From 0a7657b3329286c1adb3f581bd671054fb7b0636 Mon Sep 17 00:00:00 2001
From: luigi
Date: Thu, 10 Feb 2000 14:17:40 +0000
Subject: Support for stateful (dynamic) ipfw rules. They are very similar to ipfilter's keep-state. Look at the updated ipfw(8) manpage for details.
Approved-by: jordan
---
sys/netinet/ip_fw.h | 39 +++++++++++++++++++++++++++++++++++----
1 file changed, 35 insertions(+), 4 deletions(-)
(limited to 'sys/netinet/ip_fw.h')
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index ffd1d04..a106108 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -102,7 +102,7 @@ struct ip_fw {
 struct ip_fw_ext { /* extended structure */
 struct ip_fw rule; /* must be at offset 0 */
 long dont_match_prob; /* 0x7fffffff means 1.0, always fail */
- u_int param1; /* unused at the moment */
+ u_int dyn_type; /* type for dynamic rule */
 };
 
 #define IP_FW_GETNSRCP(rule) ((rule)->fw_nports & 0x0f)
@@ -128,6 +128,33 @@ struct ip_fw_chain {
 };
 
 /*
+ * Flow mask/flow id for each queue.
+ */
+struct ipfw_flow_id {
+ u_int32_t dst_ip, src_ip ;
+ u_int16_t dst_port, src_port ;
+ u_int8_t proto ;
+ u_int8_t flags ; /* protocol-specific flags */
+} ;
+
+/*
+ * dynamic ipfw rule
+ */
+struct ipfw_dyn_rule {
+ struct ipfw_dyn_rule *next ;
+
+ struct ipfw_flow_id id ;
+ struct ipfw_flow_id mask ;
+ struct ip_fw_chain *chain ; /* pointer to parent rule */
+ u_int32_t type ; /* rule type */
+ u_int32_t expire ; /* expire time */
+ u_int64_t pcnt, bcnt; /* match counters */
+ u_int32_t bucket ; /* which bucket in hash table */
+ u_int32_t state ; /* state of this rule (typ. a */
+ /* combination of TCP flags) */
+} ;
+
+/*
  * Values for "flags" field .
  */
 #define IP_FW_F_COMMAND 0x000000ff /* Mask for type of chain entry: */
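Review bot: `dyn_type` in `struct ip_fw_ext` is documented only as "type for dynamic rule", and nothing in this header says which values are valid or where they are defined; the comment should name the accepted set or point at its definition, e.g. `/* type for dynamic rule; see the dynamic-rule type constants — TODO reference them here */`. It is declared `u_int` while the `type` field of the new `struct ipfw_dyn_rule` in the following hunk is `u_int32_t`; if one is assigned from the other, the two should share a type. If `struct ip_fw_ext` reaches the kernel through the `ip_fw_ctl_t` sockopt path (the typedef near the end of this file suggests it does), the kernel side should reject unknown `dyn_type` values instead of storing them, and that expectation belongs in the comment as well.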
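Review bot: `struct ipfw_dyn_rule.chain` is a raw back-pointer to the parent `struct ip_fw_chain`, and nothing in the hunk states what keeps it valid once the parent rule is deleted; the comment should spell out the lifetime rule, e.g. `/* pointer to parent rule; dynamic rules referencing a chain entry must be removed before that entry is freed */`, with the enforcement confirmed against the .c side since it is not visible here. `expire` is commented only as "expire time" with no unit or reference point; something like `/* expire time (absolute, in <ticks or seconds> — TODO confirm) */` would save the next reader a trip into the source. `struct ipfw_flow_id` has 14 bytes of fields, so the compiler will normally pad it to 16; if instances are compared or hashed bytewise, or `mask` is applied with a bytewise AND, the padding must be zeroed wherever a flow id is built, which is worth stating in the comment above the struct. That comment also says "for each queue", which reads as dummynet terminology; "per flow / per dynamic rule" would describe this use.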
@@ -173,9 +200,11 @@ struct ip_fw_chain {
 #define IP_FW_F_RND_MATCH 0x00800000 /* probabilistic rule match */
 #define IP_FW_F_SMSK 0x01000000 /* src-port + mask */
 #define IP_FW_F_DMSK 0x02000000 /* dst-port + mask */
-#define IP_FW_F_KEEP_S 0x04000000 /* keep state */
+#define IP_FW_BRIDGED 0x04000000 /* only match bridged packets */
+#define IP_FW_F_KEEP_S 0x08000000 /* keep state */
+#define IP_FW_F_CHECK_S 0x10000000 /* check state */
 
-#define IP_FW_F_MASK 0x03FFFFFF /* All possible flag bits mask */
+#define IP_FW_F_MASK 0x1FFFFFFF /* All possible flag bits mask */
 
 /*
  * For backwards compatibility with rules specifying "via iface" but
@@ -231,7 +260,9 @@ typedef int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
 typedef int ip_fw_ctl_t __P((struct sockopt *));
 extern ip_fw_chk_t *ip_fw_chk_ptr;
 extern ip_fw_ctl_t *ip_fw_ctl_ptr;
-
+extern int fw_one_pass;
+extern int fw_enable;
+extern struct ipfw_flow_id last_pkt ;
 #endif /* _KERNEL */
 
 #endif /* _IP_FW_H */
--
cgit v1.1
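Review bot: `IP_FW_BRIDGED` breaks the `IP_FW_F_` naming used by every other flag in this block (`IP_FW_F_RND_MATCH`, `IP_FW_F_SMSK`, `IP_FW_F_DMSK`, `IP_FW_F_KEEP_S`, `IP_FW_F_CHECK_S`); `#define IP_FW_F_BRIDGED 0x04000000 /* only match bridged packets */` keeps the block consistent and makes it obvious the bit belongs under `IP_FW_F_MASK`. Moving `IP_FW_F_KEEP_S` from 0x04000000 to 0x08000000 also changes the rule ABI: a userland ipfw built against the old header that sets keep-state will now be read by the kernel as bridged-only, and silently so, because the old bit remains inside the widened `IP_FW_F_MASK`. If that is accepted, a one-line comment above the block recording the renumbering, and that rule sets must be reloaded with a matching ipfw(8), would help whoever hits it.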
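Review bot: The three new `extern` declarations carry no comments, and `last_pkt` is a global `struct ipfw_flow_id` whose writer and meaning are stated nowhere in this header; each should get a one-line comment saying what it holds and who updates it, taken from the .c side rather than guessed. If `last_pkt` is overwritten per packet, as its name suggests, it is shared mutable state with no synchronization visible here, which deserves a note next to the declaration. Minor style: `last_pkt ;` has a space before the semicolon while the two lines above it do not, and removing the blank line leaves the declarations flush against `#endif /* _KERNEL */`.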