1 /*
2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_fil.h 1.35 6/5/96
7 * $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $
8 *
9 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
10 *
11 * Copyright (c) 2014, Joyent, Inc. All rights reserved.
12 */
13
14 #ifndef __IP_FIL_H__
15 #define __IP_FIL_H__
16
17 #include "netinet/ip_compat.h"
18 #include <sys/zone.h>
19
20 #ifdef SOLARIS
21 #undef SOLARIS
22 #endif
23 #if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
24 #define SOLARIS (1)
25 #else
26 #define SOLARIS (0)
27 #endif
28
29 #ifndef __P
30 # ifdef __STDC__
31 # define __P(x) x
32 # else
33 # define __P(x) ()
34 # endif
35 #endif
36
37 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
38 # define SIOCADAFR _IOW('r', 60, struct ipfobj)
98 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
99 # define SIOCGFRST _IOWR(r, 83, struct ipfobj)
100 # define SIOCSETLG _IOWR(r, 84, int)
101 # define SIOCGETLG _IOWR(r, 85, int)
102 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
103 # define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
104 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
105 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
106 # define SIOCIPFL6 _IOWR(r, 90, int)
107 # define SIOCIPFLP _IOWR(r, 91, int)
108 # define SIOCIPFITER _IOWR(r, 92, struct ipfobj)
109 # define SIOCGENITER _IOWR(r, 93, struct ipfobj)
110 # define SIOCGTABL _IOWR(r, 94, struct ipfobj)
111 # define SIOCIPFDELTOK _IOWR(r, 95, int)
112 # define SIOCLOOKUPITER _IOWR(r, 96, struct ipfobj)
113 #endif
114 #define SIOCADDFR SIOCADAFR
115 #define SIOCDELFR SIOCRMAFR
116 #define SIOCINSFR SIOCINAFR
117 # define SIOCIPFZONESET _IOWR('r', 97, struct ipfzoneobj)
118
119 /*
120 * What type of table is getting flushed?
121 */
122
123 #define NAT_FLUSH 1
124 #define STATE_FLUSH 2
125
126 /*
127 * What table flush options are available?
128 */
129
130 #define FLUSH_LIST 0
131 #define FLUSH_TABLE_ALL 1 /* Flush entire table */
132 #define FLUSH_TABLE_CLOSING 2 /* Flush "closing" entries" */
133 #define FLUSH_TABLE_EXTRA 3 /* Targetted flush: almost closed, long idle */
134
135 #define VALID_TABLE_FLUSH_OPT(x) ((x) >= 1 && (x) <= 3)
136
137 /*
582
583 union {
584 void *fru_data;
585 caddr_t fru_caddr;
586 fripf_t *fru_ipf;
587 frentfunc_t fru_func;
588 } fr_dun;
589
590 /*
591 * Fields after this may not change whilst in the kernel.
592 */
593 ipfunc_t fr_func; /* call this function */
594 int fr_dsize;
595 int fr_pps;
596 int fr_statemax; /* max reference count */
597 int fr_flineno; /* line number from conf file */
598 u_32_t fr_type;
599 u_32_t fr_flags; /* per-rule flags && options (see below) */
600 u_32_t fr_logtag; /* user defined log tag # */
601 u_32_t fr_collect; /* collection number */
602 u_int fr_arg; /* misc. numeric arg for rule */
603 u_int fr_loglevel; /* syslog log facility + priority */
604 u_int fr_age[2]; /* non-TCP timeouts */
605 u_char fr_v;
606 u_char fr_icode; /* return ICMP code */
607 char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
608 char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
609 ipftag_t fr_nattag;
610 char fr_ifnames[4][LIFNAMSIZ];
611 char fr_isctag[16];
612 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
613 frdest_t fr_dif; /* duplicate packet interface */
614 /*
615 * This must be last and will change after loaded into the kernel.
616 */
617 u_int fr_cksum; /* checksum on filter rules for performance */
618 } frentry_t;
619
620 #define fr_caddr fr_dun.fru_caddr
621 #define fr_data fr_dun.fru_data
710 #define FR_NOTSRCIP 0x00040
711 #define FR_NOTDSTIP 0x00080
712 #define FR_QUICK 0x00100 /* match & stop processing list */
713 #define FR_KEEPFRAG 0x00200 /* keep fragment information */
714 #define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
715 #define FR_FASTROUTE 0x00800 /* bypass normal routing */
716 #define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
717 #define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
718 #define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
719 #define FR_OUTQUE 0x04000 /* outgoing packets */
720 #define FR_INQUE 0x08000 /* ingoing packets */
721 #define FR_LOGBODY 0x10000 /* Log the body */
722 #define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
723 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
724 #define FR_DUP 0x80000 /* duplicate packet */
725 #define FR_FRSTRICT 0x100000 /* strict frag. cache */
726 #define FR_STSTRICT 0x200000 /* strict keep state */
727 #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
728 #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
729 #define FR_STATESYNC 0x1000000 /* synchronize state to slave */
730 #define FR_NOMATCH 0x8000000 /* no match occured */
731 /* 0x10000000 FF_LOGPASS */
732 /* 0x20000000 FF_LOGBLOCK */
733 /* 0x40000000 FF_LOGNOMATCH */
734 /* 0x80000000 FF_BLOCKNONIP */
735 #define FR_COPIED 0x40000000 /* copied from user space */
736 #define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
737
738 #define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
739 #define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
740 #define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
741 #define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
742 #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
743 #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
744 #define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
745 #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
746 #define FR_INOUT (FR_INQUE|FR_OUTQUE)
747
748 /*
749 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
865
866 #define ipl_sec ipl_time.tv_sec
867 #define ipl_usec ipl_time.tv_usec
868
869 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
870 #define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
871 #define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
872 #define IPLOG_SIZE sizeof(iplog_t)
873
874 typedef struct ipflog {
875 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
876 (defined(OpenBSD) && (OpenBSD >= 199603))
877 #else
878 u_int fl_unit;
879 #endif
880 u_32_t fl_rule;
881 u_32_t fl_flags;
882 u_32_t fl_lflags;
883 u_32_t fl_logtag;
884 ipftag_t fl_nattag;
885 u_short fl_plen; /* extra data after hlen */
886 u_short fl_loglevel; /* syslog log level */
887 char fl_group[FR_GROUPLEN];
888 u_char fl_hlen; /* length of IP headers saved */
889 u_char fl_dir;
890 u_char fl_xxx[2]; /* pad */
891 char fl_ifname[LIFNAMSIZ];
892 } ipflog_t;
893
894 #ifndef IPF_LOGGING
895 # define IPF_LOGGING 0
896 #endif
897 #ifndef IPF_DEFAULT_PASS
898 # define IPF_DEFAULT_PASS FR_PASS
899 #endif
900
901 #define DEFAULT_IPFLOGSIZE 8192
902 #ifndef IPFILTER_LOGSIZE
903 # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
904 #else
913 * Device filenames for reading log information. Use ipf on Solaris2 because
914 * ipl is already a name used by something else.
915 */
916 #ifndef IPL_NAME
917 # ifdef SOLARIS
918 # define IPL_NAME "/dev/ipf"
919 # else
920 # define IPL_NAME "/dev/ipl"
921 # endif
922 #endif
923 /*
924 * Pathnames for various IP Filter control devices. Used by LKM
925 * and userland, so defined here.
926 */
927 #define IPNAT_NAME "/dev/ipnat"
928 #define IPSTATE_NAME "/dev/ipstate"
929 #define IPAUTH_NAME "/dev/ipauth"
930 #define IPSYNC_NAME "/dev/ipsync"
931 #define IPSCAN_NAME "/dev/ipscan"
932 #define IPLOOKUP_NAME "/dev/iplookup"
933
934 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
935 #define IPL_LOGNAT 1
936 #define IPL_LOGSTATE 2
937 #define IPL_LOGAUTH 3
938 #define IPL_LOGSYNC 4
939 #define IPL_LOGSCAN 5
940 #define IPL_LOGLOOKUP 6
941 #define IPL_LOGCOUNT 7
942 #define IPL_LOGMAX 7
943 #define IPL_LOGSIZE (IPL_LOGMAX + 1)
944 #define IPL_LOGALL -1
945 #define IPL_LOGNONE -2
946
947 /*
948 * For SIOCGETFS
949 */
950 typedef struct friostat {
951 struct filterstats f_st[2];
952 struct frentry *f_ipf[2][2];
953 struct frentry *f_acct[2][2];
954 struct frentry *f_ipf6[2][2];
955 struct frentry *f_acct6[2][2];
956 struct frentry *f_auth;
957 struct frgroup *f_groups[IPL_LOGSIZE][2];
958 u_long f_froute[2];
959 u_long f_ticks;
960 int f_locks[IPL_LOGMAX];
961 size_t f_kmutex_sz;
962 size_t f_krwlock_sz;
1163 * Object structure description. For passing through in ioctls.
1164 */
1165 typedef struct ipfobj {
1166 u_32_t ipfo_rev; /* IPFilter version number */
1167 u_32_t ipfo_size; /* size of object at ipfo_ptr */
1168 void *ipfo_ptr; /* pointer to object */
1169 int ipfo_type; /* type of object being pointed to */
1170 int ipfo_offset; /* bytes from ipfo_ptr where to start */
1171 u_char ipfo_xxxpad[32]; /* reserved for future use */
1172 } ipfobj_t;
1173
1174 /*
1175 * ioctl struct for setting what zone further ioctls will act on. ipfz_gz is a
1176 * boolean: set it to 1 to operate on the GZ-controlled stack.
1177 */
1178 typedef struct ipfzoneobj {
1179 u_32_t ipfz_gz; /* GZ stack boolean */
1180 char ipfz_zonename[ZONENAME_MAX]; /* zone to act on */
1181 } ipfzoneobj_t;
1182
1183 #if defined(_KERNEL)
1184 /* Set ipfs_zoneid to this if no zone has been set: */
1185 #define IPFS_ZONE_UNSET -2
1186
1187 typedef struct ipf_devstate {
1188 zoneid_t ipfs_zoneid;
1189 minor_t ipfs_minor;
1190 boolean_t ipfs_gz;
1191 } ipf_devstate_t;
1192 #endif
1193
1194 #define IPFOBJ_FRENTRY 0 /* struct frentry */
1195 #define IPFOBJ_IPFSTAT 1 /* struct friostat */
1196 #define IPFOBJ_IPFINFO 2 /* struct fr_info */
1197 #define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
1198 #define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
1199 #define IPFOBJ_IPNAT 5 /* struct ipnat */
1200 #define IPFOBJ_NATSTAT 6 /* struct natstat */
1201 #define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
1202 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
1542 extern int frflush __P((minor_t, int, int, ipf_stack_t *));
1543 extern void frsync __P((int, int, void *, char *, ipf_stack_t *));
1544 #if SOLARIS2 >= 10
1545 extern void fr_ifindexsync __P((void *, void *, ipf_stack_t *));
1546 #endif
1547 extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int,
1548 ipf_stack_t *));
1549 extern int fr_derefrule __P((frentry_t **, ipf_stack_t *));
1550 extern void fr_delgroup __P((char *, minor_t, int, ipf_stack_t *));
1551 extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***,
1552 ipf_stack_t *));
1553
1554 extern int fr_loginit __P((ipf_stack_t *));
1555 extern int ipflog_clear __P((minor_t, ipf_stack_t *));
1556 extern int ipflog_read __P((minor_t, struct uio *, ipf_stack_t *));
1557 extern int ipflog __P((fr_info_t *, u_int));
1558 extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int,
1559 ipf_stack_t *));
1560 extern void fr_logunload __P((ipf_stack_t *));
1561
1562 extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
1563 extern int fr_copytolog __P((int, char *, int));
1564 extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
1565 extern void fr_deinitialise __P((ipf_stack_t *));
1566 extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
1567 extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1568 extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
1569 extern void fr_forgetifp __P((void *, ipf_stack_t *));
1570 extern frentry_t *fr_getrulen __P((int, char *, u_32_t,
1571 ipf_stack_t *));
1572 extern void fr_getstat __P((struct friostat *, ipf_stack_t *));
1573 extern int fr_ifpaddr __P((int, int, void *,
1574 struct in_addr *, struct in_addr *,
1575 ipf_stack_t *));
1576 extern int fr_initialise __P((ipf_stack_t *));
1577 extern int fr_lock __P((caddr_t, int *));
1578 extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
1579 extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
1580 extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1581 struct icmp *, int));
1 /*
2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_fil.h 1.35 6/5/96
7 * $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $
8 *
9 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
10 *
11 * Copyright 2019, Joyent, Inc.
12 */
13
14 #ifndef __IP_FIL_H__
15 #define __IP_FIL_H__
16
17 #include "netinet/ip_compat.h"
18 #include <sys/zone.h>
19 #include <sys/uuid.h>
20
21 #ifdef SOLARIS
22 #undef SOLARIS
23 #endif
24 #if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
25 #define SOLARIS (1)
26 #else
27 #define SOLARIS (0)
28 #endif
29
30 #ifndef __P
31 # ifdef __STDC__
32 # define __P(x) x
33 # else
34 # define __P(x) ()
35 # endif
36 #endif
37
38 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
39 # define SIOCADAFR _IOW('r', 60, struct ipfobj)
99 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
100 # define SIOCGFRST _IOWR(r, 83, struct ipfobj)
101 # define SIOCSETLG _IOWR(r, 84, int)
102 # define SIOCGETLG _IOWR(r, 85, int)
103 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
104 # define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
105 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
106 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
107 # define SIOCIPFL6 _IOWR(r, 90, int)
108 # define SIOCIPFLP _IOWR(r, 91, int)
109 # define SIOCIPFITER _IOWR(r, 92, struct ipfobj)
110 # define SIOCGENITER _IOWR(r, 93, struct ipfobj)
111 # define SIOCGTABL _IOWR(r, 94, struct ipfobj)
112 # define SIOCIPFDELTOK _IOWR(r, 95, int)
113 # define SIOCLOOKUPITER _IOWR(r, 96, struct ipfobj)
114 #endif
115 #define SIOCADDFR SIOCADAFR
116 #define SIOCDELFR SIOCRMAFR
117 #define SIOCINSFR SIOCINAFR
118 # define SIOCIPFZONESET _IOWR('r', 97, struct ipfzoneobj)
119 # define SIOCIPFCFWCFG _IOR('r', 98, struct ipfcfwcfg)
120 # define SIOCIPFCFWNEWSZ _IOWR('r', 99, struct ipfcfwcfg)
121
122 /*
123 * What type of table is getting flushed?
124 */
125
126 #define NAT_FLUSH 1
127 #define STATE_FLUSH 2
128
129 /*
130 * What table flush options are available?
131 */
132
133 #define FLUSH_LIST 0
134 #define FLUSH_TABLE_ALL 1 /* Flush entire table */
135 #define FLUSH_TABLE_CLOSING 2 /* Flush "closing" entries" */
136 #define FLUSH_TABLE_EXTRA 3 /* Targetted flush: almost closed, long idle */
137
138 #define VALID_TABLE_FLUSH_OPT(x) ((x) >= 1 && (x) <= 3)
139
140 /*
585
586 union {
587 void *fru_data;
588 caddr_t fru_caddr;
589 fripf_t *fru_ipf;
590 frentfunc_t fru_func;
591 } fr_dun;
592
593 /*
594 * Fields after this may not change whilst in the kernel.
595 */
596 ipfunc_t fr_func; /* call this function */
597 int fr_dsize;
598 int fr_pps;
599 int fr_statemax; /* max reference count */
600 int fr_flineno; /* line number from conf file */
601 u_32_t fr_type;
602 u_32_t fr_flags; /* per-rule flags && options (see below) */
603 u_32_t fr_logtag; /* user defined log tag # */
604 u_32_t fr_collect; /* collection number */
605 uuid_t fr_uuid; /* user defined uuid */
606 u_int fr_arg; /* misc. numeric arg for rule */
607 u_int fr_loglevel; /* syslog log facility + priority */
608 u_int fr_age[2]; /* non-TCP timeouts */
609 u_char fr_v;
610 u_char fr_icode; /* return ICMP code */
611 char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
612 char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
613 ipftag_t fr_nattag;
614 char fr_ifnames[4][LIFNAMSIZ];
615 char fr_isctag[16];
616 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
617 frdest_t fr_dif; /* duplicate packet interface */
618 /*
619 * This must be last and will change after loaded into the kernel.
620 */
621 u_int fr_cksum; /* checksum on filter rules for performance */
622 } frentry_t;
623
624 #define fr_caddr fr_dun.fru_caddr
625 #define fr_data fr_dun.fru_data
714 #define FR_NOTSRCIP 0x00040
715 #define FR_NOTDSTIP 0x00080
716 #define FR_QUICK 0x00100 /* match & stop processing list */
717 #define FR_KEEPFRAG 0x00200 /* keep fragment information */
718 #define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
719 #define FR_FASTROUTE 0x00800 /* bypass normal routing */
720 #define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
721 #define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
722 #define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
723 #define FR_OUTQUE 0x04000 /* outgoing packets */
724 #define FR_INQUE 0x08000 /* ingoing packets */
725 #define FR_LOGBODY 0x10000 /* Log the body */
726 #define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
727 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
728 #define FR_DUP 0x80000 /* duplicate packet */
729 #define FR_FRSTRICT 0x100000 /* strict frag. cache */
730 #define FR_STSTRICT 0x200000 /* strict keep state */
731 #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
732 #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
733 #define FR_STATESYNC 0x1000000 /* synchronize state to slave */
734 #define FR_CFWLOG 0x2000000 /* Global CFW logging enabled */
735 #define FR_NOMATCH 0x8000000 /* no match occured */
736 /* 0x10000000 FF_LOGPASS */
737 /* 0x20000000 FF_LOGBLOCK */
738 /* 0x40000000 FF_LOGNOMATCH */
739 /* 0x80000000 FF_BLOCKNONIP */
740 #define FR_COPIED 0x40000000 /* copied from user space */
741 #define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
742
743 #define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
744 #define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
745 #define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
746 #define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
747 #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
748 #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
749 #define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
750 #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
751 #define FR_INOUT (FR_INQUE|FR_OUTQUE)
752
753 /*
754 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
870
871 #define ipl_sec ipl_time.tv_sec
872 #define ipl_usec ipl_time.tv_usec
873
874 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
875 #define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
876 #define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
877 #define IPLOG_SIZE sizeof(iplog_t)
878
879 typedef struct ipflog {
880 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
881 (defined(OpenBSD) && (OpenBSD >= 199603))
882 #else
883 u_int fl_unit;
884 #endif
885 u_32_t fl_rule;
886 u_32_t fl_flags;
887 u_32_t fl_lflags;
888 u_32_t fl_logtag;
889 ipftag_t fl_nattag;
890 uuid_t fl_uuid;
891 u_short fl_plen; /* extra data after hlen */
892 u_short fl_loglevel; /* syslog log level */
893 char fl_group[FR_GROUPLEN];
894 u_char fl_hlen; /* length of IP headers saved */
895 u_char fl_dir;
896 u_char fl_xxx[2]; /* pad */
897 char fl_ifname[LIFNAMSIZ];
898 } ipflog_t;
899
900 #ifndef IPF_LOGGING
901 # define IPF_LOGGING 0
902 #endif
903 #ifndef IPF_DEFAULT_PASS
904 # define IPF_DEFAULT_PASS FR_PASS
905 #endif
906
907 #define DEFAULT_IPFLOGSIZE 8192
908 #ifndef IPFILTER_LOGSIZE
909 # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
910 #else
919 * Device filenames for reading log information. Use ipf on Solaris2 because
920 * ipl is already a name used by something else.
921 */
922 #ifndef IPL_NAME
923 # ifdef SOLARIS
924 # define IPL_NAME "/dev/ipf"
925 # else
926 # define IPL_NAME "/dev/ipl"
927 # endif
928 #endif
929 /*
930 * Pathnames for various IP Filter control devices. Used by LKM
931 * and userland, so defined here.
932 */
933 #define IPNAT_NAME "/dev/ipnat"
934 #define IPSTATE_NAME "/dev/ipstate"
935 #define IPAUTH_NAME "/dev/ipauth"
936 #define IPSYNC_NAME "/dev/ipsync"
937 #define IPSCAN_NAME "/dev/ipscan"
938 #define IPLOOKUP_NAME "/dev/iplookup"
939 #define IPFEV_NAME "/dev/ipfev"
940
941 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
942 #define IPL_LOGNAT 1
943 #define IPL_LOGSTATE 2
944 #define IPL_LOGAUTH 3
945 #define IPL_LOGSYNC 4
946 #define IPL_LOGSCAN 5
947 #define IPL_LOGLOOKUP 6
948 #define IPL_LOGEV 7
949 #define IPL_LOGCOUNT 8
950 #define IPL_LOGMAX 8
951 #define IPL_LOGSIZE (IPL_LOGMAX + 1)
952 #define IPL_LOGALL -1
953 #define IPL_LOGNONE -2
954
955 /*
956 * For SIOCGETFS
957 */
958 typedef struct friostat {
959 struct filterstats f_st[2];
960 struct frentry *f_ipf[2][2];
961 struct frentry *f_acct[2][2];
962 struct frentry *f_ipf6[2][2];
963 struct frentry *f_acct6[2][2];
964 struct frentry *f_auth;
965 struct frgroup *f_groups[IPL_LOGSIZE][2];
966 u_long f_froute[2];
967 u_long f_ticks;
968 int f_locks[IPL_LOGMAX];
969 size_t f_kmutex_sz;
970 size_t f_krwlock_sz;
1171 * Object structure description. For passing through in ioctls.
1172 */
1173 typedef struct ipfobj {
1174 u_32_t ipfo_rev; /* IPFilter version number */
1175 u_32_t ipfo_size; /* size of object at ipfo_ptr */
1176 void *ipfo_ptr; /* pointer to object */
1177 int ipfo_type; /* type of object being pointed to */
1178 int ipfo_offset; /* bytes from ipfo_ptr where to start */
1179 u_char ipfo_xxxpad[32]; /* reserved for future use */
1180 } ipfobj_t;
1181
1182 /*
1183 * ioctl struct for setting what zone further ioctls will act on. ipfz_gz is a
1184 * boolean: set it to 1 to operate on the GZ-controlled stack.
1185 */
1186 typedef struct ipfzoneobj {
1187 u_32_t ipfz_gz; /* GZ stack boolean */
1188 char ipfz_zonename[ZONENAME_MAX]; /* zone to act on */
1189 } ipfzoneobj_t;
1190
1191 /* ioctl to grab CFW logging parameters */
1192 typedef struct ipfcfwcfg {
1193 /* CFG => Max event size, NEWSZ => ignored in, like CFG out. */
1194 uint32_t ipfcfwc_maxevsize;
1195 /*
1196 * CFG => Current ring size,
1197 * NEWSZ => New ring size, must be 2^N for 3 <= N <= 31.
1198 */
1199 uint32_t ipfcfwc_evringsize;
1200 /* CFG => Number of event reports, NEWSZ => ignored in, like CFG out. */
1201 uint64_t ipfcfwc_evreports;
1202 /* CFG => Number of event drops, NEWSZ => ignored in, like CFG out. */
1203 uint64_t ipfcfwc_evdrops;
1204 } ipfcfwcfg_t;
1205
1206 #if defined(_KERNEL)
1207 /* Set ipfs_zoneid to this if no zone has been set: */
1208 #define IPFS_ZONE_UNSET -2
1209
1210 typedef struct ipf_devstate {
1211 zoneid_t ipfs_zoneid;
1212 minor_t ipfs_minor;
1213 boolean_t ipfs_gz;
1214 } ipf_devstate_t;
1215 #endif
1216
1217 #define IPFOBJ_FRENTRY 0 /* struct frentry */
1218 #define IPFOBJ_IPFSTAT 1 /* struct friostat */
1219 #define IPFOBJ_IPFINFO 2 /* struct fr_info */
1220 #define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
1221 #define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
1222 #define IPFOBJ_IPNAT 5 /* struct ipnat */
1223 #define IPFOBJ_NATSTAT 6 /* struct natstat */
1224 #define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
1225 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
1565 extern int frflush __P((minor_t, int, int, ipf_stack_t *));
1566 extern void frsync __P((int, int, void *, char *, ipf_stack_t *));
1567 #if SOLARIS2 >= 10
1568 extern void fr_ifindexsync __P((void *, void *, ipf_stack_t *));
1569 #endif
1570 extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int,
1571 ipf_stack_t *));
1572 extern int fr_derefrule __P((frentry_t **, ipf_stack_t *));
1573 extern void fr_delgroup __P((char *, minor_t, int, ipf_stack_t *));
1574 extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***,
1575 ipf_stack_t *));
1576
1577 extern int fr_loginit __P((ipf_stack_t *));
1578 extern int ipflog_clear __P((minor_t, ipf_stack_t *));
1579 extern int ipflog_read __P((minor_t, struct uio *, ipf_stack_t *));
1580 extern int ipflog __P((fr_info_t *, u_int));
1581 extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int,
1582 ipf_stack_t *));
1583 extern void fr_logunload __P((ipf_stack_t *));
1584
1585 /* SmartOS single-FD global-zone state accumulator (see cfw.c) */
1586 extern boolean_t ipf_cfwlog_enabled;
1587 struct ipstate; /* Ugggh. */
1588 extern void ipf_log_cfwlog __P((struct ipstate *, uint_t, ipf_stack_t *));
1589 extern void ipf_block_cfwlog __P((frentry_t *, fr_info_t *, ipf_stack_t *));
1590 #define IFS_CFWLOG(ifs, fr) ((ifs)->ifs_gz_controlled && ipf_cfwlog_enabled &&\
1591 fr != NULL && ((fr)->fr_flags & FR_CFWLOG))
1592 struct cfwev_s; /* See ipf_cfw.h */
1593 extern boolean_t ipf_cfwev_consume __P((struct cfwev_s *, boolean_t));
1594 /* See cfw.c's ipf_cfwev_consume_many() for details. */
1595 typedef uint_t (*cfwmanycb_t) __P((struct cfwev_s *, uint_t, void *));
1596 extern uint_t
1597 ipf_cfwev_consume_many __P((uint_t, boolean_t, cfwmanycb_t, void *));
1598 extern int ipf_cfwlog_read __P((dev_t, struct uio *, struct cred *));
1599 extern int ipf_cfwlog_ioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1600 #define IPF_CFW_RING_ALLOCATE 0
1601 #define IPF_CFW_RING_DESTROY 1
1602 extern int ipf_cfw_ring_resize(uint32_t);
1603
1604 extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
1605 extern int fr_copytolog __P((int, char *, int));
1606 extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
1607 extern void fr_deinitialise __P((ipf_stack_t *));
1608 extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
1609 extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1610 extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
1611 extern void fr_forgetifp __P((void *, ipf_stack_t *));
1612 extern frentry_t *fr_getrulen __P((int, char *, u_32_t,
1613 ipf_stack_t *));
1614 extern void fr_getstat __P((struct friostat *, ipf_stack_t *));
1615 extern int fr_ifpaddr __P((int, int, void *,
1616 struct in_addr *, struct in_addr *,
1617 ipf_stack_t *));
1618 extern int fr_initialise __P((ipf_stack_t *));
1619 extern int fr_lock __P((caddr_t, int *));
1620 extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
1621 extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
1622 extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1623 struct icmp *, int));
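Review bot: In the new `IFS_CFWLOG` macro the `fr` argument is tested unparenthesized, `fr != NULL && ((fr)->fr_flags & FR_CFWLOG)`, while the other uses wrap it; `(fr) != NULL` keeps the macro safe for any expression argument and matches the `FR_IS*` macros above it. The new prototype `extern int ipf_cfw_ring_resize(uint32_t);` is the only declaration in this block that skips the file's `__P(())` wrapper; `extern int ipf_cfw_ring_resize __P((uint32_t));` keeps it consistent. Separately, `uuid_t fl_uuid;` is inserted in the middle of `ipflog_t`, which changes the layout of every log record read through the log devices, yet `IPL_MAGIC`, `IPL_MAGIC_NAT` and `IPL_MAGIC_STATE` are unchanged; if a log reader keys on those magics alone (the reader is not visible here) it cannot tell old and new records apart, so a comment on `fl_uuid` noting the record-format change, or a bump of the magics, would help. The ring-size constraint on `ipfcfwc_evringsize` (`2^N for 3 <= N <= 31`) lives only in a comment even though the value arrives from userland via `SIOCIPFCFWNEWSZ`; naming the bounds as constants in this header lets the validation in cfw.c and this comment stay in sync.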