Once the
ng_ipfw
module is loaded into the kernel, a single node named
ipfw
is automatically created.
No more
ipfw
nodes can be created.
Once destroyed, the only way to recreate the node is to reload the
ng_ipfw
module.
Packets can be injected into
netgraph(4)
using either the
netgraph
or
ngtee
commands of the
ipfw(8)
utility.
These commands require a numeric cookie to be supplied as an argument.
Packets are sent out of the hook whose name equals the cookie value.
If no hook matches, packets are discarded.
Packets injected via the
netgraph
command are tagged with
struct ipfw_rule_ref.
This tag contains information that helps the packet to re-enter
ipfw(4)
processing, should the packet come back from
netgraph(4)
to
ipfw(4).
Packets received by a node from
netgraph(4)
subsystem must be tagged with
struct ipfw_rule_ref
tag.
Packets re-enter IP firewall processing at the next rule.
If no tag is supplied, packets are discarded.
