<table class="head">
<tr>
<td class="head-ltitle">NG_IPFW(4)</td>
<td class="head-vol">Device Drivers Manual</td>
<td class="head-rtitle">NG_IPFW(4)</td>
</tr>
</table>
<div class="manual-text">
<section class="Sh">
<h1 class="Sh" id="NAME"><a class="permalink" href="#NAME">NAME</a></h1>
<p class="Pp"><code class="Nm">ng_ipfw</code> —
<span class="Nd">interface between netgraph and IP firewall</span></p>
</section>
<section class="Sh">
<h1 class="Sh" id="SYNOPSIS"><a class="permalink" href="#SYNOPSIS">SYNOPSIS</a></h1>
<p class="Pp"><code class="In">#include
&lt;<a class="In">netinet/ip_var.h</a>&gt;</code>
<br/>
<code class="In">#include
&lt;<a class="In">netgraph/ng_ipfw.h</a>&gt;</code></p>
</section>
<section class="Sh">
<h1 class="Sh" id="DESCRIPTION"><a class="permalink" href="#DESCRIPTION">DESCRIPTION</a></h1>
<p class="Pp">The <code class="Nm">ipfw</code> node implements the interface between the
<a class="Xr">ipfw(4)</a> and <a class="Xr">netgraph(4)</a> subsystems.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="HOOKS"><a class="permalink" href="#HOOKS">HOOKS</a></h1>
<p class="Pp">The <code class="Nm">ipfw</code> node supports an arbitrary number
of hooks, which must be named using only numeric characters.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="OPERATION"><a class="permalink" href="#OPERATION">OPERATION</a></h1>
<p class="Pp">Once the <code class="Nm">ng_ipfw</code> module is loaded into the
kernel, a single node named <var class="Va">ipfw</var> is automatically
created. No more <code class="Nm">ipfw</code> nodes can be created. Once
destroyed, the only way to recreate the node is to reload the
<code class="Nm">ng_ipfw</code> module.</p>
<p class="Pp">Packets can be injected into <a class="Xr">netgraph(4)</a> using
either the <code class="Cm">netgraph</code> or <code class="Cm">ngtee</code>
commands of the <a class="Xr">ipfw(8)</a> utility. These commands require a
numeric cookie to be supplied as an argument. Packets are sent out of the
hook whose name equals the cookie value. If no hook matches, packets are
discarded. Packets injected via the <code class="Cm">netgraph</code> command
are tagged with <var class="Vt">struct ipfw_rule_ref</var>. This tag
contains information that helps the packet to re-enter
<a class="Xr">ipfw(4)</a> processing, should the packet come back from
<a class="Xr">netgraph(4)</a> to <a class="Xr">ipfw(4)</a>.</p>
<p class="Pp">Packets received by the node from the <a class="Xr">netgraph(4)</a>
subsystem must carry a <var class="Vt">struct ipfw_rule_ref</var>
tag. Packets re-enter IP firewall processing at the next rule. If no tag is
supplied, packets are discarded.</p>
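<p class="Pp">Because a cookie with no matching hook causes packets to be
discarded, the following added example (not part of the original manual page or
the FreeBSD source) checks a rule listing against the hooks present on the
<code class="Nm">ipfw</code> node. It assumes rule lines in the style printed
by <code>ipfw list</code> and a hook list prepared by the operator; the function
names, output labels and sample data are constructed for illustration.</p>

```sh
#!/bin/sh
# Added example, not part of the ng_ipfw manual page.
# audit_ng_cookies RULES HOOKS
#   RULES: file of rule lines in the style printed by `ipfw list`
#   HOOKS: file with one ipfw: node hook name per line (assumption: the
#          operator extracts these from `ngctl show ipfw:`)
# Prints "NOHOOK <rule> <action> <cookie>" for each netgraph/ngtee rule whose
# cookie has no matching hook; per the manual such packets are discarded.
audit_ng_cookies() {
    awk '
        FILENAME == ARGV[1] {               # first file: hook names
            if ($1 ~ /^[0-9]+$/) hooks[$1 + 0] = 1   # hooks are numeric only
            next
        }
        {                                   # second file: rule lines
            for (i = 2; i < NF; i++) {
                if ($i == "//") break       # rest of line is a rule comment
                if ($i != "netgraph" && $i != "ngtee") continue
                cookie = $(i + 1)
                if (cookie !~ /^[0-9]+$/)   # e.g. tablearg: resolved at run time
                    print "DYNAMIC " $1 " " $i " " cookie
                else if (!((cookie + 0) in hooks))
                    print "NOHOOK " $1 " " $i " " cookie
                break
            }
        }
    ' "$2" "$1"
}

# Constructed sample data (not captured from a real host).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/rules" <<'EOF'
00100 ngtee 30 ip from any to any
00200 netgraph 41 tcp from any to any 80
00300 netgraph tablearg ip from table(1) to any
00400 allow ip from any to any // was: ngtee 99
65535 deny ip from any to any
EOF
    printf '30\n' > "$dir/hooks"
    audit_ng_cookies "$dir/rules" "$dir/hooks"
    rm -rf "$dir"
}
demo
```

<p class="Pp">An empty hook list, as after the node has been shut down, makes
every numeric-cookie rule report <code>NOHOOK</code>.</p>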
</section>
<section class="Sh">
<h1 class="Sh" id="CONTROL_MESSAGES"><a class="permalink" href="#CONTROL_MESSAGES">CONTROL
MESSAGES</a></h1>
<p class="Pp">This node type supports only the generic control messages.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="SHUTDOWN"><a class="permalink" href="#SHUTDOWN">SHUTDOWN</a></h1>
<p class="Pp">This node shuts down upon receipt of a
<code class="Dv">NGM_SHUTDOWN</code> control message. Do not do this, since
a new <code class="Nm">ipfw</code> node can only be created by reloading
the <code class="Nm">ng_ipfw</code> module.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="SEE_ALSO"><a class="permalink" href="#SEE_ALSO">SEE
ALSO</a></h1>
<p class="Pp"><a class="Xr">ipfw(4)</a>, <a class="Xr">netgraph(4)</a>,
<a class="Xr">ipfw(8)</a>, <a class="Xr">mbuf_tags(9)</a></p>
</section>
<section class="Sh">
<h1 class="Sh" id="HISTORY"><a class="permalink" href="#HISTORY">HISTORY</a></h1>
<p class="Pp">The <code class="Nm">ipfw</code> node type was implemented in
<span class="Ux">FreeBSD 6.0</span>.</p>
</section>
<section class="Sh">
<h1 class="Sh" id="AUTHORS"><a class="permalink" href="#AUTHORS">AUTHORS</a></h1>
<p class="Pp">The <code class="Nm">ipfw</code> node was written by
<span class="An">Gleb Smirnoff</span>
&lt;<a class="Mt" href="mailto:glebius@FreeBSD.org">glebius@FreeBSD.org</a>&gt;.</p>
</section>
</div>
<table class="foot">
<tr>
<td class="foot-date">March 2, 2010</td>
<td class="foot-os">FreeBSD 15.0</td>
</tr>
</table>