ipfw tag and ng_tag
Eduardo Meyer
dudu.meyer at gmail.com
Sun Oct 8 01:20:49 PDT 2006
Hello,
Finally with -BETA2 I can try ng_tag and ipfw tag.
I have a certain unusual need to filter DNS queries which return
NXDomain. Before filtering, I will make some cacti graphs. So I need
to count packets with "NXDomain" expression on Layer 7.
With tcpdump -X I can see that NXDomain always shows up perfectly, so
this is the kind of L7 pattern which will be safe to filter. With
hexdump(1) I found the hex sequence for the NXDomain expression to be:
4e 58 44 6f 6d 61 69 6e 0a
I have the needed kernel modules loaded. What should I do next? I know
I am supposed to create a ng_bpf pattern, similar to
PATTERN="(ether[40:4]=0x134e5844 &&
ether[44:4]=0x6f6d6169 &&
ether[48:4]=0x6e0a)"
I did it, and executed it in the following script:
PATTERN="(ether[40:4]=0x134e5844 &&
          ether[44:4]=0x6f6d6169 &&
          ether[48:4]=0x6e0a)"
NODEPATH="my_node:"
INHOOK="hook1"
MATCHHOOK="hook2"
NOTMATCHHOOK="hook3"
cat > /tmp/bpf.awk << xxENDxx
{
        if (!init) {
                printf "bpf_prog_len=%d bpf_prog=[", \$1;
                init=1;
        } else {
                printf " { code=%d jt=%d jf=%d k=%d }", \$1, \$2, \$3, \$4;
        }
}
END {
        print " ]"
}
xxENDxx
BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`
ngctl msg ${NODEPATH} setprogram { thisHook=\"${INHOOK}\" \
  ifMatch=\"${MATCHHOOK}\" \
  ifNotMatch=\"${NOTMATCHHOOK}\" \
  ${BPFPROG} } }
But here I get my first problem. The script returns:
ngctl: send msg: No such file or directory
I printed the full command that returns the error; it is:
ngctl msg setprogram { thisHook="" ifMatch="" ifNotMatch=""
bpf_prog_len=8 bpf_prog=[ { code=32 jt=0 jf=0 k=40 } { code=21 jt=0
jf=5 k=323901508 } { code=32 jt=0 jf=0 k=44 } { code=21 jt=0 jf=3
k=1869439337 } { code=32 jt=0 jf=0 k=48 } { code=21 jt=0 jf=1 k=28170
} { code=6 jt=0 jf=0 k=8192 } { code=6 jt=0 jf=0 k=0 } ] } }
Running tcpdump -s 8192 -ddd $PATTERN manually I get:
8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0
Which suggests that the ngctl data (code, jt, jf and k) are correct. But
the command returns that error for some reason. The script was taken
from the ng_bpf(4) man page.
I am all new to this netgraph thing, and I couldn't even get to the
ng_tag phase (stopped in ng_bpf).
I would like to have your help to work it out, please. Thank you.
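As an added example, not part of the original post and not the ng_bpf(4) man page's script, here is the tcpdump -ddd to ngctl conversion step written as a POSIX shell function that refuses a listing whose count line does not match the number of instructions, plus a second function that assembles the setprogram command text (in the form ngctl -f reads) so the node path and hook names can be checked by eye before anything is sent. The node name and hook names are the post's own placeholders, and the sample listing is the one the post shows for its pattern. Two points a reader may find useful: the command the post printed shows the node path and hook names expanded to empty strings, and ngctl can only deliver a message to a node that exists under the name given, so inspecting the assembled line and the output of ngctl list before sending is the first check. Also, "NXDomain" is tcpdump's decoded rendering rather than bytes on the wire; a DNS name error is RCODE 3 in the low four bits of the fourth byte of the DNS header, which is udp[11] in a plain UDP reply, so a filter such as `udp src port 53 and (udp[11] & 0x0f) = 3` counts such replies regardless of the packet's other contents and can be fed through the same pipeline.

```shell
#!/bin/sh
# Added example (not from the original post or the ng_bpf(4) man page):
# turn a `tcpdump -ddd` listing into the bpf_prog text an ng_bpf
# "setprogram" message takes, and assemble the whole ngctl command line
# for inspection before it is sent.

# Read a `tcpdump -ddd` listing on stdin and print
#   bpf_prog_len=N bpf_prog=[ { code=.. jt=.. jf=.. k=.. } ... ]
# Exits 1 and prints nothing on stdout when the count on the first line
# does not match the number of instruction lines that follow.
ddd_to_ngctl() {
    awk '
        BEGIN { got = 0 }
        NR == 1 { n = $1 + 0; next }
        NF == 4 {
            got++
            prog = prog sprintf(" { code=%d jt=%d jf=%d k=%d }", $1, $2, $3, $4)
        }
        END {
            if (got != n) {
                printf "ddd_to_ngctl: header says %d instructions, found %d\n", n, got > "/dev/stderr"
                exit 1
            }
            printf "bpf_prog_len=%d bpf_prog=[%s ]\n", n, prog
        }'
}

# Assemble one ngctl(8) command line in the form `ngctl -f` reads, so the
# node path and hook names are visible: an empty node path here is exactly
# what yields a message addressed to no node.
# $1 = node path (e.g. "my_node:"), $2 = input hook, $3 = match hook,
# $4 = no-match hook; the BPF listing is read on stdin.
build_setprogram() {
    _prog=$(ddd_to_ngctl) || return 1
    printf 'msg %s setprogram { thisHook="%s" ifMatch="%s" ifNotMatch="%s" %s }\n' \
        "$1" "$2" "$3" "$4" "$_prog"
}

# Constructed sample: the `tcpdump -ddd` listing shown in the post.
SAMPLE_DDD='8
32 0 0 40
21 0 5 323901508
32 0 0 44
21 0 3 1869439337
32 0 0 48
21 0 1 28170
6 0 0 8192
6 0 0 0'

# Show the assembled command line (node and hook names are placeholders).
printf '%s\n' "$SAMPLE_DDD" | build_setprogram "my_node:" hook1 hook2 hook3

# Constructed sample with a wrong count line: rejected rather than sent.
if ! printf '3\n32 0 0 40\n' | ddd_to_ngctl 2>/dev/null; then
    echo "short listing rejected, as intended"
fi
```

Redirecting the assembled line into `ngctl -f -` (or saving it to a file for `ngctl -f`) sends it without the backslash-escaped quotes the argv form of ngctl needs, which removes one source of empty hook names.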