ip_fil.h revision 9c70e5c3f2b50554a90731f853b71dd8d9857dce
/*
* Copyright (C) 1993-2001, 2003 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_fil.h 1.35 6/5/96
* $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $
*
*/
#ifndef __IP_FIL_H__
#define __IP_FIL_H__
#include "netinet/ip_compat.h"
#ifndef SOLARIS
#endif
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
#else
#endif
/*
* What type of table is getting flushed?
*/
#define NAT_FLUSH 1
#define STATE_FLUSH 2
/*
* What table flush options are available?
*/
#define FLUSH_LIST 0
/*
* Define the default hi and lo watermarks used when flushing the
* tables. The values represent percent full of respective tables.
*/
#define NAT_FLUSH_HI 95
#define NAT_FLUSH_LO 75
#define ST_FLUSH_HI 95
#define ST_FLUSH_LO 75
/*
* How full are the tables?
*/
/ (x)->ifs_ipf_nattable_max)
/ (x)->ifs_fr_statemax)
struct ipscan;
struct ifnet;
typedef struct ipf_stack ipf_stack_t;
/*
* i6addr is used as a container for both IPv4 and IPv6 addresses, as well
* as other types of objects, depending on its qualifier.
*/
#ifdef USE_INET6
typedef union i6addr {
	/*
	 * Generic pointer view of the container. iplookupptr (below) is an
	 * alias for vptr[0]; the NOTE further down records that this view
	 * overlaps the address views on 64-bit systems.
	 */
	void	*vptr[2];
} i6addr_t;
#else
typedef union i6addr {
	/*
	 * Generic pointer view of the container (non-INET6 build).
	 * iplookupptr (below) is an alias for vptr[0].
	 */
	void	*vptr[2];
} i6addr_t;
#endif
#define iplookupnum i6[0]
/*
* NOTE: These DO overlap the above on 64bit systems and this IS recognised.
*/
#define iplookupptr vptr[0]
#define IP6_INC(a) \
} \
} \
} \
}
#define IP6_ADD(a,x,d) \
} \
} \
} \
}
}
#define IP6_MASKEQ(a,m,b) \
#define IP6_MASKNEQ(a,m,b) \
#define IP6_MERGE(a,b,c) \
}
typedef struct fr_ip {
} fr_ip_t;
/*
* For use in fi_flx
*/
#define FI_OPTIONS 0x0002
#define FI_FRAG 0x0004
#define FI_SHORT 0x0008
#define FI_NATED 0x0010
#define FI_MULTICAST 0x0020
#define FI_BROADCAST 0x0040
#define FI_MBCAST 0x0080
#define FI_STATE 0x0100
#define FI_BADNAT 0x0200
#define FI_BAD 0x0400
#define FI_ICMPERR 0x1000
#define FI_FRAGBODY 0x2000
#define FI_BADSRC 0x4000
#define FI_LOWTTL 0x8000
#define FI_V6EXTHDR 0x10000
#define FI_COALESCE 0x20000
#define FI_ICMPQUERY 0x40000
#define FI_NEWNAT 0x80000
#define FI_MOREFRAG 0x100000
#define FI_IGNORE 0x80000000
/*
* These are both used by the state and NAT code to indicate that one port or
* the other should be treated as a wildcard.
* NOTE: When updating, check bit masks in ip_state.h and update there too.
*/
#define SI_W_SPORT 0x00000100
#define SI_W_DPORT 0x00000200
#define SI_W_SADDR 0x00000400
#define SI_W_DADDR 0x00000800
#define SI_NEWFR 0x00001000
#define SI_CLONE 0x00002000
#define SI_CLONED 0x00004000
/*
 * Per-packet state carried through the filter. fin_dp/fin_dlen describe
 * the payload after the IP header; any parser working from fin_dp must
 * bound its reads by fin_dlen rather than trusting header-declared lengths.
 */
struct fr_info {
	void	*fin_ifp;	/* interface packet is `on' */
	union {
	} fin_dat;
	int	fin_out;	/* in or out ? 1 == out, 0 == in (IPF_IN / IPF_OUT below) */
	int	fin_rev;	/* state only: 1 = reverse */
	void	*fin_dp;	/* start of data past IP header */
	int	fin_dlen;	/* length of data portion of packet */
	int	fin_plen;	/* presumably whole-packet length in bytes -- confirm against callers */
	int	fin_ipoff;	/* # bytes from buffer start to hdr */
	int	fin_depth;	/* Group nesting depth */
	int	fin_error;	/* Error code to return */
	void	*fin_nattag;	/* presumably NAT tag associated with the packet -- confirm */
	union {
#ifdef USE_INET6
#endif
	} fin_ipu;
#ifdef MENTAT
	void	*fin_qpi;	/* MENTAT builds only; meaning not visible in this header */
#endif
#ifdef __sgi
	void	*fin_hbuf;	/* SGI builds only; meaning not visible in this header */
#endif
};
#ifdef USE_INET6
#endif
#define IPF_IN 0
#define IPF_OUT 1
ipf_stack_t *));
typedef struct ipfunc_resolve {
char ipfu_name[32];
/*
* Size for compares on fr_info structures
*/
/*
* Size for copying cache fr_info structure
*/
/*
* Structure for holding IPFilter's tag information
*/
#define IPFTAG_LEN 16
typedef struct {
	union {
		/*
		 * Tag text. A fully used IPFTAG_LEN-byte tag carries no NUL,
		 * so readers must use bounded compares/copies on it.
		 */
		char	iptu_tag[IPFTAG_LEN];
	} ipt_un;
	int	ipt_not;	/* presumably non-zero inverts the tag match -- confirm */
} ipftag_t;
/*
* This structure is used to hold information about the next hop for where
* to forward a packet.
*/
typedef struct frdest {
	void	*fd_ifp;	/* interface to forward the packet out of (cf. fin_ifp) */
} frdest_t;
/*
* This structure holds information about a port comparison.
*/
typedef struct frpcmp {
	int	frp_cmp;	/* data for port comparisons; presumably one of FR_NONE..FR_INCRANGE below */
} frpcmp_t;
#define FR_NONE 0
#define FR_EQUAL 1
#define FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define FR_OUTRANGE 7
#define FR_INRANGE 8
#define FR_INCRANGE 9
/*
* Structure containing all the relevant TCP things that can be checked in
* a filter rule.
*/
typedef struct frtuc {
} frtuc_t;
#define FR_TCPFMAX 0x3f
/*
* This structure makes up what is considered to be the IPFilter specific
* matching components of a filter rule, as opposed to the data structures
* used to define the result which are in frentry_t and not here.
*/
/*
 * The 's'/'d' prefixes pair each field with the source and destination
 * side respectively (naming convention; confirm against the matcher).
 */
typedef struct fripf {
	int	fri_satype;	/* address type for the source side, e.g. FRI_NORMAL */
	int	fri_datype;	/* address type for the destination side, e.g. FRI_NORMAL */
	int	fri_sifpidx;	/* index into fr_ifps[] to use when doing */
	int	fri_difpidx;	/* dynamic addressing (source / destination) */
} fripf_t;
#define FRI_NORMAL 0 /* Normal address */
/*
 * A filter rule. This is one of the object types moved across the ioctl
 * boundary (IPFOBJ_FRENTRY below), so the pointer members and fr_dsize
 * arrive from userland; the kernel side must not dereference them directly
 * and must bound any copy by a validated size. NOTE(review): confirm
 * against the ioctl handler.
 */
typedef struct frentry {
	void	*fr_ifas[4];	/* per-interface data; meaning not visible in this header */
	void	*fr_ptr;	/* for use with fr_arg */
	char	*fr_comment;	/* text comment for rule */
	int	fr_ref;		/* reference count - for grouping */
	int	fr_statecnt;	/* state count - for limit rules */
	/*
	 * These are only incremented when a packet matches this rule and
	 * it is the last match
	 */
	/*
	 * For PPS rate limiting
	 */
	struct	timeval	fr_lastpkt;	/* time the last matching packet was seen */
	int	fr_curpps;		/* current packets-per-second estimate */
	union {
		void	*fru_data;	/* rule-type specific data; presumably fr_dsize bytes long -- confirm */
	} fr_dun;
	/*
	 * Fields after this may not change whilst in the kernel.
	 */
	int	fr_dsize;	/* size of the data fru_data points at (presumably, see above) */
	int	fr_pps;		/* packets-per-second limit for this rule */
	int	fr_statemax;	/* max reference count */
	int	fr_flineno;	/* line number from conf file */
	char	fr_isctag[16];	/* fixed 16-byte tag; may lack a NUL when full, use bounded ops */
	/*
	 * This must be last and will change after loaded into the kernel.
	 */
} frentry_t;
#define fr_ifname fr_ifnames[0]
#define FR_NOLOGTAG 0
#ifndef offsetof
#endif
/*
* fr_type
*/
#define FR_T_NONE 0
/*
* fr_flags
*/
#define FR_CMDMASK 0x0000f
#define FR_NOTSRCIP 0x00040
#define FR_NOTDSTIP 0x00080
/* 0x10000000 FF_LOGPASS */
/* 0x20000000 FF_LOGBLOCK */
/* 0x40000000 FF_LOGNOMATCH */
/* 0x80000000 FF_BLOCKNONIP */
#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
/*
* recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
*/
#define FF_LOGPASS 0x10000000
#define FF_LOGBLOCK 0x20000000
#define FF_LOGNOMATCH 0x40000000
/*
*/
/*
 * Argument block for a table flush request.
 */
typedef struct ipfflush {
	int	ipflu_how;	/* presumably one of the FLUSH_* options above -- confirm */
	int	ipflu_arg;	/* argument interpreted according to ipflu_how */
} ipfflush_t;
/*
*
*/
typedef struct ipfgetctl {
} ipfgetctl_t;
typedef struct ipfsetctl {
	int	ipfs_which;	/* 0 = min 1 = current 2 = max 3 = default */
} ipfsetctl_t;
/*
* Some of the statistics below are in their own counters, but most are kept
* in this single structure so that they can all easily be collected and
* copied back as required.
*
* NOTE: when changing, keep in sync with kstats (below).
*/
typedef struct filterstats {
/*
* kstat "copy" of the above - keep in sync!
* also keep in sync with initialisation code in solaris.c, ipf_kstat_init().
*/
typedef struct filter_kstats {
/*
* Log structure. Each packet header logged is prepended by one of these.
* Following this in the log records read from the device will be an ipflog
* structure which is then followed by any packet data.
*/
typedef struct iplog {
} iplog_t;
#define IPLOG_SIZE sizeof(iplog_t)
typedef struct ipflog {
#else
#endif
char fl_group[FR_GROUPLEN];
} ipflog_t;
#ifndef IPF_LOGGING
# define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
# define IPF_DEFAULT_PASS FR_PASS
#endif
#define DEFAULT_IPFLOGSIZE 8192
#ifndef IPFILTER_LOGSIZE
# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
#else
# endif
#endif
/*
* Device filenames for reading log information. Use ipf on Solaris2 because
* ipl is already a name used by something else.
*/
#ifndef IPL_NAME
# if SOLARIS
# else
# endif
#endif
/*
* Pathnames for various IP Filter control devices. Used by LKM
* and userland, so defined here.
*/
#define IPNAT_NAME "/dev/ipnat"
#define IPSTATE_NAME "/dev/ipstate"
#define IPAUTH_NAME "/dev/ipauth"
#define IPSYNC_NAME "/dev/ipsync"
#define IPSCAN_NAME "/dev/ipscan"
#define IPLOOKUP_NAME "/dev/iplookup"
#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
#define IPL_LOGAUTH 3
#define IPL_LOGSYNC 4
#define IPL_LOGSCAN 5
#define IPL_LOGLOOKUP 6
#define IPL_LOGCOUNT 7
#define IPL_LOGMAX 7
#define IPL_LOGALL -1
#define IPL_LOGNONE -2
/*
* For SIOCGETFS
*/
/*
 * Filter status summary returned by SIOCGETFS.
 */
typedef struct friostat {
	int	f_locks[IPL_LOGMAX];	/* lock state per log minor device (IPL_LOG* above) */
	int	f_defpass;		/* default pass - from fr_pass */
	int	f_active;		/* 1 or 0 - active rule set */
	int	f_running;		/* 1 if running, else 0 */
	int	f_logging;		/* 1 if enabled, else 0 */
	int	f_features;		/* bit set of IPF_FEAT_* values below */
} friostat_t;
#define IPF_FEAT_LKM 0x001
#define IPF_FEAT_LOG 0x002
#define IPF_FEAT_LOOKUP 0x004
#define IPF_FEAT_BPF 0x008
#define IPF_FEAT_COMPILED 0x010
#define IPF_FEAT_CKSUM 0x020
#define IPF_FEAT_SYNC 0x040
#define IPF_FEAT_SCAN 0x080
#define IPF_FEAT_IPV6 0x100
typedef struct optlist {
	int	ol_bit;		/* bit value representing this option -- confirm with users of the table */
} optlist_t;
/*
* Group list structure.
*/
typedef struct frgroup {
	int	fg_ref;			/* reference count */
	char	fg_name[FR_GROUPLEN];	/* group name; fixed buffer, treat as possibly unterminated when full */
} frgroup_t;
/*
* Used by state and NAT tables
*/
typedef struct icmpinfo {
} icmpinfo_t;
typedef struct udpinfo {
} udpinfo_t;
typedef struct tcpdata {
	int	td_winflags;	/* presumably bit set of TCP_WSCALE_* / TCP_SACK_PERMIT below */
} tcpdata_t;
#define TCP_WSCALE_MAX 14
#define TCP_WSCALE_SEEN 0x00000001
#define TCP_WSCALE_FIRST 0x00000002
#define TCP_SACK_PERMIT 0x00000004
typedef struct tcpinfo {
} tcpinfo_t;
/*
* Structures to define a GRE header as seen in a packet.
*/
struct grebits {
};
typedef struct grehdr {
union {
} gr_un;
} grehdr_t;
/*
* GRE information tracked by "keep state"
*/
typedef struct greinfo {
} greinfo_t;
/*
* Format of an Authentication header
*/
typedef struct authhdr {
/* Following the sequence number field is 0 or more bytes of */
/* authentication data, as specified by ah_plen - RFC 2402. */
} authhdr_t;
/*
* Timeout tail queue list member
*/
typedef struct ipftqent {
	void	*tqe_parent;	/* pointer back to NAT/state struct */
	int	tqe_flags;	/* TQE_* flags (TQE_RULEBASED below) */
} ipftqent_t;
#define TQE_RULEBASED 0x00000001
/*
* Timeout tail queue head for IPFilter
*/
typedef struct ipftq {
	int	ifq_ref;	/* reference count (presumably, by analogy with fr_ref / fg_ref) */
} ipftq_t;
#define IPF_HZ_MULT 1
/* checks its timeout queues. */
/*
* Structure to define address for pool lookups.
*/
typedef struct {
} addrfamily_t;
/*
* Object structure description. For passing through in ioctls.
*/
typedef struct ipfobj {
	/*
	 * pointer to object. When the ipfobj arrives through an ioctl this
	 * is a userland address: the kernel must copy the object in/out with
	 * a size validated against ipfo_type rather than dereference it.
	 */
	void	*ipfo_ptr;
	int	ipfo_type;	/* type of object being pointed to: one of the IPFOBJ_* values below */
	int	ipfo_offset;	/* bytes from ipfo_ptr where to start */
} ipfobj_t;
#define IPFOBJ_FRENTRY 0 /* struct frentry */
typedef union ipftunevalptr {
void *ipftp_void;
typedef struct ipftuneable {
char *ipft_name;
int ipft_sz;
int ipft_flags;
struct ipftuneable *ipft_next;
typedef union ipftuneval {
} ipftuneval_t;
typedef struct ipftune {
	void	*ipft_cookie;	/* opaque iteration cookie; meaning not visible in this header */
	int	ipft_sz;	/* size of the tuneable's value */
	int	ipft_flags;	/* tuneable flags; values not visible in this header */
	/*
	 * Tuneable name. NOTE(review): if this structure is copied in from
	 * userland, the receiver must force a NUL terminator before using
	 * the name in string operations.
	 */
	char	ipft_name[80];
} ipftune_t;
/*
* ipfruleiter is iterator structure used for filter rules.
*/
typedef struct ipfruleiter {
int iri_ver;
int iri_inout;
char iri_group[FR_GROUPLEN];
int iri_active;
int iri_nrules;
/* Values for iri_inout */
#define F_IN 0
#define F_OUT 1
#define F_ACIN 2
#define F_ACOUT 3
/*
* ipfgeniter is generic iterator structure used for nat rules,
* hostmap entries and nat table entries.
*/
typedef struct ipfgeniter {
	int	igi_type;	/* type of data we're looking at (IPFGENITER_* below) */
	int	igi_nitems;	/* number of items requested/returned -- confirm direction */
	void	*igi_data;	/* caller buffer for the items; validate igi_nitems against its size when copying out */
} ipfgeniter_t;
#define IPFGENITER_IPF 0
#define IPFGENITER_NAT 1
#define IPFGENITER_IPNAT 2
#define IPFGENITER_FRAG 3
#define IPFGENITER_AUTH 4
#define IPFGENITER_STATE 5
#define IPFGENITER_NATFRAG 6
#define IPFGENITER_HOSTMAP 7
#define IPFGENITER_LOOKUP 8
typedef struct ipftable {
	int	ita_type;	/* which table is being described */
	void	*ita_table;	/* destination for the table contents; treat as a user pointer when it arrives via ioctl */
} ipftable_t;
/*
 * Iteration token. The uid/type/subtype triple presumably identifies the
 * owning caller and iteration kind so tokens are not shared across
 * callers -- confirm against the token lookup code.
 */
typedef struct ipftoken {
	void	*ipt_ctx;	/* caller context the token belongs to */
	void	*ipt_data;	/* iterator-private position data */
	int	ipt_type;	/* iteration type (cf. IPFGENITER_* above) */
	int	ipt_uid;	/* uid of the token's owner */
	int	ipt_subtype;	/* sub-type within ipt_type */
	int	ipt_alive;	/* non-zero while the token is still valid */
} ipftoken_t;
/*
* sync commands
*/
#define IPFSYNC_RESYNC 0
#define IPFSYNC_NEWIFP 1
#define IPFSYNC_OLDIFP 2
/*
** HPUX Port
*/
#ifdef __hpux
/* HP-UX locking sequence deadlock detection module lock MAJOR ID */
# define IPF_SMAJ 0 /* temp assignment XXX, not critical */
#endif
#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
# define CDEV_MAJOR 79
#endif
/*
* Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
* on those hooks. We don't need any special mods in non-IP Filter code
* with this!
*/
# if (NetBSD >= 199905)
# define PFIL_HOOKS
# endif
# ifdef PFIL_HOOKS
# define NETBSD_PF
# endif
#endif
#ifndef _KERNEL
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
# else
# endif
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern void ipfilterattach __P((int));
# endif
extern int ipl_enable __P((void));
extern int ipl_disable __P((void));
# ifdef MENTAT
mblk_t **, ipf_stack_t *));
# if SOLARIS
# if SOLARIS2 >= 7
# else
# endif
# endif
# endif
# ifdef __hpux
# endif
# else /* MENTAT */
# ifdef __sgi
extern int ipfilter_sgi_attach __P((void));
extern void ipfilter_sgi_detach __P((void));
extern void ipfilter_sgi_intfsync __P((void));
# else
# ifdef IPFILTER_LKM
extern int iplidentify __P((char *));
# endif
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
# else
# endif /* __FreeBSD_version >= 502116 */
# else
# endif /* __FreeBSD_version >= 500024 */
# else
# endif
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
# else
# endif /* __FreeBSD_version >= 502116 */
# else
# endif /* __FreeBSD_version >= 500024 */
# else
# ifdef linux
# else
# endif
# endif /* (_BSDI_VERSION >= 199510) */
# if BSD >= 199306
# if (__FreeBSD_version >= 502116)
# else
# endif /* __FreeBSD_version >= 502116 */
# else
# ifndef linux
# endif
# endif /* BSD >= 199306 */
# endif /* __ sgi */
# endif /* MENTAT */
#endif /* #ifndef _KERNEL */
extern int fr_inobjsz __P((void *, void *, int, int));
ipf_stack_t *));
extern int fr_outobjsz __P((void *, void *, int, int));
extern int fr_resolvefunc __P((void *));
#endif
ipf_stack_t *));
ipf_stack_t *));
struct sockaddr_in *, struct in_addr *,
struct in_addr *));
#ifdef USE_INET6
struct sockaddr_in6 *, struct in_addr *,
struct in_addr *));
#endif
#define IPFILTER_COMPAT
#if SOLARIS2 >= 10
#endif
ipf_stack_t *));
ipf_stack_t *));
ipf_stack_t *));
extern int fr_copytolog __P((int, char *, int));
ipf_stack_t *));
extern int fr_ifpaddr __P((int, int, void *,
ipf_stack_t *));
struct icmp *, int));
ipf_stack_t *));
#ifndef ipf_random
#endif
extern char ipfilter_version[];
#ifdef USE_INET6
extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
#endif
extern void ipftuneable_alloc(ipf_stack_t *);
extern void ipftuneable_free(ipf_stack_t *);
#endif /* __IP_FIL_H__ */