1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 *
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
7 *
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
11 *
12 * This software is provided ``AS IS'' without any warranties of any kind.
13 *
14 * $FreeBSD$
15 */
16
17 #ifndef _IP_FW_H
18 #define _IP_FW_H
19
20 #include <sys/queue.h>
21
/*
 * This union identifies an interface, either explicitly by name or
 * implicitly by IP address.  The flags IP_FW_F_IIFNAME and
 * IP_FW_F_OIFNAME say how to interpret this structure.  An interface
 * unit number of -1 matches any unit number, while an IP address of
 * 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set.  Note that some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */
34
union ip_fw_if {
	struct in_addr fu_via_ip;	/* interface selected by its IP address */
	struct {			/* interface selected by name + unit */
#define FW_IFNLEN 10			/* need room ! was IFNAMSIZ */
		/*
		 * NOTE(review): FW_IFNLEN is shorter than IFNAMSIZ, and a
		 * name that fills all 10 bytes has no terminating NUL, so
		 * whatever compares this field must look at no more than
		 * FW_IFNLEN bytes -- confirm at the use site.
		 */
		char name[FW_IFNLEN];	/* interface name; the unit goes in 'unit' */
		short unit;		/* unit number; -1 matches any unit */
	} fu_via_if;
};
43
44 /*
45 * Format of an IP firewall descriptor
46 *
47 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
48 * fw_flg and fw_n*p are stored in host byte order (of course).
49 * Port numbers are stored in HOST byte order.
50 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
51 */
52
/*
 * One firewall rule as exchanged with userland through the socket-option
 * interface (see the format notes above).  pipe_ptr and next_rule_ptr are
 * kernel-internal pointers that travel inside the same structure.
 * NOTE(review): confirm that the control path neither trusts these pointer
 * values when a rule arrives from userland nor exposes them on the way out.
 */
struct ip_fw {
	u_int64_t fw_pcnt;			/* packets matched by this rule */
	u_int64_t fw_bcnt;			/* bytes matched by this rule */
	struct in_addr fw_src;			/* source address (network order) */
	struct in_addr fw_dst;			/* destination address (network order) */
	struct in_addr fw_smsk;			/* mask applied to fw_src (network order) */
	struct in_addr fw_dmsk;			/* mask applied to fw_dst (network order) */
	u_short fw_number;			/* rule number */
	u_int fw_flg;				/* IP_FW_F_* flags (host order) */
#define IP_FW_MAX_PORTS 10			/* A reasonable maximum */
	union {
		/* ports to match, host order; src ports first, then dst ports */
		u_short fw_pts[IP_FW_MAX_PORTS];
#define IP_FW_ICMPTYPES_MAX 128
#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
		/* bitmap of ICMP types, valid when IP_FW_F_ICMPBIT is set */
		unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM];
	} fw_uar;
	u_char fw_ipflg;			/* IP_FW_IF_* flags */
	u_char fw_ipopt;			/* IP options that must be set */
	u_char fw_ipnopt;			/* IP options that must be unset */
	u_char fw_tcpf;				/* TCP flags that must be set */
	u_char fw_tcpnf;			/* TCP flags that must be unset */
	long timestamp;				/* tv_sec of the last match */
	union ip_fw_if fw_in_if;		/* incoming interface (IP_FW_F_IIFACE) */
	union ip_fw_if fw_out_if;		/* outgoing interface (IP_FW_F_OIFACE) */
	union {					/* action-specific argument */
		u_short fu_divert_port;		/* Divert/tee port (options IPDIVERT) */
		u_short fu_pipe_nr;		/* pipe number (option DUMMYNET) */
		u_short fu_skipto_rule;		/* SKIPTO command rule number */
		u_short fu_reject_code;		/* REJECT response code */
		struct sockaddr_in fu_fwd_ip;	/* forwarding address for FWD rules */
	} fw_un;
	u_char fw_prot;				/* IP protocol */
	/*
	 * Two 4-bit counts packed into one byte: low nibble = number of
	 * src ports, high nibble = number of dst ports (see the
	 * IP_FW_GET/SETN{SRC,DST}P macros).  dst ports follow src ports in
	 * fw_pts; at most IP_FW_MAX_PORTS in all; a count of 0 means match
	 * all ports.
	 */
	u_char fw_nports;
	void *pipe_ptr;				/* dummynet pipe (kernel-internal) */
	void *next_rule_ptr;			/* next rule on match (kernel-internal) */
	uid_t fw_uid;				/* uid to match */
	gid_t fw_gid;				/* gid to match */
	int fw_logamount;			/* amount to log */
	u_int64_t fw_loghighest;		/* highest number packet to log */
};
92
93 /*
94 * extended ipfw structure... some fields in the original struct
95 * can be used to pass parameters up/down, namely pointers
96 * void *pipe_ptr
97 * void *next_rule_ptr
98 * some others can be used to pass parameters down, namely counters etc.
99 * u_int64_t fw_pcnt,fw_bcnt;
100 * long timestamp;
101 */
102
struct ip_fw_ext {				/* extended structure */
	struct ip_fw rule;		/* base rule; must stay at offset 0 (presumably so an ip_fw_ext can be handled as an ip_fw) */
	long dont_match_prob;		/* 0x7fffffff means 1.0, i.e. always fail; presumably used by IP_FW_F_RND_MATCH rules */
	u_int dyn_type;			/* type for dynamic rule */
};
108
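/*
 * Accessors for the two 4-bit counts packed into fw_nports: the low
 * nibble holds the number of source ports, the high nibble the number of
 * destination ports (both index into fw_uar.fw_pts).  The setters mask
 * the count to four bits so that a value above 15 cannot bleed into the
 * neighbouring nibble; callers must still enforce IP_FW_MAX_PORTS in total.
 */
#define IP_FW_GETNSRCP(rule)	((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)	do {				\
	(rule)->fw_nports &= ~0x0f;				\
	(rule)->fw_nports |= ((n) & 0x0f);			\
} while (0)
#define IP_FW_GETNDSTP(rule)	((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)	do {				\
	(rule)->fw_nports &= ~0xf0;				\
	(rule)->fw_nports |= ((n) & 0x0f) << 4;			\
} while (0)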
119
/* Short names for the members of the fw_un union in struct ip_fw. */
#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code
#define fw_pipe_nr	fw_un.fu_pipe_nr
#define fw_fwd_ip	fw_un.fu_fwd_ip
125
/* One entry of the rule list: the list linkage plus the rule it carries. */
struct ip_fw_chain {
	LIST_ENTRY(ip_fw_chain) chain;	/* linkage in the rule list */
	struct ip_fw *rule;		/* the rule held by this entry */
};
130
131 /*
132 * Flow mask/flow id for each queue.
133 */
struct ipfw_flow_id {
	u_int32_t dst_ip;		/* destination address */
	u_int32_t src_ip;		/* source address */
	u_int16_t dst_port;		/* destination port */
	u_int16_t src_port;		/* source port */
	u_int8_t proto;			/* IP protocol */
	u_int8_t flags;			/* protocol-specific flags */
};
140
141 /*
142 * dynamic ipfw rule
143 */
struct ipfw_dyn_rule {
	struct ipfw_dyn_rule *next;	/* next dynamic rule (hash-chain link, presumably) */

	struct ipfw_flow_id id;		/* the flow this entry describes */
	struct ipfw_flow_id mask;	/* presumably selects which fields of id are compared */
	struct ip_fw_chain *chain;	/* pointer to parent rule */
	u_int32_t type;			/* rule type */
	u_int32_t expire;		/* expire time */
	u_int64_t pcnt;			/* packets matched */
	u_int64_t bcnt;			/* bytes matched */
	u_int32_t bucket;		/* which bucket in hash table */
	u_int32_t state;		/* state of this rule (typically a combination of TCP flags) */
};
157
/*
 * Values for the "flags" (fw_flg) field.
 */
/*
 * Low byte: the rule's action.  IP_FW_F_DENY is 0, so an fw_flg with no
 * command bits set is a deny rule.
 */
#define IP_FW_F_COMMAND	0x000000ff	/* Mask for type of chain entry: */
#define IP_FW_F_DENY	0x00000000	/* This is a deny rule */
#define IP_FW_F_REJECT	0x00000001	/* Deny and send a response packet */
#define IP_FW_F_ACCEPT	0x00000002	/* This is an accept rule */
#define IP_FW_F_COUNT	0x00000003	/* This is a count rule */
#define IP_FW_F_DIVERT	0x00000004	/* This is a divert rule */
#define IP_FW_F_TEE	0x00000005	/* This is a tee rule */
#define IP_FW_F_SKIPTO	0x00000006	/* This is a skipto rule */
#define IP_FW_F_FWD	0x00000007	/* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE	0x00000008	/* This is a dummynet rule */

/* Direction and interface tests. */
#define IP_FW_F_IN	0x00000100	/* Check inbound packets */
#define IP_FW_F_OUT	0x00000200	/* Check outbound packets */
#define IP_FW_F_IIFACE	0x00000400	/* Apply inbound interface test */
#define IP_FW_F_OIFACE	0x00000800	/* Apply outbound interface test */

#define IP_FW_F_PRN	0x00001000	/* Print if this rule matches */

/*
 * The first two src ports are a min and max range (stored in host byte
 * order).
 */
#define IP_FW_F_SRNG	0x00002000

/*
 * The first two dst ports are a min and max range (stored in host byte
 * order).
 */
#define IP_FW_F_DRNG	0x00004000

#define IP_FW_F_FRAG	0x00008000	/* Fragment */

/* How fw_in_if / fw_out_if are to be read (see union ip_fw_if). */
#define IP_FW_F_IIFNAME	0x00010000	/* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME	0x00020000	/* Out interface by name/unit (not IP) */

#define IP_FW_F_INVSRC	0x00040000	/* Invert sense of src check */
#define IP_FW_F_INVDST	0x00080000	/* Invert sense of dst check */

#define IP_FW_F_ICMPBIT	0x00100000	/* ICMP type bitmap is valid */

#define IP_FW_F_UID	0x00200000	/* filter by uid */

#define IP_FW_F_GID	0x00400000	/* filter by gid */

#define IP_FW_F_RND_MATCH	0x00800000	/* probabilistic rule match */
#define IP_FW_F_SMSK	0x01000000	/* src-port + mask */
#define IP_FW_F_DMSK	0x02000000	/* dst-port + mask */
#define IP_FW_BRIDGED	0x04000000	/* only match bridged packets (name lacks the "_F_" infix the other flags use) */
#define IP_FW_F_KEEP_S	0x08000000	/* keep state */
#define IP_FW_F_CHECK_S	0x10000000	/* check state */

/*
 * NOTE(review): flags in a rule supplied from userland should be checked
 * against this mask before the rule is installed -- confirm in the control
 * path.
 */
#define IP_FW_F_MASK	0x1FFFFFFF	/* All possible flag bits mask */
209
210 /*
211 * Flags for the 'fw_ipflg' field, for comparing values of IP and its protocols
212 */
/* fw_ipflg is a u_char, so these values must fit in eight bits. */
#define IP_FW_IF_TCPEST	0x00000020	/* established TCP connection */
#define IP_FW_IF_TCPMSK	0x00000020	/* mask of all TCP values */
215
216 /*
217 * For backwards compatibility with rules specifying "via iface" but
218 * not restricted to only "in" or "out" packets, we define this combination
219 * of bits to represent this configuration.
220 */
221
/* Note the "IF_FW" prefix: this name does not follow the IP_FW_F_* pattern. */
#define IF_FW_F_VIAHACK	(IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
223
224 /*
225 * Definitions for REJECT response codes.
226 * Values less than 256 correspond to ICMP unreachable codes.
227 */
/* Above the ICMP code range (< 256), so it cannot collide with one. */
#define IP_FW_REJECT_RST	0x0100	/* TCP packets: send RST */
229
230 /*
231 * Definitions for IP option names.
232 */
/* Bit values for fw_ipopt / fw_ipnopt (options set / options unset). */
#define IP_FW_IPOPT_LSRR	0x01	/* loose source route */
#define IP_FW_IPOPT_SSRR	0x02	/* strict source route */
#define IP_FW_IPOPT_RR		0x04	/* record route */
#define IP_FW_IPOPT_TS		0x08	/* timestamp */
237
238 /*
239 * Definitions for TCP flags.
240 */
/*
 * Bit values for fw_tcpf / fw_tcpnf.  The TH_* names come from
 * <netinet/tcp.h>, which this header does not include itself.
 */
#define IP_FW_TCPF_FIN	TH_FIN
#define IP_FW_TCPF_SYN	TH_SYN
#define IP_FW_TCPF_RST	TH_RST
#define IP_FW_TCPF_PSH	TH_PUSH
#define IP_FW_TCPF_ACK	TH_ACK
#define IP_FW_TCPF_URG	TH_URG
247
/*
 * Main firewall chain definitions and global variable definitions.
 */
#ifdef KERNEL

/*
 * Values above the 16-bit port range; where they are combined with a
 * port number is not visible in this header -- see the check/control
 * implementation.
 */
#define IP_FW_PORT_DYNT_FLAG	0x10000
#define IP_FW_PORT_TEE_FLAG	0x20000

/*
 * Function declarations.
 */
void ip_fw_init __P((void));

/*
 * Firewall hooks.  The packet check and the socket-option control entry
 * points are reached through function pointers (ip_fw_chk_ptr,
 * ip_fw_ctl_ptr); presumably they are NULL when no firewall is installed,
 * so callers should test them before use -- confirm at the call sites.
 */
struct ip;
struct sockopt;
typedef int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
	struct mbuf **, struct ip_fw_chain **, struct sockaddr_in **));
typedef int ip_fw_ctl_t __P((struct sockopt *));
extern ip_fw_chk_t *ip_fw_chk_ptr;
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
/* Global switches; their semantics are defined by the implementation, not here. */
extern int fw_one_pass;
extern int fw_enable;
extern struct ipfw_flow_id last_pkt;	/* flow id of the most recently seen packet, presumably */
#endif /* KERNEL */
273
274 #endif /* _IP_FW_H */