ipfw2.diff

dragonfly, 06/28/2006 02:31 PM

Download (22.2 KB)

View differences:

lib/libalias/Makefile 28 Jun 2006 02:30:49 -0000
4 4
LIB=		alias
5 5
SHLIB_MAJOR=	5
6 6
CFLAGS+=	-Wall -Wmissing-prototypes
7
.if defined(IPFW2)
8 7
CFLAGS+=	-DIPFW2
9
.endif
10 8
SRCS=		alias.c alias_cuseeme.c alias_db.c alias_ftp.c alias_irc.c \
11 9
		alias_nbt.c alias_pptp.c alias_proxy.c alias_smedia.c \
12 10
		alias_util.c
lib/libalias/alias_db.c 28 Jun 2006 02:08:47 -0000
2643 2643
#include <string.h>
2644 2644
#include <err.h>
2645 2645

  
2646
#if IPFW2		/* support for new firewall code */
2647 2646
/*
2648 2647
 * helper function, updates the pointer to cmd with the length
2649 2648
 * of the current command, and also cleans up the first word of
......
2713 2712

  
2714 2713
    return ((void *)cmd - buf);
2715 2714
}
2716
#endif /* IPFW2 */
2717 2715

  
2718 2716
static void ClearAllFWHoles(void);
2719 2717

  
......
2804 2802
     *	add fwhole accept tcp from OAddr OPort to DAddr DPort
2805 2803
     *	add fwhole accept tcp from DAddr DPort to OAddr OPort
2806 2804
     */
2807
#if IPFW2
2808 2805
    if (GetOriginalPort(link) != 0 && GetDestPort(link) != 0) {
2809 2806
	u_int32_t rulebuf[255];
2810 2807
	int i;
......
2825 2822
	if (r)
2826 2823
		err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
2827 2824
    }
2828
#else	/* !IPFW2, old code to generate ipfw rule */
2829

  
2830
    /* Build generic part of the two rules */
2831
    rule.fw_number = fwhole;
2832
    IP_FW_SETNSRCP(&rule, 1);	/* Number of source ports. */
2833
    IP_FW_SETNDSTP(&rule, 1);	/* Number of destination ports. */
2834
    rule.fw_flg = IP_FW_F_ACCEPT | IP_FW_F_IN | IP_FW_F_OUT;
2835
    rule.fw_prot = IPPROTO_TCP;
2836
    rule.fw_smsk.s_addr = INADDR_BROADCAST;
2837
    rule.fw_dmsk.s_addr = INADDR_BROADCAST;
2838

  
2839
    /* Build and apply specific part of the rules */
2840
    rule.fw_src = GetOriginalAddress(link);
2841
    rule.fw_dst = GetDestAddress(link);
2842
    rule.fw_uar.fw_pts[0] = ntohs(GetOriginalPort(link));
2843
    rule.fw_uar.fw_pts[1] = ntohs(GetDestPort(link));
2844

  
2845
    /* Skip non-bound links - XXX should not be strictly necessary,
2846
       but seems to leave hole if not done.  Leak of non-bound links?
2847
       (Code should be left even if the problem is fixed - it is a
2848
       clear optimization) */
2849
    if (rule.fw_uar.fw_pts[0] != 0 && rule.fw_uar.fw_pts[1] != 0) {
2850
        r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
2851
#ifdef DEBUG
2852
        if (r)
2853
            err(1, "alias punch inbound(1) setsockopt(IP_FW_ADD)");
2854
#endif
2855
        rule.fw_src = GetDestAddress(link);
2856
        rule.fw_dst = GetOriginalAddress(link);
2857
        rule.fw_uar.fw_pts[0] = ntohs(GetDestPort(link));
2858
        rule.fw_uar.fw_pts[1] = ntohs(GetOriginalPort(link));
2859
        r = setsockopt(fireWallFD, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
2860
#ifdef DEBUG
2861
        if (r)
2862
            err(1, "alias punch inbound(2) setsockopt(IP_FW_ADD)");
2863
#endif
2864
    }
2865
#endif /* !IPFW2 */
2866 2825
/* Indicate hole applied */
2867 2826
    link->data.tcp->fwhole = fwhole;
2868 2827
    fw_setfield(fireWallField, fwhole);
......
2880 2839
	    return;
2881 2840

  
2882 2841
        memset(&rule, 0, sizeof rule); /* useless for ipfw2 */
2883
#if IPFW2
2884 2842
	while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
2885 2843
		    &fwhole, sizeof fwhole))
2886 2844
	    ;
2887
#else /* !IPFW2 */
2888
        rule.fw_number = fwhole;
2889
        while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL,
2890
		    &rule, sizeof rule))
2891
            ;
2892
#endif /* !IPFW2 */
2893 2845
        fw_clrfield(fireWallField, fwhole);
2894 2846
        link->data.tcp->fwhole = -1;
2895 2847
    }
......
2906 2858

  
2907 2859
    memset(&rule, 0, sizeof rule);
2908 2860
    for (i = fireWallBaseNum; i < fireWallBaseNum + fireWallNumNums; i++) {
2909
#if IPFW2
2910 2861
	int r = i;
2911 2862
	while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &r, sizeof r))
2912 2863
	    ;
2913
#else /* !IPFW2 */
2914
        rule.fw_number = i;
2915
        while (!setsockopt(fireWallFD, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule))
2916
            ;
2917
#endif /* !IPFW2 */
2918 2864
    }
2919 2865
    memset(fireWallField, 0, fireWallNumNums);
2920 2866
}
sbin/ipfw/Makefile 28 Jun 2006 02:29:42 -0000
4 4
PROG=	ipfw
5 5
MAN=	ipfw.8
6 6
CFLAGS+=-Wall
7
.if defined(IPFW2)
8 7
SRCS=	ipfw2.c
9 8
CFLAGS+= -DIPFW2
10
.endif
11 9

  
12 10
.include <bsd.prog.mk>
sbin/ipfw/ipfw.8 28 Jun 2006 02:27:09 -0000
89 89
.Sx IPFW2 ENHANCEMENTS ,
90 90
which you are encouraged to read to revise older rulesets and possibly
91 91
write them more efficiently.
92
See Section
93
.Sx USING IPFW2 IN FreeBSD-STABLE
94
for instructions on how to run
95
.Nm ipfw2
96
on
97
.Fx
98
STABLE.
99 92
.Ed
100 93
.Pp
101 94
An
......
1625 1618
.Nm .
1626 1619
Default is no.
1627 1620
.El
1628
.Sh USING IPFW2 IN FreeBSD-STABLE
1629
.Nm ipfw2
1630
is standard in
1631
.Fx
1632
CURRENT, whereas
1633
.Fx
1634
STABLE still uses
1635
.Nm ipfw1
1636
unless the kernel is compiled with
1637
.Cm options IPFW2 ,
1638
and
1639
.Nm /sbin/ipfw
1640
and
1641
.Nm /usr/lib/libalias
1642
are recompiled with
1643
.Cm -DIPFW2
1644
and reinstalled (the same effect can be achieved by adding
1645
.Cm IPFW2=TRUE
1646
to
1647
.Nm /etc/make.conf
1648
before a buildworld).
1649 1621
.Sh IPFW2 ENHANCEMENTS
1650 1622
This Section lists the features that have been introduced in
1651 1623
.Nm ipfw2
sys/conf/options 28 Jun 2006 02:13:56 -0000
283 283
IPFILTER_LOG		opt_ipfilter.h
284 284
IPFILTER_DEFAULT_BLOCK	opt_ipfilter.h
285 285
IPFIREWALL		opt_ipfw.h
286
IPFW2			opt_ipfw.h
287 286
IPFIREWALL_VERBOSE	opt_ipfw.h
288 287
IPFIREWALL_VERBOSE_LIMIT	opt_ipfw.h
289 288
IPFIREWALL_DEFAULT_TO_ACCEPT	opt_ipfw.h
sys/i386/conf/LINT 28 Jun 2006 02:14:24 -0000
2650 2650
options 	FE_8BIT_SUPPORT
2651 2651
options 	I4B_SMP_WORKAROUND
2652 2652
options 	I586_PMC_GUPROF=0x70000
2653
options 	IPFW2
2654 2653
options 	KBDIO_DEBUG=2
2655 2654
options 	KBD_MAXRETRY=4
2656 2655
options 	KBD_MAXWAIT=6
sys/net/dummynet/Makefile 28 Jun 2006 14:05:12 -0000
5 5
KMOD=   dummynet
6 6
SRCS=   ip_dummynet.c
7 7
NOMAN=
8
.if defined(IPFW2)
9 8
CFLAGS+= -DIPFW2
10
.endif
11 9
KMODDEPS= ipfw
12 10

  
13 11
.include <bsd.kmod.mk>
sys/net/dummynet/ip_dummynet.c 28 Jun 2006 02:16:01 -0000
1000 1000
struct dn_flow_set *
1001 1001
locate_flowset(int pipe_nr, struct ip_fw *rule)
1002 1002
{
1003
#if IPFW2
1004 1003
    struct dn_flow_set *fs;
1005 1004
    ipfw_insn *cmd = rule->cmd + rule->act_ofs;
1006 1005

  
......
1012 1011
	return fs;
1013 1012

  
1014 1013
    if (cmd->opcode == O_QUEUE)
1015
#else /* !IPFW2 */
1016
    struct dn_flow_set *fs = NULL ;
1017

  
1018
    if ( (rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_QUEUE )
1019
#endif /* !IPFW2 */
1020 1014
	for (fs=all_flow_sets; fs && fs->fs_nr != pipe_nr; fs=fs->next)
1021 1015
	    ;
1022 1016
    else {
......
1027 1021
	    fs = &(p1->fs) ;
1028 1022
    }
1029 1023
    /* record for the future */
1030
#if IPFW2
1031 1024
    ((ipfw_insn_pipe *)cmd)->pipe_ptr = fs;
1032
#else
1033
    if (fs != NULL)
1034
	rule->pipe_ptr = fs;
1035
#endif
1036 1025
    return fs ;
1037 1026
}
1038 1027

  
......
1062 1051
    int is_pipe;
1063 1052

  
1064 1053
    crit_enter();
1065
#if IPFW2
1066 1054
    ipfw_insn *cmd = fwa->rule->cmd + fwa->rule->act_ofs;
1067 1055

  
1068 1056
    if (cmd->opcode == O_LOG)
1069 1057
	cmd += F_LEN(cmd);
1070 1058
    is_pipe = (cmd->opcode == O_PIPE);
1071
#else
1072
    is_pipe = (fwa->rule->fw_flg & IP_FW_F_COMMAND) == IP_FW_F_PIPE;
1073
#endif
1074 1059

  
1075 1060
    pipe_nr &= 0xffff ;
1076 1061

  
sys/net/ipfw/Makefile 28 Jun 2006 02:33:39 -0000
5 5
KMOD=	ipfw
6 6
NOMAN=
7 7
CFLAGS+= -DIPFIREWALL
8
.if defined(IPFW2)
9 8
SRCS=	ip_fw2.c
10 9
CFLAGS+= -DIPFW2
11
.else
12
SRCS=	ip_fw.c
13
.endif
14 10
#
15 11
#If you want it verbose
16 12
#CFLAGS+= -DIPFIREWALL_VERBOSE
sys/net/ipfw/ip_fw.h 28 Jun 2006 02:17:51 -0000
18 18
#ifndef _IP_FW_H
19 19
#define _IP_FW_H
20 20

  
21
#if IPFW2
22 21
#include "ip_fw2.h"
23
#else /* !IPFW2, good old ipfw */
24 22

  
25
#include <sys/queue.h>
26

  
27
/*
28
 * This union structure identifies an interface, either explicitly
29
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
30
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
31
 * interface unit number of -1 matches any unit number, while an
32
 * IP address of 0.0.0.0 indicates matches any interface.
33
 *
34
 * The receive and transmit interfaces are only compared against the
35
 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
36
 * is set. Note some packets lack a receive or transmit interface
37
 * (in which case the missing "interface" never matches).
38
 */
39

  
40
union ip_fw_if {
41
	struct in_addr	fu_via_ip;	/* Specified by IP address */
42
	struct {			/* Specified by interface name */
43
#define FW_IFNLEN	IFNAMSIZ
44
		char	name[FW_IFNLEN];
45
		short	glob;
46
	} fu_via_if;
47
};
48

  
49
/*
50
 * Format of an IP firewall descriptor
51
 *
52
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
53
 * fw_flg and fw_n*p are stored in host byte order (of course).
54
 * Port numbers are stored in HOST byte order.
55
 */
56

  
57
struct ip_fw {
58
	LIST_ENTRY(ip_fw) next;		/* bidirectional list of rules */
59
	u_int32_t	fw_flg;		/* Operational Flags word */
60
	u_int64_t	fw_pcnt;	/* Packet counters */
61
	u_int64_t	fw_bcnt;	/* Byte counters */
62
	struct in_addr	fw_src;		/* Source IP address */
63
	struct in_addr	fw_dst;		/* Destination IP address */
64
	struct in_addr	fw_smsk;	/* Mask for source IP address */
65
	struct in_addr	fw_dmsk;	/* Mask for destination address */
66
	u_short		fw_number;	/* Rule number */
67
	u_char		fw_prot;	/* IP protocol */
68
#if 1
69
	u_char		fw_nports;	/* # of src/dst port in array */
70
#define	IP_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
71
#define	IP_FW_SETNSRCP(rule, n)		do {				\
72
					    (rule)->fw_nports &= ~0x0f;	\
73
					    (rule)->fw_nports |= (n);	\
74
					} while (0)
75
#define	IP_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
76
#define	IP_FW_SETNDSTP(rule, n)		do {				  \
77
					    (rule)->fw_nports &= ~0xf0;	  \
78
					    (rule)->fw_nports |= (n) << 4;\
79
					} while (0)
80
#define	IP_FW_HAVEPORTS(rule)		((rule)->fw_nports != 0)
81
#else
82
	u_char		__pad[1];
83
	u_int		_nsrcp;
84
	u_int		_ndstp;
85
#define	IP_FW_GETNSRCP(rule)		(rule)->_nsrcp
86
#define	IP_FW_SETNSRCP(rule,n)		(rule)->_nsrcp = n
87
#define	IP_FW_GETNDSTP(rule)		(rule)->_ndstp
88
#define	IP_FW_SETNDSTP(rule,n)		(rule)->_ndstp = n
89
#define	IP_FW_HAVEPORTS(rule)		((rule)->_ndstp + (rule)->_nsrcp != 0)
90
#endif
91
#define	IP_FW_MAX_PORTS	10		/* A reasonable maximum */
92
    union {
93
	u_short		fw_pts[IP_FW_MAX_PORTS]; /* port numbers to match */
94
#define	IP_FW_ICMPTYPES_MAX	128
95
#define	IP_FW_ICMPTYPES_DIM	(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
96
	unsigned	fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /*ICMP types bitmap*/
97
    } fw_uar;
98

  
99
	u_int		fw_ipflg;	/* IP flags word */
100
	u_short		fw_iplen;	/* IP length XXX */
101
	u_short		fw_ipid;	/* Identification XXX */
102

  
103
	u_char		fw_ipopt;	/* IP options set */
104
	u_char		fw_ipnopt;	/* IP options unset */
105
	u_char		fw_iptos;	/* IP type of service set XXX */
106
	u_char		fw_ipntos;	/* IP type of service unset XXX */
107

  
108
	u_char		fw_ipttl;	/* IP time to live XXX */
109
	u_char		fw_ipver:4;	/* IP version XXX */
110
	u_char		fw_tcpopt;	/* TCP options set */
111
	u_char		fw_tcpnopt;	/* TCP options unset */
112

  
113
	u_char		fw_tcpf;	/* TCP flags set/unset */
114
	u_char		fw_tcpnf;	/* TCP flags set/unset */
115
	u_short		fw_tcpwin;	/* TCP window size XXX */
116

  
117
	u_int32_t	fw_tcpseq;	/* TCP sequence XXX */
118
	u_int32_t	fw_tcpack;	/* TCP acknowledgement XXX */
119

  
120
	long		timestamp;	/* timestamp (tv_sec) of last match */
121
	union ip_fw_if	fw_in_if;	/* Incoming interfaces */
122
	union ip_fw_if	fw_out_if;	/* Outgoing interfaces */
123
    union {
124
	u_short		fu_divert_port;	/* Divert/tee port (options IPDIVERT) */
125
	u_short		fu_pipe_nr;	/* queue number (option DUMMYNET) */
126
	u_short		fu_skipto_rule;	/* SKIPTO command rule number */
127
	u_short		fu_reject_code;	/* REJECT response code */
128
	struct sockaddr_in fu_fwd_ip;
129
    } fw_un;
130

  
131
	/*
132
	 * N'of src ports and # of dst ports in ports array (dst ports
133
	 * follow src ports; max of 10 ports in all; count of 0 means
134
	 * match all ports)
135
	 */
136
	void		*pipe_ptr;	/* flow_set ptr for dummynet pipe */
137
	void		*next_rule_ptr;	/* next rule in case of match */
138
	uid_t		fw_uid;		/* uid to match */
139
	gid_t		fw_gid;		/* gid to match */
140
	int		fw_logamount;	/* amount to log */
141
	u_int64_t	fw_loghighest;	/* highest number packet to log */
142

  
143
	long		dont_match_prob; /* 0x7fffffff means 1.0-always fail */
144
	u_char		dyn_type;	/* type for dynamic rule */
145

  
146
#define	DYN_KEEP_STATE	0	/* type for keep-state rules    */
147
#define	DYN_LIMIT	1	/* type for limit connection rules */
148
#define	DYN_LIMIT_PARENT 2	/* parent entry for limit connection rules */
149

  
150
	/*
151
	 * following two fields are used to limit number of connections
152
	 * basing on either src, srcport, dst, dstport.
153
	 */
154
	u_char		limit_mask;	/* mask type for limit rule, can
155
					 * have many.
156
					 */
157
#define	DYN_SRC_ADDR	0x1
158
#define	DYN_SRC_PORT	0x2
159
#define	DYN_DST_ADDR	0x4
160
#define	DYN_DST_PORT	0x8
161

  
162
	u_short		conn_limit;	/* # of connections for limit rule */
163
};
164

  
165
#define	fw_divert_port	fw_un.fu_divert_port
166
#define	fw_skipto_rule	fw_un.fu_skipto_rule
167
#define	fw_reject_code	fw_un.fu_reject_code
168
#define	fw_pipe_nr	fw_un.fu_pipe_nr
169
#define	fw_fwd_ip	fw_un.fu_fwd_ip
170

  
171
/*
172
 *
173
 *   rule_ptr  -------------+
174
 *                          V
175
 *     [ next.le_next ]---->[ next.le_next ]---- [ next.le_next ]--->
176
 *     [ next.le_prev ]<----[ next.le_prev ]<----[ next.le_prev ]<---
177
 *     [ <ip_fw> body ]     [ <ip_fw> body ]     [ <ip_fw> body ]
178
 *
179
 */
180
 
181
/*
182
 * Flow mask/flow id for each queue.
183
 */
184
struct ipfw_flow_id {
185
	u_int32_t	dst_ip;
186
	u_int32_t	src_ip;
187
	u_int16_t	dst_port;
188
	u_int16_t	src_port;
189
	u_int8_t	proto;
190
	u_int8_t	flags;	/* protocol-specific flags */
191
};
192

  
193
/*
194
 * dynamic ipfw rule
195
 */
196
struct ipfw_dyn_rule {
197
	struct ipfw_dyn_rule *next;
198
	struct ipfw_flow_id id;		/* (masked) flow id */
199
	struct ip_fw	*rule;		/* pointer to rule */
200
	struct ipfw_dyn_rule *parent;	/* pointer to parent rule */
201
	u_int32_t	expire;		/* expire time */
202
	u_int64_t	pcnt;		/* packet match counters */
203
	u_int64_t	bcnt;		/* byte match counters */
204
	u_int32_t	bucket;		/* which bucket in hash table */
205
	u_int32_t	state;		/* state of this rule (typically a
206
					 * combination of TCP flags)
207
					 */
208
	u_int16_t	dyn_type;	/* rule type */
209
	u_int16_t	count;		/* refcount */
210
};
211

  
212
/*
213
 * Values for "flags" field .
214
 */
215
#define	IP_FW_F_COMMAND	0x000000ff	/* Mask for type of chain entry: */
216
#define	IP_FW_F_DENY	0x00000000	/* This is a deny rule */
217
#define	IP_FW_F_REJECT	0x00000001	/* Deny and send a response packet */
218
#define	IP_FW_F_ACCEPT	0x00000002	/* This is an accept rule */
219
#define	IP_FW_F_COUNT	0x00000003	/* This is a count rule */
220
#define	IP_FW_F_DIVERT	0x00000004	/* This is a divert rule */
221
#define	IP_FW_F_TEE	0x00000005	/* This is a tee rule */
222
#define	IP_FW_F_SKIPTO	0x00000006	/* This is a skipto rule */
223
#define	IP_FW_F_FWD	0x00000007	/* This is a "change forwarding
224
					 * address" rule
225
					 */
226
#define	IP_FW_F_PIPE	0x00000008	/* This is a dummynet rule */
227
#define	IP_FW_F_QUEUE	0x00000009	/* This is a dummynet queue */
228

  
229
#define	IP_FW_F_IN	0x00000100	/* Check inbound packets */
230
#define	IP_FW_F_OUT	0x00000200	/* Check outbound packets */
231
#define	IP_FW_F_IIFACE	0x00000400	/* Apply inbound interface test */
232
#define	IP_FW_F_OIFACE	0x00000800	/* Apply outbound interface test */
233
#define	IP_FW_F_PRN	0x00001000	/* Print if this rule matches */
234
#define	IP_FW_F_SRNG	0x00002000	/* The first two src ports are a min
235
					 * and max range (stored in host byte
236
					 * order).
237
					 */
238
#define	IP_FW_F_DRNG	0x00004000	/* The first two dst ports are a min
239
					 * and max range (stored in host byte
240
					 * order).
241
					 */
242
#define	IP_FW_F_FRAG	0x00008000	/* Fragment */
243
#define	IP_FW_F_IIFNAME	0x00010000	/* In interface by name/unit (not IP) */
244
#define	IP_FW_F_OIFNAME	0x00020000	/* Out interface by name/unit (not IP)*/
245
#define	IP_FW_F_INVSRC	0x00040000	/* Invert sense of src check */
246
#define	IP_FW_F_INVDST	0x00080000	/* Invert sense of dst check */
247
#define	IP_FW_F_ICMPBIT	0x00100000	/* ICMP type bitmap is valid */
248
#define	IP_FW_F_UID	0x00200000	/* filter by uid */
249
#define	IP_FW_F_GID	0x00400000	/* filter by gid */
250
#define	IP_FW_F_RND_MATCH 0x00800000	/* probabilistic rule match */
251
#define	IP_FW_F_SMSK	0x01000000	/* src-port + mask */
252
#define	IP_FW_F_DMSK	0x02000000	/* dst-port + mask */
253
#define	IP_FW_UNUSED0	0x04000000
254
#define	IP_FW_F_KEEP_S	0x08000000	/* keep state */
255
#define	IP_FW_F_CHECK_S	0x10000000	/* check state */
256
#define	IP_FW_F_SME	0x20000000	/* source = me */
257
#define	IP_FW_F_DME	0x40000000	/* destination = me */
258

  
259
#define	IP_FW_F_MASK	0x7FFFFFFF	/* All possible flag bits mask */
260

  
261
/*
262
 * Flags for the 'fw_ipflg' field, for comparing values
263
 * of ip and its protocols. Not all are currently used,
264
 * IP_FW_IF_*MSK list the one actually used.
265
 */
266
#define	IP_FW_IF_TCPOPT	0x00000001      /* tcp options */
267
#define	IP_FW_IF_TCPFLG	0x00000002      /* tcp flags */
268
#define	IP_FW_IF_TCPSEQ	0x00000004      /* tcp sequence number */
269
#define	IP_FW_IF_TCPACK	0x00000008      /* tcp acknowledgement number */
270
#define	IP_FW_IF_TCPWIN	0x00000010      /* tcp window size */
271
#define	IP_FW_IF_TCPEST	0x00000020      /* established TCP connection */
272
#define	IP_FW_IF_TCPMSK	0x00000020      /* mask of all tcp values */
273

  
274
#define	IP_FW_IF_IPOPT	0x00000100      /* ip options */
275
#define	IP_FW_IF_IPLEN	0x00000200      /* ip length */
276
#define	IP_FW_IF_IPID	0x00000400      /* ip identification */
277
#define	IP_FW_IF_IPTOS	0x00000800      /* ip type of service */
278
#define	IP_FW_IF_IPTTL	0x00001000      /* ip time to live */
279
#define	IP_FW_IF_IPVER	0x00002000      /* ip version */
280
#define	IP_FW_IF_IPMSK	0x00000000      /* mask of all ip values */
281

  
282
#define	IP_FW_IF_MSK    0x00000020      /* All possible bits mask */
283
 
284
/*
285
 * For backwards compatibility with rules specifying "via iface" but
286
 * not restricted to only "in" or "out" packets, we define this combination
287
 * of bits to represent this configuration.
288
 */
289

  
290
#define	IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
291

  
292
/*
293
 * Definitions for REJECT response codes.
294
 * Values less than 256 correspond to ICMP unreachable codes.
295
 */
296
#define	IP_FW_REJECT_RST	0x0100	/* TCP packets: send RST */
297

  
298
/*
299
 * Definitions for IP option names.
300
 */
301
#define	IP_FW_IPOPT_LSRR	0x01
302
#define	IP_FW_IPOPT_SSRR	0x02
303
#define	IP_FW_IPOPT_RR		0x04
304
#define	IP_FW_IPOPT_TS		0x08
305

  
306
/*
307
 * Definitions for TCP option names.
308
 */
309
#define	IP_FW_TCPOPT_MSS	0x01
310
#define	IP_FW_TCPOPT_WINDOW	0x02
311
#define	IP_FW_TCPOPT_SACK	0x04
312
#define	IP_FW_TCPOPT_TS		0x08
313
#define	IP_FW_TCPOPT_CC		0x10
314

  
315
/*
316
 * Definitions for TCP flags.
317
 */
318
#define	IP_FW_TCPF_FIN		TH_FIN
319
#define	IP_FW_TCPF_SYN		TH_SYN
320
#define	IP_FW_TCPF_RST		TH_RST
321
#define	IP_FW_TCPF_PSH		TH_PUSH
322
#define	IP_FW_TCPF_ACK		TH_ACK
323
#define	IP_FW_TCPF_URG		TH_URG
324

  
325
/*
326
 * Main firewall chains definitions and global var's definitions.
327
 */
328
#ifdef _KERNEL
329

  
330
#define	IP_FW_PORT_DYNT_FLAG	0x10000
331
#define	IP_FW_PORT_TEE_FLAG	0x20000
332
#define	IP_FW_PORT_DENY_FLAG	0x40000
333

  
334
/*
335
 * arguments for calling ipfw_chk() and dummynet_io(). We put them
336
 * all into a structure because this way it is easier and more
337
 * efficient to pass variables around and extend the interface.
338
 */
339
struct ip_fw_args {
340
	struct mbuf	*m;		/* the mbuf chain		*/
341
	struct ifnet	*oif;		/* output interface		*/
342
	struct sockaddr_in *next_hop;	/* forward address		*/
343
	struct ip_fw	*rule;		/* matching rule		*/
344
	struct ether_header *eh;	/* for bridged packets		*/
345

  
346
	struct route	*ro;		/* for dummynet			*/
347
	struct sockaddr_in *dst;	/* for dummynet			*/
348
	int flags;			/* for dummynet			*/
349

  
350
	struct ipfw_flow_id f_id;	/* grabbed from IP header	*/
351
	u_int32_t	retval;
352
};
353

  
354
/*
355
 * Function definitions.
356
 */
357
void ip_fw_init (void);
358

  
359
/* Firewall hooks */
360
struct sockopt;
361
struct dn_flow_set;
362
void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
363

  
364
typedef int ip_fw_chk_t (struct ip_fw_args *args);
365
typedef int ip_fw_ctl_t (struct sockopt *);
366
extern ip_fw_chk_t *ip_fw_chk_ptr;
367
extern ip_fw_ctl_t *ip_fw_ctl_ptr;
368
extern int fw_one_pass;
369
extern int fw_enable;
370
extern struct ipfw_flow_id last_pkt;
371
#define IPFW_LOADED	(ip_fw_chk_ptr != NULL)
372
#endif /* _KERNEL */
373

  
374
#endif /* !IPFW2 */
375 23
#endif /* _IP_FW_H */
sys/net/ipfw/ip_fw2.c 28 Jun 2006 02:20:23 -0000
43 43
#endif /* INET */
44 44
#endif
45 45

  
46
#if IPFW2
47 46
#include <sys/param.h>
48 47
#include <sys/systm.h>
49 48
#include <sys/malloc.h>
......
2767 2766
};
2768 2767
DECLARE_MODULE(ipfw, ipfwmod, SI_SUB_PSEUDO, SI_ORDER_ANY);
2769 2768
MODULE_VERSION(ipfw, 1);
2770
#endif /* IPFW2 */
2769