Diffstat (limited to 'sys/contrib/ipfilter/netinet/ip_fil.h')
-rw-r--r-- | sys/contrib/ipfilter/netinet/ip_fil.h | 186 |
1 files changed, 166 insertions, 20 deletions
diff --git a/sys/contrib/ipfilter/netinet/ip_fil.h b/sys/contrib/ipfilter/netinet/ip_fil.h
index 568453d..dc5a473 100644
--- a/sys/contrib/ipfilter/netinet/ip_fil.h
+++ b/sys/contrib/ipfilter/netinet/ip_fil.h
@@ -44,12 +44,12 @@
 # define SIOCZRLST _IOWR('r', 75, struct ipfobj)
 # define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
 # define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
-# define SIOCATHST _IOWR('r', 78, struct ipfobj)
+# define SIOCSTAT1 _IOWR('r', 78, struct ipfobj)
 # define SIOCSTLCK _IOWR('r', 79, u_int)
 # define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
 # define SIOCSTGET _IOWR('r', 81, struct ipfobj)
 # define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
-# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
+# define SIOCSTAT2 _IOWR('r', 83, struct ipfobj)
 # define SIOCSETLG _IOWR('r', 84, int)
 # define SIOCGETLG _IOWR('r', 85, int)
 # define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
@@ -57,6 +57,12 @@
 # define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
 # define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
 # define SIOCIPFL6 _IOWR('r', 90, int)
+# define SIOCIPFITER _IOWR('r', 91, struct ipfobj)
+# define SIOCGENITER _IOWR('r', 92, struct ipfobj)
+# define SIOCGTABL _IOWR('r', 93, struct ipfobj)
+# define SIOCIPFDELTOK _IOWR('r', 94, int)
+# define SIOCLOOKUPITER _IOWR('r', 95, struct ipfobj)
+# define SIOCGTQTAB _IOWR('r', 96, struct ipfobj)
 #else
 # define SIOCADAFR _IOW(r, 60, struct ipfobj)
 # define SIOCRMAFR _IOW(r, 61, struct ipfobj)
@@ -76,12 +82,12 @@
 # define SIOCZRLST _IOWR(r, 75, struct ipfobj)
 # define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
 # define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
-# define SIOCATHST _IOWR(r, 78, struct ipfobj)
+# define SIOCSTAT1 _IOWR(r, 78, struct ipfobj)
 # define SIOCSTLCK _IOWR(r, 79, u_int)
 # define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
 # define SIOCSTGET _IOWR(r, 81, struct ipfobj)
 # define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
-# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
+# define SIOCSTAT2 _IOWR(r, 83, struct ipfobj)
 # define SIOCSETLG _IOWR(r, 84, int)
 # define SIOCGETLG _IOWR(r, 85, int)
 # define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
@@ -89,10 +95,18 @@
 # define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
 # define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
 # define SIOCIPFL6 _IOWR(r, 90, int)
+# define SIOCIPFITER _IOWR(r, 91, struct ipfobj)
+# define SIOCGENITER _IOWR(r, 92, struct ipfobj)
+# define SIOCGTABL _IOWR(r, 93, struct ipfobj)
+# define SIOCIPFDELTOK _IOWR(r, 94, int)
+# define SIOCLOOKUPITER _IOWR(r, 95, struct ipfobj)
+# define SIOCGTQTAB _IOWR(r, 96, struct ipfobj)
 #endif
 
 #define SIOCADDFR SIOCADAFR
 #define SIOCDELFR SIOCRMAFR
 #define SIOCINSFR SIOCINAFR
+#define SIOCATHST SIOCSTAT1
+#define SIOCGFRST SIOCSTAT2
 
 struct ipscan;
@@ -112,6 +126,11 @@ typedef union i6addr {
 struct in6_addr in6;
 void *vptr[2];
 lookupfunc_t lptr[2];
+ struct {
+ u_short type;
+ u_short subtype;
+ char label[12];
+ } i6un;
 } i6addr_t;
 #else
 typedef union i6addr {
@@ -119,12 +138,19 @@ typedef union i6addr {
 struct in_addr in4;
 void *vptr[2];
 lookupfunc_t lptr[2];
+ struct {
+ u_short type;
+ u_short subtype;
+ char label[12];
+ } i6un;
 } i6addr_t;
 #endif
 
 #define in4_addr in4.s_addr
-#define iplookupnum i6[0]
-#define iplookuptype i6[1]
+#define iplookupnum i6[1]
+#define iplookupname i6un.label
+#define iplookuptype i6un.type
+#define iplookupsubtype i6un.subtype
 /*
 * NOTE: These DO overlap the above on 64bit systems and this IS recognised.
 */
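Review bot: The new `i6un` member's `char label[12]` carries no termination guarantee, and since `iplookupnum` now expands to `i6[1]`, the number and the first bytes of `label` occupy the same storage (assuming `i6` is a 32-bit word array at offset 0 of the union, which neither hunk shows). A comment on the member should make both facts explicit, e.g. `char label[12]; /* lookup name; may not be NUL-terminated, overlaps iplookupnum (i6[1]) */`, and any kernel consumer of a label copied in through a rule ioctl should use a bounded compare rather than assume a terminator. The existing NOTE below the defines only describes the `vptr`/`lptr` overlap on 64-bit systems and could be extended to name this one. The same `i6un` block is added to both `union i6addr` variants (hunks at -112 and -119); the union headers lie outside these hunks.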
@@ -250,8 +276,12 @@ typedef struct fr_ip {
 #define fi_daddr fi_dst.in4.s_addr
 #define fi_srcnum fi_src.iplookupnum
 #define fi_dstnum fi_dst.iplookupnum
+#define fi_srcname fi_src.iplookupname
+#define fi_dstname fi_dst.iplookupname
 #define fi_srctype fi_src.iplookuptype
 #define fi_dsttype fi_dst.iplookuptype
+#define fi_srcsubtype fi_src.iplookupsubtype
+#define fi_dstsubtype fi_dst.iplookupsubtype
 #define fi_srcptr fi_src.iplookupptr
 #define fi_dstptr fi_dst.iplookupptr
 #define fi_srcfunc fi_src.iplookupfunc
@@ -300,6 +330,7 @@ typedef struct fr_info {
 void *fin_nat;
 void *fin_state;
 void *fin_nattag;
+ void *fin_exthdr;
 ip_t *fin_ip;
 mb_t **fin_mp; /* pointer to pointer to mbuf */
 mb_t *fin_m; /* pointer to mbuf */
@@ -330,8 +361,8 @@ typedef struct fr_info {
 #define fin_dport fin_dat.fid_16[1]
 #define fin_ports fin_dat.fid_32
 
-#define IPF_IN 0
-#define IPF_OUT 1
+#define IPF_IN 0
+#define IPF_OUT 1
 
 typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
 typedef int (*ipfuncinit_t) __P((struct frentry *));
@@ -441,9 +472,13 @@ typedef struct fripf {
 int fri_difpidx; /* index into fr_ifps[] to use when */
 } fripf_t;
 
-#define fri_dstnum fri_ip.fi_dstnum
+#define fri_dlookup fri_mip.fi_dst
+#define fri_slookup fri_mip.fi_src
+#define fri_dstnum fri_mip.fi_dstnum
 #define fri_srcnum fri_mip.fi_srcnum
-#define fri_dstptr fri_ip.fi_dstptr
+#define fri_dstname fri_mip.fi_dstname
+#define fri_srcname fri_mip.fi_srcname
+#define fri_dstptr fri_mip.fi_dstptr
 #define fri_srcptr fri_mip.fi_srcptr
 
 #define FRI_NORMAL 0 /* Normal address */
@@ -469,6 +504,13 @@ typedef struct frentry {
 int fr_ref; /* reference count - for grouping */
 int fr_statecnt; /* state count - for limit rules */
 /*
+ * The line number from a file is here because we need to be able to
+ * match the rule generated with ``grep rule ipf.conf | ipf -rf -''
+ * with the rule loaded using ``ipf -f ipf.conf'' - thus it can't be
+ * on the other side of fr_func.
+ */
+ int fr_flineno; /* line number from conf file */
+ /*
 * These are only incremented when a packet matches this rule and
 * it is the last match
 */
@@ -495,7 +537,6 @@ typedef struct frentry {
 int fr_dsize;
 int fr_pps;
 int fr_statemax; /* max reference count */
- int fr_flineno; /* line number from conf file */
 u_32_t fr_type;
 u_32_t fr_flags; /* per-rule flags && options (see below) */
 u_32_t fr_logtag; /* user defined log tag # */
@@ -555,8 +596,14 @@ typedef struct frentry {
 #define fr_smask fr_mip.fi_src.in4.s_addr
 #define fr_dstnum fr_ip.fi_dstnum
 #define fr_srcnum fr_ip.fi_srcnum
+#define fr_dlookup fr_ip.fi_dst
+#define fr_slookup fr_ip.fi_src
+#define fr_dstname fr_ip.fi_dstname
+#define fr_srcname fr_ip.fi_srcname
 #define fr_dsttype fr_ip.fi_dsttype
 #define fr_srctype fr_ip.fi_srctype
+#define fr_dstsubtype fr_ip.fi_dstsubtype
+#define fr_srcsubtype fr_ip.fi_srcsubtype
 #define fr_dstptr fr_mip.fi_dstptr
 #define fr_srcptr fr_mip.fi_srcptr
 #define fr_dstfunc fr_mip.fi_dstfunc
@@ -1019,6 +1066,8 @@ typedef struct ipftq {
 /* checks its timeout queues. */
 #define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
 
+typedef int (*ipftq_delete_fn_t)(void *);
+
 /*
 * Structure to define address for pool lookups.
 */
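Review bot: The new `ipftq_delete_fn_t` typedef in the -1019 hunk declares its parameter list bare, while every other function-pointer typedef in this file wraps it in `__P(())` (see `ipfunc_t` and `ipfuncinit_t` earlier in the diff); for consistency with the file's K&R-compatibility convention it should read `typedef int (*ipftq_delete_fn_t) __P((void *));`. Separately, moving `fr_flineno` from after `fr_statemax` to before the match counters (hunks -469 and -495) changes the layout of `struct frentry`, which is carried across the ioctl boundary inside `struct ipfobj`; unless the object revision or size check that guards those copies is bumped in the same change (not visible here), an ipf(8) built against the old header would have its rule fields read at shifted offsets without an error. The rationale comment added above the field is welcome; a one-line note that the move is layout-affecting would help the next maintainer. `struct frentry` begins and ends outside these hunks.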
@@ -1054,6 +1103,13 @@ typedef struct ipfobj {
 #define IPFOBJ_STATESTAT 11 /* struct ips_stat */
 #define IPFOBJ_FRAUTH 12 /* struct frauth */
 #define IPFOBJ_TUNEABLE 13 /* struct ipftune */
+#define IPFOBJ_NAT 14 /* struct nat */
+#define IPFOBJ_IPFITER 15 /* struct ipfruleiter */
+#define IPFOBJ_GENITER 16 /* struct ipfgeniter */
+#define IPFOBJ_GTABLE 17 /* struct ipftable */
+#define IPFOBJ_LOOKUPITER 18 /* struct ipflookupiter */
+#define IPFOBJ_STATETQTAB 19 /* struct ipftq [NSTATES] */
+#define IPFOBJ_COUNT 20 /* How many #defines are above this? */
 
 
 typedef union ipftunevalptr {
@@ -1066,7 +1122,7 @@ typedef union ipftunevalptr {
 
 typedef struct ipftuneable {
 ipftunevalptr_t ipft_una;
- char *ipft_name;
+ const char *ipft_name;
 u_long ipft_min;
 u_long ipft_max;
 int ipft_sz;
@@ -1105,6 +1161,66 @@ typedef struct ipftune {
 #define ipft_vshort ipft_un.ipftu_short
 #define ipft_vchar ipft_un.ipftu_char
 
+/*
+ *
+ */
+typedef struct ipfruleiter {
+ int iri_inout;
+ char iri_group[FR_GROUPLEN];
+ int iri_active;
+ int iri_nrules;
+ int iri_v;
+ frentry_t *iri_rule;
+} ipfruleiter_t;
+
+/*
+ * Values for iri_inout
+ */
+#define F_IN 0
+#define F_OUT 1
+#define F_ACIN 2
+#define F_ACOUT 3
+
+
+typedef struct ipfgeniter {
+ int igi_type;
+ int igi_nitems;
+ void *igi_data;
+} ipfgeniter_t;
+
+#define IPFGENITER_IPF 0
+#define IPFGENITER_NAT 1
+#define IPFGENITER_IPNAT 2
+#define IPFGENITER_FRAG 3
+#define IPFGENITER_AUTH 4
+#define IPFGENITER_STATE 5
+#define IPFGENITER_NATFRAG 6
+#define IPFGENITER_HOSTMAP 7
+#define IPFGENITER_LOOKUP 8
+
+typedef struct ipftable {
+ int ita_type;
+ void *ita_table;
+} ipftable_t;
+
+#define IPFTABLE_BUCKETS 1
+
+
+/*
+ *
+ */
+typedef struct ipftoken {
+ struct ipftoken *ipt_next;
+ struct ipftoken **ipt_pnext;
+ void *ipt_ctx;
+ void *ipt_data;
+ u_long ipt_die;
+ int ipt_type;
+ int ipt_uid;
+ int ipt_subtype;
+ int ipt_alive;
+} ipftoken_t;
+
 /*
 ** HPUX Port
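Review bot: The comment blocks placed above `typedef struct ipfruleiter` and `typedef struct ipftoken` in the -1105 hunk are empty (`/*`, ` *`, ` */`), so the two structures this change introduces at the ioctl boundary (`IPFOBJ_IPFITER`, `IPFOBJ_GENITER` above) are undocumented. The `ipfruleiter` block should say it is iterator state supplied by userland through `SIOCIPFITER`, that `iri_group` is a fixed `FR_GROUPLEN` buffer with its termination rule stated, and that `iri_rule` is a caller-supplied destination address the kernel must treat as untrusted memory rather than a pointer it can follow directly; the same applies to `igi_data` in `ipfgeniter`, whose companion `igi_nitems` is a user-controlled count that the kernel side has to bound before iterating or copying out. The `ipftoken` block should name the lookup key and lifetime; the `ipf_findtoken __P((int, int, void *))` prototype later in this diff suggests tokens are found by type, uid and context pointer, with `ipt_die` as an expiry, but that inference should be confirmed against the implementation before being written down. `IPFOBJ_COUNT` is correctly kept as the last entry; a note that new `IPFOBJ_*` values must be inserted above it would guard the next addition.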
@@ -1163,11 +1279,22 @@ extern int iplclose __P((dev_t, int));
 extern void m_freem __P((mb_t *));
 extern int bcopywrap __P((void *, void *, size_t));
 #else /* #ifndef _KERNEL */
+# ifdef BSD
+# if (defined(__NetBSD__) && (__NetBSD_Version__ < 399000000)) || \
+ defined(__osf__) || \
+ (defined(__FreeBSD_version) && (__FreeBSD_version < 500043))
+# include <sys/select.h>
+# else
+# include <sys/selinfo.h>
+# endif
+extern struct selinfo ipfselwait[IPL_LOGSIZE];
+# endif
 # if defined(__NetBSD__) && defined(PFIL_HOOKS)
 extern void ipfilterattach __P((int));
 # endif
 extern int ipl_enable __P((void));
 extern int ipl_disable __P((void));
+extern int ipf_inject __P((fr_info_t *, mb_t *));
 # ifdef MENTAT
 extern int fr_check __P((struct ip *, int, void *, int, void *, mblk_t **));
@@ -1190,7 +1317,6 @@ extern int iplread __P((dev_t, uio_t *));
 extern int iplwrite __P((dev_t, uio_t *));
 extern int iplselect __P((dev_t, int));
 # endif
-extern int ipfsync __P((void));
 extern int fr_qout __P((queue_t *, mblk_t *));
 # else /* MENTAT */
 extern int fr_check __P((struct ip *, int, void *, int, mb_t **));
@@ -1203,7 +1329,6 @@ extern int iplopen __P((dev_t *, int, int, cred_t *));
 extern int iplclose __P((dev_t, int, int, cred_t *));
 extern int iplread __P((dev_t, uio_t *, cred_t *));
 extern int iplwrite __P((dev_t, uio_t *, cred_t *));
-extern int ipfsync __P((void));
 extern int ipfilter_sgi_attach __P((void));
 extern void ipfilter_sgi_detach __P((void));
 extern void ipfilter_sgi_intfsync __P((void));
@@ -1224,7 +1349,15 @@ extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
 # endif /* __FreeBSD_version >= 502116 */
 # else
+# if (__NetBSD_Version__ >= 499001000)
+extern int iplioctl __P((dev_t, u_long, void *, int, struct lwp *));
+# else
+# if (__NetBSD_Version__ >= 399001400)
+extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct lwp *));
+# else
 extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
+# endif
+# endif
 # endif /* __FreeBSD_version >= 500024 */
 # else
 extern int iplioctl __P((dev_t, int, caddr_t, int, struct thread *));
@@ -1238,8 +1371,13 @@ extern int iplopen __P((dev_t, int, int, struct thread *));
 extern int iplclose __P((dev_t, int, int, struct thread *));
 # endif /* __FreeBSD_version >= 502116 */
 # else
+# if (__NetBSD_Version__ >= 399001400)
+extern int iplopen __P((dev_t, int, int, struct lwp *));
+extern int iplclose __P((dev_t, int, int, struct lwp *));
+# else
 extern int iplopen __P((dev_t, int, int, struct proc *));
 extern int iplclose __P((dev_t, int, int, struct proc *));
+# endif /* __NetBSD_Version__ >= 399001400 */
 # endif /* __FreeBSD_version >= 500024 */
 # else
 # ifdef linux
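Review bot: The two bare `# endif` lines that close the new `__NetBSD_Version__` nesting in the -1224 hunk carry no trailing comment, whereas the parallel -1238 hunk annotates its closer and the surrounding file comments every `# endif` in this region; in a block nested three conditionals deep that makes the pairing hard to read. Suggest `# endif /* __NetBSD_Version__ >= 399001400 */` for the inner one and `# endif /* __NetBSD_Version__ >= 499001000 */` for the outer one. Note also that these tests are reached inside the non-FreeBSD branch and rely on an undefined `__NetBSD_Version__` evaluating to 0 on other platforms, which is how the pre-existing `struct proc` prototype is selected there; a short comment saying so would stop a future `-Wundef` cleanup from breaking that fallback.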
@@ -1273,21 +1411,22 @@ extern ipfmutex_t ipl_mutex, ipf_authmx, ipf_rw, ipf_hostmap;
 extern ipfmutex_t ipf_timeoutlock, ipf_stinsert, ipf_natio, ipf_nat_new;
 extern ipfrwlock_t ipf_mutex, ipf_global, ip_poolrw, ipf_ipidfrag;
 extern ipfrwlock_t ipf_frag, ipf_state, ipf_nat, ipf_natfrag, ipf_auth;
-extern ipfrwlock_t ipf_frcache;
+extern ipfrwlock_t ipf_frcache, ipf_tokens;
 extern char *memstr __P((const char *, char *, size_t, size_t));
 extern int count4bits __P((u_32_t));
 extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int));
 extern char *getifname __P((struct ifnet *));
-extern int iplattach __P((void));
-extern int ipldetach __P((void));
+extern int ipfattach __P((void));
+extern int ipfdetach __P((void));
 extern u_short ipf_cksum __P((u_short *, int));
 extern int copyinptr __P((void *, void *, size_t));
 extern int copyoutptr __P((void *, void *, size_t));
 extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
 extern int fr_inobj __P((void *, void *, int));
 extern int fr_inobjsz __P((void *, void *, int, int));
-extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int));
+extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *));
+extern int fr_ipf_ioctl __P((caddr_t, ioctlcmd_t, int, int, void *));
 extern int fr_ipftune __P((ioctlcmd_t, void *));
 extern int fr_outobj __P((void *, void *, int));
 extern int fr_outobjsz __P((void *, void *, int, int));
@@ -1297,7 +1436,7 @@ extern int fr_resolvefunc __P((void *));
 extern void *fr_resolvenic __P((char *, int));
 extern int fr_send_icmp_err __P((int, fr_info_t *, int));
 extern int fr_send_reset __P((fr_info_t *));
-#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
+#if (__FreeBSD_version < 501000) || !defined(_KERNEL)
 extern int ppsratecheck __P((struct timeval *, int *, int));
 #endif
 extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int));
@@ -1359,12 +1498,20 @@ extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *, struct icmp *, int));
 extern u_32_t fr_newisn __P((fr_info_t *));
 extern u_short fr_nextipid __P((fr_info_t *));
+extern int ipf_queueflush __P((ipftq_delete_fn_t, ipftq_t *, ipftq_t *));
 extern int fr_rulen __P((int, frentry_t *));
 extern int fr_scanlist __P((fr_info_t *, u_32_t));
 extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
 extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
 extern int fr_verifysrc __P((fr_info_t *fin));
 extern int fr_zerostats __P((char *));
+extern ipftoken_t *ipf_findtoken __P((int, int, void *));
+extern int ipf_getnextrule __P((ipftoken_t *, void *));
+extern void ipf_expiretokens __P((void));
+extern void ipf_freetoken __P((ipftoken_t *));
+extern int ipf_deltoken __P((int,int, void *));
+extern int ipfsync __P((void));
+extern int ipf_genericiter __P((void *, int, void *));
 
 extern int fr_running;
 extern u_long fr_frouteok[2];
@@ -1379,7 +1526,6 @@ extern int fr_update_ipid;
 extern int nat_logging;
 extern int ipstate_logging;
 extern int ipl_suppress;
-extern int ipl_buffer_sz;
 extern int ipl_logmax;
 extern int ipl_logall;
 extern int ipl_logsize;
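Review bot: The new `ipf_deltoken` prototype in the -1359 hunk is written `__P((int,int, void *))`, missing the space after the first comma that every neighbouring prototype, including `ipf_findtoken __P((int, int, void *))` four lines above, uses; it should read `extern int ipf_deltoken __P((int, int, void *));`. None of the new token prototypes say what the two `int` arguments are, and since `SIOCIPFDELTOK` earlier in this diff exposes token deletion to userland, the meaning of those parameters is part of the access-control contract: a comment on the group such as `/* token lookup/delete key: (type, uid, ctx) - confirm against ipf_findtoken() */` would record it, hedged until checked against the implementation. `ipfsync` is re-declared here unconditionally after the MENTAT- and SGI-specific declarations were dropped in the hunks above, which reads as intended consolidation rather than a defect.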