Page MenuHomeFreeBSD
Differential D30175

Add netgraph BFP rc.d script
Needs RevisionPublic
Actions

Authored by rozhuk.im-gmail.com on May 8 2021, 1:05 PM.
Tags
Referenced Files
F81507267: D30175.diff
Wed, Apr 17, 8:23 AM
Unknown Object (File)
Sun, Apr 14, 3:24 PM
Unknown Object (File)
Sun, Apr 14, 10:26 AM
Unknown Object (File)
Sun, Mar 24, 7:01 PM
Unknown Object (File)
Feb 14 2024, 4:06 AM
Unknown Object (File)
Jan 16 2024, 8:30 AM
Unknown Object (File)
Jan 14 2024, 3:26 PM
Unknown Object (File)
Dec 28 2023, 2:00 AM
View All 49 Files
Subscribers
donner
guest-patmaddox
imp
zarychtam_plan-b.pwste.edu.pl

Details

Reviewers
donner
Group Reviewers
network
Summary

This script allow attach to any ng_ether capable network interface BFP filters with tcpdump syntax.

For example, I use it at home to drop evil TCP RST packets that my ISP send to block access to some sites:
ng_bpf_enable="YES"
ng_bpf_profiles="vlan886"
ng_bpf_vlan886_in="ip and tcp and ip[6] & 64 = 0 and ip[8]>128 and tcp[tcpflags] == tcp-rst"

Also this can filter any L2 traffic.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

rozhuk.im-gmail.com requested review of this revision.May 8 2021, 1:05 PM
rozhuk.im-gmail.com created this revision.
zarychtam_plan-b.pwste.edu.pl added a subscriber: zarychtam_plan-b.pwste.edu.pl.May 8 2021, 1:07 PM
rozhuk.im-gmail.com added a reviewer: network.Jun 21 2021, 12:17 PM
donner added a subscriber: donner.Jun 21 2021, 1:08 PM

First I'm happy to see such a sophisticated use of netgraph in the default rc context.
Thank you for this idea.

May I ask you to provide a full context diff, please?
It's much easier to review.

May you please add a paragraph to the rc man page, too?

libexec/rc/rc.d/ng_bpf
99

Where is the variable pidfile used?

rozhuk.im-gmail.com added a comment.Jun 22 2021, 10:22 AM
In D30175#693715, @donner wrote:

May I ask you to provide a full context diff, please?
It's much easier to review.

If you mean: "why I do this" - because my internet service provider block some sites.
For block https provider send 3 fake tcp rst packets. My home router is FBSD based and only PF used. PF can not block (or I do not dig enough) and I do not want use ipfw only for this.

May you please add a paragraph to the rc man page, too?

I am not native speaker, it is a bit hard to me to write for humans.

libexec/rc/rc.d/ng_bpf
99

In /etc/rc.subr, like other sripts: /etc/rc.d/tlsservd (example)

rozhuk.im-gmail.com updated this revision to Diff 91231.Jun 22 2021, 7:18 PM
donner requested changes to this revision.Jun 22 2021, 10:21 PM

Thank you for adding context to the diff.

libexec/rc/rc.d/ng_bpf
99

pidfile is only used for the default "stop" and "status" functions. Because there are explicit functions available, pidfile will never be used. It will never be filled on disk, so the variable causes confusion. Please remove it.

This revision now requires changes to proceed.Jun 22 2021, 10:21 PM
donner added a comment.Jun 22 2021, 10:24 PM
In D30175#694137, @rozhuk.im-gmail.com wrote:
In D30175#693715, @donner wrote:

May you please add a paragraph to the rc man page, too?

I am not native speaker, it is a bit hard to me to write for humans.

This does not matter. Others will rephrase your input, if necessary.

0mp added a project: rc.Jul 26 2022, 2:23 PM
Herald added a subscriber: imp. · View Herald TranscriptJul 26 2022, 2:23 PM
guest-patmaddox added a subscriber: guest-patmaddox.Mar 27 2023, 6:47 AM
zarychtam_plan-b.pwste.edu.pl added a comment.Nov 26 2023, 8:34 PM

This script looks very promising, but it won't be easy to fulfill all committers' needs, but perhaps it would be easier to make it available as a port, for example, net-mgmt/ng_bpf_firewall ?

Revision Contents
Changeset List

PathSize
libexec/
rc/
rc.d/
4 lines
126 lines
tools/
build/
mk/
1 line

Diff 91231

View Options

libexec/rc/rc.d/Makefile

Loading...
View Options

libexec/rc/rc.d/ng_bpf

Loading...
View Options

tools/build/mk/OptionalObsoleteFiles.inc

Loading...