Print this page
OS-7667 IPFilter needs to keep and report state for cloud firewall logging
Portions contributed by: Mike Gerdts <mike.gerdts@joyent.com>
| Split |
Close |
| Expand all |
| Collapse all |
--- old/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
+++ new/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
1 1 /*
2 2 * Copyright (C) 1993-2001, 2003 by Darren Reed.
3 3 *
4 4 * See the IPFILTER.LICENCE file for details on licencing.
5 5 *
6 6 * @(#)ip_fil.h 1.35 6/5/96
7 7 * $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $
8 8 *
9 9 * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
10 10 *
11 - * Copyright (c) 2014, Joyent, Inc. All rights reserved.
11 + * Copyright 2019, Joyent, Inc.
12 12 */
13 13
14 14 #ifndef __IP_FIL_H__
15 15 #define __IP_FIL_H__
16 16
17 17 #include "netinet/ip_compat.h"
18 18 #include <sys/zone.h>
19 +#include <sys/uuid.h>
19 20
20 21 #ifdef SOLARIS
21 22 #undef SOLARIS
22 23 #endif
23 24 #if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
24 25 #define SOLARIS (1)
25 26 #else
26 27 #define SOLARIS (0)
27 28 #endif
28 29
29 30 #ifndef __P
30 31 # ifdef __STDC__
31 32 # define __P(x) x
32 33 # else
33 34 # define __P(x) ()
34 35 # endif
35 36 #endif
36 37
37 38 #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
38 39 # define SIOCADAFR _IOW('r', 60, struct ipfobj)
39 40 # define SIOCRMAFR _IOW('r', 61, struct ipfobj)
40 41 # define SIOCSETFF _IOW('r', 62, u_int)
41 42 # define SIOCGETFF _IOR('r', 63, u_int)
42 43 # define SIOCGETFS _IOWR('r', 64, struct ipfobj)
43 44 # define SIOCIPFFL _IOWR('r', 65, int)
44 45 # define SIOCIPFFB _IOR('r', 66, int)
45 46 # define SIOCADIFR _IOW('r', 67, struct ipfobj)
46 47 # define SIOCRMIFR _IOW('r', 68, struct ipfobj)
47 48 # define SIOCSWAPA _IOR('r', 69, u_int)
48 49 # define SIOCINAFR _IOW('r', 70, struct ipfobj)
49 50 # define SIOCINIFR _IOW('r', 71, struct ipfobj)
50 51 # define SIOCFRENB _IOW('r', 72, u_int)
51 52 # define SIOCFRSYN _IOW('r', 73, u_int)
52 53 # define SIOCFRZST _IOWR('r', 74, struct ipfobj)
53 54 # define SIOCZRLST _IOWR('r', 75, struct ipfobj)
54 55 # define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
55 56 # define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
56 57 # define SIOCATHST _IOWR('r', 78, struct ipfobj)
57 58 # define SIOCSTLCK _IOWR('r', 79, u_int)
58 59 # define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
59 60 # define SIOCSTGET _IOWR('r', 81, struct ipfobj)
60 61 # define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
61 62 # define SIOCGFRST _IOWR('r', 83, struct ipfobj)
62 63 # define SIOCSETLG _IOWR('r', 84, int)
63 64 # define SIOCGETLG _IOWR('r', 85, int)
64 65 # define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
65 66 # define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
66 67 # define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
67 68 # define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
68 69 # define SIOCIPFL6 _IOWR('r', 90, int)
69 70 # define SIOCIPFLP _IOWR('r', 91, int)
70 71 # define SIOCIPFITER _IOWR('r', 92, struct ipfobj)
71 72 # define SIOCGENITER _IOWR('r', 93, struct ipfobj)
72 73 # define SIOCGTABL _IOWR('r', 94, struct ipfobj)
73 74 # define SIOCIPFDELTOK _IOWR('r', 95, int)
74 75 # define SIOCLOOKUPITER _IOWR('r', 96, struct ipfobj)
75 76 #else
76 77 # define SIOCADAFR _IOW(r, 60, struct ipfobj)
77 78 # define SIOCRMAFR _IOW(r, 61, struct ipfobj)
78 79 # define SIOCSETFF _IOW(r, 62, u_int)
79 80 # define SIOCGETFF _IOR(r, 63, u_int)
80 81 # define SIOCGETFS _IOWR(r, 64, struct ipfobj)
81 82 # define SIOCIPFFL _IOWR(r, 65, int)
82 83 # define SIOCIPFFB _IOR(r, 66, int)
83 84 # define SIOCADIFR _IOW(r, 67, struct ipfobj)
84 85 # define SIOCRMIFR _IOW(r, 68, struct ipfobj)
85 86 # define SIOCSWAPA _IOR(r, 69, u_int)
86 87 # define SIOCINAFR _IOW(r, 70, struct ipfobj)
87 88 # define SIOCINIFR _IOW(r, 71, struct ipfobj)
88 89 # define SIOCFRENB _IOW(r, 72, u_int)
89 90 # define SIOCFRSYN _IOW(r, 73, u_int)
90 91 # define SIOCFRZST _IOWR(r, 74, struct ipfobj)
91 92 # define SIOCZRLST _IOWR(r, 75, struct ipfobj)
92 93 # define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
93 94 # define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
94 95 # define SIOCATHST _IOWR(r, 78, struct ipfobj)
95 96 # define SIOCSTLCK _IOWR(r, 79, u_int)
96 97 # define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
97 98 # define SIOCSTGET _IOWR(r, 81, struct ipfobj)
98 99 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
99 100 # define SIOCGFRST _IOWR(r, 83, struct ipfobj)
100 101 # define SIOCSETLG _IOWR(r, 84, int)
101 102 # define SIOCGETLG _IOWR(r, 85, int)
102 103 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
103 104 # define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
104 105 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
105 106 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
106 107 # define SIOCIPFL6 _IOWR(r, 90, int)
107 108 # define SIOCIPFLP _IOWR(r, 91, int)
|
↓ open down ↓ |
79 lines elided |
↑ open up ↑ |
108 109 # define SIOCIPFITER _IOWR(r, 92, struct ipfobj)
109 110 # define SIOCGENITER _IOWR(r, 93, struct ipfobj)
110 111 # define SIOCGTABL _IOWR(r, 94, struct ipfobj)
111 112 # define SIOCIPFDELTOK _IOWR(r, 95, int)
112 113 # define SIOCLOOKUPITER _IOWR(r, 96, struct ipfobj)
113 114 #endif
114 115 #define SIOCADDFR SIOCADAFR
115 116 #define SIOCDELFR SIOCRMAFR
116 117 #define SIOCINSFR SIOCINAFR
117 118 # define SIOCIPFZONESET _IOWR('r', 97, struct ipfzoneobj)
119 +# define SIOCIPFCFWCFG _IOR('r', 98, struct ipfcfwcfg)
120 +# define SIOCIPFCFWNEWSZ _IOWR('r', 99, struct ipfcfwcfg)
118 121
119 122 /*
120 123 * What type of table is getting flushed?
121 124 */
122 125
123 126 #define NAT_FLUSH 1
124 127 #define STATE_FLUSH 2
125 128
126 129 /*
127 130 * What table flush options are available?
128 131 */
129 132
130 133 #define FLUSH_LIST 0
131 134 #define FLUSH_TABLE_ALL 1 /* Flush entire table */
132 135 #define FLUSH_TABLE_CLOSING 2 /* Flush "closing" entries" */
133 136 #define FLUSH_TABLE_EXTRA 3 /* Targetted flush: almost closed, long idle */
134 137
135 138 #define VALID_TABLE_FLUSH_OPT(x) ((x) >= 1 && (x) <= 3)
136 139
137 140 /*
138 141 * Define the default hi and lo watermarks used when flushing the
139 142 * tables. The values represent percent full of respective tables.
140 143 */
141 144
142 145 #define NAT_FLUSH_HI 95
143 146 #define NAT_FLUSH_LO 75
144 147
145 148 #define ST_FLUSH_HI 95
146 149 #define ST_FLUSH_LO 75
147 150
148 151 /*
149 152 * How full are the tables?
150 153 */
151 154
152 155 #define NAT_TAB_WATER_LEVEL(x) ((x)->ifs_nat_stats.ns_inuse * 100 \
153 156 / (x)->ifs_ipf_nattable_max)
154 157
155 158 #define ST_TAB_WATER_LEVEL(x) ((x)->ifs_ips_num * 100 \
156 159 / (x)->ifs_fr_statemax)
157 160
158 161 struct ipscan;
159 162 struct ifnet;
160 163
161 164 typedef struct ipf_stack ipf_stack_t;
162 165 typedef struct fr_info fr_info_t;
163 166
164 167 typedef int (* lookupfunc_t) __P((void *, int, void *, fr_info_t *, ipf_stack_t *));
165 168
166 169 /*
167 170 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
168 171 * as other types of objects, depending on its qualifier.
169 172 */
170 173 #ifdef USE_INET6
171 174 typedef union i6addr {
172 175 u_32_t i6[4];
173 176 struct in_addr in4;
174 177 struct in6_addr in6;
175 178 void *vptr[2];
176 179 lookupfunc_t lptr[2];
177 180 } i6addr_t;
178 181 #define in6_addr8 in6.s6_addr
179 182 #else
180 183 typedef union i6addr {
181 184 u_32_t i6[4];
182 185 struct in_addr in4;
183 186 void *vptr[2];
184 187 lookupfunc_t lptr[2];
185 188 } i6addr_t;
186 189 #endif
187 190
188 191 #define in4_addr in4.s_addr
189 192 #define iplookupnum i6[0]
190 193 #define iplookuptype i6[1]
191 194 /*
192 195 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
193 196 */
194 197 #define iplookupptr vptr[0]
195 198 #define iplookupfunc lptr[1]
196 199
197 200 #define I60(x) (((i6addr_t *)(x))->i6[0])
198 201 #define I61(x) (((i6addr_t *)(x))->i6[1])
199 202 #define I62(x) (((i6addr_t *)(x))->i6[2])
200 203 #define I63(x) (((i6addr_t *)(x))->i6[3])
201 204 #define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
202 205 #define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
203 206 #define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
204 207 #define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
205 208
206 209 #define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
207 210 (I61(a) == I61(b)) && (I60(a) == I60(b)))
208 211 #define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
209 212 (I61(a) != I61(b)) || (I60(a) != I60(b)))
210 213 #define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
211 214 #define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
212 215 #define IP6_ISONES(a) ((I63(a) == 0xffffffff) && (I62(a) == 0xffffffff) && \
213 216 (I61(a) == 0xffffffff) && (I60(a) == 0xffffffff))
214 217 #define IP6_GT(a,b) (ntohl(HI60(a)) > ntohl(HI60(b)) || \
215 218 (HI60(a) == HI60(b) && \
216 219 (ntohl(HI61(a)) > ntohl(HI61(b)) || \
217 220 (HI61(a) == HI61(b) && \
218 221 (ntohl(HI62(a)) > ntohl(HI62(b)) || \
219 222 (HI62(a) == HI62(b) && \
220 223 ntohl(HI63(a)) > ntohl(HI63(b))))))))
221 224 #define IP6_LT(a,b) (ntohl(HI60(a)) < ntohl(HI60(b)) || \
222 225 (HI60(a) == HI60(b) && \
223 226 (ntohl(HI61(a)) < ntohl(HI61(b)) || \
224 227 (HI61(a) == HI61(b) && \
225 228 (ntohl(HI62(a)) < ntohl(HI62(b)) || \
226 229 (HI62(a) == HI62(b) && \
227 230 ntohl(HI63(a)) < ntohl(HI63(b))))))))
228 231 #define NLADD(n,x) htonl(ntohl(n) + (x))
229 232 #define IP6_INC(a) \
230 233 { i6addr_t *_i6 = (i6addr_t *)(a); \
231 234 _i6->i6[3] = NLADD(_i6->i6[3], 1); \
232 235 if (_i6->i6[3] == 0) { \
233 236 _i6->i6[2] = NLADD(_i6->i6[2], 1); \
234 237 if (_i6->i6[2] == 0) { \
235 238 _i6->i6[1] = NLADD(_i6->i6[1], 1); \
236 239 if (_i6->i6[1] == 0) { \
237 240 _i6->i6[0] = NLADD(_i6->i6[0], 1); \
238 241 } \
239 242 } \
240 243 } \
241 244 }
242 245 #define IP6_ADD(a,x,d) \
243 246 { i6addr_t *_s = (i6addr_t *)(a); \
244 247 i6addr_t *_d = (i6addr_t *)(d); \
245 248 _d->i6[3] = NLADD(_s->i6[3], x); \
246 249 if (ntohl(_d->i6[3]) < ntohl(_s->i6[3])) { \
247 250 _d->i6[2] = NLADD(_d->i6[2], 1); \
248 251 if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
249 252 _d->i6[1] = NLADD(_d->i6[1], 1); \
250 253 if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
251 254 _d->i6[0] = NLADD(_d->i6[0], 1); \
252 255 } \
253 256 } \
254 257 } \
255 258 }
256 259 #define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
257 260 i6addr_t *_s2 = (i6addr_t *)(b); \
258 261 i6addr_t *_d = (i6addr_t *)(d); \
259 262 _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
260 263 _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
261 264 _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
262 265 _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
263 266 }
264 267 #define IP6_MASKEQ(a,m,b) \
265 268 (((I60(a) & I60(m)) == I60(b)) && \
266 269 ((I61(a) & I61(m)) == I61(b)) && \
267 270 ((I62(a) & I62(m)) == I62(b)) && \
268 271 ((I63(a) & I63(m)) == I63(b)))
269 272 #define IP6_MASKNEQ(a,m,b) \
270 273 (((I60(a) & I60(m)) != I60(b)) || \
271 274 ((I61(a) & I61(m)) != I61(b)) || \
272 275 ((I62(a) & I62(m)) != I62(b)) || \
273 276 ((I63(a) & I63(m)) != I63(b)))
274 277 #define IP6_MERGE(a,b,c) \
275 278 { i6addr_t *_d, *_s1, *_s2; \
276 279 _d = (i6addr_t *)(a); \
277 280 _s1 = (i6addr_t *)(b); \
278 281 _s2 = (i6addr_t *)(c); \
279 282 _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
280 283 _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
281 284 _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
282 285 _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
283 286 }
284 287
285 288
286 289 typedef struct fr_ip {
287 290 u_32_t fi_v:4; /* IP version */
288 291 u_32_t fi_xx:4; /* spare */
289 292 u_32_t fi_tos:8; /* IP packet TOS */
290 293 u_32_t fi_ttl:8; /* IP packet TTL */
291 294 u_32_t fi_p:8; /* IP packet protocol */
292 295 u_32_t fi_optmsk; /* bitmask composed from IP options */
293 296 i6addr_t fi_src; /* source address from packet */
294 297 i6addr_t fi_dst; /* destination address from packet */
295 298 u_short fi_secmsk; /* bitmask composed from IP security options */
296 299 u_short fi_auth; /* authentication code from IP sec. options */
297 300 u_32_t fi_flx; /* packet flags */
298 301 u_32_t fi_tcpmsk; /* TCP options set/reset */
299 302 u_32_t fi_res1; /* RESERVED */
300 303 } fr_ip_t;
301 304
302 305 /*
303 306 * For use in fi_flx
304 307 */
305 308 #define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
306 309 #define FI_OPTIONS 0x0002
307 310 #define FI_FRAG 0x0004
308 311 #define FI_SHORT 0x0008
309 312 #define FI_NATED 0x0010
310 313 #define FI_MULTICAST 0x0020
311 314 #define FI_BROADCAST 0x0040
312 315 #define FI_MBCAST 0x0080
313 316 #define FI_STATE 0x0100
314 317 #define FI_BADNAT 0x0200
315 318 #define FI_BAD 0x0400
316 319 #define FI_OOW 0x0800 /* Out of state window, else match */
317 320 #define FI_ICMPERR 0x1000
318 321 #define FI_FRAGBODY 0x2000
319 322 #define FI_BADSRC 0x4000
320 323 #define FI_LOWTTL 0x8000
321 324 #define FI_CMP 0xcf03 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL,broadcast */
322 325 #define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
323 326 #define FI_WITH 0xeffe /* Not FI_TCPUDP */
324 327 #define FI_V6EXTHDR 0x10000
325 328 #define FI_COALESCE 0x20000
326 329 #define FI_ICMPQUERY 0x40000
327 330 #define FI_NEWNAT 0x80000
328 331 #define FI_MOREFRAG 0x100000
329 332 #define FI_NEG_OOW 0x10000000 /* packet underflows TCP window */
330 333 #define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
331 334 #define FI_DONTCACHE 0x40000000 /* don't cache the result */
332 335 #define FI_IGNORE 0x80000000
333 336
334 337 #define fi_saddr fi_src.in4.s_addr
335 338 #define fi_daddr fi_dst.in4.s_addr
336 339 #define fi_srcnum fi_src.iplookupnum
337 340 #define fi_dstnum fi_dst.iplookupnum
338 341 #define fi_srctype fi_src.iplookuptype
339 342 #define fi_dsttype fi_dst.iplookuptype
340 343 #define fi_srcptr fi_src.iplookupptr
341 344 #define fi_dstptr fi_dst.iplookupptr
342 345 #define fi_srcfunc fi_src.iplookupfunc
343 346 #define fi_dstfunc fi_dst.iplookupfunc
344 347
345 348
346 349 /*
347 350 * These are both used by the state and NAT code to indicate that one port or
348 351 * the other should be treated as a wildcard.
349 352 * NOTE: When updating, check bit masks in ip_state.h and update there too.
350 353 */
351 354 #define SI_W_SPORT 0x00000100
352 355 #define SI_W_DPORT 0x00000200
353 356 #define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
354 357 #define SI_W_SADDR 0x00000400
355 358 #define SI_W_DADDR 0x00000800
356 359 #define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
357 360 #define SI_NEWFR 0x00001000
358 361 #define SI_CLONE 0x00002000
359 362 #define SI_CLONED 0x00004000
360 363
361 364
362 365
363 366
364 367 struct fr_info {
365 368 void *fin_ifp; /* interface packet is `on' */
366 369 fr_ip_t fin_fi; /* IP Packet summary */
367 370 union {
368 371 u_short fid_16[2]; /* TCP/UDP ports, ICMP code/type */
369 372 u_32_t fid_32;
370 373 } fin_dat;
371 374 int fin_out; /* in or out ? 1 == out, 0 == in */
372 375 int fin_rev; /* state only: 1 = reverse */
373 376 u_short fin_hlen; /* length of IP header in bytes */
374 377 u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
375 378 u_char fin_icode; /* ICMP error to return */
376 379 u_32_t fin_rule; /* rule # last matched */
377 380 char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
378 381 struct frentry *fin_fr; /* last matching rule */
379 382 void *fin_dp; /* start of data past IP header */
380 383 int fin_dlen; /* length of data portion of packet */
381 384 int fin_plen;
382 385 int fin_ipoff; /* # bytes from buffer start to hdr */
383 386 u_32_t fin_id; /* IP packet id field */
384 387 u_short fin_off;
385 388 int fin_depth; /* Group nesting depth */
386 389 int fin_error; /* Error code to return */
387 390 u_int fin_pktnum;
388 391 void *fin_nattag;
389 392 union {
390 393 ip_t *fip_ip;
391 394 #ifdef USE_INET6
392 395 ip6_t *fip_ip6;
393 396 #endif
394 397 } fin_ipu;
395 398 mb_t **fin_mp; /* pointer to pointer to mbuf */
396 399 mb_t *fin_m; /* pointer to mbuf */
397 400 #ifdef MENTAT
398 401 mb_t *fin_qfm; /* pointer to mblk where pkt starts */
399 402 void *fin_qpi;
400 403 ipf_stack_t *fin_ifs;
401 404 #endif
402 405 #ifdef __sgi
403 406 void *fin_hbuf;
404 407 #endif
405 408 };
406 409
407 410 #define fin_ip fin_ipu.fip_ip
408 411 #define fin_ip6 fin_ipu.fip_ip6
409 412 #define fin_v fin_fi.fi_v
410 413 #define fin_p fin_fi.fi_p
411 414 #define fin_flx fin_fi.fi_flx
412 415 #define fin_optmsk fin_fi.fi_optmsk
413 416 #define fin_secmsk fin_fi.fi_secmsk
414 417 #define fin_auth fin_fi.fi_auth
415 418 #define fin_src fin_fi.fi_src.in4
416 419 #define fin_saddr fin_fi.fi_saddr
417 420 #define fin_dst fin_fi.fi_dst.in4
418 421 #define fin_daddr fin_fi.fi_daddr
419 422 #define fin_data fin_dat.fid_16
420 423 #define fin_sport fin_dat.fid_16[0]
421 424 #define fin_dport fin_dat.fid_16[1]
422 425 #define fin_ports fin_dat.fid_32
423 426
424 427 #ifdef USE_INET6
425 428 # define fin_src6 fin_fi.fi_src
426 429 # define fin_dst6 fin_fi.fi_dst
427 430 # define fin_dstip6 fin_fi.fi_dst.in6
428 431 # define fin_srcip6 fin_fi.fi_src.in6
429 432 #endif
430 433
431 434 #define IPF_IN 0
432 435 #define IPF_OUT 1
433 436
434 437 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
435 438 typedef int (*ipfuncinit_t) __P((struct frentry *,
436 439 ipf_stack_t *));
437 440
438 441 typedef struct ipfunc_resolve {
439 442 char ipfu_name[32];
440 443 ipfunc_t ipfu_addr;
441 444 ipfuncinit_t ipfu_init;
442 445 } ipfunc_resolve_t;
443 446
444 447 /*
445 448 * Size for compares on fr_info structures
446 449 */
447 450 #define FI_CSIZE offsetof(fr_info_t, fin_icode)
448 451 #define FI_LCSIZE offsetof(fr_info_t, fin_dp)
449 452
450 453 /*
451 454 * Size for copying cache fr_info structure
452 455 */
453 456 #define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
454 457
455 458 /*
456 459 * Structure for holding IPFilter's tag information
457 460 */
458 461 #define IPFTAG_LEN 16
459 462 typedef struct {
460 463 union {
461 464 u_32_t iptu_num[4];
462 465 char iptu_tag[IPFTAG_LEN];
463 466 } ipt_un;
464 467 int ipt_not;
465 468 } ipftag_t;
466 469
467 470 #define ipt_tag ipt_un.iptu_tag
468 471 #define ipt_num ipt_un.iptu_num
469 472
470 473
471 474 /*
472 475 * This structure is used to hold information about the next hop for where
473 476 * to forward a packet.
474 477 */
475 478 typedef struct frdest {
476 479 void *fd_ifp;
477 480 i6addr_t fd_ip6;
478 481 char fd_ifname[LIFNAMSIZ];
479 482 } frdest_t;
480 483
481 484 #define fd_ip fd_ip6.in4
482 485
483 486
484 487 /*
485 488 * This structure holds information about a port comparison.
486 489 */
487 490 typedef struct frpcmp {
488 491 int frp_cmp; /* data for port comparisons */
489 492 u_short frp_port; /* top port for <> and >< */
490 493 u_short frp_top; /* top port for <> and >< */
491 494 } frpcmp_t;
492 495
493 496 #define FR_NONE 0
494 497 #define FR_EQUAL 1
495 498 #define FR_NEQUAL 2
496 499 #define FR_LESST 3
497 500 #define FR_GREATERT 4
498 501 #define FR_LESSTE 5
499 502 #define FR_GREATERTE 6
500 503 #define FR_OUTRANGE 7
501 504 #define FR_INRANGE 8
502 505 #define FR_INCRANGE 9
503 506
504 507 /*
505 508 * Structure containing all the relevant TCP things that can be checked in
506 509 * a filter rule.
507 510 */
508 511 typedef struct frtuc {
509 512 u_char ftu_tcpfm; /* tcp flags mask */
510 513 u_char ftu_tcpf; /* tcp flags */
511 514 frpcmp_t ftu_src;
512 515 frpcmp_t ftu_dst;
513 516 } frtuc_t;
514 517
515 518 #define ftu_scmp ftu_src.frp_cmp
516 519 #define ftu_dcmp ftu_dst.frp_cmp
517 520 #define ftu_sport ftu_src.frp_port
518 521 #define ftu_dport ftu_dst.frp_port
519 522 #define ftu_stop ftu_src.frp_top
520 523 #define ftu_dtop ftu_dst.frp_top
521 524
522 525 #define FR_TCPFMAX 0x3f
523 526
524 527 /*
525 528 * This structure makes up what is considered to be the IPFilter specific
526 529 * matching components of a filter rule, as opposed to the data structures
527 530 * used to define the result which are in frentry_t and not here.
528 531 */
529 532 typedef struct fripf {
530 533 fr_ip_t fri_ip;
531 534 fr_ip_t fri_mip; /* mask structure */
532 535
533 536 u_short fri_icmpm; /* data for ICMP packets (mask) */
534 537 u_short fri_icmp;
535 538
536 539 frtuc_t fri_tuc;
537 540 int fri_satype; /* addres type */
538 541 int fri_datype; /* addres type */
539 542 int fri_sifpidx; /* doing dynamic addressing */
540 543 int fri_difpidx; /* index into fr_ifps[] to use when */
541 544 } fripf_t;
542 545
543 546 #define fri_dstnum fri_ip.fi_dstnum
544 547 #define fri_srcnum fri_mip.fi_srcnum
545 548 #define fri_dstptr fri_ip.fi_dstptr
546 549 #define fri_srcptr fri_mip.fi_srcptr
547 550
548 551 #define FRI_NORMAL 0 /* Normal address */
549 552 #define FRI_DYNAMIC 1 /* dynamic address */
550 553 #define FRI_LOOKUP 2 /* address is a pool # */
551 554 #define FRI_RANGE 3 /* address/mask is a range */
552 555 #define FRI_NETWORK 4 /* network address from if */
553 556 #define FRI_BROADCAST 5 /* broadcast address from if */
554 557 #define FRI_PEERADDR 6 /* Peer address for P-to-P */
555 558 #define FRI_NETMASKED 7 /* network address with netmask from if */
556 559
557 560
558 561 typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
559 562
560 563 typedef struct frentry {
561 564 ipfmutex_t fr_lock;
562 565 struct frentry *fr_next;
563 566 struct frentry **fr_grp;
564 567 struct ipscan *fr_isc;
565 568 void *fr_ifas[4];
566 569 void *fr_ptr; /* for use with fr_arg */
567 570 char *fr_comment; /* text comment for rule */
568 571 int fr_ref; /* reference count - for grouping */
569 572 int fr_statecnt; /* state count - for limit rules */
570 573 /*
571 574 * These are only incremented when a packet matches this rule and
572 575 * it is the last match
573 576 */
574 577 U_QUAD_T fr_hits;
575 578 U_QUAD_T fr_bytes;
576 579
577 580 /*
578 581 * For PPS rate limiting
579 582 */
580 583 struct timeval fr_lastpkt;
581 584 int fr_curpps;
582 585
583 586 union {
584 587 void *fru_data;
585 588 caddr_t fru_caddr;
586 589 fripf_t *fru_ipf;
587 590 frentfunc_t fru_func;
588 591 } fr_dun;
589 592
590 593 /*
591 594 * Fields after this may not change whilst in the kernel.
|
↓ open down ↓ |
464 lines elided |
↑ open up ↑ |
592 595 */
593 596 ipfunc_t fr_func; /* call this function */
594 597 int fr_dsize;
595 598 int fr_pps;
596 599 int fr_statemax; /* max reference count */
597 600 int fr_flineno; /* line number from conf file */
598 601 u_32_t fr_type;
599 602 u_32_t fr_flags; /* per-rule flags && options (see below) */
600 603 u_32_t fr_logtag; /* user defined log tag # */
601 604 u_32_t fr_collect; /* collection number */
605 + uuid_t fr_uuid; /* user defined uuid */
602 606 u_int fr_arg; /* misc. numeric arg for rule */
603 607 u_int fr_loglevel; /* syslog log facility + priority */
604 608 u_int fr_age[2]; /* non-TCP timeouts */
605 609 u_char fr_v;
606 610 u_char fr_icode; /* return ICMP code */
607 611 char fr_group[FR_GROUPLEN]; /* group to which this rule belongs */
608 612 char fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
609 613 ipftag_t fr_nattag;
610 614 char fr_ifnames[4][LIFNAMSIZ];
611 615 char fr_isctag[16];
612 616 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
613 617 frdest_t fr_dif; /* duplicate packet interface */
614 618 /*
615 619 * This must be last and will change after loaded into the kernel.
616 620 */
617 621 u_int fr_cksum; /* checksum on filter rules for performance */
618 622 } frentry_t;
619 623
620 624 #define fr_caddr fr_dun.fru_caddr
621 625 #define fr_data fr_dun.fru_data
622 626 #define fr_dfunc fr_dun.fru_func
623 627 #define fr_ipf fr_dun.fru_ipf
624 628 #define fr_ip fr_ipf->fri_ip
625 629 #define fr_mip fr_ipf->fri_mip
626 630 #define fr_icmpm fr_ipf->fri_icmpm
627 631 #define fr_icmp fr_ipf->fri_icmp
628 632 #define fr_tuc fr_ipf->fri_tuc
629 633 #define fr_satype fr_ipf->fri_satype
630 634 #define fr_datype fr_ipf->fri_datype
631 635 #define fr_sifpidx fr_ipf->fri_sifpidx
632 636 #define fr_difpidx fr_ipf->fri_difpidx
633 637 #define fr_proto fr_ip.fi_p
634 638 #define fr_mproto fr_mip.fi_p
635 639 #define fr_ttl fr_ip.fi_ttl
636 640 #define fr_mttl fr_mip.fi_ttl
637 641 #define fr_tos fr_ip.fi_tos
638 642 #define fr_mtos fr_mip.fi_tos
639 643 #define fr_tcpfm fr_tuc.ftu_tcpfm
640 644 #define fr_tcpf fr_tuc.ftu_tcpf
641 645 #define fr_scmp fr_tuc.ftu_scmp
642 646 #define fr_dcmp fr_tuc.ftu_dcmp
643 647 #define fr_dport fr_tuc.ftu_dport
644 648 #define fr_sport fr_tuc.ftu_sport
645 649 #define fr_stop fr_tuc.ftu_stop
646 650 #define fr_dtop fr_tuc.ftu_dtop
647 651 #define fr_dst fr_ip.fi_dst.in4
648 652 #define fr_daddr fr_ip.fi_dst.in4.s_addr
649 653 #define fr_src fr_ip.fi_src.in4
650 654 #define fr_saddr fr_ip.fi_src.in4.s_addr
651 655 #define fr_dmsk fr_mip.fi_dst.in4
652 656 #define fr_dmask fr_mip.fi_dst.in4.s_addr
653 657 #define fr_smsk fr_mip.fi_src.in4
654 658 #define fr_smask fr_mip.fi_src.in4.s_addr
655 659 #define fr_dstnum fr_ip.fi_dstnum
656 660 #define fr_srcnum fr_ip.fi_srcnum
657 661 #define fr_dsttype fr_ip.fi_dsttype
658 662 #define fr_srctype fr_ip.fi_srctype
659 663 #define fr_dstptr fr_mip.fi_dstptr
660 664 #define fr_srcptr fr_mip.fi_srcptr
661 665 #define fr_dstfunc fr_mip.fi_dstfunc
662 666 #define fr_srcfunc fr_mip.fi_srcfunc
663 667 #define fr_optbits fr_ip.fi_optmsk
664 668 #define fr_optmask fr_mip.fi_optmsk
665 669 #define fr_secbits fr_ip.fi_secmsk
666 670 #define fr_secmask fr_mip.fi_secmsk
667 671 #define fr_authbits fr_ip.fi_auth
668 672 #define fr_authmask fr_mip.fi_auth
669 673 #define fr_flx fr_ip.fi_flx
670 674 #define fr_mflx fr_mip.fi_flx
671 675 #define fr_ifname fr_ifnames[0]
672 676 #define fr_oifname fr_ifnames[2]
673 677 #define fr_ifa fr_ifas[0]
674 678 #define fr_oifa fr_ifas[2]
675 679 #define fr_tif fr_tifs[0]
676 680 #define fr_rif fr_tifs[1]
677 681
678 682 #define FR_NOLOGTAG 0
679 683
680 684 #define FR_CMPSIZ (sizeof(struct frentry) - \
681 685 offsetof(struct frentry, fr_func))
682 686
683 687 /*
684 688 * fr_type
685 689 */
686 690 #define FR_T_NONE 0
687 691 #define FR_T_IPF 1 /* IPF structures */
688 692 #define FR_T_BPFOPC 2 /* BPF opcode */
689 693 #define FR_T_CALLFUNC 3 /* callout to function in fr_func only */
690 694 #define FR_T_COMPIPF 4 /* compiled C code */
691 695 #define FR_T_BUILTIN 0x80000000 /* rule is in kernel space */
692 696
693 697 /*
694 698 * fr_flags
695 699 */
696 700 #define FR_CALL 0x00000 /* call rule */
697 701 #define FR_BLOCK 0x00001 /* do not allow packet to pass */
698 702 #define FR_PASS 0x00002 /* allow packet to pass */
699 703 #define FR_AUTH 0x00003 /* use authentication */
700 704 #define FR_PREAUTH 0x00004 /* require preauthentication */
701 705 #define FR_ACCOUNT 0x00005 /* Accounting rule */
702 706 #define FR_SKIP 0x00006 /* skip rule */
703 707 #define FR_DIVERT 0x00007 /* divert rule */
704 708 #define FR_CMDMASK 0x0000f
705 709 #define FR_LOG 0x00010 /* Log */
706 710 #define FR_LOGB 0x00011 /* Log-fail */
707 711 #define FR_LOGP 0x00012 /* Log-pass */
708 712 #define FR_LOGMASK (FR_LOG|FR_CMDMASK)
709 713 #define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
710 714 #define FR_NOTSRCIP 0x00040
711 715 #define FR_NOTDSTIP 0x00080
712 716 #define FR_QUICK 0x00100 /* match & stop processing list */
713 717 #define FR_KEEPFRAG 0x00200 /* keep fragment information */
714 718 #define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
715 719 #define FR_FASTROUTE 0x00800 /* bypass normal routing */
716 720 #define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
717 721 #define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
718 722 #define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
719 723 #define FR_OUTQUE 0x04000 /* outgoing packets */
|
↓ open down ↓ |
108 lines elided |
↑ open up ↑ |
720 724 #define FR_INQUE 0x08000 /* ingoing packets */
721 725 #define FR_LOGBODY 0x10000 /* Log the body */
722 726 #define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
723 727 #define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
724 728 #define FR_DUP 0x80000 /* duplicate packet */
725 729 #define FR_FRSTRICT 0x100000 /* strict frag. cache */
726 730 #define FR_STSTRICT 0x200000 /* strict keep state */
727 731 #define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
728 732 #define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
729 733 #define FR_STATESYNC 0x1000000 /* synchronize state to slave */
734 +#define FR_CFWLOG 0x2000000 /* Global CFW logging enabled */
730 735 #define FR_NOMATCH 0x8000000 /* no match occured */
731 736 /* 0x10000000 FF_LOGPASS */
732 737 /* 0x20000000 FF_LOGBLOCK */
733 738 /* 0x40000000 FF_LOGNOMATCH */
734 739 /* 0x80000000 FF_BLOCKNONIP */
735 740 #define FR_COPIED 0x40000000 /* copied from user space */
736 741 #define FR_INACTIVE 0x80000000 /* only used when flush'ing rules */
737 742
738 743 #define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
739 744 #define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
740 745 #define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
741 746 #define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
742 747 #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
743 748 #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
744 749 #define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
745 750 #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
746 751 #define FR_INOUT (FR_INQUE|FR_OUTQUE)
747 752
748 753 /*
749 754 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
750 755 */
751 756 #define FF_LOGPASS 0x10000000
752 757 #define FF_LOGBLOCK 0x20000000
753 758 #define FF_LOGNOMATCH 0x40000000
754 759 #define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
755 760 #define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
756 761
757 762
758 763 /*
759 764 * Structure that passes information on what/how to flush to the kernel.
760 765 */
761 766 typedef struct ipfflush {
762 767 int ipflu_how;
763 768 int ipflu_arg;
764 769 } ipfflush_t;
765 770
766 771
767 772 /*
768 773 *
769 774 */
770 775 typedef struct ipfgetctl {
771 776 u_int ipfg_min; /* min value */
772 777 u_int ipfg_current; /* current value */
773 778 u_int ipfg_max; /* max value */
774 779 u_int ipfg_default; /* default value */
775 780 u_int ipfg_steps; /* value increments */
776 781 char ipfg_name[40]; /* tag name for this control */
777 782 } ipfgetctl_t;
778 783
779 784 typedef struct ipfsetctl {
780 785 int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
781 786 u_int ipfs_value; /* min value */
782 787 char ipfs_name[40]; /* tag name for this control */
783 788 } ipfsetctl_t;
784 789
785 790
786 791 /*
787 792 * Some of the statistics below are in their own counters, but most are kept
788 793 * in this single structure so that they can all easily be collected and
789 794 * copied back as required.
790 795 *
791 796 * NOTE: when changing, keep in sync with kstats (below).
792 797 */
793 798 typedef struct filterstats {
794 799 u_long fr_pass; /* packets allowed */
795 800 u_long fr_block; /* packets denied */
796 801 u_long fr_nom; /* packets which don't match any rule */
797 802 u_long fr_short; /* packets which are short */
798 803 u_long fr_ppkl; /* packets allowed and logged */
799 804 u_long fr_bpkl; /* packets denied and logged */
800 805 u_long fr_npkl; /* packets unmatched and logged */
801 806 u_long fr_pkl; /* packets logged */
802 807 u_long fr_skip; /* packets to be logged but buffer full */
803 808 u_long fr_ret; /* packets for which a return is sent */
804 809 u_long fr_acct; /* packets for which counting was performed */
805 810 u_long fr_bnfr; /* bad attempts to allocate fragment state */
806 811 u_long fr_nfr; /* new fragment state kept */
807 812 u_long fr_cfr; /* add new fragment state but complete pkt */
808 813 u_long fr_bads; /* bad attempts to allocate packet state */
809 814 u_long fr_ads; /* new packet state kept */
810 815 u_long fr_chit; /* cached hit */
811 816 u_long fr_tcpbad; /* TCP checksum check failures */
812 817 u_long fr_pull[2]; /* good and bad pullup attempts */
813 818 u_long fr_badsrc; /* source received doesn't match route */
814 819 u_long fr_badttl; /* TTL in packet doesn't reach minimum */
815 820 u_long fr_bad; /* bad IP packets to the filter */
816 821 u_long fr_ipv6; /* IPv6 packets in/out */
817 822 u_long fr_ppshit; /* dropped because of pps ceiling */
818 823 u_long fr_ipud; /* IP id update failures */
819 824 } filterstats_t;
820 825
821 826 /*
822 827 * kstat "copy" of the above - keep in sync!
823 828 * also keep in sync with initialisation code in solaris.c, ipf_kstat_init().
824 829 */
825 830 typedef struct filter_kstats {
826 831 kstat_named_t fks_pass; /* see above for comments */
827 832 kstat_named_t fks_block;
828 833 kstat_named_t fks_nom;
829 834 kstat_named_t fks_short;
830 835 kstat_named_t fks_ppkl;
831 836 kstat_named_t fks_bpkl;
832 837 kstat_named_t fks_npkl;
833 838 kstat_named_t fks_pkl;
834 839 kstat_named_t fks_skip;
835 840 kstat_named_t fks_ret;
836 841 kstat_named_t fks_acct;
837 842 kstat_named_t fks_bnfr;
838 843 kstat_named_t fks_nfr;
839 844 kstat_named_t fks_cfr;
840 845 kstat_named_t fks_bads;
841 846 kstat_named_t fks_ads;
842 847 kstat_named_t fks_chit;
843 848 kstat_named_t fks_tcpbad;
844 849 kstat_named_t fks_pull[2];
845 850 kstat_named_t fks_badsrc;
846 851 kstat_named_t fks_badttl;
847 852 kstat_named_t fks_bad;
848 853 kstat_named_t fks_ipv6;
849 854 kstat_named_t fks_ppshit;
850 855 kstat_named_t fks_ipud;
851 856 } filter_kstats_t;
852 857
853 858 /*
854 859 * Log structure. Each packet header logged is prepended by one of these.
855 860 * Following this in the log records read from the device will be an ipflog
856 861 * structure which is then followed by any packet data.
857 862 */
858 863 typedef struct iplog {
859 864 u_32_t ipl_magic;
860 865 u_int ipl_count;
861 866 struct timeval ipl_time;
862 867 size_t ipl_dsize;
863 868 struct iplog *ipl_next;
864 869 } iplog_t;
865 870
866 871 #define ipl_sec ipl_time.tv_sec
867 872 #define ipl_usec ipl_time.tv_usec
868 873
869 874 #define IPL_MAGIC 0x49504c4d /* 'IPLM' */
870 875 #define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
871 876 #define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
872 877 #define IPLOG_SIZE sizeof(iplog_t)
873 878
874 879 typedef struct ipflog {
|
↓ open down ↓ |
135 lines elided |
↑ open up ↑ |
875 880 #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
876 881 (defined(OpenBSD) && (OpenBSD >= 199603))
877 882 #else
878 883 u_int fl_unit;
879 884 #endif
880 885 u_32_t fl_rule;
881 886 u_32_t fl_flags;
882 887 u_32_t fl_lflags;
883 888 u_32_t fl_logtag;
884 889 ipftag_t fl_nattag;
890 + uuid_t fl_uuid;
885 891 u_short fl_plen; /* extra data after hlen */
886 892 u_short fl_loglevel; /* syslog log level */
887 893 char fl_group[FR_GROUPLEN];
888 894 u_char fl_hlen; /* length of IP headers saved */
889 895 u_char fl_dir;
890 896 u_char fl_xxx[2]; /* pad */
891 897 char fl_ifname[LIFNAMSIZ];
892 898 } ipflog_t;
893 899
894 900 #ifndef IPF_LOGGING
895 901 # define IPF_LOGGING 0
896 902 #endif
897 903 #ifndef IPF_DEFAULT_PASS
898 904 # define IPF_DEFAULT_PASS FR_PASS
899 905 #endif
900 906
901 907 #define DEFAULT_IPFLOGSIZE 8192
902 908 #ifndef IPFILTER_LOGSIZE
903 909 # define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
904 910 #else
905 911 # if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
906 912 # error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
907 913 # endif
908 914 #endif
909 915
910 916 #define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
911 917
912 918 /*
913 919 * Device filenames for reading log information. Use ipf on Solaris2 because
914 920 * ipl is already a name used by something else.
915 921 */
916 922 #ifndef IPL_NAME
917 923 # ifdef SOLARIS
918 924 # define IPL_NAME "/dev/ipf"
919 925 # else
920 926 # define IPL_NAME "/dev/ipl"
921 927 # endif
922 928 #endif
|
↓ open down ↓ |
28 lines elided |
↑ open up ↑ |
923 929 /*
924 930 * Pathnames for various IP Filter control devices. Used by LKM
925 931 * and userland, so defined here.
926 932 */
927 933 #define IPNAT_NAME "/dev/ipnat"
928 934 #define IPSTATE_NAME "/dev/ipstate"
929 935 #define IPAUTH_NAME "/dev/ipauth"
930 936 #define IPSYNC_NAME "/dev/ipsync"
931 937 #define IPSCAN_NAME "/dev/ipscan"
932 938 #define IPLOOKUP_NAME "/dev/iplookup"
939 +#define IPFEV_NAME "/dev/ipfev"
933 940
934 941 #define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
935 942 #define IPL_LOGNAT 1
936 943 #define IPL_LOGSTATE 2
937 944 #define IPL_LOGAUTH 3
938 945 #define IPL_LOGSYNC 4
939 946 #define IPL_LOGSCAN 5
940 947 #define IPL_LOGLOOKUP 6
941 -#define IPL_LOGCOUNT 7
942 -#define IPL_LOGMAX 7
948 +#define IPL_LOGEV 7
949 +#define IPL_LOGCOUNT 8
950 +#define IPL_LOGMAX 8
943 951 #define IPL_LOGSIZE (IPL_LOGMAX + 1)
944 952 #define IPL_LOGALL -1
945 953 #define IPL_LOGNONE -2
946 954
947 955 /*
948 956 * For SIOCGETFS
949 957 */
950 958 typedef struct friostat {
951 959 struct filterstats f_st[2];
952 960 struct frentry *f_ipf[2][2];
953 961 struct frentry *f_acct[2][2];
954 962 struct frentry *f_ipf6[2][2];
955 963 struct frentry *f_acct6[2][2];
956 964 struct frentry *f_auth;
957 965 struct frgroup *f_groups[IPL_LOGSIZE][2];
958 966 u_long f_froute[2];
959 967 u_long f_ticks;
960 968 int f_locks[IPL_LOGMAX];
961 969 size_t f_kmutex_sz;
962 970 size_t f_krwlock_sz;
963 971 int f_defpass; /* default pass - from fr_pass */
964 972 int f_active; /* 1 or 0 - active rule set */
965 973 int f_running; /* 1 if running, else 0 */
966 974 int f_logging; /* 1 if enabled, else 0 */
967 975 int f_features;
968 976 char f_version[32]; /* version string */
969 977 } friostat_t;
970 978
971 979 #define f_fin f_ipf[0]
972 980 #define f_fin6 f_ipf6[0]
973 981 #define f_fout f_ipf[1]
974 982 #define f_fout6 f_ipf6[1]
975 983 #define f_acctin f_acct[0]
976 984 #define f_acctin6 f_acct6[0]
977 985 #define f_acctout f_acct[1]
978 986 #define f_acctout6 f_acct6[1]
979 987
980 988 #define IPF_FEAT_LKM 0x001
981 989 #define IPF_FEAT_LOG 0x002
982 990 #define IPF_FEAT_LOOKUP 0x004
983 991 #define IPF_FEAT_BPF 0x008
984 992 #define IPF_FEAT_COMPILED 0x010
985 993 #define IPF_FEAT_CKSUM 0x020
986 994 #define IPF_FEAT_SYNC 0x040
987 995 #define IPF_FEAT_SCAN 0x080
988 996 #define IPF_FEAT_IPV6 0x100
989 997
990 998 typedef struct optlist {
991 999 u_short ol_val;
992 1000 int ol_bit;
993 1001 } optlist_t;
994 1002
995 1003
996 1004 /*
997 1005 * Group list structure.
998 1006 */
999 1007 typedef struct frgroup {
1000 1008 struct frgroup *fg_next;
1001 1009 struct frentry *fg_head;
1002 1010 struct frentry *fg_start;
1003 1011 u_32_t fg_flags;
1004 1012 int fg_ref;
1005 1013 char fg_name[FR_GROUPLEN];
1006 1014 } frgroup_t;
1007 1015
1008 1016 #define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
1009 1017
1010 1018
1011 1019 /*
1012 1020 * Used by state and NAT tables
1013 1021 */
1014 1022 typedef struct icmpinfo {
1015 1023 u_short ici_id;
1016 1024 u_short ici_seq;
1017 1025 u_char ici_type;
1018 1026 } icmpinfo_t;
1019 1027
1020 1028 typedef struct udpinfo {
1021 1029 u_short us_sport;
1022 1030 u_short us_dport;
1023 1031 } udpinfo_t;
1024 1032
1025 1033
1026 1034 typedef struct tcpdata {
1027 1035 u_32_t td_end;
1028 1036 u_32_t td_maxend;
1029 1037 u_32_t td_maxwin;
1030 1038 u_32_t td_winscale;
1031 1039 u_32_t td_maxseg;
1032 1040 int td_winflags;
1033 1041 } tcpdata_t;
1034 1042
1035 1043 #define TCP_WSCALE_MAX 14
1036 1044
1037 1045 #define TCP_WSCALE_SEEN 0x00000001
1038 1046 #define TCP_WSCALE_FIRST 0x00000002
1039 1047 #define TCP_SACK_PERMIT 0x00000004
1040 1048
1041 1049
1042 1050 typedef struct tcpinfo {
1043 1051 u_short ts_sport;
1044 1052 u_short ts_dport;
1045 1053 tcpdata_t ts_data[2];
1046 1054 } tcpinfo_t;
1047 1055
1048 1056
1049 1057 /*
1050 1058 * Structures to define a GRE header as seen in a packet.
1051 1059 */
1052 1060 struct grebits {
1053 1061 u_32_t grb_C:1;
1054 1062 u_32_t grb_R:1;
1055 1063 u_32_t grb_K:1;
1056 1064 u_32_t grb_S:1;
1057 1065 u_32_t grb_s:1;
1058 1066 u_32_t grb_recur:1;
1059 1067 u_32_t grb_A:1;
1060 1068 u_32_t grb_flags:3;
1061 1069 u_32_t grb_ver:3;
1062 1070 u_short grb_ptype;
1063 1071 };
1064 1072
1065 1073 typedef struct grehdr {
1066 1074 union {
1067 1075 struct grebits gru_bits;
1068 1076 u_short gru_flags;
1069 1077 } gr_un;
1070 1078 u_short gr_len;
1071 1079 u_short gr_call;
1072 1080 } grehdr_t;
1073 1081
1074 1082 #define gr_flags gr_un.gru_flags
1075 1083 #define gr_bits gr_un.gru_bits
1076 1084 #define gr_ptype gr_bits.grb_ptype
1077 1085 #define gr_C gr_bits.grb_C
1078 1086 #define gr_R gr_bits.grb_R
1079 1087 #define gr_K gr_bits.grb_K
1080 1088 #define gr_S gr_bits.grb_S
1081 1089 #define gr_s gr_bits.grb_s
1082 1090 #define gr_recur gr_bits.grb_recur
1083 1091 #define gr_A gr_bits.grb_A
1084 1092 #define gr_ver gr_bits.grb_ver
1085 1093
1086 1094 /*
1087 1095 * GRE information tracked by "keep state"
1088 1096 */
1089 1097 typedef struct greinfo {
1090 1098 u_short gs_call[2];
1091 1099 u_short gs_flags;
1092 1100 u_short gs_ptype;
1093 1101 } greinfo_t;
1094 1102
1095 1103 #define GRE_REV(x) ((ntohs(x) >> 13) & 7)
1096 1104
1097 1105
1098 1106 /*
1099 1107 * Format of an Authentication header
1100 1108 */
1101 1109 typedef struct authhdr {
1102 1110 u_char ah_next;
1103 1111 u_char ah_plen;
1104 1112 u_short ah_reserved;
1105 1113 u_32_t ah_spi;
1106 1114 u_32_t ah_seq;
1107 1115 /* Following the sequence number field is 0 or more bytes of */
1108 1116 /* authentication data, as specified by ah_plen - RFC 2402. */
1109 1117 } authhdr_t;
1110 1118
1111 1119
1112 1120 /*
1113 1121 * Timeout tail queue list member
1114 1122 */
1115 1123 typedef struct ipftqent {
1116 1124 struct ipftqent **tqe_pnext;
1117 1125 struct ipftqent *tqe_next;
1118 1126 struct ipftq *tqe_ifq;
1119 1127 void *tqe_parent; /* pointer back to NAT/state struct */
1120 1128 u_long tqe_die; /* when this entriy is to die */
1121 1129 u_long tqe_touched;
1122 1130 int tqe_flags;
1123 1131 int tqe_state[2]; /* current state of this entry */
1124 1132 } ipftqent_t;
1125 1133
1126 1134 #define TQE_RULEBASED 0x00000001
1127 1135
1128 1136
1129 1137 /*
1130 1138 * Timeout tail queue head for IPFilter
1131 1139 */
1132 1140 typedef struct ipftq {
1133 1141 ipfmutex_t ifq_lock;
1134 1142 u_int ifq_ttl;
1135 1143 ipftqent_t *ifq_head;
1136 1144 ipftqent_t **ifq_tail;
1137 1145 struct ipftq *ifq_next;
1138 1146 struct ipftq **ifq_pnext;
1139 1147 int ifq_ref;
1140 1148 u_int ifq_flags;
1141 1149 } ipftq_t;
1142 1150
1143 1151 #define IFQF_USER 0x01 /* User defined aging */
1144 1152 #define IFQF_DELETE 0x02 /* Marked for deletion */
1145 1153 #define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */
1146 1154
1147 1155 #define IPF_HZ_MULT 1
1148 1156 #define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
1149 1157 /* checks its timeout queues. */
1150 1158 #define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
1151 1159
1152 1160 /*
1153 1161 * Structure to define address for pool lookups.
1154 1162 */
1155 1163 typedef struct {
1156 1164 u_char adf_len;
1157 1165 sa_family_t adf_family;
1158 1166 i6addr_t adf_addr;
1159 1167 } addrfamily_t;
1160 1168
1161 1169
1162 1170 /*
1163 1171 * Object structure description. For passing through in ioctls.
1164 1172 */
1165 1173 typedef struct ipfobj {
1166 1174 u_32_t ipfo_rev; /* IPFilter version number */
1167 1175 u_32_t ipfo_size; /* size of object at ipfo_ptr */
1168 1176 void *ipfo_ptr; /* pointer to object */
1169 1177 int ipfo_type; /* type of object being pointed to */
1170 1178 int ipfo_offset; /* bytes from ipfo_ptr where to start */
1171 1179 u_char ipfo_xxxpad[32]; /* reserved for future use */
1172 1180 } ipfobj_t;
|
↓ open down ↓ |
220 lines elided |
↑ open up ↑ |
1173 1181
1174 1182 /*
1175 1183 * ioctl struct for setting what zone further ioctls will act on. ipfz_gz is a
1176 1184 * boolean: set it to 1 to operate on the GZ-controlled stack.
1177 1185 */
1178 1186 typedef struct ipfzoneobj {
1179 1187 u_32_t ipfz_gz; /* GZ stack boolean */
1180 1188 char ipfz_zonename[ZONENAME_MAX]; /* zone to act on */
1181 1189 } ipfzoneobj_t;
1182 1190
1191 +/* ioctl to grab CFW logging parameters */
1192 +typedef struct ipfcfwcfg {
1193 + /* CFG => Max event size, NEWSZ => ignored in, like CFG out. */
1194 + uint32_t ipfcfwc_maxevsize;
1195 + /*
1196 + * CFG => Current ring size,
1197 + * NEWSZ => New ring size, must be 2^N for 3 <= N <= 31.
1198 + */
1199 + uint32_t ipfcfwc_evringsize;
1200 + /* CFG => Number of event reports, NEWSZ => ignored in, like CFG out. */
1201 + uint64_t ipfcfwc_evreports;
1202 + /* CFG => Number of event drops, NEWSZ => ignored in, like CFG out. */
1203 + uint64_t ipfcfwc_evdrops;
1204 +} ipfcfwcfg_t;
1205 +
1183 1206 #if defined(_KERNEL)
1184 1207 /* Set ipfs_zoneid to this if no zone has been set: */
1185 1208 #define IPFS_ZONE_UNSET -2
1186 1209
1187 1210 typedef struct ipf_devstate {
1188 1211 zoneid_t ipfs_zoneid;
1189 1212 minor_t ipfs_minor;
1190 1213 boolean_t ipfs_gz;
1191 1214 } ipf_devstate_t;
1192 1215 #endif
1193 1216
1194 1217 #define IPFOBJ_FRENTRY 0 /* struct frentry */
1195 1218 #define IPFOBJ_IPFSTAT 1 /* struct friostat */
1196 1219 #define IPFOBJ_IPFINFO 2 /* struct fr_info */
1197 1220 #define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
1198 1221 #define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
1199 1222 #define IPFOBJ_IPNAT 5 /* struct ipnat */
1200 1223 #define IPFOBJ_NATSTAT 6 /* struct natstat */
1201 1224 #define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
1202 1225 #define IPFOBJ_NATSAVE 8 /* struct nat_save */
1203 1226 #define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
1204 1227 #define IPFOBJ_IPSTATE 10 /* struct ipstate */
1205 1228 #define IPFOBJ_STATESTAT 11 /* struct ips_stat */
1206 1229 #define IPFOBJ_FRAUTH 12 /* struct frauth */
1207 1230 #define IPFOBJ_TUNEABLE 13 /* struct ipftune */
1208 1231 #define IPFOBJ_NAT 14 /* struct nat */
1209 1232 #define IPFOBJ_IPFITER 15 /* struct ipfruleiter */
1210 1233 #define IPFOBJ_GENITER 16 /* struct ipfgeniter */
1211 1234 #define IPFOBJ_GTABLE 17 /* struct ipftable */
1212 1235 #define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */
1213 1236 #define IPFOBJ_COUNT 19 /* How many #defines are above this? */
1214 1237
1215 1238
1216 1239 typedef union ipftunevalptr {
1217 1240 void *ipftp_void;
1218 1241 u_long *ipftp_long;
1219 1242 u_int *ipftp_int;
1220 1243 u_short *ipftp_short;
1221 1244 u_char *ipftp_char;
1222 1245 } ipftunevalptr_t;
1223 1246
1224 1247 typedef struct ipftuneable {
1225 1248 ipftunevalptr_t ipft_una;
1226 1249 char *ipft_name;
1227 1250 u_long ipft_min;
1228 1251 u_long ipft_max;
1229 1252 int ipft_sz;
1230 1253 int ipft_flags;
1231 1254 struct ipftuneable *ipft_next;
1232 1255 } ipftuneable_t;
1233 1256
1234 1257 #define ipft_addr ipft_una.ipftp_void
1235 1258 #define ipft_plong ipft_una.ipftp_long
1236 1259 #define ipft_pint ipft_una.ipftp_int
1237 1260 #define ipft_pshort ipft_una.ipftp_short
1238 1261 #define ipft_pchar ipft_una.ipftp_char
1239 1262
1240 1263 #define IPFT_RDONLY 1 /* read-only */
1241 1264 #define IPFT_WRDISABLED 2 /* write when disabled only */
1242 1265
1243 1266 typedef union ipftuneval {
1244 1267 u_long ipftu_long;
1245 1268 u_int ipftu_int;
1246 1269 u_short ipftu_short;
1247 1270 u_char ipftu_char;
1248 1271 } ipftuneval_t;
1249 1272
1250 1273 typedef struct ipftune {
1251 1274 void *ipft_cookie;
1252 1275 ipftuneval_t ipft_un;
1253 1276 u_long ipft_min;
1254 1277 u_long ipft_max;
1255 1278 int ipft_sz;
1256 1279 int ipft_flags;
1257 1280 char ipft_name[80];
1258 1281 } ipftune_t;
1259 1282
1260 1283 #define ipft_vlong ipft_un.ipftu_long
1261 1284 #define ipft_vint ipft_un.ipftu_int
1262 1285 #define ipft_vshort ipft_un.ipftu_short
1263 1286 #define ipft_vchar ipft_un.ipftu_char
1264 1287
1265 1288 /*
1266 1289 * ipfruleiter is iterator structure used for filter rules.
1267 1290 */
1268 1291 typedef struct ipfruleiter {
1269 1292 int iri_ver;
1270 1293 int iri_inout;
1271 1294 char iri_group[FR_GROUPLEN];
1272 1295 int iri_active;
1273 1296 int iri_nrules;
1274 1297 frentry_t *iri_rule;
1275 1298 } ipfruleiter_t;
1276 1299
1277 1300 /* Values for iri_inout */
1278 1301 #define F_IN 0
1279 1302 #define F_OUT 1
1280 1303 #define F_ACIN 2
1281 1304 #define F_ACOUT 3
1282 1305
1283 1306 /*
1284 1307 * ipfgeniter is generic iterator structure used for nat rules,
1285 1308 * hostmap entries and nat table entries.
1286 1309 */
1287 1310 typedef struct ipfgeniter {
1288 1311 int igi_type; /* type of data we're looking at */
1289 1312 int igi_nitems;
1290 1313 void *igi_data;
1291 1314 } ipfgeniter_t;
1292 1315
1293 1316 #define IPFGENITER_IPF 0
1294 1317 #define IPFGENITER_NAT 1
1295 1318 #define IPFGENITER_IPNAT 2
1296 1319 #define IPFGENITER_FRAG 3
1297 1320 #define IPFGENITER_AUTH 4
1298 1321 #define IPFGENITER_STATE 5
1299 1322 #define IPFGENITER_NATFRAG 6
1300 1323 #define IPFGENITER_HOSTMAP 7
1301 1324 #define IPFGENITER_LOOKUP 8
1302 1325
1303 1326 typedef struct ipftable {
1304 1327 int ita_type;
1305 1328 void *ita_table;
1306 1329 } ipftable_t;
1307 1330
1308 1331 typedef struct ipftoken {
1309 1332 struct ipftoken *ipt_next;
1310 1333 struct ipftoken **ipt_pnext;
1311 1334 void *ipt_ctx;
1312 1335 void *ipt_data;
1313 1336 u_long ipt_die;
1314 1337 int ipt_type;
1315 1338 int ipt_uid;
1316 1339 int ipt_subtype;
1317 1340 int ipt_alive;
1318 1341 } ipftoken_t;
1319 1342
1320 1343
1321 1344 /*
1322 1345 * sync commands
1323 1346 */
1324 1347 #define IPFSYNC_RESYNC 0
1325 1348 #define IPFSYNC_NEWIFP 1
1326 1349 #define IPFSYNC_OLDIFP 2
1327 1350
1328 1351
1329 1352 /*
1330 1353 ** HPUX Port
1331 1354 */
1332 1355 #ifdef __hpux
1333 1356 /* HP-UX locking sequence deadlock detection module lock MAJOR ID */
1334 1357 # define IPF_SMAJ 0 /* temp assignment XXX, not critical */
1335 1358 #endif
1336 1359
1337 1360 #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
1338 1361 (__FreeBSD_version >= 220000)
1339 1362 # define CDEV_MAJOR 79
1340 1363 #endif
1341 1364
1342 1365 /*
1343 1366 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
1344 1367 * on those hooks. We don't need any special mods in non-IP Filter code
1345 1368 * with this!
1346 1369 */
1347 1370 #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
1348 1371 (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
1349 1372 (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
1350 1373 # if (NetBSD >= 199905)
1351 1374 # define PFIL_HOOKS
1352 1375 # endif
1353 1376 # ifdef PFIL_HOOKS
1354 1377 # define NETBSD_PF
1355 1378 # endif
1356 1379 #endif
1357 1380
1358 1381 #ifndef _KERNEL
1359 1382 extern int fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
1360 1383 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
1361 1384 extern int ipf_log __P((void));
1362 1385 extern struct ifnet *get_unit __P((char *, int, ipf_stack_t *));
1363 1386 extern char *get_ifname __P((struct ifnet *));
1364 1387 # if defined(__NetBSD__) || defined(__OpenBSD__) || \
1365 1388 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
1366 1389 extern int frrequest __P((int, u_long, caddr_t, int, int, ipf_stack_t *));
1367 1390 # else
1368 1391 extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1369 1392 # endif
1370 1393 extern int iplopen __P((dev_t, int));
1371 1394 extern int iplclose __P((dev_t, int));
1372 1395 extern void m_freem __P((mb_t *));
1373 1396 #else /* #ifndef _KERNEL */
1374 1397 extern phy_if_t get_unit __P((char *, int, ipf_stack_t *));
1375 1398 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
1376 1399 extern void ipfilterattach __P((int));
1377 1400 # endif
1378 1401 extern int ipl_enable __P((void));
1379 1402 extern int ipl_disable __P((void));
1380 1403 # ifdef MENTAT
1381 1404 extern int fr_check __P((struct ip *, int, void *, int, void *,
1382 1405 mblk_t **, ipf_stack_t *));
1383 1406 # if SOLARIS
1384 1407 # if SOLARIS2 >= 7
1385 1408 extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1386 1409 # else
1387 1410 extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
1388 1411 # endif
1389 1412 # if SOLARIS2 >= 10 && defined(_KERNEL)
1390 1413 extern int fr_make_rst __P((fr_info_t *));
1391 1414 extern int fr_make_icmp __P((fr_info_t *));
1392 1415 extern void fr_calc_chksum __P((fr_info_t *, mb_t *));
1393 1416 extern ipf_stack_t *ipf_find_stack(const zoneid_t, ipf_devstate_t *);
1394 1417 # endif
1395 1418 extern int iplopen __P((dev_t *, int, int, cred_t *));
1396 1419 extern int iplclose __P((dev_t, int, int, cred_t *));
1397 1420 extern int iplread __P((dev_t, uio_t *, cred_t *));
1398 1421 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1399 1422 # endif
1400 1423 # ifdef __hpux
1401 1424 extern int iplopen __P((dev_t, int, intptr_t, int));
1402 1425 extern int iplclose __P((dev_t, int, int));
1403 1426 extern int iplioctl __P((dev_t, int, caddr_t, int));
1404 1427 extern int iplread __P((dev_t, uio_t *));
1405 1428 extern int iplwrite __P((dev_t, uio_t *));
1406 1429 extern int iplselect __P((dev_t, int));
1407 1430 # endif
1408 1431 extern int ipfsync __P((ipf_stack_t *));
1409 1432 extern int fr_qout __P((queue_t *, mblk_t *));
1410 1433 # else /* MENTAT */
1411 1434 extern int fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
1412 1435 extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
1413 1436 extern size_t mbufchainlen __P((mb_t *));
1414 1437 # ifdef __sgi
1415 1438 # include <sys/cred.h>
1416 1439 extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
1417 1440 extern int iplopen __P((dev_t *, int, int, cred_t *));
1418 1441 extern int iplclose __P((dev_t, int, int, cred_t *));
1419 1442 extern int iplread __P((dev_t, uio_t *, cred_t *));
1420 1443 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
1421 1444 extern int ipfsync __P((ipf_stack_t *));
1422 1445 extern int ipfilter_sgi_attach __P((void));
1423 1446 extern void ipfilter_sgi_detach __P((void));
1424 1447 extern void ipfilter_sgi_intfsync __P((void));
1425 1448 # else
1426 1449 # ifdef IPFILTER_LKM
1427 1450 extern int iplidentify __P((char *));
1428 1451 # endif
1429 1452 # if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
1430 1453 (NetBSD >= 199511) || defined(__OpenBSD__)
1431 1454 # if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
1432 1455 defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
1433 1456 # if (__FreeBSD_version >= 500024)
1434 1457 # if (__FreeBSD_version >= 502116)
1435 1458 extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
1436 1459 # else
1437 1460 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
1438 1461 # endif /* __FreeBSD_version >= 502116 */
1439 1462 # else
1440 1463 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
1441 1464 # endif /* __FreeBSD_version >= 500024 */
1442 1465 # else
1443 1466 extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
1444 1467 # endif
1445 1468 # if (__FreeBSD_version >= 500024)
1446 1469 # if (__FreeBSD_version >= 502116)
1447 1470 extern int iplopen __P((struct cdev*, int, int, struct thread *));
1448 1471 extern int iplclose __P((struct cdev*, int, int, struct thread *));
1449 1472 # else
1450 1473 extern int iplopen __P((dev_t, int, int, struct thread *));
1451 1474 extern int iplclose __P((dev_t, int, int, struct thread *));
1452 1475 # endif /* __FreeBSD_version >= 502116 */
1453 1476 # else
1454 1477 extern int iplopen __P((dev_t, int, int, struct proc *));
1455 1478 extern int iplclose __P((dev_t, int, int, struct proc *));
1456 1479 # endif /* __FreeBSD_version >= 500024 */
1457 1480 # else
1458 1481 # ifdef linux
1459 1482 extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
1460 1483 # else
1461 1484 extern int iplopen __P((dev_t, int));
1462 1485 extern int iplclose __P((dev_t, int));
1463 1486 extern int iplioctl __P((dev_t, int, caddr_t, int));
1464 1487 # endif
1465 1488 # endif /* (_BSDI_VERSION >= 199510) */
1466 1489 # if BSD >= 199306
1467 1490 # if (__FreeBSD_version >= 502116)
1468 1491 extern int iplread __P((struct cdev*, struct uio *, int));
1469 1492 extern int iplwrite __P((struct cdev*, struct uio *, int));
1470 1493 # else
1471 1494 extern int iplread __P((dev_t, struct uio *, int));
1472 1495 extern int iplwrite __P((dev_t, struct uio *, int));
1473 1496 # endif /* __FreeBSD_version >= 502116 */
1474 1497 # else
1475 1498 # ifndef linux
1476 1499 extern int iplread __P((dev_t, struct uio *));
1477 1500 extern int iplwrite __P((dev_t, struct uio *));
1478 1501 # endif
1479 1502 # endif /* BSD >= 199306 */
1480 1503 # endif /* __ sgi */
1481 1504 # endif /* MENTAT */
1482 1505
1483 1506 #endif /* #ifndef _KERNEL */
1484 1507
1485 1508 extern char *memstr __P((char *, char *, int, int));
1486 1509 extern int count4bits __P((u_32_t));
1487 1510 extern int count6bits __P((u_32_t *));
1488 1511 extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int, ipf_stack_t *));
1489 1512 extern char *getifname __P((struct ifnet *));
1490 1513 extern int iplattach __P((ipf_stack_t *));
1491 1514 extern int ipldetach __P((ipf_stack_t *));
1492 1515 extern u_short ipf_cksum __P((u_short *, int));
1493 1516 extern int copyinptr __P((void *, void *, size_t));
1494 1517 extern int copyoutptr __P((void *, void *, size_t));
1495 1518 extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
1496 1519 extern int fr_inobj __P((void *, void *, int));
1497 1520 extern int fr_inobjsz __P((void *, void *, int, int));
1498 1521 extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *,
1499 1522 ipf_stack_t *));
1500 1523 extern int fr_ipftune __P((ioctlcmd_t, void *, ipf_stack_t *));
1501 1524 extern int fr_outobj __P((void *, void *, int));
1502 1525 extern int fr_outobjsz __P((void *, void *, int, int));
1503 1526 extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
1504 1527 extern void fr_resolvedest __P((struct frdest *, int, ipf_stack_t *));
1505 1528 extern int fr_resolvefunc __P((void *));
1506 1529 extern void *fr_resolvenic __P((char *, int, ipf_stack_t *));
1507 1530 extern int fr_send_icmp_err __P((int, fr_info_t *, int));
1508 1531 extern int fr_send_reset __P((fr_info_t *));
1509 1532 #if (__FreeBSD_version < 490000) || !defined(_KERNEL)
1510 1533 extern int ppsratecheck __P((struct timeval *, int *, int));
1511 1534 #endif
1512 1535 extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int, ipf_stack_t *));
1513 1536 extern void fr_deletequeueentry __P((ipftqent_t *));
1514 1537 extern int fr_deletetimeoutqueue __P((ipftq_t *));
1515 1538 extern void fr_freetimeoutqueue __P((ipftq_t *, ipf_stack_t *));
1516 1539 extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *,
1517 1540 ipf_stack_t *));
1518 1541 extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *,
1519 1542 ipf_stack_t *));
1520 1543 extern void fr_queueback __P((ipftqent_t *, ipf_stack_t *));
1521 1544 extern void fr_queuefront __P((ipftqent_t *));
1522 1545 extern void fr_checkv4sum __P((fr_info_t *));
1523 1546 extern int fr_checkl4sum __P((fr_info_t *));
1524 1547 extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
1525 1548 struct sockaddr_in *, struct in_addr *,
1526 1549 struct in_addr *));
1527 1550 extern int fr_coalesce __P((fr_info_t *));
1528 1551 #ifdef USE_INET6
1529 1552 extern void fr_checkv6sum __P((fr_info_t *));
1530 1553 extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
1531 1554 struct sockaddr_in6 *, struct in_addr *,
1532 1555 struct in_addr *));
1533 1556 #endif
1534 1557
1535 1558 #define IPFILTER_COMPAT
1536 1559 extern int fr_incomptrans __P((ipfobj_t *, void *));
1537 1560 extern int fr_outcomptrans __P((ipfobj_t *, void *));
1538 1561
1539 1562 extern int fr_addipftune __P((ipftuneable_t *, ipf_stack_t *));
1540 1563 extern int fr_delipftune __P((ipftuneable_t *, ipf_stack_t *));
1541 1564
1542 1565 extern int frflush __P((minor_t, int, int, ipf_stack_t *));
1543 1566 extern void frsync __P((int, int, void *, char *, ipf_stack_t *));
1544 1567 #if SOLARIS2 >= 10
1545 1568 extern void fr_ifindexsync __P((void *, void *, ipf_stack_t *));
1546 1569 #endif
1547 1570 extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int,
1548 1571 ipf_stack_t *));
1549 1572 extern int fr_derefrule __P((frentry_t **, ipf_stack_t *));
1550 1573 extern void fr_delgroup __P((char *, minor_t, int, ipf_stack_t *));
1551 1574 extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***,
|
↓ open down ↓ |
359 lines elided |
↑ open up ↑ |
1552 1575 ipf_stack_t *));
1553 1576
1554 1577 extern int fr_loginit __P((ipf_stack_t *));
1555 1578 extern int ipflog_clear __P((minor_t, ipf_stack_t *));
1556 1579 extern int ipflog_read __P((minor_t, struct uio *, ipf_stack_t *));
1557 1580 extern int ipflog __P((fr_info_t *, u_int));
1558 1581 extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int,
1559 1582 ipf_stack_t *));
1560 1583 extern void fr_logunload __P((ipf_stack_t *));
1561 1584
1585 +/* SmartOS single-FD global-zone state accumulator (see cfw.c) */
1586 +extern boolean_t ipf_cfwlog_enabled;
1587 +struct ipstate; /* Ugggh. */
1588 +extern void ipf_log_cfwlog __P((struct ipstate *, uint_t, ipf_stack_t *));
1589 +extern void ipf_block_cfwlog __P((frentry_t *, fr_info_t *, ipf_stack_t *));
1590 +#define IFS_CFWLOG(ifs, fr) ((ifs)->ifs_gz_controlled && ipf_cfwlog_enabled &&\
1591 + fr != NULL && ((fr)->fr_flags & FR_CFWLOG))
1592 +struct cfwev_s; /* See ipf_cfw.h */
1593 +extern boolean_t ipf_cfwev_consume __P((struct cfwev_s *, boolean_t));
1594 +/* See cfw.c's ipf_cfwev_consume_many() for details. */
1595 +typedef uint_t (*cfwmanycb_t) __P((struct cfwev_s *, uint_t, void *));
1596 +extern uint_t
1597 + ipf_cfwev_consume_many __P((uint_t, boolean_t, cfwmanycb_t, void *));
1598 +extern int ipf_cfwlog_read __P((dev_t, struct uio *, struct cred *));
1599 +extern int ipf_cfwlog_ioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1600 +#define IPF_CFW_RING_ALLOCATE 0
1601 +#define IPF_CFW_RING_DESTROY 1
1602 +extern int ipf_cfw_ring_resize(uint32_t);
1603 +
1562 1604 extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
1563 1605 extern int fr_copytolog __P((int, char *, int));
1564 1606 extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
1565 1607 extern void fr_deinitialise __P((ipf_stack_t *));
1566 1608 extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
1567 1609 extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1568 1610 extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
1569 1611 extern void fr_forgetifp __P((void *, ipf_stack_t *));
1570 1612 extern frentry_t *fr_getrulen __P((int, char *, u_32_t,
1571 1613 ipf_stack_t *));
1572 1614 extern void fr_getstat __P((struct friostat *, ipf_stack_t *));
1573 1615 extern int fr_ifpaddr __P((int, int, void *,
1574 1616 struct in_addr *, struct in_addr *,
1575 1617 ipf_stack_t *));
1576 1618 extern int fr_initialise __P((ipf_stack_t *));
1577 1619 extern int fr_lock __P((caddr_t, int *));
1578 1620 extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
1579 1621 extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
1580 1622 extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1581 1623 struct icmp *, int));
1582 1624 extern u_32_t fr_newisn __P((fr_info_t *));
1583 1625 extern u_short fr_nextipid __P((fr_info_t *));
1584 1626 extern int fr_rulen __P((int, frentry_t *, ipf_stack_t *));
1585 1627 extern int fr_scanlist __P((fr_info_t *, u_32_t));
1586 1628 extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
1587 1629 extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
1588 1630 extern int fr_verifysrc __P((fr_info_t *fin));
1589 1631 extern int fr_zerostats __P((char *, ipf_stack_t *));
1590 1632 extern ipftoken_t *ipf_findtoken __P((int, int, void *, ipf_stack_t *));
1591 1633 extern int ipf_getnextrule __P((ipftoken_t *, void *,
1592 1634 ipf_stack_t *));
1593 1635 extern void ipf_expiretokens __P((ipf_stack_t *));
1594 1636 extern void ipf_freetoken __P((ipftoken_t *, ipf_stack_t *));
1595 1637 extern int ipf_deltoken __P((int, int, void *, ipf_stack_t *));
1596 1638 extern int ipf_genericiter __P((void *, int, void *, ipf_stack_t *));
1597 1639 extern int ipf_extraflush __P((int, ipftq_t *, ipftq_t *, ipf_stack_t *));
1598 1640 extern int ipf_flushclosing __P((int, int, ipftq_t *, ipftq_t *, ipf_stack_t *));
1599 1641 extern int ipf_earlydrop __P((int, ipftq_t *, int, ipf_stack_t *));
1600 1642
1601 1643 #ifndef ipf_random
1602 1644 extern u_32_t ipf_random __P((void));
1603 1645 #endif
1604 1646
1605 1647 #if defined(_KERNEL)
1606 1648 extern int fr_setzoneid __P((ipf_devstate_t *, void *));
1607 1649 #endif
1608 1650
1609 1651 extern char ipfilter_version[];
1610 1652 #ifdef USE_INET6
1611 1653 extern int icmptoicmp6types[ICMP_MAXTYPE+1];
1612 1654 extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
1613 1655 extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
1614 1656 #endif
1615 1657 extern int icmpreplytype4[ICMP_MAXTYPE + 1];
1616 1658 extern frentry_t *ipfrule_match __P((fr_info_t *));
1617 1659
1618 1660 extern void ipftuneable_alloc(ipf_stack_t *);
1619 1661 extern void ipftuneable_free(ipf_stack_t *);
1620 1662
1621 1663 #endif /* __IP_FIL_H__ */
|
↓ open down ↓ |
50 lines elided |
↑ open up ↑ |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX