clarification regarding netgraph and ipfw

[Alexander Vasenin aka BlackSir]

Maybe this is rather crucial solution, but ng_netflow can deal with raw IP (and not only ethernet), so, you can set 'divert' or 'tee' rule for passing traffic from arbitrary place in ipfw to ng_ksocket, which connected to ng_netflow (which export NetFlow through another ng_ksocket). I use tee (with 'tee' patch, described in PR/60377).

Alexander Vasenin aka BlackSir

> -----Original Message-----
> From: owner-freebsd-stable at freebsd.org 
> [mailto:owner-freebsd-stable at freebsd.org]On Behalf Of Glenn Dawson
> Sent: Friday, July 30, 2004 11:00 AM
> To: stable at freebsd.org
> Subject: clarification regarding netgraph and ipfw
> 
> 
> 
> Greetings,
> 
> I have a firewall running -STABLE.  I'm using ipfw2 for filtering and 
> ng_netgraph (via ng_tee) to export netflow data.
> 
> According to the man page for ng_ether, the lower hook gets raw ethernet 
> frames as they come off the wire.  Reading the man page for ipfw it seems 
> to say that if I turn on net.link.ether.ipfw in sysctl that it will also 
> get things as they come off the wire.
> 
> So my question is, which one gets them first?
> 
> The reason I ask is that if I have an ipfw rule to block traffic from an 
> IP, will it get counted by ng_netgraph?  Or will ipfw drop the packet 
> before it even gets to ng_ether?
> 
> If the packets go through ng_ether first and then through ipfw, does anyone 
> know if it's possible to reverse that behavior?  I'm doing billing based on 
> traffic and don't want the netflow data to include packets that were 
> dropped by ipfw.
> 
> Thanks in advance for any insight.
> 
> -Glenn
> 
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>