Netgraph plumbing question
Rajkumar S
rajkumars at gmail.com
Tue Aug 29 14:09:06 UTC 2006
On 8/28/06, Rajkumar S <rajkumars at gmail.com> wrote:
> On 8/26/06, Ruslan Ermilov <ru at freebsd.org> wrote:
> > + msg bpf: setprogram { thisHook="in1" ifNotMatch="mixed" }
>
> This is not working, and I get an error:
> ngctl: send msg: Invalid argument
Did some more work on this. It seems the full command needs to be given.
The following commands are working fine, and I am able to ping from an
external machine to my box.
+ mkpeer rl0: bpf lower from_lower
+ name rl0:lower bpf
+ connect rl0: bpf: upper to_upper
+ mkpeer bpf: hole discard discard
+ msg bpf: setprogram { thisHook="from_lower" ifMatch="discard" ifNotMatch="to_upper" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=0 } ] }
+ msg bpf: setprogram { thisHook="to_upper" ifMatch="discard" ifNotMatch="from_lower" bpf_prog_len=1 bpf_prog=[ { code=6 jt=0 jf=0 k=0 } ] }
Now I am trying to allow only ICMP:
+ msg bpf: setprogram { thisHook="from_lower" ifMatch="to_upper" ifNotMatch="discard" bpf_prog_len=6 bpf_prog=[ { code=40 jt=0 jf=0 k=12 } { code=21 jt=0 jf=3 k=2048 } { code=48 jt=0 jf=0 k=23 } { code=21 jt=0 jf=1 k=1 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] }
+ msg bpf: setprogram { thisHook="to_upper" ifMatch="from_lower" ifNotMatch="discard" bpf_prog_len=6 bpf_prog=[ { code=40 jt=0 jf=0 k=12 } { code=21 jt=0 jf=3 k=2048 } { code=48 jt=0 jf=0 k=23 } { code=21 jt=0 jf=1 k=1 } { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] }
which also works.
I will try with C code also tomorrow.
raj
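
Added example, not part of the original post: a small interpreter for the classic BPF opcodes used in the six-instruction program above, run over constructed Ethernet frames to show which hook ng_bpf would pick for each. The helper names (run_bpf, verdict, frame) and the sample frames are assumptions made for illustration; only the instruction tuples and hook names come from the post.

```python
import struct

# The six instructions from the setprogram messages above: (code, jt, jf, k)
ICMP_PROG = [
    (40, 0, 0, 12),    # ldh [12]     load EtherType
    (21, 0, 3, 2048),  # jeq #0x800   IPv4? otherwise skip 3 -> ret #0
    (48, 0, 0, 23),    # ldb [23]     load IPv4 protocol byte (14 + 9)
    (21, 0, 1, 1),     # jeq #1       ICMP? otherwise skip 1 -> ret #0
    (6, 0, 0, 8192),   # ret #8192    match, forward up to 8192 bytes
    (6, 0, 0, 0),      # ret #0       no match
]

def run_bpf(prog, pkt):
    """Interpret the subset of classic BPF used above; return the ret value."""
    a, pc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == 0x28:      # BPF_LD|BPF_H|BPF_ABS
            if k + 2 > len(pkt): return 0   # out-of-bounds load rejects the packet
            a = struct.unpack_from("!H", pkt, k)[0]
        elif code == 0x30:    # BPF_LD|BPF_B|BPF_ABS
            if k + 1 > len(pkt): return 0
            a = pkt[k]
        elif code == 0x15:    # BPF_JMP|BPF_JEQ|BPF_K
            pc += jt if a == k else jf
        elif code == 0x06:    # BPF_RET|BPF_K
            return k
        else:
            raise ValueError("opcode %#x not handled" % code)
    return 0

def verdict(prog, pkt, if_match, if_not_match):
    """ng_bpf delivers to ifMatch on a non-zero return, else to ifNotMatch."""
    return if_match if run_bpf(prog, pkt) else if_not_match

def frame(ethertype, proto=0):
    """Constructed Ethernet frame: zeroed MACs, 20-byte IPv4-shaped payload."""
    ip = bytearray(20); ip[0] = 0x45; ip[9] = proto
    return bytes(12) + struct.pack("!H", ethertype) + bytes(ip)

SAMPLES = {"icmp": frame(0x0800, 1), "tcp": frame(0x0800, 6), "arp": frame(0x0806)}

def classify_all():
    return {n: verdict(ICMP_PROG, p, "to_upper", "discard") for n, p in SAMPLES.items()}

if __name__ == "__main__":
    print(classify_all())
```

Because the second instruction sends every non-IPv4 EtherType to the final ret #0, ARP frames take the ifNotMatch="discard" path along with TCP.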