ng_ipfw — interface between netgraph and IP firewall

       The ipfw node was written by Gleb Smirnoff <glebius@FreeBSD.org>.

Debian                                            March 2, 2010                                       NG_IPFW(4)

       This node type supports only the generic control messages.

       The ipfw node implements interface between ipfw(4) and netgraph(4) subsystems.

       The ipfw node type was implemented in FreeBSD 6.0.

       The ipfw node supports an arbitrary number of hooks, which must be named using only numeric characters.

       ng_ipfw — interface between netgraph and IP firewall

       Once the ng_ipfw module is loaded into the kernel, a single node named ipfw is automatically created.  No
       more  ipfw  nodes  can  be  created.   Once destroyed, the only way to recreate the node is to reload the
       ng_ipfw module.

       Packets can be injected into netgraph(4) using either the netgraph  or  ngtee  commands  of  the  ipfw(8)
       utility.  These commands require a numeric cookie to be supplied as an argument.  Packets are sent out of
       the  hook  whose  name  equals  the  cookie  value.   If no hook matches, packets are discarded.  Packets
       injected via the netgraph command are tagged with structipfw_rule_ref.  This  tag  contains  information
       that  helps  the  packet  to re-enter ipfw(4) processing, should the packet come back from netgraph(4) to
       ipfw(4).

       Packets received by a node from netgraph(4) subsystem must  be  tagged  with  structipfw_rule_ref  tag.
       Packets re-enter IP firewall processing at the next rule.  If no tag is supplied, packets are discarded.

ipfw(4), netgraph(4), ipfw(8), mbuf_tags(9)

       This  node shuts down upon receipt of a NGM_SHUTDOWN control message.  Do not do this, since the new ipfw
       node can only be created by reloading the ng_ipfw module.

#include<netinet/ip_var.h>#include<netgraph/ng_ipfw.h>