ng_ipfw(4) [debian man page]

NG_IPFW(4)						   BSD Kernel Interfaces Manual 						NG_IPFW(4)

NAME
     ng_ipfw -- interface between netgraph and IP firewall

SYNOPSIS
     #include <netgraph/ng_ipfw.h>

DESCRIPTION
     The ipfw node implements an interface between the ipfw(4) and netgraph(4) subsystems.

HOOKS
     The ipfw node supports an arbitrary number of hooks, which must be named using only numeric characters.

OPERATION
     Once the ng_ipfw module is loaded into the kernel, a single node named ipfw is automatically created. No more ipfw nodes can be
     created. Once destroyed, the only way to recreate the node is to reload the ng_ipfw module.

     Packets can be injected into netgraph(4) using either the netgraph or ngtee commands of the ipfw(8) utility. These commands require a
     numeric cookie to be supplied as an argument. Packets are sent out of the hook whose name equals the cookie value. If no hook matches,
     packets are discarded.

     Packets injected via the netgraph command are tagged with struct ng_ipfw_tag. This tag contains information that helps the packet to
     re-enter ipfw(4) processing, should the packet come back from netgraph(4) to ipfw(4).

     struct ng_ipfw_tag {
             struct m_tag    mt;             /* tag header */
             struct ip_fw    *rule;          /* matching rule */
             uint32_t        rule_id;        /* matching rule id */
             uint32_t        chain_id;       /* ruleset id */
             struct ifnet    *ifp;           /* interface, for ip_output */
             int             dir;            /* packet direction */
     #define NG_IPFW_OUT     0
     #define NG_IPFW_IN      1
     };

     Packets received by a node from netgraph(4) must be tagged with a struct ng_ipfw_tag tag. Packets re-enter IP firewall processing at
     the next rule. If no tag is supplied, packets are discarded.

CONTROL MESSAGES
     This node type supports only the generic control messages.

SHUTDOWN
     This node shuts down upon receipt of a NGM_SHUTDOWN control message. Do not do this, since the new ipfw node can only be created by
     reloading the ng_ipfw module.

SEE ALSO
     ipfw(4), netgraph(4), ipfw(8), mbuf_tags(9)

HISTORY
     The ipfw node type was implemented in FreeBSD 6.0.

AUTHORS
     The ipfw node was written by Gleb Smirnoff <glebius@FreeBSD.org>.

BSD                                                              June 10, 2009                                                             BSD

NG_TCPMSS(4)						   BSD Kernel Interfaces Manual 					      NG_TCPMSS(4)

NAME
     ng_tcpmss -- netgraph node to adjust TCP MSS option

SYNOPSIS
     #include <netgraph.h>
     #include <netgraph/ng_tcpmss.h>

DESCRIPTION
     The tcpmss node type is designed to alter the Maximum Segment Size option of TCP packets. This node accepts an arbitrary number of
     hooks. Initially a new hook is considered unconfigured. The NG_TCPMSS_CONFIG control message is used to configure a hook.

CONTROL MESSAGES
     This node type supports the generic control messages, plus the following.

     NGM_TCPMSS_CONFIG (config)
             This control message configures the node to perform the given MSS adjustment on a particular hook. It requires the
             struct ng_tcpmss_config to be supplied as an argument:

             struct ng_tcpmss_config {
                     char            inHook[NG_HOOKSIZ];
                     char            outHook[NG_HOOKSIZ];
                     uint16_t        maxMSS;
             };

             This means: packets received on inHook are checked for a TCP MSS option, which is reduced to maxMSS if it exceeds maxMSS.
             After that, the packets are sent out via hook outHook.

     NGM_TCPMSS_GET_STATS (getstats)
             This control message obtains statistics for a given hook. The statistics are returned in struct ng_tcpmss_hookstat:

             struct ng_tcpmss_hookstat {
                     uint64_t        Octets;         /* total bytes */
                     uint64_t        Packets;        /* total packets */
                     uint16_t        maxMSS;         /* maximum MSS */
                     uint64_t        SYNPkts;        /* TCP SYN packets */
                     uint64_t        FixedPkts;      /* changed packets */
             };

     NGM_TCPMSS_CLR_STATS (clrstats)
             This control message clears statistics for a given hook.

     NGM_TCPMSS_GETCLR_STATS (getclrstats)
             This control message obtains and clears statistics for a given hook.

EXAMPLES
     In the following example, packets are injected into the tcpmss node using the ng_ipfw(4) node.

           # Create tcpmss node and connect it to ng_ipfw node
           ngctl mkpeer ipfw: tcpmss 100 qqq

           # Adjust MSS to 1452
           ngctl msg ipfw:100 config '{ inHook="qqq" outHook="qqq" maxMSS=1452 }'

           # Divert traffic into tcpmss node
           ipfw add 300 netgraph 100 tcp from any to any tcpflags syn out via fxp0

           # Let packets continue with ipfw after being hacked
           sysctl net.inet.ip.fw.one_pass=0
SHUTDOWN
     This node shuts down upon receipt of an NGM_SHUTDOWN control message, or when all hooks have been disconnected.

SEE ALSO
     netgraph(4), ng_ipfw(4)

HISTORY
     The ng_tcpmss node type was implemented in FreeBSD 6.0.

AUTHORS
     Alexey Popov <lollypop@flexuser.ru>
     Gleb Smirnoff <glebius@FreeBSD.org>

BUGS
     When running on SMP, system statistics may be broken.

BSD                                                              June 9, 2005                                                              BSD
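The adjustment that the tcpmss node applies on inHook, shown here as an added user-space C example (not code from FreeBSD, ng_tcpmss, or this man page): walk a TCP header's option list, lower an MSS option that exceeds maxMSS to maxMSS, and repair the TCP checksum incrementally so the packet stays valid when it continues through ipfw. The sample SYN header, its checksum (0x9322, with the IP pseudo-header taken as zero so the example runs offline) and the 1452 limit from the EXAMPLES section are constructed for this demonstration.

```c
#include <stdint.h>
#include <string.h>
/* Ones' complement sum over an even number of bytes; only used to check the sample. */
static uint16_t ones_sum(const uint8_t *p, size_t len)
{
    uint32_t s = 0;
    for (size_t i = 0; i + 1 < len; i += 2) s += (uint16_t)(p[i] << 8 | p[i + 1]);
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Walk the TCP option list (`tcp` = start of the fixed header); reduce an MSS option (kind 2)
 * above max_mss, fixing the checksum per RFC 1624. 1 = changed, 0 = no change, -1 = malformed. */
int clamp_tcp_mss(uint8_t *tcp, size_t len, uint16_t max_mss)
{
    size_t hlen = (size_t)(tcp[12] >> 4) * 4;            /* data offset, in bytes */
    if (len < 20 || hlen < 20 || hlen > len) return -1;
    for (size_t i = 20; i < hlen;) {
        uint8_t kind = tcp[i], olen = (i + 1 < hlen) ? tcp[i + 1] : 0;
        if (kind == 0) break;                             /* end of option list */
        if (kind == 1) { i++; continue; }                 /* NOP padding */
        if (olen < 2 || i + olen > hlen) return -1;       /* truncated or bogus length */
        if (kind == 2 && olen == 4) {
            uint16_t mss = (uint16_t)(tcp[i + 2] << 8 | tcp[i + 3]);
            if (mss <= max_mss) return 0;
            /* HC' = ~(~HC + ~m + m'): no pseudo-header or payload access needed */
            uint32_t s = (uint16_t)~(tcp[16] << 8 | tcp[17]) + (uint16_t)~mss + max_mss;
            while (s >> 16) s = (s & 0xffff) + (s >> 16);
            tcp[i + 2] = max_mss >> 8;     tcp[i + 3] = max_mss & 0xff;
            tcp[16] = (uint8_t)(~s >> 8);  tcp[17] = (uint8_t)~s;
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Constructed sample: SYN from port 1234 to 80, data offset 6, only option MSS=1460,
 * checksum 0x9322 computed with the pseudo-header treated as zero. */
static const uint8_t sample_syn[24] = {
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x60, 0x02, 0xff, 0xff, 0x93, 0x22, 0x00, 0x00, 0x02, 0x04, 0x05, 0xb4 };

/* Clamp the sample to 1452; returns 1 if it was changed and still checksums correctly. */
int demo_clamp(uint16_t *mss_after)
{
    uint8_t pkt[sizeof sample_syn]; memcpy(pkt, sample_syn, sizeof pkt);
    int rc = clamp_tcp_mss(pkt, sizeof pkt, 1452);
    *mss_after = (uint16_t)(pkt[22] << 8 | pkt[23]);
    return rc == 1 && ones_sum(pkt, sizeof pkt) == 0xffff;
}
```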