ng_tag.4 (159979) | ng_tag.4 (160050) |
---|---|
1.\" Copyright (c) 2006 Vadim Goncharov <vadimnuclight@tpu.ru> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 8 unchanged lines hidden (view full) --- 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" | 1.\" Copyright (c) 2006 Vadim Goncharov <vadimnuclight@tpu.ru> 2.\" All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. --- 8 unchanged lines hidden (view full) --- 17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23.\" SUCH DAMAGE. 24.\" |
25.\" $FreeBSD: head/share/man/man4/ng_tag.4 159979 2006-06-27 12:45:28Z glebius $ | 25.\" $FreeBSD: head/share/man/man4/ng_tag.4 160050 2006-06-30 11:35:35Z ru $ |
26.\" 27.Dd June 10, 2006 | 26.\" 27.Dd June 10, 2006 |
28.Dt NG_TAG 4 |
|
28.Os 29.Sh NAME 30.Nm ng_tag 31.Nd "mbuf tags manipulating netgraph node type" 32.Sh SYNOPSIS 33.In netgraph/ng_tag.h 34.Sh DESCRIPTION 35The --- 176 unchanged lines hidden (view full) --- 212.Dv NGM_SHUTDOWN 213control message, or when all hooks have been disconnected. 214.Sh EXAMPLES 215It is possible to do a simple L7 filtering by using 216.Xr ipfw 8 217tags in conjunction with 218.Xr ng_bpf 4 219traffic analyzer. | 29.Os 30.Sh NAME 31.Nm ng_tag 32.Nd "mbuf tags manipulating netgraph node type" 33.Sh SYNOPSIS 34.In netgraph/ng_tag.h 35.Sh DESCRIPTION 36The --- 176 unchanged lines hidden (view full) --- 213.Dv NGM_SHUTDOWN 214control message, or when all hooks have been disconnected. 215.Sh EXAMPLES 216It is possible to do a simple L7 filtering by using 217.Xr ipfw 8 218tags in conjunction with 219.Xr ng_bpf 4 220traffic analyzer. |
220Let us suppose we need to filter DirectConnect P2P network data traffic, | 221Example below explains how to filter DirectConnect P2P network data traffic, |
221which cannot be done by usual means as it uses random ports. 222It is known that such data connection always contains a TCP packet with 2236-byte payload string "$Send|". | 222which cannot be done by usual means as it uses random ports. 223It is known that such data connection always contains a TCP packet with 2246-byte payload string "$Send|". |
224So we will use ipfw's | 225So ipfw's |
225.Cm netgraph | 226.Cm netgraph |
226action to divert all TCP packets to an | 227action will be used to divert all TCP packets to an |
227.Xr ng_bpf 4 228node which will check for the specified string and return non-matching 229packets to 230.Xr ipfw 8 . 231Matching packets are passed to 232.Xr ng_tag 4 233node, which will set a tag and pass them back to 234.Xr ng_bpf 4 235node on a hook programmed to accept all packets and pass them back to 236.Xr ipfw 8 . | 228.Xr ng_bpf 4 229node which will check for the specified string and return non-matching 230packets to 231.Xr ipfw 8 . 232Matching packets are passed to 233.Xr ng_tag 4 234node, which will set a tag and pass them back to 235.Xr ng_bpf 4 236node on a hook programmed to accept all packets and pass them back to 237.Xr ipfw 8 . |
237We will use a script provided in | 238A script provided in |
238.Xr ng_bpf 4 | 239.Xr ng_bpf 4 |
239manual page for programming node. | 240manual page will be used for programming node. |
240Note that packets diverted from 241.Xr ipfw 8 242to Netgraph have no link-level header, so offsets in 243.Xr tcpdump 1 244expressions must be altered accordingly. | 241Note that packets diverted from 242.Xr ipfw 8 243to Netgraph have no link-level header, so offsets in 244.Xr tcpdump 1 245expressions must be altered accordingly. |
245Thus, we will have expression | 246Thus, there will be expression |
246.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20" | 247.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20" |
247on incoming from hook and empty expression to match all packets from | 248on incoming hook and empty expression to match all packets from |
248.Xr ng_tag 4 . 249.Pp 250So, this is 251.Xr ngctl 8 252script for nodes creating and naming for easier access: 253.Bd -literal -offset 4n 254/usr/sbin/ngctl -f- <<-SEQ 255 mkpeer ipfw: bpf 41 ipfw --- 37 unchanged lines hidden (view full) --- 293hook with an empty expression: 294.Bd -literal -offset 4n 295ngctl msg dcbpf: setprogram { thisHook=\e"matched\e" ifMatch=\e"ipfw\e" \e 296 bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] } 297.Ed 298.Pp 299After finishing with 300.Xr netgraph 4 | 249.Xr ng_tag 4 . 250.Pp 251So, this is 252.Xr ngctl 8 253script for nodes creating and naming for easier access: 254.Bd -literal -offset 4n 255/usr/sbin/ngctl -f- <<-SEQ 256 mkpeer ipfw: bpf 41 ipfw --- 37 unchanged lines hidden (view full) --- 294hook with an empty expression: 295.Bd -literal -offset 4n 296ngctl msg dcbpf: setprogram { thisHook=\e"matched\e" ifMatch=\e"ipfw\e" \e 297 bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] } 298.Ed 299.Pp 300After finishing with 301.Xr netgraph 4 |
301nodes, add | 302nodes, |
302.Xr ipfw 8 | 303.Xr ipfw 8 |
303rules to enable packet flow: | 304rules must be added to enable packet flow: |
304.Bd -literal -offset 4n 305ipfw add 100 netgraph 41 tcp from any to any iplen 46 306ipfw add 110 reset tcp from any to any tagged 412 307.Ed 308.Pp | 305.Bd -literal -offset 4n 306ipfw add 100 netgraph 41 tcp from any to any iplen 46 307ipfw add 110 reset tcp from any to any tagged 412 308.Ed 309.Pp |
309Note: you should ensure that packets are returned to ipfw after processing | 310Note: one should ensure that packets are returned to ipfw after processing |
310inside 311.Xr netgraph 4 , 312by setting appropriate 313.Xr sysctl 8 314variable: 315.Bd -literal -offset 4n 316sysctl net.inet.ip.fw.one_pass=0 317.Ed --- 20 unchanged lines hidden --- | 311inside 312.Xr netgraph 4 , 313by setting appropriate 314.Xr sysctl 8 315variable: 316.Bd -literal -offset 4n 317sysctl net.inet.ip.fw.one_pass=0 318.Ed --- 20 unchanged lines hidden --- |
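Review bot: the `.Dt NG_TAG 4` line added at line 28 of the new column fixes a real omission in the old prologue, which went straight from `.Dd June 10, 2006` to `.Os` and `.Sh NAME`; mdoc(7) requires the `.Dd`, `.Dt`, `.Os` trio in that order, and without `.Dt` the page has no title or section number for the header line or for tools that index manual pages by section. Everything after it in this region is just the resulting renumbering of the following lines.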
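Review bot: the move away from first person in the EXAMPLES section ("we will use" to "will be used") is the right direction for a FreeBSD manual page, but two of the rewritten sentences still want an article or a restructure: "Example below explains how to filter" at line 221 should read "The example below explains how to filter", and "Thus, there will be expression ... on incoming hook" at lines 246 to 248 reads more naturally as "Thus, the expression ... is used on the incoming hook"; "for programming node" at line 240 also wants "the" in both columns. More importantly, the hex constants in the bpf expression at line 246/247 do not agree with the prose on either side of the diff: `ether[40:2]=0x244c && ether[42:4]=0x6f636b20` decodes to the ASCII bytes 0x24 0x4c 0x6f 0x63 0x6b 0x20, i.e. "$Lock ", while lines 222 to 224 say the marker is the 6-byte string "$Send|", which would encode as `ether[40:2]=0x2453 && ether[42:4]=0x656e647c`. The offsets themselves are consistent (40 = 20-byte IP header + 20-byte TCP header, with no link-level header on packets diverted from ipfw), so only the literal needs reconciling, whichever of the two strings is actually intended.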
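Review bot: the sysctl note at lines 310 to 318 is the operationally important part of this example and would be better placed before the ipfw rules at lines 305 to 308 rather than as an afterthought: with `net.inet.ip.fw.one_pass` left at its default of 1, a packet returning from the ng_ipfw(4) node is accepted as soon as it comes back, so rule 110 (`reset tcp from any to any tagged 412`) is never evaluated and the whole filter silently does nothing. The wording change itself ("you should ensure" to "one should ensure") is fine; "by setting appropriate sysctl variable" at lines 313 to 315 should read "by setting the appropriate sysctl variable".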