/*
|
/*
|
* Copyright (c) 1993 Daniel Boulet
|
* Copyright (c) 1993 Daniel Boulet
|
* Copyright (c) 1994 Ugen J.S.Antsilevich
|
* Copyright (c) 1994 Ugen J.S.Antsilevich
|
*
|
*
|
* Redistribution and use in source forms, with and without modification,
|
* Redistribution and use in source forms, with and without modification,
|
* are permitted provided that this entire comment appears intact.
|
* are permitted provided that this entire comment appears intact.
|
*
|
*
|
* Redistribution in binary form may occur without any restrictions.
|
* Redistribution in binary form may occur without any restrictions.
|
* Obviously, it would be nice if you gave credit where credit is due
|
* Obviously, it would be nice if you gave credit where credit is due
|
* but requiring it would be too onerous.
|
* but requiring it would be too onerous.
|
*
|
*
|
* This software is provided ``AS IS'' without any warranties of any kind.
|
* This software is provided ``AS IS'' without any warranties of any kind.
|
*
|
*
|
* $FreeBSD: src/sys/netinet/ip_fw.h,v 1.66 2002/05/09 10:34:57 luigi Exp $
|
* $FreeBSD: src/sys/netinet/ip_fw.h,v 1.66 2002/05/09 10:34:57 luigi Exp $
|
*/
|
*/
|
|
|
#ifndef _IP_FW_H
|
#ifndef _IP_FW_H
|
#define _IP_FW_H
|
#define _IP_FW_H
|
|
|
#include <sys/queue.h>
|
#include <sys/queue.h>
|
|
|
/*
|
/*
|
* This union structure identifies an interface, either explicitly
|
* This union structure identifies an interface, either explicitly
|
* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
|
* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
|
* and IP_FW_F_OIFNAME say how to interpret this structure. An
|
* and IP_FW_F_OIFNAME say how to interpret this structure. An
|
* interface unit number of -1 matches any unit number, while an
|
* interface unit number of -1 matches any unit number, while an
|
* IP address of 0.0.0.0 indicates matches any interface.
|
* IP address of 0.0.0.0 indicates matches any interface.
|
*
|
*
|
* The receive and transmit interfaces are only compared against the
|
* The receive and transmit interfaces are only compared against the
|
* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
|
* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
|
* is set. Note some packets lack a receive or transmit interface
|
* is set. Note some packets lack a receive or transmit interface
|
* (in which case the missing "interface" never matches).
|
* (in which case the missing "interface" never matches).
|
*/
|
*/
|
|
|
union ip_fw_if {
|
union ip_fw_if {
|
struct in_addr fu_via_ip; /* Specified by IP address */
|
struct in_addr fu_via_ip; /* Specified by IP address */
|
struct { /* Specified by interface name */
|
struct { /* Specified by interface name */
|
#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */
|
#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */
|
char name[FW_IFNLEN];
|
char name[FW_IFNLEN];
|
short unit; /* -1 means match any unit */
|
short unit; /* -1 means match any unit */
|
} fu_via_if;
|
} fu_via_if;
|
};
|
};
|
|
|
/*
|
/*
|
* Format of an IP firewall descriptor
|
* Format of an IP firewall descriptor
|
*
|
*
|
* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
|
* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
|
* fw_flg and fw_n*p are stored in host byte order (of course).
|
* fw_flg and fw_n*p are stored in host byte order (of course).
|
* Port numbers are stored in HOST byte order.
|
* Port numbers are stored in HOST byte order.
|
*/
|
*/
|
|
|
/*
|
/*
|
* To match MAC headers:
|
* To match MAC headers:
|
* 12 bytes at fw_mac_hdr contain the dst-src MAC address after masking.
|
* 12 bytes at fw_mac_hdr contain the dst-src MAC address after masking.
|
* 12 bytes at fw_mac_mask contain the mask to apply to dst-src
|
* 12 bytes at fw_mac_mask contain the mask to apply to dst-src
|
* 2 bytes at fw_mac_type contain the mac type after mask (in net format)
|
* 2 bytes at fw_mac_type contain the mac type after mask (in net format)
|
* 2 bytes at fw_mac_type_mask contain the mac type mask
|
* 2 bytes at fw_mac_type_mask contain the mac type mask
|
* If IP_FW_F_SRNG, the two contain the low-high of a range of types.
|
* If IP_FW_F_SRNG, the two contain the low-high of a range of types.
|
* IP_FW_F_DRNG is used to indicare we want to match a vlan.
|
* IP_FW_F_DRNG is used to indicare we want to match a vlan.
|
*/
|
*/
|
#define fw_mac_hdr fw_src
|
#define fw_mac_hdr fw_src
|
#define fw_mac_mask fw_uar
|
#define fw_mac_mask fw_uar
|
#define fw_mac_type fw_iplen
|
#define fw_mac_type fw_iplen
|
#define fw_mac_mask_type fw_ipid
|
#define fw_mac_mask_type fw_ipid
|
|
|
struct ip_fw {
|
struct ip_fw {
|
LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */
|
LIST_ENTRY(ip_fw) next; /* bidirectional list of rules */
|
u_int fw_flg; /* Operational Flags word */
|
u_int fw_flg; /* Operational Flags word */
|
u_int64_t fw_pcnt; /* Packet counters */
|
u_int64_t fw_pcnt; /* Packet counters */
|
u_int64_t fw_bcnt; /* Byte counters */
|
u_int64_t fw_bcnt; /* Byte counters */
|
|
|
struct in_addr fw_src; /* Source IP address */
|
struct in_addr fw_src; /* Source IP address */
|
struct in_addr fw_dst; /* Destination IP address */
|
struct in_addr fw_dst; /* Destination IP address */
|
struct in_addr fw_smsk; /* Mask for source IP address */
|
struct in_addr fw_smsk; /* Mask for source IP address */
|
struct in_addr fw_dmsk; /* Mask for destination address */
|
struct in_addr fw_dmsk; /* Mask for destination address */
|
u_short fw_number; /* Rule number */
|
u_short fw_number; /* Rule number */
|
u_char fw_prot; /* IP protocol */
|
u_char fw_prot; /* IP protocol */
|
#if 1
|
#if 1
|
u_char fw_nports; /* # of src/dst port in array */
|
u_char fw_nports; /* # of src/dst port in array */
|
#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
|
#define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
|
#define IP_FW_SETNSRCP(rule, n) do { \
|
#define IP_FW_SETNSRCP(rule, n) do { \
|
(rule)->fw_nports &= ~0x0f; \
|
(rule)->fw_nports &= ~0x0f; \
|
(rule)->fw_nports |= (n); \
|
(rule)->fw_nports |= (n); \
|
} while (0)
|
} while (0)
|
#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
|
#define IP_FW_GETNDSTP(rule) ((rule)->fw_nports >> 4)
|
#define IP_FW_SETNDSTP(rule, n) do { \
|
#define IP_FW_SETNDSTP(rule, n) do { \
|
(rule)->fw_nports &= ~0xf0; \
|
(rule)->fw_nports &= ~0xf0; \
|
(rule)->fw_nports |= (n) << 4;\
|
(rule)->fw_nports |= (n) << 4;\
|
} while (0)
|
} while (0)
|
#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0)
|
#define IP_FW_HAVEPORTS(rule) ((rule)->fw_nports != 0)
|
#else
|
#else
|
u_char __pad[1];
|
u_char __pad[1];
|
u_int _nsrcp;
|
u_int _nsrcp;
|
u_int _ndstp;
|
u_int _ndstp;
|
#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp
|
#define IP_FW_GETNSRCP(rule) (rule)->_nsrcp
|
#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n
|
#define IP_FW_SETNSRCP(rule,n) (rule)->_nsrcp = n
|
#define IP_FW_GETNDSTP(rule) (rule)->_ndstp
|
#define IP_FW_GETNDSTP(rule) (rule)->_ndstp
|
#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n
|
#define IP_FW_SETNDSTP(rule,n) (rule)->_ndstp = n
|
#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0)
|
#define IP_FW_HAVEPORTS(rule) ((rule)->_ndstp + (rule)->_nsrcp != 0)
|
#endif
|
#endif
|
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
|
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
|
union {
|
union {
|
u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
|
u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
|
#define IP_FW_ICMPTYPES_MAX 128
|
#define IP_FW_ICMPTYPES_MAX 128
|
#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
|
#define IP_FW_ICMPTYPES_DIM (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
|
unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
|
unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
|
} fw_uar;
|
} fw_uar;
|
|
|
u_int fw_ipflg; /* IP flags word */
|
u_int fw_ipflg; /* IP flags word */
|
u_short fw_iplen; /* IP length */
|
u_short fw_iplen; /* IP length */
|
u_short fw_ipid; /* Identification */
|
u_short fw_ipid; /* Identification */
|
u_char fw_ipopt; /* IP options set */
|
u_char fw_ipopt; /* IP options set */
|
u_char fw_ipnopt; /* IP options unset */
|
u_char fw_ipnopt; /* IP options unset */
|
u_char fw_iptos; /* IP type of service set */
|
u_char fw_iptos; /* IP type of service set */
|
u_char fw_ipntos; /* IP type of service unset */
|
u_char fw_ipntos; /* IP type of service unset */
|
u_char fw_ipttl; /* IP time to live */
|
u_char fw_ipttl; /* IP time to live */
|
u_int fw_ipver:4; /* IP version */
|
u_int fw_ipver:4; /* IP version */
|
u_char fw_tcpopt; /* TCP options set */
|
u_char fw_tcpopt; /* TCP options set */
|
u_char fw_tcpnopt; /* TCP options unset */
|
u_char fw_tcpnopt; /* TCP options unset */
|
u_char fw_tcpf; /* TCP flags set */
|
u_char fw_tcpf; /* TCP flags set */
|
u_char fw_tcpnf; /* TCP flags unset */
|
u_char fw_tcpnf; /* TCP flags unset */
|
u_short fw_tcpwin; /* TCP window size */
|
u_short fw_tcpwin; /* TCP window size */
|
u_int32_t fw_tcpseq; /* TCP sequence */
|
u_int32_t fw_tcpseq; /* TCP sequence */
|
u_int32_t fw_tcpack; /* TCP acknowledgement */
|
u_int32_t fw_tcpack; /* TCP acknowledgement */
|
long timestamp; /* timestamp (tv_sec) of last match */
|
long timestamp; /* timestamp (tv_sec) of last match */
|
union ip_fw_if fw_in_if; /* Incoming interfaces */
|
union ip_fw_if fw_in_if; /* Incoming interfaces */
|
union ip_fw_if fw_out_if; /* Outgoing interfaces */
|
union ip_fw_if fw_out_if; /* Outgoing interfaces */
|
union {
|
union {
|
u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
|
u_short fu_divert_port; /* Divert/tee port (options IPDIVERT) */
|
u_short fu_pipe_nr; /* queue number (option DUMMYNET) */
|
u_short fu_pipe_nr; /* queue number (option DUMMYNET) */
|
u_short fu_skipto_rule; /* SKIPTO command rule number */
|
u_short fu_skipto_rule; /* SKIPTO command rule number */
|
u_short fu_reject_code; /* REJECT response code */
|
u_short fu_reject_code; /* REJECT response code */
|
struct sockaddr_in fu_fwd_ip;
|
struct sockaddr_in fu_fwd_ip;
|
} fw_un;
|
} fw_un;
|
void *pipe_ptr; /* flow_set ptr for dummynet pipe */
|
void *pipe_ptr; /* flow_set ptr for dummynet pipe */
|
void *next_rule_ptr; /* next rule in case of match */
|
void *next_rule_ptr; /* next rule in case of match */
|
uid_t fw_uid; /* uid to match */
|
uid_t fw_uid; /* uid to match */
|
gid_t fw_gid; /* gid to match */
|
gid_t fw_gid; /* gid to match */
|
int fw_logamount; /* amount to log */
|
int fw_logamount; /* amount to log */
|
u_int64_t fw_loghighest; /* highest number packet to log */
|
u_int64_t fw_loghighest; /* highest number packet to log */
|
|
|
long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
|
long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
|
u_char dyn_type; /* type for dynamic rule */
|
u_char dyn_type; /* type for dynamic rule */
|
|
|
#define DYN_KEEP_STATE 0 /* type for keep-state rules */
|
#define DYN_KEEP_STATE 0 /* type for keep-state rules */
|
#define DYN_LIMIT 1 /* type for limit connection rules */
|
#define DYN_LIMIT 1 /* type for limit connection rules */
|
#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */
|
#define DYN_LIMIT_PARENT 2 /* parent entry for limit connection rules */
|
|
|
/* following two fields are used to limit number of connections
|
/* following two fields are used to limit number of connections
|
* basing on either src, srcport, dst, dstport.
|
* basing on either src, srcport, dst, dstport.
|
*/
|
*/
|
u_char limit_mask; /* mask type for limit rule, can
|
u_char limit_mask; /* mask type for limit rule, can
|
* have many.
|
* have many.
|
*/
|
*/
|
#define DYN_SRC_ADDR 0x1
|
#define DYN_SRC_ADDR 0x1
|
#define DYN_SRC_PORT 0x2
|
#define DYN_SRC_PORT 0x2
|
#define DYN_DST_ADDR 0x4
|
#define DYN_DST_ADDR 0x4
|
#define DYN_DST_PORT 0x8
|
#define DYN_DST_PORT 0x8
|
|
|
u_short conn_limit; /* # of connections for limit rule */
|
u_short conn_limit; /* # of connections for limit rule */
|
};
|
};
|
|
|
#define fw_divert_port fw_un.fu_divert_port
|
#define fw_divert_port fw_un.fu_divert_port
|
#define fw_skipto_rule fw_un.fu_skipto_rule
|
#define fw_skipto_rule fw_un.fu_skipto_rule
|
#define fw_reject_code fw_un.fu_reject_code
|
#define fw_reject_code fw_un.fu_reject_code
|
#define fw_pipe_nr fw_un.fu_pipe_nr
|
#define fw_pipe_nr fw_un.fu_pipe_nr
|
#define fw_fwd_ip fw_un.fu_fwd_ip
|
#define fw_fwd_ip fw_un.fu_fwd_ip
|
|
|
/*
|
/*
|
*
|
*
|
* rule_ptr -------------+
|
* rule_ptr -------------+
|
* V
|
* V
|
* [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
|
* [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
|
* [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
|
* [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
|
* [ <ip_fw> body ] [ <ip_fw> body ] [ <ip_fw> body ]
|
* [ <ip_fw> body ] [ <ip_fw> body ] [ <ip_fw> body ]
|
*
|
*
|
*/
|
*/
|
|
|
/*
|
/*
|
* Flow mask/flow id for each queue.
|
* Flow mask/flow id for each queue.
|
*/
|
*/
|
struct ipfw_flow_id {
|
struct ipfw_flow_id {
|
u_int32_t dst_ip;
|
u_int32_t dst_ip;
|
u_int32_t src_ip;
|
u_int32_t src_ip;
|
u_int16_t dst_port;
|
u_int16_t dst_port;
|
u_int16_t src_port;
|
u_int16_t src_port;
|
u_int8_t proto;
|
u_int8_t proto;
|
u_int8_t flags; /* protocol-specific flags */
|
u_int8_t flags; /* protocol-specific flags */
|
};
|
};
|
|
|
/*
|
/*
|
* dynamic ipfw rule
|
* dynamic ipfw rule
|
*/
|
*/
|
struct ipfw_dyn_rule {
|
struct ipfw_dyn_rule {
|
struct ipfw_dyn_rule *next;
|
struct ipfw_dyn_rule *next;
|
struct ipfw_flow_id id; /* (masked) flow id */
|
struct ipfw_flow_id id; /* (masked) flow id */
|
struct ip_fw *rule; /* pointer to rule */
|
struct ip_fw *rule; /* pointer to rule */
|
struct ipfw_dyn_rule *parent; /* pointer to parent rule */
|
struct ipfw_dyn_rule *parent; /* pointer to parent rule */
|
u_int32_t expire; /* expire time */
|
u_int32_t expire; /* expire time */
|
u_int64_t pcnt; /* packet match counters */
|
u_int64_t pcnt; /* packet match counters */
|
u_int64_t bcnt; /* byte match counters */
|
u_int64_t bcnt; /* byte match counters */
|
u_int32_t bucket; /* which bucket in hash table */
|
u_int32_t bucket; /* which bucket in hash table */
|
u_int32_t state; /* state of this rule (typically a
|
u_int32_t state; /* state of this rule (typically a
|
* combination of TCP flags)
|
* combination of TCP flags)
|
*/
|
*/
|
u_int16_t dyn_type; /* rule type */
|
u_int16_t dyn_type; /* rule type */
|
u_int16_t count; /* refcount */
|
u_int16_t count; /* refcount */
|
};
|
};
|
|
|
/*
|
/*
|
* Values for "flags" field .
|
* Values for "flags" field .
|
*/
|
*/
|
#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */
|
#define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */
|
#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */
|
#define IP_FW_F_DENY 0x00000000 /* This is a deny rule */
|
#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */
|
#define IP_FW_F_REJECT 0x00000001 /* Deny and send a response packet */
|
#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */
|
#define IP_FW_F_ACCEPT 0x00000002 /* This is an accept rule */
|
#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */
|
#define IP_FW_F_COUNT 0x00000003 /* This is a count rule */
|
#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */
|
#define IP_FW_F_DIVERT 0x00000004 /* This is a divert rule */
|
#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */
|
#define IP_FW_F_TEE 0x00000005 /* This is a tee rule */
|
#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */
|
#define IP_FW_F_SKIPTO 0x00000006 /* This is a skipto rule */
|
#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding
|
#define IP_FW_F_FWD 0x00000007 /* This is a "change forwarding
|
* address" rule
|
* address" rule
|
*/
|
*/
|
#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */
|
#define IP_FW_F_PIPE 0x00000008 /* This is a dummynet rule */
|
#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */
|
#define IP_FW_F_QUEUE 0x00000009 /* This is a dummynet queue */
|
|
|
#define IP_FW_F_IN 0x00000100 /* Check inbound packets */
|
#define IP_FW_F_IN 0x00000100 /* Check inbound packets */
|
#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */
|
#define IP_FW_F_OUT 0x00000200 /* Check outbound packets */
|
#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */
|
#define IP_FW_F_IIFACE 0x00000400 /* Apply inbound interface test */
|
#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */
|
#define IP_FW_F_OIFACE 0x00000800 /* Apply outbound interface test */
|
#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */
|
#define IP_FW_F_PRN 0x00001000 /* Print if this rule matches */
|
#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min
|
#define IP_FW_F_SRNG 0x00002000 /* The first two src ports are a min
|
* and max range (stored in host byte
|
* and max range (stored in host byte
|
* order).
|
* order).
|
*/
|
*/
|
#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min
|
#define IP_FW_F_DRNG 0x00004000 /* The first two dst ports are a min
|
* and max range (stored in host byte
|
* and max range (stored in host byte
|
* order).
|
* order).
|
*/
|
*/
|
#define IP_FW_F_FRAG 0x00008000 /* Fragment */
|
#define IP_FW_F_FRAG 0x00008000 /* Fragment */
|
#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */
|
#define IP_FW_F_IIFNAME 0x00010000 /* In interface by name/unit (not IP) */
|
#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/
|
#define IP_FW_F_OIFNAME 0x00020000 /* Out interface by name/unit (not IP)*/
|
#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */
|
#define IP_FW_F_INVSRC 0x00040000 /* Invert sense of src check */
|
#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */
|
#define IP_FW_F_INVDST 0x00080000 /* Invert sense of dst check */
|
#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */
|
#define IP_FW_F_ICMPBIT 0x00100000 /* ICMP type bitmap is valid */
|
#define IP_FW_F_UID 0x00200000 /* filter by uid */
|
#define IP_FW_F_UID 0x00200000 /* filter by uid */
|
#define IP_FW_F_GID 0x00400000 /* filter by gid */
|
#define IP_FW_F_GID 0x00400000 /* filter by gid */
|
#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
|
#define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
|
#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */
|
#define IP_FW_F_SMSK 0x01000000 /* src-port + mask */
|
#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */
|
#define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */
|
#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */
|
#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */
|
#define IP_FW_F_KEEP_S 0x08000000 /* keep state */
|
#define IP_FW_F_KEEP_S 0x08000000 /* keep state */
|
#define IP_FW_F_CHECK_S 0x10000000 /* check state */
|
#define IP_FW_F_CHECK_S 0x10000000 /* check state */
|
#define IP_FW_F_SME 0x20000000 /* source = me */
|
#define IP_FW_F_SME 0x20000000 /* source = me */
|
#define IP_FW_F_DME 0x40000000 /* destination = me */
|
#define IP_FW_F_DME 0x40000000 /* destination = me */
|
#define IP_FW_F_MAC 0x80000000 /* match MAC header */
|
#define IP_FW_F_MAC 0x80000000 /* match MAC header */
|
|
|
#define IP_FW_F_MASK 0xFFFFFFFF /* All possible flag bits mask */
|
#define IP_FW_F_MASK 0xFFFFFFFF /* All possible flag bits mask */
|
|
|
/*
|
/*
|
* Flags for the 'fw_ipflg' field, for comparing values
|
* Flags for the 'fw_ipflg' field, for comparing values
|
* of ip and its protocols.
|
* of ip and its protocols.
|
*/
|
*/
|
#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */
|
#define IP_FW_IF_TCPOPT 0x00000001 /* tcp options */
|
#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */
|
#define IP_FW_IF_TCPFLG 0x00000002 /* tcp flags */
|
#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */
|
#define IP_FW_IF_TCPSEQ 0x00000004 /* tcp sequence number */
|
#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */
|
#define IP_FW_IF_TCPACK 0x00000008 /* tcp acknowledgement number */
|
#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */
|
#define IP_FW_IF_TCPWIN 0x00000010 /* tcp window size */
|
#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */
|
#define IP_FW_IF_TCPEST 0x00000020 /* established TCP connection */
|
#define IP_FW_IF_TCPMSK 0x0000003f /* mask of all tcp values */
|
#define IP_FW_IF_TCPMSK 0x0000003f /* mask of all tcp values */
|
#define IP_FW_IF_IPOPT 0x00000100 /* ip options */
|
#define IP_FW_IF_IPOPT 0x00000100 /* ip options */
|
#define IP_FW_IF_IPLEN 0x00000200 /* ip length */
|
#define IP_FW_IF_IPLEN 0x00000200 /* ip length */
|
#define IP_FW_IF_IPID 0x00000400 /* ip identification */
|
#define IP_FW_IF_IPID 0x00000400 /* ip identification */
|
#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */
|
#define IP_FW_IF_IPTOS 0x00000800 /* ip type of service */
|
#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */
|
#define IP_FW_IF_IPTTL 0x00001000 /* ip time to live */
|
#define IP_FW_IF_IPVER 0x00002000 /* ip version */
|
#define IP_FW_IF_IPVER 0x00002000 /* ip version */
|
#define IP_FW_IF_IPPRE 0x00004000 /* ip precedence */
|
#define IP_FW_IF_IPPRE 0x00004000 /* ip precedence */
|
#define IP_FW_IF_IPMSK 0x00007f00 /* mask of all ip values */
|
#define IP_FW_IF_IPMSK 0x00007f00 /* mask of all ip values */
|
#define IP_FW_IF_MSK 0x0000ffff /* All possible bits mask */
|
#define IP_FW_IF_MSK 0x0000ffff /* All possible bits mask */
|
|
|
/*
|
/*
|
* For backwards compatibility with rules specifying "via iface" but
|
* For backwards compatibility with rules specifying "via iface" but
|
* not restricted to only "in" or "out" packets, we define this combination
|
* not restricted to only "in" or "out" packets, we define this combination
|
* of bits to represent this configuration.
|
* of bits to represent this configuration.
|
*/
|
*/
|
|
|
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
|
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
|
|
|
/*
|
/*
|
* Definitions for REJECT response codes.
|
* Definitions for REJECT response codes.
|
* Values less than 256 correspond to ICMP unreachable codes.
|
* Values less than 256 correspond to ICMP unreachable codes.
|
*/
|
*/
|
#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
|
#define IP_FW_REJECT_RST 0x0100 /* TCP packets: send RST */
|
|
|
/*
|
/*
|
* Definitions for IP option names.
|
* Definitions for IP option names.
|
*/
|
*/
|
#define IP_FW_IPOPT_LSRR 0x01
|
#define IP_FW_IPOPT_LSRR 0x01
|
#define IP_FW_IPOPT_SSRR 0x02
|
#define IP_FW_IPOPT_SSRR 0x02
|
#define IP_FW_IPOPT_RR 0x04
|
#define IP_FW_IPOPT_RR 0x04
|
#define IP_FW_IPOPT_TS 0x08
|
#define IP_FW_IPOPT_TS 0x08
|
|
|
/*
|
/*
|
* Definitions for TCP option names.
|
* Definitions for TCP option names.
|
*/
|
*/
|
#define IP_FW_TCPOPT_MSS 0x01
|
#define IP_FW_TCPOPT_MSS 0x01
|
#define IP_FW_TCPOPT_WINDOW 0x02
|
#define IP_FW_TCPOPT_WINDOW 0x02
|
#define IP_FW_TCPOPT_SACK 0x04
|
#define IP_FW_TCPOPT_SACK 0x04
|
#define IP_FW_TCPOPT_TS 0x08
|
#define IP_FW_TCPOPT_TS 0x08
|
#define IP_FW_TCPOPT_CC 0x10
|
#define IP_FW_TCPOPT_CC 0x10
|
|
|
/*
|
/*
|
* Definitions for TCP flags.
|
* Definitions for TCP flags.
|
*/
|
*/
|
#define IP_FW_TCPF_FIN TH_FIN
|
#define IP_FW_TCPF_FIN TH_FIN
|
#define IP_FW_TCPF_SYN TH_SYN
|
#define IP_FW_TCPF_SYN TH_SYN
|
#define IP_FW_TCPF_RST TH_RST
|
#define IP_FW_TCPF_RST TH_RST
|
#define IP_FW_TCPF_PSH TH_PUSH
|
#define IP_FW_TCPF_PSH TH_PUSH
|
#define IP_FW_TCPF_ACK TH_ACK
|
#define IP_FW_TCPF_ACK TH_ACK
|
#define IP_FW_TCPF_URG TH_URG
|
#define IP_FW_TCPF_URG TH_URG
|
|
|
/*
|
/*
|
* Main firewall chains definitions and global var's definitions.
|
* Main firewall chains definitions and global var's definitions.
|
*/
|
*/
|
#ifdef _KERNEL
|
#ifdef _KERNEL
|
|
|
#define IP_FW_PORT_DYNT_FLAG 0x10000
|
#define IP_FW_PORT_DYNT_FLAG 0x10000
|
#define IP_FW_PORT_TEE_FLAG 0x20000
|
#define IP_FW_PORT_TEE_FLAG 0x20000
|
#define IP_FW_PORT_DENY_FLAG 0x40000
|
#define IP_FW_PORT_DENY_FLAG 0x40000
|
|
|
/*
|
/*
|
* Function definitions.
|
* Function definitions.
|
*/
|
*/
|
void ip_fw_init(void);
|
void ip_fw_init(void);
|
|
|
/* Firewall hooks */
|
/* Firewall hooks */
|
struct ip;
|
struct ip;
|
struct sockopt;
|
struct sockopt;
|
typedef int ip_fw_chk_t (struct mbuf **m, struct ifnet *oif,
|
typedef int ip_fw_chk_t (struct mbuf **m, struct ifnet *oif,
|
u_int16_t *cookie, struct ip_fw **rule, struct sockaddr_in **next_hop);
|
u_int16_t *cookie, struct ip_fw **rule, struct sockaddr_in **next_hop);
|
typedef int ip_fw_ctl_t (struct sockopt *);
|
typedef int ip_fw_ctl_t (struct sockopt *);
|
extern ip_fw_chk_t *ip_fw_chk_ptr;
|
extern ip_fw_chk_t *ip_fw_chk_ptr;
|
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
|
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
|
extern int fw_one_pass;
|
extern int fw_one_pass;
|
extern int fw_enable;
|
extern int fw_enable;
|
extern struct ipfw_flow_id last_pkt;
|
extern struct ipfw_flow_id last_pkt;
|
#define IPFW_LOADED (ip_fw_chk_ptr != NULL)
|
#define IPFW_LOADED (ip_fw_chk_ptr != NULL)
|
#endif /* _KERNEL */
|
#endif /* _KERNEL */
|
|
|
#endif /* _IP_FW_H */
|
#endif /* _IP_FW_H */
|
|
|
