.\" Copyright (c) 1996 Matthew R. Green
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote products
.\"    derived from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.Dd August 4, 1996
.Dt PFIL 9
.Os
.Sh NAME
.Nm pfil ,
.Nm pfil_hook_get ,
.Nm pfil_add_hook ,
.Nm pfil_remove_hook
.Nd packet filter interface
.Sh SYNOPSIS
.In sys/param.h
.In sys/mbuf.h
.In sys/socket.h
.In net/if.h
.In net/pfil.h
.Ft struct packet_filter_hook *
.Fn pfil_hook_get "int flag" "struct pfil_head *ph"
.Ft int
.Fo pfil_add_hook
.Fa "int (*func)(void *, int, struct ifnet *, int, struct mbuf **)"
.Fa "int flags"
.Fa "struct pfil_head *ph"
.Fc
.Ft int
.Fo pfil_remove_hook
.Fa "int (*func)(void *, int, struct ifnet *, int, struct mbuf **)"
.Fa "int flags"
.Fa "struct pfil_head *ph"
.Fc
.\"(void *, int, struct ifnet *, int, struct mbuf **)
.Sh DESCRIPTION
The
.Nm
interface allows a function to be called on every incoming or outgoing
packet.
The hooks for these are embedded in the
.Fn ip_input
and
.Fn ip_output
routines.
The
.Fn pfil_hook_get
function returns the first member of a particular hook list of the packet
filter head
.Fa ph ,
either the input list or the output list as selected by
.Fa flag .
The
.Fn pfil_add_hook
function takes a function of the form below as its first argument, the
flags for which lists to add the function to, and the packet filter head
.Fa ph
of the protocol being filtered.
The possible values for these flags are some combination of
.Dv PFIL_IN
and
.Dv PFIL_OUT .
The
.Fn pfil_remove_hook
function removes a hook from the specified lists of
.Fa ph .
.Pp
The
.Va func
argument is a function with the following prototype.
.Pp
.Fn func "void *data" "int hlen" "struct ifnet *net" "int dir" "struct mbuf **m"
.Pp
The
.Va data
argument describes the packet.
Currently, this may only be a pointer to an
.Vt ip
structure, and
.Va hlen
is the length of that IP header in bytes.
The
.Va net
and
.Va m
arguments describe the network interface and the mbuf chain holding the data
for this packet.
The
.Va dir
argument is the direction: 0 for incoming packets and 1 for outgoing packets.
If the function returns non-zero, this signals an error and no further
processing of this packet is performed.
The function should set errno to indicate the nature of the error.
It is the hook's responsibility to free the chain if the packet is being
dropped.
.Pp
The
.Nm
interface is enabled in the kernel via the
.Sy PFIL_HOOKS
option.
.Sh RETURN VALUES
If successful,
.Fn pfil_hook_get
returns the first member of the requested packet filter list, or
.Dv NULL
if that list is empty.
.Fn pfil_add_hook
and
.Fn pfil_remove_hook
are expected to always succeed.
.Sh HISTORY
The
.Nm
interface first appeared in
.Nx 1.3 .
The
.Nm
input and output lists were originally implemented as
.Aq Pa sys/queue.h
.Dv LIST
structures;
however this was changed in
.Nx 1.4
to
.Dv TAILQ
structures.
This change was made so that the input and output filters could be
processed in reverse order, allowing a packet to traverse the same filter
path on its way into and out of the kernel.
.Pp
The
.Nm
interface was changed in
.Nx 1.4T
to accept a third parameter to both
.Fn pfil_add_hook
and
.Fn pfil_remove_hook ,
introducing the capability of per-protocol filtering.
This was done primarily in order to support filtering of IPv6.
.Sh BUGS
The current
.Nm
implementation will need changes to suit a threaded kernel model.
.Sh SEE ALSO
.Xr bpf 4
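The hook contract described above (a hook is called with the IP header, its length, the interface, the direction and the mbuf chain; a non-zero return stops processing; a dropping hook frees the chain itself) is easy to get wrong in the details, so here is an added example that exercises it outside the kernel. This is not code from the pfil(9) page or from the FreeBSD sources: the `struct ip`, `struct ifnet`, `struct mbuf` and `struct pfil_head` declarations are minimal stand-ins, `pfil_add_hook` and `pfil_run_hooks` are user-space models of the registration and of the list walk that `ip_input`/`ip_output` perform, and the policy in `martian_hook` (drop inbound packets claiming a 127.0.0.0/8 source, and anything with a header shorter than 20 bytes) is an assumption chosen for illustration. The model also assumes that a hook which consumes the chain leaves `*m` set to `NULL` so the caller can tell.

```c
/*
 * Added example, not from the pfil(9) page or the FreeBSD sources: a user-space
 * model of the hook contract in DESCRIPTION.  struct ip, ifnet, mbuf and
 * pfil_head are minimal stand-ins so the file builds outside the kernel.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PFIL_IN  0x01
#define PFIL_OUT 0x02
#define MAXHOOKS 4

struct ifnet { char if_xname[16]; };          /* stand-in */
struct mbuf { uint8_t *m_data; int m_len; };  /* stand-in: one-mbuf chain */
struct ip {                                   /* stand-in: 20-byte IPv4 header */
	uint8_t ip_vhl, ip_tos;               /* ip_vhl = version << 4 | IHL in words */
	uint16_t ip_len, ip_id, ip_off;
	uint8_t ip_ttl, ip_p;
	uint16_t ip_sum;
	uint8_t ip_src[4], ip_dst[4];         /* wire order: ip_src[0] is the first octet */
};
typedef int pfil_func_t(void *, int, struct ifnet *, int, struct mbuf **);
struct pfil_head { pfil_func_t *in[MAXHOOKS], *out[MAXHOOKS]; int nin, nout; };

/* A dropping hook owns the chain: free it and hand NULL back to the caller. */
static void pfil_drop(struct mbuf **m) { free((*m)->m_data); free(*m); *m = NULL; }

/*
 * The hook, in the shape pfil_add_hook() takes: data is the IP header, hlen its
 * length in bytes, dir is 0 for input and 1 for output.  Assumed policy: drop
 * headers shorter than a minimal IPv4 header and inbound packets claiming a
 * 127.0.0.0/8 source.  Returning 0 continues processing; non-zero stops it.
 */
static int
martian_hook(void *data, int hlen, struct ifnet *ifp, int dir, struct mbuf **m)
{
	struct ip *ip = data;
	(void)ifp;
	if (hlen < (int)sizeof(struct ip) || (dir == 0 && ip->ip_src[0] == 127)) {
		pfil_drop(m);
		return 1;
	}
	return 0;
}

/* Model of pfil_add_hook(): the flags choose which list(s) the hook joins. */
static int
pfil_add_hook(pfil_func_t *f, int flags, struct pfil_head *ph)
{
	if ((flags & PFIL_IN) && ph->nin < MAXHOOKS) ph->in[ph->nin++] = f;
	if ((flags & PFIL_OUT) && ph->nout < MAXHOOKS) ph->out[ph->nout++] = f;
	return 0;
}

/*
 * Model of the walk ip_input()/ip_output() do: call hooks in order, stop at the
 * first non-zero return or once a hook has consumed the chain (*m == NULL).
 * The header pointer is re-derived each round since a hook may replace *m.
 */
static int
pfil_run_hooks(struct pfil_head *ph, int dir, struct ifnet *ifp, struct mbuf **m)
{
	pfil_func_t **list = dir ? ph->out : ph->in;
	int n = dir ? ph->nout : ph->nin;
	for (int i = 0; i < n && *m != NULL; i++) {
		struct ip *ip = (struct ip *)(*m)->m_data;
		int rv = list[i](ip, (ip->ip_vhl & 0x0f) << 2, ifp, dir, m);
		if (rv != 0)
			return rv;
	}
	return 0;
}

/* Constructed packet: IPv4 header with the given first source octet and IHL. */
static struct mbuf *
make_pkt(uint8_t src0, uint8_t ihl_words)
{
	struct mbuf *m = calloc(1, sizeof(*m));
	struct ip *ip = calloc(1, sizeof(*ip));
	ip->ip_vhl = 0x40 | (ihl_words & 0x0f);
	ip->ip_ttl = 64;
	ip->ip_src[0] = src0; ip->ip_src[3] = 1;
	m->m_data = (uint8_t *)ip;
	m->m_len = sizeof(*ip);
	return m;
}

/* Push one packet through a head with martian_hook on both lists: 0 = passed
 * with the chain intact, 1 = dropped and chain freed, -1 = contract violated. */
static int
scenario(int dir, uint8_t src0, uint8_t ihl_words)
{
	struct pfil_head ph = { 0 };
	struct ifnet ifp = { "em0" };
	struct mbuf *m = make_pkt(src0, ihl_words);
	int rv;
	pfil_add_hook(martian_hook, PFIL_IN | PFIL_OUT, &ph);
	rv = pfil_run_hooks(&ph, dir, &ifp, &m);
	if (rv == 0 && m != NULL) {
		pfil_drop(&m);                /* passed: the caller still owns the chain */
		return 0;
	}
	return (rv != 0 && m == NULL) ? 1 : -1;
}

int
main(void)
{
	printf("in 127.0.0.1: %d  out 127.0.0.1: %d  in 10.0.0.1: %d  in IHL=2: %d\n",
	    scenario(0, 127, 5), scenario(1, 127, 5), scenario(0, 10, 5), scenario(0, 10, 2));
	return 0;
}
```

The point to take from `scenario` is the ownership rule: when the hook returns non-zero it has already freed the chain, so the caller must not touch `*m` again; when it returns 0 the caller still owns whatever `*m` now points to, which may be a chain the hook substituted. A hook that returns non-zero but leaves the chain allocated leaks it, and one that frees the chain but returns 0 hands the caller a dangling pointer; the `-1` result flags both.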