divert rewrite

Sergey Matveychuk sem at FreeBSD.org
Tue Feb 8 19:40:17 UTC 2011


08.02.2011 21:47, rozhuk.im at gmail.com writes:
>> -----Original Message-----
>> From: Sergey Matveychuk [mailto:sem at FreeBSD.org]
>> Sent: Wednesday, February 09, 2011 12:53 AM
>> To: Rozhuk.IM at gmail.com
>> Cc: freebsd-net at freebsd.org
>> Subject: Re: divert rewrite
>>
>> 08.02.2011 19:08, rozhuk.im at gmail.com wrote:
>>> Did you try ng_ether + ng_ksocket?
>>> It can translate Ethernet frames encapsulated in UDP to a user space
>>> receiver.
>>
>> The idea is to catch packets from the firewall (ng_ipfw; ng_nat was mentioned
>> by mistake) and pass them to a user space module that does some processing
>> and puts the packets back into the firewall (for rules with the `diverted'
>> keyword).
>>
>> It works now for IPv4 with `divert' and doesn't with IPv6.
>
> I know how divert works, google: uTPControl ;)
> It's simple for development, stable, but uses many CPU.
>
> With ng_ether + ng_ksocket you can send custom Ethernet frames.
> There is some node that can filter traffic; for IPv6 you need to allow 1 or 2 Ethernet types to pass.

I know. But I've written a module to work in conjunction with ipfw. It makes a
decision by some criteria to pass the traffic or to block it.
Administrators in our nets decide what kind of traffic to pass to my module
(mostly TCP SYN and a few UDP) in their firewalls.
So a conjunction with ipfw is the goal.
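For readers unfamiliar with the ipfw + divert(4) arrangement the thread refers to, here is an added example of a minimal user-space divert filter. It is not Sergey's module and not code from the thread; it only illustrates the mechanism: ipfw diverts matching packets to a divert socket, the user-space process inspects each one and either writes it back (processing then continues at the next ipfw rule, where `diverted' rules can match) or drops it by simply not reinjecting it. The divert port (8668), the ipfw rule in the comment, the pass/block policy and the `BLOCKED_PORT` value are all assumptions made up for the example; `IPPROTO_DIVERT` is FreeBSD-specific, so the socket loop only works there, while `decide()` and `make_packet()` are plain header parsing that builds anywhere.

```c
/* Added example (not from the thread): a user-space divert(4) filter.
 * Assumed ipfw rule that feeds it:
 *   ipfw add 100 divert 8668 ip from any to any
 * Assumed policy: drop TCP SYNs and UDP datagrams to BLOCKED_PORT, pass
 * everything else (mirrors "mostly TCP SYN and a few UDP" as the input mix). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258   /* FreeBSD value from <netinet/ip_divert.h>; divert is IPv4-only here */
#endif

#define DIVERT_PORT  8668    /* assumed: must match the ipfw divert rule */
#define BLOCKED_PORT 23      /* constructed policy value for the example */

enum verdict { BLOCK = 0, PASS = 1 };

/* Inspect an IPv4 packet and return PASS (reinject) or BLOCK (drop).
 * Malformed or truncated packets are blocked rather than passed blindly. */
int decide(const uint8_t *pkt, size_t len)
{
    if (len < 20) return BLOCK;
    unsigned ver = pkt[0] >> 4;
    unsigned ihl = (pkt[0] & 0x0f) * 4;
    if (ver != 4 || ihl < 20 || len < ihl) return BLOCK;
    uint8_t proto = pkt[9];
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = len - ihl;
    if (proto == 6) {                                   /* TCP */
        if (l4len < 20) return BLOCK;
        uint16_t dport = (uint16_t)((l4[2] << 8) | l4[3]);
        int syn_only = (l4[13] & 0x12) == 0x02;         /* SYN set, ACK clear: new connection */
        return (syn_only && dport == BLOCKED_PORT) ? BLOCK : PASS;
    }
    if (proto == 17) {                                  /* UDP */
        if (l4len < 8) return BLOCK;
        uint16_t dport = (uint16_t)((l4[2] << 8) | l4[3]);
        return dport == BLOCKED_PORT ? BLOCK : PASS;
    }
    return PASS;                                        /* other protocols: let ipfw continue */
}

/* Build a constructed minimal IPv4 + TCP/UDP packet (no checksums; decide()
 * does not check them) so the policy can be exercised without a divert socket. */
size_t make_packet(uint8_t *out, uint8_t proto, uint16_t dport, uint8_t tcpflags)
{
    size_t l4len = (proto == 6) ? 20 : 8;
    size_t total = 20 + l4len;
    memset(out, 0, total);
    out[0] = 0x45;                                      /* IPv4, IHL = 5 words */
    out[2] = (uint8_t)(total >> 8);
    out[3] = (uint8_t)(total & 0xff);
    out[9] = proto;
    out[22] = (uint8_t)(dport >> 8);
    out[23] = (uint8_t)(dport & 0xff);
    if (proto == 6) { out[32] = 0x50; out[33] = tcpflags; } /* data offset 5, flags */
    return total;
}

/* Divert loop (FreeBSD only). recvfrom() fills the sockaddr_in with the rule
 * number (sin_port) and incoming interface (sin_addr); handing the same
 * address back to sendto() reinjects the packet at the next ipfw rule. */
int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    struct sockaddr_in bindaddr;
    memset(&bindaddr, 0, sizeof bindaddr);
    bindaddr.sin_family = AF_INET;
    bindaddr.sin_port = htons(DIVERT_PORT);
    if (bind(fd, (struct sockaddr *)&bindaddr, sizeof bindaddr) < 0) { perror("bind"); return 1; }

    uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from;
        socklen_t fromlen = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fromlen);
        if (n < 0) { perror("recvfrom"); break; }
        if (decide(buf, (size_t)n) == PASS) {
            if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&from, fromlen) < 0)
                perror("sendto");
        }
        /* BLOCK: not reinjecting is the drop; ipfw never sees the packet again */
    }
    close(fd);
    return 0;
}
```

Note that a divert rule only matches what the administrator sends to it, so the selection of traffic (here "ip from any to any") stays in the ipfw ruleset while the user-space policy decides per packet; every packet has to cross the kernel boundary twice, which is the CPU cost mentioned above.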

