sys/netinet/ip_fil.h


    1 /*      $NetBSD: ip_fil.h,v 1.54.2.2 2004/08/13 03:55:14 jmc Exp $      */
    2 
    3 /*
    4  * Copyright (C) 1993-2001, 2003 by Darren Reed.
    5  *
    6  * See the IPFILTER.LICENCE file for details on licencing.
    7  *
    8  * @(#)ip_fil.h 1.35 6/5/96
    9  * Id: ip_fil.h,v 2.170.2.5 2004/06/08 13:14:17 darrenr Exp
   10  */
   11 
#ifndef _NETINET_IP_FIL_H_
#define _NETINET_IP_FIL_H_

/*
 * SOLARIS is non-zero only when building on a sun/SVR4 (Solaris 2.x) host.
 * It is always defined so later tests can use "#if SOLARIS" safely.
 */
#ifndef SOLARIS
# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif

/*
 * Prototype wrapper: keeps the parameter list under an ANSI compiler and
 * reduces it to "()" for a pre-ANSI (K&R) compiler.
 */
#ifndef __P
# ifdef __STDC__
#  define       __P(x)  x
# else
#  define       __P(x)  ()
# endif
#endif
/*
 * ioctl request codes: group 'r', numbers 60-90.  Both branches define the
 * same codes; they differ only in whether the group character is quoted,
 * which depends on the preprocessor (ANSI/GNU vs. traditional).
 *
 * Requests whose argument is struct ipfobj carry a caller-supplied object
 * descriptor.  The kernel handler for each code (not in this header) is the
 * place where that descriptor's type and size have to be checked before
 * anything is copied in or out.
 */
#if defined(__STDC__) || defined(__GNUC__)
# define        SIOCADAFR       _IOW('r', 60, struct ipfobj)
# define        SIOCRMAFR       _IOW('r', 61, struct ipfobj)
# define        SIOCSETFF       _IOW('r', 62, u_int)
# define        SIOCGETFF       _IOR('r', 63, u_int)
# define        SIOCGETFS       _IOWR('r', 64, struct ipfobj)
# define        SIOCIPFFL       _IOWR('r', 65, int)
# define        SIOCIPFFB       _IOR('r', 66, int)
# define        SIOCADIFR       _IOW('r', 67, struct ipfobj)
# define        SIOCRMIFR       _IOW('r', 68, struct ipfobj)
# define        SIOCSWAPA       _IOR('r', 69, u_int)
# define        SIOCINAFR       _IOW('r', 70, struct ipfobj)
# define        SIOCINIFR       _IOW('r', 71, struct ipfobj)
# define        SIOCFRENB       _IOW('r', 72, u_int)
# define        SIOCFRSYN       _IOW('r', 73, u_int)
# define        SIOCFRZST       _IOWR('r', 74, struct ipfobj)
# define        SIOCZRLST       _IOWR('r', 75, struct ipfobj)
# define        SIOCAUTHW       _IOWR('r', 76, struct ipfobj)
# define        SIOCAUTHR       _IOWR('r', 77, struct ipfobj)
# define        SIOCATHST       _IOWR('r', 78, struct ipfobj)
# define        SIOCSTLCK       _IOWR('r', 79, u_int)
# define        SIOCSTPUT       _IOWR('r', 80, struct ipfobj)
# define        SIOCSTGET       _IOWR('r', 81, struct ipfobj)
# define        SIOCSTGSZ       _IOWR('r', 82, struct ipfobj)
# define        SIOCGFRST       _IOWR('r', 83, struct ipfobj)
# define        SIOCSETLG       _IOWR('r', 84, int)
# define        SIOCGETLG       _IOWR('r', 85, int)
# define        SIOCFUNCL       _IOWR('r', 86, struct ipfunc_resolve)
# define        SIOCIPFGETNEXT  _IOWR('r', 87, struct ipfobj)
# define        SIOCIPFGET      _IOWR('r', 88, struct ipfobj)
# define        SIOCIPFSET      _IOWR('r', 89, struct ipfobj)
# define        SIOCIPFL6       _IOWR('r', 90, int)
#else
# define        SIOCADAFR       _IOW(r, 60, struct ipfobj)
# define        SIOCRMAFR       _IOW(r, 61, struct ipfobj)
# define        SIOCSETFF       _IOW(r, 62, u_int)
# define        SIOCGETFF       _IOR(r, 63, u_int)
# define        SIOCGETFS       _IOWR(r, 64, struct ipfobj)
# define        SIOCIPFFL       _IOWR(r, 65, int)
# define        SIOCIPFFB       _IOR(r, 66, int)
# define        SIOCADIFR       _IOW(r, 67, struct ipfobj)
# define        SIOCRMIFR       _IOW(r, 68, struct ipfobj)
# define        SIOCSWAPA       _IOR(r, 69, u_int)
# define        SIOCINAFR       _IOW(r, 70, struct ipfobj)
# define        SIOCINIFR       _IOW(r, 71, struct ipfobj)
# define        SIOCFRENB       _IOW(r, 72, u_int)
# define        SIOCFRSYN       _IOW(r, 73, u_int)
# define        SIOCFRZST       _IOWR(r, 74, struct ipfobj)
# define        SIOCZRLST       _IOWR(r, 75, struct ipfobj)
# define        SIOCAUTHW       _IOWR(r, 76, struct ipfobj)
# define        SIOCAUTHR       _IOWR(r, 77, struct ipfobj)
# define        SIOCATHST       _IOWR(r, 78, struct ipfobj)
# define        SIOCSTLCK       _IOWR(r, 79, u_int)
# define        SIOCSTPUT       _IOWR(r, 80, struct ipfobj)
# define        SIOCSTGET       _IOWR(r, 81, struct ipfobj)
# define        SIOCSTGSZ       _IOWR(r, 82, struct ipfobj)
# define        SIOCGFRST       _IOWR(r, 83, struct ipfobj)
# define        SIOCSETLG       _IOWR(r, 84, int)
# define        SIOCGETLG       _IOWR(r, 85, int)
# define        SIOCFUNCL       _IOWR(r, 86, struct ipfunc_resolve)
# define        SIOCIPFGETNEXT  _IOWR(r, 87, struct ipfobj)
# define        SIOCIPFGET      _IOWR(r, 88, struct ipfobj)
# define        SIOCIPFSET      _IOWR(r, 89, struct ipfobj)
# define        SIOCIPFL6       _IOWR(r, 90, int)
#endif
/* Alternative names for SIOCADAFR / SIOCRMAFR / SIOCINAFR. */
#define SIOCADDFR       SIOCADAFR
#define SIOCDELFR       SIOCRMAFR
#define SIOCINSFR       SIOCINAFR
   95 
   96 
/* Forward declarations: this header only ever refers to these via pointers. */
struct ipscan;
struct ifnet;


/*
 * Address-lookup callback.  Values of this type are stored in the lptr[]
 * member of i6addr_t (see iplookupfunc below).  Argument meaning is not
 * fixed by this header.
 */
typedef int     (* lookupfunc_t) __P((void *, int, void *));
  102 
/*
 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
 * as other types of objects, depending on its qualifier.
 *
 * All members share the same 16 bytes (the i6[4] view).  in4 / in6 are the
 * address views; vptr / lptr let the same slot carry an opaque pointer and a
 * lookup callback for rules that refer to a pool instead of an address.
 */
#ifdef  USE_INET6
typedef union   i6addr  {
        u_32_t  i6[4];
        struct  in_addr in4;
        struct  in6_addr in6;
        void    *vptr[2];
        lookupfunc_t    lptr[2];
} i6addr_t;
#else
typedef union   i6addr  {
        u_32_t  i6[4];
        struct  in_addr in4;
        void    *vptr[2];
        lookupfunc_t    lptr[2];
} i6addr_t;
#endif
#define in4_addr        in4.s_addr
/* Pool number and pool type occupy the first two 32-bit words. */
#define iplookupnum     i6[0]
#define iplookuptype    i6[1]
/*
 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
 * With 8-byte pointers, vptr[0] covers i6[0..1] (iplookupnum/iplookuptype)
 * and lptr[1] covers i6[2..3]; using lptr[1] rather than lptr[0] is
 * presumably what keeps the pointer and the function from sharing bytes.
 */
#define iplookupptr     vptr[0]
#define iplookupfunc    lptr[1]
  131 
/*
 * Word accessors for an i6addr_t reached through an arbitrary pointer.
 * I6n yields word n as stored (network byte order); HI6n converts it to
 * host order with ntohl().  The cast accepts any pointer type, so nothing
 * here checks that x really points at an i6addr_t.
 */
#define I60(x)  (((i6addr_t *)(x))->i6[0])
#define I61(x)  (((i6addr_t *)(x))->i6[1])
#define I62(x)  (((i6addr_t *)(x))->i6[2])
#define I63(x)  (((i6addr_t *)(x))->i6[3])
#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
  140 
/*
 * 128-bit comparisons.  IP6_EQ/IP6_NEQ/IP6_ISZERO/IP6_NOTZERO work on the raw
 * network-order words, so byte order does not matter to them.  IP6_GT/IP6_LT
 * compare numerically: host-order words, most significant word (i6[0]) first.
 * Each argument is evaluated several times, so pass plain pointers only.
 */
#define IP6_EQ(a,b)     ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
                         (I61(a) == I61(b)) && (I60(a) == I60(b)))
#define IP6_NEQ(a,b)    ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
                         (I61(a) != I61(b)) || (I60(a) != I60(b)))
#define IP6_ISZERO(a)   ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
#define IP6_NOTZERO(a)  ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
#define IP6_GT(a,b)     (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
                          (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
                            (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
                              HI63(a) > HI63(b)))))))
#define IP6_LT(a,b)     (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
                          (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
                            (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
                              HI63(a) < HI63(b)))))))
/* Add host-order x to network-order word n; result is network order. */
#define NLADD(n,x)      htonl(ntohl(n) + (x))
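/*
 * IP6_INC(a): increment the 128-bit address at a (an i6addr_t *) by one,
 * in place, with carry.  Word order follows IP6_GT/IP6_LT above: i6[0] is
 * the most significant word, so the increment starts at i6[3] and a carry
 * ripples towards i6[0].  Wraps silently to zero on all-ones.
 *
 * The previous version started at i6[0] and, worse, stored every carried
 * word back into i6[0], so a carry corrupted the high word instead of
 * incrementing the next one.
 */
#define IP6_INC(a)      \
                { i6addr_t *_i6 = (i6addr_t *)(a); \
                  _i6->i6[3] = NLADD(_i6->i6[3], 1); \
                  if (_i6->i6[3] == 0) { \
                        _i6->i6[2] = NLADD(_i6->i6[2], 1); \
                        if (_i6->i6[2] == 0) { \
                                _i6->i6[1] = NLADD(_i6->i6[1], 1); \
                                if (_i6->i6[1] == 0) { \
                                        _i6->i6[0] = NLADD(_i6->i6[0], 1); \
                                } \
                        } \
                  } \
                }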
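/*
 * IP6_ADD(a,x,d): store a + x into d, where a and d are i6addr_t * and x is
 * a host-order value that is truncated to 32 bits.  Words are added from
 * i6[3] (least significant, see IP6_GT/IP6_LT) towards i6[0] with carry,
 * and every word of d is written, so a and d may be the same object or
 * distinct ones.  Overflow past 128 bits wraps silently.
 *
 * The previous version only wrote the words it carried into (leaving the
 * rest of d unset when a != d), detected the carry after overwriting the
 * word it compared against (so it never carried when a == d), and added x
 * to i6[0], the opposite end from the comparison macros.
 */
#define IP6_ADD(a,x,d)  \
                { i6addr_t *_s = (i6addr_t *)(a); \
                  i6addr_t *_d = (i6addr_t *)(d); \
                  u_32_t _c = (u_32_t)(x); \
                  int _w; \
                  for (_w = 3; _w >= 0; _w--) { \
                        u_32_t _o = ntohl(_s->i6[_w]); \
                        u_32_t _n = _o + _c; \
                        _d->i6[_w] = htonl(_n); \
                        _c = (_n < _o); \
                  } \
                }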
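/*
 * IP6_AND(a,b,d): word-wise d = a & b for three i6addr_t pointers.  Byte
 * order is irrelevant to a bitwise AND, so no conversion is done.  d may
 * alias a or b.
 *
 * The previous version took _s2 from d instead of b, so b was never read
 * and the result was a & d.
 */
#define IP6_AND(a,b,d)  { i6addr_t *_s1 = (i6addr_t *)(a); \
                          i6addr_t *_s2 = (i6addr_t *)(b); \
                          i6addr_t *_d = (i6addr_t *)(d); \
                          _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
                          _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
                          _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
                          _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
                        }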
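/*
 * IP6_MERGE(a,b,c): word-wise a |= b & ~c for three i6addr_t pointers, i.e.
 * copy into a those bits of b that are clear in c.  Pure bit operations, so
 * byte order does not matter.
 *
 * The previous version wrote the fourth word's result into i6[2], leaving
 * i6[3] of the destination untouched.
 */
#define IP6_MERGE(a,b,c) \
                        { i6addr_t *_d, *_s1, *_s2; \
                          _d = (i6addr_t *)(a); \
                          _s1 = (i6addr_t *)(b); \
                          _s2 = (i6addr_t *)(c); \
                          _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
                          _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
                          _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
                          _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
                        }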
  201 
  202 
/*
 * Summary of the fields of an IP packet that a rule can match on.  The same
 * layout is used twice per rule (fripf_t below): once for the values and once
 * for the mask.  The five bit-fields pack into a single 32-bit word.  For
 * lookup-type rules fi_src/fi_dst hold a pool number/type or pointer rather
 * than an address (see the fi_srcnum ... fi_dstfunc accessors below).
 */
typedef struct  fr_ip   {
        u_32_t  fi_v:4;         /* IP version */
        u_32_t  fi_xx:4;        /* spare */
        u_32_t  fi_tos:8;       /* IP packet TOS */
        u_32_t  fi_ttl:8;       /* IP packet TTL */
        u_32_t  fi_p:8;         /* IP packet protocol */
        u_32_t  fi_optmsk;      /* bitmask composed from IP options */
        i6addr_t fi_src;        /* source address from packet */
        i6addr_t fi_dst;        /* destination address from packet */
        u_short fi_secmsk;      /* bitmask composed from IP security options */
        u_short fi_auth;        /* authentication code from IP sec. options */
        u_32_t  fi_flx;         /* packet flags (FI_* below) */
        u_32_t  fi_tcpmsk;      /* TCP options set/reset */
        u_32_t  fi_res1;        /* RESERVED */
} fr_ip_t;
  218 
/*
 * For use in fi_flx
 */
#define FI_TCPUDP       0x0001  /* TCP/UCP implied comparison*/
#define FI_OPTIONS      0x0002
#define FI_FRAG         0x0004
#define FI_SHORT        0x0008
#define FI_NATED        0x0010
#define FI_MULTICAST    0x0020
#define FI_BROADCAST    0x0040
#define FI_MBCAST       0x0080
#define FI_STATE        0x0100
#define FI_BADNAT       0x0200
#define FI_BAD          0x0400
#define FI_OOW          0x0800  /* Out of state window, else match */
#define FI_ICMPERR      0x1000
#define FI_FRAGTAIL     0x2000
#define FI_BADSRC       0x4000
#define FI_LOWTTL       0x8000
/*
 * FI_CMP clears 0x0004, 0x0008, 0x1000 and 0x2000, i.e. FI_SHORT and
 * FI_ICMPERR are excluded as well as the two fragment flags named below.
 */
#define FI_CMP          0xcff3  /* Not FI_FRAG,FI_FRAGTAIL */
#define FI_ICMPCMP      0x0003  /* Flags we can check for ICMP error packets */
/* FI_WITH clears 0x0001 and 0x1000: FI_TCPUDP and FI_ICMPERR. */
#define FI_WITH         0xeffe  /* Not FI_TCPUDP */
#define FI_V6EXTHDR     0x10000
#define FI_COALESCE     0x20000
#define FI_NOCKSUM      0x20000000      /* don't do a L4 checksum validation */
#define FI_DONTCACHE    0x40000000      /* don't cache the result */
#define FI_IGNORE       0x80000000

/*
 * Accessors for the address slots of an fr_ip_t.  fi_saddr/fi_daddr read an
 * IPv4 address; the *num/*type/*ptr/*func forms read the pool fields that
 * share the same storage (see iplookupnum etc. above).
 */
#define fi_saddr        fi_src.in4.s_addr
#define fi_daddr        fi_dst.in4.s_addr
#define fi_srcnum       fi_src.iplookupnum
#define fi_dstnum       fi_dst.iplookupnum
#define fi_srctype      fi_src.iplookuptype
#define fi_dsttype      fi_dst.iplookuptype
#define fi_srcptr       fi_src.iplookupptr
#define fi_dstptr       fi_dst.iplookupptr
#define fi_srcfunc      fi_src.iplookupfunc
#define fi_dstfunc      fi_dst.iplookupfunc
  257 
  258 
/*
 * These are both used by the state and NAT code to indicate that one port or
 * the other should be treated as a wildcard.
 * NOTE: When updating, check bit masks in ip_state.h and update there too.
 */
#define SI_W_SPORT      0x00000100
#define SI_W_DPORT      0x00000200
#define SI_WILDP        (SI_W_SPORT|SI_W_DPORT)         /* either port wild */
#define SI_W_SADDR      0x00000400
#define SI_W_DADDR      0x00000800
#define SI_WILDA        (SI_W_SADDR|SI_W_DADDR)         /* either address wild */
/* Remaining SI_* bits are not wildcard bits; their use is defined elsewhere. */
#define SI_NEWFR        0x00001000
#define SI_CLONE        0x00002000
#define SI_CLONED       0x00004000
  273 
  274 
/*
 * Per-packet working state handed through the filter.  The leading fields
 * (fin_ifp up to, but not including, fin_icode) are what FI_CSIZE compares;
 * everything up to fin_dp is what FI_LCSIZE / FI_COPYSIZE cover (see below),
 * so new fields that should not take part in those comparisons belong
 * after fin_dp.
 */
typedef struct  fr_info {
        void    *fin_ifp;               /* interface packet is `on' */
        fr_ip_t fin_fi;         /* IP Packet summary */
        union   {
                u_short fid_16[2];      /* TCP/UDP ports, ICMP code/type */
                u_32_t  fid_32;         /* both halves as one word */
        } fin_dat;
        int     fin_out;                /* in or out ? 1 == out, 0 == in */
        int     fin_rev;                /* state only: 1 = reverse */
        u_short fin_hlen;               /* length of IP header in bytes */
        u_char  fin_tcpf;               /* TCP header flags (SYN, ACK, etc) */
        u_char  fin_icode;              /* ICMP error to return */
        u_32_t  fin_rule;               /* rule # last matched */
        char    fin_group[FR_GROUPLEN]; /* group number, -1 for none */
        struct  frentry *fin_fr;        /* last matching rule */
        void    *fin_dp;                /* start of data past IP header */
        int     fin_dlen;               /* length of data portion of packet */
        int     fin_plen;               /* presumably total packet length -- not stated here */
        int     fin_ipoff;              /* # bytes from buffer start to hdr */
        u_short fin_id;                 /* IP packet id field */
        u_short fin_off;                /* likely the IP fragment offset -- TODO confirm */
        int     fin_depth;              /* Group nesting depth */
        int     fin_error;              /* Error code to return */
        void    *fin_nat;               /* opaque: NAT/state/tag context */
        void    *fin_state;
        void    *fin_nattag;
        ip_t    *fin_ip;                /* the IP header itself */
        mb_t    **fin_mp;               /* pointer to pointer to mbuf */
        mb_t    *fin_m;                 /* pointer to mbuf */
#ifdef  MENTAT
        mb_t    *fin_qfm;               /* pointer to mblk where pkt starts */
        void    *fin_qpi;
#endif
} fr_info_t;
  309 
/* Shorthand for the fr_ip_t fields embedded in an fr_info_t. */
#define fin_v           fin_fi.fi_v
#define fin_p           fin_fi.fi_p
#define fin_flx         fin_fi.fi_flx
#define fin_optmsk      fin_fi.fi_optmsk
#define fin_secmsk      fin_fi.fi_secmsk
#define fin_auth        fin_fi.fi_auth
#define fin_src         fin_fi.fi_src.in4
#define fin_src6        fin_fi.fi_src.in6
#define fin_saddr       fin_fi.fi_saddr
#define fin_dst         fin_fi.fi_dst.in4
#define fin_dst6        fin_fi.fi_dst.in6
#define fin_daddr       fin_fi.fi_daddr
/* Port views of fin_dat: [0] is the source port, [1] the destination port. */
#define fin_data        fin_dat.fid_16
#define fin_sport       fin_dat.fid_16[0]
#define fin_dport       fin_dat.fid_16[1]
#define fin_ports       fin_dat.fid_32

/* Values of fin_out. */
#define IPF_IN  0
#define IPF_OUT 1

/*
 * ipfunc_t: a rule's callout (frentry_t.fr_func); receives the packet info
 * and a pointer to the pass/block result word.
 * ipfuncinit_t: per-rule initialiser for such a function.
 */
typedef struct frentry  *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
typedef int             (*ipfuncinit_t) __P((struct frentry *));

/*
 * Argument of SIOCFUNCL: resolves a function by name.  ipfu_name arrives
 * from the caller, so the handler must treat it as a fixed-size buffer and
 * NUL-terminate it before any string operation.  The two function pointers
 * are kernel addresses filled in by the kernel; a value supplied by the
 * caller in them must not be trusted.
 */
typedef struct  ipfunc_resolve  {
        char            ipfu_name[32];
        ipfunc_t        ipfu_addr;
        ipfuncinit_t    ipfu_init;
} ipfunc_resolve_t;
  338 
/*
 * Size for compares on fr_info structures
 * FI_CSIZE covers fin_ifp .. fin_tcpf; FI_LCSIZE extends that through
 * fin_fr.  Both rely on offsetof(), so <stddef.h> (or the fallback defined
 * further down) must be available.
 */
#define FI_CSIZE        offsetof(fr_info_t, fin_icode)
#define FI_LCSIZE       offsetof(fr_info_t, fin_dp)

/*
 * Size for copying cache fr_info structure
 * (same span as FI_LCSIZE: everything before fin_dp)
 */
#define FI_COPYSIZE     offsetof(fr_info_t, fin_dp)

/*
 * Structure for holding IPFilter's tag information
 * The tag is 16 bytes viewed either as four 32-bit words or as a character
 * array; iptu_tag is not necessarily NUL-terminated.
 */
#define IPFTAG_LEN      16
typedef struct  {
        union   {
                u_32_t  iptu_num[4];
                char    iptu_tag[IPFTAG_LEN];
        } ipt_un;
        int     ipt_not;        /* non-zero: presumably negates the match -- TODO confirm */
} ipftag_t;

#define ipt_tag ipt_un.iptu_tag
#define ipt_num ipt_un.iptu_num
  364 
  365 
/*
 * This structure is used to hold information about the next hop for where
 * to forward a packet.  fd_ifname is a fixed-size interface name buffer;
 * fd_ifp is the resolved interface pointer.
 */
typedef struct  frdest  {
        void    *fd_ifp;
        i6addr_t        fd_ip6;
        char    fd_ifname[LIFNAMSIZ];
} frdest_t;

#define fd_ip   fd_ip6.in4


/*
 * This structure holds information about a port comparison.
 * frp_cmp selects one of the FR_* comparison kinds below.
 */
typedef struct  frpcmp  {
        int     frp_cmp;        /* data for port comparisons */
        u_short frp_port;       /* port compared against; presumably the low end for <> and >< */
        u_short frp_top;        /* top port for <> and >< */
} frpcmp_t;

/* Values of frp_cmp. */
#define FR_NONE 0
#define FR_EQUAL 1
#define FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define FR_OUTRANGE 7
#define FR_INRANGE 8
#define FR_INCRANGE 9
  398 
/*
 * Structure containing all the relevant TCP things that can be checked in
 * a filter rule.
 */
typedef struct  frtuc   {
        u_char          ftu_tcpfm;      /* tcp flags mask */
        u_char          ftu_tcpf;       /* tcp flags */
        frpcmp_t        ftu_src;        /* source port comparison */
        frpcmp_t        ftu_dst;        /* destination port comparison */
} frtuc_t;

#define ftu_scmp        ftu_src.frp_cmp
#define ftu_dcmp        ftu_dst.frp_cmp
#define ftu_sport       ftu_src.frp_port
#define ftu_dport       ftu_dst.frp_port
#define ftu_stop        ftu_src.frp_top
#define ftu_dtop        ftu_dst.frp_top

/* Highest value ftu_tcpf / ftu_tcpfm may take: the six low TCP flag bits. */
#define FR_TCPFMAX      0x3f
  418 
/*
 * This structure makes up what is considered to be the IPFilter specific
 * matching components of a filter rule, as opposed to the data structures
 * used to define the result which are in frentry_t and not here.
 */
typedef struct  fripf   {
        fr_ip_t fri_ip;
        fr_ip_t fri_mip;        /* mask structure */

        u_short fri_icmpm;              /* data for ICMP packets (mask) */
        u_short fri_icmp;

        frtuc_t fri_tuc;
        int     fri_satype;             /* addres type (FRI_* below) */
        int     fri_datype;             /* addres type (FRI_* below) */
        int     fri_sifpidx;            /* index into fr_ifps[] to use when */
        int     fri_difpidx;            /* doing dynamic addressing */
} fripf_t;

/*
 * NOTE(review): these read the pool number from fri_ip for the destination
 * but from fri_mip for the source, and the pool pointer from fri_ip for the
 * destination but fri_mip for the source.  The fr_dstnum/fr_srcnum and
 * fr_dstptr/fr_srcptr accessors further down use fr_ip for both numbers and
 * fr_mip for both pointers.  Confirm which pairing callers rely on.
 */
#define fri_dstnum      fri_ip.fi_dstnum
#define fri_srcnum      fri_mip.fi_srcnum
#define fri_dstptr      fri_ip.fi_dstptr
#define fri_srcptr      fri_mip.fi_srcptr

/* Values of fri_satype / fri_datype. */
#define FRI_NORMAL      0       /* Normal address */
#define FRI_DYNAMIC     1       /* dynamic address */
#define FRI_LOOKUP      2       /* address is a pool # */
#define FRI_RANGE       3       /* address/mask is a range */
#define FRI_NETWORK     4       /* network address from if */
#define FRI_BROADCAST   5       /* broadcast address from if */
#define FRI_PEERADDR    6       /* Peer address for P-to-P */
#define FRI_NETMASKED   7       /* network address with netmask from if */
  451 
  452 
/* Rule-private function stored in fr_dun.fru_func (see fr_dfunc). */
typedef struct  frentry * (* frentfunc_t) __P((fr_info_t *));

/*
 * A filter rule.  Rules are loaded from user space (FR_COPIED marks one that
 * was), so the pointer members in the first part of the structure -- fr_next,
 * fr_grp, fr_isc, fr_ifas, fr_ptr, fr_comment and fr_dun -- hold caller
 * addresses on arrival and must be re-established by the kernel rather than
 * dereferenced as received.  fr_dsize gives the size of the object fr_dun
 * refers to and needs to be bounds-checked on copy-in.
 *
 * The layout is split in three: mutable kernel bookkeeping first, then the
 * part that is fixed once loaded (compared with FR_CMPSIZ, which starts at
 * fr_dsize), then fr_cksum last.
 */
typedef struct  frentry {
        ipfmutex_t      fr_lock;
        struct  frentry *fr_next;
        struct  frentry **fr_grp;
        struct  ipscan  *fr_isc;
        void    *fr_ifas[4];    /* resolved interfaces, parallel to fr_ifnames */
        void    *fr_ptr;        /* for use with fr_arg */
        char    *fr_comment;    /* text comment for rule */
        int     fr_ref;         /* reference count - for grouping */
        int     fr_statecnt;    /* state count - for limit rules */
        /*
         * These are only incremented when a packet  matches this rule and
         * it is the last match
         */
        U_QUAD_T        fr_hits;
        U_QUAD_T        fr_bytes;

        /*
         * For PPS rate limiting
         */
        struct timeval  fr_lastpkt;
        int             fr_curpps;

        /*
         * Rule-type specific payload; which member is live depends on fr_type,
         * its size is fr_dsize.
         */
        union   {
                void            *fru_data;
                caddr_t         fru_caddr;
                fripf_t         *fru_ipf;
                frentfunc_t     fru_func;
        } fr_dun;

        /*
         * Fields after this may not change whilst in the kernel.
         */
        ipfunc_t fr_func;       /* call this function */
        int     fr_dsize;       /* size of the object behind fr_dun */
        int     fr_pps;
        int     fr_statemax;    /* max reference count */
        int     fr_flineno;     /* line number from conf file */
        u_32_t  fr_type;        /* FR_T_* below */
        u_32_t  fr_flags;       /* per-rule flags && options (see below) */
        u_32_t  fr_logtag;      /* user defined log tag # */
        u_32_t  fr_collect;     /* collection number */
        u_int   fr_arg;         /* misc. numeric arg for rule */ 
        u_int   fr_loglevel;    /* syslog log facility + priority */
        u_int   fr_age[2];      /* non-TCP timeouts */
        u_char  fr_v;           /* IP version the rule applies to */
        u_char  fr_icode;       /* return ICMP code */
        char    fr_group[FR_GROUPLEN];  /* group to which this rule belongs */
        char    fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
        ipftag_t fr_nattag;
        char    fr_ifnames[4][LIFNAMSIZ];       /* fixed-size, see fr_ifname/fr_oifname */
        char    fr_isctag[16];
        frdest_t fr_tifs[2];    /* "to"/"reply-to" interface */
        frdest_t fr_dif;        /* duplicate packet interface */
        /*
         * This must be last and will change after loaded into the kernel.
         */
        u_int   fr_cksum;       /* checksum on filter rules for performance */
} frentry_t;
  514 
/* Views of fr_dun; the fr_ipf-based accessors below assume fr_type is FR_T_IPF. */
#define fr_caddr        fr_dun.fru_caddr
#define fr_data         fr_dun.fru_data
#define fr_dfunc        fr_dun.fru_func
#define fr_ipf          fr_dun.fru_ipf
#define fr_ip           fr_ipf->fri_ip
#define fr_mip          fr_ipf->fri_mip
#define fr_icmpm        fr_ipf->fri_icmpm
#define fr_icmp         fr_ipf->fri_icmp
#define fr_tuc          fr_ipf->fri_tuc
#define fr_satype       fr_ipf->fri_satype
#define fr_datype       fr_ipf->fri_datype
#define fr_sifpidx      fr_ipf->fri_sifpidx
#define fr_difpidx      fr_ipf->fri_difpidx
#define fr_proto        fr_ip.fi_p
#define fr_mproto       fr_mip.fi_p
#define fr_ttl          fr_ip.fi_ttl
#define fr_mttl         fr_mip.fi_ttl
#define fr_tos          fr_ip.fi_tos
#define fr_mtos         fr_mip.fi_tos
#define fr_tcpfm        fr_tuc.ftu_tcpfm
#define fr_tcpf         fr_tuc.ftu_tcpf
#define fr_scmp         fr_tuc.ftu_scmp
#define fr_dcmp         fr_tuc.ftu_dcmp
#define fr_dport        fr_tuc.ftu_dport
#define fr_sport        fr_tuc.ftu_sport
#define fr_stop         fr_tuc.ftu_stop
#define fr_dtop         fr_tuc.ftu_dtop
#define fr_dst          fr_ip.fi_dst.in4
#define fr_daddr        fr_ip.fi_dst.in4.s_addr
#define fr_src          fr_ip.fi_src.in4
#define fr_saddr        fr_ip.fi_src.in4.s_addr
#define fr_dmsk         fr_mip.fi_dst.in4
#define fr_dmask        fr_mip.fi_dst.in4.s_addr
#define fr_smsk         fr_mip.fi_src.in4
#define fr_smask        fr_mip.fi_src.in4.s_addr
/*
 * Pool lookups: the numeric pool id and type live in fr_ip, the resolved
 * pointer and function in fr_mip -- presumably so the pointer never shares
 * bytes with the number on 64-bit (see the NOTE at iplookupptr).
 * NOTE(review): the fri_srcnum / fri_dstptr accessors above pair these the
 * other way round; confirm which one callers rely on.
 */
#define fr_dstnum       fr_ip.fi_dstnum
#define fr_srcnum       fr_ip.fi_srcnum
#define fr_dsttype      fr_ip.fi_dsttype
#define fr_srctype      fr_ip.fi_srctype
#define fr_dstptr       fr_mip.fi_dstptr
#define fr_srcptr       fr_mip.fi_srcptr
#define fr_dstfunc      fr_mip.fi_dstfunc
#define fr_srcfunc      fr_mip.fi_srcfunc
#define fr_optbits      fr_ip.fi_optmsk
#define fr_optmask      fr_mip.fi_optmsk
#define fr_secbits      fr_ip.fi_secmsk
#define fr_secmask      fr_mip.fi_secmsk
#define fr_authbits     fr_ip.fi_auth
#define fr_authmask     fr_mip.fi_auth
#define fr_flx          fr_ip.fi_flx
#define fr_mflx         fr_mip.fi_flx
/* Slots 0 and 2 of the four interface slots are the "in" and "out" ones. */
#define fr_ifname       fr_ifnames[0]
#define fr_oifname      fr_ifnames[2]
#define fr_ifa          fr_ifas[0]
#define fr_oifa         fr_ifas[2]
#define fr_tif          fr_tifs[0]
#define fr_rif          fr_tifs[1]

#define FR_NOLOGTAG     0

/*
 * Fallback only when <stddef.h> did not provide offsetof.  It casts a
 * pointer to int, which truncates on LP64 and relies on the null-pointer
 * member trick; prefer the <stddef.h> definition wherever it is available.
 */
#ifndef offsetof
#define offsetof(t,m)   (int)((&((t *)0L)->m))
#endif
/* Bytes to compare when checking two rules for equality: fr_dsize to the end. */
#define FR_CMPSIZ       (sizeof(struct frentry) - \
                         offsetof(struct frentry, fr_dsize))
  580 
/*
 * fr_type
 * The low values select which fr_dun member is live; FR_T_BUILTIN is a flag
 * bit OR'd into the value.
 */
#define FR_T_NONE       0
#define FR_T_IPF        1       /* IPF structures */
#define FR_T_BPFOPC     2       /* BPF opcode */
#define FR_T_CALLFUNC   3       /* callout to function in fr_func only */
#define FR_T_COMPIPF    4       /* compiled C code */
#define FR_T_BUILTIN    0x80000000      /* rule is in kernel space */

/*
 * fr_flags
 * The low four bits (FR_CMDMASK) hold one of the command values FR_CALL ..
 * FR_DIVERT; the remaining bits are independent flags.  FR_LOGB and FR_LOGP
 * are FR_LOG combined with FR_BLOCK and FR_PASS respectively.
 */
#define FR_CALL         0x00000 /* call rule */
#define FR_BLOCK        0x00001 /* do not allow packet to pass */
#define FR_PASS         0x00002 /* allow packet to pass */
#define FR_AUTH         0x00003 /* use authentication */
#define FR_PREAUTH      0x00004 /* require preauthentication */
#define FR_ACCOUNT      0x00005 /* Accounting rule */
#define FR_SKIP         0x00006 /* skip rule */
#define FR_DIVERT       0x00007 /* divert rule */
#define FR_CMDMASK      0x0000f
#define FR_LOG          0x00010 /* Log */
#define FR_LOGB         0x00011 /* Log-fail */
#define FR_LOGP         0x00012 /* Log-pass */
#define FR_LOGMASK      (FR_LOG|FR_CMDMASK)
#define FR_CALLNOW      0x00020 /* call another function (fr_func) if matches */
#define FR_NOTSRCIP     0x00040
#define FR_NOTDSTIP     0x00080
#define FR_QUICK        0x00100 /* match & stop processing list */
#define FR_KEEPFRAG     0x00200 /* keep fragment information */
#define FR_KEEPSTATE    0x00400 /* keep `connection' state information */
#define FR_FASTROUTE    0x00800 /* bypass normal routing */
#define FR_RETRST       0x01000 /* Return TCP RST packet - reset connection */
#define FR_RETICMP      0x02000 /* Return ICMP unreachable packet */
/* FR_FAKEICMP is FR_RETRST|FR_RETICMP: both bits set, not a separate bit. */
#define FR_FAKEICMP     0x03000 /* Return ICMP unreachable with fake source */
#define FR_OUTQUE       0x04000 /* outgoing packets */
#define FR_INQUE        0x08000 /* ingoing packets */
#define FR_LOGBODY      0x10000 /* Log the body */
#define FR_LOGFIRST     0x20000 /* Log the first byte if state held */
#define FR_LOGORBLOCK   0x40000 /* block the packet if it can't be logged */
#define FR_DUP          0x80000 /* duplicate packet */
#define FR_FRSTRICT     0x100000        /* strict frag. cache */
#define FR_STSTRICT     0x200000        /* strict keep state */
#define FR_NEWISN       0x400000        /* new ISN for outgoing TCP */
#define FR_NOICMPERR    0x800000        /* do not match ICMP errors in state */
#define FR_NOMATCH      0x8000000       /* no match occured */
                /*      0x10000000      FF_LOGPASS */
                /*      0x20000000      FF_LOGBLOCK */
                /*      0x40000000      FF_LOGNOMATCH */
                /*      0x80000000      FF_BLOCKNONIP */
/*
 * NOTE(review): FR_COPIED and FR_INACTIVE have the same values as
 * FF_LOGNOMATCH and FF_BLOCKNONIP listed just above.  That is harmless if
 * the FF_* bits live in a separate global flags word rather than in a
 * rule's fr_flags; confirm against the ioctl handler.
 */
#define FR_COPIED       0x40000000      /* copied from user space */
#define FR_INACTIVE     0x80000000      /* only used when flush'ing rules */

#define FR_RETMASK      (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
/* Command tests: compare the FR_CMDMASK field of x, not individual bits. */
#define FR_ISBLOCK(x)   (((x) & FR_CMDMASK) == FR_BLOCK)
#define FR_ISPASS(x)    (((x) & FR_CMDMASK) == FR_PASS)
#define FR_ISAUTH(x)    (((x) & FR_CMDMASK) == FR_AUTH)
#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
#define FR_ISSKIP(x)    (((x) & FR_CMDMASK) == FR_SKIP)
#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
#define FR_INOUT        (FR_INQUE|FR_OUTQUE)

/*
 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
 */
#define FF_LOGPASS      0x10000000
#define FF_LOGBLOCK     0x20000000
#define FF_LOGNOMATCH   0x40000000
#define FF_LOGGING      (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define FF_BLOCKNONIP   0x80000000      /* Solaris2 Only */
  653 
  654 
/*
 * Structure that passes information on what/how to flush to the kernel.
 */
typedef struct  ipfflush        {
        int     ipflu_how;      /* which flush operation to perform */
        int     ipflu_arg;      /* operation-specific argument */
} ipfflush_t;


/*
 * Tunable description returned to user space: the allowed range, the
 * current value and the step size, identified by ipfg_name.
 */
typedef struct  ipfgetctl       {
        u_int   ipfg_min;       /* min value */
        u_int   ipfg_current;   /* current value */
        u_int   ipfg_max;       /* max value */
        u_int   ipfg_default;   /* default value */
        u_int   ipfg_steps;     /* value increments */
        char    ipfg_name[40];  /* tag name for this control */
} ipfgetctl_t;

/*
 * Tunable update from user space.  ipfs_name is caller-supplied and not
 * guaranteed NUL-terminated: the handler has to bound the lookup to the
 * 40-byte buffer, and should check ipfs_value against the tunable's
 * min/max before applying it.
 */
typedef struct  ipfsetctl       {
        int     ipfs_which;     /* 0 = min 1 = current 2 = max 3 = default */
        u_int   ipfs_value;     /* new value for the field chosen by ipfs_which */
        char    ipfs_name[40];  /* tag name for this control */
} ipfsetctl_t;
  681 
  682 
/*
 * Some of the statistics below are in their own counters, but most are kept
 * in this single structure so that they can all easily be collected and
 * copied back as required.
 *
 * Plain u_long counters; nothing in this declaration implies atomic or
 * locked updates, so readers should expect them to be approximate.
 */
typedef struct  filterstats {
        u_long  fr_pass;        /* packets allowed */
        u_long  fr_block;       /* packets denied */
        u_long  fr_nom;         /* packets which don't match any rule */
        u_long  fr_short;       /* packets which are short */
        u_long  fr_ppkl;        /* packets allowed and logged */
        u_long  fr_bpkl;        /* packets denied and logged */
        u_long  fr_npkl;        /* packets unmatched and logged */
        u_long  fr_pkl;         /* packets logged */
        u_long  fr_skip;        /* packets to be logged but buffer full */
        u_long  fr_ret;         /* packets for which a return is sent */
        u_long  fr_acct;        /* packets for which counting was performed */
        u_long  fr_bnfr;        /* bad attempts to allocate fragment state */
        u_long  fr_nfr;         /* new fragment state kept */
        u_long  fr_cfr;         /* add new fragment state but complete pkt */
        u_long  fr_bads;        /* bad attempts to allocate packet state */
        u_long  fr_ads;         /* new packet state kept */
        u_long  fr_chit;        /* cached hit */
        u_long  fr_tcpbad;      /* TCP checksum check failures */
        u_long  fr_pull[2];     /* good and bad pullup attempts (presumably [0] good, [1] bad) */
        u_long  fr_badsrc;      /* source received doesn't match route */
        u_long  fr_badttl;      /* TTL in packet doesn't reach minimum */
        u_long  fr_bad;         /* bad IP packets to the filter */
        u_long  fr_ipv6;        /* IPv6 packets in/out */
        u_long  fr_ppshit;      /* dropped because of pps ceiling */
        u_long  fr_ipud;        /* IP id update failures */
} filterstats_t;
  715 
/*
 * Log record header.  Each packet header logged is prepended by one of
 * these.  Following this in the log records read from the device will be
 * an ipflog structure which is then followed by any packet data.
 *
 * The header holds a host-native size_t and struct timeval, so the record
 * format is tied to the word size and ABI of the producing kernel and is
 * not portable between, e.g., 32- and 64-bit hosts.
 *
 * NOTE(review): ipl_next is a kernel list pointer.  If records are copied
 * out to the log reader verbatim, including this header, the field
 * discloses a kernel address to anyone who can read the device -- confirm
 * in the log read path and clear it on copy-out if so.
 */
typedef struct  iplog   {
        u_32_t          ipl_magic;      /* one of the IPL_MAGIC* values below */
        u_int           ipl_count;      /* record repeat count, presumably -- TODO confirm */
        struct  timeval ipl_time;       /* when the record was produced */
        size_t          ipl_dsize;      /* record size; presumably includes this header -- confirm */
        struct  iplog   *ipl_next;      /* kernel-side list link, meaningless to userland */
} iplog_t;

#define ipl_sec         ipl_time.tv_sec
#define ipl_usec        ipl_time.tv_usec

#define IPL_MAGIC       0x49504c4d      /* 'IPLM' */
#define IPL_MAGIC_NAT   0x49504c4e      /* 'IPLN' */
#define IPL_MAGIC_STATE 0x49504c53      /* 'IPLS' */
#define IPLOG_SIZE      sizeof(iplog_t)
  736 
/*
 * Per-packet log payload that follows the iplog header in the log stream.
 * fl_hlen bytes of saved IP header(s) and fl_plen bytes of further data
 * follow this structure.  A consumer parsing the stream should treat
 * fl_hlen and fl_plen as untrusted lengths and bound them by the
 * enclosing record's ipl_dsize before indexing into the packet data.
 */
typedef struct  ipflog  {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
        (defined(OpenBSD) && (OpenBSD >= 199603))
        /* no fl_unit on these NetBSD/OpenBSD versions */
#else
        u_int   fl_unit;        /* log device minor the record belongs to */
#endif
        u_32_t  fl_rule;        /* rule number that produced the record */
        u_32_t  fl_flags;       /* rule flags (FR_*) */
        u_32_t  fl_lflags;
        u_32_t  fl_logtag;
        ipftag_t        fl_nattag;
        u_short fl_plen;        /* extra data after hlen */
        u_short fl_loglevel;    /* syslog log level */
        char    fl_group[FR_GROUPLEN];  /* rule group name; may not be NUL-terminated */
        u_char  fl_hlen;        /* length of IP headers saved (at most 255) */
        u_char  fl_dir;         /* packet direction */
        u_char  fl_xxx[2];      /* pad */
        char    fl_ifname[LIFNAMSIZ];   /* interface name; may not be NUL-terminated */
} ipflog_t;
  756 
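/*
 * Build-time defaults.  IPF_LOGGING selects whether the log device code
 * is compiled in; IPF_DEFAULT_PASS is the verdict for packets matching
 * no rule; IPFILTER_LOGSIZE is the per-device log buffer size.
 */
#ifndef IPF_LOGGING
# define        IPF_LOGGING     0
#endif
#ifndef IPF_DEFAULT_PASS
# define        IPF_DEFAULT_PASS        FR_PASS
#endif

#define DEFAULT_IPFLOGSIZE      8192
#ifndef IPFILTER_LOGSIZE
# define        IPFILTER_LOGSIZE        DEFAULT_IPFLOGSIZE
#else
/*
 * Reject a user-supplied IPFILTER_LOGSIZE that is too small.  The test
 * has to name the macro being configured: an undefined identifier in an
 * #if expression silently evaluates to 0, which would make this error
 * fire for every override, no matter how large.
 */
# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
#  error IPFILTER_LOGSIZE too small.  Must be >= DEFAULT_IPFLOGSIZE
# endif
#endif

#define IPF_OPTCOPY     0x07ff00        /* bit mask of copied options */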
  774 
/*
 * Device filenames for reading log information.  Use ipf on Solaris2 because
 * ipl is already a name used by something else.  IPL_NAME may be
 * overridden at build time.
 */
#ifndef IPL_NAME
# if    SOLARIS
#  define       IPL_NAME        "/dev/ipf"
# else
#  define       IPL_NAME        "/dev/ipl"
# endif
#endif
/*
 * Pathnames for various IP Filter control devices.  Used by LKM
 * and userland, so defined here.  Access to these nodes is the
 * privilege boundary for the control ioctls and the log streams.
 */
#define IPNAT_NAME      "/dev/ipnat"
#define IPSTATE_NAME    "/dev/ipstate"
#define IPAUTH_NAME     "/dev/ipauth"
#define IPSYNC_NAME     "/dev/ipsync"
#define IPSCAN_NAME     "/dev/ipscan"
#define IPLOOKUP_NAME   "/dev/iplookup"
  796 
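/*
 * Minor device numbers for the log/control devices.  Minors 0..6 are
 * assigned; IPL_LOGMAX/IPL_LOGSIZE size the per-minor tables with one
 * spare slot.  IPL_LOGALL and IPL_LOGNONE are out-of-band selectors,
 * not minors.
 *
 * IPL_LOGSIZE is parenthesised so it can be used safely inside larger
 * expressions (e.g. "2 * IPL_LOGSIZE"); the bare form evaluated to
 * IPL_LOGMAX + 1 with the wrong precedence in such contexts.
 */
#define IPL_LOGIPF      0       /* Minor device #'s for accessing logs */
#define IPL_LOGNAT      1
#define IPL_LOGSTATE    2
#define IPL_LOGAUTH     3
#define IPL_LOGSYNC     4
#define IPL_LOGSCAN     5
#define IPL_LOGLOOKUP   6
#define IPL_LOGCOUNT    7
#define IPL_LOGMAX      7
#define IPL_LOGSIZE     (IPL_LOGMAX + 1)
#define IPL_LOGALL      -1
#define IPL_LOGNONE     -2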
  809 
/*
 * For SIOCGETFS: a snapshot of the filter's global state copied out to
 * userland.  The frentry/frgroup members are kernel addresses of the
 * live rule lists; SIOCGETFS therefore discloses kernel pointers to any
 * principal allowed to open the control device (presumably consumed by
 * the ipfstat tool -- confirm).  Keep device permissions tight.
 *
 * NOTE(review): f_locks is sized IPL_LOGMAX (7) while f_groups uses
 * IPL_LOGSIZE (8); that is enough for minors 0..6 but the two do not
 * agree, so check any loop bound that indexes f_locks.
 */
typedef struct  friostat        {
        struct  filterstats     f_st[2];        /* in/out statistics */
        struct  frentry         *f_ipf[2][2];   /* IPv4 filter lists */
        struct  frentry         *f_acct[2][2];  /* IPv4 accounting lists */
        struct  frentry         *f_ipf6[2][2];  /* IPv6 filter lists */
        struct  frentry         *f_acct6[2][2]; /* IPv6 accounting lists */
        struct  frentry         *f_auth;
        struct  frgroup         *f_groups[IPL_LOGSIZE][2];
        u_long  f_froute[2];
        u_long  f_ticks;
        int     f_locks[IPL_LOGMAX];
        size_t  f_kmutex_sz;
        size_t  f_krwlock_sz;
        int     f_defpass;      /* default pass - from fr_pass */
        int     f_active;       /* 1 or 0 - active rule set */
        int     f_running;      /* 1 if running, else 0 */
        int     f_logging;      /* 1 if enabled, else 0 */
        int     f_features;     /* IPF_FEAT_* bits */
        char    f_version[32];  /* version string */
} friostat_t;

/* Accessors: index [0] is inbound, [1] is outbound, per the names below. */
#define f_fin           f_ipf[0]
#define f_fin6          f_ipf6[0]
#define f_fout          f_ipf[1]
#define f_fout6         f_ipf6[1]
#define f_acctin        f_acct[0]
#define f_acctin6       f_acct6[0]
#define f_acctout       f_acct[1]
#define f_acctout6      f_acct6[1]
  842 
/*
 * Feature bits reported in friostat.f_features: which optional parts of
 * IP Filter the running kernel was built with.
 */
#define IPF_FEAT_LKM            0x001
#define IPF_FEAT_LOG            0x002
#define IPF_FEAT_LOOKUP         0x004
#define IPF_FEAT_BPF            0x008
#define IPF_FEAT_COMPILED       0x010
#define IPF_FEAT_CKSUM          0x020
#define IPF_FEAT_SYNC           0x040
#define IPF_FEAT_SCAN           0x080
#define IPF_FEAT_IPV6           0x100
  852 
/*
 * Pairs an option value (ol_val) with a bit number (ol_bit); presumably
 * used to translate option codes into bits of a mask -- confirm against
 * the table that instantiates it.
 */
typedef struct  optlist {
        u_short ol_val;
        int     ol_bit;
} optlist_t;
  857 
  858 
/*
 * Group list structure.  fg_name is a fixed-size buffer and is compared
 * as a C string by FG_NAME(), so whoever fills it in must guarantee a
 * terminating NUL within FR_GROUPLEN bytes.
 */
typedef struct frgroup {
        struct  frgroup *fg_next;       /* next group in the list */
        struct  frentry *fg_head;
        struct  frentry *fg_start;
        u_32_t  fg_flags;
        int     fg_ref;                 /* reference count */
        char    fg_name[FR_GROUPLEN];
} frgroup_t;

/*
 * Name of a group for display.  Evaluates its argument twice, so pass a
 * side-effect-free expression.  For an empty name it yields the literal
 * "" rather than the (equally empty) member, so the result must not be
 * used to identify the group by pointer.
 */
#define FG_NAME(g)      (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
  872 
  873 
/*
 * Used by state and NAT tables: the ICMP fields a flow is keyed on.
 */
typedef struct icmpinfo {
        u_short ici_id;         /* ICMP echo/query identifier */
        u_short ici_seq;        /* ICMP sequence number */
        u_char  ici_type;       /* ICMP type */
} icmpinfo_t;
  882 
/* UDP port pair a state/NAT entry is keyed on. */
typedef struct udpinfo {
        u_short us_sport;       /* source port */
        u_short us_dport;       /* destination port */
} udpinfo_t;
  887 
  888 
/*
 * Per-direction TCP sequence tracking for a state entry.  The window
 * values drive sequence-number validation of later segments, so they are
 * security-relevant: an over-wide window lets more spoofed segments
 * match the state.
 */
typedef struct  tcpdata {
        u_32_t  td_end;         /* highest sequence number seen */
        u_32_t  td_maxend;      /* highest acceptable end sequence */
        u_32_t  td_maxwin;      /* largest window advertised */
        u_32_t  td_winscale;    /* window scale shift count */
        u_32_t  td_maxseg;      /* MSS */
        int     td_winflags;    /* TCP_WSCALE_* bits, presumably -- confirm */
} tcpdata_t;

/* Largest window scale shift allowed by RFC 1323 (2.3). */
#define TCP_WSCALE_MAX          14

#define TCP_WSCALE_SEEN         0x00000001      /* window scale option was seen */
#define TCP_WSCALE_FIRST        0x00000002
  902 
  903 
/*
 * TCP key for a state/NAT entry: port pair plus sequence tracking,
 * one tcpdata per direction (index meaning presumably matches the
 * in/out convention used elsewhere -- confirm).
 */
typedef struct tcpinfo {
        u_short ts_sport;       /* source port */
        u_short ts_dport;       /* destination port */
        tcpdata_t ts_data[2];   /* per-direction sequence state */
} tcpinfo_t;
  909 
/* GRE key for a state/NAT entry. */
typedef struct  greinfo {
        u_short gs_flags;       /* GRE flags/version word */
        u_short gs_ptype;       /* encapsulated protocol type */
        u_short gs_call;        /* call id */
} greinfo_t;
  915 
/*
 * GRE header overlay.  The bit-field view (gru_bits) and the flat
 * 16-bit view (gru_flags) share storage through the union.  Bit-field
 * ordering and packing are implementation-defined in C, so this overlay
 * matches the wire format only on compilers/endianness where it has
 * been verified; prefer gr_flags with explicit masks in new code.
 */
typedef struct  grehdr  {
        union   {
                struct  grebits {
                        u_32_t  grub_C:1;
                        u_32_t  grub_R:1;
                        u_32_t  grub_K:1;
                        u_32_t  grub_S:1;
                        u_32_t  grub_s:1;
                        u_32_t  grub_recur:1;
                        u_32_t  grub_A:1;
                        u_32_t  grub_flags:3;
                        u_32_t  grub_ver:3;
                        u_short grub_ptype;
                } gru_bits;
                u_short gru_flags;      /* first 16 bits as a unit */
        } gr_un;
        u_short gr_len;
        u_short gr_call;
} grehdr_t;

/* Field accessors for grehdr_t. */
#define gr_flags        gr_un.gru_flags
#define gr_bits         gr_un.gru_bits
#define gr_ptype        gr_bits.grub_ptype
#define gr_C            gr_bits.grub_C
#define gr_R            gr_bits.grub_R
#define gr_K            gr_bits.grub_K
#define gr_S            gr_bits.grub_S
#define gr_s            gr_bits.grub_s
#define gr_recur        gr_bits.grub_recur
#define gr_A            gr_bits.grub_A
#define gr_ver          gr_bits.grub_ver
  947 
  948 
/*
 * Timeout tail queue list member.  Embedded in a NAT or state entry;
 * tqe_parent points back at the containing structure.
 */
typedef struct  ipftqent        {
        struct ipftqent **tqe_pnext;    /* address of the pointer to us */
        struct ipftqent *tqe_next;      /* next entry in the queue */
        struct  ipftq   *tqe_ifq;       /* queue this entry is on */
        void    *tqe_parent;            /* pointer back to NAT/state struct */
        u_long  tqe_die;                /* when this entry is to die */
        u_long  tqe_touched;            /* when it was last refreshed */
        int     tqe_flags;              /* TQE_* bits */
        int     tqe_state[2];           /* current state of this entry */
} ipftqent_t;

#define TQE_RULEBASED   0x00000001      /* timeout comes from a rule, not a global */
  964 
  965 
/*
 * Timeout tail queue head for IPFilter.  Entries are appended at
 * ifq_tail and expire after ifq_ttl ticks.
 */
typedef struct  ipftq   {
        ipfmutex_t      ifq_lock;       /* protects the entry list */
        u_int   ifq_ttl;                /* lifetime of entries, in IPF_TTLVAL() ticks */
        ipftqent_t      *ifq_head;      /* oldest entry */
        ipftqent_t      **ifq_tail;     /* where the next entry is appended */
        struct  ipftq   *ifq_next;      /* next queue in the list of queues */
        struct  ipftq   **ifq_pnext;    /* address of the pointer to us */
        int     ifq_ref;                /* reference count */
        u_int   ifq_flags;              /* IFQF_* bits */
} ipftq_t;

#define IFQF_USER       0x01            /* User defined aging */

/*
 * Timeouts are expressed in ticks of the timeout scan, which runs
 * IPF_HZ_DIVIDE times per second; IPF_TTLVAL() converts seconds to ticks.
 */
#define IPF_HZ_MULT     1
#define IPF_HZ_DIVIDE   2               /* How many times a second ipfilter */
                                        /* checks its timeout queues.       */
#define IPF_TTLVAL(x)   (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
  986 
/*
 * Structure to define address for pool lookups.  adf_len is presumably
 * the length of the address/structure (sockaddr-style) -- confirm
 * against the pool code before relying on it as a bound.
 */
typedef struct  {
        u_char          adf_len;
        i6addr_t        adf_addr;       /* IPv4 or IPv6 address */
} addrfamily_t;
  994 
  995 
/*
 * Object structure description.  For passing through in ioctls.
 *
 * This is the envelope userland hands to the kernel for most control
 * ioctls.  Everything in it is attacker-controlled from the kernel's
 * point of view: ipfo_ptr is a USER pointer that must only be accessed
 * via copyin/copyout, and ipfo_size/ipfo_offset must be validated
 * against the size the kernel expects for ipfo_type (and ipfo_rev
 * against the version the kernel understands) before any copy.  The
 * fr_inobj()/fr_outobj() helpers declared later in this header are the
 * intended way to do that; never dereference ipfo_ptr directly.
 */
typedef struct  ipfobj  {
        u_32_t  ipfo_rev;               /* IPFilter version number */
        u_32_t  ipfo_size;              /* size of object at ipfo_ptr */
        void    *ipfo_ptr;              /* pointer to object (user address) */
        int     ipfo_type;              /* type of object being pointed to */
        int     ipfo_offset;            /* bytes from ipfo_ptr where to start */
        u_char  ipfo_xxxpad[32];        /* reserved for future use */
} ipfobj_t;

/* Values for ipfo_type. */
#define IPFOBJ_FRENTRY          0       /* struct frentry */
#define IPFOBJ_IPFSTAT          1       /* struct friostat */
#define IPFOBJ_IPFINFO          2       /* struct fr_info */
#define IPFOBJ_AUTHSTAT         3       /* struct fr_authstat */
#define IPFOBJ_FRAGSTAT         4       /* struct ipfrstat */
#define IPFOBJ_IPNAT            5       /* struct ipnat */
#define IPFOBJ_NATSTAT          6       /* struct natstat */
#define IPFOBJ_STATESAVE        7       /* struct ipstate_save */
#define IPFOBJ_NATSAVE          8       /* struct nat_save */
#define IPFOBJ_NATLOOKUP        9       /* struct natlookup */
#define IPFOBJ_IPSTATE          10      /* struct ipstate */
#define IPFOBJ_STATESTAT        11      /* struct ips_stat */
#define IPFOBJ_FRAUTH           12      /* struct frauth */
#define IPFOBJ_TUNEABLE         13      /* struct ipftune */
 1022 
 1023 
/*
 * Typed pointer to the kernel variable behind a tunable; ipft_sz in
 * ipftuneable selects which member is valid.
 */
typedef union   ipftunevalptr   {
        void    *ipftp_void;
        u_long  *ipftp_long;
        u_int   *ipftp_int;
        u_short *ipftp_short;
        u_char  *ipftp_char;
} ipftunevalptr_t;

/*
 * Kernel-side description of one tunable: where it lives, its name,
 * the allowed range and the size of the underlying variable.
 */
typedef struct  ipftuneable     {
        ipftunevalptr_t ipft_una;       /* address of the variable */
        char            *ipft_name;     /* name used in ioctls */
        u_long          ipft_min;       /* smallest permitted value */
        u_long          ipft_max;       /* largest permitted value */
        int             ipft_sz;        /* sizeof the variable */
        int             ipft_flags;     /* IPFT_* bits */
} ipftuneable_t;

#define ipft_addr       ipft_una.ipftp_void
#define ipft_plong      ipft_una.ipftp_long
#define ipft_pint       ipft_una.ipftp_int
#define ipft_pshort     ipft_una.ipftp_short
#define ipft_pchar      ipft_una.ipftp_char

#define IPFT_RDONLY     1       /* read-only */
#define IPFT_WRDISABLED 2       /* write when disabled only */
 1049 
/* Value of a tunable, in the width selected by ipft_sz. */
typedef union   ipftuneval      {
        u_long  ipftu_long;
        u_int   ipftu_int;
        u_short ipftu_short;
        u_char  ipftu_char;
} ipftuneval_t;

/*
 * Userland view of a tunable, exchanged through the tune ioctls.
 * ipft_name is a fixed-size buffer that may arrive unterminated.
 *
 * NOTE(review): ipft_cookie is an opaque handle that round-trips through
 * userland; if it is a kernel pointer, the kernel must validate it
 * against its tuneable table (by lookup, not by dereference) every time
 * it comes back in -- confirm fr_ipftune() does this.
 */
typedef struct  ipftune {
        void            *ipft_cookie;   /* opaque iteration handle */
        ipftuneval_t    ipft_un;        /* current/new value */
        u_long          ipft_min;       /* smallest permitted value */
        u_long          ipft_max;       /* largest permitted value */
        int             ipft_sz;        /* width of the value */
        int             ipft_flags;     /* IPFT_* bits */
        char            ipft_name[80];  /* tunable name */
} ipftune_t;

#define ipft_vlong      ipft_un.ipftu_long
#define ipft_vint       ipft_un.ipftu_int
#define ipft_vshort     ipft_un.ipftu_short
#define ipft_vchar      ipft_un.ipftu_char
 1071 
 1072 
/*
** HPUX Port
*/
#ifdef __hpux
/* HP-UX locking sequence deadlock detection module lock MAJOR ID */
# define        IPF_SMAJ        0       /* temp assignment XXX, not critical */
#endif

/* Character device major for FreeBSD builds that do not supply one. */
#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
    (__FreeBSD_version >= 220000)
# define        CDEV_MAJOR      79
#endif

/*
 * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
 * on those hooks.  We don't need any special mods in non-IP Filter code
 * with this!  Note that PFIL_HOOKS is only forced on for NetBSD >= 199905;
 * on the other platforms listed it must already be defined for NETBSD_PF
 * to be set.
 */
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
    (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
    (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
# if (NetBSD >= 199905)
#  define PFIL_HOOKS
# endif
# ifdef PFIL_HOOKS
#  define NETBSD_PF
# endif
#endif
 1101 
#ifndef _KERNEL
/*
 * Prototypes seen when this header is included outside the kernel
 * (userland builds of the filter code).
 */
extern  int     fr_check __P((struct ip *, int, void *, int, mb_t **));
extern  int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern  int     ipf_log __P((void));
extern  struct  ifnet *get_unit __P((char *, int));
extern  char    *get_ifname __P((struct ifnet *));
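/*
 * Userland prototype for the ioctl entry point.  This used to be
 * wrapped in a platform #if whose two branches declared the identical
 * signature; the dead conditional is gone and the one declaration kept.
 */
extern  int     iplioctl __P((int, ioctlcmd_t, caddr_t, int));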
extern  int     iplopen __P((dev_t, int));
extern  int     iplclose __P((dev_t, int));
extern  void    m_freem __P((mb_t *));
#else /* #ifndef _KERNEL */
/*
 * Kernel-side prototypes.  The device entry points (iplopen, iplclose,
 * iplioctl, iplread, iplwrite) have platform- and version-specific
 * signatures; each #if branch below must stay in step with the
 * definition in the matching platform ip_fil_*.c, or the kernel will
 * call the driver through a mismatched prototype.
 */
extern  void    *fr_pullup __P((mb_t *, fr_info_t *, int));
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern  void    ipfilterattach __P((int));
# endif
extern  int     ipl_enable __P((void));
extern  int     ipl_disable __P((void));
# ifdef MENTAT
/* STREAMS-based platforms (Solaris, HP-UX). */
extern  int     fr_check __P((struct ip *, int, void *, int, void *,
                              mblk_t **));
#  if SOLARIS
#   if SOLARIS2 >= 7
extern  int     iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
#   else
extern  int     iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
#   endif
extern  int     iplopen __P((dev_t *, int, int, cred_t *));
extern  int     iplclose __P((dev_t, int, int, cred_t *));
extern  int     iplread __P((dev_t, uio_t *, cred_t *));
#  endif
#  ifdef __hpux
extern  int     iplopen __P((dev_t, int, intptr_t, int));
extern  int     iplclose __P((dev_t, int, int));
extern  int     iplioctl __P((dev_t, int, caddr_t, int));
extern  int     iplread __P((dev_t, uio_t *));
extern  int     iplselect __P((dev_t, int));
#  endif
extern  int     ipfsync __P((void));
extern  int     fr_qout __P((queue_t *, mblk_t *));
# else /* MENTAT */
/* mbuf-based platforms (BSDs, IRIX, Linux). */
extern  int     fr_check __P((struct ip *, int, void *, int, mb_t **));
extern  int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern  size_t  mbufchainlen __P((mb_t *));
#  ifdef        __sgi
#   include <sys/cred.h>
extern  int     iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern  int     iplopen __P((dev_t *, int, int, cred_t *));
extern  int     iplclose __P((dev_t, int, int, cred_t *));
extern  int     iplread __P((dev_t, uio_t *, cred_t *));
extern  int     ipfsync __P((void));
extern  int     ipfilter_sgi_attach __P((void));
extern  void    ipfilter_sgi_detach __P((void));
extern  void    ipfilter_sgi_intfsync __P((void));
#  else
#   ifdef       IPFILTER_LKM
extern  int     iplidentify __P((char *));
#   endif
#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
      (NetBSD >= 199511) || defined(__OpenBSD__)
#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
#     if (__FreeBSD_version >= 500024)
extern  int     iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
#     else
extern  int     iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
#     endif /* __FreeBSD_version >= 500024 */
#    else
extern  int     iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
#    endif
#    if (__FreeBSD_version >= 500024)
extern  int     iplopen __P((dev_t, int, int, struct thread *));
extern  int     iplclose __P((dev_t, int, int, struct thread *));
#    else
extern  int     iplopen __P((dev_t, int, int, struct proc *));
extern  int     iplclose __P((dev_t, int, int, struct proc *));
#    endif /* __FreeBSD_version >= 500024 */
#   else
#    ifdef linux
extern  int     iplioctl __P((struct inode *, struct file *, u_int, u_long));
#    else
extern  int     iplopen __P((dev_t, int));
extern  int     iplclose __P((dev_t, int));
extern  int     iplioctl __P((dev_t, int, caddr_t, int));
#    endif
#   endif /* (_BSDI_VERSION >= 199510) */
#   if  BSD >= 199306
extern  int     iplread __P((dev_t, struct uio *, int));
extern  int     iplwrite __P((dev_t, struct uio *, int));
#   else
#    ifndef linux
extern  int     iplread __P((dev_t, struct uio *));
extern  int     iplwrite __P((dev_t, struct uio *));
#    endif
#   endif /* BSD >= 199306 */
#  endif /* __ sgi */
# endif /* MENTAT */

#endif /* #ifndef _KERNEL */
 1205 
/*
 * Global locks.  Mutexes guard single structures or short sections;
 * rwlocks guard the rule, fragment, state, NAT and auth tables.  The
 * lock order between them is not documented here -- check the callers
 * before taking more than one.
 */
extern  ipfmutex_t      ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
extern  ipfmutex_t      ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
extern  ipfrwlock_t     ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
extern  ipfrwlock_t     ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
 1210 
/* Utilities and ioctl plumbing. */
extern  char    *memstr __P((char *, char *, int, int));
extern  int     count4bits __P((u_32_t));
extern  int     frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
extern  char    *getifname __P((struct ifnet *));
extern  int     iplattach __P((void));
extern  int     ipldetach __P((void));
extern  u_short ipf_cksum __P((u_short *, int));
/*
 * User/kernel copy helpers.  copyinptr/copyoutptr copy through a pointer
 * supplied by userland; fr_inobj/fr_outobj (and the *sz variants, which
 * take an explicit size) move an ipfobj-described object and are where
 * ipfo_size/ipfo_type must be validated -- confirm in their definitions.
 */
extern  int     copyinptr __P((void *, void *, size_t));
extern  int     copyoutptr __P((void *, void *, size_t));
extern  int     fr_inobj __P((void *, void *, int));
extern  int     fr_inobjsz __P((void *, void *, int, int));
extern  int     fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
extern  int     fr_ipftune __P((ioctlcmd_t, void *));
extern  int     fr_outobj __P((void *, void *, int));
extern  int     fr_outobjsz __P((void *, void *, int, int));
/* Active responses and routing. */
extern  int     fr_send_reset __P((fr_info_t *));
extern  int     fr_send_icmp_err __P((int, fr_info_t *, int));
extern  void    fr_resolvdest __P((struct frdest *, int));
extern  int     fr_resolvefunc __P((void *));
extern  int     fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
#if  (__FreeBSD_version < 490000) || !defined(_KERNEL)
extern  int     ppsratecheck __P((struct timeval *, int *, int));
#endif
/* Timeout queue management. */
extern  ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
extern  void    fr_deletetimeoutqueue __P((ipftq_t *));
extern  void    fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
extern  void    fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
extern  void    fr_queueback __P((ipftqent_t *));
extern  void    fr_queuefront __P((ipftqent_t *));
/* Checksum verification and address helpers. */
extern  void    fr_checkv4sum __P((fr_info_t *));
extern  int     fr_checkl4sum __P((fr_info_t *));
extern  int     fr_ifpfillv4addr __P((int, struct sockaddr_in *,
                                      struct sockaddr_in *, struct in_addr *,
                                      struct in_addr *));
extern  int     fr_coalesce __P((fr_info_t *));
#ifdef  USE_INET6
extern  void    fr_checkv6sum __P((fr_info_t *));
extern  int     fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
                                      struct sockaddr_in6 *, struct in_addr *,
                                      struct in_addr *));
#endif
 1252 
/* Rule list and group maintenance. */
extern  int     frflush __P((minor_t, int, int));
extern  void    frsync __P((void));
extern  frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
extern  int     fr_derefrule __P((frentry_t **));
extern  void    fr_delgroup __P((char *, minor_t, int));
extern  frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
 1259 
/* Log device: buffer setup, record production and the read side. */
extern  int     fr_loginit __P((void));
extern  int     ipflog_clear __P((minor_t));
extern  int     ipflog_read __P((minor_t, uio_t *));
extern  int     ipflog __P((fr_info_t *, u_int));
extern  int     ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
extern  void    fr_logunload __P((void));
 1266 
/* Core filter engine. */
extern  frentry_t       *fr_acctpkt __P((fr_info_t *, u_32_t *));
extern  int             fr_copytolog __P((int, char *, int));
extern  u_short         fr_cksum __P((mb_t *, ip_t *, int, void *));
extern  void            fr_deinitialise __P((void));
extern  frentry_t       *fr_dolog __P((fr_info_t *, u_32_t *));
extern  frentry_t       *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
extern  void            fr_fixskip __P((frentry_t **, frentry_t *, int));
extern  void            fr_forgetifp __P((void *));
extern  frentry_t       *fr_getrulen __P((int, char *, u_32_t));
extern  void            fr_getstat __P((struct friostat *));
extern  int             fr_ifpaddr __P((int, int, void *,
                                struct in_addr *, struct in_addr *));
extern  int             fr_initialise __P((void));
extern  void            fr_lock __P((caddr_t, int *));
extern  int             fr_makefrip __P((int, ip_t *, fr_info_t *));
extern  int             fr_matchtag __P((ipftag_t *, ipftag_t *));
extern  int             fr_matchicmpqueryreply __P((int, icmpinfo_t *,
                                            struct icmp *, int));
/* TCP ISN and IP id generation; see ipf_iss_secret below. */
extern  u_32_t          fr_newisn __P((fr_info_t *));
extern  u_short         fr_nextipid __P((fr_info_t *));
extern  int             fr_rulen __P((int, frentry_t *));
extern  int             fr_scanlist __P((fr_info_t *, u_32_t));
extern  frentry_t       *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
extern  int             fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
extern  int             fr_verifysrc __P((fr_info_t *fin));
extern  int             fr_zerostats __P((char *));
 1293 
/*
 * Global state of the filter.  Most of these are exposed as tunables
 * through ipf_tuneables and are reported in friostat.
 */
extern  int     fr_unreach;
extern  int     fr_running;
extern  u_long  fr_frouteok[2];
extern  int     fr_pass;                /* verdict for unmatched packets */
extern  int     fr_flags;               /* FF_* logging flags; see FF_BLOCKNONIP note */
extern  int     fr_active;              /* which of the two rule sets is live */
extern  int     fr_chksrc;              /* enable source/route check (fr_badsrc counter) */
extern  int     fr_minttl;              /* minimum accepted TTL (fr_badttl counter) */
extern  int     fr_refcnt;
extern  int     fr_control_forwarding;
extern  int     fr_update_ipid;
extern  int     nat_logging;
extern  int     ipstate_logging;
extern  int     ipl_suppress;
extern  int     ipl_buffer_sz;
extern  int     ipl_logmax;
extern  int     ipl_logall;
extern  u_long  fr_ticks;
extern  fr_info_t       frcache[2][8];
extern  char    ipfilter_version[];
extern  iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
extern  int     iplused[IPL_LOGMAX + 1];
extern  struct frentry *ipfilter[2][2], *ipacct[2][2];
#ifdef  USE_INET6
extern  struct frentry *ipfilter6[2][2], *ipacct6[2][2];
extern  int     icmptoicmp6types[ICMP_MAXTYPE+1];
extern  int     icmptoicmp6unreach[ICMP_MAX_UNREACH];
extern  int     icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
extern  int     icmpreplytype4[ICMP_MAXTYPE + 1];
extern  struct frgroup *ipfgroups[IPL_LOGSIZE][2];
extern  struct filterstats frstats[];
extern  frentry_t *ipfrule_match __P((fr_info_t *));
/*
 * Secret presumably consumed by fr_newisn() for TCP initial sequence
 * numbers.  It must be filled from a strong kernel RNG at attach time
 * and never copied out; a predictable value makes ISNs guessable.
 * TODO confirm where it is seeded.
 */
extern  u_char  ipf_iss_secret[32];
extern  ipftuneable_t ipf_tuneables[];
 1329 
 1330 #endif /* _NETINET_IP_FIL_H_ */
