4 ipf \- packet filtering kernel interface
6 #include <netinet/ip_compat.h>
8 #include <netinet/ip_fil.h>
11 To add and delete rules to the filter list, three 'basic' ioctls are provided
12 for use. The ioctl's are called as:
15 ioctl(fd, SIOCADDFR, struct frentry **)
16 ioctl(fd, SIOCDELFR, struct frentry **)
17 ioctl(fd, SIOCIPFFL, int *)
20 However, the full complement is as follows:
23 ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
24 ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
25 ioctl(fd, SIOCADIFR, struct frentry **)
26 ioctl(fd, SIOCRMIFR, struct frentry **)
27 ioctl(fd, SIOCINAFR, struct frentry **)
28 ioctl(fd, SIOCINIFR, struct frentry **)
29 ioctl(fd, SIOCSETFF, u_int *)
30 ioctl(fd, SIOGGETFF, u_int *)
31 ioctl(fd, SIOCGETFS, struct friostat **)
32 ioctl(fd, SIOCIPFFL, int *)
33 ioctl(fd, SIOCIPFFB, int *)
34 ioctl(fd, SIOCSWAPA, u_int *)
35 ioctl(fd, SIOCFRENB, u_int *)
36 ioctl(fd, SIOCFRSYN, u_int *)
37 ioctl(fd, SIOCFRZST, struct friostat **)
38 ioctl(fd, SIOCZRLST, struct frentry **)
39 ioctl(fd, SIOCAUTHW, struct fr_info **)
40 ioctl(fd, SIOCAUTHR, struct fr_info **)
41 ioctl(fd, SIOCATHST, struct fr_authstat **)
44 The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
45 active and inactive, respectively. All of these ioctl's are implemented
46 as being routing ioctls and thus the same rules for the various routing
47 ioctls and the file descriptor are employed, mainly being that the fd must
48 be that of the device associated with the module (i.e., /dev/ipl).
50 The three groups of ioctls above perform adding rules to the end of the
51 list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
52 and insertion of a rule into the list (SIOCIN*). The rule place into
53 which it is inserted is stored in the "fr_hits" field, below.
56 typedef struct frentry {
57 struct frentry *fr_next;
58 u_short fr_group; /* group to which this rule belongs */
59 u_short fr_grhead; /* group # which this rule starts */
60 struct frentry *fr_grp;
61 int fr_ref; /* reference count - for grouping */
67 * These are only incremented when a packet matches this rule and
68 * it is the last match
73 * Fields after this may not change whilst in the kernel.
76 struct fr_ip fr_mip; /* mask structure */
78 u_char fr_tcpfm; /* tcp flags mask */
79 u_char fr_tcpf; /* tcp flags */
81 u_short fr_icmpm; /* data for ICMP packets (mask) */
84 u_char fr_scmp; /* data for port comparisons */
88 u_short fr_stop; /* top port for <> and >< */
89 u_short fr_dtop; /* top port for <> and >< */
90 u_32_t fr_flags; /* per-rule flags && options (see below) */
91 u_short fr_skip; /* # of rules to skip */
92 u_short fr_loglevel; /* syslog log facility + priority */
93 int (*fr_func) __P((int, ip_t *, fr_info_t *));
94 char fr_icode; /* return ICMP code */
95 char fr_ifname[IFNAMSIZ];
97 char fr_oifname[IFNAMSIZ];
99 struct frdest fr_tif; /* "to" interface */
100 struct frdest fr_dif; /* duplicate packet interfaces */
104 When adding a new rule, all unused fields (in the filter rule) should be
105 initialised to be zero. To insert a rule, at a particular position in the
106 filter list, the number of the rule which it is to be inserted before must
107 be put in the "fr_hits" field (the first rule is number 0).
109 Flags which are recognised in fr_flags:
112 FR_BLOCK 0x000001 /* do not allow packet to pass */
113 FR_PASS 0x000002 /* allow packet to pass */
114 FR_OUTQUE 0x000004 /* outgoing packets */
115 FR_INQUE 0x000008 /* ingoing packets */
116 FR_LOG 0x000010 /* Log */
117 FR_LOGB 0x000011 /* Log-fail */
118 FR_LOGP 0x000012 /* Log-pass */
119 FR_LOGBODY 0x000020 /* log the body of packets too */
120 FR_LOGFIRST 0x000040 /* log only the first packet to match */
121 FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
122 FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
123 FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
124 FR_NOMATCH 0x000200 /* no match occured */
125 FR_ACCOUNT 0x000400 /* count packet bytes */
126 FR_KEEPFRAG 0x000800 /* keep fragment information */
127 FR_KEEPSTATE 0x001000 /* keep `connection' state information */
129 FR_QUICK 0x004000 /* match & stop processing list */
130 FR_FASTROUTE 0x008000 /* bypass normal routing */
131 FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
132 FR_DUP 0x020000 /* duplicate the packet */
133 FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
134 FR_NOTSRCIP 0x080000 /* not the src IP# */
135 FR_NOTDSTIP 0x100000 /* not the dst IP# */
136 FR_AUTH 0x200000 /* use authentication */
137 FR_PREAUTH 0x400000 /* require preauthentication */
141 Values for fr_scomp and fr_dcomp (source and destination port value
156 The third ioctl, SIOCIPFFL, flushes either the input filter list, the
157 output filter list or both and it returns the number of filters removed
158 from the list(s). The values which it will take and recognise are FR_INQUE
159 and FR_OUTQUE (see above). This ioctl is also implemented for
160 \fB/dev/ipstate\fP and will flush all state tables entries if passed 0
161 or just all those which are not established if passed 1.
163 .IP "\fBGeneral Logging Flags\fP" 0
164 There are two flags which can be set to log packets independently of the
165 rules used. These allow for packets which are either passed or blocked
166 to be logged. To set (and clear)/get these flags, two ioctls are
169 Takes an unsigned integer as the parameter. The flags are then set to
170 those provided (clearing/setting all in one).
173 FF_LOGPASS 0x10000000
174 FF_LOGBLOCK 0x20000000
175 FF_LOGNOMATCH 0x40000000
176 FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
179 Takes a pointer to an unsigned integer as the parameter. A copy of the
180 flags currently in used is copied to user space.
181 .IP "\fBFilter statistics\fP" 0
182 Statistics on the various operations performed by this package on packets
183 is kept inside the kernel. These statistics apply to packets traversing
184 through the kernel. To retrieve this structure, use this ioctl:
187 ioctl(fd, SIOCGETFS, struct friostat *)
190 struct filterstats f_st[2];
191 struct frentry *f_fin[2];
192 struct frentry *f_fout[2];
193 struct frentry *f_acctin[2];
194 struct frentry *f_acctout[2];
195 struct frentry *f_auth;
197 int f_active; /* 1 or 0 - active rule set */
198 int f_defpass; /* default pass - from fr_pass */
199 int f_running; /* 1 if running, else 0 */
200 int f_logging; /* 1 if enabled, else 0 */
201 char f_version[32]; /* version string */
205 u_long fr_pass; /* packets allowed */
206 u_long fr_block; /* packets denied */
207 u_long fr_nom; /* packets which don't match any rule */
208 u_long fr_ppkl; /* packets allowed and logged */
209 u_long fr_bpkl; /* packets denied and logged */
210 u_long fr_npkl; /* packets unmatched and logged */
211 u_long fr_pkl; /* packets logged */
212 u_long fr_skip; /* packets to be logged but buffer full */
213 u_long fr_ret; /* packets for which a return is sent */
214 u_long fr_acct; /* packets for which counting was performed */
215 u_long fr_bnfr; /* bad attempts to allocate fragment state */
216 u_long fr_nfr; /* new fragment state kept */
217 u_long fr_cfr; /* add new fragment state but complete pkt */
218 u_long fr_bads; /* bad attempts to allocate packet state */
219 u_long fr_ads; /* new packet state kept */
220 u_long fr_chit; /* cached hit */
221 u_long fr_pull[2]; /* good and bad pullup attempts */
223 u_long fr_notdata; /* PROTO/PCPROTO that have no data */
224 u_long fr_nodata; /* mblks that have no data */
225 u_long fr_bad; /* bad IP packets to the filter */
226 u_long fr_notip; /* packets passed through no on ip queue */
227 u_long fr_drop; /* packets dropped - no info for them! */
231 If we wanted to retrieve all the statistics and reset the counters back to
232 0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
233 In addition to the statistics above, each rule keeps a hit count, counting
234 both number of packets and bytes. To reset these counters for a rule,
235 load the various rule information into a frentry structure and call
237 .IP "Swapping Active lists" 0
238 IP Filter supports two lists of rules for filtering and accounting: an
239 active list and an inactive list. This allows for large scale rule base
240 changes to be put in place atomically with otherwise minimal interruption.
241 Which of the two is active can be changed using the SIOCSWAPA ioctl. It
242 is important to note that no passed argument is recognised and that the
243 value returned is that of the list which is now inactive.
254 ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)