authorarchie <archie@FreeBSD.org>1999-12-03 21:21:49 +0000
committerarchie <archie@FreeBSD.org>1999-12-03 21:21:49 +0000
commit1edd13e295e6ccc9fabae6f5d194ea28e5360dd6 (patch)
tree88a42530b337289bae509596b18b3655989a24c9 /sys/modules/netgraph/bpf
parent2bb264d4df9f7a0124b3916344d7be225c4dda75 (diff)
New netgraph node type, ng_bpf(8). This node type allows you to
apply bpf(4) filters to data travelling through a netgraph network.
Diffstat (limited to 'sys/modules/netgraph/bpf')
-rw-r--r--sys/modules/netgraph/bpf/Makefile11
-rw-r--r--sys/modules/netgraph/bpf/ng_bpf.4143
-rw-r--r--sys/modules/netgraph/bpf/ng_bpf.8143
3 files changed, 297 insertions, 0 deletions
diff --git a/sys/modules/netgraph/bpf/Makefile b/sys/modules/netgraph/bpf/Makefile
new file mode 100644
index 0000000..6f1714c
--- /dev/null
+++ b/sys/modules/netgraph/bpf/Makefile
@@ -0,0 +1,11 @@
+# $FreeBSD$
+# $Whistle: Makefile,v 1.1 1999/12/03 01:44:28 archie Exp $
+
+KMOD= ng_bpf
+SRCS= ng_bpf.c bpf_filter.c
+MAN8= ng_bpf.8
+KMODDEPS= netgraph
+
+.PATH: ../../../net
+
+.include <bsd.kmod.mk>
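Review bot: `SRCS= ng_bpf.c bpf_filter.c` together with `.PATH: ../../../net` builds a private copy of the kernel's BPF filter code into the module, and nothing in this Makefile records or guards that. When the kernel already has bpf configured, two copies of the code that checks and runs filter programs are then loaded. A comment above SRCS would make the intent visible, e.g. `# bpf_filter.c is pulled in from sys/net; this duplicates the kernel's copy when bpf is configured`. Separately, `MAN8= ng_bpf.8` installs only one of the two man pages this commit adds. `ng_bpf.4` has the same blob id (`e9079ea`) and is never referenced here, so it looks like a stray duplicate, and one of the two should probably be dropped.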
diff --git a/sys/modules/netgraph/bpf/ng_bpf.4 b/sys/modules/netgraph/bpf/ng_bpf.4
new file mode 100644
index 0000000..e9079ea
--- /dev/null
+++ b/sys/modules/netgraph/bpf/ng_bpf.4
@@ -0,0 +1,143 @@
+.\" Copyright (c) 1999 Whistle Communications, Inc.
+.\" All rights reserved.
+.\"
+.\" Subject to the following obligations and disclaimer of warranty, use and
+.\" redistribution of this software, in source or object code forms, with or
+.\" without modifications are expressly permitted by Whistle Communications;
+.\" provided, however, that:
+.\" 1. Any and all reproductions of the source or object code must include the
+.\" copyright notice above and the following disclaimer of warranties; and
+.\" 2. No rights are granted, in any manner or form, to use Whistle
+.\" Communications, Inc. trademarks, including the mark "WHISTLE
+.\" COMMUNICATIONS" on advertising, endorsements, or otherwise except as
+.\" such appears in the above copyright notice or in the software.
+.\"
+.\" THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS", AND
+.\" TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO
+.\" REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE,
+.\" INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
+.\" WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY
+.\" REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS
+.\" SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.
+.\" IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES
+.\" RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING
+.\" WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+.\" PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR
+.\" SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY
+.\" OF SUCH DAMAGE.
+.\"
+.\" Author: Archie Cobbs <archie@whistle.com>
+.\"
+.\" $FreeBSD$
+.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $
+.\"
+.Dd December 2, 1999
+.Dt NG_BPF 8
+.Os FreeBSD 4.0
+.Sh NAME
+.Nm ng_bpf
+.Nd Berkeley packet filter netgraph node type
+.Sh SYNOPSIS
+.Fd #include <net/bpf.h>
+.Fd #include <netgraph/ng_bpf.h>
+.Sh DESCRIPTION
+The
+.Nm bpf
+node type allows Berkeley Packet Filter (see
+.Xr bpf 8 )
+filters to be applied to data travelling through a Netgraph network.
+Each node allows an arbitrary number of connections to arbitrarily
+named hooks. With each hook is associated a
+.Xf bpf 8
+filter program which is applied to incoming data only, a destination hook
+for matching packets, a destination hook for non-matching packets,
+and various statistics counters.
+.Pp
+A
+.Xr bpf 8
+program returns an unsigned integer, which is normally interpreted as
+the length of the prefix of the packet to return. In the context of this
+node type, returning zero is considered a non-match, in which case the
+entire packet is delivered out the non-match destination hook.
+Returning a value greater than zero causes the packet to be truncated
+to that length and delivered out the match destination hook.
+Either or both destination hooks may be the empty string, or may
+not exist, in which case the packet is dropped.
+.Pp
+New hooks are initially configured to drop all packets.
+A new filter may be installed using the
+.Dv NGM_BPF_SET_FILTER
+control message.
+.Sh HOOKS
+This node type supports any number of hooks having arbitrary names.
+.Sh CONTROL MESSAGES
+This node type supports the generic control messages, plus the following:
+.Bl -tag -width foo
+.It Dv NGM_BPF_SET_FILTER
+This command sets the filter program that will be applied to incoming
+data on a hook. The following structure must be supplied as an argument:
+.Bd -literal -offset 4n
+struct ngm_bpf_hookprog {
+ char thisHook[NG_HOOKLEN+1]; /* name of hook */
+ char ifMatch[NG_HOOKLEN+1]; /* match dest hook */
+ char ifNotMatch[NG_HOOKLEN+1]; /* !match dest hook */
+ int32_t bpf_prog_len; /* #isns in program */
+ struct bpf_insn bpf_prog[0]; /* bpf program */
+};
+.Ed
+.Pp
+The hook to be updated is specified in
+.Dv thisHook .
+The BPF program is the sequence of instructions in the
+.Dv bpf_prog
+array; there must be
+.Dv bpf_prog_len
+of them.
+Matching and non-matching incoming packets are delivered out the hooks named
+.Dv ifMatch
+and
+.Dv ifNotMatch ,
+respectively. The program must be a valid
+.Xr bpf 8
+program or else
+.Er EINVAL
+is returned.
+.It Dv NGM_BPF_GET_FILTER
+This command takes an ASCII string argument, the hook name, and returns the
+corresponding
+.Dv "struct ngm_bpf_hookprog"
+as shown above.
+.It Dv NGM_BPF_GET_STATS
+This command takes an ASCII string argument, the hook name, and returns the
+statistics associated with the hook as a
+.Dv "struct ng_bpf_hookstat" .
+.It Dv NGM_BPF_CLR_STATS
+This command takes an ASCII string argument, the hook name, and clears the
+statistics associated with the hook.
+.It Dv NGM_BPF_GETCLR_STATS
+This command is identical to
+.Dv NGM_BPF_GET_STATS ,
+except that the statistics are also atomically cleared.
+.El
+.Sh SHUTDOWN
+This node shuts down upon receipt of a
+.Dv NGM_SHUTDOWN
+control message, or when all hooks have been disconnected.
+.Sh BUGS
+When built as a loadable kernel module, this module includes the file
+.Dv "net/bpf_filter.c" .
+Although loading the module should fail if
+.Dv "net/bpf_filter.c"
+already exists in the kernel, currently it does not, and the duplicate
+copies of the file do not interfere.
+However, this may change in the future.
+.Sh SEE ALSO
+.Xr netgraph 4 ,
+.Xr bpf 4 ,
+.Xr ngctl 8 .
+.Sh AUTHOR
+Archie Cobbs <archie@whistle.com>
diff --git a/sys/modules/netgraph/bpf/ng_bpf.8 b/sys/modules/netgraph/bpf/ng_bpf.8
new file mode 100644
index 0000000..e9079ea
--- /dev/null
+++ b/sys/modules/netgraph/bpf/ng_bpf.8
@@ -0,0 +1,143 @@
+.\" Copyright (c) 1999 Whistle Communications, Inc.
+.\" All rights reserved.
+.\"
+.\" Subject to the following obligations and disclaimer of warranty, use and
+.\" redistribution of this software, in source or object code forms, with or
+.\" without modifications are expressly permitted by Whistle Communications;
+.\" provided, however, that:
+.\" 1. Any and all reproductions of the source or object code must include the
+.\" copyright notice above and the following disclaimer of warranties; and
+.\" 2. No rights are granted, in any manner or form, to use Whistle
+.\" Communications, Inc. trademarks, including the mark "WHISTLE
+.\" COMMUNICATIONS" on advertising, endorsements, or otherwise except as
+.\" such appears in the above copyright notice or in the software.
+.\"
+.\" THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS", AND
+.\" TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO
+.\" REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE,
+.\" INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
+.\" WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY
+.\" REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS
+.\" SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE.
+.\" IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES
+.\" RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING
+.\" WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+.\" PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR
+.\" SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY
+.\" OF SUCH DAMAGE.
+.\"
+.\" Author: Archie Cobbs <archie@whistle.com>
+.\"
+.\" $FreeBSD$
+.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $
+.\"
+.Dd December 2, 1999
+.Dt NG_BPF 8
+.Os FreeBSD 4.0
+.Sh NAME
+.Nm ng_bpf
+.Nd Berkeley packet filter netgraph node type
+.Sh SYNOPSIS
+.Fd #include <net/bpf.h>
+.Fd #include <netgraph/ng_bpf.h>
+.Sh DESCRIPTION
+The
+.Nm bpf
+node type allows Berkeley Packet Filter (see
+.Xr bpf 8 )
+filters to be applied to data travelling through a Netgraph network.
+Each node allows an arbitrary number of connections to arbitrarily
+named hooks. With each hook is associated a
+.Xf bpf 8
+filter program which is applied to incoming data only, a destination hook
+for matching packets, a destination hook for non-matching packets,
+and various statistics counters.
+.Pp
+A
+.Xr bpf 8
+program returns an unsigned integer, which is normally interpreted as
+the length of the prefix of the packet to return. In the context of this
+node type, returning zero is considered a non-match, in which case the
+entire packet is delivered out the non-match destination hook.
+Returning a value greater than zero causes the packet to be truncated
+to that length and delivered out the match destination hook.
+Either or both destination hooks may be the empty string, or may
+not exist, in which case the packet is dropped.
+.Pp
+New hooks are initially configured to drop all packets.
+A new filter may be installed using the
+.Dv NGM_BPF_SET_FILTER
+control message.
+.Sh HOOKS
+This node type supports any number of hooks having arbitrary names.
+.Sh CONTROL MESSAGES
+This node type supports the generic control messages, plus the following:
+.Bl -tag -width foo
+.It Dv NGM_BPF_SET_FILTER
+This command sets the filter program that will be applied to incoming
+data on a hook. The following structure must be supplied as an argument:
+.Bd -literal -offset 4n
+struct ngm_bpf_hookprog {
+ char thisHook[NG_HOOKLEN+1]; /* name of hook */
+ char ifMatch[NG_HOOKLEN+1]; /* match dest hook */
+ char ifNotMatch[NG_HOOKLEN+1]; /* !match dest hook */
+ int32_t bpf_prog_len; /* #isns in program */
+ struct bpf_insn bpf_prog[0]; /* bpf program */
+};
+.Ed
+.Pp
+The hook to be updated is specified in
+.Dv thisHook .
+The BPF program is the sequence of instructions in the
+.Dv bpf_prog
+array; there must be
+.Dv bpf_prog_len
+of them.
+Matching and non-matching incoming packets are delivered out the hooks named
+.Dv ifMatch
+and
+.Dv ifNotMatch ,
+respectively. The program must be a valid
+.Xr bpf 8
+program or else
+.Er EINVAL
+is returned.
+.It Dv NGM_BPF_GET_FILTER
+This command takes an ASCII string argument, the hook name, and returns the
+corresponding
+.Dv "struct ngm_bpf_hookprog"
+as shown above.
+.It Dv NGM_BPF_GET_STATS
+This command takes an ASCII string argument, the hook name, and returns the
+statistics associated with the hook as a
+.Dv "struct ng_bpf_hookstat" .
+.It Dv NGM_BPF_CLR_STATS
+This command takes an ASCII string argument, the hook name, and clears the
+statistics associated with the hook.
+.It Dv NGM_BPF_GETCLR_STATS
+This command is identical to
+.Dv NGM_BPF_GET_STATS ,
+except that the statistics are also atomically cleared.
+.El
+.Sh SHUTDOWN
+This node shuts down upon receipt of a
+.Dv NGM_SHUTDOWN
+control message, or when all hooks have been disconnected.
+.Sh BUGS
+When built as a loadable kernel module, this module includes the file
+.Dv "net/bpf_filter.c" .
+Although loading the module should fail if
+.Dv "net/bpf_filter.c"
+already exists in the kernel, currently it does not, and the duplicate
+copies of the file do not interfere.
+However, this may change in the future.
+.Sh SEE ALSO
+.Xr netgraph 4 ,
+.Xr bpf 4 ,
+.Xr ngctl 8 .
+.Sh AUTHOR
+Archie Cobbs <archie@whistle.com>