Compared revisions: old (159979), new (160050)
1.\" Copyright (c) 2006 Vadim Goncharov <vadimnuclight@tpu.ru>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden ---

17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD: head/share/man/man4/ng_tag.4 159979 2006-06-27 12:45:28Z glebius $
26.\"
27.Dd June 10, 2006
28.Os
29.Sh NAME
30.Nm ng_tag
31.Nd "mbuf tags manipulating netgraph node type"
32.Sh SYNOPSIS
33.In netgraph/ng_tag.h
34.Sh DESCRIPTION
35The
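Review bot: the .Dd line still reads June 10, 2006 while the $FreeBSD$ keyword shows revision 159979 from June 27; if this revision changes the page text rather than only the expanded keyword, .Dd should be bumped to the date of the change, since mdoc convention expects the document date to track content edits.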

--- 176 unchanged lines hidden ---

212.Dv NGM_SHUTDOWN
213control message, or when all hooks have been disconnected.
214.Sh EXAMPLES
215It is possible to do a simple L7 filtering by using
216.Xr ipfw 8
217tags in conjunction with
218.Xr ng_bpf 4
219traffic analyzer.
220Let us suppose we need to filter DirectConnect P2P network data traffic,
221which cannot be done by usual means as it uses random ports.
222It is known that such data connection always contains a TCP packet with
2236-byte payload string "$Send|".
224So we will use ipfw's
225.Cm netgraph
226action to divert all TCP packets to an
227.Xr ng_bpf 4
228node which will check for the specified string and return non-matching
229packets to
230.Xr ipfw 8 .
231Matching packets are passed to
232.Xr ng_tag 4
233node, which will set a tag and pass them back to
234.Xr ng_bpf 4
235node on a hook programmed to accept all packets and pass them back to
236.Xr ipfw 8 .
237We will use a script provided in
238.Xr ng_bpf 4
239manual page for programming node.
240Note that packets diverted from
241.Xr ipfw 8
242to Netgraph have no link-level header, so offsets in
243.Xr tcpdump 1
244expressions must be altered accordingly.
245Thus, we will have expression
246.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20"
247on incoming from hook and empty expression to match all packets from
248.Xr ng_tag 4 .
249.Pp
250So, this is
251.Xr ngctl 8
252script for nodes creating and naming for easier access:
253.Bd -literal -offset 4n
254/usr/sbin/ngctl -f- <<-SEQ
255 mkpeer ipfw: bpf 41 ipfw
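Review bot: the BPF expression quoted with .Dq Li does not match the string the prose names. 0x244c and 0x6f636b20 decode to the ASCII bytes "$L" and "ock ", i.e. "$Lock ", whereas the sentence two paragraphs earlier says the data connection is identified by the 6-byte payload "$Send|", which would be 0x2453 followed by 0x656e647c. Either the prose or the expression should be corrected so the two agree; as written, a reader following the example programs ng_bpf to tag a different packet than the one the text describes.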

--- 37 unchanged lines hidden ---

293hook with an empty expression:
294.Bd -literal -offset 4n
295ngctl msg dcbpf: setprogram { thisHook=\e"matched\e" ifMatch=\e"ipfw\e" \e
296 bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }
297.Ed
298.Pp
299After finishing with
300.Xr netgraph 4
301nodes, add
302.Xr ipfw 8
303rules to enable packet flow:
304.Bd -literal -offset 4n
305ipfw add 100 netgraph 41 tcp from any to any iplen 46
306ipfw add 110 reset tcp from any to any tagged 412
307.Ed
308.Pp
309Note: you should ensure that packets are returned to ipfw after processing
310inside
311.Xr netgraph 4 ,
312by setting appropriate
313.Xr sysctl 8
314variable:
315.Bd -literal -offset 4n
316sysctl net.inet.ip.fw.one_pass=0
317.Ed
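Review bot: the rule `ipfw add 100 netgraph 41 tcp from any to any iplen 46` only diverts packets whose total IP length is exactly 46, i.e. a 20-byte IPv4 header, a 20-byte TCP header and the 6-byte payload, and the fixed payload offset 40 used in the bpf expression (ether[40:2], ether[42:4]) makes the same assumption. A segment carrying TCP options (the TCP header is then longer than 20 bytes) or IP options is neither diverted nor matched, so the example should state that it assumes option-free headers; otherwise a reader may not understand why some sessions pass the filter and are never reset by rule 110.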

--- 20 unchanged lines hidden ---