diff options
| author | luigi <luigi@FreeBSD.org> | 2000-02-10 14:17:40 +0000 |
|---|---|---|
| committer | luigi <luigi@FreeBSD.org> | 2000-02-10 14:17:40 +0000 |
| commit | 0a7657b3329286c1adb3f581bd671054fb7b0636 (patch) | |
| tree | d6950c94c1ae4f771f218f381f1e033d31bd5973 /sys/netinet/ip_fw.h | |
| parent | 8ee757716a386e49c12c6c2880528590059b4261 (diff) | |
| download | FreeBSD-src-0a7657b3329286c1adb3f581bd671054fb7b0636.zip FreeBSD-src-0a7657b3329286c1adb3f581bd671054fb7b0636.tar.gz | |
Support for stateful (dynamic) ipfw rules. They are very
similar to ipfilter's keep-state.
Look at the updated ipfw(8) manpage for details.
Approved-by: jordan
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index ffd1d04..a106108 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -102,7 +102,7 @@ struct ip_fw { struct ip_fw_ext { /* extended structure */ struct ip_fw rule; /* must be at offset 0 */ long dont_match_prob; /* 0x7fffffff means 1.0, always fail */ - u_int param1; /* unused at the moment */ + u_int dyn_type; /* type for dynamic rule */ }; #define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f) @@ -128,6 +128,33 @@ struct ip_fw_chain { }; /* + * Flow mask/flow id for each queue. + */ +struct ipfw_flow_id { + u_int32_t dst_ip, src_ip ; + u_int16_t dst_port, src_port ; + u_int8_t proto ; + u_int8_t flags ; /* protocol-specific flags */ +} ; + +/* + * dynamic ipfw rule + */ +struct ipfw_dyn_rule { + struct ipfw_dyn_rule *next ; + + struct ipfw_flow_id id ; + struct ipfw_flow_id mask ; + struct ip_fw_chain *chain ; /* pointer to parent rule */ + u_int32_t type ; /* rule type */ + u_int32_t expire ; /* expire time */ + u_int64_t pcnt, bcnt; /* match counters */ + u_int32_t bucket ; /* which bucket in hash table */ + u_int32_t state ; /* state of this rule (typ. a */ + /* combination of TCP flags) */ +} ; + +/* * Values for "flags" field . */ #define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */ @@ -173,9 +200,11 @@ struct ip_fw_chain { #define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */ #define IP_FW_F_SMSK 0x01000000 /* src-port + mask */ #define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */ -#define IP_FW_F_KEEP_S 0x04000000 /* keep state */ +#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */ +#define IP_FW_F_KEEP_S 0x08000000 /* keep state */ +#define IP_FW_F_CHECK_S 0x10000000 /* check state */ -#define IP_FW_F_MASK 0x03FFFFFF /* All possible flag bits mask */ +#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */ /* * For backwards compatibility with rules specifying "via iface" but @@ -231,7 +260,9 @@ typedef int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *, typedef int ip_fw_ctl_t __P((struct sockopt *)); extern ip_fw_chk_t *ip_fw_chk_ptr; extern ip_fw_ctl_t *ip_fw_ctl_ptr; - +extern int fw_one_pass; +extern int fw_enable; +extern struct ipfw_flow_id last_pkt ; #endif /* _KERNEL */ #endif /* _IP_FW_H */ |
