1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
|
/*
* (C)opyright 1993-1996 by Darren Reed.
*
* Redistribution and use in source and binary forms are permitted
* provided that this notice is preserved and due credit is given
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.32 3/24/96
*/
#ifndef __IP_FIL_H__
#define __IP_FIL_H__
#ifdef _KERNEL
#define IPFILTER_LOG
#endif /* _KERNEL */
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#ifndef IP_OFFMASK
#define IP_OFFMASK 0x1fff
#endif
#ifndef MAX
#define MAX(a,b) (((a) > (b)) ? (a) : (b))
#endif
#ifdef _KERNEL
# if SOLARIS
# define MUTEX_ENTER(x) mutex_enter(x)
# define MUTEX_EXIT(x) mutex_exit(x)
# define MTOD(m,t) (t)((m)->b_rptr)
# define IRCOPY(a,b,c) copyin((a), (b), (c))
# define IWCOPY(a,b,c) copyout((a), (b), (c))
# else
# define MUTEX_ENTER(x) ;
# define MUTEX_EXIT(x) ;
# ifndef linux
# define MTOD(m,t) mtod(m,t)
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
# endif
# endif /* SOLARIS */
# ifdef sun
# if defined(__svr4__) || defined(__SVR4)
# define GETUNIT(n) get_unit((n))
# else
# include <sys/kmem_alloc.h>
# define GETUNIT(n) ifunit((n), IFNAMSIZ)
# endif
# else
# define GETUNIT(n) ifunit((n))
# endif /* sun */
# if defined(sun) && !defined(linux)
# define UIOMOVE(a,b,c,d) uiomove(a,b,c,d)
# define SLEEP(id, n) sleep((id), PZERO+1)
# define KFREE(x) kmem_free((char *)(x), sizeof(*(x)))
# if SOLARIS
typedef struct qif {
struct qif *qf_next;
ill_t *qf_ill;
kmutex_t qf_lock;
void *qf_iptr;
void *qf_optr;
queue_t *qf_in;
queue_t *qf_out;
void *qf_wqinfo;
void *qf_rqinfo;
char qf_name[8];
int (*qf_inp)();
int (*qf_outp)();
/*
* in case the ILL has disappeared...
*/
int qf_hl; /* header length */
} qif_t;
# define SPLNET(x) ;
# undef SPLX
# define SPLX(x) ;
# ifdef sparc
# define ntohs(x) (x)
# define ntohl(x) (x)
# define htons(x) (x)
# define htonl(x) (x)
# endif
# define KMALLOC(x) kmem_alloc((x), KM_SLEEP)
# define GET_MINOR(x) getminor(x)
# else
# define KMALLOC(x) new_kmem_alloc((x), KMEM_SLEEP)
# endif /* __svr4__ */
# endif /* sun && !linux */
# ifndef GET_MINOR
# define GET_MINOR(x) minor(x)
# endif
# if BSD >= 199306 || defined(__FreeBSD__)
# include <vm/vm.h>
# if !defined(__FreeBSD__)
# include <vm/vm_extern.h>
# include <sys/proc.h>
extern vm_map_t kmem_map;
# else
# include <vm/vm_kern.h>
# endif /* __FreeBSD__ */
# define KMALLOC(x) kmem_alloc(kmem_map, (x))
# define KFREE(x) kmem_free(kmem_map, (vm_offset_t)(x), \
sizeof(*(x)))
# define UIOMOVE(a,b,c,d) uiomove(a,b,d)
# define SLEEP(id, n) tsleep((id), PPAUSE|PCATCH, n, 0)
# endif /* BSD */
# if defined(NetBSD1_0) && (NetBSD1_0 > 1)
# define SPLNET(x) x = splsoftnet()
# else
# if !SOLARIS
# define SPLNET(x) x = splnet()
# define SPLX(x) (void) splx(x)
# endif
# endif
#else
# define MUTEX_ENTER(x) ;
# define MUTEX_EXIT(x) ;
# define SPLNET(x) ;
# define SPLX(x) ;
# define KMALLOC(x) malloc(x)
# define KFREE(x) free(x)
# define GETUNIT(x) (x)
# define IRCOPY(a,b,c) bcopy((a), (b), (c))
# define IWCOPY(a,b,c) bcopy((a), (b), (c))
#endif /* KERNEL */
#ifdef linux
# define ICMP_UNREACH ICMP_DEST_UNREACH
# define ICMP_SOURCEQUENCH ICMP_SOURCE_QUENCH
# define ICMP_TIMXCEED ICMP_TIME_EXCEEDED
# define ICMP_PARAMPROB ICMP_PARAMETERPROB
# define icmp icmphdr
# define icmp_type type
# define icmp_code code
# define TH_FIN 0x01
# define TH_SYN 0x02
# define TH_RST 0x04
# define TH_PUSH 0x08
# define TH_ACK 0x10
# define TH_URG 0x20
typedef struct {
__u16 th_sport;
__u16 th_dport;
__u32 th_seq;
__u32 th_ack;
__u8 th_x;
__u8 th_flags;
__u16 th_win;
__u16 th_sum;
__u16 th_urp;
} tcphdr_t;
typedef struct {
__u16 uh_sport;
__u16 uh_dport;
__u16 uh_ulen;
__u16 uh_sun;
} udphdr_t;
typedef struct {
# if defined(__i386__) || defined(__MIPSEL__) || defined(__alpha__) ||\
defined(vax)
__u8 ip_hl:4;
__u8 ip_v:4;
# else
__u8 ip_hl:4;
__u8 ip_v:4;
# endif
__u8 ip_tos;
__u16 ip_len;
__u16 ip_id;
__u16 ip_off;
__u8 ip_ttl;
__u8 ip_p;
__u16 ip_sum;
__u32 ip_src;
__u32 ip_dst;
} ip_t;
# define SPLX(x) (void)
# define SPLNET(x) (void)
# define bcopy(a,b,c) memmove(b,a,c)
# define bcmp(a,b,c) memcmp(a,b,c)
# define UNITNAME(n) dev_get((n))
# define ifnet device
# define KMALLOC(x) kmalloc((x), GFP_ATOMIC)
# define KFREE(x) kfree_s((x), sizeof(*(x)))
# define IRCOPY(a,b,c) { \
error = verify_area(VERIFY_READ, \
(b) ,sizeof((b))); \
if (!error) \
memcpy_fromfs((b), (a), (c)); \
}
# define IWCOPY(a,b,c) { \
error = verify_area(VERIFY_WRITE, \
(b) ,sizeof((b))); \
if (!error) \
memcpy_tofs((b), (a), (c)); \
}
#else
typedef struct tcphdr tcphdr_t;
typedef struct udphdr udphdr_t;
typedef struct ip ip_t;
#endif /* linux */
#ifndef SOLARIS
#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
#if defined(KERNEL) && !defined(_KERNEL)
#define _KERNEL
#endif
#if SOLARIS
# include <sys/ioccom.h>
# include <sys/sysmacros.h>
# ifdef _KERNEL
# include <inet/common.h>
/*
* because Solaris 2 defines these in two places :-/
*/
#undef IPOPT_EOL
#undef IPOPT_NOP
#undef IPOPT_LSRR
#undef IPOPT_RR
#undef IPOPT_SSRR
# include <inet/ip.h>
# endif
#endif
#if defined(__STDC__) || defined(__GNUC__)
#define SIOCADAFR _IOW('r', 60, struct frentry)
#define SIOCRMAFR _IOW('r', 61, struct frentry)
#define SIOCSETFF _IOW('r', 62, u_int)
#define SIOCGETFF _IOR('r', 63, u_int)
#define SIOCGETFS _IOR('r', 64, struct friostat)
#define SIOCIPFFL _IOWR('r', 65, int)
#define SIOCIPFFB _IOR('r', 66, int)
#define SIOCADIFR _IOW('r', 67, struct frentry)
#define SIOCRMIFR _IOW('r', 68, struct frentry)
#define SIOCSWAPA _IOR('r', 69, u_int)
#define SIOCINAFR _IOW('r', 70, struct frentry)
#define SIOCINIFR _IOW('r', 71, struct frentry)
#define SIOCFRENB _IOW('r', 72, u_int)
#define SIOCFRSYN _IOW('r', 73, u_int)
#define SIOCFRZST _IOWR('r', 74, struct friostat)
#else
#define SIOCADAFR _IOW(r, 60, struct frentry)
#define SIOCRMAFR _IOW(r, 61, struct frentry)
#define SIOCSETFF _IOW(r, 62, u_int)
#define SIOCGETFF _IOR(r, 63, u_int)
#define SIOCGETFS _IOR(r, 64, struct friostat)
#define SIOCIPFFL _IOWR(r, 65, int)
#define SIOCIPFFB _IOR(r, 66, int)
#define SIOCADIFR _IOW(r, 67, struct frentry)
#define SIOCRMIFR _IOW(r, 68, struct frentry)
#define SIOCSWAPA _IOR(r, 69, u_int)
#define SIOCINAFR _IOW(r, 70, struct frentry)
#define SIOCINIFR _IOW(r, 71, struct frentry)
#define SIOCFRENB _IOW(r, 72, u_int)
#define SIOCFRSYN _IOW(r, 73, u_int)
#define SIOCFRZST _IOWR(r, 74, struct friostat)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
#define SIOCINSFR SIOCINAFR
typedef struct fr_ip {
u_char fi_v:4;
u_char fi_fl:4;
u_char fi_tos;
u_char fi_ttl;
u_char fi_p;
struct in_addr fi_src;
struct in_addr fi_dst;
u_long fi_optmsk;
u_short fi_secmsk;
u_short fi_auth;
} fr_ip_t;
#define FI_OPTIONS 0x01
#define FI_TCPUDP 0x02 /* TCP/UCP implied comparison involved */
#define FI_FRAG 0x04
#define FI_SHORT 0x08
typedef struct fr_info {
struct fr_ip fin_fi;
void *fin_ifp;
u_short fin_data[2];
u_short fin_out;
u_char fin_tcpf;
u_char fin_icode;
u_short fin_rule;
u_short fin_hlen;
u_short fin_dlen;
char *fin_dp;
struct frentry *fin_fr;
} fr_info_t;
#define FI_CSIZE (sizeof(struct fr_ip) + 11)
typedef struct frentry {
struct frentry *fr_next;
struct ifnet *fr_ifa;
u_long fr_hits;
u_long fr_bytes; /* this is only incremented when a packet */
/* stops matching on this rule */
/*
* Fields after this may not change whilst in the kernel.
*/
struct fr_ip fr_ip;
struct fr_ip fr_mip;
u_char fr_tcpfm; /* tcp flags mask */
u_char fr_tcpf; /* tcp flags */
u_short fr_icmpm; /* data for ICMP packets (mask) */
u_short fr_icmp;
u_char fr_scmp; /* data for port comparisons */
u_char fr_dcmp;
u_short fr_dport;
u_short fr_sport;
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_long fr_flags; /* per-rule flags && options (see below) */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
} frentry_t;
#define fr_proto fr_ip.fi_p
#define fr_ttl fr_ip.fi_ttl
#define fr_tos fr_ip.fi_tos
#define fr_dst fr_ip.fi_dst
#define fr_src fr_ip.fi_src
#define fr_dmsk fr_mip.fi_dst
#define fr_smsk fr_mip.fi_src
#ifndef offsetof
#define offsetof(t,m) (int)((&((t *)0L)->m))
#endif
#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
/*
* fr_flags
*/
#define FR_BLOCK 0x0001
#define FR_PASS 0x0002
#define FR_OUTQUE 0x0004
#define FR_INQUE 0x0008
#define FR_LOG 0x0010 /* Log */
#define FR_LOGB 0x0021 /* Log-fail */
#define FR_LOGP 0x0022 /* Log-pass */
#define FR_LOGBODY 0x0040 /* Log the body */
#define FR_LOGFIRST 0x0080
#define FR_RETRST 0x0100
#define FR_RETICMP 0x0200
#define FR_NOMATCH 0x0400
#define FR_ACCOUNT 0x0800 /* count packet bytes */
#define FR_KEEPFRAG 0x1000
#define FR_KEEPSTATE 0x2000
#define FR_INACTIVE 0x4000
#define FR_QUICK 0x8000
/*
* recognized flags for SIOCGETFF and SIOCSETFF
*/
#define FF_LOGPASS 0x100000
#define FF_LOGBLOCK 0x200000
#define FF_LOGNOMATCH 0x400000
#define FR_NONE 0
#define FR_EQUAL 1
#define FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define FR_OUTRANGE 7
#define FR_INRANGE 8
typedef struct filterstats {
u_long fr_pass; /* packets allowed */
u_long fr_block; /* packets denied */
u_long fr_nom; /* packets which don't match any rule */
u_long fr_ppkl; /* packets allowed and logged */
u_long fr_bpkl; /* packets denied and logged */
u_long fr_npkl; /* packets unmatched and logged */
u_long fr_pkl; /* packets logged */
u_long fr_skip; /* packets to be logged but buffer full */
u_long fr_ret; /* packets for which a return is sent */
u_long fr_acct; /* packets for which counting was performed */
u_long fr_bnfr; /* bad attempts to allocate fragment state */
u_long fr_nfr; /* new fragment state kept */
u_long fr_cfr; /* add new fragment state but complete pkt */
u_long fr_bads; /* bad attempts to allocate packet state */
u_long fr_ads; /* new packet state kept */
u_long fr_chit; /* cached hit */
#if SOLARIS
u_long fr_bad; /* bad IP packets to the filter */
u_long fr_notip; /* packets passed through no on ip queue */
u_long fr_drop; /* packets dropped - no info for them! */
#endif
} filterstats_t;
/*
* For SIOCGETFS
*/
typedef struct friostat {
struct filterstats f_st[2];
struct frentry *f_fin[2];
struct frentry *f_fout[2];
struct frentry *f_acctin[2];
struct frentry *f_acctout[2];
int f_active;
} friostat_t;
typedef struct optlist {
u_short ol_val;
int ol_bit;
} optlist_t;
typedef struct ipl_ci {
u_long sec;
u_long usec;
u_char hlen;
u_char plen;
u_short rule;
u_long flags:24;
#if !defined (__OpenBSD__) && !defined (__NetBSD__)
u_long unit:8;
u_char ifname[4];
#else /* OpenBSD or NetBSD */
u_long : 0;
u_char ifname[IFNAMSIZ];
#endif /* OpenBSD or NetBSD */
} ipl_ci_t;
#ifndef ICMP_UNREACH_FILTER
#define ICMP_UNREACH_FILTER 13
#endif
/*
* Security Options for Intenet Protocol (IPSO) as defined in RFC 1108.
*
* Basic Option
*
* 00000001 - (Reserved 4)
* 00111101 - Top Secret
* 01011010 - Secret
* 10010110 - Confidential
* 01100110 - (Reserved 3)
* 11001100 - (Reserved 2)
* 10101011 - Unclassified
* 11110001 - (Reserved 1)
*/
#define IPSO_CLASS_RES4 0x01
#define IPSO_CLASS_TOPS 0x3d
#define IPSO_CLASS_SECR 0x5a
#define IPSO_CLASS_CONF 0x96
#define IPSO_CLASS_RES3 0x66
#define IPSO_CLASS_RES2 0xcc
#define IPSO_CLASS_UNCL 0xab
#define IPSO_CLASS_RES1 0xf1
#define IPSO_AUTH_GENSER 0x80
#define IPSO_AUTH_ESI 0x40
#define IPSO_AUTH_SCI 0x20
#define IPSO_AUTH_NSA 0x10
#define IPSO_AUTH_DOE 0x08
#define IPSO_AUTH_UN 0x06
#define IPSO_AUTH_FTE 0x01
/*#define IPOPT_RR 7 */
#define IPOPT_ZSU 10 /* ZSU */
#define IPOPT_MTUP 11 /* MTUP */
#define IPOPT_MTUR 12 /* MTUR */
#define IPOPT_ENCODE 15 /* ENCODE */
/*#define IPOPT_TS 68 */
#define IPOPT_TR 82 /* TR */
/*#define IPOPT_SECURITY 130 */
/*#define IPOPT_LSRR 131 */
#define IPOPT_E_SEC 133 /* E-SEC */
#define IPOPT_CIPSO 134 /* CIPSO */
/*#define IPOPT_SATID 136 */
#ifndef IPOPT_SID
# define IPOPT_SID IPOPT_SATID
#endif
/*#define IPOPT_SSRR 137 */
#define IPOPT_ADDEXT 147 /* ADDEXT */
#define IPOPT_VISA 142 /* VISA */
#define IPOPT_IMITD 144 /* IMITD */
#define IPOPT_EIP 145 /* EIP */
#define IPOPT_FINN 205 /* FINN */
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
extern int fr_check();
extern fr_info_t frcache[];
#ifdef _KERNEL
extern struct frentry *ipfilter[2][2], *ipacct[2][2];
extern struct filterstats frstats[];
# if SOLARIS
extern int ipfsync();
# endif
#endif /* _KERNEL */
#endif /* __IP_FIL_H__ */
|