authorphk <phk@FreeBSD.org>1996-02-23 15:47:58 +0000
committerphk <phk@FreeBSD.org>1996-02-23 15:47:58 +0000
commit37d6472c4f2c7b8e39635fc5494ab71a47e41caa (patch)
tree97c7360219d204b89bc15ace01e53279c1509f40 /sys/netinet/ip_fw.h
parent8b3d623d7962824ee462d964e5374d96532e5807 (diff)
Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole. Waste less memory. Rewrite in a contemporary, more readable style. Kill separate IPACCT facility, use "accept" rules in IPFIREWALL. Filter incoming >and< outgoing packets. Replace "policy" by sticky "deny all" rule. Rules have numbers used for ordering and deletion. Remove "reorder" code entirely. Count packet & bytecount matches for rules. Code in -current & -stable is now the same.
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r--sys/netinet/ip_fw.h100
1 files changed, 36 insertions, 64 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index bc2dfc5..3a2962f 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -11,7 +11,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
- * $Id: ip_fw.h,v 1.13 1995/07/23 05:36:30 davidg Exp $
+ * $Id: ip_fw.h,v 1.11.4.2 1996/02/23 15:26:05 phk Exp $
*/
/*
@@ -25,14 +25,9 @@
#define _IP_FW_H
struct ip_fw {
- struct ip_fw *fw_next; /* Next firewall on chain */
+ u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
- /*
- * This union keeps all "via" information.
- * If ever fu_via_ip is 0,or IP_FW_F_IFNAME set and
- * fu_via_name[0] is 0 - match any packet.
- */
union {
struct in_addr fu_via_ip;
struct {
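Review bot: The comment removed from above the "via" union was the only place in this header that stated the wildcard contract — a zero fw_via_ip, or IP_FW_F_IFNAME set with an empty fw_via_name, matches any packet — and nothing on the new side replaces it, so the fw_via_* accessors are now used without that rule being written down. I would keep a one-line version next to the union: `/* fw_via_ip == 0, or IP_FW_F_IFNAME set with fw_via_name[0] == 0, matches any packet */`. Moving `fw_pcnt`/`fw_bcnt` to the head of the struct also changes the layout seen by user space through the sockopt interface; whether every consumer is rebuilt against this header is not visible here. struct ip_fw continues past the end of this hunk.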
@@ -41,6 +36,10 @@ struct ip_fw {
short fu_via_unit;
} fu_via_if;
} fu_via_un;
+#define fw_via_ip fu_via_un.fu_via_ip
+#define fw_via_name fu_via_un.fu_via_if.fu_via_name
+#define fw_via_unit fu_via_un.fu_via_if.fu_via_unit
+ u_short fw_number;
u_short fw_flg; /* Flags word */
u_short fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */
/* in ports array (dst ports follow */
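Review bot: `fw_number` is added without a comment while every neighbouring field carries one, and its role — the rule number used for ordering and deletion, per the commit message — is not otherwise stated in the header. I would write `u_short fw_number; /* Rule number: ordering key and deletion handle */`. The three `fw_via_*` defines moved into the struct body are valid C but lose the explanatory comment they had at their old location; a short `/* Accessors for the "via" union above */` would preserve the intent. struct ip_fw starts before and ends after this hunk.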
@@ -48,46 +47,40 @@ struct ip_fw {
/* count of 0 means match all ports) */
#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
- u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */
u_char fw_tcpf,fw_tcpnf; /* TCP flags sen/unset */
};
-
-/*
- * Definitions to make expressions
- * for "via" stuff shorter.
- */
-#define fw_via_ip fu_via_un.fu_via_ip
-#define fw_via_name fu_via_un.fu_via_if.fu_via_name
-#define fw_via_unit fu_via_un.fu_via_if.fu_via_unit
+struct ip_fw_chain {
+ LIST_ENTRY(ip_fw_chain) chain;
+ struct ip_fw *rule;
+};
/*
* Values for "flags" field .
*/
-#define IP_FW_F_ALL 0x000 /* This is a universal packet firewall*/
-#define IP_FW_F_TCP 0x001 /* This is a TCP packet firewall */
-#define IP_FW_F_UDP 0x002 /* This is a UDP packet firewall */
-#define IP_FW_F_ICMP 0x003 /* This is a ICMP packet firewall */
-#define IP_FW_F_KIND 0x003 /* Mask to isolate firewall kind */
-#define IP_FW_F_ACCEPT 0x004 /* This is an accept firewall (as *
- * opposed to a deny firewall)*
- * */
-#define IP_FW_F_SRNG 0x008 /* The first two src ports are a min *
+#define IP_FW_F_ALL 0x000 /* This is a universal packet rule */
+#define IP_FW_F_TCP 0x001 /* This is a TCP packet rule */
+#define IP_FW_F_UDP 0x002 /* This is a UDP packet rule */
+#define IP_FW_F_ICMP 0x003 /* This is a ICMP packet rule */
+#define IP_FW_F_KIND 0x003 /* Mask to isolate rule kind */
+
+#define IP_FW_F_ACCEPT 0x004 /* This is an accept rule */
+#define IP_FW_F_PRN 0x008 /* Print if this rule matches */
+#define IP_FW_F_ICMPRPL 0x010 /* Send back icmp unreachable packet */
+
+#define IP_FW_F_SRNG 0x020 /* The first two src ports are a min *
* and max range (stored in host byte *
- * order). *
- * */
-#define IP_FW_F_DRNG 0x010 /* The first two dst ports are a min *
+ * order). */
+
+#define IP_FW_F_DRNG 0x040 /* The first two dst ports are a min *
* and max range (stored in host byte *
- * order). *
- * (ports[0] <= port <= ports[1]) *
- * */
-#define IP_FW_F_PRN 0x020 /* In verbose mode print this firewall*/
-#define IP_FW_F_BIDIR 0x040 /* For accounting-count two way */
-#define IP_FW_F_ICMPRPL 0x100 /* Send back icmp unreachable packet */
-#define IP_FW_F_IFNAME 0x200 /* Use interface name/unit (not IP) */
-#define IP_FW_F_MASK 0x3FF /* All possible flag bits mask */
+ * order). */
+
+#define IP_FW_F_IFNAME 0x080 /* Use interface name/unit (not IP) */
+
+#define IP_FW_F_MASK 0x0FF /* All possible flag bits mask */
/*
* Definitions for IP option names.
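Review bot: Every IP_FW_F_* bit value changes here (IP_FW_F_PRN 0x020→0x008, IP_FW_F_SRNG 0x008→0x020, IP_FW_F_DRNG 0x010→0x040, IP_FW_F_ICMPRPL 0x100→0x010, IP_FW_F_IFNAME 0x200→0x080) and IP_FW_F_BIDIR disappears, yet struct ip_fw carries no version field, so a rule submitted by a program built against the previous header would have its old PRN bit read as SRNG; the kernel-side validation of fw_flg against IP_FW_F_MASK is not in this diff, so I cannot tell whether such rules are rejected. The sockopt renumbering in the next hunk has the same property, and there the old IP_FW_ADD value (53) coincides with the new IP_FW_ZERO (50+3). A comment above the flag block, e.g. `/* Bit assignments and sockopt numbers changed in this revision; userland must be rebuilt */`, would at least record the break. Separately, `LIST_ENTRY` in the new struct ip_fw_chain requires <sys/queue.h>, which this diff does not add to the header — confirm it is included before this point or by every consumer.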
@@ -110,18 +103,12 @@ struct ip_fw {
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
*/
-#define IP_FW_BASE_CTL 53
-
-#define IP_FW_ADD (IP_FW_BASE_CTL)
-#define IP_FW_DEL (IP_FW_BASE_CTL+4)
-#define IP_FW_FLUSH (IP_FW_BASE_CTL+6)
-#define IP_FW_POLICY (IP_FW_BASE_CTL+7)
+#define IP_FW_BASE_CTL 50
-#define IP_ACCT_ADD (IP_FW_BASE_CTL+10)
-#define IP_ACCT_DEL (IP_FW_BASE_CTL+11)
-#define IP_ACCT_FLUSH (IP_FW_BASE_CTL+12)
-#define IP_ACCT_ZERO (IP_FW_BASE_CTL+13)
-#define IP_ACCT_CLR (IP_FW_BASE_CTL+14)
+#define IP_FW_ADD (IP_FW_BASE_CTL+0)
+#define IP_FW_DEL (IP_FW_BASE_CTL+1)
+#define IP_FW_FLUSH (IP_FW_BASE_CTL+2)
+#define IP_FW_ZERO (IP_FW_BASE_CTL+3)
/*
* Policy flags...
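Review bot: The `Policy flags...` section header on the hunk's last line survives although the IP_FW_POLICY sockopt is removed here and the commit message replaces "policy" with a sticky deny-all rule; the definitions under that header lie outside this hunk, so if they are now unused they should go with the sockopt, and if they still describe the deny-all rule the header should say so. The new `IP_FW_ZERO` is the only control code without any indication of its effect; given the counters introduced in the struct, a comment such as `#define IP_FW_ZERO (IP_FW_BASE_CTL+3) /* Reset fw_pcnt/fw_bcnt counters */` would help, with the exact scope (one rule or all) confirmed against the implementation.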
@@ -138,30 +125,15 @@ struct ip_fw {
#ifdef KERNEL
/*
- * Variables/chain.
- */
-extern struct ip_fw *ip_fw_chain;
-extern u_short ip_fw_policy;
-
-extern struct ip_fw *ip_acct_chain;
-
-/*
* Function pointers.
*/
-extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
+extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);
-extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
-extern int (*ip_acct_ctl_ptr)(int,struct mbuf *);
-
/*
* Function definitions.
*/
-int ip_fw_chk(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
-int ip_fw_ctl(int,struct mbuf *);
-
-void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
-int ip_acct_ctl(int,struct mbuf *);
+void ip_fw_init(void);
#endif /* KERNEL */
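Review bot: The new `int dir` parameter on `ip_fw_chk_ptr` has neither a comment nor named values in this header, so a caller has to read the implementation to learn which integer means incoming and which outgoing — the commit message says both directions are now filtered. I would either document it at the declaration, `/* dir: packet direction; see the ip_fw_chk definition for the values */`, or add named constants here (placeholder names, e.g. IP_FW_IN/IP_FW_OUT) and use them in the prototype. The `ip_fw_chk`/`ip_fw_ctl` prototypes are dropped while the function pointers stay, which suggests `ip_fw_init` now installs them; a one-line comment on `ip_fw_init` stating that would make the contract explicit, though the definition is not visible here.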