.TH IPF 4
.SH NAME
ipf - packet filtering kernel interface
.SH SYNOPSIS
#include <sys/ip_fil.h>
.SH IOCTLS
.PP
To add and delete rules in the filter list, three 'basic' ioctls are
provided. They are called as:
.LP
.nf
ioctl(fd, SIOCADDFR, struct frentry *)
ioctl(fd, SIOCDELFR, struct frentry *)
ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
However, the full complement is as follows:
.LP
.nf
ioctl(fd, SIOCADAFR, struct frentry *) (same as SIOCADDFR)
ioctl(fd, SIOCRMAFR, struct frentry *) (same as SIOCDELFR)
ioctl(fd, SIOCADIFR, struct frentry *)
ioctl(fd, SIOCRMIFR, struct frentry *)
ioctl(fd, SIOCINAFR, struct frentry *)
ioctl(fd, SIOCINIFR, struct frentry *)
ioctl(fd, SIOCIPFFL, int *)
.fi
.PP
The variations, SIOCADAFR vs SIOCADIFR, operate on the two lists,
active and inactive, respectively. All of these ioctls are implemented
as routing ioctls, so the same rules that apply to the various routing
ioctls and their file descriptor apply here, chiefly that the fd must
be that of the device associated with the module (i.e. /dev/ipl).
.PP
The three groups of ioctls above add a rule to the end of the list
(SIOCAD*), delete a rule from any place in the list (SIOCRM*) and insert
a rule into the list (SIOCIN*). For insertion, the position in the list
at which the rule is placed is stored in the "fr_hits" field, described
below.
.LP
.nf
typedef struct frentry {
        struct frentry  *fr_next;       /* next rule in the list */
        struct ifnet    *fr_ifa;
        u_int           fr_hits;        /* insertion position for SIOCIN* (see above) */
        /*
         * Fields after this may not change whilst in the kernel.
         */
        struct ip       fr_ip;          /* header values to compare against */
        struct ip       fr_mip;         /* mask applied to fr_ip fields */
        u_short         fr_icmpm;       /* data for ICMP packets (mask) */
        u_short         fr_icmp;
        char            fr_tcpfm;       /* tcp flags mask */
        char            fr_tcpf;        /* tcp flags */
        u_char          fr_scmp;        /* data for port comparisons */
        u_char          fr_dcmp;
        u_short         fr_dport;
        u_short         fr_sport;
        u_short         fr_stop;        /* top port for <> and >< */
        u_short         fr_dtop;        /* top port for <> and >< */
        u_short         fr_flags;       /* per-rule flags && options */
        char            fr_ifname[IFNAMSIZ];
} frentry_t;
.fi
.PP
Flags which are recognised in fr_pass:
.nf
FR_BLOCK        0x0001  /* do not allow packet to pass */
FR_PASS         0x0002  /* allow packet to pass */
FR_OUTQUE       0x0004  /* outgoing packets */
FR_QUICK        0x0008  /* quick-match and return */
FR_LOGP         0x0010  /* Log-pass */
FR_INQUE        0x0020  /* incoming packets */
FR_LOGB         0x0040  /* Log-fail */
FR_LOG          0x0080  /* Log */
FR_RETRST       0x0100  /* return a TCP RST packet if blocked */
FR_OPTFRAG      0x0200  /* filter packets which are fragments */
FR_OPTSHORT     0x0400  /* filter short TCP packets */
FR_RETICMP      0x0800  /* return an ICMP packet if blocked */
FR_TCPUDP       0x1000  /* TCP/UDP implied comparison involved */
.fi
.PP
Values for fr_scmp and fr_dcmp (source and destination port value
comparisons):
.LP
.nf
FR_NONE 0
FR_EQUAL 1
FR_NEQUAL 2
FR_LESST 3
FR_GREATERT 4
FR_LESSTE 5
FR_GREATERTE 6
FR_OUTRANGE 7
FR_INRANGE 8
.fi
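.PP
The following is an added example, not code from this manual page or from
the IP Filter sources: a user-space C model of how the frentry fields, flags
and comparison values above combine into a match for one packet, and how a
list of such rules yields a verdict. The constants are transcribed from this
page; struct rule is a cut-down stand-in for struct frentry, and the range
semantics of <> and ><, a default verdict of pass when nothing matches, and
"the last match decides unless it is FR_QUICK" are assumptions.

```c
/* Added example, not from this manual page or the IP Filter sources: a
 * user-space model of how the frentry fields combine into a match. The
 * constants come from the page; struct rule stands in for struct frentry.
 * Assumed: <> means outside lo..top, >< strictly inside it, and the last
 * matching rule decides unless it carries FR_QUICK. */
#define _DEFAULT_SOURCE
#include <netinet/ip.h>
#include <stdint.h>
enum { FR_BLOCK = 0x0001, FR_PASS = 0x0002, FR_QUICK = 0x0008, FR_TCPUDP = 0x1000 };
enum { FR_NONE, FR_EQUAL, FR_NEQUAL, FR_LESST, FR_GREATERT,
       FR_LESSTE, FR_GREATERTE, FR_OUTRANGE, FR_INRANGE };
struct rule {
    struct ip fr_ip, fr_mip;            /* header values and their mask */
    uint8_t fr_scmp, fr_dcmp;           /* port comparison codes */
    uint16_t fr_sport, fr_dport;        /* port, or bottom of a range */
    uint16_t fr_stop, fr_dtop;          /* top port for <> and >< */
    uint16_t fr_flags;
};
static int port_cmp(int cmp, uint16_t p, uint16_t lo, uint16_t top) {
    switch (cmp) {
    case FR_EQUAL:     return p == lo;
    case FR_NEQUAL:    return p != lo;
    case FR_LESST:     return p < lo;
    case FR_GREATERT:  return p > lo;
    case FR_LESSTE:    return p <= lo;
    case FR_GREATERTE: return p >= lo;
    case FR_OUTRANGE:  return p < lo || p > top;
    case FR_INRANGE:   return p > lo && p < top;
    default:           return 1;        /* FR_NONE: no port test */
    }
}
/* Every masked header field must equal the rule's value; port tests apply only to FR_TCPUDP rules. */
int rule_matches(const struct rule *r, const struct ip *p, uint16_t sp, uint16_t dp) {
    if ((p->ip_p & r->fr_mip.ip_p) != r->fr_ip.ip_p ||
        (p->ip_src.s_addr & r->fr_mip.ip_src.s_addr) != r->fr_ip.ip_src.s_addr ||
        (p->ip_dst.s_addr & r->fr_mip.ip_dst.s_addr) != r->fr_ip.ip_dst.s_addr)
        return 0;
    if (!(r->fr_flags & FR_TCPUDP)) return 1;
    return port_cmp(r->fr_scmp, sp, r->fr_sport, r->fr_stop) &&
           port_cmp(r->fr_dcmp, dp, r->fr_dport, r->fr_dtop);
}
/* Walk the list in order; a matching FR_QUICK rule ends the walk at once. */
int filter(const struct rule *rules, int n, const struct ip *p, uint16_t sp, uint16_t dp) {
    int verdict = FR_PASS;              /* assumed default when nothing matches */
    for (int i = 0; i < n; i++) {
        if (!rule_matches(&rules[i], p, sp, dp)) continue;
        verdict = rules[i].fr_flags & (FR_BLOCK | FR_PASS);
        if (rules[i].fr_flags & FR_QUICK) break;
    }
    return verdict;
}
```

A rule built this way can be audited against a constructed header before it is ever handed to SIOCADAFR, which is the cheapest place to catch a mask or range mistake.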
.PP
The third ioctl, SIOCIPFFL, flushes the input filter list, the output
filter list, or both, and returns the number of filters removed from the
list(s). The values it takes and recognises are FR_INQUE and FR_OUTQUE
(see above).
.PP
\fBGeneral Logging Flags\fP
.PP
Two flags can be set to log packets independently of the rules in use.
They allow packets which are passed, or packets which are blocked, to be
logged regardless of the rule that matched. To set (or clear) and to get
these flags, two ioctls are provided:
.IP SIOCSETFF 16
Takes an unsigned integer as the parameter. The flags are set to exactly
the value provided, so all of them are cleared or set in one operation.
.nf
FF_LOGPASS 1
FF_LOGBLOCK 2
.fi
.IP SIOCGETFF 16
Takes a pointer to an unsigned integer as the parameter. A copy of the
flags currently in use is written to user space.
.LP
\fBFilter statistics\fP
Statistics on the various operations performed by this package on packets
are kept inside the kernel. They cover packets traversing the kernel. To
retrieve the structure holding them, use this ioctl:
.nf
ioctl(fd, SIOCGETFS, struct friostat *)

struct friostat {
        struct filterstats      f_st[2];
        struct frentry          *f_fin;         /* input filter list */
        struct frentry          *f_fout;        /* output filter list */
};

struct filterstats {
        u_long  fr_pass;        /* packets allowed */
        u_long  fr_block;       /* packets denied */
        u_long  fr_ppkl;        /* packets allowed and logged */
        u_long  fr_bpkl;        /* packets denied and logged */
        u_long  fr_pkl;         /* packets logged */
        u_long  fr_skip;        /* packets to be logged but buffer full */
};
.fi
.SH BUGS
It would be nice if there were more flexibility when adding and deleting
filter rules.
.SH SEE ALSO
ipfstat(1), ipf(1), ipf(5)