[TEST/REVIEW #2] ng_ipfw: node to glue together ipfw(4) and
netgraph(4)
Andre Oppermann
andre at freebsd.org
Tue Jan 25 00:09:53 PST 2005
Gleb Smirnoff wrote:
>
> Dear colleagues,
>
> pls review an updated patch bringing in ng_ipfw node. Differences against
> previous patch:
>
> - packets coming from netgraph are queued, and later serviced by netisr
> - "ngtee" keyword introduced. A copy of the packet is made, and it is sent
> into netgraph. No tagging is done. The original packet is either accepted or
> continues checking against rules, depending on net.inet.ip.fw.one_pass.
> Target users are the ones who are going to do ip accounting/netflow via
> ng_ipfw.
> - a bit more comments in code
>
> URL: http://people.freebsd.org/~glebius/totest/ng_ipfw.patch
Style-wise there is only the space after "(void )..." in ip_fw_pfil.c
for the ng_tee case which is too much.
I don't like the arbitrary back-passing of errors from ng_ipfw. I'm
fine with EACCES, ENOMEM and ESRCH (if hook not connected) but nothing
else. Getting back any other error is very confusing and non-intuitive
when looking at the error of an application having packets sunk there.
Why don't you prepend the m_tag within ip_fw2.c as altq and divert are
doing it? Dummynet should do the same to get it consistent again.
Just to confirm it, NG_SEND_DATA_ONLY() queues the packet unconditionally
to unwind the stack?
PS: I'm out of town until tomorrow afternoon. I'll have only limited
email access until then.
--
Andre
> A sample setup:
>
> + ls
> There are 6 total nodes:
>   Name: <unnamed>       Type: hole            ID: 00000009   Num hooks: 1
>   Name: netflow         Type: netflow         ID: 00000008   Num hooks: 2
>   Name: ngctl768        Type: socket          ID: 00000007   Num hooks: 0
>   Name: <unnamed>       Type: hole            ID: 00000006   Num hooks: 1
>   Name: <unnamed>       Type: echo            ID: 00000004   Num hooks: 1
>   Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 3
> + show ipfw:
>   Name: ipfw            Type: ipfw            ID: 00000001   Num hooks: 3
>   Local hook      Peer name       Peer type    Peer ID         Peer hook
>   ----------      ---------       ---------    -------         ---------
>   555             netflow         netflow      00000008        iface0
>   666             <unnamed>       hole         00000006        qqq
>   100             <unnamed>       echo         00000004        qqq
> +
>
> root at jujik:~:|>ipfw show
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 00300 0 0 deny ip from 127.0.0.0/8 to any
> 00400 14927 61918948 netgraph 100 ip from any to any
> 00500 14927 61918948 ngtee 666 ip from any to any
> 00600 7477 1067060 ngtee 555 ip from any to any in
> 65000 14927 61918948 allow ip from any to any
> 65535 0 0 deny ip from any to any
>
> root at jujik:~:|>sysctl net.inet.ip.fw.one_pass
> net.inet.ip.fw.one_pass: 0
>
> On Mon, Jan 17, 2005 at 11:06:10PM +0300, Gleb Smirnoff wrote:
> > Dear colleagues,
> >
> > here is quite a simple node for direct interaction between ipfw(4)
> > and netgraph(4). It is going to be more effective and error-prone
> > than a complicated construction around divert socket and ng_ksocket[1].
> >
> > The semantics of node operation are quite simple. There is one node
> > per system, which accepts any hooks with numeric names. Packets
> > can be sent to netgraph(4) using ipfw 'netgraph' action, followed
> > by a numeric cookie. Matched packets are sent out from corresponding
> > hook of ng_ipfw node. These packets are tagged with information which
> > helps them later to reenter ipfw processing. Tagged packets received on
> > any node hook reenter IP stack. If net.inet.ip.fw.one_pass sysctl is
> > non-zero they are accepted, otherwise they continue with next rule. Non-tagged
> > packets (not originating from ng_ipfw node) are discarded.
> >
> > Here is a sample configuration. ng_echo(4) echoes packets back from netgraph
> > to ipfw through a tee node, which allows sniffing the traffic.
> >
> > ngctl
> > + ls
> > There are 4 total nodes:
> >   Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
> >   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
> >   Name: <unnamed>       Type: echo            ID: 00000006   Num hooks: 1
> >   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
> > + show ipfw:
> >   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
> >   Local hook      Peer name       Peer type    Peer ID         Peer hook
> >   ----------      ---------       ---------    -------         ---------
> >   666             tee             tee          00000005        left
> > + show tee:
> >   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
> >   Local hook      Peer name       Peer type    Peer ID         Peer hook
> >   ----------      ---------       ---------    -------         ---------
> >   left            ipfw            ipfw         00000009        666
> >   right           <unnamed>       echo         00000006        echi
> >
> > root at jujik:/usr/src:|>ipfw show
> > 00100 292 40304 allow ip from any to any via lo0
> > 00200 0 0 deny ip from any to 127.0.0.0/8
> > 00300 0 0 deny ip from 127.0.0.0/8 to any
> > 00350 290730 661428793 netgraph 666 ip from any to any
> > 65000 627921 1896034399 allow ip from any to any
> > 65535 0 0 deny ip from any to any
> >
> > The patch [2] is applicable only to HEAD, sorry. The target users are
> > the ones who are now running ip_accounting/netflow using diverted
> > ng_ksocket, and just netgraph geeks.
>
> --
> Totus tuus, Glebius.
> GLEBIUS-RIPN GLEB-RIPE
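The packet flow described in the quoted mail (a 'netgraph' rule tags the packet and sends it out a numbered hook; a tagged packet coming back in is accepted when net.inet.ip.fw.one_pass is non-zero and otherwise resumes at the next rule; an untagged packet coming in is dropped; 'ngtee' sends an untagged copy and lets the original continue) as a small user-space C model. This is an added illustration, not the ng_ipfw patch or any FreeBSD kernel code: the rule numbers and hook cookies are taken from the second sample setup above, the struct and function names (`struct pkt`, `ipfw_chain`, `ng_ipfw_rcvdata`, `run_packet`) are invented for the model, every hook is assumed to be connected to an echo node, and address/interface matching (rules 100-300, the "in" qualifier) is left out so that every rule matches.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model of the ng_ipfw semantics from the thread. Not kernel code:
 * names below are invented for the illustration, rule numbers and
 * cookies come from the sample 'ipfw show' output. */

enum action { ACT_ALLOW, ACT_DENY, ACT_NETGRAPH, ACT_NGTEE };

struct rule {
    int number;          /* ipfw rule number */
    enum action act;
    int cookie;          /* numeric hook name for netgraph / ngtee */
};

/* Stand-in for the m_tag ng_ipfw attaches on the 'netgraph' action:
 * it records the rule the packet left from so processing can resume
 * at the next rule when the packet re-enters. */
struct pkt {
    bool tagged;
    int  tag_rule;
};

enum verdict { V_ACCEPT, V_DROP, V_NETGRAPH };

struct stats {
    int netgraph_sends;   /* originals sent out a hook by 'netgraph' */
    int tee_copies;       /* untagged copies sent out a hook by 'ngtee' */
    int untagged_dropped; /* packets arriving on a hook without a tag */
};

/* Walk the chain starting at the first rule numbered above start_after.
 * On V_NETGRAPH the packet has been tagged and *hook holds the cookie. */
static enum verdict
ipfw_chain(const struct rule *rules, size_t n, int start_after, bool one_pass,
           struct pkt *p, int *hook, struct stats *st)
{
    for (size_t i = 0; i < n; i++) {
        const struct rule *r = &rules[i];
        if (r->number <= start_after)
            continue;
        switch (r->act) {
        case ACT_ALLOW:
            return V_ACCEPT;
        case ACT_DENY:
            return V_DROP;
        case ACT_NETGRAPH:
            p->tagged = true;
            p->tag_rule = r->number;
            *hook = r->cookie;
            st->netgraph_sends++;
            return V_NETGRAPH;
        case ACT_NGTEE:
            /* The copy leaves untagged; the original is accepted under
             * one_pass, otherwise it continues with the next rule. */
            st->tee_copies++;
            if (one_pass)
                return V_ACCEPT;
            break;
        }
    }
    return V_DROP;  /* the implicit 65535 deny */
}

/* Data arriving on any ng_ipfw hook, e.g. echoed back by ng_echo. */
static enum verdict
ng_ipfw_rcvdata(const struct rule *rules, size_t n, bool one_pass,
                struct pkt *p, int *hook, struct stats *st)
{
    if (!p->tagged) {                 /* not ours: discard */
        st->untagged_dropped++;
        return V_DROP;
    }
    if (one_pass)                     /* accepted without further rules */
        return V_ACCEPT;
    return ipfw_chain(rules, n, p->tag_rule, one_pass, p, hook, st);
}

/* One packet through the firewall with every hook wired to an echo node,
 * so whatever goes out a hook comes straight back in. Terminates because
 * each re-entry resumes strictly after the tagging rule. */
static enum verdict
run_packet(const struct rule *rules, size_t n, bool one_pass, struct stats *st)
{
    struct pkt p = { false, 0 };
    int hook = 0;
    enum verdict v = ipfw_chain(rules, n, 0, one_pass, &p, &hook, st);
    while (v == V_NETGRAPH)
        v = ng_ipfw_rcvdata(rules, n, one_pass, &p, &hook, st);
    return v;
}

/* Rules 400-65000 of the second sample setup (100-300 omitted, see above). */
static const struct rule sample_rules[] = {
    {   400, ACT_NETGRAPH, 100 },
    {   500, ACT_NGTEE,    666 },
    {   600, ACT_NGTEE,    555 },
    { 65000, ACT_ALLOW,      0 },
};
#define NSAMPLE (sizeof(sample_rules) / sizeof(sample_rules[0]))

int main(void)
{
    for (int one_pass = 0; one_pass <= 1; one_pass++) {
        struct stats st = { 0, 0, 0 };
        enum verdict v = run_packet(sample_rules, NSAMPLE, one_pass, &st);
        printf("one_pass=%d: %s, netgraph sends=%d, tee copies=%d\n", one_pass,
               v == V_ACCEPT ? "accept" : "drop", st.netgraph_sends, st.tee_copies);
    }
    return 0;
}
```

With one_pass=0 the packet leaves via rule 400, is echoed back, resumes at 500 and 600 (two tee copies) and is accepted by 65000; with one_pass=1 it is accepted the moment it returns, so the ngtee rules never see it, which is the difference between the two sysctl settings that the quoted mail describes.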