NAME

SYNOPSIS

DESCRIPTION

Each node allows an arbitrary number of connections to arbitrarily named hooks. With each hook is associated a tag which will be searched in the list of all tags attached to a packet incoming to this hook, a destination hook for matching packets, a destination hook for non-matching packets, a tag which will be appended to data leaving node through this hook, and various statistics counters.

The list of incoming packet's tags is traversed to find a tag with specified type and cookie values. Upon match, if specified tag_len is non-zero, tag_data of tag is checked to be identical to that specified in the hook structure. Packets with matched tags are forwarded to “match” destination hook, or forwarded to “non-match” hook otherwise. Either or both destination hooks can be an empty string, or may not exist, in which case the packet is dropped.

Tag list of packets leaving the node is extended with a new tag specified in outgoing hook structure (it is possible to avoid appending a new tag to pass packet completely unchanged by specifying zero type and cookie values in the structure of the corresponding outgoing hook). Additionally, a tag can be stripped from incoming packet after match if strip flag is set. This can be used for simple tag removal or tag replacement, if combined with tag addition on outgoing matching hook. Note that new tag is appended unconditionally, without checking if such a tag is already present in the list (it is up to user to check if this is a concern).

New hooks are initially configured to drop all incoming packets (as all hook names are empty strings; zero values can be specified to forward all packets to non-matching hook), and to forward all outgoing packets without any tag appending.

Data payload of packets passing through the node is completely unchanged, all operations can affect tag list only.

HOOKS

CONTROL MESSAGES

NGM_TAG_SET_HOOKIN (sethookin)

This command sets tag values which will be searched in the tag list of incoming packets on a hook. The following structure must be supplied as an argument:

struct ng_tag_hookin {
  char		  thisHook[NG_HOOKSIZ];     /* name of hook */
  char		  ifMatch[NG_HOOKSIZ];	    /* match dest hook */
  char		  ifNotMatch[NG_HOOKSIZ];   /* !match dest hook */
  uint8_t	  strip;		    /* strip tag if found */
  uint32_t	  tag_cookie;		    /* ABI/Module ID */
  uint16_t	  tag_id;		    /* tag ID */
  uint16_t	  tag_len;		    /* length of data */
  uint8_t	  tag_data[0];		    /* tag data */
};
    

The hook to be updated is specified in thisHook. Data bytes of tag corresponding to specified tag_id (type) and tag_cookie are placed in the tag_data array; there must be tag_len of them. Matching and non-matching incoming packets are delivered out the hooks named ifMatch and ifNotMatch, respectively. If strip flag is non-zero, then found tag is deleted from list of packet tags.

NGM_TAG_GET_HOOKIN (gethookin)

This command takes an ASCII string argument, the hook name, and returns the corresponding struct ng_tag_hookin as shown above.

NGM_TAG_SET_HOOKOUT (sethookout)

This command sets tags values which will be applied to outgoing packets. The following structure must be supplied as an argument:

struct ng_tag_hookout {
  char		  thisHook[NG_HOOKSIZ];     /* name of hook */
  uint32_t	  tag_cookie;		    /* ABI/Module ID */
  uint16_t	  tag_id;		    /* tag ID */
  uint16_t	  tag_len;		    /* length of data */
  uint8_t	  tag_data[0];		    /* tag data */
};
    

The hook to be updated is specified in thisHook. Other variables mean basically the same as in struct ng_tag_hookin shown above, except used for setting values in a new tag.

NGM_TAG_GET_HOOKOUT (gethookout)

This command takes an ASCII string argument, the hook name, and returns the corresponding struct ng_tag_hookout as shown above.

NGM_TAG_GET_STATS (getstats)

This command takes an ASCII string argument, the hook name, and returns the statistics associated with the hook as a struct ng_tag_hookstat.

NGM_TAG_CLR_STATS (clrstats)

This command takes an ASCII string argument, the hook name, and clears the statistics associated with the hook.

NGM_TAG_GETCLR_STATS (getclrstats)

This command is identical to NGM_TAG_GET_STATS, except that the statistics are also atomically cleared.

Note: statistics counters as well as three statistics messages above work only if code was compiled with the NG_TAG_DEBUG option. The reason for this is that statistics is rarely used in practice, but still consumes CPU cycles for every packet. Moreover, it is even not accurate on SMP systems due to lack of synchronization between threads, as this is very expensive.

SHUTDOWN

EXAMPLES

So, this is ngctl(8) script for nodes creating and naming for easier access:

/usr/sbin/ngctl -f- <<-SEQ
	mkpeer ipfw: bpf 41 ipfw
	name ipfw:41 dcbpf
	mkpeer dcbpf: tag matched th1
	name dcbpf:matched ngdc
SEQ

Now “ngdc” node (which is of type ng_tag) must be programmed to echo all packets received on the “th1” hook back, with the ipfw(8) tag 412 attached. MTAG_IPFW value for tag_cookie was taken from file <netinet/ip_fw.h> and value for tag_id is tag number (412), with zero tag length:

ngctl msg ngdc: sethookin { thisHook=\"th1\" ifNotMatch=\"th1\" }
ngctl msg ngdc: sethookout { thisHook=\"th1\" \
  tag_cookie=1148380143 \
  tag_id=412 }

Do not forget to program ng_bpf(4) “ipfw” hook with the above expression (see ng_bpf(4) for script doing this) and “matched” hook with an empty expression:

ngctl msg dcbpf: setprogram { thisHook=\"matched\" ifMatch=\"ipfw\" \
  bpf_prog_len=1 bpf_prog=[ { code=6 k=8192 } ] }

After finishing with netgraph(4) nodes, ipfw(8) rules must be added to enable packet flow:

ipfw add 100 netgraph 41 tcp from any to any iplen 46
ipfw add 110 reset tcp from any to any tagged 412

Note: one should ensure that packets are returned to ipfw after processing inside netgraph(4), by setting appropriate sysctl(8) variable:

sysctl net.inet.ip.fw.one_pass=0

SEE ALSO

HISTORY

AUTHORS

BUGS