have a consumer of tee'd packets running, and it
still seems to be working without any problems. I have not yet tried
this in an environment with a real divert (say for nat) working yet.

Index: ip_fw.c
=========================================================================
RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
retrieving revision 1.132
diff -u -r1.132 ip_fw.c
--- ip_fw.c     2000/03/14 14:11:53     1.132
+++ ip_fw.c     2000/03/28 05:05:35
@@ -1278,8 +1278,20 @@
                        *cookie = f->fw_number;
                        return(f->fw_divert_port);
                case IP_FW_F_TEE:
-                       *cookie = f->fw_number;
-                       return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
+                       {
+                               struct mbuf *clone;
+                               struct ip *cip;
+                               u_int16_t divert_cookie;
+                               divert_cookie=ip_divert_cookie;
+                               ip_divert_cookie = f->fw_number;
+                               clone=m_dup(*m, M_DONTWAIT);
+                               cip = mtod(clone, struct ip *);
+                               HTONS(cip->ip_len);
+                               HTONS(cip->ip_off);
+                               divert_packet(clone,0,f->fw_divert_port);
+                               ip_divert_cookie=divert_cookie;
+                       }
+                       continue;
 #endif
                case IP_FW_F_SKIPTO: /* XXX check */
                        if ( f->next_rule_ptr )

=========================================================================
On Tue, Mar 28, 2000 at 12:32:43PM +0930, Ian West wrote:
> Hi, I have been looking at ipfw tee operation, specifically to see if I
> can make it tee to a divert socket without terminating. I would like to
> use this for logging traffic with more detail as to source and
> destination addresses without running through and processing syslog
> files :-).
> 
> My though is to be able to tee traffic outbound prior to nat, and inbound
> after nat so that I can see the real source and dest addresses.
> 
> It seems from a couple of hours (minimal) looking at it that by 'teeing'
> in the ip_fw_chk itself, we can just 'continue' as per count, and all
> works well. I have tested this briefly, and it doesn;t seem to kill
> anything. Can anyone point me at other important things to look at ?
> 
> vmstat -m does not show any mbuf's going missing. netstat -m shows no
> slow increase. Everything still seems to work :-)
> 
> Output from ipfw -a l on the box I am testing with..
> 
> 01000 110270 149841377 tee 12345 ip from any to any
> 65000 110270 149841377 allow ip from any to any
> 65535      0         0 deny ip from any to any
> 
> This suggests that it is doing roughly what I want, although I have not
> hooked anything onto the divert socket so I cannot say for sure.
> 
> Is what I am doing valid ? (close ?)
> 
> The diff that I have been testing with is below..
> 
> Index: ip_fw.c
> ===================================================================
> RCS file: /cvs/freebsd/src/sys/netinet/ip_fw.c,v
> retrieving revision 1.132
> diff -u -r1.132 ip_fw.c
> --- ip_fw.c     2000/03/14 14:11:53     1.132
> +++ ip_fw.c     2000/03/28 02:39:16
> @@ -1278,8 +1278,17 @@
>                         *cookie = f->fw_number;
>                         return(f->fw_divert_port);
>                 case IP_FW_F_TEE:
> -                       *cookie = f->fw_number;
> -                       return(f->fw_divert_port | IP_FW_PORT_TEE_FLAG);
> +                       {
> +                               struct mbuf *clone;
> +                               struct ip *cip;
> +                               *cookie = f->fw_number;
> +                               clone=m_dup(*m, M_DONTWAIT);
> +                               cip = mtod(clone, struct ip *);
> +                               HTONS(cip->ip_len);
> +                               HTONS(cip->ip_off);
> +                               divert_packet(clone,0,f->fw_divert_port);
> +                       }
> +                       continue;
>  #endif
>                 case IP_FW_F_SKIPTO: /* XXX check */
>                         if ( f->next_rule_ptr )
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message