diff options
author | darrenr <darrenr@FreeBSD.org> | 2000-05-10 13:37:51 +0000 |
---|---|---|
committer | darrenr <darrenr@FreeBSD.org> | 2000-05-10 13:37:51 +0000 |
commit | 5419f3d5951bfa7ddfea18f6623c918e633fe2de (patch) | |
tree | c3a4574b3bb25074705fc76c643ac47195c55d27 /share/man/man9/pfil.9 | |
parent | bc4bf27e62e20a5e26c1bd5352624188be07c599 (diff) | |
download | FreeBSD-src-5419f3d5951bfa7ddfea18f6623c918e633fe2de.zip FreeBSD-src-5419f3d5951bfa7ddfea18f6623c918e633fe2de.tar.gz |
Add pfil(9) subroutines and manpage from NetBSD.
Diffstat (limited to 'share/man/man9/pfil.9')
-rw-r--r-- | share/man/man9/pfil.9 | 134 |
1 files changed, 134 insertions, 0 deletions
diff --git a/share/man/man9/pfil.9 b/share/man/man9/pfil.9 new file mode 100644 index 0000000..a7eb36f --- /dev/null +++ b/share/man/man9/pfil.9 @@ -0,0 +1,134 @@ +.\" $FreeBSD$ +.\" +.\" Copyright (c) 1996 Matthew R. Green +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" 3. The name of the author may not be used to endorse or promote products +.\" derived from this software without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED +.\" AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +.\" OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.Dd August 4, 1996 +.Dt PFIL 9 +.Os +.Sh NAME +.Nm pfil , +.Nm pfil_hook_get , +.Nm pfil_add_hook , +.Nm pfil_remove_hook +.Nd packet filter interface +.Sh SYNOPSIS +.Fd #include <sys/param.h> +.Fd #include <sys/mbuf.h> +.Fd #include <net/if.h> +.Fd #include <net/pfil.h> +.Ft struct packet_filter_hook * +.Fn pfil_hook_get "int" "struct pfil_head *" +.Ft void +.Fn pfil_add_hook "int (*func)()" "int flags" "struct pfil_head *" +.Ft void +.Fn pfil_remove_hook "int (*func)()" "int flags" "struct pfil_head *" +.\"(void *, int, struct ifnet *, int, struct mbuf **) +.Sh DESCRIPTION +The +.Nm +interface allows a function to be called on every incoming or outgoing +packets. The hooks for these are embedded in the +.Fn ip_input +and +.Fn ip_output +routines. The +.Fn pfil_hook_get +function returns the first member of a particular hook, either the in or out +list. The +.Fn pfil_add_hook +function takes a function of the form below as it's first argument, and the +flags for which lists to add the function to. The possible values for these +flags are some combination of PFIL_IN and PFIL_OUT. The +.Fn pfil_remove_hook +removes a hook from the specified lists. +.Pp +The +.Va func +argument is a function with the following prototype. +.Pp +.Fn func "void *data" "int hlen" "struct ifnet *net" "int dir" "struct mbuf **m" +.Pp +The +.Va data +describes the packet. Currently, this may only be a pointer to a ip structure. The +.Va net +and +.Va m +arguments describe the network interface and the mbuf holding data for this +packet. The +.Va dir +is the direction; 0 for incoming packets and 1 for outgoing packets. if the function +returns non-zero, this signals an error and no further processing of this packet is +performed. The function should set errno to indicate the nature of the error. +It is the hook's responsibiliy to free the chain if the packet is being dropped. +.Pp +The +.Nm +interface is enabled in the kernel via the +.Sy PFIL_HOOKS +option. +.Sh RETURN VALUES +If successful +.Fn pfil_hook_get +returns the first member of the packet filter list, +.Fn pfil_add_hook +and +.Fn pfil_remove_hook +are expected to always succeed. +.Sh HISTORY +The +.Nm +interface first appeared in +.Nx 1.3 . +The +.Nm +input and output lists were originally implemented as +.Fd <sys/queue.h> +.Dv LIST +structures; +however this was changed in +.Nx 1.4 +to +.Dv TAILQ +structures. This change was to allow the input and output filters to be +processed in reverse order, to allow the same path to be taken, in or out +of the kernel. +.Pp +The +.Nm +interface was changed in 1.4T to accept a 3rd parameter to both +.Fn pfil_add_hook +and +.Fn pfil_remove_hook +, introducing the capability of per-protocol filtering. This was done +primarily in order to support filtering of IPv6. +.Sh BUGS +The current +.Nm +implementation will need changes to suit a threaded kernel model. +.Sh SEE ALSO +.Xr bpf 4 |