xref: /freebsd/share/man/man4/ng_ipfw.4 (revision fa9896e082a1046ff4fbc75fcba4d18d1f2efc19)
.\" Copyright (c) 2005 Gleb Smirnoff
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.Dd March 2, 2010
.Dt NG_IPFW 4
.Os
.Sh NAME
.Nm ng_ipfw
.Nd interface between netgraph and IP firewall
.Sh SYNOPSIS
.In netinet/ip_var.h
.In netgraph/ng_ipfw.h
.Sh DESCRIPTION
The
.Nm ipfw
node implements the interface between the
.Xr ipfw 4
and
.Xr netgraph 4
subsystems.
.Sh HOOKS
The
.Nm ipfw
node supports an arbitrary number of hooks,
which must be named using only numeric characters.
.Sh OPERATION
Once the
.Nm
module is loaded into the kernel, a single node named
.Va ipfw
is automatically created.
No more
.Nm ipfw
nodes can be created.
Once destroyed, the only way to recreate the node is to reload the
.Nm
module.
.Pp
Packets can be injected into
.Xr netgraph 4
using either the
.Cm netgraph
or
.Cm ngtee
commands of the
.Xr ipfw 8
utility.
These commands require a numeric cookie to be supplied as an argument.
Packets are sent out of the hook whose name equals the cookie value.
If no hook matches, packets are discarded.
Packets injected via the
.Cm netgraph
command are tagged with
.Vt "struct ipfw_rule_ref" .
This tag contains the information that lets the packet re-enter
.Xr ipfw 4
processing, should the packet come back from
.Xr netgraph 4
to
.Xr ipfw 4 .
.Pp
Packets received by the node from the
.Xr netgraph 4
subsystem must carry a
.Vt "struct ipfw_rule_ref"
tag.
Tagged packets re-enter IP firewall processing at the rule following the one
that injected them, unless the
.Va net.inet.ip.fw.one_pass
sysctl is set, in which case they are not passed through the firewall again.
If no tag is supplied, packets are discarded.
.Sh CONTROL MESSAGES
This node type supports only the generic control messages.
.Sh SHUTDOWN
This node shuts down upon receipt of a
.Dv NGM_SHUTDOWN
control message.
Do not do this, since a new
.Nm ipfw
node can only be created by reloading the
.Nm
module.
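.Sh EXAMPLES
The following script is an added example; it is not part of this manual page
or of the
.Fx
sources.
It applies the cookie-to-hook mapping described in
.Sx OPERATION
by attaching an
.Xr ng_tee 4
node to the
.Nm ipfw
node and returning the packets to the firewall through a second hook.
The rule number 1000, the cookie 100, the return hook 101, the node name
.Va tee_100
and the interface
.Va em0
are arbitrary choices; the script assumes a
.Fx
host with
.Xr ipfw 4
and
.Xr netgraph 4
available and root privileges.
The text-only helpers run anywhere; the
.Xr ngctl 8
and
.Xr ipfw 8
calls run only when the script is invoked with the argument
.Cm apply .

```sh
#!/bin/sh
# Added example, not part of ng_ipfw(4) or the FreeBSD sources.
# Wire ipfw rule 1000 to hook "100" of the single ipfw: node, pass the
# packets through an ng_tee(4) and return them to ipfw via hook "101".
# Assumes FreeBSD with ipfw, netgraph, ng_ipfw and ng_tee, run as root.
# Cookie, rule number, hook names, node name and interface are arbitrary.
set -eu

COOKIE=100                 # ipfw cookie; must equal the ng_ipfw hook name
RET_HOOK=$((COOKIE + 1))   # second ipfw hook that takes the packets back
RULE=1000                  # ipfw rule number carrying the netgraph action
IFACE=em0                  # interface whose inbound traffic is diverted
TEE_NAME="tee_$COOKIE"

# The cookie is looked up as a hook name on the ipfw node, so it must be
# all digits. The ipfw rule stores it in a 16-bit field, hence 1..65535.
valid_cookie() {
	case "$1" in
		'' | *[!0-9]*) return 1 ;;
	esac
	[ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Render one ipfw rule: "add RULE ACTION COOKIE MATCH...". ACTION is
# "netgraph" (the packet leaves ipfw, tagged so it can return) or
# "ngtee" (a copy is sent into netgraph, the original continues).
# Text only, so the rule can be reviewed before it is handed to ipfw(8).
ipfw_rule() {
	action=$1; cookie=$2; rulenum=$3; shift 3
	valid_cookie "$cookie" || { echo "bad cookie: $cookie" >&2; return 1; }
	case "$action" in
		netgraph | ngtee) ;;
		*) echo "unknown action: $action" >&2; return 1 ;;
	esac
	printf 'add %s %s %s %s\n' "$rulenum" "$action" "$cookie" "$*"
}

# Build the graph first: ng_ipfw discards packets whose cookie has no
# matching hook, so installing the rule before the hook would drop traffic.
setup() {
	kldload -n ng_ipfw ng_tee
	# ng_tee with its "right" hook on ipfw:100; what enters "right"
	# leaves via "left", and a copy goes out "right2left" if connected.
	ngctl mkpeer ipfw: tee "$COOKIE" right
	ngctl name "ipfw:$COOKIE" "$TEE_NAME"
	# Route "left" back into ipfw on hook 101. The ipfw_rule_ref tag
	# attached on the way out is what lets the packet resume after rule
	# 1000; an untagged packet arriving here is discarded by the node.
	ngctl connect "$TEE_NAME": ipfw: left "$RET_HOOK"
	# With one_pass=1 a packet returning from ng_ipfw is not passed
	# through the firewall again; clear it so the later rules still run.
	sysctl net.inet.ip.fw.one_pass=0
	ipfw -q $(ipfw_rule netgraph "$COOKIE" "$RULE" ip from any to any in via "$IFACE")
	# Optional: watch copies of the diverted packets.
	#   nghook -a "$TEE_NAME": right2left
}

if [ "${1:-}" = apply ]; then
	setup
fi
```

The hooks are created before the rule is installed because the node discards
packets whose cookie has no matching hook, and
.Va net.inet.ip.fw.one_pass
is cleared so that packets returning through hook 101 continue at the rule
after 1000 instead of leaving the firewall unexamined.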
.Sh SEE ALSO
.Xr ipfw 4 ,
.Xr netgraph 4 ,
.Xr ipfw 8 ,
.Xr mbuf_tags 9
.Sh HISTORY
The
.Nm ipfw
node type was implemented in
.Fx 6.0 .
.Sh AUTHORS
The
.Nm ipfw
node was written by
.An Gleb Smirnoff Aq Mt glebius@FreeBSD.org .