[TEST/REVIEW] ng_ipfw: node to glue together ipfw(4) and netgraph(4)
Brooks Davis
brooks at one-eyed-alien.net
Tue Jan 18 10:31:53 PST 2005
On Mon, Jan 17, 2005 at 11:06:10PM +0300, Gleb Smirnoff wrote:
> Dear colleagues,
>
> here is quite a simple node for direct interaction between ipfw(4)
> and netgraph(4). It is going to be more effective and error-prone
> than a complicated construction around divert socket and ng_ksocket[1].
>
> The semantics of node operation are quite simple. There is one node
> per system, which accepts any hooks with numeric names. Packets
> can be sent to netgraph(4) using ipfw 'netgraph' action, followed
> by a numeric cookie. Matched packets are sent out from corresponding
> hook of ng_ipfw node. These packets are tagged with information which
> helps them later to reenter ipfw processing. Tagged packets received on
> any node hook reenter IP stack. If net.inet.ip.fw.one_pass sysctl is non-zero
> they are accepted, otherwise they continue with next rule. Non-tagged
> packets (not originating from ng_ipfw node) are discarded.
>
> Here is sample configuration. ng_echo(4) echoes packets back from netgraph
> to ipfw through a tee node, which allows sniffing the traffic.
>
> ngctl
> + ls
> There are 4 total nodes:
>   Name: ngctl6138       Type: socket          ID: 0000000c   Num hooks: 0
>   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
>   Name: <unnamed>       Type: echo            ID: 00000006   Num hooks: 1
>   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
> + show ipfw:
>   Name: ipfw            Type: ipfw            ID: 00000009   Num hooks: 1
>   Local hook      Peer name       Peer type       Peer ID         Peer hook
>   ----------      ---------       ---------       -------         ---------
>   666             tee             tee             00000005        left
> + show tee:
>   Name: tee             Type: tee             ID: 00000005   Num hooks: 2
>   Local hook      Peer name       Peer type       Peer ID         Peer hook
>   ----------      ---------       ---------       -------         ---------
>   left            ipfw            ipfw            00000009        666
>   right           <unnamed>       echo            00000006        echi
>
> root at jujik:/usr/src:|>ipfw show
> 00100    292      40304 allow ip from any to any via lo0
> 00200      0          0 deny ip from any to 127.0.0.0/8
> 00300      0          0 deny ip from 127.0.0.0/8 to any
> 00350 290730  661428793 netgraph 666 ip from any to any
> 65000 627921 1896034399 allow ip from any to any
> 65535      0          0 deny ip from any to any
>
> The patch [2] is applicable only to HEAD, sorry. The target users are
> the ones who are now running ip_accounting/netflow using diverted
> ng_ksocket, and just netgraph geeks.
I like the idea and I've glanced at the patch. You should put the new
op-code at the end of the list to avoid breaking the IPFW ABI. There
should probably be a comment about this in ip_fw.h.
-- Brooks
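The graph in Gleb's sample (ipfw hook 666 into a tee, tee's right side into an echo node, plus the ipfw rule that feeds it) can be reproduced with the stock ngctl(8), nghook(8) and ipfw(8) tools. The script below is an added example written for this page, not code from the original message or from the ng_ipfw patch. It assumes the ng_ipfw module is already loaded and has created its single node under the name "ipfw", exactly as the listing above shows; the hook number (666) and rule number (350) are taken from the sample and can be overridden through the HOOK and RULE environment variables. Setting NG_DRY_RUN=1 prints the command sequence instead of executing it, which is how it can be reviewed on a machine without netgraph.

```shell
#!/bin/sh
# Added example (not part of the original message): build, inspect and tear
# down the ng_ipfw graph from the sample configuration:
#     ipfw:666 -- left[tee]right -- echi[echo]
# Assumptions: ng_ipfw is loaded and its node is named "ipfw" (as in the
# ngctl listing); hook 666 and rule 350 come from the sample.
# Set NG_DRY_RUN=1 to print commands instead of running them.

HOOK="${HOOK:-666}"
RULE="${RULE:-350}"

# Execute a command, or echo it verbatim when NG_DRY_RUN is set.
run() {
    if [ -n "${NG_DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Fail early if the ipfw node is absent (module not loaded); otherwise the
# first mkpeer below fails with a far less obvious error.
check_node() {
    [ -n "${NG_DRY_RUN:-}" ] && return 0
    ngctl show ipfw: >/dev/null 2>&1 || {
        echo "ng_ipfw node not found; kldload ng_ipfw first" >&2
        return 1
    }
}

ng_ipfw_setup() {
    check_node || return 1
    # Hang a tee node off ipfw's numeric hook; tee's "left" hook faces ipfw.
    run ngctl mkpeer ipfw: tee "$HOOK" left
    run ngctl name "ipfw:$HOOK" tee
    # An echo node on tee's right side bounces every packet back to ipfw.
    run ngctl mkpeer tee: echo right echi
    run ngctl name tee:right echo
    # Send all IP traffic out through that hook; tagged packets returning
    # from the echo node re-enter ipfw after this rule (or are accepted
    # outright when net.inet.ip.fw.one_pass is non-zero).
    run ipfw add "$RULE" netgraph "$HOOK" ip from any to any
}

# Watch packets flowing ipfw -> echo on tee's left2right copy hook.
# Packets are printed as they pass; interrupt with ^C.
ng_ipfw_sniff() {
    run nghook -a tee: left2right
}

ng_ipfw_teardown() {
    # Remove the rule first so no packet is diverted into a vanishing graph.
    run ipfw delete "$RULE"
    run ngctl shutdown echo:
    run ngctl shutdown tee:
}

case "${1:-}" in
    setup)    ng_ipfw_setup ;;
    sniff)    ng_ipfw_sniff ;;
    teardown) ng_ipfw_teardown ;;
    *)        echo "usage: $0 setup|sniff|teardown" >&2 ;;
esac
```

Note that the rule is added only after the whole graph is wired: with the description above, a packet sent to a hook number that has no peer has nowhere to go, and a non-tagged packet arriving on an ng_ipfw hook is discarded, so ordering the setup this way keeps traffic from being silently dropped during configuration. With one_pass left at zero the echoed packets continue at the rule after 350 and are accepted by rule 65000 in the sample ruleset, which is why the 65000 counters exceed those of rule 350.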
More information about the freebsd-net mailing list