1.\" Copyright (c) 2006 Vadim Goncharov <vadimnuclight@tpu.ru>
2.\" All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\" notice, this list of conditions and the following disclaimer.

--- 8 unchanged lines hidden (view full) ---

17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.\" $FreeBSD: head/share/man/man4/ng_tag.4 159979 2006-06-27 12:45:28Z glebius $
25.\" $FreeBSD: head/share/man/man4/ng_tag.4 160050 2006-06-30 11:35:35Z ru $
26.\"
27.Dd June 10, 2006
28.Dt NG_TAG 4
29.Os
30.Sh NAME
31.Nm ng_tag
32.Nd "mbuf tags manipulating netgraph node type"
33.Sh SYNOPSIS
34.In netgraph/ng_tag.h
35.Sh DESCRIPTION
36The

--- 176 unchanged lines hidden (view full) ---

213.Dv NGM_SHUTDOWN
214control message, or when all hooks have been disconnected.
215.Sh EXAMPLES
216It is possible to do a simple L7 filtering by using
217.Xr ipfw 8
218tags in conjunction with
219.Xr ng_bpf 4
220traffic analyzer.
220Let us suppose we need to filter DirectConnect P2P network data traffic,
221Example below explains how to filter DirectConnect P2P network data traffic,
222which cannot be done by usual means as it uses random ports.
223It is known that such data connection always contains a TCP packet with
2246-byte payload string "$Send|".
224So we will use ipfw's
225So ipfw's
226.Cm netgraph
226action to divert all TCP packets to an
227action will be used to divert all TCP packets to an
228.Xr ng_bpf 4
229node which will check for the specified string and return non-matching
230packets to
231.Xr ipfw 8 .
232Matching packets are passed to
233.Xr ng_tag 4
234node, which will set a tag and pass them back to
235.Xr ng_bpf 4
236node on a hook programmed to accept all packets and pass them back to
237.Xr ipfw 8 .
237We will use a script provided in
238A script provided in
239.Xr ng_bpf 4
239manual page for programming node.
240manual page will be used for programming node.
241Note that packets diverted from
242.Xr ipfw 8
243to Netgraph have no link-level header, so offsets in
244.Xr tcpdump 1
245expressions must be altered accordingly.
245Thus, we will have expression
246Thus, there will be expression
247.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20"
247on incoming from hook and empty expression to match all packets from
248on incoming hook and empty expression to match all packets from
249.Xr ng_tag 4 .
250.Pp
251So, this is
252.Xr ngctl 8
253script for nodes creating and naming for easier access:
254.Bd -literal -offset 4n
255/usr/sbin/ngctl -f- <<-SEQ
256 mkpeer ipfw: bpf 41 ipfw
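Review bot: the BPF expression on the `.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20"` line does not encode the string the text names a few lines earlier: the bytes 0x24 0x4c 0x6f 0x63 0x6b 0x20 spell "$Lock ", while the text says the data connection is identified by the 6-byte payload "$Send|" (which would be 0x24 0x53 0x65 0x6e 0x64 0x7c). Either the quoted string or the expression should be corrected while this wording is being touched, otherwise a reader who follows the example programs a filter that never matches the packet the text describes. The offsets are fine (with no link-level header, offset 40 is the 20-byte IP header plus the 20-byte TCP header), and the `iplen 46` rule in the next hunk agrees with a 6-byte payload, so only the byte values need attention. Minor, on the new impersonal wording: "Example below explains" and "for programming node" drop their articles; "The example below explains" and "for programming the node" read better.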

--- 37 unchanged lines hidden (view full) ---

294hook with an empty expression:
295.Bd -literal -offset 4n
296ngctl msg dcbpf: setprogram { thisHook=\e"matched\e" ifMatch=\e"ipfw\e" \e
297 bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }
298.Ed
299.Pp
300After finishing with
301.Xr netgraph 4
301nodes, add
302nodes,
303.Xr ipfw 8
303rules to enable packet flow:
304rules must be added to enable packet flow:
305.Bd -literal -offset 4n
306ipfw add 100 netgraph 41 tcp from any to any iplen 46
307ipfw add 110 reset tcp from any to any tagged 412
308.Ed
309.Pp
309Note: you should ensure that packets are returned to ipfw after processing
310Note: one should ensure that packets are returned to ipfw after processing
311inside
312.Xr netgraph 4 ,
313by setting appropriate
314.Xr sysctl 8
315variable:
316.Bd -literal -offset 4n
317sysctl net.inet.ip.fw.one_pass=0
318.Ed
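Review bot: the `net.inet.ip.fw.one_pass=0` prerequisite is stated only after the rules that depend on it. As the Note itself says, without that setting packets returned from the netgraph node are not re-evaluated by ipfw(8), so rule 110 (`reset tcp from any to any tagged 412`) never sees a tagged packet and the example silently does nothing; consider moving the sysctl(8) paragraph ahead of the `ipfw add` block, or adding one sentence before the rules stating that they are ineffective until one_pass is cleared. A second sentence worth adding near rule 100: `iplen 46` matches only when both the IP and TCP headers carry no options (20 + 20 + 6 bytes), so the documented filter covers just the option-free form of the segment, which readers should know when judging its coverage.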

--- 20 unchanged lines hidden ---