12.06.06 @ 10:12 Ganbold wrote:

Vadim Goncharov wrote:
Hello All!

I wrote new netgraph(4) node, called ng_tag, able to match packets by
their mbuf_tags(9) and assign new tags to mbufs. This can be used for
many things in the kernel network subsystem, but particularly useful
with recently added ipfw(8) tag/tagged functionality (will be MFCed to
RELENG_6 after Jun 24).

With this node, in conjunction with ng_bpf(4), I was able to match and block (perhaps shaping is also possible, but this relies solely on ipfw) DirectConnect P2P data connection traffic - you know, they're using random ports, so you can't match them with usual firewall rules and must check the data payload contents of the packets. See the man page for an example of how to do this.

Download files from here: http://antigreen.org/vadim/freebsd/ng_tag/
Then do:

  make
  kldload ./ng_tag.ko

Man page can be viewed as:

  cat ng_tag.4 | /usr/bin/tbl | /usr/bin/groff -S -Wall -mtty-char \
    -man -Tascii | /usr/bin/col | more -s

Please especially test tags with non-zero tag_len, if you can (though it's not needed for ipfw).

P.S. BTW, what is the correct subject prefix for new contributions? I think
[PATCH] is not correct as these are new files, not a patch :)
You mentioned the L7 filtering possibility; is it possible to filter Skype, MSN and Yahoo Messenger traffic using ng_tag?

No. True L7 filtering requires complete flow analysis (especially for Skype), and in the kernel we can only do per-packet analysis - but that's enough for simple things, like most P2P networks.

If you could add some examples of how to block the above, that would be great. This is just my thought.

No. The man page is an example of using the ng_tag node only, and creating matching patterns for other nodes is another great topic.

--
WBR, Vadim Goncharov
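The processing chain described in the announcement (ng_bpf(4) matches a payload pattern, ng_tag attaches an mbuf tag, ipfw's `tagged` keyword acts on it) and the per-packet limitation Vadim points out in his reply can both be modelled in user space. The following is an added Python model, not Vadim's code and not the ng_tag node's real control-message API: the tag cookie and tag id are constructed values, and the payload signature assumed for the ng_bpf stage is the NMDC client-client handshake prefix (`$MyNick `, `$Lock `). The third sample packet shows why per-packet matching cannot replace flow analysis: the same handshake split across two TCP segments is not caught by a rule that only looks at the start of each packet.

```python
from dataclasses import dataclass, field

# Constructed values for this simulation: a hypothetical netgraph tag cookie and the
# ipfw tag number that an "ipfw add deny ... tagged 412" rule would test.
# Not ipfw's or ng_tag's real constants.
NG_TAG_COOKIE = 0x4E475441
DC_TAG_ID = 412


@dataclass
class Packet:
    """Stand-in for an mbuf: addresses, TCP payload and an mbuf_tags(9)-style tag list."""
    src: str
    dst: str
    payload: bytes
    tags: list = field(default_factory=list)


def bpf_match_dc(payload: bytes) -> bool:
    """Model of the ng_bpf(4) hook: a stateless, per-packet payload check.
    Assumed signature: the NMDC client-client handshake starts with "$MyNick " or "$Lock "."""
    return payload.startswith(b"$MyNick ") or payload.startswith(b"$Lock ")


def ng_tag_apply(pkt: Packet, matched: bool) -> Packet:
    """Model of the ng_tag stage: attach a (cookie, id, data) tag when the bpf hook matched."""
    if matched:
        pkt.tags.append((NG_TAG_COOKIE, DC_TAG_ID, b""))
    return pkt


def ipfw_tagged(pkt: Packet, tag_id: int) -> bool:
    """Model of the ipfw 'tagged N' match: true if any tag on the mbuf carries that id."""
    return any(tid == tag_id for _, tid, _ in pkt.tags)


def firewall(pkt: Packet) -> str:
    """Drive one packet through ng_bpf -> ng_tag -> ipfw and return the verdict."""
    ng_tag_apply(pkt, bpf_match_dc(pkt.payload))
    return "deny" if ipfw_tagged(pkt, DC_TAG_ID) else "allow"


# Constructed sample traffic: a DC handshake in one segment, plain HTTP, and the
# same handshake with "$MyNick " already consumed by an earlier segment.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.0.9", b"$MyNick alice|$Lock EXTENDEDPROTOCOL_example Pk=ref|"),
    Packet("10.0.0.5", "10.0.0.9", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Packet("10.0.0.5", "10.0.0.9", b"alice|$Lock EXTENDEDPROTOCOL_example Pk=ref|"),
]


def classify_all(packets=SAMPLE_PACKETS) -> list:
    """Return the verdict for each packet, in order."""
    return [firewall(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, classify_all()):
        print(f"{verdict:5s} tags={pkt.tags} payload={pkt.payload[:24]!r}")
```

Only the first packet is tagged and denied; the second is unrelated traffic and the third is the split handshake that slips past a per-packet check, which is the limitation the reply above describes.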
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
