From owner-freebsd-net@FreeBSD.ORG Mon Jun 12 21:45:48 2006 Return-Path: X-Original-To: freebsd-net@freebsd.org Delivered-To: freebsd-net@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E95F16A46F; Mon, 12 Jun 2006 21:45:48 +0000 (UTC) (envelope-from melifaro@su29.net) Received: from fxng.vds.in (fxng.vds.in [217.199.221.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id A005343D45; Mon, 12 Jun 2006 21:45:47 +0000 (GMT) (envelope-from melifaro@su29.net) Received: from [10.0.0.5] (ppp83-237-7-77.pppoe.mtu-net.ru [83.237.7.77]) by fxng.vds.in (Postfix) with ESMTP id 06A185C36; Tue, 13 Jun 2006 01:46:29 +0400 (MSD) Message-ID: <448DE088.8070700@su29.net> Date: Tue, 13 Jun 2006 01:45:44 +0400 From: "Alexander V. Chernikov" User-Agent: Thunderbird 1.5 (X11/20060330) MIME-Version: 1.0 To: Vadim Goncharov References: In-Reply-To: Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 7bit Cc: "freebsd-net@freebsd.org" , "freebsd-current@freebsd.org" Subject: Re: [PATCH] ng_tag - new netgraph node, please test (L7 filtering possibility) X-BeenThere: freebsd-net@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Networking and TCP/IP with FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Jun 2006 21:45:48 -0000 Hi, I have recent 7.0-current and this node seems to work for me. Node code compiles and loads into kernel without any problems. After some time experimenting with ng_bpf(4) i was able to tag packets matched by bpf filter. Of course, the following is not a real-world example, but it confirms module is working. Great job! [root@ws /home/melifaro/ng]# make @ -> /usr/src/sys machine -> /usr/src/sys/i386/include touch opt_netgraph.h cc -O2 -fno-strict-aliasing -pipe -g -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I- -I/usr/home/melifaro/ng -I. -I@ -I@/contrib/altq -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-common -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -fformat-extensions -std=c99 -c ng_tag.c ld -d -warn-common -r -d -o ng_tag.kld ng_tag.o touch export_syms awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J% objcopy % ng_tag.kld ld -Bshareable -d -warn-common -o ng_tag.ko ng_tag.kld objcopy --strip-debug ng_tag.ko [root@ws /home/melifaro/ng]# make load /sbin/kldload -v /usr/home/melifaro/ng/ng_tag.ko Loaded /usr/home/melifaro/ng/ng_tag.ko, id=14 [root@ws /usr/home/melifaro/ng]# sysctl -w net.inet.ip.fw.one_pass=0 net.inet.ip.fw.one_pass: 1 -> 0 [root@ws /home/melifaro/ng]# ngctl mkpeer ipfw: bpf 41 ipfw [root@ws /home/melifaro/ng]# ngctl name ipfw:41 dcbpf [root@ws /home/melifaro/ng]# ngctl mkpeer dcbpf: tag matched th1 [root@ws /home/melifaro/ng]# ngctl name dcbpf:matched ngdc root@ws /usr/home/melifaro/ng]# [root@ws /home/melifaro/ng]# ngctl msg ngdc: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" } [root@ws /home/melifaro/ng]# ngctl msg ngdc: sethookout { thisHook=\"th1\" tag_cookie=1148380143 tag_id=412 } root@ws /usr/home/melifaro/ng]# [root@ws /home/melifaro/ng]# ngctl msg dcbpf: setprogram '{ thisHook="matched" ifMatch="ipfw" bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }' root@ws /usr/home/melifaro/ng]# ; Matching part now, generated by script from ng_bpf(4) man page ; We are trying to tag all packets with dst port = 8888 ; link layer is cut, so offset is 20 + 2 [root@ws /usr/home/melifaro/ng]# head -n 5 bpf.script PATTERN="ether[22:2]=8888" NODEPATH="dcbpf:" INHOOK="ipfw" MATCHHOOK="matched" NOTMATCHHOOK="ipfw" root@ws /usr/home/melifaro/ng]# ./bpf.script root@ws /usr/home/melifaro/ng]# [root@ws /usr/home/melifaro/ng]# ipfw add 100 netgraph 41 tcp from me to 1.2.3.4 8888 00100 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888 [root@ws /usr/home/melifaro/ng]# ipfw add 110 reset tcp from any to any tagged 412 00110 reset tcp from any to any tagged 412 [root@ws /usr/home/melifaro/ng]# [root@ws /usr/home/melifaro/ng]# telnet 1.2.3.4 8888 Trying 1.2.3.4... telnet: connect to address 1.2.3.4: Connection refused telnet: Unable to connect to remote host [root@ws /usr/home/melifaro/ng]# ipfw show 100-110 00100 1 64 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888 00110 1 64 reset tcp from any to any tagged 412 Vadim Goncharov wrote: > Hello All! > > I wrote new netgraph(4) node, called ng_tag, able to match packets by > their mbuf_tags(9) and assign new tags to mbufs. This can be used for > many things in the kernel network subsystem, but particularly useful > with recently added ipfw(8) tag/tagged functionality (will be MFCed to > RELENG_6 after Jun 24). > > With this node, in conjunction with ng_bpf(4), I was able to match and > block (perhaps shaping is also possible, but this relies solely on ipfw) > DirectConnect P2P data connections traffic - you know, they're using > random ports, so you can't match them with usual firewall rules and must > check data payload contents of the packets. See man page for example of > how to do this. > > Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/ > Then do: > > make > kldload ./ng_tag.ko > > Man page can be viewed as: > > cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \ > -Tascii | /usr/bin/col | more -s > > Please especially test tags with non-zero tag_len, if you can (though it's > not needed for ipfw). > > P.S. BTW, what is correct subject prefix for new contributions? I think > [PATCH] is not correct as these are new files, not patch :) > > --WBR, Vadim Goncharov > _______________________________________________ > freebsd-net@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-net > To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org" >