[FUG-BR] ftp-proxy -T tag patch for FBSD
Mario Lobo
lobo at bsd.com.br
Wed Jul 14 16:30:21 BRT 2010
Hello folks;
I sent this e-mail to freebsd at hackers, but since I don't know whether they are going to use it (I got no reply), I decided to post it here to see if it is of any use to you.
It is about a patch I made for ftp-proxy, which adds the -T tag option that already exists on Linux but not on FreeBSD, and is extremely useful for traffic shaping in pf. At least for me it has been.
I left it in English. First because I was too lazy to translate it (sorry), and second because I think almost everyone here will have no trouble with that. Whoever does, please don't hesitate to write me.
Cheers,
--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio.... YET!!] (99% winfoes FREE)
----------------------------------------------------------------------
Hello;
First, forgive me if this is not the right list to post this to, but I picked the
list most akin to the subject that I was subscribed to. After all, ftp-proxy is
part of the base system now. If any of you is subscribed to a better list for
this, please forward it there.
I felt sorry the -T tag option was present in Linux and not on FBSD because I
got to a situation where it would really be useful for me. So I decided to
stuff my hands on the grease can.
What this does is give the option to put a tag (instead of a queue) on the
dynamic rules that ftp-proxy creates on the fly. The option to put a queue is
nice, but it confines the rule to THAT queue only, and you cannot create queues
with the same name on different interfaces. You could specify 2 interfaces on
the same altq rule, but then again, both interfaces will be confined to the
same queue tunings.
The -T "tag" option, however, besides tagging the packets for the rule, takes
the "quick" keyword out of it, so rule processing can continue and later find
a rule that has the keyword "tagged tag" and be sent to any queue you want. A
really welcome flexibility.
The application of nat-anchor "ftp-proxy/*" and rdr-anchor "ftp-proxy/*"
is still as per the man pages.
Just make sure you put anchor "ftp-proxy/*" right before the first pass rule.
rc.conf example ---------------------------------------------------
ftpproxy_enable="YES"
ftpproxy_flags="-r -v -T ftp_proxy"
pf.conf example ---------------------------------------------------
# Ftp (it inserts its rules here, like below, taken from
`pfctl -vv -a ftp-proxy/15780.1 -sr`)
anchor "ftp-proxy/*"
@0 pass in log inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
@1 pass out log inet proto tcp from 189.23.180.30 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
# first pass rule of pf.conf
pass in log quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state queue (icmp)
---------
then way down there...
---------
pass out log quick on $int_if inet proto tcp tagged ftp_proxy keep state queue (ether)
---------
even further down, a different match ...
---------
pass out log quick on $ext_if inet proto tcp tagged ftp_proxy keep state queue (ftp)
-------------------------------------------------------------------
The lines below were taken during an ftp session to ftp.openbsd.com from a
LAN client station.
================================
# Server [20:14:03]
[~]>pfctl -vv -sA
ftp-proxy
ftp-proxy/15780.1
# Server [20:15:01]
[~]> pfctl -vv -a ftp-proxy/15780.1 -sr
@0 pass in log inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
[ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 62 pid 15780 ]
@1 pass out log inet proto tcp from 189.12.120.67 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
[ Evaluations: 4 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 62 pid 15780 ]
# Server [20:15:11]
[~]>pfctl -vv -sA
ftp-proxy
ftp-proxy/15780.1
# Server [20:15:16]
[~]> pfctl -vv -a ftp-proxy/15780.1 -sn
@0 nat inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 rtable 0 -> 189.12.120.67
[ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 62 pid 15780 ]
@0 rdr inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 51973 rtable 0 -> 129.128.5.191 port 61076
[ Evaluations: 6 Packets: 8 Bytes: 1485 States: 0 ]
[ Inserted: uid 62 pid 15780 ]
# Server [20:15:23]
[~]> pfctl -vv -a ftp-proxy/15780.1 -sn
pfctl: DIOCGETRULES: Invalid argument
# Server [20:16:12]
[~]>pfctl -vv -sA
ftp-proxy
================================
The nat, rdr and pass rules are correctly created and tagged.
Observe the times to see that ftp-proxy removes the rule really fast.
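As an added example (not part of the original post or the patch itself), here is a small POSIX sh/awk checker for the two things the post tells you to verify: that anchor "ftp-proxy/*" sits before the first pass rule of pf.conf and that a "tagged" pass rule with a queue exists further down, and that the rules ftp-proxy inserts into its anchor carry the expected tag and do not use "quick". The sample pf.conf and pfctl -sr output embedded below are constructed from the post's own listings; the function names and the tag "ftp_proxy" are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: sanity checks for the -T tag setup described in the post.
# Not from ftp-proxy or the patch; function names are hypothetical.

# Constructed from the post's pf.conf excerpt ($ext_if/$int_if kept literal).
SAMPLE_PFCONF='nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
anchor "ftp-proxy/*"
pass in log quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type 8 code 0 keep state queue (icmp)
pass out log quick on $int_if inet proto tcp tagged ftp_proxy keep state queue (ether)
pass out log quick on $ext_if inet proto tcp tagged ftp_proxy keep state queue (ftp)'

# Constructed from the post's `pfctl -vv -a ftp-proxy/15780.1 -sr` output,
# one rule per line (pfctl wraps nothing; the mailer did).
SAMPLE_RULES='@0 pass in log inet proto tcp from 172.16.3.145 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0
@1 pass out log inet proto tcp from 189.12.120.67 to 129.128.5.191 port = 61076 flags S/SA keep state (max 1) tag ftp_proxy rtable 0'

# check_pfconf TAG  (pf.conf text on stdin)
# Exit 0 when anchor "ftp-proxy/*" precedes the first pass rule and at least
# one pass rule matches "tagged TAG" and assigns a queue; exit 1 otherwise.
check_pfconf() {
    awk -v tag="$1" '
        /^[ \t]*#/ { next }
        /^anchor "ftp-proxy\/\*"/ { anchor_line = NR }
        /^pass / && !first_pass { first_pass = NR }
        /^pass / && $0 ~ (" tagged " tag " ") && / queue / { tagged++ }
        END {
            if (!anchor_line) { print "bad: no anchor \"ftp-proxy/*\""; exit 1 }
            if (first_pass && anchor_line > first_pass) {
                print "bad: anchor comes after the first pass rule"; exit 1
            }
            if (!tagged) { print "bad: no pass rule with tagged " tag " and a queue"; exit 1 }
            print "ok: anchor precedes first pass rule; " tagged " tagged queue rule(s)"
            exit 0
        }'
}

# check_tagged_rules TAG  (pfctl -sr output of the anchor on stdin)
# Every "@N pass" rule must carry "tag TAG" and must not carry "quick",
# otherwise rule processing would stop there and the later "tagged" rule
# would never assign the queue. Exit 0 if all rules are fine, 1 otherwise.
check_tagged_rules() {
    awk -v tag="$1" '
        /^@[0-9]+ pass / {
            ok = 1
            if ($0 ~ / quick /) { print "bad: rule " $1 " uses quick"; ok = 0 }
            if ($0 !~ (" tag " tag "( |$)")) { print "bad: rule " $1 " lacks tag " tag; ok = 0 }
            if (ok) print "ok: rule " $1 " tagged " tag ", not quick"
            else bad++
        }
        END { exit (bad > 0) ? 1 : 0 }'
}

# Run both checks on the constructed samples when executed directly.
printf '%s\n' "$SAMPLE_PFCONF" | check_pfconf ftp_proxy
printf '%s\n' "$SAMPLE_RULES" | check_tagged_rules ftp_proxy
```

On a live box you would feed the real files instead: `check_pfconf ftp_proxy < /etc/pf.conf` and `pfctl -vv -a "ftp-proxy/<pid>.<n>" -sr | check_tagged_rules ftp_proxy` while a transfer is in progress, since, as the timestamps above show, the anchor's rules disappear as soon as the data connection closes.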
To apply the patch, copy it to
/usr/src/contrib/pf/ftp-proxy/
then,
cd /usr/src/usr.sbin/ftp-proxy/ftp-proxy
make [clean]
make install
Wisdom demands testing it for a while before putting it into production, but it
has been working for me for a couple of weeks.
I hope this is useful, because ftp-proxy is a really simple, but great,
program.
-------------- Next Part ----------
A non-text attachment was scrubbed...
Name : ftp-proxy.patch
Type : text/x-patch
Size : 6032 bytes
Desc.: not available
Url : http://www.fug.com.br/historico/html/freebsd/attachments/20100714/1e57a9fd/attachment-0001.bin