2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
4 * See the IPFILTER.LICENCE file for details on licencing.
6 * @(#)ip_fil.h 1.35 6/5/96
8 * Id: ip_fil.h,v 2.170.2.51 2007/10/10 09:48:03 darrenr Exp $
14 #include "netinet/ip_compat.h"
17 # define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
28 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
29 # define SIOCADAFR _IOW('r', 60, struct ipfobj)
30 # define SIOCRMAFR _IOW('r', 61, struct ipfobj)
31 # define SIOCSETFF _IOW('r', 62, u_int)
32 # define SIOCGETFF _IOR('r', 63, u_int)
33 # define SIOCGETFS _IOWR('r', 64, struct ipfobj)
34 # define SIOCIPFFL _IOWR('r', 65, int)
35 # define SIOCIPFFB _IOR('r', 66, int)
36 # define SIOCADIFR _IOW('r', 67, struct ipfobj)
37 # define SIOCRMIFR _IOW('r', 68, struct ipfobj)
38 # define SIOCSWAPA _IOR('r', 69, u_int)
39 # define SIOCINAFR _IOW('r', 70, struct ipfobj)
40 # define SIOCINIFR _IOW('r', 71, struct ipfobj)
41 # define SIOCFRENB _IOW('r', 72, u_int)
42 # define SIOCFRSYN _IOW('r', 73, u_int)
43 # define SIOCFRZST _IOWR('r', 74, struct ipfobj)
44 # define SIOCZRLST _IOWR('r', 75, struct ipfobj)
45 # define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
46 # define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
47 # define SIOCSTAT1 _IOWR('r', 78, struct ipfobj)
48 # define SIOCSTLCK _IOWR('r', 79, u_int)
49 # define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
50 # define SIOCSTGET _IOWR('r', 81, struct ipfobj)
51 # define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
52 # define SIOCSTAT2 _IOWR('r', 83, struct ipfobj)
53 # define SIOCSETLG _IOWR('r', 84, int)
54 # define SIOCGETLG _IOWR('r', 85, int)
55 # define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
56 # define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
57 # define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
58 # define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
59 # define SIOCIPFL6 _IOWR('r', 90, int)
60 # define SIOCIPFITER _IOWR('r', 91, struct ipfobj)
61 # define SIOCGENITER _IOWR('r', 92, struct ipfobj)
62 # define SIOCGTABL _IOWR('r', 93, struct ipfobj)
63 # define SIOCIPFDELTOK _IOWR('r', 94, int)
64 # define SIOCLOOKUPITER _IOWR('r', 95, struct ipfobj)
65 # define SIOCGTQTAB _IOWR('r', 96, struct ipfobj)
67 # define SIOCADAFR _IOW(r, 60, struct ipfobj)
68 # define SIOCRMAFR _IOW(r, 61, struct ipfobj)
69 # define SIOCSETFF _IOW(r, 62, u_int)
70 # define SIOCGETFF _IOR(r, 63, u_int)
71 # define SIOCGETFS _IOWR(r, 64, struct ipfobj)
72 # define SIOCIPFFL _IOWR(r, 65, int)
73 # define SIOCIPFFB _IOR(r, 66, int)
74 # define SIOCADIFR _IOW(r, 67, struct ipfobj)
75 # define SIOCRMIFR _IOW(r, 68, struct ipfobj)
76 # define SIOCSWAPA _IOR(r, 69, u_int)
77 # define SIOCINAFR _IOW(r, 70, struct ipfobj)
78 # define SIOCINIFR _IOW(r, 71, struct ipfobj)
79 # define SIOCFRENB _IOW(r, 72, u_int)
80 # define SIOCFRSYN _IOW(r, 73, u_int)
81 # define SIOCFRZST _IOWR(r, 74, struct ipfobj)
82 # define SIOCZRLST _IOWR(r, 75, struct ipfobj)
83 # define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
84 # define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
85 # define SIOCSTAT1 _IOWR(r, 78, struct ipfobj)
86 # define SIOCSTLCK _IOWR(r, 79, u_int)
87 # define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
88 # define SIOCSTGET _IOWR(r, 81, struct ipfobj)
89 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
90 # define SIOCSTAT2 _IOWR(r, 83, struct ipfobj)
91 # define SIOCSETLG _IOWR(r, 84, int)
92 # define SIOCGETLG _IOWR(r, 85, int)
93 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
94 # define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
95 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
96 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
97 # define SIOCIPFL6 _IOWR(r, 90, int)
98 # define SIOCIPFITER _IOWR(r, 91, struct ipfobj)
99 # define SIOCGENITER _IOWR(r, 92, struct ipfobj)
100 # define SIOCGTABL _IOWR(r, 93, struct ipfobj)
101 # define SIOCIPFDELTOK _IOWR(r, 94, int)
102 # define SIOCLOOKUPITER _IOWR(r, 95, struct ipfobj)
103 # define SIOCGTQTAB _IOWR(r, 96, struct ipfobj)
105 #define SIOCADDFR SIOCADAFR
106 #define SIOCDELFR SIOCRMAFR
107 #define SIOCINSFR SIOCINAFR
108 #define SIOCATHST SIOCSTAT1
109 #define SIOCGFRST SIOCSTAT2
116 typedef int (* lookupfunc_t) __P((void *, int, void *));
119 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
120 * as other types of objects, depending on its qualifier.
123 typedef union i6addr {
128 lookupfunc_t lptr[2];
136 typedef union i6addr {
140 lookupfunc_t lptr[2];
149 #define in4_addr in4.s_addr
150 #define iplookupnum i6[1]
151 #define iplookupname i6un.label
152 #define iplookuptype i6un.type
153 #define iplookupsubtype i6un.subtype
155 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
157 #define iplookupptr vptr[0]
158 #define iplookupfunc lptr[1]
160 #define I60(x) (((u_32_t *)(x))[0])
161 #define I61(x) (((u_32_t *)(x))[1])
162 #define I62(x) (((u_32_t *)(x))[2])
163 #define I63(x) (((u_32_t *)(x))[3])
164 #define HI60(x) ntohl(((u_32_t *)(x))[0])
165 #define HI61(x) ntohl(((u_32_t *)(x))[1])
166 #define HI62(x) ntohl(((u_32_t *)(x))[2])
167 #define HI63(x) ntohl(((u_32_t *)(x))[3])
169 #define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
170 (I61(a) == I61(b)) && (I60(a) == I60(b)))
171 #define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
172 (I61(a) != I61(b)) || (I60(a) != I60(b)))
173 #define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
174 #define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
175 #define IP6_GT(a,b) (HI60(a) > HI60(b) || (HI60(a) == HI60(b) && \
176 (HI61(a) > HI61(b) || (HI61(a) == HI61(b) && \
177 (HI62(a) > HI62(b) || (HI62(a) == HI62(b) && \
178 HI63(a) > HI63(b)))))))
179 #define IP6_LT(a,b) (HI60(a) < HI60(b) || (HI60(a) == HI60(b) && \
180 (HI61(a) < HI61(b) || (HI61(a) == HI61(b) && \
181 (HI62(a) < HI62(b) || (HI62(a) == HI62(b) && \
182 HI63(a) < HI63(b)))))))
183 #define NLADD(n,x) htonl(ntohl(n) + (x))
185 { u_32_t *_i6 = (u_32_t *)(a); \
186 _i6[3] = NLADD(_i6[3], 1); \
188 _i6[2] = NLADD(_i6[2], 1); \
190 _i6[1] = NLADD(_i6[1], 1); \
192 _i6[0] = NLADD(_i6[0], 1); \
197 #define IP6_ADD(a,x,d) \
198 { i6addr_t *_s = (i6addr_t *)(a); \
199 i6addr_t *_d = (i6addr_t *)(d); \
200 _d->i6[0] = NLADD(_s->i6[0], x); \
201 if (ntohl(_d->i6[0]) < ntohl(_s->i6[0])) { \
202 _d->i6[1] = NLADD(_d->i6[1], 1); \
203 if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
204 _d->i6[2] = NLADD(_d->i6[2], 1); \
205 if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
206 _d->i6[3] = NLADD(_d->i6[3], 1); \
211 #define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
212 i6addr_t *_s2 = (i6addr_t *)(d); \
213 i6addr_t *_d = (i6addr_t *)(d); \
214 _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
215 _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
216 _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
217 _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
219 #define IP6_MERGE(a,b,c) \
220 { i6addr_t *_d, *_s1, *_s2; \
221 _d = (i6addr_t *)(a); \
222 _s1 = (i6addr_t *)(b); \
223 _s2 = (i6addr_t *)(c); \
224 _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
225 _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
226 _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
227 _d->i6[2] |= _s1->i6[3] & ~_s2->i6[3]; \
231 typedef struct fr_ip {
232 u_32_t fi_v:4; /* IP version */
233 u_32_t fi_xx:4; /* spare */
234 u_32_t fi_tos:8; /* IP packet TOS */
235 u_32_t fi_ttl:8; /* IP packet TTL */
236 u_32_t fi_p:8; /* IP packet protocol */
237 u_32_t fi_optmsk; /* bitmask composed from IP options */
238 i6addr_t fi_src; /* source address from packet */
239 i6addr_t fi_dst; /* destination address from packet */
240 u_short fi_secmsk; /* bitmask composed from IP security options */
241 u_short fi_auth; /* authentication code from IP sec. options */
242 u_32_t fi_flx; /* packet flags */
243 u_32_t fi_tcpmsk; /* TCP options set/reset */
244 u_32_t fi_res1; /* RESERVED */
250 #define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
251 #define FI_OPTIONS 0x0002
252 #define FI_FRAG 0x0004
253 #define FI_SHORT 0x0008
254 #define FI_NATED 0x0010
255 #define FI_MULTICAST 0x0020
256 #define FI_BROADCAST 0x0040
257 #define FI_MBCAST 0x0080
258 #define FI_STATE 0x0100
259 #define FI_BADNAT 0x0200
260 #define FI_BAD 0x0400
261 #define FI_OOW 0x0800 /* Out of state window, else match */
262 #define FI_ICMPERR 0x1000
263 #define FI_FRAGBODY 0x2000
264 #define FI_BADSRC 0x4000
265 #define FI_LOWTTL 0x8000
266 #define FI_CMP 0xcf03 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL,broadcast */
267 #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
268 #define FI_WITH 0xeffe /* Not FI_TCPUDP */
269 #define FI_V6EXTHDR 0x10000
270 #define FI_COALESCE 0x20000
271 #define FI_NEWNAT 0x40000
272 #define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
273 #define FI_DONTCACHE 0x40000000 /* don't cache the result */
274 #define FI_IGNORE 0x80000000
276 #define fi_saddr fi_src.in4.s_addr
277 #define fi_daddr fi_dst.in4.s_addr
278 #define fi_srcnum fi_src.iplookupnum
279 #define fi_dstnum fi_dst.iplookupnum
280 #define fi_srcname fi_src.iplookupname
281 #define fi_dstname fi_dst.iplookupname
282 #define fi_srctype fi_src.iplookuptype
283 #define fi_dsttype fi_dst.iplookuptype
284 #define fi_srcsubtype fi_src.iplookupsubtype
285 #define fi_dstsubtype fi_dst.iplookupsubtype
286 #define fi_srcptr fi_src.iplookupptr
287 #define fi_dstptr fi_dst.iplookupptr
288 #define fi_srcfunc fi_src.iplookupfunc
289 #define fi_dstfunc fi_dst.iplookupfunc
293 * These are both used by the state and NAT code to indicate that one port or
294 * the other should be treated as a wildcard.
295 * NOTE: When updating, check bit masks in ip_state.h and update there too.
297 #define SI_W_SPORT 0x00000100
298 #define SI_W_DPORT 0x00000200
299 #define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
300 #define SI_W_SADDR 0x00000400
301 #define SI_W_DADDR 0x00000800
302 #define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
303 #define SI_NEWFR 0x00001000
304 #define SI_CLONE 0x00002000
305 #define SI_CLONED 0x00004000
308 typedef struct fr_info {
309 void *fin_ifp; /* interface packet is `on' */
310 fr_ip_t fin_fi; /* IP Packet summary */
312 u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
315 int fin_out; /* in or out ? 1 == out, 0 == in */
316 int fin_rev; /* state only: 1 = reverse */
317 u_short fin_hlen; /* length of IP header in bytes */
318 u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
319 u_char fin_icode; /* ICMP error to return */
320 u_32_t fin_rule; /* rule # last matched */
321 char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
322 struct frentry *fin_fr; /* last matching rule */
323 void *fin_dp; /* start of data past IP header */
324 int fin_dlen; /* length of data portion of packet */
326 int fin_ipoff; /* # bytes from buffer start to hdr */
327 u_short fin_id; /* IP packet id field */
329 int fin_depth; /* Group nesting depth */
330 int fin_error; /* Error code to return */
331 int fin_cksum; /* -1 bad, 1 good, 0 not done */
337 mb_t **fin_mp; /* pointer to pointer to mbuf */
338 mb_t *fin_m; /* pointer to mbuf */
340 mb_t *fin_qfm; /* pointer to mblk where pkt starts */
342 char fin_ifname[LIFNAMSIZ];
349 #define fin_v fin_fi.fi_v
350 #define fin_p fin_fi.fi_p
351 #define fin_flx fin_fi.fi_flx
352 #define fin_optmsk fin_fi.fi_optmsk
353 #define fin_secmsk fin_fi.fi_secmsk
354 #define fin_auth fin_fi.fi_auth
355 #define fin_src fin_fi.fi_src.in4
356 #define fin_src6 fin_fi.fi_src.in6
357 #define fin_saddr fin_fi.fi_saddr
358 #define fin_dst fin_fi.fi_dst.in4
359 #define fin_dst6 fin_fi.fi_dst.in6
360 #define fin_daddr fin_fi.fi_daddr
361 #define fin_data fin_dat.fid_16
362 #define fin_sport fin_dat.fid_16[0]
363 #define fin_dport fin_dat.fid_16[1]
364 #define fin_ports fin_dat.fid_32
369 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
370 typedef int (*ipfuncinit_t) __P((struct frentry *));
372 typedef struct ipfunc_resolve {
375 ipfuncinit_t ipfu_init;
379 * Size for compares on fr_info structures
381 #define FI_CSIZE offsetof(fr_info_t, fin_icode)
382 #define FI_LCSIZE offsetof(fr_info_t, fin_dp)
385 * Size for copying cache fr_info structure
387 #define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
390 * Structure for holding IPFilter's tag information
392 #define IPFTAG_LEN 16
396 char iptu_tag[IPFTAG_LEN];
401 #define ipt_tag ipt_un.iptu_tag
402 #define ipt_num ipt_un.iptu_num
406 * This structure is used to hold information about the next hop for where
407 * to forward a packet.
409 typedef struct frdest {
412 char fd_ifname[LIFNAMSIZ];
415 #define fd_ip fd_ip6.in4
419 * This structure holds information about a port comparison.
421 typedef struct frpcmp {
422 int frp_cmp; /* data for port comparisons */
423 u_short frp_port; /* top port for <> and >< */
424 u_short frp_top; /* top port for <> and >< */
431 #define FR_GREATERT 4
433 #define FR_GREATERTE 6
434 #define FR_OUTRANGE 7
436 #define FR_INCRANGE 9
439 * Structure containing all the relevant TCP things that can be checked in
442 typedef struct frtuc {
443 u_char ftu_tcpfm; /* tcp flags mask */
444 u_char ftu_tcpf; /* tcp flags */
449 #define ftu_scmp ftu_src.frp_cmp
450 #define ftu_dcmp ftu_dst.frp_cmp
451 #define ftu_sport ftu_src.frp_port
452 #define ftu_dport ftu_dst.frp_port
453 #define ftu_stop ftu_src.frp_top
454 #define ftu_dtop ftu_dst.frp_top
456 #define FR_TCPFMAX 0x3f
459 * This structure makes up what is considered to be the IPFilter specific
460 * matching components of a filter rule, as opposed to the data structures
461 * used to define the result which are in frentry_t and not here.
463 typedef struct fripf {
465 fr_ip_t fri_mip; /* mask structure */
467 u_short fri_icmpm; /* data for ICMP packets (mask) */
471 int fri_satype; /* addres type */
472 int fri_datype; /* addres type */
473 int fri_sifpidx; /* doing dynamic addressing */
474 int fri_difpidx; /* index into fr_ifps[] to use when */
477 #define fri_dlookup fri_mip.fi_dst
478 #define fri_slookup fri_mip.fi_src
479 #define fri_dstnum fri_mip.fi_dstnum
480 #define fri_srcnum fri_mip.fi_srcnum
481 #define fri_dstname fri_mip.fi_dstname
482 #define fri_srcname fri_mip.fi_srcname
483 #define fri_dstptr fri_mip.fi_dstptr
484 #define fri_srcptr fri_mip.fi_srcptr
486 #define FRI_NORMAL 0 /* Normal address */
487 #define FRI_DYNAMIC 1 /* dynamic address */
488 #define FRI_LOOKUP 2 /* address is a pool # */
489 #define FRI_RANGE 3 /* address/mask is a range */
490 #define FRI_NETWORK 4 /* network address from if */
491 #define FRI_BROADCAST 5 /* broadcast address from if */
492 #define FRI_PEERADDR 6 /* Peer address for P-to-P */
493 #define FRI_NETMASKED 7 /* network address with netmask from if */
496 typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
498 typedef struct frentry {
500 struct frentry *fr_next;
501 struct frentry **fr_grp;
502 struct ipscan *fr_isc;
504 void *fr_ptr; /* for use with fr_arg */
505 char *fr_comment; /* text comment for rule */
506 int fr_ref; /* reference count - for grouping */
507 int fr_statecnt; /* state count - for limit rules */
509 * The line number from a file is here because we need to be able to
510 * match the rule generated with ``grep rule ipf.conf | ipf -rf -''
511 * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be
512 * on the other side of fr_func.
514 int fr_flineno; /* line number from conf file */
516 * These are only incremented when a packet matches this rule and
517 * it is the last match
523 * For PPS rate limiting
525 struct timeval fr_lastpkt;
532 frentfunc_t fru_func;
536 * Fields after this may not change whilst in the kernel.
538 ipfunc_t fr_func; /* call this function */
541 int fr_statemax; /* max reference count */
543 u_32_t fr_flags; /* per-rule flags && options (see below) */
544 u_32_t fr_logtag; /* user defined log tag # */
545 u_32_t fr_collect; /* collection number */
546 u_int fr_arg; /* misc. numeric arg for rule */
547 u_int fr_loglevel; /* syslog log facility + priority */
548 u_int fr_age[2]; /* non-TCP timeouts */
550 u_char fr_icode; /* return ICMP code */
551 char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
552 char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
554 char fr_ifnames[4][LIFNAMSIZ];
556 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
557 frdest_t fr_dif; /* duplicate packet interface */
559 * This must be last and will change after loaded into the kernel.
561 u_int fr_cksum; /* checksum on filter rules for performance */
564 #define fr_caddr fr_dun.fru_caddr
565 #define fr_data fr_dun.fru_data
566 #define fr_dfunc fr_dun.fru_func
567 #define fr_ipf fr_dun.fru_ipf
568 #define fr_ip fr_ipf->fri_ip
569 #define fr_mip fr_ipf->fri_mip
570 #define fr_icmpm fr_ipf->fri_icmpm
571 #define fr_icmp fr_ipf->fri_icmp
572 #define fr_tuc fr_ipf->fri_tuc
573 #define fr_satype fr_ipf->fri_satype
574 #define fr_datype fr_ipf->fri_datype
575 #define fr_sifpidx fr_ipf->fri_sifpidx
576 #define fr_difpidx fr_ipf->fri_difpidx
577 #define fr_proto fr_ip.fi_p
578 #define fr_mproto fr_mip.fi_p
579 #define fr_ttl fr_ip.fi_ttl
580 #define fr_mttl fr_mip.fi_ttl
581 #define fr_tos fr_ip.fi_tos
582 #define fr_mtos fr_mip.fi_tos
583 #define fr_tcpfm fr_tuc.ftu_tcpfm
584 #define fr_tcpf fr_tuc.ftu_tcpf
585 #define fr_scmp fr_tuc.ftu_scmp
586 #define fr_dcmp fr_tuc.ftu_dcmp
587 #define fr_dport fr_tuc.ftu_dport
588 #define fr_sport fr_tuc.ftu_sport
589 #define fr_stop fr_tuc.ftu_stop
590 #define fr_dtop fr_tuc.ftu_dtop
591 #define fr_dst fr_ip.fi_dst.in4
592 #define fr_daddr fr_ip.fi_dst.in4.s_addr
593 #define fr_src fr_ip.fi_src.in4
594 #define fr_saddr fr_ip.fi_src.in4.s_addr
595 #define fr_dmsk fr_mip.fi_dst.in4
596 #define fr_dmask fr_mip.fi_dst.in4.s_addr
597 #define fr_smsk fr_mip.fi_src.in4
598 #define fr_smask fr_mip.fi_src.in4.s_addr
599 #define fr_dstnum fr_ip.fi_dstnum
600 #define fr_srcnum fr_ip.fi_srcnum
601 #define fr_dlookup fr_ip.fi_dst
602 #define fr_slookup fr_ip.fi_src
603 #define fr_dstname fr_ip.fi_dstname
604 #define fr_srcname fr_ip.fi_srcname
605 #define fr_dsttype fr_ip.fi_dsttype
606 #define fr_srctype fr_ip.fi_srctype
607 #define fr_dstsubtype fr_ip.fi_dstsubtype
608 #define fr_srcsubtype fr_ip.fi_srcsubtype
609 #define fr_dstptr fr_mip.fi_dstptr
610 #define fr_srcptr fr_mip.fi_srcptr
611 #define fr_dstfunc fr_mip.fi_dstfunc
612 #define fr_srcfunc fr_mip.fi_srcfunc
613 #define fr_optbits fr_ip.fi_optmsk
614 #define fr_optmask fr_mip.fi_optmsk
615 #define fr_secbits fr_ip.fi_secmsk
616 #define fr_secmask fr_mip.fi_secmsk
617 #define fr_authbits fr_ip.fi_auth
618 #define fr_authmask fr_mip.fi_auth
619 #define fr_flx fr_ip.fi_flx
620 #define fr_mflx fr_mip.fi_flx
621 #define fr_ifname fr_ifnames[0]
622 #define fr_oifname fr_ifnames[2]
623 #define fr_ifa fr_ifas[0]
624 #define fr_oifa fr_ifas[2]
625 #define fr_tif fr_tifs[0]
626 #define fr_rif fr_tifs[1]
628 #define FR_NOLOGTAG 0
631 #define offsetof(t,m) (int)((&((t *)0L)->m))
633 #define FR_CMPSIZ (sizeof(struct frentry) - \
634 offsetof(struct frentry, fr_func))
640 #define FR_T_IPF 1 /* IPF structures */
641 #define FR_T_BPFOPC 2 /* BPF opcode */
642 #define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
643 #define FR_T_COMPIPF 4 /* compiled C code */
644 #define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
649 #define FR_CALL 0x00000 /* call rule */
650 #define FR_BLOCK 0x00001 /* do not allow packet to pass */
651 #define FR_PASS 0x00002 /* allow packet to pass */
652 #define FR_AUTH 0x00003 /* use authentication */
653 #define FR_PREAUTH 0x00004 /* require preauthentication */
654 #define FR_ACCOUNT 0x00005 /* Accounting rule */
655 #define FR_SKIP 0x00006 /* skip rule */
656 #define FR_DIVERT 0x00007 /* divert rule */
657 #define FR_CMDMASK 0x0000f
658 #define FR_LOG 0x00010 /* Log */
659 #define FR_LOGB 0x00011 /* Log-fail */
660 #define FR_LOGP 0x00012 /* Log-pass */
661 #define FR_LOGMASK (FR_LOG|FR_CMDMASK)
662 #define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
663 #define FR_NOTSRCIP 0x00040
664 #define FR_NOTDSTIP 0x00080
665 #define FR_QUICK 0x00100 /* match & stop processing list */
666 #define FR_KEEPFRAG 0x00200 /* keep fragment information */
667 #define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
668 #define FR_FASTROUTE 0x00800 /* bypass normal routing */
669 #define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
670 #define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
671 #define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
672 #define FR_OUTQUE 0x04000 /* outgoing packets */
673 #define FR_INQUE 0x08000 /* ingoing packets */
674 #define FR_LOGBODY 0x10000 /* Log the body */
675 #define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
676 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
677 #define FR_DUP 0x80000 /* duplicate packet */
678 #define FR_FRSTRICT 0x100000 /* strict frag. cache */
679 #define FR_STSTRICT 0x200000 /* strict keep state */
680 #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
681 #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
682 #define FR_STATESYNC 0x1000000 /* synchronize state to slave */
683 #define FR_NOMATCH 0x8000000 /* no match occured */
684 /* 0x10000000 FF_LOGPASS */
685 /* 0x20000000 FF_LOGBLOCK */
686 /* 0x40000000 FF_LOGNOMATCH */
687 /* 0x80000000 FF_BLOCKNONIP */
688 #define FR_COPIED 0x40000000 /* copied from user space */
689 #define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
691 #define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
692 #define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
693 #define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
694 #define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
695 #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
696 #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
697 #define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
698 #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
699 #define FR_INOUT (FR_INQUE|FR_OUTQUE)
702 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
704 #define FF_LOGPASS 0x10000000
705 #define FF_LOGBLOCK 0x20000000
706 #define FF_LOGNOMATCH 0x40000000
707 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
708 #define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
712 * Structure that passes information on what/how to flush to the kernel.
714 typedef struct ipfflush {
723 typedef struct ipfgetctl {
724 u_int ipfg_min; /* min value */
725 u_int ipfg_current; /* current value */
726 u_int ipfg_max; /* max value */
727 u_int ipfg_default; /* default value */
728 u_int ipfg_steps; /* value increments */
729 char ipfg_name[40]; /* tag name for this control */
732 typedef struct ipfsetctl {
733 int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
734 u_int ipfs_value; /* min value */
735 char ipfs_name[40]; /* tag name for this control */
740 * Some of the statistics below are in their own counters, but most are kept
741 * in this single structure so that they can all easily be collected and
742 * copied back as required.
744 typedef struct filterstats {
745 u_long fr_pass; /* packets allowed */
746 u_long fr_block; /* packets denied */
747 u_long fr_nom; /* packets which don't match any rule */
748 u_long fr_short; /* packets which are short */
749 u_long fr_ppkl; /* packets allowed and logged */
750 u_long fr_bpkl; /* packets denied and logged */
751 u_long fr_npkl; /* packets unmatched and logged */
752 u_long fr_pkl; /* packets logged */
753 u_long fr_skip; /* packets to be logged but buffer full */
754 u_long fr_ret; /* packets for which a return is sent */
755 u_long fr_acct; /* packets for which counting was performed */
756 u_long fr_bnfr; /* bad attempts to allocate fragment state */
757 u_long fr_nfr; /* new fragment state kept */
758 u_long fr_cfr; /* add new fragment state but complete pkt */
759 u_long fr_bads; /* bad attempts to allocate packet state */
760 u_long fr_ads; /* new packet state kept */
761 u_long fr_chit; /* cached hit */
762 u_long fr_tcpbad; /* TCP checksum check failures */
763 u_long fr_pull[2]; /* good and bad pullup attempts */
764 u_long fr_badsrc; /* source received doesn't match route */
765 u_long fr_badttl; /* TTL in packet doesn't reach minimum */
766 u_long fr_bad; /* bad IP packets to the filter */
767 u_long fr_ipv6; /* IPv6 packets in/out */
768 u_long fr_ppshit; /* dropped because of pps ceiling */
769 u_long fr_ipud; /* IP id update failures */
773 * Log structure. Each packet header logged is prepended by one of these.
774 * Following this in the log records read from the device will be an ipflog
775 * structure which is then followed by any packet data.
777 typedef struct iplog {
780 struct timeval ipl_time;
782 struct iplog *ipl_next;
785 #define ipl_sec ipl_time.tv_sec
786 #define ipl_usec ipl_time.tv_usec
788 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
789 #define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
790 #define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
791 #define IPLOG_SIZE sizeof(iplog_t)
793 typedef struct ipflog {
794 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
795 (defined(OpenBSD) && (OpenBSD >= 199603))
804 u_short fl_plen; /* extra data after hlen */
805 u_short fl_loglevel; /* syslog log level */
806 char fl_group[FR_GROUPLEN];
807 u_char fl_hlen; /* length of IP headers saved */
809 u_char fl_xxx[2]; /* pad */
810 char fl_ifname[LIFNAMSIZ];
814 # define IPF_LOGGING 0
816 #ifndef IPF_DEFAULT_PASS
817 # define IPF_DEFAULT_PASS FR_PASS
820 #define DEFAULT_IPFLOGSIZE 8192
821 #ifndef IPFILTER_LOGSIZE
822 # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
824 # if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
825 # error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
829 #define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
832 * Device filenames for reading log information. Use ipf on Solaris2 because
833 * ipl is already a name used by something else.
837 # define IPL_NAME "/dev/ipf"
839 # define IPL_NAME "/dev/ipl"
843 * Pathnames for various IP Filter control devices. Used by LKM
844 * and userland, so defined here.
846 #define IPNAT_NAME "/dev/ipnat"
847 #define IPSTATE_NAME "/dev/ipstate"
848 #define IPAUTH_NAME "/dev/ipauth"
849 #define IPSYNC_NAME "/dev/ipsync"
850 #define IPSCAN_NAME "/dev/ipscan"
851 #define IPLOOKUP_NAME "/dev/iplookup"
853 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
855 #define IPL_LOGSTATE 2
856 #define IPL_LOGAUTH 3
857 #define IPL_LOGSYNC 4
858 #define IPL_LOGSCAN 5
859 #define IPL_LOGLOOKUP 6
860 #define IPL_LOGCOUNT 7
862 #define IPL_LOGSIZE IPL_LOGMAX + 1
863 #define IPL_LOGALL -1
864 #define IPL_LOGNONE -2
869 typedef struct friostat {
870 struct filterstats f_st[2];
871 struct frentry *f_ipf[2][2];
872 struct frentry *f_acct[2][2];
873 struct frentry *f_ipf6[2][2];
874 struct frentry *f_acct6[2][2];
875 struct frentry *f_auth;
876 struct frgroup *f_groups[IPL_LOGSIZE][2];
879 int f_locks[IPL_LOGMAX];
882 int f_defpass; /* default pass - from fr_pass */
883 int f_active; /* 1 or 0 - active rule set */
884 int f_running; /* 1 if running, else 0 */
885 int f_logging; /* 1 if enabled, else 0 */
887 char f_version[32]; /* version string */
890 #define f_fin f_ipf[0]
891 #define f_fin6 f_ipf6[0]
892 #define f_fout f_ipf[1]
893 #define f_fout6 f_ipf6[1]
894 #define f_acctin f_acct[0]
895 #define f_acctin6 f_acct6[0]
896 #define f_acctout f_acct[1]
897 #define f_acctout6 f_acct6[1]
899 #define IPF_FEAT_LKM 0x001
900 #define IPF_FEAT_LOG 0x002
901 #define IPF_FEAT_LOOKUP 0x004
902 #define IPF_FEAT_BPF 0x008
903 #define IPF_FEAT_COMPILED 0x010
904 #define IPF_FEAT_CKSUM 0x020
905 #define IPF_FEAT_SYNC 0x040
906 #define IPF_FEAT_SCAN 0x080
907 #define IPF_FEAT_IPV6 0x100
909 typedef struct optlist {
916 * Group list structure.
918 typedef struct frgroup {
919 struct frgroup *fg_next;
920 struct frentry *fg_head;
921 struct frentry *fg_start;
924 char fg_name[FR_GROUPLEN];
927 #define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
931 * Used by state and NAT tables
933 typedef struct icmpinfo {
939 typedef struct udpinfo {
945 typedef struct tcpdata {
954 #define TCP_WSCALE_MAX 14
956 #define TCP_WSCALE_SEEN 0x00000001
957 #define TCP_WSCALE_FIRST 0x00000002
958 #define TCP_SACK_PERMIT 0x00000004
961 typedef struct tcpinfo {
964 tcpdata_t ts_data[2];
969 * Structures to define a GRE header as seen in a packet.
984 typedef struct grehdr {
986 struct grebits gru_bits;
993 #define gr_flags gr_un.gru_flags
994 #define gr_bits gr_un.gru_bits
995 #define gr_ptype gr_bits.grb_ptype
996 #define gr_C gr_bits.grb_C
997 #define gr_R gr_bits.grb_R
998 #define gr_K gr_bits.grb_K
999 #define gr_S gr_bits.grb_S
1000 #define gr_s gr_bits.grb_s
1001 #define gr_recur gr_bits.grb_recur
1002 #define gr_A gr_bits.grb_A
1003 #define gr_ver gr_bits.grb_ver
1006 * GRE information tracked by "keep state"
1008 typedef struct greinfo {
1014 #define GRE_REV(x) ((ntohs(x) >> 13) & 7)
1018 * Format of an Authentication header
1020 typedef struct authhdr {
1023 u_short ah_reserved;
1026 /* Following the sequence number field is 0 or more bytes of */
1027 /* authentication data, as specified by ah_plen - RFC 2402. */
1032 * Timeout tail queue list member
1034 typedef struct ipftqent {
1035 struct ipftqent **tqe_pnext;
1036 struct ipftqent *tqe_next;
1037 struct ipftq *tqe_ifq;
1038 void *tqe_parent; /* pointer back to NAT/state struct */
1039 u_long tqe_die; /* when this entriy is to die */
1042 int tqe_state[2]; /* current state of this entry */
1045 #define TQE_RULEBASED 0x00000001
1049 * Timeout tail queue head for IPFilter
1051 typedef struct ipftq {
1052 ipfmutex_t ifq_lock;
1054 ipftqent_t *ifq_head;
1055 ipftqent_t **ifq_tail;
1056 struct ipftq *ifq_next;
1057 struct ipftq **ifq_pnext;
1062 #define IFQF_USER 0x01 /* User defined aging */
1063 #define IFQF_DELETE 0x02 /* Marked for deletion */
1064 #define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */
1066 #define IPF_HZ_MULT 1
1067 #define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
1068 /* checks its timeout queues. */
1069 #define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
1071 typedef int (*ipftq_delete_fn_t)(void *);
1074 * Structure to define address for pool lookups.
1083 * Object structure description. For passing through in ioctls.
1085 typedef struct ipfobj {
1086 u_32_t ipfo_rev; /* IPFilter version number */
1087 u_32_t ipfo_size; /* size of object at ipfo_ptr */
1088 void *ipfo_ptr; /* pointer to object */
1089 int ipfo_type; /* type of object being pointed to */
1090 int ipfo_offset; /* bytes from ipfo_ptr where to start */
1091 u_char ipfo_xxxpad[32]; /* reserved for future use */
1094 #define IPFOBJ_FRENTRY 0 /* struct frentry */
1095 #define IPFOBJ_IPFSTAT 1 /* struct friostat */
1096 #define IPFOBJ_IPFINFO 2 /* struct fr_info */
1097 #define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
1098 #define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
1099 #define IPFOBJ_IPNAT 5 /* struct ipnat */
1100 #define IPFOBJ_NATSTAT 6 /* struct natstat */
1101 #define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
1102 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
1103 #define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
1104 #define IPFOBJ_IPSTATE 10 /* struct ipstate */
1105 #define IPFOBJ_STATESTAT 11 /* struct ips_stat */
1106 #define IPFOBJ_FRAUTH 12 /* struct frauth */
1107 #define IPFOBJ_TUNEABLE 13 /* struct ipftune */
1108 #define IPFOBJ_NAT 14 /* struct nat */
1109 #define IPFOBJ_IPFITER 15 /* struct ipfruleiter */
1110 #define IPFOBJ_GENITER 16 /* struct ipfgeniter */
1111 #define IPFOBJ_GTABLE 17 /* struct ipftable */
1112 #define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */
1113 #define IPFOBJ_STATETQTAB 19 /* struct ipftq [NSTATES] */
1114 #define IPFOBJ_COUNT 20 /* How many #defines are above this? */
1117 typedef union ipftunevalptr {
1121 u_short *ipftp_short;
1125 typedef struct ipftuneable {
1126 ipftunevalptr_t ipft_una;
1127 const char *ipft_name;
1132 struct ipftuneable *ipft_next;
1135 #define ipft_addr ipft_una.ipftp_void
1136 #define ipft_plong ipft_una.ipftp_long
1137 #define ipft_pint ipft_una.ipftp_int
1138 #define ipft_pshort ipft_una.ipftp_short
1139 #define ipft_pchar ipft_una.ipftp_char
1141 #define IPFT_RDONLY 1 /* read-only */
1142 #define IPFT_WRDISABLED 2 /* write when disabled only */
1144 typedef union ipftuneval {
1147 u_short ipftu_short;
1151 typedef struct ipftune {
1153 ipftuneval_t ipft_un;
1161 #define ipft_vlong ipft_un.ipftu_long
1162 #define ipft_vint ipft_un.ipftu_int
1163 #define ipft_vshort ipft_un.ipftu_short
1164 #define ipft_vchar ipft_un.ipftu_char
1169 typedef struct ipfruleiter {
1171 char iri_group[FR_GROUPLEN];
1175 frentry_t *iri_rule;
1179 * Values for iri_inout
1187 typedef struct ipfgeniter {
1193 #define IPFGENITER_IPF 0
1194 #define IPFGENITER_NAT 1
1195 #define IPFGENITER_IPNAT 2
1196 #define IPFGENITER_FRAG 3
1197 #define IPFGENITER_AUTH 4
1198 #define IPFGENITER_STATE 5
1199 #define IPFGENITER_NATFRAG 6
1200 #define IPFGENITER_HOSTMAP 7
1201 #define IPFGENITER_LOOKUP 8
1203 typedef struct ipftable {
1208 #define IPFTABLE_BUCKETS 1
1209 #define IPFTABLE_BUCKETS_NATIN 2
1210 #define IPFTABLE_BUCKETS_NATOUT 3
1216 typedef struct ipftoken {
1217 struct ipftoken *ipt_next;
1218 struct ipftoken **ipt_pnext;
1233 /* HP-UX locking sequence deadlock detection module lock MAJOR ID */
1234 # define IPF_SMAJ 0 /* temp assignment XXX, not critical */
1237 #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
1238 (__FreeBSD_version >= 220000)
1239 # define CDEV_MAJOR 79
1243 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
1244 * on those hooks. We don't need any special mods in non-IP Filter code
1247 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
1248 (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
1249 (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
1250 # if defined(NetBSD) && (NetBSD >= 199905)
1259 # define FR_VERBOSE(verb_pr)
1260 # define FR_DEBUG(verb_pr)
1262 extern void debug __P((char *, ...));
1263 extern void verbose __P((char *, ...));
1264 # define FR_VERBOSE(verb_pr) verbose verb_pr
1265 # define FR_DEBUG(verb_pr) debug verb_pr
1270 extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
1271 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
1272 extern int ipf_log __P((void));
1273 extern struct ifnet *get_unit __P((char *, int));
1274 extern char *get_ifname __P((struct ifnet *));
1275 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
1276 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
1277 extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1279 extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1281 extern int iplopen __P((dev_t, int));
1282 extern int iplclose __P((dev_t, int));
1283 extern void m_freem __P((mb_t *));
1284 extern int bcopywrap __P((void *, void *, size_t));
1285 #else /* #ifndef _KERNEL */
1287 # if (defined(__NetBSD__) && (__NetBSD_Version__ < 399000000)) || \
1288 defined(__osf__) || \
1289 (defined(__FreeBSD_version) && (__FreeBSD_version < 500043))
1290 # include <sys/select.h>
1292 # include <sys/selinfo.h>
1294 extern struct selinfo ipfselwait[IPL_LOGSIZE];
1296 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
1297 extern void ipfilterattach __P((int));
1299 extern int ipl_enable __P((void));
1300 extern int ipl_disable __P((void));
1301 extern int ipf_inject __P((fr_info_t *, mb_t *));
1303 extern int fr_check __P((struct ip *, int, void *, int, void *,
1307 extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1309 extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
1311 extern int iplopen __P((dev_t *, int, int, cred_t *));
1312 extern int iplclose __P((dev_t, int, int, cred_t *));
1313 extern int iplread __P((dev_t, uio_t *, cred_t *));
1314 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1317 extern int iplopen __P((dev_t, int, intptr_t, int));
1318 extern int iplclose __P((dev_t, int, int));
1319 extern int iplioctl __P((dev_t, int, caddr_t, int));
1320 extern int iplread __P((dev_t, uio_t *));
1321 extern int iplwrite __P((dev_t, uio_t *));
1322 extern int iplselect __P((dev_t, int));
1324 extern int fr_qout __P((queue_t *, mblk_t *));
1326 extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
1327 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
1328 extern size_t mbufchainlen __P((mb_t *));
1330 # include <sys/cred.h>
1331 extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
1332 extern int iplopen __P((dev_t *, int, int, cred_t *));
1333 extern int iplclose __P((dev_t, int, int, cred_t *));
1334 extern int iplread __P((dev_t, uio_t *, cred_t *));
1335 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1336 extern int ipfilter_sgi_attach __P((void));
1337 extern void ipfilter_sgi_detach __P((void));
1338 extern void ipfilter_sgi_intfsync __P((void));
1340 # ifdef IPFILTER_LKM
1341 extern int iplidentify __P((char *));
1343 # if (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199510) || \
1344 (__FreeBSD_version >= 220000) || \
1345 (NetBSD >= 199511) || defined(__OpenBSD__)
1346 # if defined(__NetBSD__) || \
1347 (defined(_BSDI_VERSION) && _BSDI_VERSION >= 199701) || \
1348 defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
1349 # if (__FreeBSD_version >= 500024)
1350 # if (__FreeBSD_version >= 502116)
1351 extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
1353 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
1354 # endif /* __FreeBSD_version >= 502116 */
1356 # if (__NetBSD_Version__ >= 499001000)
1357 extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *));
1359 # if (__NetBSD_Version__ >= 399001400)
1360 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *));
1362 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
1365 # endif /* __FreeBSD_version >= 500024 */
1367 extern int iplioctl __P((dev_t, int, caddr_t, int, struct thread *));
1369 # if (__FreeBSD_version >= 500024)
1370 # if (__FreeBSD_version >= 502116)
1371 extern int iplopen __P((struct cdev*, int, int, struct thread *));
1372 extern int iplclose __P((struct cdev*, int, int, struct thread *));
1374 extern int iplopen __P((dev_t, int, int, struct thread *));
1375 extern int iplclose __P((dev_t, int, int, struct thread *));
1376 # endif /* __FreeBSD_version >= 502116 */
1378 # if (__NetBSD_Version__ >= 399001400)
1379 extern int iplopen __P((dev_t, int, int, struct lwp *));
1380 extern int iplclose __P((dev_t, int, int, struct lwp *));
1382 extern int iplopen __P((dev_t, int, int, struct proc *));
1383 extern int iplclose __P((dev_t, int, int, struct proc *));
1384 # endif /* __NetBSD_Version__ >= 399001400 */
1385 # endif /* __FreeBSD_version >= 500024 */
1388 extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
1390 extern int iplopen __P((dev_t, int));
1391 extern int iplclose __P((dev_t, int));
1392 extern int iplioctl __P((dev_t, int, caddr_t, int));
1394 # endif /* (_BSDI_VERSION >= 199510) */
1396 # if (__FreeBSD_version >= 502116)
1397 extern int iplread __P((struct cdev*, struct uio *, int));
1398 extern int iplwrite __P((struct cdev*, struct uio *, int));
1400 extern int iplread __P((dev_t, struct uio *, int));
1401 extern int iplwrite __P((dev_t, struct uio *, int));
1402 # endif /* __FreeBSD_version >= 502116 */
1405 extern int iplread __P((dev_t, struct uio *));
1406 extern int iplwrite __P((dev_t, struct uio *));
1408 # endif /* BSD >= 199306 */
1409 # endif /* __ sgi */
1410 # endif /* MENTAT */
1412 # if defined(__FreeBSD_version)
1413 extern int ipf_pfil_hook __P((void));
1414 extern int ipf_pfil_unhook __P((void));
1415 extern void ipf_event_reg __P((void));
1416 extern void ipf_event_dereg __P((void));
1419 #endif /* #ifndef _KERNEL */
1421 extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
1422 extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
1423 extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
1424 extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
1425 extern ipfrwlock_t ipf_frcache, ipf_tokens;
1427 extern char *memstr __P((const char *, char *, size_t, size_t));
1428 extern int count4bits __P((u_32_t));
1429 extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
1430 extern char *getifname __P((struct ifnet *));
1431 extern int ipfattach __P((void));
1432 extern int ipfdetach __P((void));
1433 extern u_short ipf_cksum __P((u_short *, int));
1434 extern int copyinptr __P((void *, void *, size_t));
1435 extern int copyoutptr __P((void *, void *, size_t));
1436 extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
1437 extern int fr_inobj __P((void *, void *, int));
1438 extern int fr_inobjsz __P((void *, void *, int, int));
1439 extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *));
1440 extern int fr_ipf_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *));
1441 extern int fr_ipftune __P((ioctlcmd_t, void *));
1442 extern int fr_outobj __P((void *, void *, int));
1443 extern int fr_outobjsz __P((void *, void *, int, int));
1444 extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
1445 extern void fr_resolvedest __P((struct frdest *, int));
1446 extern int fr_resolvefunc __P((void *));
1447 extern void *fr_resolvenic __P((char *, int));
1448 extern int fr_send_icmp_err __P((int, fr_info_t *, int));
1449 extern int fr_send_reset __P((fr_info_t *));
1450 #if (__FreeBSD_version < 501000) || !defined(_KERNEL)
1451 extern int ppsratecheck __P((struct timeval *, int *, int));
1453 extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
1454 extern void fr_deletequeueentry __P((ipftqent_t *));
1455 extern int fr_deletetimeoutqueue __P((ipftq_t *));
1456 extern void fr_freetimeoutqueue __P((ipftq_t *));
1457 extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *));
1458 extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *));
1459 extern void fr_queueback __P((ipftqent_t *));
1460 extern void fr_queuefront __P((ipftqent_t *));
1461 extern void fr_checkv4sum __P((fr_info_t *));
1462 extern int fr_checkl4sum __P((fr_info_t *));
1463 extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
1464 struct sockaddr_in *, struct in_addr *,
1466 extern int fr_coalesce __P((fr_info_t *));
1468 extern void fr_checkv6sum __P((fr_info_t *));
1469 extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
1470 struct sockaddr_in6 *, struct in_addr *,
1474 extern int fr_addipftune __P((ipftuneable_t *));
1475 extern int fr_delipftune __P((ipftuneable_t *));
1477 extern int frflush __P((minor_t, int, int));
1478 extern void frsync __P((void *));
1479 extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int));
1480 extern int fr_derefrule __P((frentry_t **));
1481 extern void fr_delgroup __P((char *, minor_t, int));
1482 extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***));
1484 extern int fr_loginit __P((void));
1485 extern int ipflog_canread __P((int));
1486 extern int ipflog_clear __P((minor_t));
1487 extern int ipflog_read __P((minor_t, uio_t *));
1488 extern int ipflog __P((fr_info_t *, u_int));
1489 extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
1490 extern void fr_logunload __P((void));
1492 extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
1493 extern int fr_copytolog __P((int, char *, int));
1494 extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *, int));
1495 extern void fr_deinitialise __P((void));
1496 extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
1497 extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1498 extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
1499 extern void fr_forgetifp __P((void *));
1500 extern frentry_t *fr_getrulen __P((int, char *, u_32_t));
1501 extern void fr_getstat __P((struct friostat *));
1502 extern int fr_ifpaddr __P((int, int, void *,
1503 struct in_addr *, struct in_addr *));
1504 extern int fr_initialise __P((void));
1505 extern int fr_lock __P((caddr_t, int *));
1506 extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
1507 extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
1508 extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1509 struct icmp *, int));
1510 extern u_32_t fr_newisn __P((fr_info_t *));
1511 extern u_short fr_nextipid __P((fr_info_t *));
1512 extern int ipf_queueflush __P((ipftq_delete_fn_t, ipftq_t *, ipftq_t *));
1513 extern int fr_rulen __P((int, frentry_t *));
1514 extern int fr_scanlist __P((fr_info_t *, u_32_t));
1515 extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
1516 extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
1517 extern int fr_verifysrc __P((fr_info_t *fin));
1518 extern int fr_zerostats __P((void *));
1519 extern ipftoken_t *ipf_findtoken __P((int, int, void *));
1520 extern int ipf_getnextrule __P((ipftoken_t *, void *));
1521 extern void ipf_expiretokens __P((void));
1522 extern void ipf_freetoken __P((ipftoken_t *));
1523 extern int ipf_deltoken __P((int,int, void *));
1524 extern int ipfsync __P((void));
1525 extern int ipf_genericiter __P((void *, int, void *));
1527 extern u_32_t ipf_random __P((void));
1529 #ifdef NEED_LOCAL_RAND
1530 extern void ipf_rand_push __P((void *, int));
1533 extern int fr_running;
1534 extern u_long fr_frouteok[2];
1536 extern int fr_flags;
1537 extern int fr_active;
1538 extern int fr_chksrc;
1539 extern int fr_minttl;
1540 extern int fr_refcnt;
1541 extern int fr_control_forwarding;
1542 extern int fr_update_ipid;
1543 extern int nat_logging;
1544 extern int ipstate_logging;
1545 extern int ipl_suppress;
1546 extern int ipl_logmax;
1547 extern int ipl_logall;
1548 extern int ipl_logsize;
1549 extern u_long fr_ticks;
1550 extern fr_info_t frcache[2][8];
1551 extern char ipfilter_version[];
1552 extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
1553 extern int iplused[IPL_LOGMAX + 1];
1554 extern struct frentry *ipfilter[2][2], *ipacct[2][2];
1556 extern struct frentry *ipfilter6[2][2], *ipacct6[2][2];
1557 extern int icmptoicmp6types[ICMP_MAXTYPE+1];
1558 extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
1559 extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
1561 extern int icmpreplytype4[ICMP_MAXTYPE + 1];
1562 extern struct frgroup *ipfgroups[IPL_LOGSIZE][2];
1563 extern struct filterstats frstats[];
1564 extern frentry_t *ipfrule_match __P((fr_info_t *));
1565 extern u_char ipf_iss_secret[32];
1566 extern ipftuneable_t ipf_tuneables[];
1568 #endif /* __IP_FIL_H__ */
projects / FreeBSD / releng / 9.2.git / blob