0dded3391e
PR: 167810 Submitted by: Bryan Drewery {bryan!shatow%net} (hackers lounge) Found with: textproc/igor MFC after: 3 days
236 lines
7.3 KiB
Groff
236 lines
7.3 KiB
Groff
.\" Copyright (c) 2010 Maxim Ignatenko <gelraen.ua@gmail.com>
|
|
.\" Copyright (c) 2010 Vadim Goncharov <vadimnuclight@tpu.ru>
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd March 5, 2012
|
|
.Dt NG_PATCH 4
|
|
.Os
|
|
.Sh NAME
|
|
.Nm ng_patch
|
|
.Nd "trivial mbuf data modifying netgraph node type"
|
|
.Sh SYNOPSIS
|
|
.In netgraph/ng_patch.h
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm patch
|
|
node performs data modification of packets passing through it.
|
|
Modifications are restricted to a subset of C language operations
|
|
on unsigned integers of 8, 16, 32 or 64 bit size.
|
|
These are: set to new value (=), addition (+=), subtraction (-=),
|
|
multiplication (*=), division (/=), negation (= -),
|
|
bitwise AND (&=), bitwise OR (|=), bitwise eXclusive OR (^=),
|
|
shift left (<<=), shift right (>>=).
|
|
A negation operation is the one exception: integer is treated as signed
|
|
and second operand (the
|
|
.Va value )
|
|
is not used.
|
|
There may be several modification operations, they are all applied
|
|
to a packet sequentially in order they were specified by user.
|
|
Data payload of packet is viewed as array of bytes, with zero offset
|
|
corresponding to the very first byte of packet headers, and
|
|
.Va length
|
|
bytes beginning from
|
|
.Va offset
|
|
are taken as a single integer in network byte order.
|
|
.Sh HOOKS
|
|
This node type has two hooks:
|
|
.Bl -tag -width indent
|
|
.It Va in
|
|
Packets received on this hook are modified according to rules specified
|
|
in config and then forwarded to
|
|
.Ar out
|
|
hook, if it exists and connected.
|
|
Otherwise they are reflected back to the
|
|
.Ar in
|
|
hook.
|
|
.It Va out
|
|
Packets received on this hook are forwarded to
|
|
.Ar in
|
|
hook without any changes.
|
|
.El
|
|
.Sh CONTROL MESSAGES
|
|
This node type supports the generic control messages, plus the following:
|
|
.Bl -tag -width indent
|
|
.It Dv NGM_PATCH_SETCONFIG Pq Li setconfig
|
|
This command sets the sequence of modify operations
|
|
that will be applied to incoming data on a hook.
|
|
The following
|
|
.Vt "struct ng_patch_config"
|
|
must be supplied as an argument:
|
|
.Bd -literal -offset 4n
|
|
struct ng_patch_op {
|
|
uint64_t value;
|
|
uint32_t offset;
|
|
uint16_t length; /* 1,2,4 or 8 bytes */
|
|
uint16_t mode;
|
|
};
|
|
/* Patching modes */
|
|
#define NG_PATCH_MODE_SET 1
|
|
#define NG_PATCH_MODE_ADD 2
|
|
#define NG_PATCH_MODE_SUB 3
|
|
#define NG_PATCH_MODE_MUL 4
|
|
#define NG_PATCH_MODE_DIV 5
|
|
#define NG_PATCH_MODE_NEG 6
|
|
#define NG_PATCH_MODE_AND 7
|
|
#define NG_PATCH_MODE_OR 8
|
|
#define NG_PATCH_MODE_XOR 9
|
|
#define NG_PATCH_MODE_SHL 10
|
|
#define NG_PATCH_MODE_SHR 11
|
|
|
|
struct ng_patch_config {
|
|
uint32_t count;
|
|
uint32_t csum_flags;
|
|
struct ng_patch_op ops[];
|
|
};
|
|
.Ed
|
|
.Pp
|
|
The
|
|
.Va csum_flags
|
|
can be set to any combination of CSUM_IP, CSUM_TCP, CSUM_SCTP and CSUM_UDP
|
|
(other values are ignored) for instructing the IP stack to recalculate the
|
|
corresponding checksum before transmitting packet on output interface.
|
|
The
|
|
.Nm
|
|
node does not do any checksum correction by itself.
|
|
.It Dv NGM_PATCH_GETCONFIG Pq Li getconfig
|
|
This control message obtains current set of modify operations,
|
|
returned as
|
|
.Vt "struct ng_patch_config" .
|
|
.It Dv NGM_PATCH_GET_STATS Pq Li getstats
|
|
Returns node statistics as a
|
|
.Vt "struct ng_patch_stats" .
|
|
.It Dv NGM_PATCH_CLR_STATS Pq Li clrstats
|
|
Clear node statistics.
|
|
.It Dv NGM_PATCH_GETCLR_STATS Pq Li getclrstats
|
|
This command is identical to
|
|
.Dv NGM_PATCH_GET_STATS ,
|
|
except that the statistics are also atomically cleared.
|
|
.El
|
|
.Sh SHUTDOWN
|
|
This node shuts down upon receipt of a
|
|
.Dv NGM_SHUTDOWN
|
|
control message, or when all hooks have been disconnected.
|
|
.Sh EXAMPLES
|
|
The
|
|
.Nm
|
|
node allows to modify TTL and TOS/DSCP fields in IP packets.
|
|
Suppose you have two adjacent simplex links to remote network
|
|
(e.g.\& satellite), so that the packets expiring in between
|
|
will generate unwanted ICMP-replies which have to go forth, not back.
|
|
Thus you need to raise TTL of every packet entering link by 2
|
|
to ensure the TTL will not reach zero there.
|
|
So you setup
|
|
.Xr ipfw 8
|
|
rule with
|
|
.Cm netgraph
|
|
action to inject packets going to other end of simplex link by the
|
|
following
|
|
.Xr ngctl 8
|
|
script:
|
|
.Bd -literal -offset 4n
|
|
/usr/sbin/ngctl -f- <<-SEQ
|
|
mkpeer ipfw: patch 200 in
|
|
name ipfw:200 ttl_add
|
|
msg ttl_add: setconfig { count=1 csum_flags=1 ops=[ \e
|
|
{ mode=2 value=3 length=1 offset=8 } ] }
|
|
SEQ
|
|
/sbin/ipfw add 150 netgraph 200 ip from any to simplex.remote.net
|
|
.Ed
|
|
.Pp
|
|
Here
|
|
.Dq Li ttl_add
|
|
node of type
|
|
.Nm
|
|
configured to add (mode
|
|
.Dv NG_PATCH_MODE_ADD )
|
|
a
|
|
.Va value
|
|
of 3 to a one-byte TTL field, which is 9th byte of IP packet header.
|
|
.Pp
|
|
Another example would be two consecutive modifications of packet TOS
|
|
field: say, you need to clear the
|
|
.Dv IPTOS_THROUGHPUT
|
|
bit and set the
|
|
.Dv IPTOS_MINCOST
|
|
bit.
|
|
So you do:
|
|
.Bd -literal -offset 4n
|
|
/usr/sbin/ngctl -f- <<-SEQ
|
|
mkpeer ipfw: patch 300 in
|
|
name ipfw:300 tos_chg
|
|
msg tos_chg: setconfig { count=2 csum_flags=1 ops=[ \e
|
|
{ mode=7 value=0xf7 length=1 offset=1 } \e
|
|
{ mode=8 value=0x02 length=1 offset=1 } ] }
|
|
SEQ
|
|
/sbin/ipfw add 160 netgraph 300 ip from any to any not dst-port 80
|
|
.Ed
|
|
.Pp
|
|
This first does
|
|
.Dv NG_PATCH_MODE_AND
|
|
clearing the fourth bit and then
|
|
.Dv NG_PATCH_MODE_OR
|
|
setting the third bit.
|
|
.Pp
|
|
In both examples the
|
|
.Va csum_flags
|
|
field indicates that IP checksum (but not TCP or UDP checksum) should be
|
|
recalculated before transmit.
|
|
.Pp
|
|
Note: one should ensure that packets are returned to ipfw after processing
|
|
inside
|
|
.Xr netgraph 4 ,
|
|
by setting appropriate
|
|
.Xr sysctl 8
|
|
variable:
|
|
.Bd -literal -offset 4n
|
|
sysctl net.inet.ip.fw.one_pass=0
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr netgraph 4 ,
|
|
.Xr ng_ipfw 4 ,
|
|
.Xr ngctl 8
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
node type was implemented in
|
|
.Fx 8.1 .
|
|
.Sh AUTHORS
|
|
.An "Maxim Ignatenko" Aq gelraen.ua@gmail.com .
|
|
This manual page was written by
|
|
.An "Vadim Goncharov" Aq vadimnuclight@tpu.ru .
|
|
.Sh BUGS
|
|
Node blindly tries to apply every patching operation to each packet
|
|
(except those which offset if greater than length of the packet),
|
|
so be sure that you supply only the right packets to it (e.g. changing
|
|
bytes in the ARP packets meant to be in IP header could corrupt
|
|
them and make your machine unreachable from the network).
|
|
.Pp
|
|
.Em !!! WARNING !!!
|
|
.Pp
|
|
Output path of the IP stack assumes correct fields and lengths in the
|
|
packets - changing them by mistake to incorrect values can cause
|
|
unpredictable results including kernel panics.
|