Re: 5.4 -- bridging, ipfw, dot1q

[Julian Elischer]

Dan Mahoney, System Admin wrote:
should be in -net not -hackers

cc's changed accordingly..



After all, the demuxing is nothing more than ignoring a few extra bits 
at the beginning of the packet.  Which all my BPF stuff is doing nicely. 
Snort, trafshow, etc all work fine and don't seem to choke on the extra 
frames.


I'd personally just be happy if ipfw was smart enough to know that if I 
was using ip-type rules on something that's not ip...that it would 
handle the demuxing automagically.


i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1

or maybe

i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan-as-inet 
via em1




Hi Dan.

What it comes down to is just that no-one who has worked in ipfw
has had your particular problem to solve. O/S gets done when people
have a particular problem to solve.

As for demultiplexing, well, you COULD pass it out to a netgraph
node that strips off the header
and stores the info in a tag, and then passes it back to ipfw, but
I don't know how the details would work. (I haven't been in ifpw since
it was rewritten). Alternatively you could use netgraph bridging and
tehnetgraph vlan node type to achieve some sort of stripping..
(Once again, I'm just pointing you in this direction, not providing a
full answer.)
In 6.x netgraph has more options for this sort of thing with
a direct interface between ipfw and netgraph.

So, if you want to fix it, you could either
do some work on ipfw or do some work on netgraph,
but either way
you'll probably need to do some work.

Julian


___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 5.4 -- bridging, ipfw, dot1q

[Dan Mahoney, System Admin]

On Fri, 12 Aug 2005, Luigi Rizzo wrote:


On Sat, Aug 13, 2005 at 12:49:56AM +0200, Jeremie Le Hen wrote:

Hi,


I am afraid the existing code cannot help you.
The packets you see are encapsulated in 802.1q aka VLAN frames,
and since ipfw2 does not try to decapsulate the packets, you
don't get to see the IP headers.

Your most reasonable option would be to write a new ipufw2 opcode,
say something like 'vlan-decap x-y', which succeeds if the packet has
a vlan header in the range x to y, and in this case skips the VLAN header,
tries to re-parse the header fields as in the beginning of
ip_fw_chk() after the section

/*
 * Collect parameters into local variables for faster matching.
 */

and then continues.
It's not a lot of code, in the worst case you can just cut&paste
the relevant 50-60 lines from the beginning of the code
(though of course it would be nice to rearrange the code to
reduce duplication).

By doing this you can do something like

ipfw add skipto 1000 vlan-decap 1-50

and then process vlans 1 to 50 at line 1000.
Maybe it is a good idea to split the vlan-id matching and the decapsulation.


Isn't it posible to cheat using vlan(4) interface ?  I think it's
possible to create them in order to use its code to zap the VLAN header
and then use ipfw to filter on these vlan(4) interfaces.  This isn't
more than a workaround, but it might help.


After all, the demuxing is nothing more than ignoring a few extra bits at 
the beginning of the packet.  Which all my BPF stuff is doing nicely. 
Snort, trafshow, etc all work fine and don't seem to choke on the extra 
frames.


I'd personally just be happy if ipfw was smart enough to know that if I 
was using ip-type rules on something that's not ip...that it would handle 
the demuxing automagically.


i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan via em1

or maybe

i.e. ipfw add 100 deny ip from any to 192.168.1.1 mac-type vlan-as-inet 
via em1


assuming mac-type vlan is, of course, dot1q trunk traffic.

or better still...

ipfw add 200 deny ip from any to 10.2.2.2 mac-type vlan vlan-id 400 via 
em1


I'd also really like it if non-bridged interfaces kept their arp table 
separate from normal interfaces -- but that's a separate issue I'm 
experiencing when the management subnet (on a dedicated non-bridged nic) 
also happens to be one of the vlans within the dot1q trunk.


A spanning tree daemon (user or kernelspace) wouldn't be bad either.



well it would be painful to configure, because the number of vlans is
(according to what Dan says) is large, and he would have to define
N vlan interfaces on each of the physical ones, then define
N bridges between the corresponding vlans (and i think there is
a limit on how large N can be).


It's worse than that.  The device has four bridged interfaces.  One up, 
three down to three switches.  Each switch holds 24 vlans.  That QUICKLY 
becomes a nightmare when bridging actually works without doing this.  It's 
just ipfw saying "nope, there's no possible way for me to look




Additionally demuxing incoming packets would take O(N) time.

cheers
luigi



--

"I hate Windows"

-Tigerwolf, Anthrocon 2004

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 5.4 -- bridging, ipfw, dot1q

[Luigi Rizzo]

On Sat, Aug 13, 2005 at 12:49:56AM +0200, Jeremie Le Hen wrote:
> Hi,
> 
> > I am afraid the existing code cannot help you.
> > The packets you see are encapsulated in 802.1q aka VLAN frames,
> > and since ipfw2 does not try to decapsulate the packets, you
> > don't get to see the IP headers.
> > 
> > Your most reasonable option would be to write a new ipufw2 opcode,
> > say something like 'vlan-decap x-y', which succeeds if the packet has
> > a vlan header in the range x to y, and in this case skips the VLAN header,
> > tries to re-parse the header fields as in the beginning of
> > ip_fw_chk() after the section
> > 
> > /*
> >  * Collect parameters into local variables for faster matching.
> >  */
> > 
> > and then continues.
> > It's not a lot of code, in the worst case you can just cut&paste
> > the relevant 50-60 lines from the beginning of the code
> > (though of course it would be nice to rearrange the code to
> > reduce duplication).
> > 
> > By doing this you can do something like
> > 
> > ipfw add skipto 1000 vlan-decap 1-50
> > 
> > and then process vlans 1 to 50 at line 1000.
> > Maybe it is a good idea to split the vlan-id matching and the decapsulation.
> 
> Isn't it posible to cheat using vlan(4) interface ?  I think it's
> possible to create them in order to use its code to zap the VLAN header
> and then use ipfw to filter on these vlan(4) interfaces.  This isn't
> more than a workaround, but it might help.

well it would be painful to configure, because the number of vlans is
(according to what Dan says) is large, and he would have to define
N vlan interfaces on each of the physical ones, then define
N bridges between the corresponding vlans (and i think there is
a limit on how large N can be).
Additionally demuxing incoming packets would take O(N) time.

cheers
luigi

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 5.4 -- bridging, ipfw, dot1q

[Jeremie Le Hen]

Hi,

> I am afraid the existing code cannot help you.
> The packets you see are encapsulated in 802.1q aka VLAN frames,
> and since ipfw2 does not try to decapsulate the packets, you
> don't get to see the IP headers.
> 
> Your most reasonable option would be to write a new ipufw2 opcode,
> say something like 'vlan-decap x-y', which succeeds if the packet has
> a vlan header in the range x to y, and in this case skips the VLAN header,
> tries to re-parse the header fields as in the beginning of
> ip_fw_chk() after the section
> 
> /*
>  * Collect parameters into local variables for faster matching.
>  */
> 
> and then continues.
> It's not a lot of code, in the worst case you can just cut&paste
> the relevant 50-60 lines from the beginning of the code
> (though of course it would be nice to rearrange the code to
> reduce duplication).
> 
> By doing this you can do something like
> 
>   ipfw add skipto 1000 vlan-decap 1-50
> 
> and then process vlans 1 to 50 at line 1000.
> Maybe it is a good idea to split the vlan-id matching and the decapsulation.

Isn't it posible to cheat using vlan(4) interface ?  I think it's
possible to create them in order to use its code to zap the VLAN header
and then use ipfw to filter on these vlan(4) interfaces.  This isn't
more than a workaround, but it might help.

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Re: 5.4 -- bridging, ipfw, dot1q

[Luigi Rizzo]

I am afraid the existing code cannot help you.
The packets you see are encapsulated in 802.1q aka VLAN frames,
and since ipfw2 does not try to decapsulate the packets, you
don't get to see the IP headers.

Your most reasonable option would be to write a new ipufw2 opcode,
say something like 'vlan-decap x-y', which succeeds if the packet has
a vlan header in the range x to y, and in this case skips the VLAN header,
tries to re-parse the header fields as in the beginning of
ip_fw_chk() after the section

/*
 * Collect parameters into local variables for faster matching.
 */

and then continues.
It's not a lot of code, in the worst case you can just cut&paste
the relevant 50-60 lines from the beginning of the code
(though of course it would be nice to rearrange the code to
reduce duplication).

By doing this you can do something like

ipfw add skipto 1000 vlan-decap 1-50

and then process vlans 1 to 50 at line 1000.
Maybe it is a good idea to split the vlan-id matching and the decapsulation.

cheers
luigi

On Fri, Aug 12, 2005 at 05:07:13AM -0400, Dan Mahoney, System Admin wrote:
> Note:  I posted this to questions@ earlier, but upon further investigation 
> of the issue, I realize that I basically need a "hack".
> 
> Warning, long.
> 
> My original question:
> 
> [begin]
> 
> I'm setting up a bridging firewall where the packets are passing through 
> on dot1q trunks.  Figure sixty or so.  Too many to create separate 
> interfaces.
> 
> The bridge works.  Packet counts in the default match rule work (so I 
> assume the bridge at least sees the packets).
> 
> Problem is, any "reasonable" rules (such as those which actually say to 
> block traffic by ip or port or anything) aren't working
> at all.  Not even logging counts.
> 
> Setting the "bridged" flag doesn't seem to help.
> 
> My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
> tags.  Is this the case?  Is this supported under 4.x (I'm using 5, but 
> can downgrade), or is there any way AT ALL that I can get this to work?
> 
> As a note, snort and trafshow and everything else work fine analyzing the 
> bridge traffic, it seems only the kernel has an issue.
> 
> [end]
> 
> Now my plea to hackers@:
> 
> >From what I can see, the packet type is mac, and that's the only rules 
> that match.   I'm not 100 percent sure if this is because of the point at 
> which this is being received, or because of the dot1q headers.  I have to 
> assume it's the headers because, well, otherwise putting ipfw on a bridge 
> would seem pretty silly to me.
> 
> I basically need minor mods done to the kernel code so that dot1q trunked 
> traffic seen through a bridge is seen by ipfw rules (and matched by the 
> same)...
> 
> I basically assume this doesn't work because of this post made by Ted 
> Middelstadt a couple years ago
> 
> http://groups-beta.google.com/group/mailing.freebsd.questions/browse_frm/thread/79d023785ddc58ed/4e280a013b6325d4?tvc=1&q=vlan+trunk+ipfw+bridge+ted&hl=en#4e280a013b6325d4
> 
> Of course, he says this:
> 
> The biggest loss of NOT having an Ethernet-specific ipfw-like filtering
> program, is that there's no convenient vehicle to use for adding in code
> for filtering based on MAC addresses, which is certainly the domain of
> a bridge.
> 
> And ipfw2 basically addresses this.
> 
> This is what I see on my bridged packets with log:
> 
> Aug 11 23:38:43 fwi kernel: ipfw: 360 Accept MAC in via em1
> 
> I've tried every possible combination of arguments to ipfw which seem to 
> match. 
> None are hitting:
> 
> 00305  00 count ip from any to 56.199.242.178 layer2 
> mac-type 0x8100
> 00305  00 count ip from any to 56.199.242.178 mac-type 
> 0x8100
> 00305  00 count ip from any to 56.199.242.178 mac-type 
> 0x8100
> 00305  00 count ip from any to 56.199.242.178 mac-type 
> 0x8100 via em1
> 00305  00 count ip from any to 56.199.242.82 mac-type 
> 0x8100 via em1
> 00305  00 count ip from any to 56.199.242.82 layer2 
> mac-type 0x
> 
> If this is possible with standard vanilla bridging and standard ipfw, 
> please let me know, of course.  I'm guessing dot1q encapsulated traffic 
> just doesn't match this.  I can match traffic with an "any to any mac-type 
> vlan" or an "any to any layer2" rule.  But I think I can't match on more 
> specific criteria (like an IP address) because the ipfw layer sees it as 
> non-ip traffic, and doesn't even attempt to match it (even though I'm 
> telling it specifically to do so), so it falls into the "silently passed" 
> portion.
> 
> I don't know c.  And this is a bad time and place to learn.  The kernel 
> code is also fairly streamlined, and I *really* don't have the time to 
> learn structures and the like.  It's on my long-term to-do list, I swear.
> 
> Otherwise, I'm relatively sure this is less than an hour's worth of work, 
> please someone let me k

5.4 -- bridging, ipfw, dot1q

[Dan Mahoney, System Admin]

Note:  I posted this to questions@ earlier, but upon further investigation 
of the issue, I realize that I basically need a "hack".


Warning, long.

My original question:

[begin]

I'm setting up a bridging firewall where the packets are passing through 
on dot1q trunks.  Figure sixty or so.  Too many to create separate 
interfaces.


The bridge works.  Packet counts in the default match rule work (so I 
assume the bridge at least sees the packets).


Problem is, any "reasonable" rules (such as those which actually say to 
block traffic by ip or port or anything) aren't working

at all.  Not even logging counts.

Setting the "bridged" flag doesn't seem to help.

My only guess is that ipfw doesn't have the brains to look beyond the VLAN 
tags.  Is this the case?  Is this supported under 4.x (I'm using 5, but 
can downgrade), or is there any way AT ALL that I can get this to work?


As a note, snort and trafshow and everything else work fine analyzing the 
bridge traffic, it seems only the kernel has an issue.


[end]

Now my plea to hackers@:

From what I can see, the packet type is mac, and that's the only rules 
that match.   I'm not 100 percent sure if this is because of the point at 
which this is being received, or because of the dot1q headers.  I have to 
assume it's the headers because, well, otherwise putting ipfw on a bridge 
would seem pretty silly to me.


I basically need minor mods done to the kernel code so that dot1q trunked 
traffic seen through a bridge is seen by ipfw rules (and matched by the 
same)...


I basically assume this doesn't work because of this post made by Ted 
Middelstadt a couple years ago


http://groups-beta.google.com/group/mailing.freebsd.questions/browse_frm/thread/79d023785ddc58ed/4e280a013b6325d4?tvc=1&q=vlan+trunk+ipfw+bridge+ted&hl=en#4e280a013b6325d4

Of course, he says this:

The biggest loss of NOT having an Ethernet-specific ipfw-like filtering
program, is that there's no convenient vehicle to use for adding in code
for filtering based on MAC addresses, which is certainly the domain of
a bridge.

And ipfw2 basically addresses this.

This is what I see on my bridged packets with log:

Aug 11 23:38:43 fwi kernel: ipfw: 360 Accept MAC in via em1

I've tried every possible combination of arguments to ipfw which seem to 
match. 
None are hitting:


00305  00 count ip from any to 56.199.242.178 layer2 
mac-type 0x8100
00305  00 count ip from any to 56.199.242.178 mac-type 
0x8100
00305  00 count ip from any to 56.199.242.178 mac-type 
0x8100
00305  00 count ip from any to 56.199.242.178 mac-type 
0x8100 via em1
00305  00 count ip from any to 56.199.242.82 mac-type 
0x8100 via em1
00305  00 count ip from any to 56.199.242.82 layer2 
mac-type 0x


If this is possible with standard vanilla bridging and standard ipfw, 
please let me know, of course.  I'm guessing dot1q encapsulated traffic 
just doesn't match this.  I can match traffic with an "any to any mac-type 
vlan" or an "any to any layer2" rule.  But I think I can't match on more 
specific criteria (like an IP address) because the ipfw layer sees it as 
non-ip traffic, and doesn't even attempt to match it (even though I'm 
telling it specifically to do so), so it falls into the "silently passed" 
portion.


I don't know c.  And this is a bad time and place to learn.  The kernel 
code is also fairly streamlined, and I *really* don't have the time to 
learn structures and the like.  It's on my long-term to-do list, I swear.


Otherwise, I'm relatively sure this is less than an hour's worth of work, 
please someone let me know what it's worth to you and I'll make it happen.


(While I'lll be happy with a quick hack, this really is something that 
should probably at least have a sysctl or hooks in ipfw or something -- 
assuming anyone else finds it useful).


Thanks,

Dan Mahoney

--

"We need another cat.  This one's retarded."

-Cali, March 8, 2003 (3:43 AM)

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---

___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"