author | archie <archie@FreeBSD.org> | 1999-12-03 21:21:49 +0000 |
---|---|---|
committer | archie <archie@FreeBSD.org> | 1999-12-03 21:21:49 +0000 |
commit | 1edd13e295e6ccc9fabae6f5d194ea28e5360dd6 (patch) | |
tree | 88a42530b337289bae509596b18b3655989a24c9 /sys/modules/netgraph | |
parent | 2bb264d4df9f7a0124b3916344d7be225c4dda75 (diff) | |
New netgraph node type, ng_bpf(8). This node type allows you to
apply bpf(4) filters to data travelling through a netgraph network.
Diffstat (limited to 'sys/modules/netgraph')
-rw-r--r-- | sys/modules/netgraph/Makefile | 2
-rw-r--r-- | sys/modules/netgraph/bpf/Makefile | 11
-rw-r--r-- | sys/modules/netgraph/bpf/ng_bpf.4 | 143
-rw-r--r-- | sys/modules/netgraph/bpf/ng_bpf.8 | 143
4 files changed, 298 insertions, 1 deletions
diff --git a/sys/modules/netgraph/Makefile b/sys/modules/netgraph/Makefile index b3fe13f..ab3e9ed 100644 --- a/sys/modules/netgraph/Makefile +++ b/sys/modules/netgraph/Makefile @@ -1,7 +1,7 @@ # $Whistle: Makefile,v 1.5 1999/01/24 06:48:37 archie Exp $ # $FreeBSD$ -SUBDIR= async cisco echo frame_relay hole iface ksocket lmi netgraph \ +SUBDIR= async bpf cisco echo frame_relay hole iface ksocket lmi netgraph \ ppp pppoe rfc1490 socket tee tty UI vjc .include <bsd.subdir.mk> diff --git a/sys/modules/netgraph/bpf/Makefile b/sys/modules/netgraph/bpf/Makefile new file mode 100644 index 0000000..6f1714c --- /dev/null +++ b/sys/modules/netgraph/bpf/Makefile @@ -0,0 +1,11 @@ +# $FreeBSD$ +# $Whistle: Makefile,v 1.1 1999/12/03 01:44:28 archie Exp $ + +KMOD= ng_bpf +SRCS= ng_bpf.c bpf_filter.c +MAN8= ng_bpf.8 +KMODDEPS= netgraph + +.PATH: ../../../net + +.include <bsd.kmod.mk> diff --git a/sys/modules/netgraph/bpf/ng_bpf.4 b/sys/modules/netgraph/bpf/ng_bpf.4 new file mode 100644 index 0000000..e9079ea --- /dev/null +++ b/sys/modules/netgraph/bpf/ng_bpf.4 
@@ -0,0 +1,143 @@ +.\" Copyright (c) 1999 Whistle Communications, Inc. +.\" All rights reserved. +.\" +.\" Subject to the following obligations and disclaimer of warranty, use and +.\" redistribution of this software, in source or object code forms, with or +.\" without modifications are expressly permitted by Whistle Communications; +.\" provided, however, that: +.\" 1. Any and all reproductions of the source or object code must include the +.\" copyright notice above and the following disclaimer of warranties; and +.\" 2. No rights are granted, in any manner or form, to use Whistle +.\" Communications, Inc. trademarks, including the mark "WHISTLE +.\" COMMUNICATIONS" on advertising, endorsements, or otherwise except as +.\" such appears in the above copyright notice or in the software. +.\" +.\" THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS", AND +.\" TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO +.\" REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE, +.\" INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. +.\" WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY +.\" REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS +.\" SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. 
+.\" IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES +.\" RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING +.\" WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +.\" PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR +.\" SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY +.\" OF SUCH DAMAGE. +.\" +.\" Author: Archie Cobbs <archie@whistle.com> +.\" +.\" $FreeBSD$ +.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $ +.\" +.Dd December 2, 1999 +.Dt NG_BPF 8 +.Os FreeBSD 4.0 +.Sh NAME +.Nm ng_bpf +.Nd Berkeley packet filter netgraph node type +.Sh SYNOPSIS +.Fd #include <net/bpf.h> +.Fd #include <netgraph/ng_bpf.h> +.Sh DESCRIPTION +The +.Nm bpf +node type allows Berkeley Packet Filter (see +.Xr bpf 8 ) +filters to be applied to data travelling through a Netgraph network. +Each node allows an arbitrary number of connections to arbitrarily +named hooks. With each hook is associated a +.Xf bpf 8 +filter program which is applied to incoming data only, a destination hook +for matching packets, a destination hook for non-matching packets, +and various statistics counters. +.Pp +A +.Xr bpf 8 +program returns an unsigned integer, which is normally interpreted as +the length of the prefix of the packet to return. In the context of this +node type, returning zero is considered a non-match, in which case the +entire packet is delivered out the non-match destination hook. +Returning a value greater than zero causes the packet to be truncated +to that length and delivered out the match destination hook. +Either or both destination hooks may be the empty string, or may +not exist, in which case the packet is dropped. 
+.Pp +New hooks are initially configured to drop all packets. +A new filter may be installed using the +.Dv NGM_BPF_SET_FILTER +control message. +.Sh HOOKS +This node type supports any number of hooks having arbitrary names. +.Sh CONTROL MESSAGES +This node type supports the generic control messages, plus the following: +.Bl -tag -width foo +.It Dv NGM_BPF_SET_FILTER +This command sets the filter program that will be applied to incoming +data on a hook. The following structure must be supplied as an argument: +.Bd -literal -offset 4n +struct ngm_bpf_hookprog { + char thisHook[NG_HOOKLEN+1]; /* name of hook */ + char ifMatch[NG_HOOKLEN+1]; /* match dest hook */ + char ifNotMatch[NG_HOOKLEN+1]; /* !match dest hook */ + int32_t bpf_prog_len; /* #isns in program */ + struct bpf_insn bpf_prog[0]; /* bpf program */ +}; +.Ed +.Pp +The hook to be updated is specified in +.Dv thisHook . +The BPF program is the sequence of instructions in the +.Dv bpf_prog +array; there must be +.Dv bpf_prog_len +of them. +Matching and non-matching incoming packets are delivered out the hooks named +.Dv ifMatch +and +.Dv ifNotMatch , +respectively. The program must be a valid +.Xr bpf 8 +program or else +.Er EINVAL +is returned. +.It Dv NGM_BPF_GET_FILTER +This command takes an ASCII string argument, the hook name, and returns the +corresponding +.Dv "struct ngm_bpf_hookprog" +as shown above. +.It Dv NGM_BPF_GET_STATS +This command takes an ASCII string argument, the hook name, and returns the +statistics associated with the hook as a +.Dv "struct ng_bpf_hookstat" . +.It Dv NGM_BPF_CLR_STATS +This command takes an ASCII string argument, the hook name, and clears the +statistics associated with the hook. +.It Dv NGM_BPF_GETCLR_STATS +This command is identical to +.Dv NGM_BPF_GET_STATS , +except that the statistics are also atomically cleared. +.El +.Sh SHUTDOWN +This node shuts down upon receipt of a +.Dv NGM_SHUTDOWN +control message, or when all hooks have been disconnected. 
+.Sh BUGS +When built as a loadable kernel module, this module includes the file +.Dv "net/bpf_filter.c" . +Although loading the module should fail if +.Dv "net/bpf_filter.c" +already exists in the kernel, currently it does not, and the duplicate +copies of the file do not interfere. +However, this may change in the future. +.Sh SEE ALSO +.Xr netgraph 4 , +.Xr bpf 4 , +.Xr ngctl 8 . +.Sh AUTHOR +Archie Cobbs <archie@whistle.com> diff --git a/sys/modules/netgraph/bpf/ng_bpf.8 b/sys/modules/netgraph/bpf/ng_bpf.8 new file mode 100644 index 0000000..e9079ea --- /dev/null +++ b/sys/modules/netgraph/bpf/ng_bpf.8 
@@ -0,0 +1,143 @@ +.\" Copyright (c) 1999 Whistle Communications, Inc. +.\" All rights reserved. +.\" +.\" Subject to the following obligations and disclaimer of warranty, use and +.\" redistribution of this software, in source or object code forms, with or +.\" without modifications are expressly permitted by Whistle Communications; +.\" provided, however, that: +.\" 1. Any and all reproductions of the source or object code must include the +.\" copyright notice above and the following disclaimer of warranties; and +.\" 2. No rights are granted, in any manner or form, to use Whistle +.\" Communications, Inc. trademarks, including the mark "WHISTLE +.\" COMMUNICATIONS" on advertising, endorsements, or otherwise except as +.\" such appears in the above copyright notice or in the software. +.\" +.\" THIS SOFTWARE IS BEING PROVIDED BY WHISTLE COMMUNICATIONS "AS IS", AND +.\" TO THE MAXIMUM EXTENT PERMITTED BY LAW, WHISTLE COMMUNICATIONS MAKES NO +.\" REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED, REGARDING THIS SOFTWARE, +.\" INCLUDING WITHOUT LIMITATION, ANY AND ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. +.\" WHISTLE COMMUNICATIONS DOES NOT WARRANT, GUARANTEE, OR MAKE ANY +.\" REPRESENTATIONS REGARDING THE USE OF, OR THE RESULTS OF THE USE OF THIS +.\" SOFTWARE IN TERMS OF ITS CORRECTNESS, ACCURACY, RELIABILITY OR OTHERWISE. 
+.\" IN NO EVENT SHALL WHISTLE COMMUNICATIONS BE LIABLE FOR ANY DAMAGES +.\" RESULTING FROM OR ARISING OUT OF ANY USE OF THIS SOFTWARE, INCLUDING +.\" WITHOUT LIMITATION, ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +.\" PUNITIVE, OR CONSEQUENTIAL DAMAGES, PROCUREMENT OF SUBSTITUTE GOODS OR +.\" SERVICES, LOSS OF USE, DATA OR PROFITS, HOWEVER CAUSED AND UNDER ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY +.\" OF SUCH DAMAGE. +.\" +.\" Author: Archie Cobbs <archie@whistle.com> +.\" +.\" $FreeBSD$ +.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $ +.\" +.Dd December 2, 1999 +.Dt NG_BPF 8 +.Os FreeBSD 4.0 +.Sh NAME +.Nm ng_bpf +.Nd Berkeley packet filter netgraph node type +.Sh SYNOPSIS +.Fd #include <net/bpf.h> +.Fd #include <netgraph/ng_bpf.h> +.Sh DESCRIPTION +The +.Nm bpf +node type allows Berkeley Packet Filter (see +.Xr bpf 8 ) +filters to be applied to data travelling through a Netgraph network. +Each node allows an arbitrary number of connections to arbitrarily +named hooks. With each hook is associated a +.Xf bpf 8 +filter program which is applied to incoming data only, a destination hook +for matching packets, a destination hook for non-matching packets, +and various statistics counters. +.Pp +A +.Xr bpf 8 +program returns an unsigned integer, which is normally interpreted as +the length of the prefix of the packet to return. In the context of this +node type, returning zero is considered a non-match, in which case the +entire packet is delivered out the non-match destination hook. +Returning a value greater than zero causes the packet to be truncated +to that length and delivered out the match destination hook. +Either or both destination hooks may be the empty string, or may +not exist, in which case the packet is dropped. 
+.Pp +New hooks are initially configured to drop all packets. +A new filter may be installed using the +.Dv NGM_BPF_SET_FILTER +control message. +.Sh HOOKS +This node type supports any number of hooks having arbitrary names. +.Sh CONTROL MESSAGES +This node type supports the generic control messages, plus the following: +.Bl -tag -width foo +.It Dv NGM_BPF_SET_FILTER +This command sets the filter program that will be applied to incoming +data on a hook. The following structure must be supplied as an argument: +.Bd -literal -offset 4n +struct ngm_bpf_hookprog { + char thisHook[NG_HOOKLEN+1]; /* name of hook */ + char ifMatch[NG_HOOKLEN+1]; /* match dest hook */ + char ifNotMatch[NG_HOOKLEN+1]; /* !match dest hook */ + int32_t bpf_prog_len; /* #isns in program */ + struct bpf_insn bpf_prog[0]; /* bpf program */ +}; +.Ed +.Pp +The hook to be updated is specified in +.Dv thisHook . +The BPF program is the sequence of instructions in the +.Dv bpf_prog +array; there must be +.Dv bpf_prog_len +of them. +Matching and non-matching incoming packets are delivered out the hooks named +.Dv ifMatch +and +.Dv ifNotMatch , +respectively. The program must be a valid +.Xr bpf 8 +program or else +.Er EINVAL +is returned. +.It Dv NGM_BPF_GET_FILTER +This command takes an ASCII string argument, the hook name, and returns the +corresponding +.Dv "struct ngm_bpf_hookprog" +as shown above. +.It Dv NGM_BPF_GET_STATS +This command takes an ASCII string argument, the hook name, and returns the +statistics associated with the hook as a +.Dv "struct ng_bpf_hookstat" . +.It Dv NGM_BPF_CLR_STATS +This command takes an ASCII string argument, the hook name, and clears the +statistics associated with the hook. +.It Dv NGM_BPF_GETCLR_STATS +This command is identical to +.Dv NGM_BPF_GET_STATS , +except that the statistics are also atomically cleared. +.El +.Sh SHUTDOWN +This node shuts down upon receipt of a +.Dv NGM_SHUTDOWN +control message, or when all hooks have been disconnected. 
+.Sh BUGS +When built as a loadable kernel module, this module includes the file +.Dv "net/bpf_filter.c" . +Although loading the module should fail if +.Dv "net/bpf_filter.c" +already exists in the kernel, currently it does not, and the duplicate +copies of the file do not interfere. +However, this may change in the future. +.Sh SEE ALSO +.Xr netgraph 4 , +.Xr bpf 4 , +.Xr ngctl 8 . +.Sh AUTHOR +Archie Cobbs <archie@whistle.com> |
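Review bot: in the sys/modules/netgraph/bpf/Makefile hunk, `SRCS= ng_bpf.c bpf_filter.c` together with `.PATH: ../../../net` builds a private copy of the in-kernel BPF interpreter into the module, and the man page's BUGS section concedes that loading "should fail" when net/bpf_filter.c is already in the kernel but currently does not. Two copies of the interpreter means a later correctness or bounds fix to sys/net/bpf_filter.c only reaches the module when it is rebuilt; please add a Makefile comment pointing at that dependency, and note that `MAN8= ng_bpf.8` installs only the section 8 page while the commit also adds an unreferenced ng_bpf.4 that nothing builds.

Review bot: the sys/modules/netgraph/bpf/ng_bpf.4 hunk is byte-identical to ng_bpf.8 (both are blob e9079ea) yet carries `.Dt NG_BPF 8` and `.Xr bpf 8` in a file named for section 4, while its own SEE ALSO lists `.Xr netgraph 4` and `.Xr bpf 4`. Keep one file and fix the section consistently (if this is the section 4 page, `.Dt NG_BPF 4` and `.Xr bpf 4` throughout); in the same hunk `.Xf bpf 8` is not an mdoc macro and should be `.Xr bpf 4`, and the struct comment `/* #isns in program */` should read `/* #insns in program */`.

Review bot: in the sys/modules/netgraph/bpf/ng_bpf.8 hunk, the NGM_BPF_SET_FILTER description states that an invalid program yields EINVAL but says nothing about how `int32_t bpf_prog_len` is reconciled with the actual length of the control message argument, even though `struct bpf_insn bpf_prog[0]` is a variable-length trailer. Since a negative or oversized count would otherwise describe instructions beyond the end of the message, the page should state that the node rejects a message whose argument length does not equal sizeof(struct ngm_bpf_hookprog) plus bpf_prog_len instructions with EINVAL, and the description of the match case should also say what happens when the returned length exceeds the packet length (whether the packet is delivered unchanged or dropped).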