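/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * $FreeBSD$
 */

#ifndef _IP_FW_H
#define _IP_FW_H

#include <sys/queue.h>

/*
 * ip_fw.h - rule, flow-id and dynamic-state definitions shared between the
 * user-space firewall control tool and the in-kernel packet filter.
 *
 * NOTE(review): struct ip_fw is the object passed through the socket-option
 * control path (see ip_fw_ctl_t below).  It embeds kernel pointers
 * (pipe_ptr, next_rule_ptr) and has implicit padding, neither of which
 * should reach user space; confirm in ip_fw.c that they are cleared before
 * a rule is copied out, and that every count, index and rule number is
 * re-validated when a rule is copied in.
 */

/*
 * This union identifies an interface, either explicitly by name or
 * implicitly by IP address.  The flags IP_FW_F_IIFNAME and IP_FW_F_OIFNAME
 * say how to interpret it.  An interface unit number of -1 matches any unit
 * number, while an IP address of 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against the packet
 * if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE) is set.  Note
 * that some packets lack a receive or transmit interface, in which case the
 * missing "interface" never matches.
 */
union ip_fw_if {
	struct in_addr fu_via_ip;	/* Specified by IP address */
	struct {			/* Specified by interface name */
#define FW_IFNLEN	10		/* need room ! was IFNAMSIZ */
		char	name[FW_IFNLEN];	/* not guaranteed NUL-terminated:
						 * compare with a bounded routine */
		short	unit;		/* -1 means match any unit */
	} fu_via_if;
};

/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 */

/*
 * To match MAC headers the IP-level fields below are reused, so while a rule
 * carries IP_FW_F_MAC its fw_src/fw_dst/fw_smsk and fw_uar storage no longer
 * holds IP data:
 *   12 bytes at fw_mac_hdr       hold the dst-src MAC addresses after masking
 *                                (spans fw_src, fw_dst and fw_smsk, which must
 *                                stay declared back-to-back in struct ip_fw).
 *   12 bytes at fw_mac_mask      hold the mask applied to dst-src.
 *    2 bytes at fw_mac_type      hold the mac type after masking (net order).
 *    2 bytes at fw_mac_mask_type hold the mac type mask.
 * If IP_FW_F_SRNG is set, the two type fields hold the low-high ends of a
 * range of types instead.  IP_FW_F_DRNG is used to indicate a VLAN match.
 */
#define fw_mac_hdr	fw_src
#define fw_mac_mask	fw_uar
#define fw_mac_type	fw_iplen
#define fw_mac_mask_type fw_ipid

struct ip_fw {
	LIST_ENTRY(ip_fw) next;		/* bidirectional list of rules */
	u_int	fw_flg;			/* Operational Flags word (IP_FW_F_*) */
	u_int64_t fw_pcnt;		/* Packet counters */
	u_int64_t fw_bcnt;		/* Byte counters */

	struct in_addr fw_src;		/* Source IP address */
	struct in_addr fw_dst;		/* Destination IP address */
	struct in_addr fw_smsk;		/* Mask for source IP address */
	struct in_addr fw_dmsk;		/* Mask for destination address */
	u_short	fw_number;		/* Rule number */
	u_char	fw_prot;		/* IP protocol */
#if 1
	/*
	 * Port counts are packed into one byte: low nibble = number of
	 * source ports, high nibble = number of destination ports.  The
	 * setters confine n to its own nibble so an out-of-range count
	 * cannot silently clobber the neighbouring one; callers must still
	 * reject counts above IP_FW_MAX_PORTS before indexing fw_pts.
	 */
	u_char	fw_nports;		/* # of src/dst port in array */
#define IP_FW_GETNSRCP(rule)	((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)	do {				\
		(rule)->fw_nports &= ~0x0f;			\
		(rule)->fw_nports |= ((n) & 0x0f);		\
	} while (0)
#define IP_FW_GETNDSTP(rule)	((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)	do {				\
		(rule)->fw_nports &= ~0xf0;			\
		(rule)->fw_nports |= (((n) & 0x0f) << 4);	\
	} while (0)
#define IP_FW_HAVEPORTS(rule)	((rule)->fw_nports != 0)
#else
	/* Alternative unpacked layout (currently disabled). */
	u_char	__pad[1];
	u_int	_nsrcp;
	u_int	_ndstp;
#define IP_FW_GETNSRCP(rule)	((rule)->_nsrcp)
#define IP_FW_SETNSRCP(rule, n)	((rule)->_nsrcp = (n))
#define IP_FW_GETNDSTP(rule)	((rule)->_ndstp)
#define IP_FW_SETNDSTP(rule, n)	((rule)->_ndstp = (n))
#define IP_FW_HAVEPORTS(rule)	((rule)->_ndstp + (rule)->_nsrcp != 0)
#endif
#define IP_FW_MAX_PORTS	10		/* A reasonable maximum; src + dst
					 * counts together must not exceed it */
	union {
		u_short	fw_pts[IP_FW_MAX_PORTS];	/* port numbers to match */
#define IP_FW_ICMPTYPES_MAX	128
#define IP_FW_ICMPTYPES_DIM	(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
		unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
	} fw_uar;

	u_int	fw_ipflg;		/* IP flags word (IP_FW_IF_*) */
	u_short	fw_iplen;		/* IP length */
	u_short	fw_ipid;		/* Identification */
	u_char	fw_ipopt;		/* IP options set */
	u_char	fw_ipnopt;		/* IP options unset */
	u_char	fw_iptos;		/* IP type of service set */
	u_char	fw_ipntos;		/* IP type of service unset */
	u_char	fw_ipttl;		/* IP time to live */
	u_int	fw_ipver:4;		/* IP version */
	u_char	fw_tcpopt;		/* TCP options set */
	u_char	fw_tcpnopt;		/* TCP options unset */
	u_char	fw_tcpf;		/* TCP flags set */
	u_char	fw_tcpnf;		/* TCP flags unset */
	u_short	fw_tcpwin;		/* TCP window size */
	u_int32_t fw_tcpseq;		/* TCP sequence */
	u_int32_t fw_tcpack;		/* TCP acknowledgement */
	long	timestamp;		/* timestamp (tv_sec) of last match */
	union ip_fw_if fw_in_if;	/* Incoming interfaces */
	union ip_fw_if fw_out_if;	/* Outgoing interfaces */
	union {				/* action argument, selected by the
					 * IP_FW_F_COMMAND bits of fw_flg */
		u_short	fu_divert_port;	/* Divert/tee port (options IPDIVERT) */
		u_short	fu_pipe_nr;	/* queue number (option DUMMYNET) */
		u_short	fu_skipto_rule;	/* SKIPTO command rule number */
		u_short	fu_reject_code;	/* REJECT response code */
		struct sockaddr_in fu_fwd_ip;
	} fw_un;
	void	*pipe_ptr;		/* flow_set ptr for dummynet pipe
					 * (kernel-only; never meaningful to
					 * user space) */
	void	*next_rule_ptr;		/* next rule in case of match
					 * (kernel-only cache) */
	uid_t	fw_uid;			/* uid to match */
	gid_t	fw_gid;			/* gid to match */
	int	fw_logamount;		/* amount to log */
	u_int64_t fw_loghighest;	/* highest number packet to log */

	long	dont_match_prob;	/* 0x7fffffff means 1.0, always fail */
	u_char	dyn_type;		/* type for dynamic rule */

#define DYN_KEEP_STATE	0	/* type for keep-state rules */
#define DYN_LIMIT	1	/* type for limit connection rules */
#define DYN_LIMIT_PARENT 2	/* parent entry for limit connection rules */

	/*
	 * The following two fields are used to limit the number of
	 * connections based on any combination of src, srcport, dst, dstport.
	 */
	u_char	limit_mask;		/* mask type for limit rule, can
					 * have many (DYN_*_ADDR/PORT bits) */
#define DYN_SRC_ADDR	0x1
#define DYN_SRC_PORT	0x2
#define DYN_DST_ADDR	0x4
#define DYN_DST_PORT	0x8

	u_short	conn_limit;		/* # of connections for limit rule */
};

#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code
#define fw_pipe_nr	fw_un.fu_pipe_nr
#define fw_fwd_ip	fw_un.fu_fwd_ip

/*
 *
 * rule_ptr -------------+
 *                       V
 *     [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
 *     [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
 *     [ <ip_fw> body ]     [ <ip_fw> body ]     [ <ip_fw> body ]
 *
 */

/*
 * Flow mask/flow id for each queue.
 */
struct ipfw_flow_id {
	u_int32_t dst_ip;
	u_int32_t src_ip;
	u_int16_t dst_port;
	u_int16_t src_port;
	u_int8_t proto;
	u_int8_t flags;			/* protocol-specific flags */
};

/*
 * dynamic ipfw rule
 */
struct ipfw_dyn_rule {
	struct ipfw_dyn_rule *next;
	struct ipfw_flow_id id;		/* (masked) flow id */
	struct ip_fw *rule;		/* pointer to rule */
	struct ipfw_dyn_rule *parent;	/* pointer to parent rule */
	u_int32_t expire;		/* expire time */
	u_int64_t pcnt;			/* packet match counters */
	u_int64_t bcnt;			/* byte match counters */
	u_int32_t bucket;		/* which bucket in hash table */
	u_int32_t state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int16_t dyn_type;		/* rule type (DYN_*) */
	u_int16_t count;		/* refcount; only 16 bits wide, so the
					 * owner must bound it (NOTE(review):
					 * confirm in ip_fw.c) */
};

/*
 * Values for the fw_flg field.
 */
#define IP_FW_F_COMMAND	0x000000ff	/* Mask for type of chain entry: */
#define IP_FW_F_DENY	0x00000000	/* This is a deny rule */
#define IP_FW_F_REJECT	0x00000001	/* Deny and send a response packet */
#define IP_FW_F_ACCEPT	0x00000002	/* This is an accept rule */
#define IP_FW_F_COUNT	0x00000003	/* This is a count rule */
#define IP_FW_F_DIVERT	0x00000004	/* This is a divert rule */
#define IP_FW_F_TEE	0x00000005	/* This is a tee rule */
#define IP_FW_F_SKIPTO	0x00000006	/* This is a skipto rule */
#define IP_FW_F_FWD	0x00000007	/* This is a "change forwarding
					 * address" rule
					 */
#define IP_FW_F_PIPE	0x00000008	/* This is a dummynet rule */
#define IP_FW_F_QUEUE	0x00000009	/* This is a dummynet queue */

#define IP_FW_F_IN	0x00000100	/* Check inbound packets */
#define IP_FW_F_OUT	0x00000200	/* Check outbound packets */
#define IP_FW_F_IIFACE	0x00000400	/* Apply inbound interface test */
#define IP_FW_F_OIFACE	0x00000800	/* Apply outbound interface test */
#define IP_FW_F_PRN	0x00001000	/* Print if this rule matches */
#define IP_FW_F_SRNG	0x00002000	/* The first two src ports are a min
					 * and max range (stored in host byte
					 * order).
					 */
#define IP_FW_F_DRNG	0x00004000	/* The first two dst ports are a min
					 * and max range (stored in host byte
					 * order).
					 */
#define IP_FW_F_FRAG	0x00008000	/* Fragment */
#define IP_FW_F_IIFNAME	0x00010000	/* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME	0x00020000	/* Out interface by name/unit (not IP)*/
#define IP_FW_F_INVSRC	0x00040000	/* Invert sense of src check */
#define IP_FW_F_INVDST	0x00080000	/* Invert sense of dst check */
#define IP_FW_F_ICMPBIT	0x00100000	/* ICMP type bitmap is valid */
#define IP_FW_F_UID	0x00200000	/* filter by uid */
#define IP_FW_F_GID	0x00400000	/* filter by gid */
#define IP_FW_F_RND_MATCH 0x00800000	/* probabilistic rule match */
#define IP_FW_F_SMSK	0x01000000	/* src-port + mask */
#define IP_FW_F_DMSK	0x02000000	/* dst-port + mask */
#define IP_FW_BRIDGED	0x04000000	/* only match bridged packets */
#define IP_FW_F_KEEP_S	0x08000000	/* keep state */
#define IP_FW_F_CHECK_S	0x10000000	/* check state */
#define IP_FW_F_SME	0x20000000	/* source = me */
#define IP_FW_F_DME	0x40000000	/* destination = me */
#define IP_FW_F_MAC	0x80000000	/* match MAC header */

#define IP_FW_F_MASK	0xFFFFFFFF	/* All possible flag bits mask */

/*
 * Flags for the fw_ipflg field, selecting which IP and transport header
 * values the rule compares.
 */
#define IP_FW_IF_TCPOPT	0x00000001	/* tcp options */
#define IP_FW_IF_TCPFLG	0x00000002	/* tcp flags */
#define IP_FW_IF_TCPSEQ	0x00000004	/* tcp sequence number */
#define IP_FW_IF_TCPACK	0x00000008	/* tcp acknowledgement number */
#define IP_FW_IF_TCPWIN	0x00000010	/* tcp window size */
#define IP_FW_IF_TCPEST	0x00000020	/* established TCP connection */
#define IP_FW_IF_TCPMSK	0x0000003f	/* mask of all tcp values */
#define IP_FW_IF_IPOPT	0x00000100	/* ip options */
#define IP_FW_IF_IPLEN	0x00000200	/* ip length */
#define IP_FW_IF_IPID	0x00000400	/* ip identification */
#define IP_FW_IF_IPTOS	0x00000800	/* ip type of service */
#define IP_FW_IF_IPTTL	0x00001000	/* ip time to live */
#define IP_FW_IF_IPVER	0x00002000	/* ip version */
#define IP_FW_IF_IPPRE	0x00004000	/* ip precedence */
#define IP_FW_IF_IPMSK	0x00007f00	/* mask of all ip values */
#define IP_FW_IF_MSK	0x0000ffff	/* All possible bits mask */

/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.  (The IF_FW_ prefix is historical
 * and kept for source compatibility.)
 */
#define IF_FW_F_VIAHACK	(IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)

/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IP_FW_REJECT_RST	0x0100	/* TCP packets: send RST */

/*
 * Definitions for IP option names.
 */
#define IP_FW_IPOPT_LSRR	0x01
#define IP_FW_IPOPT_SSRR	0x02
#define IP_FW_IPOPT_RR		0x04
#define IP_FW_IPOPT_TS		0x08

/*
 * Definitions for TCP option names.
 */
#define IP_FW_TCPOPT_MSS	0x01
#define IP_FW_TCPOPT_WINDOW	0x02
#define IP_FW_TCPOPT_SACK	0x04
#define IP_FW_TCPOPT_TS		0x08
#define IP_FW_TCPOPT_CC		0x10

/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef _KERNEL

#define IP_FW_PORT_DYNT_FLAG	0x10000
#define IP_FW_PORT_TEE_FLAG	0x20000
#define IP_FW_PORT_DENY_FLAG	0x40000

/*
 * Arguments for calling ip_fw_chk() and dummynet_io().  We put them
 * all into a structure because this way it is easier and more
 * efficient to pass variables around and extend the interface.
 */
struct ip_fw_args {
	struct mbuf	*m;		/* the mbuf chain */
	struct ifnet	*oif;		/* output interface */
	struct sockaddr_in *next_hop;	/* forward address */
	struct ip_fw	*rule;		/* matching rule */
	struct ether_header *eh;	/* for bridged packets */

	struct route	*ro;		/* for dummynet */
	struct sockaddr_in *dst;	/* for dummynet */
	int		flags;		/* for dummynet */

	struct ipfw_flow_id f_id;	/* grabbed from IP header */
	u_int16_t	divert_rule;	/* divert cookie */
	u_int32_t	retval;
};

/*
 * Function definitions.
 */
void ip_fw_init(void);

/* Firewall hooks */
struct ip;
struct sockopt;
typedef int ip_fw_chk_t (struct ip_fw_args *args);
typedef int ip_fw_ctl_t (struct sockopt *);
extern ip_fw_chk_t *ip_fw_chk_ptr;
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
extern int fw_one_pass;
extern int fw_enable;
#define IPFW_LOADED	(ip_fw_chk_ptr != NULL)
#endif /* _KERNEL */

#endif /* _IP_FW_H */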