Vadim Goncharov wrote:
> Hello All!
>
> I wrote new netgraph(4) node, called ng_tag, able to match packets by
> their mbuf_tags(9) and assign new tags to mbufs. This can be used for
> many things in the kernel network subsystem, but particularly useful
> with recently added ipfw(8) tag/tagged functionality (will be MFCed to
> RELENG_6 after Jun 24).
>
> With this node, in conjunction with ng_bpf(4), I was able to match and
> block (perhaps shaping is also possible, but this relies solely on
> ipfw) DirectConnect P2P data connections traffic - you know, they're
> using random ports, so you can't match them with usual firewall rules
> and must check data payload contents of the packets. See man page for
> example of how to do this.
>
> Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
> Then do:
>
>     make
>     kldload ./ng_tag.ko
>
> Man page can be viewed as:
>
>     cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \
>         -Tascii | /usr/bin/col | more -s
>
> Please especially test tags with non-zero tag_len, if you can (though it's
> not needed for ipfw).
>
> P.S. BTW, what is correct subject prefix for new contributions? I think
> [PATCH] is not correct as these are new files, not patch :)

You mentioned the L7 filtering possibility; is it possible to filter
Skype, MSN, Yahoo Messenger traffic using ng_tag? If you can put some
additional examples of how to block the above, that would be great.
This is just my thought.

Thanks,
Ganbold

>
> --WBR, Vadim Goncharov
> _______________________________________________
> freebsd-net_at_freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe_at_freebsd.org"

Received on Mon Jun 12 2006 - 01:12:42 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:57 UTC