author | Poul-Henning Kamp <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
committer | Poul-Henning Kamp <phk@FreeBSD.org> | 1996-02-23 15:47:58 +0000 |
commit | e7319bab6bd0bb7f1f719c5cbb670d5ed21b3296 (patch) | |
tree | 97c7360219d204b89bc15ace01e53279c1509f40 /sys/netinet/ip_fw.h | |
parent | b69a06147a085c1b58c89a15d2afc8e8ce5ce6fe (diff) | |
Big sweep over the IPFIREWALL and IPACCT code.
Close the ip-fragment hole.
Waste less memory.
Rewrite to contemporary more readable style.
Kill separate IPACCT facility, use "accept" rules in IPFIREWALL.
Filter incoming >and< outgoing packets.
Replace "policy" by sticky "deny all" rule.
Rules have numbers used for ordering and deletion.
Remove "reorder" code entirely.
Count packet & bytecount matches for rules.
Code in -current & -stable is now the same.
Notes
Notes:
svn path=/head/; revision=14209
Diffstat (limited to 'sys/netinet/ip_fw.h')
-rw-r--r-- | sys/netinet/ip_fw.h | 100 |
1 files changed, 36 insertions, 64 deletions
diff --git a/sys/netinet/ip_fw.h b/sys/netinet/ip_fw.h
index bc2dfc528533..3a2962fab641 100644
--- a/sys/netinet/ip_fw.h
+++ b/sys/netinet/ip_fw.h
@@ -11,7 +11,7 @@
  *
  * This software is provided ``AS IS'' without any warranties of any kind.
  *
- * $Id: ip_fw.h,v 1.13 1995/07/23 05:36:30 davidg Exp $
+ * $Id: ip_fw.h,v 1.11.4.2 1996/02/23 15:26:05 phk Exp $
  */
 
 /*
@@ -25,14 +25,9 @@
 #define _IP_FW_H
 
 struct ip_fw {
-	struct ip_fw *fw_next;			/* Next firewall on chain */
+	u_long fw_pcnt,fw_bcnt;			/* Packet and byte counters */
 	struct in_addr fw_src, fw_dst;		/* Source and destination IP addr */
 	struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
-	/*
-	 * This union keeps all "via" information.
-	 * If ever fu_via_ip is 0,or IP_FW_F_IFNAME set and
-	 * fu_via_name[0] is 0 - match any packet.
-	 */
 	union {
 		struct in_addr fu_via_ip;
 		struct {
@@ -41,6 +36,10 @@ struct ip_fw {
 			short fu_via_unit;
 		} fu_via_if;
 	} fu_via_un;
+#define fw_via_ip	fu_via_un.fu_via_ip
+#define fw_via_name	fu_via_un.fu_via_if.fu_via_name
+#define fw_via_unit	fu_via_un.fu_via_if.fu_via_unit
+	u_short fw_number;
 	u_short fw_flg;				/* Flags word */
 	u_short fw_nsp, fw_ndp;			/* N'of src ports and # of dst ports */
 						/* in ports array (dst ports follow */
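Review bot: `u_short fw_number;` in the third hunk is the only struct ip_fw member without a trailing comment, and the second hunk deletes the comment that told readers when fu_via_un matches any packet (fu_via_ip of 0, or IP_FW_F_IFNAME with an empty fu_via_name) without restating it; suggest `u_short fw_number;			/* Rule number: orders the chain and identifies the rule for deletion */` and moving the any-match note next to the new fw_via_* macros, since the field names and presumably the semantics are unchanged. The struct is, as far as this header shows, what userland hands the kernel through the IP_FW_ADD option, so a one-line comment on fw_pcnt/fw_bcnt saying whether the kernel resets the counters on add or keeps whatever the caller supplied would document that boundary; that behaviour is not visible here. On 32-bit targets a u_long byte counter wraps after 4 GiB, which is worth stating if the counters are meant for accounting. The struct continues past the end of the third hunk.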
@@ -48,46 +47,40 @@ struct ip_fw { /* count of 0 means match all ports) */ #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ u_short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ - u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */ u_char fw_ipopt,fw_ipnopt; /* IP options set/unset */ u_char fw_tcpf,fw_tcpnf; /* TCP flags sen/unset */ }; - -/* - * Definitions to make expressions - * for "via" stuff shorter. - */ -#define fw_via_ip fu_via_un.fu_via_ip -#define fw_via_name fu_via_un.fu_via_if.fu_via_name -#define fw_via_unit fu_via_un.fu_via_if.fu_via_unit +struct ip_fw_chain { + LIST_ENTRY(ip_fw_chain) chain; + struct ip_fw *rule; +}; /* * Values for "flags" field . */ -#define IP_FW_F_ALL 0x000 /* This is a universal packet firewall*/ -#define IP_FW_F_TCP 0x001 /* This is a TCP packet firewall */ -#define IP_FW_F_UDP 0x002 /* This is a UDP packet firewall */ -#define IP_FW_F_ICMP 0x003 /* This is a ICMP packet firewall */ -#define IP_FW_F_KIND 0x003 /* Mask to isolate firewall kind */ -#define IP_FW_F_ACCEPT 0x004 /* This is an accept firewall (as * - * opposed to a deny firewall)* - * */ -#define IP_FW_F_SRNG 0x008 /* The first two src ports are a min * +#define IP_FW_F_ALL 0x000 /* This is a universal packet rule */ +#define IP_FW_F_TCP 0x001 /* This is a TCP packet rule */ +#define IP_FW_F_UDP 0x002 /* This is a UDP packet rule */ +#define IP_FW_F_ICMP 0x003 /* This is a ICMP packet rule */ +#define IP_FW_F_KIND 0x003 /* Mask to isolate rule kind */ + +#define IP_FW_F_ACCEPT 0x004 /* This is an accept rule */ +#define IP_FW_F_PRN 0x008 /* Print if this rule matches */ +#define IP_FW_F_ICMPRPL 0x010 /* Send back icmp unreachable packet */ + +#define IP_FW_F_SRNG 0x020 /* The first two src ports are a min * * and max range (stored in host byte * - * order). * - * */ -#define IP_FW_F_DRNG 0x010 /* The first two dst ports are a min * + * order). 
*/ + +#define IP_FW_F_DRNG 0x040 /* The first two dst ports are a min * * and max range (stored in host byte * - * order). * - * (ports[0] <= port <= ports[1]) * - * */ -#define IP_FW_F_PRN 0x020 /* In verbose mode print this firewall*/ -#define IP_FW_F_BIDIR 0x040 /* For accounting-count two way */ -#define IP_FW_F_ICMPRPL 0x100 /* Send back icmp unreachable packet */ -#define IP_FW_F_IFNAME 0x200 /* Use interface name/unit (not IP) */ -#define IP_FW_F_MASK 0x3FF /* All possible flag bits mask */ + * order). */ + +#define IP_FW_F_IFNAME 0x080 /* Use interface name/unit (not IP) */ + +#define IP_FW_F_MASK 0x0FF /* All possible flag bits mask */ /* * Definitions for IP option names. @@ -110,18 +103,12 @@ struct ip_fw { /* * New IP firewall options for [gs]etsockopt at the RAW IP level. */ -#define IP_FW_BASE_CTL 53 - -#define IP_FW_ADD (IP_FW_BASE_CTL) -#define IP_FW_DEL (IP_FW_BASE_CTL+4) -#define IP_FW_FLUSH (IP_FW_BASE_CTL+6) -#define IP_FW_POLICY (IP_FW_BASE_CTL+7) +#define IP_FW_BASE_CTL 50 -#define IP_ACCT_ADD (IP_FW_BASE_CTL+10) -#define IP_ACCT_DEL (IP_FW_BASE_CTL+11) -#define IP_ACCT_FLUSH (IP_FW_BASE_CTL+12) -#define IP_ACCT_ZERO (IP_FW_BASE_CTL+13) -#define IP_ACCT_CLR (IP_FW_BASE_CTL+14) +#define IP_FW_ADD (IP_FW_BASE_CTL+0) +#define IP_FW_DEL (IP_FW_BASE_CTL+1) +#define IP_FW_FLUSH (IP_FW_BASE_CTL+2) +#define IP_FW_ZERO (IP_FW_BASE_CTL+3) /* * Policy flags... 
@@ -138,30 +125,15 @@ struct ip_fw {
 #ifdef KERNEL
 
 /*
- * Variables/chain.
- */
-extern struct ip_fw *ip_fw_chain;
-extern u_short ip_fw_policy;
-
-extern struct ip_fw *ip_acct_chain;
-
-/*
  * Function pointers.
  */
-extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
+extern int (*ip_fw_chk_ptr)(struct mbuf *, struct ip *,struct ifnet *, int dir);
 extern int (*ip_fw_ctl_ptr)(int,struct mbuf *);
 
-extern void (*ip_acct_cnt_ptr)(struct ip *,struct ifnet *,struct ip_fw *,int);
-extern int (*ip_acct_ctl_ptr)(int,struct mbuf *);
-
 /*
  * Function definitions.
  */
-int ip_fw_chk(struct mbuf *, struct ip *,struct ifnet *,struct ip_fw *);
-int ip_fw_ctl(int,struct mbuf *);
-
-void ip_acct_cnt(struct ip *,struct ifnet *,struct ip_fw *,int);
-int ip_acct_ctl(int,struct mbuf *);
+void ip_fw_init(void);
 
 #endif /* KERNEL */
 
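Review bot: The new `int dir` parameter of ip_fw_chk_ptr has no named values in this header, so the callers on the input and output paths and the checker must agree on a bare integer encoding that is not visible here; define the two directions as named constants next to the prototype, or at minimum add `/* dir: packet direction; values are defined by the checker in ip_fw.c */` so the contract is stated where the pointer is declared. `void ip_fw_init(void);` is added without a comment; a line saying what it installs (presumably ip_fw_chk_ptr and ip_fw_ctl_ptr) and that it must run before the first packet is filtered would make the ordering obligation explicit. With ip_fw_policy gone, the deny-all behaviour lives only in the rule chain, which is worth noting here so that no global policy variable is reintroduced later.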