1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
.TH IPF 4
.SH NAME
ipf \- packet filtering kernel interface
.SH SYNOPSIS
.nf
#include <netinet/ip_fil_compat.h>
#include <netinet/ip_fil.h>
.fi
.SH IOCTLS
.PP
To add and delete rules to the filter list, three 'basic' ioctls are provided
for use. The ioctls are called as:
.LP
.nf
ioctl(fd, SIOCADDFR, struct frentry *)
ioctl(fd, SIOCDELFR, struct frentry *)
ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
However, the full complement is as follows:
.LP
.nf
ioctl(fd, SIOCADAFR, struct frentry *) (same as SUICADDFR)
ioctl(fd, SIOCRMAFR, struct frentry *) (same as SUICDELFR)
ioctl(fd, SIOCADIFR, struct frentry *)
ioctl(fd, SIOCRMIFR, struct frentry *)
ioctl(fd, SIOCINAFR, struct frentry *)
ioctl(fd, SIOCINIFR, struct frentry *)
ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
active and inactive, respectively. All of these ioctls are implemented
as being routing ioctls and thus the same rules for the various routing
ioctls and the file descriptor are employed, mainly being that the fd must
be that of the device associated with the module (i.e., /dev/ipl).
.LP
.PP
The three groups of ioctls above perform adding rules to the end of the
list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
and insertion of a rule into the list (SIOCIN*). The rule place into
which it is inserted is stored in the "fr_hits" field, below.
.LP
.nf
typedef struct frentry {
struct frentry *fr_next;
struct ifnet *fr_ifa;
u_long fr_hits;
u_long fr_bytes; /* this is only incremented when a packet */
/* stops matching on this rule */
/*
* Fields after this may not change whilst in the kernel.
*/
struct fr_ip fr_ip;
struct fr_ip fr_mip;
u_char fr_tcpfm; /* tcp flags mask */
u_char fr_tcpf; /* tcp flags */
u_short fr_icmpm; /* data for ICMP packets (mask) */
u_short fr_icmp;
u_char fr_scmp; /* data for port comparisons */
u_char fr_dcmp;
u_short fr_dport;
u_short fr_sport;
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
int (*fr_func)(); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
.fi
.PP
When adding a new rule, all unused fields (in the filter rule) should be
initialized to be zero. To insert a rule, at a particular position in the
filter list, the number of the rule which it is to be inserted before must
be put in the "fr_hits" field (the first rule is number 0).
.LP
.PP
Flags which are recognized in fr_pass:
.nf
FR_BLOCK 0x00001 /* do not allow packet to pass */
FR_PASS 0x00002 /* allow packet to pass */
FR_OUTQUE 0x00004 /* outgoing packets */
FR_INQUE 0x00008 /* ingoing packets */
FR_LOG 0x00010 /* Log */
FR_LOGP 0x00011 /* Log-pass */
FR_LOGB 0x00012 /* Log-fail */
FR_LOGBODY 0x00020 /* log the body of packets too */
FR_LOGFIRST 0x00040 /* log only the first packet to match */
FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
FR_NOMATCH 0x00200 /* no match occurred */
FR_ACCOUNT 0x00400 /* count packet bytes */
FR_KEEPFRAG 0x00800
FR_KEEPSTATE 0x01000 /* keep packet flow state information */
FR_INACTIVE 0x02000
FR_QUICK 0x04000 /* quick-match and return */
FR_FASTROUTE 0x08000
FR_CALLFUNC 0x10000
FR_CALLNOW 0x20000
FR_DUP 0x40000 /* duplicate the packet (not Solaris2)
.fi
.PP
Values for fr_scomp and fr_dcomp (source and destination port value
comparisons) :
.LP
.nf
FR_NONE 0
FR_EQUAL 1
FR_NEQUAL 2
FR_LESST 3
FR_GREATERT 4
FR_LESSTE 5
FR_GREATERTE 6
FR_OUTRANGE 7
FR_INRANGE 8
.fi
.PP
The third ioctl, SIOCIPFFL, flushes either the input filter list, the
output filter list or both and it returns the number of filters removed
from the list(s). The values which it will take and recognize are FR_INQUE
and FR_OUTQUE (see above).
\fBGeneral Logging Flags\fP
There are two flags which can be set to log packets independently of the
rules used. These allow for packets which are either passed or blocked
to be logged. To set (and clear)/get these flags, two ioctls are
provided:
.IP SIOCSETFF 16
Takes an unsigned integer as the parameter. The flags are then set to
those provided (clearing/setting all in one).
.nf
FF_LOGPASS 1
FF_LOGBLOCK 2
.fi
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter. A copy of the
flags currently in used is copied to user space.
.LP
\fBFilter statistics\fP
Statistics on the various operations performed by this package on packets
is kept inside the kernel. These statistics apply to packets traversing
through the kernel. To retrieve this structure, use this ioctl:
.nf
ioctl(fd, SIOCGETFS, struct friostat *)
struct friostat {
struct filterstats f_st[2];
struct frentry *f_fin;
struct frentry *f_fout;
};
struct filterstats {
u_long fr_pass; /* packets allowed */
u_long fr_block; /* packets denied */
u_long fr_nom; /* packets which don't match any rule */
u_long fr_ppkl; /* packets allowed and logged */
u_long fr_bpkl; /* packets denied and logged */
u_long fr_npkl; /* packets unmatched and logged */
u_long fr_pkl; /* packets logged */
u_long fr_skip; /* packets to be logged but buffer full */
u_long fr_ret; /* packets for which a return is sent */
u_long fr_acct; /* packets for which counting was performed */
u_long fr_bnfr; /* bad attempts to allocate fragment state */
u_long fr_nfr; /* new fragment state kept */
u_long fr_cfr; /* add new fragment state but complete pkt */
u_long fr_bads; /* bad attempts to allocate packet state */
u_long fr_ads; /* new packet state kept */
u_long fr_chit; /* cached hit */
#if SOLARIS
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
u_long fr_drop; /* packets dropped - no info for them! */
#endif
};
.fi
.SH SEE ALSO
ipfstat(1), ipf(1), ipf(5)
|