d/freebsd-skq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to reflect new api

Browse Source 
Submitted by:	Max Laier <max@love2party.net>
Obtained from:	NetBSD (with changes)
This commit is contained in:
Sam Leffler 2003-09-25 20:49:28 +00:00
parent 8019c643f1
commit 89a688272a
1 changed files with 105 additions and 80 deletions

185
share/man/man9/pfil.9

@ -1,3 +1,5 @@
.\" $NetBSD: pfil.9,v 1.22 2003/07/01 13:04:06 wiz Exp $
.\"
.\" Copyright (c) 1996 Matthew R. Green .\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved. .\" All rights reserved.
.\" .\"
@ -25,105 +27,109 @@
.\" SUCH DAMAGE. .\" SUCH DAMAGE.
.\" .\"
.\" $FreeBSD$ .\" $FreeBSD$
.Dd August 4, 1996 .Dd September 8, 2003
.Dt PFIL 9 .Dt PFIL 9
.Os .Os
.Sh NAME .Sh NAME
.Nm pfil , .Nm pfil ,
.Nm pfil_head_register ,
.Nm pfil_head_unregister ,
.Nm pfil_head_get ,
.Nm pfil_hook_get , .Nm pfil_hook_get ,
.Nm pfil_add_hook , .Nm pfil_add_hook ,
.Nm pfil_remove_hook .Nm pfil_remove_hook ,
.Nm pfil_run_hooks
.Nd packet filter interface .Nd packet filter interface
.Sh SYNOPSIS .Sh SYNOPSIS
.In sys/param.h .In sys/param.h
.In sys/mbuf.h .In sys/mbuf.h
.In sys/socket.h
.In net/if.h .In net/if.h
.In net/pfil.h .In net/pfil.h
.Ft "struct packet_filter_hook *"
.Fn pfil_hook_get "int flag" "struct pfil_head *ph"
.Ft int .Ft int
.Fo pfil_add_hook .Fn pfil_head_register "struct pfil_head *head"
.Fa "int \*[lp]*func\*[rp]\*[lp]void *, int, struct ifnet *, int, struct mbuf **\*[rp]"
.Fa "int flags"
.Fa "struct pfil_head *ph"
.Fc
.Ft int .Ft int
.Fo pfil_remove_hook .Fn pfil_head_unregister "struct pfil_head *head"
.Fa "int \*[lp]*func\*[rp]\*[lp]void *, int, struct ifnet *, int, struct mbuf **\*[rp]" .Ft struct pfil_head *
.Fa "int flags" .Fn pfil_head_get "int af" "u_long dlt"
.Fa "struct pfil_head *ph" .Ft struct packet_filter_hook *
.Fc .Fn pfil_hook_get "int dir" "struct pfil_head *head"
.Ft void
.Fn pfil_add_hook "int (*func)()" "void *arg" "int flags" "struct pfil_head *"
.Ft void
.Fn pfil_remove_hook "int (*func)()" "void *arg" "int flags" "struct pfil_head *"
.Ft int
.Fn (*func) "void *arg" "struct mbuf **mp" "struct ifnet *" "int dir"
.Ft int
.Fn pfil_run_hooks "struct pfil_head *head" "struct mbuf **mp" "struct ifnet *" "int dir"
.Sh DESCRIPTION .Sh DESCRIPTION
The The
.Nm .Nm
interface allows a function to be called on every incoming or outgoing framework allows for a specified function to be invoked for every
packets. incoming or outgoing packet for a particular network I/O stream.
The hooks for these are embedded in the These hooks may be used to implement a firewall or perform packet
.Fn ip_input transformations.
and
.Fn ip_output
routines.
The
.Fn pfil_hook_get
function returns the first member of a particular hook, either the in or out
list.
The
.Fn pfil_add_hook
function takes a function of the form below as its first argument, and the
flags for which lists to add the function to.
The possible values for these
flags are some combination of
.Dv PFIL_IN
and
.Dv PFIL_OUT .
The
.Fn pfil_remove_hook
removes a hook from the specified lists.
.Pp .Pp
The Packet filtering points are registered with
.Fa func .Fn pfil_head_register .
argument is a function with the following prototype. Filtering points are identified by a key (void *) and a data link type
.Pp (int) in the
.Ft int .Em pfil_head
.Fn func "void *data" "int hlen" "struct ifnet *net" "int dir" "struct mbuf **m"
.Pp
The
.Fa data
describes the packet.
Currently, this may only be a pointer to an
.Vt ip
structure. structure.
The Packet filters use the key and data link type to look up the filtering
.Fa net point with which they register themselves.
The key is unique to the filtering point.
The data link type is a
.Xr bpf 4
DLT constant indicating what kind of header is present on the packet
at the filtering point.
Filtering points may be unregistered with the
.Fn pfil_head_unregister
function.
.Pp
Packet filters register/unregister themselves with a filtering point
with the
.Fn pfil_add_hook
and and
.Fa m .Fn pfil_remove_hook
arguments describe the network interface and the mbuf holding data for this functions, respectively.
packet. The head is looked up using the
The .Fn pfil_head_get
.Fa dir function, which takes the key and data link type that the packet filter
is the direction; 0 for incoming packets and 1 for outgoing packets. expects.
If the function Filters may provide an argument to be passed to the filter when
returns non-zero, this signals an error and no further processing of this packet is invoked on a packet.
performed. .Pp
The function should set When a filter is invoked, the packet appears just as if it
.Va errno .Dq came off the wire .
to indicate the nature of the error. That is, all protocol fields are in network byte order.
It is the hook's responsibility to free the chain if the packet is being dropped. The filter is called with its specified argument, the pointer to the
pointer to the mbuf containing the packet, the pointer to the network
interface that the packet is traversing, and the direction (PFIL_IN
or PFIL_OUT) that the packet is traveling.
The filter may change which mbuf the mbuf ** argument references.
The filter returns an errno if the packet processing is to stop, or 0
if the processing is to continue.
If the packet processing is to stop, it is the responsibility of the
filter to free the packet.
.Pp .Pp
The The
.Nm .Nm
interface is enabled in the kernel via the interface is enabled in the kernel via the
.Cd PFIL_HOOKS .Sy PFIL_HOOKS
option. option.
.Sh RETURN VALUES .Sh RETURN VALUES
If successful, If successful,
.Fn pfil_hook_get .Fn pfil_head_get
returns the first member of the packet filter list, returns the pfil_head structure for the given key/dlt.
.Fn pfil_add_hook .Fn pfil_add_hook
and and
.Fn pfil_remove_hook .Fn pfil_remove_hook
are expected to always succeed. return 0 if successful. If called with flag PFIL_WAITOK,
.Fn pfil_remove_hook
is expected to always succeed.
.Pp
.Fn pfil_head_unregister
might sleep!
.Sh HISTORY .Sh HISTORY
The The
.Nm .Nm
@ -132,7 +138,7 @@ interface first appeared in
The The
.Nm .Nm
input and output lists were originally implemented as input and output lists were originally implemented as
.In sys/queue.h .Fd \*[Lt]sys/queue.h\*[Gt]
.Dv LIST .Dv LIST
structures; structures;
however this was changed in however this was changed in
@ -140,9 +146,8 @@ however this was changed in
to to
.Dv TAILQ .Dv TAILQ
structures. structures.
This change was to allow the input and output filters to be This change was to allow the input and output filters to be processed in
processed in reverse order, to allow the same path to be taken, in or out reverse order, to allow the same path to be taken, in or out of the kernel.
of the kernel.
.Pp .Pp
The The
.Nm .Nm
@ -151,11 +156,31 @@ interface was changed in 1.4T to accept a 3rd parameter to both
and and
.Fn pfil_remove_hook , .Fn pfil_remove_hook ,
introducing the capability of per-protocol filtering. introducing the capability of per-protocol filtering.
This was done This was done primarily in order to support filtering of IPv6.
primarily in order to support filtering of IPv6. .Pp
.Sh BUGS In 1.5K, the
The current
.Nm .Nm
implementation will need changes to suit a threaded kernel model. framework was changed to work with an arbitrary number of filtering points,
as well as be less IP-centric.
.Pp
Fine-grained locking was adding in FreeBSD 5.2.
.Sh BUGS
.Fn pfil_hook_get
is only safe for internal use.
.Pp
FreeBSD implements only hooks for AF_INET and AF_INET6.
Packets diverted through these hooks have data in
host byte order contrary to the above statements.
.Pp
The
.Xr bridge 4
diverts inbound AF_INET traffic, but contrary to the above
statements, the data is provided in host byte order.
.Pp
When a pfil_head is being modified no traffic is diverted
(to avoid deadlock).
This means that unwanted traffic may flow for a short period
of time.
.Sh SEE ALSO .Sh SEE ALSO
.Xr bpf 4 .Xr bpf 4 ,
.Xr bridge 4