Document how interaction with ng_ipfw node is configured.

1 files changed, 23 insertions, 2 deletions

diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 620f32c..f5471ee 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -726,6 +726,24 @@ is a number from 0 to 255, or one of these aliases:
 or
 .Cm precedence-cutoff .
 The search terminates.
+.It Cm netgraph Ar cookie
+Divert packet into netgraph with given
+.Ar cookie .
+The search terminates.
+If packet is later returned from netgraph it is either
+accepted or continues with the next rule, depending on
+.Em net.inet.ip.fw.one_pass
+sysctl variable.
+.It Cm ngtee Ar cookie
+A copy of packet is diverted into netgraph, original
+packet continues with next rule.
+See
+.Xr ng_ipfw 4
+for more information on
+.Cm netgraph
+and
+.Cm ngtee
+actions.
 .El
 .Ss RULE BODY
 The body of a rule contains zero or more patterns (such as
@@ -1902,8 +1920,10 @@ firewall even if compiled in.
 .It Em net.inet.ip.fw.one_pass : No 1
 When set, the packet exiting from the
 .Xr dummynet 4
-pipe is not passed though the firewall again.
-Otherwise, after a pipe action, the packet is
+pipe or from
+.Xr ng_ipfw 4
+node is not passed though the firewall again.
+Otherwise, after an action, the packet is
 reinjected into the firewall at the next rule.
 .It Em net.inet.ip.fw.verbose : No 1
 Enables verbose messages.
@@ -2325,6 +2345,7 @@ the sleep terminates thus restoring the previous situation.
 .Xr bridge 4 ,
 .Xr divert 4 ,
 .Xr dummynet 4 ,
+.Xr ng_ipfw 4 ,
 .Xr ip 4 ,
 .Xr ipfirewall 4 ,
 .Xr protocols 5 ,