.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.Dd August 4, 1996
.Dt PFIL 9
.Os
.Sh NAME
.Nm pfil ,
.Nm pfil_hook_get ,
.Nm pfil_add_hook ,
.Nm pfil_remove_hook
.Nd packet filter interface
.Sh SYNOPSIS
.In sys/param.h
.In sys/mbuf.h
.In net/if.h
.In net/pfil.h
.Ft struct packet_filter_hook *
.Fn pfil_hook_get "int" "struct pfil_head *"
.Ft void
.Fn pfil_add_hook "int (*func)()" "int flags" "struct pfil_head *"
.Ft void
.Fn pfil_remove_hook "int (*func)()" "int flags" "struct pfil_head *"
.\"(void *, int, struct ifnet *, int, struct mbuf **)
.Sh DESCRIPTION
The
.Nm
interface allows a function to be called on every incoming or outgoing
packet. The hooks for these are embedded in the
.Fn ip_input
and
.Fn ip_output
routines. The
.Fn pfil_hook_get
function returns the first member of a particular hook, either the in or out
list. The
.Fn pfil_add_hook
function takes a function of the form below as its first argument, and the
flags for which lists to add the function to. The possible values for these
flags are some combination of PFIL_IN and PFIL_OUT. The
.Fn pfil_remove_hook
removes a hook from the specified lists.
.Pp
The
.Va func
argument is a function with the following prototype.
.Pp
.Fn func "void *data" "int hlen" "struct ifnet *net" "int dir" "struct mbuf **m"
.Pp
The
.Va data
describes the packet. Currently, this may only be a pointer to an ip structure. The
.Va net
and
.Va m
arguments describe the network interface and the mbuf holding data for this
packet. The
.Va dir
is the direction; 0 for incoming packets and 1 for outgoing packets. If the function
returns non-zero, this signals an error and no further processing of this packet is
performed. The function should set errno to indicate the nature of the error.
It is the hook's responsibility to free the chain if the packet is being dropped.
.Pp
The
.Nm
interface is enabled in the kernel via the
.Sy PFIL_HOOKS
option.
.Sh RETURN VALUES
If successful,
.Fn pfil_hook_get
returns the first member of the packet filter list.
.Fn pfil_add_hook
and
.Fn pfil_remove_hook
are expected to always succeed.
.Sh HISTORY
The
.Nm
interface first appeared in
.Nx 1.3 .
The
.Nm
input and output lists were originally implemented as
.Aq Pa sys/queue.h
.Dv LIST
structures;
however this was changed in
.Nx 1.4
to
.Dv TAILQ
structures. This change was to allow the input and output filters to be
processed in reverse order, to allow the same path to be taken, in or out
of the kernel.
.Pp
The
.Nm
interface was changed in 1.4T to accept a 3rd parameter to both
.Fn pfil_add_hook
and
.Fn pfil_remove_hook ,
introducing the capability of per-protocol filtering. This was done
primarily in order to support filtering of IPv6.
.Sh BUGS
The current
.Nm
implementation will need changes to suit a threaded kernel model.
.Sh SEE ALSO
.Xr bpf 4
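The hook contract from DESCRIPTION, as an added userspace model that is not part of the original manual page or the kernel source: `struct pkt` stands in for `struct mbuf`, and `model_add_hook`, `run_hooks`, the two hook functions and the flag values are constructed for illustration. It shows the two things a filter author has to get right: the hook that drops a packet frees it itself, and the input and output lists run in opposite order (head versus tail insertion is this model's way of producing the reverse order that HISTORY describes).

```c
/* Userspace model of the pfil(9) hook contract; not kernel code. struct pkt
 * stands in for struct mbuf; all names and flag values are constructed. */
#include <stdlib.h>
#include <string.h>

enum { PFIL_IN = 1, PFIL_OUT = 2, MAXHOOKS = 8 };
struct pkt { unsigned char proto; };
typedef int (*hook_fn)(void *data, int hlen, void *ifp, int dir, struct pkt **m);
static hook_fn in_list[MAXHOOKS], out_list[MAXHOOKS];
static int n_in, n_out, live_pkts;
static char trace[MAXHOOKS + 1];        /* which hooks ran, in order */

/* Input hooks go on the head, output hooks on the tail, so a packet meets
 * the filters in opposite order on the way in and on the way out. */
static void model_add_hook(hook_fn fn, int flags) {
    if ((flags & PFIL_IN) && n_in < MAXHOOKS) {
        memmove(&in_list[1], &in_list[0], (size_t)n_in++ * sizeof in_list[0]);
        in_list[0] = fn;
    }
    if ((flags & PFIL_OUT) && n_out < MAXHOOKS)
        out_list[n_out++] = fn;
}

static int hook_log(void *d, int hlen, void *ifp, int dir, struct pkt **m) {
    trace[strlen(trace)] = 'L';
    return 0;                           /* pass to the next hook */
}
/* Drops ICMP (protocol 1): the hook frees the packet, then returns non-zero. */
static int hook_no_icmp(void *d, int hlen, void *ifp, int dir, struct pkt **m) {
    trace[strlen(trace)] = 'F';
    if ((*m)->proto != 1) return 0;
    free(*m); *m = NULL; live_pkts--;   /* caller must not touch *m again */
    return 1;
}

/* Stand-in for the ip_input()/ip_output() call site: stop at first non-zero. */
static int run_hooks(int dir, unsigned char proto) {
    struct pkt *m = malloc(sizeof *m);
    int i, rv = 0;
    if (m == NULL) return -1;
    m->proto = proto; live_pkts++;
    memset(trace, 0, sizeof trace);
    for (i = 0; i < (dir ? n_out : n_in) && rv == 0; i++)
        rv = (dir ? out_list : in_list)[i](m, 20, NULL, dir, &m);
    if (rv == 0) { free(m); live_pkts--; }  /* accepted; the model consumes it */
    return rv;
}
int main(void) {   /* register both hooks, then drop one inbound ICMP packet */
    model_add_hook(hook_log, PFIL_IN | PFIL_OUT);
    model_add_hook(hook_no_icmp, PFIL_IN | PFIL_OUT);
    return (run_hooks(0, 1) == 1 && live_pkts == 0) ? 0 : 1;
}
```

`live_pkts` returning to zero after every call is the check that the drop path neither leaks nor double-frees the packet.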