source: rtems/cpukit/libnetworking/netinet/ip_fw.h @ 39e6e65a

Last change on this file since 39e6e65a was 39e6e65a, checked in by Joel Sherrill <joel.sherrill@…>, on 08/19/98 at 21:32:28

Base files

1/*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 *
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
7 *
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
11 *
12 * This software is provided ``AS IS'' without any warranties of any kind.
13 *
14 *      $Id$
15 */
16
17#ifndef _IP_FW_H
18#define _IP_FW_H
19
20#include <net/if.h>
21
/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */
34
union ip_fw_if {
    struct in_addr fu_via_ip;   /* Specified by IP address (0.0.0.0 = any interface) */
    struct {                    /* Specified by interface name and unit number */
#define FW_IFNLEN     IFNAMSIZ
            char  name[FW_IFNLEN];  /* Interface name; nothing in this declaration
                                     * guarantees NUL termination, so readers should
                                     * bound their scans by FW_IFNLEN */
            short unit;         /* -1 means match any unit */
    } fu_via_if;
};
43
44/*
45 * Format of an IP firewall descriptor
46 *
47 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
48 * fw_flg and fw_n*p are stored in host byte order (of course).
49 * Port numbers are stored in HOST byte order.
50 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
51 */
52
struct ip_fw {
    u_long fw_pcnt,fw_bcnt;             /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;      /* Source and destination IP addr (network order) */
    struct in_addr fw_smsk, fw_dmsk;    /* Mask for src and dest IP addr (network order) */
    u_short fw_number;                  /* Rule number */
    u_short fw_flg;                     /* Flags word: IP_FW_F_* bits, host order */
#define IP_FW_MAX_PORTS 10              /* A reasonable maximum */
    u_short fw_pts[IP_FW_MAX_PORTS];    /* Array of port numbers to match (host order).
                                         * With IP_FW_F_SRNG / IP_FW_F_DRNG the first two
                                         * entries of that side are a min/max range. */
    u_char fw_ipopt,fw_ipnopt;          /* IP options set/unset (IP_FW_IPOPT_* bits) */
    u_char fw_tcpf,fw_tcpnf;            /* TCP flags set/unset (IP_FW_TCPF_* bits) */
#define IP_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
    unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap: 32 bits in total
                                                 * (presumably bit i = ICMP type i); only
                                                 * consulted when IP_FW_F_ICMPBIT is set */
    long timestamp;                     /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if; /* Incoming and outgoing interfaces */
    union {                             /* Per-action argument; which member is live is
                                         * decided by the IP_FW_F_COMMAND bits of fw_flg */
        u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
        u_short fu_skipto_rule;         /* SKIPTO command rule number */
        u_short fu_reject_code;         /* REJECT response code */
    } fw_un;
    u_char fw_prot;                     /* IP protocol */
    u_char fw_nports;                   /* N'of src ports and # of dst ports */
                                        /* in ports array (dst ports follow */
                                        /* src ports; max of 10 ports in all; */
                                        /* count of 0 means match all ports) */
                                        /* Packed: low nibble = src count, high */
                                        /* nibble = dst count; use the */
                                        /* IP_FW_GETN*P / IP_FW_SETN*P macros. */
};
78
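/*
 * Accessors for the packed fw_nports byte: the low nibble holds the number
 * of source ports and the high nibble the number of destination ports, both
 * counted into fw_pts[] (src ports first).
 *
 * The setters mask the count to its own nibble. Without the mask a count
 * above 15 (rules arrive from user space via setsockopt()) would spill into
 * the neighbouring nibble and silently change the other side's port count.
 * Callers must still reject src + dst > IP_FW_MAX_PORTS; that is not
 * enforced here.
 */
#define IP_FW_GETNSRCP(rule)            ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)         do {                                    \
                                          (rule)->fw_nports &= ~0x0f;           \
                                          (rule)->fw_nports |= ((n) & 0x0f);    \
                                        } while (0)
#define IP_FW_GETNDSTP(rule)            ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)         do {                                    \
                                          (rule)->fw_nports &= ~0xf0;           \
                                          (rule)->fw_nports |= (((n) & 0x0f) << 4); \
                                        } while (0)

/* Member aliases so callers can write rule->fw_divert_port etc. directly. */
#define fw_divert_port  fw_un.fu_divert_port
#define fw_skipto_rule  fw_un.fu_skipto_rule
#define fw_reject_code  fw_un.fu_reject_code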
93
/*
 * One element of the firewall rule chain: a list link plus the rule it
 * carries. Ordering (by fw_number) and ownership of *rule are decided by
 * the chain code, not by this declaration — NOTE(review): confirm there.
 */
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) chain;  /* list linkage (<sys/queue.h> LIST) */
        struct ip_fw    *rule;          /* the rule at this position in the chain */
};
98
/*
 * Values for the fw_flg "flags" field.
 */
/* Direction and interface-test bits: which packets the rule is consulted for. */
#define IP_FW_F_IN      0x0001  /* Check inbound packets                */
#define IP_FW_F_OUT     0x0002  /* Check outbound packets               */
#define IP_FW_F_IIFACE  0x0004  /* Apply inbound interface test         */
#define IP_FW_F_OIFACE  0x0008  /* Apply outbound interface test        */

/*
 * Action: a 3-bit field (bits 4..6) extracted with IP_FW_F_COMMAND.
 * fw_flg & IP_FW_F_COMMAND equals exactly one of the values below; it also
 * selects which member of fw_un in struct ip_fw is meaningful.
 */
#define IP_FW_F_COMMAND 0x0070  /* Mask for type of chain entry:        */
#define IP_FW_F_DENY    0x0000  /* This is a deny rule                  */
#define IP_FW_F_REJECT  0x0010  /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT  0x0020  /* This is an accept rule               */
#define IP_FW_F_COUNT   0x0030  /* This is a count rule                 */
#define IP_FW_F_DIVERT  0x0040  /* This is a divert rule                */
#define IP_FW_F_TEE     0x0050  /* This is a tee rule                   */
#define IP_FW_F_SKIPTO  0x0060  /* This is a skipto rule                */

#define IP_FW_F_PRN     0x0080  /* Print if this rule matches           */

/* Port-range modifiers: reinterpret the first two fw_pts[] entries of a side. */
#define IP_FW_F_SRNG    0x0100  /* The first two src ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

#define IP_FW_F_DRNG    0x0200  /* The first two dst ports are a min    *
                                 * and max range (stored in host byte   *
                                 * order).                              */

/* Interface match mode: union ip_fw_if holds a name/unit instead of an address. */
#define IP_FW_F_IIFNAME 0x0400  /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME 0x0800  /* Out interface by name/unit (not IP)  */

/* Negation of the address checks; note these invert the match, not the action. */
#define IP_FW_F_INVSRC  0x1000  /* Invert sense of src check            */
#define IP_FW_F_INVDST  0x2000  /* Invert sense of dst check            */

#define IP_FW_F_FRAG    0x4000  /* Fragment                             */

#define IP_FW_F_ICMPBIT 0x8000  /* ICMP type bitmap is valid            */

#define IP_FW_F_MASK    0xFFFF  /* All possible flag bits mask          *
                                 * (presumably used to reject rules     *
                                 * with unknown bits — confirm in the   *
                                 * rule-validation code)                */
137
138/*
139 * For backwards compatibility with rules specifying "via iface" but
140 * not restricted to only "in" or "out" packets, we define this combination
141 * of bits to represent this configuration.
142 */
143
/* Note the historical IF_FW_ (not IP_FW_) prefix; keep it, callers depend on the name. */
#define IF_FW_F_VIAHACK (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
145
146/*
147 * Definitions for REJECT response codes.
148 * Values less than 256 correspond to ICMP unreachable codes.
149 */
/* Stored in fw_reject_code; deliberately >= 256 so it cannot collide with an ICMP code. */
#define IP_FW_REJECT_RST        0x0100          /* TCP packets: send RST */
151
152/*
153 * Definitions for IP option names.
154 */
/* Bit flags for fw_ipopt (options that must be present) and fw_ipnopt (must be absent). */
#define IP_FW_IPOPT_LSRR        0x01    /* loose source route */
#define IP_FW_IPOPT_SSRR        0x02    /* strict source route */
#define IP_FW_IPOPT_RR          0x04    /* record route */
#define IP_FW_IPOPT_TS          0x08    /* timestamp */
159
160/*
161 * Definitions for TCP flags.
162 */
/*
 * Bit flags for fw_tcpf (flags that must be set) and fw_tcpnf (must be clear).
 * All but IP_FW_TCPF_ESTAB alias the TH_* header bits from <netinet/tcp.h>,
 * so the two sets share one u_char and must not overlap.
 */
#define IP_FW_TCPF_FIN          TH_FIN
#define IP_FW_TCPF_SYN          TH_SYN
#define IP_FW_TCPF_RST          TH_RST
#define IP_FW_TCPF_PSH          TH_PUSH
#define IP_FW_TCPF_ACK          TH_ACK
#define IP_FW_TCPF_URG          TH_URG
#define IP_FW_TCPF_ESTAB        0x40    /* not a TH_* bit: a pseudo-flag whose
                                         * meaning is defined by the filter code
                                         * — NOTE(review): confirm in ip_fw.c */
170
171/*
172 * Main firewall chains definitions and global var's definitions.
173 */
174#ifdef KERNEL
175
176/*
177 * Function definitions.
178 */
/* Kernel-only entry point that sets up the firewall (called once at startup — TODO confirm caller). */
void ip_fw_init(void);
180
181#endif /* KERNEL */
182
183#endif /* _IP_FW_H */