
click not routing pkts on the same interface it received

click not routing pkts on the same interface it received

From:
sri
Date:
2014-03-24 @ 06:41
// ========================== Flag ================================

// Global state holders (custom, non-stock element classes; their handlers are
// not visible in this file). `discard` is the single Discard sink that every
// drop path below ends in -- a Counter() in front of it, or on the individual
// edges, is the quickest way to see which policy is eating packets.
ha_flag::Flag;
master_flag::Flag;
role_info::RoleInfo;
user_flag::Flag;
discard::Discard;

// ====================== Address Info ============================

// Symbolic addresses used throughout. The `:eth` suffix also binds each name
// to the MAC of the given interface (e.g. `extern_vaddr:eth`).
//   extern_addr / intern_addr  : the router's real addresses on eth0 / eth1
//   extern_vaddr / intern_vaddr: "virtual" addresses that the IPRewriters
//                                below redirect portal/proxy/S-WISS traffic to,
//                                and that the host owns via the fake* devices
AddressInfo
(
  extern_addr   192.168.102.1 eth0:eth, 
  intern_addr   192.168.103.1 eth1:eth,
  extern_vaddr  192.168.102.3 eth0:eth,
  intern_vaddr  192.168.103.3 eth1:eth
);

// ======================== Device Setup ==========================

// Hand-off to the Linux host and the two physical transmit queues.
// ethToLinux re-attaches an IPv4 Ethernet header with a fixed dummy MAC
// (00:01:02:03:04:05 as both src and dst; EnsureEther2 is presumably a variant
// of stock EnsureEther) so packets stripped to the IP header are accepted by
// the host stack; FakeARPResponder at the end of the file answers the host's
// ARP with the same MAC. ALLOW_NONEXISTENT downgrades a missing host device
// from an error to a warning, so delivery problems on this edge are silent.
toLinux :: ToHost(ALLOW_NONEXISTENT 1);
toLinuxFilter :: ToHostSniffers(fake3);   // DHCP copies for sniffers bound to fake3
ethToLinux :: EnsureEther2(0x0800, 00:01:02:03:04:05, 00:01:02:03:04:05) 
  -> toLinux;

// Transmit queues: eth1 (wireless) is the internal side, eth0 (wired) the
// external side. QUIET 1 silences the elements' warnings. NOTE(review): a
// Counter() between each Queue and ToDevice gives the TX figure directly and
// is the first thing to add when RX >> TX.
intern_dev :: Queue(4000) -> toWireless :: ToDevice(eth1, BURST 8, QUIET 1);
extern_dev :: Queue(2000) -> toWired :: ToDevice(eth0, BURST 8, QUIET 1);

// Disabled RIP advertisement of the internal subnet on the external side
// (line re-joined: the archive hard-wrapped it at 80 columns).
//extern_rip2 ::RIPSend2(extern_vaddr, 192.168.102.255, 192.168.103.0/255.255.255.0, 1)
//  -> EtherEncap(0x0800, extern_vaddr:eth, ff:ff:ff:ff:ff:ff)
//  -> extern_dev;

// ==================== kernel firewall filter =================

// Per-MAC rate limiter and passive OS fingerprinter (both custom elements).
// Each has several independent input/output port pairs that are wired from
// many places below; the port numbers are part of their contract.
mac_throttle :: MacThrottle();
os_detector :: OsDetector();

// Packets the routing table says are for this machine (real_routing_table[0]).
// DHCP is diverted to the sniffer device fake3; everything else goes to Linux.
// No throttling sits on this edge -- the mac_throttle stages are only on the
// HTTP(S) branches of the *_kernel_filters and the client web paths.
kernel_filter :: IPClassifier(
  udp port bootps or bootpc, 
  -);
kernel_filter[0] -> toLinuxFilter;  
kernel_filter[1] -> ethToLinux;

// External (eth0) packets addressed to the router itself.
// extern_swiss_rewriter maps S/WISS UDP 8995 / 8996 onto extern_vaddr:8901 /
// :8902 (pattern = SADDR SPORT DADDR DPORT FOUTPUT ROUTPUT; forward out 0 to
// the host, reverse out 1 to routing). The reverse direction is fed from
// extern_swiss_filter near the end of the file.
extern_swiss_rewriter :: IPRewriter(
  pattern - - extern_vaddr 8901 0 1,
  pattern - - extern_vaddr 8902 0 1
);
// Ingress policy for host-bound traffic from the external side. First
// matching pattern wins.
extern_kernel_filter :: IPClassifier(
  dst port 1723 or 1701 or 1241 or 8910,      // 0: PPTP/L2TP/1241/8910, any L4 proto: dropped
  dst tcp port 82 or 880,                      // 1: management/proxy ports: dropped from outside
  dst udp port 8900 or 8901 or 8902 or 8903,   // 2: raw S/WISS ports: dropped (only 8995/8996 accepted, rewritten)
  dst tcp port 80 or 443,                      // 3: web to the router: per-MAC throttle, then host
  dst udp port 8995,                           // 4: -> extern_vaddr:8901
  dst udp port 8996,                           // 5: -> extern_vaddr:8902
  -);                                          // 6: everything else
extern_kernel_filter[0] -> discard;
extern_kernel_filter[1] -> discard;
extern_kernel_filter[2] -> discard;
extern_kernel_filter[3] -> [0]mac_throttle[0] -> ethToLinux;
extern_kernel_filter[4] -> [0]extern_swiss_rewriter[0] -> ethToLinux;
extern_kernel_filter[5] -> [1]extern_swiss_rewriter;
// NOTE(review): any other protocol/port addressed to the router from the
// external side reaches the host stack unfiltered and unthrottled (ICMP, SSH,
// DNS, ...). No further filtering is visible in this config, so host-level
// filtering has to be relied on for the WAN-facing services.
extern_kernel_filter[6] -> ethToLinux;

// Internal (eth1) packets addressed to the router itself, plus LAN broadcasts
// (intern_local_filter outputs 1 and 3). Same shape as extern_kernel_filter,
// but 80/443 additionally passes os_detector before the throttle, and DHCP is
// copied to the sniffer device. Note that PPTP (1723), 1241 and 8910 are NOT
// dropped on this side, unlike the external one.
intern_kernel_filter :: IPClassifier(
  dst port 1701,                  // 0: L2TP: dropped
  dst tcp port 82 or 880,         // 1: management/proxy ports: dropped
  dst tcp port 80 or 443,         // 2: web to the router: fingerprint, throttle, host
  udp port bootps or bootpc,      // 3: DHCP: to sniffers on fake3
  -);                             // 4: everything else: host, unfiltered
intern_kernel_filter[0] -> discard;
intern_kernel_filter[1] -> discard;
// mac_throttle[0] is wired to ethToLinux at extern_kernel_filter[3]; both
// sides share that single output.
intern_kernel_filter[2] -> [0]os_detector[0] -> [0]mac_throttle;
//[0]os_detector[0] -> [0]mac_throttle;
intern_kernel_filter[3] -> toLinuxFilter; 
intern_kernel_filter[4] -> ethToLinux;

// ======================== ARP querier ===========================

// ARP handling and the IP -> Ethernet step for forwarded packets.
// ARPQuerier2/ARPQuerier3 are custom variants of ARPQuerier with extra ports.
// As wired in the Classifier section: port 0 is the standard IP-in /
// Ethernet-out path, port 1 carries ARP replies, port 2 ARP requests, port 3
// raw IPv4 from the wire; port 4 of the internal querier emits frames for
// arp_switch.
extern_arpq :: ARPQuerier2(extern_addr);
extern_arpq[0] -> extern_dev; 

intern_arpq :: ARPQuerier3(intern_addr);

// Forwarded IP packets: drop any leftover link header, then resolve next hop.
ipToIntern :: StripToNetworkHeader -> [0]intern_arpq;
ipToExtern :: StripToNetworkHeader -> [0]extern_arpq;

// arp_switch steers ARP frames by paint colour (0 -> eth1, 1 -> drop,
// 2 -> answer via iarp); its outputs are wired in the Classifier section.
arp_switch :: PaintSwitch;

  intern_arpq[4] -> Paint(0) -> arp_switch;

  intern_arpq[0] -> intern_dev;
  
  

// ======================== Http Rewriter =========================

// Transparent redirection of client web traffic to the portal/proxy on
// intern_vaddr (192.168.103.3). Each line is the spec for one input port
// (pattern = SADDR SPORT DADDR DPORT FOUTPUT ROUTPUT):
//   input 0: http  -> dst 192.168.103.3:9090, forward out 0, reverse out 1
//   input 1: reverse direction (replies from 192.168.103.3, see http_filter);
//            in stock IPRewriter an existing mapping is applied before the
//            spec is consulted, so mapped replies are un-rewritten and leave
//            on output 1, unmapped ones pass through to output 2
//   input 2: proxy -> dst 192.168.103.3:880
//   input 3: https -> dst 192.168.103.3:9443
// Only the destination is rewritten; the client's source is preserved. The
// short timeouts bound the size of the mapping table.
http_rewrite :: IPRewriter(
  pattern - - 192.168.103.3 9090 0 1,   // http
  passthrough 2,                // passthrough
  pattern - - 192.168.103.3 880 0 1, // proxy  
  pattern - - 192.168.103.3 9443 0 1,  // https
  TCP_TIMEOUT 30,
  TCP_DONE_TIMEOUT 10,
  REAP_TCP 30,
  REAP_TCP_DONE 10
);

// Host-originated packets that are replies from the portal/proxy address go
// to the rewriter's reverse input (wired at kernel_classifier); everything
// else the host sends is handled by extern_swiss_filter.
http_filter :: IPClassifier(
  (src host 192.168.103.3) and 
  (src tcp port www or https or 82 or 880 or 9090 or 9443),
  - 
);  
        
// ========================== IP Routing ===========================

// IP routing table (LinearIPLookup: longest-prefix match). Outputs:
// 0: packets for this machine -- both interface addresses, the network and
//    broadcast addresses of both subnets, limited broadcast and 0.0.0.0
// 1: packets for the external subnet 192.168.102.0/24, and (default route)
//    everything else via the gateway 192.168.102.254
// 2: packets for the internal subnet 192.168.103.0/24
// A packet received on eth1 for another 192.168.103.x host is therefore sent
// out on eth1 again: same-interface forwarding is permitted by this table,
// so a TX shortfall has to come from the filter chain in front of it or
// from the ARP/queue stage behind it.
real_routing_table :: LinearIPLookup(
 192.168.103.1/32 0,
 192.168.102.1/32 0,
 192.168.103.0/255.255.255.0 2,
 192.168.102.0/255.255.255.0 1,
 192.168.103.255/32 0,
 192.168.103.0/32 0,
 192.168.102.255/32 0,
 192.168.102.0/32 0,
 255.255.255.255/32 0.0.0.0 0,     // limited broadcast is "local": it only meets kernel_filter afterwards
 0.0.0.0/32 0,
 0.0.0.0/0 192.168.102.254 1);     // default route: next hop on the external side

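// Bandwidth shapers (custom element) on the two forwarding directions.
// EXEMPTADDRS lists the router's own real and virtual addresses, which are
// never shaped. The two active declarations were re-joined: the archive
// hard-wrapped them at 80 columns ("192.16" / "8.103.1);"), which does not
// parse as written.
//up_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
//dn_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
up_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
dn_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);

// Routing outputs -> next stage. Output 0 (local) to the host filter; output 1
// (external) through the upstream shaper; output 2 (internal) through the
// downstream shaper. up_shaper uses its port pair 0; dn_shaper uses pair 1,
// with pair 0 tied off by Idle/discard.
real_routing_table[0] -> kernel_filter;
real_routing_table[1] 
-> [0]up_shaper[0]
  -> ipToExtern;
real_routing_table[2] 
    -> [1]dn_shaper[1] -> ipToIntern;

Idle -> [0]dn_shaper[0] -> discard;

// routing_table is a pass-through compound element: the single hook point
// that every allowed path feeds. NtlmLoginDetector (custom) sees all routed
// traffic before the lookup; presumably it inspects NTLM authentication
// exchanges, in which case whatever it records is credential material and
// its storage/handlers deserve the same care as the tables above.
routing_table:: {input -> output};
routing_table
  -> nt_login_detector::NtlmLoginDetector()
  -> real_routing_table;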

// ======================== Filters ===========================

// Per-side policy groups (custom IPFilterGroup). Outputs as wired below:
// 0 = allowed straight to routing, 1 = DNS handler then proxy/login handling,
// 2 = DNS handler then the second web path.
intern_filter_group :: IPFilterGroup(3,0,0 all,-); 

extern_filter_group :: IPFilterGroup(3,0,1 all,-); 

// DNS interception (custom): four pass-through port pairs (0..3) plus an
// output 4 that goes to routing.
dnshandler :: DnsHandler();

// Traffic from internal clients on the login-check path that proxy_filter did
// not send to the proxy. First match wins.
intern_filter :: IPClassifier(
  (dst host 192.168.102.3 or 192.168.103.3) and (dst tcp port www or https),  // 0: the portal itself -> host
  dst tcp www or https,                              // 1: other web -> throttle, redirect to portal
  dst udp port dns,                                  // 2: DNS -> routed upstream
  (src udp port bootpc) and (dst udp port bootps),   // 3: DHCP client->server -> dropped here
  -                                                  // 4: everything else -> notifier, dropped
);

// Second web path (intern_filter_group[2]): web -> throttle -> https_filter;
// anything that is not web is dropped.
www_filter :: IPClassifier(
  dst tcp www or https,
  -
);

// Split web into http (-> portal 9090) and https (-> portal 9443). Both of
// these classifiers only ever receive dst tcp www/https traffic, so their
// catch-all output 2 is unreachable (wired to discard / http_rewrite[0] for
// completeness).
https_filter :: IPClassifier(
  dst tcp www,
  dst tcp  https,
  -
);

https_filter_proxy :: IPClassifier(
  dst tcp www,
  dst tcp https,
  -
);

// Decides (by the wiring below) whether a client's web traffic goes through
// the proxy rewrite (output 0, port 880) or the portal path (output 1).
proxy_filter :: IPPortLookup();
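// Wiring of the policy groups. Note what each path bypasses:
//  - *_filter_group[0]: straight to routing (no throttle, no rewriting).
//  - intern_filter_group[1]: DNS handler -> proxy decision -> either the
//    proxy rewrite (http_rewrite input 2 = port 880) or intern_filter.
//  - intern_filter_group[2]: DNS handler -> www_filter (second web path).
intern_filter_group[0] -> routing_table;
intern_filter_group[1] -> [1]dnshandler[1] -> proxy_filter;
proxy_filter[0] -> [3]mac_throttle[3]
                -> [2]http_rewrite;
proxy_filter[1] -> intern_filter;
intern_filter_group[2] -> [2]dnshandler[2] -> www_filter;
dnshandler[4] -> routing_table;              // whatever DnsHandler itself emits (answers/forwards)

// External side: group output 0 passes the DNS handler and is routed;
// outputs 1 and 2 both enter dnshandler input 3, whose output 3 is dropped --
// only what DnsHandler moves to output 4 survives from those.
extern_filter_group[0] -> [0]dnshandler[0]
                       -> routing_table;
extern_filter_group[1] -> [3]dnshandler[3] -> discard;
extern_filter_group[2] -> [3]dnshandler;

// Not-yet-authenticated internal clients (outputs documented at intern_filter).
intern_filter[0] -> ethToLinux;              // the portal itself
// Line re-joined: the archive hard-wrapped it at 80 columns ("http_rewri" / "te;").
intern_filter[1] -> [1]mac_throttle[1] -> https_filter_proxy[0] -> [0]http_rewrite;
        https_filter_proxy[1] -> [3]http_rewrite;
        https_filter_proxy[2] -> [0]http_rewrite;   // unreachable: input is already www/https only

  http_rewrite[0] -> ethToLinux;             // redirected forward packets -> portal on the host
// DNS from unauthenticated clients is routed upstream after passing
// dnshandler input 1. NOTE(review): unless DnsHandler answers or filters these
// queries itself, this is an unrestricted DNS channel before login -- the
// classic DNS-tunnel bypass of a captive portal. Confirm what DnsHandler does
// with pass-through queries or rate-limit this edge.
intern_filter[2] -> routing_table;
// Broadcast DHCP and DHCP aimed at the router are diverted earlier by
// intern_local_filter, so this only catches DHCP aimed at other servers.
intern_filter[3] -> discard; //routing_table;
ip_notifier::IPNotifier(65);
intern_filter[4] -> [0]ip_notifier[0] -> discard;   // anything else: notify (custom), then drop



www_filter[0] -> [2]mac_throttle[2] -> https_filter[0] -> [0]http_rewrite;
https_filter[1] -> [3]http_rewrite;
https_filter[2] -> discard;                  // unreachable: input is already www/https only

www_filter[1] -> discard;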

// ======================= Validation Table =========================

// Client validation (custom HashIPLookup3/5): the internal table is keyed on
// MAC+IP, the others on IP only. Only one output of each is wired (0, or 1
// for the external table whose port pair 0 is tied off with Idle/discard),
// straight into the policy group. NOTE(review): what happens to a client that
// fails validation is not visible here -- presumably the element marks the
// packet for IPFilterGroup rather than dropping it; confirm, since this login
// check is the gate for the whole captive-portal flow.
intern_validation_table :: HashIPLookup3(); //check mac and ip
intern_validation_table[0] -> intern_filter_group; 

kernel_validation_table :: HashIPLookup5(); //check ip
kernel_validation_table[0] -> intern_filter_group; 

extern_validation_table :: HashIPLookup5();
  extern_validation_table[1] -> extern_filter_group;

Idle -> [0]extern_validation_table[0] -> discard;

// ========================= ip subnet filter ================

// Per-subnet policy lookup (custom LinearIPFilter2). Inputs: 0 intern,
// 1 extern, 2 kernel; four outputs per input, in this order:
// 0 - just block            -> discard
// 1 - just allow            -> routing_table (skips validation, throttling and
//                              rewriting entirely -- entries here are trusted)
// 2 - login check (default) -> validation table
// 3 - role check            -> policy group
// NOTE(review): the kernel input (2) is only fed from mac_validation_table[12],
// whose own input is Idle, so -- assuming the element maps input i to its own
// output group as the comments suggest -- outputs 8-11 and
// kernel_validation_table are unreachable in this configuration.
filter_table :: LinearIPFilter2();
// intern
filter_table[0] -> discard;
filter_table[1] -> routing_table; 
filter_table[2] -> [0]intern_validation_table;
filter_table[3] -> intern_filter_group;
// extern
filter_table[4] -> discard;
filter_table[5] -> routing_table; 
filter_table[6] -> [1]extern_validation_table;
filter_table[7] -> extern_filter_group;
// kernel
filter_table[8] -> discard;
filter_table[9] -> routing_table; 
filter_table[10] -> [0]kernel_validation_table;
filter_table[11] -> intern_filter_group;

// ======================= MAC Filter Table ========================

// Posture result table (custom): output 0 = certified -> policy group,
// output 1 = not certified -> subnet check.
certified_mac_table :: HashMacTable();

// First decision for every non-local packet from an interface: look up the
// source MAC (custom HashMACLookup5). Inputs: 0 intern, 1 extern, 2 kernel;
// five outputs per input:
// 0 - just block
// 1 - just allow (straight to routing, nothing else is checked)
// 2 - subnet check (default) -> filter_table
// 3 - role check -> policy group
// 4 - posture assesment -> certified_mac_table (intern) / policy group (others)
// NOTE(review): MAC-based admission is trivially spoofable on a shared
// wireless segment, and the "just allow" outputs here and in filter_table skip
// every later check, so the contents of these tables are the effective trust
// boundary of the whole configuration. The kernel input (2) is fed only by
// Idle, so outputs 10-14 appear to be dead.
mac_validation_table :: HashMACLookup5();

// intern
mac_validation_table[0] -> discard;
mac_validation_table[1] -> routing_table;
mac_validation_table[2] -> [0]filter_table;
mac_validation_table[3] -> intern_filter_group; 
mac_validation_table[4] -> [0]certified_mac_table;
  certified_mac_table[0] -> intern_filter_group; 
  certified_mac_table[1] -> [0]filter_table; 
// extern
mac_validation_table[5] -> discard;
mac_validation_table[6] -> routing_table;
mac_validation_table[7] -> [1]filter_table;
mac_validation_table[8] -> extern_filter_group; 
mac_validation_table[9] -> extern_filter_group;
// kernel
mac_validation_table[10] -> discard;
mac_validation_table[11] -> routing_table;
mac_validation_table[12] -> [2]filter_table;
mac_validation_table[13] -> intern_filter_group; 
mac_validation_table[14] -> intern_filter_group;

// =================== S/WISS packet rewrite ==================
// S/WISS (custom protocol: UDP 8900-8903/8995/8996, TCP 8999) arriving on the
// internal side: classify, then rewrite the destination to the local virtual
// address 192.168.103.3 keeping the port (rewriter input 0). Rewriter input 1
// is the passthrough used for host-originated packets (fed from
// kernel_local_filter).
swiss_filter :: IPClassifier(
  dst udp port 8900 or 8901 or 8902 or 8903 or 8995,   // 0: rewrite to 192.168.103.3
  dst udp port 8996,                                    // 1: dropped on the internal side
  dst tcp port 8999,                                    // 2: rewrite to 192.168.103.3
  -                                                     // 3: ordinary traffic -> intern_local_filter
);

swiss_rewriter :: IPRewriter(
  pattern - - 192.168.103.3 - 0 1,   // input 0: forward -> out 0, reverse -> out 1
  passthrough 2                      // input 1: unmapped packets -> out 2
);

 swiss_filter[1] -> discard;

// ===================== Kernel IP filter =====================

// Local-vs-forwarded split per ingress side (custom HashIPTable2, keyed on
// destination IP). Output semantics from the original comments:
//0 - non local            -> MAC admission (forwarding path)
//1 - local (ip)           -> host-bound filter
//2 - local (pptp, l2tp)   -> dropped on the internal side, host on the external side
//3 - bc                   -> host-bound filter
// Only the values 1 and 3 appear in the tables; how a packet ends up on
// output 2 is internal to the element.
intern_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1,
  192.168.103.255 3,
  255.255.255.255 3
);
// Host-originated packets: only the router's own addresses count as local.
kernel_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1
);

intern_local_filter[0] -> [0]mac_validation_table;
intern_local_filter[1] -> intern_kernel_filter;
intern_local_filter[2] -> discard;
intern_local_filter[3] -> intern_kernel_filter;

// S/WISS wiring: rewritten packets (dst 192.168.103.3) re-enter the local
// filter. NOTE(review): 192.168.103.3 is not in the table above; if the
// element reports it as non-local, these packets go through MAC admission and
// routing (where 192.168.103.3 falls in the internal subnet -> eth1) instead
// of reaching the host. A Counter() on swiss_rewriter[0] shows which.
swiss_filter[0] -> [0]swiss_rewriter;
swiss_filter[2] -> [0]swiss_rewriter;
swiss_filter[3] -> intern_local_filter;

swiss_rewriter[0] -> [0]intern_local_filter;
swiss_rewriter[1] -> routing_table;
swiss_rewriter[2] -> routing_table;

Idle -> [0]kernel_local_filter;

// Host-originated packets arrive on input 1 (from extern_swiss_filter[2]).
// NOTE(review): output 0 (non-local) is discarded. If HashIPTable2 sends
// non-matching packets to output 0 regardless of input port, every packet the
// Linux host sends to a non-router address via fake0/fake1 is dropped here --
// a direct candidate for "TX much lower than RX". Count this edge first.
kernel_local_filter[0] -> discard;
Idle -> [2]mac_validation_table;
kernel_local_filter[1] -> [1]swiss_rewriter;
kernel_local_filter[2] -> discard;
kernel_local_filter[3] -> discard;

extern_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1,
  192.168.102.255 3,
  255.255.255.255 3
);
extern_local_filter[0] -> [1]mac_validation_table;
extern_local_filter[1] -> extern_kernel_filter;
// NOTE(review): unlike the internal side, the pptp/l2tp output goes straight
// to the host, bypassing extern_kernel_filter's drop of dst ports 1723/1701.
// If the element ever produces this output for external packets, those ports
// are reachable from outside after all; make this `discard` (as on the
// internal side) unless the bypass is intended.
extern_local_filter[2] -> ethToLinux;
extern_local_filter[3] -> extern_kernel_filter;


// ========================== Classfier =============================

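// Ethernet-level demux for frames from eth0 (external side).
// Byte offsets: 12 = EtherType, 20 = ARP opcode; with an 802.1Q tag everything
// shifts by 4 (16 / 24). `12/00%F8` is an 802.3 length field (< 0x0800),
// `14/AAAA 16/0300` a SNAP header, `18/000C` the OUI 00:00:0C (Cisco),
// `20/011D` its protocol id. Outputs:
//   0 IPv4                 3 VLAN-tagged IPv4
//   1 ARP request          4 VLAN-tagged ARP request
//   2 ARP reply            5 VLAN-tagged ARP reply
//   6 Cisco SNAP frame     7 VLAN-tagged Cisco SNAP frame
//   8 anything else -- notably IPv6 (86DD) -- silently dropped
// The last pattern was re-joined: the archive hard-wrapped it at 80 columns.
extern_classifier :: Classifier(12/0800,
                                12/0806 20/0001,
                                12/0806 20/0002,
                                12/8100 16/0800,
                                12/8100 16/0806 24/0001,
                                12/8100 16/0806 24/0002,
                                12/00%F8 14/AAAA 16/0300 18/000C 20/011D,
                                12/8100 16/00%F8 18/AAAA 20/0300 22/000C 24/011D,
                                -);

// IPv4 enters the custom ARP querier on port 3 (presumably to learn the
// sender's MAC) and leaves on port 3. NOTE(review): no CheckIPHeader is on
// this path -- unlike the host path at kernel_classifier -- so unless
// ARPQuerier2 validates and marks the IP header itself, every IPClassifier
// downstream works on unchecked headers from the untrusted side (length,
// checksum and options never verified). Confirm, or insert CheckIPHeader.
extern_classifier[0] -> [3]extern_arpq[3] -> extern_local_filter;
// ARP requests pass the querier (port 2) and are answered for extern_addr by
// ARPResponder3; the reply goes back out eth0.
extern_classifier[1] -> [2]extern_arpq[2] -> earp::ARPResponder3(extern_addr)
  -> extern_dev;
// ARP replies feed the querier's cache (port 1) and are also handed to the host.
extern_classifier[2] -> [1]extern_arpq[1] -> ethToLinux; 

// VLAN-tagged variants re-use the same querier ports. NOTE(review): the tag is
// not stripped here; whether ARPQuerier2 copes with the 4-byte offset is not
// visible in this config.
extern_classifier[3] -> [3]extern_arpq;
extern_classifier[4] -> [2]extern_arpq;
extern_classifier[5] -> [1]extern_arpq; 
// Cisco SNAP frames go to the host as-is.
extern_classifier[6] -> ethToLinux;
extern_classifier[7] -> ethToLinux;
extern_classifier[8] -> discard;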

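// Ethernet-level demux for frames from eth1 (internal side). Same offsets as
// extern_classifier, without the SNAP patterns; output 6 drops everything
// else (including IPv6).
intern_classifier :: Classifier(12/0800,
12/0806 20/0001,
                                12/0806 20/0002,
                                12/8100 16/0800,
                                12/8100 16/0806 24/0001,
                                12/8100 16/0806 24/0002,
                                -);

// ARP responder for intern_addr. Its two outputs are steered by paint colour:
// output 0 is repainted 0 (-> eth1), output 1 keeps whatever colour it has.
iarp::ARPResponder3(intern_addr);
  iarp[0] -> Paint(0) -> arp_switch;

  iarp[1] -> arp_switch;

// ARP replies from the LAN: one copy to the host, one to arp_switch.
iarp_tee::Tee(2);
  iarp_tee[0] -> ethToLinux;
  iarp_tee[1] -> arp_switch;

// IPv4: through the querier (port 3) into the S/WISS classifier. Same caveat
// as on the external side: no CheckIPHeader is visible on this path.
intern_classifier[0] -> [3]intern_arpq[3] -> swiss_filter;
// ARP requests are painted 1, pass the querier (port 2), then a PaintSwitch
// decides: colour 0 -> answer locally (iarp), colour 1 -> repaint 2 and let
// arp_switch[2] loop it back into iarp.
// Fix: the `iarpq_ps[0] -> iarp` statement had no terminating ';', so the
// parser would read the next line as part of it.
intern_classifier[1] -> iarpq_paint :: Paint(1) -> [2]intern_arpq; 
    intern_arpq[2] -> iarpq_ps :: PaintSwitch;
         iarpq_ps[0] -> iarp;
         iarpq_ps[1] -> Paint(2) -> arp_switch;

intern_classifier[2] -> iarpr_paint :: Paint(1) 
                     -> [1]intern_arpq[1] -> iarp_tee; 

// VLAN-tagged variants (tag not stripped; see extern_classifier).
intern_classifier[3] -> [3]intern_arpq;
intern_classifier[4] -> iarpq_paint;
intern_classifier[5] -> iarpr_paint;
intern_classifier[6] -> discard;

// Final ARP steering by paint colour: 0 -> eth1, 1 -> drop, 2 -> repaint 1 and
// answer via iarp.
arp_switch[0] -> intern_dev;
arp_switch[1] -> discard;
arp_switch[2] -> Paint(1) -> iarp;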

// Host-originated packets that are not web replies (http_filter[1]).
// Replies from UDP 8901/8902 go to extern_swiss_rewriter, which un-rewrites
// them for an existing mapping (reverse output 1 -> routing); in stock
// IPRewriter an unmapped packet on these inputs would instead get a fresh
// mapping to extern_vaddr and be handed back to the host on output 0.
// Everything else the host sends goes to kernel_local_filter input 1.
extern_swiss_filter :: IPClassifier(
  src udp port 8901,
  src udp port 8902,
  -);

extern_swiss_rewriter[1] -> routing_table;
extern_swiss_filter[0] -> [0]extern_swiss_rewriter;
extern_swiss_filter[1] -> [1]extern_swiss_rewriter;
extern_swiss_filter[2] -> [1]kernel_local_filter;

// Frames from the Linux host via the fake devices fake0/fake1.
kernel_classifier :: Classifier(12/0800,
                               12/0806 20/0001,
                               -);

// IPv4: the only place in this configuration where an IP header check is
// visible (CheckIPHeader2 at offset 14 = past the Ethernet header; the stock
// element validates length/version but not the checksum). Web replies from
// the portal/proxy address go to the rewriter's reverse input.
kernel_classifier[0] -> CheckIPHeader2(,14) -> http_filter;
http_filter[0] -> [1]http_rewrite;
    http_rewrite[1] -> routing_table;      // un-rewritten replies back toward the client
    http_rewrite[2] -> routing_table;      // passthrough: no mapping found
  http_filter[1] -> extern_swiss_filter; 
// ARP requests from the host are answered with the fixed dummy MAC that
// ethToLinux uses, so the host never ARPs on the real wire.
kernel_classifier[1] -> FakeARPResponder(00:01:02:03:04:05) -> toLinux;
kernel_classifier[2] -> discard;           // ARP replies and non-IPv4 from the host are dropped

// Physical ingress: wired eth0 is the external side, wireless eth1 internal.
fromWired :: FromDevice(eth0, BURST 8, QUIET 1) -> extern_classifier;
fromWireless :: FromDevice(eth1, BURST 8, QUIET 1) -> intern_classifier;

// Host-side pseudo devices. fake0 (192.168.102.1, /0 mask, i.e. the host's
// default route) and fake1 (192.168.103.1/24) feed kernel_classifier. fake3
// carries the host's 192.168.103.3 traffic straight onto eth1 with no
// classification or filtering at all (it also receives the DHCP copies from
// ToHostSniffers). fake2 and fake4 are sinks: anything the host routes
// through them is silently dropped -- check the host routing table first if
// host-originated packets "disappear".
FromHost(fake0, 192.168.102.1/0.0.0.0) -> kernel_classifier;
FromHost(fake2, 192.168.103.3/0.0.0.0) -> discard;
FromHost(fake3, 192.168.103.3/0.0.0.0) -> intern_dev;
FromHost(fake4, 192.168.102.3/0.0.0.0) -> discard;

FromHost(fake1, 192.168.103.1/255.255.255.0) -> kernel_classifier;

Re: click not routing pkts on the same interface it received

From:
sri
Date:
2014-03-26 @ 14:14
// ========================== Flag ================================

// Global state holders (custom, non-stock element classes; their handlers are
// not visible in this file). `discard` is the single Discard sink that every
// drop path below ends in -- a Counter() in front of it, or on the individual
// edges, is the quickest way to see which policy is eating packets.
ha_flag::Flag;
master_flag::Flag;
role_info::RoleInfo;
user_flag::Flag;
discard::Discard;

// ====================== Address Info ============================

// Symbolic addresses used throughout. The `:eth` suffix also binds each name
// to the MAC of the given interface (e.g. `extern_vaddr:eth`).
//   extern_addr / intern_addr  : the router's real addresses on eth0 / eth1
//   extern_vaddr / intern_vaddr: "virtual" addresses that the IPRewriters
//                                below redirect portal/proxy/S-WISS traffic to,
//                                and that the host owns via the fake* devices
AddressInfo
(
  extern_addr   192.168.102.1 eth0:eth, 
  intern_addr   192.168.103.1 eth1:eth,
  extern_vaddr  192.168.102.3 eth0:eth,
  intern_vaddr  192.168.103.3 eth1:eth
);

// ======================== Device Setup ==========================

// Hand-off to the Linux host and the two physical transmit queues.
// ethToLinux re-attaches an IPv4 Ethernet header with a fixed dummy MAC
// (00:01:02:03:04:05 as both src and dst; EnsureEther2 is presumably a variant
// of stock EnsureEther) so packets stripped to the IP header are accepted by
// the host stack; FakeARPResponder at the end of the file answers the host's
// ARP with the same MAC. ALLOW_NONEXISTENT downgrades a missing host device
// from an error to a warning, so delivery problems on this edge are silent.
toLinux :: ToHost(ALLOW_NONEXISTENT 1);
toLinuxFilter :: ToHostSniffers(fake3);   // DHCP copies for sniffers bound to fake3
ethToLinux :: EnsureEther2(0x0800, 00:01:02:03:04:05, 00:01:02:03:04:05) 
  -> toLinux;

// Transmit queues: eth1 (wireless) is the internal side, eth0 (wired) the
// external side. QUIET 1 silences the elements' warnings. NOTE(review): a
// Counter() between each Queue and ToDevice gives the TX figure directly and
// is the first thing to add when RX >> TX.
intern_dev :: Queue(4000) -> toWireless :: ToDevice(eth1, BURST 8, QUIET 1);
extern_dev :: Queue(2000) -> toWired :: ToDevice(eth0, BURST 8, QUIET 1);

// Disabled RIP advertisement of the internal subnet on the external side
// (line re-joined: the archive hard-wrapped it at 80 columns).
//extern_rip2 ::RIPSend2(extern_vaddr, 192.168.102.255, 192.168.103.0/255.255.255.0, 1)
//  -> EtherEncap(0x0800, extern_vaddr:eth, ff:ff:ff:ff:ff:ff)
//  -> extern_dev;

// ==================== kernel firewall filter =================

// Per-MAC rate limiter and passive OS fingerprinter (both custom elements).
// Each has several independent input/output port pairs that are wired from
// many places below; the port numbers are part of their contract.
mac_throttle :: MacThrottle();
os_detector :: OsDetector();

// Packets the routing table says are for this machine (real_routing_table[0]).
// DHCP is diverted to the sniffer device fake3; everything else goes to Linux.
// No throttling sits on this edge -- the mac_throttle stages are only on the
// HTTP(S) branches of the *_kernel_filters and the client web paths.
kernel_filter :: IPClassifier(
  udp port bootps or bootpc, 
  -);
kernel_filter[0] -> toLinuxFilter;  
kernel_filter[1] -> ethToLinux;

// External (eth0) packets addressed to the router itself.
// extern_swiss_rewriter maps S/WISS UDP 8995 / 8996 onto extern_vaddr:8901 /
// :8902 (pattern = SADDR SPORT DADDR DPORT FOUTPUT ROUTPUT; forward out 0 to
// the host, reverse out 1 to routing). The reverse direction is fed from
// extern_swiss_filter near the end of the file.
extern_swiss_rewriter :: IPRewriter(
  pattern - - extern_vaddr 8901 0 1,
  pattern - - extern_vaddr 8902 0 1
);
// Ingress policy for host-bound traffic from the external side. First
// matching pattern wins.
extern_kernel_filter :: IPClassifier(
  dst port 1723 or 1701 or 1241 or 8910,      // 0: PPTP/L2TP/1241/8910, any L4 proto: dropped
  dst tcp port 82 or 880,                      // 1: management/proxy ports: dropped from outside
  dst udp port 8900 or 8901 or 8902 or 8903,   // 2: raw S/WISS ports: dropped (only 8995/8996 accepted, rewritten)
  dst tcp port 80 or 443,                      // 3: web to the router: per-MAC throttle, then host
  dst udp port 8995,                           // 4: -> extern_vaddr:8901
  dst udp port 8996,                           // 5: -> extern_vaddr:8902
  -);                                          // 6: everything else
extern_kernel_filter[0] -> discard;
extern_kernel_filter[1] -> discard;
extern_kernel_filter[2] -> discard;
extern_kernel_filter[3] -> [0]mac_throttle[0] -> ethToLinux;
extern_kernel_filter[4] -> [0]extern_swiss_rewriter[0] -> ethToLinux;
extern_kernel_filter[5] -> [1]extern_swiss_rewriter;
// NOTE(review): any other protocol/port addressed to the router from the
// external side reaches the host stack unfiltered and unthrottled (ICMP, SSH,
// DNS, ...). No further filtering is visible in this config, so host-level
// filtering has to be relied on for the WAN-facing services.
extern_kernel_filter[6] -> ethToLinux;

// Internal (eth1) packets addressed to the router itself, plus LAN broadcasts
// (intern_local_filter outputs 1 and 3). Same shape as extern_kernel_filter,
// but 80/443 additionally passes os_detector before the throttle, and DHCP is
// copied to the sniffer device. Note that PPTP (1723), 1241 and 8910 are NOT
// dropped on this side, unlike the external one.
intern_kernel_filter :: IPClassifier(
  dst port 1701,                  // 0: L2TP: dropped
  dst tcp port 82 or 880,         // 1: management/proxy ports: dropped
  dst tcp port 80 or 443,         // 2: web to the router: fingerprint, throttle, host
  udp port bootps or bootpc,      // 3: DHCP: to sniffers on fake3
  -);                             // 4: everything else: host, unfiltered
intern_kernel_filter[0] -> discard;
intern_kernel_filter[1] -> discard;
// mac_throttle[0] is wired to ethToLinux at extern_kernel_filter[3]; both
// sides share that single output.
intern_kernel_filter[2] -> [0]os_detector[0] -> [0]mac_throttle;
//[0]os_detector[0] -> [0]mac_throttle;
intern_kernel_filter[3] -> toLinuxFilter; 
intern_kernel_filter[4] -> ethToLinux;

// ======================== ARP querier ===========================

// ARP handling and the IP -> Ethernet step for forwarded packets.
// ARPQuerier2/ARPQuerier3 are custom variants of ARPQuerier with extra ports.
// As wired in the Classifier section: port 0 is the standard IP-in /
// Ethernet-out path, port 1 carries ARP replies, port 2 ARP requests, port 3
// raw IPv4 from the wire; port 4 of the internal querier emits frames for
// arp_switch.
extern_arpq :: ARPQuerier2(extern_addr);
extern_arpq[0] -> extern_dev; 

intern_arpq :: ARPQuerier3(intern_addr);

// Forwarded IP packets: drop any leftover link header, then resolve next hop.
ipToIntern :: StripToNetworkHeader -> [0]intern_arpq;
ipToExtern :: StripToNetworkHeader -> [0]extern_arpq;

// arp_switch steers ARP frames by paint colour (0 -> eth1, 1 -> drop,
// 2 -> answer via iarp); its outputs are wired in the Classifier section.
arp_switch :: PaintSwitch;

  intern_arpq[4] -> Paint(0) -> arp_switch;

  intern_arpq[0] -> intern_dev;
  
  

// ======================== Http Rewriter =========================

// Transparent redirection of client web traffic to the portal/proxy on
// intern_vaddr (192.168.103.3). Each line is the spec for one input port
// (pattern = SADDR SPORT DADDR DPORT FOUTPUT ROUTPUT):
//   input 0: http  -> dst 192.168.103.3:9090, forward out 0, reverse out 1
//   input 1: reverse direction (replies from 192.168.103.3, see http_filter);
//            in stock IPRewriter an existing mapping is applied before the
//            spec is consulted, so mapped replies are un-rewritten and leave
//            on output 1, unmapped ones pass through to output 2
//   input 2: proxy -> dst 192.168.103.3:880
//   input 3: https -> dst 192.168.103.3:9443
// Only the destination is rewritten; the client's source is preserved. The
// short timeouts bound the size of the mapping table.
http_rewrite :: IPRewriter(
  pattern - - 192.168.103.3 9090 0 1,   // http
  passthrough 2,                // passthrough
  pattern - - 192.168.103.3 880 0 1, // proxy  
  pattern - - 192.168.103.3 9443 0 1,  // https
  TCP_TIMEOUT 30,
  TCP_DONE_TIMEOUT 10,
  REAP_TCP 30,
  REAP_TCP_DONE 10
);

// Host-originated packets that are replies from the portal/proxy address go
// to the rewriter's reverse input (wired at kernel_classifier); everything
// else the host sends is handled by extern_swiss_filter.
http_filter :: IPClassifier(
  (src host 192.168.103.3) and 
  (src tcp port www or https or 82 or 880 or 9090 or 9443),
  - 
);  
        
// ========================== IP Routing ===========================

// IP routing table (LinearIPLookup: longest-prefix match). Outputs:
// 0: packets for this machine -- both interface addresses, the network and
//    broadcast addresses of both subnets, limited broadcast and 0.0.0.0
// 1: packets for the external subnet 192.168.102.0/24, and (default route)
//    everything else via the gateway 192.168.102.254
// 2: packets for the internal subnet 192.168.103.0/24
// A packet received on eth1 for another 192.168.103.x host is therefore sent
// out on eth1 again: same-interface forwarding is permitted by this table,
// so a TX shortfall has to come from the filter chain in front of it or
// from the ARP/queue stage behind it.
real_routing_table :: LinearIPLookup(
 192.168.103.1/32 0,
 192.168.102.1/32 0,
 192.168.103.0/255.255.255.0 2,
 192.168.102.0/255.255.255.0 1,
 192.168.103.255/32 0,
 192.168.103.0/32 0,
 192.168.102.255/32 0,
 192.168.102.0/32 0,
 255.255.255.255/32 0.0.0.0 0,     // limited broadcast is "local": it only meets kernel_filter afterwards
 0.0.0.0/32 0,
 0.0.0.0/0 192.168.102.254 1);     // default route: next hop on the external side

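// Bandwidth shapers (custom element) on the two forwarding directions.
// EXEMPTADDRS lists the router's own real and virtual addresses, which are
// never shaped. The two active declarations were re-joined: the archive
// hard-wrapped them at 80 columns ("192.16" / "8.103.1);"), which does not
// parse as written.
//up_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
//dn_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
up_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
dn_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);

// Routing outputs -> next stage. Output 0 (local) to the host filter; output 1
// (external) through the upstream shaper; output 2 (internal) through the
// downstream shaper. up_shaper uses its port pair 0; dn_shaper uses pair 1,
// with pair 0 tied off by Idle/discard.
real_routing_table[0] -> kernel_filter;
real_routing_table[1] 
-> [0]up_shaper[0]
  -> ipToExtern;
real_routing_table[2] 
    -> [1]dn_shaper[1] -> ipToIntern;

Idle -> [0]dn_shaper[0] -> discard;

// routing_table is a pass-through compound element: the single hook point
// that every allowed path feeds. NtlmLoginDetector (custom) sees all routed
// traffic before the lookup; presumably it inspects NTLM authentication
// exchanges, in which case whatever it records is credential material and
// its storage/handlers deserve the same care as the tables above.
routing_table:: {input -> output};
routing_table
  -> nt_login_detector::NtlmLoginDetector()
  -> real_routing_table;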

// ======================== Filters ===========================

// Per-side policy groups (custom IPFilterGroup). Outputs as wired below:
// 0 = allowed straight to routing, 1 = DNS handler then proxy/login handling,
// 2 = DNS handler then the second web path.
intern_filter_group :: IPFilterGroup(3,0,0 all,-); 

extern_filter_group :: IPFilterGroup(3,0,1 all,-); 

// DNS interception (custom): four pass-through port pairs (0..3) plus an
// output 4 that goes to routing.
dnshandler :: DnsHandler();

// Traffic from internal clients on the login-check path that proxy_filter did
// not send to the proxy. First match wins.
intern_filter :: IPClassifier(
  (dst host 192.168.102.3 or 192.168.103.3) and (dst tcp port www or https),  // 0: the portal itself -> host
  dst tcp www or https,                              // 1: other web -> throttle, redirect to portal
  dst udp port dns,                                  // 2: DNS -> routed upstream
  (src udp port bootpc) and (dst udp port bootps),   // 3: DHCP client->server -> dropped here
  -                                                  // 4: everything else -> notifier, dropped
);

// Second web path (intern_filter_group[2]): web -> throttle -> https_filter;
// anything that is not web is dropped.
www_filter :: IPClassifier(
  dst tcp www or https,
  -
);

// Split web into http (-> portal 9090) and https (-> portal 9443). Both of
// these classifiers only ever receive dst tcp www/https traffic, so their
// catch-all output 2 is unreachable (wired to discard / http_rewrite[0] for
// completeness).
https_filter :: IPClassifier(
  dst tcp www,
  dst tcp  https,
  -
);

https_filter_proxy :: IPClassifier(
  dst tcp www,
  dst tcp https,
  -
);

// Decides (by the wiring below) whether a client's web traffic goes through
// the proxy rewrite (output 0, port 880) or the portal path (output 1).
proxy_filter :: IPPortLookup();
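// Wiring of the policy groups. Note what each path bypasses:
//  - *_filter_group[0]: straight to routing (no throttle, no rewriting).
//  - intern_filter_group[1]: DNS handler -> proxy decision -> either the
//    proxy rewrite (http_rewrite input 2 = port 880) or intern_filter.
//  - intern_filter_group[2]: DNS handler -> www_filter (second web path).
intern_filter_group[0] -> routing_table;
intern_filter_group[1] -> [1]dnshandler[1] -> proxy_filter;
proxy_filter[0] -> [3]mac_throttle[3]
                -> [2]http_rewrite;
proxy_filter[1] -> intern_filter;
intern_filter_group[2] -> [2]dnshandler[2] -> www_filter;
dnshandler[4] -> routing_table;              // whatever DnsHandler itself emits (answers/forwards)

// External side: group output 0 passes the DNS handler and is routed;
// outputs 1 and 2 both enter dnshandler input 3, whose output 3 is dropped --
// only what DnsHandler moves to output 4 survives from those.
extern_filter_group[0] -> [0]dnshandler[0]
                       -> routing_table;
extern_filter_group[1] -> [3]dnshandler[3] -> discard;
extern_filter_group[2] -> [3]dnshandler;

// Not-yet-authenticated internal clients (outputs documented at intern_filter).
intern_filter[0] -> ethToLinux;              // the portal itself
// Line re-joined: the archive hard-wrapped it at 80 columns ("http_rewri" / "te;").
intern_filter[1] -> [1]mac_throttle[1] -> https_filter_proxy[0] -> [0]http_rewrite;
        https_filter_proxy[1] -> [3]http_rewrite;
        https_filter_proxy[2] -> [0]http_rewrite;   // unreachable: input is already www/https only

  http_rewrite[0] -> ethToLinux;             // redirected forward packets -> portal on the host
// DNS from unauthenticated clients is routed upstream after passing
// dnshandler input 1. NOTE(review): unless DnsHandler answers or filters these
// queries itself, this is an unrestricted DNS channel before login -- the
// classic DNS-tunnel bypass of a captive portal. Confirm what DnsHandler does
// with pass-through queries or rate-limit this edge.
intern_filter[2] -> routing_table;
// Broadcast DHCP and DHCP aimed at the router are diverted earlier by
// intern_local_filter, so this only catches DHCP aimed at other servers.
intern_filter[3] -> discard; //routing_table;
ip_notifier::IPNotifier(65);
intern_filter[4] -> [0]ip_notifier[0] -> discard;   // anything else: notify (custom), then drop



www_filter[0] -> [2]mac_throttle[2] -> https_filter[0] -> [0]http_rewrite;
https_filter[1] -> [3]http_rewrite;
https_filter[2] -> discard;                  // unreachable: input is already www/https only

www_filter[1] -> discard;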

// ======================= Validation Table =========================

// Client validation (custom HashIPLookup3/5): the internal table is keyed on
// MAC+IP, the others on IP only. Only one output of each is wired (0, or 1
// for the external table whose port pair 0 is tied off with Idle/discard),
// straight into the policy group. NOTE(review): what happens to a client that
// fails validation is not visible here -- presumably the element marks the
// packet for IPFilterGroup rather than dropping it; confirm, since this login
// check is the gate for the whole captive-portal flow.
intern_validation_table :: HashIPLookup3(); //check mac and ip
intern_validation_table[0] -> intern_filter_group; 

kernel_validation_table :: HashIPLookup5(); //check ip
kernel_validation_table[0] -> intern_filter_group; 

extern_validation_table :: HashIPLookup5();
  extern_validation_table[1] -> extern_filter_group;

Idle -> [0]extern_validation_table[0] -> discard;

// ========================= ip subnet filter ================

// Per-subnet policy lookup (custom LinearIPFilter2). Inputs: 0 intern,
// 1 extern, 2 kernel; four outputs per input, in this order:
// 0 - just block            -> discard
// 1 - just allow            -> routing_table (skips validation, throttling and
//                              rewriting entirely -- entries here are trusted)
// 2 - login check (default) -> validation table
// 3 - role check            -> policy group
// NOTE(review): the kernel input (2) is only fed from mac_validation_table[12],
// whose own input is Idle, so -- assuming the element maps input i to its own
// output group as the comments suggest -- outputs 8-11 and
// kernel_validation_table are unreachable in this configuration.
filter_table :: LinearIPFilter2();
// intern
filter_table[0] -> discard;
filter_table[1] -> routing_table; 
filter_table[2] -> [0]int
ern_validation_table;
filter_table[3] -> intern_filter_group;
// extern
filter_table[4] -> discard;
filter_table[5] -> routing_table; 
filter_table[6] -> [1]extern_validation_table;
filter_table[7] -> extern_filter_group;
// kernel
filter_table[8] -> discard;
filter_table[9] -> routing_table; 
filter_table[10] -> [0]kernel_validation_table;
filter_table[11] -> intern_filter_group;

// ======================= MAC Filter Table ========================

// Posture result table (custom): output 0 = certified -> policy group,
// output 1 = not certified -> subnet check.
certified_mac_table :: HashMacTable();

// First decision for every non-local packet from an interface: look up the
// source MAC (custom HashMACLookup5). Inputs: 0 intern, 1 extern, 2 kernel;
// five outputs per input:
// 0 - just block
// 1 - just allow (straight to routing, nothing else is checked)
// 2 - subnet check (default) -> filter_table
// 3 - role check -> policy group
// 4 - posture assesment -> certified_mac_table (intern) / policy group (others)
// NOTE(review): MAC-based admission is trivially spoofable on a shared
// wireless segment, and the "just allow" outputs here and in filter_table skip
// every later check, so the contents of these tables are the effective trust
// boundary of the whole configuration. The kernel input (2) is fed only by
// Idle, so outputs 10-14 appear to be dead.
mac_validation_table :: HashMACLookup5();

// intern
mac_validation_table[0] -> discard;
mac_validation_table[1] -> routing_table;
mac_validation_table[2] -> [0]filter_table;
mac_validation_table[3] -> intern_filter_group; 
mac_validation_table[4] -> [0]certified_mac_table;
  certified_mac_table[0] -> intern_filter_group; 
  certified_mac_table[1] -> [0]filter_table; 
// extern
mac_validation_table[5] -> discard;
mac_validation_table[6] -> routing_table;
mac_validation_table[7] -> [1]filter_table;
mac_validation_table[8] -> extern_filter_group; 
mac_validation_table[9] -> extern_filter_group;
// kernel
mac_validation_table[10] -> discard;
mac_validation_table[11] -> routing_table;
mac_validation_table[12] -> [2]filter_table;
mac_validation_table[13] -> intern_filter_group; 
mac_validation_table[14] -> intern_filter_group;

// =================== S/WISS packet rewrite ==================
// S/WISS (custom protocol: UDP 8900-8903/8995/8996, TCP 8999) arriving on the
// internal side: classify, then rewrite the destination to the local virtual
// address 192.168.103.3 keeping the port (rewriter input 0). Rewriter input 1
// is the passthrough used for host-originated packets (fed from
// kernel_local_filter).
swiss_filter :: IPClassifier(
  dst udp port 8900 or 8901 or 8902 or 8903 or 8995,   // 0: rewrite to 192.168.103.3
  dst udp port 8996,                                    // 1: dropped on the internal side
  dst tcp port 8999,                                    // 2: rewrite to 192.168.103.3
  -                                                     // 3: ordinary traffic -> intern_local_filter
);

swiss_rewriter :: IPRewriter(
  pattern - - 192.168.103.3 - 0 1,   // input 0: forward -> out 0, reverse -> out 1
  passthrough 2                      // input 1: unmapped packets -> out 2
);

 swiss_filter[1] -> discard;

// ===================== Kernel IP filter =====================

// Local-vs-forwarded split per ingress side (custom HashIPTable2, keyed on
// destination IP). Output semantics from the original comments:
//0 - non local            -> MAC admission (forwarding path)
//1 - local (ip)           -> host-bound filter
//2 - local (pptp, l2tp)   -> dropped on the internal side, host on the external side
//3 - bc                   -> host-bound filter
// Only the values 1 and 3 appear in the tables; how a packet ends up on
// output 2 is internal to the element.
intern_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1,
  192.168.103.255 3,
  255.255.255.255 3
);
// Host-originated packets: only the router's own addresses count as local.
kernel_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1
);

intern_local_filter[0] -> [0]mac_validation_table;
intern_local_filter[1] -> intern_kernel_filter;
intern_local_filter[2] -> discard;
intern_local_filter[3] -> intern_kernel_filter;

// S/WISS wiring: rewritten packets (dst 192.168.103.3) re-enter the local
// filter. NOTE(review): 192.168.103.3 is not in the table above; if the
// element reports it as non-local, these packets go through MAC admission and
// routing (where 192.168.103.3 falls in the internal subnet -> eth1) instead
// of reaching the host. A Counter() on swiss_rewriter[0] shows which.
swiss_filter[0] -> [0]swiss_rewriter;
swiss_filter[2] -> [0]swiss_rewriter;
swiss_filter[3] -> intern_local_filter;

swiss_rewriter[0] -> [0]intern_local_filter;
swiss_rewriter[1] -> routing_table;
swiss_rewriter[2] -> routing_table;

Idle -> [0]kernel_local_filter;

// Host-originated packets arrive on input 1 (from extern_swiss_filter[2]).
// NOTE(review): output 0 (non-local) is discarded. If HashIPTable2 sends
// non-matching packets to output 0 regardless of input port, every packet the
// Linux host sends to a non-router address via fake0/fake1 is dropped here --
// a direct candidate for "TX much lower than RX". Count this edge first.
kernel_local_filter[0] -> discard;
Idle -> [2]mac_validation_table;
kernel_local_filter[1] -> [1]swiss_rewriter;
kernel_local_filter[2] -> discard;
kernel_local_filter[3] -> discard;

extern_local_filter:: HashIPTable2(
  192.168.103.1 1,
  192.168.102.1 1,
  192.168.102.255 3,
  255.255.255.255 3
);
extern_local_filter[0] -> [1]mac_validation_table;
extern_local_filter[1] -> extern_kernel_filter;
// NOTE(review): unlike the internal side, the pptp/l2tp output goes straight
// to the host, bypassing extern_kernel_filter's drop of dst ports 1723/1701.
// If the element ever produces this output for external packets, those ports
// are reachable from outside after all; make this `discard` (as on the
// internal side) unless the bypass is intended.
extern_local_filter[2] -> ethToLinux;
extern_local_filter[3] -> extern_kernel_filter;


// ========================== Classfier =============================

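// Ethernet-level demux for frames from eth0 (external side).
// Byte offsets: 12 = EtherType, 20 = ARP opcode; with an 802.1Q tag everything
// shifts by 4 (16 / 24). `12/00%F8` is an 802.3 length field (< 0x0800),
// `14/AAAA 16/0300` a SNAP header, `18/000C` the OUI 00:00:0C (Cisco),
// `20/011D` its protocol id. Outputs:
//   0 IPv4                 3 VLAN-tagged IPv4
//   1 ARP request          4 VLAN-tagged ARP request
//   2 ARP reply            5 VLAN-tagged ARP reply
//   6 Cisco SNAP frame     7 VLAN-tagged Cisco SNAP frame
//   8 anything else -- notably IPv6 (86DD) -- silently dropped
// The last pattern was re-joined: the archive hard-wrapped it at 80 columns.
extern_classifier :: Classifier(12/0800,
                                12/0806 20/0001,
                                12/0806 20/0002,
                                12/8100 16/0800,
                                12/8100 16/0806 24/0001,
                                12/8100 16/0806 24/0002,
                                12/00%F8 14/AAAA 16/0300 18/000C 20/011D,
                                12/8100 16/00%F8 18/AAAA 20/0300 22/000C 24/011D,
                                -);

// IPv4 enters the custom ARP querier on port 3 (presumably to learn the
// sender's MAC) and leaves on port 3. NOTE(review): no CheckIPHeader is on
// this path -- unlike the host path at kernel_classifier -- so unless
// ARPQuerier2 validates and marks the IP header itself, every IPClassifier
// downstream works on unchecked headers from the untrusted side (length,
// checksum and options never verified). Confirm, or insert CheckIPHeader.
extern_classifier[0] -> [3]extern_arpq[3] -> extern_local_filter;
// ARP requests pass the querier (port 2) and are answered for extern_addr by
// ARPResponder3; the reply goes back out eth0.
extern_classifier[1] -> [2]extern_arpq[2] -> earp::ARPResponder3(extern_addr)
  -> extern_dev;
// ARP replies feed the querier's cache (port 1) and are also handed to the host.
extern_classifier[2] -> [1]extern_arpq[1] -> ethToLinux; 

// VLAN-tagged variants re-use the same querier ports. NOTE(review): the tag is
// not stripped here; whether ARPQuerier2 copes with the 4-byte offset is not
// visible in this config.
extern_classifier[3] -> [3]extern_arpq;
extern_classifier[4] -> [2]extern_arpq;
extern_classifier[5] -> [1]extern_arpq; 
// Cisco SNAP frames go to the host as-is.
extern_classifier[6] -> ethToLinux;
extern_classifier[7] -> ethToLinux;
extern_classifier[8] -> discard;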

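// Ethernet-level demux for frames from eth1 (internal side). Same offsets as
// extern_classifier, without the SNAP patterns; output 6 drops everything
// else (including IPv6).
intern_classifier :: Classifier(12/0800,
12/0806 20/0001,
                                12/0806 20/0002,
                                12/8100 16/0800,
                                12/8100 16/0806 24/0001,
                                12/8100 16/0806 24/0002,
                                -);

// ARP responder for intern_addr. Its two outputs are steered by paint colour:
// output 0 is repainted 0 (-> eth1), output 1 keeps whatever colour it has.
iarp::ARPResponder3(intern_addr);
  iarp[0] -> Paint(0) -> arp_switch;

  iarp[1] -> arp_switch;

// ARP replies from the LAN: one copy to the host, one to arp_switch.
iarp_tee::Tee(2);
  iarp_tee[0] -> ethToLinux;
  iarp_tee[1] -> arp_switch;

// IPv4: through the querier (port 3) into the S/WISS classifier. Same caveat
// as on the external side: no CheckIPHeader is visible on this path.
intern_classifier[0] -> [3]intern_arpq[3] -> swiss_filter;
// ARP requests are painted 1, pass the querier (port 2), then a PaintSwitch
// decides: colour 0 -> answer locally (iarp), colour 1 -> repaint 2 and let
// arp_switch[2] loop it back into iarp.
// Fix: the `iarpq_ps[0] -> iarp` statement had no terminating ';', so the
// parser would read the next line as part of it.
intern_classifier[1] -> iarpq_paint :: Paint(1) -> [2]intern_arpq; 
    intern_arpq[2] -> iarpq_ps :: PaintSwitch;
         iarpq_ps[0] -> iarp;
         iarpq_ps[1] -> Paint(2) -> arp_switch;

intern_classifier[2] -> iarpr_paint :: Paint(1) 
                     -> [1]intern_arpq[1] -> iarp_tee; 

// VLAN-tagged variants (tag not stripped; see extern_classifier).
intern_classifier[3] -> [3]intern_arpq;
intern_classifier[4] -> iarpq_paint;
intern_classifier[5] -> iarpr_paint;
intern_classifier[6] -> discard;

// Final ARP steering by paint colour: 0 -> eth1, 1 -> drop, 2 -> repaint 1 and
// answer via iarp.
arp_switch[0] -> intern_dev;
arp_switch[1] -> discard;
arp_switch[2] -> Paint(1) -> iarp;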

// Host-originated packets that are not web replies (http_filter[1]).
// Replies from UDP 8901/8902 go to extern_swiss_rewriter, which un-rewrites
// them for an existing mapping (reverse output 1 -> routing); in stock
// IPRewriter an unmapped packet on these inputs would instead get a fresh
// mapping to extern_vaddr and be handed back to the host on output 0.
// Everything else the host sends goes to kernel_local_filter input 1.
extern_swiss_filter :: IPClassifier(
  src udp port 8901,
  src udp port 8902,
  -);

extern_swiss_rewriter[1] -> routing_table;
extern_swiss_filter[0] -> [0]extern_swiss_rewriter;
extern_swiss_filter[1] -> [1]extern_swiss_rewriter;
extern_swiss_filter[2] -> [1]kernel_local_filter;

// Frames from the Linux host via the fake devices fake0/fake1.
kernel_classifier :: Classifier(12/0800,
                               12/0806 20/0001,
                               -);

// IPv4: the only place in this configuration where an IP header check is
// visible (CheckIPHeader2 at offset 14 = past the Ethernet header; the stock
// element validates length/version but not the checksum). Web replies from
// the portal/proxy address go to the rewriter's reverse input.
kernel_classifier[0] -> CheckIPHeader2(,14) -> http_filter;
http_filter[0] -> [1]http_rewrite;
    http_rewrite[1] -> routing_table;      // un-rewritten replies back toward the client
    http_rewrite[2] -> routing_table;      // passthrough: no mapping found
  http_filter[1] -> extern_swiss_filter; 
// ARP requests from the host are answered with the fixed dummy MAC that
// ethToLinux uses, so the host never ARPs on the real wire.
kernel_classifier[1] -> FakeARPResponder(00:01:02:03:04:05) -> toLinux;
kernel_classifier[2] -> discard;           // ARP replies and non-IPv4 from the host are dropped

// Physical ingress: wired eth0 is the external side, wireless eth1 internal.
fromWired :: FromDevice(eth0, BURST 8, QUIET 1) -> extern_classifier;
fromWireless :: FromDevice(eth1, BURST 8, QUIET 1) -> intern_classifier;

// Host-side pseudo devices. fake0 (192.168.102.1, /0 mask, i.e. the host's
// default route) and fake1 (192.168.103.1/24) feed kernel_classifier. fake3
// carries the host's 192.168.103.3 traffic straight onto eth1 with no
// classification or filtering at all (it also receives the DHCP copies from
// ToHostSniffers). fake2 and fake4 are sinks: anything the host routes
// through them is silently dropped -- check the host routing table first if
// host-originated packets "disappear".
FromHost(fake0, 192.168.102.1/0.0.0.0) -> kernel_classifier;
FromHost(fake2, 192.168.103.3/0.0.0.0) -> discard;
FromHost(fake3, 192.168.103.3/0.0.0.0) -> intern_dev;
FromHost(fake4, 192.168.102.3/0.0.0.0) -> discard;

FromHost(fake1, 192.168.103.1/255.255.255.0) -> kernel_classifier;

Re: [click] Re: click not routing pkts on the same interface it received

From:
Lars Bro
Date:
2014-03-27 @ 08:12
Maybe you should put in some Counter() elements instead of the chatter.
These can sometimes help figure out where the packets are lost. It is of
course especially interesting to have a Counter right before each ToDevice
(and in front of each Discard, so you can see which drop path is firing).

Lars Bro


On Wed, Mar 26, 2014 at 3:14 PM, sri <bskmohan@gmail.com> wrote:

> resending for any pointers....
>
> ---------- Forwarded message ----------
> From: sri <bskmohan@gmail.com>
> Date: Wed, Feb 26, 2014 at 12:59 AM
> Subject: click not routing pkts on the same interface it received
> To: click@amsterdam.lcs.mit.edu, click@pdos.csail.mit.edu
>
>
> Hello Click users/developers,
>
> I am working on a project that uses the Click Linux kernel module as a router.
> Recently there is an issue where Click does not respond on the same interface
> on which it received packets. This is seen by observing the RX and TX metrics:
> the TX count is much lower than the RX count.
>
> Attached is the click config.
> I tried adding "click_chatter" logs in LinearIPLookup's push() method, but
> that made Click and the device very slow.
> ---- snip of click_chatter logs ----
>
> click_chatter("FromHost::run_task: Src (%s) and Dst (%s) for Sri\n",
> (p->ip_header())->ip_src.s_addr, (p->ip_header())->ip_dst.s_addr);
>
> ---- snip of click_chatter logs ----
>
> Would request any pointers on what to verify and how to debug further.
>
> Thanks,
> Sri
>
>
>
> --
> --
>  Krishna Mohan B
>
>
> // ========================== Flag ================================
>
> ha_flag::Flag;
> master_flag::Flag;
> role_info::RoleInfo;
> user_flag::Flag;
> discard::Discard;
>
> // ====================== Address Info ============================
>
> AddressInfo
> (
>   extern_addr   192.168.102.1 eth0:eth,
>   intern_addr   192.168.103.1 eth1:eth,
>   extern_vaddr  192.168.102.3 eth0:eth,
>   intern_vaddr  192.168.103.3 eth1:eth
> );
>
> // ======================== Device Setup ==========================
>
> toLinux :: ToHost(ALLOW_NONEXISTENT 1);
> toLinuxFilter :: ToHostSniffers(fake3);
> ethToLinux :: EnsureEther2(0x0800, 00:01:02:03:04:05, 00:01:02:03:04:05)
>   -> toLinux;
>
> intern_dev :: Queue(4000) -> toWireless :: ToDevice(eth1, BURST 8, QUIET
> 1);
> extern_dev :: Queue(2000) -> toWired :: ToDevice(eth0, BURST 8, QUIET 1);
>
> //extern_rip2 ::RIPSend2(extern_vaddr, 192.168.102.255,
> 192.168.103.0/255.255.25
> 5.0, 1)
> //  -> EtherEncap(0x0800, extern_vaddr:eth, ff:ff:ff:ff:ff:ff)
> //  -> extern_dev;
>
> // ==================== kernel firewall filter =================
>
> mac_throttle :: MacThrottle();
> os_detector :: OsDetector();
> kernel_filter :: IPClassifier(
>   udp port bootps or bootpc,
>   -);
> kernel_filter[0] -> toLinuxFilter;
> kernel_filter[1] -> ethToLinux;
>
> extern_swiss_rewriter :: IPRewriter(
>   pattern - - extern_vaddr 8901 0 1,
>   pattern - - extern_vaddr 8902 0 1
> );
> extern_kernel_filter :: IPClassifier(
>   dst port 1723 or 1701 or 1241 or 8910,
>   dst tcp port 82 or 880,
>   dst udp port 8900 or 8901 or 8902 or 8903,
>   dst tcp port 80 or 443,
>   dst udp port 8995,
>   dst udp port 8996,
>   -);
> extern_kernel_filter[0] -> discard;
> extern_kernel_filter[1] -> discard;
> extern_kernel_filter[2] -> discard;
> extern_kernel_filter[3] -> [0]mac_throttle[0] -> ethToLinux;
> extern_kernel_filter[4] -> [0]extern_swiss_rewriter[0] -> ethToLinux;
> extern_kernel_filter[5] -> [1]extern_swiss_rewriter;
> extern_kernel_filter[6] -> ethToLinux;
>
> intern_kernel_filter :: IPClassifier(
>   dst port 1701,
>   dst tcp port 82 or 880,
>   dst tcp port 80 or 443,
>   udp port bootps or bootpc,
>   -);
> intern_kernel_filter[0] -> discard;
> intern_kernel_filter[1] -> discard;
> intern_kernel_filter[2] -> [0]os_detector[0] -> [0]mac_throttle;
> //[0]os_detector[0] -> [0]mac_throttle;
> intern_kernel_filter[3] -> toLinuxFilter;
> intern_kernel_filter[4] -> ethToLinux;
>
> // ======================== ARP querier ===========================
>
> extern_arpq :: ARPQuerier2(extern_addr);
> extern_arpq[0] -> extern_dev;
>
> intern_arpq :: ARPQuerier3(intern_addr);
>
> ipToIntern :: StripToNetworkHeader -> [0]intern_arpq;
> ipToExtern :: StripToNetworkHeader -> [0]extern_arpq;
>
> arp_switch :: PaintSwitch;
>
>   intern_arpq[4] -> Paint(0) -> arp_switch;
>
>   intern_arpq[0] -> intern_dev;
>
>
> // ======================== Http Rewriter =========================
>
> http_rewrite :: IPRewriter(
>   pattern - - 192.168.103.3 9090 0 1,   // http
>   passthrough 2,                // passthrough
>   pattern - - 192.168.103.3 880 0 1, // proxy
>   pattern - - 192.168.103.3 9443 0 1,  // https
>   TCP_TIMEOUT 30,
>   TCP_DONE_TIMEOUT 10,
>   REAP_TCP 30,
>   REAP_TCP_DONE 10
> );
>
> http_filter :: IPClassifier(
>   (src host 192.168.103.3) and
>   (src tcp port www or https or 82 or 880 or 9090 or 9443),
>   -
> );
>
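> // ========================== IP Routing ===========================
>
> // IP routing table (LinearIPLookup: longest matching prefix wins). Outputs:
> // 0: this router — both interface addresses, the network and broadcast
> //    addresses of both subnets, 255.255.255.255 and 0.0.0.0 -> kernel_filter
> // 1: eth0 side — 192.168.102.0/24 directly, plus the default route
> //    0.0.0.0/0 via the upstream gateway 192.168.102.254
> // 2: eth1 side — 192.168.103.0/24 directly
> // Entry format is ADDR/MASK [GATEWAY] OUTPUT; the explicit 0.0.0.0 gateway
> // on the limited-broadcast entry appears equivalent to giving none.
>
> real_routing_table :: LinearIPLookup(
>  192.168.103.1/32 0,
>  192.168.102.1/32 0,
>  192.168.103.0/255.255.255.0 2,
>  192.168.102.0/255.255.255.0 1,
>  192.168.103.255/32 0,
>  192.168.103.0/32 0,
>  192.168.102.255/32 0,
>  192.168.102.0/32 0,
>  255.255.255.255/32 0.0.0.0 0,
>  0.0.0.0/32 0,
>  0.0.0.0/0 192.168.102.254 1);
>
> // BWShaper is a local element. EXEMPTADDRS lists the two interface
> // addresses and the two virtual addresses, presumably so the router's own
> // traffic is never shaped — confirm against the element source.
> // (The argument lists had been split mid-address, "192.16" / "8.103.1", by
> // mail-client line wrapping, which would not parse; rejoined here.)
> //up_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
> //dn_shaper::BWShaper(192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
> up_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
> dn_shaper::BWShaper(EXEMPTADDRS 192.168.102.3 192.168.103.3 192.168.102.1 192.168.103.1);
>
> // Only the lookup result decides the egress interface; nothing here looks
> // at the ingress interface, so eth1 -> eth1 and eth0 -> eth0 forwarding
> // are decided entirely by whether the pre-routing filters admit the packet.
> real_routing_table[0] -> kernel_filter;
> real_routing_table[1] -> [0]up_shaper[0] -> ipToExtern;   // toward eth0
> real_routing_table[2] -> [1]dn_shaper[1] -> ipToIntern;   // toward eth1
>
> // dn_shaper port pair 0 is unused; Idle just keeps it connected.
> Idle -> [0]dn_shaper[0] -> discard;
>
> // routing_table is a pass-through compound element: one named hop that
> // every admitted flow joins. Packets reaching it have already been let
> // through by one of the MAC/IP/group filters and are not re-checked here.
> // NtlmLoginDetector (local element) sits inline before the lookup; whether
> // it drops anything cannot be told from this file.
> routing_table:: {input -> output};
> routing_table
>   -> nt_login_detector::NtlmLoginDetector()
>   -> real_routing_table;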
>
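> // ======================== Filters ===========================
>
> // IPFilterGroup is a local element; the argument lists ("3,0,0 all,-" and
> // "3,0,1 all,-") are not explained anywhere in this file — confirm their
> // meaning against the element source before changing them.
> intern_filter_group :: IPFilterGroup(3,0,0 all,-);
>
> extern_filter_group :: IPFilterGroup(3,0,1 all,-);
>
> dnshandler :: DnsHandler();
>
> // eth1 traffic that reached proxy_filter output 1 (via intern_filter_group
> // output 1 and dnshandler). Only four classes get anywhere:
> //   0: web to the virtual addresses 192.168.102.3/192.168.103.3 -> host
> //   1: any other web -> redirected to 192.168.103.3 by http_rewrite
> //   2: DNS -> routing_table
> //   3: DHCP client->server -> dropped here
> //   4: everything else -> ip_notifier, then dropped
> // NOTE(review): class 2 forwards DNS unrestricted and without passing
> // dnshandler. If this path is meant to be a pre-login walled garden,
> // open DNS forwarding is a well-known bypass/tunnelling channel; consider
> // restricting it to the local resolver.
> intern_filter :: IPClassifier(
>   (dst host 192.168.102.3 or 192.168.103.3) and (dst tcp port www or https),
>   dst tcp www or https,
>   dst udp port dns,
>   (src udp port bootpc) and (dst udp port bootps),
>   -
> );
>
> // eth1 traffic from intern_filter_group output 2: web is redirected,
> // everything else dropped.
> www_filter :: IPClassifier(
>   dst tcp www or https,
>   -
> );
>
> // Both https_* classifiers only ever receive www/https (from www_filter[0]
> // and intern_filter[1]), so their "-" outputs are unreachable in practice;
> // note they are wired differently anyway (discard vs. http_rewrite input 0).
> https_filter :: IPClassifier(
>   dst tcp www,
>   dst tcp  https,
>   -
> );
>
> https_filter_proxy :: IPClassifier(
>   dst tcp www,
>   dst tcp https,
>   -
> );
>
> // IPPortLookup is a local element: output 0 is sent to the proxy redirect
> // (http_rewrite input 2 -> port 880) after mac_throttle, output 1 falls
> // through to intern_filter.
> proxy_filter :: IPPortLookup();
> intern_filter_group[0] -> routing_table;
> intern_filter_group[1] -> [1]dnshandler[1] -> proxy_filter;
> proxy_filter[0] -> [3]mac_throttle[3] -> [2]http_rewrite;
> proxy_filter[1] -> intern_filter;
> intern_filter_group[2] -> [2]dnshandler[2] -> www_filter;
> dnshandler[4] -> routing_table;
>
> // eth0 side: group output 0 is routed (via dnshandler input 0); outputs 1
> // and 2 both end in dnshandler input 3, whose output 3 is discarded.
> extern_filter_group[0] -> [0]dnshandler[0] -> routing_table;
> extern_filter_group[1] -> [3]dnshandler[3] -> discard;
> extern_filter_group[2] -> [3]dnshandler;
>
> intern_filter[0] -> ethToLinux;
> // (This connection had been wrapped by the mail client in the middle of the
> // identifier "http_rewrite", which would not parse; rejoined here.)
> intern_filter[1] -> [1]mac_throttle[1] -> https_filter_proxy[0] -> [0]http_rewrite;
>         https_filter_proxy[1] -> [3]http_rewrite;
>         https_filter_proxy[2] -> [0]http_rewrite;
>
>   http_rewrite[0] -> ethToLinux;   // rewritten (redirected) flows go to the host
> intern_filter[2] -> routing_table;
> intern_filter[3] -> discard; //routing_table;
> // IPNotifier is a local element; the meaning of the argument 65 is not
> // visible here. Its output is dropped, so this branch is default-deny.
> ip_notifier::IPNotifier(65);
> intern_filter[4] -> [0]ip_notifier[0] -> discard;
>
> www_filter[0] -> [2]mac_throttle[2] -> https_filter[0] -> [0]http_rewrite;
> https_filter[1] -> [3]http_rewrite;
> https_filter[2] -> discard;
>
> www_filter[1] -> discard;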
>
> // ======================= Validation Table =========================
>
> // Per-host admission tables (local HashIPLookup* elements). Per the original
> // comments the intern table is keyed on MAC and IP, the kernel table on IP
> // only; extern is presumably IP-keyed too. Only the "known host" output is
> // wired here (output 0 for intern/kernel, output 1 for extern) and it leads
> // into the group filters.
> // NOTE(review): source MAC and IP are chosen by the sender. A host on the
> // same segment can reuse an already-admitted identity, so these tables are
> // an access-control convenience on top of the login flow, not
> // authentication in themselves.
> intern_validation_table :: HashIPLookup3(); //check mac and ip
> intern_validation_table[0] -> intern_filter_group;
>
> kernel_validation_table :: HashIPLookup5(); //check ip
> kernel_validation_table[0] -> intern_filter_group;
>
> extern_validation_table :: HashIPLookup5();
>   extern_validation_table[1] -> extern_filter_group;
>
> // Input 0 / output 0 of the extern table are unused; Idle keeps them connected.
> Idle -> [0]extern_validation_table[0] -> discard;
>
> // ========================= ip subnet filter ================
>
> // Per-address-range policy (LinearIPFilter2, local element). Outputs come
> // in groups of four with the same meaning in each group — intern 0-3,
> // extern 4-7, kernel 8-11 — selected by the input the packet arrived on:
> // 0 - just block
> // 1 - just allow
> // 2 - login check (default)
> // 3 - role check
> // NOTE(review): the "just allow" outputs (1, 5, 9) go straight to
> // routing_table and skip both the validation tables and the group filters,
> // so any range configured that way is fully trusted; keep those ranges tight.
> filter_table :: LinearIPFilter2();
> // intern
> filter_table[0] -> discard;
> filter_table[1] -> routing_table;
> filter_table[2] -> [0]intern_validation_table;
> filter_table[3] -> intern_filter_group;
> // extern
> filter_table[4] -> discard;
> filter_table[5] -> routing_table;
> filter_table[6] -> [1]extern_validation_table;
> filter_table[7] -> extern_filter_group;
> // kernel (input 2 — only fed from mac_validation_table output 12, see below)
> filter_table[8] -> discard;
> filter_table[9] -> routing_table;
> filter_table[10] -> [0]kernel_validation_table;
> filter_table[11] -> intern_filter_group;
>
> // ======================= MAC Filter Table ========================
>
> // Lookup of MACs that passed posture assessment (HashMacTable, local
> // element): output 0 certified -> group filter, output 1 not certified ->
> // back to the subnet filter.
> certified_mac_table :: HashMacTable();
>
> // Per-source-MAC policy (HashMACLookup5, local element). Five outputs per
> // input: intern 0-4, extern 5-9, kernel 10-14.
> // 0 - just block
> // 1 - just allow (straight to routing_table, no further check)
> // 2 - subnet check (default)
> // 3 - role check
> // 4 - posture assessment
> // NOTE(review): the decision key is the sender-supplied source MAC, which
> // is trivially spoofed on a shared segment; "just allow" entries in
> // particular should be treated as fully trusted hosts.
> mac_validation_table :: HashMACLookup5();
>
> // intern
> mac_validation_table[0] -> discard;
> mac_validation_table[1] -> routing_table;
> mac_validation_table[2] -> [0]filter_table;
> mac_validation_table[3] -> intern_filter_group;
> mac_validation_table[4] -> [0]certified_mac_table;
>   certified_mac_table[0] -> intern_filter_group;
>   certified_mac_table[1] -> [0]filter_table;
> // extern — note outputs 8 and 9 (role check and posture assessment) are
> // wired identically: there is no certified_mac_table hop on this side.
> mac_validation_table[5] -> discard;
> mac_validation_table[6] -> routing_table;
> mac_validation_table[7] -> [1]filter_table;
> mac_validation_table[8] -> extern_filter_group;
> mac_validation_table[9] -> extern_filter_group;
> // kernel — same collapse of 13/14 as on the extern side. Input 2 is only
> // fed by Idle in this file (Kernel IP filter section), so these outputs
> // appear to be dead unless something outside this file connects to it.
> mac_validation_table[10] -> discard;
> mac_validation_table[11] -> routing_table;
> mac_validation_table[12] -> [2]filter_table;
> mac_validation_table[13] -> intern_filter_group;
> mac_validation_table[14] -> intern_filter_group;
>
> // =================== S/WISS packet rewrite ==================
> // First hop for all IPv4 arriving on eth1 (from intern_arpq output 3).
> //   0: UDP 8900-8903 / 8995 -> rewritten to 192.168.103.3
> //   1: UDP 8996            -> dropped
> //   2: TCP 8999            -> rewritten to 192.168.103.3
> //   3: everything else     -> intern_local_filter
> swiss_filter :: IPClassifier(
>   dst udp port 8900 or 8901 or 8902 or 8903 or 8995,
>   dst udp port 8996,
>   dst tcp port 8999,
>   -
> );
>
> // Input 0: rewrite DADDR only (port kept, "-"), forward out 0, replies out 1.
> // Input 1: passthrough, out 2 (fed by kernel_local_filter output 1).
> swiss_rewriter :: IPRewriter(
>   pattern - - 192.168.103.3 - 0 1,
>   passthrough 2
> );
>
>  swiss_filter[1] -> discard;
>
> // ===================== Kernel IP filter =====================
>
> // Local-vs-forwarded split by destination address (HashIPTable2, local
> // element; output = table value, 0 when the address is not present).
> // Only values 1 and 3 appear in the static tables; value 2 would have to be
> // added at runtime.
> //0 - non local
> //1 - local (ip)
> //2 - local (pptp, l2tp)
> //3 - bc
> intern_local_filter:: HashIPTable2(
>   192.168.103.1 1,
>   192.168.102.1 1,
>   192.168.103.255 3,
>   255.255.255.255 3
> );
> kernel_local_filter:: HashIPTable2(
>   192.168.103.1 1,
>   192.168.102.1 1
> );
>
> // eth1: non-local -> MAC policy (input 0 = intern); local and broadcast ->
> // intern_kernel_filter; "pptp/l2tp" class is dropped (contrast eth0 below).
> intern_local_filter[0] -> [0]mac_validation_table;
> intern_local_filter[1] -> intern_kernel_filter;
> intern_local_filter[2] -> discard;
> intern_local_filter[3] -> intern_kernel_filter;
>
> swiss_filter[0] -> [0]swiss_rewriter;
> swiss_filter[2] -> [0]swiss_rewriter;
> swiss_filter[3] -> intern_local_filter;
>
> // NOTE(review): after the rewrite the destination is 192.168.103.3, which
> // is not a key in intern_local_filter's static table, so these packets
> // appear to take output 0 (non-local) and the full MAC/IP policy path
> // unless the element adds that address at runtime — confirm.
> swiss_rewriter[0] -> [0]intern_local_filter;
> swiss_rewriter[1] -> routing_table;
> swiss_rewriter[2] -> routing_table;
>
> // kernel_local_filter input 0 is unused (Idle); real host traffic enters on
> // input 1 from extern_swiss_filter output 2.
> Idle -> [0]kernel_local_filter;
>
> kernel_local_filter[0] -> discard;
> // No other connection to mac_validation_table input 2 (the "kernel" group)
> // is visible in this file, so that group of outputs never sees traffic.
> Idle -> [2]mac_validation_table;
> kernel_local_filter[1] -> [1]swiss_rewriter;
> kernel_local_filter[2] -> discard;
> kernel_local_filter[3] -> discard;
>
> extern_local_filter:: HashIPTable2(
>   192.168.103.1 1,
>   192.168.102.1 1,
>   192.168.102.255 3,
>   255.255.255.255 3
> );
> // eth0: non-local -> MAC policy (input 1 = extern); local/broadcast ->
> // extern_kernel_filter.
> // NOTE(review): output 2 ("pptp, l2tp") goes straight to the host and skips
> // extern_kernel_filter, whereas the eth1 side drops it. Harmless while no
> // table entry carries value 2, but a runtime entry would open an
> // unfiltered path from the untrusted side.
> extern_local_filter[0] -> [1]mac_validation_table;
> extern_local_filter[1] -> extern_kernel_filter;
> extern_local_filter[2] -> ethToLinux;
> extern_local_filter[3] -> extern_kernel_filter;
>
>
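> // ========================== Classifier =============================
>
> // Ethernet demux on raw frames (offset/value patterns, first match wins):
> //   12/0800                IPv4
> //   12/0806 20/0001        ARP request
> //   12/0806 20/0002        ARP reply
> //   12/8100 16/...         the same three inside an 802.1Q tag
> //   12/00%F8 14/AAAA ...   802.3 length field + LLC/SNAP (DSAP/SSAP 0xAAAA,
> //                          OUI 00:00:0c, type 0x011d), untagged and tagged
> //   -                      anything else
> // (The last tagged pattern had been wrapped across three lines by the mail
> // client; rejoined for readability — whitespace only.)
>
> extern_classifier :: Classifier(12/0800,
>                                 12/0806 20/0001,
>                                 12/0806 20/0002,
>                                 12/8100 16/0800,
>                                 12/8100 16/0806 24/0001,
>                                 12/8100 16/0806 24/0002,
>                                 12/00%F8 14/AAAA 16/0300 18/000C 20/011D,
>                                 12/8100 16/00%F8 18/AAAA 20/0300 22/000C 24/011D,
>                                 -);
>
> // eth0 ingress. IPv4 enters extern_arpq input 3 (a port the stock
> // ARPQuerier does not have) and then the local/non-local split; ARP
> // requests are answered for extern_addr; ARP replies go to the host.
> extern_classifier[0] -> [3]extern_arpq[3] -> extern_local_filter;
> extern_classifier[1] -> [2]extern_arpq[2] -> earp::ARPResponder3(extern_addr) -> extern_dev;
> extern_classifier[2] -> [1]extern_arpq[1] -> ethToLinux;
>
> // NOTE(review): 802.1Q-tagged frames (outputs 3-5) are fed into the same
> // ports as untagged ones with no visible VLAN decapsulation. If the
> // ARPQuerier2 inputs do not account for the 4-byte tag, everything
> // downstream parses the wrong offsets — confirm, or strip the tag here.
> // The SNAP frames (outputs 6, 7) bypass every IP filter and reach the host
> // directly; output 8 drops all other frame types.
> extern_classifier[3] -> [3]extern_arpq;
> extern_classifier[4] -> [2]extern_arpq;
> extern_classifier[5] -> [1]extern_arpq;
> extern_classifier[6] -> ethToLinux;
> extern_classifier[7] -> ethToLinux;
> extern_classifier[8] -> discard;
>
> // eth1 ingress: same demux without the SNAP patterns, so such frames from
> // eth1 are dropped by the catch-all.
> intern_classifier :: Classifier(12/0800,
>                                 12/0806 20/0001,
>                                 12/0806 20/0002,
>                                 12/8100 16/0800,
>                                 12/8100 16/0806 24/0001,
>                                 12/8100 16/0806 24/0002,
>                                 -);
>
> // ARP responder for intern_addr. Its replies are painted 0 (-> eth1 queue);
> // whatever leaves output 1 keeps its paint and is dispatched accordingly.
> iarp::ARPResponder3(intern_addr);
>   iarp[0] -> Paint(0) -> arp_switch;
>
>   iarp[1] -> arp_switch;
>
> // ARP replies seen on eth1 are duplicated: one copy to the host, one to
> // arp_switch (painted 1 by iarpr_paint -> dropped, unless intern_arpq
> // repaints).
> iarp_tee::Tee(2);
>   iarp_tee[0] -> ethToLinux;
>   iarp_tee[1] -> arp_switch;
>
> intern_classifier[0] -> [3]intern_arpq[3] -> swiss_filter;
> // ARP requests: painted 1, through intern_arpq input 2, then split by paint;
> // paint 2 is re-painted 1 and answered by iarp via arp_switch output 2.
> intern_classifier[1] -> iarpq_paint :: Paint(1) -> [2]intern_arpq;
>     intern_arpq[2] -> iarpq_ps :: PaintSwitch;
>          iarpq_ps[0] -> iarp;   // terminator added: this was the only connection without one
>          iarpq_ps[1] -> Paint(2) -> arp_switch;
>
> intern_classifier[2] -> iarpr_paint :: Paint(1) -> [1]intern_arpq[1] -> iarp_tee;
>
> // Tagged variants share the untagged paths — same caveat as on eth0.
> intern_classifier[3] -> [3]intern_arpq;
> intern_classifier[4] -> iarpq_paint;
> intern_classifier[5] -> iarpr_paint;
> intern_classifier[6] -> discard;
>
> // Paint dispatch: 0 -> wire (eth1), 1 -> drop, 2 -> responder.
> arp_switch[0] -> intern_dev;
> arp_switch[1] -> discard;
> arp_switch[2] -> Paint(1) -> iarp;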
>
> // Host-originated packets not claimed by http_filter. Replies sourced from
> // UDP 8901/8902 are reverse-mapped by extern_swiss_rewriter (inputs 0/1);
> // everything else continues to kernel_local_filter input 1.
> extern_swiss_filter :: IPClassifier(
>   src udp port 8901,
>   src udp port 8902,
>   -);
>
> extern_swiss_rewriter[1] -> routing_table;
> extern_swiss_filter[0] -> [0]extern_swiss_rewriter;
> extern_swiss_filter[1] -> [1]extern_swiss_rewriter;
> extern_swiss_filter[2] -> [1]kernel_local_filter;
>
> // Host egress demux: IPv4, ARP request, other.
> kernel_classifier :: Classifier(12/0800,
>                                12/0806 20/0001,
>                                -);
>
> // NOTE(review): this is the only IP header check visible in the file
> // (CheckIPHeader2, 14-byte Ethernet offset) and it guards the trusted host
> // side. The eth0/eth1 ingress paths show no CheckIPHeader; unless the
> // ARPQuerier2/3 input-3 ports validate the header, the IPClassifier and
> // IPRewriter chains run on unchecked lengths and checksums.
> kernel_classifier[0] -> CheckIPHeader2(,14) -> http_filter;
> http_filter[0] -> [1]http_rewrite;      // replies from 192.168.103.3 service ports: un-rewrite
>     http_rewrite[1] -> routing_table;   // reverse-mapped flows
>     http_rewrite[2] -> routing_table;   // passthrough flows
>   http_filter[1] -> extern_swiss_filter;
> // Host ARP requests are answered locally with a fixed MAC; they never hit
> // the wire through this path.
> kernel_classifier[1] -> FakeARPResponder(00:01:02:03:04:05) -> toLinux;
> kernel_classifier[2] -> discard;
>
> fromWired :: FromDevice(eth0, BURST 8, QUIET 1) -> extern_classifier;
> fromWireless :: FromDevice(eth1, BURST 8, QUIET 1) -> intern_classifier;
>
> // Fake host devices. fake0 and fake1 feed the kernel classifier. fake3 is
> // wired straight into the eth1 queue with no classifier, filter or shaper
> // in between. Host traffic sourced from the virtual addresses on fake2 and
> // fake4 is dropped.
> FromHost(fake0, 192.168.102.1/0.0.0.0) -> kernel_classifier;
> FromHost(fake2, 192.168.103.3/0.0.0.0) -> discard;
> FromHost(fake3, 192.168.103.3/0.0.0.0) -> intern_dev;
> FromHost(fake4, 192.168.102.3/0.0.0.0) -> discard;
>
> FromHost(fake1, 192.168.103.1/255.255.255.0) -> kernel_classifier;
>