1.\" $NetBSD: pfil.9,v 1.22 2003/07/01 13:04:06 wiz Exp $ 2.\" 3.\" Copyright (c) 1996 Matthew R. Green 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 3. The name of the author may not be used to endorse or promote products 15.\" derived from this software without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 18.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 19.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 20.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 21.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED 24.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 25.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.\" $FreeBSD$ 30.\" 31.Dd October 22, 2012 32.Dt PFIL 9 33.Os 34.Sh NAME 35.Nm pfil , 36.Nm pfil_head_register , 37.Nm pfil_head_unregister , 38.Nm pfil_head_get , 39.Nm pfil_hook_get , 40.Nm pfil_add_hook , 41.Nm pfil_remove_hook , 42.Nm pfil_run_hooks , 43.Nm pfil_rlock , 44.Nm pfil_runlock , 45.Nm pfil_wlock , 46.Nm pfil_wunlock 47.Nd packet filter interface 48.Sh SYNOPSIS 49.In sys/param.h 50.In sys/mbuf.h 51.In net/if.h 52.In net/pfil.h 53.Ft int 54.Fn pfil_head_register "struct pfil_head *head" 55.Ft int 56.Fn pfil_head_unregister "struct pfil_head *head" 57.Ft "struct pfil_head *" 58.Fn pfil_head_get "int af" "u_long dlt" 59.Ft "struct packet_filter_hook *" 60.Fn pfil_hook_get "int dir" "struct pfil_head *head" 61.Ft void 62.Fn pfil_add_hook "int (*func)()" "void *arg" "int flags" "struct pfil_head *" 63.Ft void 64.Fn pfil_remove_hook "int (*func)()" "void *arg" "int flags" "struct pfil_head *" 65.Ft int 66.Fn (*func) "void *arg" "struct mbuf **mp" "struct ifnet *" "int dir" "struct inpcb *" 67.Ft int 68.Fn pfil_run_hooks "struct pfil_head *head" "struct mbuf **mp" "struct ifnet *" "int dir" "struct inpcb *" 69.Ft void 70.Fn pfil_rlock "struct pfil_head *" "struct rm_priotracker *" 71.Ft void 72.Fn pfil_runlock "struct pfil_head *" "struct rm_priotracker *" 73.Ft void 74.Fn pfil_wlock "struct pfil_head *" 75.Ft void 76.Fn pfil_wunlock "struct pfil_head *" 77.Sh DESCRIPTION 78The 79.Nm 80framework allows for a specified function to be invoked for every 81incoming or outgoing packet for a particular network I/O stream. 82These hooks may be used to implement a firewall or perform packet 83transformations. 84.Pp 85Packet filtering points are registered with 86.Fn pfil_head_register . 87Filtering points are identified by a key 88.Pq Vt "void *" 89and a data link type 90.Pq Vt int 91in the 92.Vt pfil_head 93structure. 94Packet filters use the key and data link type to look up the filtering 95point with which they register themselves. 96The key is unique to the filtering point. 97The data link type is a 98.Xr bpf 4 99DLT constant indicating what kind of header is present on the packet 100at the filtering point. 101Each filtering point uses common per-VNET rmlock by default. 102This can be changed by specifying 103.Vt PFIL_FLAG_PRIVATE_LOCK 104as 105.Vt "flags" 106field in the 107.Vt pfil_head 108structure. 109Note that specifying private lock can break filters sharing the same 110ruleset and/or state between different data link types. 111Filtering points may be unregistered with the 112.Fn pfil_head_unregister 113function. 114.Pp 115Packet filters register/unregister themselves with a filtering point 116with the 117.Fn pfil_add_hook 118and 119.Fn pfil_remove_hook 120functions, respectively. 121The head is looked up using the 122.Fn pfil_head_get 123function, which takes the key and data link type that the packet filter 124expects. 125Filters may provide an argument to be passed to the filter when 126invoked on a packet. 127.Pp 128When a filter is invoked, the packet appears just as if it 129.Dq came off the wire . 130That is, all protocol fields are in network byte order. 131The filter is called with its specified argument, the pointer to the 132pointer to the 133.Vt mbuf 134containing the packet, the pointer to the network 135interface that the packet is traversing, and the direction 136.Dv ( PFIL_IN 137or 138.Dv PFIL_OUT ) 139that the packet is traveling. 140The filter may change which mbuf the 141.Vt "mbuf\ **" 142argument references. 143The filter returns an error (errno) if the packet processing is to stop, or 0 144if the processing is to continue. 145If the packet processing is to stop, it is the responsibility of the 146filter to free the packet. 147.Pp 148Every filter hook is called with 149.Nm 150read lock held. 151All heads uses the same lock within the same VNET instance. 152Packet filter can use this lock instead of own locking model to 153improve performance. 154Since 155.Nm 156uses 157.Xr rmlock 9 158.Fn pfil_rlock 159and 160.Fn pfil_runlock 161require 162.Va struct rm_priotracker 163to be passed as argument. 164Filter can acquire and release writer lock via 165.Fn pfil_wlock 166and 167.Fn pfil_wunlock 168functions. 169See 170.Xr rmlock 9 171for more details. 172.Sh FILTERING POINTS 173Currently, filtering points are implemented for the following link types: 174.Pp 175.Bl -tag -width "AF_INET6" -offset XXX -compact 176.It AF_INET 177IPv4 packets. 178.It AF_INET6 179IPv6 packets. 180.It AF_LINK 181Link-layer packets. 182.El 183.Sh RETURN VALUES 184If successful, 185.Fn pfil_head_get 186returns the 187.Vt pfil_head 188structure for the given key/dlt. 189The 190.Fn pfil_add_hook 191and 192.Fn pfil_remove_hook 193functions 194return 0 if successful. 195If called with flag 196.Dv PFIL_WAITOK , 197.Fn pfil_remove_hook 198is expected to always succeed. 199.Pp 200The 201.Fn pfil_head_unregister 202function 203might sleep! 204.Sh SEE ALSO 205.Xr bpf 4 , 206.Xr if_bridge 4 207.Xr rmlock 4 208.Sh HISTORY 209The 210.Nm 211interface first appeared in 212.Nx 1.3 . 213The 214.Nm 215input and output lists were originally implemented as 216.In sys/queue.h 217.Dv LIST 218structures; 219however this was changed in 220.Nx 1.4 221to 222.Dv TAILQ 223structures. 224This change was to allow the input and output filters to be processed in 225reverse order, to allow the same path to be taken, in or out of the kernel. 226.Pp 227The 228.Nm 229interface was changed in 1.4T to accept a 3rd parameter to both 230.Fn pfil_add_hook 231and 232.Fn pfil_remove_hook , 233introducing the capability of per-protocol filtering. 234This was done primarily in order to support filtering of IPv6. 235.Pp 236In 1.5K, the 237.Nm 238framework was changed to work with an arbitrary number of filtering points, 239as well as be less IP-centric. 240.Pp 241Fine-grained locking was added in 242.Fx 5.2 . 243.Nm 244lock export was added in 245.Fx 10.0 . 246.Sh BUGS 247The 248.Fn pfil_hook_get 249function 250is only safe for internal use. 251.Pp 252When a 253.Vt pfil_head 254is being modified, no traffic is diverted 255(to avoid deadlock). 256This means that traffic may be dropped unconditionally for a short period 257of time. 258.Fn pfil_run_hooks 259will return 260.Er ENOBUFS 261to indicate this. 262