[fbsd] [patch] ipfw packet tagging
Jeremie Le Hen
jeremie at le-hen.org
Wed Jun 21 09:58:55 UTC 2006
Hi Andrey,

On Wed, May 10, 2006 at 10:41:14AM +0400, Andrey V. Elsukov wrote:
> Hi, All!
>
> I have written a small patch for packet
> tagging with ipfw.
>
> The description of OpenBSD packet tagging is here:
> http://www.openbsd.org/faq/pf/tagging.html
>
> IPFW tags are not compatible with PF tags.
>
> This feature can be usable with some netgraph modules.
> We can create a netgraph node that marks packets with some tags
> and use this node with other nodes. IPFW can detect and filter
> packets with tags.
>
> Also we can mark packets before NAT and detect tagged packets
> after translation.
> NAT based on divert sockets does not allow this, but I think
> ng_nat can.
>
> Patches can be found here:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Looking at the patch lets me see that you are using the generic mbuf
tags. This means the tag should be available along the packet's
trip through the kernel. Would it be possible to slightly modify
the routing code in order to make those tags a routing criterion?

Julian Elischer also has a neat patch that modifies the ipfw table
but he hasn't provided it so far [1].

[1] http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010563.html

Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >