The Design and Implementation of the FreeBSD Operating System, Second Edition
Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]

FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.h

Version: -  FREEBSD  -  FREEBSD-13-STABLE  -  FREEBSD-13-0  -  FREEBSD-12-STABLE  -  FREEBSD-12-0  -  FREEBSD-11-STABLE  -  FREEBSD-11-0  -  FREEBSD-10-STABLE  -  FREEBSD-10-0  -  FREEBSD-9-STABLE  -  FREEBSD-9-0  -  FREEBSD-8-STABLE  -  FREEBSD-8-0  -  FREEBSD-7-STABLE  -  FREEBSD-7-0  -  FREEBSD-6-STABLE  -  FREEBSD-6-0  -  FREEBSD-5-STABLE  -  FREEBSD-5-0  -  FREEBSD-4-STABLE  -  FREEBSD-3-STABLE  -  FREEBSD22  -  l41  -  OPENBSD  -  linux-2.6  -  MK84  -  PLAN9  -  xnu-8792 
SearchContext: -  none  -  3  -  10 

    1 /*
    2  * Copyright (c) 1993 Daniel Boulet
    3  * Copyright (c) 1994 Ugen J.S.Antsilevich
    4  *
    5  * Redistribution and use in source forms, with and without modification,
    6  * are permitted provided that this entire comment appears intact.
    7  *
    8  * Redistribution in binary form may occur without any restrictions.
    9  * Obviously, it would be nice if you gave credit where credit is due
   10  * but requiring it would be too onerous.
   11  *
   12  * This software is provided ``AS IS'' without any warranties of any kind.
   13  *
   14  * $FreeBSD$
   15  */
   16 
   17 #ifndef _IP_FW_H
   18 #define _IP_FW_H
   19 
   20 #if IPFW2
   21 #include <netinet/ip_fw2.h>
   22 #else /* !IPFW2, good old ipfw */
   23 
   24 #include <sys/queue.h>
   25 
   26 /*
   27  * This union structure identifies an interface, either explicitly
   28  * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
   29  * and IP_FW_F_OIFNAME say how to interpret this structure. An
   30  * interface unit number of -1 matches any unit number, while an
   31  * IP address of 0.0.0.0 indicates matches any interface.
   32  *
   33  * The receive and transmit interfaces are only compared against the
   34  * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
   35  * is set. Note some packets lack a receive or transmit interface
   36  * (in which case the missing "interface" never matches).
   37  */
   38 
   39 union ip_fw_if {
   40         struct in_addr  fu_via_ip;      /* Specified by IP address */
   41         struct {                        /* Specified by interface name */
   42 #define FW_IFNLEN       10              /* need room ! was IFNAMSIZ */
   43                 char    name[FW_IFNLEN];
   44                 short   unit;           /* -1 means match any unit */
   45         } fu_via_if;
   46 };
   47 
   48 /*
   49  * Format of an IP firewall descriptor
   50  *
   51  * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
   52  * fw_flg and fw_n*p are stored in host byte order (of course).
   53  * Port numbers are stored in HOST byte order.
   54  */
   55 
   56 struct ip_fw {
   57         LIST_ENTRY(ip_fw) next;         /* bidirectional list of rules */
   58         u_int32_t       fw_flg;         /* Operational Flags word */
   59         u_int64_t       fw_pcnt;        /* Packet counters */
   60         u_int64_t       fw_bcnt;        /* Byte counters */
   61         struct in_addr  fw_src;         /* Source IP address */
   62         struct in_addr  fw_dst;         /* Destination IP address */
   63         struct in_addr  fw_smsk;        /* Mask for source IP address */
   64         struct in_addr  fw_dmsk;        /* Mask for destination address */
   65         u_short         fw_number;      /* Rule number */
   66         u_char          fw_prot;        /* IP protocol */
   67 #if 1
   68         u_char          fw_nports;      /* # of src/dst port in array */
   69 #define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
   70 #define IP_FW_SETNSRCP(rule, n)         do {                            \
   71                                             (rule)->fw_nports &= ~0x0f; \
   72                                             (rule)->fw_nports |= (n);   \
   73                                         } while (0)
   74 #define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
   75 #define IP_FW_SETNDSTP(rule, n)         do {                              \
   76                                             (rule)->fw_nports &= ~0xf0;   \
   77                                             (rule)->fw_nports |= (n) << 4;\
   78                                         } while (0)
   79 #define IP_FW_HAVEPORTS(rule)           ((rule)->fw_nports != 0)
   80 #else
   81         u_char          __pad[1];
   82         u_int           _nsrcp;
   83         u_int           _ndstp;
   84 #define IP_FW_GETNSRCP(rule)            (rule)->_nsrcp
   85 #define IP_FW_SETNSRCP(rule,n)          (rule)->_nsrcp = n
   86 #define IP_FW_GETNDSTP(rule)            (rule)->_ndstp
   87 #define IP_FW_SETNDSTP(rule,n)          (rule)->_ndstp = n
   88 #define IP_FW_HAVEPORTS(rule)           ((rule)->_ndstp + (rule)->_nsrcp != 0)
   89 #endif
   90 #define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
   91     union {
   92         u_short         fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
   93 #define IP_FW_ICMPTYPES_MAX     128
   94 #define IP_FW_ICMPTYPES_DIM     (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
   95         unsigned        fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
   96     } fw_uar;
   97 
   98         u_int           fw_ipflg;       /* IP flags word */
   99         u_short         fw_iplen;       /* IP length XXX */
  100         u_short         fw_ipid;        /* Identification XXX */
  101 
  102         u_char          fw_ipopt;       /* IP options set */
  103         u_char          fw_ipnopt;      /* IP options unset */
  104         u_char          fw_iptos;       /* IP type of service set XXX */
  105         u_char          fw_ipntos;      /* IP type of service unset XXX */
  106 
  107         u_char          fw_ipttl;       /* IP time to live XXX */
  108         u_char          fw_ipver:4;     /* IP version XXX */
  109         u_char          fw_tcpopt;      /* TCP options set */
  110         u_char          fw_tcpnopt;     /* TCP options unset */
  111 
  112         u_char          fw_tcpf;        /* TCP flags set/unset */
  113         u_char          fw_tcpnf;       /* TCP flags set/unset */
  114         u_short         fw_tcpwin;      /* TCP window size XXX */
  115 
  116         u_int32_t       fw_tcpseq;      /* TCP sequence XXX */
  117         u_int32_t       fw_tcpack;      /* TCP acknowledgement XXX */
  118 
  119         long            timestamp;      /* timestamp (tv_sec) of last match */
  120         union ip_fw_if  fw_in_if;       /* Incoming interfaces */
  121         union ip_fw_if  fw_out_if;      /* Outgoing interfaces */
  122     union {
  123         u_short         fu_divert_port; /* Divert/tee port (options IPDIVERT) */
  124         u_short         fu_pipe_nr;     /* queue number (option DUMMYNET) */
  125         u_short         fu_skipto_rule; /* SKIPTO command rule number */
  126         u_short         fu_reject_code; /* REJECT response code */
  127         struct sockaddr_in fu_fwd_ip;
  128     } fw_un;
  129 
  130         /*
  131          * N'of src ports and # of dst ports in ports array (dst ports
  132          * follow src ports; max of 10 ports in all; count of 0 means
  133          * match all ports)
  134          */
  135         void            *pipe_ptr;      /* flow_set ptr for dummynet pipe */
  136         void            *next_rule_ptr; /* next rule in case of match */
  137         uid_t           fw_uid;         /* uid to match */
  138         gid_t           fw_gid;         /* gid to match */
  139         int             fw_logamount;   /* amount to log */
  140         u_int64_t       fw_loghighest;  /* highest number packet to log */
  141 
  142         long            dont_match_prob; /* 0x7fffffff means 1.0-always fail */
  143         u_char          dyn_type;       /* type for dynamic rule */
  144 
  145 #define DYN_KEEP_STATE  0       /* type for keep-state rules    */
  146 #define DYN_LIMIT       1       /* type for limit connection rules */
  147 #define DYN_LIMIT_PARENT 2      /* parent entry for limit connection rules */
  148 
  149         /*
  150          * following two fields are used to limit number of connections
  151          * basing on either src, srcport, dst, dstport.
  152          */
  153         u_char          limit_mask;     /* mask type for limit rule, can
  154                                          * have many.
  155                                          */
  156 #define DYN_SRC_ADDR    0x1
  157 #define DYN_SRC_PORT    0x2
  158 #define DYN_DST_ADDR    0x4
  159 #define DYN_DST_PORT    0x8
  160 
  161         u_short         conn_limit;     /* # of connections for limit rule */
  162 };
  163 
  164 #define fw_divert_port  fw_un.fu_divert_port
  165 #define fw_skipto_rule  fw_un.fu_skipto_rule
  166 #define fw_reject_code  fw_un.fu_reject_code
  167 #define fw_pipe_nr      fw_un.fu_pipe_nr
  168 #define fw_fwd_ip       fw_un.fu_fwd_ip
  169 
  170 /*
  171  *
  172  *   rule_ptr  -------------+
  173  *                          V
  174  *     [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
  175  *     [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
  176  *     [ <ip_fw> body ]     [ <ip_fw> body ]     [ <ip_fw> body ]
  177  *
  178  */
  179  
  180 /*
  181  * Flow mask/flow id for each queue.
  182  */
  183 struct ipfw_flow_id {
  184         u_int32_t       dst_ip;
  185         u_int32_t       src_ip;
  186         u_int16_t       dst_port;
  187         u_int16_t       src_port;
  188         u_int8_t        proto;
  189         u_int8_t        flags;  /* protocol-specific flags */
  190 };
  191 
  192 /*
  193  * dynamic ipfw rule
  194  */
  195 struct ipfw_dyn_rule {
  196         struct ipfw_dyn_rule *next;
  197         struct ipfw_flow_id id;         /* (masked) flow id */
  198         struct ip_fw    *rule;          /* pointer to rule */
  199         struct ipfw_dyn_rule *parent;   /* pointer to parent rule */
  200         u_int32_t       expire;         /* expire time */
  201         u_int64_t       pcnt;           /* packet match counters */
  202         u_int64_t       bcnt;           /* byte match counters */
  203         u_int32_t       bucket;         /* which bucket in hash table */
  204         u_int32_t       state;          /* state of this rule (typically a
  205                                          * combination of TCP flags)
  206                                          */
  207         u_int16_t       dyn_type;       /* rule type */
  208         u_int16_t       count;          /* refcount */
  209 };
  210 
  211 /*
  212  * Values for "flags" field .
  213  */
  214 #define IP_FW_F_COMMAND 0x000000ff      /* Mask for type of chain entry: */
  215 #define IP_FW_F_DENY    0x00000000      /* This is a deny rule */
  216 #define IP_FW_F_REJECT  0x00000001      /* Deny and send a response packet */
  217 #define IP_FW_F_ACCEPT  0x00000002      /* This is an accept rule */
  218 #define IP_FW_F_COUNT   0x00000003      /* This is a count rule */
  219 #define IP_FW_F_DIVERT  0x00000004      /* This is a divert rule */
  220 #define IP_FW_F_TEE     0x00000005      /* This is a tee rule */
  221 #define IP_FW_F_SKIPTO  0x00000006      /* This is a skipto rule */
  222 #define IP_FW_F_FWD     0x00000007      /* This is a "change forwarding
  223                                          * address" rule
  224                                          */
  225 #define IP_FW_F_PIPE    0x00000008      /* This is a dummynet rule */
  226 #define IP_FW_F_QUEUE   0x00000009      /* This is a dummynet queue */
  227 
  228 #define IP_FW_F_IN      0x00000100      /* Check inbound packets */
  229 #define IP_FW_F_OUT     0x00000200      /* Check outbound packets */
  230 #define IP_FW_F_IIFACE  0x00000400      /* Apply inbound interface test */
  231 #define IP_FW_F_OIFACE  0x00000800      /* Apply outbound interface test */
  232 #define IP_FW_F_PRN     0x00001000      /* Print if this rule matches */
  233 #define IP_FW_F_SRNG    0x00002000      /* The first two src ports are a min
  234                                          * and max range (stored in host byte
  235                                          * order).
  236                                          */
  237 #define IP_FW_F_DRNG    0x00004000      /* The first two dst ports are a min
  238                                          * and max range (stored in host byte
  239                                          * order).
  240                                          */
  241 #define IP_FW_F_FRAG    0x00008000      /* Fragment */
  242 #define IP_FW_F_IIFNAME 0x00010000      /* In interface by name/unit (not IP) */
  243 #define IP_FW_F_OIFNAME 0x00020000      /* Out interface by name/unit (not IP)*/
  244 #define IP_FW_F_INVSRC  0x00040000      /* Invert sense of src check */
  245 #define IP_FW_F_INVDST  0x00080000      /* Invert sense of dst check */
  246 #define IP_FW_F_ICMPBIT 0x00100000      /* ICMP type bitmap is valid */
  247 #define IP_FW_F_UID     0x00200000      /* filter by uid */
  248 #define IP_FW_F_GID     0x00400000      /* filter by gid */
  249 #define IP_FW_F_RND_MATCH 0x00800000    /* probabilistic rule match */
  250 #define IP_FW_F_SMSK    0x01000000      /* src-port + mask */
  251 #define IP_FW_F_DMSK    0x02000000      /* dst-port + mask */
  252 #define IP_FW_BRIDGED   0x04000000      /* only match bridged packets */
  253 #define IP_FW_F_KEEP_S  0x08000000      /* keep state */
  254 #define IP_FW_F_CHECK_S 0x10000000      /* check state */
  255 #define IP_FW_F_SME     0x20000000      /* source = me */
  256 #define IP_FW_F_DME     0x40000000      /* destination = me */
  257 
  258 #define IP_FW_F_MASK    0x7FFFFFFF      /* All possible flag bits mask */
  259 
  260 /*
  261  * Flags for the 'fw_ipflg' field, for comparing values
  262  * of ip and its protocols. Not all are currently used,
  263  * IP_FW_IF_*MSK list the one actually used.
  264  */
  265 #define IP_FW_IF_TCPOPT 0x00000001      /* tcp options */
  266 #define IP_FW_IF_TCPFLG 0x00000002      /* tcp flags */
  267 #define IP_FW_IF_TCPSEQ 0x00000004      /* tcp sequence number */
  268 #define IP_FW_IF_TCPACK 0x00000008      /* tcp acknowledgement number */
  269 #define IP_FW_IF_TCPWIN 0x00000010      /* tcp window size */
  270 #define IP_FW_IF_TCPEST 0x00000020      /* established TCP connection */
  271 #define IP_FW_IF_TCPMSK 0x00000020      /* mask of all tcp values */
  272 
  273 #define IP_FW_IF_IPOPT  0x00000100      /* ip options */
  274 #define IP_FW_IF_IPLEN  0x00000200      /* ip length */
  275 #define IP_FW_IF_IPID   0x00000400      /* ip identification */
  276 #define IP_FW_IF_IPTOS  0x00000800      /* ip type of service */
  277 #define IP_FW_IF_IPTTL  0x00001000      /* ip time to live */
  278 #define IP_FW_IF_IPVER  0x00002000      /* ip version */
  279 #define IP_FW_IF_IPMSK  0x00000000      /* mask of all ip values */
  280 
  281 #define IP_FW_IF_MSK    0x00000020      /* All possible bits mask */
  282  
  283 /*
  284  * For backwards compatibility with rules specifying "via iface" but
  285  * not restricted to only "in" or "out" packets, we define this combination
  286  * of bits to represent this configuration.
  287  */
  288 
  289 #define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
  290 
  291 /*
  292  * Definitions for REJECT response codes.
  293  * Values less than 256 correspond to ICMP unreachable codes.
  294  */
  295 #define IP_FW_REJECT_RST        0x0100  /* TCP packets: send RST */
  296 
  297 /*
  298  * Definitions for IP option names.
  299  */
  300 #define IP_FW_IPOPT_LSRR        0x01
  301 #define IP_FW_IPOPT_SSRR        0x02
  302 #define IP_FW_IPOPT_RR          0x04
  303 #define IP_FW_IPOPT_TS          0x08
  304 
  305 /*
  306  * Definitions for TCP option names.
  307  */
  308 #define IP_FW_TCPOPT_MSS        0x01
  309 #define IP_FW_TCPOPT_WINDOW     0x02
  310 #define IP_FW_TCPOPT_SACK       0x04
  311 #define IP_FW_TCPOPT_TS         0x08
  312 #define IP_FW_TCPOPT_CC         0x10
  313 
  314 /*
  315  * Definitions for TCP flags.
  316  */
  317 #define IP_FW_TCPF_FIN          TH_FIN
  318 #define IP_FW_TCPF_SYN          TH_SYN
  319 #define IP_FW_TCPF_RST          TH_RST
  320 #define IP_FW_TCPF_PSH          TH_PUSH
  321 #define IP_FW_TCPF_ACK          TH_ACK
  322 #define IP_FW_TCPF_URG          TH_URG
  323 
  324 /*
  325  * Main firewall chains definitions and global var's definitions.
  326  */
  327 #ifdef _KERNEL
  328 
  329 #define IP_FW_PORT_DYNT_FLAG    0x10000
  330 #define IP_FW_PORT_TEE_FLAG     0x20000
  331 #define IP_FW_PORT_DENY_FLAG    0x40000
  332 
  333 /*
  334  * arguments for calling ipfw_chk() and dummynet_io(). We put them
  335  * all into a structure because this way it is easier and more
  336  * efficient to pass variables around and extend the interface.
  337  */
  338 struct ip_fw_args {
  339         struct mbuf     *m;             /* the mbuf chain               */
  340         struct ifnet    *oif;           /* output interface             */
  341         struct sockaddr_in *next_hop;   /* forward address              */
  342         struct ip_fw    *rule;          /* matching rule                */
  343         struct ether_header *eh;        /* for bridged packets          */
  344 
  345         struct route    *ro;            /* for dummynet                 */
  346         struct sockaddr_in *dst;        /* for dummynet                 */
  347         int flags;                      /* for dummynet                 */
  348 
  349         struct ipfw_flow_id f_id;       /* grabbed from IP header       */
  350         u_int16_t       divert_rule;    /* divert cookie                */
  351         u_int32_t       retval;
  352 };
  353 
  354 /*
  355  * Function definitions.
  356  */
  357 void ip_fw_init __P((void));
  358 
  359 /* Firewall hooks */
  360 struct sockopt;
  361 struct dn_flow_set;
  362 void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
  363 
  364 typedef int ip_fw_chk_t (struct ip_fw_args *args);
  365 typedef int ip_fw_ctl_t (struct sockopt *);
  366 extern ip_fw_chk_t *ip_fw_chk_ptr;
  367 extern ip_fw_ctl_t *ip_fw_ctl_ptr;
  368 extern int fw_one_pass;
  369 extern int fw_enable;
  370 extern struct ipfw_flow_id last_pkt;
  371 #define IPFW_LOADED     (ip_fw_chk_ptr != NULL)
  372 #endif /* _KERNEL */
  373 
  374 #endif /* !IPFW2 */
  375 #endif /* _IP_FW_H */

Cache object: 42465d2332e51571e296ffbc0d563dd3


[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]


This page is part of the FreeBSD/Linux Linux Kernel Cross-Reference, and was automatically generated using a modified version of the LXR engine.