.\" Copyright (c) 2005 Gleb Smirnoff
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 2, 2010
.Dt NG_IPFW 4
.Os
.Sh NAME
.Nm ng_ipfw
.Nd interface between netgraph and IP firewall
.Sh SYNOPSIS
.In netinet/ip_var.h
.In netgraph/ng_ipfw.h
.Sh DESCRIPTION
The
.Nm ipfw
node implements the interface between the
.Xr ipfw 4
and
.Xr netgraph 4
subsystems.
.Sh HOOKS
The
.Nm ipfw
node supports an arbitrary number of hooks,
which must be named using only numeric characters.
.Sh OPERATION
Once the
.Nm
module is loaded into the kernel, a single node named
.Va ipfw
is automatically created.
No more
.Nm ipfw
nodes can be created.
Once destroyed, the only way to recreate the node is to reload the
.Nm
module.
.Pp
Packets can be injected into
.Xr netgraph 4
using either the
.Cm netgraph
or
.Cm ngtee
commands of the
.Xr ipfw 8
utility.
These commands require a numeric cookie to be supplied as an argument.
Packets are sent out of the hook whose name equals the cookie value.
If no hook matches, packets are discarded.
Packets injected via the
.Cm netgraph
command are tagged with
.Vt "struct ipfw_rule_ref" .
This tag contains information that helps the packet to re-enter
.Xr ipfw 4
processing, should the packet come back from
.Xr netgraph 4
to
.Xr ipfw 4 .
.Pp
Packets received by a node from the
.Xr netgraph 4
subsystem must be tagged with a
.Vt "struct ipfw_rule_ref"
tag.
Packets re-enter IP firewall processing at the next rule.
If no tag is supplied, packets are discarded.
.Sh CONTROL MESSAGES
This node type supports only the generic control messages.
.Sh SHUTDOWN
This node shuts down upon receipt of a
.Dv NGM_SHUTDOWN
control message.
Do not do this, since a new
.Nm ipfw
node can only be created by reloading the
.Nm
module.
.Sh SEE ALSO
.Xr ipfw 4 ,
.Xr netgraph 4 ,
.Xr ipfw 8 ,
.Xr mbuf_tags 9
.Sh HISTORY
The
.Nm ipfw
node type was implemented in
.Fx 6.0 .
.Sh AUTHORS
The
.Nm ipfw
node was written by
.An "Gleb Smirnoff" Aq glebius@FreeBSD.org .
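The OPERATION section states that packets are discarded when no hook matches the cookie of a netgraph or ngtee rule. The following audit is an added example, not part of the original manual page or the FreeBSD source: it cross-checks rule cookies against the hooks present on the ipfw node. Both sample texts are constructed, and their layout is assumed to follow the output of `ipfw list` and `ngctl show ipfw:`.

```python
# Added example: find netgraph/ngtee rules whose cookie has no ng_ipfw hook.
# Constructed sample, assumed to follow `ipfw list` output.
IPFW_LIST = """\
00100 allow ip from any to any via lo0
00300 netgraph 61 ip from any to any in via fxp0
00400 netgraph 60 ip from any to any out via fxp0
00500 ngtee 70 tcp from any to any dst-port 25
65535 deny ip from any to any
"""
# Constructed sample, assumed to follow `ngctl show ipfw:` output.
NGCTL_SHOW = """\
  Name: ipfw            Type: ipfw            ID: 00000002   Num hooks: 2
  Local hook      Peer name       Peer type    Peer ID         Peer hook
  ----------      ---------       ---------    -------         ---------
  61              nat             nat          00000003        in
  60              nat             nat          00000003        out
"""

def netgraph_rules(ipfw_list):
    """Return (rule number, action, cookie) for each netgraph/ngtee rule."""
    rules = []
    for line in ipfw_list.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        for i, word in enumerate(tok[1:-1], start=1):
            # Non-numeric arguments cannot be resolved from the rule text.
            if word in ("netgraph", "ngtee") and tok[i + 1].isdigit():
                rules.append((int(tok[0]), word, int(tok[i + 1])))
                break
    return rules

def ipfw_hooks(ngctl_show):
    """Return the numeric hook names listed for the ipfw node."""
    rows = (line.split() for line in ngctl_show.splitlines())
    # Hook rows have five columns and start with an all-digit hook name.
    return {int(t[0]) for t in rows if len(t) == 5 and t[0].isdigit()}

def audit(ipfw_list, ngctl_show):
    """Return (rules with no matching hook, hooks no rule points at)."""
    hooks = ipfw_hooks(ngctl_show)
    rules = netgraph_rules(ipfw_list)
    unmatched = [r for r in rules if r[2] not in hooks]
    unused = sorted(hooks - {cookie for _, _, cookie in rules})
    return unmatched, unused

if __name__ == "__main__":
    for number, action, cookie in audit(IPFW_LIST, NGCTL_SHOW)[0]:
        print(f"rule {number}: {action} {cookie} has no hook, packets are discarded")
```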