.\" Copyright (c) 2005 Gleb Smirnoff
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd February 5, 2005
.Dt NG_IPFW 4
.Os
.Sh NAME
.Nm ng_ipfw
.Nd interface between netgraph and IP firewall
.Sh SYNOPSIS
.In netgraph/ng_ipfw.h
.Sh DESCRIPTION
The
.Nm ipfw
node implements the interface between
.Xr ipfw 4
and
.Xr netgraph 4
subsystems.
.Sh HOOKS
The
.Nm ipfw
node supports an arbitrary number of hooks,
which must be named using only numeric characters.
.Sh OPERATION
Once the
.Nm
module is loaded into the kernel, a single node named
.Va ipfw
is automatically created.
No more
.Nm ipfw
nodes can be created.
Once destroyed, the only way to recreate the node is to reload the
.Nm
module.
.Pp
Packets can be injected into
.Xr netgraph 4
using either the
.Cm netgraph
or
.Cm ngtee
commands of the
.Xr ipfw 8
utility.
These commands require a numeric cookie to be supplied as an argument.
Packets are sent out of the hook whose name equals the cookie value.
If no hook matches, packets are discarded.
Packets injected via the
.Cm netgraph
command are tagged with
.Vt "struct ng_ipfw_tag" .
This tag contains information that helps the packet to re-enter
.Xr ipfw 4
processing, should the packet come back from
.Xr netgraph 4
to
.Xr ipfw 4 .
.Bd -literal -offset 4n
/*
 * Tag attached to packets injected into netgraph(4) by the ipfw(8)
 * "netgraph" command.  It carries what the packet needs to re-enter
 * ipfw(4) processing at the next rule if it comes back from netgraph(4);
 * packets returning without this tag are discarded.
 */
struct ng_ipfw_tag {
struct m_tag mt; /* tag header */
struct ip_fw *rule; /* matching rule; NOTE(review): a raw pointer is only
 * meaningful while that rule still exists -- confirm how
 * re-entry handles a ruleset change made while the packet
 * was away in netgraph(4) */
struct ifnet *ifp; /* interface, for ip_output */
int dir; /* packet direction */
#define NG_IPFW_OUT 0
#define NG_IPFW_IN 1
int flags; /* flags, for ip_output() */
};
.Ed
.Pp
Packets received by a node from
.Xr netgraph 4
must be tagged with
.Vt "struct ng_ipfw_tag"
tag.
Packets re-enter IP firewall processing at the next rule.
If no tag is supplied, packets are discarded.
.Sh CONTROL MESSAGES
This node type supports only the generic control messages.
.Sh SHUTDOWN
This node shuts down upon receipt of a
.Dv NGM_SHUTDOWN
control message.
Avoid doing so, since a new
.Nm ipfw
node can only be created by reloading the
.Nm
module.
.Sh SEE ALSO
.Xr ipfw 4 ,
.Xr netgraph 4 ,
.Xr ipfw 8 ,
.Xr mbuf_tags 9
.Sh HISTORY
The
.Nm ipfw
node type was implemented in
.Fx 6.0 .
.Sh AUTHORS
The
.Nm ipfw
node was written by
.An "Gleb Smirnoff" Aq glebius@FreeBSD.org .