summaryrefslogtreecommitdiffstats
path: root/man/ipf.4
diff options
context:
space:
mode:
Diffstat (limited to 'man/ipf.4')
-rw-r--r--man/ipf.4255
1 files changed, 255 insertions, 0 deletions
diff --git a/man/ipf.4 b/man/ipf.4
new file mode 100644
index 0000000..e2e5b5b
--- /dev/null
+++ b/man/ipf.4
@@ -0,0 +1,255 @@
+.TH IPF 4
+.SH NAME
+ipf \- packet filtering kernel interface
+.SH SYNOPSIS
+#include <netinet/ip_compat.h>
+.br
+#include <netinet/ip_fil.h>
+.SH IOCTLS
+.PP
+To add and delete rules to the filter list, three 'basic' ioctls are provided
+for use. The ioctl's are called as:
+.LP
+.nf
+ ioctl(fd, SIOCADDFR, struct frentry **)
+ ioctl(fd, SIOCDELFR, struct frentry **)
+ ioctl(fd, SIOCIPFFL, int *)
+.fi
+.PP
+However, the full complement is as follows:
+.LP
+.nf
+ ioctl(fd, SIOCADAFR, struct frentry **) (same as SIOCADDFR)
+ ioctl(fd, SIOCRMAFR, struct frentry **) (same as SIOCDELFR)
+ ioctl(fd, SIOCADIFR, struct frentry **)
+ ioctl(fd, SIOCRMIFR, struct frentry **)
+ ioctl(fd, SIOCINAFR, struct frentry **)
+ ioctl(fd, SIOCINIFR, struct frentry **)
+ ioctl(fd, SIOCSETFF, u_int *)
+ ioctl(fd, SIOGGETFF, u_int *)
+ ioctl(fd, SIOCGETFS, struct friostat **)
+ ioctl(fd, SIOCIPFFL, int *)
+ ioctl(fd, SIOCIPFFB, int *)
+ ioctl(fd, SIOCSWAPA, u_int *)
+ ioctl(fd, SIOCFRENB, u_int *)
+ ioctl(fd, SIOCFRSYN, u_int *)
+ ioctl(fd, SIOCFRZST, struct friostat **)
+ ioctl(fd, SIOCZRLST, struct frentry **)
+ ioctl(fd, SIOCAUTHW, struct fr_info **)
+ ioctl(fd, SIOCAUTHR, struct fr_info **)
+ ioctl(fd, SIOCATHST, struct fr_authstat **)
+.fi
+.PP
+The variations, SIOCADAFR vs. SIOCADIFR, allow operation on the two lists,
+active and inactive, respectively. All of these ioctl's are implemented
+as being routing ioctls and thus the same rules for the various routing
+ioctls and the file descriptor are employed, mainly being that the fd must
+be that of the device associated with the module (i.e., /dev/ipl).
+.LP
+.PP
+The three groups of ioctls above perform adding rules to the end of the
+list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
+and insertion of a rule into the list (SIOCIN*). The rule place into
+which it is inserted is stored in the "fr_hits" field, below.
+.LP
+.nf
+typedef struct frentry {
+ struct frentry *fr_next;
+ u_short fr_group; /* group to which this rule belongs */
+ u_short fr_grhead; /* group # which this rule starts */
+ struct frentry *fr_grp;
+ int fr_ref; /* reference count - for grouping */
+ void *fr_ifa;
+#if BSD >= 199306
+ void *fr_oifa;
+#endif
+ /*
+ * These are only incremented when a packet matches this rule and
+ * it is the last match
+ */
+ U_QUAD_T fr_hits;
+ U_QUAD_T fr_bytes;
+ /*
+ * Fields after this may not change whilst in the kernel.
+ */
+ struct fr_ip fr_ip;
+ struct fr_ip fr_mip; /* mask structure */
+
+ u_char fr_tcpfm; /* tcp flags mask */
+ u_char fr_tcpf; /* tcp flags */
+
+ u_short fr_icmpm; /* data for ICMP packets (mask) */
+ u_short fr_icmp;
+
+ u_char fr_scmp; /* data for port comparisons */
+ u_char fr_dcmp;
+ u_short fr_dport;
+ u_short fr_sport;
+ u_short fr_stop; /* top port for <> and >< */
+ u_short fr_dtop; /* top port for <> and >< */
+ u_32_t fr_flags; /* per-rule flags && options (see below) */
+ u_short fr_skip; /* # of rules to skip */
+ u_short fr_loglevel; /* syslog log facility + priority */
+ int (*fr_func) __P((int, ip_t *, fr_info_t *));
+ char fr_icode; /* return ICMP code */
+ char fr_ifname[IFNAMSIZ];
+#if BSD > 199306
+ char fr_oifname[IFNAMSIZ];
+#endif
+ struct frdest fr_tif; /* "to" interface */
+ struct frdest fr_dif; /* duplicate packet interfaces */
+} frentry_t;
+.fi
+.PP
+When adding a new rule, all unused fields (in the filter rule) should be
+initialised to be zero. To insert a rule, at a particular position in the
+filter list, the number of the rule which it is to be inserted before must
+be put in the "fr_hits" field (the first rule is number 0).
+.LP
+.PP
+Flags which are recognised in fr_flags:
+.nf
+
+ FR_BLOCK 0x000001 /* do not allow packet to pass */
+ FR_PASS 0x000002 /* allow packet to pass */
+ FR_OUTQUE 0x000004 /* outgoing packets */
+ FR_INQUE 0x000008 /* ingoing packets */
+ FR_LOG 0x000010 /* Log */
+ FR_LOGB 0x000011 /* Log-fail */
+ FR_LOGP 0x000012 /* Log-pass */
+ FR_LOGBODY 0x000020 /* log the body of packets too */
+ FR_LOGFIRST 0x000040 /* log only the first packet to match */
+ FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
+ FR_RETICMP 0x000100 /* return an ICMP packet if blocked */
+ FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
+ FR_NOMATCH 0x000200 /* no match occured */
+ FR_ACCOUNT 0x000400 /* count packet bytes */
+ FR_KEEPFRAG 0x000800 /* keep fragment information */
+ FR_KEEPSTATE 0x001000 /* keep `connection' state information */
+ FR_INACTIVE 0x002000
+ FR_QUICK 0x004000 /* match & stop processing list */
+ FR_FASTROUTE 0x008000 /* bypass normal routing */
+ FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
+ FR_DUP 0x020000 /* duplicate the packet */
+ FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
+ FR_NOTSRCIP 0x080000 /* not the src IP# */
+ FR_NOTDSTIP 0x100000 /* not the dst IP# */
+ FR_AUTH 0x200000 /* use authentication */
+ FR_PREAUTH 0x400000 /* require preauthentication */
+
+.fi
+.PP
+Values for fr_scomp and fr_dcomp (source and destination port value
+comparisons) :
+.LP
+.nf
+ FR_NONE 0
+ FR_EQUAL 1
+ FR_NEQUAL 2
+ FR_LESST 3
+ FR_GREATERT 4
+ FR_LESSTE 5
+ FR_GREATERTE 6
+ FR_OUTRANGE 7
+ FR_INRANGE 8
+.fi
+.PP
+The third ioctl, SIOCIPFFL, flushes either the input filter list, the
+output filter list or both and it returns the number of filters removed
+from the list(s). The values which it will take and recognise are FR_INQUE
+and FR_OUTQUE (see above). This ioctl is also implemented for
+\fB/dev/ipstate\fP and will flush all state tables entries if passed 0
+or just all those which are not established if passed 1.
+
+.IP "\fBGeneral Logging Flags\fP" 0
+There are two flags which can be set to log packets independently of the
+rules used. These allow for packets which are either passed or blocked
+to be logged. To set (and clear)/get these flags, two ioctls are
+provided:
+.IP SIOCSETFF 16
+Takes an unsigned integer as the parameter. The flags are then set to
+those provided (clearing/setting all in one).
+.nf
+
+ FF_LOGPASS 0x10000000
+ FF_LOGBLOCK 0x20000000
+ FF_LOGNOMATCH 0x40000000
+ FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
+.fi
+.IP SIOCGETFF 16
+Takes a pointer to an unsigned integer as the parameter. A copy of the
+flags currently in used is copied to user space.
+.IP "\fBFilter statistics\fP" 0
+Statistics on the various operations performed by this package on packets
+is kept inside the kernel. These statistics apply to packets traversing
+through the kernel. To retrieve this structure, use this ioctl:
+.nf
+
+ ioctl(fd, SIOCGETFS, struct friostat *)
+
+struct friostat {
+ struct filterstats f_st[2];
+ struct frentry *f_fin[2];
+ struct frentry *f_fout[2];
+ struct frentry *f_acctin[2];
+ struct frentry *f_acctout[2];
+ struct frentry *f_auth;
+ u_long f_froute[2];
+ int f_active; /* 1 or 0 - active rule set */
+ int f_defpass; /* default pass - from fr_pass */
+ int f_running; /* 1 if running, else 0 */
+ int f_logging; /* 1 if enabled, else 0 */
+ char f_version[32]; /* version string */
+};
+
+struct filterstats {
+ u_long fr_pass; /* packets allowed */
+ u_long fr_block; /* packets denied */
+ u_long fr_nom; /* packets which don't match any rule */
+ u_long fr_ppkl; /* packets allowed and logged */
+ u_long fr_bpkl; /* packets denied and logged */
+ u_long fr_npkl; /* packets unmatched and logged */
+ u_long fr_pkl; /* packets logged */
+ u_long fr_skip; /* packets to be logged but buffer full */
+ u_long fr_ret; /* packets for which a return is sent */
+ u_long fr_acct; /* packets for which counting was performed */
+ u_long fr_bnfr; /* bad attempts to allocate fragment state */
+ u_long fr_nfr; /* new fragment state kept */
+ u_long fr_cfr; /* add new fragment state but complete pkt */
+ u_long fr_bads; /* bad attempts to allocate packet state */
+ u_long fr_ads; /* new packet state kept */
+ u_long fr_chit; /* cached hit */
+ u_long fr_pull[2]; /* good and bad pullup attempts */
+#if SOLARIS
+ u_long fr_notdata; /* PROTO/PCPROTO that have no data */
+ u_long fr_nodata; /* mblks that have no data */
+ u_long fr_bad; /* bad IP packets to the filter */
+ u_long fr_notip; /* packets passed through no on ip queue */
+ u_long fr_drop; /* packets dropped - no info for them! */
+#endif
+};
+.fi
+If we wanted to retrieve all the statistics and reset the counters back to
+0, then the ioctl() call would be made to SIOCFRZST rather than SIOCGETFS.
+In addition to the statistics above, each rule keeps a hit count, counting
+both number of packets and bytes. To reset these counters for a rule,
+load the various rule information into a frentry structure and call
+SIOCZRLST.
+.IP "Swapping Active lists" 0
+IP Filter supports two lists of rules for filtering and accounting: an
+active list and an inactive list. This allows for large scale rule base
+changes to be put in place atomically with otherwise minimal interruption.
+Which of the two is active can be changed using the SIOCSWAPA ioctl. It
+is important to note that no passed argument is recognised and that the
+value returned is that of the list which is now inactive.
+.br
+.SH FILES
+/dev/ipauth
+.br
+/dev/ipl
+.br
+/dev/ipnat
+.br
+/dev/ipstate
+.SH SEE ALSO
+ipl(4), ipnat(4), ipf(5), ipf(8), ipfstat(8)
OpenPOWER on IntegriCloud