Re: ng_netflow: testers are welcome
From: Gleb Smirnoff (glebius_at_cell.sick.ru)
Date: 03/10/04
- Previous message: Artyom V. Viklenko: "Re: ping from jail (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 10 Mar 2004 22:16:57 +0300 To: Julian Elischer <julian@elischer.org>
On Mon, Feb 23, 2004 at 03:47:55PM -0800, Julian Elischer wrote:
J> > All I've need - just create ksocket with inet/rawip/divert hook connected to
J> > ng_netflow iface0 hook (mkpeer netflow: ksocket iface0 inet/raw/divert),
J> > then "msg netflow: setdlt { iface=0 dlt=12 }" (Raw ip instead of ethernet),
J> > then "msg divert: bind inet/0.0.0.0:8888". And after all add ipfw rule "tee
J> > 8888 ip from any to any in"(One may need "via $oif") instead of final allow
J> > (or, better, before it).
<==skip==>
J> This used to work but I have not tried it for some time
J> and it may have been broken in ipfw2, as I never tested it..
J> natd is supposed to do this.. Since you can not do a "sendto()"
J> in netgraph, you have to have done a "connect" on the socket
J> to set the port number ahead of time..
J>
J> Other things are also in the sockaddr..
J> in the 8 "unused" bytes of the sockaddr we "hide" the incoming interface
J> name (for example) netgraph cannot change that but it should not need
J> this as it has the actual mbufs and can just set th eiface pointer in
J> the packet header.. (assuming divert doesn't clear it..
J> once again, you'll need to look at the code).
I have finally tried this out on CURRENT. Everything works fine as expected:
ng_ksocket in divert mode reinjects packets back into the proper firewall
rule, netflow collects info about demasqueraded IPs... OK.
Here is my config:
netgraph:
mkpeer tee dummy right2left
name .:dummy divert_tee_in
mkpeer divert_tee_in: echo right echo
mkpeer divert_tee_in: ksocket left inet/raw/divert
name divert_tee_in:left divert_sock_in
msg divert_sock_in: bind inet/0.0.0.0:8669
disconnect dummy
mkpeer divert_tee_in: netflow left2right iface0
name divert_tee_in:left2right netflow
msg netflow: setdlt { iface=0 dlt=12 }
msg netflow: setifindex { iface=0 index=6 }
mkpeer netflow: ksocket export inet/dgram/udp
msg netflow:export connect inet/127.0.0.1:4444
ipfw:
00200 divert 8668 ip from any to any in via ${nat_if}
00201 divert 8669 ip from any to any in via ${nat_if}
.... some other stuff
00600 divert 8668 ip from any to any out via ${nat_if}
-- Totus tuus, Glebius. GLEBIUS-RIPN GLEB-RIPE _______________________________________________ freebsd-isp@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-isp To unsubscribe, send any mail to "freebsd-isp-unsubscribe@freebsd.org"
- Previous message: Artyom V. Viklenko: "Re: ping from jail (fwd)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
