193 lines
6.5 KiB
Groff
193 lines
6.5 KiB
Groff
.\" Copyright (c) 1999 Whistle Communications, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Subject to the following obligations and disclaimer of warranty, use and
|
|
.\" redistribution of this software, in source or object code forms, with or
|
|
.\" without modifications are expressly permitted by Whistle Communications;
|
|
.\" provided, however, that:
|
|
.\" 1. Any and all reproductions of the source or object code must include the
|
|
.\" copyright notice above and the following disclaimer of warranties; and
|
|
.\" 2. No rights are granted, in any manner or form, to use Whistle
|
|
.\" Communications, Inc. trademarks, including the mark "WHISTLE
|
|
.\" COMMUNICATIONS" on advertising, endorsements, or otherwise except as
|
|
.\" such appears in the above copyright notice or in the software.
|
|
.\"
|
|
.\" THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS", AND
|
|
.\" TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO
|
|
.\" REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE,
|
|
.\" INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
|
|
.\" WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY
|
|
.\" REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS
|
|
.\" SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.
|
|
.\" IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES
|
|
.\" RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING
|
|
.\" WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
|
|
.\" PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR
|
|
.\" SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY
|
|
.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
|
|
.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY
|
|
.\" OF SUCH DAMAGE.
|
|
.\"
|
|
.\" Author: Archie Cobbs <archie@FreeBSD.org>
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $
|
|
.\"
|
|
.Dd December 2, 1999
|
|
.Dt NG_BPF 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ng_bpf
|
|
.Nd Berkeley packet filter netgraph node type
|
|
.Sh SYNOPSIS
|
|
.Fd #include <net/bpf.h>
|
|
.Fd #include <netgraph/ng_bpf.h>
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm bpf
|
|
node type allows Berkeley Packet Filter (see
|
|
.Xr bpf 4 )
|
|
filters to be applied to data travelling through a Netgraph network.
|
|
Each node allows an arbitrary number of connections to arbitrarily
|
|
named hooks. With each hook is associated a
|
|
.Xr bpf 4
|
|
filter program which is applied to incoming data only, a destination hook
|
|
for matching packets, a destination hook for non-matching packets,
|
|
and various statistics counters.
|
|
.Pp
|
|
A
|
|
.Xr bpf 4
|
|
program returns an unsigned integer, which is normally interpreted as
|
|
the length of the prefix of the packet to return. In the context of this
|
|
node type, returning zero is considered a non-match, in which case the
|
|
entire packet is delivered out the non-match destination hook.
|
|
Returning a value greater than zero causes the packet to be truncated
|
|
to that length and delivered out the match destination hook.
|
|
Either or both destination hooks may be the empty string, or may
|
|
not exist, in which case the packet is dropped.
|
|
.Pp
|
|
New hooks are initially configured to drop all packets.
|
|
A new filter program may be installed using the
|
|
.Dv NGM_BPF_SET_PROGRAM
|
|
control message.
|
|
.Sh HOOKS
|
|
This node type supports any number of hooks having arbitrary names.
|
|
.Sh CONTROL MESSAGES
|
|
This node type supports the generic control messages, plus the following:
|
|
.Bl -tag -width foo
|
|
.It Dv NGM_BPF_SET_PROGRAM
|
|
This command sets the filter program that will be applied to incoming
|
|
data on a hook. The following structure must be supplied as an argument:
|
|
.Bd -literal -offset 4n
|
|
struct ng_bpf_hookprog {
|
|
char thisHook[NG_HOOKLEN+1]; /* name of hook */
|
|
char ifMatch[NG_HOOKLEN+1]; /* match dest hook */
|
|
char ifNotMatch[NG_HOOKLEN+1]; /* !match dest hook */
|
|
int32_t bpf_prog_len; /* #isns in program */
|
|
struct bpf_insn bpf_prog[0]; /* bpf program */
|
|
};
|
|
.Ed
|
|
.Pp
|
|
The hook to be updated is specified in
|
|
.Dv thisHook .
|
|
The BPF program is the sequence of instructions in the
|
|
.Dv bpf_prog
|
|
array; there must be
|
|
.Dv bpf_prog_len
|
|
of them.
|
|
Matching and non-matching incoming packets are delivered out the hooks named
|
|
.Dv ifMatch
|
|
and
|
|
.Dv ifNotMatch ,
|
|
respectively. The program must be a valid
|
|
.Xr bpf 4
|
|
program or else
|
|
.Er EINVAL
|
|
is returned.
|
|
.It Dv NGM_BPF_GET_PROGRAM
|
|
This command takes an
|
|
.Tn ASCII
|
|
string argument, the hook name, and returns the
|
|
corresponding
|
|
.Dv "struct ng_bpf_hookprog"
|
|
as shown above.
|
|
.It Dv NGM_BPF_GET_STATS
|
|
This command takes an
|
|
.Tn ASCII
|
|
string argument, the hook name, and returns the
|
|
statistics associated with the hook as a
|
|
.Dv "struct ng_bpf_hookstat" .
|
|
.It Dv NGM_BPF_CLR_STATS
|
|
This command takes an
|
|
.Tn ASCII
|
|
string argument, the hook name, and clears the
|
|
statistics associated with the hook.
|
|
.It Dv NGM_BPF_GETCLR_STATS
|
|
This command is identical to
|
|
.Dv NGM_BPF_GET_STATS ,
|
|
except that the statistics are also atomically cleared.
|
|
.El
|
|
.Sh SHUTDOWN
|
|
This node shuts down upon receipt of a
|
|
.Dv NGM_SHUTDOWN
|
|
control message, or when all hooks have been disconnected.
|
|
.Sh EXAMPLES
|
|
It is possible to configure a node from the command line, using
|
|
.Xr tcpdump 1
|
|
to generate raw BPF instructions which are then fed into an
|
|
.Xr awk 1
|
|
script to create the ASCII form of a
|
|
.Dv NGM_BPF_SET_PROGRAM
|
|
control message, as demonstrated here:
|
|
.Bd -literal -offset 4n
|
|
#!/bin/sh
|
|
|
|
PATTERN="tcp dst port 80"
|
|
NODEPATH="my_node:"
|
|
INHOOK="hook1"
|
|
MATCHHOOK="hook2"
|
|
NOTMATCHHOOK="hook3"
|
|
|
|
cat > /tmp/bpf.awk << xxENDxx
|
|
{
|
|
if (!init) {
|
|
printf "bpf_prog_len=%d bpf_prog=[", \\$1;
|
|
init=1;
|
|
} else {
|
|
printf " { code=%d jt=%d jf=%d k=%d }", \\$1, \\$2, \\$3, \\$4;
|
|
}
|
|
}
|
|
END {
|
|
print " ]"
|
|
}
|
|
xxENDxx
|
|
|
|
BPFPROG=`tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk`
|
|
|
|
ngctl msg ${NODEPATH} setprogram { thisHook=\\"${INHOOK}\\" \\
|
|
ifMatch=\\"${MATCHHOOK}\\" \\
|
|
ifNotMatch=\\"${NOTMATCHHOOK}\\" \\
|
|
${BPFPROG} } }
|
|
.Ed
|
|
.Sh BUGS
|
|
When built as a loadable kernel module, this module includes the file
|
|
.Pa net/bpf_filter.c .
|
|
Although loading the module should fail if
|
|
.Pa net/bpf_filter.c
|
|
already exists in the kernel, currently it does not, and the duplicate
|
|
copies of the file do not interfere.
|
|
However, this may change in the future.
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
node type was implemented in
|
|
.Fx 4.0 .
|
|
.Sh SEE ALSO
|
|
.Xr bpf 4 ,
|
|
.Xr netgraph 4 ,
|
|
.Xr ngctl 8
|
|
.Sh AUTHORS
|
|
.An Archie Cobbs Aq archie@FreeBSD.org
|