From: "Vasenin Alexander aka BlackSir"
To: "Gleb Smirnoff", "Julian Elischer"
Date: Mon, 23 Feb 2004 22:32:42 +0300
In-Reply-To: <20040223104322.GA69982@cell.sick.ru>
Cc: freebsd-isp@freebsd.org, "Bjoern A. Zeeb", freebsd-net@freebsd.org
Subject: RE: ng_netflow: testers are welcome

YES! IT WORKS!

All I needed was to create a ksocket with an inet/rawip/divert hook connected to the ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert), then "msg netflow: setdlt { iface=0 dlt=12 }" (raw IP instead of Ethernet), then "msg divert: bind inet/0.0.0.0:8888". After all that, add the ipfw rule "tee 8888 ip from any to any in" (one may need "via $oif") instead of the final allow (or, better, before it).

But there is a bug in "ipfw tee" - packets are always immediately accepted instead of continuing through the ruleset, so tee must be the last rule (so ng_netflow never sees packets that are denied by ipfw before the tee rule). Maybe there is a way to use 'divert'? I've tried - packets go to the divert socket, then ng_netflow... and never come back... Actually I don't quite understand the mechanism of returning from divert - ng_ksocket has only one hook...

Great thanks to Julian & Gleb & all who helped!

2Gleb: It would be a pleasure for me to write a little example based on our discussion for the README if you need.

Vasenin Alexander aka BlackSir

> -----Original Message-----
> From: owner-freebsd-isp@freebsd.org
> [mailto:owner-freebsd-isp@freebsd.org]On Behalf Of Gleb Smirnoff
> Sent: Monday, February 23, 2004 1:43 PM
> To: Julian Elischer
> Cc: freebsd-isp@freebsd.org; Bjoern A. Zeeb; Vasenin Alexander aka
> BlackSir; freebsd-net@freebsd.org
> Subject: Re: ng_netflow: testers are welcome
>
> On Sun, Feb 22, 2004 at 03:17:38PM -0800, Julian Elischer wrote:
> J> you can open a divert socket as a netgraph node by opening a ksocket
> J> node with protocol 'divert'.
>
> Really one can use "ipfw tee" to pass demasqueraded traffic to
> ng_netflow.
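
Added example, not part of the original message or of ng_netflow: a shell audit for the rule-ordering caveat in the message above, assuming "ipfw tee" behaves as reported there (a packet matching the tee rule is accepted at that rule). The function names audit_tee and sample_ruleset and the ruleset itself are constructed for illustration; input is `ipfw list`-style text on stdin.

```sh
#!/bin/sh
# Added example. Audits `ipfw list`-style text for the tee ordering caveat.

# sample_ruleset: constructed rules for illustration, not from a real host.
sample_ruleset() {
    cat <<'EOF'
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny tcp from any to any dst-port 135-139
01000 tee 8888 ip from any to any in
01100 deny ip from 10.0.0.0/8 to any in via em0
01200 allow ip from any to any
65535 deny ip from any to any
EOF
}

# audit_tee: reads rules on stdin, prints findings, returns 1 if a deny-type
# rule sits after the first tee rule (assumption: tee accepts on match).
audit_tee() {
    awk '
    $1 !~ /^[0-9]+$/ { next }            # ignore lines that are not rules
    {
        num = $1 + 0; act = $2
        denies = (act == "deny" || act == "reject" || act == "reset" || act == "unreach")
        if (!tee_seen && act == "tee") { tee_seen = 1; tee_num = num; next }
        if (!tee_seen && denies) { pre++; next }
        # 65535 is the built-in default rule; it always comes last.
        if (tee_seen && denies && num != 65535) {
            printf "rule %05d (%s) follows tee rule %05d: skipped for teed packets\n", num, act, tee_num
            bad = 1
        }
    }
    END {
        if (tee_seen && pre > 0)
            printf "info: %d deny-type rule(s) precede tee rule %05d; packets they drop are never exported\n", pre, tee_num
        exit (bad ? 1 : 0)
    }'
}

# Stand-alone demo on the constructed ruleset.
sample_ruleset | audit_tee || true
```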