Diffstat (limited to 'sys/netinet/ip_fil.h')
-rw-r--r--sys/netinet/ip_fil.h373
1 files changed, 206 insertions, 167 deletions
diff --git a/sys/netinet/ip_fil.h b/sys/netinet/ip_fil.h
index 8d4380dd4cc..67e985af645 100644
--- a/sys/netinet/ip_fil.h
+++ b/sys/netinet/ip_fil.h
@@ -5,17 +5,20 @@
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
- * @(#)ip_fil.h 1.23 11/11/95
+ * @(#)ip_fil.h 1.29 1/12/96
*/
#ifndef __IP_FIL_H_
#define __IP_FIL_H__
#ifndef IPFILTER_LOG
-#define IPFILTER_LOG 1
+#define IPFILTER_LOG
#endif
+#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+
#if defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
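Review bot: `#define IPFILTER_LOG` now expands to nothing, so any `#if IPFILTER_LOG` test elsewhere becomes `#if` with an empty expression and fails to preprocess; if every consumer uses `#ifdef` this is fine, otherwise keep `#define IPFILTER_LOG 1`. The include guard in the context lines is also mismatched — `#ifndef __IP_FIL_H_` tests a different name from `#define __IP_FIL_H__` — so the guard never takes effect and the header can be pulled in twice; `#ifndef __IP_FIL_H__` fixes it, and a name without the leading double underscore (reserved for the implementation) would be the portable choice. Note too that `defined(...)` inside the SOLARIS replacement list is undefined behaviour per C11 6.10.1 when the macro is expanded in `#if`; compilers generally accept it, but `-Wexpansion-to-defined` will flag it.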
@@ -84,18 +87,24 @@ typedef struct fr_ip {
u_long fi_optmsk;
u_short fi_secmsk;
u_short fi_auth;
+ u_short fi_out;
+ u_short fi_rule;
+ u_short fi_hlen;
+ u_char fi_icode;
+ struct frentry *fi_fr;
} fr_ip_t;
-#define FI_SHORT 0x01
-#define FI_OPTIONS 0x02
+#define FI_OPTIONS 0x01
+#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */
#define FI_FRAG 0x04
-#define FI_TCPUDP 0x08 /* TCP/UCP implied comparison involved */
+#define FI_SHORT 0x08
typedef struct frentry {
struct frentry *fr_next;
struct ifnet *fr_ifa;
- u_int fr_hits;
-
+ u_long fr_hits;
+ u_long fr_bytes; /* this is only incremented when a packet */
+ /* stops matching on this rule */
/*
* Fields after this may not change whilst in the kernel.
*/
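Review bot: The FI_* bit values are reassigned (FI_SHORT 0x01→0x08, FI_OPTIONS 0x02→0x01, FI_TCPUDP 0x08→0x02) and fr_ip_t gains five members, so any userland tool or log reader built against the previous header will decode fi_fl and the struct layout wrongly; a comment such as `/* fi_fl bit values changed in 1.29 -- rebuild userland against this header */` next to the defines would make that visible. The new `struct frentry *fi_fr` member is a kernel pointer; if fr_ip_t is ever copied out to userland as part of a log record or statistics reply, that field exposes a kernel address and should be cleared before the copy — the ipl_ci layout and the log path are not visible from this hunk, so please confirm. The fr_ip_t definition starts above the hunk.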
@@ -114,7 +123,8 @@ typedef struct frentry {
u_short fr_sport;
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
- u_short fr_flags; /* per-rule flags && options (see below) */
+ u_long fr_flags; /* per-rule flags && options (see below) */
+ char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
} frentry_t;
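Review bot: `char fr_icode` holds an ICMP code, an 8-bit unsigned value, but plain `char` is signed on most targets, so codes 128–255 become negative and any comparison or array-index use on the field goes wrong; the matching member added to fr_ip_t in this same commit is `u_char fi_icode`, so `u_char fr_icode; /* return ICMP code (0-255) */` keeps the two consistent. Widening fr_flags from u_short to u_long also moves fr_ifname within frentry, which crosses the ioctl boundary, so userland must be rebuilt against this header. The frentry definition starts above the hunk.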
@@ -133,20 +143,30 @@ typedef struct frentry {
/*
* fr_flags
- */
+*/
#define FR_BLOCK 0x0001
#define FR_PASS 0x0002
#define FR_OUTQUE 0x0004
#define FR_INQUE 0x0008
-#define FR_LOGP 0x0010 /* Log-pass */
-#define FR_LOGB 0x0020 /* Log-fail */
-#define FR_LOG 0x0040 /* Log */
-#define FR_LOGBODY 0x0080 /* Log the body */
-#define FR_QUICK 0x0100
-#define FR_RETRST 0x0200
-#define FR_RETICMP 0x0400
-#define FR_INACTIVE 0x0800
-#define FR_NOMATCH 0x1000
+#define FR_LOG 0x0010 /* Log */
+#define FR_LOGB 0x0021 /* Log-fail */
+#define FR_LOGP 0x0022 /* Log-pass */
+#define FR_LOGBODY 0x0040 /* Log the body */
+#define FR_LOGFIRST 0x0080
+#define FR_RETRST 0x0100
+#define FR_RETICMP 0x0200
+#define FR_NOMATCH 0x0400
+#define FR_ACCOUNT 0x0800 /* count packet bytes */
+#define FR_KEEPFRAG 0x1000
+#define FR_KEEPSTATE 0x2000
+#define FR_INACTIVE 0x4000
+#define FR_QUICK 0x8000
+/*
+ * recognized flags for SIOCGETFF and SIOCSETFF
+ */
+#define FF_LOGPASS 0x100000
+#define FF_LOGBLOCK 0x200000
+#define FF_LOGNOMATCH 0x400000
#define FR_NONE 0
#define FR_EQUAL 1
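Review bot: FR_LOGB 0x0021 and FR_LOGP 0x0022 are composites (FR_LOG|FR_BLOCK and FR_LOG|FR_PASS) written as opaque hex, so a reader cannot tell they overlap FR_BLOCK/FR_PASS/FR_LOG, and a test like `if (fr_flags & FR_LOGB)` is true for every blocking rule rather than only logged ones. Spelling them `#define FR_LOGB (FR_LOG|FR_BLOCK) /* Log-fail */` and `#define FR_LOGP (FR_LOG|FR_PASS) /* Log-pass */` makes the intent explicit and reminds callers that the check must be `(fr_flags & FR_LOGB) == FR_LOGB`. The FF_* values also jump from 1/2 to bits 20–22; a one-line comment saying the old values are retired would help anyone diffing against older tools.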
@@ -164,9 +184,15 @@ typedef struct filterstats {
u_long fr_nom; /* packets which don't match any rule */
u_long fr_ppkl; /* packets allowed and logged */
u_long fr_bpkl; /* packets denied and logged */
+ u_long fr_npkl; /* packets unmatched and logged */
u_long fr_pkl; /* packets logged */
u_long fr_skip; /* packets to be logged but buffer full */
u_long fr_ret; /* packets for which a return is sent */
+ u_long fr_acct; /* packets for which counting was performed */
+ u_long fr_bnfr; /* bad attempts to allocate fragment state */
+ u_long fr_nfr; /* new fragment state kept */
+ u_long fr_bads; /* bad attempts to allocate packet state */
+ u_long fr_ads; /* new packet state kept */
#if SOLARIS
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
@@ -175,18 +201,14 @@ typedef struct filterstats {
} filterstats_t;
/*
- * recognized flags for SIOCGETFF and SIOCSETFF
- */
-#define FF_LOGPASS 1
-#define FF_LOGBLOCK 2
-
-/*
* For SIOCGETFS
*/
typedef struct friostat {
struct filterstats f_st[2];
struct frentry *f_fin[2];
struct frentry *f_fout[2];
+ struct frentry *f_acctin[2];
+ struct frentry *f_acctout[2];
int f_active;
} friostat_t;
@@ -195,11 +217,6 @@ typedef struct optlist {
int ol_bit;
} optlist_t;
-#ifdef _KERNEL
-extern struct frentry *filterin[], *filterout[];
-extern struct filterstats frstats[];
-#endif
-
typedef struct ipl_ci {
u_long sec;
u_long usec;
@@ -211,26 +228,143 @@ typedef struct ipl_ci {
u_char ifname[4];
} ipl_ci_t;
-#ifdef _KERNEL
-typedef struct ipfr {
- struct ipfr *ipfr_next, *ipfr_prev;
- struct in_addr ipfr_src;
- struct in_addr ipfr_dst;
- u_short ipfr_id;
- u_short ipfr_age;
- u_char ipfr_p;
- u_char ipfr_tos;
- u_char ipfr_pass;
-} ipfr_t;
+#ifndef ICMP_UNREACH_FILTER
+#define ICMP_UNREACH_FILTER 13
+#endif
+/*
+ * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
+ *
+ * Basic Option
+ *
+ * 00000001 - (Reserved 4)
+ * 00111101 - Top Secret
+ * 01011010 - Secret
+ * 10010110 - Confidential
+ * 01100110 - (Reserved 3)
+ * 11001100 - (Reserved 2)
+ * 10101011 - Unclassified
+ * 11110001 - (Reserved 1)
+ */
+#define IPSO_CLASS_RES4 0x01
+#define IPSO_CLASS_TOPS 0x3d
+#define IPSO_CLASS_SECR 0x5a
+#define IPSO_CLASS_CONF 0x96
+#define IPSO_CLASS_RES3 0x66
+#define IPSO_CLASS_RES2 0xcc
+#define IPSO_CLASS_UNCL 0xab
+#define IPSO_CLASS_RES1 0xf1
+
+#define IPSO_AUTH_GENSER 0x80
+#define IPSO_AUTH_ESI 0x40
+#define IPSO_AUTH_SCI 0x20
+#define IPSO_AUTH_NSA 0x10
+#define IPSO_AUTH_DOE 0x08
+#define IPSO_AUTH_UN 0x06
+#define IPSO_AUTH_FTE 0x01
+
+/*#define IPOPT_RR 7 */
+#define IPOPT_ZSU 10 /* ZSU */
+#define IPOPT_MTUP 11 /* MTUP */
+#define IPOPT_MTUR 12 /* MTUR */
+#define IPOPT_ENCODE 15 /* ENCODE */
+/*#define IPOPT_TS 68 */
+#define IPOPT_TR 82 /* TR */
+/*#define IPOPT_SECURITY 130 */
+/*#define IPOPT_LSRR 131 */
+#define IPOPT_E_SEC 133 /* E-SEC */
+#define IPOPT_CIPSO 134 /* CIPSO */
+/*#define IPOPT_SATID 136 */
+#ifndef IPOPT_SID
+# define IPOPT_SID IPOPT_SATID
+#endif
+/*#define IPOPT_SSRR 137 */
+#define IPOPT_ADDEXT 147 /* ADDEXT */
+#define IPOPT_VISA 142 /* VISA */
+#define IPOPT_IMITD 144 /* IMITD */
+#define IPOPT_EIP 145 /* EIP */
+#define IPOPT_FINN 205 /* FINN */
+
+#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
+
+extern int fr_check();
+
+#ifdef _KERNEL
+
+extern struct frentry *ipfilter[2][2], *ipacct[2][2];
+extern struct filterstats frstats[];
+# if SOLARIS
+extern int ipfsync();
+# endif
+#endif /* _KERNEL */
+
+#ifndef SOLARIS
+#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+#endif
+#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-#define IPFR_CMPSZ (4 + 4 + 2 + 1 + 1)
+#ifndef IP_OFFMASK
+#define IP_OFFMASK 0x1fff
+#endif
-# if defined(sun) && !defined(linux)
+#ifndef MAX
+#define MAX(a,b) (((a) > (b)) ? (a) : (b))
+#endif
+
+#ifdef _KERNEL
+# if SOLARIS
+# define MUTEX_ENTER(x) mutex_enter(x)
+# define MUTEX_EXIT(x) mutex_exit(x)
+# define MTOD(m,t) (t)((m)->b_rptr)
+# define IRCOPY(a,b,c) copyin((a), (b), (c))
+# define IWCOPY(a,b,c) copyout((a), (b), (c))
+# else
+# define MUTEX_ENTER(x) ;
+# define MUTEX_EXIT(x) ;
+# ifndef linux
+# define MTOD(m,t) mtod(m,t)
+# define IRCOPY(a,b,c) bcopy((a), (b), (c))
+# define IWCOPY(a,b,c) bcopy((a), (b), (c))
+# endif
+# endif /* SOLARIS */
+
+# ifdef sun
+# if defined(__svr4__) || defined(__SVR4)
+# define GETUNIT(n) get_unit((n))
+# else
+# include <sys/kmem_alloc.h>
+# define GETUNIT(n) ifunit((n), IFNAMSIZ)
+# endif
+# else
+# define GETUNIT(n) ifunit((n))
+# endif /* sun */
+
+# if defined(sun) && !defined(linux) && !defined(__NetBSD__) && !defined (__OpenBSD__)
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
# define SLEEP(id, n) sleep((id), PZERO+1)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
# if SOLARIS
+typedef struct qif {
+ struct qif *qf_next;
+ ill_t *qf_ill;
+ kmutex_t qf_lock;
+ void *qf_iptr;
+ void *qf_optr;
+ queue_t *qf_in;
+ queue_t *qf_out;
+ void *qf_wqinfo;
+ void *qf_rqinfo;
+ char qf_name[8];
+ int (*qf_inp)();
+ int (*qf_outp)();
+ /*
+ * in case the ILL has disappeared...
+ */
+ int qf_hl; /* header length */
+} qif_t;
+# define SPLNET(x) ;
+# undef SPLX
+# define SPLX(x) ;
# ifdef sparc
# define ntohs(x) (x)
# define ntohl(x) (x)
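Review bot: SOLARIS and IPMINLEN are each defined twice in the new text — SOLARIS near the top of the file and again in the `#ifndef SOLARIS` block after `#endif /* _KERNEL */`, IPMINLEN twice within this hunk alone; identical redefinitions are permitted, but the second copies serve no purpose and turn into a redefinition error the first time one is edited without the other, so drop the later pair. `extern int fr_check();` is a non-prototype declaration, which disables argument checking at every call; declare it with its real parameter list. The empty-statement macros `# define MUTEX_ENTER(x) ;`, `MUTEX_EXIT`, `SPLNET` and `SPLX` (repeated in the later `#else` block for non-kernel builds) expand to a stray `;` that breaks `if (c) MUTEX_ENTER(l); else ...` and trips `-Wempty-body`; `((void)0)` is the usual no-op body. `MAX(a,b)` evaluates its arguments twice, so it must not be called with side-effecting expressions.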
@@ -242,7 +376,7 @@ typedef struct ipfr {
# else
# define KMALLOC(x) new_kmem_alloc((x), KMEM_SLEEP)
# endif /* __svr4__ */
-# endif /* sun && !linux */
+# endif /* sun && !linux && !__NetBSD__ && !__OpenBSD__*/
# ifndef GET_MINOR
# define GET_MINOR(x) minor(x)
# endif
@@ -260,9 +394,26 @@ extern vm_map_t kmem_map;
sizeof(*(x)))
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
-# else
# endif /* BSD */
-#endif /* _KERNEL */
+# if defined(NetBSD1_0) && (NetBSD1_0 > 1)
+# define SPLNET(x) x = splsoftnet()
+# else
+# if !SOLARIS
+# define SPLNET(x) x = splnet()
+# define SPLX(x) (void) splx(x)
+# endif
+# endif
+#else
+# define MUTEX_ENTER(x) ;
+# define MUTEX_EXIT(x) ;
+# define SPLNET(x) ;
+# define SPLX(x) ;
+# define KMALLOC(x) malloc(x)
+# define KFREE(x) free(x)
+# define GETUNIT(x) (x)
+# define IRCOPY(a,b,c) bcopy((a), (b), (c))
+# define IWCOPY(a,b,c) bcopy((a), (b), (c))
+#endif /* KERNEL */
#ifdef linux
# define ICMP_UNREACH ICMP_DEST_UNREACH
@@ -293,6 +444,13 @@ typedef struct {
} tcphdr_t;
typedef struct {
+ __u16 uh_sport;
+ __u16 uh_dport;
+ __u16 uh_ulen;
+ __u16 uh_sun;
+} udphdr_t;
+
+typedef struct {
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
defined(vax)
__u8 ip_hl:4;
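Review bot: The last member of the new udphdr_t is spelt `uh_sun`, but the UDP checksum field is `uh_sum` in the BSD `struct udphdr` that the non-linux branch typedefs to udphdr_t, so portable code referencing `uh_sum` will not compile on linux; rename it to `__u16 uh_sum; /* checksum */`. The linux tcphdr_t above starts outside this hunk, so I cannot confirm its member names follow the BSD ones either.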
@@ -312,8 +470,8 @@ typedef struct {
__u32 ip_dst;
} ip_t;
-# define SPLX(x) ;
-# define SPLNET(x) ;
+# define SPLX(x) (void)
+# define SPLNET(x) (void)
# define bcopy(a,b,c) memmove(b,a,c)
# define bcmp(a,b,c) memcmp(a,b,c)
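Review bot: `# define SPLX(x) (void)` and `# define SPLNET(x) (void)` expand to a bare cast with no operand, so a call site written `SPLX(s);` — the form the non-linux `(void) splx(x)` definition expects — becomes `(void);`, which is a syntax error; the previous `;` body at least preprocessed to an empty statement. `# define SPLX(x) ((void)0)` and `# define SPLNET(x) ((void)0)` give a well-formed no-op whether used as a statement or inside an expression. The call sites are not visible here, so if they are written without a trailing semicolon this may be intended.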
@@ -336,128 +494,9 @@ typedef struct {
memcpy_tofs((b), (a), (c)); \
}
#else
-
typedef struct tcphdr tcphdr_t;
+typedef struct udphdr udphdr_t;
typedef struct ip ip_t;
-
-# if SOLARIS
-# define MTOD(m,t) (t)((m)->b_rptr)
-# define IRCOPY(a,b,c) copyin((a), (b), (c))
-# define IWCOPY(a,b,c) copyout((a), (b), (c))
-# ifdef _KERNEL
-typedef struct qif {
- struct qif *qf_next;
- ill_t *qf_ill;
- kmutex_t qf_lock;
- void *qf_iptr;
- void *qf_optr;
- queue_t *qf_in;
- queue_t *qf_out;
- void *qf_wqinfo;
- void *qf_rqinfo;
- char qf_name[8];
- int (*qf_inp)();
- int (*qf_outp)();
- /*
- * in case the ILL has disappeared...
- */
- int qf_hl; /* header length */
-} qif_t;
-# endif /* _KERNEL */
-# else
-# define MTOD(m,t) mtod(m,t)
-# define IRCOPY(a,b,c) bcopy((a), (b), (c))
-# define IWCOPY(a,b,c) bcopy((a), (b), (c))
-# endif /* SOLARIS */
-# ifdef _KERNEL
-# if defined(NetBSD1_0) && (NetBSD1_0 > 1)
-# define SPLNET(x) x = splsoftnet()
-# else
-# if SOLARIS
-# define SPLNET(x) ;
-# else
-# define SPLNET(x) x = splnet()
-# endif
-# endif
-# ifdef SPLX
-# undef SPLX
-# endif
-# if SOLARIS
-# define SPLX(x) ;
-# else
-# define SPLX(x) (void) splx(x)
-# endif
-# else
-# define SPLNET(x) ;
-# define SPLX(x) ;
-# endif /* KERNEL */
-
-# ifdef sun
-# if !defined(__sysv__) && !defined(__SVR4)
-# define GETUNIT(n) ifunit((n), IFNAMSIZ)
-# endif
-# else
-# define GETUNIT(n) ifunit((n))
-# endif /* sun */
-extern struct ifnet *ifunit();
#endif /* linux */
-#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
-
-/*#define IPOPT_RR 7 */
-#define IPOPT_ZSU 10 /* ZSU */
-#define IPOPT_MTUP 11 /* MTUP */
-#define IPOPT_MTUR 12 /* MTUR */
-#define IPOPT_ENCODE 15 /* ENCODE */
-/*#define IPOPT_TS 68 */
-#define IPOPT_TR 82 /* TR */
-/*#define IPOPT_SECURITY 130 */
-/*#define IPOPT_LSRR 131 */
-#define IPOPT_E_SEC 133 /* E-SEC */
-#define IPOPT_CIPSO 134 /* CIPSO */
-/*#define IPOPT_SATID 136 */
-#ifndef IPOPT_SID
-# define IPOPT_SID IPOPT_SATID
-#endif
-/*#define IPOPT_SSRR 137 */
-#define IPOPT_ADDEXT 147 /* ADDEXT */
-#define IPOPT_VISA 142 /* VISA */
-#define IPOPT_IMITD 144 /* IMITD */
-#define IPOPT_EIP 145 /* EIP */
-#define IPOPT_FINN 205 /* FINN */
-
-#ifndef ICMP_UNREACH_FILTER
-#define ICMP_UNREACH_FILTER 13
-#endif
-/*
- * Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
- *
- * Basic Option
- *
- * 00000001 - (Reserved 4)
- * 00111101 - Top Secret
- * 01011010 - Secret
- * 10010110 - Confidential
- * 01100110 - (Reserved 3)
- * 11001100 - (Reserved 2)
- * 10101011 - Unclassified
- * 11110001 - (Reserved 1)
- */
-#define IPSO_CLASS_RES4 0x01
-#define IPSO_CLASS_TOPS 0x3d
-#define IPSO_CLASS_SECR 0x5a
-#define IPSO_CLASS_CONF 0x96
-#define IPSO_CLASS_RES3 0x66
-#define IPSO_CLASS_RES2 0xcc
-#define IPSO_CLASS_UNCL 0xab
-#define IPSO_CLASS_RES1 0xf1
-
-#define IPSO_AUTH_GENSER 0x80
-#define IPSO_AUTH_ESI 0x40
-#define IPSO_AUTH_SCI 0x20
-#define IPSO_AUTH_NSA 0x10
-#define IPSO_AUTH_DOE 0x08
-#define IPSO_AUTH_UN 0x06
-#define IPSO_AUTH_FTE 0x01
-
#endif /* __IP_FIL_H__ */