Diffstat (limited to 'sys/netinet/ip_fil.h')
-rw-r--r-- | sys/netinet/ip_fil.h | 391 |
1 files changed, 311 insertions, 80 deletions
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h index e9ec1254057..8bb0186cb60 100644 --- a/sys/netinet/ip_fil.h +++ b/sys/netinet/ip_fil.h @@ -1,18 +1,25 @@ -/* $OpenBSD: ip_fil.h,v 1.8 1997/02/11 22:23:16 kstailey Exp $ */ /* - * (C)opyright 1993-1996 by Darren Reed. + * Copyright (C) 1993-1997 by Darren Reed. * * Redistribution and use in source and binary forms are permitted * provided that this notice is preserved and due credit is given * to the original author and the contributors. * * @(#)ip_fil.h 1.35 6/5/96 - * Id: ip_fil.h,v 2.0.1.2 1997/01/10 00:28:15 darrenr Exp + * $Id: ip_fil.h,v 1.9 1998/01/26 04:10:39 dgregor Exp $ */ #ifndef __IP_FIL_H__ #define __IP_FIL_H__ +/* + * Pathnames for various IP Filter control devices. Used by LKM + * and userland, so defined here. + */ +#define IPNAT_NAME "/dev/ipnat" +#define IPSTATE_NAME "/dev/ipstate" +#define IPAUTH_NAME "/dev/ipauth" + #ifndef SOLARIS #define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) #endif @@ -20,20 +27,12 @@ #if defined(KERNEL) && !defined(_KERNEL) #define _KERNEL #endif -#if SOLARIS -# include <sys/ioccom.h> -# include <sys/sysmacros.h> -# ifdef _KERNEL -# include <inet/common.h> -/* - * because Solaris 2 defines these in two places :-/ - */ -#undef IPOPT_EOL -#undef IPOPT_NOP -#undef IPOPT_LSRR -#undef IPOPT_RR -#undef IPOPT_SSRR -# include <inet/ip.h> + +#ifndef __P +# ifdef __STDC__ +# define __P(x) x +# else +# define __P(x) () # endif #endif @@ -54,6 +53,9 @@ #define SIOCFRSYN _IOW('r', 73, u_int) #define SIOCFRZST _IOWR('r', 74, struct friostat) #define SIOCZRLST _IOWR('r', 75, struct frentry) +#define SIOCAUTHW _IOWR('r', 76, struct fr_info) +#define SIOCAUTHR _IOWR('r', 77, struct fr_info) +#define SIOCATHST _IOWR('r', 78, struct fr_authstat) #else #define SIOCADAFR _IOW(r, 60, struct frentry) #define SIOCRMAFR _IOW(r, 61, struct frentry) 
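Review bot: SIOCAUTHW and SIOCAUTHR are `_IOWR` ioctls on `struct fr_info`, and the rewritten fr_info_t (hunk at L6) now carries four kernel pointers (`fin_ifp`, `fin_fr`, `fin_dp`, `fin_mp`); an _IOWR copies the whole struct both ways, so unless the handler (not in this file) clears those fields on copyout and ignores them on copyin, the authenticating process is shown kernel addresses and can hand back pointer values the kernel must never dereference. A comment beside the defines, `/* fr_info crosses the user/kernel boundary: scrub fin_ifp/fin_fr/fin_dp/fin_mp on copyout, never trust them on copyin */`, would record that contract for the handler. The same three defines are repeated with the unquoted `r` spelling in the hunk at L6 and the point applies there too.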
@@ -71,6 +73,9 @@ #define SIOCFRSYN _IOW(r, 73, u_int) #define SIOCFRZST _IOWR(r, 74, struct friostat) #define SIOCZRLST _IOWR(r, 75, struct frentry) +#define SIOCAUTHW _IOWR(r, 76, struct fr_info) +#define SIOCAUTHR _IOWR(r, 77, struct fr_info) +#define SIOCATHST _IOWR(r, 78, struct fr_authstat) #endif #define SIOCADDFR SIOCADAFR #define SIOCDELFR SIOCRMAFR @@ -84,31 +89,42 @@ typedef struct fr_ip { u_char fi_p; struct in_addr fi_src; struct in_addr fi_dst; - u_long fi_optmsk; /* bitmask composed from IP options */ + u_32_t fi_optmsk; /* bitmask composed from IP options */ u_short fi_secmsk; /* bitmask composed from IP security options */ u_short fi_auth; } fr_ip_t; -#define FI_OPTIONS 0x01 -#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */ -#define FI_FRAG 0x04 -#define FI_SHORT 0x08 +#define FI_OPTIONS (FF_OPTIONS >> 24) +#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/ +#define FI_FRAG (FF_FRAG >> 24) +#define FI_SHORT (FF_SHORT >> 24) typedef struct fr_info { struct fr_ip fin_fi; - void *fin_ifp; u_short fin_data[2]; u_short fin_out; + u_short fin_hlen; u_char fin_tcpf; - u_char fin_icode; + u_char fin_icode; /* From here on is packet specific */ u_short fin_rule; - u_short fin_hlen; + u_short fin_group; u_short fin_dlen; - char *fin_dp; /* start of data past IP header */ + u_short fin_id; + void *fin_ifp; struct frentry *fin_fr; + char *fin_dp; /* start of data past IP header */ + void *fin_mp; } fr_info_t; -#define FI_CSIZE (sizeof(struct fr_ip) + 11) +/* + * Size for compares on fr_info structures + */ +#define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \ + sizeof(u_char)) +/* + * Size for copying cache fr_info structure + */ +#define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void *) * 2) typedef struct frdest { void *fd_ifp; 
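Review bot: FI_CSIZE and FI_COPYSIZE are now derived from the field layout of struct fr_info instead of a literal, but nothing names which fields they are meant to span: FI_CSIZE equals fin_fi plus fin_data[2], fin_out, fin_hlen and fin_tcpf only if no padding is inserted before fin_tcpf, and FI_COPYSIZE assumes fin_dp and fin_mp are the last two members with no tail padding. These sizes presumably feed the compare and copy of the fr_info cache (the users are outside this header), so a reorder of the struct silently changes what is compared or copied. I would put `/* FI_CSIZE: fin_fi..fin_tcpf; FI_COPYSIZE: everything but the trailing fin_dp/fin_mp -- keep in step with struct fr_info */` next to the struct and have the "From here on is packet specific" note on fin_icode say that FI_CSIZE stops immediately before it.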
@@ -118,10 +134,17 @@ typedef struct frdest { typedef struct frentry { struct frentry *fr_next; - struct ifnet *fr_ifa; - u_long fr_hits; - u_long fr_bytes; /* this is only incremented when a packet */ - /* matches this rule and it is the last match*/ + u_short fr_group; /* group to which this rule belongs */ + u_short fr_grhead; /* group # which this rule starts */ + struct frentry *fr_grp; + int fr_ref; /* reference count - for grouping */ + void *fr_ifa; + /* + * These are only incremented when a packet matches this rule and + * it is the last match + */ + U_QUAD_T fr_hits; + U_QUAD_T fr_bytes; /* * Fields after this may not change whilst in the kernel. */ @@ -140,9 +163,9 @@ typedef struct frentry { u_short fr_sport; u_short fr_stop; /* top port for <> and >< */ u_short fr_dtop; /* top port for <> and >< */ - u_long fr_flags; /* per-rule flags && options (see below) */ - int (*fr_func) __P((int, ip_t *, fr_info_t *)); - /* call this function */ + u_32_t fr_flags; /* per-rule flags && options (see below) */ + int fr_skip; /* # of rules to skip */ + int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */ char fr_icode; /* return ICMP code */ char fr_ifname[IFNAMSIZ]; struct frdest fr_tif; /* "to" interface */ @@ -164,11 +187,11 @@ typedef struct frentry { /* * fr_flags -*/ -#define FR_BLOCK 0x00001 -#define FR_PASS 0x00002 -#define FR_OUTQUE 0x00004 -#define FR_INQUE 0x00008 + */ +#define FR_BLOCK 0x00001 /* do not allow packet to pass */ +#define FR_PASS 0x00002 /* allow packet to pass */ +#define FR_OUTQUE 0x00004 /* outgoing packets */ +#define FR_INQUE 0x00008 /* ingoing packets */ #define FR_LOG 0x00010 /* Log */ #define FR_LOGB 0x00011 /* Log-fail */ #define FR_LOGP 0x00012 /* Log-pass */ 
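Review bot: `fr_skip` (hunk @@ -140) and the new `fr_group`/`fr_grhead` fields (hunk @@ -118) steer rule-list traversal, and struct frentry is the payload of the SIOCADAFR/SIOCRMAFR ioctls declared earlier in this file, so their values arrive from userland; the header should state that the kernel bounds `fr_skip` against the list length and validates the group numbers when a rule is loaded, since the ioctl handler is not in this file and cannot be checked here. The kernel-private members `fr_next`, `fr_grp`, `fr_ref` and `fr_ifa` are likewise overwritten by the copyin with caller-supplied values and must be reinitialised rather than trusted, and `fr_func` remains a code pointer inside a userland-supplied structure, so the kernel side must resolve it itself rather than call the copied value. I would add `/* # of rules to skip -- range-checked by the kernel when the rule is loaded */` on fr_skip and extend the existing "Fields after this may not change whilst in the kernel" comment to say that the fields before it are kernel-owned and reset on load.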
@@ -176,7 +199,7 @@ typedef struct frentry { #define FR_LOGFIRST 0x00040 /* Log the first byte if state held */ #define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */ #define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */ -#define FR_NOMATCH 0x00200 +#define FR_NOMATCH 0x00200 /* no match occured */ #define FR_ACCOUNT 0x00400 /* count packet bytes */ #define FR_KEEPFRAG 0x00800 /* keep fragment information */ #define FR_KEEPSTATE 0x01000 /* keep `connection' state information */ @@ -186,16 +209,28 @@ typedef struct frentry { #define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */ #define FR_DUP 0x20000 /* duplicate packet */ #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */ +#define FR_NOTSRCIP 0x80000 /* not the src IP# */ +#define FR_NOTDSTIP 0x100000 /* not the dst IP# */ +#define FR_AUTH 0x200000 /* use authentication */ +#define FR_PREAUTH 0x400000 /* require preauthentication */ #define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB) + /* - * recognized flags for SIOCGETFF and SIOCSETFF + * These correspond to #define's for FI_* and are stored in fr_flags */ -#define FF_LOGPASS 0x100000 -#define FF_LOGBLOCK 0x200000 -#define FF_LOGNOMATCH 0x400000 +#define FF_OPTIONS 0x01000000 +#define FF_TCPUDP 0x02000000 +#define FF_FRAG 0x04000000 +#define FF_SHORT 0x08000000 +/* + * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags + */ +#define FF_LOGPASS 0x10000000 +#define FF_LOGBLOCK 0x20000000 +#define FF_LOGNOMATCH 0x40000000 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH) -#define FF_BLOCKNONIP 0x800000 /* Solaris2 Only */ +#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */ #define FR_NONE 0 #define FR_EQUAL 1 
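Review bot: `FF_BLOCKNONIP` now occupies bit 31 (`0x80000000`) and the FF_ block fills the top byte of fr_flags, whose struct field became `u_32_t` (hunk at L7), but the matching global is still declared `extern int fr_flags;` in the hunk ending at L15; with a 32-bit `int`, `fr_flags & FF_BLOCKNONIP` mixes a signed object with an unsigned constant, and a stored value with bit 31 set is negative. Declaring it `extern u_32_t fr_flags;` matches the field type and removes the sign question. Separately, the comment added to FR_NOMATCH reads `occured`; `/* no match occurred */`.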
@@ -224,6 +259,7 @@ typedef struct filterstats { u_long fr_bads; /* bad attempts to allocate packet state */ u_long fr_ads; /* new packet state kept */ u_long fr_chit; /* cached hit */ + u_long fr_tcpbad; /* TCP checksum check failures */ u_long fr_pull[2]; /* good and bad pullup attempts */ #if SOLARIS u_long fr_bad; /* bad IP packets to the filter */ 
@@ -241,61 +277,256 @@ typedef struct friostat { struct frentry *f_fout[2]; struct frentry *f_acctin[2]; struct frentry *f_acctout[2]; + struct frentry *f_auth; + u_long f_froute[2]; int f_active; } friostat_t; -typedef struct optlist { +typedef struct optlist { u_short ol_val; - int ol_bit; + int ol_bit; } optlist_t; + /* - * Log structure. Each packet header logged is prepended by one of these, - * minimize size to make most effective use of log space which should - * (ideally) be a muliple of the most common log entry size. + * Group list structure. */ -typedef struct ipl_ci { - u_long sec; - u_long usec; - u_char hlen; - u_char plen; - u_short rule; /* assume never more than 64k rules, total */ +typedef struct frgroup { + u_short fg_num; + struct frgroup *fg_next; + struct frentry *fg_head; + struct frentry **fg_start; +} frgroup_t; + + +/* + * Log structure. Each packet header logged is prepended by one of these. + * Following this in the log records read from the device will be an ipflog + * structure which is then followed by any packet data. 
+ */ +typedef struct iplog { + u_long ipl_magic; + u_long ipl_sec; + u_long ipl_usec; + u_int ipl_len; + u_int ipl_count; + size_t ipl_dsize; + struct iplog *ipl_next; +} iplog_t; + +#define IPL_MAGIC 0x49504c4d /* 'IPLM' */ + +typedef struct ipflog { #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ - (defined(OpenBSD) && (OpenBSD >= 199603)) - u_long flags; - u_char ifname[IFNAMSIZ]; /* = 32 bytes */ + (defined(OpenBSD) && (OpenBSD >= 199603)) + u_char fl_ifname[IFNAMSIZ]; #else - u_long flags:24; - u_long unit:8; - u_char ifname[4]; /* = 20 bytes */ + u_int fl_unit; + u_char fl_ifname[4]; #endif -} ipl_ci_t; + u_char fl_plen; /* extra data after hlen */ + u_char fl_hlen; /* length of IP headers saved */ + u_short fl_rule; /* assume never more than 64k rules, total */ + u_short fl_group; + u_32_t fl_flags; +} ipflog_t; +# ifdef __OpenBSD__ +# ifndef ICMP_UNREACH_FILTER_PROHIB +# define ICMP_UNREACH_FILTER_PROHIB 13 +# endif +#else +# ifndef ICMP_UNREACH_FILTER +# define ICMP_UNREACH_FILTER 13 +# endif +#endif -#ifndef ICMP_UNREACH_FILTER_PROHIB -#define ICMP_UNREACH_FILTER_PROHIB 13 +#ifndef IPF_LOGGING +#define IPF_LOGGING 0 +#endif +#ifndef IPF_DEFAULT_PASS +#define IPF_DEFAULT_PASS FR_PASS #endif #define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) #define IPLLOGSIZE 8192 -#ifdef _KERNEL -extern int fr_check __P((ip_t *, int, struct ifnet *, int, - struct mbuf **)); -#else -extern int fr_check __P((ip_t *, int, struct ifnet *, int)); +/* + * Device filenames for reading log information. Use ipf on Solaris2 because + * ipl is already a name used by something else. 
+ */ +#ifndef IPL_NAME +# if SOLARIS +# define IPL_NAME "/dev/ipf" +# else +# define IPL_NAME "/dev/ipl" +# endif #endif -extern int fr_copytolog(char *, int); -extern fr_info_t frcache[]; -extern char *iplh, *iplt; -extern char iplbuf[IPLLOGSIZE]; +#define IPL_NAT IPNAT_NAME +#define IPL_STATE IPSTATE_NAME +#define IPL_AUTH IPAUTH_NAME -#ifdef _KERNEL +#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */ +#define IPL_LOGNAT 1 +#define IPL_LOGSTATE 2 +#define IPL_LOGAUTH 3 +#define IPL_LOGMAX 3 -extern struct frentry *ipfilter[2][2], *ipacct[2][2]; -extern struct filterstats frstats[]; -# if SOLARIS -extern int ipfsync(); +#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \ + (__FreeBSD_version >= 220000) +# define CDEV_MAJOR 79 +#endif + +#ifndef _KERNEL +extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); +extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); +extern int send_reset __P((ip_t *, struct ifnet *)); +extern int icmp_error __P((ip_t *, struct ifnet *)); +extern int ipf_log __P((void)); +extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *)); +extern struct ifnet *get_unit __P((char *)); +# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701) +extern int iplioctl __P((dev_t, u_long, caddr_t, int)); +# else +extern int iplioctl __P((dev_t, int, caddr_t, int)); +# endif +# ifdef __OpenBSD__ +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); # endif -#endif /* _KERNEL */ +extern int ipl_enable __P((void)); +extern int ipl_disable __P((void)); +#else /* #ifndef _KERNEL */ +# if defined(__NetBSD__) && defined(PFIL_HOOKS) +extern int ipfilterattach __P((int)); +# endif +# ifndef __OpenBSD__ +extern int iplattach __P((void)); +# endif +extern int ipl_enable __P((void)); +extern int ipl_disable __P((void)); +extern void ipflog_init __P((void)); +extern int ipflog_clear __P((int)); +extern int 
ipflog_read __P((int, struct uio *)); +extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *)); +extern int ipllog __P((int, u_long, void **, size_t *, int *, int)); +# if SOLARIS +extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **)); +extern int (*fr_checkp) __P((ip_t *, int, void *, + int, qif_t *, mb_t **)); +extern int icmp_error __P((ip_t *, int, int, qif_t *, + struct in_addr)); +extern int iplioctl __P((dev_t, int, int, int, cred_t *, int *)); +extern int iplopen __P((dev_t *, int, int, cred_t *)); +extern int iplclose __P((dev_t, int, int, cred_t *)); +extern int ipfsync __P((void)); +extern int send_reset __P((ip_t *, qif_t *)); +extern int ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **, + fr_info_t *, frdest_t *)); +extern void copyin_mblk __P((mblk_t *, int, int, char *)); +extern void copyout_mblk __P((mblk_t *, int, int, char *)); +extern int fr_qin __P((queue_t *, mblk_t *)); +extern int fr_qout __P((queue_t *, mblk_t *)); +# ifdef IPFILTER_LOG +extern int iplread __P((dev_t, struct uio *, cred_t *)); +# endif +# else /* SOLARIS */ +extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); +extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); +# ifdef linux +extern int send_reset __P((tcpiphdr_t *, struct ifnet *)); +# else +extern int send_reset __P((tcpiphdr_t *)); +# endif +extern void ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *)); +extern size_t mbufchainlen __P((mb_t *)); +# ifdef __sgi +# include <sys/cred.h> +extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *)); +extern int iplopen __P((dev_t *, int, int, cred_t *)); +extern int iplclose __P((dev_t, int, int, cred_t *)); +extern int iplread __P((dev_t, struct uio *, cred_t *)); +extern int ipfsync __P((void)); +extern int ipfilter_sgi_attach __P((void)); +extern void ipfilter_sgi_detach __P((void)); +extern void ipfilter_sgi_intfsync __P((void)); +# else +# ifdef IPFILTER_LKM +extern int iplidentify __P((char *)); +# endif 
+# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ + (NetBSD >= 199511) || defined(__OpenBSD__) +# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || defined(__OpenBSD__) +extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *)); +# else +extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *)); +# endif +extern int iplopen __P((dev_t, int, int, struct proc *)); +extern int iplclose __P((dev_t, int, int, struct proc *)); +# else +# if defined(__OpenBSD__) +extern int iplioctl __P((dev_t, u_long, caddr_t, int)); +# else /* __OpenBSD__ */ +# ifndef linux +extern int iplioctl __P((dev_t, int, caddr_t, int)); +# else +extern int iplioctl(struct inode *, struct file *, u_int, u_long); +# endif +# endif /* __OpenBSD__ */ +# ifndef linux +extern int iplopen __P((dev_t, int)); +extern int iplclose __P((dev_t, int)); +# else +extern int iplopen __P((struct inode *, struct file *)); +extern void iplclose __P((struct inode *, struct file *)); +# endif /* !linux */ +# endif /* (_BSDI_VERSION >= 199510) */ +# if BSD >= 199306 +extern int iplread __P((dev_t, struct uio *, int)); +# else +# ifndef linux +extern int iplread __P((dev_t, struct uio *)); +# else +extern int iplread(struct inode *, struct file *, char *, int); +# endif /* !linux */ +# endif /* BSD >= 199306 */ +# endif /* __ sgi */ +# endif /* SOLARIS */ +#endif /* #ifndef _KERNEL */ + +/* + * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns + * on those hooks. We don't need any special mods in non-IP Filter code + * with this! 
+ */ +#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \ + (defined(NetBSD1_2) && NetBSD1_2 > 1) +# define NETBSD_PF +#endif + +extern int ipldetach __P((void)); +extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int)); +#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m) +extern int fr_scanlist __P((int, ip_t *, fr_info_t *, void *)); +extern u_short ipf_cksum __P((u_short *, int)); +extern int fr_copytolog __P((int, char *, int)); +extern void frflush __P((int, int *)); +extern frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int)); +extern frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***)); +extern void fr_delgroup __P((u_short, u_32_t, int, int)); +extern int ipl_unreach; +extern int ipl_inited; +extern u_long ipl_frouteok[2]; +extern int fr_pass; +extern int fr_flags; +extern int fr_active; +extern fr_info_t frcache[2]; +#ifdef IPFILTER_LOG +extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; +extern int iplused[IPL_LOGMAX + 1]; +#endif +extern struct frentry *ipfilter[2][2], *ipacct[2][2]; +extern struct frgroup *ipfgroups[3][2]; +extern struct filterstats frstats[]; #endif /* __IP_FIL_H__ */ |
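Review bot: The `iplog` header is documented as the record log readers receive from the device, yet it embeds a kernel list pointer (`ipl_next`) and word-size-dependent fields (`u_long`, `size_t`); if the read path copies the struct out as-is (not visible here), a kernel address reaches userland with every record and the log format is tied to the kernel's word size, so either the on-wire part should be a separate fixed-width struct or the comment should state that `ipl_next` is never copied out and that readers must check `ipl_dsize` against the bytes actually read. `FR_SCANLIST` is defined twice on the new side, once under `#ifndef _KERNEL` and again unconditionally near the end; the identical redefinition is legal but the first copy is redundant. `IPF_DEFAULT_PASS` defaults to FR_PASS behind an `#ifndef`, which presumably makes the filter fail-open when no rule matches; a comment such as `/* policy when no rule matches; define IPF_DEFAULT_PASS as FR_BLOCK at build time for fail-closed */` would make the override visible to packagers.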