Need Netgraph Help

John Lyon johnllyon at gmail.com
Mon Dec 18 14:17:56 UTC 2017


Harry,

Thanks for the help.  I haven't had the chance to sit down and tinker over
the weekend, but I hope I may get some time in the next day or two.  I will
see what happens when I try to connect my filter as you suggested.

My intention is essentially to use NetGraph in order to add some simple
layer 2 firewalling capabilities to my PFSense router (FreeBSD + pf +
pretty GUI for other functions) on my network.  Unfortunately, pf on
FreeBSD only appears to filter at layers 3 and 4.  I need to also filter
and redirect layer 2 traffic.

I'm aware that IPFW can probably do what I want (filter and redirect based
on MAC address and ethernet frame type).  However, I prefer the pretty GUI
of PFSense for convenience and time saving (I could duplicate all of the
rules and functionality in the command line, but the GUI makes
administration a lot easier).  However, I don't want to hack together a
solution that involves two firewalls running on the same box when I was
hoping to use Netgraph to filter at layer 2 before passing other traffic up
to pf for layer 3 and 4 filtering.  However, this may be the route I have
to go (PFSense does use both PF and IPFW when the "captive portal"
functionality is enabled, so it is technically possible).

Thanks for the link to the NetBSD presentation.  I'm already aware of it;
it was one of the first things I found when I googled about netgraph trying
to sort through this whole mess. :-)

--------------------------------
John L. Lyon
PGP Key Available At:
https://www.dropbox.com/s/skmedtscs0tgex7/02150BFE.asc

On Sat, Dec 16, 2017 at 4:30 AM, Harry Schmalzbauer <freebsd at omnilan.de>
wrote:

> Regarding John Lyon's message of 15.12.2017 19:59 (localtime):
> > Harry and Eugene (and others),
> >
> > I appreciate all of your help.  It's been really insightful.  Although I
> > feel like I'm getting much closer to the solution, I don't think my problem
> > has been diagnosed.  I've outlined my thought process below.  Can you
> > please tell me if I am misunderstanding something?  Admittedly, I am not a
> > kernel developer and my C language skills have atrophied the last few
> > years.  However, I've reviewed my script and I looked in the code for
> > ng_etf.c and I don't think I am violating any of the requirements for
> > linking a hook for no match.
> >
> > As Eugene stated:
> >
> >>> 1) referenced "matchook" exists and you should not use "indirect name" here,
> >>> only hook own name, or else you get error ENOENT (No such file or directory);
> >
> > This does not seem to be a problem as the upper and lower hooks for the em1
> > already exist (I can confirm this).
> >
> >>> 2) referenced "matchook" is *not* downstream hook, or else you get error
> >>> EINVAL (Invalid argument);
> >
> > I read the ng_etf.c file in the source tree and found this little snippet:
> >
> > /* and is not the downstream hook */
> > if (hook == etfp->downstream_hook.hook) {
> >     error = EINVAL;
> >     break;
> > }
> >
> > This appears to be an error check to make sure you are not creating a cycle
> > in the graph by referencing the ETF node's own downstream hook (i.e.
> > filtering incoming traffic and circularly feeding non-matching frames back
> > into the ETF's own filter).  I'm not doing this.  I am feeding non-matching
> > packets into the *lower* hook of another ether node and not back into the
> > *downstream* hook of the etf node I am creating.  As a result, my netgraph
>
> Ah, sorry, I was reading your setup too quickly and missed that em0|em1
> detail.
> Since I'm no netgraph expert and also no kernel hacker due to C skills,
> and on top I don't have any ng_etf experience, I'm out at this point
> unfortunately.  I just remembered the shell quoting issue I had once
> myself and thought this would be an easy one ;-)
>
> I _think_ it's not possible to redirect the packets that way with
> ng_etf.  You'd need at least to add the third hook to ng_etf.  In the
> manpage, it's a user land hook.
> Have you tried if
> ngctl connect em1: lan_filter: lower mydrain
> works?
> If so, your "setfilter" message might also work.
> I think the missing third hook is the key to your solution – while I
> don't know your intention, but I guess you want to get specific
> type-tagged frames being transmitted on a dedicated interface.
>
> Please see
> http://www.netbsd.org/gallery/presentations/ast/2012_AsiaBSDCon/Tutorial_NETGRAPH.pdf
> on page 32+33.  That example corresponds to the man page.
>
> Hope that helps,
>
> -harry
>
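As an added example, not part of this thread and not taken from the ng_etf(4) man page: a dry-run shell generator for the three-hook ng_etf layout Harry refers to (downstream, nomatch, plus one named match hook), assuming ngctl, ng_etf, ng_ether and ng_hole behave as their FreeBSD man pages document. The node name lan_filter, the match hook name dropped and the ethertype 0x86dd (IPv6) are illustrative choices, not values from the thread. With NGCTL unset it only prints the commands, so the graph can be reviewed before it is applied on a router; matched frames are discarded by an ng_hole, and every other frame continues through the interface's upper hook into the IP stack, which is where pf sees it. The match hook is created before the setfilter message is sent, because (as Eugene's first point in the thread says) setfilter returns ENOENT when the named hook does not yet exist.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for an ng_etf
# layer-2 filter graph on one interface.  Assumptions: ngctl/ng_etf/
# ng_ether/ng_hole semantics as in their FreeBSD man pages; the names
# lan_filter, dropped and blackhole below are illustrative.
#
# Topology built:
#   wire -> IFACE:lower -> NAME:downstream -> ethertype match?
#             yes -> NAME:dropped -> ng_hole (frame discarded)
#             no  -> NAME:nomatch -> IFACE:upper -> IP stack (pf)
#   Frames sent by the stack arrive on nomatch and are forwarded to
#   downstream, i.e. out of the interface, unfiltered.

# Set NGCTL=ngctl on a FreeBSD box to apply; the default only prints.
NGCTL="${NGCTL:-echo ngctl}"

# etf_graph IFACE NAME ETHERTYPE
#   IFACE     ng_ether node of the interface (e.g. em1)
#   NAME      name given to the new ng_etf node
#   ETHERTYPE frame type to divert, e.g. 0x86dd for IPv6
etf_graph() {
    iface="$1"; name="$2"; etype="$3"

    # Insert the etf node between the interface's lower and upper hooks.
    $NGCTL mkpeer "${iface}:" etf lower downstream
    $NGCTL name "${iface}:lower" "$name"
    $NGCTL connect "${iface}:" "${name}:" upper nomatch

    # Create the match hook and its ng_hole peer BEFORE referencing it in
    # setfilter; ng_etf answers ENOENT for a hook that does not exist.
    $NGCTL mkpeer "${name}:" hole dropped in

    # Send the filter as one argument so the shell keeps braces and quotes.
    $NGCTL msg "${name}:" setfilter "{ matchhook=\"dropped\" ethertype=${etype} }"
}

# Stand-alone use: ./etf_graph.sh [iface] [node-name] [ethertype]
etf_graph "${1:-em1}" "${2:-lan_filter}" "${3:-0x86dd}"
```

Run it once without NGCTL to read the five ngctl lines it would issue, then again with NGCTL=ngctl on the router. Because the frames that reach pf are exactly those that left the etf node through nomatch, the layer-2 decision is made before any layer-3/4 rule runs, and the ng_hole branch is where a dropped frame type can be counted or replaced by an ng_tee for inspection.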


More information about the freebsd-net mailing list