:man| Alphabetical   Categories   About us 
 
NG_BPF (4) | Special files and drivers | Unix Manual Pages | :man

NAME

ng_bpf - Berkeley packet filter netgraph node type

CONTENTS

Synopsis
Description
Hooks
Control Messages
Shutdown
Examples
See Also
History
Authors
Bugs

SYNOPSIS


.In sys/types.h
.In net/bpf.h
.In netgraph.h
.In netgraph/ng_bpf.h

DESCRIPTION

The bpf node type allows Berkeley Packet Filter (see bpf(4)) filters to be applied to data travelling through a Netgraph network. Each node allows an arbitrary number of connections to arbitrarily named hooks. With each hook is associated a bpf(4) filter program which is applied to incoming data only, a destination hook for matching packets, a destination hook for non-matching packets, and various statistics counters.

A bpf(4) program returns an unsigned integer, which is normally interpreted as the length of the prefix of the packet to return. In the context of this node type, returning zero is considered a non-match, in which case the entire packet is delivered out the non-match destination hook. Returning a value greater than zero causes the packet to be truncated to that length and delivered out the match destination hook. Either or both destination hooks may be the empty string, or may not exist, in which case the packet is dropped.

New hooks are initially configured to drop all packets. A new filter program may be installed using the NGM_BPF_SET_PROGRAM control message.

HOOKS

This node type supports any number of hooks having arbitrary names.

CONTROL MESSAGES

This node type supports the generic control messages, plus the following:
NGM_BPF_SET_PROGRAM
This command sets the filter program that will be applied to incoming data on a hook. The following structure must be supplied as an argument:
struct ng_bpf_hookprog {
char thisHook[NG_HOOKSIZ];/* name of hook */
char ifMatch[NG_HOOKSIZ]; /* match dest hook */
char ifNotMatch[NG_HOOKSIZ]; /* !match dest hook */
int32_t bpf_prog_len; /* #isns in program */
struct bpf_insn bpf_prog[0]; /* bpf program */
};

The hook to be updated is specified in thisHook. The BPF program is the sequence of instructions in the bpf_prog array; there must be bpf_prog_len of them. Matching and non-matching incoming packets are delivered out the hooks named ifMatch and ifNotMatch, respectively. The program must be a valid bpf(4) program or else EINVAL is returned.

NGM_BPF_GET_PROGRAM
This command takes an ASCII string argument, the hook name, and returns the corresponding "struct ng_bpf_hookprog" as shown above.
NGM_BPF_GET_STATS
This command takes an ASCII string argument, the hook name, and returns the statistics associated with the hook as a "struct ng_bpf_hookstat".
NGM_BPF_CLR_STATS
This command takes an ASCII string argument, the hook name, and clears the statistics associated with the hook.
NGM_BPF_GETCLR_STATS
This command is identical to NGM_BPF_GET_STATS, except that the statistics are also atomically cleared.

SHUTDOWN

This node shuts down upon receipt of a NGM_SHUTDOWN control message, or when all hooks have been disconnected.

EXAMPLES

It is possible to configure a node from the command line, using tcpdump(1) to generate raw BPF instructions which are then fed into an awk(1) script to create the ASCII form of a NGM_BPF_SET_PROGRAM control message, as demonstrated here:
#!/bin/sh


PATTERN="tcp dst port 80"
NODEPATH="my_node:"
INHOOK="hook1"
MATCHHOOK="hook2"
NOTMATCHHOOK="hook3"


cat > /tmp/bpf.awk << xxENDxx
{
if (!init) {
printf "bpf_prog_len=%d bpf_prog=[", \$1;
init=1;
} else {
printf " { code=%d jt=%d jf=%d k=%d }", \$1, \$2, \$3, \$4;
}
}
END {
print " ]"
}
xxENDxx


BPFPROG=‘tcpdump -s 8192 -ddd ${PATTERN} | awk -f /tmp/bpf.awk‘


ngctl msg ${NODEPATH} setprogram { thisHook=\"${INHOOK}\" \
ifMatch=\"${MATCHHOOK}\" \
ifNotMatch=\"${NOTMATCHHOOK}\" \
${BPFPROG} } }

SEE ALSO

bpf(4), netgraph(4), ngctl(8)

HISTORY

AUTHORS

BUGS

 
Created by Blin Media, 2008-2013