2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)ip_fil.h 1.35 6/5/96
8 * Id: ip_fil.h,v 2.170.2.29 2006/03/29 11:19:55 darrenr Exp $
14 #include "netinet/ip_compat.h"
17 # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
28 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
29 # define SIOCADAFR _IOW('r', 60, struct ipfobj)
30 # define SIOCRMAFR _IOW('r', 61, struct ipfobj)
31 # define SIOCSETFF _IOW('r', 62, u_int)
32 # define SIOCGETFF _IOR('r', 63, u_int)
33 # define SIOCGETFS _IOWR('r', 64, struct ipfobj)
34 # define SIOCIPFFL _IOWR('r', 65, int)
35 # define SIOCIPFFB _IOR('r', 66, int)
36 # define SIOCADIFR _IOW('r', 67, struct ipfobj)
37 # define SIOCRMIFR _IOW('r', 68, struct ipfobj)
38 # define SIOCSWAPA _IOR('r', 69, u_int)
39 # define SIOCINAFR _IOW('r', 70, struct ipfobj)
40 # define SIOCINIFR _IOW('r', 71, struct ipfobj)
41 # define SIOCFRENB _IOW('r', 72, u_int)
42 # define SIOCFRSYN _IOW('r', 73, u_int)
43 # define SIOCFRZST _IOWR('r', 74, struct ipfobj)
44 # define SIOCZRLST _IOWR('r', 75, struct ipfobj)
45 # define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
46 # define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
47 # define SIOCSTAT1 _IOWR('r', 78, struct ipfobj)
48 # define SIOCSTLCK _IOWR('r', 79, u_int)
49 # define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
50 # define SIOCSTGET _IOWR('r', 81, struct ipfobj)
51 # define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
52 # define SIOCSTAT2 _IOWR('r', 83, struct ipfobj)
53 # define SIOCSETLG _IOWR('r', 84, int)
54 # define SIOCGETLG _IOWR('r', 85, int)
55 # define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
56 # define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
57 # define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
58 # define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
59 # define SIOCIPFL6 _IOWR('r', 90, int)
60 # define SIOCIPFITER _IOWR('r', 91, struct ipfobj)
61 # define SIOCGENITER _IOWR('r', 92, struct ipfobj)
62 # define SIOCGTABL _IOWR('r', 93, struct ipfobj)
63 # define SIOCIPFDELTOK _IOWR('r', 94, int)
64 # define SIOCLOOKUPITER _IOWR('r', 95, struct ipfobj)
65 # define SIOCGTQTAB _IOWR('r', 96, struct ipfobj)
67 # define SIOCADAFR _IOW(r, 60, struct ipfobj)
68 # define SIOCRMAFR _IOW(r, 61, struct ipfobj)
69 # define SIOCSETFF _IOW(r, 62, u_int)
70 # define SIOCGETFF _IOR(r, 63, u_int)
71 # define SIOCGETFS _IOWR(r, 64, struct ipfobj)
72 # define SIOCIPFFL _IOWR(r, 65, int)
73 # define SIOCIPFFB _IOR(r, 66, int)
74 # define SIOCADIFR _IOW(r, 67, struct ipfobj)
75 # define SIOCRMIFR _IOW(r, 68, struct ipfobj)
76 # define SIOCSWAPA _IOR(r, 69, u_int)
77 # define SIOCINAFR _IOW(r, 70, struct ipfobj)
78 # define SIOCINIFR _IOW(r, 71, struct ipfobj)
79 # define SIOCFRENB _IOW(r, 72, u_int)
80 # define SIOCFRSYN _IOW(r, 73, u_int)
81 # define SIOCFRZST _IOWR(r, 74, struct ipfobj)
82 # define SIOCZRLST _IOWR(r, 75, struct ipfobj)
83 # define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
84 # define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
85 # define SIOCSTAT1 _IOWR(r, 78, struct ipfobj)
86 # define SIOCSTLCK _IOWR(r, 79, u_int)
87 # define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
88 # define SIOCSTGET _IOWR(r, 81, struct ipfobj)
89 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
90 # define SIOCSTAT2 _IOWR(r, 83, struct ipfobj)
91 # define SIOCSETLG _IOWR(r, 84, int)
92 # define SIOCGETLG _IOWR(r, 85, int)
93 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
94 # define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
95 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
96 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
97 # define SIOCIPFL6 _IOWR(r, 90, int)
98 # define SIOCIPFITER _IOWR(r, 91, struct ipfobj)
99 # define SIOCGENITER _IOWR(r, 92, struct ipfobj)
100 # define SIOCGTABL _IOWR(r, 93, struct ipfobj)
101 # define SIOCIPFDELTOK _IOWR(r, 94, int)
102 # define SIOCLOOKUPITER _IOWR(r, 95, struct ipfobj)
103 # define SIOCGTQTAB _IOWR(r, 96, struct ipfobj)
105 #define SIOCADDFR SIOCADAFR
106 #define SIOCDELFR SIOCRMAFR
107 #define SIOCINSFR SIOCINAFR
108 #define SIOCATHST SIOCSTAT1
109 #define SIOCGFRST SIOCSTAT2
116 typedef int (* lookupfunc_t) __P((void *, int, void *));
119 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
120 * as other types of objects, depending on its qualifier.
123 typedef union i6addr {
128 lookupfunc_t lptr[2];
136 typedef union i6addr {
140 lookupfunc_t lptr[2];
149 #define in4_addr in4.s_addr
150 #define iplookupnum i6[1]
151 #define iplookupname i6un.label
152 #define iplookuptype i6un.type
153 #define iplookupsubtype i6un.subtype
155 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
157 #define iplookupptr vptr[0]
158 #define iplookupfunc lptr[1]
160 #define I60(x) (((i6addr_t *)(x))->i6[0])
161 #define I61(x) (((i6addr_t *)(x))->i6[1])
162 #define I62(x) (((i6addr_t *)(x))->i6[2])
163 #define I63(x) (((i6addr_t *)(x))->i6[3])
164 #define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
165 #define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
166 #define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
167 #define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
169 #define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
170 (I61(a) == I61(b)) && (I60(a) == I60(b)))
171 #define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
172 (I61(a) != I61(b)) || (I60(a) != I60(b)))
173 #define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
174 #define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
175 #define IP6_GT(a,b) (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
176 (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
177 (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
178 HI63(a) > HI63(b)))))))
179 #define IP6_LT(a,b) (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
180 (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
181 (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
182 HI63(a) < HI63(b)))))))
183 #define NLADD(n,x) htonl(ntohl(n) + (x))
185 { i6addr_t *_i6 = (i6addr_t *)(a); \
186 _i6->i6[0] = NLADD(_i6->i6[0], 1); \
187 if (_i6->i6[0] == 0) { \
188 _i6->i6[0] = NLADD(_i6->i6[1], 1); \
189 if (_i6->i6[1] == 0) { \
190 _i6->i6[0] = NLADD(_i6->i6[2], 1); \
191 if (_i6->i6[2] == 0) { \
192 _i6->i6[0] = NLADD(_i6->i6[3], 1); \
197 #define IP6_ADD(a,x,d) \
198 { i6addr_t *_s = (i6addr_t *)(a); \
199 i6addr_t *_d = (i6addr_t *)(d); \
200 _d->i6[0] = NLADD(_s->i6[0], x); \
201 if (ntohl(_d->i6[0]) < ntohl(_s->i6[0])) { \
202 _d->i6[1] = NLADD(_d->i6[1], 1); \
203 if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
204 _d->i6[2] = NLADD(_d->i6[2], 1); \
205 if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
206 _d->i6[3] = NLADD(_d->i6[3], 1); \
211 #define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
212 i6addr_t *_s2 = (i6addr_t *)(d); \
213 i6addr_t *_d = (i6addr_t *)(d); \
214 _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
215 _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
216 _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
217 _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
219 #define IP6_MERGE(a,b,c) \
220 { i6addr_t *_d, *_s1, *_s2; \
221 _d = (i6addr_t *)(a); \
222 _s1 = (i6addr_t *)(b); \
223 _s2 = (i6addr_t *)(c); \
224 _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
225 _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
226 _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
227 _d->i6[2] |= _s1->i6[3] & ~_s2->i6[3]; \
231 typedef struct fr_ip {
232 u_32_t fi_v:4; /* IP version */
233 u_32_t fi_xx:4; /* spare */
234 u_32_t fi_tos:8; /* IP packet TOS */
235 u_32_t fi_ttl:8; /* IP packet TTL */
236 u_32_t fi_p:8; /* IP packet protocol */
237 u_32_t fi_optmsk; /* bitmask composed from IP options */
238 i6addr_t fi_src; /* source address from packet */
239 i6addr_t fi_dst; /* destination address from packet */
240 u_short fi_secmsk; /* bitmask composed from IP security options */
241 u_short fi_auth; /* authentication code from IP sec. options */
242 u_32_t fi_flx; /* packet flags */
243 u_32_t fi_tcpmsk; /* TCP options set/reset */
244 u_32_t fi_res1; /* RESERVED */
250 #define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
251 #define FI_OPTIONS 0x0002
252 #define FI_FRAG 0x0004
253 #define FI_SHORT 0x0008
254 #define FI_NATED 0x0010
255 #define FI_MULTICAST 0x0020
256 #define FI_BROADCAST 0x0040
257 #define FI_MBCAST 0x0080
258 #define FI_STATE 0x0100
259 #define FI_BADNAT 0x0200
260 #define FI_BAD 0x0400
261 #define FI_OOW 0x0800 /* Out of state window, else match */
262 #define FI_ICMPERR 0x1000
263 #define FI_FRAGBODY 0x2000
264 #define FI_BADSRC 0x4000
265 #define FI_LOWTTL 0x8000
266 #define FI_CMP 0xcfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
267 #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
268 #define FI_WITH 0xeffe /* Not FI_TCPUDP */
269 #define FI_V6EXTHDR 0x10000
270 #define FI_COALESCE 0x20000
271 #define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
272 #define FI_DONTCACHE 0x40000000 /* don't cache the result */
273 #define FI_IGNORE 0x80000000
275 #define fi_saddr fi_src.in4.s_addr
276 #define fi_daddr fi_dst.in4.s_addr
277 #define fi_srcnum fi_src.iplookupnum
278 #define fi_dstnum fi_dst.iplookupnum
279 #define fi_srcname fi_src.iplookupname
280 #define fi_dstname fi_dst.iplookupname
281 #define fi_srctype fi_src.iplookuptype
282 #define fi_dsttype fi_dst.iplookuptype
283 #define fi_srcsubtype fi_src.iplookupsubtype
284 #define fi_dstsubtype fi_dst.iplookupsubtype
285 #define fi_srcptr fi_src.iplookupptr
286 #define fi_dstptr fi_dst.iplookupptr
287 #define fi_srcfunc fi_src.iplookupfunc
288 #define fi_dstfunc fi_dst.iplookupfunc
292 * These are both used by the state and NAT code to indicate that one port or
293 * the other should be treated as a wildcard.
294 * NOTE: When updating, check bit masks in ip_state.h and update there too.
296 #define SI_W_SPORT 0x00000100
297 #define SI_W_DPORT 0x00000200
298 #define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
299 #define SI_W_SADDR 0x00000400
300 #define SI_W_DADDR 0x00000800
301 #define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
302 #define SI_NEWFR 0x00001000
303 #define SI_CLONE 0x00002000
304 #define SI_CLONED 0x00004000
307 typedef struct fr_info {
308 void *fin_ifp; /* interface packet is `on' */
309 fr_ip_t fin_fi; /* IP Packet summary */
311 u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
314 int fin_out; /* in or out ? 1 == out, 0 == in */
315 int fin_rev; /* state only: 1 = reverse */
316 u_short fin_hlen; /* length of IP header in bytes */
317 u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
318 u_char fin_icode; /* ICMP error to return */
319 u_32_t fin_rule; /* rule # last matched */
320 char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
321 struct frentry *fin_fr; /* last matching rule */
322 void *fin_dp; /* start of data past IP header */
323 int fin_dlen; /* length of data portion of packet */
325 int fin_ipoff; /* # bytes from buffer start to hdr */
326 u_short fin_id; /* IP packet id field */
328 int fin_depth; /* Group nesting depth */
329 int fin_error; /* Error code to return */
335 mb_t **fin_mp; /* pointer to pointer to mbuf */
336 mb_t *fin_m; /* pointer to mbuf */
338 mb_t *fin_qfm; /* pointer to mblk where pkt starts */
340 char fin_ifname[LIFNAMSIZ];
347 #define fin_v fin_fi.fi_v
348 #define fin_p fin_fi.fi_p
349 #define fin_flx fin_fi.fi_flx
350 #define fin_optmsk fin_fi.fi_optmsk
351 #define fin_secmsk fin_fi.fi_secmsk
352 #define fin_auth fin_fi.fi_auth
353 #define fin_src fin_fi.fi_src.in4
354 #define fin_src6 fin_fi.fi_src.in6
355 #define fin_saddr fin_fi.fi_saddr
356 #define fin_dst fin_fi.fi_dst.in4
357 #define fin_dst6 fin_fi.fi_dst.in6
358 #define fin_daddr fin_fi.fi_daddr
359 #define fin_data fin_dat.fid_16
360 #define fin_sport fin_dat.fid_16[0]
361 #define fin_dport fin_dat.fid_16[1]
362 #define fin_ports fin_dat.fid_32
367 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
368 typedef int (*ipfuncinit_t) __P((struct frentry *));
370 typedef struct ipfunc_resolve {
373 ipfuncinit_t ipfu_init;
377 * Size for compares on fr_info structures
379 #define FI_CSIZE offsetof(fr_info_t, fin_icode)
380 #define FI_LCSIZE offsetof(fr_info_t, fin_dp)
383 * Size for copying cache fr_info structure
385 #define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
388 * Structure for holding IPFilter's tag information
390 #define IPFTAG_LEN 16
394 char iptu_tag[IPFTAG_LEN];
399 #define ipt_tag ipt_un.iptu_tag
400 #define ipt_num ipt_un.iptu_num
404 * This structure is used to hold information about the next hop for where
405 * to forward a packet.
407 typedef struct frdest {
410 char fd_ifname[LIFNAMSIZ];
413 #define fd_ip fd_ip6.in4
417 * This structure holds information about a port comparison.
419 typedef struct frpcmp {
420 int frp_cmp; /* data for port comparisons */
421 u_short frp_port; /* top port for <> and >< */
422 u_short frp_top; /* top port for <> and >< */
429 #define FR_GREATERT 4
431 #define FR_GREATERTE 6
432 #define FR_OUTRANGE 7
434 #define FR_INCRANGE 9
437 * Structure containing all the relevant TCP things that can be checked in
440 typedef struct frtuc {
441 u_char ftu_tcpfm; /* tcp flags mask */
442 u_char ftu_tcpf; /* tcp flags */
447 #define ftu_scmp ftu_src.frp_cmp
448 #define ftu_dcmp ftu_dst.frp_cmp
449 #define ftu_sport ftu_src.frp_port
450 #define ftu_dport ftu_dst.frp_port
451 #define ftu_stop ftu_src.frp_top
452 #define ftu_dtop ftu_dst.frp_top
454 #define FR_TCPFMAX 0x3f
457 * This structure makes up what is considered to be the IPFilter specific
458 * matching components of a filter rule, as opposed to the data structures
459 * used to define the result which are in frentry_t and not here.
461 typedef struct fripf {
463 fr_ip_t fri_mip; /* mask structure */
465 u_short fri_icmpm; /* data for ICMP packets (mask) */
469 int fri_satype; /* addres type */
470 int fri_datype; /* addres type */
471 int fri_sifpidx; /* doing dynamic addressing */
472 int fri_difpidx; /* index into fr_ifps[] to use when */
475 #define fri_dlookup fri_mip.fi_dst
476 #define fri_slookup fri_mip.fi_src
477 #define fri_dstnum fri_mip.fi_dstnum
478 #define fri_srcnum fri_mip.fi_srcnum
479 #define fri_dstname fri_mip.fi_dstname
480 #define fri_srcname fri_mip.fi_srcname
481 #define fri_dstptr fri_mip.fi_dstptr
482 #define fri_srcptr fri_mip.fi_srcptr
484 #define FRI_NORMAL 0 /* Normal address */
485 #define FRI_DYNAMIC 1 /* dynamic address */
486 #define FRI_LOOKUP 2 /* address is a pool # */
487 #define FRI_RANGE 3 /* address/mask is a range */
488 #define FRI_NETWORK 4 /* network address from if */
489 #define FRI_BROADCAST 5 /* broadcast address from if */
490 #define FRI_PEERADDR 6 /* Peer address for P-to-P */
491 #define FRI_NETMASKED 7 /* network address with netmask from if */
494 typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
496 typedef struct frentry {
498 struct frentry *fr_next;
499 struct frentry **fr_grp;
500 struct ipscan *fr_isc;
502 void *fr_ptr; /* for use with fr_arg */
503 char *fr_comment; /* text comment for rule */
504 int fr_ref; /* reference count - for grouping */
505 int fr_statecnt; /* state count - for limit rules */
507 * The line number from a file is here because we need to be able to
508 * match the rule generated with ``grep rule ipf.conf | ipf -rf -''
509 * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be
510 * on the other side of fr_func.
512 int fr_flineno; /* line number from conf file */
514 * These are only incremented when a packet matches this rule and
515 * it is the last match
521 * For PPS rate limiting
523 struct timeval fr_lastpkt;
530 frentfunc_t fru_func;
534 * Fields after this may not change whilst in the kernel.
536 ipfunc_t fr_func; /* call this function */
539 int fr_statemax; /* max reference count */
541 u_32_t fr_flags; /* per-rule flags && options (see below) */
542 u_32_t fr_logtag; /* user defined log tag # */
543 u_32_t fr_collect; /* collection number */
544 u_int fr_arg; /* misc. numeric arg for rule */
545 u_int fr_loglevel; /* syslog log facility + priority */
546 u_int fr_age[2]; /* non-TCP timeouts */
548 u_char fr_icode; /* return ICMP code */
549 char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
550 char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
552 char fr_ifnames[4][LIFNAMSIZ];
554 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
555 frdest_t fr_dif; /* duplicate packet interface */
557 * This must be last and will change after loaded into the kernel.
559 u_int fr_cksum; /* checksum on filter rules for performance */
562 #define fr_caddr fr_dun.fru_caddr
563 #define fr_data fr_dun.fru_data
564 #define fr_dfunc fr_dun.fru_func
565 #define fr_ipf fr_dun.fru_ipf
566 #define fr_ip fr_ipf->fri_ip
567 #define fr_mip fr_ipf->fri_mip
568 #define fr_icmpm fr_ipf->fri_icmpm
569 #define fr_icmp fr_ipf->fri_icmp
570 #define fr_tuc fr_ipf->fri_tuc
571 #define fr_satype fr_ipf->fri_satype
572 #define fr_datype fr_ipf->fri_datype
573 #define fr_sifpidx fr_ipf->fri_sifpidx
574 #define fr_difpidx fr_ipf->fri_difpidx
575 #define fr_proto fr_ip.fi_p
576 #define fr_mproto fr_mip.fi_p
577 #define fr_ttl fr_ip.fi_ttl
578 #define fr_mttl fr_mip.fi_ttl
579 #define fr_tos fr_ip.fi_tos
580 #define fr_mtos fr_mip.fi_tos
581 #define fr_tcpfm fr_tuc.ftu_tcpfm
582 #define fr_tcpf fr_tuc.ftu_tcpf
583 #define fr_scmp fr_tuc.ftu_scmp
584 #define fr_dcmp fr_tuc.ftu_dcmp
585 #define fr_dport fr_tuc.ftu_dport
586 #define fr_sport fr_tuc.ftu_sport
587 #define fr_stop fr_tuc.ftu_stop
588 #define fr_dtop fr_tuc.ftu_dtop
589 #define fr_dst fr_ip.fi_dst.in4
590 #define fr_daddr fr_ip.fi_dst.in4.s_addr
591 #define fr_src fr_ip.fi_src.in4
592 #define fr_saddr fr_ip.fi_src.in4.s_addr
593 #define fr_dmsk fr_mip.fi_dst.in4
594 #define fr_dmask fr_mip.fi_dst.in4.s_addr
595 #define fr_smsk fr_mip.fi_src.in4
596 #define fr_smask fr_mip.fi_src.in4.s_addr
597 #define fr_dstnum fr_ip.fi_dstnum
598 #define fr_srcnum fr_ip.fi_srcnum
599 #define fr_dlookup fr_ip.fi_dst
600 #define fr_slookup fr_ip.fi_src
601 #define fr_dstname fr_ip.fi_dstname
602 #define fr_srcname fr_ip.fi_srcname
603 #define fr_dsttype fr_ip.fi_dsttype
604 #define fr_srctype fr_ip.fi_srctype
605 #define fr_dstsubtype fr_ip.fi_dstsubtype
606 #define fr_srcsubtype fr_ip.fi_srcsubtype
607 #define fr_dstptr fr_mip.fi_dstptr
608 #define fr_srcptr fr_mip.fi_srcptr
609 #define fr_dstfunc fr_mip.fi_dstfunc
610 #define fr_srcfunc fr_mip.fi_srcfunc
611 #define fr_optbits fr_ip.fi_optmsk
612 #define fr_optmask fr_mip.fi_optmsk
613 #define fr_secbits fr_ip.fi_secmsk
614 #define fr_secmask fr_mip.fi_secmsk
615 #define fr_authbits fr_ip.fi_auth
616 #define fr_authmask fr_mip.fi_auth
617 #define fr_flx fr_ip.fi_flx
618 #define fr_mflx fr_mip.fi_flx
619 #define fr_ifname fr_ifnames[0]
620 #define fr_oifname fr_ifnames[2]
621 #define fr_ifa fr_ifas[0]
622 #define fr_oifa fr_ifas[2]
623 #define fr_tif fr_tifs[0]
624 #define fr_rif fr_tifs[1]
626 #define FR_NOLOGTAG 0
629 #define offsetof(t,m) (int)((&((t *)0L)->m))
631 #define FR_CMPSIZ (sizeof(struct frentry) - \
632 offsetof(struct frentry, fr_func))
638 #define FR_T_IPF 1 /* IPF structures */
639 #define FR_T_BPFOPC 2 /* BPF opcode */
640 #define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
641 #define FR_T_COMPIPF 4 /* compiled C code */
642 #define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
647 #define FR_CALL 0x00000 /* call rule */
648 #define FR_BLOCK 0x00001 /* do not allow packet to pass */
649 #define FR_PASS 0x00002 /* allow packet to pass */
650 #define FR_AUTH 0x00003 /* use authentication */
651 #define FR_PREAUTH 0x00004 /* require preauthentication */
652 #define FR_ACCOUNT 0x00005 /* Accounting rule */
653 #define FR_SKIP 0x00006 /* skip rule */
654 #define FR_DIVERT 0x00007 /* divert rule */
655 #define FR_CMDMASK 0x0000f
656 #define FR_LOG 0x00010 /* Log */
657 #define FR_LOGB 0x00011 /* Log-fail */
658 #define FR_LOGP 0x00012 /* Log-pass */
659 #define FR_LOGMASK (FR_LOG|FR_CMDMASK)
660 #define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
661 #define FR_NOTSRCIP 0x00040
662 #define FR_NOTDSTIP 0x00080
663 #define FR_QUICK 0x00100 /* match & stop processing list */
664 #define FR_KEEPFRAG 0x00200 /* keep fragment information */
665 #define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
666 #define FR_FASTROUTE 0x00800 /* bypass normal routing */
667 #define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
668 #define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
669 #define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
670 #define FR_OUTQUE 0x04000 /* outgoing packets */
671 #define FR_INQUE 0x08000 /* ingoing packets */
672 #define FR_LOGBODY 0x10000 /* Log the body */
673 #define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
674 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
675 #define FR_DUP 0x80000 /* duplicate packet */
676 #define FR_FRSTRICT 0x100000 /* strict frag. cache */
677 #define FR_STSTRICT 0x200000 /* strict keep state */
678 #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
679 #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
680 #define FR_STATESYNC 0x1000000 /* synchronize state to slave */
681 #define FR_NOMATCH 0x8000000 /* no match occured */
682 /* 0x10000000 FF_LOGPASS */
683 /* 0x20000000 FF_LOGBLOCK */
684 /* 0x40000000 FF_LOGNOMATCH */
685 /* 0x80000000 FF_BLOCKNONIP */
686 #define FR_COPIED 0x40000000 /* copied from user space */
687 #define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
689 #define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
690 #define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
691 #define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
692 #define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
693 #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
694 #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
695 #define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
696 #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
697 #define FR_INOUT (FR_INQUE|FR_OUTQUE)
700 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
702 #define FF_LOGPASS 0x10000000
703 #define FF_LOGBLOCK 0x20000000
704 #define FF_LOGNOMATCH 0x40000000
705 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
706 #define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
710 * Structure that passes information on what/how to flush to the kernel.
712 typedef struct ipfflush {
721 typedef struct ipfgetctl {
722 u_int ipfg_min; /* min value */
723 u_int ipfg_current; /* current value */
724 u_int ipfg_max; /* max value */
725 u_int ipfg_default; /* default value */
726 u_int ipfg_steps; /* value increments */
727 char ipfg_name[40]; /* tag name for this control */
730 typedef struct ipfsetctl {
731 int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
732 u_int ipfs_value; /* min value */
733 char ipfs_name[40]; /* tag name for this control */
738 * Some of the statistics below are in their own counters, but most are kept
739 * in this single structure so that they can all easily be collected and
740 * copied back as required.
742 typedef struct filterstats {
743 u_long fr_pass; /* packets allowed */
744 u_long fr_block; /* packets denied */
745 u_long fr_nom; /* packets which don't match any rule */
746 u_long fr_short; /* packets which are short */
747 u_long fr_ppkl; /* packets allowed and logged */
748 u_long fr_bpkl; /* packets denied and logged */
749 u_long fr_npkl; /* packets unmatched and logged */
750 u_long fr_pkl; /* packets logged */
751 u_long fr_skip; /* packets to be logged but buffer full */
752 u_long fr_ret; /* packets for which a return is sent */
753 u_long fr_acct; /* packets for which counting was performed */
754 u_long fr_bnfr; /* bad attempts to allocate fragment state */
755 u_long fr_nfr; /* new fragment state kept */
756 u_long fr_cfr; /* add new fragment state but complete pkt */
757 u_long fr_bads; /* bad attempts to allocate packet state */
758 u_long fr_ads; /* new packet state kept */
759 u_long fr_chit; /* cached hit */
760 u_long fr_tcpbad; /* TCP checksum check failures */
761 u_long fr_pull[2]; /* good and bad pullup attempts */
762 u_long fr_badsrc; /* source received doesn't match route */
763 u_long fr_badttl; /* TTL in packet doesn't reach minimum */
764 u_long fr_bad; /* bad IP packets to the filter */
765 u_long fr_ipv6; /* IPv6 packets in/out */
766 u_long fr_ppshit; /* dropped because of pps ceiling */
767 u_long fr_ipud; /* IP id update failures */
771 * Log structure. Each packet header logged is prepended by one of these.
772 * Following this in the log records read from the device will be an ipflog
773 * structure which is then followed by any packet data.
775 typedef struct iplog {
778 struct timeval ipl_time;
780 struct iplog *ipl_next;
783 #define ipl_sec ipl_time.tv_sec
784 #define ipl_usec ipl_time.tv_usec
786 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
787 #define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
788 #define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
789 #define IPLOG_SIZE sizeof(iplog_t)
791 typedef struct ipflog {
792 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
793 (defined(OpenBSD) && (OpenBSD >= 199603))
802 u_short fl_plen; /* extra data after hlen */
803 u_short fl_loglevel; /* syslog log level */
804 char fl_group[FR_GROUPLEN];
805 u_char fl_hlen; /* length of IP headers saved */
807 u_char fl_xxx[2]; /* pad */
808 char fl_ifname[LIFNAMSIZ];
812 # define IPF_LOGGING 0
814 #ifndef IPF_DEFAULT_PASS
815 # define IPF_DEFAULT_PASS FR_PASS
818 #define DEFAULT_IPFLOGSIZE 8192
819 #ifndef IPFILTER_LOGSIZE
820 # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
822 # if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
823 # error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
827 #define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
830 * Device filenames for reading log information. Use ipf on Solaris2 because
831 * ipl is already a name used by something else.
835 # define IPL_NAME "/dev/ipf"
837 # define IPL_NAME "/dev/ipl"
841 * Pathnames for various IP Filter control devices. Used by LKM
842 * and userland, so defined here.
844 #define IPNAT_NAME "/dev/ipnat"
845 #define IPSTATE_NAME "/dev/ipstate"
846 #define IPAUTH_NAME "/dev/ipauth"
847 #define IPSYNC_NAME "/dev/ipsync"
848 #define IPSCAN_NAME "/dev/ipscan"
849 #define IPLOOKUP_NAME "/dev/iplookup"
851 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
853 #define IPL_LOGSTATE 2
854 #define IPL_LOGAUTH 3
855 #define IPL_LOGSYNC 4
856 #define IPL_LOGSCAN 5
857 #define IPL_LOGLOOKUP 6
858 #define IPL_LOGCOUNT 7
860 #define IPL_LOGSIZE IPL_LOGMAX + 1
861 #define IPL_LOGALL -1
862 #define IPL_LOGNONE -2
867 typedef struct friostat {
868 struct filterstats f_st[2];
869 struct frentry *f_ipf[2][2];
870 struct frentry *f_acct[2][2];
871 struct frentry *f_ipf6[2][2];
872 struct frentry *f_acct6[2][2];
873 struct frentry *f_auth;
874 struct frgroup *f_groups[IPL_LOGSIZE][2];
877 int f_locks[IPL_LOGMAX];
880 int f_defpass; /* default pass - from fr_pass */
881 int f_active; /* 1 or 0 - active rule set */
882 int f_running; /* 1 if running, else 0 */
883 int f_logging; /* 1 if enabled, else 0 */
885 char f_version[32]; /* version string */
888 #define f_fin f_ipf[0]
889 #define f_fin6 f_ipf6[0]
890 #define f_fout f_ipf[1]
891 #define f_fout6 f_ipf6[1]
892 #define f_acctin f_acct[0]
893 #define f_acctin6 f_acct6[0]
894 #define f_acctout f_acct[1]
895 #define f_acctout6 f_acct6[1]
897 #define IPF_FEAT_LKM 0x001
898 #define IPF_FEAT_LOG 0x002
899 #define IPF_FEAT_LOOKUP 0x004
900 #define IPF_FEAT_BPF 0x008
901 #define IPF_FEAT_COMPILED 0x010
902 #define IPF_FEAT_CKSUM 0x020
903 #define IPF_FEAT_SYNC 0x040
904 #define IPF_FEAT_SCAN 0x080
905 #define IPF_FEAT_IPV6 0x100
907 typedef struct optlist {
914 * Group list structure.
916 typedef struct frgroup {
917 struct frgroup *fg_next;
918 struct frentry *fg_head;
919 struct frentry *fg_start;
922 char fg_name[FR_GROUPLEN];
925 #define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
929 * Used by state and NAT tables
931 typedef struct icmpinfo {
937 typedef struct udpinfo {
943 typedef struct tcpdata {
952 #define TCP_WSCALE_MAX 14
954 #define TCP_WSCALE_SEEN 0x00000001
955 #define TCP_WSCALE_FIRST 0x00000002
956 #define TCP_SACK_PERMIT 0x00000004
959 typedef struct tcpinfo {
962 tcpdata_t ts_data[2];
967 * Structures to define a GRE header as seen in a packet.
982 typedef struct grehdr {
984 struct grebits gru_bits;
991 #define gr_flags gr_un.gru_flags
992 #define gr_bits gr_un.gru_bits
993 #define gr_ptype gr_bits.grb_ptype
994 #define gr_C gr_bits.grb_C
995 #define gr_R gr_bits.grb_R
996 #define gr_K gr_bits.grb_K
997 #define gr_S gr_bits.grb_S
998 #define gr_s gr_bits.grb_s
999 #define gr_recur gr_bits.grb_recur
1000 #define gr_A gr_bits.grb_A
1001 #define gr_ver gr_bits.grb_ver
1004 * GRE information tracked by "keep state"
1006 typedef struct greinfo {
1012 #define GRE_REV(x) ((ntohs(x) >> 13) & 7)
1016 * Format of an Authentication header
1018 typedef struct authhdr {
1021 u_short ah_reserved;
1024 /* Following the sequence number field is 0 or more bytes of */
1025 /* authentication data, as specified by ah_plen - RFC 2402. */
1030 * Timeout tail queue list member
1032 typedef struct ipftqent {
1033 struct ipftqent **tqe_pnext;
1034 struct ipftqent *tqe_next;
1035 struct ipftq *tqe_ifq;
1036 void *tqe_parent; /* pointer back to NAT/state struct */
1037 u_long tqe_die; /* when this entriy is to die */
1040 int tqe_state[2]; /* current state of this entry */
1043 #define TQE_RULEBASED 0x00000001
1047 * Timeout tail queue head for IPFilter
1049 typedef struct ipftq {
1050 ipfmutex_t ifq_lock;
1052 ipftqent_t *ifq_head;
1053 ipftqent_t **ifq_tail;
1054 struct ipftq *ifq_next;
1055 struct ipftq **ifq_pnext;
1060 #define IFQF_USER 0x01 /* User defined aging */
1061 #define IFQF_DELETE 0x02 /* Marked for deletion */
1062 #define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */
1064 #define IPF_HZ_MULT 1
1065 #define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
1066 /* checks its timeout queues. */
1067 #define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
1069 typedef int (*ipftq_delete_fn_t)(void *);
1072 * Structure to define address for pool lookups.
1081 * Object structure description. For passing through in ioctls.
1083 typedef struct ipfobj {
1084 u_32_t ipfo_rev; /* IPFilter version number */
1085 u_32_t ipfo_size; /* size of object at ipfo_ptr */
1086 void *ipfo_ptr; /* pointer to object */
1087 int ipfo_type; /* type of object being pointed to */
1088 int ipfo_offset; /* bytes from ipfo_ptr where to start */
1089 u_char ipfo_xxxpad[32]; /* reserved for future use */
1092 #define IPFOBJ_FRENTRY 0 /* struct frentry */
1093 #define IPFOBJ_IPFSTAT 1 /* struct friostat */
1094 #define IPFOBJ_IPFINFO 2 /* struct fr_info */
1095 #define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
1096 #define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
1097 #define IPFOBJ_IPNAT 5 /* struct ipnat */
1098 #define IPFOBJ_NATSTAT 6 /* struct natstat */
1099 #define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
1100 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
1101 #define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
1102 #define IPFOBJ_IPSTATE 10 /* struct ipstate */
1103 #define IPFOBJ_STATESTAT 11 /* struct ips_stat */
1104 #define IPFOBJ_FRAUTH 12 /* struct frauth */
1105 #define IPFOBJ_TUNEABLE 13 /* struct ipftune */
1106 #define IPFOBJ_NAT 14 /* struct nat */
1107 #define IPFOBJ_IPFITER 15 /* struct ipfruleiter */
1108 #define IPFOBJ_GENITER 16 /* struct ipfgeniter */
1109 #define IPFOBJ_GTABLE 17 /* struct ipftable */
1110 #define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */
1111 #define IPFOBJ_STATETQTAB 19 /* struct ipftq [NSTATES] */
1112 #define IPFOBJ_COUNT 20 /* How many #defines are above this? */
1115 typedef union ipftunevalptr {
1119 u_short *ipftp_short;
1123 typedef struct ipftuneable {
1124 ipftunevalptr_t ipft_una;
1125 const char *ipft_name;
1130 struct ipftuneable *ipft_next;
1133 #define ipft_addr ipft_una.ipftp_void
1134 #define ipft_plong ipft_una.ipftp_long
1135 #define ipft_pint ipft_una.ipftp_int
1136 #define ipft_pshort ipft_una.ipftp_short
1137 #define ipft_pchar ipft_una.ipftp_char
1139 #define IPFT_RDONLY 1 /* read-only */
1140 #define IPFT_WRDISABLED 2 /* write when disabled only */
1142 typedef union ipftuneval {
1145 u_short ipftu_short;
1149 typedef struct ipftune {
1151 ipftuneval_t ipft_un;
1159 #define ipft_vlong ipft_un.ipftu_long
1160 #define ipft_vint ipft_un.ipftu_int
1161 #define ipft_vshort ipft_un.ipftu_short
1162 #define ipft_vchar ipft_un.ipftu_char
1167 typedef struct ipfruleiter {
1169 char iri_group[FR_GROUPLEN];
1173 frentry_t *iri_rule;
1177 * Values for iri_inout
1185 typedef struct ipfgeniter {
1191 #define IPFGENITER_IPF 0
1192 #define IPFGENITER_NAT 1
1193 #define IPFGENITER_IPNAT 2
1194 #define IPFGENITER_FRAG 3
1195 #define IPFGENITER_AUTH 4
1196 #define IPFGENITER_STATE 5
1197 #define IPFGENITER_NATFRAG 6
1198 #define IPFGENITER_HOSTMAP 7
1199 #define IPFGENITER_LOOKUP 8
1201 typedef struct ipftable {
1206 #define IPFTABLE_BUCKETS 1
1212 typedef struct ipftoken {
1213 struct ipftoken *ipt_next;
1214 struct ipftoken **ipt_pnext;
1229 /* HP-UX locking sequence deadlock detection module lock MAJOR ID */
1230 # define IPF_SMAJ 0 /* temp assignment XXX, not critical */
1233 #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
1234 (__FreeBSD_version >= 220000)
1235 # define CDEV_MAJOR 79
1239 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
1240 * on those hooks. We don't need any special mods in non-IP Filter code
1243 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
1244 (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
1245 (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
1246 # if defined(NetBSD) && (NetBSD >= 199905)
1255 # define FR_VERBOSE(verb_pr)
1256 # define FR_DEBUG(verb_pr)
1258 extern void debug __P((char *, ...));
1259 extern void verbose __P((char *, ...));
1260 # define FR_VERBOSE(verb_pr) verbose verb_pr
1261 # define FR_DEBUG(verb_pr) debug verb_pr
1266 extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
1267 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
1268 extern int ipf_log __P((void));
1269 extern struct ifnet *get_unit __P((char *, int));
1270 extern char *get_ifname __P((struct ifnet *));
1271 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
1272 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
1273 extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1275 extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1277 extern int iplopen __P((dev_t, int));
1278 extern int iplclose __P((dev_t, int));
1279 extern void m_freem __P((mb_t *));
1280 extern int bcopywrap __P((void *, void *, size_t));
1281 #else /* #ifndef _KERNEL */
1283 # if (defined(__NetBSD__) && (__NetBSD_Version__ < 399000000)) || \
1284 defined(__osf__) || \
1285 (defined(__FreeBSD_version) && (__FreeBSD_version < 500043))
1286 # include <sys/select.h>
1288 # include <sys/selinfo.h>
1290 extern struct selinfo ipfselwait[IPL_LOGSIZE];
1292 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
1293 extern void ipfilterattach __P((int));
1295 extern int ipl_enable __P((void));
1296 extern int ipl_disable __P((void));
1297 extern int ipf_inject __P((fr_info_t *, mb_t *));
1299 extern int fr_check __P((struct ip *, int, void *, int, void *,
1303 extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1305 extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
1307 extern int iplopen __P((dev_t *, int, int, cred_t *));
1308 extern int iplclose __P((dev_t, int, int, cred_t *));
1309 extern int iplread __P((dev_t, uio_t *, cred_t *));
1310 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1313 extern int iplopen __P((dev_t, int, intptr_t, int));
1314 extern int iplclose __P((dev_t, int, int));
1315 extern int iplioctl __P((dev_t, int, caddr_t, int));
1316 extern int iplread __P((dev_t, uio_t *));
1317 extern int iplwrite __P((dev_t, uio_t *));
1318 extern int iplselect __P((dev_t, int));
1320 extern int fr_qout __P((queue_t *, mblk_t *));
1322 extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
1323 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
1324 extern size_t mbufchainlen __P((mb_t *));
1326 # include <sys/cred.h>
1327 extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
1328 extern int iplopen __P((dev_t *, int, int, cred_t *));
1329 extern int iplclose __P((dev_t, int, int, cred_t *));
1330 extern int iplread __P((dev_t, uio_t *, cred_t *));
1331 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1332 extern int ipfilter_sgi_attach __P((void));
1333 extern void ipfilter_sgi_detach __P((void));
1334 extern void ipfilter_sgi_intfsync __P((void));
1336 # ifdef IPFILTER_LKM
1337 extern int iplidentify __P((char *));
1339 # if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199510) || \
1340 (__FreeBSD_version >= 220000) || \
1341 (NetBSD >= 199511) || defined(__OpenBSD__)
1342 # if defined(__NetBSD__) || \
1343 (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199701) || \
1344 defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
1345 # if (__FreeBSD_version >= 500024)
1346 # if (__FreeBSD_version >= 502116)
1347 extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
1349 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
1350 # endif /* __FreeBSD_version >= 502116 */
1352 # if (__NetBSD_Version__ >= 499001000)
1353 extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *));
1355 # if (__NetBSD_Version__ >= 399001400)
1356 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *));
1358 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
1361 # endif /* __FreeBSD_version >= 500024 */
1363 extern int iplioctl __P((dev_t, int, caddr_t, int, struct thread *));
1365 # if (__FreeBSD_version >= 500024)
1366 # if (__FreeBSD_version >= 502116)
1367 extern int iplopen __P((struct cdev*, int, int, struct thread *));
1368 extern int iplclose __P((struct cdev*, int, int, struct thread *));
1370 extern int iplopen __P((dev_t, int, int, struct thread *));
1371 extern int iplclose __P((dev_t, int, int, struct thread *));
1372 # endif /* __FreeBSD_version >= 502116 */
1374 # if (__NetBSD_Version__ >= 399001400)
1375 extern int iplopen __P((dev_t, int, int, struct lwp *));
1376 extern int iplclose __P((dev_t, int, int, struct lwp *));
1378 extern int iplopen __P((dev_t, int, int, struct proc *));
1379 extern int iplclose __P((dev_t, int, int, struct proc *));
1380 # endif /* __NetBSD_Version__ >= 399001400 */
1381 # endif /* __FreeBSD_version >= 500024 */
1384 extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
1386 extern int iplopen __P((dev_t, int));
1387 extern int iplclose __P((dev_t, int));
1388 extern int iplioctl __P((dev_t, int, caddr_t, int));
1390 # endif /* (_BSDI_VERSION >= 199510) */
1392 # if (__FreeBSD_version >= 502116)
1393 extern int iplread __P((struct cdev*, struct uio *, int));
1394 extern int iplwrite __P((struct cdev*, struct uio *, int));
1396 extern int iplread __P((dev_t, struct uio *, int));
1397 extern int iplwrite __P((dev_t, struct uio *, int));
1398 # endif /* __FreeBSD_version >= 502116 */
1401 extern int iplread __P((dev_t, struct uio *));
1402 extern int iplwrite __P((dev_t, struct uio *));
1404 # endif /* BSD >= 199306 */
1405 # endif /* __ sgi */
1406 # endif /* MENTAT */
1408 #endif /* #ifndef _KERNEL */
1410 extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
1411 extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
1412 extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
1413 extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
1414 extern ipfrwlock_t ipf_frcache, ipf_tokens;
1416 extern char *memstr __P((const char *, char *, size_t, size_t));
1417 extern int count4bits __P((u_32_t));
1418 extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
1419 extern char *getifname __P((struct ifnet *));
1420 extern int ipfattach __P((void));
1421 extern int ipfdetach __P((void));
1422 extern u_short ipf_cksum __P((u_short *, int));
1423 extern int copyinptr __P((void *, void *, size_t));
1424 extern int copyoutptr __P((void *, void *, size_t));
1425 extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
1426 extern int fr_inobj __P((void *, void *, int));
1427 extern int fr_inobjsz __P((void *, void *, int, int));
1428 extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *));
1429 extern int fr_ipf_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *));
1430 extern int fr_ipftune __P((ioctlcmd_t, void *));
1431 extern int fr_outobj __P((void *, void *, int));
1432 extern int fr_outobjsz __P((void *, void *, int, int));
1433 extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
1434 extern void fr_resolvedest __P((struct frdest *, int));
1435 extern int fr_resolvefunc __P((void *));
1436 extern void *fr_resolvenic __P((char *, int));
1437 extern int fr_send_icmp_err __P((int, fr_info_t *, int));
1438 extern int fr_send_reset __P((fr_info_t *));
1439 #if (__FreeBSD_version < 501000) || !defined(_KERNEL)
1440 extern int ppsratecheck __P((struct timeval *, int *, int));
1442 extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
1443 extern void fr_deletequeueentry __P((ipftqent_t *));
1444 extern int fr_deletetimeoutqueue __P((ipftq_t *));
1445 extern void fr_freetimeoutqueue __P((ipftq_t *));
1446 extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
1447 extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
1448 extern void fr_queueback __P((ipftqent_t *));
1449 extern void fr_queuefront __P((ipftqent_t *));
1450 extern void fr_checkv4sum __P((fr_info_t *));
1451 extern int fr_checkl4sum __P((fr_info_t *));
1452 extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
1453 struct sockaddr_in *, struct in_addr *,
1455 extern int fr_coalesce __P((fr_info_t *));
1457 extern void fr_checkv6sum __P((fr_info_t *));
1458 extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
1459 struct sockaddr_in6 *, struct in_addr *,
1463 extern int fr_addipftune __P((ipftuneable_t *));
1464 extern int fr_delipftune __P((ipftuneable_t *));
1466 extern int frflush __P((minor_t, int, int));
1467 extern void frsync __P((void *));
1468 extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
1469 extern int fr_derefrule __P((frentry_t **));
1470 extern void fr_delgroup __P((char *, minor_t, int));
1471 extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
1473 extern int fr_loginit __P((void));
1474 extern int ipflog_canread __P((int));
1475 extern int ipflog_clear __P((minor_t));
1476 extern int ipflog_read __P((minor_t, uio_t *));
1477 extern int ipflog __P((fr_info_t *, u_int));
1478 extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
1479 extern void fr_logunload __P((void));
1481 extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
1482 extern int fr_copytolog __P((int, char *, int));
1483 extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *, int));
1484 extern void fr_deinitialise __P((void));
1485 extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
1486 extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1487 extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
1488 extern void fr_forgetifp __P((void *));
1489 extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
1490 extern void fr_getstat __P((struct friostat *));
1491 extern int fr_ifpaddr __P((int, int, void *,
1492 struct in_addr *, struct in_addr *));
1493 extern int fr_initialise __P((void));
1494 extern void fr_lock __P((caddr_t, int *));
1495 extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
1496 extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
1497 extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1498 struct icmp *, int));
1499 extern u_32_t fr_newisn __P((fr_info_t *));
1500 extern u_short fr_nextipid __P((fr_info_t *));
1501 extern int ipf_queueflush __P((ipftq_delete_fn_t, ipftq_t *, ipftq_t *));
1502 extern int fr_rulen __P((int, frentry_t *));
1503 extern int fr_scanlist __P((fr_info_t *, u_32_t));
1504 extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
1505 extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
1506 extern int fr_verifysrc __P((fr_info_t *fin));
1507 extern int fr_zerostats __P((char *));
1508 extern ipftoken_t *ipf_findtoken __P((int, int, void *));
1509 extern int ipf_getnextrule __P((ipftoken_t *, void *));
1510 extern void ipf_expiretokens __P((void));
1511 extern void ipf_freetoken __P((ipftoken_t *));
1512 extern int ipf_deltoken __P((int,int, void *));
1513 extern int ipfsync __P((void));
1514 extern int ipf_genericiter __P((void *, int, void *));
1516 extern int fr_running;
1517 extern u_long fr_frouteok[2];
1519 extern int fr_flags;
1520 extern int fr_active;
1521 extern int fr_chksrc;
1522 extern int fr_minttl;
1523 extern int fr_refcnt;
1524 extern int fr_control_forwarding;
1525 extern int fr_update_ipid;
1526 extern int nat_logging;
1527 extern int ipstate_logging;
1528 extern int ipl_suppress;
1529 extern int ipl_logmax;
1530 extern int ipl_logall;
1531 extern int ipl_logsize;
1532 extern u_long fr_ticks;
1533 extern fr_info_t frcache[2][8];
1534 extern char ipfilter_version[];
1535 extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
1536 extern int iplused[IPL_LOGMAX + 1];
1537 extern struct frentry *ipfilter[2][2], *ipacct[2][2];
1539 extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
1540 extern int icmptoicmp6types[ICMP_MAXTYPE+1];
1541 extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
1542 extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
1544 extern int icmpreplytype4[ICMP_MAXTYPE + 1];
1545 extern struct frgroup *ipfgroups[IPL_LOGSIZE][2];
1546 extern struct filterstats frstats[];
1547 extern frentry_t *ipfrule_match __P((fr_info_t *));
1548 extern u_char ipf_iss_secret[32];
1549 extern ipftuneable_t ipf_tuneables[];
1551 #endif /* __IP_FIL_H__ */