ip_fw.h revision 84058
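/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * $FreeBSD: head/sys/netinet/ip_fw.h 84058 2001-09-27 23:44:27Z luigi $
 */

/*
 * ip_fw.h -- layout of ipfw firewall rules and the constants that
 * describe them.
 *
 * The structures below are the rule representation shared between the
 * kernel and userland: the control hook declared at the bottom of this
 * file (ip_fw_ctl_t) takes a struct sockopt, so rules presumably arrive
 * from userland through setsockopt() and are copied into these layouts.
 * Field order, field types and the numeric values of the IP_FW_* constants
 * are therefore an ABI; do not reorder or resize anything here.
 *
 * A rule coming in from userland must be treated as untrusted until the
 * kernel has checked it against the limits defined here (IP_FW_MAX_PORTS,
 * FW_IFNLEN, IP_FW_F_MASK, IP_FW_IF_MSK, ...).  That validation is not
 * part of this header; it is expected to live in ip_fw.c -- confirm there.
 */

#ifndef _IP_FW_H
#define _IP_FW_H

#include <sys/queue.h>

/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 indicates matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */

union ip_fw_if {
	struct in_addr fu_via_ip;	/* Specified by IP address */
	struct {			/* Specified by interface name */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ */
		char name[FW_IFNLEN];	/* not necessarily NUL-terminated: a
					 * name that fills all FW_IFNLEN bytes
					 * has no terminator, so readers must
					 * bound every compare/copy to
					 * FW_IFNLEN rather than use strlen() */
		short unit;		/* -1 means match any unit */
	} fu_via_if;
};

/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */

struct ip_fw {
	LIST_ENTRY(ip_fw) next;		/* bidirectional list of rules */
	u_int fw_flg;			/* Operational Flags word; only the
					 * bits in IP_FW_F_MASK are defined */

	u_int64_t fw_pcnt,fw_bcnt;	/* Packet and byte counters */
	struct in_addr fw_src, fw_dst;	/* Source and dest. IP addr */
	struct in_addr fw_smsk, fw_dmsk;	/* Mask for above addresses */
	u_short fw_number;		/* Rule number */
	u_char fw_prot;			/* IP protocol */
#if 1
	u_char fw_nports;		/* # of src/dst port in array */
/*
 * fw_nports packs two 4-bit counts into one byte: the low nibble is the
 * number of source ports and the high nibble the number of destination
 * ports, both describing entries of fw_uar.fw_pts[] (source ports first,
 * judging by the IP_FW_F_SRNG/IP_FW_F_DRNG descriptions below).
 *
 * The setters mask their argument to four bits so that a count outside
 * 0..15 cannot spill into the neighbouring nibble.  Masking is not a
 * substitute for validation: the two counts added together must still be
 * checked against IP_FW_MAX_PORTS before fw_pts[] is indexed, because a
 * nibble can hold 15 while the array holds only IP_FW_MAX_PORTS entries.
 * That check is expected in ip_fw.c where the rule is accepted -- confirm.
 */
#define IP_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)		do {				\
					    (rule)->fw_nports &= ~0x0f;	\
					    (rule)->fw_nports |= ((n) & 0x0f); \
					} while (0)
#define IP_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)		do {				\
					    (rule)->fw_nports &= ~0xf0;	\
					    (rule)->fw_nports |= (((n) & 0x0f) << 4); \
					} while (0)
#define	IP_FW_HAVEPORTS(rule)		((rule)->fw_nports != 0)
#else
	/*
	 * Disabled alternative layout with two full-width counters.  Kept
	 * for reference only; it is not the layout the kernel and userland
	 * currently agree on, so enabling it changes the ABI.
	 */
	u_char __pad[1];
u_int _nsrcp, _ndstp;
#define IP_FW_GETNSRCP(rule)		(rule)->_nsrcp
#define IP_FW_SETNSRCP(rule,n)		(rule)->_nsrcp = n
#define IP_FW_GETNDSTP(rule)		(rule)->_ndstp
#define IP_FW_SETNDSTP(rule,n)		(rule)->_ndstp = n
#define	IP_FW_HAVEPORTS(rule)		((rule)->_ndstp + (rule)->_nsrcp != 0)
#endif
#define	IP_FW_MAX_PORTS	10		/* A reasonable maximum */
	union {
	u_short fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
#define	IP_FW_ICMPTYPES_MAX	128
	/* number of unsigned words needed for one bit per ICMP type;
	 * the literal 8 assumes 8-bit bytes (CHAR_BIT == 8) */
#define	IP_FW_ICMPTYPES_DIM	(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
	unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
	} fw_uar;

	u_int fw_ipflg;			/* IP flags word; uses the IP_FW_IF_*
					 * bits, all within IP_FW_IF_MSK */

	u_short fw_iplen, fw_ipid;	/* IP length, identification */

	u_char fw_ipopt,fw_ipnopt;	/* IP options set/unset */
	u_char fw_iptos, fw_ipntos;	/* IP type of service set/unset */

	u_char fw_ipttl;		/* IP time to live */
	u_int fw_ipver:4;		/* IP version */
	u_char fw_tcpopt,fw_tcpnopt;	/* TCP options set/unset */

	u_char fw_tcpf,fw_tcpnf;	/* TCP flags set/unset */
	u_short fw_tcpwin;		/* TCP window size */

	u_int32_t fw_tcpseq, fw_tcpack;	/* TCP sequence and acknowledgement */
	long timestamp;			/* timestamp (tv_sec) of last match */
	union ip_fw_if fw_in_if, fw_out_if;	/* Incoming and outgoing interfaces */
	/*
	 * Action argument; which member is meaningful depends on the
	 * IP_FW_F_COMMAND bits of fw_flg (see the fw_* aliases below).
	 */
	union {
		u_short fu_divert_port;	/* Divert/tee port (options IPDIVERT) */
		u_short fu_pipe_nr;	/* queue number (option DUMMYNET) */
		u_short fu_skipto_rule;	/* SKIPTO command rule number */
		u_short fu_reject_code;	/* REJECT response code */
		struct sockaddr_in fu_fwd_ip;
	} fw_un;
	/*
	 * The two pointers below are kernel-private caches; a rule handed in
	 * from userland carries whatever the caller wrote here, so they must
	 * be (re)initialised by the kernel rather than trusted.
	 */
	void *pipe_ptr;			/* flow_set ptr for dummynet pipe */
	void *next_rule_ptr ;		/* next rule in case of match */
	uid_t fw_uid;			/* uid to match */
	gid_t fw_gid;			/* gid to match */
	int fw_logamount;		/* amount to log */
	u_int64_t fw_loghighest;	/* highest number packet to log */

	long dont_match_prob;		/* 0x7fffffff means 1.0, always fail */
	u_char dyn_type;		/* type for dynamic rule */
#define DYN_KEEP_STATE	0	/* type for keep-state rules */
#define DYN_LIMIT	1	/* type for limit connection rules */
#define DYN_LIMIT_PARENT 2	/* parent entry for limit connection rules */
	/* following two fields are used to limit number of connections
	 * basing on either src,srcport,dst,dstport.
	 */
	u_char limit_mask ;		/* mask type for limit rule, can have many */
#define	DYN_SRC_ADDR	0x1
#define	DYN_SRC_PORT	0x2
#define	DYN_DST_ADDR	0x4
#define	DYN_DST_PORT	0x8
	u_short conn_limit ;		/* # of connections for limit rule */
};

/* Convenience aliases for the members of fw_un. */
#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code
#define fw_pipe_nr	fw_un.fu_pipe_nr
#define fw_fwd_ip	fw_un.fu_fwd_ip

/**
 *
 * rule_ptr -------------+
 *                       V
 *     [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
 *     [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
 *     [ <ip_fw> body ]     [ <ip_fw> body ]     [ <ip_fw> body ]
 *
 */

/*
 * Flow mask/flow id for each queue.
 */
struct ipfw_flow_id {
	u_int32_t dst_ip, src_ip ;
	u_int16_t dst_port, src_port ;
	u_int8_t proto ;
	u_int8_t flags ;	/* protocol-specific flags */
} ;

/*
 * dynamic ipfw rule
 *
 * Created by the kernel for keep-state / limit rules (see the DYN_* types
 * above); the entries are chained per hash bucket through 'next'.
 */
struct ipfw_dyn_rule {
	struct ipfw_dyn_rule *next ;

	struct ipfw_flow_id id ;	/* (masked) flow id */
	struct ip_fw *rule ;		/* pointer to rule */
	struct ipfw_dyn_rule *parent ;	/* pointer to parent rule */
	u_int32_t expire ;		/* expire time */
	u_int64_t pcnt, bcnt;		/* match counters */
	u_int32_t bucket ;		/* which bucket in hash table */
	u_int32_t state ;		/* state of this rule (typ. a */
					/* combination of TCP flags) */
	u_int16_t dyn_type;		/* rule type */
	u_int16_t count;		/* refcount */
} ;

/*
 * Values for "flags" field .
 *
 * The low byte (IP_FW_F_COMMAND) is an enumerated action, not a bit set;
 * everything above it is an independent option bit.
 */
#define IP_FW_F_COMMAND 0x000000ff	/* Mask for type of chain entry: */
#define IP_FW_F_DENY	0x00000000	/* This is a deny rule */
#define IP_FW_F_REJECT	0x00000001	/* Deny and send a response packet */
#define IP_FW_F_ACCEPT	0x00000002	/* This is an accept rule */
#define IP_FW_F_COUNT	0x00000003	/* This is a count rule */
#define IP_FW_F_DIVERT	0x00000004	/* This is a divert rule */
#define IP_FW_F_TEE	0x00000005	/* This is a tee rule */
#define IP_FW_F_SKIPTO	0x00000006	/* This is a skipto rule */
#define IP_FW_F_FWD	0x00000007	/* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE	0x00000008	/* This is a dummynet rule */
#define IP_FW_F_QUEUE	0x00000009	/* This is a dummynet queue */

#define IP_FW_F_IN	0x00000100	/* Check inbound packets */
#define IP_FW_F_OUT	0x00000200	/* Check outbound packets */
#define IP_FW_F_IIFACE	0x00000400	/* Apply inbound interface test */
#define IP_FW_F_OIFACE	0x00000800	/* Apply outbound interface test */

#define IP_FW_F_PRN	0x00001000	/* Print if this rule matches */

#define IP_FW_F_SRNG	0x00002000	/* The first two src ports are a min *
					 * and max range (stored in host byte *
					 * order).                             */

#define IP_FW_F_DRNG	0x00004000	/* The first two dst ports are a min *
					 * and max range (stored in host byte *
					 * order).                             */

#define IP_FW_F_FRAG	0x00008000	/* Fragment */

#define IP_FW_F_IIFNAME	0x00010000	/* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME	0x00020000	/* Out interface by name/unit (not IP) */

#define IP_FW_F_INVSRC	0x00040000	/* Invert sense of src check */
#define IP_FW_F_INVDST	0x00080000	/* Invert sense of dst check */

#define IP_FW_F_ICMPBIT 0x00100000	/* ICMP type bitmap is valid */

#define IP_FW_F_UID	0x00200000	/* filter by uid */

#define IP_FW_F_GID	0x00400000	/* filter by gid */

#define IP_FW_F_RND_MATCH 0x00800000	/* probabilistic rule match */
#define IP_FW_F_SMSK	0x01000000	/* src-port + mask */
#define IP_FW_F_DMSK	0x02000000	/* dst-port + mask */
#define	IP_FW_BRIDGED	0x04000000	/* only match bridged packets */
#define IP_FW_F_KEEP_S	0x08000000	/* keep state */
#define IP_FW_F_CHECK_S	0x10000000	/* check state */

#define IP_FW_F_SME	0x20000000	/* source = me */
#define IP_FW_F_DME	0x40000000	/* destination = me */

/* Every flag defined above is inside this mask; a fw_flg word with bits
 * outside it (bit 31) is malformed and should be rejected at rule load. */
#define IP_FW_F_MASK	0x7FFFFFFF	/* All possible flag bits mask */

/*
 * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.
 */
#define	IP_FW_IF_TCPOPT	0x00000001	/* tcp options */
#define	IP_FW_IF_TCPFLG	0x00000002	/* tcp flags */
#define	IP_FW_IF_TCPSEQ	0x00000004	/* tcp sequence number */
#define	IP_FW_IF_TCPACK	0x00000008	/* tcp acknowledgement number */
#define	IP_FW_IF_TCPWIN	0x00000010	/* tcp window size */
#define	IP_FW_IF_TCPEST	0x00000020	/* established TCP connection */
#define	IP_FW_IF_TCPMSK	0x0000003f	/* mask of all tcp values */

#define	IP_FW_IF_IPOPT	0x00000100	/* ip options */
#define	IP_FW_IF_IPLEN	0x00000200	/* ip length */
#define	IP_FW_IF_IPID	0x00000400	/* ip identification */
#define	IP_FW_IF_IPTOS	0x00000800	/* ip type of service */
#define	IP_FW_IF_IPTTL	0x00001000	/* ip time to live */
#define	IP_FW_IF_IPVER	0x00002000	/* ip version */
#define	IP_FW_IF_IPMSK	0x00003f00	/* mask of all ip values */

#define	IP_FW_IF_MSK	0x0000ffff	/* All possible bits mask */

/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 *
 * (The IF_FW_ prefix differs from the IP_FW_ prefix used everywhere else;
 * the name is kept as is because external code refers to it.)
 */

#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)

/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IP_FW_REJECT_RST	0x0100		/* TCP packets: send RST */

/*
 * Definitions for IP option names.
 */
#define	IP_FW_IPOPT_LSRR	0x01
#define	IP_FW_IPOPT_SSRR	0x02
#define	IP_FW_IPOPT_RR		0x04
#define	IP_FW_IPOPT_TS		0x08

/*
 * Definitions for TCP option names.
 */
#define	IP_FW_TCPOPT_MSS	0x01
#define	IP_FW_TCPOPT_WINDOW	0x02
#define	IP_FW_TCPOPT_SACK	0x04
#define	IP_FW_TCPOPT_TS		0x08
#define	IP_FW_TCPOPT_CC		0x10

/*
 * Definitions for TCP flags.
 *
 * These alias the TH_* constants from <netinet/tcp.h>, which this header
 * does not include itself; the including file must provide them before
 * any IP_FW_TCPF_* macro is expanded.
 */
#define	IP_FW_TCPF_FIN		TH_FIN
#define	IP_FW_TCPF_SYN		TH_SYN
#define	IP_FW_TCPF_RST		TH_RST
#define	IP_FW_TCPF_PSH		TH_PUSH
#define	IP_FW_TCPF_ACK		TH_ACK
#define	IP_FW_TCPF_URG		TH_URG

/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef _KERNEL

/*
 * These values sit above the 16-bit port range, so they cannot collide
 * with a real divert/tee port number.  Presumably they are OR'd into the
 * port value that ip_fw_chk hands back through its u_int16_t * argument
 * to tell the caller how the packet was dispatched -- confirm in ip_fw.c.
 */
#define IP_FW_PORT_DYNT_FLAG	0x10000
#define IP_FW_PORT_TEE_FLAG	0x20000
#define IP_FW_PORT_DENY_FLAG	0x40000

/*
 * Function definitions.
 */
void ip_fw_init(void);

/*
 * Firewall hooks.
 *
 * ip_fw_chk_t is the packet-inspection entry point and ip_fw_ctl_t the
 * control (setsockopt) entry point; both are reached through the function
 * pointers below, which are NULL-able hooks installed by the firewall
 * module -- callers are expected to test the pointer before calling.
 * The meaning of ip_fw_chk_t's positional arguments is not documented
 * here; see the definition in ip_fw.c.
 */
struct ip;
struct sockopt;
typedef	int ip_fw_chk_t (struct ip **, int, struct ifnet *, u_int16_t *,
			struct mbuf **, struct ip_fw **, struct sockaddr_in **);
typedef	int ip_fw_ctl_t (struct sockopt *);
extern	ip_fw_chk_t *ip_fw_chk_ptr;
extern	ip_fw_ctl_t *ip_fw_ctl_ptr;
extern	int fw_one_pass;	/* tunable: meaning defined in ip_fw.c */
extern	int fw_enable;		/* tunable: firewall on/off switch (presumably) */
extern	struct ipfw_flow_id last_pkt ;
#endif /* _KERNEL */

#endif /* _IP_FW_H */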