Manpage for ng_ipfw node.

svn path=/head/; revision=141365

share/man/man4/Makefile

@@ -179,6 +179,7 @@ MAN=	aac.4 \
 	ng_hub.4 \
 	ng_iface.4 \
 	ng_ip_input.4 \
+	ng_ipfw.4 \
 	ng_ksocket.4 \
 	ng_l2cap.4 \
 	ng_l2tp.4 \

share/man/man4/ng_ipfw.4

@@ -0,0 +1,123 @@
+.\" Copyright (c) 2005 Gleb Smirnoff
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.Dd February 5, 2005
+.Dt NG_IPFW 4
+.Os
+.Sh NAME
+.Nm ng_ipfw
+.Nd interface between netgraph and IP firewall
+.Sh SYNOPSIS
+.In netgraph/ng_ipfw.h
+.Sh DESCRIPTION
+The
+.Nm ipfw
+node implements an interface between
+.Xr ipfw 4
+and
+.Xr netgraph 4
+subsystems.
+.Sh HOOKS
+The
+.Nm ipfw
+node supports an arbitrary number of hooks,
+which must be named using only numeric characters.
+.Sh OPERATION
+Once
+.Nm
+module is loaded into the kernel, a single node named
+.Qq ipfw
+is automatically created.
+No more
+.Nm ipfw
+nodes can be created.
+Once destroyed, the only way to recreate node is reload
+.Nm
+module.
+.Pp
+Packets can be injected into netgraph using either
+.Cm netgraph
+or
+.Cm ngtee
+commands of
+.Xr ipfw 8
+utility.
+These commands require a numeric cookie to be supplied as argument.
+Packets are sent out of the hook, which name is equal cookie value.
+If no hook matches, packets are discarded.
+Packets injected via
+.Cm netgraph
+command are tagged with
+.Vt "struct ng_ipfw_tag" .
+The tag contains information, which helps node to reenter packet into
+.Xr ipfw 4
+processing, if the packet will come back to node from netgraph.
+.Bd -literal -offset 4n
+struct ng_ipfw_tag {
+	struct m_tag	mt;		/* tag header */
+	struct ip_fw	*rule;		/* matching rule */
+        struct ifnet	*ifp;		/* interface, for ip_output */
+	int		dir;		/* packet direction */
+#define	NG_IPFW_OUT	0
+#define	NG_IPFW_IN	1
+	int		flags;		/* flags, for ip_output() */
+};
+.Ed
+.Pp
+Packets received by node from netgraph must be tagged with
+.Vt "struct ng_ipfw_tag"
+tag.
+Packets reenter IP firewall processing at the next rule.
+If no tag is supplied, packets are discarded.
+.Sh CONTROL MESSAGES
+The
+.Nm ipfw
+node does not have any type specific control messages.
+.Sh SHUTDOWN
+This node shuts down upon receipt of a
+.Dv NGM_SHUTDOWN
+control message.
+Don't do this, since new
+.Nm ipfw
+node can be created only reloading
+.Nm
+module.
+.Sh SEE ALSO
+.Xr netgraph 4 ,
+.Xr ipfw 4 ,
+.Xr ipfw 8 ,
+.Xr mbuf_tags 8
+.Sh HISTORY
+The
+.Nm ipfw
+node type was implemented in
+.Fx 6.0 .
+.Sh AUTHORS
+.An -nosplit
+The
+.Nm ipfw
+node was written by
+.An "Gleb Smirnoff" Aq glebius@FreeBSD.org .