FreeBSD/Linux Kernel Cross Reference
sys/netinet/ip_fw.h
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 *
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
7 *
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
11 *
12 * This software is provided ``AS IS'' without any warranties of any kind.
13 *
14 * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.23.2.5 1999/09/05 08:18:29 peter Exp $
15 */
16
17 #ifndef _IP_FW_H
18 #define _IP_FW_H
19
20 #include <net/if.h>
21
22 /*
23 * This union structure identifies an interface, either explicitly
24 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
25 * and IP_FW_F_OIFNAME say how to interpret this structure. An
26 * interface unit number of -1 matches any unit number, while an
27 * IP address of 0.0.0.0 indicates matches any interface.
28 *
29 * The receive and transmit interfaces are only compared against the
30 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
31 * is set. Note some packets lack a receive or transmit interface
32 * (in which case the missing "interface" never matches).
33 */
34
35 union ip_fw_if {
36 struct in_addr fu_via_ip; /* Specified by IP address */
37 struct { /* Specified by interface name */
38 #define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */
39 char name[FW_IFNLEN];
40 short unit; /* -1 means match any unit */
41 } fu_via_if;
42 };
43
44 /*
45 * Format of an IP firewall descriptor
46 *
47 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
48 * fw_flg and fw_n*p are stored in host byte order (of course).
49 * Port numbers are stored in HOST byte order.
50 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
51 */
52
53 struct ip_fw {
54 u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
55 struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
56 struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
57 u_short fw_number; /* Rule number */
58 u_short fw_flg; /* Flags word */
59 #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
60 u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
61 u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
62 u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
63 #define IP_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
64 unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
65 long timestamp; /* timestamp (tv_sec) of last match */
66 union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
67 union {
68 u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
69 u_short fu_pipe_nr; /* pipe number (options DUMMYNET) */
70 u_short fu_skipto_rule; /* SKIPTO command rule number */
71 u_short fu_reject_code; /* REJECT response code */
72 } fw_un;
73 u_char fw_prot; /* IP protocol */
74 u_char fw_nports; /* N'of src ports and # of dst ports */
75 /* in ports array (dst ports follow */
76 /* src ports; max of 10 ports in all; */
77 /* count of 0 means match all ports) */
78 void *pipe_ptr; /* Pipe ptr in case of dummynet pipe */
79 void *next_rule_ptr ; /* next rule in case of match */
80 };
81
82 #define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
83 #define IP_FW_SETNSRCP(rule, n) do { \
84 (rule)->fw_nports &= ~0x0f; \
85 (rule)->fw_nports |= (n); \
86 } while (0)
87 #define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
88 #define IP_FW_SETNDSTP(rule, n) do { \
89 (rule)->fw_nports &= ~0xf0; \
90 (rule)->fw_nports |= (n) << 4;\
91 } while (0)
92
93 #define fw_divert_port fw_un.fu_divert_port
94 #define fw_skipto_rule fw_un.fu_skipto_rule
95 #define fw_reject_code fw_un.fu_reject_code
96 #define fw_pipe_nr fw_un.fu_pipe_nr
97
98 struct ip_fw_chain {
99 LIST_ENTRY(ip_fw_chain) chain;
100 struct ip_fw *rule;
101 };
102
103 /*
104 * Values for "flags" field .
105 */
106 #define IP_FW_F_IN 0x0001 /* Check inbound packets */
107 #define IP_FW_F_OUT 0x0002 /* Check outbound packets */
108 #define IP_FW_F_IIFACE 0x0004 /* Apply inbound interface test */
109 #define IP_FW_F_OIFACE 0x0008 /* Apply outbound interface test */
110
111 #define IP_FW_F_COMMAND 0x0070 /* Mask for type of chain entry: */
112 #define IP_FW_F_DENY 0x0000 /* This is a deny rule */
113 #define IP_FW_F_REJECT 0x0010 /* Deny and send a response packet */
114 #define IP_FW_F_ACCEPT 0x0020 /* This is an accept rule */
115 #define IP_FW_F_COUNT 0x0030 /* This is a count rule */
116 #define IP_FW_F_DIVERT 0x0040 /* This is a divert rule */
117 #define IP_FW_F_TEE 0x0050 /* This is a tee rule */
118 #define IP_FW_F_SKIPTO 0x0060 /* This is a skipto rule */
119 #define IP_FW_F_PIPE 0x0070 /* This is a 'pipe' rule (dummynet) */
120
121 #define IP_FW_F_PRN 0x0080 /* Print if this rule matches */
122
123 #define IP_FW_F_SRNG 0x0100 /* The first two src ports are a min *
124 * and max range (stored in host byte *
125 * order). */
126
127 #define IP_FW_F_DRNG 0x0200 /* The first two dst ports are a min *
128 * and max range (stored in host byte *
129 * order). */
130
131 #define IP_FW_F_IIFNAME 0x0400 /* In interface by name/unit (not IP) */
132 #define IP_FW_F_OIFNAME 0x0800 /* Out interface by name/unit (not IP) */
133
134 #define IP_FW_F_INVSRC 0x1000 /* Invert sense of src check */
135 #define IP_FW_F_INVDST 0x2000 /* Invert sense of dst check */
136
137 #define IP_FW_F_FRAG 0x4000 /* Fragment */
138
139 #define IP_FW_F_ICMPBIT 0x8000 /* ICMP type bitmap is valid */
140
141 #define IP_FW_F_MASK 0xFFFF /* All possible flag bits mask */
142
143 /*
144 * For backwards compatibility with rules specifying "via iface" but
145 * not restricted to only "in" or "out" packets, we define this combination
146 * of bits to represent this configuration.
147 */
148
149 #define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
150
151 /*
152 * Definitions for REJECT response codes.
153 * Values less than 256 correspond to ICMP unreachable codes.
154 */
155 #define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
156
157 /*
158 * Definitions for IP option names.
159 */
160 #define IP_FW_IPOPT_LSRR 0x01
161 #define IP_FW_IPOPT_SSRR 0x02
162 #define IP_FW_IPOPT_RR 0x04
163 #define IP_FW_IPOPT_TS 0x08
164
165 /*
166 * Definitions for TCP flags.
167 */
168 #define IP_FW_TCPF_FIN TH_FIN
169 #define IP_FW_TCPF_SYN TH_SYN
170 #define IP_FW_TCPF_RST TH_RST
171 #define IP_FW_TCPF_PSH TH_PUSH
172 #define IP_FW_TCPF_ACK TH_ACK
173 #define IP_FW_TCPF_URG TH_URG
174 #define IP_FW_TCPF_ESTAB 0x40
175
176 /*
177 * Main firewall chains definitions and global var's definitions.
178 */
179 #ifdef KERNEL
180
181 /*
182 * Function definitions.
183 */
184 void ip_fw_init(void);
185
186 #endif /* KERNEL */
187
188 #endif /* _IP_FW_H */
Cache object: 6fece33c0ebe31041ba042d4d82d38b5
|