From: Jeremie Le Hen
To: "Andrey V. Elsukov"
Cc: freebsd-net@freebsd.org, Julian Elischer, freebsd-ipfw@freebsd.org
Date: Wed, 21 Jun 2006 11:41:04 +0200
Subject: Re: [fbsd] [patch] ipfw packet tagging
Message-ID: <20060621094104.GB7019@obiwan.tataz.chchile.org>
In-Reply-To: <44618B0A.60504@yandex.ru>

Hi Andrey,

On Wed, May 10, 2006 at 10:41:14AM +0400, Andrey V. Elsukov wrote:
> Hi, All!
>
> I have written a small patch for packet
> tagging with ipfw.
>
> The description of OpenBSD packet tagging is here:
> http://www.openbsd.org/faq/pf/tagging.html
>
> IPFW tags are not compatible with PF tags.
>
> This feature can be usable with some netgraph modules.
> We can create a netgraph node that marks packets with some tags
> and use this node with other nodes. IPFW can detect and filter
> packets with tags.
>
> Also we can mark packets before NAT and detect tagged packets
> after translation.
> NAT based on divert sockets does not allow this, but I think
> ng_nat can.
>
> Patches can be found here:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Looking at the patch lets me see that you are using the generic mbuf
tags. This means the tag should be available along the packet's trip
through the kernel. Would it be possible to slightly modify the routing
code in order to make those tags a routing criterion?

Julian Elischer also has a neat patch that modifies the ipfw table but
he hasn't provided it so far [1].

[1] http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010563.html

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >