Dear colleagues, here is quite a simple node for direct interaction between ipfw(4) and netgraph(4). It is going to be more effective and error-prone than a complicated construction around a divert socket and ng_ksocket [1].

The semantics of node operation are quite simple. There is one node per system, which accepts any hooks with numeric names. Packets can be sent to netgraph(4) using the ipfw 'netgraph' action, followed by a numeric cookie. Matched packets are sent out from the corresponding hook of the ng_ipfw node. These packets are tagged with information which helps them later to reenter ipfw processing. Tagged packets received on any node hook reenter the IP stack. If the net.inet.ip.fw.one_pass sysctl is non-zero they are accepted, otherwise they continue with the next rule. Non-tagged packets (not originating from the ng_ipfw node) are discarded.

Here is a sample configuration. ng_echo(4) echoes packets back from netgraph to ipfw through a tee node, which allows one to sniff the traffic.

  ngctl
  + ls
  There are 4 total nodes:
    Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
    Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
    Name: <unnamed>       Type: echo            ID: 00000006   Num hooks: 1
    Name: tee             Type: tee             ID: 00000005   Num hooks: 2
  + show ipfw:
    Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
    Local hook      Peer name       Peer type  Peer ID         Peer hook
    ----------      ---------       ---------  -------         ---------
    666             tee             tee        00000005        left
  + show tee:
    Name: tee             Type: tee             ID: 00000005   Num hooks: 2
    Local hook      Peer name       Peer type  Peer ID         Peer hook
    ----------      ---------       ---------  -------         ---------
    left            ipfw            ipfw       00000009        666
    right           <unnamed>       echo       00000006        echi

  root_at_jujik:/usr/src:|>ipfw show
  00100    292      40304 allow ip from any to any via lo0
  00200      0          0 deny ip from any to 127.0.0.0/8
  00300      0          0 deny ip from 127.0.0.0/8 to any
  00350 290730  661428793 netgraph 666 ip from any to any
  65000 627921 1896034399 allow ip from any to any
  65535      0          0 deny ip from any to any

The patch [2] is applicable only to HEAD, sorry.
The target users are the ones who are now running ip_accounting/netflow using a diverted ng_ksocket, and just netgraph geeks. Any kind of feedback is welcome via email with cc: net_at_.

[1] http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg03199.html
[2] http://people.freebsd.org/~glebius/totest/ng_ipfw.patch

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE

Received on Mon Jan 17 2005 - 19:06:14 UTC
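As an added example (not part of the post above nor of the ng_ipfw patch), a small sh function that builds the tee/echo configuration shown in the sample: cookie 666, rule 350 and the echo hook name "echi" come from the post, while the `run` dry-run switch, the rule-number argument and the 1..65535 cookie range check are assumptions made here.

```shell
#!/bin/sh
# Reproduce the ng_ipfw -> tee -> echo setup from the post.
# Third argument is a constructed dry-run switch: pass "echo" to print the
# commands instead of executing them (useful for review on a non-FreeBSD box).

# ng_ipfw hooks must have numeric names; the ipfw action argument is
# assumed here to be a 16-bit value, so accept only 1..65535.
ng_ipfw_valid_cookie() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

ng_ipfw_tee_setup() {
    cookie=$1
    rule=${2:-350}
    run=${3:-}
    ng_ipfw_valid_cookie "$cookie" || {
        echo "ng_ipfw_tee_setup: cookie must be numeric (1..65535): $cookie" >&2
        return 1
    }
    # ng_ipfw creates the single system-wide "ipfw" node when loaded.
    $run kldload -n ng_ipfw ng_tee ng_echo
    # Hang a tee off hook <cookie> of the ipfw node and name it "tee";
    # left2right/right2left on the tee are free for a sniffer to attach to.
    $run ngctl mkpeer ipfw: tee "$cookie" left
    $run ngctl name "ipfw:$cookie" tee
    # ng_echo on the right side bounces every packet back, so it re-enters
    # ipfw on hook <cookie> carrying the ng_ipfw tag.
    $run ngctl mkpeer tee: echo right echi
    # Returned (tagged) packets continue with the rule after <rule>;
    # set one_pass=1 instead if they should simply be accepted on return.
    $run sysctl net.inet.ip.fw.one_pass=0
    $run ipfw add "$rule" netgraph "$cookie" ip from any to any
}
```

Run as root on the FreeBSD box as `ng_ipfw_tee_setup 666 350`, or with `echo` as the third argument to only list the commands.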