sys/netpfil/ipfilter/netinet/ip_fil.h
    1 /*
    2  * Copyright (C) 2012 by Darren Reed.
    3  *
    4  * See the IPFILTER.LICENCE file for details on licencing.
    5  *
    6  * @(#)ip_fil.h 1.35 6/5/96
    7  * $FreeBSD$
    8  * Id: ip_fil.h,v 2.170.2.51 2007/10/10 09:48:03 darrenr Exp $
    9  */
   10 
/*
 * NOTE(review): the guard name sits in the double-underscore namespace that
 * the C standard reserves for the implementation.
 */
#ifndef __IP_FIL_H__
#define __IP_FIL_H__

#include <netinet/in.h>

#include "netinet/ip_compat.h"
#include "netinet/ipf_rb.h"
#if NETBSD_GE_REV(104040000)
# include <sys/callout.h>
#endif
#if defined(BSD) && defined(_KERNEL)
# include <sys/selinfo.h>
#endif

/*
 * Pin SOLARIS to an explicit 0 or 1 so the "#if SOLARIS" tests later in
 * this header (e.g. inside fr_info) never evaluate an undefined macro.
 */
#ifndef SOLARIS
# if defined(sun) && defined(__SVR4)
#  define       SOLARIS         1
# else
#  define       SOLARIS         0
# endif
#endif

/* Prototype-argument wrapper; the identity when the platform lacks one. */
#ifndef __P
# define        __P(x)  x
#endif

/*
 * ioctl request codes for the IPFilter control device.  All use the 'r'
 * group, numbered 60..98.  _IOW codes carry a payload from user space into
 * the kernel, _IOR codes carry one out, _IOWR both ways; the third argument
 * is the payload type.  Most requests exchange a struct ipfobj (declared
 * elsewhere); SIOCFUNCL exchanges the ipfunc_resolve_t defined below.
 * These are the user/kernel boundary: every payload is untrusted until the
 * handler has validated it.
 */
#define SIOCADAFR       _IOW('r', 60, struct ipfobj)
#define SIOCRMAFR       _IOW('r', 61, struct ipfobj)
#define SIOCSETFF       _IOW('r', 62, u_int)
#define SIOCGETFF       _IOR('r', 63, u_int)
#define SIOCGETFS       _IOWR('r', 64, struct ipfobj)
#define SIOCIPFFL       _IOWR('r', 65, int)
#define SIOCIPFFB       _IOR('r', 66, int)
#define SIOCADIFR       _IOW('r', 67, struct ipfobj)
#define SIOCRMIFR       _IOW('r', 68, struct ipfobj)
#define SIOCSWAPA       _IOR('r', 69, u_int)
#define SIOCINAFR       _IOW('r', 70, struct ipfobj)
#define SIOCINIFR       _IOW('r', 71, struct ipfobj)
#define SIOCFRENB       _IOW('r', 72, u_int)
#define SIOCFRSYN       _IOW('r', 73, u_int)
#define SIOCFRZST       _IOWR('r', 74, struct ipfobj)
#define SIOCZRLST       _IOWR('r', 75, struct ipfobj)
#define SIOCAUTHW       _IOWR('r', 76, struct ipfobj)
#define SIOCAUTHR       _IOWR('r', 77, struct ipfobj)
#define SIOCSTAT1       _IOWR('r', 78, struct ipfobj)
#define SIOCSTLCK       _IOWR('r', 79, u_int)
#define SIOCSTPUT       _IOWR('r', 80, struct ipfobj)
#define SIOCSTGET       _IOWR('r', 81, struct ipfobj)
#define SIOCSTGSZ       _IOWR('r', 82, struct ipfobj)
#define SIOCSTAT2       _IOWR('r', 83, struct ipfobj)
#define SIOCSETLG       _IOWR('r', 84, int)
#define SIOCGETLG       _IOWR('r', 85, int)
#define SIOCFUNCL       _IOWR('r', 86, struct ipfunc_resolve)
#define SIOCIPFGETNEXT  _IOWR('r', 87, struct ipfobj)
#define SIOCIPFGET      _IOWR('r', 88, struct ipfobj)
#define SIOCIPFSET      _IOWR('r', 89, struct ipfobj)
#define SIOCIPFL6       _IOWR('r', 90, int)
#define SIOCIPFITER     _IOWR('r', 91, struct ipfobj)
#define SIOCGENITER     _IOWR('r', 92, struct ipfobj)
#define SIOCGTABL       _IOWR('r', 93, struct ipfobj)
#define SIOCIPFDELTOK   _IOWR('r', 94, int)
#define SIOCLOOKUPITER  _IOWR('r', 95, struct ipfobj)
#define SIOCGTQTAB      _IOWR('r', 96, struct ipfobj)
#define SIOCMATCHFLUSH  _IOWR('r', 97, struct ipfobj)
#define SIOCIPFINTERROR _IOR('r', 98, int)
/* Alternative names: plain aliases of codes defined above. */
#define SIOCADDFR       SIOCADAFR
#define SIOCDELFR       SIOCRMAFR
#define SIOCINSFR       SIOCINAFR
#define SIOCATHST       SIOCSTAT1
#define SIOCGFRST       SIOCSTAT2


/* Incomplete types that this header only ever refers to by pointer. */
struct ipscan;
struct ifnet;
struct ipf_main_softc_s;

/*
 * Signature of a lookup callback (stored through the iplookupfunc alias
 * below).  The parameters are unnamed here; their meaning is fixed by the
 * lookup code that installs the callback, not by this header.
 */
typedef int     (* lookupfunc_t)(struct ipf_main_softc_s *, void *,
                                     int, void *, u_int);

/*
 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
 * as other types of objects, depending on its qualifier.
 *
 * All members share one storage area sized by the largest of them: i6[4]
 * is 16 bytes, in4 overlays i6[0], in6 (when USE_INET6) overlays all of
 * i6[], and vptr/lptr/i6un reuse the same bytes for the lookup-object
 * forms named by the alias macros that follow.
 */
typedef union   i6addr  {
        u_32_t  i6[4];                  /* 128 bits as four 32-bit words */
        struct  in_addr in4;            /* IPv4 address, overlays i6[0] */
#ifdef  USE_INET6
        struct  in6_addr in6;           /* IPv6 address, overlays i6[0..3] */
#endif
        void    *vptr[2];               /* two pointers (16 bytes on LP64) */
        lookupfunc_t    lptr[2];        /* two callback pointers */
        struct {
                u_short type;
                u_short subtype;
                int     name;
        } i6un;                         /* lookup object id: 8 bytes */
} i6addr_t;

/* Member aliases for the different things an i6addr_t can hold. */
#define in4_addr        in4.s_addr
#define iplookupnum     i6[1]
#define iplookupname    i6un.name
#define iplookuptype    i6un.type
#define iplookupsubtype i6un.subtype
/*
 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
 * With 8-byte pointers vptr[0] spans bytes 0..7, i.e. both i6un and
 * iplookupnum (i6[1]); lptr[1] spans bytes 8..15 (i6[2..3]).  A single
 * i6addr_t therefore cannot carry a lookup number and a pointer at once.
 */
#define iplookupptr     vptr[0]
#define iplookupfunc    lptr[1]

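/*
 * Word accessors for a 128-bit address held as four 32-bit words in
 * network byte order, word [0] most significant (IP6_INC below carries from
 * [3] toward [0]).  I6n(x) yields word n as stored; HI6n(x) yields it
 * converted to host order.  The (u_32_t *) cast is applied to whatever the
 * caller passes, so x must address 16 bytes of suitably aligned storage.
 */
#define I60(x)  (((u_32_t *)(x))[0])
#define I61(x)  (((u_32_t *)(x))[1])
#define I62(x)  (((u_32_t *)(x))[2])
#define I63(x)  (((u_32_t *)(x))[3])
#define HI60(x) ntohl(((u_32_t *)(x))[0])
#define HI61(x) ntohl(((u_32_t *)(x))[1])
#define HI62(x) ntohl(((u_32_t *)(x))[2])
#define HI63(x) ntohl(((u_32_t *)(x))[3])

/* Equality, zero and all-ones tests; byte order does not matter for these. */
#define IP6_EQ(a,b)     ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
                         (I61(a) == I61(b)) && (I60(a) == I60(b)))
#define IP6_NEQ(a,b)    ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
                         (I61(a) != I61(b)) || (I60(a) != I60(b)))
#define IP6_ISZERO(a)   ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
#define IP6_NOTZERO(a)  ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
#define IP6_ISONES(a)   ((I63(a) == 0xffffffff) && (I62(a) == 0xffffffff) && \
                         (I61(a) == 0xffffffff) && (I60(a) == 0xffffffff))
/*
 * Ordering: compare word by word from the most significant word, each word
 * in host order.  HI6n() already performs the ntohl(); it must not be
 * applied a second time, since on little-endian hosts ntohl(ntohl(w)) is
 * the raw network-order word and the comparison then ranks addresses by
 * their byte-swapped value.
 */
#define IP6_GT(a,b)     (HI60(a) > HI60(b) || \
                         (HI60(a) == HI60(b) && \
                          (HI61(a) > HI61(b) || \
                           (HI61(a) == HI61(b) && \
                            (HI62(a) > HI62(b) || \
                             (HI62(a) == HI62(b) && \
                              HI63(a) > HI63(b)))))))
#define IP6_LT(a,b)     (HI60(a) < HI60(b) || \
                         (HI60(a) == HI60(b) && \
                          (HI61(a) < HI61(b) || \
                           (HI61(a) == HI61(b) && \
                            (HI62(a) < HI62(b) || \
                             (HI62(a) == HI62(b) && \
                              HI63(a) < HI63(b)))))))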
/* Add x to a 32-bit value kept in network byte order; wraps modulo 2^32. */
#define NLADD(n,x)      htonl(ntohl(n) + (x))
/*
 * Increment a 128-bit network-order address in place: add one to word [3]
 * and carry into the next more significant word whenever a word wraps to
 * zero.  a must address four u_32_t; a wrap of word [0] is simply lost.
 */
#define IP6_INC(a)      \
                do { u_32_t *_i6 = (u_32_t *)(a); \
                  _i6[3] = NLADD(_i6[3], 1); \
                  if (_i6[3] == 0) { \
                        _i6[2] = NLADD(_i6[2], 1); \
                        if (_i6[2] == 0) { \
                                _i6[1] = NLADD(_i6[1], 1); \
                                if (_i6[1] == 0) { \
                                        _i6[0] = NLADD(_i6[0], 1); \
                                } \
                        } \
                  } \
                } while (0)
/*
 * IP6_ADD(a,x,d): d->i6[0] = a->i6[0] + x, with any carry pushed on into
 * d->i6[1], then d->i6[2], then d->i6[3].
 *
 * NOTE(review): this does not mirror IP6_INC, which treats word [3] as the
 * least significant and carries toward word [0].  Here the addend lands in
 * word [0] and carries run toward word [3].  Words [1..3] of d are also
 * read-modified (NLADD(_d->i6[n], 1)) without ever being copied from a, so
 * when d != a they keep whatever d held beforehand.  Confirm the intended
 * semantics against the callers before using it with d != a.
 */
#define IP6_ADD(a,x,d)  \
                do { i6addr_t *_s = (i6addr_t *)(a); \
                  i6addr_t *_d = (i6addr_t *)(d); \
                  _d->i6[0] = NLADD(_s->i6[0], x); \
                  if (ntohl(_d->i6[0]) < ntohl(_s->i6[0])) { \
                        _d->i6[1] = NLADD(_d->i6[1], 1); \
                        if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
                                _d->i6[2] = NLADD(_d->i6[2], 1); \
                                if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
                                        _d->i6[3] = NLADD(_d->i6[3], 1); \
                                } \
                        } \
                  } \
                } while (0)
/* d = a & b, word by word; byte order is irrelevant to bitwise operations. */
#define IP6_AND(a,b,d)  do { i6addr_t *_s1 = (i6addr_t *)(a); \
                          i6addr_t *_s2 = (i6addr_t *)(b); \
                          i6addr_t *_d = (i6addr_t *)(d); \
                          _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
                          _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
                          _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
                          _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
                        } while (0)
/* a &= m, word by word, in place. */
#define IP6_ANDASSIGN(a,m) \
                        do { i6addr_t *_d = (i6addr_t *)(a); \
                          i6addr_t *_m = (i6addr_t *)(m); \
                          _d->i6[0] &= _m->i6[0]; \
                          _d->i6[1] &= _m->i6[1]; \
                          _d->i6[2] &= _m->i6[2]; \
                          _d->i6[3] &= _m->i6[3]; \
                        } while (0)
/*
 * True when (a & m) == b in every word; IP6_MASKNEQ is the exact negation.
 * b is expected to already be masked, since it is compared unmasked.
 */
#define IP6_MASKEQ(a,m,b) \
                        (((I60(a) & I60(m)) == I60(b)) && \
                         ((I61(a) & I61(m)) == I61(b)) && \
                         ((I62(a) & I62(m)) == I62(b)) && \
                         ((I63(a) & I63(m)) == I63(b)))
#define IP6_MASKNEQ(a,m,b) \
                        (((I60(a) & I60(m)) != I60(b)) || \
                         ((I61(a) & I61(m)) != I61(b)) || \
                         ((I62(a) & I62(m)) != I62(b)) || \
                         ((I63(a) & I63(m)) != I63(b)))
/* a |= b & ~c, word by word: OR in the bits of b that c does not cover. */
#define IP6_MERGE(a,b,c) \
                        do { i6addr_t *_d, *_s1, *_s2; \
                          _d = (i6addr_t *)(a); \
                          _s1 = (i6addr_t *)(b); \
                          _s2 = (i6addr_t *)(c); \
                          _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
                          _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
                          _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
                          _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
                        } while (0)
/* a = b & ~c, word by word: b with the bits of c cleared. */
#define IP6_MASK(a,b,c) \
                        do { i6addr_t *_d, *_s1, *_s2; \
                          _d = (i6addr_t *)(a); \
                          _s1 = (i6addr_t *)(b); \
                          _s2 = (i6addr_t *)(c); \
                          _d->i6[0] = _s1->i6[0] & ~_s2->i6[0]; \
                          _d->i6[1] = _s1->i6[1] & ~_s2->i6[1]; \
                          _d->i6[2] = _s1->i6[2] & ~_s2->i6[2]; \
                          _d->i6[3] = _s1->i6[3] & ~_s2->i6[3]; \
                        } while (0)
/* Set all 128 bits of a (an all-ones mask). */
#define IP6_SETONES(a)  \
                        do { i6addr_t *_d = (i6addr_t *)(a); \
                          _d->i6[0] = 0xffffffff; \
                          _d->i6[1] = 0xffffffff; \
                          _d->i6[2] = 0xffffffff; \
                          _d->i6[3] = 0xffffffff; \
                        } while (0)

/*
 * IP security option: viewed either as two 16-bit RIPSO values (reached
 * as fi_secmsk and fi_auth below) or as one 32-bit DOI (fi_doi).
 */
typedef union ipso_u    {
        u_short ipso_ripso[2];
        u_32_t  ipso_doi;
} ipso_t;

/*
 * Summary of the IP (and transport) header fields a rule can match on.
 * It serves both as the summary of the packet under inspection
 * (fr_info.fin_fi) and, in pairs, as a rule's match value and mask
 * (fripf.fri_ip / fri_mip).  The first five bit-fields add up to 32 bits.
 */
typedef struct  fr_ip   {
        u_32_t  fi_v:4;         /* IP version */
        u_32_t  fi_xx:4;        /* spare */
        u_32_t  fi_tos:8;       /* IP packet TOS */
        u_32_t  fi_ttl:8;       /* IP packet TTL */
        u_32_t  fi_p:8;         /* IP packet protocol */
        u_32_t  fi_optmsk;      /* bitmask composed from IP options */
        i6addr_t fi_src;        /* source address from packet */
        i6addr_t fi_dst;        /* destination address from packet */
        ipso_t  fi_ipso;        /* IP security options */
        u_32_t  fi_flx;         /* packet flags (FI_* below) */
        u_32_t  fi_tcpmsk;      /* TCP options set/reset */
        u_32_t  fi_ports[2];    /* TCP ports */
        u_char  fi_tcpf;        /* TCP flags */
        u_char  fi_sensitivity; /* not described in this header */
        u_char  fi_xxx[2];      /* pad */
} fr_ip_t;

/*
 * For use in fi_flx
 */
#define FI_TCPUDP       0x0001  /* TCP/UCP implied comparison*/
#define FI_OPTIONS      0x0002
#define FI_FRAG         0x0004
#define FI_SHORT        0x0008
#define FI_NATED        0x0010
#define FI_MULTICAST    0x0020
#define FI_BROADCAST    0x0040
#define FI_MBCAST       0x0080
#define FI_STATE        0x0100
#define FI_BADNAT       0x0200
#define FI_BAD          0x0400
#define FI_OOW          0x0800  /* Out of state window, else match */
#define FI_ICMPERR      0x1000
#define FI_FRAGBODY     0x2000
#define FI_BADSRC       0x4000
#define FI_LOWTTL       0x8000
/*
 * NOTE(review): the comments on FI_CMP and FI_WITH understate what the
 * values leave out.  0x5cfe3 clears FI_FRAG, FI_SHORT, FI_NATED,
 * FI_ICMPERR, FI_FRAGBODY, FI_COALESCE, FI_ICMPQUERY and every bit from
 * FI_ENCAP upward; FI_FRAGTAIL is not defined in this header.  0x5effe
 * clears FI_TCPUDP, FI_ICMPERR, FI_COALESCE, FI_ICMPQUERY and every bit
 * from FI_ENCAP upward.  FI_ICMPCMP is FI_TCPUDP|FI_OPTIONS.
 */
#define FI_CMP          0x5cfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
#define FI_ICMPCMP      0x0003  /* Flags we can check for ICMP error packets */
#define FI_WITH         0x5effe /* Not FI_TCPUDP */
#define FI_V6EXTHDR     0x10000
#define FI_COALESCE     0x20000
#define FI_NEWNAT       0x40000
#define FI_ICMPQUERY    0x80000
#define FI_ENCAP        0x100000        /* encap/decap with NAT */
#define FI_AH           0x200000        /* AH header present */
#define FI_DOCKSUM      0x10000000      /* Proxy wants L4 recalculation */
#define FI_NOCKSUM      0x20000000      /* don't do a L4 checksum validation */
#define FI_NOWILD       0x40000000      /* Do not do wildcard searches */
#define FI_IGNORE       0x80000000      /* top bit of the 32-bit fi_flx */

/*
 * Shorthands into fr_ip_t's nested members.  The fi_src*/fi_dst* lookup
 * names resolve through the i6addr_t aliases defined earlier, so the same
 * overlap caveats apply.
 */
#define fi_secmsk       fi_ipso.ipso_ripso[0]
#define fi_auth         fi_ipso.ipso_ripso[1]
#define fi_doi          fi_ipso.ipso_doi
#define fi_saddr        fi_src.in4.s_addr
#define fi_daddr        fi_dst.in4.s_addr
#define fi_srcnum       fi_src.iplookupnum
#define fi_dstnum       fi_dst.iplookupnum
#define fi_srcname      fi_src.iplookupname
#define fi_dstname      fi_dst.iplookupname
#define fi_srctype      fi_src.iplookuptype
#define fi_dsttype      fi_dst.iplookuptype
#define fi_srcsubtype   fi_src.iplookupsubtype
#define fi_dstsubtype   fi_dst.iplookupsubtype
#define fi_srcptr       fi_src.iplookupptr
#define fi_dstptr       fi_dst.iplookupptr
#define fi_srcfunc      fi_src.iplookupfunc
#define fi_dstfunc      fi_dst.iplookupfunc


/*
 * These are both used by the state and NAT code to indicate that one port or
 * the other should be treated as a wildcard.
 * NOTE: When updating, check bit masks in ip_state.h and update there too.
 * SI_WILDP and SI_WILDA are the OR of their two component bits.
 */
#define SI_W_SPORT      0x00000100
#define SI_W_DPORT      0x00000200
#define SI_WILDP        (SI_W_SPORT|SI_W_DPORT)
#define SI_W_SADDR      0x00000400
#define SI_W_DADDR      0x00000800
#define SI_WILDA        (SI_W_SADDR|SI_W_DADDR)
#define SI_NEWFR        0x00001000
#define SI_CLONE        0x00002000
#define SI_CLONED       0x00004000
#define SI_NEWCLONE     0x00008000

/*
 * Transport-layer summary: two 16-bit port values and the TCP flag byte.
 * The fin_dat field of fr_info notes that ICMP code/type travel here too.
 */
typedef struct {
        u_short fda_ports[2];
        u_char  fda_tcpf;               /* TCP header flags (SYN, ACK, etc) */
} frdat_t;

/*
 * Reasons recorded in fr_info.fin_reason ("why auto blocked").
 * FRB_MAX_VALUE mirrors the highest enumerator; keep the two in step
 * whenever a reason is added.
 */
typedef enum fr_breasons_e {
        FRB_BLOCKED = 0,
        FRB_LOGFAIL = 1,
        FRB_PPSRATE = 2,
        FRB_JUMBO = 3,
        FRB_MAKEFRIP = 4,
        FRB_STATEADD = 5,
        FRB_UPDATEIPID = 6,
        FRB_LOGFAIL2 = 7,
        FRB_DECAPFRIP = 8,
        FRB_AUTHNEW = 9,
        FRB_AUTHCAPTURE = 10,
        FRB_COALESCE = 11,
        FRB_PULLUP = 12,
        FRB_AUTHFEEDBACK = 13,
        FRB_BADFRAG = 14,
        FRB_NATV4 = 15,
        FRB_NATV6 = 16,
} fr_breason_t;

#define FRB_MAX_VALUE   16

/*
 * Checksum verification state kept in fr_info.fin_cksum.  BAD/NEEDED/SUMOK
 * are the -1/0/1 values described at that field; what L4PART and L4FULL
 * denote is not described in this header.
 */
typedef enum ipf_cksum_e {
        FI_CK_BAD = -1,
        FI_CK_NEEDED = 0,
        FI_CK_SUMOK = 1,
        FI_CK_L4PART = 2,
        FI_CK_L4FULL = 4
} ipf_cksum_t;

/*
 * Per-packet working state carried through the filter.  Field order is
 * load-bearing: FI_CSIZE, FI_LCSIZE and FI_COPYSIZE (below) are offsetof()
 * prefixes of this structure, and the comment before fin_crc explains why
 * fin_dp is the cut-off.
 */
typedef struct  fr_info {
        void    *fin_main_soft;
#ifdef __FreeBSD__
        struct ifnet    *fin_ifp;       /* interface packet is `on' */
#else
        void    *fin_ifp;               /* interface packet is `on' */
#endif
        struct  frentry *fin_fr;        /* last matching rule */
        int     fin_out;                /* in or out ? 1 == out, 0 == in */
        fr_ip_t fin_fi;                 /* IP Packet summary */
        frdat_t fin_dat;                /* TCP/UDP ports, ICMP code/type */
        int     fin_dlen;               /* length of data portion of packet */
        int     fin_plen;               /* presumably total packet length - confirm */
        u_32_t  fin_rule;               /* rule # last matched */
        u_short fin_hlen;               /* length of IP header in bytes */
        /*
         * NOTE(review): declared as a char array although the comment
         * speaks of a number; confirm how "-1" is encoded here.
         */
        char    fin_group[FR_GROUPLEN]; /* group number, -1 for none */
        void    *fin_dp;                /* start of data past IP header */
        /*
         * Fields after fin_dp aren't used for compression of log records.
         * fin_fi contains the IP version (fin_family)
         * fin_rule isn't included because adding a new rule can change it but
         * not change fin_fr. fin_rule is the rule number reported.
         * It isn't necessary to include fin_crc because that is checked
         * for explicitly, before calling bcmp.
         */
        u_32_t  fin_crc;                /* Simple calculation for logging */
        int     fin_family;             /* AF_INET, etc. */
        int     fin_icode;              /* ICMP error to return */
        int     fin_mtu;                /* MTU input for ICMP need-frag */
        int     fin_rev;                /* state only: 1 = reverse */
        int     fin_ipoff;              /* # bytes from buffer start to hdr */
        u_32_t  fin_id;                 /* IP packet id field */
        u_short fin_l4hlen;             /* length of L4 header, if known */
        u_short fin_off;                /* presumably fragment offset - confirm */
        int     fin_depth;              /* Group nesting depth */
        int     fin_error;              /* Error code to return */
        ipf_cksum_t     fin_cksum;      /* -1 = bad, 1 = good, 0 = not done */
        fr_breason_t    fin_reason;     /* why auto blocked */
        u_int   fin_pktnum;
        void    *fin_nattag;
        struct frdest   *fin_dif;       /* duplicate-to destination, see frdest */
        struct frdest   *fin_tif;       /* forward-to destination, see frdest */
        union {
                ip_t    *fip_ip;
#ifdef USE_INET6
                ip6_t   *fip_ip6;       /* only exists when USE_INET6 */
#endif
        } fin_ipu;
        mb_t    **fin_mp;               /* pointer to pointer to mbuf */
        mb_t    *fin_m;                 /* pointer to mbuf */
#if SOLARIS
        mb_t    *fin_qfm;               /* pointer to mblk where pkt starts */
        void    *fin_qpi;
        char    fin_ifname[LIFNAMSIZ];
#endif
        void    *fin_fraghdr;           /* pointer to start of ipv6 frag hdr */
} fr_info_t;

/*
 * Shorthands into fr_info_t.  fin_ip6, fin_srcip6 and fin_dstip6 expand to
 * members that only exist when USE_INET6 is defined.
 */
#define fin_ip          fin_ipu.fip_ip
#define fin_ip6         fin_ipu.fip_ip6
#define fin_v           fin_fi.fi_v
#define fin_p           fin_fi.fi_p
#define fin_flx         fin_fi.fi_flx
#define fin_optmsk      fin_fi.fi_optmsk
#define fin_secmsk      fin_fi.fi_secmsk
#define fin_doi         fin_fi.fi_doi
#define fin_auth        fin_fi.fi_auth
#define fin_src         fin_fi.fi_src.in4
#define fin_saddr       fin_fi.fi_saddr
#define fin_dst         fin_fi.fi_dst.in4
#define fin_daddr       fin_fi.fi_daddr
#define fin_data        fin_fi.fi_ports
#define fin_sport       fin_fi.fi_ports[0]
#define fin_dport       fin_fi.fi_ports[1]
#define fin_tcpf        fin_fi.fi_tcpf
#define fin_src6        fin_fi.fi_src
#define fin_dst6        fin_fi.fi_dst
#define fin_srcip6      fin_fi.fi_src.in6
#define fin_dstip6      fin_fi.fi_dst.in6

/* Values of fr_info.fin_out (0 == in, 1 == out). */
#define IPF_IN          0
#define IPF_OUT         1

/* Rule action callback (frentry.fr_func) and its init/fini hooks. */
typedef struct frentry  *(*ipfunc_t)(fr_info_t *, u_32_t *);
typedef int             (*ipfuncinit_t)(struct ipf_main_softc_s *, struct frentry *);

/*
 * Payload of SIOCFUNCL: resolves a function by name.  It crosses the
 * user/kernel boundary, so ipfu_name must be treated as untrusted and
 * is only safe to use as a C string once termination within its 32 bytes
 * has been ensured by the handler (defined elsewhere).
 */
typedef struct  ipfunc_resolve  {
        char            ipfu_name[32];
        ipfunc_t        ipfu_addr;
        ipfuncinit_t    ipfu_init;
        ipfuncinit_t    ipfu_fini;
} ipfunc_resolve_t;

/*
 * Size for compares on fr_info structures
 * (prefix lengths of fr_info_t; offsetof() needs <stddef.h>, presumably
 * supplied through ip_compat.h - confirm).
 */
#define FI_CSIZE        offsetof(fr_info_t, fin_icode)
#define FI_LCSIZE       offsetof(fr_info_t, fin_dp)

/*
 * Size for copying cache fr_info structure
 * (same cut-off as FI_LCSIZE: everything after fin_dp is excluded, as the
 * comment inside fr_info explains).
 */
#define FI_COPYSIZE     offsetof(fr_info_t, fin_dp)

/*
 * Structure for holding IPFilter's tag information
 * The tag is 16 bytes, viewed either as four u_32_t (ipt_num) or as a
 * character array (ipt_tag); nothing here guarantees NUL termination of
 * the latter.
 */
#define IPFTAG_LEN      16
typedef struct  {
        union   {
                u_32_t  iptu_num[4];
                char    iptu_tag[IPFTAG_LEN];
        } ipt_un;
        int     ipt_not;                /* negation flag for the match */
} ipftag_t;

#define ipt_tag ipt_un.iptu_tag
#define ipt_num ipt_un.iptu_num

/*
 * Structure to define address for pool lookups.
 * adf_family selects how adf_addr is interpreted; adf_xxx is padding.
 */
typedef struct  {
        u_char          adf_len;
        sa_family_t     adf_family;
        u_char          adf_xxx[2];
        i6addr_t        adf_addr;
} addrfamily_t;


/*
 * Red-black tree of per-host nodes (RBI_* come from netinet/ipf_rb.h),
 * used for frentry.fr_srctrack.  The ht_max_*/ht_netmask/ht_cur_nodes
 * limits are enforced by code outside this header.
 */
RBI_LINK(ipf_rb, host_node_s);

typedef struct  host_node_s {
        RBI_FIELD(ipf_rb)       hn_entry;       /* tree linkage */
        addrfamily_t            hn_addr;        /* host (or masked net) address */
        int                     hn_active;
} host_node_t;

typedef RBI_HEAD(ipf_rb, host_node_s) ipf_rb_head_t;

typedef struct  host_track_s {
        ipf_rb_head_t   ht_root;
        int             ht_max_nodes;
        int             ht_max_per_node;
        int             ht_netmask;
        int             ht_cur_nodes;
} host_track_t;


/* How frdest.fd_ptr/fd_addr are to be interpreted. */
typedef enum fr_dtypes_e {
        FRD_NORMAL = 0,
        FRD_DSTLIST
} fr_dtypes_t;
/*
 * This structure is used to hold information about the next hop for where
 * to forward a packet.
 */
typedef struct  frdest  {
        void            *fd_ptr;
        addrfamily_t    fd_addr;
        fr_dtypes_t     fd_type;
        int             fd_name;
} frdest_t;

/* fd_ip6 is the whole i6addr_t of the next hop; fd_ip its IPv4 view. */
#define fd_ip6  fd_addr.adf_addr
#define fd_ip   fd_ip6.in4


/*
 * Port comparison operators for frpcmp.frp_cmp.  The single-operand forms
 * use frp_port; the *RANGE forms use frp_port..frp_top (the "<>" and "><"
 * forms mentioned at frpcmp).
 */
typedef enum fr_ctypes_e {
        FR_NONE = 0,            /* no port comparison */
        FR_EQUAL,
        FR_NEQUAL,
        FR_LESST,
        FR_GREATERT,
        FR_LESSTE,
        FR_GREATERTE,
        FR_OUTRANGE,
        FR_INRANGE,
        FR_INCRANGE
} fr_ctypes_t;

/*
 * This structure holds information about a port comparison.
 * Both port fields are 32-bit although ports are 16-bit; any range check
 * on the values happens outside this header.
 */
typedef struct  frpcmp  {
        fr_ctypes_t     frp_cmp;        /* data for port comparisons */
        u_32_t          frp_port;       /* low port for <> and >< */
        u_32_t          frp_top;        /* high port for <> and >< */
} frpcmp_t;


/*
 * Structure containing all the relevant TCP/UDP things that can be checked in
 * a filter rule.
 */
typedef struct  frtuc   {
        u_char          ftu_tcpfm;      /* tcp flags mask */
        u_char          ftu_tcpf;       /* tcp flags */
        frpcmp_t        ftu_src;        /* source port */
        frpcmp_t        ftu_dst;        /* destination port */
} frtuc_t;

/* Shorthands into the two port comparisons. */
#define ftu_scmp        ftu_src.frp_cmp
#define ftu_dcmp        ftu_dst.frp_cmp
#define ftu_sport       ftu_src.frp_port
#define ftu_dport       ftu_dst.frp_port
#define ftu_stop        ftu_src.frp_top
#define ftu_dtop        ftu_dst.frp_top

/* Six low bits: the largest TCP flag value a rule may name. */
#define FR_TCPFMAX      0x3f

/* How a rule's source/destination address field is to be interpreted. */
typedef enum fr_atypes_e {
        FRI_NONE = -1,  /* For LHS of NAT */
        FRI_NORMAL = 0, /* Normal address */
        FRI_DYNAMIC,    /* dynamic address */
        FRI_LOOKUP,     /* address is a pool # */
        FRI_RANGE,      /* address/mask is a range */
        FRI_NETWORK,    /* network address from if */
        FRI_BROADCAST,  /* broadcast address from if */
        FRI_PEERADDR,   /* Peer address for P-to-P */
        FRI_NETMASKED,  /* network address with netmask from if */
        FRI_SPLIT,      /* For NAT compatibility */
        FRI_INTERFACE   /* address is based on interface name */
} fr_atypes_t;

/*
 * This structure makes up what is considered to be the IPFilter specific
 * matching components of a filter rule, as opposed to the data structures
 * used to define the result which are in frentry_t and not here.
 */
typedef struct  fripf   {
        fr_ip_t         fri_ip;         /* values to match */
        fr_ip_t         fri_mip;        /* mask structure */

        u_short         fri_icmpm;      /* data for ICMP packets (mask) */
        u_short         fri_icmp;       /* data for ICMP packets (value) */

        frtuc_t         fri_tuc;        /* TCP/UDP port and flag checks */
        fr_atypes_t     fri_satype;     /* source address type */
        fr_atypes_t     fri_datype;     /* destination address type */
        /*
         * Source/destination interface index for dynamic addressing.  The
         * fr_ifps[] array they refer to is not declared in this header.
         */
        int             fri_sifpidx;    /* doing dynamic addressing */
        int             fri_difpidx;    /* index into fr_ifps[] to use when */
} fripf_t;

/* Lookup-related fields are read from the mask copy (fri_mip). */
#define fri_dlookup     fri_mip.fi_dst
#define fri_slookup     fri_mip.fi_src
#define fri_dstnum      fri_mip.fi_dstnum
#define fri_srcnum      fri_mip.fi_srcnum
#define fri_dstname     fri_mip.fi_dstname
#define fri_srcname     fri_mip.fi_srcname
#define fri_dstptr      fri_mip.fi_dstptr
#define fri_srcptr      fri_mip.fi_srcptr


/*
 * Rule body types (frentry.fr_type).  The *_BUILTIN enumerators follow
 * FR_T_BUILTIN consecutively, so each equals FR_T_BUILTIN | base type
 * (e.g. FR_T_IPF_BUILTIN == 0x40000001).
 */
typedef enum fr_rtypes_e {
        FR_T_NONE = 0,
        FR_T_IPF,               /* IPF structures */
        FR_T_BPFOPC,            /* BPF opcode */
        FR_T_CALLFUNC,          /* callout to function in fr_func only */
        FR_T_COMPIPF,                   /* compiled C code */
        FR_T_IPFEXPR,                   /* IPF expression */
        FR_T_BUILTIN = 0x40000000,      /* rule is in kernel space */
        FR_T_IPF_BUILTIN,
        FR_T_BPFOPC_BUILTIN,
        FR_T_CALLFUNC_BUILTIN,
        FR_T_COMPIPF_BUILTIN,
        FR_T_IPFEXPR_BUILTIN
} fr_rtypes_t;

/* Callback form stored in frentry.fr_dun.fru_func. */
typedef struct  frentry * (* frentfunc_t)(fr_info_t *);

/*
 * A filter rule.  The structure is variable-length: fr_names[1] is a
 * trailing name buffer whose real length is fr_namelen, with fr_size
 * recording the total allocation.  NOTE(review): several int fields that
 * denote text (fr_comment, fr_ifnames[], fr_group, fr_grhead, fr_isctag)
 * look like offsets into fr_names - confirm against the loader, and
 * remember that fr_namelen/fr_size must be bounds-checked against each
 * other wherever a rule is built from external data.
 */
typedef struct  frentry {
        ipfmutex_t      fr_lock;
        struct  frentry *fr_next;
        struct  frentry **fr_pnext;
        struct  frgroup *fr_grp;
        struct  frgroup *fr_grphead;
        struct  frgroup *fr_icmpgrp;
        struct  ipscan  *fr_isc;
        struct  frentry *fr_dnext;      /* 2 fr_die linked list pointers */
        struct  frentry **fr_pdnext;
        void    *fr_ifas[4];
        void    *fr_ptr;        /* for use with fr_arg */
        int     fr_comment;     /* text comment for rule */
        int     fr_size;        /* size of this structure */
        int     fr_ref;         /* reference count */
        int     fr_statecnt;    /* state count - for limit rules */
        u_32_t  fr_die;         /* only used on loading the rule */
        u_int   fr_cksum;       /* checksum on filter rules for performance */
        /*
         * The line number from a file is here because we need to be able to
         * match the rule generated with ``grep rule ipf.conf | ipf -rf -''
         * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be
         * on the other side of fr_func.
         */
        int     fr_flineno;     /* line number from conf file */
        /*
         * These are only incremented when a packet  matches this rule and
         * it is the last match
         */
        U_QUAD_T        fr_hits;
        U_QUAD_T        fr_bytes;

        /*
         * For PPS rate limiting
         * fr_lpu is used to always have the same size for this field,
         * allocating 64bits for seconds and 32bits for milliseconds.
         * NOTE(review): a union is sized by its largest member, so where
         * struct timeval exceeds 12 bytes (64-bit time_t and suseconds_t)
         * frp_bytes no longer fixes the size.
         */
        union {
                struct timeval  frp_lastpkt;
                char    frp_bytes[12];
        } fr_lpu;
        int             fr_curpps;

        /* Rule body, interpreted according to fr_type. */
        union   {
                void            *fru_data;
                char            *fru_caddr;
                fripf_t         *fru_ipf;
                frentfunc_t     fru_func;
        } fr_dun;

        /*
         * Fields after this may not change whilst in the kernel.
         */
        ipfunc_t fr_func;       /* call this function */
        int     fr_dsize;       /* size of what fr_dun points at */
        int     fr_pps;
        fr_rtypes_t     fr_type;
        u_32_t  fr_flags;       /* per-rule flags && options (see below) */
        u_32_t  fr_logtag;      /* user defined log tag # */
        u_32_t  fr_collect;     /* collection number */
        u_int   fr_arg;         /* misc. numeric arg for rule */
        u_int   fr_loglevel;    /* syslog log facility + priority */
        u_char  fr_family;
        u_char  fr_icode;       /* return ICMP code */
        int     fr_group;       /* group to which this rule belongs */
        int     fr_grhead;      /* group # which this rule starts */
        int     fr_isctag;
        int     fr_rpc;         /* XID Filtering */
        ipftag_t fr_nattag;
        /*
         * These are all options related to stateful filtering
         */
        host_track_t    fr_srctrack;
        int     fr_nostatelog;
        int     fr_statemax;    /* max reference count */
        int     fr_icmphead;    /* ICMP group  for state options */
        u_int   fr_age[2];      /* non-TCP state timeouts */
        /*
         * These are compared separately.
         */
        int     fr_ifnames[4];
        frdest_t fr_tifs[2];    /* "to"/"reply-to" interface */
        frdest_t fr_dif;        /* duplicate packet interface */
        /*
         * How big is the name buffer at the end?
         * (fr_names[1] is the pre-C99 trailing-array idiom; it is part of
         * sizeof(frentry_t), which fr_size-based arithmetic elsewhere
         * presumably accounts for.)
         */
        int     fr_namelen;
        char    fr_names[1];
} frentry_t;

/*
 * Short-hand accessors into frentry_t.
 *
 * fr_ipf is the fripf_t member of the fr_dun union, so every fr_ip / fr_mip /
 * fr_tuc alias below goes through fr_dun.fru_ipf and is only meaningful while
 * that union member is the one in use (fr_data / fr_caddr / fr_dfunc overlay
 * the same storage).  The fr_*mask / fr_m* names read the mask copy (fr_mip),
 * the plain names read the value copy (fr_ip).
 * fr_ifa / fr_oifa index fr_ifas[], which is declared in the part of the
 * struct that is not shown in this excerpt.
 */
#define fr_lastpkt	fr_lpu.frp_lastpkt
#define fr_caddr	fr_dun.fru_caddr
#define fr_data		fr_dun.fru_data
#define fr_dfunc	fr_dun.fru_func
#define fr_ipf		fr_dun.fru_ipf
#define fr_ip		fr_ipf->fri_ip
#define fr_mip		fr_ipf->fri_mip
#define fr_icmpm	fr_ipf->fri_icmpm
#define fr_icmp		fr_ipf->fri_icmp
#define fr_tuc		fr_ipf->fri_tuc
#define fr_satype	fr_ipf->fri_satype
#define fr_datype	fr_ipf->fri_datype
#define fr_sifpidx	fr_ipf->fri_sifpidx
#define fr_difpidx	fr_ipf->fri_difpidx
#define fr_proto	fr_ip.fi_p
#define fr_mproto	fr_mip.fi_p
#define fr_ttl		fr_ip.fi_ttl
#define fr_mttl		fr_mip.fi_ttl
#define fr_tos		fr_ip.fi_tos
#define fr_mtos		fr_mip.fi_tos
#define fr_tcpfm	fr_tuc.ftu_tcpfm
#define fr_tcpf		fr_tuc.ftu_tcpf
#define fr_scmp		fr_tuc.ftu_scmp
#define fr_dcmp		fr_tuc.ftu_dcmp
#define fr_dport	fr_tuc.ftu_dport
#define fr_sport	fr_tuc.ftu_sport
#define fr_stop		fr_tuc.ftu_stop
#define fr_dtop		fr_tuc.ftu_dtop
#define fr_dst		fr_ip.fi_dst.in4
#define fr_dst6		fr_ip.fi_dst
#define fr_daddr	fr_ip.fi_dst.in4.s_addr
#define fr_src		fr_ip.fi_src.in4
#define fr_src6		fr_ip.fi_src
#define fr_saddr	fr_ip.fi_src.in4.s_addr
#define fr_dmsk		fr_mip.fi_dst.in4
#define fr_dmsk6	fr_mip.fi_dst
#define fr_dmask	fr_mip.fi_dst.in4.s_addr
#define fr_smsk		fr_mip.fi_src.in4
#define fr_smsk6	fr_mip.fi_src
#define fr_smask	fr_mip.fi_src.in4.s_addr
#define fr_dstnum	fr_ip.fi_dstnum
#define fr_srcnum	fr_ip.fi_srcnum
#define fr_dlookup	fr_ip.fi_dst
#define fr_slookup	fr_ip.fi_src
#define fr_dstname	fr_ip.fi_dstname
#define fr_srcname	fr_ip.fi_srcname
#define fr_dsttype	fr_ip.fi_dsttype
#define fr_srctype	fr_ip.fi_srctype
#define fr_dstsubtype	fr_ip.fi_dstsubtype
#define fr_srcsubtype	fr_ip.fi_srcsubtype
#define fr_dstptr	fr_mip.fi_dstptr
#define fr_srcptr	fr_mip.fi_srcptr
#define fr_dstfunc	fr_mip.fi_dstfunc
#define fr_srcfunc	fr_mip.fi_srcfunc
#define fr_optbits	fr_ip.fi_optmsk
#define fr_optmask	fr_mip.fi_optmsk
#define fr_secbits	fr_ip.fi_secmsk
#define fr_secmask	fr_mip.fi_secmsk
#define fr_authbits	fr_ip.fi_auth
#define fr_authmask	fr_mip.fi_auth
#define fr_doi		fr_ip.fi_doi
#define fr_doimask	fr_mip.fi_doi
#define fr_flx		fr_ip.fi_flx
#define fr_mflx		fr_mip.fi_flx
#define fr_ifa		fr_ifas[0]
#define fr_oifa		fr_ifas[2]
#define fr_tif		fr_tifs[0]
#define fr_rif		fr_tifs[1]
  788 
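#define FR_NOLOGTAG	0		/* fr_logtag value meaning "no user log tag" */

/*
 * FR_CMPSIZ: number of bytes from fr_func up to (not including) fr_ifnames.
 * Presumably the span of frentry_t that is compared as one unit when rules
 * are matched against each other; the fields from fr_ifnames onwards are
 * "compared separately" per the struct comment.  Relies on fr_func preceding
 * fr_ifnames in frentry_t.
 */
#define FR_CMPSIZ	(offsetof(struct frentry, fr_ifnames) - \
			offsetof(struct frentry, fr_func))
/*
 * FR_NAME(_f, _n): pointer to the string in rule _f's fr_names buffer that
 * starts at offset (_f)->_n, where _n is a member expression such as
 * fr_ifnames[0].  The whole expansion is parenthesised so that a unary
 * operator or subscript applied to the result binds to the sum rather than
 * to fr_names alone.  The offset is not range-checked here; callers must
 * make sure it lies within fr_namelen before dereferencing.
 */
#define FR_NAME(_f, _n)	((_f)->fr_names + (_f)->_n)
/*
 * FR_NUM(_a): element count of an array object (not of a pointer).  _a is
 * parenthesised before being dereferenced so that an expression argument
 * is handled as a whole.
 */
#define FR_NUM(_a)	(sizeof(_a) / sizeof(*(_a)))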
  795 
  796 
/*
 * fr_flags
 *
 * The low nibble (FR_CMDMASK) is a command *code*, not a set of independent
 * bits: FR_AUTH (0x3) is not FR_BLOCK|FR_PASS, and the FR_IS*() macros below
 * therefore mask and compare for equality.  Everything above the nibble is a
 * genuine bit flag.  FR_LOGB / FR_LOGP and FR_FAKEICMP are composites of the
 * values around them (FR_LOG|FR_BLOCK, FR_LOG|FR_PASS, FR_RETRST|FR_RETICMP).
 * The top four bits are reserved for the FF_* values defined further down,
 * which are stored in the same word.
 */
#define	FR_BLOCK	0x00001	/* do not allow packet to pass */
#define	FR_PASS		0x00002	/* allow packet to pass */
#define	FR_AUTH		0x00003	/* use authentication */
#define	FR_PREAUTH	0x00004	/* require preauthentication */
#define	FR_ACCOUNT	0x00005	/* Accounting rule */
#define	FR_SKIP		0x00006	/* skip rule */
#define	FR_DECAPSULATE	0x00008	/* decapsulate rule */
#define	FR_CALL		0x00009	/* call rule */
#define	FR_CMDMASK	0x0000f	/* mask isolating the command code */
#define	FR_LOG		0x00010	/* Log */
#define	FR_LOGB		0x00011	/* Log-fail (FR_LOG|FR_BLOCK) */
#define	FR_LOGP		0x00012	/* Log-pass (FR_LOG|FR_PASS) */
#define	FR_LOGMASK	(FR_LOG|FR_CMDMASK)
#define	FR_CALLNOW	0x00020	/* call another function (fr_func) if matches */
#define	FR_NOTSRCIP	0x00040	/* negate the source address match */
#define	FR_NOTDSTIP	0x00080	/* negate the destination address match */
#define	FR_QUICK	0x00100	/* match & stop processing list */
#define	FR_KEEPFRAG	0x00200	/* keep fragment information */
#define	FR_KEEPSTATE	0x00400	/* keep `connection' state information */
#define	FR_FASTROUTE	0x00800	/* bypass normal routing */
#define	FR_RETRST	0x01000	/* Return TCP RST packet - reset connection */
#define	FR_RETICMP	0x02000	/* Return ICMP unreachable packet */
#define	FR_FAKEICMP	0x03000	/* Return ICMP unreachable with fake source */
#define	FR_OUTQUE	0x04000	/* outgoing packets */
#define	FR_INQUE	0x08000	/* ingoing packets */
#define	FR_LOGBODY	0x10000	/* Log the body */
#define	FR_LOGFIRST	0x20000	/* Log the first byte if state held */
#define	FR_LOGORBLOCK	0x40000	/* block the packet if it can't be logged */
#define	FR_STLOOSE	0x80000	/* loose state checking */
#define	FR_FRSTRICT	0x100000	/* strict frag. cache */
#define	FR_STSTRICT	0x200000	/* strict keep state */
#define	FR_NEWISN	0x400000	/* new ISN for outgoing TCP */
#define	FR_NOICMPERR	0x800000	/* do not match ICMP errors in state */
#define	FR_STATESYNC	0x1000000	/* synchronize state to slave */
#define	FR_COPIED	0x2000000	/* copied from user space */
#define	FR_INACTIVE	0x4000000	/* only used when flush'ing rules */
#define	FR_NOMATCH	0x8000000	/* no match occurred */
		/*	0x10000000	FF_LOGPASS */
		/*	0x20000000	FF_LOGBLOCK */
		/*	0x40000000	FF_LOGNOMATCH */
		/*	0x80000000	FF_BLOCKNONIP */

/* all "send something back" bits, including the composite FR_FAKEICMP */
#define	FR_RETMASK	(FR_RETICMP|FR_RETRST|FR_FAKEICMP)
/* command-code tests: mask the nibble, then compare for equality */
#define	FR_ISBLOCK(x)	(((x) & FR_CMDMASK) == FR_BLOCK)
#define	FR_ISPASS(x)	(((x) & FR_CMDMASK) == FR_PASS)
#define	FR_ISAUTH(x)	(((x) & FR_CMDMASK) == FR_AUTH)
#define	FR_ISPREAUTH(x)	(((x) & FR_CMDMASK) == FR_PREAUTH)
#define	FR_ISACCOUNT(x)	(((x) & FR_CMDMASK) == FR_ACCOUNT)
#define	FR_ISSKIP(x)	(((x) & FR_CMDMASK) == FR_SKIP)
#define	FR_ISDECAPS(x)	(((x) & FR_CMDMASK) == FR_DECAPSULATE)
/* FR_NOMATCH is a plain bit, so this is a bit test, not a code compare */
#define	FR_ISNOMATCH(x)	((x) & FR_NOMATCH)
#define	FR_INOUT	(FR_INQUE|FR_OUTQUE)
  852 
/*
 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
 * (they occupy the top four bits that the FR_* table above leaves reserved).
 */
#define	FF_LOGPASS	0x10000000
#define	FF_LOGBLOCK	0x20000000
#define	FF_LOGNOMATCH	0x40000000
#define	FF_LOGGING	(FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)	/* any logging enabled */
#define	FF_BLOCKNONIP	0x80000000	/* Solaris2 Only */
  861 
  862 
/*
 * Structure that passes information on what/how to flush to the kernel.
 * Supplied by userland; the meaning of the two values is defined by the
 * flush ioctl handler, not in this header.
 */
typedef struct	ipfflush	{
	int		ipflu_how;	/* what / how to flush (selector) */
	int		ipflu_arg;	/* argument interpreted according to ipflu_how */
} ipfflush_t;
  870 
  871 
/*
 * Read-back of one named control: its allowed range, current and default
 * values and the step between valid values.  Counterpart of ipfsetctl_t.
 * ipfg_name is a fixed 40-byte buffer; if it is filled from userland, treat
 * it as possibly unterminated until checked.
 */
typedef struct	ipfgetctl	{
	u_int		ipfg_min;	/* min value */
	u_int		ipfg_current;	/* current value */
	u_int		ipfg_max;	/* max value */
	u_int		ipfg_default;	/* default value */
	u_int		ipfg_steps;	/* value increments */
	char		ipfg_name[40];	/* tag name for this control */
} ipfgetctl_t;
  883 
/*
 * Write side of a named control: ipfs_which selects which of the four
 * values in the matching ipfgetctl_t is being set, ipfs_value is the new
 * value.  ipfs_name has the same 40-byte, possibly-unterminated caveat as
 * ipfg_name.
 */
typedef struct	ipfsetctl	{
	int	ipfs_which;	/* 0 = min 1 = current 2 = max 3 = default */
	u_int	ipfs_value;	/* new value for the field selected by ipfs_which */
	char	ipfs_name[40];	/* tag name for this control */
} ipfsetctl_t;
  889 
  890 
/*
 * Some of the statistics below are in their own counters, but most are kept
 * in this single structure so that they can all easily be collected and
 * copied back as required.
 *
 * Every member is a plain u_long event counter.  The fr_v6_* / fr_v4_* /
 * fr_l4_* groups count packets rejected or pulled up while parsing the
 * respective header layer; the remaining members count filter outcomes.
 * Two copies are carried in friostat_t (f_st[2]).
 */
typedef struct	ipf_statistics {
	u_long	fr_icmp_coalesce;
	u_long	fr_tcp_frag;
	u_long	fr_tcp_pullup;
	u_long	fr_tcp_short;
	u_long	fr_tcp_small;
	u_long	fr_tcp_bad_flags;
	u_long	fr_udp_pullup;
	u_long	fr_ip_freed;
	u_long	fr_v6_ah_bad;
	u_long	fr_v6_bad;
	u_long	fr_v6_badfrag;
	u_long	fr_v6_dst_bad;
	u_long	fr_v6_esp_pullup;
	u_long	fr_v6_ext_short;
	u_long	fr_v6_ext_pullup;
	u_long	fr_v6_ext_hlen;
	u_long	fr_v6_frag_bad;
	u_long	fr_v6_frag_pullup;
	u_long	fr_v6_frag_size;
	u_long	fr_v6_gre_pullup;
	u_long	fr_v6_icmp6_pullup;
	u_long	fr_v6_rh_bad;
	u_long	fr_v6_badttl;	/* TTL in packet doesn't reach minimum */
	u_long	fr_v4_ah_bad;
	u_long	fr_v4_ah_pullup;
	u_long	fr_v4_esp_pullup;
	u_long	fr_v4_cipso_bad;
	u_long	fr_v4_cipso_tlen;
	u_long	fr_v4_gre_frag;
	u_long	fr_v4_gre_pullup;
	u_long	fr_v4_icmp_frag;
	u_long	fr_v4_icmp_pullup;
	u_long	fr_v4_badttl;	/* TTL in packet doesn't reach minimum */
	u_long	fr_v4_badsrc;	/* source received doesn't match route */
	u_long	fr_l4_badcksum;	/* layer 4 header checksum failure */
	u_long	fr_badcoalesces;
	u_long	fr_pass;	/* packets allowed */
	u_long	fr_block;	/* packets denied */
	u_long	fr_nom;		/* packets which don't match any rule */
	u_long	fr_short;	/* packets which are short */
	u_long	fr_ppkl;	/* packets allowed and logged */
	u_long	fr_bpkl;	/* packets denied and logged */
	u_long	fr_npkl;	/* packets unmatched and logged */
	u_long	fr_ret;		/* packets for which a return is sent */
	u_long	fr_acct;	/* packets for which counting was performed */
	u_long	fr_bnfr;	/* bad attempts to allocate fragment state */
	u_long	fr_nfr;		/* new fragment state kept */
	u_long	fr_cfr;		/* add new fragment state but complete pkt */
	u_long	fr_bads;	/* bad attempts to allocate packet state */
	u_long	fr_ads;		/* new packet state kept */
	u_long	fr_chit;	/* cached hit */
	u_long	fr_cmiss;	/* cached miss */
	u_long	fr_tcpbad;	/* TCP checksum check failures */
	u_long	fr_pull[2];	/* good and bad pullup attempts */
	u_long	fr_bad;		/* bad IP packets to the filter */
	u_long	fr_ipv6;	/* IPv6 packets in/out */
	u_long	fr_ppshit;	/* dropped because of pps ceiling */
	u_long	fr_ipud;	/* IP id update failures */
	u_long	fr_blocked[FRB_MAX_VALUE + 1];	/* per block-reason counts; FRB_* values are defined elsewhere (presumably the fin_reason codes) */
} ipf_statistics_t;
  957 
/*
 * Log structure.  Each packet header logged is prepended by one of these.
 * Following this in the log records read from the device will be an ipflog
 * structure which is then followed by any packet data.
 *
 * NOTE(review): the record carries a size_t and a pointer, so its layout
 * is that of the writer's ABI; a reader of the log device should validate
 * ipl_magic and check ipl_dsize against the bytes actually read before
 * consuming a record, rather than trusting the header blindly.
 */
typedef struct	iplog	{
	u_32_t		ipl_magic;	/* expected: IPL_MAGIC, IPL_MAGIC_NAT or IPL_MAGIC_STATE */
	u_int		ipl_count;
	u_32_t		ipl_seqnum;
	struct	timeval	ipl_time;	/* see ipl_sec / ipl_usec aliases below */
	size_t		ipl_dsize;	/* record data size (presumably the whole record) */
	struct	iplog	*ipl_next;	/* chaining pointer; not meaningful outside the writer */
} iplog_t;
  971 
/* accessors for the timeval inside iplog_t */
#define	ipl_sec		ipl_time.tv_sec
#define	ipl_usec	ipl_time.tv_usec

/* ipl_magic values identifying which log (filter / NAT / state) a record is from */
#define	IPL_MAGIC	0x49504c4d	/* 'IPLM' */
#define	IPL_MAGIC_NAT	0x49504c4e	/* 'IPLN' */
#define	IPL_MAGIC_STATE	0x49504c53	/* 'IPLS' */
#define	IPLOG_SIZE	sizeof(iplog_t)
  979 
/*
 * Per-packet log detail that follows an iplog_t in the log stream (see the
 * iplog comment above) and precedes the saved packet bytes.  fl_hlen bytes
 * of IP headers plus fl_plen bytes of extra data follow this structure.
 */
typedef struct	ipflog	{
	u_int		fl_unit;
	u_32_t		fl_rule;
	u_32_t		fl_flags;
	u_32_t		fl_lflags;
	u_32_t		fl_logtag;	/* user log tag (FR_NOLOGTAG when unset) */
	ipftag_t	fl_nattag;
	u_short		fl_plen;	/* extra data after hlen */
	u_short		fl_loglevel;	/* syslog log level */
	char		fl_group[FR_GROUPLEN];
	u_char		fl_hlen;	/* length of IP headers saved */
	u_char		fl_dir;
	u_char		fl_breason;	/* from fin_reason */
	u_char		fl_family;	/* address family of packet logged */
	char		fl_ifname[LIFNAMSIZ];
} ipflog_t;
  996 
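#ifndef IPF_LOGGING
# define	IPF_LOGGING	0
#endif
#ifndef IPF_DEFAULT_PASS
# define	IPF_DEFAULT_PASS	FR_PASS	/* build-time default verdict; presumably what f_defpass / ipf_pass start at */
#endif

/*
 * Size of the in-kernel log buffer.  Overridable at build time but never
 * below 8192 bytes.
 */
#define	DEFAULT_IPFLOGSIZE	32768
#ifndef IPFILTER_LOGSIZE
# define	IPFILTER_LOGSIZE	DEFAULT_IPFLOGSIZE
#else
# if IPFILTER_LOGSIZE < 8192
#  error IPFILTER_LOGSIZE too small.  Must be >= 8192
# endif
#endif

#define	IPF_OPTCOPY	0x07ff00	/* bit mask of copied options */

/*
 * Device filenames for reading log information.  Use ipf on Solaris2 because
 * ipl is already a name used by something else.
 */
#ifndef IPL_NAME
# if	SOLARIS
#  define	IPL_NAME	"/dev/ipf"
# else
#  define	IPL_NAME	"/dev/ipl"
# endif
#endif
/*
 * Pathnames for various IP Filter control devices.  Used by LKM
 * and userland, so defined here.
 */
#define	IPNAT_NAME	"/dev/ipnat"
#define	IPSTATE_NAME	"/dev/ipstate"
#define	IPAUTH_NAME	"/dev/ipauth"
#define	IPSYNC_NAME	"/dev/ipsync"
#define	IPSCAN_NAME	"/dev/ipscan"
#define	IPLOOKUP_NAME	"/dev/iplookup"

/*
 * Minor device numbers for accessing the logs.  IPL_LOGSIZE is the array
 * bound derived from IPL_LOGMAX (used for f_groups / f_locks in friostat_t);
 * it and the negative sentinels are parenthesised so they can be used
 * safely inside larger expressions (e.g. `n * IPL_LOGSIZE`).
 */
#define	IPL_LOGIPF	0	/* Minor device #'s for accessing logs */
#define	IPL_LOGNAT	1
#define	IPL_LOGSTATE	2
#define	IPL_LOGAUTH	3
#define	IPL_LOGSYNC	4
#define	IPL_LOGSCAN	5
#define	IPL_LOGLOOKUP	6
#define	IPL_LOGCOUNT	7
#define	IPL_LOGMAX	7
#define	IPL_LOGSIZE	(IPL_LOGMAX + 1)
#define	IPL_LOGALL	(-1)	/* sentinel: every log */
#define	IPL_LOGNONE	(-2)	/* sentinel: no log */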
 1049 
/*
 * For SIOCGETFS
 *
 * Snapshot of the filter's state copied out to userland (IPFOBJ_IPFSTAT).
 * Indexing convention, per the f_fin/f_fout/f_acctin/f_acctout aliases
 * below: first index is in (0) / out (1), second index is the rule set
 * (active vs. inactive, see f_active).
 * NOTE(review): the frentry_t / frgroup pointer members are addresses from
 * the kernel's side; consumers should treat them as opaque handles rather
 * than dereference them — confirm against the user-space tools.
 */
typedef struct	friostat	{
	ipf_statistics_t f_st[2];	/* in / out counters */
	frentry_t	*f_ipf[2][2];	/* filter rule lists */
	frentry_t	*f_acct[2][2];	/* accounting rule lists */
	frentry_t	*f_auth;
	struct frgroup	*f_groups[IPL_LOGSIZE][2];	/* group lists, per minor device */
	u_long		f_froute[2];
	u_long		f_log_ok;
	u_long		f_log_fail;
	u_long		f_rb_no_mem;
	u_long		f_rb_node_max;
	u_32_t		f_ticks;
	int		f_locks[IPL_LOGSIZE];
	int		f_defpass;	/* default pass - from fr_pass */
	int		f_active;	/* 1 or 0 - active rule set */
	int		f_running;	/* 1 if running, else 0 */
	int		f_logging;	/* 1 if enabled, else 0 */
	int		f_features;	/* IPF_FEAT_* bits */
	char		f_version[32];	/* version string */
} friostat_t;
 1073 
/* friostat_t aliases: first index of f_ipf / f_acct is direction */
#define	f_fin		f_ipf[0]
#define	f_fout		f_ipf[1]
#define	f_acctin	f_acct[0]
#define	f_acctout	f_acct[1]

/* bits reported in friostat_t.f_features */
#define	IPF_FEAT_LKM		0x001
#define	IPF_FEAT_LOG		0x002
#define	IPF_FEAT_LOOKUP		0x004
#define	IPF_FEAT_BPF		0x008
#define	IPF_FEAT_COMPILED	0x010
#define	IPF_FEAT_CKSUM		0x020
#define	IPF_FEAT_SYNC		0x040
#define	IPF_FEAT_SCAN		0x080
#define	IPF_FEAT_IPV6		0x100
 1088 
/*
 * Option-to-bit mapping entry.  Presumably pairs an IP option number with
 * the bit it occupies in fr_optbits / fr_optmask — confirm against the table
 * that instantiates it.
 */
typedef struct	optlist {
	u_short	ol_val;		/* option value */
	int	ol_bit;		/* corresponding bit */
} optlist_t;
 1093 
 1094 
/*
 * Group list structure.
 * A rule group: a named list of frentry_t rules (fg_head / fg_start) kept
 * on a singly linked list of groups (fg_next) and reference counted via
 * fg_ref.  fg_name is a fixed FR_GROUPLEN buffer; FG_NAME() below yields
 * "" for an empty name.
 */
typedef struct frgroup {
	struct frgroup	*fg_next;
	struct frentry	*fg_head;
	struct frentry	*fg_start;
	struct frgroup	**fg_set;	/* presumably the list head this group is linked on */
	u_32_t		fg_flags;
	int		fg_ref;		/* reference count */
	char		fg_name[FR_GROUPLEN];
} frgroup_t;
 1107 
 1108 #define FG_NAME(g)      (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
 1109 
 1110 
/*
 * Used by state and NAT tables
 * ICMP identification fields tracked per entry (id, sequence, type).
 */
typedef struct icmpinfo {
	u_short		ici_id;
	u_short		ici_seq;
	u_char		ici_type;
} icmpinfo_t;
 1119 
/* UDP port pair tracked per state / NAT entry */
typedef struct udpinfo {
	u_short		us_sport;
	u_short		us_dport;
} udpinfo_t;
 1124 
 1125 
/*
 * Per-direction TCP sequence-tracking data (tcpinfo_t carries two of
 * these).  td_winflags holds the TCP_WSCALE_* / TCP_SACK_PERMIT bits
 * defined below.
 */
typedef struct	tcpdata {
	u_32_t		td_end;
	u_32_t		td_maxend;
	u_32_t		td_maxwin;
	u_32_t		td_winscale;	/* window scale shift; see TCP_WSCALE_MAX */
	u_32_t		td_maxseg;
	int		td_winflags;	/* TCP_WSCALE_SEEN / TCP_WSCALE_FIRST / TCP_SACK_PERMIT */
} tcpdata_t;
 1134 
/* largest window-scale shift accepted (presumably used to clamp td_winscale) */
#define	TCP_WSCALE_MAX		14

/* td_winflags bits */
#define	TCP_WSCALE_SEEN		0x00000001
#define	TCP_WSCALE_FIRST	0x00000002
#define	TCP_SACK_PERMIT		0x00000004
 1140 
 1141 
/*
 * TCP tracking data for a state / NAT entry: the port pair (held in 32-bit
 * fields, wider than a port) and one tcpdata_t per direction.
 */
typedef struct tcpinfo {
	u_32_t		ts_sport;
	u_32_t		ts_dport;
	tcpdata_t	ts_data[2];	/* one per direction, presumably */
} tcpinfo_t;
 1147 
 1148 
/*
 * Structures to define a GRE header as seen in a packet.
 *
 * grebits is a bit-field view of the first 16 bits of the header followed
 * by the protocol type.  Because bit-field allocation order is
 * implementation-defined, the field order is reversed under
 * #if defined(sparc).  NOTE(review): the switch is keyed on the sparc
 * architecture macro rather than on byte order, so any other target takes
 * the second layout regardless of its endianness — confirm this is intended.
 */
struct	grebits {
#if defined(sparc)
	u_32_t		grb_ver:3;
	u_32_t		grb_flags:3;
	u_32_t		grb_A:1;
	u_32_t		grb_recur:1;
	u_32_t		grb_s:1;
	u_32_t		grb_S:1;
	u_32_t		grb_K:1;
	u_32_t		grb_R:1;
	u_32_t		grb_C:1;
#else
	u_32_t		grb_C:1;
	u_32_t		grb_R:1;
	u_32_t		grb_K:1;
	u_32_t		grb_S:1;
	u_32_t		grb_s:1;
	u_32_t		grb_recur:1;
	u_32_t		grb_A:1;
	u_32_t		grb_flags:3;
	u_32_t		grb_ver:3;
#endif
	u_short		grb_ptype;	/* protocol type of the encapsulated packet */
};
 1176 
/*
 * GRE header: the leading 16 flag bits are accessible either as the
 * grebits bit-fields or as one u_short (gr_flags), followed by length and
 * call-id fields.  See the gr_* aliases below.
 */
typedef struct	grehdr	{
	union	{
		struct	grebits gru_bits;
		u_short	gru_flags;
	} gr_un;
	u_short		gr_len;
	u_short		gr_call;
} grehdr_t;
 1185 
/* grehdr_t accessors: whole flag word, the bit-field view, and each bit */
#define	gr_flags	gr_un.gru_flags
#define	gr_bits		gr_un.gru_bits
#define	gr_ptype	gr_bits.grb_ptype
#define	gr_C		gr_bits.grb_C
#define	gr_R		gr_bits.grb_R
#define	gr_K		gr_bits.grb_K
#define	gr_S		gr_bits.grb_S
#define	gr_s		gr_bits.grb_s
#define	gr_recur	gr_bits.grb_recur
#define	gr_A		gr_bits.grb_A
#define	gr_ver		gr_bits.grb_ver
 1197 
/*
 * GRE information tracked by "keep state"
 * A call-id per direction plus the flag word and protocol type seen.
 */
typedef struct	greinfo {
	u_short		gs_call[2];	/* call-id, one per direction presumably */
	u_short		gs_flags;
	u_short		gs_ptype;
} greinfo_t;
 1206 
 1207 #define GRE_REV(x)      ((ntohs(x) >> 13) & 7)
 1208 
 1209 
/*
 * Format of an Authentication header
 * Fixed part of an IPsec AH header as it appears in a packet.  ah_plen
 * describes how much authentication data follows (RFC 2402 defines it in
 * 32-bit words, minus 2 — confirm against the code that consumes it), so
 * a parser must bound-check that length against the packet before reading
 * past the fixed part.
 */
typedef struct	authhdr {
	u_char		ah_next;	/* next header */
	u_char		ah_plen;	/* payload length, see above */
	u_short		ah_reserved;
	u_32_t		ah_spi;		/* security parameters index */
	u_32_t		ah_seq;		/* sequence number */
	/* Following the sequence number field is 0 or more bytes of */
	/* authentication data, as specified by ah_plen - RFC 2402.  */
} authhdr_t;
 1222 
 1223 
/*
 * Timeout tail queue list member
 * Embedded in a NAT or state entry (tqe_parent points back at it) and
 * linked into an ipftq_t via tqe_pnext / tqe_next; tqe_ifq names the queue
 * it currently sits on.
 */
typedef struct	ipftqent	{
	struct ipftqent **tqe_pnext;	/* address of the pointer that points at us */
	struct ipftqent *tqe_next;
	struct	ipftq	*tqe_ifq;	/* queue this entry is on */
	void		*tqe_parent;	/* pointer back to NAT/state struct */
	u_32_t		tqe_die;	/* when this entry is to die */
	u_32_t		tqe_touched;	/* last time the entry was refreshed, presumably */
	int		tqe_flags;	/* TQE_* bits */
	int		tqe_state[2];	/* current state of this entry */
} ipftqent_t;
 1237 
/* tqe_flags bits */
#define	TQE_RULEBASED	0x00000001	/* timeout comes from a rule rather than a default */
#define	TQE_DELETE	0x00000002	/* marked for deletion */
 1240 
 1241 
/*
 * Timeout tail queue head for IPFilter
 * One queue per timeout value (ifq_ttl); entries are appended at ifq_tail
 * and the queues themselves are chained through ifq_next / ifq_pnext.
 * Initialise with IPFTQ_INIT() below.
 */
typedef struct	ipftq	{
	ipfmutex_t	ifq_lock;	/* protects the entry list */
	u_int		ifq_ttl;	/* timeout applied to members */
	ipftqent_t	*ifq_head;
	ipftqent_t	**ifq_tail;	/* address of the last next pointer */
	struct ipftq	*ifq_next;
	struct ipftq	**ifq_pnext;
	int		ifq_ref;	/* reference count */
	u_int		ifq_flags;	/* IFQF_* bits */
} ipftq_t;
 1255 
/* ifq_flags bits */
#define	IFQF_USER	0x01		/* User defined aging */
#define	IFQF_DELETE	0x02		/* Marked for deletion */
#define	IFQF_PROXY	0x04		/* Timeout queue in use by a proxy */

/*
 * IPFTQ_INIT(x, y, z): put the ipftq_t at x into its initial state with
 * ttl y and a mutex initialised from z: empty list, ifq_ref = 1.
 * ifq_next, ifq_pnext and ifq_flags are NOT touched, so the caller is
 * responsible for those.
 */
#define	IPFTQ_INIT(x,y,z)	do {			\
					(x)->ifq_ttl = (y);	\
					(x)->ifq_head = NULL;	\
					(x)->ifq_ref = 1;	\
					(x)->ifq_tail = &(x)->ifq_head; \
					MUTEX_INIT(&(x)->ifq_lock, (z)); \
				} while (0)

/*
 * Timeout clock: IPF_TTLVAL(x) converts x seconds into the units the
 * timeout queues count in (IPF_HZ_DIVIDE ticks per second).
 */
#define	IPF_HZ_MULT	1
#define	IPF_HZ_DIVIDE	2		/* How many times a second ipfilter */
					/* checks its timeout queues.       */
#define	IPF_TTLVAL(x)	(((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)

/* callback invoked when a timeout-queue entry is removed */
typedef int	(*ipftq_delete_fn_t)(struct ipf_main_softc_s *, void *);
 1274 
 1275 
/*
 * Object structure description.  For passing through in ioctls.
 *
 * Envelope handed to the ioctl: every member is supplied by the caller, so
 * the receiving side must treat ipfo_type (an IPFOBJ_* value, < IPFOBJ_COUNT),
 * ipfo_size, ipfo_offset and ipfo_ptr as untrusted — check the type is
 * known and the size/offset match the expected object before any copy
 * through ipfo_ptr.
 */
typedef struct	ipfobj	{
	u_32_t		ipfo_rev;	/* IPFilter version number */
	u_32_t		ipfo_size;	/* size of object at ipfo_ptr */
	void		*ipfo_ptr;	/* pointer to object */
	int		ipfo_type;	/* type of object being pointed to */
	int		ipfo_offset;	/* bytes from ipfo_ptr where to start */
	int		ipfo_retval;	/* return value */
	u_char		ipfo_xxxpad[28];	/* reserved for future use */
} ipfobj_t;
 1288 
/*
 * ipfo_type values.  They are dense from 0, and IPFOBJ_COUNT must stay equal
 * to the number of entries so that a table indexed by type is bounded.
 */
#define	IPFOBJ_FRENTRY		0	/* struct frentry */
#define	IPFOBJ_IPFSTAT		1	/* struct friostat */
#define	IPFOBJ_IPFINFO		2	/* struct fr_info */
#define	IPFOBJ_AUTHSTAT		3	/* struct fr_authstat */
#define	IPFOBJ_FRAGSTAT		4	/* struct ipfrstat */
#define	IPFOBJ_IPNAT		5	/* struct ipnat */
#define	IPFOBJ_NATSTAT		6	/* struct natstat */
#define	IPFOBJ_STATESAVE	7	/* struct ipstate_save */
#define	IPFOBJ_NATSAVE		8	/* struct nat_save */
#define	IPFOBJ_NATLOOKUP	9	/* struct natlookup */
#define	IPFOBJ_IPSTATE		10	/* struct ipstate */
#define	IPFOBJ_STATESTAT	11	/* struct ips_stat */
#define	IPFOBJ_FRAUTH		12	/* struct frauth */
#define	IPFOBJ_TUNEABLE		13	/* struct ipftune */
#define	IPFOBJ_NAT		14	/* struct nat */
#define	IPFOBJ_IPFITER		15	/* struct ipfruleiter */
#define	IPFOBJ_GENITER		16	/* struct ipfgeniter */
#define	IPFOBJ_GTABLE		17	/* struct ipftable */
#define	IPFOBJ_LOOKUPITER	18	/* struct ipflookupiter */
#define	IPFOBJ_STATETQTAB	19	/* struct ipftq * NSTATES */
#define	IPFOBJ_IPFEXPR		20	/* struct ipfexp */
#define	IPFOBJ_PROXYCTL		21	/* struct ap_ctl */
#define	IPFOBJ_FRIPF		22	/* struct fripf */
#define	IPFOBJ_COUNT		23	/* How many #defines are above this? */
 1313 
 1314 
/*
 * Where a tuneable's value lives: a typed pointer to the variable (width
 * chosen per ipft_sz in ipftuneable_t) or an offset (ipftp_offset).
 */
typedef union	ipftunevalptr	{
	void		*ipftp_void;
	u_long		*ipftp_long;
	u_int		*ipftp_int;
	u_short		*ipftp_short;
	u_char		*ipftp_char;
	u_long		ipftp_offset;	/* offset form, presumably relative to a softc */
} ipftunevalptr_t;
 1323 
/* A tuneable's value by width; which member is valid depends on ipft_sz. */
typedef union	ipftuneval	{
	u_long		ipftu_long;
	u_int		ipftu_int;
	u_short		ipftu_short;
	u_char		ipftu_char;
} ipftuneval_t;
 1330 
/* forward declaration so the set/get hook below can take the tuneable itself */
struct ipftuneable;
/* per-tuneable hook: (softc, tuneable, new/old value) -> status */
typedef int (* ipftunefunc_t)(struct ipf_main_softc_s *, struct ipftuneable *, ipftuneval_t *);
 1333 
/*
 * Kernel-side description of one tuneable: where its value is (ipft_una),
 * its name, bounds, width in bytes (ipft_sz), IPFT_* flags, list linkage and
 * an optional hook.  The user-visible counterpart is ipftune_t below.
 */
typedef struct	ipftuneable	{
	ipftunevalptr_t	ipft_una;	/* see ipft_addr / ipft_p* aliases */
	const char	*ipft_name;
	u_long		ipft_min;
	u_long		ipft_max;
	int		ipft_sz;	/* width of the value in bytes */
	int		ipft_flags;	/* IPFT_* bits */
	struct ipftuneable *ipft_next;
	ipftunefunc_t	ipft_func;	/* optional hook, may be NULL presumably */
} ipftuneable_t;
 1344 
/* ipftuneable_t accessors for the value pointer union */
#define	ipft_addr	ipft_una.ipftp_void
#define	ipft_plong	ipft_una.ipftp_long
#define	ipft_pint	ipft_una.ipftp_int
#define	ipft_pshort	ipft_una.ipftp_short
#define	ipft_pchar	ipft_una.ipftp_char

/* ipft_flags bits */
#define	IPFT_RDONLY	1	/* read-only */
#define	IPFT_WRDISABLED	2	/* write when disabled only */
 1353 
/*
 * User-visible tuneable record (IPFOBJ_TUNEABLE).  ipft_cookie is an opaque
 * iteration handle; ipft_name is a fixed 80-byte buffer that arrives from
 * userland and so must be NUL-terminated / length-checked before it is used
 * as a string.
 */
typedef struct	ipftune {
	void		*ipft_cookie;	/* opaque cursor */
	ipftuneval_t	ipft_un;	/* value; see ipft_v* aliases below */
	u_long		ipft_min;
	u_long		ipft_max;
	int		ipft_sz;	/* width of the value in bytes */
	int		ipft_flags;	/* IPFT_* bits */
	char		ipft_name[80];
} ipftune_t;
 1363 
/* ipftune_t accessors for the value union */
#define	ipft_vlong	ipft_un.ipftu_long
#define	ipft_vint	ipft_un.ipftu_int
#define	ipft_vshort	ipft_un.ipftu_short
#define	ipft_vchar	ipft_un.ipftu_char
 1368 
/*
 * Hash table header
 * IPFHASH(x, y) declares a typedef y for a bucket head holding an rwlock
 * and the head of a list of struct x.
 */
#define	IPFHASH(x,y)	typedef struct {			\
				ipfrwlock_t	ipfh_lock;	\
				struct	x	*ipfh_head;	\
				} y
 1376 
/*
** HPUX Port
*/

#if !defined(CDEV_MAJOR) && defined (__FreeBSD__)
# define	CDEV_MAJOR	79	/* character device major number on FreeBSD */
#endif

/*
 * FR_VERBOSE / FR_DEBUG: compile to nothing inside the kernel.  In userland
 * they forward verb_pr — which must therefore be a parenthesised argument
 * list — to ipfkverbose() / ipfkdebug().  Both externs are variadic and
 * presumably printf-like; note the format parameter is not const and no
 * format attribute is declared, so -Wformat cannot check callers.
 */
#ifdef _KERNEL
# define	FR_VERBOSE(verb_pr)
# define	FR_DEBUG(verb_pr)
#else
extern	void	ipfkdebug(char *, ...);
extern	void	ipfkverbose(char *, ...);
# define	FR_VERBOSE(verb_pr)	ipfkverbose verb_pr
# define	FR_DEBUG(verb_pr)	ipfkdebug verb_pr
#endif
 1394 
/*
 * Rule iterator (IPFOBJ_IPFITER): selects a rule list by direction
 * (iri_inout, F_* values below), group name and active set, and returns
 * rules via iri_rule.  iri_group is a fixed buffer supplied by userland and
 * should be length-checked before string use.
 */
typedef struct	ipfruleiter {
	int		iri_inout;	/* F_IN / F_OUT / F_ACIN / F_ACOUT */
	char		iri_group[FR_GROUPLEN];
	int		iri_active;	/* which rule set */
	int		iri_nrules;
	int		iri_v;		/* No longer used (compatibility) */
	frentry_t	*iri_rule;	/* cursor; presumably opaque to the caller */
} ipfruleiter_t;
 1406 
/*
 * Values for iri_inout
 * (filter in/out, accounting in/out)
 */
#define	F_IN	0
#define	F_OUT	1
#define	F_ACIN	2
#define	F_ACOUT	3
 1414 
 1415 
/*
 * Generic iterator (IPFOBJ_GENITER): igi_type selects the table
 * (IPFGENITER_* below), igi_nitems how many items, igi_data where they go.
 * igi_data and igi_nitems come from userland and must be validated before
 * being used for a copy.
 */
typedef struct	ipfgeniter {
	int	igi_type;	/* IPFGENITER_* */
	int	igi_nitems;
	void	*igi_data;
} ipfgeniter_t;
 1421 
/* igi_type values: which table the generic iterator walks */
#define	IPFGENITER_IPF		0
#define	IPFGENITER_NAT		1
#define	IPFGENITER_IPNAT	2
#define	IPFGENITER_FRAG		3
#define	IPFGENITER_AUTH		4
#define	IPFGENITER_STATE	5
#define	IPFGENITER_NATFRAG	6
#define	IPFGENITER_HOSTMAP	7
#define	IPFGENITER_LOOKUP	8
 1431 
/*
 * Table request (IPFOBJ_GTABLE): ita_type is an IPFTABLE_* selector,
 * ita_table the caller-supplied destination.
 */
typedef struct	ipftable {
	int	ita_type;	/* IPFTABLE_* */
	void	*ita_table;	/* caller-supplied buffer */
} ipftable_t;
 1436 
/* ita_type values */
#define	IPFTABLE_BUCKETS	1
#define	IPFTABLE_BUCKETS_NATIN	2
#define	IPFTABLE_BUCKETS_NATOUT	3
 1440 
 1441 
/*
 * IPv4 netmask table: one slot per prefix length 0..32 (hence 33 entries).
 */
typedef struct ipf_v4_masktab_s {
	u_32_t	imt4_active[33];	/* mask per prefix length */
	int	imt4_masks[33];		/* per-length usage counts, presumably */
	int	imt4_max;
} ipf_v4_masktab_t;
 1447 
/*
 * IPv6 netmask table: one slot per prefix length 0..128 (hence 129 entries).
 */
typedef struct ipf_v6_masktab_s {
	i6addr_t	imt6_active[129];	/* mask per prefix length */
	int		imt6_masks[129];	/* per-length usage counts, presumably */
	int		imt6_max;
} ipf_v6_masktab_t;
 1453 
 1454 
/*
 * Iteration token: kernel-side bookkeeping for an in-progress iterator,
 * kept on a doubly linked list (ipt_next / ipt_pnext), reference counted
 * and expiring at ipt_die.  ipt_type / ipt_subtype identify the iterator
 * kind; ipt_uid presumably records the owner so tokens are not shared
 * across users — confirm.
 */
typedef struct ipftoken {
	struct ipftoken	*ipt_next;
	struct ipftoken	**ipt_pnext;
	void		*ipt_ctx;
	void		*ipt_data;	/* iterator position */
	u_long		ipt_die;	/* expiry time */
	int		ipt_type;
	int		ipt_uid;
	int		ipt_subtype;
	int		ipt_ref;	/* reference count */
	int		ipt_complete;	/* iteration finished */
} ipftoken_t;
 1470 
 1471 
/*
 * One expression in a rule (IPFOBJ_IPFEXPR): a command (IPF_EXP_* below),
 * negation flag, argument count and size, followed by a variable number of
 * arguments starting at ipfe_arg0 (the [1] is the trailing-array idiom used
 * elsewhere in this header, e.g. fr_names).  Because ipfe_narg and
 * ipfe_size arrive from userland, the consumer must bound them against the
 * object size actually copied in before walking ipfe_arg0.
 */
typedef struct ipfexp {
	int		ipfe_cmd;	/* IPF_EXP_* */
	int		ipfe_not;	/* negate the match */
	int		ipfe_narg;	/* number of arguments following */
	int		ipfe_size;	/* size of this expression */
	int		ipfe_arg0[1];	/* first of ipfe_narg arguments */
} ipfexp_t;
 1482 
 1483 /*
 1484  * Currently supported commands (ipfe_cmd).
 1485  * The 32-bit value is split up as follows:
 1486  *      aabbcccc
 1487  *      aa   = 0 = packet matching, 1 = meta-data matching
 1488  *      bb   = IP protocol number (0x06 = TCP, 0x11 = UDP; 0 for the IP layer itself)
 1489  *      cccc = command
       * IPF_EXP_END is all ones and does not fit the scheme; presumably it is
       * the array terminator — confirm in ipf_matcharray_verify().
 1490  */
 1491 #define IPF_EXP_IP_PR           0x00000001
 1492 #define IPF_EXP_IP_ADDR         0x00000002
 1493 #define IPF_EXP_IP_SRCADDR      0x00000003
 1494 #define IPF_EXP_IP_DSTADDR      0x00000004
 1495 #define IPF_EXP_IP6_ADDR        0x00000005
 1496 #define IPF_EXP_IP6_SRCADDR     0x00000006
 1497 #define IPF_EXP_IP6_DSTADDR     0x00000007
 1498 #define IPF_EXP_TCP_FLAGS       0x00060001
 1499 #define IPF_EXP_TCP_PORT        0x00060002
 1500 #define IPF_EXP_TCP_SPORT       0x00060003
 1501 #define IPF_EXP_TCP_DPORT       0x00060004
 1502 #define IPF_EXP_UDP_PORT        0x00110002
 1503 #define IPF_EXP_UDP_SPORT       0x00110003
 1504 #define IPF_EXP_UDP_DPORT       0x00110004
 1505 #define IPF_EXP_IDLE_GT         0x01000001      /* meta: idle time greater than */
 1506 #define IPF_EXP_TCP_STATE       0x01060002      /* meta: TCP state (protocol byte = TCP) */
 1507 #define IPF_EXP_END             0xffffffff
 1508 
 1509 #define ONE_DAY                 IPF_TTLVAL(1 * 86400)   /* 1 day (86400 s) in IPF_TTLVAL() units; IPF_TTLVAL() is defined outside this header */
 1510 #define FIVE_DAYS               (5 * ONE_DAY)           /* same units as ONE_DAY */
 1511 
 1512 typedef struct ipf_main_softc_s {
      /*
       * Per-instance ipfilter state ("softc").  Created by
       * ipf_main_soft_create()/ipf_create_all(), torn down by
       * ipf_main_soft_destroy()/ipf_destroy_all() (declared below).  Field
       * comments marked "presumably" are inferred from names and from the
       * prototypes in this header, not from code visible here.
       */
 1513         struct ipf_main_softc_s *ipf_next;      /* next instance; presumably only meaningful with INSTANCES (see ipf_find_softc()) */
 1514         ipfmutex_t      ipf_rw;
 1515         ipfmutex_t      ipf_timeoutlock;
 1516         ipfrwlock_t     ipf_mutex;
 1517         ipfrwlock_t     ipf_frag;
 1518         ipfrwlock_t     ipf_global;
 1519         ipfrwlock_t     ipf_tokens;     /* guards the ipf_token_head list — presumably */
 1520         ipfrwlock_t     ipf_state;
 1521         ipfrwlock_t     ipf_nat;
 1522         ipfrwlock_t     ipf_natfrag;
 1523         ipfrwlock_t     ipf_poolrw;
 1524         int             ipf_dynamic_softc;      /* non-zero if this softc was allocated rather than static — presumably */
 1525         int             ipf_refcnt;
 1526         int             ipf_running;
 1527         int             ipf_flags;
 1528         int             ipf_active;     /* index into the [2] rule sets below — presumably */
 1529         int             ipf_control_forwarding;
 1530         int             ipf_update_ipid;        /* when set, ipf_ip_id below is used to rewrite IP IDs — presumably */
 1531         int             ipf_chksrc;     /* causes a system crash if enabled */
 1532         int             ipf_pass;       /* default action for unmatched packets — presumably; verify */
 1533         int             ipf_minttl;
 1534         int             ipf_icmpminfragmtu;
 1535         int             ipf_interror;   /* Should be in a struct that is per  */
 1536                                         /* thread or process. Does not belong */
 1537                                         /* here but there's a lot more work   */
 1538                                         /* in doing that properly. For now,   */
 1539                                         /* it is squatting. */
                                              /* Consequence: concurrent ioctl callers can overwrite
                                               * each other's IPFERROR() value, so the code it
                                               * reports is only reliable for a single caller. */
 1540         u_int           ipf_tcpidletimeout;     /* TCP/UDP/ICMP/IP state timeouts; tunable via ipf_tuners — presumably */
 1541         u_int           ipf_tcpclosewait;
 1542         u_int           ipf_tcplastack;
 1543         u_int           ipf_tcptimewait;
 1544         u_int           ipf_tcptimeout;
 1545         u_int           ipf_tcpsynsent;
 1546         u_int           ipf_tcpsynrecv;
 1547         u_int           ipf_tcpclosed;
 1548         u_int           ipf_tcphalfclosed;
 1549         u_int           ipf_udptimeout;
 1550         u_int           ipf_udpacktimeout;
 1551         u_int           ipf_icmptimeout;
 1552         u_int           ipf_icmpacktimeout;
 1553         u_int           ipf_iptimeout;
 1554         u_int           ipf_large_nat;
 1555         u_long          ipf_ticks;      /* slow-timer tick count — presumably advanced from ipf_slow */
 1556         u_long          ipf_userifqs;
 1557         u_long          ipf_rb_no_mem;  /* rb-tree allocation failures — presumably */
 1558         u_long          ipf_rb_node_max;
 1559         u_long          ipf_frouteok[2];        /* fastroute counters; index meaning not visible here */
 1560         ipftuneable_t   *ipf_tuners;    /* tunable list, see ipf_tune_*() below */
 1561         void            *ipf_frag_soft; /* opaque per-subsystem state, owned by the respective *_soft_create() */
 1562         void            *ipf_nat_soft;
 1563         void            *ipf_state_soft;
 1564         void            *ipf_auth_soft;
 1565         void            *ipf_proxy_soft;
 1566         void            *ipf_sync_soft;
 1567         void            *ipf_lookup_soft;
 1568         void            *ipf_log_soft;  /* created by ipf_log_soft_create() */
 1569         struct frgroup  *ipf_groups[IPL_LOGSIZE][2];
 1570         frentry_t       *ipf_rules[2][2];       /* [set][in/out]? index meaning not visible here — confirm */
 1571         frentry_t       *ipf_acct[2][2];
 1572         frentry_t       *ipf_rule_explist[2];   /* rules with expiry, see ipf_rule_expire() — presumably */
 1573         ipftoken_t      *ipf_token_head;        /* list of outstanding ipftoken_t, tail pointer for O(1) append */
 1574         ipftoken_t      **ipf_token_tail;
      /*
       * NOTE(review): ipf_slow_ch is declared twice with identical type under
       * the FreeBSD and NetBSD conditions below; this relies on the two
       * conditions never holding at once.
       */
 1575 #if defined(__FreeBSD__) && defined(_KERNEL)
 1576         struct callout ipf_slow_ch;
 1577 #endif
 1578 #if NETBSD_GE_REV(104040000)
 1579         struct callout  ipf_slow_ch;
 1580 #endif
 1581 #if SOLARIS
 1582         timeout_id_t    ipf_slow_ch;
 1583 #endif
 1584 #if defined(_KERNEL)
 1585 # if SOLARIS
 1586         struct pollhead ipf_poll_head[IPL_LOGSIZE];
 1587         void            *ipf_dip;
 1588 #  if defined(INSTANCES)
 1589         int             ipf_get_loopback;
 1590         u_long          ipf_idnum;
 1591         net_handle_t    ipf_nd_v4;
 1592         net_handle_t    ipf_nd_v6;
 1593         hook_t          *ipf_hk_v4_in;
 1594         hook_t          *ipf_hk_v4_out;
 1595         hook_t          *ipf_hk_v4_nic;
 1596         hook_t          *ipf_hk_v6_in;
 1597         hook_t          *ipf_hk_v6_out;
 1598         hook_t          *ipf_hk_v6_nic;
 1599         hook_t          *ipf_hk_loop_v4_in;
 1600         hook_t          *ipf_hk_loop_v4_out;
 1601         hook_t          *ipf_hk_loop_v6_in;
 1602         hook_t          *ipf_hk_loop_v6_out;
 1603 #  endif
 1604 # else
 1605         struct selinfo  ipf_selwait[IPL_LOGSIZE];       /* poll/select state, one per log device — presumably */
 1606 # endif
 1607 #endif
 1608         void            *ipf_slow;
 1609         ipf_statistics_t ipf_stats[2];
 1610         u_char          ipf_iss_secret[32];     /* NOTE(review): secret material, presumably keyed into ipf_newisn(); must never reach a copyout/statistics path */
 1611         u_short         ipf_ip_id;      /* rolling IP ID used when ipf_update_ipid is set — presumably */
 1612 } ipf_main_softc_t;
 1613 
 1614 #define IPFERROR(_e)    do { softc->ipf_interror = (_e); /* unhygienic: needs a `softc` in the caller's scope */ \
 1615                              DT1(user_error, int, _e); /* DTrace probe; `_e` is evaluated a second time here */ \
 1616                         } while (0)     /* record the error code an ioctl will report; see ipf_interror */
 1617 
 1618 #ifndef _KERNEL /* user-land build: stand-ins for what the kernel otherwise provides */
 1619 extern  int     ipf_check(void *, struct ip *, int, struct ifnet *, int, mb_t **);
 1620 extern  struct  ifnet *get_unit(char *, int);
 1621 extern  char    *get_ifname(struct ifnet *);
 1622 extern  int     ipfioctl(ipf_main_softc_t *, int, ioctlcmd_t,
 1623                               caddr_t, int);
 1624 extern  void    m_freem(mb_t *);
 1625 extern  size_t  msgdsize(mb_t *);
 1626 extern  int     bcopywrap(void *, void *, size_t);
 1627 extern  void    ip_fillid(struct ip *);
 1628 #else /* #ifndef _KERNEL */
 1629 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
 1630 extern  void    ipfilterattach(int);
 1631 # endif
 1632 extern  int     ipl_enable(void);
 1633 extern  int     ipl_disable(void);
 1634 # if SOLARIS
 1635 extern  int     ipf_check(void *, struct ip *, int, struct ifnet *, int, void *,
 1636                                mblk_t **);
 1637 #  if SOLARIS   /* redundant: already inside "# if SOLARIS" above */
 1638 extern  void    ipf_prependmbt(fr_info_t *, mblk_t *);
 1639 extern  int     ipfioctl(dev_t, int, intptr_t, int, cred_t *, int *);
 1640 #  endif
 1641 extern  int     ipf_qout(queue_t *, mblk_t *);
 1642 # else /* SOLARIS */
 1643 extern  int     ipf_check(void *, struct ip *, int, struct ifnet *, int, mb_t **);
 1644 extern  int     (*fr_checkp)(ip_t *, int, void *, int, mb_t **);
 1645 extern  size_t  mbufchainlen(mb_t *);
 1646 #  ifdef        IPFILTER_LKM
 1647 extern  int     ipf_identify(char *);
 1648 #  endif
 1649 #  if defined(__FreeBSD__)
 1650 extern  int     ipfioctl(struct cdev*, u_long, caddr_t, int, struct thread *);    /* ioctl entry: cmd, user arg, flags, calling thread */
 1651 #  elif defined(__NetBSD__)
 1652 extern  int     ipfioctl(dev_t, u_long, void *, int, struct lwp *);
 1653 #  endif
 1654 # endif /* SOLARIS */
 1655 
 1656 # if defined(__FreeBSD__)
 1657 extern  int     ipf_pfil_hook(void);    /* attach/detach the pfil packet hooks */
 1658 extern  int     ipf_pfil_unhook(void);
 1659 extern  void    ipf_event_reg(void);    /* register/deregister kernel event handlers */
 1660 extern  void    ipf_event_dereg(void);
 1661 extern  void    ipf_fbsd_kenv_get(ipf_main_softc_t *);  /* read boot-time settings from the kernel environment — presumably */
 1662 # endif
 1663 
 1664 # if defined(INSTANCES)
 1665 extern  ipf_main_softc_t        *ipf_find_softc(u_long);
 1666 extern  int     ipf_set_loopback(ipf_main_softc_t *, ipftuneable_t *,
 1667                                       ipftuneval_t *);
 1668 # endif
 1669 
 1670 #endif /* #ifndef _KERNEL */
 1671 
 1672 extern  char    *memstr(const char *, char *, size_t, size_t);
 1673 extern  int     count4bits(u_32_t);     /* population count of a v4/v6 mask — presumably */
 1674 #ifdef USE_INET6
 1675 extern  int     count6bits(u_32_t *);
 1676 #endif
 1677 extern  int     frrequest(ipf_main_softc_t *, int, ioctlcmd_t, caddr_t,
 1678                                int, int);
 1679 extern  char    *getifname(struct ifnet *);
 1680 extern  int     ipfattach(ipf_main_softc_t *);
 1681 extern  int     ipfdetach(ipf_main_softc_t *);
 1682 extern  u_short ipf_cksum(u_short *, int);
      /*
       * User/kernel data movement.  Everything below that takes a caddr_t or an
       * ipfobj_t is handling an ioctl argument from user space; sizes and object
       * types it carries are attacker-controlled until checked.  Presumably
       * copyinptr()/copyoutptr() wrap copyin()/copyout() and ipf_inobj*()
       * validates the ipfobj_t size/type before copying — confirm in ip_fil.c.
       */
 1683 extern  int     copyinptr(ipf_main_softc_t *, void *, void *, size_t);
 1684 extern  int     copyoutptr(ipf_main_softc_t *, void *, void *, size_t);
 1685 extern  int     ipf_fastroute(mb_t *, mb_t **, fr_info_t *, frdest_t *);
 1686 extern  int     ipf_inject(fr_info_t *, mb_t *);
 1687 extern  int     ipf_inobj(ipf_main_softc_t *, void *, ipfobj_t *,
 1688                                void *, int);
 1689 extern  int     ipf_inobjsz(ipf_main_softc_t *, void *, void *,
 1690                                  int , int);
 1691 extern  int     ipf_ioctlswitch(ipf_main_softc_t *, int, void *,
 1692                                      ioctlcmd_t, int, int, void *);
 1693 extern  int     ipf_ipf_ioctl(ipf_main_softc_t *, caddr_t, ioctlcmd_t,
 1694                                    int, int, void *);
 1695 extern  int     ipf_ipftune(ipf_main_softc_t *, ioctlcmd_t, void *);
      /* Match arrays (ipfexp_t records): ipf_matcharray_verify() must accept an
       * array before anything walks it, since the records carry their own
       * lengths (see ipfexp_t above). */
 1696 extern  int     ipf_matcharray_load(ipf_main_softc_t *, caddr_t,
 1697                                          ipfobj_t *, int **);
 1698 extern  int     ipf_matcharray_verify(int *, int);
 1699 extern  int     ipf_outobj(ipf_main_softc_t *, void *, void *, int);
 1700 extern  int     ipf_outobjk(ipf_main_softc_t *, ipfobj_t *, void *);
 1701 extern  int     ipf_outobjsz(ipf_main_softc_t *, void *, void *,
 1702                                   int, int);
 1703 extern  void    *ipf_pullup(mb_t *, fr_info_t *, int);  /* make the requested length contiguous; returns NULL on failure — presumably */
 1704 extern  int     ipf_resolvedest(ipf_main_softc_t *, char *,
 1705                                      struct frdest *, int);
 1706 extern  int     ipf_resolvefunc(ipf_main_softc_t *, void *);
 1707 extern  void    *ipf_resolvenic(ipf_main_softc_t *, char *, int);
 1708 extern  int     ipf_send_icmp_err(int, fr_info_t *, int);       /* active responses (ICMP error / TCP RST) to a filtered packet */
 1709 extern  int     ipf_send_reset(fr_info_t *);
 1710 extern  void    ipf_apply_timeout(ipftq_t *, u_int);
 1711 extern  ipftq_t *ipf_addtimeoutqueue(ipf_main_softc_t *, ipftq_t **,
 1712                                           u_int);
 1713 extern  void    ipf_deletequeueentry(ipftqent_t *);
 1714 extern  int     ipf_deletetimeoutqueue(ipftq_t *);
 1715 extern  void    ipf_freetimeoutqueue(ipf_main_softc_t *, ipftq_t *);
 1716 extern  void    ipf_movequeue(u_long, ipftqent_t *, ipftq_t *,
 1717                                    ipftq_t *);
 1718 extern  void    ipf_queueappend(u_long, ipftqent_t *, ipftq_t *, void *);
 1719 extern  void    ipf_queueback(u_long, ipftqent_t *);
 1720 extern  int     ipf_queueflush(ipf_main_softc_t *, ipftq_delete_fn_t,
 1721                                     ipftq_t *, ipftq_t *, u_int *, int, int);
 1722 extern  void    ipf_queuefront(ipftqent_t *);
 1723 extern  int     ipf_settimeout_tcp(ipftuneable_t *, ipftuneval_t *,
 1724                                         ipftq_t *);
 1725 extern  int     ipf_checkv4sum(fr_info_t *);    /* IP / transport checksum verification */
 1726 extern  int     ipf_checkl4sum(fr_info_t *);
 1727 extern  int     ipf_ifpfillv4addr(int, struct sockaddr_in *,
 1728                                       struct sockaddr_in *, struct in_addr *,
 1729                                       struct in_addr *);
 1730 extern  int     ipf_coalesce(fr_info_t *);
 1731 #ifdef  USE_INET6
 1732 extern  int     ipf_checkv6sum(fr_info_t *);
 1733 extern  int     ipf_ifpfillv6addr(int, struct sockaddr_in6 *,
 1734                                       struct sockaddr_in6 *, i6addr_t *,
 1735                                       i6addr_t *);
 1736 #endif
 1737 
      /* Tunable (runtime-settable parameter) registration; entries hang off softc->ipf_tuners. */
 1738 extern  int     ipf_tune_add(ipf_main_softc_t *, ipftuneable_t *);
 1739 extern  int     ipf_tune_add_array(ipf_main_softc_t *, ipftuneable_t *);
 1740 extern  int     ipf_tune_del(ipf_main_softc_t *, ipftuneable_t *);
 1741 extern  int     ipf_tune_del_array(ipf_main_softc_t *, ipftuneable_t *);
 1742 extern  int     ipf_tune_array_link(ipf_main_softc_t *, ipftuneable_t *);
 1743 extern  int     ipf_tune_array_unlink(ipf_main_softc_t *,
 1744                                            ipftuneable_t *);
 1745 extern  ipftuneable_t *ipf_tune_array_copy(void *, size_t,
 1746                                                 ipftuneable_t *);
 1747 
 1748 extern int      ipf_pr_pullup(fr_info_t *, int);
 1749 
      /* Rule groups: softc->ipf_groups is indexed by unit (IPL_LOGSIZE) and set. */
 1750 extern  int     ipf_flush(ipf_main_softc_t *, minor_t, int);
 1751 extern  frgroup_t *ipf_group_add(ipf_main_softc_t *, char *, void *,
 1752                                       u_32_t, minor_t, int);
 1753 extern  void    ipf_group_del(ipf_main_softc_t *, frgroup_t *,
 1754                                    frentry_t *);
 1755 extern  int     ipf_derefrule(ipf_main_softc_t *, frentry_t **);
 1756 extern  frgroup_t *ipf_findgroup(ipf_main_softc_t *, char *, minor_t,
 1757                                       int, frgroup_t ***);
 1758 
      /* Packet logging (ipl devices); the per-softc log state is softc->ipf_log_soft. */
 1759 extern  int     ipf_log_init(void);
 1760 extern  int     ipf_log_bytesused(ipf_main_softc_t *, int);
 1761 extern  int     ipf_log_canread(ipf_main_softc_t *, int);
 1762 extern  int     ipf_log_clear(ipf_main_softc_t *, minor_t);
 1763 extern  u_long  ipf_log_failures(ipf_main_softc_t *, int);
 1764 extern  int     ipf_log_read(ipf_main_softc_t *, minor_t, uio_t *);
 1765 extern  int     ipf_log_items(ipf_main_softc_t *, int, fr_info_t *,
 1766                                    void **, size_t *, int *, int);
 1767 extern  u_long  ipf_log_logok(ipf_main_softc_t *, int);
 1768 extern  void    ipf_log_unload(ipf_main_softc_t *);
 1769 extern  int     ipf_log_pkt(fr_info_t *, u_int);
 1770 
 1771 extern  frentry_t       *ipf_acctpkt(fr_info_t *, u_32_t *);
 1772 extern  u_short         fr_cksum(fr_info_t *, ip_t *, int, void *);
 1773 extern  void            ipf_deinitialise(ipf_main_softc_t *);
 1774 extern  int             ipf_deliverlocal(ipf_main_softc_t *, int, void *,
 1775                                               i6addr_t *);
 1776 extern  frentry_t       *ipf_dstgrpmap(fr_info_t *, u_32_t *);
 1777 extern  void            ipf_fixskip(frentry_t **, frentry_t *, int);
 1778 extern  void            ipf_forgetifp(ipf_main_softc_t *, void *);      /* drop cached references to an interface that is going away — presumably */
 1779 extern  frentry_t       *ipf_getrulen(ipf_main_softc_t *, int, char *,
 1780                                            u_32_t);
 1781 extern  int             ipf_ifpaddr(ipf_main_softc_t *, int, int, void *,
 1782                                         i6addr_t *, i6addr_t *);
 1783 extern  void            ipf_inet_mask_add(int, ipf_v4_masktab_t *);
 1784 extern  void            ipf_inet_mask_del(int, ipf_v4_masktab_t *);
 1785 #ifdef  USE_INET6
 1786 extern  void            ipf_inet6_mask_add(int, i6addr_t *,
 1787                                                 ipf_v6_masktab_t *);
 1788 extern  void            ipf_inet6_mask_del(int, i6addr_t *,
 1789                                                 ipf_v6_masktab_t *);
 1790 #endif
 1791 extern  int             ipf_initialise(void);
 1792 extern  int             ipf_lock(caddr_t, int *);
 1793 extern  int             ipf_makefrip(int, ip_t *, fr_info_t *);  /* build the fr_info_t packet summary from a raw header; this is the parser that all later matching trusts */
 1794 extern  int             ipf_matchtag(ipftag_t *, ipftag_t *);
 1795 extern  int             ipf_matchicmpqueryreply(int, icmpinfo_t *,
 1796                                                      struct icmp *, int);
      /* NOTE(review): ipf_newisn() presumably derives TCP ISNs from
       * softc->ipf_iss_secret and ipf_random() feeds other unpredictable values;
       * the quality of both sources matters for sequence-number guessing
       * resistance — confirm their implementation in fil.c. */
 1797 extern  u_32_t          ipf_newisn(fr_info_t *);
 1798 extern  u_int           ipf_pcksum(fr_info_t *, int, u_int);
 1799 #ifdef  USE_INET6
 1800 extern  u_int           ipf_pcksum6(struct mbuf *, ip6_t *,
 1801                                                 u_int32_t, u_int32_t);
 1802 #endif
 1803 extern  void            ipf_rule_expire(ipf_main_softc_t *);
 1804 extern  int             ipf_scanlist(fr_info_t *, u_32_t);
 1805 extern  frentry_t       *ipf_srcgrpmap(fr_info_t *, u_32_t *);
 1806 extern  int             ipf_tcpudpchk(fr_ip_t *, frtuc_t *);
 1807 extern  int             ipf_verifysrc(fr_info_t *fin);     /* reverse-path check of the source address — presumably what ipf_chksrc enables */
 1808 extern  int             ipf_zerostats(ipf_main_softc_t *, char *);
 1809 extern  int             ipf_getnextrule(ipf_main_softc_t *, ipftoken_t *,
 1810                                              void *);
 1811 extern  int             ipf_sync(ipf_main_softc_t *, void *);
      /* ipftoken_t lifecycle (see the struct above). */
 1812 extern  int             ipf_token_deref(ipf_main_softc_t *, ipftoken_t *);
 1813 extern  void            ipf_token_expire(ipf_main_softc_t *);
 1814 extern  ipftoken_t      *ipf_token_find(ipf_main_softc_t *, int, int,
 1815                                             void *);
 1816 extern  int             ipf_token_del(ipf_main_softc_t *, int, int,
 1817                                           void *);
 1818 extern  void            ipf_token_mark_complete(ipftoken_t *);
 1819 extern  int             ipf_genericiter(ipf_main_softc_t *, void *,
 1820                                              int, void *);
 1821 #ifdef  IPFILTER_LOOKUP
 1822 extern  void            *ipf_resolvelookup(int, u_int, u_int,
 1823                                                 lookupfunc_t *);
 1824 #endif
 1825 extern  u_32_t          ipf_random(void);
 1826 
      /* Module / instance lifecycle, in call order: *_load -> *_create -> *_init
       * -> ... -> *_fini -> *_destroy -> *_unload (order inferred from names). */
 1827 extern  int             ipf_main_load(void);
 1828 extern  void            *ipf_main_soft_create(void *);
 1829 extern  void            ipf_main_soft_destroy(ipf_main_softc_t *);
 1830 extern  int             ipf_main_soft_init(ipf_main_softc_t *);
 1831 extern  int             ipf_main_soft_fini(ipf_main_softc_t *);
 1832 extern  int             ipf_main_unload(void);
 1833 extern  int             ipf_load_all(void);
 1834 extern  int             ipf_unload_all(void);
 1835 extern  void            ipf_destroy_all(ipf_main_softc_t *);
 1836 extern  ipf_main_softc_t *ipf_create_all(void *);
 1837 extern  int             ipf_init_all(ipf_main_softc_t *);
 1838 extern  int             ipf_fini_all(ipf_main_softc_t *);
 1839 extern  void            ipf_log_soft_destroy(ipf_main_softc_t *, void *);
 1840 extern  void            *ipf_log_soft_create(ipf_main_softc_t *);
 1841 extern  int             ipf_log_soft_init(ipf_main_softc_t *, void *);
 1842 extern  int             ipf_log_soft_fini(ipf_main_softc_t *, void *);
 1843 extern  int             ipf_log_main_load(void);
 1844 extern  int             ipf_log_main_unload(void);
 1845 
 1846 
 1847 extern  char    ipfilter_version[];
 1848 #ifdef  USE_INET6
      /* ICMPv4 <-> ICMPv6 type translation tables; sized by the ICMP*_MAX* limits
       * so a caller must bound the index by the same constant before lookup. */
 1849 extern  int     icmptoicmp6types[ICMP_MAXTYPE+1];
 1850 extern  int     icmptoicmp6unreach[ICMP_MAX_UNREACH];
 1851 extern  int     icmpreplytype6[ICMP6_MAXTYPE + 1];
 1852 #endif
 1853 #ifdef  IPFILTER_COMPAT
      /* Translation of older ipfobj_t layouts; another path that parses
       * user-supplied sizes — presumably mirrors ipf_inobj()/ipf_outobj(). */
 1854 extern  int     ipf_in_compat(ipf_main_softc_t *, ipfobj_t *, void *,int);
 1855 extern  int     ipf_out_compat(ipf_main_softc_t *, ipfobj_t *, void *);
 1856 #endif
 1857 extern  int     icmpreplytype4[ICMP_MAXTYPE + 1];
 1858 
      /* Host tracking (red-black tree, see ipf_rb.h). */
 1859 extern  int     ipf_ht_node_add(ipf_main_softc_t *, host_track_t *,
 1860                                      int, i6addr_t *);
 1861 extern  int     ipf_ht_node_del(host_track_t *, int, i6addr_t *);
 1862 extern  void    ipf_rb_ht_flush(host_track_t *);
 1863 extern  void    ipf_rb_ht_freenode(host_node_t *, void *);
 1864 extern  void    ipf_rb_ht_init(host_track_t *);
 1865 
 1866 #endif  /* __IP_FIL_H__ */




