authorjkh <jkh@FreeBSD.org>1994-11-16 10:17:11 +0000
committerjkh <jkh@FreeBSD.org>1994-11-16 10:17:11 +0000
commite8b4c662322a9ab5c29fc31eaa45041a0ef8b5eb (patch)
treefe6126b4eeffefa1c2cbe50fa4bb9bebcc17fdf4 /sys/netinet/ip_fw.h
parent6f2263602c66db2070a547e628b802cbfa4b37da (diff)
Ugen J.S.Antsilevich's latest, happiest, IP firewall code.
Poul: Please take this into BETA. It's non-intrusive, and a rather substantial improvement over what was there before.
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r--sys/netinet/ip_fw.h45
1 files changed, 29 insertions, 16 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index ca999bc..f9979b6 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -26,39 +26,40 @@ struct ip_fw {
struct ip_fw *next; /* Next firewall on chain */
struct in_addr src, dst; /* Source and destination IP addr */
struct in_addr src_mask, dst_mask; /* Mask for src and dest IP addr */
- u_short flags;
-
- u_short n_src_p, n_dst_p; /* # of src ports and # of dst ports */
+ u_short flags; /* Flags word */
+ u_short n_src_p, n_dst_p; /* # of src ports and # of dst ports */
/* in ports array (dst ports follow */
/* src ports; max of 10 ports in all; */
/* count of 0 means match all ports) */
-#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
- u_short ports[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
+#define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
+ u_short ports[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
+ u_long p_cnt,b_cnt; /* Packet and byte counters */
};
/*
* Values for "flags" field .
*/
-#define IP_FW_F_ALL 0 /* This is a universal packet firewall*/
-#define IP_FW_F_TCP 1 /* This is a TCP packet firewall */
-#define IP_FW_F_UDP 2 /* This is a UDP packet firewall */
-#define IP_FW_F_ICMP 3 /* This is a ICMP packet firewall */
-#define IP_FW_F_KIND 3 /* Mask to isolate firewall kind */
-#define IP_FW_F_ACCEPT 4 /* This is an accept firewall (as *
+#define IP_FW_F_ALL 0x00 /* This is a universal packet firewall*/
+#define IP_FW_F_TCP 0x01 /* This is a TCP packet firewall */
+#define IP_FW_F_UDP 0x02 /* This is a UDP packet firewall */
+#define IP_FW_F_ICMP 0x03 /* This is a ICMP packet firewall */
+#define IP_FW_F_KIND 0x03 /* Mask to isolate firewall kind */
+#define IP_FW_F_ACCEPT 0x04 /* This is an accept firewall (as *
* opposed to a deny firewall)*
* */
-#define IP_FW_F_SRNG 8 /* The first two src ports are a min *
+#define IP_FW_F_SRNG 0x08 /* The first two src ports are a min *
* and max range (stored in host byte *
* order). *
* */
-#define IP_FW_F_DRNG 16 /* The first two dst ports are a min *
+#define IP_FW_F_DRNG 0x10 /* The first two dst ports are a min *
* and max range (stored in host byte *
* order). *
* (ports[0] <= port <= ports[1]) *
* */
-#define IP_FW_F_PRN 32 /* In verbose mode print this firewall*/
-#define IP_FW_F_MASK 0x3F /* All possible flag bits mask */
+#define IP_FW_F_PRN 0x20 /* In verbose mode print this firewall*/
+#define IP_FW_F_BIDIR 0x40 /* For accounting-count two way */
+#define IP_FW_F_MASK 0x7F /* All possible flag bits mask */
/*
* New IP firewall options for [gs]etsockopt at the RAW IP level.
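Review bot: The new `p_cnt,b_cnt` counters added to `struct ip_fw` are not documented as kernel-owned, yet the struct appears to be the same one user space fills in for the [gs]etsockopt options described just below, so the comment should say that they are zeroed when an entry is added and that caller-supplied values are ignored (the code that would do this is outside the hunk). I would extend the comment to `/* Packet and byte counters; kernel-maintained, wrap at ULONG_MAX */`. Adding the field also changes `sizeof(struct ip_fw)`, so the control tools must be rebuilt together with the kernel, and the option handler should reject a length that does not match. Separately, `IP_FW_F_MASK` grows to `0x7F` and so admits `IP_FW_F_BIDIR` on every chain, although its comment says it is for accounting; if that mask is what validates flags on blocking and forwarding entries, the bit passes there with no defined meaning.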
@@ -74,12 +75,24 @@ struct ip_fw {
#define IP_FW_FLUSH (IP_FW_BASE_CTL+6)
#define IP_FW_POLICY (IP_FW_BASE_CTL+7)
+#define IP_ACCT_ADD (IP_FW_BASE_CTL+10)
+#define IP_ACCT_DEL (IP_FW_BASE_CTL+11)
+#define IP_ACCT_FLUSH (IP_FW_BASE_CTL+12)
+#define IP_ACCT_ZERO (IP_FW_BASE_CTL+13)
+
/*
* Main firewall chains definitions and global var's definitions.
*/
+#ifdef KERNEL
+#ifdef IPFIREWALL
extern struct ip_fw *ip_fw_blk_chain;
extern struct ip_fw *ip_fw_fwd_chain;
extern int ip_fw_policy;
-
#endif
+#ifdef IPACCT
+extern struct ip_fw *ip_acct_chain;
+#endif
+#endif /* KERNEL */
+
+#endif /* _IP_FW_H */
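Review bot: The two inner `#endif` lines are unlabelled while the outer ones carry `/* KERNEL */` and `/* _IP_FW_H */`; with three levels of nesting I would write `#endif /* IPFIREWALL */` and `#endif /* IPACCT */`. The `IP_ACCT_*` values start at `IP_FW_BASE_CTL+10`, and as far as this hunk shows +8 and +9 are left unexplained, so a one-line comment saying whether they are reserved or in use elsewhere would keep a later option from colliding. The accounting options are defined unconditionally while `ip_acct_chain` is declared only under `IPACCT`, so the handler (outside this hunk) should return an explicit error for `IP_ACCT_*` requests on a kernel built without that option.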