


FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.h


    1 /*
    2  * Copyright (c) 1993 Daniel Boulet
    3  * Copyright (c) 1994 Ugen J.S.Antsilevich
    4  *
    5  * Redistribution and use in source forms, with and without modification,
    6  * are permitted provided that this entire comment appears intact.
    7  *
    8  * Redistribution in binary form may occur without any restrictions.
    9  * Obviously, it would be nice if you gave credit where credit is due
   10  * but requiring it would be too onerous.
   11  *
   12  * This software is provided ``AS IS'' without any warranties of any kind.
   13  *
   14  * $FreeBSD$
   15  */
   16 
   17 #ifndef _IP_FW_H
   18 #define _IP_FW_H
   19 
   20 #include <sys/queue.h>
   21 
   22 /*
   23  * This union structure identifies an interface, either explicitly
   24  * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
   25  * and IP_FW_F_OIFNAME say how to interpret this structure. An
   26  * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 matches any interface.
   28  *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
   31  * is set. Note some packets lack a receive or transmit interface
   32  * (in which case the missing "interface" never matches).
   33  */
   34 
union ip_fw_if {
    struct in_addr fu_via_ip;   /* Specified by IP address (0.0.0.0 = any);
                                 * used when IP_FW_F_IIFNAME / IP_FW_F_OIFNAME
                                 * is clear in fw_flg */
    struct {                    /* Specified by interface name; used when
                                 * IP_FW_F_IIFNAME / IP_FW_F_OIFNAME is set */
/* Deliberately shorter than IFNAMSIZ, presumably to keep sizeof(struct ip_fw)
 * under MLEN (see the warning above struct ip_fw). */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ */
            char  name[FW_IFNLEN];  /* name without the unit number.  The buffer
                                     * may be completely filled, so NOTE(review):
                                     * compare with a FW_IFNLEN bound and do not
                                     * assume NUL termination -- confirm in ip_fw.c */
            short unit;         /* -1 means match any unit */
    } fu_via_if;
};
   43 
   44 /*
   45  * Format of an IP firewall descriptor
   46  *
   47  * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
   48  * fw_flg and fw_n*p are stored in host byte order (of course).
   49  * Port numbers are stored in HOST byte order.
 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108 at the
 * time this was written; check MLEN in <sys/param.h> before adding fields)
   51  */
   52 
struct ip_fw {
    u_int64_t fw_pcnt,fw_bcnt;          /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;      /* Source and destination IP addr
                                         * (network byte order) */
    struct in_addr fw_smsk, fw_dmsk;    /* Mask for src and dest IP addr
                                         * (network byte order) */
    u_short fw_number;                  /* Rule number */
    u_int fw_flg;                       /* Flags word: IP_FW_F_* bits; the low
                                         * byte (IP_FW_F_COMMAND) is the action */
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
        /*
         * Either a list of ports or an ICMP type bitmap, never both:
         * IP_FW_F_ICMPBIT in fw_flg says the bitmap is the valid member.
         */
        union {
        u_short fw_pts[IP_FW_MAX_PORTS];        /* Array of port numbers to match
                                                 * (host byte order; src ports
                                                 * first, then dst ports -- see
                                                 * fw_nports) */
#define IP_FW_ICMPTYPES_MAX     128
#define IP_FW_ICMPTYPES_DIM     (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
        unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap (one bit
                                                     * per ICMP type 0..127) */
        } fw_uar;
    u_char fw_ipflg;                    /* IP flags word (IP_FW_IF_* bits) */
    u_char fw_ipopt,fw_ipnopt;          /* IP options set/unset (IP_FW_IPOPT_* bits) */
    u_char fw_tcpf,fw_tcpnf;            /* TCP flags set/unset (IP_FW_TCPF_* bits) */
    long timestamp;                     /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces;
                                         * only consulted when IP_FW_F_IIFACE /
                                         * IP_FW_F_OIFACE is set in fw_flg */
    union {                             /* Action argument; the valid member is
                                         * selected by the command in fw_flg */
        u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
        u_short fu_pipe_nr;             /* pipe number (option DUMMYNET) */
        u_short fu_skipto_rule;         /* SKIPTO command rule number */
        u_short fu_reject_code;         /* REJECT response code */
        struct sockaddr_in fu_fwd_ip;   /* FWD: forwarding address */
    } fw_un;
    u_char fw_prot;                     /* IP protocol */
        /*
         * N'of src ports and # of dst ports in ports array (dst ports
         * follow src ports; max of 10 ports in all; count of 0 means
         * match all ports).  Packed as two 4-bit counts -- low nibble src,
         * high nibble dst -- so use IP_FW_GETNSRCP/IP_FW_GETNDSTP and the
         * matching setters rather than the raw byte.  Each nibble can hold
         * up to 15, more than fw_pts[] has room for: anything consuming a
         * rule from userland must check src + dst <= IP_FW_MAX_PORTS.
         */
    u_char fw_nports;
    /*
     * Kernel-private pointers.  Per the note below this struct they also
     * travel through the socket-option interface ("up/down").
     * NOTE(review): a pointer value arriving from userland must be treated
     * as opaque and never dereferenced as is -- confirm that ip_fw_ctl()
     * re-derives both before a rule is installed.
     */
    void *pipe_ptr;                    /* Pipe ptr in case of dummynet pipe */
    void *next_rule_ptr ;              /* next rule in case of match */
    uid_t fw_uid;                       /* uid to match (valid when IP_FW_F_UID set) */
    gid_t fw_gid;                       /* gid to match (valid when IP_FW_F_GID set) */
    int fw_logamount;                   /* amount to log */
    u_int64_t fw_loghighest;            /* highest number packet to log */
};
   92 
   93 /*
   94  * extended ipfw structure... some fields in the original struct
   95  * can be used to pass parameters up/down, namely pointers
   96  *     void *pipe_ptr
   97  *     void *next_rule_ptr 
   98  * some others can be used to pass parameters down, namely counters etc.
   99  *     u_int64_t fw_pcnt,fw_bcnt;
  100  *     long timestamp;
  101  */
  102 
struct ip_fw_ext {             /* extended structure */
    struct ip_fw rule;      /* must be at offset 0, so a pointer to an
                             * ip_fw_ext is also a valid struct ip_fw * */
    long    dont_match_prob;        /* 0x7fffffff means 1.0, always fail
                                     * (presumably paired with IP_FW_F_RND_MATCH
                                     * in rule.fw_flg -- confirm in ip_fw.c) */
    u_int   dyn_type;   /* type for dynamic rule (presumably the value that
                         * ends up in ipfw_dyn_rule.type) */
};
  108 
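/*
 * Accessors for the packed fw_nports byte: the low nibble is the number of
 * source ports and the high nibble the number of destination ports stored
 * in fw_uar.fw_pts[] (src ports first, then dst ports).
 *
 * The setters mask the new count to four bits.  Without the mask a count
 * above 15 would spill into the neighbouring nibble (and a negative count
 * would be left-shifted, which is undefined), silently changing the other
 * port count.  Callers still have to validate that src + dst does not
 * exceed IP_FW_MAX_PORTS; the mask only keeps the two fields independent.
 */
#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0x0f;   \
                                          (rule)->fw_nports |= ((n) & 0x0f); \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0xf0;   \
                                          (rule)->fw_nports |= ((n) & 0x0f) << 4; \
                                        } while (0)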
  119 
/*
 * Shorthands for the members of fw_un.  Only the member matching the
 * command in fw_flg (IP_FW_F_DIVERT/IP_FW_F_TEE, IP_FW_F_SKIPTO,
 * IP_FW_F_REJECT, IP_FW_F_PIPE, IP_FW_F_FWD) holds a meaningful value.
 */
#define fw_divert_port  fw_un.fu_divert_port
#define fw_skipto_rule  fw_un.fu_skipto_rule
#define fw_reject_code  fw_un.fu_reject_code
#define fw_pipe_nr      fw_un.fu_pipe_nr
#define fw_fwd_ip       fw_un.fu_fwd_ip
  125 
/*
 * One element of the rule list: a <sys/queue.h> LIST link plus the rule
 * it carries.
 */
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) chain;  /* linkage in the rule list */
        struct ip_fw    *rule;          /* the rule proper */
};
  130 
  131 /*
  132  * Flow mask/flow id for each queue.
  133  */
struct ipfw_flow_id {
    u_int32_t dst_ip, src_ip ;          /* addresses (byte order not fixed by
                                         * this header -- see ip_fw.c) */
    u_int16_t dst_port, src_port ;      /* transport ports, same caveat */
    u_int8_t proto ;                    /* IP protocol number */
    u_int8_t flags ;    /* protocol-specific flags */
} ;
  140 
  141 /*
  142  * dynamic ipfw rule
  143  */
struct ipfw_dyn_rule {
    struct ipfw_dyn_rule *next ;        /* next entry (presumably within the same
                                         * hash bucket, see 'bucket' below) */

    struct ipfw_flow_id id ;            /* flow this entry was created for */
    struct ipfw_flow_id mask ;          /* which fields of 'id' must match */
    struct ip_fw_chain *chain ; /* pointer to parent rule       */
    u_int32_t type ;            /* rule type                    */
    u_int32_t expire ;          /* expire time (units defined by */
                                /* ip_fw.c, not here)           */
    u_int64_t pcnt, bcnt;       /* match counters               */
    u_int32_t bucket ;          /* which bucket in hash table   */
    u_int32_t state ;           /* state of this rule (typ. a   */
                                /* combination of TCP flags)    */
} ;
  157 
  158 /*
 * Values for the fw_flg field.
  160  */
#define IP_FW_F_COMMAND 0x000000ff      /* Mask for type of chain entry:        */
/* (fw_flg & IP_FW_F_COMMAND) selects exactly one of the actions below;
 * all remaining bits are independent match/option modifiers. */
#define IP_FW_F_DENY    0x00000000      /* This is a deny rule                  */
#define IP_FW_F_REJECT  0x00000001      /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT  0x00000002      /* This is an accept rule               */
#define IP_FW_F_COUNT   0x00000003      /* This is a count rule                 */
#define IP_FW_F_DIVERT  0x00000004      /* This is a divert rule                */
#define IP_FW_F_TEE     0x00000005      /* This is a tee rule                   */
#define IP_FW_F_SKIPTO  0x00000006      /* This is a skipto rule                */
#define IP_FW_F_FWD     0x00000007      /* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE    0x00000008      /* This is a dummynet rule */

#define IP_FW_F_IN      0x00000100      /* Check inbound packets                */
#define IP_FW_F_OUT     0x00000200      /* Check outbound packets               */
#define IP_FW_F_IIFACE  0x00000400      /* Apply inbound interface test         */
#define IP_FW_F_OIFACE  0x00000800      /* Apply outbound interface test        */

#define IP_FW_F_PRN     0x00001000      /* Print if this rule matches           */

#define IP_FW_F_SRNG    0x00002000      /* The first two src ports are a min    *
                                         * and max range (stored in host byte   *
                                         * order).                              */

#define IP_FW_F_DRNG    0x00004000      /* The first two dst ports are a min    *
                                         * and max range (stored in host byte   *
                                         * order).                              */

#define IP_FW_F_FRAG    0x00008000      /* Fragment                             */

#define IP_FW_F_IIFNAME 0x00010000      /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME 0x00020000      /* Out interface by name/unit (not IP)  */

#define IP_FW_F_INVSRC  0x00040000      /* Invert sense of src check            */
#define IP_FW_F_INVDST  0x00080000      /* Invert sense of dst check            */

#define IP_FW_F_ICMPBIT 0x00100000      /* ICMP type bitmap is valid            */

#define IP_FW_F_UID     0x00200000      /* filter by uid                        */

#define IP_FW_F_GID     0x00400000      /* filter by gid                        */

#define IP_FW_F_RND_MATCH 0x00800000    /* probabilistic rule match             */
#define IP_FW_F_SMSK    0x01000000      /* src-port + mask                      */
#define IP_FW_F_DMSK    0x02000000      /* dst-port + mask                      */
/* Historical spelling without the _F_ infix of its siblings; kept as is
 * because the name is part of the header's interface. */
#define IP_FW_BRIDGED   0x04000000      /* only match bridged packets           */
#define IP_FW_F_KEEP_S  0x08000000      /* keep state                           */
#define IP_FW_F_CHECK_S 0x10000000      /* check state                          */

/* Covers bits 0..28, i.e. everything up to IP_FW_F_CHECK_S.  Must be widened
 * whenever a new flag bit is added above, or that bit will be rejected as
 * invalid by anything validating fw_flg against this mask. */
#define IP_FW_F_MASK    0x1FFFFFFF      /* All possible flag bits mask          */
  209 
  210 /*
 * Flags for the fw_ipflg field: tests on the IP packet and its transport protocol.
  212  */
#define IP_FW_IF_TCPEST 0x00000020      /* established TCP connection */
/* Equal to IP_FW_IF_TCPEST only because it is the sole TCP bit so far;
 * extend the mask when adding TCP-related fw_ipflg bits. */
#define IP_FW_IF_TCPMSK 0x00000020      /* mask of all TCP values */
  215 
  216 /*
  217  * For backwards compatibility with rules specifying "via iface" but
  218  * not restricted to only "in" or "out" packets, we define this combination
  219  * of bits to represent this configuration.
  220  */
  221 
/* Note the IF_FW_F_ (not IP_FW_F_) prefix: a long-standing spelling that is
 * kept because it is part of the header's interface. */
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
  223 
  224 /*
  225  * Definitions for REJECT response codes.
  226  * Values less than 256 correspond to ICMP unreachable codes.
  227  */
/* Stored in fw_un.fu_reject_code; lies above the 0..255 ICMP code range so
 * it cannot be confused with an unreachable code. */
#define IP_FW_REJECT_RST        0x0100          /* TCP packets: send RST */
  229 
  230 /*
  231  * Definitions for IP option names.
  232  */
/* Bit flags for the fw_ipopt (must be set) / fw_ipnopt (must be unset) fields. */
#define IP_FW_IPOPT_LSRR        0x01    /* loose source route */
#define IP_FW_IPOPT_SSRR        0x02    /* strict source route */
#define IP_FW_IPOPT_RR          0x04    /* record route */
#define IP_FW_IPOPT_TS          0x08    /* timestamp */
  237 
  238 /*
  239  * Definitions for TCP flags.
  240  */
/*
 * Bit flags for the fw_tcpf (set) / fw_tcpnf (unset) fields.  These alias
 * the TH_* constants from <netinet/tcp.h>, which this header does not
 * include itself: include it before ip_fw.h when using these names.
 */
#define IP_FW_TCPF_FIN          TH_FIN
#define IP_FW_TCPF_SYN          TH_SYN
#define IP_FW_TCPF_RST          TH_RST
#define IP_FW_TCPF_PSH          TH_PUSH
#define IP_FW_TCPF_ACK          TH_ACK
#define IP_FW_TCPF_URG          TH_URG
  247 
  248 /*
 * Main firewall chain definitions and declarations of the global hook/control variables.
  250  */
  251 #ifdef KERNEL
  252 
/* Both values lie above the 16-bit port range, so they can be OR'd into a
 * port number without colliding with it (presumably in the value the check
 * hook returns -- confirm in ip_fw.c). */
#define IP_FW_PORT_DYNT_FLAG    0x10000
#define IP_FW_PORT_TEE_FLAG     0x20000
  255 
  256 /*
  257  * Function definitions.
  258  */
/* One-time initialisation; presumably installs the hook pointers declared
 * below -- confirm in ip_fw.c. */
void ip_fw_init __P((void));
  260 
  261 /* Firewall hooks */
struct ip;
struct sockopt;
/*
 * Packet-check hook.  The double indirections (struct ip **, struct mbuf **,
 * struct ip_fw_chain **, struct sockaddr_in **) let the callee hand results
 * back through the arguments.  NOTE(review): the in/out contract of each
 * argument is defined by the implementation in ip_fw.c, not here.
 */
typedef int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
             struct mbuf **, struct ip_fw_chain **, struct sockaddr_in **));
/*
 * Control hook (setsockopt/getsockopt).  The sockopt carries rule data
 * supplied by userland; the implementation is responsible for validating
 * it (sizes, flag bits against IP_FW_F_MASK, port counts, ...) before use.
 */
typedef int ip_fw_ctl_t __P((struct sockopt *));
extern  ip_fw_chk_t *ip_fw_chk_ptr;     /* installed packet-check hook */
extern  ip_fw_ctl_t *ip_fw_ctl_ptr;     /* installed control hook */
extern int fw_one_pass;                 /* tunable; semantics in ip_fw.c */
extern int fw_enable;                   /* tunable; presumably the global on/off switch */
extern struct ipfw_flow_id last_pkt ;   /* flow id of the last packet checked
                                         * (by name; confirm in ip_fw.c) */
  272 #endif /* KERNEL */
  273 
  274 #endif /* _IP_FW_H */




