nant's projects / dragonfly.git / blame
| Commit | Line | Data |
|---|---|---|
| 105c533e | 1 | /* |
| 03c7df6d BY |
2 | * Copyright (c) 1993 Daniel Boulet |
| 3 | * Copyright (c) 1994 Ugen J.S.Antsilevich | |
| 4 | * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa | |
| fe628012 BY |
5 | * Copyright (c) 2015 The DragonFly Project. All rights reserved. |
| 6 | * | |
| 7 | * This code is derived from software contributed to The DragonFly Project | |
| 8 | * by Bill Yuan <bycn82@gmail.com> | |
| 105c533e BY |
9 | * |
| 10 | * Redistribution and use in source and binary forms, with or without | |
| 11 | * modification, are permitted provided that the following conditions | |
| 12 | * are met: | |
| fe628012 | 13 | * |
| 105c533e BY |
14 | * 1. Redistributions of source code must retain the above copyright |
| 15 | * notice, this list of conditions and the following disclaimer. | |
| 16 | * 2. Redistributions in binary form must reproduce the above copyright | |
| fe628012 BY |
17 | * notice, this list of conditions and the following disclaimer in |
| 18 | * the documentation and/or other materials provided with the | |
| 19 | * distribution. | |
| 20 | * 3. Neither the name of The DragonFly Project nor the names of its | |
| 21 | * contributors may be used to endorse or promote products derived | |
| 22 | * from this software without specific, prior written permission. | |
| 105c533e | 23 | * |
| fe628012 BY |
24 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 25 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT | |
| 26 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS | |
| 27 | * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE | |
| 28 | * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, | |
| 29 | * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, | |
| 30 | * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; | |
| 31 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED | |
| 32 | * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, | |
| 33 | * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT | |
| 34 | * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
| 105c533e BY |
35 | * SUCH DAMAGE. |
| 36 | * | |
| 105c533e BY |
37 | */ |
| 38 | ||
| 6a03354e MD |
39 | #ifndef _IP_FW3_H_ |
| 40 | #define _IP_FW3_H_ | |
| 105c533e BY |
41 | |
| 42 | #ifdef _KERNEL | |
| e895e94d | 43 | #include <net/bpf.h> |
| 105c533e | 44 | #include <net/netisr2.h> |
| 950193f2 | 45 | |
| 6a03354e MD |
46 | int ip_fw3_sockopt(struct sockopt *); |
| 47 | extern int ip_fw3_loaded; | |
| 950193f2 | 48 | |
| e895e94d BY |
49 | #else |
| 50 | #include <pcap/bpf.h> | |
| 51 | #define PCAP_DONT_INCLUDE_PCAP_BPF_H | |
| 105c533e BY |
52 | #endif |
| 53 | ||
| 6a03354e | 54 | #define IPFW3_LOADED (ip_fw3_loaded) |
| 950193f2 | 55 | |
| 6a03354e MD |
56 | /* |
| 57 | * _IPFW2_H is from ipfw/ip_fw2.h, both cannot be included past this | |
| 58 | * point but we need both the IPFW2_LOADED and IPFW3_LOADED macros | |
| 59 | */ | |
| 950193f2 | 60 | #ifndef _IPFW2_H |
| 6a03354e | 61 | #define _IPFW2_H |
| 950193f2 | 62 | |
| 105c533e BY |
63 | #define RESERVED_SIZE 12 |
| 64 | #define SIZE_OF_IPFWINSN 8 | |
| 65 | #define LEN_OF_IPFWINSN 2 | |
| 66 | #define IPFW_DEFAULT_RULE 65535 /* rulenum for the default rule */ | |
| 67 | #define IPFW_DEFAULT_SET 31 /* set number for the default rule */ | |
| 68 | ||
| 69 | /* | |
| 70 | * Template for instructions. | |
| 71 | * | |
| 72 | * ipfw_insn is used for all instructions which require no operands, | |
| 73 | * a single 16-bit value (arg1), or a couple of 8-bit values. | |
| 74 | * | |
| 75 | * For other instructions which require different/larger arguments | |
| 76 | * we have derived structures, ipfw_insn_*. | |
| 77 | * | |
| 78 | * The size of the instruction (in 32-bit words) is in the low | |
| 79 | * 6 bits of "len". The 2 remaining bits are used to implement | |
| 80 | * NOT and OR on individual instructions. Given a type, you can | |
| 81 | * compute the length to be put in "len" using F_INSN_SIZE(t) | |
| 82 | * | |
| 83 | * F_NOT negates the match result of the instruction. | |
| 84 | * | |
| 85 | * F_OR is used to build or blocks. By default, instructions | |
| 86 | * are evaluated as part of a logical AND. An "or" block | |
| 87 | * { X or Y or Z } contains F_OR set in all but the last | |
| 88 | * instruction of the block. A match will cause the code | |
| 89 | * to skip past the last instruction of the block. | |
| 90 | * | |
| 91 | * NOTA BENE: in a couple of places we assume that | |
| 92 | * sizeof(ipfw_insn) == sizeof(uint32_t) | |
| 93 | * this needs to be fixed. | |
| 94 | * | |
| 95 | */ | |
| 96 | ||
| 97 | #define F_NOT 0x80 | |
| 98 | #define F_OR 0x40 | |
| 99 | #define F_LEN_MASK 0x3f | |
| 100 | #define F_LEN(cmd) ((cmd)->len & F_LEN_MASK) | |
| 101 | ||
| 102 | typedef struct _ipfw_insn { /* template for instructions */ | |
| 103 | uint8_t opcode; | |
| 104 | uint8_t len; /* numer of 32-byte words */ | |
| 105 | uint16_t arg1; | |
| 106 | ||
| 107 | uint8_t module; | |
| 108 | uint8_t arg3; | |
| 109 | uint16_t arg2; | |
| 110 | } ipfw_insn; | |
| 111 | ||
| 112 | /* | |
| 113 | * The F_INSN_SIZE(type) computes the size, in 4-byte words, of | |
| 114 | * a given type. | |
| 115 | */ | |
| 116 | #define F_INSN_SIZE(t) ((sizeof (t))/sizeof(uint32_t)) | |
| 117 | ||
| 118 | #define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ | |
| 119 | ||
| 120 | /* | |
| 121 | * This is used to store an array of 16-bit entries (ports etc.) | |
| 122 | */ | |
| 123 | typedef struct _ipfw_insn_u16 { | |
| 124 | ipfw_insn o; | |
| 125 | uint16_t ports[2]; /* there may be more */ | |
| 126 | } ipfw_insn_u16; | |
| 127 | ||
| 128 | /* | |
| 129 | * This is used to store an array of 32-bit entries | |
| 130 | * (uid, single IPv4 addresses etc.) | |
| 131 | */ | |
| 132 | typedef struct _ipfw_insn_u32 { | |
| 133 | ipfw_insn o; | |
| 134 | uint32_t d[1]; /* one or more */ | |
| 135 | } ipfw_insn_u32; | |
| 136 | ||
| 137 | /* | |
| 138 | * This is used to store IP addr-mask pairs. | |
| 139 | */ | |
| 140 | typedef struct _ipfw_insn_ip { | |
| 141 | ipfw_insn o; | |
| 142 | struct in_addr addr; | |
| 143 | struct in_addr mask; | |
| 144 | } ipfw_insn_ip; | |
| 145 | ||
| 146 | /* | |
| 147 | * This is used to forward to a given address (ip) | |
| 148 | */ | |
| 149 | typedef struct _ipfw_insn_sa { | |
| 150 | ipfw_insn o; | |
| 151 | struct sockaddr_in sa; | |
| 152 | } ipfw_insn_sa; | |
| 153 | ||
| 154 | /* | |
| 155 | * This is used for MAC addr-mask pairs. | |
| 156 | */ | |
| 157 | typedef struct _ipfw_insn_mac { | |
| 158 | ipfw_insn o; | |
| 159 | u_char addr[12]; /* dst[6] + src[6] */ | |
| 160 | u_char mask[12]; /* dst[6] + src[6] */ | |
| 161 | } ipfw_insn_mac; | |
| 162 | ||
| 163 | /* | |
| 164 | * This is used for interface match rules (recv xx, xmit xx) | |
| 165 | */ | |
| 166 | typedef struct _ipfw_insn_if { | |
| 167 | ipfw_insn o; | |
| 168 | union { | |
| 169 | struct in_addr ip; | |
| 170 | int glob; | |
| 171 | } p; | |
| 172 | char name[IFNAMSIZ]; | |
| 173 | } ipfw_insn_if; | |
| 174 | ||
| 175 | /* | |
| 176 | * This is used for pipe and queue actions, which need to store | |
| 177 | * a single pointer (which can have different size on different | |
| 178 | * architectures. | |
| 179 | */ | |
| 180 | typedef struct _ipfw_insn_pipe { | |
| 181 | ipfw_insn o; | |
| 182 | void *pipe_ptr; | |
| 183 | } ipfw_insn_pipe; | |
| 184 | ||
| 185 | /* | |
| 186 | * This is used for limit rules. | |
| 187 | */ | |
| 188 | typedef struct _ipfw_insn_limit { | |
| 189 | ipfw_insn o; | |
| 190 | uint8_t _pad; | |
| 191 | uint8_t limit_mask; /* combination of DYN_* below */ | |
| 192 | #define DYN_SRC_ADDR 0x1 | |
| 193 | #define DYN_SRC_PORT 0x2 | |
| 194 | #define DYN_DST_ADDR 0x4 | |
| 195 | #define DYN_DST_PORT 0x8 | |
| 196 | ||
| 197 | uint16_t conn_limit; | |
| 198 | } ipfw_insn_limit; | |
| 199 | ||
| e895e94d BY |
200 | /* |
| 201 | * This is used for bpf filtering. | |
| 202 | */ | |
| 203 | typedef struct _ipfw_insn_bpf { | |
| 204 | ipfw_insn o; | |
| 205 | char bf_str[128]; | |
| 206 | u_int bf_len; | |
| 207 | struct bpf_insn bf_insn[1]; | |
| 208 | } ipfw_insn_bpf; | |
| 105c533e BY |
209 | |
| 210 | /* | |
| 211 | * Here we have the structure representing an ipfw rule. | |
| 212 | * | |
| 213 | * It starts with a general area (with link fields and counters) | |
| 214 | * followed by an array of one or more instructions, which the code | |
| 215 | * accesses as an array of 32-bit values. | |
| 216 | * | |
| 217 | * Given a rule pointer r: | |
| 218 | * | |
| 219 | * r->cmd is the start of the first instruction. | |
| 220 | * ACTION_PTR(r) is the start of the first action (things to do | |
| 221 | * once a rule matched). | |
| 222 | * | |
| 223 | * When assembling instruction, remember the following: | |
| 224 | * | |
| 225 | * + if a rule has a "keep-state" (or "limit") option, then the | |
| 226 | * first instruction (at r->cmd) MUST BE an O_PROBE_STATE | |
| 227 | * + if a rule has a "log" option, then the first action | |
| 228 | * (at ACTION_PTR(r)) MUST be O_LOG | |
| 229 | * | |
| 230 | * NOTE: we use a simple linked list of rules because we never need | |
| 231 | * to delete a rule without scanning the list. We do not use | |
| 232 | * queue(3) macros for portability and readability. | |
| 233 | */ | |
| 234 | ||
| 235 | struct ip_fw { | |
| 236 | struct ip_fw *next; /* linked list of rules */ | |
| 237 | struct ip_fw *next_rule; /* ptr to next [skipto] rule */ | |
| 238 | uint16_t act_ofs; /* offset of action in 32-bit units */ | |
| 239 | uint16_t cmd_len; /* # of 32-bit words in cmd */ | |
| 240 | uint16_t rulenum; /* rule number */ | |
| 241 | uint8_t set; /* rule set (0..31) */ | |
| 242 | uint8_t flags; /* IPFW_USR_F_ */ | |
| 243 | ||
| 244 | /* These fields are present in all rules. */ | |
| 245 | uint64_t pcnt; /* Packet counter */ | |
| 246 | uint64_t bcnt; /* Byte counter */ | |
| 247 | uint32_t timestamp; /* tv_sec of last match */ | |
| 248 | ||
| 249 | struct ip_fw *sibling; /* pointer to the rule in next CPU */ | |
| 250 | ||
| 251 | ipfw_insn cmd[1]; /* storage for commands */ | |
| 252 | }; | |
| 253 | ||
| 254 | ||
| 255 | #define IPFW_RULE_F_INVALID 0x1 | |
| 256 | #define IPFW_RULE_F_STATE 0x2 | |
| 257 | ||
| 258 | #define RULESIZE(rule) (sizeof(struct ip_fw) + (rule)->cmd_len * 4 - SIZE_OF_IPFWINSN) | |
| 259 | ||
| 260 | /* | |
| 261 | * This structure is used as a flow mask and a flow id for various | |
| 262 | * parts of the code. | |
| 263 | */ | |
| 264 | struct ipfw_flow_id { | |
| 265 | uint32_t dst_ip; | |
| 266 | uint32_t src_ip; | |
| 267 | uint16_t dst_port; | |
| 268 | uint16_t src_port; | |
| 269 | uint8_t proto; | |
| 270 | uint8_t flags; /* protocol-specific flags */ | |
| 271 | }; | |
| 272 | ||
| 273 | struct ip_fw_state { | |
| 274 | struct ip_fw_state *next; | |
| 275 | struct ipfw_flow_id flow_id; | |
| 276 | struct ip_fw *stub; | |
| 277 | ||
| 278 | uint64_t pcnt; /* packet match counter */ | |
| 279 | uint64_t bcnt; /* byte match counter */ | |
| 280 | ||
| 281 | uint16_t lifetime; | |
| 282 | uint32_t timestamp; | |
| 283 | uint32_t expiry; | |
| 284 | }; | |
| 285 | ||
| 286 | ||
| 287 | /* ipfw_chk/ip_fw_chk_ptr return values */ | |
| 288 | #define IP_FW_PASS 0 | |
| 289 | #define IP_FW_DENY 1 | |
| 290 | #define IP_FW_DIVERT 2 | |
| 291 | #define IP_FW_TEE 3 | |
| 292 | #define IP_FW_DUMMYNET 4 | |
| 293 | #define IP_FW_NAT 5 | |
| 294 | #define IP_FW_ROUTE 6 | |
| 295 | ||
| 296 | /* ipfw_chk controller values */ | |
| 297 | #define IP_FW_CTL_NO 0 | |
| 298 | #define IP_FW_CTL_DONE 1 | |
| 299 | #define IP_FW_CTL_AGAIN 2 | |
| 300 | #define IP_FW_CTL_NEXT 3 | |
| 301 | #define IP_FW_CTL_NAT 4 | |
| 302 | #define IP_FW_CTL_LOOP 5 | |
| 303 | #define IP_FW_CTL_CHK_STATE 6 | |
| 304 | ||
| 305 | #define IP_FW_NOT_MATCH 0 | |
| 306 | #define IP_FW_MATCH 1 | |
| 307 | ||
| 308 | /* | |
| 309 | * arguments for calling ipfw_chk() and dummynet_io(). We put them | |
| 310 | * all into a structure because this way it is easier and more | |
| 311 | * efficient to pass variables around and extend the interface. | |
| 312 | */ | |
| 313 | struct ip_fw_args { | |
| 314 | struct mbuf *m; /* the mbuf chain */ | |
| 315 | struct ifnet *oif; /* output interface */ | |
| 316 | struct ip_fw *rule; /* matching rule */ | |
| 317 | struct ether_header *eh; /* for bridged packets */ | |
| 318 | ||
| 319 | struct ipfw_flow_id f_id; /* grabbed from IP header */ | |
| 320 | ||
| 321 | /* | |
| 322 | * Depend on the return value of ipfw_chk/ip_fw_chk_ptr | |
| 323 | * 'cookie' field may save following information: | |
| 324 | * | |
| 325 | * IP_FW_TEE or IP_FW_DIVERT | |
| 326 | * The divert port number | |
| 327 | * | |
| 328 | * IP_FW_DUMMYNET | |
| 329 | * The pipe or queue number | |
| 330 | */ | |
| 331 | uint32_t cookie; | |
| 332 | }; | |
| 333 | ||
| 334 | #ifdef _KERNEL | |
| 335 | /* | |
| 336 | * Function definitions. | |
| 337 | */ | |
| 338 | int ip_fw_sockopt(struct sockopt *); | |
| 339 | int ipfw_ctl_x(struct sockopt *sopt); | |
| 340 | ||
| 341 | /* Firewall hooks */ | |
| 342 | struct sockopt; | |
| 343 | struct dn_flow_set; | |
| 344 | ||
| 345 | typedef int ip_fw_chk_t(struct ip_fw_args *); | |
| 950193f2 | 346 | typedef int ip_fw_ctl_t(struct sockopt *); |
| 105c533e BY |
347 | typedef int ipfw_nat_cfg_t(struct sockopt *); |
| 348 | typedef void ip_fw_dn_io_t(struct mbuf *, int, int, struct ip_fw_args *); | |
| 349 | ||
| 350 | ||
| 351 | extern ip_fw_chk_t *ip_fw_chk_ptr; | |
| 950193f2 | 352 | extern ip_fw_ctl_t *ip_fw_ctl_x_ptr; |
| 105c533e BY |
353 | extern ip_fw_dn_io_t *ip_fw_dn_io_ptr; |
| 354 | ||
| 6a03354e MD |
355 | extern int fw3_one_pass; |
| 356 | extern int fw3_enable; | |
| 105c533e | 357 | |
| 105c533e BY |
358 | |
| 359 | #define IPFW_CFGCPUID 0 | |
| 360 | #define IPFW_CFGPORT netisr_cpuport(IPFW_CFGCPUID) | |
| 361 | #define IPFW_ASSERT_CFGPORT(msgport) \ | |
| 362 | KASSERT((msgport) == IPFW_CFGPORT, ("not IPFW CFGPORT")) | |
| 363 | ||
| 364 | ||
| 365 | struct ipfw_context { | |
| 366 | struct ip_fw *ipfw_rule_chain; /* list of rules*/ | |
| 367 | struct ip_fw *ipfw_default_rule; /* default rule */ | |
| 368 | struct ipfw_state_context *state_ctx; | |
| 369 | uint16_t state_hash_size; | |
| 370 | uint32_t ipfw_set_disable; | |
| 371 | }; | |
| 372 | ||
| 373 | struct ipfw_state_context { | |
| 374 | struct ip_fw_state *state; | |
| 375 | struct ip_fw_state *last; | |
| 376 | int count; | |
| 377 | }; | |
| 378 | ||
| 379 | struct ipfw_nat_context { | |
| 380 | LIST_HEAD(, cfg_nat) nat; /* list of nat entries */ | |
| 381 | }; | |
| 382 | ||
| 383 | typedef void (*filter_func)(int *cmd_ctl,int *cmd_val,struct ip_fw_args **args, | |
| 384 | struct ip_fw **f,ipfw_insn *cmd,uint16_t ip_len); | |
| 385 | void register_ipfw_filter_funcs(int module,int opcode,filter_func func); | |
| 386 | void unregister_ipfw_filter_funcs(int module,filter_func func); | |
| 387 | void register_ipfw_module(int module_id,char *module_name); | |
| 388 | int unregister_ipfw_module(int module_id); | |
| 389 | ||
| 390 | #endif | |
| 391 | ||
| 392 | #define ACTION_PTR(rule) \ | |
| 393 | (ipfw_insn *)((uint32_t *)((rule)->cmd) + ((rule)->act_ofs)) | |
| 394 | ||
| 395 | ||
| 396 | ||
| 397 | struct ipfw_ioc_rule { | |
| 398 | uint16_t act_ofs; /* offset of action in 32-bit units */ | |
| 399 | uint16_t cmd_len; /* # of 32-bit words in cmd */ | |
| 400 | uint16_t rulenum; /* rule number */ | |
| 401 | uint8_t set; /* rule set (0..31) */ | |
| 402 | uint8_t usr_flags; /* IPFW_USR_F_ */ | |
| 403 | ||
| 404 | /* Rule set information */ | |
| 405 | uint32_t set_disable; /* disabled rule sets */ | |
| 406 | uint32_t static_count; /* # of static rules */ | |
| 407 | uint32_t static_len; /* total length of static rules */ | |
| 408 | ||
| 409 | /* Statistics */ | |
| 410 | uint64_t pcnt; /* Packet counter */ | |
| 411 | uint64_t bcnt; /* Byte counter */ | |
| 412 | uint32_t timestamp; /* tv_sec of last match */ | |
| 413 | ||
| 414 | uint8_t reserved[RESERVED_SIZE]; | |
| 415 | ||
| 416 | ipfw_insn cmd[1]; /* storage for commands */ | |
| 417 | }; | |
| 418 | ||
| 419 | #define IPFW_USR_F_NORULE 0x01 | |
| 420 | ||
| 421 | #define IPFW_RULE_SIZE_MAX 255 /* unit: uint32_t */ | |
| 422 | ||
| 423 | #define IOC_RULESIZE(rule) \ | |
| 424 | (sizeof(struct ipfw_ioc_rule) + (rule)->cmd_len * 4 - SIZE_OF_IPFWINSN) | |
| 425 | ||
| 426 | struct ipfw_ioc_flowid { | |
| 427 | uint16_t type; /* ETHERTYPE_ */ | |
| 428 | uint16_t pad; | |
| 429 | union { | |
| 430 | struct { | |
| 431 | uint32_t dst_ip; | |
| 432 | uint32_t src_ip; | |
| 433 | uint16_t dst_port; | |
| 434 | uint16_t src_port; | |
| 435 | uint8_t proto; | |
| 436 | } ip; | |
| 437 | uint8_t pad[64]; | |
| 438 | } u; | |
| 439 | }; | |
| 440 | ||
| 441 | struct ipfw_ioc_state { | |
| 442 | uint64_t pcnt; /* packet match counter */ | |
| 443 | uint64_t bcnt; /* byte match counter */ | |
| 444 | uint16_t lifetime; | |
| 445 | uint32_t timestamp; /* alive time */ | |
| 446 | uint32_t expiry; /* expire time */ | |
| 447 | ||
| 448 | uint16_t rulenum; | |
| fe628012 | 449 | uint16_t cpuid; |
| 105c533e BY |
450 | struct ipfw_flow_id flow_id; /* proto +src/dst ip/port */ |
| 451 | uint8_t reserved[16]; | |
| 452 | }; | |
| 453 | ||
| 454 | /* | |
| 455 | * Definitions for IP option names. | |
| 456 | */ | |
| 457 | #define IP_FW_IPOPT_LSRR 0x01 | |
| 458 | #define IP_FW_IPOPT_SSRR 0x02 | |
| 459 | #define IP_FW_IPOPT_RR 0x04 | |
| 460 | #define IP_FW_IPOPT_TS 0x08 | |
| 461 | ||
| 462 | /* | |
| 463 | * Definitions for TCP option names. | |
| 464 | */ | |
| 465 | #define IP_FW_TCPOPT_MSS 0x01 | |
| 466 | #define IP_FW_TCPOPT_WINDOW 0x02 | |
| 467 | #define IP_FW_TCPOPT_SACK 0x04 | |
| 468 | #define IP_FW_TCPOPT_TS 0x08 | |
| 469 | #define IP_FW_TCPOPT_CC 0x10 | |
| 470 | ||
| 471 | #define ICMP_REJECT_RST 0x100 /* fake ICMP code (send a TCP RST) */ | |
| 472 | ||
| 473 | struct ipfw_module{ | |
| 474 | int type; | |
| 475 | int id; | |
| 476 | char name[20]; | |
| 477 | }; | |
| 478 | ||
| 479 | #define IPFW_KEYWORD_TYPE_NONE 0 | |
| 480 | #define IPFW_KEYWORD_TYPE_ACTION 1 | |
| 481 | #define IPFW_KEYWORD_TYPE_FILTER 2 | |
| 482 | #define IPFW_KEYWORD_TYPE_OTHERS 3 | |
| 483 | ||
| 484 | #define IPFW_MAPPING_TYPE_NONE 0 | |
| 485 | #define IPFW_MAPPING_TYPE_IN_USE 1 | |
| 486 | ||
| 487 | #define NEED1(msg) {if (ac < 1) errx(EX_USAGE, msg);} | |
| 488 | #define NEED2(msg) {if (ac < 2) errx(EX_USAGE, msg);} | |
| 489 | #define NEED(c, n, msg) {if (c < n) errx(EX_USAGE, msg);} | |
| 490 | ||
| 491 | #define NEXT_ARG ac--; if(ac > 0){av++;} | |
| 492 | #define NEXT_ARG1 (*ac)--; if(*ac > 0){(*av)++;} | |
| 493 | ||
| 105c533e BY |
494 | #define MATCH_REVERSE 0 |
| 495 | #define MATCH_FORWARD 1 | |
| 496 | #define MATCH_NONE 2 | |
| 497 | #define MATCH_UNKNOWN 3 | |
| 498 | ||
| 499 | #define BOTH_SYN (TH_SYN | (TH_SYN << 8)) | |
| 500 | #define BOTH_FIN (TH_FIN | (TH_FIN << 8)) | |
| 501 | ||
| 502 | #define TIME_LEQ(a, b) ((int)((a) - (b)) <= 0) | |
| 503 | #define L3HDR(T, ip) ((T *)((uint32_t *)(ip) + (ip)->ip_hl)) | |
| 504 | ||
| 505 | /* IP_FW_X header/opcodes */ | |
| 506 | typedef struct _ip_fw_x_header { | |
| 507 | uint16_t opcode; /* Operation opcode */ | |
| 508 | uint16_t _pad; /* Opcode version */ | |
| 509 | } ip_fw_x_header; | |
| 510 | ||
| 511 | typedef void ipfw_basic_delete_state_t(struct ip_fw *); | |
| 512 | typedef void ipfw_basic_append_state_t(struct ipfw_ioc_state *); | |
| 513 | ||
| 6a03354e | 514 | /* IP_FW3 opcodes */ |
| 105c533e BY |
515 | |
| 516 | #define IP_FW_ADD 50 /* add a firewall rule to chain */ | |
| 517 | #define IP_FW_DEL 51 /* delete a firewall rule from chain */ | |
| 518 | #define IP_FW_FLUSH 52 /* flush firewall rule chain */ | |
| 519 | #define IP_FW_ZERO 53 /* clear single/all firewall counter(s) */ | |
| 520 | #define IP_FW_GET 54 /* get entire firewall rule chain */ | |
| 521 | #define IP_FW_RESETLOG 55 /* reset logging counters */ | |
| 522 | ||
| 523 | #define IP_DUMMYNET_CONFIGURE 60 /* add/configure a dummynet pipe */ | |
| 524 | #define IP_DUMMYNET_DEL 61 /* delete a dummynet pipe from chain */ | |
| 525 | #define IP_DUMMYNET_FLUSH 62 /* flush dummynet */ | |
| 526 | #define IP_DUMMYNET_GET 64 /* get entire dummynet pipes */ | |
| 527 | ||
| 528 | #define IP_FW_MODULE 67 /* get modules names */ | |
| 529 | ||
| 530 | #define IP_FW_NAT_CFG 68 /* add/config a nat rule */ | |
| 531 | #define IP_FW_NAT_DEL 69 /* delete a nat rule */ | |
| 532 | #define IP_FW_NAT_FLUSH 70 /* get configuration of a nat rule */ | |
| 0fe3a974 BY |
533 | #define IP_FW_NAT_GET 71 /* get config of a nat rule */ |
| 534 | #define IP_FW_NAT_LOG 72 /* get nat record of a nat rule */ | |
| 105c533e BY |
535 | |
| 536 | #define IP_FW_STATE_ADD 56 /* add one state */ | |
| 537 | #define IP_FW_STATE_DEL 57 /* delete states of one rulenum */ | |
| 538 | #define IP_FW_STATE_FLUSH 58 /* flush all states */ | |
| 950193f2 BY |
539 | #endif |
| 540 | ||
| 6a03354e | 541 | #endif /* _IPFW3_H_ */ |