1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
|
/* $FreeBSD$ */
/*
* Copyright (C) 2012 by Darren Reed.
*
* See the IPFILTER.LICENCE file for details on licencing.
*
* @(#)ip_state.h 1.3 1/12/96 (C) 1995 Darren Reed
* $FreeBSD$
* Id: ip_state.h,v 2.68.2.10 2007/10/16 09:33:24 darrenr Exp $
*/
#ifndef __IP_STATE_H__
#define __IP_STATE_H__
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCDELST _IOW('r', 61, struct ipfobj)
#else
# define SIOCDELST _IOW(r, 61, struct ipfobj)
#endif
struct ipscan;
#ifndef IPSTATE_SIZE
# define IPSTATE_SIZE 5737
#endif
#ifndef IPSTATE_MAX
# define IPSTATE_MAX 4013 /* Maximum number of states held */
#endif
#define PAIRS(s1,d1,s2,d2) ((((s1) == (s2)) && ((d1) == (d2))) ||\
(((s1) == (d2)) && ((d1) == (s2))))
#define IPPAIR(s1,d1,s2,d2) PAIRS((s1).s_addr, (d1).s_addr, \
(s2).s_addr, (d2).s_addr)
typedef struct ipstate {
ipfmutex_t is_lock;
struct ipstate *is_next;
struct ipstate **is_pnext;
struct ipstate *is_hnext;
struct ipstate **is_phnext;
struct ipstate **is_me;
void *is_ifp[4];
void *is_sync;
frentry_t *is_rule;
struct ipftq *is_tqehead[2];
struct ipscan *is_isc;
U_QUAD_T is_pkts[4];
U_QUAD_T is_bytes[4];
U_QUAD_T is_icmppkts[4];
struct ipftqent is_sti;
u_int is_frage[2];
int is_ref; /* reference count */
int is_isninc[2];
u_short is_sumd[2];
i6addr_t is_src;
i6addr_t is_dst;
u_int is_pass;
u_char is_p; /* Protocol */
u_char is_v;
int is_family;
u_32_t is_hv;
u_32_t is_tag;
u_32_t is_opt[2]; /* packet options set */
u_32_t is_optmsk[2]; /* " " mask */
u_short is_sec; /* security options set */
u_short is_secmsk; /* " " mask */
u_short is_auth; /* authentication options set */
u_short is_authmsk; /* " " mask */
union {
icmpinfo_t is_ics;
tcpinfo_t is_ts;
udpinfo_t is_us;
greinfo_t is_ug;
} is_ps;
u_32_t is_flags;
int is_flx[2][2];
u_32_t is_rulen; /* rule number when created */
u_32_t is_s0[2];
u_short is_smsk[2];
frdest_t is_dif;
frdest_t is_tifs[2];
char is_group[FR_GROUPLEN];
char is_sbuf[2][16];
char is_ifname[4][LIFNAMSIZ];
} ipstate_t;
#define is_die is_sti.tqe_die
#define is_state is_sti.tqe_state
#define is_touched is_sti.tqe_touched
#define is_saddr is_src.in4.s_addr
#define is_daddr is_dst.in4.s_addr
#define is_icmp is_ps.is_ics
#define is_type is_icmp.ici_type
#define is_tcp is_ps.is_ts
#define is_udp is_ps.is_us
#define is_send is_tcp.ts_data[0].td_end
#define is_dend is_tcp.ts_data[1].td_end
#define is_maxswin is_tcp.ts_data[0].td_maxwin
#define is_maxdwin is_tcp.ts_data[1].td_maxwin
#define is_maxsend is_tcp.ts_data[0].td_maxend
#define is_maxdend is_tcp.ts_data[1].td_maxend
#define is_swinscale is_tcp.ts_data[0].td_winscale
#define is_dwinscale is_tcp.ts_data[1].td_winscale
#define is_swinflags is_tcp.ts_data[0].td_winflags
#define is_dwinflags is_tcp.ts_data[1].td_winflags
#define is_sport is_tcp.ts_sport
#define is_dport is_tcp.ts_dport
#define is_ifpin is_ifp[0]
#define is_ifpout is_ifp[2]
#define is_gre is_ps.is_ug
#define is_call is_gre.gs_call
#define IS_WSPORT SI_W_SPORT /* 0x00100 */
#define IS_WDPORT SI_W_DPORT /* 0x00200 */
#define IS_WSADDR SI_W_SADDR /* 0x00400 */
#define IS_WDADDR SI_W_DADDR /* 0x00800 */
#define IS_NEWFR SI_NEWFR /* 0x01000 */
#define IS_CLONE SI_CLONE /* 0x02000 */
#define IS_CLONED SI_CLONED /* 0x04000 */
#define IS_TCPFSM 0x10000
#define IS_STRICT 0x20000
#define IS_ISNSYN 0x40000
#define IS_ISNACK 0x80000
#define IS_STATESYNC 0x100000
#define IS_LOOSE 0x200000
/*
* IS_SC flags are for scan-operations that need to be recognised in state.
*/
#define IS_SC_CLIENT 0x10000000
#define IS_SC_SERVER 0x20000000
#define IS_SC_MATCHC 0x40000000
#define IS_SC_MATCHS 0x80000000
#define IS_SC_MATCHALL (IS_SC_MATCHC|IS_SC_MATCHC)
#define IS_SC_ALL (IS_SC_MATCHC|IS_SC_MATCHC|IS_SC_CLIENT|IS_SC_SERVER)
/*
* Flags that can be passed into ipf_addstate
*/
#define IS_INHERITED 0x0fffff00
#define TH_OPENING (TH_SYN|TH_ACK)
/*
* is_flags:
* Bits 0 - 3 are use as a mask with the current packet's bits to check for
* whether it is short, tcp/udp, a fragment or the presence of IP options.
* Bits 4 - 7 are set from the initial packet and contain what the packet
* anded with bits 0-3 must match.
* Bits 8,9 are used to indicate wildcard source/destination port matching.
* Bits 10,11 are reserved for other wildcard flag compatibility.
* Bits 12,13 are for scaning.
*/
typedef struct ipstate_save {
void *ips_next;
struct ipstate ips_is;
struct frentry ips_fr;
} ipstate_save_t;
#define ips_rule ips_is.is_rule
typedef struct ipslog {
U_QUAD_T isl_pkts[4];
U_QUAD_T isl_bytes[4];
i6addr_t isl_src;
i6addr_t isl_dst;
u_32_t isl_tag;
u_short isl_type;
union {
u_short isl_filler[2];
u_short isl_ports[2];
u_short isl_icmp;
} isl_ps;
u_char isl_v;
u_char isl_p;
u_char isl_flags;
u_char isl_state[2];
u_32_t isl_rulen;
char isl_group[FR_GROUPLEN];
} ipslog_t;
#define isl_sport isl_ps.isl_ports[0]
#define isl_dport isl_ps.isl_ports[1]
#define isl_itype isl_ps.isl_icmp
#define ISL_NEW 0
#define ISL_CLONE 1
#define ISL_STATECHANGE 2
#define ISL_EXPIRE 0xffff
#define ISL_FLUSH 0xfffe
#define ISL_REMOVE 0xfffd
#define ISL_INTERMEDIATE 0xfffc
#define ISL_KILLED 0xfffb
#define ISL_ORPHAN 0xfffa
#define ISL_UNLOAD 0xfff9
typedef struct ips_stat {
u_int iss_active;
u_int iss_active_proto[256];
u_long iss_add_bad;
u_long iss_add_dup;
u_long iss_add_locked;
u_long iss_add_oow;
u_long iss_bucket_full;
u_long iss_check_bad;
u_long iss_check_miss;
u_long iss_check_nattag;
u_long iss_check_notag;
u_long iss_clone_nomem;
u_long iss_cloned;
u_long iss_expire;
u_long iss_fin;
u_long iss_flush_all;
u_long iss_flush_closing;
u_long iss_flush_queue;
u_long iss_flush_state;
u_long iss_flush_timeout;
u_long iss_hits;
u_long iss_icmp6_icmperr;
u_long iss_icmp6_miss;
u_long iss_icmp6_notinfo;
u_long iss_icmp6_notquery;
u_long iss_icmp_bad;
u_long iss_icmp_banned;
u_long iss_icmp_headblock;
u_long iss_icmp_hits;
u_long iss_icmp_icmperr;
u_long iss_icmp_miss;
u_long iss_icmp_notquery;
u_long iss_icmp_short;
u_long iss_icmp_toomany;
u_int iss_inuse;
ipstate_t *iss_list;
u_long iss_log_fail;
u_long iss_log_ok;
u_long iss_lookup_badifp;
u_long iss_lookup_badport;
u_long iss_lookup_miss;
u_long iss_max;
u_long iss_max_ref;
u_long iss_max_track;
u_long iss_miss_mask;
u_long iss_nomem;
u_long iss_oow;
u_long iss_orphan;
u_long iss_proto[256];
u_long iss_scan_block;
u_long iss_state_max;
u_long iss_state_size;
u_long iss_states[IPF_TCP_NSTATES];
ipstate_t **iss_table;
u_long iss_tcp_closing;
u_long iss_tcp_oow;
u_long iss_tcp_rstadd;
u_long iss_tcp_toosmall;
u_long iss_tcp_badopt;
u_long iss_tcp_fsm;
u_long iss_tcp_strict;
ipftq_t *iss_tcptab;
u_int iss_ticks;
u_long iss_wild;
u_long iss_winsack;
u_int *iss_bucketlen;
} ips_stat_t;
typedef struct ipf_state_softc_s {
ipfmutex_t ipf_stinsert;
int ipf_state_logging;
int ipf_state_lock;
int ipf_state_doflush;
u_int ipf_state_inited;
u_int ipf_state_max;
u_int ipf_state_maxbucket;
u_int ipf_state_size;
u_int ipf_state_wm_freq;
u_int ipf_state_wm_high;
u_int ipf_state_wm_low;
u_int ipf_state_wm_last;
u_long *ipf_state_seed;
ipstate_t *ipf_state_list;
ipstate_t **ipf_state_table;
ipftuneable_t *ipf_state_tune;
ipftq_t *ipf_state_usertq;
ipftq_t ipf_state_pending;
ipftq_t ipf_state_deletetq;
ipftq_t ipf_state_udptq;
ipftq_t ipf_state_udpacktq;
ipftq_t ipf_state_iptq;
ipftq_t ipf_state_icmptq;
ipftq_t ipf_state_icmpacktq;
ipftq_t ipf_state_tcptq[IPF_TCP_NSTATES];
ips_stat_t ipf_state_stats;
} ipf_state_softc_t;
#ifndef _KERNEL
extern void ipf_state_dump __P((ipf_main_softc_t *, void *));
#endif
extern int ipf_tcp_age __P((struct ipftqent *, struct fr_info *,
struct ipftq *, int, int));
extern int ipf_tcpinwindow __P((struct fr_info *, struct tcpdata *,
struct tcpdata *, tcphdr_t *, int));
extern int ipf_state_add __P((ipf_main_softc_t *, fr_info_t *,
ipstate_t **, u_int));
extern frentry_t *ipf_state_check __P((struct fr_info *, u_32_t *));
extern void ipf_state_deref __P((ipf_main_softc_t *, ipstate_t **));
extern void ipf_state_expire __P((ipf_main_softc_t *));
extern int ipf_state_flush __P((ipf_main_softc_t *, int, int));
extern ipstate_t *ipf_state_lookup __P((fr_info_t *, tcphdr_t *, ipftq_t **));
extern int ipf_state_init __P((void));
extern int ipf_state_insert __P((ipf_main_softc_t *, struct ipstate *, int));
extern int ipf_state_ioctl __P((ipf_main_softc_t *, caddr_t, ioctlcmd_t, int, int, void *));
extern void ipf_state_log __P((ipf_main_softc_t *, struct ipstate *, u_int));
extern int ipf_state_matchflush __P((ipf_main_softc_t *, caddr_t));
extern int ipf_state_rehash __P((ipf_main_softc_t *, ipftuneable_t *, ipftuneval_t *));
extern void ipf_state_setqueue __P((ipf_main_softc_t *, ipstate_t *, int));
extern void ipf_state_setpending __P((ipf_main_softc_t *, ipstate_t *));
extern int ipf_state_settimeout __P((struct ipf_main_softc_s *, ipftuneable_t *, ipftuneval_t *));
extern void ipf_state_sync __P((ipf_main_softc_t *, void *));
extern void ipf_state_update __P((fr_info_t *, ipstate_t *));
extern void ipf_sttab_init __P((ipf_main_softc_t *, struct ipftq *));
extern void ipf_sttab_destroy __P((struct ipftq *));
extern void ipf_state_setlock __P((void *, int));
extern int ipf_state_main_load __P((void));
extern int ipf_state_main_unload __P((void));
extern void *ipf_state_soft_create __P((ipf_main_softc_t *));
extern void ipf_state_soft_destroy __P((ipf_main_softc_t *, void *));
extern int ipf_state_soft_init __P((ipf_main_softc_t *, void *));
extern int ipf_state_soft_fini __P((ipf_main_softc_t *, void *));
extern ipftq_t *ipf_state_add_tq __P((ipf_main_softc_t *, int));
#endif /* __IP_STATE_H__ */
|