/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 */

/*
 * Format of an IP firewall descriptor
 *
 * One struct ip_fw is one rule; rules are linked through fw_next into the
 * filtering chain (ip_fw_chain) or the accounting chain (ip_acct_chain).
 * The same struct is also the payload handed across the [gs]etsockopt
 * interface defined below, so a descriptor may originate in userland and
 * must be validated by the control path before it is linked into a chain.
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order (so a port taken from a
 * packet header must be converted with ntohs() before comparison).
 */
#ifndef _IP_FW_H
#define _IP_FW_H

struct ip_fw {
	struct ip_fw *fw_next;			/* Next firewall on chain */
	struct in_addr fw_src, fw_dst;		/* Source and destination IP addr */
	struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
	/*
	 * This union keeps all "via" information.
	 * If ever fu_via_ip is 0,or IP_FW_F_IFNAME set and
	 * fu_via_name[0] is 0 - match any packet.
	 * IP_FW_F_IFNAME in fw_flg selects which member is meaningful.
	 */
	union {
		struct in_addr fu_via_ip;
		struct {
#define FW_IFNLEN 6				/* To keep structure on 2^x boundary */
			/*
			 * Interface name without the unit number. A name of
			 * exactly FW_IFNLEN characters has no terminating NUL
			 * inside the field, so it must only ever be compared
			 * or copied with a length-bounded routine.
			 */
			char fu_via_name[FW_IFNLEN];
			short fu_via_unit;		/* Interface unit number */
		} fu_via_if;
	} fu_via_un;
	u_short fw_flg;				/* Flags word (IP_FW_F_* below) */
	u_short fw_nsp, fw_ndp;			/* N'of src ports and # of dst ports */
						/* in ports array (dst ports follow */
						/* src ports; max of 10 ports in all; */
						/* count of 0 means match all ports) */
						/* NOTE(review): fw_nsp + fw_ndp must */
						/* not exceed IP_FW_MAX_PORTS, and a */
						/* range flag (IP_FW_F_SRNG/DRNG) needs */
						/* at least 2 entries on its side; the */
						/* control path should reject a */
						/* descriptor that violates this before */
						/* fw_pts is ever indexed. */
#define IP_FW_MAX_PORTS 10			/* A reasonable maximum */
	u_short fw_pts[IP_FW_MAX_PORTS];	/* Array of port numbers to match */
	u_long fw_pcnt,fw_bcnt;			/* Packet and byte counters */
};


/*
 * Definitions to make expressions
 * for "via" stuff shorter.
 */
#define fw_via_ip fu_via_un.fu_via_ip
#define fw_via_name fu_via_un.fu_via_if.fu_via_name
#define fw_via_unit fu_via_un.fu_via_if.fu_via_unit

/*
 * Values for "flags" field .
 *
 * The low two bits are a 2-bit "kind" field, not independent flags:
 * IP_FW_F_ICMP (0x003) has the same value as the IP_FW_F_KIND mask, so
 * test the kind with (fw_flg & IP_FW_F_KIND) == IP_FW_F_xxx, never with
 * (fw_flg & IP_FW_F_TCP) alone (which is also true for an ICMP rule).
 * Bits outside IP_FW_F_MASK have no defined meaning.
 */

#define IP_FW_F_ALL 0x000 /* This is a universal packet firewall*/
#define IP_FW_F_TCP 0x001 /* This is a TCP packet firewall */
#define IP_FW_F_UDP 0x002 /* This is a UDP packet firewall */
#define IP_FW_F_ICMP 0x003 /* This is a ICMP packet firewall */
#define IP_FW_F_KIND 0x003 /* Mask to isolate firewall kind */
#define IP_FW_F_ACCEPT 0x004 /* This is an accept firewall (as *
			      * opposed to a deny firewall)*
			      * */
#define IP_FW_F_SRNG 0x008 /* The first two src ports are a min *
			    * and max range (stored in host byte *
			    * order). *
			    * */
#define IP_FW_F_DRNG 0x010 /* The first two dst ports are a min *
			    * and max range (stored in host byte *
			    * order). *
			    * (ports[0] <= port <= ports[1]) *
			    * */
#define IP_FW_F_PRN 0x020 /* In verbose mode print this firewall*/
#define IP_FW_F_BIDIR 0x040 /* For accounting-count two way */
#define IP_FW_F_TCPSYN 0x080 /* For tcp packets-check SYN only */
#define IP_FW_F_ICMPRPL 0x100 /* Send back icmp unreachable packet */
#define IP_FW_F_IFNAME 0x200 /* Use interface name/unit (not IP) */
#define IP_FW_F_MASK 0x3FF /* All possible flag bits mask */

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * IP_FW_* operate on the filtering chain, IP_ACCT_* on the accounting
 * chain; the option argument is a struct ip_fw (see ip_fw_ctl below).
 */
#define IP_FW_BASE_CTL 53

#define IP_FW_ADD (IP_FW_BASE_CTL)
#define IP_FW_DEL (IP_FW_BASE_CTL+4)
#define IP_FW_FLUSH (IP_FW_BASE_CTL+6)
#define IP_FW_POLICY (IP_FW_BASE_CTL+7)

#define IP_ACCT_ADD (IP_FW_BASE_CTL+10)
#define IP_ACCT_DEL (IP_FW_BASE_CTL+11)
#define IP_ACCT_FLUSH (IP_FW_BASE_CTL+12)
#define IP_ACCT_ZERO (IP_FW_BASE_CTL+13)
#define IP_ACCT_CLR (IP_FW_BASE_CTL+14)

/*
 * Policy flags... (values of ip_fw_policy: what happens to a packet
 * that matches no rule in the chain).
 */
#define IP_FW_P_DENY 0x01	/* Drop unmatched packets */
#define IP_FW_P_ICMP 0x02	/* Send an ICMP reply for unmatched packets */
#define IP_FW_P_MASK 0x03	/* All defined policy bits */


/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef KERNEL

/*
 * Variables/chain.
 */
extern struct ip_fw *ip_fw_chain;	/* Head of the filtering rule chain */
extern u_short ip_fw_policy;		/* IP_FW_P_* default for unmatched packets */

extern struct ip_fw *ip_acct_chain;	/* Head of the accounting rule chain */

/*
 * Function pointers.
 * Indirection so the firewall/accounting code can be absent or replaced;
 * presumably NULL when the corresponding code is not compiled in - callers
 * should check before dereferencing (verify against the IP input path).
 */
extern int (*ip_fw_chk_ptr)(struct ip *,struct ifnet *,struct ip_fw *);
extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);

extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
extern int (*ip_acct_ctl_ptr)(int,struct mbuf *);

/*
 * Function definitions.
 *
 * ip_fw_chk: match a packet (header, arrival interface) against a chain.
 * ip_fw_ctl: handle one IP_FW_* setsockopt request carried in an mbuf.
 *            This is the trust boundary for userland-supplied descriptors:
 *            it is where fw_flg (against IP_FW_F_MASK) and the port
 *            counts (against IP_FW_MAX_PORTS) should be validated.
 * ip_acct_cnt / ip_acct_ctl: the accounting-chain equivalents.
 */
int ip_fw_chk(struct ip *,struct ifnet *,struct ip_fw *);
int ip_fw_ctl(int,struct mbuf *);

void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
int ip_acct_ctl(int,struct mbuf *);

#endif /* KERNEL */

#endif /* _IP_FW_H */