ng_tag - mbuf tags manipulating netgraph node type
Each node allows an arbitrary number of connections to arbitrarily named hooks. With each hook is associated a tag which will be searched in the list of all tags attached to a packet incoming to this hook, a destination hook for matching packets, a destination hook for non-matching packets, a tag which will be appended to data leaving node through this hook, and various statistics counters.
The list of incoming packet's tags is traversed to find a tag with specified type and cookie values. Upon match, if specified tag_len is non-zero, tag_data of tag is checked to be identical to that specified in the hook structure. Packets with matched tags are forwarded to ``match'' destination hook, or forwarded to ``non-match'' hook otherwise. Either or both destination hooks can be an empty string, or may not exist, in which case the packet is dropped.
Tag list of packets leaving the node is extended with a new tag specified in outgoing hook structure (it is possible to avoid appending a new tag to pass packet completely unchanged by specifying zero type and cookie values in the structure of the corresponding outgoing hook). Additionally, a tag can be stripped from incoming packet after match if strip flag is set. This can be used for simple tag removal or tag replacement, if combined with tag addition on outgoing matching hook. Note that new tag is appended unconditionally, without checking if such a tag is already present in the list (it is up to user to check if this is a concern).
New hooks are initially configured to drop all incoming packets (as all hook names are empty strings; zero values can be specified to forward all packets to non-matching hook), and to forward all outgoing packets without any tag appending.
Data payload of packets passing through the node is completely unchanged, all operations can affect tag list only.
struct ng_tag_hookin { char thisHook[NG_HOOKSIZ]; /* name of hook */ char ifMatch[NG_HOOKSIZ]; /* match dest hook */ char ifNotMatch[NG_HOOKSIZ]; /* !match dest hook */ uint8_t strip; /* strip tag if found */ uint32_t tag_cookie; /* ABI/Module ID */ uint16_t tag_id; /* tag ID */ uint16_t tag_len; /* length of data */ uint8_t tag_data[0]; /* tag data */ };
The hook to be updated is specified in thisHook Data bytes of tag corresponding to specified tag_id (type) and tag_cookie are placed in the tag_data array; there must be tag_len of them. Matching and non-matching incoming packets are delivered out the hooks named ifMatch and ifNotMatch respectively. If strip flag is non-zero, then found tag is deleted from list of packet tags.
struct ng_tag_hookout { char thisHook[NG_HOOKSIZ]; /* name of hook */ uint32_t tag_cookie; /* ABI/Module ID */ uint16_t tag_id; /* tag ID */ uint16_t tag_len; /* length of data */ uint8_t tag_data[0]; /* tag data */ };
The hook to be updated is specified in thisHook Other variables mean basically the same as in Vt struct ng_tag_hookin shown above, except used for setting values in a new tag.
Note: statistics counters as well as three statistics messages above work only if code was compiled with the NG_TAG_DEBUG option. The reason for this is that statistics is rarely used in practice, but still consumes CPU cycles for every packet. Moreover, it is even not accurate on SMP systems due to lack of synchronization between threads, as this is very expensive.
So, this is ngctl(8) script for nodes creating and naming for easier access:
/usr/sbin/ngctl -f- <<-SEQ mkpeer ipfw: bpf 41 ipfw name ipfw:41 dcbpf mkpeer dcbpf: tag matched th1 name dcbpf:matched ngdc SEQ
Now
``ngdc
''
node (which is of type
)
must be programmed to echo all packets received on the
``th1
''
hook back, with the
ipfw(8)
tag 412 attached.
MTAG_IPFW
value for
tag_cookie
was taken from file
#include <netinet/ip_fw.h>
and value for
tag_id
is tag number (412), with zero tag length:
ngctl msg ngdc: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" } ngctl msg ngdc: sethookout { thisHook=\"th1\" \ tag_cookie=1148380143 \ tag_id=412 }
Don't forget to program ng_bpf4 ``ipfw '' hook with the above expression (see ng_bpf4 for script doing this) and ``matched '' hook with an empty expression:
ngctl msg dcbpf: setprogram { thisHook=\"matched\" ifMatch=\"ipfw\" \ bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }
After finishing with netgraph(4) nodes, ipfw(8) rules must be added to enable packet flow:
ipfw add 100 netgraph 41 tcp from any to any iplen 46 ipfw add 110 reset tcp from any to any tagged 412
Note: one should ensure that packets are returned to ipfw after processing inside netgraph(4), by setting appropriate sysctl(8) variable:
sysctl net.inet.ip.fw.one_pass=0
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |