Differential D26488 Diff 77312 head/share/man/man4/ng_bpf.4

Changeset View

Standalone View

head/share/man/man4/ng_bpf.4

	Show All 29 Lines
	.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY			.\" THIS SOFTWARE, EVEN IF WHISTLE COMMUNICATIONS IS ADVISED OF THE POSSIBILITY
	.\" OF SUCH DAMAGE.			.\" OF SUCH DAMAGE.
	.\"			.\"
	.\" Author: Archie Cobbs <archie@FreeBSD.org>			.\" Author: Archie Cobbs <archie@FreeBSD.org>
	.\"			.\"
	.\" $FreeBSD$			.\" $FreeBSD$
	.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $			.\" $Whistle: ng_bpf.8,v 1.2 1999/12/03 01:57:12 archie Exp $
	.\"			.\"
	.Dd April 29, 2020			.Dd September 20, 2020
	.Dt NG_BPF 4			.Dt NG_BPF 4
	.Os			.Os
	.Sh NAME			.Sh NAME
	.Nm ng_bpf			.Nm ng_bpf
	.Nd Berkeley packet filter netgraph node type			.Nd Berkeley packet filter netgraph node type
	.Sh SYNOPSIS			.Sh SYNOPSIS
	.In sys/types.h			.In sys/types.h
	.In net/bpf.h			.In net/bpf.h
	▲ Show 20 Lines • Show All 61 Lines • ▼ Show 20 Lines
	.Dv ifNotMatch ,			.Dv ifNotMatch ,
	respectively.			respectively.
	The program must be a valid			The program must be a valid
	.Xr bpf 4			.Xr bpf 4
	program or else			program or else
	.Er EINVAL			.Er EINVAL
	is returned.			is returned.
	.It Dv NGM_BPF_GET_PROGRAM Pq Ic getprogram			.It Dv NGM_BPF_GET_PROGRAM Pq Ic getprogram
	This command takes an			This command takes an ASCII
	.Tn ASCII
	string argument, the hook name, and returns the			string argument, the hook name, and returns the
	corresponding			corresponding
	.Dv "struct ng_bpf_hookprog"			.Dv "struct ng_bpf_hookprog"
	as shown above.			as shown above.
	.It Dv NGM_BPF_GET_STATS Pq Ic getstats			.It Dv NGM_BPF_GET_STATS Pq Ic getstats
	This command takes an			This command takes an ASCII
	.Tn ASCII
	string argument, the hook name, and returns the			string argument, the hook name, and returns the
	statistics associated with the hook as a			statistics associated with the hook as a
	.Dv "struct ng_bpf_hookstat" .			.Dv "struct ng_bpf_hookstat" .
	.It Dv NGM_BPF_CLR_STATS Pq Ic clrstats			.It Dv NGM_BPF_CLR_STATS Pq Ic clrstats
	This command takes an			This command takes an ASCII
	.Tn ASCII
	string argument, the hook name, and clears the			string argument, the hook name, and clears the
	statistics associated with the hook.			statistics associated with the hook.
	.It Dv NGM_BPF_GETCLR_STATS Pq Ic getclrstats			.It Dv NGM_BPF_GETCLR_STATS Pq Ic getclrstats
	This command is identical to			This command is identical to
	.Dv NGM_BPF_GET_STATS ,			.Dv NGM_BPF_GET_STATS ,
	except that the statistics are also atomically cleared.			except that the statistics are also atomically cleared.
	.El			.El
	.Sh SHUTDOWN			.Sh SHUTDOWN
	This node shuts down upon receipt of a			This node shuts down upon receipt of a
	.Dv NGM_SHUTDOWN			.Dv NGM_SHUTDOWN
	control message, or when all hooks have been disconnected.			control message, or when all hooks have been disconnected.
	.Sh EXAMPLES			.Sh EXAMPLES
	It is possible to configure a node from the command line, using			It is possible to configure a node from the command line, using
	.Xr tcpdump 1			.Xr tcpdump 1
	to generate raw BPF instructions which are then fed into an			to generate raw BPF instructions which are then transformed
	.Xr awk 1			into the ASCII form of a
	script to create the ASCII form of a
	.Dv NGM_BPF_SET_PROGRAM			.Dv NGM_BPF_SET_PROGRAM
	control message, as demonstrated here:			control message, as demonstrated here:
	.Bd -literal -offset 4n			.Bd -literal -offset 4n
	#!/bin/sh			#!/bin/sh

	PATTERN="tcp dst port 80"			PATTERN="tcp dst port 80"
	NODEPATH="my_node:"			NODEPATH="my_node:"
	INHOOK="hook1"			INHOOK="hook1"
	MATCHHOOK="hook2"			MATCHHOOK="hook2"
	NOTMATCHHOOK="hook3"			NOTMATCHHOOK="hook3"

	BPFPROG=$( tcpdump -s 8192 -p -ddd ${PATTERN} \| \\			BPFPROG=$( tcpdump -s 8192 -p -ddd ${PATTERN} \| \\
	( read len ; \\			( read len ; \\
	echo -n "bpf_prog_len=$len " ; \\			echo -n "bpf_prog_len=$len " ; \\
	echo -n "bpf_prog=[" ; \\			echo -n "bpf_prog=[" ; \\
	while read code jt jf k ; do \\			while read code jt jf k ; do \\
	echo -n " { code=$code jt=$jt jf=$jf k=$k }" ; \\			echo -n " { code=$code jt=$jt jf=$jf k=$k }" ; \\
	done ; \\			done ; \\
	echo " ]" ) )			echo " ]" ) )

	ngctl msg ${NODEPATH} setprogram { thisHook=\\"${INHOOK}\\" \\			ngctl msg ${NODEPATH} setprogram { thisHook=\\"${INHOOK}\\" \\
	ifMatch=\\"${MATCHHOOK}\\" \\			ifMatch=\\"${MATCHHOOK}\\" \\
	ifNotMatch=\\"${NOTMATCHHOOK}\\" \\			ifNotMatch=\\"${NOTMATCHHOOK}\\" \\
	${BPFPROG} }			${BPFPROG} }
				.Ed
				.Pp
				Based on the previous example, it is possible to prevent a jail (or a VM)
				from spoofing by allowing only traffic that has the expected ethernet and
				IP addresses:
				.Bd -literal -offset 4n
				#!/bin/sh

				NODEPATH="my_node:"
				JAIL_MAC="0a:00:de:ad:be:ef"
				JAIL_IP="128.66.1.42"
				JAIL_HOOK="jail"
				HOST_HOOK="host"
				DEBUG_HOOK="nomatch"

				bpf_prog() {
				local PATTERN=$1

				tcpdump -s 8192 -p -ddd ${PATTERN} \| (
				read len
				echo -n "bpf_prog_len=$len "
				echo -n "bpf_prog=["
				while read code jt jf k ; do
				echo -n " { code=$code jt=$jt jf=$jf k=$k }"
				done
				echo " ]"
				)
				}

				# Prevent jail from spoofing (filter packets coming from jail)
				ngctl msg ${NODEPATH} setprogram { \\
				thisHook=\\"${JAIL_HOOK}\\" \\
				ifMatch=\\"${HOST_HOOK}\\" \\
				ifNotMatch=\\"${DEBUG_HOOK}\\" \\
				$(bpf_prog "ether src ${JAIL_MAC} && src ${JAIL_IP}") \\
				}

				# Prevent jail from receiving spoofed packets (filter packets
				# coming from host)
				ngctl msg ${NODEPATH} setprogram { \\
				thisHook=\\"${HOST_HOOK}\\" \\
				ifMatch=\\"${JAIL_HOOK}\\" \\
				ifNotMatch=\\"${DEBUG_HOOK}\\" \\
				$(bpf_prog "ether dst ${JAIL_MAC} && dst ${JAIL_IP}") \\
				}
	.Ed			.Ed
	.Sh SEE ALSO			.Sh SEE ALSO
	.Xr bpf 4 ,			.Xr bpf 4 ,
	.Xr netgraph 4 ,			.Xr netgraph 4 ,
	.Xr ngctl 8			.Xr ngctl 8
	.Sh HISTORY			.Sh HISTORY
	The			The
	.Nm			.Nm
	Show All 12 Lines