URL https://opencores.org/ocsvn/or1k/or1k/trunk

Subversion Repositories or1k

[/] [or1k/] [trunk/] [ecos-2.0/] [packages/] [net/] [bsd_tcpip/] [v2_0/] [include/] [netinet/] [ip_fw.h] - Blame information for rev 1765

Details | Compare with Previous | View Log


//==========================================================================
//
//      include/netinet/ip_fw.h
//
//==========================================================================
//####BSDCOPYRIGHTBEGIN####
//
// -------------------------------------------
//
// Portions of this software may have been derived from OpenBSD, 
// FreeBSD or other sources, and are covered by the appropriate
// copyright disclaimers included herein.
//
// Portions created by Red Hat are
// Copyright (C) 2002 Red Hat, Inc. All Rights Reserved.
//
// -------------------------------------------
//
//####BSDCOPYRIGHTEND####
//==========================================================================
 
/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * $FreeBSD: src/sys/netinet/ip_fw.h,v 1.47.2.8 2001/02/20 11:39:17 phk Exp $
 */
 
#ifndef _IP_FW_H
#define _IP_FW_H
 
#include <sys/queue.h>
 
/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 indicates matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */
 
union ip_fw_if {
    struct in_addr fu_via_ip;   /* Specified by IP address */
    struct {                    /* Specified by interface name */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ */
            char  name[FW_IFNLEN];
            short unit;         /* -1 means match any unit */
    } fu_via_if;
};
 
/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */
 
struct ip_fw {
    u_int64_t fw_pcnt,fw_bcnt;          /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;      /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;    /* Mask for src and dest IP addr */
    u_short fw_number;                  /* Rule number */
    u_int fw_flg;                       /* Flags word */
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
        union {
        u_short fw_pts[IP_FW_MAX_PORTS];        /* Array of port numbers to match */
#define IP_FW_ICMPTYPES_MAX     128
#define IP_FW_ICMPTYPES_DIM     (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
        unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
        } fw_uar;
    u_int fw_ipflg;                     /* IP flags word */
    u_char fw_ipopt,fw_ipnopt;          /* IP options set/unset */
    u_char fw_tcpopt,fw_tcpnopt;        /* TCP options set/unset */
    u_char fw_tcpf,fw_tcpnf;            /* TCP flags set/unset */
    long timestamp;                     /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
    union {
        u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
        u_short fu_pipe_nr;             /* queue number (option DUMMYNET) */
        u_short fu_skipto_rule;         /* SKIPTO command rule number */
        u_short fu_reject_code;         /* REJECT response code */
        struct sockaddr_in fu_fwd_ip;
    } fw_un;
    u_char fw_prot;                     /* IP protocol */
        /*
         * N'of src ports and # of dst ports in ports array (dst ports
         * follow src ports; max of 10 ports in all; count of 0 means
         * match all ports)
         */
    u_char fw_nports;
    void *pipe_ptr;                    /* flow_set ptr for dummynet pipe */
    void *next_rule_ptr ;              /* next rule in case of match */
    uid_t fw_uid;                       /* uid to match */
    gid_t fw_gid;                       /* gid to match */
    int fw_logamount;                   /* amount to log */
    u_int64_t fw_loghighest;            /* highest number packet to log */
};
 
/*
 * extended ipfw structure... some fields in the original struct
 * can be used to pass parameters up/down, namely pointers
 *     void *pipe_ptr
 *     void *next_rule_ptr
 * some others can be used to pass parameters down, namely counters etc.
 *     u_int64_t fw_pcnt,fw_bcnt;
 *     long timestamp;
 */
 
struct ip_fw_ext {             /* extended structure */
    struct ip_fw rule;      /* must be at offset 0 */
    long    dont_match_prob;        /* 0x7fffffff means 1.0, always fail */
    u_int   dyn_type;  /* type for dynamic rule */
};
 
#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0x0f;   \
                                          (rule)->fw_nports |= (n);     \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                            \
                                          (rule)->fw_nports &= ~0xf0;   \
                                          (rule)->fw_nports |= (n) << 4;\
                                        } while (0)
 
#define fw_divert_port  fw_un.fu_divert_port
#define fw_skipto_rule  fw_un.fu_skipto_rule
#define fw_reject_code  fw_un.fu_reject_code
#define fw_pipe_nr      fw_un.fu_pipe_nr
#define fw_fwd_ip       fw_un.fu_fwd_ip
 
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) next;
        struct ip_fw *rule;
};
 
/*
 * Flow mask/flow id for each queue.
 */
struct ipfw_flow_id {
    u_int32_t dst_ip, src_ip ;
    u_int16_t dst_port, src_port ;
    u_int8_t proto ;
    u_int8_t flags ;    /* protocol-specific flags */
} ;
 
/*
 * dynamic ipfw rule
 */
struct ipfw_dyn_rule {
    struct ipfw_dyn_rule *next ;
 
    struct ipfw_flow_id id ;
    struct ipfw_flow_id mask ;
    struct ip_fw_chain *chain ;         /* pointer to parent rule       */
    u_int32_t type ;                    /* rule type                    */
    u_int32_t expire ;                  /* expire time                  */
    u_int64_t pcnt, bcnt;               /* match counters               */
    u_int32_t bucket ;                  /* which bucket in hash table   */
    u_int32_t state ;                   /* state of this rule (typ. a   */
                                        /* combination of TCP flags)    */
} ;
 
/*
 * Values for "flags" field .
 */
#define IP_FW_F_COMMAND 0x000000ff      /* Mask for type of chain entry:        */
#define IP_FW_F_DENY    0x00000000      /* This is a deny rule                  */
#define IP_FW_F_REJECT  0x00000001      /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT  0x00000002      /* This is an accept rule               */
#define IP_FW_F_COUNT   0x00000003      /* This is a count rule                 */
#define IP_FW_F_DIVERT  0x00000004      /* This is a divert rule                */
#define IP_FW_F_TEE     0x00000005      /* This is a tee rule                   */
#define IP_FW_F_SKIPTO  0x00000006      /* This is a skipto rule                */
#define IP_FW_F_FWD     0x00000007      /* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE    0x00000008      /* This is a dummynet rule */
#define IP_FW_F_QUEUE   0x00000009      /* This is a dummynet queue */
 
#define IP_FW_F_IN      0x00000100      /* Check inbound packets                */
#define IP_FW_F_OUT     0x00000200      /* Check outbound packets               */
#define IP_FW_F_IIFACE  0x00000400      /* Apply inbound interface test         */
#define IP_FW_F_OIFACE  0x00000800      /* Apply outbound interface test        */
 
#define IP_FW_F_PRN     0x00001000      /* Print if this rule matches           */
 
#define IP_FW_F_SRNG    0x00002000      /* The first two src ports are a min    *
                                         * and max range (stored in host byte   *
                                         * order).                              */
 
#define IP_FW_F_DRNG    0x00004000      /* The first two dst ports are a min    *
                                         * and max range (stored in host byte   *
                                         * order).                              */
 
#define IP_FW_F_FRAG    0x00008000      /* Fragment                             */
 
#define IP_FW_F_IIFNAME 0x00010000      /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME 0x00020000      /* Out interface by name/unit (not IP)  */
 
#define IP_FW_F_INVSRC  0x00040000      /* Invert sense of src check            */
#define IP_FW_F_INVDST  0x00080000      /* Invert sense of dst check            */
 
#define IP_FW_F_ICMPBIT 0x00100000      /* ICMP type bitmap is valid            */
 
#define IP_FW_F_UID     0x00200000      /* filter by uid                        */
 
#define IP_FW_F_GID     0x00400000      /* filter by gid                        */
 
#define IP_FW_F_RND_MATCH 0x00800000    /* probabilistic rule match             */
#define IP_FW_F_SMSK    0x01000000      /* src-port + mask                      */
#define IP_FW_F_DMSK    0x02000000      /* dst-port + mask                      */
#define IP_FW_BRIDGED   0x04000000      /* only match bridged packets           */
#define IP_FW_F_KEEP_S  0x08000000      /* keep state                           */
#define IP_FW_F_CHECK_S 0x10000000      /* check state                          */
 
#define IP_FW_F_SME     0x20000000      /* source = me                          */
#define IP_FW_F_DME     0x40000000      /* destination = me                     */
 
#define IP_FW_F_MASK    0x7FFFFFFF      /* All possible flag bits mask          */
 
/*
 * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.
 */
#define IP_FW_IF_TCPEST 0x00000020      /* established TCP connection */
#define IP_FW_IF_TCPMSK 0x00000020      /* mask of all TCP values */
 
/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 */
 
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
 
/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IP_FW_REJECT_RST        0x0100          /* TCP packets: send RST */
 
/*
 * Definitions for IP option names.
 */
#define IP_FW_IPOPT_LSRR        0x01
#define IP_FW_IPOPT_SSRR        0x02
#define IP_FW_IPOPT_RR          0x04
#define IP_FW_IPOPT_TS          0x08
 
/*
 * Definitions for TCP option names.
 */
#define IP_FW_TCPOPT_MSS        0x01
#define IP_FW_TCPOPT_WINDOW     0x02
#define IP_FW_TCPOPT_SACK       0x04
#define IP_FW_TCPOPT_TS         0x08
#define IP_FW_TCPOPT_CC         0x10
 
/*
 * Definitions for TCP flags.
 */
#define IP_FW_TCPF_FIN          TH_FIN
#define IP_FW_TCPF_SYN          TH_SYN
#define IP_FW_TCPF_RST          TH_RST
#define IP_FW_TCPF_PSH          TH_PUSH
#define IP_FW_TCPF_ACK          TH_ACK
#define IP_FW_TCPF_URG          TH_URG
 
/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef _KERNEL
 
#define IP_FW_PORT_DYNT_FLAG    0x10000
#define IP_FW_PORT_TEE_FLAG     0x20000
#define IP_FW_PORT_DENY_FLAG    0x40000
 
/*
 * Function definitions.
 */
void ip_fw_init __P((void));
 
/* Firewall hooks */
struct ip;
struct sockopt;
typedef int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
             struct mbuf **, struct ip_fw_chain **, struct sockaddr_in **));
typedef int ip_fw_ctl_t __P((struct sockopt *));
extern  ip_fw_chk_t *ip_fw_chk_ptr;
extern  ip_fw_ctl_t *ip_fw_ctl_ptr;
extern int fw_one_pass;
extern int fw_enable;
extern struct ipfw_flow_id last_pkt ;
#endif /* _KERNEL */
 
#endif /* _IP_FW_H */

Browse

Tools

Subversion Repositories or1k

[/] [or1k/] [trunk/] [ecos-2.0/] [packages/] [net/] [bsd_tcpip/] [v2_0/] [include/] [netinet/] [ip_fw.h] - Blame information for rev 1765

Line No.	Rev	Author	Line
1	1254	phoenix	`//==========================================================================`
2			`//`
3			`// include/netinet/ip_fw.h`
4			`//`
5			`//==========================================================================`
6			`//####BSDCOPYRIGHTBEGIN####`
7			`//`
8			`// -------------------------------------------`
9			`//`
10			`// Portions of this software may have been derived from OpenBSD,`
11			`// FreeBSD or other sources, and are covered by the appropriate`
12			`// copyright disclaimers included herein.`
13			`//`
14			`// Portions created by Red Hat are`
15			`// Copyright (C) 2002 Red Hat, Inc. All Rights Reserved.`
16			`//`
17			`// -------------------------------------------`
18			`//`
19			`//####BSDCOPYRIGHTEND####`
20			`//==========================================================================`
21
22			`/*`
23			`* Copyright (c) 1993 Daniel Boulet`
24			`* Copyright (c) 1994 Ugen J.S.Antsilevich`
25			`*`
26			`* Redistribution and use in source forms, with and without modification,`
27			`* are permitted provided that this entire comment appears intact.`
28			`*`
29			`* Redistribution in binary form may occur without any restrictions.`
30			`* Obviously, it would be nice if you gave credit where credit is due`
31			`* but requiring it would be too onerous.`
32			`*`
33			* This software is provided ``AS IS'' without any warranties of any kind.
34			`*`
35			`* $FreeBSD: src/sys/netinet/ip_fw.h,v 1.47.2.8 2001/02/20 11:39:17 phk Exp $`
36			`*/`
37
38			`#ifndef _IP_FW_H`
39			`#define _IP_FW_H`
40
41			`#include <sys/queue.h>`
42
43			`/*`
44			`* This union structure identifies an interface, either explicitly`
45			`* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME`
46			`* and IP_FW_F_OIFNAME say how to interpret this structure. An`
47			`* interface unit number of -1 matches any unit number, while an`
48			`* IP address of 0.0.0.0 indicates matches any interface.`
49			`*`
50			`* The receive and transmit interfaces are only compared against the`
51			`* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)`
52			`* is set. Note some packets lack a receive or transmit interface`
53			`* (in which case the missing "interface" never matches).`
54			`*/`
55
56			`union ip_fw_if {`
57			`struct in_addr fu_via_ip; /* Specified by IP address */`
58			`struct { /* Specified by interface name */`
59			`#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */`
60			`char name[FW_IFNLEN];`
61			`short unit; /* -1 means match any unit */`
62			`} fu_via_if;`
63			`};`
64
65			`/*`
66			`* Format of an IP firewall descriptor`
67			`*`
68			`* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.`
69			`* fw_flg and fw_n*p are stored in host byte order (of course).`
70			`* Port numbers are stored in HOST byte order.`
71			`*/`
72
73			`struct ip_fw {`
74			`u_int64_t fw_pcnt,fw_bcnt; /* Packet and byte counters */`
75			`struct in_addr fw_src, fw_dst; /* Source and destination IP addr */`
76			`struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */`
77			`u_short fw_number; /* Rule number */`
78			`u_int fw_flg; /* Flags word */`
79			`#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */`
80			`union {`
81			`u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */`
82			`#define IP_FW_ICMPTYPES_MAX 128`
83			`#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))`
84			`unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */`
85			`} fw_uar;`
86			`u_int fw_ipflg; /* IP flags word */`
87			`u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */`
88			`u_char fw_tcpopt,fw_tcpnopt; /* TCP options set/unset */`
89			`u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */`
90			`long timestamp; /* timestamp (tv_sec) of last match */`
91			`union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */`
92			`union {`
93			`u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */`
94			`u_short fu_pipe_nr; /* queue number (option DUMMYNET) */`
95			`u_short fu_skipto_rule; /* SKIPTO command rule number */`
96			`u_short fu_reject_code; /* REJECT response code */`
97			`struct sockaddr_in fu_fwd_ip;`
98			`} fw_un;`
99			`u_char fw_prot; /* IP protocol */`
100			`/*`
101			`* N'of src ports and # of dst ports in ports array (dst ports`
102			`* follow src ports; max of 10 ports in all; count of 0 means`
103			`* match all ports)`
104			`*/`
105			`u_char fw_nports;`
106			`void pipe_ptr; / flow_set ptr for dummynet pipe */`
107			`void next_rule_ptr ; / next rule in case of match */`
108			`uid_t fw_uid; /* uid to match */`
109			`gid_t fw_gid; /* gid to match */`
110			`int fw_logamount; /* amount to log */`
111			`u_int64_t fw_loghighest; /* highest number packet to log */`
112			`};`
113
114			`/*`
115			`* extended ipfw structure... some fields in the original struct`
116			`* can be used to pass parameters up/down, namely pointers`
117			`* void *pipe_ptr`
118			`* void *next_rule_ptr`
119			`* some others can be used to pass parameters down, namely counters etc.`
120			`* u_int64_t fw_pcnt,fw_bcnt;`
121			`* long timestamp;`
122			`*/`
123
124			`struct ip_fw_ext { /* extended structure */`
125			`struct ip_fw rule; /* must be at offset 0 */`
126			`long dont_match_prob; /* 0x7fffffff means 1.0, always fail */`
127			`u_int dyn_type; /* type for dynamic rule */`
128			`};`
129
130			`#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)`
131			`#define IP_FW_SETNSRCP(rule, n) do { \`
132			`(rule)->fw_nports &= ~0x0f; \`
133			`(rule)->fw_nports \|= (n); \`
134			`} while (0)`
135			`#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)`
136			`#define IP_FW_SETNDSTP(rule, n) do { \`
137			`(rule)->fw_nports &= ~0xf0; \`
138			`(rule)->fw_nports \|= (n) << 4;\`
139			`} while (0)`
140
141			`#define fw_divert_port fw_un.fu_divert_port`
142			`#define fw_skipto_rule fw_un.fu_skipto_rule`
143			`#define fw_reject_code fw_un.fu_reject_code`
144			`#define fw_pipe_nr fw_un.fu_pipe_nr`
145			`#define fw_fwd_ip fw_un.fu_fwd_ip`
146
147			`struct ip_fw_chain {`
148			`LIST_ENTRY(ip_fw_chain) next;`
149			`struct ip_fw *rule;`
150			`};`
151
152			`/*`
153			`* Flow mask/flow id for each queue.`
154			`*/`
155			`struct ipfw_flow_id {`
156			`u_int32_t dst_ip, src_ip ;`
157			`u_int16_t dst_port, src_port ;`
158			`u_int8_t proto ;`
159			`u_int8_t flags ; /* protocol-specific flags */`
160			`} ;`
161
162			`/*`
163			`* dynamic ipfw rule`
164			`*/`
165			`struct ipfw_dyn_rule {`
166			`struct ipfw_dyn_rule *next ;`
167
168			`struct ipfw_flow_id id ;`
169			`struct ipfw_flow_id mask ;`
170			`struct ip_fw_chain chain ; / pointer to parent rule */`
171			`u_int32_t type ; /* rule type */`
172			`u_int32_t expire ; /* expire time */`
173			`u_int64_t pcnt, bcnt; /* match counters */`
174			`u_int32_t bucket ; /* which bucket in hash table */`
175			`u_int32_t state ; /* state of this rule (typ. a */`
176			`/* combination of TCP flags) */`
177			`} ;`
178
179			`/*`
180			`* Values for "flags" field .`
181			`*/`
182			`#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */`
183			`#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */`
184			`#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */`
185			`#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */`
186			`#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */`
187			`#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */`
188			`#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */`
189			`#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */`
190			`#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding address" rule */`
191			`#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */`
192			`#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */`
193
194			`#define IP_FW_F_IN 0x00000100 /* Check inbound packets */`
195			`#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */`
196			`#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */`
197			`#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */`
198
199			`#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */`
200
201			`#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min *`
202			`* and max range (stored in host byte *`
203			`* order). */`
204
205			`#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min *`
206			`* and max range (stored in host byte *`
207			`* order). */`
208
209			`#define IP_FW_F_FRAG 0x00008000 /* Fragment */`
210
211			`#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */`
212			`#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP) */`
213
214			`#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */`
215			`#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */`
216
217			`#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */`
218
219			`#define IP_FW_F_UID 0x00200000 /* filter by uid */`
220
221			`#define IP_FW_F_GID 0x00400000 /* filter by gid */`
222
223			`#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */`
224			`#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */`
225			`#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */`
226			`#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */`
227			`#define IP_FW_F_KEEP_S 0x08000000 /* keep state */`
228			`#define IP_FW_F_CHECK_S 0x10000000 /* check state */`
229
230			`#define IP_FW_F_SME 0x20000000 /* source = me */`
231			`#define IP_FW_F_DME 0x40000000 /* destination = me */`
232
233			`#define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */`
234
235			`/*`
236			`* Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.`
237			`*/`
238			`#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */`
239			`#define IP_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */`
240
241			`/*`
242			`* For backwards compatibility with rules specifying "via iface" but`
243			`* not restricted to only "in" or "out" packets, we define this combination`
244			`* of bits to represent this configuration.`
245			`*/`
246
247			`#define IF_FW_F_VIAHACK (IP_FW_F_IN\|IP_FW_F_OUT\|IP_FW_F_IIFACE\|IP_FW_F_OIFACE)`
248
249			`/*`
250			`* Definitions for REJECT response codes.`
251			`* Values less than 256 correspond to ICMP unreachable codes.`
252			`*/`
253			`#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */`
254
255			`/*`
256			`* Definitions for IP option names.`
257			`*/`
258			`#define IP_FW_IPOPT_LSRR 0x01`
259			`#define IP_FW_IPOPT_SSRR 0x02`
260			`#define IP_FW_IPOPT_RR 0x04`
261			`#define IP_FW_IPOPT_TS 0x08`
262
263			`/*`
264			`* Definitions for TCP option names.`
265			`*/`
266			`#define IP_FW_TCPOPT_MSS 0x01`
267			`#define IP_FW_TCPOPT_WINDOW 0x02`
268			`#define IP_FW_TCPOPT_SACK 0x04`
269			`#define IP_FW_TCPOPT_TS 0x08`
270			`#define IP_FW_TCPOPT_CC 0x10`
271
272			`/*`
273			`* Definitions for TCP flags.`
274			`*/`
275			`#define IP_FW_TCPF_FIN TH_FIN`
276			`#define IP_FW_TCPF_SYN TH_SYN`
277			`#define IP_FW_TCPF_RST TH_RST`
278			`#define IP_FW_TCPF_PSH TH_PUSH`
279			`#define IP_FW_TCPF_ACK TH_ACK`
280			`#define IP_FW_TCPF_URG TH_URG`
281
282			`/*`
283			`* Main firewall chains definitions and global var's definitions.`
284			`*/`
285			`#ifdef _KERNEL`
286
287			`#define IP_FW_PORT_DYNT_FLAG 0x10000`
288			`#define IP_FW_PORT_TEE_FLAG 0x20000`
289			`#define IP_FW_PORT_DENY_FLAG 0x40000`
290
291			`/*`
292			`* Function definitions.`
293			`*/`
294			`void ip_fw_init __P((void));`
295
296			`/* Firewall hooks */`
297			`struct ip;`
298			`struct sockopt;`
299			`typedef int ip_fw_chk_t __P((struct ip *, int, struct ifnet , u_int16_t *,`
300			`struct mbuf , struct ip_fw_chain , struct sockaddr_in **));`
301			`typedef int ip_fw_ctl_t __P((struct sockopt *));`
302			`extern ip_fw_chk_t *ip_fw_chk_ptr;`
303			`extern ip_fw_ctl_t *ip_fw_ctl_ptr;`
304			`extern int fw_one_pass;`
305			`extern int fw_enable;`
306			`extern struct ipfw_flow_id last_pkt ;`
307			`#endif /* _KERNEL */`
308
309			`#endif /* _IP_FW_H */`