Provided by: freebsd-manpages_12.2-1_all 
NAME
ng_patch — trivial mbuf data modifying netgraph node type
SYNOPSIS
#include <netgraph/ng_patch.h>
DESCRIPTION
The patch node performs data modification of packets passing through it. Modifications are restricted to
a subset of C language operations on unsigned integers of 8, 16, 32 or 64 bit size. These are: set to
new value (=), addition (+=), subtraction (-=), multiplication (*=), division (/=), negation (= -),
bitwise AND (&=), bitwise OR (|=), bitwise eXclusive OR (^=), shift left (<<=), shift right (>>=). A
negation operation is the one exception: integer is treated as signed and second operand (the value) is
not used. If there is more than one modification operation, they are applied to packets sequentially in
the order they were specified by the user. The data payload of a packet is viewed as an array of bytes,
with a zero offset corresponding to the very first byte of packet headers, and the length bytes beginning
from offset as a single integer in network byte order. An additional offset can be optionally requested
at configuration time to account for packet type.
HOOKS
This node type has two hooks:
in Packets received on this hook are modified according to rules specified in the configuration and
then forwarded to the out hook, if it exists. Otherwise they are reflected back to the in hook.
out Packets received on this hook are forwarded to the in hook without any changes.
CONTROL MESSAGES
This node type supports the generic control messages, plus the following:
NGM_PATCH_SETDLT (setdlt)
Sets the data link type on the in hook (to help calculate relative offset). Currently, supported
types are DLT_RAW (raw IP datagrams , no offset applied, the default) and DLT_EN10MB (Ethernet).
DLT_ definitions can be found in <net/bpf.h>. If you want to work on the link layer header you must
use no additional offset by specifying DLT_RAW. If EN10MB is specified, then the optional
additional offset will take into account the Ethernet header and a QinQ header if present.
NGM_PATCH_GETDLT (getdlt)
This control message returns the data link type of the in hook.
NGM_PATCH_SETCONFIG (setconfig)
This command sets the sequence of modify operations that will be applied to incoming data on a hook.
The following struct ng_patch_config must be supplied as an argument:
struct ng_patch_op {
uint32_t offset;
uint16_t length; /* 1,2,4 or 8 bytes */
uint16_t mode;
uint64_t value;
};
/* Patching modes */
#define NG_PATCH_MODE_SET 1
#define NG_PATCH_MODE_ADD 2
#define NG_PATCH_MODE_SUB 3
#define NG_PATCH_MODE_MUL 4
#define NG_PATCH_MODE_DIV 5
#define NG_PATCH_MODE_NEG 6
#define NG_PATCH_MODE_AND 7
#define NG_PATCH_MODE_OR 8
#define NG_PATCH_MODE_XOR 9
#define NG_PATCH_MODE_SHL 10
#define NG_PATCH_MODE_SHR 11
struct ng_patch_config {
uint32_t count;
uint32_t csum_flags;
uint32_t relative_offset;
struct ng_patch_op ops[];
};
The csum_flags can be set to any combination of CSUM_IP, CSUM_TCP, CSUM_SCTP and CSUM_UDP (other
values are ignored) for instructing the IP stack to recalculate the corresponding checksum before
transmitting packet on output interface. The ng_patch node does not do any checksum correction by
itself.
NGM_PATCH_GETCONFIG (getconfig)
This control message returns the current set of modify operations, in the form of a struct
ng_patch_config.
NGM_PATCH_GET_STATS (getstats)
Returns the node's statistics as a struct ng_patch_stats.
NGM_PATCH_CLR_STATS (clrstats)
Clears the node's statistics.
NGM_PATCH_GETCLR_STATS (getclrstats)
This command is identical to NGM_PATCH_GET_STATS, except that the statistics are also atomically
cleared.
SHUTDOWN
This node shuts down upon receipt of a NGM_SHUTDOWN control message, or when all hooks have been
disconnected.
EXAMPLES
This ng_patch node was designed to modify TTL and TOS/DSCP fields in IP packets. As an example, suppose
you have two adjacent simplex links to a remote network (e.g. satellite), so that the packets expiring in
between will generate unwanted ICMP-replies which have to go forth, not back. Thus you need to raise TTL
of every packet entering link by 2 to ensure the TTL will not reach zero there. To achieve this you can
set an ipfw(8) rule to use the netgraph action to inject packets which are going to the simplex link into
the patch node, by using the following ngctl(8) script:
/usr/sbin/ngctl -f- <<-SEQ
mkpeer ipfw: patch 200 in
name ipfw:200 ttl_add
msg ttl_add: setconfig { count=1 csum_flags=1 ops=[ \
{ mode=2 value=3 length=1 offset=8 } ] }
SEQ
/sbin/ipfw add 150 netgraph 200 ip from any to simplex.remote.net
Here the “ttl_add” node of type ng_patch is configured to add (mode NG_PATCH_MODE_ADD) a value of 3 to a
one-byte TTL field, which is 9th byte of IP packet header.
Another example would be two consecutive modifications of packet TOS field: say, you need to clear the
IPTOS_THROUGHPUT bit and set the IPTOS_MINCOST bit. So you do:
/usr/sbin/ngctl -f- <<-SEQ
mkpeer ipfw: patch 300 in
name ipfw:300 tos_chg
msg tos_chg: setconfig { count=2 csum_flags=1 ops=[ \
{ mode=7 value=0xf7 length=1 offset=1 } \
{ mode=8 value=0x02 length=1 offset=1 } ] }
SEQ
/sbin/ipfw add 160 netgraph 300 ip from any to any not dst-port 80
This first does NG_PATCH_MODE_AND clearing the fourth bit and then NG_PATCH_MODE_OR setting the third
bit.
In both examples the csum_flags field indicates that IP checksum (but not TCP or UDP checksum) should be
recalculated before transmit.
Note: one should ensure that packets are returned to ipfw after processing inside netgraph(4), by setting
appropriate sysctl(8) variable:
sysctl net.inet.ip.fw.one_pass=0
SEE ALSO
netgraph(4), ng_ipfw(4), ngctl(8)
HISTORY
The ng_patch node type was implemented in FreeBSD 8.1.
AUTHORS
Maxim Ignatenko <gelraen.ua@gmail.com>.
Relative offset code by
DMitry Vagin
This manual page was written by
Vadim Goncharov <vadimnuclight@tpu.ru>.
BUGS
The node blindly tries to apply every patching operation to each packet (except those which offset if
greater than length of the packet), so be sure that you supply only the right packets to it (e.g.
changing bytes in the ARP packets meant to be in IP header could corrupt them and make your machine
unreachable from the network).
!!! WARNING !!!
The output path of the IP stack assumes correct fields and lengths in the packets - changing them by to
incorrect values can cause unpredictable results including kernel panics.
Debian November 17, 2015 NG_PATCH(4)