Created attachment 175712
add support for ngtee/netgraph ipfw actions for layer-2 frames

Currently, the kernel part of ipfw for layer-2 (ethernet frames) does not support and ignores ipfw rules other than "pass", "deny" and dummynet-related ones. Any other rule acts like "pass" for layer-2 packets. That prevents us from selectively copying Ethernet frames for remote traffic analyzing/mirroring purposes.

Assume we have an ethernet-like interface (NIC, vlan, tap etc.) and we need to selectively mirror some frames there. In the case of vlan900, and assuming the ng_ipfw(4) netgraph node has a hook named "900" attached to the "lower" hook of vlan900's ng_ether(4) node, that would be as simple as:

ipfw add ngtee 900 ip from any to 8.8.8.8 layer2 out xmit igb0

The attached patch makes it work.
Created attachment 180505
add support for ngtee/netgraph ipfw actions for layer-2 frames

Patch updated for recent 11-STABLE.
My PR.
A commit references this bug:

Author: eugen
Date: Sat Oct 27 07:32:26 UTC 2018
New revision: 339810
URL: https://svnweb.freebsd.org/changeset/base/339810

Log:
  ipfw: implement ngtee/netgraph actions for layer-2 frames.

  Kernel part of ipfw does not support and ignores rules other than "pass", "deny" and dummynet-related for layer-2 (ethernet frames). Others are processed as "pass". Make it support ngtee/netgraph rules just like they are supported for IP packets.

  For example, this allows us to mirror some frames selectively to another interface for delivery to remote network analyzer over RSPAN vlan. Assuming ng_ipfw(4) netgraph node has a hook named "900" attached to "lower" hook of vlan900's ng_ether(4) node, that would be as simple as:

  ipfw add ngtee 900 ip from any to 8.8.8.8 layer2 out xmit igb0

  PR:		213452
  MFC after:	1 month
  Tested-by:	Fyodor Ustinov <ufm@ufm.su>

Changes:
  head/sys/netpfil/ipfw/ip_fw_pfil.c
A commit references this bug:

Author: eugen
Date: Mon Nov 26 11:28:35 UTC 2018
New revision: 340955
URL: https://svnweb.freebsd.org/changeset/base/340955

Log:
  MFC r339810: ipfw: implement ngtee/netgraph actions for layer-2 frames.

  Kernel part of ipfw does not support and ignores rules other than "pass", "deny" and dummynet-related for layer-2 (ethernet frames). Others are processed as "pass". Make it support ngtee/netgraph rules just like they are supported for IP packets.

  For example, this allows us to mirror some frames selectively to another interface for delivery to remote network analyzer over RSPAN vlan. Assuming ng_ipfw(4) netgraph node has a hook named "900" attached to "lower" hook of vlan900's ng_ether(4) node, that would be as simple as:

  ipfw add ngtee 900 ip from any to 8.8.8.8 layer2 out xmit igb0

  PR:		213452
  Tested-by:	Fyodor Ustinov <ufm@ufm.su>

Changes:
_U  stable/12/
  stable/12/sys/netpfil/ipfw/ip_fw_pfil.c
A commit references this bug:

Author: eugen
Date: Mon Nov 26 11:32:22 UTC 2018
New revision: 340956
URL: https://svnweb.freebsd.org/changeset/base/340956

Log:
  MFC r339810: ipfw: implement ngtee/netgraph actions for layer-2 frames.

  Kernel part of ipfw does not support and ignores rules other than "pass", "deny" and dummynet-related for layer-2 (ethernet frames). Others are processed as "pass". Make it support ngtee/netgraph rules just like they are supported for IP packets.

  For example, this allows us to mirror some frames selectively to another interface for delivery to remote network analyzer over RSPAN vlan. Assuming ng_ipfw(4) netgraph node has a hook named "900" attached to "lower" hook of vlan900's ng_ether(4) node, that would be as simple as:

  ipfw add ngtee 900 ip from any to 8.8.8.8 layer2 out xmit igb0

  PR:		213452
  Tested-by:	Fyodor Ustinov <ufm@ufm.su>

Changes:
_U  stable/11/
  stable/11/sys/netpfil/ipfw/ip_fw_pfil.c
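The mirroring setup that the PR and the commit message describe, as an added example (not code from the PR or from the FreeBSD tree): it wires ng_ipfw hook "900" to the "lower" hook of vlan900 and installs the ngtee rule. The interface, hook, uplink and destination names (vlan900, 900, igb0, 8.8.8.8) are the PR's own sample values; the DRYRUN switch is an assumption added so the commands can be reviewed on a host without netgraph.

```shell
#!/bin/sh
# Added example: build the layer-2 mirror from the PR with ng_ipfw + ngtee.
# Assumed names, taken from the PR: mirror interface vlan900 (RSPAN vlan),
# ng_ipfw hook 900, uplink igb0, mirrored destination 8.8.8.8.

# run CMD...: execute the command, or only print it when DRYRUN=1 so the
# whole procedure can be reviewed (and tested) without touching the kernel.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# mirror_setup VLANIF HOOK OUTIF DSTIP
mirror_setup() {
    vlanif=$1 hook=$2 outif=$3 dst=$4
    # ng_ether gives every Ethernet-type interface (vlans included) a node
    # named after it; ng_ipfw creates the single node "ipfw:".
    run kldload -n ng_ether ng_ipfw
    # Until this sysctl is set ipfw never sees layer-2 frames at all, so the
    # rule below would silently match nothing.
    run sysctl net.link.ether.ipfw=1
    # ipfw:<HOOK> <-> <vlan>:lower. Frames that ngtee copies into the hook
    # are transmitted out the vlan, i.e. onto the RSPAN vlan.
    run ngctl connect ipfw: "${vlanif}:" "$hook" lower
    # The rule from the PR: ngtee copies the matching outbound frames on
    # OUTIF into the hook; unlike "netgraph", the original frame continues.
    run ipfw add ngtee "$hook" ip from any to "$dst" layer2 out xmit "$outif"
}

# mirror_teardown HOOK: detach the netgraph hook. The ipfw rule is removed
# separately by its number (look it up with `ipfw show`).
mirror_teardown() {
    run ngctl rmhook ipfw: "$1"
}

# mirror_plan: same arguments as mirror_setup; prints the exact commands
# that would be run, one per line, instead of running them.
mirror_plan() {
    ( DRYRUN=1; mirror_setup "$@" )
}
```

Review the plan first (`mirror_plan vlan900 900 igb0 8.8.8.8`), then run `mirror_setup` with the same arguments as root; `ngctl show ipfw:` and `ipfw show` confirm the hook and the rule are in place.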