
Add netgraph BPF rc.d script
Needs RevisionPublic

Authored by rozhuk.im-gmail.com on May 8 2021, 1:05 PM.
Referenced Files
F104290885: D30175.diff

Details

Reviewers
donner
Group Reviewers
network
Summary

This script allows attaching BPF filters with tcpdump syntax to any ng_ether-capable network interface.

For example, I use it at home to drop evil TCP RST packets that my ISP sends to block access to some sites:
ng_bpf_enable="YES"
ng_bpf_profiles="vlan886"
ng_bpf_vlan886_in="ip and tcp and ip[6] & 64 = 0 and ip[8]>128 and tcp[tcpflags] == tcp-rst"

Also this can filter any L2 traffic.
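As an added illustration (not part of this revision or of the ng_bpf script), the following Python code evaluates the same predicate as the tcpdump expression in the example above, "ip and tcp and ip[6] & 64 = 0 and ip[8] > 128 and tcp[tcpflags] == tcp-rst", against raw Ethernet frames. The frames, addresses and TTL values are constructed for the example; the point is to show what each byte offset in the expression tests, and that a legitimate RST with a different TTL or with the DF bit set is left alone, so a filter can be sanity-checked offline before it is attached to an interface.

```python
"""Offline check of the tcpdump-style RST filter used in the rc.conf example.

Added example, not code from the ng_bpf review. Frames are constructed below.
"""
import struct

ETHERTYPE_IP = 0x0800   # ip
IPPROTO_TCP = 6         # tcp
TCP_RST = 0x04          # tcp-rst: the RST bit in the TCP flags byte
IP_DF = 0x40            # ip[6] & 64: the Don't Fragment bit


def parse_frame(frame: bytes):
    """Return (ip_header, tcp_header) for an IPv4/TCP frame, else None.

    None corresponds to the "ip and tcp" part of the expression failing.
    """
    if len(frame) < 14 + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IP:
        return None
    ip = frame[14:]
    version = ip[0] >> 4
    ihl = (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None
    if ip[9] != IPPROTO_TCP:
        return None
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    return ip[:ihl], tcp[:20]


def matches_rst_filter(frame: bytes) -> bool:
    """Apply: ip and tcp and ip[6] & 64 = 0 and ip[8] > 128 and tcp[tcpflags] == tcp-rst."""
    parsed = parse_frame(frame)
    if parsed is None:
        return False
    ip, tcp = parsed
    df_clear = (ip[6] & IP_DF) == 0   # ip[6] is the flags/fragment-offset high byte
    ttl_high = ip[8] > 128            # ip[8] is the TTL
    rst_only = tcp[13] == TCP_RST     # tcp[tcpflags] is byte 13; "==" means RST alone
    return df_clear and ttl_high and rst_only


def build_frame(ttl: int, df: bool, tcp_flags: int) -> bytes:
    """Construct a minimal Ethernet/IPv4/TCP frame (constructed sample data)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IP)
    frag = 0x4000 if df else 0
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 40, 0x1234, frag, ttl, IPPROTO_TCP, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH",
                      443, 51234, 1, 0, 5 << 4, tcp_flags, 0, 0, 0)
    return eth + ip + tcp


def classify(frames):
    """Return one bool per frame: True where the filter would drop it."""
    return [matches_rst_filter(f) for f in frames]


if __name__ == "__main__":
    samples = {
        "injected RST, TTL 250, DF clear": build_frame(250, False, TCP_RST),
        "server RST, TTL 52, DF set": build_frame(52, True, TCP_RST),
        "RST+ACK, TTL 250, DF clear": build_frame(250, False, 0x14),
        "non-IP frame (ARP ethertype)": b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,
    }
    for name, frame in samples.items():
        print(f"{name}: {'DROP' if matches_rst_filter(frame) else 'pass'}")
```

The TTL and DF conditions are what make the rule specific to one path: a RST that really comes from the server arrives with that server's TTL and, for most modern stacks, with DF set, so it does not match. The same heuristic also means the thresholds are tied to the author's network; a peer whose legitimate RSTs arrive with TTL above 128 and DF clear would be dropped too, so the expression should be re-checked if the upstream path changes.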

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

rozhuk.im-gmail.com created this revision.

First I'm happy to see such a sophisticated use of netgraph in the default rc context.
Thank you for this idea.

May I ask you to provide a full context diff, please?
It's much easier to review.

May you please add a paragraph to the rc man page, too?

libexec/rc/rc.d/ng_bpf
99

Where is the variable pidfile used?

May I ask you to provide a full context diff, please?
It's much easier to review.

If you mean "why do I do this": because my internet service provider blocks some sites.
To block HTTPS the provider sends 3 fake TCP RST packets. My home router is FreeBSD based and only PF is used. PF cannot block them (or I did not dig enough), and I do not want to use ipfw only for this.

May you please add a paragraph to the rc man page, too?

I am not a native speaker; it is a bit hard for me to write for humans.

libexec/rc/rc.d/ng_bpf
99

In /etc/rc.subr, like other scripts: /etc/rc.d/tlsservd (example)

donner requested changes to this revision. Jun 22 2021, 10:21 PM

Thank you for adding context to the diff.

libexec/rc/rc.d/ng_bpf
99

pidfile is only used for the default "stop" and "status" functions. Because there are explicit functions available, pidfile will never be used. It will never be filled on disk, so the variable causes confusion. Please remove it.

This revision now requires changes to proceed. Jun 22 2021, 10:21 PM

May you please add a paragraph to the rc man page, too?

I am not a native speaker; it is a bit hard for me to write for humans.

This does not matter. Others will rephrase your input, if necessary.

This script looks very promising, but it won't be easy to fulfill all committers' needs; perhaps it would be easier to make it available as a port, for example net-mgmt/ng_bpf_firewall?