18aaffd78SIgor Ostapenko.\" 28aaffd78SIgor Ostapenko.\" SPDX-License-Identifier: BSD-2-Clause 38aaffd78SIgor Ostapenko.\" 48aaffd78SIgor Ostapenko.\" Copyright (c) 2024 Igor Ostapenko <pm@igoro.pro> 58aaffd78SIgor Ostapenko.\" 68aaffd78SIgor Ostapenko.\" Redistribution and use in source and binary forms, with or without 78aaffd78SIgor Ostapenko.\" modification, are permitted provided that the following conditions 88aaffd78SIgor Ostapenko.\" are met: 98aaffd78SIgor Ostapenko.\" 1. Redistributions of source code must retain the above copyright 108aaffd78SIgor Ostapenko.\" notice, this list of conditions and the following disclaimer. 118aaffd78SIgor Ostapenko.\" 2. Redistributions in binary form must reproduce the above copyright 128aaffd78SIgor Ostapenko.\" notice, this list of conditions and the following disclaimer in the 138aaffd78SIgor Ostapenko.\" documentation and/or other materials provided with the distribution. 148aaffd78SIgor Ostapenko.\" 158aaffd78SIgor Ostapenko.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 168aaffd78SIgor Ostapenko.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 178aaffd78SIgor Ostapenko.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 188aaffd78SIgor Ostapenko.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 198aaffd78SIgor Ostapenko.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 208aaffd78SIgor Ostapenko.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 218aaffd78SIgor Ostapenko.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 228aaffd78SIgor Ostapenko.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 238aaffd78SIgor Ostapenko.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 248aaffd78SIgor Ostapenko.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 258aaffd78SIgor Ostapenko.\" SUCH DAMAGE. 268aaffd78SIgor Ostapenko.\" 278aaffd78SIgor Ostapenko.\" Note: The date here should be updated whenever a non-trivial 288aaffd78SIgor Ostapenko.\" change is made to the manual page. 29*76e00c72SKristof Provost.Dd January 6, 2025 308aaffd78SIgor Ostapenko.Dt DUMMYMBUF 4 318aaffd78SIgor Ostapenko.Os 328aaffd78SIgor Ostapenko.Sh NAME 338aaffd78SIgor Ostapenko.Nm dummymbuf 348aaffd78SIgor Ostapenko.Nd "mbuf alteration pfil hooks" 358aaffd78SIgor Ostapenko.Sh SYNOPSIS 368aaffd78SIgor OstapenkoTo compile the driver into the kernel, 378aaffd78SIgor Ostapenkoplace the following line in the 388aaffd78SIgor Ostapenkokernel configuration file: 398aaffd78SIgor Ostapenko.Bd -ragged -offset indent 408aaffd78SIgor Ostapenko.Cd "device dummymbuf" 418aaffd78SIgor Ostapenko.Ed 428aaffd78SIgor Ostapenko.Pp 438aaffd78SIgor OstapenkoAlternatively, to load the driver as a 448aaffd78SIgor Ostapenkomodule at boot time, place the following line in 458aaffd78SIgor Ostapenko.Xr loader.conf 5 : 468aaffd78SIgor Ostapenko.Bd -literal -offset indent 478aaffd78SIgor Ostapenkodummymbuf_load="YES" 488aaffd78SIgor Ostapenko.Ed 498aaffd78SIgor Ostapenko.Sh DESCRIPTION 508aaffd78SIgor OstapenkoThis module is intended to test networking code in the face of unusual mbuf 518aaffd78SIgor Ostapenkolayouts. 528aaffd78SIgor OstapenkoThe special 538aaffd78SIgor Ostapenko.Xr pfil 9 548aaffd78SIgor Ostapenkohooks are provided for mbuf alteration and can be listed with 558aaffd78SIgor Ostapenko.Xr pfilctl 8 568aaffd78SIgor Ostapenkoas follows: 578aaffd78SIgor Ostapenko.Bd -literal -offset indent 588aaffd78SIgor Ostapenko Hook Type 598aaffd78SIgor Ostapenko dummymbuf:ethernet Ethernet 608aaffd78SIgor Ostapenko dummymbuf:inet6 IPv6 618aaffd78SIgor Ostapenko dummymbuf:inet IPv4 628aaffd78SIgor Ostapenko.Ed 638aaffd78SIgor Ostapenko.Pp 648aaffd78SIgor OstapenkoTo activate a hook it must be linked to the respective 658aaffd78SIgor Ostapenko.Xr pfil 9 668aaffd78SIgor Ostapenkohead. 678aaffd78SIgor Ostapenko.Xr pfilctl 8 688aaffd78SIgor Ostapenkocan be used for the linking. 698aaffd78SIgor Ostapenko.Pp 708aaffd78SIgor OstapenkoEach time a hook is invoked it reads a single shared set of 718aaffd78SIgor Ostapenko.Sx RULES 728aaffd78SIgor Ostapenkofrom 738aaffd78SIgor Ostapenko.Va net.dummymbuf.rules 748aaffd78SIgor Ostapenkosysctl. 758aaffd78SIgor OstapenkoThe rules are evaluated sequentially and each matching rule performs the 768aaffd78SIgor Ostapenkospecified operation over the mbuf. 778aaffd78SIgor Ostapenko.Pp 788aaffd78SIgor OstapenkoAfter every successfully applied operation the 798aaffd78SIgor Ostapenko.Va net.dummymbuf.hits 808aaffd78SIgor Ostapenkosysctl counter is increased. 818aaffd78SIgor Ostapenko.Pp 828aaffd78SIgor OstapenkoA hook returns an altered mbuf for further processing, but it drops a packet 838aaffd78SIgor Ostapenkoif rules parsing or an operation fails. 848aaffd78SIgor OstapenkoAlso, the first mbuf of the original chain may be changed. 858aaffd78SIgor Ostapenko.Pp 868aaffd78SIgor OstapenkoThe module is 878aaffd78SIgor Ostapenko.Xr VNET 9 888aaffd78SIgor Ostapenkobased, hence every 898aaffd78SIgor Ostapenko.Xr jail 2 908aaffd78SIgor Ostapenkoprovides its own set of hooks and sysctl variables. 918aaffd78SIgor Ostapenko.Sh RULES 928aaffd78SIgor OstapenkoThe set of rules is a semicolon separated list. 938aaffd78SIgor OstapenkoAn empty string is treated as a parsing failure. 948aaffd78SIgor OstapenkoA rule conceptually has two parts, filter and operation, with the following 958aaffd78SIgor Ostapenkosyntax: 968aaffd78SIgor Ostapenko.Bd -literal -offset indent 978aaffd78SIgor Ostapenko{inet | inet6 | ethernet} {in | out} <ifname> <opname>[ <opargs>]; 988aaffd78SIgor Ostapenko.Ed 998aaffd78SIgor Ostapenko.Ss Filter 1008aaffd78SIgor OstapenkoThe first word of a rule matches 1018aaffd78SIgor Ostapenko.Xr pfil 9 1028aaffd78SIgor Ostapenkotype. 1038aaffd78SIgor OstapenkoThe second matches packet's direction, and the third matches the network 1048aaffd78SIgor Ostapenkointerface a packet is coming from. 1058aaffd78SIgor Ostapenko.Ss Operation 1068aaffd78SIgor OstapenkoAn operation may have arguments separated from its name by space. 1078aaffd78SIgor OstapenkoThe available operations are: 1088aaffd78SIgor Ostapenko.Bl -tag -width indent 1098aaffd78SIgor Ostapenko.It pull-head <number-of-bytes> 1108aaffd78SIgor OstapenkoUnconditionally creates a brand new cluster-based mbuf and links it to be the 1118aaffd78SIgor Ostapenkofirst mbuf of the original mbuf chain, with respective packet header moving. 1128aaffd78SIgor OstapenkoAfter, the given number of bytes are pulled from the original mbuf chain. 1138aaffd78SIgor Ostapenko.Pp 1148aaffd78SIgor OstapenkoIf it is asked to pull 0 bytes then the first mbuf of the resulting chain will 1158aaffd78SIgor Ostapenkobe left empty. 1168aaffd78SIgor OstapenkoAsking to pull more than 1178aaffd78SIgor Ostapenko.Dv MCLBYTES 1188aaffd78SIgor Ostapenkois treated as an operation failure. 1198aaffd78SIgor OstapenkoIf a mbuf chain has less data than asked then the entire packet is pulled with 1208aaffd78SIgor Ostapenkotail mbuf(s) left empty. 1218aaffd78SIgor Ostapenko.Pp 1228aaffd78SIgor OstapenkoAs a result, only the layout of a mbuf chain is altered, its content logically 1238aaffd78SIgor Ostapenkois left intact. 124*76e00c72SKristof Provost.It enlarge <number-of-bytes> 125*76e00c72SKristof ProvostUnconditionally replace the mbuf with an mbuf of the specified size. 1268aaffd78SIgor Ostapenko.El 1278aaffd78SIgor Ostapenko.Sh SYSCTL VARIABLES 1288aaffd78SIgor OstapenkoThe following variables are available: 1298aaffd78SIgor Ostapenko.Bl -tag -width indent 1308aaffd78SIgor Ostapenko.It Va net.dummymbuf.rules 1318aaffd78SIgor OstapenkoA string representing a single set of 1328aaffd78SIgor Ostapenko.Sx RULES 1338aaffd78SIgor Ostapenkoshared among all 1348aaffd78SIgor Ostapenko.Nm 1358aaffd78SIgor Ostapenkohooks. 1368aaffd78SIgor Ostapenko.It Va net.dummymbuf.hits 1378aaffd78SIgor OstapenkoNumber of times a rule has been applied. 1388aaffd78SIgor OstapenkoIt is reset to zero upon writing. 1398aaffd78SIgor Ostapenko.El 1408aaffd78SIgor Ostapenko.Sh EXAMPLES 1418aaffd78SIgor OstapenkoAs it was intended, 1428aaffd78SIgor Ostapenko.Nm 1438aaffd78SIgor Ostapenkocan be found useful for firewall testing. 1448aaffd78SIgor OstapenkoA mbuf chain could be altered before it hits a firewall to test that the latter 1458aaffd78SIgor Ostapenkocan handle a case respectively. 1468aaffd78SIgor OstapenkoThus, it is important to have correct sequence of hooks. 1478aaffd78SIgor OstapenkoA test case should prepare and enable a firewall first to get its hooks linked. 1488aaffd78SIgor OstapenkoAfter, the 1498aaffd78SIgor Ostapenko.Xr pfilctl 8 1508aaffd78SIgor Ostapenkoshould be used to link 1518aaffd78SIgor Ostapenko.Nm 1528aaffd78SIgor Ostapenkohook(s) to put them in front of a firewall. 1538aaffd78SIgor Ostapenko.Pp 1548aaffd78SIgor OstapenkoThe following links 1558aaffd78SIgor Ostapenko.Va dummymbuf:inet6 1568aaffd78SIgor Ostapenkohook for inbound and puts it in front of other hooks: 1578aaffd78SIgor Ostapenko.Bd -literal -offset indent 1588aaffd78SIgor Ostapenkopfilctl link -i dummymbuf:inet6 inet6 1598aaffd78SIgor Ostapenko.Ed 1608aaffd78SIgor Ostapenko.Pp 1618aaffd78SIgor OstapenkoAnd this does the same for outbound: 1628aaffd78SIgor Ostapenko.Bd -literal -offset indent 1638aaffd78SIgor Ostapenkopfilctl link -o -a dummymbuf:inet6 inet6 1648aaffd78SIgor Ostapenko.Ed 1658aaffd78SIgor Ostapenko.Pp 1668aaffd78SIgor OstapenkoFor instance, we want to test a scenario in which the very first mbuf in a 1678aaffd78SIgor Ostapenkochain has zero m_len, to verify that a firewall can correctly read the 1688aaffd78SIgor Ostapenkopacket data despite that. 1698aaffd78SIgor OstapenkoThe following set of rules does it for inbound and outbound: 1708aaffd78SIgor Ostapenko.Bd -literal -offset indent 1718aaffd78SIgor Ostapenkosysctl net.dummymbuf.rules="inet6 in em0 pull-head 0; inet6 out em0 pull-head 0;" 1728aaffd78SIgor Ostapenko.Ed 1738aaffd78SIgor Ostapenko.Pp 1748aaffd78SIgor OstapenkoIt is encouraged to verify 1758aaffd78SIgor Ostapenko.Va net.dummymbuf.hits 1768aaffd78SIgor Ostapenkosysctl counter along with other test assertions to make sure that 1778aaffd78SIgor Ostapenko.Nm 1788aaffd78SIgor Ostapenkoreally does its work and there is no false positive due to misconfiguration. 1798aaffd78SIgor OstapenkoIt is a good idea to reset it before the action: 1808aaffd78SIgor Ostapenko.Bd -literal -offset indent 1818aaffd78SIgor Ostapenkosysctl net.dummymbuf.hits=0 1828aaffd78SIgor Ostapenko.Ed 1838aaffd78SIgor Ostapenko.Pp 1848aaffd78SIgor OstapenkoIt is equally important to cleanup the things after the test case: 1858aaffd78SIgor Ostapenko.Bd -literal -offset indent 1868aaffd78SIgor Ostapenkopfilctl unlink -i dummymbuf:inet6 inet6 1878aaffd78SIgor Ostapenkopfilctl unlink -o dummymbuf:inet6 inet6 1888aaffd78SIgor Ostapenkosysctl net.dummymbuf.rules="" 1898aaffd78SIgor Ostapenko.Ed 1908aaffd78SIgor Ostapenko.Pp 1918aaffd78SIgor OstapenkoIf a test case operates within a temporary vnet then explicit cleanup can be 1928aaffd78SIgor Ostapenkoomitted, the 1938aaffd78SIgor Ostapenko.Nm 1948aaffd78SIgor Ostapenkofacilities will vanish along with its vnet instance. 1958aaffd78SIgor Ostapenko.Sh DIAGNOSTICS 1968aaffd78SIgor Ostapenko.Bl -diag 1978aaffd78SIgor Ostapenko.It "dummymbuf: <filter match>: rule parsing failed: <the rule in question>" 1988aaffd78SIgor OstapenkoIf everything looks fine then extra spaces removal may help due to the parser 1998aaffd78SIgor Ostapenkois kept very simple. 2008aaffd78SIgor Ostapenko.It "dummymbuf: <filter match>: mbuf operation failed: <the rule in question>" 2018aaffd78SIgor OstapenkoIncorrect operation argument has been found, mbuf allocation has failed, etc. 2028aaffd78SIgor Ostapenko.El 2038aaffd78SIgor Ostapenko.Sh SEE ALSO 2048aaffd78SIgor Ostapenko.Xr jail 2 , 2058aaffd78SIgor Ostapenko.Xr pfilctl 8 , 2068aaffd78SIgor Ostapenko.Xr mbuf 9 , 2078aaffd78SIgor Ostapenko.Xr pfil 9 , 2088aaffd78SIgor Ostapenko.Xr VNET 9 2098aaffd78SIgor Ostapenko.Sh AUTHORS 2108aaffd78SIgor OstapenkoThe module and this manual page were written by 2118aaffd78SIgor Ostapenko.An Igor Ostapenko Aq Mt pm@igoro.pro . 212