Hi,
  I have recent 7.0-current and this node seems to work for me.

  Node code compiles and loads into kernel without any problems.
  After some time experimenting with ng_bpf(4) I was able to tag
  packets matched by bpf filter.
  Of course, the following is not a real-world example, but it
  confirms the module is working. Great job!

[EMAIL PROTECTED] /home/melifaro/ng]# make
@ -> /usr/src/sys
machine -> /usr/src/sys/i386/include
touch opt_netgraph.h
cc -O2 -fno-strict-aliasing -pipe -g -Werror -D_KERNEL -DKLD_MODULE -nostdinc -I- -I/usr/home/melifaro/ng -I. -I@ -I@/contrib/altq -finline-limit=8000 --param inline-unit-growth=100 --param large-function-growth=1000 -fno-common -mno-align-long-strings -mpreferred-stack-boundary=2 -mno-mmx -mno-3dnow -mno-sse -mno-sse2 -mno-sse3 -ffreestanding -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -Wundef -fformat-extensions -std=c99 -c ng_tag.c
ld  -d -warn-common -r -d -o ng_tag.kld ng_tag.o
touch export_syms
awk -f /sys/conf/kmod_syms.awk ng_tag.kld export_syms | xargs -J% objcopy % ng_tag.kld
ld -Bshareable  -d -warn-common -o ng_tag.ko ng_tag.kld
objcopy --strip-debug ng_tag.ko

[EMAIL PROTECTED] /home/melifaro/ng]# make load
/sbin/kldload -v /usr/home/melifaro/ng/ng_tag.ko
Loaded /usr/home/melifaro/ng/ng_tag.ko, id=14

[EMAIL PROTECTED] /usr/home/melifaro/ng]# sysctl -w net.inet.ip.fw.one_pass=0
net.inet.ip.fw.one_pass: 1 -> 0

[EMAIL PROTECTED] /home/melifaro/ng]# ngctl mkpeer ipfw: bpf 41 ipfw
[EMAIL PROTECTED] /home/melifaro/ng]# ngctl name ipfw:41 dcbpf
[EMAIL PROTECTED] /home/melifaro/ng]# ngctl mkpeer dcbpf: tag matched th1
[EMAIL PROTECTED] /home/melifaro/ng]# ngctl name dcbpf:matched ngdc
[EMAIL PROTECTED] /usr/home/melifaro/ng]#

[EMAIL PROTECTED] /home/melifaro/ng]# ngctl msg ngdc: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" }
[EMAIL PROTECTED] /home/melifaro/ng]# ngctl msg ngdc: sethookout { thisHook=\"th1\" tag_cookie=1148380143 tag_id=412 }
[EMAIL PROTECTED] /usr/home/melifaro/ng]#

[EMAIL PROTECTED] /home/melifaro/ng]# ngctl msg dcbpf: setprogram '{ thisHook="matched" ifMatch="ipfw" bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }'
[EMAIL PROTECTED] /usr/home/melifaro/ng]#

; Matching part now, generated by script from ng_bpf(4) man page
; We are trying to tag all packets with dst port = 8888
; link layer is cut, so offset is 20 + 2

[EMAIL PROTECTED] /usr/home/melifaro/ng]# head -n 5 bpf.script
PATTERN="ether[22:2]=8888"
NODEPATH="dcbpf:"
INHOOK="ipfw"
MATCHHOOK="matched"
NOTMATCHHOOK="ipfw"

[EMAIL PROTECTED] /usr/home/melifaro/ng]# ./bpf.script
[EMAIL PROTECTED] /usr/home/melifaro/ng]#

[EMAIL PROTECTED] /usr/home/melifaro/ng]# ipfw add 100 netgraph 41 tcp from me to 1.2.3.4 8888
00100 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
[EMAIL PROTECTED] /usr/home/melifaro/ng]# ipfw add 110 reset tcp from any to any tagged 412
00110 reset tcp from any to any tagged 412
[EMAIL PROTECTED] /usr/home/melifaro/ng]#
[EMAIL PROTECTED] /usr/home/melifaro/ng]# telnet 1.2.3.4 8888
Trying 1.2.3.4...
telnet: connect to address 1.2.3.4: Connection refused
telnet: Unable to connect to remote host
[EMAIL PROTECTED] /usr/home/melifaro/ng]# ipfw show 100-110
00100       1         64 netgraph 41 tcp from me to 1.2.3.4 dst-port 8888
00110       1         64 reset tcp from any to any tagged 412
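As an added illustration (not part of this thread), the following Python builds the same "destination port 8888 at offset 22" filter that bpf.script generates above, formats it as the ng_bpf(4) setprogram message, and checks it against a constructed IP+TCP packet with a small interpreter. Node and hook names follow the session above; the opcode constants are the classic BPF values, and the sample packet is constructed here.

```python
import struct

# Classic BPF opcodes (values as defined in <net/bpf.h>)
BPF_LD_H_ABS = 0x28   # load halfword at absolute offset k into A
BPF_JEQ_K    = 0x15   # if A == k goto pc+jt+1 else goto pc+jf+1
BPF_RET_K    = 0x06   # return k (bytes to accept; 0 rejects)

SNAPLEN = 8192        # same accept length as the setprogram message above

def dst_port_program(port, offset=22):
    """BPF program equivalent to tcpdump 'ether[22:2]=<port>'.
    ipfw hands ng_bpf the packet without a link layer, so the TCP/UDP
    destination port sits at IP header (20 bytes, no options) + 2."""
    return [
        (BPF_LD_H_ABS, 0, 0, offset),
        (BPF_JEQ_K,    0, 1, port),
        (BPF_RET_K,    0, 0, SNAPLEN),
        (BPF_RET_K,    0, 0, 0),
    ]

def setprogram_msg(node, inhook, match, notmatch, prog):
    """Format the program as an ngctl(8) 'setprogram' message for ng_bpf(4)."""
    insns = " ".join("{ code=%d jt=%d jf=%d k=%d }" % i for i in prog)
    return ("ngctl msg %s setprogram '{ thisHook=\"%s\" ifMatch=\"%s\" "
            "ifNotMatch=\"%s\" bpf_prog_len=%d bpf_prog=[ %s ] }'"
            % (node, inhook, match, notmatch, len(prog), insns))

def run_bpf(prog, pkt):
    """Minimal interpreter for the three opcodes used here; returns accept length."""
    acc, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == BPF_LD_H_ABS:
            if k + 2 > len(pkt):
                return 0                      # out-of-bounds load rejects, as in the kernel
            acc = struct.unpack_from("!H", pkt, k)[0]
            pc += 1
        elif code == BPF_JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == BPF_RET_K:
            return k
        else:
            raise ValueError("unsupported opcode 0x%02x" % code)
    return 0

def tcp_packet(dport):
    """Constructed sample: minimal IPv4 header + TCP SYN header, no link layer."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([1, 2, 3, 4]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)
    return ip + tcp

if __name__ == "__main__":
    prog = dst_port_program(8888)
    print(setprogram_msg("dcbpf:", "ipfw", "matched", "ipfw", prog))
    print(run_bpf(prog, tcp_packet(8888)), run_bpf(prog, tcp_packet(80)))
```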

Vadim Goncharov wrote:
Hello All!

I wrote a new netgraph(4) node, called ng_tag, able to match packets by
their mbuf_tags(9) and assign new tags to mbufs. This can be used for
many things in the kernel network subsystem, but it is particularly useful
with the recently added ipfw(8) tag/tagged functionality (will be MFCed to
RELENG_6 after Jun 24).

With this node, in conjunction with ng_bpf(4), I was able to match and block (perhaps shaping is also possible, but this relies solely on ipfw) DirectConnect P2P data connection traffic - you know, they're using random ports, so you can't match them with usual firewall rules and must check the data payload contents of the packets. See the man page for an example of how to do this.

Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
Then do:

  make
  kldload ./ng_tag.ko

Man page can be viewed as:

  cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char -man \
    -Tascii | /usr/bin/col | more -s

Please especially test tags with non-zero tag_len, if you can (though it's
not needed for ipfw).

P.S. BTW, what is correct subject prefix for new contributions? I think
[PATCH] is not correct as these are new files, not patch :)

--WBR, Vadim Goncharov
_______________________________________________
freebsd-net@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
