[Oisf-devel] [PATCH 0/3] Add set_mark option

Victor Julien victor at inliniac.net
Thu Mar 10 09:48:46 UTC 2011

On 03/09/2011 01:09 AM, Nick Rogness wrote:
> On Tue, Mar 8, 2011 at 3:12 PM, Victor Julien <victor at inliniac.net> wrote:
>> On 03/08/2011 08:11 PM, Nick Rogness wrote:
>>> On Mon, Mar 7, 2011 at 2:18 PM, Eric Leblond <eric at regit.org> wrote:
>>>>>  I wonder if we should name it something like
>>>>> nfq_set_mark? It's specific to NFQ. I don't think we can translate it to
>>>>> IPFW for example... What do you think?
>>>> You're right. I don't think this is possible on *BSD. I will modify the
>>>> option name before resending the patch.
>>> FreeBSD's IPFW has a similar option called tag, but the kernel strips
>>> this tag when sending to suricata on the divert socket.
>>> However, there are several other things with the IPFW firewall which could
>>> be set based on specific suricata rules match, i.e. which IPFW rule to reinsert
>>> the packet, etc.
>> How would that work? Have it reinject on specific line numbers based on
>> the signatures that match in Suricata? Or something we can do the packet
>> that IPFW understands?
>   On the call to sendto() on reinjection from Suricata back to ipfw, the port part of
>   the structure (sin.sin_port) can be changed to indicate to ipfw which firewall rule
>   number to start processing the packet.
>   I don't think you could 'tag' the packet in Suricata, then send back to ipfw without
>   modifying the headers/payload. The divert (FreeBSD) code is just a socket, so
>   you lose context when it enters the kernel. However, you could reinject the
>   packet back into IPFW at a specific rule, and the ipfw rule itself could 'tag'
>   the packet. This tag is then maintained in the kernel and is accessible to other
>   ipfw rules. Or more simply, just reinject the packet to a specific IPFW firewall
>   rule which is constructed to log, block, etc.

That would be an interesting addition to Suricata.

>   I still think the whole FreeBSD IPFW code should be reworked to utilize netgraph,
>   a far more flexible subsystem. I just wish I had the time to do the work. Sorry man!

No problem! Appreciate the work you are doing a lot!

>   Or the PF folks build a way to divert packets inline to a userland process without
>   the necessity of pflog.

I saw some implementation floating around for OpenBSD's pf (was it
called pq?) not sure if that ever got anywhere...

I think we can conclude that we can't at this point abstract the
set_mark idea into something that would work on both linux and bsd. So I
think we should call it nfq_set_mark then. Any objections?


Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
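The IPFW reinjection mechanism Nick describes above (change sin_port on the sendto() back into the divert socket so ipfw resumes at a chosen rule), as an added example that is not part of the thread and is not Suricata's own IPFW code. It assumes a hypothetical ruleset: a divert rule feeding port 8000, and rules 2000/3000/4000 that allow, log-and-tag, and deny respectively; the payload signatures stand in for a Suricata rule match and are constructed. Whether ipfw resumes at or after the rule named in sin_port is a detail to confirm in divert(4) for your release; the recvfrom() address is copied back unchanged apart from the port so the kernel still knows whether the packet was inbound or outbound. Only the socket loop in main() is FreeBSD-specific; the classifier and address builder are portable.

```c
/* Added example, not Suricata's code: classify a diverted IPv4 packet and
 * pick the ipfw rule number at which to reinject it. Rule numbers, divert
 * port and signatures are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IPPROTO_DIVERT
#define IPPROTO_DIVERT 258 /* FreeBSD's value; defined so the file compiles elsewhere */
#endif

/* Hypothetical ruleset (assumed, e.g. 'ipfw add 1000 divert 8000 ip from any to any'). */
#define DIVERT_PORT 8000
#define RULE_ACCEPT 2000 /* assumed: 'allow ip from any to any' */
#define RULE_ALERT  3000 /* assumed: 'count log ...' followed by a tag/allow rule */
#define RULE_BLOCK  4000 /* assumed: 'deny log ip from any to any' */

/* Constructed signatures standing in for Suricata rule matches. */
static const char SIG_BLOCK[] = "/evil";
static const char SIG_ALERT[] = "/admin";

/* Locate the TCP payload in an IPv4 packet; 0 if not TCP or truncated. */
static int tcp_payload(const uint8_t *pkt, size_t len, const uint8_t **pl, size_t *pn)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != IPPROTO_TCP) return 0;
    size_t doff = (size_t)(pkt[ihl + 12] >> 4) * 4;
    if (doff < 20 || len < ihl + doff) return 0;
    *pl = pkt + ihl + doff;
    *pn = len - ihl - doff;
    return 1;
}

static int has_sig(const uint8_t *p, size_t n, const char *sig)
{
    size_t m = strlen(sig);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, sig, m) == 0) return 1;
    return 0;
}

/* Map a packet to the ipfw rule number it will be reinjected at. */
uint16_t classify(const uint8_t *pkt, size_t len)
{
    const uint8_t *p; size_t n;
    if (!tcp_payload(pkt, len, &p, &n)) return RULE_ACCEPT;
    if (has_sig(p, n, SIG_BLOCK)) return RULE_BLOCK;
    if (has_sig(p, n, SIG_ALERT)) return RULE_ALERT;
    return RULE_ACCEPT;
}

/* Keep the recvfrom() address (direction, interface) and replace only the
 * port with the rule number, as described in the thread. */
struct sockaddr_in reinject_addr(const struct sockaddr_in *from, uint16_t rule)
{
    struct sockaddr_in to = *from;
    to.sin_port = htons(rule);
    return to;
}

/* Constructed IPv4+TCP packet (IHL 5, data offset 5) for offline testing. */
size_t build_test_packet(uint8_t *out, const char *payload)
{
    size_t plen = strlen(payload);
    memset(out, 0, 40);
    out[0] = 0x45;
    out[2] = (uint8_t)((40 + plen) >> 8); out[3] = (uint8_t)((40 + plen) & 0xff);
    out[9] = IPPROTO_TCP;
    out[20 + 12] = 0x50;
    memcpy(out + 40, payload, plen);
    return 40 + plen;
}

int main(void)
{
    int fd = socket(PF_INET, SOCK_RAW, IPPROTO_DIVERT);
    if (fd < 0) { perror("socket(IPPROTO_DIVERT)"); return 1; }
    struct sockaddr_in bindaddr; memset(&bindaddr, 0, sizeof bindaddr);
    bindaddr.sin_family = AF_INET; bindaddr.sin_port = htons(DIVERT_PORT);
#ifdef __FreeBSD__
    bindaddr.sin_len = sizeof bindaddr; /* FreeBSD requires sa_len to be set */
#endif
    if (bind(fd, (struct sockaddr *)&bindaddr, sizeof bindaddr) < 0) { perror("bind"); return 1; }

    static uint8_t buf[65535];
    for (;;) {
        struct sockaddr_in from; socklen_t fl = sizeof from;
        ssize_t n = recvfrom(fd, buf, sizeof buf, 0, (struct sockaddr *)&from, &fl);
        if (n < 0) { perror("recvfrom"); break; }
        struct sockaddr_in to = reinject_addr(&from, classify(buf, (size_t)n));
        if (sendto(fd, buf, (size_t)n, 0, (struct sockaddr *)&to, sizeof to) < 0)
            perror("sendto");
    }
    close(fd);
    return 0;
}
```

Run it as root on a FreeBSD host with the assumed rules loaded; packets carrying "/evil" land on the deny rule, "/admin" on the logging rule, and everything else on the allow rule. Tagging, if wanted, is done by the ipfw rule the packet is reinjected at, since (as the thread notes) any mark set in userland is lost when the packet re-enters the kernel through the divert socket.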
