author | dm <dm@cvs.openbsd.org> | 1996-07-18 05:11:04 +0000 |
---|---|---|
committer | dm <dm@cvs.openbsd.org> | 1996-07-18 05:11:04 +0000 |
commit | 855450577164de85ddee7341a7ed13c7073882ca (patch) | |
tree | 7c401e870b4cbd2624bb531bd9d11a1adcf08383 /sbin/ipf/ipf.4 | |
parent | d863770dbf1c7b1d87285f2c65bde3fe93cd1b9d (diff) |
ipfilter 3.1.0
Diffstat (limited to 'sbin/ipf/ipf.4')
-rw-r--r-- | sbin/ipf/ipf.4 | 97 |
1 files changed, 63 insertions, 34 deletions
diff --git a/sbin/ipf/ipf.4 b/sbin/ipf/ipf.4
index a355c08185c..5cbfbd001c5 100644
--- a/sbin/ipf/ipf.4
+++ b/sbin/ipf/ipf.4
@@ -1,5 +1,3 @@
-.\" $OpenBSD: ipf.4,v 1.3 1996/06/23 14:30:53 deraadt Exp $
-.\"
 .TH IPF 4
 .SH NAME
 ipf - packet filtering kernel interface
@@ -41,51 +39,70 @@ and insertion of a rule into the list (SIOCIN*). The rule place into which it is inserted is stored in the "fr_hits" field, below. .LP .nf - typedef struct frentry { struct frentry *fr_next; struct ifnet *fr_ifa; - u_int fr_hits; - + u_long fr_hits; + u_long fr_bytes; /* this is only incremented when a packet */ + /* stops matching on this rule */ /* * Fields after this may not change whilst in the kernel. */ - struct ip fr_ip; - struct ip fr_mip; + struct fr_ip fr_ip; + struct fr_ip fr_mip; + + u_char fr_tcpfm; /* tcp flags mask */ + u_char fr_tcpf; /* tcp flags */ u_short fr_icmpm; /* data for ICMP packets (mask) */ u_short fr_icmp; - char fr_tcpfm; /* tcp flags mask */ - char fr_tcpf; /* tcp flags */ - u_char fr_scmp; /* data for port comparisons */ u_char fr_dcmp; u_short fr_dport; u_short fr_sport; u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ - u_short fr_flags; /* per-rule flags && options */ + u_long fr_flags; /* per-rule flags && options (see below) */ + int (*fr_func)(); /* call this function */ + char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; + struct frdest fr_tif; /* "to" interface */ + struct frdest fr_dif; /* duplicate packet interfaces */ } frentry_t; .fi .PP +When adding a new rule, all unused fields (in the filter rule) should be +initialised to be zero. To insert a rule, at a particular position in the +filter list, the number of the rule which it is to be inserted before must +be put in the "fr_hits" field (the first rule is number 0). 
+.LP +.PP Flags which are recognised in fr_pass: .nf - FR_BLOCK 0x0001 /* do not allow packet to pass */ - FR_PASS 0x0002 /* allow packet to pass */ - FR_OUTQUE 0x0004 /* outgoing packets */ - FR_QUICK 0x0008 /* quick-match and return */ - FR_LOGP 0x0010 /* Log-pass */ - FR_INQUE 0x0020 /* ingoing packets */ - FR_LOGB 0x0040 /* Log-fail */ - FR_LOG 0x0080 /* Log */ - FR_RETRST 0x0100 /* return a TCP RST packet if blocked */ - FR_OPTFRAG 0x0200 /* filter packets which are fragments */ - FR_OPTSHORT 0x0400 /* filter short TCP packets */ - FR_RETICMP 0x0800 /* return an ICMP packet if blocked */ - FR_TCPUDP 0x1000 /* TCP/UCP implied comparison involved */ + FR_BLOCK 0x00001 /* do not allow packet to pass */ + FR_PASS 0x00002 /* allow packet to pass */ + FR_OUTQUE 0x00004 /* outgoing packets */ + FR_INQUE 0x00008 /* ingoing packets */ + FR_LOG 0x00010 /* Log */ + FR_LOGP 0x00011 /* Log-pass */ + FR_LOGB 0x00012 /* Log-fail */ + FR_LOGBODY 0x00020 /* log the body of packets too */ + FR_LOGFIRST 0x00040 /* log only the first packet to match */ + FR_RETRST 0x00080 /* return a TCP RST packet if blocked */ + FR_RETICMP 0x00100 /* return an ICMP packet if blocked */ + FR_NOMATCH 0x00200 /* no match occured */ + FR_ACCOUNT 0x00400 /* count packet bytes */ + FR_KEEPFRAG 0x00800 + FR_KEEPSTATE 0x01000 /* keep packet flow state information */ + FR_INACTIVE 0x02000 + FR_QUICK 0x04000 /* quick-match and return */ + FR_FASTROUTE 0x08000 + FR_CALLFUNC 0x10000 + FR_CALLNOW 0x20000 + FR_DUP 0x40000 /* duplicate the packet (not Solaris2) + .fi .PP Values for fr_scomp and fr_dcomp (source and destination port value @@ -123,7 +140,7 @@ those provided (clearing/setting all in one). .fi .IP SIOCGETFF 16 Takes a pointer to an unsigned integer as the parameter. A copy of the -fags currently in used is copied to user space. +flags currently in used is copied to user space. .LP \fBFilter statistics\fP Statistics on the various operations performed by this package on packets 
@@ -140,16 +157,28 @@ struct friostat { }; struct filterstats { - u_long fr_pass; /* packets allowed */ - u_long fr_block; /* packets denied */ - u_long fr_ppkl; /* packets allowed and logged */ - u_long fr_bpkl; /* packets denied and logged */ - u_long fr_pkl; /* packets logged */ - u_long fr_skip; /* packets to be logged but buffer full */ + u_long fr_pass; /* packets allowed */ + u_long fr_block; /* packets denied */ + u_long fr_nom; /* packets which don't match any rule */ + u_long fr_ppkl; /* packets allowed and logged */ + u_long fr_bpkl; /* packets denied and logged */ + u_long fr_npkl; /* packets unmatched and logged */ + u_long fr_pkl; /* packets logged */ + u_long fr_skip; /* packets to be logged but buffer full */ + u_long fr_ret; /* packets for which a return is sent */ + u_long fr_acct; /* packets for which counting was performed */ + u_long fr_bnfr; /* bad attempts to allocate fragment state */ + u_long fr_nfr; /* new fragment state kept */ + u_long fr_cfr; /* add new fragment state but complete pkt */ + u_long fr_bads; /* bad attempts to allocate packet state */ + u_long fr_ads; /* new packet state kept */ + u_long fr_chit; /* cached hit */ +#if SOLARIS + u_long fr_bad; /* bad IP packets to the filter */ + u_long fr_notip; /* packets passed through no on ip queue */ + u_long fr_drop; /* packets dropped - no info for them! */ +#endif }; .fi -.SH BUGS -It would be nice if there were more flexibility when adding and deleting -filter rules. .SH SEE ALSO ipfstat(1), ipf(1), ipf(5) |