


sys/netinet/ip_fw.h


    1 /*
    2  * Copyright (c) 1993 Daniel Boulet
    3  * Copyright (c) 1994 Ugen J.S.Antsilevich
    4  *
    5  * Redistribution and use in source forms, with and without modification,
    6  * are permitted provided that this entire comment appears intact.
    7  *
    8  * Redistribution in binary form may occur without any restrictions.
    9  * Obviously, it would be nice if you gave credit where credit is due
   10  * but requiring it would be too onerous.
   11  *
   12  * This software is provided ``AS IS'' without any warranties of any kind.
   13  *
   14  * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.23.2.5 1999/09/05 08:18:29 peter Exp $
   15  */
   16 
   17 #ifndef _IP_FW_H
   18 #define _IP_FW_H
   19 
   20 #include <net/if.h>
   21 
   22 /*
   23  * This union structure identifies an interface, either explicitly
   24  * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
   25  * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 matches any interface.
   28  *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
   31  * is set. Note some packets lack a receive or transmit interface
   32  * (in which case the missing "interface" never matches).
   33  */
   34 
/*
 * Interface selector for a rule: either an IPv4 address (fu_via_ip) or a
 * driver name plus unit number (fu_via_if).  The union carries no tag;
 * which member is live is decided by the rule's IP_FW_F_IIFNAME /
 * IP_FW_F_OIFNAME flag bits, so readers must consult fw_flg first.
 */
union ip_fw_if {
    struct in_addr fu_via_ip;   /* Specified by IP address */
    struct {                    /* Specified by interface name */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ (presumably shrunk so
                          * struct ip_fw stays within the MLEN limit
                          * noted below) */
            /* Shorter than IFNAMSIZ, so a full-length name may fill the
             * array with no terminating NUL: treat this as a fixed-width
             * field and compare it with a length-bounded routine. */
            char  name[FW_IFNLEN];
            short unit;         /* -1 means match any unit */
    } fu_via_if;
};
   43 
   44 /*
   45  * Format of an IP firewall descriptor
   46  *
   47  * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
   48  * fw_flg and fw_n*p are stored in host byte order (of course).
   49  * Port numbers are stored in HOST byte order.
   50  * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
   51  */
   52 
/*
 * One firewall rule.  This is the object exchanged with the kernel
 * through setsockopt() (see the size warning above), so its layout is
 * part of the user/kernel ABI and must not be reordered or padded.
 * Which member of fw_un is meaningful is decided by the command bits
 * of fw_flg (IP_FW_F_COMMAND); the others are ignored.
 */
struct ip_fw {
    u_long fw_pcnt,fw_bcnt;             /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;      /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;    /* Mask for src and dest IP addr */
    u_short fw_number;                  /* Rule number */
    u_short fw_flg;                     /* Flags word: IP_FW_F_* bits below */
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
    /* Source ports come first, destination ports follow; the two counts
     * live in fw_nports (IP_FW_GETNSRCP / IP_FW_GETNDSTP).  Their sum
     * must be checked against IP_FW_MAX_PORTS by whoever consumes a rule
     * supplied from userland before this array is indexed. */
    u_short fw_pts[IP_FW_MAX_PORTS];    /* Array of port numbers to match */
    u_char fw_ipopt,fw_ipnopt;          /* IP options set/unset (IP_FW_IPOPT_*) */
    u_char fw_tcpf,fw_tcpnf;            /* TCP flags set/unset (IP_FW_TCPF_*) */
    /* With a 32-bit unsigned this is a single word, i.e. only ICMP types
     * 0..31 can be expressed; valid only when IP_FW_F_ICMPBIT is set. */
#define IP_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
    unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
    long timestamp;                     /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
    union {                             /* Per-command argument, see fw_flg */
        u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
        u_short fu_pipe_nr;             /* pipe number (options DUMMYNET) */
        u_short fu_skipto_rule;         /* SKIPTO command rule number */
        u_short fu_reject_code;         /* REJECT response code (IP_FW_REJECT_*) */
    } fw_un;
    u_char fw_prot;                     /* IP protocol */
    u_char fw_nports;                   /* N'of src ports and # of dst ports */
                                        /* in ports array (dst ports follow */
                                        /* src ports; max of 10 ports in all; */
                                        /* count of 0 means match all ports) */
    /* NOTE(review): the two pointers below are kernel-private state kept
     * in a struct that also arrives from userland.  The kernel should
     * overwrite them itself rather than use whatever a caller put there;
     * confirm in the rule-loading code, which is not in this header. */
    void *pipe_ptr;                     /* Pipe ptr in case of dummynet pipe */
    void *next_rule_ptr ;               /* next rule in case of match */
};
   81 
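/*
 * Accessors for the two 4-bit counts packed into fw_nports: the number
 * of source ports in the low nibble and the number of destination ports
 * in the high nibble.
 *
 * The setters mask the count to its nibble so that an out-of-range value
 * cannot spill into the neighbouring count.  This is containment, not
 * validation: a count above IP_FW_MAX_PORTS (or a src+dst sum above it)
 * is still an invalid rule and must be rejected by the caller before
 * fw_pts is indexed.  Evaluate (n) only once; (rule) is evaluated twice.
 */
#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0x0f;   \
                                          (rule)->fw_nports |= ((n) & 0x0f); \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0xf0;   \
                                          (rule)->fw_nports |= (((n) & 0x0f) << 4); \
                                        } while (0)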
   92 
/*
 * Convenience names for the fw_un members, so code can write
 * rule->fw_divert_port instead of rule->fw_un.fu_divert_port.  Only the
 * member matching the rule's command (fw_flg & IP_FW_F_COMMAND) is
 * meaningful; the aliases share storage.
 */
#define fw_divert_port  fw_un.fu_divert_port
#define fw_skipto_rule  fw_un.fu_skipto_rule
#define fw_reject_code  fw_un.fu_reject_code
#define fw_pipe_nr      fw_un.fu_pipe_nr
   97 
/*
 * Kernel-side list node wrapping one rule.  LIST_ENTRY is presumably the
 * <sys/queue.h> link macro; that header is not included here, so an
 * includer must provide it before this one.
 */
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) chain;  /* links in the active rule list */
        struct ip_fw    *rule;          /* the rule this node owns */
};
  102 
  103 /*
 * Values for the "flags" field.
  105  */
/*
 * fw_flg is a 16-bit word and IP_FW_F_MASK covers every bit defined
 * here.  Bits 0-3 are independent booleans selecting which packets and
 * which interface tests apply.
 */
#define IP_FW_F_IN      0x0001  /* Check inbound packets                */
#define IP_FW_F_OUT     0x0002  /* Check outbound packets               */
#define IP_FW_F_IIFACE  0x0004  /* Apply inbound interface test         */
#define IP_FW_F_OIFACE  0x0008  /* Apply outbound interface test        */

/*
 * Bits 4-6 form a 3-bit command field, not independent flags: extract
 * it with (fw_flg & IP_FW_F_COMMAND) and compare for equality against
 * one of the values below.  The all-zero encoding is DENY, so a rule
 * whose command bits were never set drops traffic rather than passing it.
 */
#define IP_FW_F_COMMAND 0x0070  /* Mask for type of chain entry:        */
#define IP_FW_F_DENY    0x0000  /* This is a deny rule                  */
#define IP_FW_F_REJECT  0x0010  /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT  0x0020  /* This is an accept rule               */
#define IP_FW_F_COUNT   0x0030  /* This is a count rule                 */
#define IP_FW_F_DIVERT  0x0040  /* This is a divert rule                */
#define IP_FW_F_TEE     0x0050  /* This is a tee rule                   */
#define IP_FW_F_SKIPTO  0x0060  /* This is a skipto rule                */
#define IP_FW_F_PIPE    0x0070  /* This is a 'pipe' rule (dummynet)     */

#define IP_FW_F_PRN     0x0080  /* Print if this rule matches           */

/* Range flags reinterpret fw_pts[0..1] (src) / the first two dst entries
 * as an inclusive min..max pair instead of two individual ports. */
#define IP_FW_F_SRNG    0x0100  /* The first two src ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

#define IP_FW_F_DRNG    0x0200  /* The first two dst ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

/* Select the fu_via_if member of fw_in_if / fw_out_if instead of fu_via_ip. */
#define IP_FW_F_IIFNAME 0x0400  /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME 0x0800  /* Out interface by name/unit (not IP)  */

#define IP_FW_F_INVSRC  0x1000  /* Invert sense of src check            */
#define IP_FW_F_INVDST  0x2000  /* Invert sense of dst check            */

#define IP_FW_F_FRAG    0x4000  /* Fragment                             */

#define IP_FW_F_ICMPBIT 0x8000  /* ICMP type bitmap is valid            */

#define IP_FW_F_MASK    0xFFFF  /* All possible flag bits mask          */
  142 
  143 /*
  144  * For backwards compatibility with rules specifying "via iface" but
  145  * not restricted to only "in" or "out" packets, we define this combination
  146  * of bits to represent this configuration.
  147  */
  148 
/* NB: the "IF_" prefix is historical -- every other flag macro in this
 * header uses "IP_FW_"; the name is kept for source compatibility. */
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
  150 
  151 /*
  152  * Definitions for REJECT response codes.
  153  * Values less than 256 correspond to ICMP unreachable codes.
  154  */
/* Values of 256 and above are ipfw-specific rather than ICMP codes. */
#define IP_FW_REJECT_RST        0x0100          /* TCP packets: send RST */
  156 
  157 /*
  158  * Definitions for IP option names.
  159  */
/*
 * Bit values for fw_ipopt (options that must be present) and fw_ipnopt
 * (options that must be absent).  These are ipfw-local bit positions,
 * one per tracked option, not the option numbers carried on the wire.
 */
#define IP_FW_IPOPT_LSRR        0x01    /* loose source route */
#define IP_FW_IPOPT_SSRR        0x02    /* strict source route */
#define IP_FW_IPOPT_RR          0x04    /* record route */
#define IP_FW_IPOPT_TS          0x08    /* timestamp */
  164 
  165 /*
  166  * Definitions for TCP flags.
  167  */
/*
 * Bit values for fw_tcpf (flags that must be set) and fw_tcpnf (flags
 * that must be clear).  The first six alias the TH_* header bits, which
 * come from <netinet/tcp.h>; that header is not included here and must
 * be included before this one.
 */
#define IP_FW_TCPF_FIN          TH_FIN
#define IP_FW_TCPF_SYN          TH_SYN
#define IP_FW_TCPF_RST          TH_RST
#define IP_FW_TCPF_PSH          TH_PUSH
#define IP_FW_TCPF_ACK          TH_ACK
#define IP_FW_TCPF_URG          TH_URG
/* ipfw pseudo-flag ("established" connection), not a header bit aliased
 * above.  NOTE(review): later <netinet/tcp.h> revisions define TH_ECE
 * with this same value, so the matcher should strip this bit before
 * comparing the rest against a packet's th_flags -- confirm in the
 * matching code, which is not in this header. */
#define IP_FW_TCPF_ESTAB        0x40
  175 
  176 /*
 * Main firewall chain definitions and global variable definitions.
  178  */
#ifdef KERNEL

/*
 * Function definitions.
 */
/* Kernel-only entry point that sets up the firewall; the definition
 * lives in the kernel implementation, not in this header.  Presumably
 * called once during network initialisation -- verify against the caller. */
void ip_fw_init(void);

#endif /* KERNEL */
  187 
  188 #endif /* _IP_FW_H */




