URL https://opencores.org/ocsvn/openrisc/openrisc/trunk

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-old/] [newlib-1.17.0/] [newlib/] [libc/] [sys/] [linux/] [include/] [netinet/] [ip_fw.h] - Blame information for rev 816

Details | Compare with Previous | View Log


/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.66 2002/05/09 10:34:57 luigi Exp $
 */
 
#ifndef _IP_FW_H
#define _IP_FW_H
 
#include <sys/queue.h>
 
/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 indicates matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */
 
union ip_fw_if {
        struct in_addr  fu_via_ip;      /* Specified by IP address */
        struct {                        /* Specified by interface name */
#define FW_IFNLEN       10              /* need room ! was IFNAMSIZ */
                char    name[FW_IFNLEN];
                short   unit;           /* -1 means match any unit */
        } fu_via_if;
};
 
/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */
 
/*
 * To match MAC headers:
 *     12 bytes at fw_mac_hdr contain the dst-src MAC address after masking.
 *     12 bytes at fw_mac_mask contain the mask to apply to dst-src
 *     2 bytes at fw_mac_type contain the mac type after mask (in net format)
 *     2 bytes at fw_mac_type_mask contain the mac type mask
 *         If IP_FW_F_SRNG, the two contain the low-high of a range of types.
 *     IP_FW_F_DRNG is used to indicare we want to match a vlan.
 */
#define fw_mac_hdr              fw_src
#define fw_mac_mask             fw_uar
#define fw_mac_type             fw_iplen
#define fw_mac_mask_type        fw_ipid
 
struct ip_fw {
        LIST_ENTRY(ip_fw) next;         /* bidirectional list of rules */
        u_int           fw_flg;         /* Operational Flags word */
        u_int64_t       fw_pcnt;        /* Packet counters */
        u_int64_t       fw_bcnt;        /* Byte counters */
 
        struct in_addr  fw_src;         /* Source IP address */
        struct in_addr  fw_dst;         /* Destination IP address */
        struct in_addr  fw_smsk;        /* Mask for source IP address */
        struct in_addr  fw_dmsk;        /* Mask for destination address */
        u_short         fw_number;      /* Rule number */
        u_char          fw_prot;        /* IP protocol */
#if 1
        u_char          fw_nports;      /* # of src/dst port in array */
#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \
                                            (rule)->fw_nports &= ~0x0f; \
                                            (rule)->fw_nports |= (n);   \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                              \
                                            (rule)->fw_nports &= ~0xf0;   \
                                            (rule)->fw_nports |= (n) << 4;\
                                        } while (0)
#define IP_FW_HAVEPORTS(rule)           ((rule)->fw_nports != 0)
#else
        u_char          __pad[1];
        u_int           _nsrcp;
        u_int           _ndstp;
#define IP_FW_GETNSRCP(rule)            (rule)->_nsrcp
#define IP_FW_SETNSRCP(rule,n)          (rule)->_nsrcp = n
#define IP_FW_GETNDSTP(rule)            (rule)->_ndstp
#define IP_FW_SETNDSTP(rule,n)          (rule)->_ndstp = n
#define IP_FW_HAVEPORTS(rule)           ((rule)->_ndstp + (rule)->_nsrcp != 0)
#endif
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
    union {
        u_short         fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
#define IP_FW_ICMPTYPES_MAX     128
#define IP_FW_ICMPTYPES_DIM     (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
        unsigned        fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
    } fw_uar;
 
        u_int           fw_ipflg;       /* IP flags word */
        u_short         fw_iplen;       /* IP length */
        u_short         fw_ipid;        /* Identification */
        u_char          fw_ipopt;       /* IP options set */
        u_char          fw_ipnopt;      /* IP options unset */
        u_char          fw_iptos;       /* IP type of service set */
        u_char          fw_ipntos;      /* IP type of service unset */
        u_char          fw_ipttl;       /* IP time to live */
        u_int           fw_ipver:4;     /* IP version */
        u_char          fw_tcpopt;      /* TCP options set */
        u_char          fw_tcpnopt;     /* TCP options unset */
        u_char          fw_tcpf;        /* TCP flags set */
        u_char          fw_tcpnf;       /* TCP flags unset */
        u_short         fw_tcpwin;      /* TCP window size */
        u_int32_t       fw_tcpseq;      /* TCP sequence */
        u_int32_t       fw_tcpack;      /* TCP acknowledgement */
        long            timestamp;      /* timestamp (tv_sec) of last match */
        union ip_fw_if  fw_in_if;       /* Incoming interfaces */
        union ip_fw_if  fw_out_if;      /* Outgoing interfaces */
    union {
        u_short         fu_divert_port; /* Divert/tee port (options IPDIVERT) */
        u_short         fu_pipe_nr;     /* queue number (option DUMMYNET) */
        u_short         fu_skipto_rule; /* SKIPTO command rule number */
        u_short         fu_reject_code; /* REJECT response code */
        struct sockaddr_in fu_fwd_ip;
    } fw_un;
        void            *pipe_ptr;      /* flow_set ptr for dummynet pipe */
        void            *next_rule_ptr; /* next rule in case of match */
        uid_t           fw_uid;         /* uid to match */
        gid_t           fw_gid;         /* gid to match */
        int             fw_logamount;   /* amount to log */
        u_int64_t       fw_loghighest;  /* highest number packet to log */
 
        long            dont_match_prob; /* 0x7fffffff means 1.0, always fail */
        u_char          dyn_type;       /* type for dynamic rule */
 
#define DYN_KEEP_STATE  0        /* type for keep-state rules    */
#define DYN_LIMIT       1       /* type for limit connection rules */
#define DYN_LIMIT_PARENT 2      /* parent entry for limit connection rules */
 
        /* following two fields are used to limit number of connections
         * basing on either src, srcport, dst, dstport.
         */
        u_char          limit_mask;     /* mask type for limit rule, can
                                         * have many.
                                         */
#define DYN_SRC_ADDR    0x1
#define DYN_SRC_PORT    0x2
#define DYN_DST_ADDR    0x4
#define DYN_DST_PORT    0x8
 
        u_short         conn_limit;     /* # of connections for limit rule */
};
 
#define fw_divert_port  fw_un.fu_divert_port
#define fw_skipto_rule  fw_un.fu_skipto_rule
#define fw_reject_code  fw_un.fu_reject_code
#define fw_pipe_nr      fw_un.fu_pipe_nr
#define fw_fwd_ip       fw_un.fu_fwd_ip
 
/*
 *
 *   rule_ptr  -------------+
 *                          V
 *     [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
 *     [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
 *     [ <ip_fw> body ]     [ <ip_fw> body ]     [ <ip_fw> body ]
 *
 */
 
/*
 * Flow mask/flow id for each queue.
 */
struct ipfw_flow_id {
        u_int32_t       dst_ip;
        u_int32_t       src_ip;
        u_int16_t       dst_port;
        u_int16_t       src_port;
        u_int8_t        proto;
        u_int8_t        flags;  /* protocol-specific flags */
};
 
/*
 * dynamic ipfw rule
 */
struct ipfw_dyn_rule {
        struct ipfw_dyn_rule *next;
        struct ipfw_flow_id id;         /* (masked) flow id */
        struct ip_fw    *rule;          /* pointer to rule */
        struct ipfw_dyn_rule *parent;   /* pointer to parent rule */
        u_int32_t       expire;         /* expire time */
        u_int64_t       pcnt;           /* packet match counters */
        u_int64_t       bcnt;           /* byte match counters */
        u_int32_t       bucket;         /* which bucket in hash table */
        u_int32_t       state;          /* state of this rule (typically a
                                         * combination of TCP flags)
                                         */
        u_int16_t       dyn_type;       /* rule type */
        u_int16_t       count;          /* refcount */
};
 
/*
 * Values for "flags" field .
 */
#define IP_FW_F_COMMAND 0x000000ff      /* Mask for type of chain entry: */
#define IP_FW_F_DENY    0x00000000      /* This is a deny rule */
#define IP_FW_F_REJECT  0x00000001      /* Deny and send a response packet */
#define IP_FW_F_ACCEPT  0x00000002      /* This is an accept rule */
#define IP_FW_F_COUNT   0x00000003      /* This is a count rule */
#define IP_FW_F_DIVERT  0x00000004      /* This is a divert rule */
#define IP_FW_F_TEE     0x00000005      /* This is a tee rule */
#define IP_FW_F_SKIPTO  0x00000006      /* This is a skipto rule */
#define IP_FW_F_FWD     0x00000007      /* This is a "change forwarding
                                         * address" rule
                                         */
#define IP_FW_F_PIPE    0x00000008      /* This is a dummynet rule */
#define IP_FW_F_QUEUE   0x00000009      /* This is a dummynet queue */
 
#define IP_FW_F_IN      0x00000100      /* Check inbound packets */
#define IP_FW_F_OUT     0x00000200      /* Check outbound packets */
#define IP_FW_F_IIFACE  0x00000400      /* Apply inbound interface test */
#define IP_FW_F_OIFACE  0x00000800      /* Apply outbound interface test */
#define IP_FW_F_PRN     0x00001000      /* Print if this rule matches */
#define IP_FW_F_SRNG    0x00002000      /* The first two src ports are a min
                                         * and max range (stored in host byte
                                         * order).
                                         */
#define IP_FW_F_DRNG    0x00004000      /* The first two dst ports are a min
                                         * and max range (stored in host byte
                                         * order).
                                         */
#define IP_FW_F_FRAG    0x00008000      /* Fragment */
#define IP_FW_F_IIFNAME 0x00010000      /* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME 0x00020000      /* Out interface by name/unit (not IP)*/
#define IP_FW_F_INVSRC  0x00040000      /* Invert sense of src check */
#define IP_FW_F_INVDST  0x00080000      /* Invert sense of dst check */
#define IP_FW_F_ICMPBIT 0x00100000      /* ICMP type bitmap is valid */
#define IP_FW_F_UID     0x00200000      /* filter by uid */
#define IP_FW_F_GID     0x00400000      /* filter by gid */
#define IP_FW_F_RND_MATCH 0x00800000    /* probabilistic rule match */
#define IP_FW_F_SMSK    0x01000000      /* src-port + mask */
#define IP_FW_F_DMSK    0x02000000      /* dst-port + mask */
#define IP_FW_BRIDGED   0x04000000      /* only match bridged packets */
#define IP_FW_F_KEEP_S  0x08000000      /* keep state */
#define IP_FW_F_CHECK_S 0x10000000      /* check state */
#define IP_FW_F_SME     0x20000000      /* source = me */
#define IP_FW_F_DME     0x40000000      /* destination = me */
#define IP_FW_F_MAC     0x80000000      /* match MAC header */
 
#define IP_FW_F_MASK    0xFFFFFFFF      /* All possible flag bits mask */
 
/*
 * Flags for the 'fw_ipflg' field, for comparing values
 * of ip and its protocols.
 */
#define IP_FW_IF_TCPOPT 0x00000001      /* tcp options */
#define IP_FW_IF_TCPFLG 0x00000002      /* tcp flags */
#define IP_FW_IF_TCPSEQ 0x00000004      /* tcp sequence number */
#define IP_FW_IF_TCPACK 0x00000008      /* tcp acknowledgement number */
#define IP_FW_IF_TCPWIN 0x00000010      /* tcp window size */
#define IP_FW_IF_TCPEST 0x00000020      /* established TCP connection */
#define IP_FW_IF_TCPMSK 0x0000003f      /* mask of all tcp values */
#define IP_FW_IF_IPOPT  0x00000100      /* ip options */
#define IP_FW_IF_IPLEN  0x00000200      /* ip length */
#define IP_FW_IF_IPID   0x00000400      /* ip identification */
#define IP_FW_IF_IPTOS  0x00000800      /* ip type of service */
#define IP_FW_IF_IPTTL  0x00001000      /* ip time to live */
#define IP_FW_IF_IPVER  0x00002000      /* ip version */
#define IP_FW_IF_IPPRE  0x00004000      /* ip precedence */
#define IP_FW_IF_IPMSK  0x00007f00      /* mask of all ip values */
#define IP_FW_IF_MSK    0x0000ffff      /* All possible bits mask */
 
/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 */
 
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
 
/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IP_FW_REJECT_RST        0x0100  /* TCP packets: send RST */
 
/*
 * Definitions for IP option names.
 */
#define IP_FW_IPOPT_LSRR        0x01
#define IP_FW_IPOPT_SSRR        0x02
#define IP_FW_IPOPT_RR          0x04
#define IP_FW_IPOPT_TS          0x08
 
/*
 * Definitions for TCP option names.
 */
#define IP_FW_TCPOPT_MSS        0x01
#define IP_FW_TCPOPT_WINDOW     0x02
#define IP_FW_TCPOPT_SACK       0x04
#define IP_FW_TCPOPT_TS         0x08
#define IP_FW_TCPOPT_CC         0x10
 
/*
 * Definitions for TCP flags.
 */
#define IP_FW_TCPF_FIN          TH_FIN
#define IP_FW_TCPF_SYN          TH_SYN
#define IP_FW_TCPF_RST          TH_RST
#define IP_FW_TCPF_PSH          TH_PUSH
#define IP_FW_TCPF_ACK          TH_ACK
#define IP_FW_TCPF_URG          TH_URG
 
/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef _KERNEL
 
#define IP_FW_PORT_DYNT_FLAG    0x10000
#define IP_FW_PORT_TEE_FLAG     0x20000
#define IP_FW_PORT_DENY_FLAG    0x40000
 
/*
 * Function definitions.
 */
void ip_fw_init(void);
 
/* Firewall hooks */
struct ip;
struct sockopt;
typedef int ip_fw_chk_t (struct mbuf **m, struct ifnet *oif,
    u_int16_t *cookie, struct ip_fw **rule, struct sockaddr_in **next_hop);
typedef int ip_fw_ctl_t (struct sockopt *);
extern ip_fw_chk_t *ip_fw_chk_ptr;
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
extern int fw_one_pass;
extern int fw_enable;
extern struct ipfw_flow_id last_pkt;
#define IPFW_LOADED     (ip_fw_chk_ptr != NULL)
#endif /* _KERNEL */
 
#endif /* _IP_FW_H */

Browse

Tools

Subversion Repositories openrisc

[/] [openrisc/] [trunk/] [gnu-old/] [newlib-1.17.0/] [newlib/] [libc/] [sys/] [linux/] [include/] [netinet/] [ip_fw.h] - Blame information for rev 816

Line No.	Rev	Author	Line
1	148	jeremybenn	`/*`
2			`* Copyright (c) 1993 Daniel Boulet`
3			`* Copyright (c) 1994 Ugen J.S.Antsilevich`
4			`*`
5			`* Redistribution and use in source forms, with and without modification,`
6			`* are permitted provided that this entire comment appears intact.`
7			`*`
8			`* Redistribution in binary form may occur without any restrictions.`
9			`* Obviously, it would be nice if you gave credit where credit is due`
10			`* but requiring it would be too onerous.`
11			`*`
12			* This software is provided ``AS IS'' without any warranties of any kind.
13			`*`
14			`* $FreeBSD: src/sys/netinet/ip_fw.h,v 1.66 2002/05/09 10:34:57 luigi Exp $`
15			`*/`
16
17			`#ifndef _IP_FW_H`
18			`#define _IP_FW_H`
19
20			`#include <sys/queue.h>`
21
22			`/*`
23			`* This union structure identifies an interface, either explicitly`
24			`* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME`
25			`* and IP_FW_F_OIFNAME say how to interpret this structure. An`
26			`* interface unit number of -1 matches any unit number, while an`
27			`* IP address of 0.0.0.0 indicates matches any interface.`
28			`*`
29			`* The receive and transmit interfaces are only compared against the`
30			`* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)`
31			`* is set. Note some packets lack a receive or transmit interface`
32			`* (in which case the missing "interface" never matches).`
33			`*/`
34
35			`union ip_fw_if {`
36			`struct in_addr fu_via_ip; /* Specified by IP address */`
37			`struct { /* Specified by interface name */`
38			`#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */`
39			`char name[FW_IFNLEN];`
40			`short unit; /* -1 means match any unit */`
41			`} fu_via_if;`
42			`};`
43
44			`/*`
45			`* Format of an IP firewall descriptor`
46			`*`
47			`* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.`
48			`* fw_flg and fw_n*p are stored in host byte order (of course).`
49			`* Port numbers are stored in HOST byte order.`
50			`*/`
51
52			`/*`
53			`* To match MAC headers:`
54			`* 12 bytes at fw_mac_hdr contain the dst-src MAC address after masking.`
55			`* 12 bytes at fw_mac_mask contain the mask to apply to dst-src`
56			`* 2 bytes at fw_mac_type contain the mac type after mask (in net format)`
57			`* 2 bytes at fw_mac_type_mask contain the mac type mask`
58			`* If IP_FW_F_SRNG, the two contain the low-high of a range of types.`
59			`* IP_FW_F_DRNG is used to indicare we want to match a vlan.`
60			`*/`
61			`#define fw_mac_hdr fw_src`
62			`#define fw_mac_mask fw_uar`
63			`#define fw_mac_type fw_iplen`
64			`#define fw_mac_mask_type fw_ipid`
65
66			`struct ip_fw {`
67			`LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */`
68			`u_int fw_flg; /* Operational Flags word */`
69			`u_int64_t fw_pcnt; /* Packet counters */`
70			`u_int64_t fw_bcnt; /* Byte counters */`
71
72			`struct in_addr fw_src; /* Source IP address */`
73			`struct in_addr fw_dst; /* Destination IP address */`
74			`struct in_addr fw_smsk; /* Mask for source IP address */`
75			`struct in_addr fw_dmsk; /* Mask for destination address */`
76			`u_short fw_number; /* Rule number */`
77			`u_char fw_prot; /* IP protocol */`
78			`#if 1`
79			`u_char fw_nports; /* # of src/dst port in array */`
80			`#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)`
81			`#define IP_FW_SETNSRCP(rule, n) do { \`
82			`(rule)->fw_nports &= ~0x0f; \`
83			`(rule)->fw_nports \|= (n); \`
84			`} while (0)`
85			`#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)`
86			`#define IP_FW_SETNDSTP(rule, n) do { \`
87			`(rule)->fw_nports &= ~0xf0; \`
88			`(rule)->fw_nports \|= (n) << 4;\`
89			`} while (0)`
90			`#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0)`
91			`#else`
92			`u_char __pad[1];`
93			`u_int _nsrcp;`
94			`u_int _ndstp;`
95			`#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp`
96			`#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n`
97			`#define IP_FW_GETNDSTP(rule) (rule)->_ndstp`
98			`#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n`
99			`#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0)`
100			`#endif`
101			`#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */`
102			`union {`
103			`u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */`
104			`#define IP_FW_ICMPTYPES_MAX 128`
105			`#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))`
106			`unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /ICMP types bitmap/`
107			`} fw_uar;`
108
109			`u_int fw_ipflg; /* IP flags word */`
110			`u_short fw_iplen; /* IP length */`
111			`u_short fw_ipid; /* Identification */`
112			`u_char fw_ipopt; /* IP options set */`
113			`u_char fw_ipnopt; /* IP options unset */`
114			`u_char fw_iptos; /* IP type of service set */`
115			`u_char fw_ipntos; /* IP type of service unset */`
116			`u_char fw_ipttl; /* IP time to live */`
117			`u_int fw_ipver:4; /* IP version */`
118			`u_char fw_tcpopt; /* TCP options set */`
119			`u_char fw_tcpnopt; /* TCP options unset */`
120			`u_char fw_tcpf; /* TCP flags set */`
121			`u_char fw_tcpnf; /* TCP flags unset */`
122			`u_short fw_tcpwin; /* TCP window size */`
123			`u_int32_t fw_tcpseq; /* TCP sequence */`
124			`u_int32_t fw_tcpack; /* TCP acknowledgement */`
125			`long timestamp; /* timestamp (tv_sec) of last match */`
126			`union ip_fw_if fw_in_if; /* Incoming interfaces */`
127			`union ip_fw_if fw_out_if; /* Outgoing interfaces */`
128			`union {`
129			`u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */`
130			`u_short fu_pipe_nr; /* queue number (option DUMMYNET) */`
131			`u_short fu_skipto_rule; /* SKIPTO command rule number */`
132			`u_short fu_reject_code; /* REJECT response code */`
133			`struct sockaddr_in fu_fwd_ip;`
134			`} fw_un;`
135			`void pipe_ptr; / flow_set ptr for dummynet pipe */`
136			`void next_rule_ptr; / next rule in case of match */`
137			`uid_t fw_uid; /* uid to match */`
138			`gid_t fw_gid; /* gid to match */`
139			`int fw_logamount; /* amount to log */`
140			`u_int64_t fw_loghighest; /* highest number packet to log */`
141
142			`long dont_match_prob; /* 0x7fffffff means 1.0, always fail */`
143			`u_char dyn_type; /* type for dynamic rule */`
144
145			`#define DYN_KEEP_STATE 0 /* type for keep-state rules */`
146			`#define DYN_LIMIT 1 /* type for limit connection rules */`
147			`#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */`
148
149			`/* following two fields are used to limit number of connections`
150			`* basing on either src, srcport, dst, dstport.`
151			`*/`
152			`u_char limit_mask; /* mask type for limit rule, can`
153			`* have many.`
154			`*/`
155			`#define DYN_SRC_ADDR 0x1`
156			`#define DYN_SRC_PORT 0x2`
157			`#define DYN_DST_ADDR 0x4`
158			`#define DYN_DST_PORT 0x8`
159
160			`u_short conn_limit; /* # of connections for limit rule */`
161			`};`
162
163			`#define fw_divert_port fw_un.fu_divert_port`
164			`#define fw_skipto_rule fw_un.fu_skipto_rule`
165			`#define fw_reject_code fw_un.fu_reject_code`
166			`#define fw_pipe_nr fw_un.fu_pipe_nr`
167			`#define fw_fwd_ip fw_un.fu_fwd_ip`
168
169			`/*`
170			`*`
171			`* rule_ptr -------------+`
172			`* V`
173			`* [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->`
174			`* [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---`
175			`* [ <ip_fw> body ] [ <ip_fw> body ] [ <ip_fw> body ]`
176			`*`
177			`*/`
178
179			`/*`
180			`* Flow mask/flow id for each queue.`
181			`*/`
182			`struct ipfw_flow_id {`
183			`u_int32_t dst_ip;`
184			`u_int32_t src_ip;`
185			`u_int16_t dst_port;`
186			`u_int16_t src_port;`
187			`u_int8_t proto;`
188			`u_int8_t flags; /* protocol-specific flags */`
189			`};`
190
191			`/*`
192			`* dynamic ipfw rule`
193			`*/`
194			`struct ipfw_dyn_rule {`
195			`struct ipfw_dyn_rule *next;`
196			`struct ipfw_flow_id id; /* (masked) flow id */`
197			`struct ip_fw rule; / pointer to rule */`
198			`struct ipfw_dyn_rule parent; / pointer to parent rule */`
199			`u_int32_t expire; /* expire time */`
200			`u_int64_t pcnt; /* packet match counters */`
201			`u_int64_t bcnt; /* byte match counters */`
202			`u_int32_t bucket; /* which bucket in hash table */`
203			`u_int32_t state; /* state of this rule (typically a`
204			`* combination of TCP flags)`
205			`*/`
206			`u_int16_t dyn_type; /* rule type */`
207			`u_int16_t count; /* refcount */`
208			`};`
209
210			`/*`
211			`* Values for "flags" field .`
212			`*/`
213			`#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */`
214			`#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */`
215			`#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */`
216			`#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */`
217			`#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */`
218			`#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */`
219			`#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */`
220			`#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */`
221			`#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding`
222			`* address" rule`
223			`*/`
224			`#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */`
225			`#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */`
226
227			`#define IP_FW_F_IN 0x00000100 /* Check inbound packets */`
228			`#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */`
229			`#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */`
230			`#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */`
231			`#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */`
232			`#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min`
233			`* and max range (stored in host byte`
234			`* order).`
235			`*/`
236			`#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min`
237			`* and max range (stored in host byte`
238			`* order).`
239			`*/`
240			`#define IP_FW_F_FRAG 0x00008000 /* Fragment */`
241			`#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */`
242			`#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/`
243			`#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */`
244			`#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */`
245			`#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */`
246			`#define IP_FW_F_UID 0x00200000 /* filter by uid */`
247			`#define IP_FW_F_GID 0x00400000 /* filter by gid */`
248			`#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */`
249			`#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */`
250			`#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */`
251			`#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */`
252			`#define IP_FW_F_KEEP_S 0x08000000 /* keep state */`
253			`#define IP_FW_F_CHECK_S 0x10000000 /* check state */`
254			`#define IP_FW_F_SME 0x20000000 /* source = me */`
255			`#define IP_FW_F_DME 0x40000000 /* destination = me */`
256			`#define IP_FW_F_MAC 0x80000000 /* match MAC header */`
257
258			`#define IP_FW_F_MASK 0xFFFFFFFF /* All possible flag bits mask */`
259
260			`/*`
261			`* Flags for the 'fw_ipflg' field, for comparing values`
262			`* of ip and its protocols.`
263			`*/`
264			`#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */`
265			`#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */`
266			`#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */`
267			`#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */`
268			`#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */`
269			`#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */`
270			`#define IP_FW_IF_TCPMSK 0x0000003f /* mask of all tcp values */`
271			`#define IP_FW_IF_IPOPT 0x00000100 /* ip options */`
272			`#define IP_FW_IF_IPLEN 0x00000200 /* ip length */`
273			`#define IP_FW_IF_IPID 0x00000400 /* ip identification */`
274			`#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */`
275			`#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */`
276			`#define IP_FW_IF_IPVER 0x00002000 /* ip version */`
277			`#define IP_FW_IF_IPPRE 0x00004000 /* ip precedence */`
278			`#define IP_FW_IF_IPMSK 0x00007f00 /* mask of all ip values */`
279			`#define IP_FW_IF_MSK 0x0000ffff /* All possible bits mask */`
280
281			`/*`
282			`* For backwards compatibility with rules specifying "via iface" but`
283			`* not restricted to only "in" or "out" packets, we define this combination`
284			`* of bits to represent this configuration.`
285			`*/`
286
287			`#define IF_FW_F_VIAHACK (IP_FW_F_IN\|IP_FW_F_OUT\|IP_FW_F_IIFACE\|IP_FW_F_OIFACE)`
288
289			`/*`
290			`* Definitions for REJECT response codes.`
291			`* Values less than 256 correspond to ICMP unreachable codes.`
292			`*/`
293			`#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */`
294
295			`/*`
296			`* Definitions for IP option names.`
297			`*/`
298			`#define IP_FW_IPOPT_LSRR 0x01`
299			`#define IP_FW_IPOPT_SSRR 0x02`
300			`#define IP_FW_IPOPT_RR 0x04`
301			`#define IP_FW_IPOPT_TS 0x08`
302
303			`/*`
304			`* Definitions for TCP option names.`
305			`*/`
306			`#define IP_FW_TCPOPT_MSS 0x01`
307			`#define IP_FW_TCPOPT_WINDOW 0x02`
308			`#define IP_FW_TCPOPT_SACK 0x04`
309			`#define IP_FW_TCPOPT_TS 0x08`
310			`#define IP_FW_TCPOPT_CC 0x10`
311
312			`/*`
313			`* Definitions for TCP flags.`
314			`*/`
315			`#define IP_FW_TCPF_FIN TH_FIN`
316			`#define IP_FW_TCPF_SYN TH_SYN`
317			`#define IP_FW_TCPF_RST TH_RST`
318			`#define IP_FW_TCPF_PSH TH_PUSH`
319			`#define IP_FW_TCPF_ACK TH_ACK`
320			`#define IP_FW_TCPF_URG TH_URG`
321
322			`/*`
323			`* Main firewall chains definitions and global var's definitions.`
324			`*/`
325			`#ifdef _KERNEL`
326
327			`#define IP_FW_PORT_DYNT_FLAG 0x10000`
328			`#define IP_FW_PORT_TEE_FLAG 0x20000`
329			`#define IP_FW_PORT_DENY_FLAG 0x40000`
330
331			`/*`
332			`* Function definitions.`
333			`*/`
334			`void ip_fw_init(void);`
335
336			`/* Firewall hooks */`
337			`struct ip;`
338			`struct sockopt;`
339			`typedef int ip_fw_chk_t (struct mbuf *m, struct ifnet oif,`
340			`u_int16_t cookie, struct ip_fw rule, struct sockaddr_in *next_hop);`
341			`typedef int ip_fw_ctl_t (struct sockopt *);`
342			`extern ip_fw_chk_t *ip_fw_chk_ptr;`
343			`extern ip_fw_ctl_t *ip_fw_ctl_ptr;`
344			`extern int fw_one_pass;`
345			`extern int fw_enable;`
346			`extern struct ipfw_flow_id last_pkt;`
347			`#define IPFW_LOADED (ip_fw_chk_ptr != NULL)`
348			`#endif /* _KERNEL */`
349
350			`#endif /* _IP_FW_H */`