From: Gleb Smirnoff
To: current@freebsd.org, net@freebsd.org
Date: Mon, 17 Jan 2005 23:06:10 +0300
Message-ID: <20050117200610.GA90866@cell.sick.ru>
Subject: [TEST/REVIEW] ng_ipfw: node to glue together ipfw(4) and netgraph(4)

Dear colleagues,

here is quite a simple node for direct interaction between ipfw(4) and
netgraph(4). It is going to be more effective and error-prone than a
complicated construction around divert socket and ng_ksocket [1].

The semantics of node operation are quite simple. There is one node per
system, which accepts any hooks with numeric names. Packets can be sent to
netgraph(4) using the ipfw 'netgraph' action, followed by a numeric cookie.
Matched packets are sent out from the corresponding hook of the ng_ipfw node.
These packets are tagged with information which helps them later to reenter
ipfw processing.

Tagged packets received on any node hook reenter the IP stack. If the
net.inet.ip.fw.one_pass sysctl is non-zero they are accepted, otherwise they
continue with the next rule. Non-tagged packets (not originating from the
ng_ipfw node) are discarded.

Here is a sample configuration. ng_echo(4) echoes packets back from netgraph
to ipfw through a tee node, which allows sniffing the traffic.

ngctl
+ ls
There are 4 total nodes:
  Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Name: <unnamed>       Type: echo            ID: 00000006   Num hooks: 1
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
+ show ipfw:
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Local hook      Peer name       Peer type       Peer ID         Peer hook
  ----------      ---------       ---------       -------         ---------
  666             tee             tee             00000005        left
+ show tee:
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
  Local hook      Peer name       Peer type       Peer ID         Peer hook
  ----------      ---------       ---------       -------         ---------
  left            ipfw            ipfw            00000009        666
  right           <unnamed>       echo            00000006        echi

root@jujik:/usr/src:|>ipfw show
00100    292      40304 allow ip from any to any via lo0
00200      0          0 deny ip from any to 127.0.0.0/8
00300      0          0 deny ip from 127.0.0.0/8 to any
00350 290730  661428793 netgraph 666 ip from any to any
65000 627921 1896034399 allow ip from any to any
65535      0          0 deny ip from any to any

The patch [2] is applicable only to HEAD, sorry.

The target users are the ones who are now running ip_accounting/netflow
using a diverted ng_ksocket, and just netgraph geeks.

Any kind of feedback is welcome via email with cc: net@.

[1] http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg03199.html
[2] http://people.freebsd.org/~glebius/totest/ng_ipfw.patch

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
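The post shows the resulting graph and rule set but not the commands that build them. The following is an added example, not part of the original mail or of the ng_ipfw patch: two small sh(1) functions that emit the ngctl(8) script wiring hook <cookie> of the ipfw node to a tee node and the tee's right side to an ng_echo node, plus the matching ipfw(8) rule. It assumes the ng_ipfw module is already loaded and has created the single "ipfw:" node, and that the echo-side hook name ("echi", as in the post) is arbitrary. Because ng_ipfw accepts only numerically named hooks, the cookie is validated before anything is printed.

```shell
#!/bin/sh
# Added example (not from the original post or the ng_ipfw patch).
# Emits the commands that build the graph shown above:
#   ipfw:<cookie> -> tee:left, tee:right -> echo:echi
# Assumption: the ng_ipfw module is loaded and the "ipfw:" node exists.

# ng_ipfw only accepts hooks with numeric names; reject anything else.
is_numeric() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print an ngctl(8) script wiring cookie $1 through a tee node named $2
# (default "tee"). Feed the output to: ngctl -f -
ng_ipfw_wire() {
    cookie=$1
    teename=${2:-tee}
    is_numeric "$cookie" || { echo "cookie must be numeric: $cookie" >&2; return 1; }
    # create the tee, attaching its "left" hook to ipfw:<cookie>
    printf 'mkpeer ipfw: tee %s left\n' "$cookie"
    # give the new tee a name so it can be addressed later
    printf 'name ipfw:%s %s\n' "$cookie" "$teename"
    # hang an ng_echo node off the tee's "right" hook; "echi" is the echo-side hook
    printf 'mkpeer %s: echo right echi\n' "$teename"
}

# Print the ipfw rule (number $2, default 350) that hands matching packets
# to hook $1 of the ipfw node; run it with: ipfw_rule 666 | sh
ipfw_rule() {
    cookie=$1
    rulenum=${2:-350}
    is_numeric "$cookie" || { echo "cookie must be numeric: $cookie" >&2; return 1; }
    printf 'ipfw add %s netgraph %s ip from any to any\n' "$rulenum" "$cookie"
}

# Usage on the target box (dry run: drop the pipes to just inspect the commands):
#   ng_ipfw_wire 666 | ngctl -f -
#   ipfw_rule 666 | sh
#   sysctl net.inet.ip.fw.one_pass=0   # returning packets continue with the next rule
```

With one_pass set to 0, packets echoed back from netgraph fall through to the rule after 350 (here 65000, allow), which is the path the counters in the post reflect; setting it to 1 accepts them immediately on reentry.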