1/*
2 * Copyright (C) 2012 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_fil.h 1.35 6/5/96
7 * Id: ip_fil.h,v 2.170.2.51 2007/10/10 09:48:03 darrenr Exp $
8 */
9
10#ifndef __IP_FIL_H__
11#define __IP_FIL_H__
12
13#include <netinet/in.h>
14
15#include "netinet/ip_compat.h"
16#include "netinet/ipf_rb.h"
17#if NETBSD_GE_REV(104040000)
18# include <sys/callout.h>
19#endif
20#if defined(BSD) && defined(_KERNEL)
21# include <sys/selinfo.h>
22#endif
23
24#ifndef SOLARIS
25# if defined(sun) && defined(__SVR4)
26# define SOLARIS 1
27# else
28# define SOLARIS 0
29# endif
30#endif
31
32#ifndef __P
33# define __P(x) x
34#endif
35
36#define SIOCADAFR _IOW('r', 60, struct ipfobj)
37#define SIOCRMAFR _IOW('r', 61, struct ipfobj)
38#define SIOCSETFF _IOW('r', 62, u_int)
39#define SIOCGETFF _IOR('r', 63, u_int)
40#define SIOCGETFS _IOWR('r', 64, struct ipfobj)
41#define SIOCIPFFL _IOWR('r', 65, int)
42#define SIOCIPFFB _IOR('r', 66, int)
43#define SIOCADIFR _IOW('r', 67, struct ipfobj)
44#define SIOCRMIFR _IOW('r', 68, struct ipfobj)
45#define SIOCSWAPA _IOR('r', 69, u_int)
46#define SIOCINAFR _IOW('r', 70, struct ipfobj)
47#define SIOCINIFR _IOW('r', 71, struct ipfobj)
48#define SIOCFRENB _IOW('r', 72, u_int)
49#define SIOCFRSYN _IOW('r', 73, u_int)
50#define SIOCFRZST _IOWR('r', 74, struct ipfobj)
51#define SIOCZRLST _IOWR('r', 75, struct ipfobj)
52#define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
53#define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
54#define SIOCSTAT1 _IOWR('r', 78, struct ipfobj)
55#define SIOCSTLCK _IOWR('r', 79, u_int)
56#define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
57#define SIOCSTGET _IOWR('r', 81, struct ipfobj)
58#define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
59#define SIOCSTAT2 _IOWR('r', 83, struct ipfobj)
60#define SIOCSETLG _IOWR('r', 84, int)
61#define SIOCGETLG _IOWR('r', 85, int)
62#define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
63#define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
64#define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
65#define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
66#define SIOCIPFL6 _IOWR('r', 90, int)
67#define SIOCIPFITER _IOWR('r', 91, struct ipfobj)
68#define SIOCGENITER _IOWR('r', 92, struct ipfobj)
69#define SIOCGTABL _IOWR('r', 93, struct ipfobj)
70#define SIOCIPFDELTOK _IOWR('r', 94, int)
71#define SIOCLOOKUPITER _IOWR('r', 95, struct ipfobj)
72#define SIOCGTQTAB _IOWR('r', 96, struct ipfobj)
73#define SIOCMATCHFLUSH _IOWR('r', 97, struct ipfobj)
74#define SIOCIPFINTERROR _IOR('r', 98, int)
75#define SIOCADDFR SIOCADAFR
76#define SIOCDELFR SIOCRMAFR
77#define SIOCINSFR SIOCINAFR
78#define SIOCATHST SIOCSTAT1
79#define SIOCGFRST SIOCSTAT2
80
81
82struct ipscan;
83struct ifnet;
84struct ipf_main_softc_s;
85
86typedef int (* lookupfunc_t)(struct ipf_main_softc_s *, void *,
87 int, void *, u_int);
88
89/*
90 * i6addr is used as a container for both IPv4 and IPv6 addresses, as well
91 * as other types of objects, depending on its qualifier.
92 */
93typedef union i6addr {
94 u_32_t i6[4];
95 struct in_addr in4;
96#ifdef USE_INET6
97 struct in6_addr in6;
98#endif
99 void *vptr[2];
100 lookupfunc_t lptr[2];
101 struct {
102 u_short type;
103 u_short subtype;
104 int name;
105 } i6un;
106} i6addr_t;
107
108#define in4_addr in4.s_addr
109#define iplookupnum i6[1]
110#define iplookupname i6un.name
111#define iplookuptype i6un.type
112#define iplookupsubtype i6un.subtype
113/*
114 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
115 */
116#define iplookupptr vptr[0]
117#define iplookupfunc lptr[1]
118
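/*
 * Word accessors for a 16 byte IPv6 address stored as four 32 bit words in
 * network byte order.  I6n(x) reads word n as stored; HI6n(x) returns it
 * converted to host order.  x is any pointer to the 16 address bytes
 * (i6addr_t, struct in6_addr or u_32_t[4]); word 0 holds the first bytes
 * on the wire.
 */
#define	I60(x)		(((u_32_t *)(x))[0])
#define	I61(x)		(((u_32_t *)(x))[1])
#define	I62(x)		(((u_32_t *)(x))[2])
#define	I63(x)		(((u_32_t *)(x))[3])
#define	HI60(x)		ntohl(((u_32_t *)(x))[0])
#define	HI61(x)		ntohl(((u_32_t *)(x))[1])
#define	HI62(x)		ntohl(((u_32_t *)(x))[2])
#define	HI63(x)		ntohl(((u_32_t *)(x))[3])

/*
 * Equality, all-zero and all-ones tests do not depend on byte order, so they
 * work on the stored words directly.
 */
#define	IP6_EQ(a,b)	((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
			 (I61(a) == I61(b)) && (I60(a) == I60(b)))
#define	IP6_NEQ(a,b)	((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
			 (I61(a) != I61(b)) || (I60(a) != I60(b)))
#define	IP6_ISZERO(a)	((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
#define	IP6_NOTZERO(a)	((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
#define	IP6_ISONES(a)	((I63(a) == 0xffffffff) && (I62(a) == 0xffffffff) && \
			 (I61(a) == 0xffffffff) && (I60(a) == 0xffffffff))

/*
 * Ordering: a and b are compared as 128 bit unsigned integers, word 0 being
 * the most significant.  Each word has to be compared in host order, which
 * HI6n() already provides; no further ntohl() is applied to its result.
 * Wrapping HI6n() in a second ntohl() (as earlier versions of these macros
 * did) undoes the first conversion on little-endian hosts, so the raw
 * network-order words were compared and address ranges were ordered
 * incorrectly on such hosts.
 */
#define	IP6_GT(a,b)	(HI60(a) > HI60(b) || \
			 (HI60(a) == HI60(b) && \
			  (HI61(a) > HI61(b) || \
			   (HI61(a) == HI61(b) && \
			    (HI62(a) > HI62(b) || \
			     (HI62(a) == HI62(b) && \
			      HI63(a) > HI63(b)))))))
#define	IP6_LT(a,b)	(HI60(a) < HI60(b) || \
			 (HI60(a) == HI60(b) && \
			  (HI61(a) < HI61(b) || \
			   (HI61(a) == HI61(b) && \
			    (HI62(a) < HI62(b) || \
			     (HI62(a) == HI62(b) && \
			      HI63(a) < HI63(b)))))))

/*
 * Add host-order value x to network-order word n; the result is in network
 * order.  Only the low 32 bits are kept (the addition wraps).
 */
#define	NLADD(n,x)	htonl(ntohl(n) + (x))

/*
 * Increment the address at a in place.  Word 3 is treated as the least
 * significant word and carries propagate toward word 0; an all-ones address
 * wraps to zero.
 */
#define	IP6_INC(a)	\
	do { u_32_t *_i6 = (u_32_t *)(a); \
	     _i6[3] = NLADD(_i6[3], 1); \
	     if (_i6[3] == 0) { \
		_i6[2] = NLADD(_i6[2], 1); \
		if (_i6[2] == 0) { \
			_i6[1] = NLADD(_i6[1], 1); \
			if (_i6[1] == 0) { \
				_i6[0] = NLADD(_i6[0], 1); \
			} \
		} \
	     } \
	} while (0)

/*
 * Store a + x in d, where x is a host-order 32 bit value.  x is added to
 * word 0 and carries are propagated into words 1, 2 and 3, i.e. the carry
 * runs in the opposite direction to IP6_INC; that word order is kept as the
 * original macro had it.
 * NOTE(review): IP6_INC and IP6_ADD disagree on which word is least
 * significant; which one the callers rely on cannot be seen from this
 * header - confirm against the users of IP6_ADD.
 *
 * The source words are read into locals before anything is written, so the
 * result is correct whether a and d are different objects (previously
 * words 1-3 of d were never set from a) or the same object (previously the
 * carry test compared the freshly written word with itself and so never
 * carried).
 */
#define	IP6_ADD(a,x,d)	\
	do { i6addr_t *_s = (i6addr_t *)(a); \
	     i6addr_t *_d = (i6addr_t *)(d); \
	     u_32_t _w0 = ntohl(_s->i6[0]); \
	     u_32_t _w1 = ntohl(_s->i6[1]); \
	     u_32_t _w2 = ntohl(_s->i6[2]); \
	     u_32_t _w3 = ntohl(_s->i6[3]); \
	     u_32_t _sum = _w0 + (x); \
	     u_32_t _c = (_sum < _w0); \
	     _w1 += _c; \
	     _c = (_w1 < _c); \
	     _w2 += _c; \
	     _c = (_w2 < _c); \
	     _w3 += _c; \
	     _d->i6[0] = htonl(_sum); \
	     _d->i6[1] = htonl(_w1); \
	     _d->i6[2] = htonl(_w2); \
	     _d->i6[3] = htonl(_w3); \
	} while (0)

/* d = a & b, word by word; any of the three may alias. */
#define	IP6_AND(a,b,d)	do { i6addr_t *_s1 = (i6addr_t *)(a); \
			     i6addr_t *_s2 = (i6addr_t *)(b); \
			     i6addr_t *_d = (i6addr_t *)(d); \
			     _d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
			     _d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
			     _d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
			     _d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
			} while (0)

/* a &= m, word by word. */
#define	IP6_ANDASSIGN(a,m) \
	do { i6addr_t *_d = (i6addr_t *)(a); \
	     i6addr_t *_m = (i6addr_t *)(m); \
	     _d->i6[0] &= _m->i6[0]; \
	     _d->i6[1] &= _m->i6[1]; \
	     _d->i6[2] &= _m->i6[2]; \
	     _d->i6[3] &= _m->i6[3]; \
	} while (0)

/* Masked comparison: (a & m) == b, respectively != b. */
#define	IP6_MASKEQ(a,m,b) \
	(((I60(a) & I60(m)) == I60(b)) && \
	 ((I61(a) & I61(m)) == I61(b)) && \
	 ((I62(a) & I62(m)) == I62(b)) && \
	 ((I63(a) & I63(m)) == I63(b)))
#define	IP6_MASKNEQ(a,m,b) \
	(((I60(a) & I60(m)) != I60(b)) || \
	 ((I61(a) & I61(m)) != I61(b)) || \
	 ((I62(a) & I62(m)) != I62(b)) || \
	 ((I63(a) & I63(m)) != I63(b)))

/* a |= b & ~c: merge into a the bits of b that c does not cover. */
#define	IP6_MERGE(a,b,c) \
	do { i6addr_t *_d, *_s1, *_s2; \
	     _d = (i6addr_t *)(a); \
	     _s1 = (i6addr_t *)(b); \
	     _s2 = (i6addr_t *)(c); \
	     _d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
	     _d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
	     _d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
	     _d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
	} while (0)

/* a = b & ~c. */
#define	IP6_MASK(a,b,c) \
	do { i6addr_t *_d, *_s1, *_s2; \
	     _d = (i6addr_t *)(a); \
	     _s1 = (i6addr_t *)(b); \
	     _s2 = (i6addr_t *)(c); \
	     _d->i6[0] = _s1->i6[0] & ~_s2->i6[0]; \
	     _d->i6[1] = _s1->i6[1] & ~_s2->i6[1]; \
	     _d->i6[2] = _s1->i6[2] & ~_s2->i6[2]; \
	     _d->i6[3] = _s1->i6[3] & ~_s2->i6[3]; \
	} while (0)

/* Set every bit of the address at a (the all-ones mask). */
#define	IP6_SETONES(a) \
	do { i6addr_t *_d = (i6addr_t *)(a); \
	     _d->i6[0] = 0xffffffff; \
	     _d->i6[1] = 0xffffffff; \
	     _d->i6[2] = 0xffffffff; \
	     _d->i6[3] = 0xffffffff; \
	} while (0)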
231
232typedef union ipso_u {
233 u_short ipso_ripso[2];
234 u_32_t ipso_doi;
235} ipso_t;
236
237typedef struct fr_ip {
238 u_32_t fi_v:4; /* IP version */
239 u_32_t fi_xx:4; /* spare */
240 u_32_t fi_tos:8; /* IP packet TOS */
241 u_32_t fi_ttl:8; /* IP packet TTL */
242 u_32_t fi_p:8; /* IP packet protocol */
243 u_32_t fi_optmsk; /* bitmask composed from IP options */
244 i6addr_t fi_src; /* source address from packet */
245 i6addr_t fi_dst; /* destination address from packet */
246 ipso_t fi_ipso; /* IP security options */
247 u_32_t fi_flx; /* packet flags */
248 u_32_t fi_tcpmsk; /* TCP options set/reset */
249 u_32_t fi_ports[2]; /* TCP ports */
250 u_char fi_tcpf; /* TCP flags */
251 u_char fi_sensitivity;
252 u_char fi_xxx[2]; /* pad */
253} fr_ip_t;
254
255/*
256 * For use in fi_flx
257 */
258#define FI_TCPUDP 0x0001 /* TCP/UCP implied comparison*/
259#define FI_OPTIONS 0x0002
260#define FI_FRAG 0x0004
261#define FI_SHORT 0x0008
262#define FI_NATED 0x0010
263#define FI_MULTICAST 0x0020
264#define FI_BROADCAST 0x0040
265#define FI_MBCAST 0x0080
266#define FI_STATE 0x0100
267#define FI_BADNAT 0x0200
268#define FI_BAD 0x0400
269#define FI_OOW 0x0800 /* Out of state window, else match */
270#define FI_ICMPERR 0x1000
271#define FI_FRAGBODY 0x2000
272#define FI_BADSRC 0x4000
273#define FI_LOWTTL 0x8000
274#define FI_CMP 0x5cfe3 /* Not FI_FRAG,FI_NATED,FI_FRAGTAIL */
275#define FI_ICMPCMP 0x0003 /* Flags we can check for ICMP error packets */
276#define FI_WITH 0x5effe /* Not FI_TCPUDP */
277#define FI_V6EXTHDR 0x10000
278#define FI_COALESCE 0x20000
279#define FI_NEWNAT 0x40000
280#define FI_ICMPQUERY 0x80000
281#define FI_ENCAP 0x100000 /* encap/decap with NAT */
282#define FI_AH 0x200000 /* AH header present */
283#define FI_DOCKSUM 0x10000000 /* Proxy wants L4 recalculation */
284#define FI_NOCKSUM 0x20000000 /* don't do a L4 checksum validation */
285#define FI_NOWILD 0x40000000 /* Do not do wildcard searches */
286#define FI_IGNORE 0x80000000
287
288#define fi_secmsk fi_ipso.ipso_ripso[0]
289#define fi_auth fi_ipso.ipso_ripso[1]
290#define fi_doi fi_ipso.ipso_doi
291#define fi_saddr fi_src.in4.s_addr
292#define fi_daddr fi_dst.in4.s_addr
293#define fi_srcnum fi_src.iplookupnum
294#define fi_dstnum fi_dst.iplookupnum
295#define fi_srcname fi_src.iplookupname
296#define fi_dstname fi_dst.iplookupname
297#define fi_srctype fi_src.iplookuptype
298#define fi_dsttype fi_dst.iplookuptype
299#define fi_srcsubtype fi_src.iplookupsubtype
300#define fi_dstsubtype fi_dst.iplookupsubtype
301#define fi_srcptr fi_src.iplookupptr
302#define fi_dstptr fi_dst.iplookupptr
303#define fi_srcfunc fi_src.iplookupfunc
304#define fi_dstfunc fi_dst.iplookupfunc
305
306
307/*
308 * These are both used by the state and NAT code to indicate that one port or
309 * the other should be treated as a wildcard.
310 * NOTE: When updating, check bit masks in ip_state.h and update there too.
311 */
312#define SI_W_SPORT 0x00000100
313#define SI_W_DPORT 0x00000200
314#define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
315#define SI_W_SADDR 0x00000400
316#define SI_W_DADDR 0x00000800
317#define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
318#define SI_NEWFR 0x00001000
319#define SI_CLONE 0x00002000
320#define SI_CLONED 0x00004000
321#define SI_NEWCLONE 0x00008000
322
323typedef struct {
324 u_short fda_ports[2];
325 u_char fda_tcpf; /* TCP header flags (SYN, ACK, etc) */
326} frdat_t;
327
328typedef enum fr_breasons_e {
329 FRB_BLOCKED = 0,
330 FRB_LOGFAIL = 1,
331 FRB_PPSRATE = 2,
332 FRB_JUMBO = 3,
333 FRB_MAKEFRIP = 4,
334 FRB_STATEADD = 5,
335 FRB_UPDATEIPID = 6,
336 FRB_LOGFAIL2 = 7,
337 FRB_DECAPFRIP = 8,
338 FRB_AUTHNEW = 9,
339 FRB_AUTHCAPTURE = 10,
340 FRB_COALESCE = 11,
341 FRB_PULLUP = 12,
342 FRB_AUTHFEEDBACK = 13,
343 FRB_BADFRAG = 14,
344 FRB_NATV4 = 15,
345 FRB_NATV6 = 16,
346} fr_breason_t;
347
348#define FRB_MAX_VALUE 16
349
350typedef enum ipf_cksum_e {
351 FI_CK_BAD = -1,
352 FI_CK_NEEDED = 0,
353 FI_CK_SUMOK = 1,
354 FI_CK_L4PART = 2,
355 FI_CK_L4FULL = 4
356} ipf_cksum_t;
357
358typedef struct fr_info {
359 void *fin_main_soft;
360#ifdef __FreeBSD__
361 struct ifnet *fin_ifp; /* interface packet is `on' */
362#else
363 void *fin_ifp; /* interface packet is `on' */
364#endif
365 struct frentry *fin_fr; /* last matching rule */
366 int fin_out; /* in or out ? 1 == out, 0 == in */
367 fr_ip_t fin_fi; /* IP Packet summary */
368 frdat_t fin_dat; /* TCP/UDP ports, ICMP code/type */
369 int fin_dlen; /* length of data portion of packet */
370 int fin_plen;
371 u_32_t fin_rule; /* rule # last matched */
372 u_short fin_hlen; /* length of IP header in bytes */
373 char fin_group[FR_GROUPLEN]; /* group number, -1 for none */
374 void *fin_dp; /* start of data past IP header */
375 /*
376 * Fields after fin_dp aren't used for compression of log records.
377 * fin_fi contains the IP version (fin_family)
378 * fin_rule isn't included because adding a new rule can change it but
379 * not change fin_fr. fin_rule is the rule number reported.
380 * It isn't necessary to include fin_crc because that is checked
381 * for explicitly, before calling bcmp.
382 */
383 u_32_t fin_crc; /* Simple calculation for logging */
384 int fin_family; /* AF_INET, etc. */
385 int fin_icode; /* ICMP error to return */
386 int fin_mtu; /* MTU input for ICMP need-frag */
387 int fin_rev; /* state only: 1 = reverse */
388 int fin_ipoff; /* # bytes from buffer start to hdr */
389 u_32_t fin_id; /* IP packet id field */
390 u_short fin_l4hlen; /* length of L4 header, if known */
391 u_short fin_off;
392 int fin_depth; /* Group nesting depth */
393 int fin_error; /* Error code to return */
394 ipf_cksum_t fin_cksum; /* -1 = bad, 1 = good, 0 = not done */
395 fr_breason_t fin_reason; /* why auto blocked */
396 u_int fin_pktnum;
397 void *fin_nattag;
398 struct frdest *fin_dif;
399 struct frdest *fin_tif;
400 union {
401 ip_t *fip_ip;
402#ifdef USE_INET6
403 ip6_t *fip_ip6;
404#endif
405 } fin_ipu;
406 mb_t **fin_mp; /* pointer to pointer to mbuf */
407 mb_t *fin_m; /* pointer to mbuf */
408#if SOLARIS
409 mb_t *fin_qfm; /* pointer to mblk where pkt starts */
410 void *fin_qpi;
411 char fin_ifname[LIFNAMSIZ];
412#endif
413 void *fin_fraghdr; /* pointer to start of ipv6 frag hdr */
414} fr_info_t;
415
416#define fin_ip fin_ipu.fip_ip
417#define fin_ip6 fin_ipu.fip_ip6
418#define fin_v fin_fi.fi_v
419#define fin_p fin_fi.fi_p
420#define fin_flx fin_fi.fi_flx
421#define fin_optmsk fin_fi.fi_optmsk
422#define fin_secmsk fin_fi.fi_secmsk
423#define fin_doi fin_fi.fi_doi
424#define fin_auth fin_fi.fi_auth
425#define fin_src fin_fi.fi_src.in4
426#define fin_saddr fin_fi.fi_saddr
427#define fin_dst fin_fi.fi_dst.in4
428#define fin_daddr fin_fi.fi_daddr
429#define fin_data fin_fi.fi_ports
430#define fin_sport fin_fi.fi_ports[0]
431#define fin_dport fin_fi.fi_ports[1]
432#define fin_tcpf fin_fi.fi_tcpf
433#define fin_src6 fin_fi.fi_src
434#define fin_dst6 fin_fi.fi_dst
435#define fin_srcip6 fin_fi.fi_src.in6
436#define fin_dstip6 fin_fi.fi_dst.in6
437
438#define IPF_IN 0
439#define IPF_OUT 1
440
441typedef struct frentry *(*ipfunc_t)(fr_info_t *, u_32_t *);
442typedef int (*ipfuncinit_t)(struct ipf_main_softc_s *, struct frentry *);
443
444typedef struct ipfunc_resolve {
445 char ipfu_name[32];
446 ipfunc_t ipfu_addr;
447 ipfuncinit_t ipfu_init;
448 ipfuncinit_t ipfu_fini;
449} ipfunc_resolve_t;
450
451/*
452 * Size for compares on fr_info structures
453 */
454#define FI_CSIZE offsetof(fr_info_t, fin_icode)
455#define FI_LCSIZE offsetof(fr_info_t, fin_dp)
456
457/*
458 * Size for copying cache fr_info structure
459 */
460#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
461
462/*
463 * Structure for holding IPFilter's tag information
464 */
465#define IPFTAG_LEN 16
466typedef struct {
467 union {
468 u_32_t iptu_num[4];
469 char iptu_tag[IPFTAG_LEN];
470 } ipt_un;
471 int ipt_not;
472} ipftag_t;
473
474#define ipt_tag ipt_un.iptu_tag
475#define ipt_num ipt_un.iptu_num
476
477/*
478 * Structure to define address for pool lookups.
479 */
480typedef struct {
481 u_char adf_len;
482 sa_family_t adf_family;
483 u_char adf_xxx[2];
484 i6addr_t adf_addr;
485} addrfamily_t;
486
487
488RBI_LINK(ipf_rb, host_node_s);
489
490typedef struct host_node_s {
491 RBI_FIELD(ipf_rb) hn_entry;
492 addrfamily_t hn_addr;
493 int hn_active;
494} host_node_t;
495
496typedef RBI_HEAD(ipf_rb, host_node_s) ipf_rb_head_t;
497
498typedef struct host_track_s {
499 ipf_rb_head_t ht_root;
500 int ht_max_nodes;
501 int ht_max_per_node;
502 int ht_netmask;
503 int ht_cur_nodes;
504} host_track_t;
505
506
507typedef enum fr_dtypes_e {
508 FRD_NORMAL = 0,
509 FRD_DSTLIST
510} fr_dtypes_t;
511/*
512 * This structure is used to hold information about the next hop for where
513 * to forward a packet.
514 */
515typedef struct frdest {
516 void *fd_ptr;
517 addrfamily_t fd_addr;
518 fr_dtypes_t fd_type;
519 int fd_name;
520} frdest_t;
521
522#define fd_ip6 fd_addr.adf_addr
523#define fd_ip fd_ip6.in4
524
525
526typedef enum fr_ctypes_e {
527 FR_NONE = 0,
528 FR_EQUAL,
529 FR_NEQUAL,
530 FR_LESST,
531 FR_GREATERT,
532 FR_LESSTE,
533 FR_GREATERTE,
534 FR_OUTRANGE,
535 FR_INRANGE,
536 FR_INCRANGE
537} fr_ctypes_t;
538
539/*
540 * This structure holds information about a port comparison.
541 */
542typedef struct frpcmp {
543 fr_ctypes_t frp_cmp; /* data for port comparisons */
544 u_32_t frp_port; /* low port for <> and >< */
545 u_32_t frp_top; /* high port for <> and >< */
546} frpcmp_t;
547
548
549/*
550 * Structure containing all the relevant TCP/UDP things that can be checked in
551 * a filter rule.
552 */
553typedef struct frtuc {
554 u_char ftu_tcpfm; /* tcp flags mask */
555 u_char ftu_tcpf; /* tcp flags */
556 frpcmp_t ftu_src; /* source port */
557 frpcmp_t ftu_dst; /* destination port */
558} frtuc_t;
559
560#define ftu_scmp ftu_src.frp_cmp
561#define ftu_dcmp ftu_dst.frp_cmp
562#define ftu_sport ftu_src.frp_port
563#define ftu_dport ftu_dst.frp_port
564#define ftu_stop ftu_src.frp_top
565#define ftu_dtop ftu_dst.frp_top
566
567#define FR_TCPFMAX 0x3f
568
569typedef enum fr_atypes_e {
570 FRI_NONE = -1, /* For LHS of NAT */
571 FRI_NORMAL = 0, /* Normal address */
572 FRI_DYNAMIC, /* dynamic address */
573 FRI_LOOKUP, /* address is a pool # */
574 FRI_RANGE, /* address/mask is a range */
575 FRI_NETWORK, /* network address from if */
576 FRI_BROADCAST, /* broadcast address from if */
577 FRI_PEERADDR, /* Peer address for P-to-P */
578 FRI_NETMASKED, /* network address with netmask from if */
579 FRI_SPLIT, /* For NAT compatibility */
580 FRI_INTERFACE /* address is based on interface name */
581} fr_atypes_t;
582
583/*
584 * This structure makes up what is considered to be the IPFilter specific
585 * matching components of a filter rule, as opposed to the data structures
586 * used to define the result which are in frentry_t and not here.
587 */
588typedef struct fripf {
589 fr_ip_t fri_ip;
590 fr_ip_t fri_mip; /* mask structure */
591
592 u_short fri_icmpm; /* data for ICMP packets (mask) */
593 u_short fri_icmp;
594
595 frtuc_t fri_tuc;
596 fr_atypes_t fri_satype; /* address type */
597 fr_atypes_t fri_datype; /* address type */
598 int fri_sifpidx; /* doing dynamic addressing */
599 int fri_difpidx; /* index into fr_ifps[] to use when */
600} fripf_t;
601
602#define fri_dlookup fri_mip.fi_dst
603#define fri_slookup fri_mip.fi_src
604#define fri_dstnum fri_mip.fi_dstnum
605#define fri_srcnum fri_mip.fi_srcnum
606#define fri_dstname fri_mip.fi_dstname
607#define fri_srcname fri_mip.fi_srcname
608#define fri_dstptr fri_mip.fi_dstptr
609#define fri_srcptr fri_mip.fi_srcptr
610
611
612typedef enum fr_rtypes_e {
613 FR_T_NONE = 0,
614 FR_T_IPF, /* IPF structures */
615 FR_T_BPFOPC, /* BPF opcode */
616 FR_T_CALLFUNC, /* callout to function in fr_func only */
617 FR_T_COMPIPF, /* compiled C code */
618 FR_T_IPFEXPR, /* IPF expression */
619 FR_T_BUILTIN = 0x40000000, /* rule is in kernel space */
620 FR_T_IPF_BUILTIN,
621 FR_T_BPFOPC_BUILTIN,
622 FR_T_CALLFUNC_BUILTIN,
623 FR_T_COMPIPF_BUILTIN,
624 FR_T_IPFEXPR_BUILTIN
625} fr_rtypes_t;
626
627typedef struct frentry * (* frentfunc_t)(fr_info_t *);
628
629typedef struct frentry {
630 ipfmutex_t fr_lock;
631 struct frentry *fr_next;
632 struct frentry **fr_pnext;
633 struct frgroup *fr_grp;
634 struct frgroup *fr_grphead;
635 struct frgroup *fr_icmpgrp;
636 struct ipscan *fr_isc;
637 struct frentry *fr_dnext; /* 2 fr_die linked list pointers */
638 struct frentry **fr_pdnext;
639 void *fr_ifas[4];
640 void *fr_ptr; /* for use with fr_arg */
641 int fr_comment; /* text comment for rule */
642 int fr_size; /* size of this structure */
643 int fr_ref; /* reference count */
644 int fr_statecnt; /* state count - for limit rules */
645 u_32_t fr_die; /* only used on loading the rule */
646 u_int fr_cksum; /* checksum on filter rules for performance */
647 /*
648 * The line number from a file is here because we need to be able to
649 * match the rule generated with ``grep rule ipf.conf | ipf -rf -''
650 * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be
651 * on the other side of fr_func.
652 */
653 int fr_flineno; /* line number from conf file */
654 /*
655 * These are only incremented when a packet matches this rule and
656 * it is the last match
657 */
658 U_QUAD_T fr_hits;
659 U_QUAD_T fr_bytes;
660
661 /*
662 * For PPS rate limiting
663 * fr_lpu is used to always have the same size for this field,
664 * allocating 64bits for seconds and 32bits for milliseconds.
665 */
666 union {
667 struct timeval frp_lastpkt;
668 char frp_bytes[12];
669 } fr_lpu;
670 int fr_curpps;
671
672 union {
673 void *fru_data;
674 char *fru_caddr;
675 fripf_t *fru_ipf;
676 frentfunc_t fru_func;
677 } fr_dun;
678
679 /*
680 * Fields after this may not change whilst in the kernel.
681 */
682 ipfunc_t fr_func; /* call this function */
683 int fr_dsize;
684 int fr_pps;
685 fr_rtypes_t fr_type;
686 u_32_t fr_flags; /* per-rule flags && options (see below) */
687 u_32_t fr_logtag; /* user defined log tag # */
688 u_32_t fr_collect; /* collection number */
689 u_int fr_arg; /* misc. numeric arg for rule */
690 u_int fr_loglevel; /* syslog log facility + priority */
691 u_char fr_family;
692 u_char fr_icode; /* return ICMP code */
693 int fr_group; /* group to which this rule belongs */
694 int fr_grhead; /* group # which this rule starts */
695 int fr_isctag;
696 int fr_rpc; /* XID Filtering */
697 ipftag_t fr_nattag;
698 /*
699 * These are all options related to stateful filtering
700 */
701 host_track_t fr_srctrack;
702 int fr_nostatelog;
703 int fr_statemax; /* max reference count */
704 int fr_icmphead; /* ICMP group for state options */
705 u_int fr_age[2]; /* non-TCP state timeouts */
706 /*
707 * These are compared separately.
708 */
709 int fr_ifnames[4];
710 frdest_t fr_tifs[2]; /* "to"/"reply-to" interface */
711 frdest_t fr_dif; /* duplicate packet interface */
712 /*
713 * How big is the name buffer at the end?
714 */
715 int fr_namelen;
716 char fr_names[1];
717} frentry_t;
718
719#define fr_lastpkt fr_lpu.frp_lastpkt
720#define fr_caddr fr_dun.fru_caddr
721#define fr_data fr_dun.fru_data
722#define fr_dfunc fr_dun.fru_func
723#define fr_ipf fr_dun.fru_ipf
724#define fr_ip fr_ipf->fri_ip
725#define fr_mip fr_ipf->fri_mip
726#define fr_icmpm fr_ipf->fri_icmpm
727#define fr_icmp fr_ipf->fri_icmp
728#define fr_tuc fr_ipf->fri_tuc
729#define fr_satype fr_ipf->fri_satype
730#define fr_datype fr_ipf->fri_datype
731#define fr_sifpidx fr_ipf->fri_sifpidx
732#define fr_difpidx fr_ipf->fri_difpidx
733#define fr_proto fr_ip.fi_p
734#define fr_mproto fr_mip.fi_p
735#define fr_ttl fr_ip.fi_ttl
736#define fr_mttl fr_mip.fi_ttl
737#define fr_tos fr_ip.fi_tos
738#define fr_mtos fr_mip.fi_tos
739#define fr_tcpfm fr_tuc.ftu_tcpfm
740#define fr_tcpf fr_tuc.ftu_tcpf
741#define fr_scmp fr_tuc.ftu_scmp
742#define fr_dcmp fr_tuc.ftu_dcmp
743#define fr_dport fr_tuc.ftu_dport
744#define fr_sport fr_tuc.ftu_sport
745#define fr_stop fr_tuc.ftu_stop
746#define fr_dtop fr_tuc.ftu_dtop
747#define fr_dst fr_ip.fi_dst.in4
748#define fr_dst6 fr_ip.fi_dst
749#define fr_daddr fr_ip.fi_dst.in4.s_addr
750#define fr_src fr_ip.fi_src.in4
751#define fr_src6 fr_ip.fi_src
752#define fr_saddr fr_ip.fi_src.in4.s_addr
753#define fr_dmsk fr_mip.fi_dst.in4
754#define fr_dmsk6 fr_mip.fi_dst
755#define fr_dmask fr_mip.fi_dst.in4.s_addr
756#define fr_smsk fr_mip.fi_src.in4
757#define fr_smsk6 fr_mip.fi_src
758#define fr_smask fr_mip.fi_src.in4.s_addr
759#define fr_dstnum fr_ip.fi_dstnum
760#define fr_srcnum fr_ip.fi_srcnum
761#define fr_dlookup fr_ip.fi_dst
762#define fr_slookup fr_ip.fi_src
763#define fr_dstname fr_ip.fi_dstname
764#define fr_srcname fr_ip.fi_srcname
765#define fr_dsttype fr_ip.fi_dsttype
766#define fr_srctype fr_ip.fi_srctype
767#define fr_dstsubtype fr_ip.fi_dstsubtype
768#define fr_srcsubtype fr_ip.fi_srcsubtype
769#define fr_dstptr fr_mip.fi_dstptr
770#define fr_srcptr fr_mip.fi_srcptr
771#define fr_dstfunc fr_mip.fi_dstfunc
772#define fr_srcfunc fr_mip.fi_srcfunc
773#define fr_optbits fr_ip.fi_optmsk
774#define fr_optmask fr_mip.fi_optmsk
775#define fr_secbits fr_ip.fi_secmsk
776#define fr_secmask fr_mip.fi_secmsk
777#define fr_authbits fr_ip.fi_auth
778#define fr_authmask fr_mip.fi_auth
779#define fr_doi fr_ip.fi_doi
780#define fr_doimask fr_mip.fi_doi
781#define fr_flx fr_ip.fi_flx
782#define fr_mflx fr_mip.fi_flx
783#define fr_ifa fr_ifas[0]
784#define fr_oifa fr_ifas[2]
785#define fr_tif fr_tifs[0]
786#define fr_rif fr_tifs[1]
787
788#define FR_NOLOGTAG 0
789
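/*
 * Number of bytes of a frentry_t that are compared between rules: the span
 * from fr_func up to (not including) fr_ifnames, i.e. the fields the
 * structure marks as not changing whilst in the kernel.  fr_ifnames and
 * what follows are compared separately.
 */
#define	FR_CMPSIZ	(offsetof(struct frentry, fr_ifnames) - \
			 offsetof(struct frentry, fr_func))
/*
 * Pointer into the fr_names[] buffer of rule _f at the offset held in its
 * member _n (e.g. fr_comment).  The expansion is fully parenthesised so that
 * FR_NAME(f, m)[i] and *FR_NAME(f, m) apply to the resulting pointer rather
 * than binding to the member, as the unparenthesised form did.
 */
#define	FR_NAME(_f, _n)	((_f)->fr_names + (_f)->_n)
/*
 * Element count of a genuine array.  Only valid when _a is an array object;
 * a pointer (e.g. an array parameter) yields a meaningless value.
 */
#define	FR_NUM(_a)	(sizeof(_a) / sizeof(*(_a)))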
794
795
796/*
797 * fr_flags
798 */
799#define FR_BLOCK 0x00001 /* do not allow packet to pass */
800#define FR_PASS 0x00002 /* allow packet to pass */
801#define FR_AUTH 0x00003 /* use authentication */
802#define FR_PREAUTH 0x00004 /* require preauthentication */
803#define FR_ACCOUNT 0x00005 /* Accounting rule */
804#define FR_SKIP 0x00006 /* skip rule */
805#define FR_DECAPSULATE 0x00008 /* decapsulate rule */
806#define FR_CALL 0x00009 /* call rule */
807#define FR_CMDMASK 0x0000f
808#define FR_LOG 0x00010 /* Log */
809#define FR_LOGB 0x00011 /* Log-fail */
810#define FR_LOGP 0x00012 /* Log-pass */
811#define FR_LOGMASK (FR_LOG|FR_CMDMASK)
812#define FR_CALLNOW 0x00020 /* call another function (fr_func) if matches */
813#define FR_NOTSRCIP 0x00040
814#define FR_NOTDSTIP 0x00080
815#define FR_QUICK 0x00100 /* match & stop processing list */
816#define FR_KEEPFRAG 0x00200 /* keep fragment information */
817#define FR_KEEPSTATE 0x00400 /* keep `connection' state information */
818#define FR_FASTROUTE 0x00800 /* bypass normal routing */
819#define FR_RETRST 0x01000 /* Return TCP RST packet - reset connection */
820#define FR_RETICMP 0x02000 /* Return ICMP unreachable packet */
821#define FR_FAKEICMP 0x03000 /* Return ICMP unreachable with fake source */
822#define FR_OUTQUE 0x04000 /* outgoing packets */
823#define FR_INQUE 0x08000 /* ingoing packets */
824#define FR_LOGBODY 0x10000 /* Log the body */
825#define FR_LOGFIRST 0x20000 /* Log the first byte if state held */
826#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
827#define FR_STLOOSE 0x80000 /* loose state checking */
828#define FR_FRSTRICT 0x100000 /* strict frag. cache */
829#define FR_STSTRICT 0x200000 /* strict keep state */
830#define FR_NEWISN 0x400000 /* new ISN for outgoing TCP */
831#define FR_NOICMPERR 0x800000 /* do not match ICMP errors in state */
832#define FR_STATESYNC 0x1000000 /* synchronize state to slave */
833#define FR_COPIED 0x2000000 /* copied from user space */
834#define FR_INACTIVE 0x4000000 /* only used when flush'ing rules */
835#define FR_NOMATCH 0x8000000 /* no match occurred */
836 /* 0x10000000 FF_LOGPASS */
837 /* 0x20000000 FF_LOGBLOCK */
838 /* 0x40000000 FF_LOGNOMATCH */
839 /* 0x80000000 FF_BLOCKNONIP */
840
841#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
842#define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
843#define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
844#define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
845#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
846#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
847#define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
848#define FR_ISDECAPS(x) (((x) & FR_CMDMASK) == FR_DECAPSULATE)
849#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
850#define FR_INOUT (FR_INQUE|FR_OUTQUE)
851
852/*
853 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
854 */
855#define FF_LOGPASS 0x10000000
856#define FF_LOGBLOCK 0x20000000
857#define FF_LOGNOMATCH 0x40000000
858#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
859#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
860
861
862/*
863 * Structure that passes information on what/how to flush to the kernel.
864 */
865typedef struct ipfflush {
866 int ipflu_how;
867 int ipflu_arg;
868} ipfflush_t;
869
870
/*
 * Description of one tunable control: its minimum, current, maximum and
 * default values, the increment between valid values, and its name.
 */
874typedef struct ipfgetctl {
875 u_int ipfg_min; /* min value */
876 u_int ipfg_current; /* current value */
877 u_int ipfg_max; /* max value */
878 u_int ipfg_default; /* default value */
879 u_int ipfg_steps; /* value increments */
880 char ipfg_name[40]; /* tag name for this control */
881} ipfgetctl_t;
882
883typedef struct ipfsetctl {
884 int ipfs_which; /* 0 = min 1 = current 2 = max 3 = default */
885 u_int ipfs_value; /* min value */
886 char ipfs_name[40]; /* tag name for this control */
887} ipfsetctl_t;
888
889
890/*
891 * Some of the statistics below are in their own counters, but most are kept
892 * in this single structure so that they can all easily be collected and
893 * copied back as required.
894 */
895typedef struct ipf_statistics {
896 u_long fr_icmp_coalesce;
897 u_long fr_tcp_frag;
898 u_long fr_tcp_pullup;
899 u_long fr_tcp_short;
900 u_long fr_tcp_small;
901 u_long fr_tcp_bad_flags;
902 u_long fr_udp_pullup;
903 u_long fr_ip_freed;
904 u_long fr_v6_ah_bad;
905 u_long fr_v6_bad;
906 u_long fr_v6_badfrag;
907 u_long fr_v6_dst_bad;
908 u_long fr_v6_esp_pullup;
909 u_long fr_v6_ext_short;
910 u_long fr_v6_ext_pullup;
911 u_long fr_v6_ext_hlen;
912 u_long fr_v6_frag_bad;
913 u_long fr_v6_frag_pullup;
914 u_long fr_v6_frag_size;
915 u_long fr_v6_gre_pullup;
916 u_long fr_v6_icmp6_pullup;
917 u_long fr_v6_rh_bad;
918 u_long fr_v6_badttl; /* TTL in packet doesn't reach minimum */
919 u_long fr_v4_ah_bad;
920 u_long fr_v4_ah_pullup;
921 u_long fr_v4_esp_pullup;
922 u_long fr_v4_cipso_bad;
923 u_long fr_v4_cipso_tlen;
924 u_long fr_v4_gre_frag;
925 u_long fr_v4_gre_pullup;
926 u_long fr_v4_icmp_frag;
927 u_long fr_v4_icmp_pullup;
928 u_long fr_v4_badttl; /* TTL in packet doesn't reach minimum */
929 u_long fr_v4_badsrc; /* source received doesn't match route */
930 u_long fr_l4_badcksum; /* layer 4 header checksum failure */
931 u_long fr_badcoalesces;
932 u_long fr_pass; /* packets allowed */
933 u_long fr_block; /* packets denied */
934 u_long fr_nom; /* packets which don't match any rule */
935 u_long fr_short; /* packets which are short */
936 u_long fr_ppkl; /* packets allowed and logged */
937 u_long fr_bpkl; /* packets denied and logged */
938 u_long fr_npkl; /* packets unmatched and logged */
939 u_long fr_ret; /* packets for which a return is sent */
940 u_long fr_acct; /* packets for which counting was performed */
941 u_long fr_bnfr; /* bad attempts to allocate fragment state */
942 u_long fr_nfr; /* new fragment state kept */
943 u_long fr_cfr; /* add new fragment state but complete pkt */
944 u_long fr_bads; /* bad attempts to allocate packet state */
945 u_long fr_ads; /* new packet state kept */
946 u_long fr_chit; /* cached hit */
947 u_long fr_cmiss; /* cached miss */
948 u_long fr_tcpbad; /* TCP checksum check failures */
949 u_long fr_pull[2]; /* good and bad pullup attempts */
950 u_long fr_bad; /* bad IP packets to the filter */
951 u_long fr_ipv6; /* IPv6 packets in/out */
952 u_long fr_ppshit; /* dropped because of pps ceiling */
953 u_long fr_ipud; /* IP id update failures */
954 u_long fr_blocked[FRB_MAX_VALUE + 1];
955} ipf_statistics_t;
956
/*
 * Log structure. Each packet header logged is prepended by one of these.
 * Following this in the log records read from the device will be an ipflog
 * structure which is then followed by any packet data.
 *
 * Records are written by the kernel and consumed by userland readers of the
 * log devices. A reader should check ipl_magic against the IPL_MAGIC* values
 * below and bound every access to the trailing data by ipl_dsize rather than
 * by anything found inside the record body.
 */
typedef struct iplog {
	u_32_t ipl_magic;	/* IPL_MAGIC, IPL_MAGIC_NAT or IPL_MAGIC_STATE */
	u_int ipl_count;	/* NOTE(review): presumably a repeat count for identical records - confirm */
	u_32_t ipl_seqnum;	/* record sequence number (assumed per log device) */
	struct timeval ipl_time;	/* time the record was generated; see ipl_sec/ipl_usec */
	size_t ipl_dsize;	/* bytes of data following this header (assumed: ipflog + packet) */
	struct iplog *ipl_next;	/* in-kernel list link; carries no meaning for a userland reader
				 * and is a kernel address if copied out unchanged - review */
} iplog_t;
970
/* Shorthand for the two halves of iplog_t.ipl_time. */
#define ipl_sec ipl_time.tv_sec
#define ipl_usec ipl_time.tv_usec

/* Values for iplog_t.ipl_magic, one per kind of log record. */
#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
#define IPL_MAGIC_NAT 0x49504c4e /* 'IPLN' */
#define IPL_MAGIC_STATE 0x49504c53 /* 'IPLS' */
#define IPLOG_SIZE sizeof(iplog_t)	/* fixed header size preceding every record body */
978
/*
 * Per-packet detail that follows the iplog_t header in a filter log record.
 * fl_hlen bytes of saved IP headers and fl_plen bytes of extra data follow
 * this structure (assumed layout - confirm against the log writer); a reader
 * must keep fl_hlen + fl_plen within the enclosing record's ipl_dsize.
 */
typedef struct ipflog {
	u_int fl_unit;	/* log minor device the record belongs to (assumed IPL_LOG*) */
	u_32_t fl_rule;	/* number of the rule that produced the record (assumed) */
	u_32_t fl_flags;
	u_32_t fl_lflags;
	u_32_t fl_logtag;
	ipftag_t fl_nattag;
	u_short fl_plen; /* extra data after hlen */
	u_short fl_loglevel; /* syslog log level */
	char fl_group[FR_GROUPLEN];	/* rule group name; bound reads by FR_GROUPLEN, do not assume NUL */
	u_char fl_hlen; /* length of IP headers saved */
	u_char fl_dir;	/* packet direction (encoding not defined here - confirm) */
	u_char fl_breason; /* from fin_reason */
	u_char fl_family; /* address family of packet logged */
	char fl_ifname[LIFNAMSIZ];	/* interface name; bound reads by LIFNAMSIZ, do not assume NUL */
} ipflog_t;
995
/* Build-time defaults; each may be overridden by the build configuration. */
#ifndef IPF_LOGGING
# define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
# define IPF_DEFAULT_PASS FR_PASS	/* presumably the policy applied when no rule matches */
#endif

/*
 * Size of the in-kernel log buffer. A configured IPFILTER_LOGSIZE below the
 * 8192 byte floor is rejected at compile time rather than silently accepted.
 */
#define DEFAULT_IPFLOGSIZE 32768
#ifndef IPFILTER_LOGSIZE
# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
#else
# if IPFILTER_LOGSIZE < 8192
# error IPFILTER_LOGSIZE too small. Must be >= 8192
# endif
#endif

#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */
1013
/*
 * Device filenames for reading log information. Use ipf on Solaris2 because
 * ipl is already a name used by something else.
 */
#ifndef IPL_NAME
# if SOLARIS
# define IPL_NAME "/dev/ipf"
# else
# define IPL_NAME "/dev/ipl"
# endif
#endif
/*
 * Pathnames for various IP Filter control devices. Used by LKM
 * and userland, so defined here. Access to these nodes is what gates the
 * ioctl interface declared further down, so their permissions matter.
 */
#define IPNAT_NAME "/dev/ipnat"
#define IPSTATE_NAME "/dev/ipstate"
#define IPAUTH_NAME "/dev/ipauth"
#define IPSYNC_NAME "/dev/ipsync"
#define IPSCAN_NAME "/dev/ipscan"
#define IPLOOKUP_NAME "/dev/iplookup"
1035
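/*
 * Minor device numbers for the log devices, one per subsystem. IPL_LOGSIZE is
 * the number of minors and sizes the per-minor arrays in this header
 * (f_groups, f_locks, ipf_groups, ipf_selwait, ...); IPL_LOGALL and
 * IPL_LOGNONE are out-of-range sentinels. Each expansion is parenthesised so
 * the macro behaves as a single value inside a larger expression - the
 * previous unparenthesised IPL_LOGMAX + 1 bound to neighbouring operators
 * (2 * IPL_LOGSIZE gave 15, not 16).
 */
#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
#define IPL_LOGAUTH 3
#define IPL_LOGSYNC 4
#define IPL_LOGSCAN 5
#define IPL_LOGLOOKUP 6
#define IPL_LOGCOUNT 7
#define IPL_LOGMAX 7
#define IPL_LOGSIZE (IPL_LOGMAX + 1)
#define IPL_LOGALL (-1)
#define IPL_LOGNONE (-2)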
1048
/*
 * For SIOCGETFS: a snapshot of filter state copied out to userland.
 * The frentry_t / frgroup pointers inside are kernel addresses as copied out
 * by the kernel; userland can compare them or hand them back as handles but
 * must never dereference them.
 */
typedef struct friostat {
	ipf_statistics_t f_st[2];	/* counters, presumably indexed in/out like f_ipf */
	frentry_t *f_ipf[2][2];	/* filter rule lists; see f_fin / f_fout */
	frentry_t *f_acct[2][2];	/* accounting rule lists; see f_acctin / f_acctout */
	frentry_t *f_auth;
	struct frgroup *f_groups[IPL_LOGSIZE][2];	/* one group list per log minor */
	u_long f_froute[2];
	u_long f_log_ok;
	u_long f_log_fail;
	u_long f_rb_no_mem;
	u_long f_rb_node_max;
	u_32_t f_ticks;
	int f_locks[IPL_LOGSIZE];
	int f_defpass; /* default pass - from fr_pass */
	int f_active; /* 1 or 0 - active rule set */
	int f_running; /* 1 if running, else 0 */
	int f_logging; /* 1 if enabled, else 0 */
	int f_features;	/* IPF_FEAT_* bits describing the running kernel */
	char f_version[32]; /* version string */
} friostat_t;
1072
/* Directional views of the friostat_t rule list arrays: index 0 in, 1 out. */
#define f_fin f_ipf[0]
#define f_fout f_ipf[1]
#define f_acctin f_acct[0]
#define f_acctout f_acct[1]

/* Bits for friostat_t.f_features. */
#define IPF_FEAT_LKM 0x001
#define IPF_FEAT_LOG 0x002
#define IPF_FEAT_LOOKUP 0x004
#define IPF_FEAT_BPF 0x008
#define IPF_FEAT_COMPILED 0x010
#define IPF_FEAT_CKSUM 0x020
#define IPF_FEAT_SYNC 0x040
#define IPF_FEAT_SCAN 0x080
#define IPF_FEAT_IPV6 0x100
1087
/* Maps an option value (ol_val) to its bit position (ol_bit) in an option mask. */
typedef struct optlist {
	u_short ol_val;
	int ol_bit;
} optlist_t;
1092
1093
/*
 * Group list structure. Groups are reference counted (fg_ref) and kept on a
 * singly linked list (fg_next) whose owning list head is fg_set.
 */
typedef struct frgroup {
	struct frgroup *fg_next;
	struct frentry *fg_head;	/* first rule in the group (assumed) */
	struct frentry *fg_start;
	struct frgroup **fg_set;	/* address of the list this group is on */
	u_32_t fg_flags;
	int fg_ref;	/* reference count; see ipf_group_del */
	char fg_name[FR_GROUPLEN];	/* group name; empty string when fg_name[0] == '\0' (see FG_NAME) */
} frgroup_t;
1106
/* Printable group name: "" for an unnamed group, otherwise fg_name. Evaluates g twice. */
#define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
1108
1109
/*
 * Used by state and NAT tables: the ICMP fields a query/reply pair is matched
 * on (see ipf_matchicmpqueryreply).
 */
typedef struct icmpinfo {
	u_short ici_id;
	u_short ici_seq;
	u_char ici_type;
} icmpinfo_t;
1118
/* UDP port pair tracked by state and NAT tables. */
typedef struct udpinfo {
	u_short us_sport;
	u_short us_dport;
} udpinfo_t;
1123
1124
/*
 * Per-direction TCP sequence tracking data kept for a stateful connection.
 * Kept in pairs (tcpinfo_t.ts_data[2]), one per direction.
 */
typedef struct tcpdata {
	u_32_t td_end;
	u_32_t td_maxend;
	u_32_t td_maxwin;
	u_32_t td_winscale;	/* window scale shift; see TCP_WSCALE_MAX */
	u_32_t td_maxseg;
	int td_winflags;	/* TCP_WSCALE_* / TCP_SACK_PERMIT bits */
} tcpdata_t;
1133
/* Largest window scale shift accepted (RFC 7323 caps it at 14). */
#define TCP_WSCALE_MAX 14

/* Bits for tcpdata_t.td_winflags. */
#define TCP_WSCALE_SEEN 0x00000001
#define TCP_WSCALE_FIRST 0x00000002
#define TCP_SACK_PERMIT 0x00000004
1139
1140
/* TCP connection identity plus per-direction sequence tracking. */
typedef struct tcpinfo {
	u_32_t ts_sport;
	u_32_t ts_dport;
	tcpdata_t ts_data[2];	/* one entry per direction */
} tcpinfo_t;
1146
1147
/*
 * Structures to define a GRE header as seen in a packet.
 *
 * The bit-field order is switched on the sparc macro, i.e. the layout relies
 * on the compiler's (implementation-defined) bit-field allocation matching
 * the wire order on each platform. Code that must be portable should read
 * the 16-bit gr_flags word and mask it instead of trusting these fields.
 */
struct grebits {
#if defined(sparc)
	u_32_t grb_ver:3;
	u_32_t grb_flags:3;
	u_32_t grb_A:1;
	u_32_t grb_recur:1;
	u_32_t grb_s:1;
	u_32_t grb_S:1;
	u_32_t grb_K:1;
	u_32_t grb_R:1;
	u_32_t grb_C:1;
#else
	u_32_t grb_C:1;
	u_32_t grb_R:1;
	u_32_t grb_K:1;
	u_32_t grb_S:1;
	u_32_t grb_s:1;
	u_32_t grb_recur:1;
	u_32_t grb_A:1;
	u_32_t grb_flags:3;
	u_32_t grb_ver:3;
#endif
	u_short grb_ptype;	/* protocol type of the encapsulated payload */
};
1175
/*
 * GRE header. The union lets the first 16 bits be read either as the
 * decoded bit-fields (gr_bits) or as one raw word (gr_flags).
 */
typedef struct grehdr {
	union {
		struct grebits gru_bits;
		u_short gru_flags;
	} gr_un;
	u_short gr_len;
	u_short gr_call;
} grehdr_t;
1184
/* Field accessors for grehdr_t so callers need not spell out the union. */
#define gr_flags gr_un.gru_flags
#define gr_bits gr_un.gru_bits
#define gr_ptype gr_bits.grb_ptype
#define gr_C gr_bits.grb_C
#define gr_R gr_bits.grb_R
#define gr_K gr_bits.grb_K
#define gr_S gr_bits.grb_S
#define gr_s gr_bits.grb_s
#define gr_recur gr_bits.grb_recur
#define gr_A gr_bits.grb_A
#define gr_ver gr_bits.grb_ver
1196
/*
 * GRE information tracked by "keep state"
 */
typedef struct greinfo {
	u_short gs_call[2];	/* call id, one per direction (assumed) */
	u_short gs_flags;
	u_short gs_ptype;
} greinfo_t;
1205
/*
 * Top three bits of the host-order 16-bit value x. The name suggests the GRE
 * version field; NOTE(review): RFC 2784 places Ver in the low three bits of
 * the first word, so confirm what callers pass here. Evaluates x once.
 */
#define GRE_REV(x) ((ntohs(x) >> 13) & 7)
1207
1208
/*
 * Format of an Authentication header (fixed part only). ah_plen is taken
 * from the packet, so any code stepping past this header by ah_plen must
 * first check the result against the available packet length.
 */
typedef struct authhdr {
	u_char ah_next;	/* next header / protocol */
	u_char ah_plen;	/* payload length, in 32-bit words minus 2 (RFC 2402) */
	u_short ah_reserved;
	u_32_t ah_spi;
	u_32_t ah_seq;
	/* Following the sequence number field is 0 or more bytes of */
	/* authentication data, as specified by ah_plen - RFC 2402. */
} authhdr_t;
1221
1222
/*
 * Timeout tail queue list member. Embedded in NAT and state entries
 * (tqe_parent points back at the owner) and threaded onto an ipftq_t.
 */
typedef struct ipftqent {
	struct ipftqent **tqe_pnext;	/* address of the pointer that points at us */
	struct ipftqent *tqe_next;
	struct ipftq *tqe_ifq;	/* queue this entry is currently on */
	void *tqe_parent; /* pointer back to NAT/state struct */
	u_32_t tqe_die; /* when this entry is to die */
	u_32_t tqe_touched;	/* last time the entry was refreshed (assumed) */
	int tqe_flags;	/* TQE_* bits */
	int tqe_state[2]; /* current state of this entry */
} ipftqent_t;
1236
/* Bits for ipftqent_t.tqe_flags. */
#define TQE_RULEBASED 0x00000001
#define TQE_DELETE 0x00000002
1239
1240
/*
 * Timeout tail queue head for IPFilter. Entries are appended at ifq_tail
 * and expire after ifq_ttl; the queue itself is reference counted
 * (ifq_ref) and protected by ifq_lock.
 */
typedef struct ipftq {
	ipfmutex_t ifq_lock;
	u_int ifq_ttl;	/* lifetime of entries on this queue, in timeout ticks */
	ipftqent_t *ifq_head;
	ipftqent_t **ifq_tail;	/* address of the last next-pointer, for O(1) append */
	struct ipftq *ifq_next;
	struct ipftq **ifq_pnext;
	int ifq_ref;
	u_int ifq_flags;	/* IFQF_* bits */
} ipftq_t;
1254
/* Bits for ipftq_t.ifq_flags. */
#define IFQF_USER 0x01 /* User defined aging */
#define IFQF_DELETE 0x02 /* Marked for deletion */
#define IFQF_PROXY 0x04 /* Timeout queue in use by a proxy */

/*
 * Initialise queue x with ttl y and lock name z. Leaves ifq_next, ifq_pnext
 * and ifq_flags untouched, so the caller is responsible for those. x is
 * evaluated several times and must be a plain lvalue.
 */
#define IPFTQ_INIT(x,y,z) do { \
	(x)->ifq_ttl = (y); \
	(x)->ifq_head = NULL; \
	(x)->ifq_ref = 1; \
	(x)->ifq_tail = &(x)->ifq_head; \
	MUTEX_INIT(&(x)->ifq_lock, (z)); \
	} while (0)

/*
 * Conversion from seconds to timeout ticks. With IPF_HZ_MULT == 1 the
 * division is a no-op and IPF_TTLVAL(x) is x * IPF_HZ_DIVIDE; note the
 * integer division happens first, so IPF_HZ_MULT > 1 would truncate.
 */
#define IPF_HZ_MULT 1
#define IPF_HZ_DIVIDE 2 /* How many times a second ipfilter */
 /* checks its timeout queues. */
#define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)

/* Callback used by ipf_queueflush to dispose of an expired entry's parent. */
typedef int (*ipftq_delete_fn_t)(struct ipf_main_softc_s *, void *);
1273
1274
/*
 * Object structure description. For passing through in ioctls.
 *
 * Every field is supplied by userland. Before copying an object in or out
 * the kernel side (ipf_inobj / ipf_outobj and friends, declared below) has to
 * check ipfo_rev against the expected revision, ipfo_type against the
 * IPFOBJ_* list, and ipfo_size / ipfo_offset against the real size of that
 * object type - none of these values can be trusted as received.
 */
typedef struct ipfobj {
	u_32_t ipfo_rev; /* IPFilter version number */
	u_32_t ipfo_size; /* size of object at ipfo_ptr */
	void *ipfo_ptr; /* pointer to object */
	int ipfo_type; /* type of object being pointed to */
	int ipfo_offset; /* bytes from ipfo_ptr where to start */
	int ipfo_retval; /* return value */
	u_char ipfo_xxxpad[28]; /* reserved for future use */
} ipfobj_t;
1287
/*
 * Values for ipfobj_t.ipfo_type. IPFOBJ_COUNT must stay one past the last
 * valid type so range checks on ipfo_type remain correct when a type is added.
 */
#define IPFOBJ_FRENTRY 0 /* struct frentry */
#define IPFOBJ_IPFSTAT 1 /* struct friostat */
#define IPFOBJ_IPFINFO 2 /* struct fr_info */
#define IPFOBJ_AUTHSTAT 3 /* struct fr_authstat */
#define IPFOBJ_FRAGSTAT 4 /* struct ipfrstat */
#define IPFOBJ_IPNAT 5 /* struct ipnat */
#define IPFOBJ_NATSTAT 6 /* struct natstat */
#define IPFOBJ_STATESAVE 7 /* struct ipstate_save */
#define IPFOBJ_NATSAVE 8 /* struct nat_save */
#define IPFOBJ_NATLOOKUP 9 /* struct natlookup */
#define IPFOBJ_IPSTATE 10 /* struct ipstate */
#define IPFOBJ_STATESTAT 11 /* struct ips_stat */
#define IPFOBJ_FRAUTH 12 /* struct frauth */
#define IPFOBJ_TUNEABLE 13 /* struct ipftune */
#define IPFOBJ_NAT 14 /* struct nat */
#define IPFOBJ_IPFITER 15 /* struct ipfruleiter */
#define IPFOBJ_GENITER 16 /* struct ipfgeniter */
#define IPFOBJ_GTABLE 17 /* struct ipftable */
#define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */
#define IPFOBJ_STATETQTAB 19 /* struct ipftq * NSTATES */
#define IPFOBJ_IPFEXPR 20	/* int array of ipfexp_t (see IPF_EXP_*) */
#define IPFOBJ_PROXYCTL 21 /* struct ap_ctl */
#define IPFOBJ_FRIPF 22 /* struct fripf */
#define IPFOBJ_COUNT 23 /* How many #defines are above this? */
1312
1313
/*
 * Where a tuneable lives: a typed pointer to the variable, or an offset
 * (ipftp_offset) to be resolved against a base, presumably the softc.
 */
typedef union ipftunevalptr {
	void *ipftp_void;
	u_long *ipftp_long;
	u_int *ipftp_int;
	u_short *ipftp_short;
	u_char *ipftp_char;
	u_long ipftp_offset;
} ipftunevalptr_t;
1322
/* A tuneable's value, in whichever width ipftuneable_t.ipft_sz selects. */
typedef union ipftuneval {
	u_long ipftu_long;
	u_int ipftu_int;
	u_short ipftu_short;
	u_char ipftu_char;
} ipftuneval_t;
1329
struct ipftuneable;
/* Hook invoked when a tuneable is written, receiving the new value. */
typedef int (* ipftunefunc_t)(struct ipf_main_softc_s *, struct ipftuneable *, ipftuneval_t *);
1332
/*
 * Kernel-side description of one tuneable. ipft_min / ipft_max bound the
 * values userland may set and ipft_flags (IPFT_*) restricts when; the
 * optional ipft_func is called on a write.
 */
typedef struct ipftuneable {
	ipftunevalptr_t ipft_una;	/* location of the variable; see ipft_addr etc. */
	const char *ipft_name;
	u_long ipft_min;
	u_long ipft_max;
	int ipft_sz;	/* size in bytes of the variable (assumed) */
	int ipft_flags;	/* IPFT_* bits */
	struct ipftuneable *ipft_next;
	ipftunefunc_t ipft_func;	/* may be NULL (assumed) */
} ipftuneable_t;
1343
/* Typed views of ipftuneable_t.ipft_una. */
#define ipft_addr ipft_una.ipftp_void
#define ipft_plong ipft_una.ipftp_long
#define ipft_pint ipft_una.ipftp_int
#define ipft_pshort ipft_una.ipftp_short
#define ipft_pchar ipft_una.ipftp_char

/* Bits for ipftuneable_t.ipft_flags / ipftune_t.ipft_flags. */
#define IPFT_RDONLY 1 /* read-only */
#define IPFT_WRDISABLED 2 /* write when disabled only */
1352
/*
 * Userland view of a tuneable, exchanged through ioctls (IPFOBJ_TUNEABLE).
 * ipft_cookie is an opaque iteration handle. ipft_name arrives from
 * userland, so the kernel must not assume it is NUL-terminated when using
 * it to look a tuneable up.
 */
typedef struct ipftune {
	void *ipft_cookie;
	ipftuneval_t ipft_un;	/* value; see ipft_vlong etc. */
	u_long ipft_min;
	u_long ipft_max;
	int ipft_sz;
	int ipft_flags;
	char ipft_name[80];
} ipftune_t;
1362
/* Typed views of ipftune_t.ipft_un. */
#define ipft_vlong ipft_un.ipftu_long
#define ipft_vint ipft_un.ipftu_int
#define ipft_vshort ipft_un.ipftu_short
#define ipft_vchar ipft_un.ipftu_char
1367
/*
 * Hash table header: expands to a typedef of an anonymous struct named y
 * holding a read/write lock and the head of a list of struct x.
 */
#define IPFHASH(x,y) typedef struct { \
	ipfrwlock_t ipfh_lock; \
	struct x *ipfh_head; \
	} y
1375
/*
** HPUX Port
*/

#if !defined(CDEV_MAJOR) && defined (__FreeBSD__)
# define CDEV_MAJOR 79
#endif

/*
 * Debug output. In the kernel both macros compile to nothing; in userland
 * they call the printf-style helpers below (inferred from the varargs
 * signatures). The argument is a parenthesised argument list, so the first
 * element should always be a literal format string, never caller-supplied
 * text.
 */
#ifdef _KERNEL
# define FR_VERBOSE(verb_pr)
# define FR_DEBUG(verb_pr)
#else
extern void ipfkdebug(char *, ...);
extern void ipfkverbose(char *, ...);
# define FR_VERBOSE(verb_pr) ipfkverbose verb_pr
# define FR_DEBUG(verb_pr) ipfkdebug verb_pr
#endif
1393
/*
 * Rule iterator passed through IPFOBJ_IPFITER. Userland names the list
 * (iri_inout, one of the F_* values below), group and rule set; the kernel
 * fills in iri_rule for the next rule.
 */
typedef struct ipfruleiter {
	int iri_inout;	/* F_IN, F_OUT, F_ACIN or F_ACOUT */
	char iri_group[FR_GROUPLEN];	/* supplied by userland; do not assume NUL termination */
	int iri_active;	/* which rule set: active or inactive (assumed) */
	int iri_nrules;
	int iri_v; /* No longer used (compatibility) */
	frentry_t *iri_rule;	/* kernel address of the current rule; a handle, not for dereferencing */
} ipfruleiter_t;
1405
/*
 * Values for iri_inout
 */
#define F_IN 0
#define F_OUT 1
#define F_ACIN 2	/* accounting list, inbound */
#define F_ACOUT 3	/* accounting list, outbound */
1413
1414
/*
 * Generic iterator passed through IPFOBJ_GENITER. igi_type names the table
 * (IPFGENITER_*), igi_nitems how many entries to return and igi_data the
 * userland buffer they are copied into; the kernel must size its copies by
 * the object type, not by anything else in here.
 */
typedef struct ipfgeniter {
	int igi_type;
	int igi_nitems;
	void *igi_data;	/* userland buffer */
} ipfgeniter_t;
1420
/* Values for ipfgeniter_t.igi_type. */
#define IPFGENITER_IPF 0
#define IPFGENITER_NAT 1
#define IPFGENITER_IPNAT 2
#define IPFGENITER_FRAG 3
#define IPFGENITER_AUTH 4
#define IPFGENITER_STATE 5
#define IPFGENITER_NATFRAG 6
#define IPFGENITER_HOSTMAP 7
#define IPFGENITER_LOOKUP 8
1430
/* Table request passed through IPFOBJ_GTABLE; ita_type is an IPFTABLE_* value. */
typedef struct ipftable {
	int ita_type;
	void *ita_table;	/* userland buffer receiving the table */
} ipftable_t;
1435
/* Values for ipftable_t.ita_type. */
#define IPFTABLE_BUCKETS 1
#define IPFTABLE_BUCKETS_NATIN 2
#define IPFTABLE_BUCKETS_NATOUT 3
1439
1440
/*
 * Set of IPv4 netmask lengths in use, one slot per prefix length 0..32.
 * Maintained by ipf_inet_mask_add / ipf_inet_mask_del.
 */
typedef struct ipf_v4_masktab_s {
	u_32_t imt4_active[33];
	int imt4_masks[33];
	int imt4_max;
} ipf_v4_masktab_t;
1446
/*
 * Set of IPv6 netmask lengths in use, one slot per prefix length 0..128.
 * Maintained by ipf_inet6_mask_add / ipf_inet6_mask_del.
 */
typedef struct ipf_v6_masktab_s {
	i6addr_t imt6_active[129];
	int imt6_masks[129];
	int imt6_max;
} ipf_v6_masktab_t;
1452
1453
/*
 * Iteration token. Tracks the position of a userland iteration across
 * successive ioctls; tokens are kept on the softc's token list, reference
 * counted, and expire at ipt_die (see ipf_token_expire). ipt_uid is
 * presumably the uid of the creating process so that one caller cannot
 * resume another's iteration - confirm in ipf_token_find.
 */
typedef struct ipftoken {
	struct ipftoken *ipt_next;
	struct ipftoken **ipt_pnext;
	void *ipt_ctx;
	void *ipt_data;	/* position within the iterated table (assumed) */
	u_long ipt_die;
	int ipt_type;
	int ipt_uid;
	int ipt_subtype;
	int ipt_ref;
	int ipt_complete;	/* set by ipf_token_mark_complete */
} ipftoken_t;
1469
1470
/*
 * One instruction of a match expression (IPFOBJ_IPFEXPR). ipfe_narg
 * arguments follow in ipfe_arg0, which is declared [1] in the pre-C99
 * trailing-array idiom; sizeof(ipfexp_t) therefore counts one argument
 * already. The array arrives from userland, so ipfe_size and ipfe_narg must
 * be checked against the buffer actually copied in before any indexing
 * (ipf_matcharray_verify, declared below, appears to be that check).
 */
typedef struct ipfexp {
	int ipfe_cmd;	/* IPF_EXP_* */
	int ipfe_not;	/* non-zero inverts the match (assumed) */
	int ipfe_narg;
	int ipfe_size;	/* total size of this instruction, in ints (assumed) */
	int ipfe_arg0[1];
} ipfexp_t;
1481
/*
 * Currently supported commands (ipfe_cmd)
 * The 32 bits are split up as follows:
 * aabbcccc
 * aa = 0 = packet matching, 1 = meta data matching
 * bb = IP protocol number (0x06 TCP, 0x11 UDP)
 * cccc = command
 * IPF_EXP_END terminates an expression array; a verifier must insist on it
 * being present within the copied-in size.
 */
#define IPF_EXP_IP_PR 0x00000001
#define IPF_EXP_IP_ADDR 0x00000002
#define IPF_EXP_IP_SRCADDR 0x00000003
#define IPF_EXP_IP_DSTADDR 0x00000004
#define IPF_EXP_IP6_ADDR 0x00000005
#define IPF_EXP_IP6_SRCADDR 0x00000006
#define IPF_EXP_IP6_DSTADDR 0x00000007
#define IPF_EXP_TCP_FLAGS 0x00060001
#define IPF_EXP_TCP_PORT 0x00060002
#define IPF_EXP_TCP_SPORT 0x00060003
#define IPF_EXP_TCP_DPORT 0x00060004
#define IPF_EXP_UDP_PORT 0x00110002
#define IPF_EXP_UDP_SPORT 0x00110003
#define IPF_EXP_UDP_DPORT 0x00110004
#define IPF_EXP_IDLE_GT 0x01000001
#define IPF_EXP_TCP_STATE 0x01060002
#define IPF_EXP_END 0xffffffff

/* Common lifetimes expressed in timeout ticks. */
#define ONE_DAY IPF_TTLVAL(1 * 86400) /* 1 day */
#define FIVE_DAYS (5 * ONE_DAY)
1510
/*
 * Per-instance filter state ("softc"). Instances are chained through
 * ipf_next and nearly every entry point below takes a pointer to one.
 * It lives in kernel memory and none of the IPFOBJ_* types above refers to
 * it, so exported views go through friostat_t and the other ioctl objects
 * rather than by copying this structure out.
 */
typedef struct ipf_main_softc_s {
	struct ipf_main_softc_s *ipf_next;
	ipfmutex_t ipf_rw;	/* locks; the required acquisition order is not documented here */
	ipfmutex_t ipf_timeoutlock;
	ipfrwlock_t ipf_mutex;
	ipfrwlock_t ipf_frag;
	ipfrwlock_t ipf_global;
	ipfrwlock_t ipf_tokens;
	ipfrwlock_t ipf_state;
	ipfrwlock_t ipf_nat;
	ipfrwlock_t ipf_natfrag;
	ipfrwlock_t ipf_poolrw;
	int ipf_dynamic_softc;	/* non-zero when this softc was allocated rather than static (assumed) */
	int ipf_refcnt;
	int ipf_running;
	int ipf_flags;
	int ipf_active;	/* currently active rule set (cf. friostat_t.f_active) */
	int ipf_control_forwarding;
	int ipf_update_ipid;
	int ipf_chksrc; /* causes a system crash if enabled */
	int ipf_pass;	/* default policy (cf. IPF_DEFAULT_PASS, friostat_t.f_defpass) */
	int ipf_minttl;
	int ipf_icmpminfragmtu;
	int ipf_interror; /* Should be in a struct that is per */
	 /* thread or process. Does not belong */
	 /* here but there's a lot more work */
	 /* in doing that properly. For now, */
	 /* it is squatting. */
	 /* Set via IPFERROR(); being shared, a
	 * concurrent ioctl could observe
	 * another caller's code. */
	u_int ipf_tcpidletimeout;	/* state lifetimes, presumably in IPF_TTLVAL ticks */
	u_int ipf_tcpclosewait;
	u_int ipf_tcplastack;
	u_int ipf_tcptimewait;
	u_int ipf_tcptimeout;
	u_int ipf_tcpsynsent;
	u_int ipf_tcpsynrecv;
	u_int ipf_tcpclosed;
	u_int ipf_tcphalfclosed;
	u_int ipf_udptimeout;
	u_int ipf_udpacktimeout;
	u_int ipf_icmptimeout;
	u_int ipf_icmpacktimeout;
	u_int ipf_iptimeout;
	u_int ipf_large_nat;
	u_long ipf_ticks;	/* timeout clock (assumed to be what tqe_die is compared with) */
	u_long ipf_userifqs;
	u_long ipf_rb_no_mem;
	u_long ipf_rb_node_max;
	u_long ipf_frouteok[2];
	ipftuneable_t *ipf_tuners;	/* registered tuneables; see ipf_tune_* */
	void *ipf_frag_soft;	/* opaque per-subsystem state blocks */
	void *ipf_nat_soft;
	void *ipf_state_soft;
	void *ipf_auth_soft;
	void *ipf_proxy_soft;
	void *ipf_sync_soft;
	void *ipf_lookup_soft;
	void *ipf_log_soft;
	struct frgroup *ipf_groups[IPL_LOGSIZE][2];
	frentry_t *ipf_rules[2][2];
	frentry_t *ipf_acct[2][2];
	frentry_t *ipf_rule_explist[2];
	ipftoken_t *ipf_token_head;	/* outstanding iteration tokens */
	ipftoken_t **ipf_token_tail;
#if defined(__FreeBSD__) && defined(_KERNEL)
	struct callout ipf_slow_ch;
#endif
#if NETBSD_GE_REV(104040000)
	struct callout ipf_slow_ch;
#endif
#if SOLARIS
	timeout_id_t ipf_slow_ch;
#endif
#if defined(_KERNEL)
# if SOLARIS
	struct pollhead ipf_poll_head[IPL_LOGSIZE];
	void *ipf_dip;
# if defined(INSTANCES)
	int ipf_get_loopback;
	u_long ipf_idnum;
	net_handle_t ipf_nd_v4;
	net_handle_t ipf_nd_v6;
	hook_t *ipf_hk_v4_in;
	hook_t *ipf_hk_v4_out;
	hook_t *ipf_hk_v4_nic;
	hook_t *ipf_hk_v6_in;
	hook_t *ipf_hk_v6_out;
	hook_t *ipf_hk_v6_nic;
	hook_t *ipf_hk_loop_v4_in;
	hook_t *ipf_hk_loop_v4_out;
	hook_t *ipf_hk_loop_v6_in;
	hook_t *ipf_hk_loop_v6_out;
# endif
# else
	struct selinfo ipf_selwait[IPL_LOGSIZE];
# endif
#endif
	void *ipf_slow;
	ipf_statistics_t ipf_stats[2];	/* presumably what friostat_t.f_st is filled from */
	u_char ipf_iss_secret[32];	/* secret material, presumably keying ipf_newisn;
					 * must never be copied out to userland */
	u_short ipf_ip_id;
} ipf_main_softc_t;
1612
/*
 * Record error code _e for the current operation in the softc and pass it to
 * the DT1 hook (presumably a DTrace probe). Relies on a variable named
 * `softc` being in scope at the expansion site, and evaluates _e twice, so
 * callers should pass a constant or a plain variable, never an expression
 * with side effects.
 */
#define IPFERROR(_e) do { softc->ipf_interror = (_e); \
	DT1(user_error, int, _e); \
	} while (0)
1616
/*
 * Platform entry points. The userland build (test harness) supplies stand-in
 * versions of the kernel hooks; kernel builds get the per-platform
 * signatures. ipfioctl in every variant is the boundary where
 * userland-controlled command and data pointers enter the filter.
 */
#ifndef _KERNEL
extern int ipf_check(void *, struct ip *, int, struct ifnet *, int, mb_t **);
extern struct ifnet *get_unit(char *, int);
extern char *get_ifname(struct ifnet *);
extern int ipfioctl(ipf_main_softc_t *, int, ioctlcmd_t,
 caddr_t, int);
extern void m_freem(mb_t *);
extern size_t msgdsize(mb_t *);
extern int bcopywrap(void *, void *, size_t);
extern void ip_fillid(struct ip *);
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern void ipfilterattach(int);
# endif
extern int ipl_enable(void);
extern int ipl_disable(void);
# if SOLARIS
extern int ipf_check(void *, struct ip *, int, struct ifnet *, int, void *,
 mblk_t **);
# if SOLARIS	/* redundant: already inside # if SOLARIS */
extern void ipf_prependmbt(fr_info_t *, mblk_t *);
extern int ipfioctl(dev_t, int, intptr_t, int, cred_t *, int *);
# endif
extern int ipf_qout(queue_t *, mblk_t *);
# else /* SOLARIS */
extern int ipf_check(void *, struct ip *, int, struct ifnet *, int, mb_t **);
extern int (*fr_checkp)(ip_t *, int, void *, int, mb_t **);	/* packet hook installed into the stack */
extern size_t mbufchainlen(mb_t *);
# ifdef IPFILTER_LKM
extern int ipf_identify(char *);
# endif
# if defined(__FreeBSD__)
extern int ipfioctl(struct cdev*, u_long, caddr_t, int, struct thread *);
# elif defined(__NetBSD__)
extern int ipfioctl(dev_t, u_long, void *, int, struct lwp *);
# endif
# endif /* SOLARIS */

# if defined(__FreeBSD__)
/* pfil hook and event handler registration for the FreeBSD kernel module. */
extern int ipf_pfil_hook(void);
extern int ipf_pfil_unhook(void);
extern void ipf_event_reg(void);
extern void ipf_event_dereg(void);
extern void ipf_fbsd_kenv_get(ipf_main_softc_t *);
# endif

# if defined(INSTANCES)
/* Multi-instance support: look up a softc by id, loopback tuneable hook. */
extern ipf_main_softc_t *ipf_find_softc(u_long);
extern int ipf_set_loopback(ipf_main_softc_t *, ipftuneable_t *,
 ipftuneval_t *);
# endif

#endif /* #ifndef _KERNEL */
1670
/* Generic helpers shared by the kernel and userland builds. */
extern char *memstr(const char *, char *, size_t, size_t);
extern int count4bits(u_32_t);
#ifdef USE_INET6
extern int count6bits(u_32_t *);
#endif
extern int frrequest(ipf_main_softc_t *, int, ioctlcmd_t, caddr_t,
 int, int);
extern char *getifname(struct ifnet *);
extern int ipfattach(ipf_main_softc_t *);
extern int ipfdetach(ipf_main_softc_t *);
extern u_short ipf_cksum(u_short *, int);
/*
 * Userland <-> kernel copying and ipfobj_t marshalling. These are the
 * functions through which every ioctl-supplied object enters or leaves the
 * kernel, so this is where ipfo_rev / ipfo_type / ipfo_size have to be
 * validated against the expected object (assumed; confirm in fil.c).
 */
extern int copyinptr(ipf_main_softc_t *, void *, void *, size_t);
extern int copyoutptr(ipf_main_softc_t *, void *, void *, size_t);
extern int ipf_fastroute(mb_t *, mb_t **, fr_info_t *, frdest_t *);
extern int ipf_inject(fr_info_t *, mb_t *);
extern int ipf_inobj(ipf_main_softc_t *, void *, ipfobj_t *,
 void *, int);
extern int ipf_inobjsz(ipf_main_softc_t *, void *, void *,
 int , int);
extern int ipf_ioctlswitch(ipf_main_softc_t *, int, void *,
 ioctlcmd_t, int, int, void *);
extern int ipf_ipf_ioctl(ipf_main_softc_t *, caddr_t, ioctlcmd_t,
 int, int, void *);
extern int ipf_ipftune(ipf_main_softc_t *, ioctlcmd_t, void *);
/*
 * Match-expression arrays (ipfexp_t, IPFOBJ_IPFEXPR): load copies the array
 * in from userland, verify presumably checks sizes and the IPF_EXP_END
 * terminator before the array is ever interpreted.
 */
extern int ipf_matcharray_load(ipf_main_softc_t *, caddr_t,
 ipfobj_t *, int **);
extern int ipf_matcharray_verify(int *, int);
extern int ipf_outobj(ipf_main_softc_t *, void *, void *, int);
extern int ipf_outobjk(ipf_main_softc_t *, ipfobj_t *, void *);
extern int ipf_outobjsz(ipf_main_softc_t *, void *, void *,
 int, int);
extern ip_t *ipf_pullup(mb_t *, fr_info_t *, int);
extern int ipf_resolvedest(ipf_main_softc_t *, char *,
 struct frdest *, int);
extern int ipf_resolvefunc(ipf_main_softc_t *, void *);
extern void *ipf_resolvenic(ipf_main_softc_t *, char *, int);
extern int ipf_send_icmp_err(int, fr_info_t *, int);
extern int ipf_send_reset(fr_info_t *);
/* Timeout queue (ipftq_t / ipftqent_t) management. */
extern void ipf_apply_timeout(ipftq_t *, u_int);
extern ipftq_t *ipf_addtimeoutqueue(ipf_main_softc_t *, ipftq_t **,
 u_int);
extern void ipf_deletequeueentry(ipftqent_t *);
extern int ipf_deletetimeoutqueue(ipftq_t *);
extern void ipf_freetimeoutqueue(ipf_main_softc_t *, ipftq_t *);
extern void ipf_movequeue(u_long, ipftqent_t *, ipftq_t *,
 ipftq_t *);
extern void ipf_queueappend(u_long, ipftqent_t *, ipftq_t *, void *);
extern void ipf_queueback(u_long, ipftqent_t *);
extern int ipf_queueflush(ipf_main_softc_t *, ipftq_delete_fn_t,
 ipftq_t *, ipftq_t *, u_int *, int, int);
extern void ipf_queuefront(ipftqent_t *);
extern int ipf_settimeout_tcp(ipftuneable_t *, ipftuneval_t *,
 ipftq_t *);
/* Checksum verification and interface address lookup. */
extern int ipf_checkv4sum(fr_info_t *);
extern int ipf_checkl4sum(fr_info_t *);
extern int ipf_ifpfillv4addr(int, struct sockaddr_in *,
 struct sockaddr_in *, struct in_addr *,
 struct in_addr *);
extern int ipf_coalesce(fr_info_t *);
#ifdef USE_INET6
extern int ipf_checkv6sum(fr_info_t *);
extern int ipf_ifpfillv6addr(int, struct sockaddr_in6 *,
 struct sockaddr_in6 *, i6addr_t *,
 i6addr_t *);
#endif

/* Tuneable registration (ipftuneable_t lists on the softc). */
extern int ipf_tune_add(ipf_main_softc_t *, ipftuneable_t *);
extern int ipf_tune_add_array(ipf_main_softc_t *, ipftuneable_t *);
extern int ipf_tune_del(ipf_main_softc_t *, ipftuneable_t *);
extern int ipf_tune_del_array(ipf_main_softc_t *, ipftuneable_t *);
extern int ipf_tune_array_link(ipf_main_softc_t *, ipftuneable_t *);
extern int ipf_tune_array_unlink(ipf_main_softc_t *,
 ipftuneable_t *);
extern ipftuneable_t *ipf_tune_array_copy(void *, size_t,
 ipftuneable_t *);

extern int ipf_pr_pullup(fr_info_t *, int);

/* Rule and rule-group management. */
extern int ipf_flush(ipf_main_softc_t *, minor_t, int);
extern frgroup_t *ipf_group_add(ipf_main_softc_t *, char *, void *,
 u_32_t, minor_t, int);
extern void ipf_group_del(ipf_main_softc_t *, frgroup_t *,
 frentry_t *);
extern int ipf_derefrule(ipf_main_softc_t *, frentry_t **);
extern frgroup_t *ipf_findgroup(ipf_main_softc_t *, char *, minor_t,
 int, frgroup_t ***);

/* Log device implementation (iplog_t / ipflog_t records). */
extern int ipf_log_init(void);
extern int ipf_log_bytesused(ipf_main_softc_t *, int);
extern int ipf_log_canread(ipf_main_softc_t *, int);
extern int ipf_log_clear(ipf_main_softc_t *, minor_t);
extern u_long ipf_log_failures(ipf_main_softc_t *, int);
extern int ipf_log_read(ipf_main_softc_t *, minor_t, uio_t *);
extern int ipf_log_items(ipf_main_softc_t *, int, fr_info_t *,
 void **, size_t *, int *, int);
extern u_long ipf_log_logok(ipf_main_softc_t *, int);
extern void ipf_log_unload(ipf_main_softc_t *);
extern int ipf_log_pkt(fr_info_t *, u_int);

/* Packet processing helpers. */
extern frentry_t *ipf_acctpkt(fr_info_t *, u_32_t *);
extern u_short fr_cksum(fr_info_t *, ip_t *, int, void *);
extern void ipf_deinitialise(ipf_main_softc_t *);
extern int ipf_deliverlocal(ipf_main_softc_t *, int, void *,
 i6addr_t *);
extern frentry_t *ipf_dstgrpmap(fr_info_t *, u_32_t *);
extern void ipf_fixskip(frentry_t **, frentry_t *, int);
extern void ipf_forgetifp(ipf_main_softc_t *, void *);
extern frentry_t *ipf_getrulen(ipf_main_softc_t *, int, char *,
 u_32_t);
extern int ipf_ifpaddr(ipf_main_softc_t *, int, int, void *,
 i6addr_t *, i6addr_t *);
extern void ipf_inet_mask_add(int, ipf_v4_masktab_t *);
extern void ipf_inet_mask_del(int, ipf_v4_masktab_t *);
#ifdef USE_INET6
extern void ipf_inet6_mask_add(int, i6addr_t *,
 ipf_v6_masktab_t *);
extern void ipf_inet6_mask_del(int, i6addr_t *,
 ipf_v6_masktab_t *);
#endif
extern int ipf_initialise(void);
extern int ipf_lock(caddr_t, int *);
extern int ipf_makefrip(int, ip_t *, fr_info_t *);
extern int ipf_matchtag(ipftag_t *, ipftag_t *);
extern int ipf_matchicmpqueryreply(int, icmpinfo_t *,
 struct icmp *, int);
/* Initial sequence number generation; presumably keyed by ipf_iss_secret. */
extern u_32_t ipf_newisn(fr_info_t *);
extern u_int ipf_pcksum(fr_info_t *, int, u_int);
#ifdef USE_INET6
extern u_int ipf_pcksum6(struct mbuf *, ip6_t *,
 u_int32_t, u_int32_t);
#endif
extern void ipf_rule_expire(ipf_main_softc_t *);
extern int ipf_scanlist(fr_info_t *, u_32_t);
extern frentry_t *ipf_srcgrpmap(fr_info_t *, u_32_t *);
extern int ipf_tcpudpchk(fr_ip_t *, frtuc_t *);
extern int ipf_verifysrc(fr_info_t *fin);
extern int ipf_zerostats(ipf_main_softc_t *, char *);
extern int ipf_getnextrule(ipf_main_softc_t *, ipftoken_t *,
 void *);
extern int ipf_sync(ipf_main_softc_t *, void *);
/* Iteration tokens (ipftoken_t). */
extern int ipf_token_deref(ipf_main_softc_t *, ipftoken_t *);
extern void ipf_token_expire(ipf_main_softc_t *);
extern ipftoken_t *ipf_token_find(ipf_main_softc_t *, int, int,
 void *);
extern int ipf_token_del(ipf_main_softc_t *, int, int,
 void *);
extern void ipf_token_mark_complete(ipftoken_t *);
extern int ipf_genericiter(ipf_main_softc_t *, void *,
 int, void *);
#ifdef IPFILTER_LOOKUP
extern void *ipf_resolvelookup(int, u_int, u_int,
 lookupfunc_t *);
#endif
/* Random source; its quality is not specified by this header. */
extern u_32_t ipf_random(void);

/* Module and softc lifecycle. */
extern int ipf_main_load(void);
extern void *ipf_main_soft_create(void *);
extern void ipf_main_soft_destroy(ipf_main_softc_t *);
extern int ipf_main_soft_init(ipf_main_softc_t *);
extern int ipf_main_soft_fini(ipf_main_softc_t *);
extern int ipf_main_unload(void);
extern int ipf_load_all(void);
extern int ipf_unload_all(void);
extern void ipf_destroy_all(ipf_main_softc_t *);
extern ipf_main_softc_t *ipf_create_all(void *);
extern int ipf_init_all(ipf_main_softc_t *);
extern int ipf_fini_all(ipf_main_softc_t *);
extern void ipf_log_soft_destroy(ipf_main_softc_t *, void *);
extern void *ipf_log_soft_create(ipf_main_softc_t *);
extern int ipf_log_soft_init(ipf_main_softc_t *, void *);
extern int ipf_log_soft_fini(ipf_main_softc_t *, void *);
extern int ipf_log_main_load(void);
extern int ipf_log_main_unload(void);


/* Version string and ICMP type translation tables. */
extern char ipfilter_version[];
#ifdef USE_INET6
extern int icmptoicmp6types[ICMP_MAXTYPE+1];
extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
#ifdef IPFILTER_COMPAT
/* Translation of older ipfobj_t layouts; the same size checks apply there. */
extern int ipf_in_compat(ipf_main_softc_t *, ipfobj_t *, void *,int);
extern int ipf_out_compat(ipf_main_softc_t *, ipfobj_t *, void *);
#endif
extern int icmpreplytype4[ICMP_MAXTYPE + 1];

/* Host tracking (red-black tree keyed by address). */
extern int ipf_ht_node_add(ipf_main_softc_t *, host_track_t *,
 int, i6addr_t *);
extern int ipf_ht_node_del(host_track_t *, int, i6addr_t *);
extern void ipf_rb_ht_flush(host_track_t *);
extern void ipf_rb_ht_freenode(host_node_t *, void *);
extern void ipf_rb_ht_init(host_track_t *);
1864
1865#endif /* __IP_FIL_H__ */