Sometimes we do not need to feed ng_ipacct with all traffic going via a network interface but want to filter it with ng_bpf(8) first. We can easily insert ng_bpf between ng_tee and ng_ipacct, but ng_bpf needs filters to be loaded into it to work. The following patch adds the possibility to automatically load filters into the ng_bpf(8) node using ng_ipacct_${iface}_afterstart_script, which is supplied with the interface name and is invoked just after ng_ipacct is started. This script runs when ng_bpf is fully initialized and may load filters into it. See the patch for additional details; it contains an example of using the new feature.

Fix:

Eugene Grosbein

diff -ur ng_ipacct.orig/Makefile ng_ipacct/Makefile --- ng_ipacct/Makefile Tue Aug 2 00:31:50 2005 +++ ng_ipacct.new/Makefile Fri Sep 1 16:59:45 2006 @@ -7,6 +7,7 @@ PORTNAME= ng_ipacct PORTVERSION= 20050731 +PORTREVISION= 1 CATEGORIES= net-mgmt MASTER_SITES= ftp://ftp.wuppy.net.ru/pub/FreeBSD/local/kernel/ng_ipacct/ diff -ur ng_ipacct.orig/files/ng_ipacct.conf ng_ipacct/files/ng_ipacct.conf --- ng_ipacct/files/ng_ipacct.conf Wed Apr 13 08:31:57 2005 +++ ng_ipacct.new/files/ng_ipacct.conf Fri Sep 1 17:00:37 2006 
@@ -44,6 +44,27 @@ shutdown %%iface%%: ' +ng_ipacct_bpf_ether_start=' + mkpeer %%iface%%: tee lower right + name %%iface%%:lower %%iface%%_tee + connect %%iface%%: lower upper left + + mkpeer %%iface%%_tee: bpf right2left %%iface%%_in + name %%iface%%_tee:right2left %%iface%%_bpf + connect %%iface%%_tee: right2left left2right %%iface%%_out + + mkpeer %%iface%%_bpf: ipacct %%iface%%_match_in %%iface%%_in + name %%iface%%_bpf:%%iface%%_match_in %%iface%%_ip_acct + connect %%iface%%_bpf: %%iface%%_ip_acct: %%iface%%_match_out %%iface%%_out +' + +ng_ipacct_bpf_ether_stop=' + shutdown %%iface%%_ip_acct: + shutdown %%iface%%_bpf: + shutdown %%iface%%_tee: + shutdown %%iface%%: +' + # EXAMPLE 1. Ethernet interface # +-------------------------------+ 
@@ -147,3 +168,36 @@ ng_ipacct_vpn0_stop=' shutdown %%iface%%_ip_acct: ' + +# EXAMPLE 4. Ethernet interface with BPF + +# +-------------------------------+ +# | | +# (upper) (left2right)-----(xl0_in) (xl0_match_in)----(xl0_in) +# | | | | | | +# xl0 +--(left)-xl0_tee-(right) xl0_bpf xl0_ip_acct +# | | | | | | +# (lower) | (right2left)----(xl0_out) (xl0_match_out)--(xl0_out) +# | | +# +----------+ +# +# xl0 - ng_ether +# xl0_tee - ng_tee +# xl0_bpf - ng_bpf +# xl0_ip_acct - ng_ipacct + +# Configuration for 'xl0_ip_acct' node: + +ng_ipacct_xl0_dlt="EN10MB" # required line; see ipacctctl(8) +ng_ipacct_xl0_threshold="15000" # '5000' by default +ng_ipacct_xl0_verbose="yes" # 'yes' by default +ng_ipacct_xl0_saveuid="yes" # 'no' by default +ng_ipacct_xl0_savetime="no" # 'no' by default +ng_ipacct_xl0_start=${ng_ipacct_bpf_ether_start} +ng_ipacct_xl0_stop=${ng_ipacct_bpf_ether_stop} +ng_ipacct_xl0_checkpoint_script="path/to/your/script --checkpoint-and-save xl0" + # this script is called on stop (to save accumulated + # data) or via "rc.d/ng_ipacct.sh checkpoint" +ng_ipacct_xl0_afterstart_script="path/to/your/script --load-bpf-filters xl0" + # this script is called just after initialization + # of nodes to load filters into xl0_bpf diff -ur ng_ipacct.orig/files/ng_ipacct.sh.in ng_ipacct/files/ng_ipacct.sh.in --- ng_ipacct/files/ng_ipacct.sh.in Sun Apr 3 08:31:43 2005 +++ ng_ipacct.new/files/ng_ipacct.sh.in Fri Sep 1 17:08:19 2006 @@ -114,6 +114,13 @@ ${ipacctctl} ${iface}_ip_acct:${iface} verbose ${verbose} ${ipacctctl} ${iface}_ip_acct:${iface} saveuid ${saveuid} ${ipacctctl} ${iface}_ip_acct:${iface} savetime ${savetime} + + eval afterstart_script=\$ng_ipacct_${iface}_afterstart_script + if [ -n "${afterstart_script}" ]; then + (set -T + trap 'exit 1' 2 + ${afterstart_script} ${iface}) + fi fi done } How-To-Repeat: N/A
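Review bot: In the ng_ipacct.sh.in hunk, `${afterstart_script} ${iface}` appends the interface name, but the EXAMPLE 4 setting in ng_ipacct.conf already ends in `xl0`, so the example script would receive the interface twice. Either drop `xl0` from the example value or say in its comment that the name is appended automatically. The subshell's exit status is also discarded, so a script that fails to load its filters leaves xl0_bpf without a program and startup gives no indication; checking the status and printing a warning would make that visible.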
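Review bot: The new ng_ipacct_bpf_ether_start template in ng_ipacct.conf carries no comment saying that it depends on ng_ipacct_${iface}_afterstart_script. Since the report states that ng_bpf needs filters loaded to work, a user who selects this start script without setting an afterstart script gets an ng_ipacct node that sees no traffic. A short comment above the template, pointing to EXAMPLE 4, would document the requirement where the template is defined.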
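A sketch of an afterstart script for the EXAMPLE 4 topology, added here as an illustration and not part of the report or the port. It assumes the script path alone is set in ng_ipacct_xl0_afterstart_script (the rc script appends the interface name), uses a constructed `tcpdump -ddd` sample as the filter, and takes the hook names from ng_ipacct_bpf_ether_start.

```shell
#!/bin/sh
# Added example, not part of the port. Install as the script named by
# ng_ipacct_xl0_afterstart_script; the rc script appends the interface name.

# Constructed sample: `tcpdump -ddd ip` output for DLT EN10MB (instruction
# count, then "code jt jf k" per line). Replace with output for your filter.
SAMPLE_DDD='4
40 0 0 12
21 0 1 2048
6 0 0 65535
6 0 0 0'

# Turn tcpdump -ddd text on stdin into ng_bpf program fields. Fails when a
# field is not numeric or the declared length disagrees with the line count.
ddd_to_prog() {
    awk '
        NR == 1 { len = $1; next }
        NF != 4 || $0 ~ /[^0-9 ]/ { bad = 1 }
        { prog = prog sprintf(" { code=%s jt=%s jf=%s k=%s }", $1, $2, $3, $4); n++ }
        END {
            if (bad || n == 0 || len != n) exit 1
            printf "bpf_prog_len=%d bpf_prog=[%s ]", len, prog
        }'
}

# Build the ngctl command for one direction. $1 = iface, $2 = in|out.
# Hook names follow ng_ipacct_bpf_ether_start; an empty ifNotMatch makes
# ng_bpf discard non-matching frames, which here are only ng_tee copies.
setprogram_msg() {
    prog=$(ddd_to_prog) || return 1
    printf 'msg %s_bpf: setprogram { thisHook="%s_%s" ifMatch="%s_match_%s" ifNotMatch="" %s }' \
        "$1" "$1" "$2" "$1" "$2" "$prog"
}

# Load the same program on both input hooks; stop at the first failure so the
# caller sees a non-zero exit status.
load_filters() {
    for dir in in out; do
        msg=$(printf '%s\n' "$SAMPLE_DDD" | setprogram_msg "$1" "$dir") || return 1
        printf '%s\n' "$msg" | ngctl -f - || return 1
    done
}

if [ "$#" -ge 1 ]; then
    load_filters "$1"
fi
```

In real use the sample would be replaced by the output of `tcpdump -ddd` for the desired expression, generated with a link type matching ng_ipacct_xl0_dlt.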
Responsible Changed
From-To: freebsd-ports-bugs->skv

Over to maintainer
Hi! There is one more issue with ng_ipacct. Its startup/shutdown script runs checkpoint_script too late during the stop_cmd() sequence, after stop_script has completed and (possibly) destroyed the ng_ipacct(4) node. The checkpoint_script invocation should be moved before stop_script. Here is the obvious patch for this movement:

diff -ur ng_ipacct.orig/files/ng_ipacct.sh.in ng_ipacct/files/ng_ipacct.sh.in --- ng_ipacct.orig/files/ng_ipacct.sh.in Sun Apr 3 08:31:43 2005 +++ ng_ipacct/files/ng_ipacct.sh.in Sun Sep 3 19:20:51 2006 @@ -146,14 +146,15 @@ eval checkpoint_script=\$ng_ipacct_${iface}_checkpoint_script if ${ngctl} show ${iface}_ip_acct: >/dev/null 2>&1; then - ${sed} "s!%%iface%%!${iface}!g" <<-EOF | ${ngctl_batch} -$stop_script -EOF if [ -n "${checkpoint_script}" ]; then (set -T trap 'exit 1' 2 ${checkpoint_script}) fi + + ${sed} "s!%%iface%%!${iface}!g" <<-EOF | ${ngctl_batch} +$stop_script +EOF if ${ngctl} show ${iface}_ip_acct: >/dev/null 2>&1; then warn "netgraph node '${iface}_ip_acct' did not destroyed!"

Eugene Grosbein
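Review bot: With the checkpoint moved ahead of the stop script, the result of `${checkpoint_script}` is still ignored, so when the save fails `$stop_script` goes on to shut the node down and the accumulated data is lost with it. Consider testing the subshell's exit status and at least calling `warn` before the shutdown proceeds, so the operator learns that the last checkpoint did not complete.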
State Changed
From-To: open->closed

Committed, thank you!