Gleb committed an intermediary version, commit the right one now.

Submitted by:	Vadim Goncharov
ru 2006-06-30 11:35:35 +00:00
parent 7adc3589c2
commit 671ef276e8


@ -25,6 +25,7 @@
.\" $FreeBSD$ .\" $FreeBSD$
.\" .\"
.Dd June 10, 2006 .Dd June 10, 2006
.Dt NG_TAG 4
.Os .Os
.Sh NAME .Sh NAME
.Nm ng_tag .Nm ng_tag
@ -217,13 +218,13 @@ It is possible to do a simple L7 filtering by using
tags in conjunction with tags in conjunction with
.Xr ng_bpf 4 .Xr ng_bpf 4
traffic analyzer. traffic analyzer.
Let us suppose we need to filter DirectConnect P2P network data traffic, Example below explains how to filter DirectConnect P2P network data traffic,
which cannot be done by usual means as it uses random ports. which cannot be done by usual means as it uses random ports.
It is known that such data connection always contains a TCP packet with It is known that such data connection always contains a TCP packet with
6-byte payload string "$Send|". 6-byte payload string "$Send|".
So we will use ipfw's So ipfw's
.Cm netgraph .Cm netgraph
action to divert all TCP packets to an action will be used to divert all TCP packets to an
.Xr ng_bpf 4 .Xr ng_bpf 4
node which will check for the specified string and return non-matching node which will check for the specified string and return non-matching
packets to packets to
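Review bot: The reworded opening sentence drops its article: "Example below explains how to filter DirectConnect P2P network data traffic" should read "The example below explains how to filter DirectConnect P2P network data traffic". The move from "we will use" to the impersonal "ipfw's .Cm netgraph action will be used" is consistent with the rest of the change and otherwise reads fine.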
@ -234,17 +235,17 @@ node, which will set a tag and pass them back to
.Xr ng_bpf 4 .Xr ng_bpf 4
node on a hook programmed to accept all packets and pass them back to node on a hook programmed to accept all packets and pass them back to
.Xr ipfw 8 . .Xr ipfw 8 .
We will use a script provided in A script provided in
.Xr ng_bpf 4 .Xr ng_bpf 4
manual page for programming node. manual page will be used for programming node.
Note that packets diverted from Note that packets diverted from
.Xr ipfw 8 .Xr ipfw 8
to Netgraph have no link-level header, so offsets in to Netgraph have no link-level header, so offsets in
.Xr tcpdump 1 .Xr tcpdump 1
expressions must be altered accordingly. expressions must be altered accordingly.
Thus, we will have expression Thus, there will be expression
.Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20" .Dq Li "ether[40:2]=0x244c && ether[42:4]=0x6f636b20"
on incoming from hook and empty expression to match all packets from on incoming hook and empty expression to match all packets from
.Xr ng_tag 4 . .Xr ng_tag 4 .
.Pp .Pp
So, this is So, this is
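Review bot: The tcpdump expression on the rewritten lines, `ether[40:2]=0x244c && ether[42:4]=0x6f636b20`, decodes to the ASCII bytes "$Lock " (0x24 0x4c 0x6f 0x63 0x6b 0x20), not to the "$Send|" string the preceding paragraph says the node is checking for (that would be 0x2453 followed by 0x656e647c); either the prose or the expression should change so the example is self-consistent. Separately, the rewording needs its articles: "A script provided in the ng_bpf(4) manual page will be used for programming the node", and "Thus, there will be expression ... on incoming hook" is awkward; "Thus, the expression ... is used on the incoming hook, and an empty expression to match all packets from ng_tag(4)" is clearer.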
@ -298,15 +299,15 @@ ngctl msg dcbpf: setprogram { thisHook=\e"matched\e" ifMatch=\e"ipfw\e" \e
.Pp .Pp
After finishing with After finishing with
.Xr netgraph 4 .Xr netgraph 4
nodes, add nodes,
.Xr ipfw 8 .Xr ipfw 8
rules to enable packet flow: rules must be added to enable packet flow:
.Bd -literal -offset 4n .Bd -literal -offset 4n
ipfw add 100 netgraph 41 tcp from any to any iplen 46 ipfw add 100 netgraph 41 tcp from any to any iplen 46
ipfw add 110 reset tcp from any to any tagged 412 ipfw add 110 reset tcp from any to any tagged 412
.Ed .Ed
.Pp .Pp
Note: you should ensure that packets are returned to ipfw after processing Note: one should ensure that packets are returned to ipfw after processing
inside inside
.Xr netgraph 4 , .Xr netgraph 4 ,
by setting appropriate by setting appropriate
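Review bot: The `iplen 46` in rule 100 is an unexplained magic number: it is a 20-byte IPv4 header plus a 20-byte TCP header plus the 6-byte payload, so this rule (and the ether[40:...] offsets in the bpf expression above) only matches segments carrying no IP or TCP options, and a segment with options would silently bypass the filter. One sentence stating that assumption next to the rule would help anyone adapting the example. Minor: "one should ensure that packets are returned to ipfw" reads stiffly; "ensure that packets are returned to ipfw after processing" is enough.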