ng_netflow: testers are welcome

Gleb Smirnoff glebius at
Wed Mar 10 11:17:30 PST 2004

On Mon, Feb 23, 2004 at 03:47:55PM -0800, Julian Elischer wrote:
J> > All I need - just create ksocket with inet/rawip/divert hook connected to
J> > ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert),
J> > then "msg netflow: setdlt { iface=0 dlt=12 }" (Raw ip instead of ethernet),
J> > then "msg divert: bind inet/". And after all add ipfw rule "tee
J> > 8888 ip from any to any in"(One may need "via $oif") instead of final allow
J> > (or, better, before it).


J> This used to work but I have not tried it for some time
J> and it may have been broken in ipfw2, as I never tested it..
J> natd is supposed to do this.. Since you cannot do a "sendto()"
J> in netgraph, you have to have done a "connect" on the socket
J> to set the port number ahead of time..
J> Other things are also in the sockaddr..
J> in the 8 "unused" bytes of the sockaddr we "hide" the incoming interface
J> name (for example)  netgraph cannot change that but it should not need
J> this as it has the actual mbufs and can just set the iface pointer in
J> the packet header.. (assuming divert doesn't clear it..
J> once again, you'll need to look at the code).

I have finally tried this out on CURRENT. Everything works fine as expected:
ng_ksocket in divert mode reinjects packets back into the proper firewall
rule, netflow collects info about demasqueraded IPs... OK.

Here is my config:


        mkpeer tee dummy right2left
        name .:dummy divert_tee_in
        mkpeer divert_tee_in: echo right echo
        mkpeer divert_tee_in: ksocket left inet/raw/divert
        name divert_tee_in:left divert_sock_in
        msg divert_sock_in: bind inet/

        disconnect dummy

        mkpeer divert_tee_in: netflow left2right iface0
        name divert_tee_in:left2right netflow

        msg netflow: setdlt { iface=0 dlt=12 }
        msg netflow: setifindex { iface=0 index=6 }

        mkpeer netflow: ksocket export inet/dgram/udp
        msg netflow:export connect inet/


00200 divert 8668 ip from any to any in via ${nat_if}
00201 divert 8669 ip from any to any in via ${nat_if}
.... some other stuff
00600 divert 8668 ip from any to any out via ${nat_if}

Totus tuus, Glebius.

More information about the freebsd-net mailing list