diff options
| author | phk <phk@FreeBSD.org> | 2001-02-13 14:12:37 +0000 |
|---|---|---|
| committer | phk <phk@FreeBSD.org> | 2001-02-13 14:12:37 +0000 |
| commit | be4fee4a9b95feb53ff3469bab486e71c7ef750e (patch) | |
| tree | 7a462819b17f833cc6f3bb95b5c92c8df675db8e /sys/netinet/ip_fw.h | |
| parent | 56b912587564e3c12be17e5965e983c50b5c368a (diff) | |
| download | FreeBSD-src-be4fee4a9b95feb53ff3469bab486e71c7ef750e.zip FreeBSD-src-be4fee4a9b95feb53ff3469bab486e71c7ef750e.tar.gz | |
Introduce a new feature in IPFW: Check of the source or destination
address is configured on a interface. This is useful for routers with
dynamic interfaces. It is now possible to say:
0100 allow tcp from any to any established
0200 skipto 1000 tcp from any to any
0300 allow ip from any to any
1000 allow tcp from 1.2.3.4 to me 22
1010 deny tcp from any to me 22
1020 allow tcp from any to any
and not have to worry about the behaviour if dynamic interfaces configure
new IP numbers later on.
The check is semi expensive (traverses the interface address list)
so it should be protected as in the above example if high performance
is a requirement.
Diffstat (limited to 'sys/netinet/ip_fw.h')
| -rw-r--r-- | sys/netinet/ip_fw.h | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h index 81da17a..7abae15 100644 --- a/sys/netinet/ip_fw.h +++ b/sys/netinet/ip_fw.h @@ -212,7 +212,10 @@ struct ipfw_dyn_rule { #define IP_FW_F_KEEP_S 0x08000000 /* keep state */ #define IP_FW_F_CHECK_S 0x10000000 /* check state */ -#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */ +#define IP_FW_F_SME 0x20000000 /* source = me */ +#define IP_FW_F_DME 0x40000000 /* destination = me */ + +#define IP_FW_F_MASK 0x7FFFFFFF /* All possible flag bits mask */ /* * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. |
