[Oisf-devel] [PATCH 0/3] Add set_mark option

Nick Rogness oisf at rogness.net
Wed Mar 9 00:09:29 UTC 2011

On Tue, Mar 8, 2011 at 3:12 PM, Victor Julien <victor at inliniac.net> wrote:
> On 03/08/2011 08:11 PM, Nick Rogness wrote:
>> On Mon, Mar 7, 2011 at 2:18 PM, Eric Leblond <eric at regit.org> wrote:
>>>>  I wonder if we should make name it something like
>>>> nfq_set_mark? It's specific to NFQ. I don't think we can translate it to
>>>> IPFW for example... What do you think?
>>> You're right. I don't think this is possible on *BSD. I will modify the
>>> option name before sesending the patch.
>> FreeBSD's IPFW has a similar option called tag, but the kernel strips
>> this tag when sending to suricata on the divert socket.
>> However, there are several other things with the IPFW firewall which could
>> be set based on specific suricata rules match, i.e. which IPFW rule to reinsert
>> the packet, etc.
> How would that work? Have it reinject on specific line numbers based on
> the signatures that match in Suricata? Or something we can do the packet
> that IPFW understands?

  On the call to sendto() on reinjection from suricata back to ipfw,
the port part of
  the structure (sin.sin_port) can be change to indicate to ipfw which
firewall rule
  number to start processing the packet.

  I don't think you could 'tag' the packet in suricata, then send back
to ipfw without
  modifying the headers/payload. The divert (FreeBSD) code is just a socket so
  you loose context when it enters the kernel.  However, you could reinject the
  packet back into IPFW at a specific rule, and the ipfw rule itself
could 'tag'
  the packet.  This tag is then maintained in the kernel and is
accessible to other
  ipfw rules.  Or more simply, just reinject the packet to a specific
IPFW firewall
  rule which is constructed to log, block, etc.

  I still think the whole FreeBSD IPFW code should be reworked to
utilize netgraph,
  a far more flexible subsystem. I just wish I had the time to do the
work.  Sorry man!
  Or the PF folks build a way to to divert packets inline to a
userland process without
  the necessity of pflog.


Nick Rogness

More information about the Oisf-devel mailing list