    
Only exploit ipf state keeping for CFW logging.
    
      
    
    
          --- old/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
          +++ new/usr/src/uts/common/inet/ipf/netinet/ip_fil.h
   1    1  /*
   2    2   * Copyright (C) 1993-2001, 2003 by Darren Reed.
   3    3   *
   4    4   * See the IPFILTER.LICENCE file for details on licencing.
   5    5   *
   6    6   * @(#)ip_fil.h 1.35 6/5/96
   7    7   * $Id: ip_fil.h,v 2.170.2.22 2005/07/16 05:55:35 darrenr Exp $
   8    8   *
   9    9   * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
  10   10   *
  11      - * Copyright (c) 2014, Joyent, Inc.  All rights reserved.
       11 + * Copyright 2019, Joyent, Inc.
  12   12   */
  13   13  
  14   14  #ifndef __IP_FIL_H__
  15   15  #define __IP_FIL_H__
  16   16  
  17   17  #include "netinet/ip_compat.h"
  18   18  #include <sys/zone.h>
  19   19  
  20   20  #ifdef  SOLARIS
  21   21  #undef  SOLARIS
  22   22  #endif
  23   23  #if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
  24   24  #define SOLARIS (1)
  25   25  #else
  26   26  #define SOLARIS (0)
  27   27  #endif
  28   28  
  29   29  #ifndef __P
  30   30  # ifdef __STDC__
  31   31  #  define       __P(x)  x
  32   32  # else
  33   33  #  define       __P(x)  ()
  34   34  # endif
  35   35  #endif
  36   36  
  37   37  #if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
  38   38  # define        SIOCADAFR       _IOW('r', 60, struct ipfobj)
  39   39  # define        SIOCRMAFR       _IOW('r', 61, struct ipfobj)
  40   40  # define        SIOCSETFF       _IOW('r', 62, u_int)
  41   41  # define        SIOCGETFF       _IOR('r', 63, u_int)
  42   42  # define        SIOCGETFS       _IOWR('r', 64, struct ipfobj)
  43   43  # define        SIOCIPFFL       _IOWR('r', 65, int)
  44   44  # define        SIOCIPFFB       _IOR('r', 66, int)
  45   45  # define        SIOCADIFR       _IOW('r', 67, struct ipfobj)
  46   46  # define        SIOCRMIFR       _IOW('r', 68, struct ipfobj)
  47   47  # define        SIOCSWAPA       _IOR('r', 69, u_int)
  48   48  # define        SIOCINAFR       _IOW('r', 70, struct ipfobj)
  49   49  # define        SIOCINIFR       _IOW('r', 71, struct ipfobj)
  50   50  # define        SIOCFRENB       _IOW('r', 72, u_int)
  51   51  # define        SIOCFRSYN       _IOW('r', 73, u_int)
  52   52  # define        SIOCFRZST       _IOWR('r', 74, struct ipfobj)
  53   53  # define        SIOCZRLST       _IOWR('r', 75, struct ipfobj)
  54   54  # define        SIOCAUTHW       _IOWR('r', 76, struct ipfobj)
  55   55  # define        SIOCAUTHR       _IOWR('r', 77, struct ipfobj)
  56   56  # define        SIOCATHST       _IOWR('r', 78, struct ipfobj)
  57   57  # define        SIOCSTLCK       _IOWR('r', 79, u_int)
  58   58  # define        SIOCSTPUT       _IOWR('r', 80, struct ipfobj)
  59   59  # define        SIOCSTGET       _IOWR('r', 81, struct ipfobj)
  60   60  # define        SIOCSTGSZ       _IOWR('r', 82, struct ipfobj)
  61   61  # define        SIOCGFRST       _IOWR('r', 83, struct ipfobj)
  62   62  # define        SIOCSETLG       _IOWR('r', 84, int)
  63   63  # define        SIOCGETLG       _IOWR('r', 85, int)
  64   64  # define        SIOCFUNCL       _IOWR('r', 86, struct ipfunc_resolve)
  65   65  # define        SIOCIPFGETNEXT  _IOWR('r', 87, struct ipfobj)
  66   66  # define        SIOCIPFGET      _IOWR('r', 88, struct ipfobj)
  67   67  # define        SIOCIPFSET      _IOWR('r', 89, struct ipfobj)
  68   68  # define        SIOCIPFL6       _IOWR('r', 90, int)
  69   69  # define        SIOCIPFLP       _IOWR('r', 91, int)
  70   70  # define        SIOCIPFITER     _IOWR('r', 92, struct ipfobj)
  71   71  # define        SIOCGENITER     _IOWR('r', 93, struct ipfobj)
  72   72  # define        SIOCGTABL       _IOWR('r', 94, struct ipfobj)
  73   73  # define        SIOCIPFDELTOK   _IOWR('r', 95, int)
  74   74  # define        SIOCLOOKUPITER  _IOWR('r', 96, struct ipfobj)
  75   75  #else
  76   76  # define        SIOCADAFR       _IOW(r, 60, struct ipfobj)
  77   77  # define        SIOCRMAFR       _IOW(r, 61, struct ipfobj)
  78   78  # define        SIOCSETFF       _IOW(r, 62, u_int)
  79   79  # define        SIOCGETFF       _IOR(r, 63, u_int)
  80   80  # define        SIOCGETFS       _IOWR(r, 64, struct ipfobj)
  81   81  # define        SIOCIPFFL       _IOWR(r, 65, int)
  82   82  # define        SIOCIPFFB       _IOR(r, 66, int)
  83   83  # define        SIOCADIFR       _IOW(r, 67, struct ipfobj)
  84   84  # define        SIOCRMIFR       _IOW(r, 68, struct ipfobj)
  85   85  # define        SIOCSWAPA       _IOR(r, 69, u_int)
  86   86  # define        SIOCINAFR       _IOW(r, 70, struct ipfobj)
  87   87  # define        SIOCINIFR       _IOW(r, 71, struct ipfobj)
  88   88  # define        SIOCFRENB       _IOW(r, 72, u_int)
  89   89  # define        SIOCFRSYN       _IOW(r, 73, u_int)
  90   90  # define        SIOCFRZST       _IOWR(r, 74, struct ipfobj)
  91   91  # define        SIOCZRLST       _IOWR(r, 75, struct ipfobj)
  92   92  # define        SIOCAUTHW       _IOWR(r, 76, struct ipfobj)
  93   93  # define        SIOCAUTHR       _IOWR(r, 77, struct ipfobj)
  94   94  # define        SIOCATHST       _IOWR(r, 78, struct ipfobj)
  95   95  # define        SIOCSTLCK       _IOWR(r, 79, u_int)
  96   96  # define        SIOCSTPUT       _IOWR(r, 80, struct ipfobj)
  97   97  # define        SIOCSTGET       _IOWR(r, 81, struct ipfobj)
  98   98  # define        SIOCSTGSZ       _IOWR(r, 82, struct ipfobj)
  99   99  # define        SIOCGFRST       _IOWR(r, 83, struct ipfobj)
 100  100  # define        SIOCSETLG       _IOWR(r, 84, int)
 101  101  # define        SIOCGETLG       _IOWR(r, 85, int)
 102  102  # define        SIOCFUNCL       _IOWR(r, 86, struct ipfunc_resolve)
 103  103  # define        SIOCIPFGETNEXT  _IOWR(r, 87, struct ipfobj)
 104  104  # define        SIOCIPFGET      _IOWR(r, 88, struct ipfobj)
 105  105  # define        SIOCIPFSET      _IOWR(r, 89, struct ipfobj)
 106  106  # define        SIOCIPFL6       _IOWR(r, 90, int)
 107  107  # define        SIOCIPFLP       _IOWR(r, 91, int)
 108  108  # define        SIOCIPFITER     _IOWR(r, 92, struct ipfobj)
 109  109  # define        SIOCGENITER     _IOWR(r, 93, struct ipfobj)
 110  110  # define        SIOCGTABL       _IOWR(r, 94, struct ipfobj)
 111  111  # define        SIOCIPFDELTOK   _IOWR(r, 95, int)
 112  112  # define        SIOCLOOKUPITER  _IOWR(r, 96, struct ipfobj)
 113  113  #endif
 114  114  #define SIOCADDFR       SIOCADAFR
 115  115  #define SIOCDELFR       SIOCRMAFR
 116  116  #define SIOCINSFR       SIOCINAFR
 117  117  # define        SIOCIPFZONESET  _IOWR('r', 97, struct ipfzoneobj)
 118  118  
 119  119  /*
 120  120   * What type of table is getting flushed?
 121  121   */
 122  122  
 123  123  #define NAT_FLUSH       1
 124  124  #define STATE_FLUSH     2
 125  125  
 126  126  /*
 127  127   * What table flush options are available?
 128  128   */
 129  129  
 130  130  #define FLUSH_LIST      0
 131  131  #define FLUSH_TABLE_ALL         1       /* Flush entire table */
 132  132  #define FLUSH_TABLE_CLOSING     2       /* Flush "closing" entries" */
 133  133  #define FLUSH_TABLE_EXTRA       3       /* Targetted flush: almost closed, long idle */
 134  134  
 135  135  #define VALID_TABLE_FLUSH_OPT(x)        ((x) >= 1 && (x) <= 3)
 136  136  
 137  137  /*
 138  138   * Define the default hi and lo watermarks used when flushing the
 139  139   * tables.  The values represent percent full of respective tables.
 140  140   */
 141  141  
 142  142  #define NAT_FLUSH_HI    95
 143  143  #define NAT_FLUSH_LO    75
 144  144  
 145  145  #define ST_FLUSH_HI     95
 146  146  #define ST_FLUSH_LO     75
 147  147  
 148  148  /*
 149  149   * How full are the tables?
 150  150   */
 151  151  
 152  152  #define NAT_TAB_WATER_LEVEL(x)  ((x)->ifs_nat_stats.ns_inuse * 100 \
 153  153                                  / (x)->ifs_ipf_nattable_max)
 154  154  
 155  155  #define ST_TAB_WATER_LEVEL(x)   ((x)->ifs_ips_num * 100 \
 156  156                                  / (x)->ifs_fr_statemax)
 157  157  
 158  158  struct ipscan;
 159  159  struct ifnet;
 160  160  
 161  161  typedef struct ipf_stack ipf_stack_t;
 162  162  typedef struct fr_info fr_info_t;
 163  163  
 164  164  typedef int     (* lookupfunc_t) __P((void *, int, void *, fr_info_t *, ipf_stack_t *));
 165  165  
 166  166  /*
 167  167   * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
 168  168   * as other types of objects, depending on its qualifier.
 169  169   */
 170  170  #ifdef  USE_INET6
 171  171  typedef union   i6addr  {
 172  172          u_32_t  i6[4];
 173  173          struct  in_addr in4;
 174  174          struct  in6_addr in6;
 175  175          void    *vptr[2];
 176  176          lookupfunc_t    lptr[2];
 177  177  } i6addr_t;
 178  178  #define in6_addr8       in6.s6_addr
 179  179  #else
 180  180  typedef union   i6addr  {
 181  181          u_32_t  i6[4];
 182  182          struct  in_addr in4;
 183  183          void    *vptr[2];
 184  184          lookupfunc_t    lptr[2];
 185  185  } i6addr_t;
 186  186  #endif
 187  187  
 188  188  #define in4_addr        in4.s_addr
 189  189  #define iplookupnum     i6[0]
 190  190  #define iplookuptype    i6[1]
 191  191  /*
 192  192   * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
 193  193   */
 194  194  #define iplookupptr     vptr[0]
 195  195  #define iplookupfunc    lptr[1]
 196  196  
 197  197  #define I60(x)  (((i6addr_t *)(x))->i6[0])
 198  198  #define I61(x)  (((i6addr_t *)(x))->i6[1])
 199  199  #define I62(x)  (((i6addr_t *)(x))->i6[2])
 200  200  #define I63(x)  (((i6addr_t *)(x))->i6[3])
 201  201  #define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
 202  202  #define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
 203  203  #define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
 204  204  #define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
 205  205  
 206  206  #define IP6_EQ(a,b)     ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
 207  207                           (I61(a) == I61(b)) && (I60(a) == I60(b)))
 208  208  #define IP6_NEQ(a,b)    ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
 209  209                           (I61(a) != I61(b)) || (I60(a) != I60(b)))
 210  210  #define IP6_ISZERO(a)   ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
 211  211  #define IP6_NOTZERO(a)  ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
 212  212  #define IP6_ISONES(a)   ((I63(a) == 0xffffffff) && (I62(a) == 0xffffffff) && \
 213  213                           (I61(a) == 0xffffffff) && (I60(a) == 0xffffffff))
 214  214  #define IP6_GT(a,b)     (ntohl(HI60(a)) > ntohl(HI60(b)) || \
 215  215                           (HI60(a) == HI60(b) && \
 216  216                            (ntohl(HI61(a)) > ntohl(HI61(b)) || \
 217  217                             (HI61(a) == HI61(b) && \
 218  218                              (ntohl(HI62(a)) > ntohl(HI62(b)) || \
 219  219                               (HI62(a) == HI62(b) && \
 220  220                                ntohl(HI63(a)) > ntohl(HI63(b))))))))
 221  221  #define IP6_LT(a,b)     (ntohl(HI60(a)) < ntohl(HI60(b)) || \
 222  222                           (HI60(a) == HI60(b) && \
 223  223                            (ntohl(HI61(a)) < ntohl(HI61(b)) || \
 224  224                             (HI61(a) == HI61(b) && \
 225  225                              (ntohl(HI62(a)) < ntohl(HI62(b)) || \
 226  226                               (HI62(a) == HI62(b) && \
 227  227                                ntohl(HI63(a)) < ntohl(HI63(b))))))))
 228  228  #define NLADD(n,x)      htonl(ntohl(n) + (x))
 229  229  #define IP6_INC(a)      \
 230  230                  { i6addr_t *_i6 = (i6addr_t *)(a); \
 231  231                    _i6->i6[3] = NLADD(_i6->i6[3], 1); \
 232  232                    if (_i6->i6[3] == 0) { \
 233  233                          _i6->i6[2] = NLADD(_i6->i6[2], 1); \
 234  234                          if (_i6->i6[2] == 0) { \
 235  235                                  _i6->i6[1] = NLADD(_i6->i6[1], 1); \
 236  236                                  if (_i6->i6[1] == 0) { \
 237  237                                          _i6->i6[0] = NLADD(_i6->i6[0], 1); \
 238  238                                  } \
 239  239                          } \
 240  240                    } \
 241  241                  }
 242  242  #define IP6_ADD(a,x,d)  \
 243  243                  { i6addr_t *_s = (i6addr_t *)(a); \
 244  244                    i6addr_t *_d = (i6addr_t *)(d); \
 245  245                    _d->i6[3] = NLADD(_s->i6[3], x); \
 246  246                    if (ntohl(_d->i6[3]) < ntohl(_s->i6[3])) { \
 247  247                          _d->i6[2] = NLADD(_d->i6[2], 1); \
 248  248                          if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
 249  249                                  _d->i6[1] = NLADD(_d->i6[1], 1); \
 250  250                                  if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
 251  251                                          _d->i6[0] = NLADD(_d->i6[0], 1); \
 252  252                                  } \
 253  253                          } \
 254  254                    } \
 255  255                  }
 256  256  #define IP6_AND(a,b,d)  { i6addr_t *_s1 = (i6addr_t *)(a); \
 257  257                            i6addr_t *_s2 = (i6addr_t *)(b); \
 258  258                            i6addr_t *_d = (i6addr_t *)(d); \
 259  259                            _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
 260  260                            _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
 261  261                            _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
 262  262                            _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
 263  263                          }
 264  264  #define IP6_MASKEQ(a,m,b) \
 265  265                          (((I60(a) & I60(m)) == I60(b)) && \
 266  266                           ((I61(a) & I61(m)) == I61(b)) && \
 267  267                           ((I62(a) & I62(m)) == I62(b)) && \
 268  268                           ((I63(a) & I63(m)) == I63(b)))
 269  269  #define IP6_MASKNEQ(a,m,b) \
 270  270                          (((I60(a) & I60(m)) != I60(b)) || \
 271  271                           ((I61(a) & I61(m)) != I61(b)) || \
 272  272                           ((I62(a) & I62(m)) != I62(b)) || \
 273  273                           ((I63(a) & I63(m)) != I63(b)))
 274  274  #define IP6_MERGE(a,b,c) \
 275  275                          { i6addr_t *_d, *_s1, *_s2; \
 276  276                            _d = (i6addr_t *)(a); \
 277  277                            _s1 = (i6addr_t *)(b); \
 278  278                            _s2 = (i6addr_t *)(c); \
 279  279                            _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
 280  280                            _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
 281  281                            _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
 282  282                            _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
 283  283                          }
 284  284  
 285  285  
 286  286  typedef struct  fr_ip   {
 287  287          u_32_t  fi_v:4;         /* IP version */
 288  288          u_32_t  fi_xx:4;        /* spare */
 289  289          u_32_t  fi_tos:8;       /* IP packet TOS */
 290  290          u_32_t  fi_ttl:8;       /* IP packet TTL */
 291  291          u_32_t  fi_p:8;         /* IP packet protocol */
 292  292          u_32_t  fi_optmsk;      /* bitmask composed from IP options */
 293  293          i6addr_t fi_src;        /* source address from packet */
 294  294          i6addr_t fi_dst;        /* destination address from packet */
 295  295          u_short fi_secmsk;      /* bitmask composed from IP security options */
 296  296          u_short fi_auth;        /* authentication code from IP sec. options */
 297  297          u_32_t  fi_flx;         /* packet flags */
 298  298          u_32_t  fi_tcpmsk;      /* TCP options set/reset */
 299  299          u_32_t  fi_res1;        /* RESERVED */
 300  300  } fr_ip_t;
 301  301  
 302  302  /*
 303  303   * For use in fi_flx
 304  304   */
 305  305  #define FI_TCPUDP       0x0001  /* TCP/UCP implied comparison*/
 306  306  #define FI_OPTIONS      0x0002
 307  307  #define FI_FRAG         0x0004
 308  308  #define FI_SHORT        0x0008
 309  309  #define FI_NATED        0x0010
 310  310  #define FI_MULTICAST    0x0020
 311  311  #define FI_BROADCAST    0x0040
 312  312  #define FI_MBCAST       0x0080
 313  313  #define FI_STATE        0x0100
 314  314  #define FI_BADNAT       0x0200
 315  315  #define FI_BAD          0x0400
 316  316  #define FI_OOW          0x0800  /* Out of state window, else match */
 317  317  #define FI_ICMPERR      0x1000
 318  318  #define FI_FRAGBODY     0x2000
 319  319  #define FI_BADSRC       0x4000
 320  320  #define FI_LOWTTL       0x8000
 321  321  #define FI_CMP          0xcf03  /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL,broadcast */
 322  322  #define FI_ICMPCMP      0x0003  /* Flags we can check for ICMP error packets */
 323  323  #define FI_WITH         0xeffe  /* Not FI_TCPUDP */
 324  324  #define FI_V6EXTHDR     0x10000
 325  325  #define FI_COALESCE     0x20000
 326  326  #define FI_ICMPQUERY    0x40000
 327  327  #define FI_NEWNAT       0x80000
 328  328  #define FI_MOREFRAG     0x100000
 329  329  #define FI_NEG_OOW      0x10000000      /* packet underflows TCP window */
 330  330  #define FI_NOCKSUM      0x20000000      /* don't do a L4 checksum validation */
 331  331  #define FI_DONTCACHE    0x40000000      /* don't cache the result */
 332  332  #define FI_IGNORE       0x80000000
 333  333  
 334  334  #define fi_saddr        fi_src.in4.s_addr
 335  335  #define fi_daddr        fi_dst.in4.s_addr
 336  336  #define fi_srcnum       fi_src.iplookupnum
 337  337  #define fi_dstnum       fi_dst.iplookupnum
 338  338  #define fi_srctype      fi_src.iplookuptype
 339  339  #define fi_dsttype      fi_dst.iplookuptype
 340  340  #define fi_srcptr       fi_src.iplookupptr
 341  341  #define fi_dstptr       fi_dst.iplookupptr
 342  342  #define fi_srcfunc      fi_src.iplookupfunc
 343  343  #define fi_dstfunc      fi_dst.iplookupfunc
 344  344  
 345  345  
 346  346  /*
 347  347   * These are both used by the state and NAT code to indicate that one port or
 348  348   * the other should be treated as a wildcard.
 349  349   * NOTE: When updating, check bit masks in ip_state.h and update there too.
 350  350   */
 351  351  #define SI_W_SPORT      0x00000100
 352  352  #define SI_W_DPORT      0x00000200
 353  353  #define SI_WILDP        (SI_W_SPORT|SI_W_DPORT)
 354  354  #define SI_W_SADDR      0x00000400
 355  355  #define SI_W_DADDR      0x00000800
 356  356  #define SI_WILDA        (SI_W_SADDR|SI_W_DADDR)
 357  357  #define SI_NEWFR        0x00001000
 358  358  #define SI_CLONE        0x00002000
 359  359  #define SI_CLONED       0x00004000
 360  360  
 361  361  
 362  362  
 363  363  
 364  364  struct  fr_info {
 365  365          void    *fin_ifp;               /* interface packet is `on' */
 366  366          fr_ip_t fin_fi;         /* IP Packet summary */
 367  367          union   {
 368  368                  u_short fid_16[2];      /* TCP/UDP ports, ICMP code/type */
 369  369                  u_32_t  fid_32;
 370  370          } fin_dat;
 371  371          int     fin_out;                /* in or out ? 1 == out, 0 == in */
 372  372          int     fin_rev;                /* state only: 1 = reverse */
 373  373          u_short fin_hlen;               /* length of IP header in bytes */
 374  374          u_char  fin_tcpf;               /* TCP header flags (SYN, ACK, etc) */
 375  375          u_char  fin_icode;              /* ICMP error to return */
 376  376          u_32_t  fin_rule;               /* rule # last matched */
 377  377          char    fin_group[FR_GROUPLEN]; /* group number, -1 for none */
 378  378          struct  frentry *fin_fr;        /* last matching rule */
 379  379          void    *fin_dp;                /* start of data past IP header */
 380  380          int     fin_dlen;               /* length of data portion of packet */
 381  381          int     fin_plen;
 382  382          int     fin_ipoff;              /* # bytes from buffer start to hdr */
 383  383          u_32_t  fin_id;                 /* IP packet id field */
 384  384          u_short fin_off;
 385  385          int     fin_depth;              /* Group nesting depth */
 386  386          int     fin_error;              /* Error code to return */
 387  387          u_int   fin_pktnum;
 388  388          void    *fin_nattag;
 389  389          union {
 390  390                  ip_t    *fip_ip;
 391  391  #ifdef  USE_INET6
 392  392                  ip6_t   *fip_ip6;
 393  393  #endif
 394  394          } fin_ipu;
 395  395          mb_t    **fin_mp;               /* pointer to pointer to mbuf */
 396  396          mb_t    *fin_m;                 /* pointer to mbuf */
 397  397  #ifdef  MENTAT
 398  398          mb_t    *fin_qfm;               /* pointer to mblk where pkt starts */
 399  399          void    *fin_qpi;
 400  400          ipf_stack_t *fin_ifs;
 401  401  #endif
 402  402  #ifdef  __sgi
 403  403          void    *fin_hbuf;
 404  404  #endif
 405  405  };
 406  406  
 407  407  #define fin_ip          fin_ipu.fip_ip
 408  408  #define fin_ip6         fin_ipu.fip_ip6
 409  409  #define fin_v           fin_fi.fi_v
 410  410  #define fin_p           fin_fi.fi_p
 411  411  #define fin_flx         fin_fi.fi_flx
 412  412  #define fin_optmsk      fin_fi.fi_optmsk
 413  413  #define fin_secmsk      fin_fi.fi_secmsk
 414  414  #define fin_auth        fin_fi.fi_auth
 415  415  #define fin_src         fin_fi.fi_src.in4
 416  416  #define fin_saddr       fin_fi.fi_saddr
 417  417  #define fin_dst         fin_fi.fi_dst.in4
 418  418  #define fin_daddr       fin_fi.fi_daddr
 419  419  #define fin_data        fin_dat.fid_16
 420  420  #define fin_sport       fin_dat.fid_16[0]
 421  421  #define fin_dport       fin_dat.fid_16[1]
 422  422  #define fin_ports       fin_dat.fid_32
 423  423  
 424  424  #ifdef  USE_INET6
 425  425  # define        fin_src6        fin_fi.fi_src
 426  426  # define        fin_dst6        fin_fi.fi_dst
 427  427  # define        fin_dstip6      fin_fi.fi_dst.in6
 428  428  # define        fin_srcip6      fin_fi.fi_src.in6
 429  429  #endif
 430  430  
 431  431  #define IPF_IN  0
 432  432  #define IPF_OUT 1
 433  433  
 434  434  typedef struct frentry  *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
 435  435  typedef int             (*ipfuncinit_t) __P((struct frentry *,
 436  436                                               ipf_stack_t *));
 437  437  
 438  438  typedef struct  ipfunc_resolve  {
 439  439          char            ipfu_name[32];
 440  440          ipfunc_t        ipfu_addr;
 441  441          ipfuncinit_t    ipfu_init;
 442  442  } ipfunc_resolve_t;
 443  443  
 444  444  /*
 445  445   * Size for compares on fr_info structures
 446  446   */
 447  447  #define FI_CSIZE        offsetof(fr_info_t, fin_icode)
 448  448  #define FI_LCSIZE       offsetof(fr_info_t, fin_dp)
 449  449  
 450  450  /*
 451  451   * Size for copying cache fr_info structure
 452  452   */
 453  453  #define FI_COPYSIZE     offsetof(fr_info_t, fin_dp)
 454  454  
 455  455  /*
 456  456   * Structure for holding IPFilter's tag information
 457  457   */
 458  458  #define IPFTAG_LEN      16
 459  459  typedef struct  {
 460  460          union   {
 461  461                  u_32_t  iptu_num[4];
 462  462                  char    iptu_tag[IPFTAG_LEN];
 463  463          } ipt_un;
 464  464          int     ipt_not;
 465  465  } ipftag_t;
 466  466  
 467  467  #define ipt_tag ipt_un.iptu_tag
 468  468  #define ipt_num ipt_un.iptu_num
 469  469  
 470  470  
 471  471  /*
 472  472   * This structure is used to hold information about the next hop for where
 473  473   * to forward a packet.
 474  474   */
 475  475  typedef struct  frdest  {
 476  476          void    *fd_ifp;
 477  477          i6addr_t        fd_ip6;
 478  478          char    fd_ifname[LIFNAMSIZ];
 479  479  } frdest_t;
 480  480  
 481  481  #define fd_ip   fd_ip6.in4
 482  482  
 483  483  
 484  484  /*
 485  485   * This structure holds information about a port comparison.
 486  486   */
 487  487  typedef struct  frpcmp  {
 488  488          int     frp_cmp;        /* data for port comparisons */
 489  489          u_short frp_port;       /* top port for <> and >< */
 490  490          u_short frp_top;        /* top port for <> and >< */
 491  491  } frpcmp_t;
 492  492  
 493  493  #define FR_NONE 0
 494  494  #define FR_EQUAL 1
 495  495  #define FR_NEQUAL 2
 496  496  #define FR_LESST 3
 497  497  #define FR_GREATERT 4
 498  498  #define FR_LESSTE 5
 499  499  #define FR_GREATERTE 6
 500  500  #define FR_OUTRANGE 7
 501  501  #define FR_INRANGE 8
 502  502  #define FR_INCRANGE 9
 503  503  
 504  504  /*
 505  505   * Structure containing all the relevant TCP things that can be checked in
 506  506   * a filter rule.
 507  507   */
 508  508  typedef struct  frtuc   {
 509  509          u_char          ftu_tcpfm;      /* tcp flags mask */
 510  510          u_char          ftu_tcpf;       /* tcp flags */
 511  511          frpcmp_t        ftu_src;
 512  512          frpcmp_t        ftu_dst;
 513  513  } frtuc_t;
 514  514  
 515  515  #define ftu_scmp        ftu_src.frp_cmp
 516  516  #define ftu_dcmp        ftu_dst.frp_cmp
 517  517  #define ftu_sport       ftu_src.frp_port
 518  518  #define ftu_dport       ftu_dst.frp_port
 519  519  #define ftu_stop        ftu_src.frp_top
 520  520  #define ftu_dtop        ftu_dst.frp_top
 521  521  
 522  522  #define FR_TCPFMAX      0x3f
 523  523  
 524  524  /*
 525  525   * This structure makes up what is considered to be the IPFilter specific
 526  526   * matching components of a filter rule, as opposed to the data structures
 527  527   * used to define the result which are in frentry_t and not here.
 528  528   */
 529  529  typedef struct  fripf   {
 530  530          fr_ip_t fri_ip;
 531  531          fr_ip_t fri_mip;        /* mask structure */
 532  532  
 533  533          u_short fri_icmpm;              /* data for ICMP packets (mask) */
 534  534          u_short fri_icmp;
 535  535  
 536  536          frtuc_t fri_tuc;
 537  537          int     fri_satype;             /* addres type */
 538  538          int     fri_datype;             /* addres type */
 539  539          int     fri_sifpidx;            /* doing dynamic addressing */
 540  540          int     fri_difpidx;            /* index into fr_ifps[] to use when */
 541  541  } fripf_t;
 542  542  
 543  543  #define fri_dstnum      fri_ip.fi_dstnum
 544  544  #define fri_srcnum      fri_mip.fi_srcnum
 545  545  #define fri_dstptr      fri_ip.fi_dstptr
 546  546  #define fri_srcptr      fri_mip.fi_srcptr
 547  547  
 548  548  #define FRI_NORMAL      0       /* Normal address */
 549  549  #define FRI_DYNAMIC     1       /* dynamic address */
 550  550  #define FRI_LOOKUP      2       /* address is a pool # */
 551  551  #define FRI_RANGE       3       /* address/mask is a range */
 552  552  #define FRI_NETWORK     4       /* network address from if */
 553  553  #define FRI_BROADCAST   5       /* broadcast address from if */
 554  554  #define FRI_PEERADDR    6       /* Peer address for P-to-P */
 555  555  #define FRI_NETMASKED   7       /* network address with netmask from if */
 556  556  
 557  557  
 558  558  typedef struct  frentry * (* frentfunc_t) __P((fr_info_t *));
 559  559  
 560  560  typedef struct  frentry {
 561  561          ipfmutex_t      fr_lock;
 562  562          struct  frentry *fr_next;
 563  563          struct  frentry **fr_grp;
 564  564          struct  ipscan  *fr_isc;
 565  565          void    *fr_ifas[4];
 566  566          void    *fr_ptr;        /* for use with fr_arg */
 567  567          char    *fr_comment;    /* text comment for rule */
 568  568          int     fr_ref;         /* reference count - for grouping */
 569  569          int     fr_statecnt;    /* state count - for limit rules */
 570  570          /*
 571  571           * These are only incremented when a packet  matches this rule and
 572  572           * it is the last match
 573  573           */
 574  574          U_QUAD_T        fr_hits;
 575  575          U_QUAD_T        fr_bytes;
 576  576  
 577  577          /*
 578  578           * For PPS rate limiting
 579  579           */
 580  580          struct timeval  fr_lastpkt;
 581  581          int             fr_curpps;
 582  582  
 583  583          union   {
 584  584                  void            *fru_data;
 585  585                  caddr_t         fru_caddr;
 586  586                  fripf_t         *fru_ipf;
 587  587                  frentfunc_t     fru_func;
 588  588          } fr_dun;
 589  589  
 590  590          /*
 591  591           * Fields after this may not change whilst in the kernel.
 592  592           */
 593  593          ipfunc_t fr_func;       /* call this function */
 594  594          int     fr_dsize;
 595  595          int     fr_pps;
 596  596          int     fr_statemax;    /* max reference count */
 597  597          int     fr_flineno;     /* line number from conf file */
 598  598          u_32_t  fr_type;
 599  599          u_32_t  fr_flags;       /* per-rule flags && options (see below) */
 600  600          u_32_t  fr_logtag;      /* user defined log tag # */
 601  601          u_32_t  fr_collect;     /* collection number */
 602  602          u_int   fr_arg;         /* misc. numeric arg for rule */ 
 603  603          u_int   fr_loglevel;    /* syslog log facility + priority */
 604  604          u_int   fr_age[2];      /* non-TCP timeouts */
 605  605          u_char  fr_v;
 606  606          u_char  fr_icode;       /* return ICMP code */
 607  607          char    fr_group[FR_GROUPLEN];  /* group to which this rule belongs */
 608  608          char    fr_grhead[FR_GROUPLEN]; /* group # which this rule starts */
 609  609          ipftag_t fr_nattag;
 610  610          char    fr_ifnames[4][LIFNAMSIZ];
 611  611          char    fr_isctag[16];
 612  612          frdest_t fr_tifs[2];    /* "to"/"reply-to" interface */
 613  613          frdest_t fr_dif;        /* duplicate packet interface */
 614  614          /*
 615  615           * This must be last and will change after loaded into the kernel.
 616  616           */
 617  617          u_int   fr_cksum;       /* checksum on filter rules for performance */
 618  618  } frentry_t;
 619  619  
 620  620  #define fr_caddr        fr_dun.fru_caddr
 621  621  #define fr_data         fr_dun.fru_data
 622  622  #define fr_dfunc        fr_dun.fru_func
 623  623  #define fr_ipf          fr_dun.fru_ipf
 624  624  #define fr_ip           fr_ipf->fri_ip
 625  625  #define fr_mip          fr_ipf->fri_mip
 626  626  #define fr_icmpm        fr_ipf->fri_icmpm
 627  627  #define fr_icmp         fr_ipf->fri_icmp
 628  628  #define fr_tuc          fr_ipf->fri_tuc
 629  629  #define fr_satype       fr_ipf->fri_satype
 630  630  #define fr_datype       fr_ipf->fri_datype
 631  631  #define fr_sifpidx      fr_ipf->fri_sifpidx
 632  632  #define fr_difpidx      fr_ipf->fri_difpidx
 633  633  #define fr_proto        fr_ip.fi_p
 634  634  #define fr_mproto       fr_mip.fi_p
 635  635  #define fr_ttl          fr_ip.fi_ttl
 636  636  #define fr_mttl         fr_mip.fi_ttl
 637  637  #define fr_tos          fr_ip.fi_tos
 638  638  #define fr_mtos         fr_mip.fi_tos
 639  639  #define fr_tcpfm        fr_tuc.ftu_tcpfm
 640  640  #define fr_tcpf         fr_tuc.ftu_tcpf
 641  641  #define fr_scmp         fr_tuc.ftu_scmp
 642  642  #define fr_dcmp         fr_tuc.ftu_dcmp
 643  643  #define fr_dport        fr_tuc.ftu_dport
 644  644  #define fr_sport        fr_tuc.ftu_sport
 645  645  #define fr_stop         fr_tuc.ftu_stop
 646  646  #define fr_dtop         fr_tuc.ftu_dtop
 647  647  #define fr_dst          fr_ip.fi_dst.in4
 648  648  #define fr_daddr        fr_ip.fi_dst.in4.s_addr
 649  649  #define fr_src          fr_ip.fi_src.in4
 650  650  #define fr_saddr        fr_ip.fi_src.in4.s_addr
 651  651  #define fr_dmsk         fr_mip.fi_dst.in4
 652  652  #define fr_dmask        fr_mip.fi_dst.in4.s_addr
 653  653  #define fr_smsk         fr_mip.fi_src.in4
 654  654  #define fr_smask        fr_mip.fi_src.in4.s_addr
 655  655  #define fr_dstnum       fr_ip.fi_dstnum
 656  656  #define fr_srcnum       fr_ip.fi_srcnum
 657  657  #define fr_dsttype      fr_ip.fi_dsttype
 658  658  #define fr_srctype      fr_ip.fi_srctype
 659  659  #define fr_dstptr       fr_mip.fi_dstptr
 660  660  #define fr_srcptr       fr_mip.fi_srcptr
 661  661  #define fr_dstfunc      fr_mip.fi_dstfunc
 662  662  #define fr_srcfunc      fr_mip.fi_srcfunc
 663  663  #define fr_optbits      fr_ip.fi_optmsk
 664  664  #define fr_optmask      fr_mip.fi_optmsk
 665  665  #define fr_secbits      fr_ip.fi_secmsk
 666  666  #define fr_secmask      fr_mip.fi_secmsk
 667  667  #define fr_authbits     fr_ip.fi_auth
 668  668  #define fr_authmask     fr_mip.fi_auth
 669  669  #define fr_flx          fr_ip.fi_flx
 670  670  #define fr_mflx         fr_mip.fi_flx
 671  671  #define fr_ifname       fr_ifnames[0]
 672  672  #define fr_oifname      fr_ifnames[2]
 673  673  #define fr_ifa          fr_ifas[0]
 674  674  #define fr_oifa         fr_ifas[2]
 675  675  #define fr_tif          fr_tifs[0]
 676  676  #define fr_rif          fr_tifs[1]
 677  677  
 678  678  #define FR_NOLOGTAG     0
 679  679  
 680  680  #define FR_CMPSIZ       (sizeof(struct frentry) - \
 681  681                           offsetof(struct frentry, fr_func))
 682  682  
 683  683  /*
 684  684   * fr_type
 685  685   */
 686  686  #define FR_T_NONE       0
 687  687  #define FR_T_IPF        1       /* IPF structures */
 688  688  #define FR_T_BPFOPC     2       /* BPF opcode */
 689  689  #define FR_T_CALLFUNC   3       /* callout to function in fr_func only */
 690  690  #define FR_T_COMPIPF    4       /* compiled C code */
 691  691  #define FR_T_BUILTIN    0x80000000      /* rule is in kernel space */
 692  692  
 693  693  /*
 694  694   * fr_flags
 695  695   */
 696  696  #define FR_CALL         0x00000 /* call rule */
 697  697  #define FR_BLOCK        0x00001 /* do not allow packet to pass */
 698  698  #define FR_PASS         0x00002 /* allow packet to pass */
 699  699  #define FR_AUTH         0x00003 /* use authentication */
 700  700  #define FR_PREAUTH      0x00004 /* require preauthentication */
 701  701  #define FR_ACCOUNT      0x00005 /* Accounting rule */
 702  702  #define FR_SKIP         0x00006 /* skip rule */
 703  703  #define FR_DIVERT       0x00007 /* divert rule */
 704  704  #define FR_CMDMASK      0x0000f
 705  705  #define FR_LOG          0x00010 /* Log */
 706  706  #define FR_LOGB         0x00011 /* Log-fail */
 707  707  #define FR_LOGP         0x00012 /* Log-pass */
 708  708  #define FR_LOGMASK      (FR_LOG|FR_CMDMASK)
 709  709  #define FR_CALLNOW      0x00020 /* call another function (fr_func) if matches */
 710  710  #define FR_NOTSRCIP     0x00040
 711  711  #define FR_NOTDSTIP     0x00080
 712  712  #define FR_QUICK        0x00100 /* match & stop processing list */
 713  713  #define FR_KEEPFRAG     0x00200 /* keep fragment information */
 714  714  #define FR_KEEPSTATE    0x00400 /* keep `connection' state information */
 715  715  #define FR_FASTROUTE    0x00800 /* bypass normal routing */
 716  716  #define FR_RETRST       0x01000 /* Return TCP RST packet - reset connection */
 717  717  #define FR_RETICMP      0x02000 /* Return ICMP unreachable packet */
 718  718  #define FR_FAKEICMP     0x03000 /* Return ICMP unreachable with fake source */
 719  719  #define FR_OUTQUE       0x04000 /* outgoing packets */
 720  720  #define FR_INQUE        0x08000 /* ingoing packets */
 721  721  #define FR_LOGBODY      0x10000 /* Log the body */
 722  722  #define FR_LOGFIRST     0x20000 /* Log the first byte if state held */
 723  723  #define FR_LOGORBLOCK   0x40000 /* block the packet if it can't be logged */
 724  724  #define FR_DUP          0x80000 /* duplicate packet */
 725  725  #define FR_FRSTRICT     0x100000        /* strict frag. cache */
 726  726  #define FR_STSTRICT     0x200000        /* strict keep state */
 727  727  #define FR_NEWISN       0x400000        /* new ISN for outgoing TCP */
 728  728  #define FR_NOICMPERR    0x800000        /* do not match ICMP errors in state */
 729  729  #define FR_STATESYNC    0x1000000       /* synchronize state to slave */
 730  730  #define FR_NOMATCH      0x8000000       /* no match occured */
 731  731                  /*      0x10000000      FF_LOGPASS */
 732  732                  /*      0x20000000      FF_LOGBLOCK */
 733  733                  /*      0x40000000      FF_LOGNOMATCH */
 734  734                  /*      0x80000000      FF_BLOCKNONIP */
 735  735  #define FR_COPIED       0x40000000      /* copied from user space */
 736  736  #define FR_INACTIVE     0x80000000      /* only used when flush'ing rules */
 737  737  
 738  738  #define FR_RETMASK      (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
 739  739  #define FR_ISBLOCK(x)   (((x) & FR_CMDMASK) == FR_BLOCK)
 740  740  #define FR_ISPASS(x)    (((x) & FR_CMDMASK) == FR_PASS)
 741  741  #define FR_ISAUTH(x)    (((x) & FR_CMDMASK) == FR_AUTH)
 742  742  #define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
 743  743  #define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
 744  744  #define FR_ISSKIP(x)    (((x) & FR_CMDMASK) == FR_SKIP)
 745  745  #define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
 746  746  #define FR_INOUT        (FR_INQUE|FR_OUTQUE)
 747  747  
 748  748  /*
 749  749   * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
 750  750   */
 751  751  #define FF_LOGPASS      0x10000000
 752  752  #define FF_LOGBLOCK     0x20000000
 753  753  #define FF_LOGNOMATCH   0x40000000
 754  754  #define FF_LOGGING      (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
 755  755  #define FF_BLOCKNONIP   0x80000000      /* Solaris2 Only */
 756  756  
 757  757  
 758  758  /*
 759  759   * Structure that passes information on what/how to flush to the kernel.
 760  760   */
 761  761  typedef struct  ipfflush        {
 762  762          int     ipflu_how;
 763  763          int     ipflu_arg;
 764  764  } ipfflush_t;
 765  765  
 766  766  
 767  767  /*
 768  768   *
 769  769   */
 770  770  typedef struct  ipfgetctl       {
 771  771          u_int   ipfg_min;       /* min value */
 772  772          u_int   ipfg_current;   /* current value */
 773  773          u_int   ipfg_max;       /* max value */
 774  774          u_int   ipfg_default;   /* default value */
 775  775          u_int   ipfg_steps;     /* value increments */
 776  776          char    ipfg_name[40];  /* tag name for this control */
 777  777  } ipfgetctl_t;
 778  778  
 779  779  typedef struct  ipfsetctl       {
 780  780          int     ipfs_which;     /* 0 = min 1 = current 2 = max 3 = default */
 781  781          u_int   ipfs_value;     /* min value */
 782  782          char    ipfs_name[40];  /* tag name for this control */
 783  783  } ipfsetctl_t;
 784  784  
 785  785  
 786  786  /*
 787  787   * Some of the statistics below are in their own counters, but most are kept
 788  788   * in this single structure so that they can all easily be collected and
 789  789   * copied back as required.
 790  790   *
 791  791   * NOTE: when changing, keep in sync with kstats (below).
 792  792   */
 793  793  typedef struct  filterstats {
 794  794          u_long  fr_pass;        /* packets allowed */
 795  795          u_long  fr_block;       /* packets denied */
 796  796          u_long  fr_nom;         /* packets which don't match any rule */
 797  797          u_long  fr_short;       /* packets which are short */
 798  798          u_long  fr_ppkl;        /* packets allowed and logged */
 799  799          u_long  fr_bpkl;        /* packets denied and logged */
 800  800          u_long  fr_npkl;        /* packets unmatched and logged */
 801  801          u_long  fr_pkl;         /* packets logged */
 802  802          u_long  fr_skip;        /* packets to be logged but buffer full */
 803  803          u_long  fr_ret;         /* packets for which a return is sent */
 804  804          u_long  fr_acct;        /* packets for which counting was performed */
 805  805          u_long  fr_bnfr;        /* bad attempts to allocate fragment state */
 806  806          u_long  fr_nfr;         /* new fragment state kept */
 807  807          u_long  fr_cfr;         /* add new fragment state but complete pkt */
 808  808          u_long  fr_bads;        /* bad attempts to allocate packet state */
 809  809          u_long  fr_ads;         /* new packet state kept */
 810  810          u_long  fr_chit;        /* cached hit */
 811  811          u_long  fr_tcpbad;      /* TCP checksum check failures */
 812  812          u_long  fr_pull[2];     /* good and bad pullup attempts */
 813  813          u_long  fr_badsrc;      /* source received doesn't match route */
 814  814          u_long  fr_badttl;      /* TTL in packet doesn't reach minimum */
 815  815          u_long  fr_bad;         /* bad IP packets to the filter */
 816  816          u_long  fr_ipv6;        /* IPv6 packets in/out */
 817  817          u_long  fr_ppshit;      /* dropped because of pps ceiling */
 818  818          u_long  fr_ipud;        /* IP id update failures */
 819  819  } filterstats_t;
 820  820  
 821  821  /*
 822  822   * kstat "copy" of the above - keep in sync!
 823  823   * also keep in sync with initialisation code in solaris.c, ipf_kstat_init().
 824  824   */
 825  825  typedef struct  filter_kstats {
 826  826          kstat_named_t   fks_pass;       /* see above for comments */
 827  827          kstat_named_t   fks_block;
 828  828          kstat_named_t   fks_nom;
 829  829          kstat_named_t   fks_short;
 830  830          kstat_named_t   fks_ppkl;
 831  831          kstat_named_t   fks_bpkl;
 832  832          kstat_named_t   fks_npkl;
 833  833          kstat_named_t   fks_pkl;
 834  834          kstat_named_t   fks_skip;
 835  835          kstat_named_t   fks_ret;
 836  836          kstat_named_t   fks_acct;
 837  837          kstat_named_t   fks_bnfr;
 838  838          kstat_named_t   fks_nfr;
 839  839          kstat_named_t   fks_cfr;
 840  840          kstat_named_t   fks_bads;
 841  841          kstat_named_t   fks_ads;
 842  842          kstat_named_t   fks_chit;
 843  843          kstat_named_t   fks_tcpbad;
 844  844          kstat_named_t   fks_pull[2];
 845  845          kstat_named_t   fks_badsrc;
 846  846          kstat_named_t   fks_badttl;
 847  847          kstat_named_t   fks_bad;
 848  848          kstat_named_t   fks_ipv6;
 849  849          kstat_named_t   fks_ppshit;
 850  850          kstat_named_t   fks_ipud;
 851  851  } filter_kstats_t;
 852  852  
 853  853  /*
 854  854   * Log structure.  Each packet header logged is prepended by one of these.
 855  855   * Following this in the log records read from the device will be an ipflog
 856  856   * structure which is then followed by any packet data.
 857  857   */
 858  858  typedef struct  iplog   {
 859  859          u_32_t          ipl_magic;
 860  860          u_int           ipl_count;
 861  861          struct  timeval ipl_time;
 862  862          size_t          ipl_dsize;
 863  863          struct  iplog   *ipl_next;
 864  864  } iplog_t;
 865  865  
 866  866  #define ipl_sec         ipl_time.tv_sec
 867  867  #define ipl_usec        ipl_time.tv_usec
 868  868  
 869  869  #define IPL_MAGIC       0x49504c4d      /* 'IPLM' */
 870  870  #define IPL_MAGIC_NAT   0x49504c4e      /* 'IPLN' */
 871  871  #define IPL_MAGIC_STATE 0x49504c53      /* 'IPLS' */
 872  872  #define IPLOG_SIZE      sizeof(iplog_t)
 873  873  
 874  874  typedef struct  ipflog  {
 875  875  #if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
 876  876          (defined(OpenBSD) && (OpenBSD >= 199603))
 877  877  #else
 878  878          u_int   fl_unit;
 879  879  #endif
 880  880          u_32_t  fl_rule;
 881  881          u_32_t  fl_flags;
 882  882          u_32_t  fl_lflags;
 883  883          u_32_t  fl_logtag;
 884  884          ipftag_t        fl_nattag;
 885  885          u_short fl_plen;        /* extra data after hlen */
 886  886          u_short fl_loglevel;    /* syslog log level */
 887  887          char    fl_group[FR_GROUPLEN];
 888  888          u_char  fl_hlen;        /* length of IP headers saved */
 889  889          u_char  fl_dir;
 890  890          u_char  fl_xxx[2];      /* pad */
 891  891          char    fl_ifname[LIFNAMSIZ];
 892  892  } ipflog_t;
 893  893  
 894  894  #ifndef IPF_LOGGING
 895  895  # define        IPF_LOGGING     0
 896  896  #endif
 897  897  #ifndef IPF_DEFAULT_PASS
 898  898  # define        IPF_DEFAULT_PASS        FR_PASS
 899  899  #endif
 900  900  
 901  901  #define DEFAULT_IPFLOGSIZE      8192
 902  902  #ifndef IPFILTER_LOGSIZE
 903  903  # define        IPFILTER_LOGSIZE        DEFAULT_IPFLOGSIZE
 904  904  #else
 905  905  # if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
 906  906  #  error IPFILTER_LOGSIZE too small.  Must be >= DEFAULT_IPFLOGSIZE
 907  907  # endif
 908  908  #endif
 909  909  
 910  910  #define IPF_OPTCOPY     0x07ff00        /* bit mask of copied options */
 911  911  
 912  912  /*
 913  913   * Device filenames for reading log information.  Use ipf on Solaris2 because
 914  914   * ipl is already a name used by something else.
 915  915   */
 916  916  #ifndef IPL_NAME
 917  917  # ifdef SOLARIS
 918  918  #  define       IPL_NAME        "/dev/ipf"
 919  919  # else
 920  920  #  define       IPL_NAME        "/dev/ipl"
 921  921  # endif
 922  922  #endif
 923  923  /*
 924  924   * Pathnames for various IP Filter control devices.  Used by LKM
 925  925   * and userland, so defined here.
 926  926   */
 927  927  #define IPNAT_NAME      "/dev/ipnat"
 928  928  #define IPSTATE_NAME    "/dev/ipstate"
 929  929  #define IPAUTH_NAME     "/dev/ipauth"
 930  930  #define IPSYNC_NAME     "/dev/ipsync"
 931  931  #define IPSCAN_NAME     "/dev/ipscan"
 932  932  #define IPLOOKUP_NAME   "/dev/iplookup"
 933  933  
 934  934  #define IPL_LOGIPF      0       /* Minor device #'s for accessing logs */
 935  935  #define IPL_LOGNAT      1
 936  936  #define IPL_LOGSTATE    2
 937  937  #define IPL_LOGAUTH     3
 938  938  #define IPL_LOGSYNC     4
 939  939  #define IPL_LOGSCAN     5
 940  940  #define IPL_LOGLOOKUP   6
 941  941  #define IPL_LOGCOUNT    7
 942  942  #define IPL_LOGMAX      7
 943  943  #define IPL_LOGSIZE     (IPL_LOGMAX + 1)
 944  944  #define IPL_LOGALL      -1
 945  945  #define IPL_LOGNONE     -2
 946  946  
 947  947  /*
 948  948   * For SIOCGETFS
 949  949   */
 950  950  typedef struct  friostat        {
 951  951          struct  filterstats     f_st[2];
 952  952          struct  frentry         *f_ipf[2][2];
 953  953          struct  frentry         *f_acct[2][2];
 954  954          struct  frentry         *f_ipf6[2][2];
 955  955          struct  frentry         *f_acct6[2][2];
 956  956          struct  frentry         *f_auth;
 957  957          struct  frgroup         *f_groups[IPL_LOGSIZE][2];
 958  958          u_long  f_froute[2];
 959  959          u_long  f_ticks;
 960  960          int     f_locks[IPL_LOGMAX];
 961  961          size_t  f_kmutex_sz;
 962  962          size_t  f_krwlock_sz;
 963  963          int     f_defpass;      /* default pass - from fr_pass */
 964  964          int     f_active;       /* 1 or 0 - active rule set */
 965  965          int     f_running;      /* 1 if running, else 0 */
 966  966          int     f_logging;      /* 1 if enabled, else 0 */
 967  967          int     f_features;
 968  968          char    f_version[32];  /* version string */
 969  969  } friostat_t;
 970  970  
 971  971  #define f_fin           f_ipf[0]
 972  972  #define f_fin6          f_ipf6[0]
 973  973  #define f_fout          f_ipf[1]
 974  974  #define f_fout6         f_ipf6[1]
 975  975  #define f_acctin        f_acct[0]
 976  976  #define f_acctin6       f_acct6[0]
 977  977  #define f_acctout       f_acct[1]
 978  978  #define f_acctout6      f_acct6[1]
 979  979  
 980  980  #define IPF_FEAT_LKM            0x001
 981  981  #define IPF_FEAT_LOG            0x002
 982  982  #define IPF_FEAT_LOOKUP         0x004
 983  983  #define IPF_FEAT_BPF            0x008
 984  984  #define IPF_FEAT_COMPILED       0x010
 985  985  #define IPF_FEAT_CKSUM          0x020
 986  986  #define IPF_FEAT_SYNC           0x040
 987  987  #define IPF_FEAT_SCAN           0x080
 988  988  #define IPF_FEAT_IPV6           0x100
 989  989  
 990  990  typedef struct  optlist {
 991  991          u_short ol_val;
 992  992          int     ol_bit;
 993  993  } optlist_t;
 994  994  
 995  995  
 996  996  /*
 997  997   * Group list structure.
 998  998   */
 999  999  typedef struct frgroup {
1000 1000          struct  frgroup *fg_next;
1001 1001          struct  frentry *fg_head;
1002 1002          struct  frentry *fg_start;
1003 1003          u_32_t  fg_flags;
1004 1004          int     fg_ref;
1005 1005          char    fg_name[FR_GROUPLEN];
1006 1006  } frgroup_t;
1007 1007  
1008 1008  #define FG_NAME(g)      (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
1009 1009  
1010 1010  
1011 1011  /*
1012 1012   * Used by state and NAT tables
1013 1013   */
1014 1014  typedef struct icmpinfo {
1015 1015          u_short ici_id;
1016 1016          u_short ici_seq;
1017 1017          u_char  ici_type;
1018 1018  } icmpinfo_t;
1019 1019  
1020 1020  typedef struct udpinfo {
1021 1021          u_short us_sport;
1022 1022          u_short us_dport;
1023 1023  } udpinfo_t;
1024 1024  
1025 1025  
1026 1026  typedef struct  tcpdata {
1027 1027          u_32_t  td_end;
1028 1028          u_32_t  td_maxend;
1029 1029          u_32_t  td_maxwin;
1030 1030          u_32_t  td_winscale;
1031 1031          u_32_t  td_maxseg;
1032 1032          int     td_winflags;
1033 1033  } tcpdata_t;
1034 1034  
1035 1035  #define TCP_WSCALE_MAX          14
1036 1036  
1037 1037  #define TCP_WSCALE_SEEN         0x00000001
1038 1038  #define TCP_WSCALE_FIRST        0x00000002
1039 1039  #define TCP_SACK_PERMIT         0x00000004
1040 1040  
1041 1041  
1042 1042  typedef struct tcpinfo {
1043 1043          u_short ts_sport;
1044 1044          u_short ts_dport;
1045 1045          tcpdata_t ts_data[2];
1046 1046  } tcpinfo_t;
1047 1047  
1048 1048  
1049 1049  /*
1050 1050   * Structures to define a GRE header as seen in a packet.
1051 1051   */
1052 1052  struct  grebits {
1053 1053          u_32_t  grb_C:1;
1054 1054          u_32_t  grb_R:1;
1055 1055          u_32_t  grb_K:1;
1056 1056          u_32_t  grb_S:1;
1057 1057          u_32_t  grb_s:1;
1058 1058          u_32_t  grb_recur:1;
1059 1059          u_32_t  grb_A:1;
1060 1060          u_32_t  grb_flags:3;
1061 1061          u_32_t  grb_ver:3;
1062 1062          u_short grb_ptype;
1063 1063  };
1064 1064  
1065 1065  typedef struct  grehdr  {
1066 1066          union   {
1067 1067                  struct  grebits gru_bits;
1068 1068                  u_short gru_flags;
1069 1069          } gr_un;
1070 1070          u_short gr_len;
1071 1071          u_short gr_call;
1072 1072  } grehdr_t;
1073 1073  
1074 1074  #define gr_flags        gr_un.gru_flags
1075 1075  #define gr_bits         gr_un.gru_bits
1076 1076  #define gr_ptype        gr_bits.grb_ptype
1077 1077  #define gr_C            gr_bits.grb_C
1078 1078  #define gr_R            gr_bits.grb_R
1079 1079  #define gr_K            gr_bits.grb_K
1080 1080  #define gr_S            gr_bits.grb_S
1081 1081  #define gr_s            gr_bits.grb_s
1082 1082  #define gr_recur        gr_bits.grb_recur
1083 1083  #define gr_A            gr_bits.grb_A
1084 1084  #define gr_ver          gr_bits.grb_ver
1085 1085  
1086 1086  /*
1087 1087   * GRE information tracked by "keep state"
1088 1088   */
1089 1089  typedef struct  greinfo {
1090 1090          u_short gs_call[2];
1091 1091          u_short gs_flags;
1092 1092          u_short gs_ptype;
1093 1093  } greinfo_t;
1094 1094  
1095 1095  #define GRE_REV(x)      ((ntohs(x) >> 13) & 7)
1096 1096  
1097 1097  
1098 1098  /*
1099 1099   * Format of an Authentication header
1100 1100   */
1101 1101  typedef struct  authhdr {
1102 1102          u_char  ah_next;
1103 1103          u_char  ah_plen;
1104 1104          u_short ah_reserved;
1105 1105          u_32_t  ah_spi;
1106 1106          u_32_t  ah_seq;
1107 1107          /* Following the sequence number field is 0 or more bytes of */
1108 1108          /* authentication data, as specified by ah_plen - RFC 2402.  */
1109 1109  } authhdr_t;
1110 1110  
1111 1111  
1112 1112  /*
1113 1113   * Timeout tail queue list member
1114 1114   */
1115 1115  typedef struct  ipftqent        {
1116 1116          struct ipftqent **tqe_pnext;
1117 1117          struct ipftqent *tqe_next;
1118 1118          struct  ipftq   *tqe_ifq;
1119 1119          void    *tqe_parent;            /* pointer back to NAT/state struct */
1120 1120          u_long  tqe_die;                /* when this entriy is to die */
1121 1121          u_long  tqe_touched;
1122 1122          int     tqe_flags;
1123 1123          int     tqe_state[2];           /* current state of this entry */
1124 1124  } ipftqent_t;
1125 1125  
1126 1126  #define TQE_RULEBASED   0x00000001
1127 1127  
1128 1128  
1129 1129  /*
1130 1130   * Timeout tail queue head for IPFilter
1131 1131   */
1132 1132  typedef struct  ipftq   {
1133 1133          ipfmutex_t      ifq_lock;
1134 1134          u_int   ifq_ttl;
1135 1135          ipftqent_t      *ifq_head;
1136 1136          ipftqent_t      **ifq_tail;
1137 1137          struct  ipftq   *ifq_next;
1138 1138          struct  ipftq   **ifq_pnext;
1139 1139          int     ifq_ref;
1140 1140          u_int   ifq_flags;
1141 1141  } ipftq_t;
1142 1142  
1143 1143  #define IFQF_USER       0x01            /* User defined aging */
1144 1144  #define IFQF_DELETE     0x02            /* Marked for deletion */
1145 1145  #define IFQF_PROXY      0x04            /* Timeout queue in use by a proxy */
1146 1146  
1147 1147  #define IPF_HZ_MULT     1
1148 1148  #define IPF_HZ_DIVIDE   2               /* How many times a second ipfilter */
1149 1149                                          /* checks its timeout queues.       */
1150 1150  #define IPF_TTLVAL(x)   (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
1151 1151  
1152 1152  /*
1153 1153   * Structure to define address for pool lookups.
1154 1154   */
1155 1155  typedef struct  {
1156 1156          u_char          adf_len;
1157 1157          sa_family_t     adf_family;
1158 1158          i6addr_t        adf_addr;
1159 1159  } addrfamily_t;
1160 1160  
1161 1161  
1162 1162  /*
1163 1163   * Object structure description.  For passing through in ioctls.
1164 1164   */
1165 1165  typedef struct  ipfobj  {
1166 1166          u_32_t  ipfo_rev;               /* IPFilter version number */
1167 1167          u_32_t  ipfo_size;              /* size of object at ipfo_ptr */
1168 1168          void    *ipfo_ptr;              /* pointer to object */
1169 1169          int     ipfo_type;              /* type of object being pointed to */
1170 1170          int     ipfo_offset;            /* bytes from ipfo_ptr where to start */
1171 1171          u_char  ipfo_xxxpad[32];        /* reserved for future use */
1172 1172  } ipfobj_t;
1173 1173  
1174 1174  /*
1175 1175   * ioctl struct for setting what zone further ioctls will act on. ipfz_gz is a
1176 1176   * boolean: set it to 1 to operate on the GZ-controlled stack.
1177 1177   */
1178 1178  typedef struct  ipfzoneobj      {
1179 1179          u_32_t          ipfz_gz;                        /* GZ stack boolean */
1180 1180          char            ipfz_zonename[ZONENAME_MAX];    /* zone to act on */
1181 1181  } ipfzoneobj_t;
1182 1182  
1183 1183  #if defined(_KERNEL)
1184 1184  /* Set ipfs_zoneid to this if no zone has been set: */
1185 1185  #define IPFS_ZONE_UNSET -2
1186 1186  
1187 1187  typedef struct  ipf_devstate    {
1188 1188          zoneid_t        ipfs_zoneid;
1189 1189          minor_t         ipfs_minor;
1190 1190          boolean_t       ipfs_gz;
1191 1191  } ipf_devstate_t;
1192 1192  #endif
1193 1193  
1194 1194  #define IPFOBJ_FRENTRY          0       /* struct frentry */
1195 1195  #define IPFOBJ_IPFSTAT          1       /* struct friostat */
1196 1196  #define IPFOBJ_IPFINFO          2       /* struct fr_info */
1197 1197  #define IPFOBJ_AUTHSTAT         3       /* struct fr_authstat */
1198 1198  #define IPFOBJ_FRAGSTAT         4       /* struct ipfrstat */
1199 1199  #define IPFOBJ_IPNAT            5       /* struct ipnat */
1200 1200  #define IPFOBJ_NATSTAT          6       /* struct natstat */
1201 1201  #define IPFOBJ_STATESAVE        7       /* struct ipstate_save */
1202 1202  #define IPFOBJ_NATSAVE          8       /* struct nat_save */
1203 1203  #define IPFOBJ_NATLOOKUP        9       /* struct natlookup */
1204 1204  #define IPFOBJ_IPSTATE          10      /* struct ipstate */
1205 1205  #define IPFOBJ_STATESTAT        11      /* struct ips_stat */
1206 1206  #define IPFOBJ_FRAUTH           12      /* struct frauth */
1207 1207  #define IPFOBJ_TUNEABLE         13      /* struct ipftune */
1208 1208  #define IPFOBJ_NAT              14      /* struct nat */
1209 1209  #define IPFOBJ_IPFITER          15      /* struct ipfruleiter */
1210 1210  #define IPFOBJ_GENITER          16      /* struct ipfgeniter */
1211 1211  #define IPFOBJ_GTABLE           17      /* struct ipftable */
1212 1212  #define IPFOBJ_LOOKUPITER       18      /* struct ipflookupiter */
1213 1213  #define IPFOBJ_COUNT            19      /* How many #defines are above this? */
1214 1214  
1215 1215  
1216 1216  typedef union   ipftunevalptr   {
1217 1217          void    *ipftp_void;
1218 1218          u_long  *ipftp_long;
1219 1219          u_int   *ipftp_int;
1220 1220          u_short *ipftp_short;
1221 1221          u_char  *ipftp_char;
1222 1222  } ipftunevalptr_t;
1223 1223  
1224 1224  typedef struct  ipftuneable     {
1225 1225          ipftunevalptr_t ipft_una;
1226 1226          char            *ipft_name;
1227 1227          u_long          ipft_min;
1228 1228          u_long          ipft_max;
1229 1229          int             ipft_sz;
1230 1230          int             ipft_flags;
1231 1231          struct ipftuneable *ipft_next;
1232 1232  } ipftuneable_t;
1233 1233  
1234 1234  #define ipft_addr       ipft_una.ipftp_void
1235 1235  #define ipft_plong      ipft_una.ipftp_long
1236 1236  #define ipft_pint       ipft_una.ipftp_int
1237 1237  #define ipft_pshort     ipft_una.ipftp_short
1238 1238  #define ipft_pchar      ipft_una.ipftp_char
1239 1239  
1240 1240  #define IPFT_RDONLY     1       /* read-only */
1241 1241  #define IPFT_WRDISABLED 2       /* write when disabled only */
1242 1242  
1243 1243  typedef union   ipftuneval      {
1244 1244          u_long  ipftu_long;
1245 1245          u_int   ipftu_int;
1246 1246          u_short ipftu_short;
1247 1247          u_char  ipftu_char;
1248 1248  } ipftuneval_t;
1249 1249  
1250 1250  typedef struct  ipftune {
1251 1251          void            *ipft_cookie;
1252 1252          ipftuneval_t    ipft_un;
1253 1253          u_long          ipft_min;
1254 1254          u_long          ipft_max;
1255 1255          int             ipft_sz;
1256 1256          int             ipft_flags;
1257 1257          char            ipft_name[80];
1258 1258  } ipftune_t;
1259 1259  
1260 1260  #define ipft_vlong      ipft_un.ipftu_long
1261 1261  #define ipft_vint       ipft_un.ipftu_int
1262 1262  #define ipft_vshort     ipft_un.ipftu_short
1263 1263  #define ipft_vchar      ipft_un.ipftu_char
1264 1264  
1265 1265  /*
1266 1266   * ipfruleiter is iterator structure used for filter rules.
1267 1267   */
1268 1268  typedef struct  ipfruleiter {
1269 1269          int             iri_ver;
1270 1270          int             iri_inout;
1271 1271          char            iri_group[FR_GROUPLEN];
1272 1272          int             iri_active;
1273 1273          int             iri_nrules;
1274 1274          frentry_t       *iri_rule;
1275 1275  } ipfruleiter_t;
1276 1276  
1277 1277  /* Values for iri_inout  */
1278 1278  #define F_IN    0
1279 1279  #define F_OUT   1
1280 1280  #define F_ACIN  2
1281 1281  #define F_ACOUT 3
1282 1282  
1283 1283  /*
1284 1284   * ipfgeniter is generic iterator structure used for nat rules,
1285 1285   * hostmap entries and nat table entries.
1286 1286   */
1287 1287  typedef struct  ipfgeniter {
1288 1288          int     igi_type;       /* type of data we're looking at */
1289 1289          int     igi_nitems;
1290 1290          void    *igi_data;
1291 1291  } ipfgeniter_t;
1292 1292  
1293 1293  #define IPFGENITER_IPF          0
1294 1294  #define IPFGENITER_NAT          1
1295 1295  #define IPFGENITER_IPNAT        2
1296 1296  #define IPFGENITER_FRAG         3
1297 1297  #define IPFGENITER_AUTH         4
1298 1298  #define IPFGENITER_STATE        5
1299 1299  #define IPFGENITER_NATFRAG      6
1300 1300  #define IPFGENITER_HOSTMAP      7
1301 1301  #define IPFGENITER_LOOKUP       8
1302 1302  
1303 1303  typedef struct  ipftable {
1304 1304          int     ita_type;
1305 1305          void    *ita_table;
1306 1306  } ipftable_t;
1307 1307  
1308 1308  typedef struct ipftoken {
1309 1309          struct ipftoken *ipt_next;
1310 1310          struct ipftoken **ipt_pnext;
1311 1311          void            *ipt_ctx;
1312 1312          void            *ipt_data;
1313 1313          u_long          ipt_die;
1314 1314          int             ipt_type;
1315 1315          int             ipt_uid;
1316 1316          int             ipt_subtype;
1317 1317          int             ipt_alive;
1318 1318  } ipftoken_t;
1319 1319  
1320 1320  
1321 1321  /*
1322 1322   * sync commands
1323 1323   */
1324 1324  #define IPFSYNC_RESYNC  0
1325 1325  #define IPFSYNC_NEWIFP  1
1326 1326  #define IPFSYNC_OLDIFP  2
1327 1327  
1328 1328  
1329 1329  /*
1330 1330  ** HPUX Port
1331 1331  */
1332 1332  #ifdef __hpux
1333 1333  /* HP-UX locking sequence deadlock detection module lock MAJOR ID */
1334 1334  # define        IPF_SMAJ        0       /* temp assignment XXX, not critical */
1335 1335  #endif
1336 1336  
1337 1337  #if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
1338 1338      (__FreeBSD_version >= 220000)
1339 1339  # define        CDEV_MAJOR      79
1340 1340  #endif
1341 1341  
1342 1342  /*
1343 1343   * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
1344 1344   * on those hooks.  We don't need any special mods in non-IP Filter code
1345 1345   * with this!
1346 1346   */
1347 1347  #if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
1348 1348      (defined(NetBSD1_2) && NetBSD1_2 > 1) || \
1349 1349      (defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
1350 1350  # if (NetBSD >= 199905)
1351 1351  #  define PFIL_HOOKS
1352 1352  # endif
1353 1353  # ifdef PFIL_HOOKS
1354 1354  #  define NETBSD_PF
1355 1355  # endif
1356 1356  #endif
1357 1357  
1358 1358  #ifndef _KERNEL
1359 1359  extern  int     fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
1360 1360  extern  int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
1361 1361  extern  int     ipf_log __P((void));
1362 1362  extern  struct  ifnet *get_unit __P((char *, int, ipf_stack_t *));
1363 1363  extern  char    *get_ifname __P((struct ifnet *));
1364 1364  # if defined(__NetBSD__) || defined(__OpenBSD__) || \
1365 1365            (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
1366 1366  extern  int     frrequest __P((int, u_long, caddr_t, int, int, ipf_stack_t *));
1367 1367  # else
1368 1368  extern  int     iplioctl __P((int, ioctlcmd_t, caddr_t, int));
1369 1369  # endif
1370 1370  extern  int     iplopen __P((dev_t, int));
1371 1371  extern  int     iplclose __P((dev_t, int));
1372 1372  extern  void    m_freem __P((mb_t *));
1373 1373  #else /* #ifndef _KERNEL */
1374 1374  extern  phy_if_t        get_unit __P((char *, int, ipf_stack_t *));
1375 1375  # if defined(__NetBSD__) && defined(PFIL_HOOKS)
1376 1376  extern  void    ipfilterattach __P((int));
1377 1377  # endif
1378 1378  extern  int     ipl_enable __P((void));
1379 1379  extern  int     ipl_disable __P((void));
1380 1380  # ifdef MENTAT
1381 1381  extern  int     fr_check __P((struct ip *, int, void *, int, void *,
1382 1382                                mblk_t **, ipf_stack_t *));
1383 1383  #  if SOLARIS
1384 1384  #   if SOLARIS2 >= 7
1385 1385  extern  int     iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
1386 1386  #   else
1387 1387  extern  int     iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
1388 1388  #   endif
1389 1389  #   if SOLARIS2 >= 10 && defined(_KERNEL)
1390 1390  extern  int     fr_make_rst __P((fr_info_t *));
1391 1391  extern  int     fr_make_icmp __P((fr_info_t *));
1392 1392  extern  void    fr_calc_chksum __P((fr_info_t *, mb_t *));
1393 1393  extern  ipf_stack_t *ipf_find_stack(const zoneid_t, ipf_devstate_t *);
1394 1394  #   endif
1395 1395  extern  int     iplopen __P((dev_t *, int, int, cred_t *));
1396 1396  extern  int     iplclose __P((dev_t, int, int, cred_t *));
1397 1397  extern  int     iplread __P((dev_t, uio_t *, cred_t *));
1398 1398  extern  int     iplwrite __P((dev_t, uio_t *, cred_t *));
1399 1399  #  endif
1400 1400  #  ifdef __hpux
1401 1401  extern  int     iplopen __P((dev_t, int, intptr_t, int));
1402 1402  extern  int     iplclose __P((dev_t, int, int));
1403 1403  extern  int     iplioctl __P((dev_t, int, caddr_t, int));
1404 1404  extern  int     iplread __P((dev_t, uio_t *));
1405 1405  extern  int     iplwrite __P((dev_t, uio_t *));
1406 1406  extern  int     iplselect __P((dev_t, int));
1407 1407  #  endif
1408 1408  extern  int     ipfsync __P((ipf_stack_t *));
1409 1409  extern  int     fr_qout __P((queue_t *, mblk_t *));
1410 1410  # else /* MENTAT */
1411 1411  extern  int     fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
1412 1412  extern  int     (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
1413 1413  extern  size_t  mbufchainlen __P((mb_t *));
1414 1414  #  ifdef        __sgi
1415 1415  #   include <sys/cred.h>
1416 1416  extern  int     iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
1417 1417  extern  int     iplopen __P((dev_t *, int, int, cred_t *));
1418 1418  extern  int     iplclose __P((dev_t, int, int, cred_t *));
1419 1419  extern  int     iplread __P((dev_t, uio_t *, cred_t *));
1420 1420  extern  int     iplwrite __P((dev_t, uio_t *, cred_t *));
1421 1421  extern  int     ipfsync __P((ipf_stack_t *));
1422 1422  extern  int     ipfilter_sgi_attach __P((void));
1423 1423  extern  void    ipfilter_sgi_detach __P((void));
1424 1424  extern  void    ipfilter_sgi_intfsync __P((void));
1425 1425  #  else
1426 1426  #   ifdef       IPFILTER_LKM
1427 1427  extern  int     iplidentify __P((char *));
1428 1428  #   endif
1429 1429  #   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
1430 1430        (NetBSD >= 199511) || defined(__OpenBSD__)
1431 1431  #    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
1432 1432         defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
1433 1433  #     if (__FreeBSD_version >= 500024)
1434 1434  #      if (__FreeBSD_version >= 502116)
1435 1435  extern  int     iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
1436 1436  #      else
1437 1437  extern  int     iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
1438 1438  #      endif /* __FreeBSD_version >= 502116 */
1439 1439  #     else
1440 1440  extern  int     iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
1441 1441  #     endif /* __FreeBSD_version >= 500024 */
1442 1442  #    else
1443 1443  extern  int     iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
1444 1444  #    endif
1445 1445  #    if (__FreeBSD_version >= 500024)
1446 1446  #      if (__FreeBSD_version >= 502116)
1447 1447  extern  int     iplopen __P((struct cdev*, int, int, struct thread *));
1448 1448  extern  int     iplclose __P((struct cdev*, int, int, struct thread *));
1449 1449  #      else
1450 1450  extern  int     iplopen __P((dev_t, int, int, struct thread *));
1451 1451  extern  int     iplclose __P((dev_t, int, int, struct thread *));
1452 1452  #      endif /* __FreeBSD_version >= 502116 */
1453 1453  #    else
1454 1454  extern  int     iplopen __P((dev_t, int, int, struct proc *));
1455 1455  extern  int     iplclose __P((dev_t, int, int, struct proc *));
1456 1456  #    endif /* __FreeBSD_version >= 500024 */
1457 1457  #   else
1458 1458  #    ifdef linux
1459 1459  extern  int     iplioctl __P((struct inode *, struct file *, u_int, u_long));
1460 1460  #    else
1461 1461  extern  int     iplopen __P((dev_t, int));
1462 1462  extern  int     iplclose __P((dev_t, int));
1463 1463  extern  int     iplioctl __P((dev_t, int, caddr_t, int));
1464 1464  #    endif
1465 1465  #   endif /* (_BSDI_VERSION >= 199510) */
1466 1466  #   if  BSD >= 199306
1467 1467  #      if (__FreeBSD_version >= 502116)
1468 1468  extern  int     iplread __P((struct cdev*, struct uio *, int));
1469 1469  extern  int     iplwrite __P((struct cdev*, struct uio *, int));
1470 1470  #      else
1471 1471  extern  int     iplread __P((dev_t, struct uio *, int));
1472 1472  extern  int     iplwrite __P((dev_t, struct uio *, int));
1473 1473  #      endif /* __FreeBSD_version >= 502116 */
1474 1474  #   else
1475 1475  #    ifndef linux
1476 1476  extern  int     iplread __P((dev_t, struct uio *));
1477 1477  extern  int     iplwrite __P((dev_t, struct uio *));
1478 1478  #    endif
1479 1479  #   endif /* BSD >= 199306 */
1480 1480  #  endif /* __ sgi */
1481 1481  # endif /* MENTAT */
1482 1482  
1483 1483  #endif /* #ifndef _KERNEL */
1484 1484  
1485 1485  extern  char    *memstr __P((char *, char *, int, int));
1486 1486  extern  int     count4bits __P((u_32_t));
1487 1487  extern  int     count6bits __P((u_32_t *));
1488 1488  extern  int     frrequest __P((int, ioctlcmd_t, caddr_t, int, int, ipf_stack_t *));
1489 1489  extern  char    *getifname __P((struct ifnet *));
1490 1490  extern  int     iplattach __P((ipf_stack_t *));
1491 1491  extern  int     ipldetach __P((ipf_stack_t *));
1492 1492  extern  u_short ipf_cksum __P((u_short *, int));
1493 1493  extern  int     copyinptr __P((void *, void *, size_t));
1494 1494  extern  int     copyoutptr __P((void *, void *, size_t));
1495 1495  extern  int     fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
1496 1496  extern  int     fr_inobj __P((void *, void *, int));
1497 1497  extern  int     fr_inobjsz __P((void *, void *, int, int));
1498 1498  extern  int     fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *,
1499 1499                                      ipf_stack_t *));
1500 1500  extern  int     fr_ipftune __P((ioctlcmd_t, void *, ipf_stack_t *));
1501 1501  extern  int     fr_outobj __P((void *, void *, int));
1502 1502  extern  int     fr_outobjsz __P((void *, void *, int, int));
1503 1503  extern  void    *fr_pullup __P((mb_t *, fr_info_t *, int));
1504 1504  extern  void    fr_resolvedest __P((struct frdest *, int, ipf_stack_t *));
1505 1505  extern  int     fr_resolvefunc __P((void *));
1506 1506  extern  void    *fr_resolvenic __P((char *, int, ipf_stack_t *));
1507 1507  extern  int     fr_send_icmp_err __P((int, fr_info_t *, int));
1508 1508  extern  int     fr_send_reset __P((fr_info_t *));
1509 1509  #if  (__FreeBSD_version < 490000) || !defined(_KERNEL)
1510 1510  extern  int     ppsratecheck __P((struct timeval *, int *, int));
1511 1511  #endif
1512 1512  extern  ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int, ipf_stack_t *));
1513 1513  extern  void    fr_deletequeueentry __P((ipftqent_t *));
1514 1514  extern  int     fr_deletetimeoutqueue __P((ipftq_t *));
1515 1515  extern  void    fr_freetimeoutqueue __P((ipftq_t *, ipf_stack_t *));
1516 1516  extern  void    fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *,
1517 1517                                    ipf_stack_t *));
1518 1518  extern  void    fr_queueappend __P((ipftqent_t *, ipftq_t *, void *,
1519 1519                                      ipf_stack_t *));
1520 1520  extern  void    fr_queueback __P((ipftqent_t *, ipf_stack_t *));
1521 1521  extern  void    fr_queuefront __P((ipftqent_t *));
1522 1522  extern  void    fr_checkv4sum __P((fr_info_t *));
1523 1523  extern  int     fr_checkl4sum __P((fr_info_t *));
1524 1524  extern  int     fr_ifpfillv4addr __P((int, struct sockaddr_in *,
1525 1525                                        struct sockaddr_in *, struct in_addr *,
1526 1526                                        struct in_addr *));
1527 1527  extern  int     fr_coalesce __P((fr_info_t *));
1528 1528  #ifdef  USE_INET6
1529 1529  extern  void    fr_checkv6sum __P((fr_info_t *));
1530 1530  extern  int     fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
1531 1531                                        struct sockaddr_in6 *, struct in_addr *,
1532 1532                                        struct in_addr *));
1533 1533  #endif
1534 1534  
1535 1535  #define IPFILTER_COMPAT
1536 1536  extern  int     fr_incomptrans __P((ipfobj_t *, void *));
1537 1537  extern  int     fr_outcomptrans __P((ipfobj_t *, void *));
1538 1538  
1539 1539  extern  int             fr_addipftune __P((ipftuneable_t *, ipf_stack_t *));
1540 1540  extern  int             fr_delipftune __P((ipftuneable_t *, ipf_stack_t *));
1541 1541  
1542 1542  extern  int     frflush __P((minor_t, int, int, ipf_stack_t *));
1543 1543  extern  void    frsync __P((int, int, void *, char *, ipf_stack_t *));
1544 1544  #if SOLARIS2 >= 10
1545 1545  extern  void    fr_ifindexsync __P((void *, void *, ipf_stack_t *));
1546 1546  #endif
1547 1547  extern  frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int,
1548 1548                                      ipf_stack_t *));
1549 1549  extern  int     fr_derefrule __P((frentry_t **, ipf_stack_t *));
1550 1550  extern  void    fr_delgroup __P((char *, minor_t, int, ipf_stack_t *));
1551 1551  extern  frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***,
  
  
1552 1552                                       ipf_stack_t *));
1553 1553  
1554 1554  extern  int     fr_loginit __P((ipf_stack_t *));
1555 1555  extern  int     ipflog_clear __P((minor_t, ipf_stack_t *));
1556 1556  extern  int     ipflog_read __P((minor_t, struct uio *, ipf_stack_t *));
1557 1557  extern  int     ipflog __P((fr_info_t *, u_int));
1558 1558  extern  int     ipllog __P((int, fr_info_t *, void **, size_t *, int *, int,
1559 1559                              ipf_stack_t *));
1560 1560  extern  void    fr_logunload __P((ipf_stack_t *));
1561 1561  
     1562 +/* SmartOS single-FD global-zone state accumulator (see cfw.c) */
     1563 +extern boolean_t ipf_cfwlog_enabled;
     1564 +struct ipstate; /* Ugggh. */
     1565 +extern void ipf_log_cfwlog __P((struct ipstate *, uint_t, ipf_stack_t *));
     1566 +extern void ipf_block_cfwlog __P((frentry_t *, fr_info_t *, ipf_stack_t *));
     1567 +#define IFS_CFWLOG(ifs) ((ifs)->ifs_gz_controlled && ipf_cfwlog_enabled)
     1568 +
     1569 +
1562 1570  extern  frentry_t       *fr_acctpkt __P((fr_info_t *, u_32_t *));
1563 1571  extern  int             fr_copytolog __P((int, char *, int));
1564 1572  extern  u_short         fr_cksum __P((mb_t *, ip_t *, int, void *));
1565 1573  extern  void            fr_deinitialise __P((ipf_stack_t *));
1566 1574  extern  frentry_t       *fr_dolog __P((fr_info_t *, u_32_t *));
1567 1575  extern  frentry_t       *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
1568 1576  extern  void            fr_fixskip __P((frentry_t **, frentry_t *, int));
1569 1577  extern  void            fr_forgetifp __P((void *, ipf_stack_t *));
1570 1578  extern  frentry_t       *fr_getrulen __P((int, char *, u_32_t, 
1571 1579                                            ipf_stack_t *));
1572 1580  extern  void            fr_getstat __P((struct friostat *, ipf_stack_t *));
1573 1581  extern  int             fr_ifpaddr __P((int, int, void *,
1574 1582                                          struct in_addr *, struct in_addr *,
1575 1583                                          ipf_stack_t *));
1576 1584  extern  int             fr_initialise __P((ipf_stack_t *));
1577 1585  extern  int             fr_lock __P((caddr_t, int *));
1578 1586  extern  int             fr_makefrip __P((int, ip_t *, fr_info_t *));
1579 1587  extern  int             fr_matchtag __P((ipftag_t *, ipftag_t *));
1580 1588  extern  int             fr_matchicmpqueryreply __P((int, icmpinfo_t *,
1581 1589                                                      struct icmp *, int));
1582 1590  extern  u_32_t          fr_newisn __P((fr_info_t *));
1583 1591  extern  u_short         fr_nextipid __P((fr_info_t *));
1584 1592  extern  int             fr_rulen __P((int, frentry_t *, ipf_stack_t *));
1585 1593  extern  int             fr_scanlist __P((fr_info_t *, u_32_t));
1586 1594  extern  frentry_t       *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
1587 1595  extern  int             fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
1588 1596  extern  int             fr_verifysrc __P((fr_info_t *fin));
1589 1597  extern  int             fr_zerostats __P((char *, ipf_stack_t *));
1590 1598  extern  ipftoken_t      *ipf_findtoken __P((int, int, void *, ipf_stack_t *));
1591 1599  extern  int             ipf_getnextrule __P((ipftoken_t *, void *,
1592 1600                                               ipf_stack_t *));
1593 1601  extern  void            ipf_expiretokens __P((ipf_stack_t *));
1594 1602  extern  void            ipf_freetoken __P((ipftoken_t *, ipf_stack_t *));
1595 1603  extern  int             ipf_deltoken __P((int, int, void *, ipf_stack_t *));
1596 1604  extern  int             ipf_genericiter __P((void *, int, void *, ipf_stack_t *));
1597 1605  extern  int             ipf_extraflush __P((int, ipftq_t *, ipftq_t *, ipf_stack_t *));
1598 1606  extern  int             ipf_flushclosing __P((int, int, ipftq_t *, ipftq_t *, ipf_stack_t *));
1599 1607  extern  int             ipf_earlydrop __P((int, ipftq_t *, int, ipf_stack_t *));
1600 1608  
1601 1609  #ifndef ipf_random
1602 1610  extern  u_32_t          ipf_random __P((void));
1603 1611  #endif
1604 1612  
1605 1613  #if defined(_KERNEL)
1606 1614  extern  int     fr_setzoneid __P((ipf_devstate_t *, void *));
1607 1615  #endif
1608 1616  
1609 1617  extern  char    ipfilter_version[];
1610 1618  #ifdef  USE_INET6
1611 1619  extern  int     icmptoicmp6types[ICMP_MAXTYPE+1];
1612 1620  extern  int     icmptoicmp6unreach[ICMP_MAX_UNREACH];
1613 1621  extern  int     icmpreplytype6[ICMP6_MAXTYPE + 1];
1614 1622  #endif
1615 1623  extern  int     icmpreplytype4[ICMP_MAXTYPE + 1];
1616 1624  extern  frentry_t *ipfrule_match __P((fr_info_t *));
1617 1625  
1618 1626  extern void     ipftuneable_alloc(ipf_stack_t *);
1619 1627  extern void     ipftuneable_free(ipf_stack_t *);
1620 1628  
1621 1629  #endif  /* __IP_FIL_H__ */
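Review bot: `IFS_CFWLOG(ifs)` and `ipf_cfwlog_enabled` are declared without saying who sets the flag or when it may change, so a reader of this header cannot tell whether the process-wide global is toggled only while the single cfw log descriptor is opened and closed, or may flip under a running packet path where the macro is presumably evaluated per packet; the note "(see cfw.c)" defers that to another file. Expanding the header comment to something like `/* ipf_cfwlog_enabled is owned by the single cfw log consumer (cfw.c); IFS_CFWLOG() is evaluated on the packet path and only fires for GZ-controlled stacks. */` would state the contract where the macro is defined. The `/* Ugggh. */` on `struct ipstate;` should say why the forward declaration is needed here (presumably to avoid pulling the state header into this one), and the two blank lines after the `#define` leave a triple blank before `fr_acctpkt`.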
  