1d359a62dSAndrey V. Elsukov.\" Copyright (c) 2010 Maxim Ignatenko <gelraen.ua@gmail.com> 2d359a62dSAndrey V. Elsukov.\" Copyright (c) 2010 Vadim Goncharov <vadimnuclight@tpu.ru> 3d359a62dSAndrey V. Elsukov.\" All rights reserved. 4d359a62dSAndrey V. Elsukov.\" 5d359a62dSAndrey V. Elsukov.\" Redistribution and use in source and binary forms, with or without 6d359a62dSAndrey V. Elsukov.\" modification, are permitted provided that the following conditions 7d359a62dSAndrey V. Elsukov.\" are met: 8d359a62dSAndrey V. Elsukov.\" 1. Redistributions of source code must retain the above copyright 9d359a62dSAndrey V. Elsukov.\" notice, this list of conditions and the following disclaimer. 10d359a62dSAndrey V. Elsukov.\" 2. Redistributions in binary form must reproduce the above copyright 11d359a62dSAndrey V. Elsukov.\" notice, this list of conditions and the following disclaimer in the 12d359a62dSAndrey V. Elsukov.\" documentation and/or other materials provided with the distribution. 13d359a62dSAndrey V. Elsukov.\" 14d359a62dSAndrey V. Elsukov.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15d359a62dSAndrey V. Elsukov.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16d359a62dSAndrey V. Elsukov.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17d359a62dSAndrey V. Elsukov.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18d359a62dSAndrey V. Elsukov.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19d359a62dSAndrey V. Elsukov.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20d359a62dSAndrey V. Elsukov.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21d359a62dSAndrey V. Elsukov.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22d359a62dSAndrey V. Elsukov.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23d359a62dSAndrey V. Elsukov.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24d359a62dSAndrey V. Elsukov.\" SUCH DAMAGE. 25d359a62dSAndrey V. Elsukov.\" 26d359a62dSAndrey V. Elsukov.\" $FreeBSD$ 27d359a62dSAndrey V. Elsukov.\" 28*2875b4b9SGleb Smirnoff.Dd March 5, 2012 29d359a62dSAndrey V. Elsukov.Dt NG_PATCH 4 30d359a62dSAndrey V. Elsukov.Os 31d359a62dSAndrey V. Elsukov.Sh NAME 32d359a62dSAndrey V. Elsukov.Nm ng_patch 33d359a62dSAndrey V. Elsukov.Nd "trivial mbuf data modifying netgraph node type" 34d359a62dSAndrey V. Elsukov.Sh SYNOPSIS 35d359a62dSAndrey V. Elsukov.In netgraph/ng_patch.h 36d359a62dSAndrey V. Elsukov.Sh DESCRIPTION 37d359a62dSAndrey V. ElsukovThe 38d359a62dSAndrey V. Elsukov.Nm patch 39d359a62dSAndrey V. Elsukovnode performs data modification of packets passing through it. 40d359a62dSAndrey V. ElsukovModifications are restricted to a subset of C language operations 41d359a62dSAndrey V. Elsukovon unsigned integers of 8, 16, 32 or 64 bit size. 42d359a62dSAndrey V. ElsukovThese are: set to new value (=), addition (+=), subtraction (-=), 43d359a62dSAndrey V. Elsukovmultiplication (*=), division (/=), negation (= -), 44d359a62dSAndrey V. Elsukovbitwise AND (&=), bitwise OR (|=), bitwise eXclusive OR (^=), 45d359a62dSAndrey V. Elsukovshift left (<<=), shift right (>>=). 46d359a62dSAndrey V. ElsukovA negation operation is the one exception: integer is treated as signed 47d359a62dSAndrey V. Elsukovand second operand (the 48d359a62dSAndrey V. Elsukov.Va value ) 49d359a62dSAndrey V. Elsukovis not used. 50d359a62dSAndrey V. ElsukovThere may be several modification operations, they are all applied 51d359a62dSAndrey V. Elsukovto a packet sequentially in order they were specified by user. 52d359a62dSAndrey V. ElsukovData payload of packet is viewed as array of bytes, with zero offset 53d359a62dSAndrey V. Elsukovcorresponding to the very first byte of packet headers, and 54d359a62dSAndrey V. Elsukov.Va length 55d359a62dSAndrey V. Elsukovbytes beginning from 56d359a62dSAndrey V. Elsukov.Va offset 57d359a62dSAndrey V. Elsukovare taken as a single integer in network byte order. 58d359a62dSAndrey V. Elsukov.Sh HOOKS 59d359a62dSAndrey V. ElsukovThis node type has two hooks: 60d359a62dSAndrey V. Elsukov.Bl -tag -width indent 61d359a62dSAndrey V. Elsukov.It Va in 62d359a62dSAndrey V. ElsukovPackets received on this hook are modified according to rules specified 63d359a62dSAndrey V. Elsukovin config and then forwarded to 64d359a62dSAndrey V. Elsukov.Ar out 65d359a62dSAndrey V. Elsukovhook, if it exists and connected. 66d359a62dSAndrey V. ElsukovOtherwise they are reflected back to the 67d359a62dSAndrey V. Elsukov.Ar in 68d359a62dSAndrey V. Elsukovhook. 69d359a62dSAndrey V. Elsukov.It Va out 70d359a62dSAndrey V. ElsukovPackets received on this hook are forwarded to 71d359a62dSAndrey V. Elsukov.Ar in 72d359a62dSAndrey V. Elsukovhook without any changes. 73d359a62dSAndrey V. Elsukov.El 74d359a62dSAndrey V. Elsukov.Sh CONTROL MESSAGES 75d359a62dSAndrey V. ElsukovThis node type supports the generic control messages, plus the following: 76d359a62dSAndrey V. Elsukov.Bl -tag -width indent 77d359a62dSAndrey V. Elsukov.It Dv NGM_PATCH_SETCONFIG Pq Li setconfig 78d359a62dSAndrey V. ElsukovThis command sets the sequence of modify operations 79d359a62dSAndrey V. Elsukovthat will be applied to incoming data on a hook. 80d359a62dSAndrey V. ElsukovThe following 81d359a62dSAndrey V. Elsukov.Vt "struct ng_patch_config" 82d359a62dSAndrey V. Elsukovmust be supplied as an argument: 83d359a62dSAndrey V. Elsukov.Bd -literal -offset 4n 84d359a62dSAndrey V. Elsukovstruct ng_patch_op { 85d359a62dSAndrey V. Elsukov uint64_t value; 86d359a62dSAndrey V. Elsukov uint32_t offset; 87d359a62dSAndrey V. Elsukov uint16_t length; /* 1,2,4 or 8 bytes */ 88d359a62dSAndrey V. Elsukov uint16_t mode; 89d359a62dSAndrey V. Elsukov}; 90d359a62dSAndrey V. Elsukov/* Patching modes */ 91d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_SET 1 92d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_ADD 2 93d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_SUB 3 94d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_MUL 4 95d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_DIV 5 96d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_NEG 6 97d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_AND 7 98d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_OR 8 99d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_XOR 9 100d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_SHL 10 101d359a62dSAndrey V. Elsukov#define NG_PATCH_MODE_SHR 11 102d359a62dSAndrey V. Elsukov 103d359a62dSAndrey V. Elsukovstruct ng_patch_config { 104d359a62dSAndrey V. Elsukov uint32_t count; 105d359a62dSAndrey V. Elsukov uint32_t csum_flags; 106d359a62dSAndrey V. Elsukov struct ng_patch_op ops[]; 107d359a62dSAndrey V. Elsukov}; 108d359a62dSAndrey V. Elsukov.Ed 109d359a62dSAndrey V. Elsukov.Pp 110d359a62dSAndrey V. ElsukovThe 111d359a62dSAndrey V. Elsukov.Va csum_flags 112d359a62dSAndrey V. Elsukovcan be set to any combination of CSUM_IP, CSUM_TCP, CSUM_SCTP and CSUM_UDP 113d359a62dSAndrey V. Elsukov(other values are ignored) for instructing the IP stack to recalculate the 114d359a62dSAndrey V. Elsukovcorresponding checksum before transmitting packet on output interface. 115d359a62dSAndrey V. ElsukovThe 116d359a62dSAndrey V. Elsukov.Nm 117d359a62dSAndrey V. Elsukovnode does not do any checksum correction by itself. 118d359a62dSAndrey V. Elsukov.It Dv NGM_PATCH_GETCONFIG Pq Li getconfig 119d359a62dSAndrey V. ElsukovThis control message obtains current set of modify operations, 120d359a62dSAndrey V. Elsukovreturned as 121d359a62dSAndrey V. Elsukov.Vt "struct ng_patch_config" . 122d359a62dSAndrey V. Elsukov.It Dv NGM_PATCH_GET_STATS Pq Li getstats 123d359a62dSAndrey V. ElsukovReturns node statistics as a 124d359a62dSAndrey V. Elsukov.Vt "struct ng_patch_stats" . 125d359a62dSAndrey V. Elsukov.It Dv NGM_PATCH_CLR_STATS Pq Li clrstats 126d359a62dSAndrey V. ElsukovClear node statistics. 127d359a62dSAndrey V. Elsukov.It Dv NGM_PATCH_GETCLR_STATS Pq Li getclrstats 128d359a62dSAndrey V. ElsukovThis command is identical to 129d359a62dSAndrey V. Elsukov.Dv NGM_PATCH_GET_STATS , 130d359a62dSAndrey V. Elsukovexcept that the statistics are also atomically cleared. 131d359a62dSAndrey V. Elsukov.El 132d359a62dSAndrey V. Elsukov.Sh SHUTDOWN 133d359a62dSAndrey V. ElsukovThis node shuts down upon receipt of a 134d359a62dSAndrey V. Elsukov.Dv NGM_SHUTDOWN 135d359a62dSAndrey V. Elsukovcontrol message, or when all hooks have been disconnected. 136d359a62dSAndrey V. Elsukov.Sh EXAMPLES 137d359a62dSAndrey V. ElsukovThe 138d359a62dSAndrey V. Elsukov.Nm 139d359a62dSAndrey V. Elsukovnode allows to modify TTL and TOS/DSCP fields in IP packets. 140d359a62dSAndrey V. ElsukovSuppose you have two adjacent simplex links to remote network 141d359a62dSAndrey V. Elsukov(e.g.\& satellite), so that the packets expiring in between 142d359a62dSAndrey V. Elsukovwill generate unwanted ICMP-replies which have to go forth, not back. 143d359a62dSAndrey V. ElsukovThus you need to raise TTL of every packet entering link link by 2 144d359a62dSAndrey V. Elsukovto ensure the TTL will not reach zero there. 145d359a62dSAndrey V. ElsukovSo you setup 146d359a62dSAndrey V. Elsukov.Xr ipfw 8 147d359a62dSAndrey V. Elsukovrule with 148d359a62dSAndrey V. Elsukov.Cm netgraph 149d359a62dSAndrey V. Elsukovaction to inject packets going to other end of simplex link by the 150d359a62dSAndrey V. Elsukovfollowing 151d359a62dSAndrey V. Elsukov.Xr ngctl 8 152d359a62dSAndrey V. Elsukovscript: 153d359a62dSAndrey V. Elsukov.Bd -literal -offset 4n 154d359a62dSAndrey V. Elsukov/usr/sbin/ngctl -f- <<-SEQ 155d359a62dSAndrey V. Elsukov mkpeer ipfw: patch 200 in 156d359a62dSAndrey V. Elsukov name ipfw:200 ttl_add 157d359a62dSAndrey V. Elsukov msg ttl_add: setconfig { count=1 csum_flags=1 ops=[ \e 158d359a62dSAndrey V. Elsukov { mode=2 value=3 length=1 offset=8 } ] } 159d359a62dSAndrey V. ElsukovSEQ 160d359a62dSAndrey V. Elsukov/sbin/ipfw add 150 netgraph 200 ip from any to simplex.remote.net 161d359a62dSAndrey V. Elsukov.Ed 162d359a62dSAndrey V. Elsukov.Pp 163d359a62dSAndrey V. ElsukovHere 164d359a62dSAndrey V. Elsukov.Dq Li ttl_add 165d359a62dSAndrey V. Elsukovnode of type 166d359a62dSAndrey V. Elsukov.Nm 167d359a62dSAndrey V. Elsukovconfigured to add (mode 168d359a62dSAndrey V. Elsukov.Dv NG_PATCH_MODE_ADD ) 169d359a62dSAndrey V. Elsukova 170d359a62dSAndrey V. Elsukov.Va value 171d359a62dSAndrey V. Elsukovof 3 to a one-byte TTL field, which is 9th byte of IP packet header. 172d359a62dSAndrey V. Elsukov.Pp 173d359a62dSAndrey V. ElsukovAnother example would be two consecutive modifications of packet TOS 174d359a62dSAndrey V. Elsukovfield: say, you need to clear the 175d359a62dSAndrey V. Elsukov.Dv IPTOS_THROUGHPUT 176d359a62dSAndrey V. Elsukovbit and set the 177d359a62dSAndrey V. Elsukov.Dv IPTOS_MINCOST 178d359a62dSAndrey V. Elsukovbit. 179d359a62dSAndrey V. ElsukovSo you do: 180d359a62dSAndrey V. Elsukov.Bd -literal -offset 4n 181d359a62dSAndrey V. Elsukov/usr/sbin/ngctl -f- <<-SEQ 182d359a62dSAndrey V. Elsukov mkpeer ipfw: patch 300 in 183d359a62dSAndrey V. Elsukov name ipfw:300 tos_chg 184d359a62dSAndrey V. Elsukov msg tos_chg: setconfig { count=2 csum_flags=1 ops=[ \e 185d359a62dSAndrey V. Elsukov { mode=7 value=0xf7 length=1 offset=1 } \e 186d359a62dSAndrey V. Elsukov { mode=8 value=0x02 length=1 offset=1 } ] } 187d359a62dSAndrey V. ElsukovSEQ 188*2875b4b9SGleb Smirnoff/sbin/ipfw add 160 netgraph 300 ip from any to any not dst-port 80 189d359a62dSAndrey V. Elsukov.Ed 190d359a62dSAndrey V. Elsukov.Pp 191d359a62dSAndrey V. ElsukovThis first does 192d359a62dSAndrey V. Elsukov.Dv NG_PATCH_MODE_AND 193d359a62dSAndrey V. Elsukovclearing the fourth bit and then 194d359a62dSAndrey V. Elsukov.Dv NG_PATCH_MODE_OR 195d359a62dSAndrey V. Elsukovsetting the third bit. 196d359a62dSAndrey V. Elsukov.Pp 197d359a62dSAndrey V. ElsukovIn both examples the 198d359a62dSAndrey V. Elsukov.Va csum_flags 199d359a62dSAndrey V. Elsukovfield indicates that IP checksum (but not TCP or UDP checksum) should be 200d359a62dSAndrey V. Elsukovrecalculated before transmit. 201d359a62dSAndrey V. Elsukov.Pp 202d359a62dSAndrey V. ElsukovNote: one should ensure that packets are returned to ipfw after processing 203d359a62dSAndrey V. Elsukovinside 204d359a62dSAndrey V. Elsukov.Xr netgraph 4 , 205d359a62dSAndrey V. Elsukovby setting appropriate 206d359a62dSAndrey V. Elsukov.Xr sysctl 8 207d359a62dSAndrey V. Elsukovvariable: 208d359a62dSAndrey V. Elsukov.Bd -literal -offset 4n 209d359a62dSAndrey V. Elsukovsysctl net.inet.ip.fw.one_pass=0 210d359a62dSAndrey V. Elsukov.Ed 211d359a62dSAndrey V. Elsukov.Sh SEE ALSO 212d359a62dSAndrey V. Elsukov.Xr netgraph 4 , 213d359a62dSAndrey V. Elsukov.Xr ng_ipfw 4 , 214d359a62dSAndrey V. Elsukov.Xr ngctl 8 215d359a62dSAndrey V. Elsukov.Sh HISTORY 216d359a62dSAndrey V. ElsukovThe 217d359a62dSAndrey V. Elsukov.Nm 218d359a62dSAndrey V. Elsukovnode type was implemented in 219d359a62dSAndrey V. Elsukov.Fx 8.1 . 220d359a62dSAndrey V. Elsukov.Sh AUTHORS 221d359a62dSAndrey V. Elsukov.An "Maxim Ignatenko" Aq gelraen.ua@gmail.com . 222d359a62dSAndrey V. ElsukovThis manual page was written by 223d359a62dSAndrey V. Elsukov.An "Vadim Goncharov" Aq vadimnuclight@tpu.ru . 224d359a62dSAndrey V. Elsukov.Sh BUGS 225d359a62dSAndrey V. ElsukovNode blindly tries to apply every patching operation to each packet 226d359a62dSAndrey V. Elsukov(except those which offset if greater than length of the packet), 227d359a62dSAndrey V. Elsukovso be sure that you supply only the right packets to it (e.g. changing 228d359a62dSAndrey V. Elsukovbytes in the ARP packets meant to be in IP header could corrupt 229d359a62dSAndrey V. Elsukovthem and make your machine unreachable from the network). 230d359a62dSAndrey V. Elsukov.Pp 231d359a62dSAndrey V. Elsukov.Em !!! WARNING !!! 232d359a62dSAndrey V. Elsukov.Pp 233d359a62dSAndrey V. ElsukovOutput path of the IP stack assumes correct fields and lengths in the 234d359a62dSAndrey V. Elsukovpackets - changing them by mistake to incorrect values can cause 235d359a62dSAndrey V. Elsukovunpredictable results including kernel panics. 236