[TEST/REVIEW] ng_ipfw: node to glue together ipfw(4) and netgraph(4)

Gleb Smirnoff glebius at freebsd.org
Mon Jan 17 12:06:15 PST 2005


  Dear colleagues,

here is quite a simple node for direct interaction between ipfw(4)
and netgraph(4). It is going to be more effective and error-prone
than a complicated construction around divert socket and ng_ksocket[1].   

The semantics of node operation are quite simple. There is one node
per system, which accepts any hooks with numeric names. Packets
can be sent to netgraph(4) using the ipfw 'netgraph' action, followed
by a numeric cookie. Matched packets are sent out from the corresponding
hook of the ng_ipfw node. These packets are tagged with information which
helps them later to reenter ipfw processing. Tagged packets received on
any node hook reenter the IP stack. If the net.inet.ip.fw.one_pass sysctl is
non-zero they are accepted, otherwise they continue with the next rule. Non-tagged
packets (not originating from the ng_ipfw node) are discarded.
  
Here is a sample configuration. ng_echo(4) echoes packets back from netgraph
to ipfw through a tee node, which allows sniffing the traffic.
  
ngctl
+ ls
There are 4 total nodes:
  Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Name: <unnamed>       Type: echo            ID: 00000006   Num hooks: 1 
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
+ show ipfw:
  Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  666             tee             tee          00000005        left  
+ show tee:
  Name: tee             Type: tee             ID: 00000005   Num hooks: 2
  Local hook      Peer name       Peer type    Peer ID         Peer hook  
  ----------      ---------       ---------    -------         ---------
  left            ipfw            ipfw         00000009        666
  right           <unnamed>       echo         00000006        echi

root at jujik:/usr/src:|>ipfw show
00100    292      40304 allow ip from any to any via lo0
00200      0          0 deny ip from any to 127.0.0.0/8
00300      0          0 deny ip from 127.0.0.0/8 to any
00350 290730  661428793 netgraph 666 ip from any to any
65000 627921 1896034399 allow ip from any to any
65535      0          0 deny ip from any to any
  
The patch [2] is applicable only to HEAD, sorry. The target users are
the ones who are now running ip_accounting/netflow using a diverted
ng_ksocket, and just netgraph geeks.
  
Any kind of feedback is welcome via email with cc: net at .

[1] http://freebsd.rambler.ru/bsdmail/freebsd-net_2004/msg03199.html
[2] http://people.freebsd.org/~glebius/totest/ng_ipfw.patch

-- 
Totus tuus, Glebius.
GLEBIUS-RIPN GLEB-RIPE
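The topology shown in the message above (ipfw rule 350 -> ng_ipfw hook 666 -> ng_tee -> ng_echo, with the echo returning packets to ipfw through the tee), written out as a setup script. This is an added example, not part of the original post or of the patch. It assumes a FreeBSD host with the ng_ipfw patch applied and assumes the module names ng_ipfw, ng_tee and ng_echo; with DRY_RUN=1 (the default) it only prints the commands it would run, so the sequence can be checked without a netgraph-capable box.

```shell
#!/bin/sh
# Added example (not from the original mail or patch): build the graph
#   ipfw rule -> ng_ipfw hook <cookie> -> ng_tee(left) ... ng_tee(right) -> ng_echo
# exactly as shown in the post's 'ngctl show' output, then tear it down.
# Assumed: FreeBSD with the ng_ipfw patch, modules named ng_ipfw/ng_tee/ng_echo.
# With DRY_RUN=1 (default) every command is printed instead of executed.

DRY_RUN="${DRY_RUN:-1}"
COOKIE="${COOKIE:-666}"   # numeric hook name on the ipfw node == ipfw cookie
RULE="${RULE:-350}"       # ipfw rule number, as in the sample 'ipfw show'

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the graph for ipfw hook $1 (the cookie) and ipfw rule number $2.
build_topology() {
    cookie=$1
    rule=$2
    # One ng_ipfw node per system, named "ipfw"; loading the module creates it
    # (assumed module name).
    run kldload ng_ipfw
    run kldload ng_tee
    run kldload ng_echo
    # hook <cookie> of the ipfw node -> hook "left" of a new tee node
    run ngctl mkpeer ipfw: tee "$cookie" left
    run ngctl name "ipfw:$cookie" tee
    # tee's "right" hook -> a new echo node; "echi" is the hook name from the post.
    # ng_echo returns every packet on the hook it arrived on, so the packet
    # travels right -> left on the tee and re-enters ipfw via hook <cookie>.
    run ngctl mkpeer tee: echo right echi
    # The new 'netgraph' action hands matching packets to ng_ipfw with the cookie.
    run ipfw add "$rule" netgraph "$cookie" ip from any to any
    # Returned (tagged) packets are accepted when one_pass is non-zero,
    # otherwise they continue with the rule after <rule>.
    run sysctl net.inet.ip.fw.one_pass=1
}

# Remove the rule first so no packets are diverted into a half-torn graph,
# then shut the tee down; the echo node goes away with its last hook.
teardown_topology() {
    rule=$1
    run ipfw delete "$rule"
    run ngctl shutdown tee:
}

build_topology "$COOKIE" "$RULE"
```

Running it with DRY_RUN=0 as root performs the setup; a diverted packet then shows up on the tee's left2right/right2left hooks for a sniffer (e.g. another ng_ksocket or ng_tee consumer) while the echo path sends the original back into the firewall. The `teardown_topology` function deletes the rule before dismantling the graph so that packets are never sent to a hook that no longer exists.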

