1/* 2 * Written by Toshiharu OHNO (tony-o@iij.ad.jp) 3 * 4 * Copyright (C) 1993, Internet Initiative Japan, Inc. All rights reserverd. 5 * 6 * Redistribution and use in source and binary forms are permitted 7 * provided that the above copyright notice and this paragraph are 8 * duplicated in all such forms and that any documentation, 9 * advertising materials, and other materials related to such 10 * distribution and use acknowledge that the software was developed 11 * by the Internet Initiative Japan. The name of the 12 * IIJ may not be used to endorse or promote products derived 13 * from this software without specific prior written permission. 14 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 16 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 17 *
| 1/* 2 * Written by Toshiharu OHNO (tony-o@iij.ad.jp) 3 * 4 * Copyright (C) 1993, Internet Initiative Japan, Inc. All rights reserverd. 5 * 6 * Redistribution and use in source and binary forms are permitted 7 * provided that the above copyright notice and this paragraph are 8 * duplicated in all such forms and that any documentation, 9 * advertising materials, and other materials related to such 10 * distribution and use acknowledge that the software was developed 11 * by the Internet Initiative Japan. The name of the 12 * IIJ may not be used to endorse or promote products derived 13 * from this software without specific prior written permission. 14 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR 15 * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED 16 * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. 17 *
|
18 * $Id: filter.h,v 1.15 1999/05/31 23:57:37 brian Exp $
| 18 * $Id: filter.h,v 1.16 1999/06/23 16:48:22 brian Exp $
|
19 * 20 * TODO: 21 */ 22
| 19 * 20 * TODO: 21 */ 22
|
23/* Actions */ 24#define A_NONE 0 25#define A_PERMIT 1 26#define A_DENY 2 27#define A_MASK 3 28#define A_UHOST 4 29#define A_UPORT 8 30 31/* Known protocols */
| 23/* Known protocols - f_proto */
|
32#define P_NONE 0 33#define P_TCP 1 34#define P_UDP 2 35#define P_ICMP 3 36#define P_IGMP 4 37
| 24#define P_NONE 0 25#define P_TCP 1 26#define P_UDP 2 27#define P_ICMP 3 28#define P_IGMP 4 29
|
38/* Operations */
| 30/* Operations - f_srcop, f_dstop */
|
39#define OP_NONE 0 40#define OP_EQ 1 41#define OP_GT 2
| 31#define OP_NONE 0 32#define OP_EQ 1 33#define OP_GT 2
|
42#define OP_LT 4
| 34#define OP_LT 3
|
43 44/* srctype or dsttype */ 45#define T_ADDR 0 46#define T_MYADDR 1 47#define T_HISADDR 2 48
| 35 36/* srctype or dsttype */ 37#define T_ADDR 0 38#define T_MYADDR 1 39#define T_HISADDR 2 40
|
| 41/* 42 * There's a struct filterent for each possible filter rule. The 43 * layout is designed to minimise size (there are 4 * MAXFILTERS of 44 * them) - which is also conveniently a power of 2 (32 bytes) on 45 * architectures where sizeof(int)==4 (this makes indexing faster). 46 * 47 * f_action and f_proto only need to be 6 and 3 bits, respectively, 48 * but making them 8 bits allows them to be efficently accessed using 49 * byte operations as well as allowing space for future expansion 50 * (expanding MAXFILTERS or converting f_proto IPPROTO_... values). 51 * 52 * Note that there are four free bits in the initial word for future 53 * extensions. 54 */
|
49struct filterent {
| 55struct filterent {
|
50 int action; /* Filtering action */ 51 unsigned srctype : 2; /* T_ value of src */ 52 struct in_range src; /* Source address */ 53 unsigned dsttype : 2; /* T_ value of dst */ 54 struct in_range dst; /* Destination address */ 55 int proto; /* Protocol */ 56 struct { 57 short srcop; 58 u_short srcport; 59 short dstop; 60 u_short dstport; 61 unsigned estab : 1; 62 unsigned syn : 1; 63 unsigned finrst : 1; 64 } opt;
| 56 unsigned f_action : 8; /* Filtering action: goto or A_... */ 57 unsigned f_proto : 8; /* Protocol: P_... */ 58 unsigned f_srcop : 2; /* Source port operation: OP_... */ 59 unsigned f_dstop : 2; /* Destination port operation: OP_... */ 60 unsigned f_srctype : 2; /* T_ value of src */ 61 unsigned f_dsttype : 2; /* T_ value of dst */ 62 unsigned f_estab : 1; /* Check TCP ACK bit */ 63 unsigned f_syn : 1; /* Check TCP SYN bit */ 64 unsigned f_finrst : 1; /* Check TCP FIN/RST bits */ 65 unsigned f_invert : 1; /* true to complement match */ 66 struct in_range f_src; /* Source address and mask */ 67 struct in_range f_dst; /* Destination address and mask */ 68 u_short f_srcport; /* Source port, compared with f_srcop */ 69 u_short f_dstport; /* Destination port, compared with f_dstop */
|
65}; 66
| 70}; 71
|
67#define MAXFILTERS 40 /* in each filter set */
| 72#define MAXFILTERS 40 /* in each filter set */
|
68
| 73
|
| 74/* f_action values [0..MAXFILTERS) specify the next filter rule, others are: */ 75#define A_NONE (MAXFILTERS) 76#define A_PERMIT (A_NONE+1) 77#define A_DENY (A_PERMIT+1) 78
|
69struct filter { 70 struct filterent rule[MAXFILTERS]; /* incoming packet filter */ 71 const char *name; 72 unsigned fragok : 1; 73 unsigned logok : 1; 74}; 75
| 79struct filter { 80 struct filterent rule[MAXFILTERS]; /* incoming packet filter */ 81 const char *name; 82 unsigned fragok : 1; 83 unsigned logok : 1; 84}; 85
|
| 86/* Which filter set */
|
76#define FL_IN 0 77#define FL_OUT 1 78#define FL_DIAL 2 79#define FL_KEEP 3 80 81struct ipcp; 82struct cmdargs; 83 84extern int ParseAddr(struct ipcp *, const char *, struct in_addr *, 85 struct in_addr *, int *); 86extern int filter_Show(struct cmdargs const *); 87extern int filter_Set(struct cmdargs const *); 88extern const char * filter_Action2Nam(int); 89extern const char *filter_Proto2Nam(int); 90extern const char *filter_Op2Nam(int); 91extern struct in_addr bits2mask(int); 92extern void filter_AdjustAddr(struct filter *, struct in_addr *, 93 struct in_addr *);
| 87#define FL_IN 0 88#define FL_OUT 1 89#define FL_DIAL 2 90#define FL_KEEP 3 91 92struct ipcp; 93struct cmdargs; 94 95extern int ParseAddr(struct ipcp *, const char *, struct in_addr *, 96 struct in_addr *, int *); 97extern int filter_Show(struct cmdargs const *); 98extern int filter_Set(struct cmdargs const *); 99extern const char * filter_Action2Nam(int); 100extern const char *filter_Proto2Nam(int); 101extern const char *filter_Op2Nam(int); 102extern struct in_addr bits2mask(int); 103extern void filter_AdjustAddr(struct filter *, struct in_addr *, 104 struct in_addr *);
|
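Review bot: With A_NONE moved from 0 to `(MAXFILTERS)` in the new f_action defines, a zero-filled `struct filterent` now reads as "continue at rule 0" rather than "no rule". Any code outside this header that clears a filter set by zeroing it, or tests the action for truthiness, would silently change meaning; those callers are not visible here and should be checked against this change. A comment beside the A_ defines would make the new contract explicit, e.g. `/* NB: 0 is a valid rule index, not A_NONE - set f_action explicitly when clearing a rule */`. Separately, f_action is an 8-bit field while A_DENY is derived from MAXFILTERS, so raising MAXFILTERS past 253 would truncate the stored action without any diagnostic. A guard after the defines, `#if A_DENY > 255` / `#error "f_action too narrow for MAXFILTERS"` / `#endif`, turns that into a build failure.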