pfil(9) - NetBSD Manual Pages

Command: Section: Arch: Collection:   
PFIL(9)                      NetBSD Kernel Manual                      PFIL(9)


NAME

     pfil, pfil_hook_get, pfil_add_hook, pfil_remove_hook - packet filter in-
     terface


SYNOPSIS

     #include <sys/param.h>
     #include <sys/mbuf.h>
     #include <net/if.h>
     #include <net/pfil.h>

     struct packet_filter_hook *
     pfil_hook_get(int, struct pfil_head *);

     void
     pfil_add_hook(int (*func)(), int flags, struct pfil_head *);

     void
     pfil_remove_hook(int (*func)(), int flags, struct pfil_head *);


DESCRIPTION

     The pfil interface allows a function to be called on every incoming or
     outgoing packets.  The hooks for these are embedded in the ip_input() and
     ip_output() routines.  The pfil_hook_get() function returns the first
     member of a particular hook, either the in or out list.  The
     pfil_add_hook() function takes a function of the form below as it's first
     argument, and the flags for which lists to add the function to.  The pos-
     sible values for these flags are some combination of PFIL_IN and
     PFIL_OUT.  The pfil_remove_hook() removes a hook from the specified
     lists.

     The func argument is a function with the following prototype.

     func(void *data, int hlen, struct ifnet *net, int dir, struct mbuf **m)

     The data describes the packet.  Currently, this may only be a pointer to
     a ip structure.  The net and m arguments describe the network interface
     and the mbuf holding data for this packet.  The dir is the direction; 0
     for incoming packets and 1 for outgoing packets.  if the function returns
     non-zero, this signals an error and no further processing of this packet
     is performed.  The function should set errno to indicate the nature of
     the error.  It is the hook's responsibiliy to free the chain if the pack-
     et is being dropped.

     The pfil interface is enabled in the kernel via the PFIL_HOOKS option.


RETURN VALUES

     If successful pfil_hook_get() returns the first member of the packet fil-
     ter list, pfil_add_hook() and pfil_remove_hook() are expected to always
     succeed.


HISTORY

     The pfil interface first appeared in NetBSD 1.3.  The pfil input and out-
     put lists were originally implemented as <sys/queue.h>
     LIST structures; however this was changed in NetBSD 1.4 to TAILQ struc-
     tures.  This change was to allow the input and output filters to be pro-
     cessed in reverse order, to allow the same path to be taken, in or out of
     the kernel.

     The pfil interface was changed in 1.4T to accept a 3rd parameter to both
     pfil_add_hook() and pfil_remove_hook() , introducing the capability of
     per-protocol filtering.  This was done primarily in order to support fil-
     tering of IPv6.


BUGS

     The current pfil implementation will need changes to suit a threaded ker-
     nel model.


SEE ALSO

     bpf(4)

NetBSD 1.5                      August 4, 1996                               2
Powered by man-cgi (2024-03-20). Maintained for NetBSD by Kimmo Suominen. Based on man-cgi by Panagiotis Christias.