1 /* $NetBSD: ip_fil.h,v 1.54.2.2 2004/08/13 03:55:14 jmc Exp $ */
2
3 /*
4 * Copyright (C) 1993-2001, 2003 by Darren Reed.
5 *
6 * See the IPFILTER.LICENCE file for details on licencing.
7 *
8 * @(#)ip_fil.h 1.35 6/5/96
9 * Id: ip_fil.h,v 2.170.2.5 2004/06/08 13:14:17 darrenr Exp
10 */
11
12 #ifndef _NETINET_IP_FIL_H_
13 #define _NETINET_IP_FIL_H_
14
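/*
 * SOLARIS is 1 when building for Solaris/SunOS 5 (sun + SVR4) and 0
 * otherwise.  It is tested with "#if SOLARIS" further down, so it must
 * always expand to a plain integer.  The platform test is done here with
 * #if rather than by expanding "defined(...)" inside the macro body: a
 * `defined` token produced by macro replacement is undefined behaviour in
 * C (C11 6.10.1p4) and GCC flags it with -Wexpansion-to-defined.
 */
#ifndef SOLARIS
# if defined(sun) && (defined(__svr4__) || defined(__SVR4))
#  define SOLARIS 1
# else
#  define SOLARIS 0
# endif
#endif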
18
/*
 * __P(x): prototype wrapper for pre-ANSI compilers.  With an ANSI
 * preprocessor the parameter list is kept as written; otherwise it
 * collapses to "()", i.e. an unprototyped declaration.
 */
#ifndef __P
# ifdef __STDC__
#  define __P(x) x
# else
#  define __P(x) ()
# endif
#endif
26
/*
 * ioctl request codes for the IPFilter control devices.  All are in the
 * 'r' group, numbers 60-90.  _IOW copies the argument into the kernel,
 * _IOR copies it out and _IOWR does both.  Most take a struct ipfobj that
 * describes the real object in user space (see ipfobj_t below); the
 * size/revision fields of that object are what the kernel has to validate.
 * The #else branch is the same table spelt for a preprocessor that has no
 * character constants.
 * NOTE(review): the AFR/IFR suffixes presumably select the active/inactive
 * rule set (cf. SIOCSWAPA) - confirm in the ioctl handler.
 */
#if defined(__STDC__) || defined(__GNUC__)
# define SIOCADAFR _IOW('r', 60, struct ipfobj)
# define SIOCRMAFR _IOW('r', 61, struct ipfobj)
# define SIOCSETFF _IOW('r', 62, u_int)
# define SIOCGETFF _IOR('r', 63, u_int)
# define SIOCGETFS _IOWR('r', 64, struct ipfobj)
# define SIOCIPFFL _IOWR('r', 65, int)
# define SIOCIPFFB _IOR('r', 66, int)
# define SIOCADIFR _IOW('r', 67, struct ipfobj)
# define SIOCRMIFR _IOW('r', 68, struct ipfobj)
# define SIOCSWAPA _IOR('r', 69, u_int)
# define SIOCINAFR _IOW('r', 70, struct ipfobj)
# define SIOCINIFR _IOW('r', 71, struct ipfobj)
# define SIOCFRENB _IOW('r', 72, u_int)
# define SIOCFRSYN _IOW('r', 73, u_int)
# define SIOCFRZST _IOWR('r', 74, struct ipfobj)
# define SIOCZRLST _IOWR('r', 75, struct ipfobj)
# define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
# define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
# define SIOCATHST _IOWR('r', 78, struct ipfobj)
# define SIOCSTLCK _IOWR('r', 79, u_int)
# define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
# define SIOCSTGET _IOWR('r', 81, struct ipfobj)
# define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
# define SIOCSETLG _IOWR('r', 84, int)
# define SIOCGETLG _IOWR('r', 85, int)
# define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
# define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
# define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
# define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
# define SIOCIPFL6 _IOWR('r', 90, int)
#else
# define SIOCADAFR _IOW(r, 60, struct ipfobj)
# define SIOCRMAFR _IOW(r, 61, struct ipfobj)
# define SIOCSETFF _IOW(r, 62, u_int)
# define SIOCGETFF _IOR(r, 63, u_int)
# define SIOCGETFS _IOWR(r, 64, struct ipfobj)
# define SIOCIPFFL _IOWR(r, 65, int)
# define SIOCIPFFB _IOR(r, 66, int)
# define SIOCADIFR _IOW(r, 67, struct ipfobj)
# define SIOCRMIFR _IOW(r, 68, struct ipfobj)
# define SIOCSWAPA _IOR(r, 69, u_int)
# define SIOCINAFR _IOW(r, 70, struct ipfobj)
# define SIOCINIFR _IOW(r, 71, struct ipfobj)
# define SIOCFRENB _IOW(r, 72, u_int)
# define SIOCFRSYN _IOW(r, 73, u_int)
# define SIOCFRZST _IOWR(r, 74, struct ipfobj)
# define SIOCZRLST _IOWR(r, 75, struct ipfobj)
# define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
# define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
# define SIOCATHST _IOWR(r, 78, struct ipfobj)
# define SIOCSTLCK _IOWR(r, 79, u_int)
# define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
# define SIOCSTGET _IOWR(r, 81, struct ipfobj)
# define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
# define SIOCSETLG _IOWR(r, 84, int)
# define SIOCGETLG _IOWR(r, 85, int)
# define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
# define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
# define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
# define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
# define SIOCIPFL6 _IOWR(r, 90, int)
#endif
/* Alternative names for the add/delete/insert (active set) rule ioctls */
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
#define SIOCINSFR SIOCINAFR
95
96
struct ipscan;	/* opaque in this header: only referenced by pointer */
struct ifnet;	/* opaque in this header: only referenced by pointer */


/*
 * Lookup callback that can be stored in an i6addr_t (see iplookupfunc).
 * The meaning of the three arguments is not fixed by this header.
 */
typedef int (* lookupfunc_t) __P((void *, int, void *));
102
/*
 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
 * as other types of objects, depending on its qualifier.
 * i6[] is the raw view: four 32-bit words in network byte order (the HI6x
 * macros below ntohl() them).  The vptr/lptr members let the same 16 bytes
 * carry a lookup-table pointer and callback instead of an address.
 */
#ifdef USE_INET6
typedef union i6addr {
	u_32_t i6[4];		/* raw 128-bit view, network byte order */
	struct in_addr in4;	/* IPv4 address; occupies the bytes of i6[0] */
	struct in6_addr in6;	/* IPv6 address */
	void *vptr[2];		/* pointer payload (see iplookupptr) */
	lookupfunc_t lptr[2];	/* function payload (see iplookupfunc) */
} i6addr_t;
#else
typedef union i6addr {
	u_32_t i6[4];		/* raw 128-bit view, network byte order */
	struct in_addr in4;	/* IPv4 address; occupies the bytes of i6[0] */
	void *vptr[2];		/* pointer payload (see iplookupptr) */
	lookupfunc_t lptr[2];	/* function payload (see iplookupfunc) */
} i6addr_t;
#endif
#define in4_addr in4.s_addr
/* Lookup qualifier: pool/table number and type live in the first two words */
#define iplookupnum i6[0]
#define iplookuptype i6[1]
/*
 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
 * (With 8-byte pointers vptr[0] spans i6[0..1] and lptr[1] starts at i6[2].)
 */
#define iplookupptr vptr[0]
#define iplookupfunc lptr[1]
131
/*
 * Word accessors for anything that can be cast to an i6addr_t pointer:
 * I6n gives the raw (network order) word, HI6n the host-order value.
 */
#define I60(x) (((i6addr_t *)(x))->i6[0])
#define I61(x) (((i6addr_t *)(x))->i6[1])
#define I62(x) (((i6addr_t *)(x))->i6[2])
#define I63(x) (((i6addr_t *)(x))->i6[3])
#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])

/* Equality and zero tests compare raw words; byte order does not matter */
#define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
		     (I61(a) == I61(b)) && (I60(a) == I60(b)))
#define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
		      (I61(a) != I61(b)) || (I60(a) != I60(b)))
#define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
#define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
/*
 * Ordering compares host-order words with i6[0] as the most significant,
 * i.e. the order of an IPv6 address stored in network byte order.  Each
 * argument is evaluated several times, so pass a plain pointer.
 */
#define IP6_GT(a,b) (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
		     (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
		     (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
		     HI63(a) > HI63(b)))))))
#define IP6_LT(a,b) (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
		     (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
		     (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
		     HI63(a) < HI63(b)))))))
/* Add host-order x to the network-order 32-bit word n; result network order */
#define NLADD(n,x) htonl(ntohl(n) + (x))
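/*
 * IP6_INC(a): add one, in place, to the 128-bit quantity in the i6addr_t
 * at a.  i6[0] is treated as the least-significant word and a carry is
 * propagated into i6[1], i6[2] and i6[3] when a word wraps to zero.  Every
 * word is kept in network byte order, hence the ntohl/htonl round trip.
 * NOTE(review): this word order matches IP6_ADD below but is the reverse of
 * what IP6_GT/IP6_LT compare with (they take i6[0] as most significant);
 * confirm which order the callers rely on.
 */
#define IP6_INC(a) \
	{ i6addr_t *_i6 = (i6addr_t *)(a); \
	  _i6->i6[0] = htonl(ntohl(_i6->i6[0]) + 1); \
	  if (_i6->i6[0] == 0) { \
		_i6->i6[1] = htonl(ntohl(_i6->i6[1]) + 1); \
		if (_i6->i6[1] == 0) { \
			_i6->i6[2] = htonl(ntohl(_i6->i6[2]) + 1); \
			if (_i6->i6[2] == 0) { \
				_i6->i6[3] = htonl(ntohl(_i6->i6[3]) + 1); \
			} \
		} \
	  } \
	}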
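/*
 * IP6_ADD(a,x,d): store a + x into the i6addr_t at d, where a is an
 * i6addr_t holding a 128-bit quantity with i6[0] as the least-significant
 * word (see the NOTE on IP6_INC) and x is a host-order 32-bit addend.  A
 * carry out of i6[0] propagates through i6[1..3].  a and d may be the same
 * object: all four source words are read into locals before anything is
 * written, so neither the overflow test nor the carry can observe a
 * half-written destination, and every word of d is always assigned.
 */
#define IP6_ADD(a,x,d) \
	{ i6addr_t *_s = (i6addr_t *)(a); \
	  i6addr_t *_d = (i6addr_t *)(d); \
	  u_32_t _w0 = ntohl(_s->i6[0]); \
	  u_32_t _w1 = ntohl(_s->i6[1]); \
	  u_32_t _w2 = ntohl(_s->i6[2]); \
	  u_32_t _w3 = ntohl(_s->i6[3]); \
	  u_32_t _sum = _w0 + (x); \
	  if (_sum < _w0) { \
		_w1++; \
		if (_w1 == 0) { \
			_w2++; \
			if (_w2 == 0) \
				_w3++; \
		} \
	  } \
	  _d->i6[0] = htonl(_sum); \
	  _d->i6[1] = htonl(_w1); \
	  _d->i6[2] = htonl(_w2); \
	  _d->i6[3] = htonl(_w3); \
	}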
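/*
 * IP6_AND(a,b,d): word-wise AND of the two i6addr_t values at a and b,
 * stored into the i6addr_t at d (d may alias either source).  Byte order
 * is irrelevant for a bitwise AND, so the raw words are used.  The second
 * operand is b - the parameter is otherwise unused, and reading d there
 * would compute d & a instead.
 */
#define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
			 i6addr_t *_s2 = (i6addr_t *)(b); \
			 i6addr_t *_d = (i6addr_t *)(d); \
			 _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
			 _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
			 _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
			 _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
			}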
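/*
 * IP6_MERGE(a,b,c): for each of the four words, OR into the i6addr_t at a
 * those bits of b that are clear in c, i.e. a |= b & ~c.  Bits already set
 * in a are kept.  Byte order is irrelevant for the bitwise operations, so
 * the raw words are used.  Word 3 is written to i6[3]; writing it to i6[2]
 * would corrupt word 2 and leave the last word unmerged.
 */
#define IP6_MERGE(a,b,c) \
	{ i6addr_t *_d, *_s1, *_s2; \
	  _d = (i6addr_t *)(a); \
	  _s1 = (i6addr_t *)(b); \
	  _s2 = (i6addr_t *)(c); \
	  _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
	  _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
	  _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
	  _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
	}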
201
202
/*
 * Summary of the IP header fields that rules are matched against.  The
 * same layout doubles as the per-rule mask (fripf_t.fri_mip), so every
 * field must be maskable.  The first five bit-fields pack into one 32-bit
 * word (4+4+8+8+8).
 */
typedef struct fr_ip {
	u_32_t fi_v:4;		/* IP version */
	u_32_t fi_xx:4;		/* spare */
	u_32_t fi_tos:8;	/* IP packet TOS */
	u_32_t fi_ttl:8;	/* IP packet TTL */
	u_32_t fi_p:8;		/* IP packet protocol */
	u_32_t fi_optmsk;	/* bitmask composed from IP options */
	i6addr_t fi_src;	/* source address from packet */
	i6addr_t fi_dst;	/* destination address from packet */
	u_short fi_secmsk;	/* bitmask composed from IP security options */
	u_short fi_auth;	/* authentication code from IP sec. options */
	u_32_t fi_flx;		/* packet flags (FI_* below) */
	u_32_t fi_tcpmsk;	/* TCP options set/reset */
	u_32_t fi_res1;		/* RESERVED */
} fr_ip_t;
218
/*
 * For use in fi_flx.  Bits up to 0x8000 describe what the parser found in
 * the packet; the composite masks FI_CMP/FI_ICMPCMP/FI_WITH select which of
 * them take part in a comparison.
 */
#define FI_TCPUDP 0x0001 /* TCP/UDP implied comparison */
#define FI_OPTIONS 0x0002
#define FI_FRAG 0x0004
#define FI_SHORT 0x0008
#define FI_NATED 0x0010
#define FI_MULTICAST 0x0020
#define FI_BROADCAST 0x0040
#define FI_MBCAST 0x0080
#define FI_STATE 0x0100
#define FI_BADNAT 0x0200
#define FI_BAD 0x0400
#define FI_OOW 0x0800 /* Out of state window, else match */
#define FI_ICMPERR 0x1000
#define FI_FRAGTAIL 0x2000
#define FI_BADSRC 0x4000
#define FI_LOWTTL 0x8000
/* 0xcff3 clears FI_FRAG and FI_FRAGTAIL - and also FI_SHORT and FI_ICMPERR */
#define FI_CMP 0xcff3 /* Not FI_FRAG,FI_FRAGTAIL */
#define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets (FI_TCPUDP|FI_OPTIONS) */
/* 0xeffe clears FI_TCPUDP - and also FI_ICMPERR */
#define FI_WITH 0xeffe /* Not FI_TCPUDP */
#define FI_V6EXTHDR 0x10000
#define FI_COALESCE 0x20000
#define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
#define FI_DONTCACHE 0x40000000 /* don't cache the result */
#define FI_IGNORE 0x80000000

/* Shorthand for the IPv4 address and the lookup-qualifier views of fi_src/fi_dst */
#define fi_saddr fi_src.in4.s_addr
#define fi_daddr fi_dst.in4.s_addr
#define fi_srcnum fi_src.iplookupnum
#define fi_dstnum fi_dst.iplookupnum
#define fi_srctype fi_src.iplookuptype
#define fi_dsttype fi_dst.iplookuptype
#define fi_srcptr fi_src.iplookupptr
#define fi_dstptr fi_dst.iplookupptr
#define fi_srcfunc fi_src.iplookupfunc
#define fi_dstfunc fi_dst.iplookupfunc
257
258
/*
 * These are both used by the state and NAT code to indicate that one port or
 * the other should be treated as a wildcard.
 * NOTE: When updating, check bit masks in ip_state.h and update there too.
 * SI_WILDP/SI_WILDA are the port/address wildcard pairs; SI_NEWFR, SI_CLONE
 * and SI_CLONED share the same flag word (their meaning is defined by the
 * state/NAT code, not here).
 */
#define SI_W_SPORT 0x00000100
#define SI_W_DPORT 0x00000200
#define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
#define SI_W_SADDR 0x00000400
#define SI_W_DADDR 0x00000800
#define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
#define SI_NEWFR 0x00001000
#define SI_CLONE 0x00002000
#define SI_CLONED 0x00004000
273
274
/*
 * Per-packet working state built up while a packet is parsed and matched.
 * fin_fi is the comparable summary of the headers; the fields after it are
 * bookkeeping (direction, rule matched, data pointers, errors, mbuf).  The
 * FI_CSIZE/FI_LCSIZE/FI_COPYSIZE prefixes below are defined by offset into
 * this structure, so field order matters.
 */
typedef struct fr_info {
	void *fin_ifp;		/* interface packet is `on' */
	fr_ip_t fin_fi;		/* IP Packet summary */
	union {
		u_short fid_16[2];	/* TCP/UDP ports, ICMP code/type */
		u_32_t fid_32;
	} fin_dat;
	int fin_out;		/* in or out ? 1 == out, 0 == in */
	int fin_rev;		/* state only: 1 = reverse */
	u_short fin_hlen;	/* length of IP header in bytes */
	u_char fin_tcpf;	/* TCP header flags (SYN, ACK, etc) */
	u_char fin_icode;	/* ICMP error to return */
	u_32_t fin_rule;	/* rule # last matched */
	/* NOTE(review): a name string, although the comment says -1 for none - confirm */
	char fin_group[FR_GROUPLEN];	/* group number, -1 for none */
	struct frentry *fin_fr;	/* last matching rule */
	void *fin_dp;		/* start of data past IP header */
	int fin_dlen;		/* length of data portion of packet */
	int fin_plen;		/* NOTE(review): presumably total packet length - confirm */
	int fin_ipoff;		/* # bytes from buffer start to hdr */
	u_short fin_id;		/* IP packet id field */
	u_short fin_off;	/* NOTE(review): presumably IP fragment offset - confirm */
	int fin_depth;		/* Group nesting depth */
	int fin_error;		/* Error code to return */
	void *fin_nat;		/* NAT session for this packet, if any */
	void *fin_state;	/* state entry for this packet, if any */
	void *fin_nattag;
	ip_t *fin_ip;		/* IP header */
	mb_t **fin_mp;		/* pointer to pointer to mbuf */
	mb_t *fin_m;		/* pointer to mbuf */
#ifdef MENTAT
	mb_t *fin_qfm;		/* pointer to mblk where pkt starts */
	void *fin_qpi;
#endif
} fr_info_t;
309
/* Shorthand for the fr_info_t fields nested inside fin_fi and fin_dat */
#define fin_v fin_fi.fi_v
#define fin_p fin_fi.fi_p
#define fin_flx fin_fi.fi_flx
#define fin_optmsk fin_fi.fi_optmsk
#define fin_secmsk fin_fi.fi_secmsk
#define fin_auth fin_fi.fi_auth
#define fin_src fin_fi.fi_src.in4
#define fin_src6 fin_fi.fi_src.in6
#define fin_saddr fin_fi.fi_saddr
#define fin_dst fin_fi.fi_dst.in4
#define fin_dst6 fin_fi.fi_dst.in6
#define fin_daddr fin_fi.fi_daddr
#define fin_data fin_dat.fid_16
#define fin_sport fin_dat.fid_16[0]
#define fin_dport fin_dat.fid_16[1]
#define fin_ports fin_dat.fid_32	/* both ports as one word */

/* Values of fin_out */
#define IPF_IN 0
#define IPF_OUT 1
329
/* Rule action callback (frentry_t.fr_func) and its optional initialiser */
typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
typedef int (*ipfuncinit_t) __P((struct frentry *));

/*
 * Argument of SIOCFUNCL: maps a function name to its address and init
 * routine.  The name is a fixed 32-byte buffer.
 */
typedef struct ipfunc_resolve {
	char ipfu_name[32];
	ipfunc_t ipfu_addr;
	ipfuncinit_t ipfu_init;
} ipfunc_resolve_t;
338
/*
 * Size for compares on fr_info structures: the prefix up to (not including)
 * fin_icode (FI_CSIZE) or fin_dp (FI_LCSIZE).
 */
#define FI_CSIZE offsetof(fr_info_t, fin_icode)
#define FI_LCSIZE offsetof(fr_info_t, fin_dp)

/*
 * Size for copying cache fr_info structure (same prefix as FI_LCSIZE)
 */
#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
349
/*
 * Structure for holding IPFilter's tag information: a 16-byte tag that can
 * be viewed either as four words or as a character string, plus ipt_not
 * (presumably a negation flag - its use is defined by the callers).
 */
#define IPFTAG_LEN 16
typedef struct {
	union {
		u_32_t iptu_num[4];
		char iptu_tag[IPFTAG_LEN];
	} ipt_un;
	int ipt_not;
} ipftag_t;

#define ipt_tag ipt_un.iptu_tag
#define ipt_num ipt_un.iptu_num
364
365
/*
 * This structure is used to hold information about the next hop for where
 * to forward a packet: the interface (by pointer and by name) and the
 * gateway address.
 */
typedef struct frdest {
	void *fd_ifp;			/* resolved interface pointer */
	i6addr_t fd_ip6;		/* next-hop address */
	char fd_ifname[LIFNAMSIZ];	/* interface name as given in the rule */
} frdest_t;

#define fd_ip fd_ip6.in4	/* IPv4 view of fd_ip6 */
377
378
/*
 * This structure holds information about a port comparison.
 */
typedef struct frpcmp {
	int frp_cmp;		/* data for port comparisons (FR_* below) */
	u_short frp_port;	/* NOTE(review): presumably the single/bottom port - comment duplicated from frp_top */
	u_short frp_top;	/* top port for <> and >< */
} frpcmp_t;

/* Values of frp_cmp: how frp_port (and frp_top for the range forms) is compared */
#define FR_NONE 0
#define FR_EQUAL 1
#define FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define FR_OUTRANGE 7
#define FR_INRANGE 8
#define FR_INCRANGE 9
398
/*
 * Structure containing all the relevant TCP things that can be checked in
 * a filter rule: the flag mask/value pair and the two port comparisons.
 */
typedef struct frtuc {
	u_char ftu_tcpfm;	/* tcp flags mask */
	u_char ftu_tcpf;	/* tcp flags */
	frpcmp_t ftu_src;	/* source port comparison */
	frpcmp_t ftu_dst;	/* destination port comparison */
} frtuc_t;

#define ftu_scmp ftu_src.frp_cmp
#define ftu_dcmp ftu_dst.frp_cmp
#define ftu_sport ftu_src.frp_port
#define ftu_dport ftu_dst.frp_port
#define ftu_stop ftu_src.frp_top
#define ftu_dtop ftu_dst.frp_top

/* Highest value ftu_tcpfm/ftu_tcpf may take: the six low TCP flag bits */
#define FR_TCPFMAX 0x3f
418
/*
 * This structure makes up what is considered to be the IPFilter specific
 * matching components of a filter rule, as opposed to the data structures
 * used to define the result which are in frentry_t and not here.
 * fri_ip holds the values to match and fri_mip the corresponding mask.
 */
typedef struct fripf {
	fr_ip_t fri_ip;
	fr_ip_t fri_mip;	/* mask structure */

	u_short fri_icmpm;	/* data for ICMP packets (mask) */
	u_short fri_icmp;	/* data for ICMP packets (value) */

	frtuc_t fri_tuc;
	int fri_satype;		/* source address type (FRI_* below) */
	int fri_datype;		/* destination address type (FRI_* below) */
	int fri_sifpidx;	/* index into fr_ifps[] to use when doing */
	int fri_difpidx;	/* dynamic addressing (source / destination) */
} fripf_t;

/* NOTE(review): the *num accessors read fri_ip but the *ptr ones read fri_mip - confirm intended */
#define fri_dstnum fri_ip.fi_dstnum
#define fri_srcnum fri_mip.fi_srcnum
#define fri_dstptr fri_ip.fi_dstptr
#define fri_srcptr fri_mip.fi_srcptr

/* Values of fri_satype/fri_datype */
#define FRI_NORMAL 0 /* Normal address */
#define FRI_DYNAMIC 1 /* dynamic address */
#define FRI_LOOKUP 2 /* address is a pool # */
#define FRI_RANGE 3 /* address/mask is a range */
#define FRI_NETWORK 4 /* network address from if */
#define FRI_BROADCAST 5 /* broadcast address from if */
#define FRI_PEERADDR 6 /* Peer address for P-to-P */
#define FRI_NETMASKED 7 /* network address with netmask from if */
451
452
/* Function-rule callback: takes the packet info, returns a rule (or NULL) */
typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));

/*
 * A filter rule as kept in the kernel.  The fields before fr_func are
 * kernel-only bookkeeping (locks, links, counters); everything from
 * fr_func on is the user-supplied rule body compared by FR_CMPSIZ, with
 * fr_cksum last because it is recomputed after loading.
 */
typedef struct frentry {
	ipfmutex_t fr_lock;
	struct frentry *fr_next;	/* next rule in the list */
	struct frentry **fr_grp;	/* head of the group this rule starts, if any */
	struct ipscan *fr_isc;
	void *fr_ifas[4];		/* resolved interfaces for fr_ifnames[] */
	void *fr_ptr;			/* for use with fr_arg */
	char *fr_comment;		/* text comment for rule */
	int fr_ref;			/* reference count - for grouping */
	int fr_statecnt;		/* state count - for limit rules */
	/*
	 * These are only incremented when a packet matches this rule and
	 * it is the last match
	 */
	U_QUAD_T fr_hits;
	U_QUAD_T fr_bytes;

	/*
	 * For PPS rate limiting
	 */
	struct timeval fr_lastpkt;
	int fr_curpps;

	/* Rule body, interpreted according to fr_type (see FR_T_* below) */
	union {
		void *fru_data;
		caddr_t fru_caddr;
		fripf_t *fru_ipf;
		frentfunc_t fru_func;
	} fr_dun;

	/*
	 * Fields after this may not change whilst in the kernel.
	 */
	ipfunc_t fr_func;		/* call this function */
	int fr_dsize;			/* size of the data at fr_dun */
	int fr_pps;			/* packets-per-second ceiling */
	int fr_statemax;		/* max reference count */
	int fr_flineno;			/* line number from conf file */
	u_32_t fr_type;			/* FR_T_* */
	u_32_t fr_flags;		/* per-rule flags && options (see below) */
	u_32_t fr_logtag;		/* user defined log tag # */
	u_32_t fr_collect;		/* collection number */
	u_int fr_arg;			/* misc. numeric arg for rule */
	u_int fr_loglevel;		/* syslog log facility + priority */
	u_int fr_age[2];		/* non-TCP timeouts */
	u_char fr_v;			/* IP version the rule applies to */
	u_char fr_icode;		/* return ICMP code */
	char fr_group[FR_GROUPLEN];	/* group to which this rule belongs */
	char fr_grhead[FR_GROUPLEN];	/* group # which this rule starts */
	ipftag_t fr_nattag;
	char fr_ifnames[4][LIFNAMSIZ];	/* interface names (see fr_ifname/fr_oifname) */
	char fr_isctag[16];
	frdest_t fr_tifs[2];		/* "to"/"reply-to" interface */
	frdest_t fr_dif;		/* duplicate packet interface */
	/*
	 * This must be last and will change after loaded into the kernel.
	 */
	u_int fr_cksum;			/* checksum on filter rules for performance */
} frentry_t;

/* Views of the fr_dun union */
#define fr_caddr fr_dun.fru_caddr
#define fr_data fr_dun.fru_data
#define fr_dfunc fr_dun.fru_func
#define fr_ipf fr_dun.fru_ipf
/* Shorthand into the fripf_t pointed to by fr_ipf (only valid for FR_T_IPF rules) */
#define fr_ip fr_ipf->fri_ip
#define fr_mip fr_ipf->fri_mip
#define fr_icmpm fr_ipf->fri_icmpm
#define fr_icmp fr_ipf->fri_icmp
#define fr_tuc fr_ipf->fri_tuc
#define fr_satype fr_ipf->fri_satype
#define fr_datype fr_ipf->fri_datype
#define fr_sifpidx fr_ipf->fri_sifpidx
#define fr_difpidx fr_ipf->fri_difpidx
#define fr_proto fr_ip.fi_p
#define fr_mproto fr_mip.fi_p
#define fr_ttl fr_ip.fi_ttl
#define fr_mttl fr_mip.fi_ttl
#define fr_tos fr_ip.fi_tos
#define fr_mtos fr_mip.fi_tos
#define fr_tcpfm fr_tuc.ftu_tcpfm
#define fr_tcpf fr_tuc.ftu_tcpf
#define fr_scmp fr_tuc.ftu_scmp
#define fr_dcmp fr_tuc.ftu_dcmp
#define fr_dport fr_tuc.ftu_dport
#define fr_sport fr_tuc.ftu_sport
#define fr_stop fr_tuc.ftu_stop
#define fr_dtop fr_tuc.ftu_dtop
#define fr_dst fr_ip.fi_dst.in4
#define fr_daddr fr_ip.fi_dst.in4.s_addr
#define fr_src fr_ip.fi_src.in4
#define fr_saddr fr_ip.fi_src.in4.s_addr
#define fr_dmsk fr_mip.fi_dst.in4
#define fr_dmask fr_mip.fi_dst.in4.s_addr
#define fr_smsk fr_mip.fi_src.in4
#define fr_smask fr_mip.fi_src.in4.s_addr
#define fr_dstnum fr_ip.fi_dstnum
#define fr_srcnum fr_ip.fi_srcnum
#define fr_dsttype fr_ip.fi_dsttype
#define fr_srctype fr_ip.fi_srctype
/* The lookup pointer/function views live in the mask copy, not the value copy */
#define fr_dstptr fr_mip.fi_dstptr
#define fr_srcptr fr_mip.fi_srcptr
#define fr_dstfunc fr_mip.fi_dstfunc
#define fr_srcfunc fr_mip.fi_srcfunc
#define fr_optbits fr_ip.fi_optmsk
#define fr_optmask fr_mip.fi_optmsk
#define fr_secbits fr_ip.fi_secmsk
#define fr_secmask fr_mip.fi_secmsk
#define fr_authbits fr_ip.fi_auth
#define fr_authmask fr_mip.fi_auth
#define fr_flx fr_ip.fi_flx
#define fr_mflx fr_mip.fi_flx
/* Slots 0 and 2 of fr_ifnames/fr_ifas are the in and out interfaces */
#define fr_ifname fr_ifnames[0]
#define fr_oifname fr_ifnames[2]
#define fr_ifa fr_ifas[0]
#define fr_oifa fr_ifas[2]
#define fr_tif fr_tifs[0]
#define fr_rif fr_tifs[1]
572
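#define FR_NOLOGTAG 0	/* fr_logtag value meaning "no user log tag" */

/*
 * Fallback offsetof() for environments that do not supply one.  The result
 * is formed as a pointer difference and then narrowed to int, which is the
 * type FI_CSIZE/FR_CMPSIZ expect.  Casting the member address itself to int
 * would truncate on targets where pointers are wider than int and is
 * rejected outright by some compilers.
 */
#ifndef offsetof
#define offsetof(t,m) (int)((char *)&((t *)0L)->m - (char *)0L)
#endif
/*
 * Number of trailing bytes of a frentry, from fr_dsize onwards, that are
 * compared when deciding whether two rules are the same.
 */
#define FR_CMPSIZ (sizeof(struct frentry) - \
		   offsetof(struct frentry, fr_dsize))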
580
/*
 * fr_type: what the fr_dun union of a rule holds.  FR_T_BUILTIN is a flag
 * bit OR'd onto one of the low values.
 */
#define FR_T_NONE 0
#define FR_T_IPF 1 /* IPF structures */
#define FR_T_BPFOPC 2 /* BPF opcode */
#define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
#define FR_T_COMPIPF 4 /* compiled C code */
#define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
590
/*
 * fr_flags.  The low four bits (FR_CMDMASK) hold the rule's verdict; the
 * remaining bits are independent options.  Bits 0x10000000-0x80000000 are
 * reserved for the FF_* logging flags listed below.
 * NOTE(review): FR_COPIED and FR_INACTIVE reuse the values of FF_LOGNOMATCH
 * and FF_BLOCKNONIP; confirm the two sets are never stored in one word.
 */
#define FR_CALL 0x00000 /* call rule */
#define FR_BLOCK 0x00001 /* do not allow packet to pass */
#define FR_PASS 0x00002 /* allow packet to pass */
#define FR_AUTH 0x00003 /* use authentication */
#define FR_PREAUTH 0x00004 /* require preauthentication */
#define FR_ACCOUNT 0x00005 /* Accounting rule */
#define FR_SKIP 0x00006 /* skip rule */
#define FR_DIVERT 0x00007 /* divert rule */
#define FR_CMDMASK 0x0000f
#define FR_LOG 0x00010 /* Log */
#define FR_LOGB 0x00011 /* Log-fail (FR_LOG|FR_BLOCK) */
#define FR_LOGP 0x00012 /* Log-pass (FR_LOG|FR_PASS) */
#define FR_LOGMASK (FR_LOG|FR_CMDMASK)
#define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
#define FR_NOTSRCIP 0x00040 /* negate the source address match */
#define FR_NOTDSTIP 0x00080 /* negate the destination address match */
#define FR_QUICK 0x00100 /* match & stop processing list */
#define FR_KEEPFRAG 0x00200 /* keep fragment information */
#define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
#define FR_FASTROUTE 0x00800 /* bypass normal routing */
#define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
#define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
#define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source (FR_RETRST|FR_RETICMP) */
#define FR_OUTQUE 0x04000 /* outgoing packets */
#define FR_INQUE 0x08000 /* ingoing packets */
#define FR_LOGBODY 0x10000 /* Log the body */
#define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
#define FR_DUP 0x80000 /* duplicate packet */
#define FR_FRSTRICT 0x100000 /* strict frag. cache */
#define FR_STSTRICT 0x200000 /* strict keep state */
#define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
#define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
#define FR_NOMATCH 0x8000000 /* no match occurred */
/* 0x10000000 FF_LOGPASS */
/* 0x20000000 FF_LOGBLOCK */
/* 0x40000000 FF_LOGNOMATCH */
/* 0x80000000 FF_BLOCKNONIP */
#define FR_COPIED 0x40000000 /* copied from user space */
#define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */

/* Any of the "send something back" options */
#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
/* Verdict tests on an fr_flags word */
#define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
#define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
#define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
#define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
#define FR_INOUT (FR_INQUE|FR_OUTQUE)
644
/*
 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags.
 * They occupy the top four bits, which FR_* above leaves reserved.
 */
#define FF_LOGPASS 0x10000000
#define FF_LOGBLOCK 0x20000000
#define FF_LOGNOMATCH 0x40000000
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
653
654
/*
 * Structure that passes information on what/how to flush to the kernel.
 * The encoding of ipflu_how/ipflu_arg is defined by the flush code.
 */
typedef struct ipfflush {
	int ipflu_how;
	int ipflu_arg;
} ipfflush_t;
662
663
/*
 * Get/set interface for named kernel tuneables: ipfgetctl_t returns the
 * bounds and current value of one control, ipfsetctl_t stores a new value
 * into the field selected by ipfs_which.  Names are fixed 40-byte buffers.
 */
typedef struct ipfgetctl {
	u_int ipfg_min;		/* min value */
	u_int ipfg_current;	/* current value */
	u_int ipfg_max;		/* max value */
	u_int ipfg_default;	/* default value */
	u_int ipfg_steps;	/* value increments */
	char ipfg_name[40];	/* tag name for this control */
} ipfgetctl_t;

typedef struct ipfsetctl {
	int ipfs_which;		/* 0 = min 1 = current 2 = max 3 = default */
	u_int ipfs_value;	/* value to store into the field chosen by ipfs_which */
	char ipfs_name[40];	/* tag name for this control */
} ipfsetctl_t;
681
682
/*
 * Some of the statistics below are in their own counters, but most are kept
 * in this single structure so that they can all easily be collected and
 * copied back as required (two copies, in/out, live in friostat.f_st).
 */
typedef struct filterstats {
	u_long fr_pass;		/* packets allowed */
	u_long fr_block;	/* packets denied */
	u_long fr_nom;		/* packets which don't match any rule */
	u_long fr_short;	/* packets which are short */
	u_long fr_ppkl;		/* packets allowed and logged */
	u_long fr_bpkl;		/* packets denied and logged */
	u_long fr_npkl;		/* packets unmatched and logged */
	u_long fr_pkl;		/* packets logged */
	u_long fr_skip;		/* packets to be logged but buffer full */
	u_long fr_ret;		/* packets for which a return is sent */
	u_long fr_acct;		/* packets for which counting was performed */
	u_long fr_bnfr;		/* bad attempts to allocate fragment state */
	u_long fr_nfr;		/* new fragment state kept */
	u_long fr_cfr;		/* add new fragment state but complete pkt */
	u_long fr_bads;		/* bad attempts to allocate packet state */
	u_long fr_ads;		/* new packet state kept */
	u_long fr_chit;		/* cached hit */
	u_long fr_tcpbad;	/* TCP checksum check failures */
	u_long fr_pull[2];	/* good and bad pullup attempts */
	u_long fr_badsrc;	/* source received doesn't match route */
	u_long fr_badttl;	/* TTL in packet doesn't reach minimum */
	u_long fr_bad;		/* bad IP packets to the filter */
	u_long fr_ipv6;		/* IPv6 packets in/out */
	u_long fr_ppshit;	/* dropped because of pps ceiling */
	u_long fr_ipud;		/* IP id update failures */
} filterstats_t;
715
/*
 * Log structure. Each packet header logged is prepended by one of these.
 * Following this in the log records read from the device will be an ipflog
 * structure which is then followed by any packet data.  ipl_magic says
 * which log the record belongs to (IPL_MAGIC* below) and ipl_dsize how many
 * bytes follow the header.
 */
typedef struct iplog {
	u_32_t ipl_magic;
	u_int ipl_count;
	struct timeval ipl_time;
	size_t ipl_dsize;
	struct iplog *ipl_next;
} iplog_t;

#define ipl_sec ipl_time.tv_sec
#define ipl_usec ipl_time.tv_usec

/* Values of ipl_magic: the ASCII bytes 'I','P','L' plus M/N/S */
#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
#define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
#define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
#define IPLOG_SIZE sizeof(iplog_t)
736
/*
 * Per-packet record that follows an iplog_t in the packet log: which rule
 * and group logged it, the saved header length and the interface.
 * NOTE(review): the NetBSD/OpenBSD range test below has an empty body and
 * its upper bound (1991011) does not look like a YYYYMM date - confirm.
 */
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
	(defined(OpenBSD) && (OpenBSD >= 199603))
#else
	u_int fl_unit;
#endif
	u_32_t fl_rule;
	u_32_t fl_flags;
	u_32_t fl_lflags;
	u_32_t fl_logtag;
	ipftag_t fl_nattag;
	u_short fl_plen;	/* extra data after hlen */
	u_short fl_loglevel;	/* syslog log level */
	char fl_group[FR_GROUPLEN];
	u_char fl_hlen;		/* length of IP headers saved */
	u_char fl_dir;		/* direction (see IPF_IN/IPF_OUT) */
	u_char fl_xxx[2];	/* pad */
	char fl_ifname[LIFNAMSIZ];
} ipflog_t;
756
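#ifndef IPF_LOGGING
# define IPF_LOGGING 0		/* build-time default: packet logging off */
#endif
#ifndef IPF_DEFAULT_PASS
# define IPF_DEFAULT_PASS FR_PASS	/* verdict when no rule matches */
#endif

/*
 * Size of the kernel log buffer.  A build may override IPFILTER_LOGSIZE but
 * may not shrink it below the default.  The check has to test the very
 * macro the #ifndef above guards: an identifier that is not defined
 * evaluates to 0 inside #if, so testing any other name would make the
 * #error fire for every override.
 */
#define DEFAULT_IPFLOGSIZE 8192
#ifndef IPFILTER_LOGSIZE
# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
#else
# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
#  error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
# endif
#endif

#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */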
774
/*
 * Device filenames for reading log information. Use ipf on Solaris2 because
 * ipl is already a name used by something else.
 */
#ifndef IPL_NAME
# if SOLARIS
#  define IPL_NAME "/dev/ipf"
# else
#  define IPL_NAME "/dev/ipl"
# endif
#endif
/*
 * Pathnames for various IP Filter control devices. Used by LKM
 * and userland, so defined here.  Their minor numbers are the IPL_LOG*
 * values below.
 */
#define IPNAT_NAME "/dev/ipnat"
#define IPSTATE_NAME "/dev/ipstate"
#define IPAUTH_NAME "/dev/ipauth"
#define IPSYNC_NAME "/dev/ipsync"
#define IPSCAN_NAME "/dev/ipscan"
#define IPLOOKUP_NAME "/dev/iplookup"
796
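/*
 * Minor device numbers of the control/log devices above.  They also index
 * per-device tables (friostat.f_groups, f_locks), so IPL_LOGSIZE is the
 * table size.  The derived and negative values are parenthesised so that
 * they survive use inside larger expressions (e.g. 2 * IPL_LOGSIZE,
 * -IPL_LOGALL).
 */
#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
#define IPL_LOGAUTH 3
#define IPL_LOGSYNC 4
#define IPL_LOGSCAN 5
#define IPL_LOGLOOKUP 6
#define IPL_LOGCOUNT 7
#define IPL_LOGMAX 7
#define IPL_LOGSIZE (IPL_LOGMAX + 1)
#define IPL_LOGALL (-1)
#define IPL_LOGNONE (-2)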
809
/*
 * For SIOCGETFS: a snapshot of the filter's global state - per-direction
 * statistics, the heads of the active/inactive rule lists, group tables,
 * and the global switches.  The pointers are kernel addresses and are only
 * meaningful for walking the lists with SIOCIPFGETNEXT-style ioctls.
 * NOTE(review): f_locks is sized IPL_LOGMAX (7) while f_groups is sized
 * IPL_LOGSIZE (8) - confirm the intended number of units.
 */
typedef struct friostat {
	struct filterstats f_st[2];		/* [in, out] */
	struct frentry *f_ipf[2][2];		/* [in/out][active/inactive] filter lists */
	struct frentry *f_acct[2][2];		/* accounting lists, same layout */
	struct frentry *f_ipf6[2][2];
	struct frentry *f_acct6[2][2];
	struct frentry *f_auth;
	struct frgroup *f_groups[IPL_LOGSIZE][2];
	u_long f_froute[2];
	u_long f_ticks;
	int f_locks[IPL_LOGMAX];
	size_t f_kmutex_sz;
	size_t f_krwlock_sz;
	int f_defpass;		/* default pass - from fr_pass */
	int f_active;		/* 1 or 0 - active rule set */
	int f_running;		/* 1 if running, else 0 */
	int f_logging;		/* 1 if enabled, else 0 */
	int f_features;		/* IPF_FEAT_* bits */
	char f_version[32];	/* version string */
} friostat_t;

/* Direction views of the list heads */
#define f_fin f_ipf[0]
#define f_fin6 f_ipf6[0]
#define f_fout f_ipf[1]
#define f_fout6 f_ipf6[1]
#define f_acctin f_acct[0]
#define f_acctin6 f_acct6[0]
#define f_acctout f_acct[1]
#define f_acctout6 f_acct6[1]

/* f_features bits: which optional parts were compiled in */
#define IPF_FEAT_LKM 0x001
#define IPF_FEAT_LOG 0x002
#define IPF_FEAT_LOOKUP 0x004
#define IPF_FEAT_BPF 0x008
#define IPF_FEAT_COMPILED 0x010
#define IPF_FEAT_CKSUM 0x020
#define IPF_FEAT_SYNC 0x040
#define IPF_FEAT_SCAN 0x080
#define IPF_FEAT_IPV6 0x100
852
/* Maps an option value (ol_val) to the bit used for it in an option mask */
typedef struct optlist {
	u_short ol_val;
	int ol_bit;
} optlist_t;
857
858
/*
 * Group list structure: a named, reference-counted list of rules.
 */
typedef struct frgroup {
	struct frgroup *fg_next;
	struct frentry *fg_head;	/* first rule in the group */
	struct frentry *fg_start;
	u_32_t fg_flags;
	int fg_ref;			/* reference count */
	char fg_name[FR_GROUPLEN];
} frgroup_t;

/* Group name for display: the empty string when fg_name is unset */
#define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
872
873
/*
 * Used by state and NAT tables: the per-protocol keys kept for an entry.
 */
typedef struct icmpinfo {
	u_short ici_id;		/* ICMP echo id */
	u_short ici_seq;	/* ICMP echo sequence */
	u_char ici_type;	/* ICMP type */
} icmpinfo_t;

typedef struct udpinfo {
	u_short us_sport;
	u_short us_dport;
} udpinfo_t;
887
888
/*
 * Per-direction TCP sequence-window tracking for a state entry
 * (tcpinfo_t.ts_data has one of these for each direction).
 */
typedef struct tcpdata {
	u_32_t td_end;
	u_32_t td_maxend;
	u_32_t td_maxwin;
	u_32_t td_winscale;	/* window scale shift, at most TCP_WSCALE_MAX */
	u_32_t td_maxseg;
	int td_winflags;	/* TCP_WSCALE_* */
} tcpdata_t;

#define TCP_WSCALE_MAX 14

/* td_winflags */
#define TCP_WSCALE_SEEN 0x00000001
#define TCP_WSCALE_FIRST 0x00000002
902
903
/* TCP key for a state/NAT entry: the port pair plus both directions' windows */
typedef struct tcpinfo {
	u_short ts_sport;
	u_short ts_dport;
	tcpdata_t ts_data[2];
} tcpinfo_t;
909
/* GRE key for a state/NAT entry (flags, protocol type, call id) */
typedef struct greinfo {
	u_short gs_flags;
	u_short gs_ptype;
	u_short gs_call;
} greinfo_t;
915
/*
 * Overlay for the first 8 bytes of a GRE header.  The bit-field view and
 * the flat gru_flags view share storage.
 * NOTE(review): bit-field order within a word is implementation-defined and
 * differs between big- and little-endian compilers; confirm the gr_* bit
 * accessors are only used where that has been accounted for.
 */
typedef struct grehdr {
	union {
		struct grebits {
			u_32_t grub_C:1;
			u_32_t grub_R:1;
			u_32_t grub_K:1;
			u_32_t grub_S:1;
			u_32_t grub_s:1;
			u_32_t grub_recur:1;
			u_32_t grub_A:1;
			u_32_t grub_flags:3;
			u_32_t grub_ver:3;
			u_short grub_ptype;
		} gru_bits;
		u_short gru_flags;
	} gr_un;
	u_short gr_len;
	u_short gr_call;
} grehdr_t;

#define gr_flags gr_un.gru_flags
#define gr_bits gr_un.gru_bits
#define gr_ptype gr_bits.grub_ptype
#define gr_C gr_bits.grub_C
#define gr_R gr_bits.grub_R
#define gr_K gr_bits.grub_K
#define gr_S gr_bits.grub_S
#define gr_s gr_bits.grub_s
#define gr_recur gr_bits.grub_recur
#define gr_A gr_bits.grub_A
#define gr_ver gr_bits.grub_ver
947
948
/*
 * Timeout tail queue list member.  Embedded in NAT/state entries; tqe_pnext
 * points at the previous link's next pointer so an entry can be unlinked
 * without walking the queue.
 */
typedef struct ipftqent {
	struct ipftqent **tqe_pnext;
	struct ipftqent *tqe_next;
	struct ipftq *tqe_ifq;		/* queue this entry is on */
	void *tqe_parent;		/* pointer back to NAT/state struct */
	u_long tqe_die;			/* when this entry is to die */
	u_long tqe_touched;		/* last time the entry was refreshed */
	int tqe_flags;			/* TQE_* */
	int tqe_state[2];		/* current state of this entry */
} ipftqent_t;

#define TQE_RULEBASED 0x00000001
964
965
/*
 * Timeout tail queue head for IPFilter.  Heads themselves form a list
 * (ifq_next/ifq_pnext); entries are appended at ifq_tail.
 */
typedef struct ipftq {
	ipfmutex_t	ifq_lock;	/* guards this queue's list -- presumably
					 * required for all ifq_head/tail updates */
	u_int		ifq_ttl;	/* lifetime applied to members */
	ipftqent_t	*ifq_head;
	ipftqent_t	**ifq_tail;	/* address of the last next-pointer */
	struct ipftq	*ifq_next;
	struct ipftq	**ifq_pnext;
	int		ifq_ref;	/* reference count */
	u_int		ifq_flags;	/* IFQF_* bits */
} ipftq_t;
979
#define	IFQF_USER	0x01		/* User defined aging */

#define	IPF_HZ_MULT	1
#define	IPF_HZ_DIVIDE	2		/* How many times a second ipfilter */
					/* checks its timeout queues. */
/*
 * Convert a timeout in seconds into timeout-queue ticks.  Integer
 * arithmetic only; nothing here bounds x, so if the value originates from
 * userland (e.g. a rule or tuneable) the caller should range-check it
 * before the multiply can wrap -- confirm at the call sites.
 */
#define	IPF_TTLVAL(x)	(((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
986
/*
 * Structure to define address for pool lookups.
 */
typedef struct {
	u_char		adf_len;	/* presumably the number of address bytes
					 * in use (v4 vs v6) -- confirm */
	i6addr_t	adf_addr;	/* address storage large enough for v6 */
} addrfamily_t;
994
995
/*
 * Object structure description.  For passing through in ioctls.
 *
 * Every field here arrives from userland and is untrusted.  NOTE(review):
 * before copying through ipfo_ptr the kernel side should check ipfo_rev
 * against its own version, that ipfo_type is one of the IPFOBJ_* values
 * below, and that ipfo_size (and ipfo_offset, where honoured) matches the
 * size of the struct that type denotes -- this is presumably what
 * fr_inobj/fr_inobjsz/fr_outobj (declared later) do; verify there.
 */
typedef struct ipfobj {
	u_32_t	ipfo_rev;		/* IPFilter version number */
	u_32_t	ipfo_size;		/* size of object at ipfo_ptr */
	void	*ipfo_ptr;		/* pointer to object (user address) */
	int	ipfo_type;		/* type of object being pointed to */
	int	ipfo_offset;		/* bytes from ipfo_ptr where to start */
	u_char	ipfo_xxxpad[32];	/* reserved for future use */
} ipfobj_t;
1007
/*
 * Values for ipfobj_t.ipfo_type.  Each maps to exactly one struct, so the
 * kernel's per-type size check must be kept in step with this table when
 * a value is added.
 */
#define	IPFOBJ_FRENTRY		0	/* struct frentry */
#define	IPFOBJ_IPFSTAT		1	/* struct friostat */
#define	IPFOBJ_IPFINFO		2	/* struct fr_info */
#define	IPFOBJ_AUTHSTAT		3	/* struct fr_authstat */
#define	IPFOBJ_FRAGSTAT		4	/* struct ipfrstat */
#define	IPFOBJ_IPNAT		5	/* struct ipnat */
#define	IPFOBJ_NATSTAT		6	/* struct natstat */
#define	IPFOBJ_STATESAVE	7	/* struct ipstate_save */
#define	IPFOBJ_NATSAVE		8	/* struct nat_save */
#define	IPFOBJ_NATLOOKUP	9	/* struct natlookup */
#define	IPFOBJ_IPSTATE		10	/* struct ipstate */
#define	IPFOBJ_STATESTAT	11	/* struct ips_stat */
#define	IPFOBJ_FRAUTH		12	/* struct frauth */
#define	IPFOBJ_TUNEABLE		13	/* struct ipftune */
1022
1023
/*
 * Pointer to the kernel variable behind a tuneable, typed by width.
 * Which member is valid is given by the owning ipftuneable_t.ipft_sz.
 */
typedef union ipftunevalptr {
	void	*ipftp_void;
	u_long	*ipftp_long;
	u_int	*ipftp_int;
	u_short	*ipftp_short;
	u_char	*ipftp_char;
} ipftunevalptr_t;
1031
/*
 * Kernel-side description of one tuneable (the ipf_tuneables[] table is
 * declared at the end of this header).
 */
typedef struct ipftuneable {
	ipftunevalptr_t	ipft_una;	/* where the value lives */
	char		*ipft_name;	/* name userland uses to select it */
	u_long		ipft_min;	/* allowed range; NOTE(review): stored as
					 * u_long while the target may be narrower
					 * (ipft_sz) -- range checks should be
					 * done before the narrowing store */
	u_long		ipft_max;
	int		ipft_sz;	/* width of the target variable */
	int		ipft_flags;	/* IPFT_* bits */
} ipftuneable_t;
1040
/* Accessors for ipftuneable_t.ipft_una */
#define	ipft_addr	ipft_una.ipftp_void
#define	ipft_plong	ipft_una.ipftp_long
#define	ipft_pint	ipft_una.ipftp_int
#define	ipft_pshort	ipft_una.ipftp_short
#define	ipft_pchar	ipft_una.ipftp_char

/* ipft_flags bits; writes from userland must honour both */
#define	IPFT_RDONLY	1	/* read-only */
#define	IPFT_WRDISABLED	2	/* write when disabled only */
1049
/*
 * Value of a tuneable by width; the valid member follows ipft_sz.
 */
typedef union ipftuneval {
	u_long	ipftu_long;
	u_int	ipftu_int;
	u_short	ipftu_short;
	u_char	ipftu_char;
} ipftuneval_t;
1056
/*
 * Userland view of a tuneable, exchanged through an IPFOBJ_TUNEABLE ioctl
 * object.  NOTE(review): as it comes from userland, ipft_cookie must be
 * treated as an opaque token to look up (e.g. against ipf_tuneables[]),
 * never dereferenced as-is, and ipft_name must be NUL-terminated by the
 * kernel before any string function sees it -- confirm in fr_ipftune.
 */
typedef struct ipftune {
	void		*ipft_cookie;	/* iteration cookie, opaque to userland */
	ipftuneval_t	ipft_un;	/* value, see ipft_sz */
	u_long		ipft_min;
	u_long		ipft_max;
	int		ipft_sz;
	int		ipft_flags;
	char		ipft_name[80];	/* fixed-size; no terminator guarantee
					 * on input */
} ipftune_t;
1066
/* Accessors for ipftune_t.ipft_un */
#define	ipft_vlong	ipft_un.ipftu_long
#define	ipft_vint	ipft_un.ipftu_int
#define	ipft_vshort	ipft_un.ipftu_short
#define	ipft_vchar	ipft_un.ipftu_char
1071
1072
1073 /*
1074 ** HPUX Port
1075 */
1076 #ifdef __hpux
1077 /* HP-UX locking sequence deadlock detection module lock MAJOR ID */
1078 # define IPF_SMAJ 0 /* temp assignment XXX, not critical */
1079 #endif
1080
1081 #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
1082 (__FreeBSD_version >= 220000)
1083 # define CDEV_MAJOR 79
1084 #endif
1085
1086 /*
1087 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
1088 * on those hooks. We don't need any special mods in non-IP Filter code
1089 * with this!
1090 */
1091 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
1092 (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
1093 (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
1094 # if (NetBSD >= 199905)
1095 # define PFIL_HOOKS
1096 # endif
1097 # ifdef PFIL_HOOKS
1098 # define NETBSD_PF
1099 # endif
1100 #endif
1101
/*
 * Device/entry-point prototypes.  The first arm is for userland builds
 * (test harness), the #else arm for the kernel, further split by platform.
 */
#ifndef _KERNEL
extern	int	fr_check __P((struct ip *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern	int	ipf_log __P((void));
extern	struct	ifnet *get_unit __P((char *, int));
extern	char	*get_ifname __P((struct ifnet *));
/*
 * NOTE(review): both arms of this #if declare an identical iplioctl
 * prototype, so the conditional is currently a no-op; either the
 * prototypes were meant to differ or the #if can be dropped.
 */
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
	(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern	int	iplioctl __P((int, ioctlcmd_t, caddr_t, int));
# else
extern	int	iplioctl __P((int, ioctlcmd_t, caddr_t, int));
# endif
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
extern	void	m_freem __P((mb_t *));
#else /* #ifndef _KERNEL */
extern	void	*fr_pullup __P((mb_t *, fr_info_t *, int));
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern	void	ipfilterattach __P((int));
# endif
extern	int	ipl_enable __P((void));
extern	int	ipl_disable __P((void));
# ifdef MENTAT
extern	int	fr_check __P((struct ip *, int, void *, int, void *,
			      mblk_t **));
#  if SOLARIS
#   if SOLARIS2 >= 7
extern	int	iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
#   else
extern	int	iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
#   endif
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	iplread __P((dev_t, uio_t *, cred_t *));
#  endif
#  ifdef __hpux
extern	int	iplopen __P((dev_t, int, intptr_t, int));
extern	int	iplclose __P((dev_t, int, int));
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
extern	int	iplread __P((dev_t, uio_t *));
extern	int	iplselect __P((dev_t, int));
#  endif
extern	int	ipfsync __P((void));
extern	int	fr_qout __P((queue_t *, mblk_t *));
# else /* MENTAT */
extern	int	fr_check __P((struct ip *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern	size_t	mbufchainlen __P((mb_t *));
#  ifdef	__sgi
#   include <sys/cred.h>
extern	int	iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	iplread __P((dev_t, uio_t *, cred_t *));
extern	int	ipfsync __P((void));
extern	int	ipfilter_sgi_attach __P((void));
extern	void	ipfilter_sgi_detach __P((void));
extern	void	ipfilter_sgi_intfsync __P((void));
#  else
#   ifdef	IPFILTER_LKM
extern	int	iplidentify __P((char *));
#   endif
#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
      (NetBSD >= 199511) || defined(__OpenBSD__)
#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
#     if (__FreeBSD_version >= 500024)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
#     else
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
#     endif /* __FreeBSD_version >= 500024 */
#    else
extern	int	iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
#    endif
#    if (__FreeBSD_version >= 500024)
extern	int	iplopen __P((dev_t, int, int, struct thread *));
extern	int	iplclose __P((dev_t, int, int, struct thread *));
#    else
extern	int	iplopen __P((dev_t, int, int, struct proc *));
extern	int	iplclose __P((dev_t, int, int, struct proc *));
#    endif /* __FreeBSD_version >= 500024 */
#   else
#    ifdef	linux
extern	int	iplioctl __P((struct inode *, struct file *, u_int, u_long));
#    else
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
#    endif
#   endif /* (_BSDI_VERSION >= 199510) */
#   if	BSD >= 199306
extern	int	iplread __P((dev_t, struct uio *, int));
extern	int	iplwrite __P((dev_t, struct uio *, int));
#   else
#    ifndef linux
extern	int	iplread __P((dev_t, struct uio *));
extern	int	iplwrite __P((dev_t, struct uio *));
#    endif
#   endif /* BSD >= 199306 */
#  endif /* __sgi */
# endif /* MENTAT */

#endif /* #ifndef _KERNEL */
1205
/*
 * Global locks.  Which lock protects which table is not documented here;
 * the names (ipf_state, ipf_nat, ipf_frag, ...) suggest one rwlock per
 * subsystem table -- confirm the lock order in the .c files before
 * taking more than one.
 */
extern	ipfmutex_t	ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
extern	ipfmutex_t	ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
extern	ipfrwlock_t	ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
extern	ipfrwlock_t	ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
1210
/*
 * Core helpers.  Of note for the ioctl path: copyinptr/copyoutptr move
 * data across the user/kernel boundary, and fr_inobj/fr_inobjsz/
 * fr_outobj/fr_outobjsz take an (ipfobj_t *, dest, type[, size]) set -- the
 * place where ipfobj_t.ipfo_rev/ipfo_type/ipfo_size are expected to be
 * validated against the IPFOBJ_* table (presumed from the signatures;
 * confirm in the implementation).
 */
extern	char	*memstr __P((char *, char *, int, int));
extern	int	count4bits __P((u_32_t));
extern	int	frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
extern	char	*getifname __P((struct ifnet *));
extern	int	iplattach __P((void));
extern	int	ipldetach __P((void));
extern	u_short	ipf_cksum __P((u_short *, int));
extern	int	copyinptr __P((void *, void *, size_t));	/* user -> kernel */
extern	int	copyoutptr __P((void *, void *, size_t));	/* kernel -> user */
extern	int	fr_inobj __P((void *, void *, int));
extern	int	fr_inobjsz __P((void *, void *, int, int));
extern	int	fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
extern	int	fr_ipftune __P((ioctlcmd_t, void *));
extern	int	fr_outobj __P((void *, void *, int));
extern	int	fr_outobjsz __P((void *, void *, int, int));
extern	int	fr_send_reset __P((fr_info_t *));
extern	int	fr_send_icmp_err __P((int, fr_info_t *, int));
extern	void	fr_resolvdest __P((struct frdest *, int));
extern	int	fr_resolvefunc __P((void *));
extern	int	fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
/* local ppsratecheck only where the host kernel does not supply one */
#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
extern	int	ppsratecheck __P((struct timeval *, int *, int));
#endif
extern	ipftq_t	*fr_addtimeoutqueue __P((ipftq_t **, u_int));
extern	void	fr_deletetimeoutqueue __P((ipftq_t *));
extern	void	fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
extern	void	fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
extern	void	fr_queueback __P((ipftqent_t *));
extern	void	fr_queuefront __P((ipftqent_t *));
extern	void	fr_checkv4sum __P((fr_info_t *));
extern	int	fr_checkl4sum __P((fr_info_t *));
extern	int	fr_ifpfillv4addr __P((int, struct sockaddr_in *,
				      struct sockaddr_in *, struct in_addr *,
				      struct in_addr *));
extern	int	fr_coalesce __P((fr_info_t *));
#ifdef	USE_INET6
extern	void	fr_checkv6sum __P((fr_info_t *));
extern	int	fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
				      struct sockaddr_in6 *, struct in_addr *,
				      struct in_addr *));
#endif
1252
/* Rule-list and rule-group management */
extern	int	frflush __P((minor_t, int, int));
extern	void	frsync __P((void));
extern	frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
extern	int	fr_derefrule __P((frentry_t **));	/* may free *rule */
extern	void	fr_delgroup __P((char *, minor_t, int));
extern	frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
1259
/* Packet logging (ipl device) */
extern	int	fr_loginit __P((void));
extern	int	ipflog_clear __P((minor_t));
extern	int	ipflog_read __P((minor_t, uio_t *));
extern	int	ipflog __P((fr_info_t *, u_int));
extern	int	ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
extern	void	fr_logunload __P((void));
1266
/* Filter engine entry points */
extern	frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
extern	int	fr_copytolog __P((int, char *, int));
extern	u_short	fr_cksum __P((mb_t *, ip_t *, int, void *));
extern	void	fr_deinitialise __P((void));
extern	frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
extern	frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
extern	void	fr_fixskip __P((frentry_t **, frentry_t *, int));
extern	void	fr_forgetifp __P((void *));
extern	frentry_t *fr_getrulen __P((int, char *, u_32_t));
extern	void	fr_getstat __P((struct friostat *));
extern	int	fr_ifpaddr __P((int, int, void *,
				struct in_addr *, struct in_addr *));
extern	int	fr_initialise __P((void));
extern	void	fr_lock __P((caddr_t, int *));
extern	int	fr_makefrip __P((int, ip_t *, fr_info_t *));
extern	int	fr_matchtag __P((ipftag_t *, ipftag_t *));
extern	int	fr_matchicmpqueryreply __P((int, icmpinfo_t *,
					    struct icmp *, int));
extern	u_32_t	fr_newisn __P((fr_info_t *));	/* initial sequence number for
						 * rewritten connections */
extern	u_short	fr_nextipid __P((fr_info_t *));
extern	int	fr_rulen __P((int, frentry_t *));
extern	int	fr_scanlist __P((fr_info_t *, u_32_t));
extern	frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
extern	int	fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
/* style: the only prototype here that names its parameter */
extern	int	fr_verifysrc __P((fr_info_t *fin));
extern	int	fr_zerostats __P((char *));
1293
/*
 * Global state.  Several of these (fr_pass, fr_flags, fr_minttl,
 * ipl_logmax, ...) look like the targets of the tuneable table; the
 * IPFT_* flags and ipft_min/ipft_max bounds are what keep userland writes
 * in range.
 */
extern	int	fr_unreach;
extern	int	fr_running;
extern	u_long	fr_frouteok[2];
extern	int	fr_pass;
extern	int	fr_flags;
extern	int	fr_active;
extern	int	fr_chksrc;
extern	int	fr_minttl;
extern	int	fr_refcnt;
extern	int	fr_control_forwarding;
extern	int	fr_update_ipid;
extern	int	nat_logging;
extern	int	ipstate_logging;
extern	int	ipl_suppress;
extern	int	ipl_buffer_sz;
extern	int	ipl_logmax;
extern	int	ipl_logall;
extern	u_long	fr_ticks;		/* timeout-queue tick counter */
extern	fr_info_t	frcache[2][8];
extern	char	ipfilter_version[];
extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
extern	int	iplused[IPL_LOGMAX + 1];
extern	struct	frentry *ipfilter[2][2], *ipacct[2][2];
#ifdef	USE_INET6
extern	struct	frentry *ipfilter6[2][2], *ipacct6[2][2];
extern	int	icmptoicmp6types[ICMP_MAXTYPE+1];
extern	int	icmptoicmp6unreach[ICMP_MAX_UNREACH];
extern	int	icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
extern	int	icmpreplytype4[ICMP_MAXTYPE + 1];
extern	struct	frgroup *ipfgroups[IPL_LOGSIZE][2];
extern	struct	filterstats frstats[];
extern	frentry_t *ipfrule_match __P((fr_info_t *));
/*
 * Secret presumably mixed into fr_newisn().  It must be filled from a
 * kernel CSPRNG at attach time, never be exposed through an ioctl or log,
 * and ideally be rotated -- confirm where it is seeded.
 */
extern	u_char	ipf_iss_secret[32];
extern	ipftuneable_t	ipf_tuneables[];
1329
1330 #endif /* _NETINET_IP_FIL_H_ */