summaryrefslogtreecommitdiff
path: root/sbin/ipf/ipf.4
blob: f88151230da03ddf9bd3d549df2f2926eb4b6c65 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
.\"	$OpenBSD: ipf.4,v 1.19 2000/02/19 21:46:45 aaron Exp $
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
.SH SYNOPSIS
#include <netinet/ip_fil_compat.h>
.br
#include <netinet/ip_fil.h>
.SH IOCTLS
.PP
To add and delete rules to the filter list, three 'basic' ioctls are provided
for use.  The ioctls are called as:
.LP
.nf
	ioctl(fd, SIOCADDFR, struct frentry *)
	ioctl(fd, SIOCDELFR, struct frentry *)
	ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
However, the full complement is as follows:
.LP
.nf
	ioctl(fd, SIOCADAFR, struct frentry *) (same as SIOCADDFR)
	ioctl(fd, SIOCRMAFR, struct frentry *) (same as SIOCDELFR)
	ioctl(fd, SIOCADIFR, struct frentry *)
	ioctl(fd, SIOCRMIFR, struct frentry *)
	ioctl(fd, SIOCINAFR, struct frentry *)
	ioctl(fd, SIOCINIFR, struct frentry *)
	ioctl(fd, SIOCSETFF, u_int *)
	ioctl(fd, SIOGGETFF, u_int *)
	ioctl(fd, SIOCGETFS, struct friostat *)
	ioctl(fd, SIOCIPFFL, int *)
	ioctl(fd, SIOCIPFFB, int *)
	ioctl(fd, SIOCSWAPA, u_int *)
	ioctl(fd, SIOCFRENB, u_int *)
	ioctl(fd, SIOCFRSYN, u_int *)
	ioctl(fd, SIOCFRZST, struct friostat *)
	ioctl(fd, SIOCZRLST, struct frentry *)
	ioctl(fd, SIOCAUTHW, struct fr_info *)
	ioctl(fd, SIOCAUTHR, struct fr_info *)
	ioctl(fd, SIOCATHST, struct fr_authstat *)
.fi
.PP
The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
active and inactive, respectively.  All of these ioctls are implemented
as being routing ioctls and thus the same rules for the various routing
ioctls and the file descriptor are employed, mainly being that the fd must
be that of the device associated with the module (i.e., /dev/ipl).
.LP
.PP
The three groups of ioctls above perform adding rules to the end of the
list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
and insertion of a rule into the list (SIOCIN*).  The rule place into
which it is inserted is stored in the "fr_hits" field, below.
.LP
.nf
typedef struct  frentry {
        struct  frentry *fr_next;
        u_short fr_group;       /* group to which this rule belongs */
        u_short fr_grhead;      /* group # which this rule starts */
        struct  frentry *fr_grp;
        int     fr_ref;         /* reference count - for grouping */
        void	*fr_ifa;
#if BSD >= 199306
        void	*fr_oifa;
#endif
        /*
         * These are only incremented when a packet matches this rule and
         * it is the last match
         */
        U_QUAD_T	fr_hits;
        U_QUAD_T	fr_bytes;
        /*
         * Fields after this may not change whilst in the kernel.
         */
        struct  fr_ip   fr_ip;
        struct  fr_ip   fr_mip; /* mask structure */

        u_char  fr_tcpfm;       /* tcp flags mask */
        u_char  fr_tcpf;        /* tcp flags */

        u_short fr_icmpm;       /* data for ICMP packets (mask) */
        u_short fr_icmp;

        u_char  fr_scmp;        /* data for port comparisons */
        u_char  fr_dcmp;
        u_short fr_dport;
        u_short fr_sport;
        u_short fr_stop;        /* top port for <> and >< */
        u_short fr_dtop;        /* top port for <> and >< */
        u_32_t  fr_flags;       /* per-rule flags && options (see below) */
        u_short fr_skip;        /* # of rules to skip */
        u_short fr_loglevel;    /* syslog log facility + priority */
        int     (*fr_func) __P((int, ip_t *, fr_info_t *));
        char    fr_icode;       /* return ICMP code */
        char    fr_ifname[IFNAMSIZ];
#if BSD > 199306
        char	fr_oifname[IFNAMSIZ];
#endif
        struct  frdest  fr_tif; /* "to" interface */
        struct  frdest  fr_dif; /* duplicate packet interfaces */
} frentry_t;
.fi
.PP
When adding a new rule, all unused fields (in the filter rule) should be
initialized to be zero.  To insert a rule, at a particular position in the
filter list, the number of the rule which it is to be inserted before must
be put in the "fr_hits" field (the first rule is number 0).
.LP
.PP
Flags which are recognised in fr_pass:
.nf

     FR_BLOCK        0x000001   /* do not allow packet to pass */
     FR_PASS         0x000002   /* allow packet to pass */
     FR_OUTQUE       0x000004   /* outgoing packets */
     FR_INQUE        0x000008   /* ingoing packets */
     FR_LOG          0x000010   /* Log */
     FR_LOGB         0x000011   /* Log-fail */
     FR_LOGP         0x000012   /* Log-pass */
     FR_LOGBODY      0x000020   /* log the body of packets too */
     FR_LOGFIRST     0x000040   /* log only the first packet to match */
     FR_RETRST       0x000080   /* return a TCP RST packet if blocked */
     FR_RETICMP      0x000100   /* return an ICMP packet if blocked */
     FR_FAKEICMP     0x00180    /* Return ICMP unreachable with fake source */
     FR_NOMATCH      0x000200   /* no match occurred */
     FR_ACCOUNT      0x000400   /* count packet bytes */
     FR_KEEPFRAG     0x000800   /* keep fragment information */
     FR_KEEPSTATE    0x001000   /* keep `connection' state information */
     FR_INACTIVE     0x002000
     FR_QUICK        0x004000   /* match & stop processing list */
     FR_FASTROUTE    0x008000   /* bypass normal routing */
     FR_CALLNOW      0x010000   /* call another function (fr_func) if matches */
     FR_DUP          0x020000   /* duplicate the packet */
     FR_LOGORBLOCK   0x040000   /* block the packet if it can't be logged */
     FR_NOTSRCIP     0x080000   /* not the src IP# */
     FR_NOTDSTIP     0x100000   /* not the dst IP# */
     FR_AUTH         0x200000   /* use authentication */
     FR_PREAUTH      0x400000   /* require preauthentication */
	
.fi
.PP
Values for fr_scomp and fr_dcomp (source and destination port value
comparisons) :
.LP
.nf
	FR_NONE         0
	FR_EQUAL        1
	FR_NEQUAL       2
	FR_LESST        3
	FR_GREATERT     4
	FR_LESSTE       5
	FR_GREATERTE    6
	FR_OUTRANGE     7
	FR_INRANGE      8
.fi
.PP
The third ioctl, SIOCIPFFL, flushes either the input filter list, the
output filter list or both and it returns the number of filters removed
from the list(s).  The values which it will take and recognise are FR_INQUE
and FR_OUTQUE (see above). This ioctl is also implemented for
.Pa /dev/ipstate
and will flush all state tables entries if passed 0 or just all those
which are not established if passed 1.

.IP "\fBGeneral Logging Flags\fP" 0
There are two flags which can be set to log packets independently of the
rules used.  These allow for packets which are either passed or blocked
to be logged.  To set (and clear)/get these flags, two ioctls are
provided:
.IP SIOCSETFF 16
Takes an unsigned integer as the parameter.  The flags are then set to
those provided (clearing/setting all in one).
.nf

	FF_LOGPASS	0x10000000
	FF_LOGBLOCK	0x20000000
	FF_LOGNOMATCH	0x40000000
	FF_BLOCKNONIP	0x80000000    /* Solaris 2.x only */
.fi
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter.  A copy of the
flags currently in used is copied to user space.
.LP
.IP "\fBFilter statistics\fP" 0
Statistics on the various operations performed by this package on packets
is kept inside the kernel.  These statistics apply to packets traversing
through the kernel.  To retrieve this structure, use this ioctl:
.nf

	ioctl(fd, SIOCGETFS, struct friostat *)

struct  friostat        {
        struct  filterstats     f_st[2];
        struct  frentry         *f_fin[2];
        struct  frentry         *f_fout[2];
        struct  frentry         *f_acctin[2];
        struct  frentry         *f_acctout[2];
        struct  frentry         *f_auth;
        u_long  f_froute[2];
        int     f_active;       /* 1 or 0 - active rule set */
        int     f_defpass;      /* default pass - from fr_pass */
        int     f_running;      /* 1 if running, else 0 */
        int     f_logging;      /* 1 if enabled, else 0 */
        char    f_version[32];  /* version string */
};

struct	filterstats {
        u_long  fr_pass;        /* packets allowed */
        u_long  fr_block;       /* packets denied */
        u_long  fr_nom;         /* packets which don't match any rule */
        u_long  fr_ppkl;        /* packets allowed and logged */
        u_long  fr_bpkl;        /* packets denied and logged */
        u_long  fr_npkl;        /* packets unmatched and logged */
        u_long  fr_pkl;         /* packets logged */
        u_long  fr_skip;        /* packets to be logged but buffer full */
        u_long  fr_ret;         /* packets for which a return is sent */
        u_long  fr_acct;        /* packets for which counting was performed */
        u_long  fr_bnfr;        /* bad attempts to allocate fragment state */
        u_long  fr_nfr;         /* new fragment state kept */
        u_long  fr_cfr;         /* add new fragment state but complete pkt */
        u_long  fr_bads;        /* bad attempts to allocate packet state */
        u_long  fr_ads;         /* new packet state kept */
        u_long  fr_chit;        /* cached hit */
        u_long  fr_pull[2];     /* good and bad pullup attempts */
#if SOLARIS
        u_long  fr_notdata;     /* PROTO/PCPROTO that have no data */
        u_long  fr_nodata;      /* mblks that have no data */
	u_long  fr_bad;         /* bad IP packets to the filter */
        u_long  fr_notip;       /* packets passed through no on ip queue */
        u_long  fr_drop;        /* packets dropped - no info for them! */
#endif
};
.fi
If we wanted to retrieve all the statistics and reset the counters back to
0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
In addition to the statistics above, each rule keeps a hit count, counting
both number of packets and bytes.  To reset these counters for a rule,
load the various rule information into a frentry structure and call
SIOCZRLST.
.IP "Swapping Active lists" 0
IP Filter supports two lists of rules for filtering and accounting: an
active list and an inactive list.  This allows for large scale rule base
changes to be put in place atomically with otherwise minimal interruption.
Which of the two is active can be changed using the SIOCSWAPA ioctl.  It
is important to note that no passed argument is recognised and that the
value returned is that of the list which is now inactive.
.br
.SH FILES
/dev/ipauth
.br
/dev/ipl
.br
/dev/ipstate
.SH SEE ALSO
ipftest(1), ipl(4), ipnat(4), ipf(5), ipnat(5), ipf(8), ipfstat(8), ipmon(8), ipnat(8)
.br
http://coombs.anu.edu.au/~avalon