FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.h
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 *
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
7 *
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
11 *
12 * This software is provided ``AS IS'' without any warranties of any kind.
13 *
14 * $FreeBSD$
15 */
16
17 #ifndef _IP_FW_H
18 #define _IP_FW_H
19
20 #if IPFW2
21 #include <netinet/ip_fw2.h>
22 #else /* !IPFW2, good old ipfw */
23
24 #include <sys/queue.h>
25
26 /*
27 * This union structure identifies an interface, either explicitly
28 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
29 * and IP_FW_F_OIFNAME say how to interpret this structure. An
30 * interface unit number of -1 matches any unit number, while an
31 * IP address of 0.0.0.0 indicates matches any interface.
32 *
33 * The receive and transmit interfaces are only compared against the
34 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
35 * is set. Note some packets lack a receive or transmit interface
36 * (in which case the missing "interface" never matches).
37 */
38
39 union ip_fw_if {
40 struct in_addr fu_via_ip; /* Specified by IP address */
41 struct { /* Specified by interface name */
42 #define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */
43 char name[FW_IFNLEN];
44 short unit; /* -1 means match any unit */
45 } fu_via_if;
46 };
47
48 /*
49 * Format of an IP firewall descriptor
50 *
51 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
52 * fw_flg and fw_n*p are stored in host byte order (of course).
53 * Port numbers are stored in HOST byte order.
54 */
55
56 struct ip_fw {
57 LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */
58 u_int32_t fw_flg; /* Operational Flags word */
59 u_int64_t fw_pcnt; /* Packet counters */
60 u_int64_t fw_bcnt; /* Byte counters */
61 struct in_addr fw_src; /* Source IP address */
62 struct in_addr fw_dst; /* Destination IP address */
63 struct in_addr fw_smsk; /* Mask for source IP address */
64 struct in_addr fw_dmsk; /* Mask for destination address */
65 u_short fw_number; /* Rule number */
66 u_char fw_prot; /* IP protocol */
67 #if 1
68 u_char fw_nports; /* # of src/dst port in array */
69 #define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
70 #define IP_FW_SETNSRCP(rule, n) do { \
71 (rule)->fw_nports &= ~0x0f; \
72 (rule)->fw_nports |= (n); \
73 } while (0)
74 #define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
75 #define IP_FW_SETNDSTP(rule, n) do { \
76 (rule)->fw_nports &= ~0xf0; \
77 (rule)->fw_nports |= (n) << 4;\
78 } while (0)
79 #define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0)
80 #else
81 u_char __pad[1];
82 u_int _nsrcp;
83 u_int _ndstp;
84 #define IP_FW_GETNSRCP(rule) (rule)->_nsrcp
85 #define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n
86 #define IP_FW_GETNDSTP(rule) (rule)->_ndstp
87 #define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n
88 #define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0)
89 #endif
90 #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
91 union {
92 u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
93 #define IP_FW_ICMPTYPES_MAX 128
94 #define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
95 unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
96 } fw_uar;
97
98 u_int fw_ipflg; /* IP flags word */
99 u_short fw_iplen; /* IP length XXX */
100 u_short fw_ipid; /* Identification XXX */
101
102 u_char fw_ipopt; /* IP options set */
103 u_char fw_ipnopt; /* IP options unset */
104 u_char fw_iptos; /* IP type of service set XXX */
105 u_char fw_ipntos; /* IP type of service unset XXX */
106
107 u_char fw_ipttl; /* IP time to live XXX */
108 u_char fw_ipver:4; /* IP version XXX */
109 u_char fw_tcpopt; /* TCP options set */
110 u_char fw_tcpnopt; /* TCP options unset */
111
112 u_char fw_tcpf; /* TCP flags set/unset */
113 u_char fw_tcpnf; /* TCP flags set/unset */
114 u_short fw_tcpwin; /* TCP window size XXX */
115
116 u_int32_t fw_tcpseq; /* TCP sequence XXX */
117 u_int32_t fw_tcpack; /* TCP acknowledgement XXX */
118
119 long timestamp; /* timestamp (tv_sec) of last match */
120 union ip_fw_if fw_in_if; /* Incoming interfaces */
121 union ip_fw_if fw_out_if; /* Outgoing interfaces */
122 union {
123 u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
124 u_short fu_pipe_nr; /* queue number (option DUMMYNET) */
125 u_short fu_skipto_rule; /* SKIPTO command rule number */
126 u_short fu_reject_code; /* REJECT response code */
127 struct sockaddr_in fu_fwd_ip;
128 } fw_un;
129
130 /*
131 * N'of src ports and # of dst ports in ports array (dst ports
132 * follow src ports; max of 10 ports in all; count of 0 means
133 * match all ports)
134 */
135 void *pipe_ptr; /* flow_set ptr for dummynet pipe */
136 void *next_rule_ptr; /* next rule in case of match */
137 uid_t fw_uid; /* uid to match */
138 gid_t fw_gid; /* gid to match */
139 int fw_logamount; /* amount to log */
140 u_int64_t fw_loghighest; /* highest number packet to log */
141
142 long dont_match_prob; /* 0x7fffffff means 1.0-always fail */
143 u_char dyn_type; /* type for dynamic rule */
144
145 #define DYN_KEEP_STATE 0 /* type for keep-state rules */
146 #define DYN_LIMIT 1 /* type for limit connection rules */
147 #define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */
148
149 /*
150 * following two fields are used to limit number of connections
151 * basing on either src, srcport, dst, dstport.
152 */
153 u_char limit_mask; /* mask type for limit rule, can
154 * have many.
155 */
156 #define DYN_SRC_ADDR 0x1
157 #define DYN_SRC_PORT 0x2
158 #define DYN_DST_ADDR 0x4
159 #define DYN_DST_PORT 0x8
160
161 u_short conn_limit; /* # of connections for limit rule */
162 };
163
164 #define fw_divert_port fw_un.fu_divert_port
165 #define fw_skipto_rule fw_un.fu_skipto_rule
166 #define fw_reject_code fw_un.fu_reject_code
167 #define fw_pipe_nr fw_un.fu_pipe_nr
168 #define fw_fwd_ip fw_un.fu_fwd_ip
169
170 /*
171 *
172 * rule_ptr -------------+
173 * V
174 * [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
175 * [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
176 * [ <ip_fw> body ] [ <ip_fw> body ] [ <ip_fw> body ]
177 *
178 */
179
180 /*
181 * Flow mask/flow id for each queue.
182 */
183 struct ipfw_flow_id {
184 u_int32_t dst_ip;
185 u_int32_t src_ip;
186 u_int16_t dst_port;
187 u_int16_t src_port;
188 u_int8_t proto;
189 u_int8_t flags; /* protocol-specific flags */
190 };
191
192 /*
193 * dynamic ipfw rule
194 */
195 struct ipfw_dyn_rule {
196 struct ipfw_dyn_rule *next;
197 struct ipfw_flow_id id; /* (masked) flow id */
198 struct ip_fw *rule; /* pointer to rule */
199 struct ipfw_dyn_rule *parent; /* pointer to parent rule */
200 u_int32_t expire; /* expire time */
201 u_int64_t pcnt; /* packet match counters */
202 u_int64_t bcnt; /* byte match counters */
203 u_int32_t bucket; /* which bucket in hash table */
204 u_int32_t state; /* state of this rule (typically a
205 * combination of TCP flags)
206 */
207 u_int16_t dyn_type; /* rule type */
208 u_int16_t count; /* refcount */
209 };
210
211 /*
212 * Values for "flags" field .
213 */
214 #define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */
215 #define IP_FW_F_DENY 0x00000000 /* This is a deny rule */
216 #define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */
217 #define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */
218 #define IP_FW_F_COUNT 0x00000003 /* This is a count rule */
219 #define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */
220 #define IP_FW_F_TEE 0x00000005 /* This is a tee rule */
221 #define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */
222 #define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding
223 * address" rule
224 */
225 #define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */
226 #define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */
227
228 #define IP_FW_F_IN 0x00000100 /* Check inbound packets */
229 #define IP_FW_F_OUT 0x00000200 /* Check outbound packets */
230 #define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */
231 #define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */
232 #define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */
233 #define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min
234 * and max range (stored in host byte
235 * order).
236 */
237 #define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min
238 * and max range (stored in host byte
239 * order).
240 */
241 #define IP_FW_F_FRAG 0x00008000 /* Fragment */
242 #define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */
243 #define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/
244 #define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */
245 #define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */
246 #define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */
247 #define IP_FW_F_UID 0x00200000 /* filter by uid */
248 #define IP_FW_F_GID 0x00400000 /* filter by gid */
249 #define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
250 #define IP_FW_F_SMSK 0x01000000 /* src-port + mask */
251 #define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */
252 #define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */
253 #define IP_FW_F_KEEP_S 0x08000000 /* keep state */
254 #define IP_FW_F_CHECK_S 0x10000000 /* check state */
255 #define IP_FW_F_SME 0x20000000 /* source = me */
256 #define IP_FW_F_DME 0x40000000 /* destination = me */
257
258 #define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */
259
260 /*
261 * Flags for the 'fw_ipflg' field, for comparing values
262 * of ip and its protocols. Not all are currently used,
263 * IP_FW_IF_*MSK list the one actually used.
264 */
265 #define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */
266 #define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */
267 #define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */
268 #define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */
269 #define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */
270 #define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */
271 #define IP_FW_IF_TCPMSK 0x00000020 /* mask of all tcp values */
272
273 #define IP_FW_IF_IPOPT 0x00000100 /* ip options */
274 #define IP_FW_IF_IPLEN 0x00000200 /* ip length */
275 #define IP_FW_IF_IPID 0x00000400 /* ip identification */
276 #define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */
277 #define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */
278 #define IP_FW_IF_IPVER 0x00002000 /* ip version */
279 #define IP_FW_IF_IPMSK 0x00000000 /* mask of all ip values */
280
281 #define IP_FW_IF_MSK 0x00000020 /* All possible bits mask */
282
283 /*
284 * For backwards compatibility with rules specifying "via iface" but
285 * not restricted to only "in" or "out" packets, we define this combination
286 * of bits to represent this configuration.
287 */
288
289 #define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
290
291 /*
292 * Definitions for REJECT response codes.
293 * Values less than 256 correspond to ICMP unreachable codes.
294 */
295 #define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
296
297 /*
298 * Definitions for IP option names.
299 */
300 #define IP_FW_IPOPT_LSRR 0x01
301 #define IP_FW_IPOPT_SSRR 0x02
302 #define IP_FW_IPOPT_RR 0x04
303 #define IP_FW_IPOPT_TS 0x08
304
305 /*
306 * Definitions for TCP option names.
307 */
308 #define IP_FW_TCPOPT_MSS 0x01
309 #define IP_FW_TCPOPT_WINDOW 0x02
310 #define IP_FW_TCPOPT_SACK 0x04
311 #define IP_FW_TCPOPT_TS 0x08
312 #define IP_FW_TCPOPT_CC 0x10
313
314 /*
315 * Definitions for TCP flags.
316 */
317 #define IP_FW_TCPF_FIN TH_FIN
318 #define IP_FW_TCPF_SYN TH_SYN
319 #define IP_FW_TCPF_RST TH_RST
320 #define IP_FW_TCPF_PSH TH_PUSH
321 #define IP_FW_TCPF_ACK TH_ACK
322 #define IP_FW_TCPF_URG TH_URG
323
324 /*
325 * Main firewall chains definitions and global var's definitions.
326 */
327 #ifdef _KERNEL
328
329 #define IP_FW_PORT_DYNT_FLAG 0x10000
330 #define IP_FW_PORT_TEE_FLAG 0x20000
331 #define IP_FW_PORT_DENY_FLAG 0x40000
332
333 /*
334 * arguments for calling ipfw_chk() and dummynet_io(). We put them
335 * all into a structure because this way it is easier and more
336 * efficient to pass variables around and extend the interface.
337 */
338 struct ip_fw_args {
339 struct mbuf *m; /* the mbuf chain */
340 struct ifnet *oif; /* output interface */
341 struct sockaddr_in *next_hop; /* forward address */
342 struct ip_fw *rule; /* matching rule */
343 struct ether_header *eh; /* for bridged packets */
344
345 struct route *ro; /* for dummynet */
346 struct sockaddr_in *dst; /* for dummynet */
347 int flags; /* for dummynet */
348
349 struct ipfw_flow_id f_id; /* grabbed from IP header */
350 u_int16_t divert_rule; /* divert cookie */
351 u_int32_t retval;
352 };
353
354 /*
355 * Function definitions.
356 */
357 void ip_fw_init __P((void));
358
359 /* Firewall hooks */
360 struct sockopt;
361 struct dn_flow_set;
362 void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
363
364 typedef int ip_fw_chk_t (struct ip_fw_args *args);
365 typedef int ip_fw_ctl_t (struct sockopt *);
366 extern ip_fw_chk_t *ip_fw_chk_ptr;
367 extern ip_fw_ctl_t *ip_fw_ctl_ptr;
368 extern int fw_one_pass;
369 extern int fw_enable;
370 extern struct ipfw_flow_id last_pkt;
371 #define IPFW_LOADED (ip_fw_chk_ptr != NULL)
372 #endif /* _KERNEL */
373
374 #endif /* !IPFW2 */
375 #endif /* _IP_FW_H */
Cache object: 42465d2332e51571e296ffbc0d563dd3
|