osdir.com
mailing list archive

Subject: [patch] ipfw packet tagging - msg#00016

List: os.freebsd.devel.ipfw

Hi, All!

I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

Tested on a 5.5-PRERELEASE production server with moderate
load - rock stable [I've also looked through the code - the patch
is small, so there simply can't be any bugs in it ;)].

Personally I very much like the idea from Andrey's original letter
about the possibility of making a netgraph(4) node able to mark
packets: this is a potential ability to build a fast (in-kernel)
level 7 firewall / traffic filter without the need to fully duplicate
the entire TCP/IP stack in this marking node - that's ipfw's work.

For example, rules can look like this:

# node marks traffic as good or bad based on first packets in the flow
node=300
good=1
bad=2

check-state # here most sorted traffic goes
netgraph $node all from any to any # divert unmarked traffic to node
deny all from any to any tagged $bad
allow all from any to any tagged $good keep-state

--
WBR, Vadim Goncharov
_______________________________________________
freebsd-net@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net-unsubscribe@xxxxxxxxxxx"
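A constructed model of the ruleset in the post above (added here; not code from the post, from ipfw, or from the tag/tagged patch): it walks packets through check-state, the marking node, and the tagged rules with first-match semantics, and shows that the node classifies a good flow once but a denied flow on every packet, since deny creates no state. It assumes net.inet.ip.fw.one_pass=0 (the packet re-enters after the netgraph rule) and stands in for the hypothetical node with a constructed payload heuristic.

```python
# Constructed model of the ruleset above (check-state / netgraph $node /
# deny tagged $bad / allow tagged $good keep-state); not ipfw or patch code.
# Assumption: net.inet.ip.fw.one_pass=0, so a packet handed to the node
# re-enters ipfw at the rule following the 'netgraph' one.
from dataclasses import dataclass, field

GOOD, BAD = 1, 2                       # tag numbers from the post's ruleset

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    tags: set = field(default_factory=set)

def marking_node(pkt):
    """Stand-in for the hypothetical netgraph marking node. Constructed
    heuristic: a payload starting with b'BAD:' is tagged bad, else good."""
    pkt.tags.add(BAD if pkt.payload.startswith(b"BAD:") else GOOD)
    return pkt

class Ipfw:
    def __init__(self):
        self.dyn = set()                # keep-state entries, keyed by (src, dst)
        self.node_hits = 0              # how often the node had to classify

    def has_state(self, pkt):
        # a keep-state entry matches both directions of the flow
        return (pkt.src, pkt.dst) in self.dyn or (pkt.dst, pkt.src) in self.dyn

    def process(self, pkt):
        if self.has_state(pkt):         # check-state: sorted traffic stops here
            return "allow"
        self.node_hits += 1             # netgraph $node: classify, then continue
        pkt = marking_node(pkt)
        if BAD in pkt.tags:             # deny all from any to any tagged $bad
            return "deny"               # no state, so every bad packet hits the node
        if GOOD in pkt.tags:            # allow ... tagged $good keep-state
            self.dyn.add((pkt.src, pkt.dst))
            return "allow"
        return "deny"                   # untagged: default rule, assumed to deny

def run(fw, pkts):
    """Process packets in order and return the verdict for each."""
    return [fw.process(p) for p in pkts]

if __name__ == "__main__":             # constructed sample traffic
    fw = Ipfw()
    print(run(fw, [Packet("10.0.0.1", "10.0.0.2", b"hi"),
                   Packet("10.0.0.2", "10.0.0.1", b"re"),
                   Packet("10.0.0.3", "10.0.0.2", b"BAD:x")]), fw.node_hits)
```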




Previous message in thread:

[patch] ipfw packet tagging

Hi, All!

I have written a small patch for packet tagging with ipfw. The
description of OpenBSD packet tagging is here:
http://www.openbsd.org/faq/pf/tagging.html

IPFW tags are not compatible with PF tags. This feature can be usable
with some netgraph modules. We can create a netgraph node that marks
packets with some tags and use this node with other nodes. IPFW can
detect and filter packets with tags. Also we can mark packets before
NAT and detect tagged packets after translation. NAT based on divert
sockets does not allow this, but I think ng_nat can.

Patches can be found here:
http://butcher.heavennet.ru/patches/kernel/ipfw_tags/

--
WBR, Andrey V. Elsukov

Next message in thread:

Re: [patch] ipfw packet tagging

Vadim Goncharov wrote:
> Hi, All!
> I've tried Andrey Elsukov's ipfw "tag/tagged" patches from:
> http://butcher.heavennet.ru/patches/kernel/ipfw_tags/
> Tested on 5.5-PRERELEASE production server with moderate load - rock
> stable [I've also looked through the code - patch is small, so it
> simply can't be any bugs there ;)].
> Personally I very like the idea from original Andrey's letter

I have tested on 6.1 and it works fine too. Hope it gets committed.
Very useful for altq/dummynet flexibility too.

--
Patrick Tracanelli