1.\" Copyright (c) 2012-2017 Pekka Nikander 2.\" Copyright (c) 2018 Retina b.v. 3.\" All rights reserved. 4.\" 5.\" Redistribution and use in source and binary forms, with or without 6.\" modification, are permitted provided that the following conditions 7.\" are met: 8.\" 1. Redistributions of source code must retain the above copyright 9.\" notice, this list of conditions and the following disclaimer. 10.\" 2. Redistributions in binary form must reproduce the above copyright 11.\" notice, this list of conditions and the following disclaimer in the 12.\" documentation and/or other materials provided with the distribution. 13.\" 3. Neither the name of the University nor the names of its contributors 14.\" may be used to endorse or promote products derived from this software 15.\" without specific prior written permission. 16.\" 17.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 18.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 21.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27.\" SUCH DAMAGE. 28.\" 29.Dd December 10, 2018 30.Dt NG_MACFILTER 4 31.Os 32.Sh NAME 33.Nm ng_macfilter 34.Nd packet filtering netgraph node using ethernet MAC addresses 35.Sh SYNOPSIS 36.In sys/types.h 37.In netgraph/ng_macfilter.h 38.Sh DESCRIPTION 39The 40.Nm macfilter 41allows routing ethernet packets over different hooks based on the sender MAC 42address. 43.Pp 44This processing is done when traffic flows from the 45.Dq ether 46hook through 47.Nm macfilter 48to one of the outgoing hooks. 49Outbound hooks can be added to and remove from 50.Nm macfilter 51and arbitrarily named. 52By default one hook called 53.Dq default 54is present and used for all packets which have no MAC address in the MAC table. 55By adding MAC addresses to the MAC table traffic coming from this host can be 56directed out other hooks. 57.Nm macfilter 58keeps track of packets and bytes from and to this MAC address in the MAC table. 59.Pp 60Packets are not altered in any way. 61If hooks are not connected, packets are 62dropped. 63.Sh HOOKS 64This node type by default has an 65.Dv ether 66hook, to be connected to the 67.Dv lower 68hook of the NIC, and a 69.Dv default 70hook where packets are sent if the MAC adddress is not found in the table. 71.Nm macfilter 72supports up to 73.Dv NG_MACFILTER_UPPER_NUM 74hooks to be connected to the NIC's upper hook. 75Other nodes can be inserted to provide additional processing. 76All outbound can be combined back into one by using 77.Dv ng_one2many . 78.Sh CONTROL MESSAGES 79This node type supports the generic control messages, plus the 80following: 81.Bl -tag -width foo 82.It Dv NGM_MACFILTER_RESET Pq Ic reset 83Resets the MAC table in the node. 84.It Dv NGM_MACFILTER_DIRECT Pq Ic direct 85Takes the following argument struct: 86.Bd -literal -offset indent 87struct ngm_macfilter_direct { 88 u_char ether[ETHER_ADDR_LEN]; /* MAC address */ 89 u_char hookname[NG_HOOKSIZ]; /* Upper hook name*/ 90}; 91.Ed 92The given ethernet MAC address will be forwarded out the named hook. 93.It Dv NGM_MACFILTER_DIRECT_HOOKID Pq Ic directi 94Takes the following argument struct: 95.Bd -literal -offset indent 96struct ngm_macfilter_direct_hookid { 97 u_char ether[ETHER_ADDR_LEN]; /* MAC address */ 98 u_int16_t hookid; /* Upper hook hookid */ 99}; 100.Ed 101The given ethernet MAC address will be forwarded out the hook at id 102.Dv hookid . 103.It Dv NGM_MACFILTER_GET_MACS Pq Ic getmacs 104Returns the list of MAC addresses in the node in the following structure: 105.Bd -literal -offset indent 106struct ngm_macfilter_mac { 107 u_char ether[ETHER_ADDR_LEN]; /* MAC address */ 108 u_int16_t hookid; /* Upper hook hookid */ 109 u_int64_t packets_in; /* packets in from downstream */ 110 u_int64_t bytes_in; /* bytes in from upstream */ 111 u_int64_t packets_out; /* packets out towards downstream */ 112 u_int64_t bytes_out; /* bytes out towards downstream */ 113}; 114struct ngm_macfilter_macs { 115 u_int32_t n; /* Number of entries in macs */ 116 struct ngm_macfilter_mac macs[]; /* Macs table */ 117}; 118.Ed 119.It Dv NGM_MACFILTER_GETCLR_MACS Pq Ic getclrmacs 120Same as above, but will also atomically clear the 121.Dv packets_in , 122.Dv bytes_in , 123.Dv packets_out , and 124.Dv bytes_out 125fields in the table. 126.It Dv NGM_MACFILTER_CLR_STATS Pq Ic clrmacs 127Will clear the per MAC address packet and byte counters. 128.It Dv NGM_MACFILTER_GET_HOOKS Pq Ic gethooks 129Will return a list of hooks and their hookids in an array of the following struct's: 130.Bd -literal -offset indent 131struct ngm_macfilter_hook { 132 u_char hookname[NG_HOOKSIZ]; /* Upper hook name*/ 133 u_int16_t hookid; /* Upper hook hookid */ 134 u_int32_t maccnt; /* Number of mac addresses associated with hook */ 135}; 136.Ed 137.El 138.Sh SHUTDOWN 139This node shuts down upon receipt of a 140.Dv NGM_SHUTDOWN 141control message or when all have been disconnected. 142.Sh EXAMPLES 143The following netgraph configuration will apply 144.Xr ipfw 8 145tag 42 to each packet that is routed over the 146.Dq accepted 147hook. 148The graph looks like the following: 149.Bd -literal -offset indent 150 /------<one>-[combiner]-<many1>--------\\ 151<upper> | <out> 152 / <many0> \\ 153[em0] | [tagger] 154 \\ <default> / 155<lower> | <in> 156 \\----<ether>-[macfilter]-<accepted>-----/ 157.Ed 158.Pp 159Commands: 160.Bd -literal -offset indent 161 ngctl mkpeer em0: macfilter lower ether 162 ngctl name em0:lower macfilter 163 164 # Funnel both streams back into ether:upper 165 ngctl mkpeer em0: one2many upper one 166 ngctl name em0:upper recombiner 167 # Connect macfilter:default to recombiner:many0 168 ngctl connect macfilter: recombiner: default many0 169 # Connect macfilter:accepted to tagger:in 170 ngctl mkpeer macfilter: tag accepted in 171 ngctl name macfilter:accepted tagger 172 # Connect tagger:out to recombiner:many1 173 ngctl connect tagger: recombiner: out many1 174 175 # Mark tag all traffic through tagger in -> out with an ipfw tag 42 176 ngctl msg tagger: sethookin '{ thisHook="in" ifNotMatch="out" }' 177 ngctl msg tagger: sethookout '{ thisHook="out" tag_cookie=1148380143 tag_id=42 }' 178 179 # Pass traffic from ether:upper / combiner:one via combiner:many0 on to 180 # macfilter:default and on to ether:lower. 181 ngctl msg recombiner: setconfig '{ xmitAlg=3 failAlg=1 enabledLinks=[ 1 1 ] }' 182.Ed 183.Pp 184.Em Note : 185The tag_cookie 1148380143 was retrieved from 186.Dv MTAG_IPFW 187in 188.Pa /usr/include/netinet/ip_var.h . 189.Pp 190The following command can be used to add a MAC address to be output via 191.Dv macfilter:accepted : 192.Bd -literal -offset indent 193 ngctl msg macfilter: direct '{ hookname="known" ether=08:00:27:92:eb:aa }' 194.Ed 195.Pp 196The following command can be used to retrieve the packet and byte counters : 197.Bd -literal -offset indent 198 ngctl msg macfilter: getmacs 199.Ed 200.Pp 201It will return the contents of the MAC table: 202.Bd -literal -offset indent 203 Rec'd response "getmacs" (4) from "[54]:": 204 Args: { n=1 macs=[ { ether=08:00:27:92:eb:aa hookid=1 packets_in=3571 bytes_in=592631 packets_out=3437 bytes_out=777142 } ] } 205.Ed 206.Sh SEE ALSO 207.Xr divert 4 , 208.Xr ipfw 4 , 209.Xr netgraph 4 , 210.Xr ng_ether 4 , 211.Xr ng_one2many 4 , 212.Xr ng_tag 4 , 213.Xr ngctl 8 214.Sh AUTHORS 215.An -nosplit 216The original version of this code was written by Pekka Nikander, and 217subsequently modified heavily by 218.An Nick Hibma Aq Mt n_hibma@FreeBSD.org . 219.Sh BUGS 220None known. 221