.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.Dd August 4, 1996
.Dt PFIL 9
.Os
.Sh NAME
.Nm pfil ,
.Nm pfil_hook_get ,
.Nm pfil_add_hook ,
.Nm pfil_remove_hook
.Nd packet filter interface
.Sh SYNOPSIS
.In sys/param.h
.In sys/mbuf.h
.In sys/socket.h
.In net/if.h
.In net/pfil.h
.Ft "struct packet_filter_hook *"
.Fn pfil_hook_get "int flag" "struct pfil_head *ph"
.Ft int
.Fo pfil_add_hook
.Fa "int \*[lp]*func\*[rp]\*[lp]void *, int, struct ifnet *, int, struct mbuf **\*[rp]"
.Fa "int flags"
.Fa "struct pfil_head *ph"
.Fc
.Ft int
.Fo pfil_remove_hook
.Fa "int \*[lp]*func\*[rp]\*[lp]void *, int, struct ifnet *, int, struct mbuf **\*[rp]"
.Fa "int flags"
.Fa "struct pfil_head *ph"
.Fc
.Sh DESCRIPTION
The
.Nm
interface allows a function to be called on every incoming or outgoing
packet.
The hooks for these are embedded in the
.Fn ip_input
and
.Fn ip_output
routines.
The
.Fn pfil_hook_get
function returns the first member of the specified hook list, either the
input list or the output list.
The
.Fn pfil_add_hook
function takes a function of the form below as its first argument, and the
flags naming the lists to add the function to.
The possible values for these
flags are some combination of
.Dv PFIL_IN
and
.Dv PFIL_OUT .
The
.Fn pfil_remove_hook
function removes a hook from the specified lists.
.Pp
The
.Fa func
argument is a function with the following prototype:
.Pp
.Ft int
.Fn func "void *data" "int hlen" "struct ifnet *net" "int dir" "struct mbuf **m"
.Pp
The
.Fa data
argument describes the packet.
Currently, this may only be a pointer to an
.Vt ip
structure.
The
.Fa net
and
.Fa m
arguments describe the network interface and the mbuf holding the data for
this packet.
The
.Fa dir
argument is the direction: 0 for incoming packets and 1 for outgoing packets.
If the function returns non-zero, this signals an error and no further
processing of this packet is performed.
The function should set
.Va errno
to indicate the nature of the error.
It is the hook's responsibility to free the chain if the packet is being
dropped.
.Pp
The
.Nm
interface is enabled in the kernel via the
.Cd PFIL_HOOKS
option.
.Sh RETURN VALUES
If successful,
.Fn pfil_hook_get
returns the first member of the packet filter list.
The
.Fn pfil_add_hook
and
.Fn pfil_remove_hook
functions are expected to always succeed.
.Sh HISTORY
The
.Nm
interface first appeared in
.Nx 1.3 .
The
.Nm
input and output lists were originally implemented as
.Aq Pa sys/queue.h
.Dv LIST
structures; however this was changed in
.Nx 1.4
to
.Dv TAILQ
structures.
This change allows the input and output filters to be processed in reverse
order, so that a packet traverses the same sequence of filters whether it is
entering or leaving the kernel.
.Pp
The
.Nm
interface was changed in
.Nx 1.4T
to accept a third parameter to both
.Fn pfil_add_hook
and
.Fn pfil_remove_hook ,
introducing the capability of per-protocol filtering.
This was done primarily in order to support filtering of IPv6.
.Sh BUGS
The current
.Nm
implementation will need changes to suit a threaded kernel model.
.Sh SEE ALSO
.Xr bpf 4
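The hook contract described in DESCRIPTION (the prototype of func, the dir argument, the non-zero return on error and the hook's duty to free the chain when it drops a packet) together with the reverse-order output list noted in HISTORY, as an added userland model that can be compiled and run outside the kernel. This is example code, not NetBSD or FreeBSD source: struct mbuf, struct ifnet and struct ip are cut-down stand-ins, the PFIL_IN/PFIL_OUT values, the fixed-size hook arrays, pfil_run_hooks(), filter_packet(), both hooks and the sample packets are assumptions of this example, and the hook's errno is modelled with the C library's errno.

```c
/* Added example, not NetBSD/FreeBSD source: a userland model of the pfil(9) hook
 * interface described above.  struct mbuf, struct ifnet and struct ip are stand-ins
 * with only the fields used here; the PFIL_IN/PFIL_OUT values, the array-backed
 * lists, pfil_run_hooks(), both hooks and the sample packets are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PFIL_IN  0x01		/* list-selection flags (assumed values) */
#define PFIL_OUT 0x02
#define PFIL_DIR_IN  0		/* the hook's dir argument: 0 in, 1 out */
#define PFIL_DIR_OUT 1
#define PFIL_MAXHOOKS 8
struct mbuf  { int m_len; unsigned char m_data[64]; };			/* stand-in */
struct ifnet { char if_xname[16]; };					/* stand-in */
struct ip    { uint8_t ip_vhl, ip_tos; uint16_t ip_len, ip_id, ip_off;	/* stand-in */
	       uint8_t ip_ttl, ip_p; uint16_t ip_sum; uint32_t ip_src, ip_dst; };
typedef int pfil_func_t(void *, int, struct ifnet *, int, struct mbuf **);
struct packet_filter_hook { pfil_func_t *pfil_func; };
struct pfil_list { struct packet_filter_hook hook[PFIL_MAXHOOKS]; int n; };
struct pfil_head { struct pfil_list ph_in, ph_out; };

/* Registration: input hooks are appended and output hooks prepended, so the output
 * list runs the same hooks in reverse order (the behaviour HISTORY describes). */
int pfil_add_hook(pfil_func_t *func, int flags, struct pfil_head *ph)
{
	struct pfil_list *l[2] = { &ph->ph_in, &ph->ph_out };
	int k, i;
	for (k = 0; k < 2; k++) {
		if (!(flags & (k ? PFIL_OUT : PFIL_IN))) continue;
		if (l[k]->n == PFIL_MAXHOOKS) return ENOSPC;
		i = k ? 0 : l[k]->n;
		memmove(&l[k]->hook[i + 1], &l[k]->hook[i], (l[k]->n++ - i) * sizeof l[k]->hook[0]);
		l[k]->hook[i].pfil_func = func;
	}
	return 0;
}
/* First member of the chosen list, or NULL when it is empty. */
struct packet_filter_hook *pfil_hook_get(int flag, struct pfil_head *ph)
{
	struct pfil_list *l = flag == PFIL_IN ? &ph->ph_in : &ph->ph_out;
	return l->n ? &l->hook[0] : NULL;
}
/* What ip_input()/ip_output() do with the list: call each hook in order with the
 * IP header, its length, the interface and the direction; a non-zero return means
 * the hook dropped the packet and already freed the chain, so *mp is NULL. */
int pfil_run_hooks(struct pfil_head *ph, int dir, struct ifnet *ifp, struct mbuf **mp)
{
	struct pfil_list *l = dir == PFIL_DIR_IN ? &ph->ph_in : &ph->ph_out;
	int i, rv, hlen = (*mp)->m_len >= (int)sizeof(struct ip)
	    ? (((struct ip *)(*mp)->m_data)->ip_vhl & 0x0f) << 2 : 0;
	for (i = 0; i < l->n; i++)
		if ((rv = (*l->hook[i].pfil_func)((*mp)->m_data, hlen, ifp, dir, mp)) != 0)
			return rv;
	return 0;
}

/* Dropping is the hook's job: free the chain, clear the caller's pointer, set
 * errno and return non-zero, as the DESCRIPTION requires. */
static int pfil_drop(struct mbuf **mp, int err)
{
	free(*mp); *mp = NULL; errno = err;
	return 1;
}
/* Hook 1: drop headers shorter than struct ip, longer than the mbuf, or not IPv4. */
static int sanity_hook(void *data, int hlen, struct ifnet *ifp, int dir, struct mbuf **mp)
{
	struct ip *ip = data; (void)ifp; (void)dir;
	if (hlen < (int)sizeof *ip || hlen > (*mp)->m_len || (ip->ip_vhl >> 4) != 4)
		return pfil_drop(mp, EINVAL);
	return 0;
}
/* Hook 2 (constructed policy): drop inbound packets with a 10.0.0.0/8 source.  It
 * re-checks hlen because on the output list it runs before sanity_hook: a hook
 * cannot assume another hook has already validated the header. */
static int deny_src_hook(void *data, int hlen, struct ifnet *ifp, int dir, struct mbuf **mp)
{
	struct ip *ip = data; (void)ifp;
	if (dir == PFIL_DIR_IN && hlen >= (int)sizeof *ip && (ip->ip_src >> 24) == 10)
		return pfil_drop(mp, EACCES);
	return 0;
}

/* Runs one constructed packet (minimal IPv4 header, source in host byte order;
 * len < 20 models truncation) through ph: 0 = passed, else the dropping hook's errno. */
int filter_packet(struct pfil_head *ph, int dir, uint32_t src, int len)
{
	struct ip hdr = { .ip_vhl = 0x45, .ip_len = 20, .ip_ttl = 64, .ip_p = 17,
	    .ip_src = src, .ip_dst = 0xC0000202u };
	struct ifnet ifp = { "em0" };
	struct mbuf *m = calloc(1, sizeof *m);
	int rv;
	memcpy(m->m_data, &hdr, sizeof hdr); m->m_len = len; errno = 0;
	rv = pfil_run_hooks(ph, dir, &ifp, &m);
	if ((rv != 0) != (m == NULL)) { free(m); return -1; }	/* drop contract broken */
	free(m);
	return rv != 0 ? errno : 0;
}
```

Register the two hooks with pfil_add_hook(sanity_hook, PFIL_IN | PFIL_OUT, &ph) and then pfil_add_hook(deny_src_hook, ...) on a zeroed struct pfil_head, and push packets with filter_packet(): an inbound packet from 10.1.2.3 returns EACCES from deny_src_hook, the same packet outbound passes because that hook only filters dir 0, and an 8-byte buffer returns EINVAL from sanity_hook in either direction. pfil_hook_get(PFIL_IN, &ph) then yields the sanity hook while pfil_hook_get(PFIL_OUT, &ph) yields the deny hook, which is the reversed output order; the -1 return of filter_packet() flags a hook that returned non-zero without freeing the chain, or freed it while reporting success.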