FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fil.h
1 /*
2 * Copyright (C) 1993-1997 by Darren Reed.
3 *
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
7 *
8 * @(#)ip_fil.h 1.35 6/5/96
9 * $FreeBSD$
10 */
11
12 #ifndef __IP_FIL_H__
13 #define __IP_FIL_H__
14
15 /*
16 * Pathnames for various IP Filter control devices. Used by LKM
17 * and userland, so defined here.
18 */
19 #define IPNAT_NAME "/dev/ipnat"
20 #define IPSTATE_NAME "/dev/ipstate"
21 #define IPAUTH_NAME "/dev/ipauth"
22
23 #ifndef SOLARIS
24 #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
25 #endif
26
27 #if defined(KERNEL) && !defined(_KERNEL)
28 #define _KERNEL
29 #endif
30
31 #ifndef __P
32 # ifdef __STDC__
33 # define __P(x) x
34 # else
35 # define __P(x) ()
36 # endif
37 #endif
38
39 #if defined(__STDC__) || defined(__GNUC__)
40 #define SIOCADAFR _IOW('r', 60, struct frentry)
41 #define SIOCRMAFR _IOW('r', 61, struct frentry)
42 #define SIOCSETFF _IOW('r', 62, u_int)
43 #define SIOCGETFF _IOR('r', 63, u_int)
44 #define SIOCGETFS _IOR('r', 64, struct friostat)
45 #define SIOCIPFFL _IOWR('r', 65, int)
46 #define SIOCIPFFB _IOR('r', 66, int)
47 #define SIOCADIFR _IOW('r', 67, struct frentry)
48 #define SIOCRMIFR _IOW('r', 68, struct frentry)
49 #define SIOCSWAPA _IOR('r', 69, u_int)
50 #define SIOCINAFR _IOW('r', 70, struct frentry)
51 #define SIOCINIFR _IOW('r', 71, struct frentry)
52 #define SIOCFRENB _IOW('r', 72, u_int)
53 #define SIOCFRSYN _IOW('r', 73, u_int)
54 #define SIOCFRZST _IOWR('r', 74, struct friostat)
55 #define SIOCZRLST _IOWR('r', 75, struct frentry)
56 #define SIOCAUTHW _IOWR('r', 76, struct fr_info)
57 #define SIOCAUTHR _IOWR('r', 77, struct fr_info)
58 #define SIOCATHST _IOWR('r', 78, struct fr_authstat)
59 #else
60 #define SIOCADAFR _IOW(r, 60, struct frentry)
61 #define SIOCRMAFR _IOW(r, 61, struct frentry)
62 #define SIOCSETFF _IOW(r, 62, u_int)
63 #define SIOCGETFF _IOR(r, 63, u_int)
64 #define SIOCGETFS _IOR(r, 64, struct friostat)
65 #define SIOCIPFFL _IOWR(r, 65, int)
66 #define SIOCIPFFB _IOR(r, 66, int)
67 #define SIOCADIFR _IOW(r, 67, struct frentry)
68 #define SIOCRMIFR _IOW(r, 68, struct frentry)
69 #define SIOCSWAPA _IOR(r, 69, u_int)
70 #define SIOCINAFR _IOW(r, 70, struct frentry)
71 #define SIOCINIFR _IOW(r, 71, struct frentry)
72 #define SIOCFRENB _IOW(r, 72, u_int)
73 #define SIOCFRSYN _IOW(r, 73, u_int)
74 #define SIOCFRZST _IOWR(r, 74, struct friostat)
75 #define SIOCZRLST _IOWR(r, 75, struct frentry)
76 #define SIOCAUTHW _IOWR(r, 76, struct fr_info)
77 #define SIOCAUTHR _IOWR(r, 77, struct fr_info)
78 #define SIOCATHST _IOWR(r, 78, struct fr_authstat)
79 #endif
80 #define SIOCADDFR SIOCADAFR
81 #define SIOCDELFR SIOCRMAFR
82 #define SIOCINSFR SIOCINAFR
83
84 typedef struct fr_ip {
85 u_int fi_v:4; /* IP version */
86 u_int fi_fl:4; /* packet flags */
87 u_char fi_tos;
88 u_char fi_ttl;
89 u_char fi_p;
90 struct in_addr fi_src;
91 struct in_addr fi_dst;
92 u_32_t fi_optmsk; /* bitmask composed from IP options */
93 u_short fi_secmsk; /* bitmask composed from IP security options */
94 u_short fi_auth;
95 } fr_ip_t;
96
97 #define FI_OPTIONS (FF_OPTIONS >> 24)
98 #define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
99 #define FI_FRAG (FF_FRAG >> 24)
100 #define FI_SHORT (FF_SHORT >> 24)
101
102 typedef struct fr_info {
103 struct fr_ip fin_fi;
104 u_short fin_data[2];
105 u_short fin_out;
106 u_short fin_hlen;
107 u_char fin_tcpf;
108 u_char fin_icode; /* From here on is packet specific */
109 u_short fin_rule;
110 u_short fin_group;
111 u_short fin_dlen;
112 u_short fin_id;
113 void *fin_ifp;
114 struct frentry *fin_fr;
115 char *fin_dp; /* start of data past IP header */
116 void *fin_mp;
117 } fr_info_t;
118
119 /*
120 * Size for compares on fr_info structures
121 */
122 #define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \
123 sizeof(u_char))
124 /*
125 * Size for copying cache fr_info structure
126 */
127 #define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void *) * 2)
128
129 typedef struct frdest {
130 void *fd_ifp;
131 struct in_addr fd_ip;
132 char fd_ifname[IFNAMSIZ];
133 } frdest_t;
134
135 typedef struct frentry {
136 struct frentry *fr_next;
137 u_short fr_group; /* group to which this rule belongs */
138 u_short fr_grhead; /* group # which this rule starts */
139 struct frentry *fr_grp;
140 int fr_ref; /* reference count - for grouping */
141 void *fr_ifa;
142 /*
143 * These are only incremented when a packet matches this rule and
144 * it is the last match
145 */
146 U_QUAD_T fr_hits;
147 U_QUAD_T fr_bytes;
148 /*
149 * Fields after this may not change whilst in the kernel.
150 */
151 struct fr_ip fr_ip;
152 struct fr_ip fr_mip; /* mask structure */
153
154 u_char fr_tcpfm; /* tcp flags mask */
155 u_char fr_tcpf; /* tcp flags */
156
157 u_short fr_icmpm; /* data for ICMP packets (mask) */
158 u_short fr_icmp;
159
160 u_char fr_scmp; /* data for port comparisons */
161 u_char fr_dcmp;
162 u_short fr_dport;
163 u_short fr_sport;
164 u_short fr_stop; /* top port for <> and >< */
165 u_short fr_dtop; /* top port for <> and >< */
166 u_32_t fr_flags; /* per-rule flags && options (see below) */
167 int fr_skip; /* # of rules to skip */
168 int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */
169 char fr_icode; /* return ICMP code */
170 char fr_ifname[IFNAMSIZ];
171 struct frdest fr_tif; /* "to" interface */
172 struct frdest fr_dif; /* duplicate packet interfaces */
173 } frentry_t;
174
175 #define fr_proto fr_ip.fi_p
176 #define fr_ttl fr_ip.fi_ttl
177 #define fr_tos fr_ip.fi_tos
178 #define fr_dst fr_ip.fi_dst
179 #define fr_src fr_ip.fi_src
180 #define fr_dmsk fr_mip.fi_dst
181 #define fr_smsk fr_mip.fi_src
182
183 #ifndef offsetof
184 #define offsetof(t,m) (int)((&((t *)0L)->m))
185 #endif
186 #define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
187
188 /*
189 * fr_flags
190 */
191 #define FR_BLOCK 0x00001 /* do not allow packet to pass */
192 #define FR_PASS 0x00002 /* allow packet to pass */
193 #define FR_OUTQUE 0x00004 /* outgoing packets */
194 #define FR_INQUE 0x00008 /* ingoing packets */
195 #define FR_LOG 0x00010 /* Log */
196 #define FR_LOGB 0x00011 /* Log-fail */
197 #define FR_LOGP 0x00012 /* Log-pass */
198 #define FR_LOGBODY 0x00020 /* Log the body */
199 #define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
200 #define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
201 #define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
202 #define FR_NOMATCH 0x00200 /* no match occured */
203 #define FR_ACCOUNT 0x00400 /* count packet bytes */
204 #define FR_KEEPFRAG 0x00800 /* keep fragment information */
205 #define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
206 #define FR_INACTIVE 0x02000
207 #define FR_QUICK 0x04000 /* match & stop processing list */
208 #define FR_FASTROUTE 0x08000 /* bypass normal routing */
209 #define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
210 #define FR_DUP 0x20000 /* duplicate packet */
211 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
212 #define FR_NOTSRCIP 0x80000 /* not the src IP# */
213 #define FR_NOTDSTIP 0x100000 /* not the dst IP# */
214 #define FR_AUTH 0x200000 /* use authentication */
215 #define FR_PREAUTH 0x400000 /* require preauthentication */
216
217 #define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
218
219 /*
220 * These correspond to #define's for FI_* and are stored in fr_flags
221 */
222 #define FF_OPTIONS 0x01000000
223 #define FF_TCPUDP 0x02000000
224 #define FF_FRAG 0x04000000
225 #define FF_SHORT 0x08000000
226 /*
227 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
228 */
229 #define FF_LOGPASS 0x10000000
230 #define FF_LOGBLOCK 0x20000000
231 #define FF_LOGNOMATCH 0x40000000
232 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
233 #define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
234
235 #define FR_NONE 0
236 #define FR_EQUAL 1
237 #define FR_NEQUAL 2
238 #define FR_LESST 3
239 #define FR_GREATERT 4
240 #define FR_LESSTE 5
241 #define FR_GREATERTE 6
242 #define FR_OUTRANGE 7
243 #define FR_INRANGE 8
244
245 typedef struct filterstats {
246 u_long fr_pass; /* packets allowed */
247 u_long fr_block; /* packets denied */
248 u_long fr_nom; /* packets which don't match any rule */
249 u_long fr_ppkl; /* packets allowed and logged */
250 u_long fr_bpkl; /* packets denied and logged */
251 u_long fr_npkl; /* packets unmatched and logged */
252 u_long fr_pkl; /* packets logged */
253 u_long fr_skip; /* packets to be logged but buffer full */
254 u_long fr_ret; /* packets for which a return is sent */
255 u_long fr_acct; /* packets for which counting was performed */
256 u_long fr_bnfr; /* bad attempts to allocate fragment state */
257 u_long fr_nfr; /* new fragment state kept */
258 u_long fr_cfr; /* add new fragment state but complete pkt */
259 u_long fr_bads; /* bad attempts to allocate packet state */
260 u_long fr_ads; /* new packet state kept */
261 u_long fr_chit; /* cached hit */
262 u_long fr_tcpbad; /* TCP checksum check failures */
263 u_long fr_pull[2]; /* good and bad pullup attempts */
264 #if SOLARIS
265 u_long fr_bad; /* bad IP packets to the filter */
266 u_long fr_notip; /* packets passed through no on ip queue */
267 u_long fr_drop; /* packets dropped - no info for them! */
268 #endif
269 } filterstats_t;
270
271 /*
272 * For SIOCGETFS
273 */
274 typedef struct friostat {
275 struct filterstats f_st[2];
276 struct frentry *f_fin[2];
277 struct frentry *f_fout[2];
278 struct frentry *f_acctin[2];
279 struct frentry *f_acctout[2];
280 struct frentry *f_auth;
281 u_long f_froute[2];
282 int f_active;
283 } friostat_t;
284
285 typedef struct optlist {
286 u_short ol_val;
287 int ol_bit;
288 } optlist_t;
289
290
291 /*
292 * Group list structure.
293 */
294 typedef struct frgroup {
295 u_short fg_num;
296 struct frgroup *fg_next;
297 struct frentry *fg_head;
298 struct frentry **fg_start;
299 } frgroup_t;
300
301
302 /*
303 * Log structure. Each packet header logged is prepended by one of these.
304 * Following this in the log records read from the device will be an ipflog
305 * structure which is then followed by any packet data.
306 */
307 typedef struct iplog {
308 u_long ipl_magic;
309 u_long ipl_sec;
310 u_long ipl_usec;
311 u_int ipl_len;
312 u_int ipl_count;
313 size_t ipl_dsize;
314 struct iplog *ipl_next;
315 } iplog_t;
316
317 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
318
319 typedef struct ipflog {
320 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
321 (defined(OpenBSD) && (OpenBSD >= 199603))
322 u_char fl_ifname[IFNAMSIZ];
323 #else
324 u_int fl_unit;
325 u_char fl_ifname[4];
326 #endif
327 u_char fl_plen; /* extra data after hlen */
328 u_char fl_hlen; /* length of IP headers saved */
329 u_short fl_rule; /* assume never more than 64k rules, total */
330 u_short fl_group;
331 u_32_t fl_flags;
332 } ipflog_t;
333
334
335 #ifndef ICMP_UNREACH_FILTER
336 #define ICMP_UNREACH_FILTER 13
337 #endif
338
339 #ifndef IPF_LOGGING
340 #define IPF_LOGGING 0
341 #endif
342 #ifndef IPF_DEFAULT_PASS
343 #define IPF_DEFAULT_PASS FR_PASS
344 #endif
345
346 #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
347 #define IPLLOGSIZE 8192
348
349 /*
350 * Device filenames for reading log information. Use ipf on Solaris2 because
351 * ipl is already a name used by something else.
352 */
353 #ifndef IPL_NAME
354 # if SOLARIS
355 # define IPL_NAME "/dev/ipf"
356 # else
357 # define IPL_NAME "/dev/ipl"
358 # endif
359 #endif
360 #define IPL_NAT IPNAT_NAME
361 #define IPL_STATE IPSTATE_NAME
362 #define IPL_AUTH IPAUTH_NAME
363
364 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
365 #define IPL_LOGNAT 1
366 #define IPL_LOGSTATE 2
367 #define IPL_LOGAUTH 3
368 #define IPL_LOGMAX 3
369
370 #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
371 (__FreeBSD_version >= 220000)
372 # define CDEV_MAJOR 79
373 #endif
374
375 #ifndef _KERNEL
376 struct ifnet;
377 extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
378 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
379 extern int send_reset __P((ip_t *, struct ifnet *));
380 extern int icmp_error __P((ip_t *, struct ifnet *));
381 extern int ipf_log __P((void));
382 extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
383 extern struct ifnet *get_unit __P((char *));
384 # define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
385 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
386 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300003)
387 extern int iplioctl __P((dev_t, u_long, caddr_t, int));
388 # else
389 extern int iplioctl __P((dev_t, int, caddr_t, int));
390 # endif
391 extern int iplopen __P((dev_t, int));
392 extern int iplclose __P((dev_t, int));
393 #else /* #ifndef _KERNEL */
394 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
395 extern int ipfilterattach __P((int));
396 # endif
397 extern int iplattach __P((void));
398 extern int ipl_enable __P((void));
399 extern int ipl_disable __P((void));
400 extern void ipflog_init __P((void));
401 extern int ipflog_clear __P((int));
402 extern int ipflog_read __P((int, struct uio *));
403 extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
404 extern int ipllog __P((int, u_long, void **, size_t *, int *, int));
405 # if SOLARIS
406 extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
407 extern int (*fr_checkp) __P((ip_t *, int, void *,
408 int, qif_t *, mb_t **));
409 extern int icmp_error __P((ip_t *, int, int, qif_t *,
410 struct in_addr));
411 extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *));
412 extern int iplopen __P((dev_t *, int, int, cred_t *));
413 extern int iplclose __P((dev_t, int, int, cred_t *));
414 extern int ipfsync __P((void));
415 extern int send_reset __P((ip_t *, qif_t *));
416 extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
417 fr_info_t *, frdest_t *));
418 extern void copyin_mblk __P((mblk_t *, int, int, char *));
419 extern void copyout_mblk __P((mblk_t *, int, int, char *));
420 extern int fr_qin __P((queue_t *, mblk_t *));
421 extern int fr_qout __P((queue_t *, mblk_t *));
422 # ifdef IPFILTER_LOG
423 extern int iplread __P((dev_t, struct uio *, cred_t *));
424 # endif
425 # else /* SOLARIS */
426 extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
427 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
428 # ifdef linux
429 extern int send_reset __P((tcpiphdr_t *, struct ifnet *));
430 # else
431 extern int send_reset __P((tcpiphdr_t *));
432 # endif
433 extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
434 extern size_t mbufchainlen __P((mb_t *));
435 # ifdef __sgi
436 # include <sys/cred.h>
437 extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
438 extern int iplopen __P((dev_t *, int, int, cred_t *));
439 extern int iplclose __P((dev_t, int, int, cred_t *));
440 extern int iplread __P((dev_t, struct uio *, cred_t *));
441 extern int ipfsync __P((void));
442 extern int ipfilter_sgi_attach __P((void));
443 extern void ipfilter_sgi_detach __P((void));
444 extern void ipfilter_sgi_intfsync __P((void));
445 # else
446 # ifdef IPFILTER_LKM
447 extern int iplidentify __P((char *));
448 # endif
449 # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
450 (NetBSD >= 199511)
451 # if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
452 (__FreeBSD_version >= 300003)
453 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
454 # else
455 extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
456 # endif
457 extern int iplopen __P((dev_t, int, int, struct proc *));
458 extern int iplclose __P((dev_t, int, int, struct proc *));
459 # else
460 # if defined(__OpenBSD__)
461 extern int iplioctl __P((dev_t, u_long, caddr_t, int));
462 # else /* __OpenBSD__ */
463 # ifndef linux
464 extern int iplioctl __P((dev_t, int, caddr_t, int));
465 # else
466 extern int iplioctl(struct inode *, struct file *, u_int, u_long);
467 # endif
468 # endif /* __OpenBSD__ */
469 # ifndef linux
470 extern int iplopen __P((dev_t, int));
471 extern int iplclose __P((dev_t, int));
472 # else
473 extern int iplopen __P((struct inode *, struct file *));
474 extern void iplclose __P((struct inode *, struct file *));
475 # endif /* !linux */
476 # endif /* (_BSDI_VERSION >= 199510) */
477 # if BSD >= 199306
478 extern int iplread __P((dev_t, struct uio *, int));
479 # else
480 # ifndef linux
481 extern int iplread __P((dev_t, struct uio *));
482 # else
483 extern int iplread(struct inode *, struct file *, char *, int);
484 # endif /* !linux */
485 # endif /* BSD >= 199306 */
486 # endif /* __ sgi */
487 # endif /* SOLARIS */
488 #endif /* #ifndef _KERNEL */
489
490 /*
491 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
492 * on those hooks. We don't need any special mods in non-IP Filter code
493 * with this!
494 */
495 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
496 (defined(NetBSD1_2) && NetBSD1_2 > 1)
497 # define NETBSD_PF
498 #endif
499
500 extern int ipldetach __P((void));
501 extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int));
502 #define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
503 extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
504 extern u_short ipf_cksum __P((u_short *, int));
505 extern int fr_copytolog __P((int, char *, int));
506 extern void frflush __P((int, int *));
507 extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
508 extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
509 extern void fr_delgroup __P((u_short, u_32_t, int, int));
510 extern int ipl_unreach;
511 extern int ipl_inited;
512 extern u_long ipl_frouteok[2];
513 extern int fr_pass;
514 extern int fr_flags;
515 extern int fr_active;
516 extern fr_info_t frcache[2];
517 #ifdef IPFILTER_LOG
518 extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
519 extern int iplused[IPL_LOGMAX + 1];
520 #endif
521 extern struct frentry *ipfilter[2][2], *ipacct[2][2];
522 extern struct frgroup *ipfgroups[3][2];
523 extern struct filterstats frstats[];
524
525 #endif /* __IP_FIL_H__ */
Cache object: c02e187c672c9f7f35affa53c6bfe32f
|