ip_fw_private.h (201124) ip_fw_private.h (201527)
1/*-
2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.


17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
1/*-
2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa
3 *
4 * Redistribution and use in source and binary forms, with or without
5 * modification, are permitted provided that the following conditions
6 * are met:
7 * 1. Redistributions of source code must retain the above copyright
8 * notice, this list of conditions and the following disclaimer.


17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23 * SUCH DAMAGE.
24 *
25 * $FreeBSD: head/sys/netinet/ipfw/ip_fw_private.h 201124 2009-12-28 12:29:13Z luigi $
25 * $FreeBSD: head/sys/netinet/ipfw/ip_fw_private.h 201527 2010-01-04 19:01:22Z luigi $
26 */
27
28#ifndef _IPFW2_PRIVATE_H
29#define _IPFW2_PRIVATE_H
30
31/*
32 * Internal constants and data structures used by ipfw components
33 * and not meant to be exported outside the kernel.
34 */
35
36#ifdef _KERNEL
37
38#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */
26 */
27
28#ifndef _IPFW2_PRIVATE_H
29#define _IPFW2_PRIVATE_H
30
31/*
32 * Internal constants and data structures used by ipfw components
33 * and not meant to be exported outside the kernel.
34 */
35
36#ifdef _KERNEL
37
38#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */
39#define MTAG_IPFW_RULE 1262273568 /* rule reference */
39
40/* Return values from ipfw_chk() */
41enum {
42 IP_FW_PASS = 0,
43 IP_FW_DENY,
44 IP_FW_DIVERT,
45 IP_FW_TEE,
46 IP_FW_DUMMYNET,
47 IP_FW_NETGRAPH,
48 IP_FW_NGTEE,
49 IP_FW_NAT,
50 IP_FW_REASS,
51};
52
40
41/* Return values from ipfw_chk() */
42enum {
43 IP_FW_PASS = 0,
44 IP_FW_DENY,
45 IP_FW_DIVERT,
46 IP_FW_TEE,
47 IP_FW_DUMMYNET,
48 IP_FW_NETGRAPH,
49 IP_FW_NGTEE,
50 IP_FW_NAT,
51 IP_FW_REASS,
52};
53
53/* flags for divert mtag */
54#define IP_FW_DIVERT_LOOPBACK_FLAG 0x00080000
55#define IP_FW_DIVERT_OUTPUT_FLAG 0x00100000
56
57/*
58 * Structure for collecting parameters to dummynet for ip6_output forwarding
59 */
60struct _ip6dn_args {
61 struct ip6_pktopts *opt_or;
62 struct route_in6 ro_or;
63 int flags_or;
64 struct ip6_moptions *im6o_or;
65 struct ifnet *origifp_or;
66 struct ifnet *ifp_or;
67 struct sockaddr_in6 dst_or;
68 u_long mtu_or;
69 struct route_in6 ro_pmtu_or;
70};
71
72/*
54/*
55 * Structure for collecting parameters to dummynet for ip6_output forwarding
56 */
57struct _ip6dn_args {
58 struct ip6_pktopts *opt_or;
59 struct route_in6 ro_or;
60 int flags_or;
61 struct ip6_moptions *im6o_or;
62 struct ifnet *origifp_or;
63 struct ifnet *ifp_or;
64 struct sockaddr_in6 dst_or;
65 u_long mtu_or;
66 struct route_in6 ro_pmtu_or;
67};
68
69/*
70 * Reference to an ipfw rule that can be carried outside critical sections.
71 * A rule is identified by rulenum:rule_id which is ordered.
72 * In version chain_id the rule can be found in slot 'slot', so
73 * we don't need a lookup if chain_id == chain->id.
74 *
75 * On exit from the firewall this structure refers to the rule after
76 * the matching one (slot points to the new rule; rulenum:rule_id-1
77 * is the matching rule), and additional info (e.g. info often contains
78 * the insn argument or tablearg in the low 16 bits, in host format).
79 * On entry, the structure is valid if slot>0, and refers to the starting
80 * rules. 'info' contains the reason for reinject, e.g. divert port,
81 * divert direction, and so on.
82 */
83struct ipfw_rule_ref {
84 uint32_t slot; /* slot for matching rule */
85 uint32_t rulenum; /* matching rule number */
86 uint32_t rule_id; /* matching rule id */
87 uint32_t chain_id; /* ruleset id */
88 uint32_t info; /* see below */
89};
90
91enum {
92 IPFW_INFO_MASK = 0x0000ffff,
93 IPFW_INFO_OUT = 0x00000000, /* outgoing, just for convenience */
94 IPFW_INFO_IN = 0x80000000, /* incoming, overloads dir */
95 IPFW_ONEPASS = 0x40000000, /* One-pass, do not reinject */
96 IPFW_IS_MASK = 0x30000000, /* which source ? */
97 IPFW_IS_DIVERT = 0x20000000,
98 IPFW_IS_DUMMYNET =0x10000000,
99 IPFW_IS_PIPE = 0x08000000, /* pip1=1, queue = 0 */
100};
101
102/*
73 * Arguments for calling ipfw_chk() and dummynet_io(). We put them
74 * all into a structure because this way it is easier and more
75 * efficient to pass variables around and extend the interface.
76 */
77struct ip_fw_args {
78 struct mbuf *m; /* the mbuf chain */
79 struct ifnet *oif; /* output interface */
80 struct sockaddr_in *next_hop; /* forward address */
81
103 * Arguments for calling ipfw_chk() and dummynet_io(). We put them
104 * all into a structure because this way it is easier and more
105 * efficient to pass variables around and extend the interface.
106 */
107struct ip_fw_args {
108 struct mbuf *m; /* the mbuf chain */
109 struct ifnet *oif; /* output interface */
110 struct sockaddr_in *next_hop; /* forward address */
111
82 /* chain_id validates 'slot', the location of the pointer to
83 * a matching rule.
84 * If invalid, we can lookup the rule using rule_id and rulenum
112 /*
113 * On return, it points to the matching rule.
114 * On entry, rule.slot > 0 means the info is valid and
115 * contains the the starting rule for an ipfw search.
116 * If chain_id == chain->id && slot >0 then jump to that slot.
117 * Otherwise, we locate the first rule >= rulenum:rule_id
85 */
118 */
86 uint32_t slot; /* slot for matching rule */
87 uint32_t rulenum; /* matching rule number */
88 uint32_t rule_id; /* matching rule id */
89 uint32_t chain_id; /* ruleset id */
119 struct ipfw_rule_ref rule; /* match/restart info */
90
91 struct ether_header *eh; /* for bridged packets */
92
93 struct ipfw_flow_id f_id; /* grabbed from IP header */
120
121 struct ether_header *eh; /* for bridged packets */
122
123 struct ipfw_flow_id f_id; /* grabbed from IP header */
94 uint32_t cookie; /* a cookie depending on rule action */
124 //uint32_t cookie; /* a cookie depending on rule action */
95 struct inpcb *inp;
96
97 struct _ip6dn_args dummypar; /* dummynet->ip6_output */
98 struct sockaddr_in hopstore; /* store here if cannot use a pointer */
99};
100
101MALLOC_DECLARE(M_IPFW);
102


117 PROTO_LAYER2 = 0x4, /* set for layer 2 */
118 /* PROTO_DEFAULT = 0, */
119 PROTO_IPV4 = 0x08,
120 PROTO_IPV6 = 0x10,
121 PROTO_IFB = 0x0c, /* layer2 + ifbridge */
122 /* PROTO_OLDBDG = 0x14, unused, old bridge */
123};
124
125 struct inpcb *inp;
126
127 struct _ip6dn_args dummypar; /* dummynet->ip6_output */
128 struct sockaddr_in hopstore; /* store here if cannot use a pointer */
129};
130
131MALLOC_DECLARE(M_IPFW);
132


147 PROTO_LAYER2 = 0x4, /* set for layer 2 */
148 /* PROTO_DEFAULT = 0, */
149 PROTO_IPV4 = 0x08,
150 PROTO_IPV6 = 0x10,
151 PROTO_IFB = 0x0c, /* layer2 + ifbridge */
152 /* PROTO_OLDBDG = 0x14, unused, old bridge */
153};
154
155/* wrapper for freeing a packet, in case we need to do more work */
156#define FREE_PKT(m) m_freem(m)
157
125/*
126 * Function definitions.
127 */
128
129/* attach (arg = 1) or detach (arg = 0) hooks */
130int ipfw_attach_hooks(int);
131#ifdef NOTYET
132void ipfw_nat_destroy(void);


251int ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
252 uint8_t mlen, uint32_t value);
253int ipfw_dump_table_entry(struct radix_node *rn, void *arg);
254int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
255 uint8_t mlen);
256int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt);
257int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl);
258
158/*
159 * Function definitions.
160 */
161
162/* attach (arg = 1) or detach (arg = 0) hooks */
163int ipfw_attach_hooks(int);
164#ifdef NOTYET
165void ipfw_nat_destroy(void);


284int ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
285 uint8_t mlen, uint32_t value);
286int ipfw_dump_table_entry(struct radix_node *rn, void *arg);
287int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr,
288 uint8_t mlen);
289int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt);
290int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl);
291
292/* hooks for divert */
293extern void (*ip_divert_ptr)(struct mbuf *m, int incoming);
294
259/* In ip_fw_nat.c */
260
261extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
262
263typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *);
264typedef int ipfw_nat_cfg_t(struct sockopt *);
265
266extern ipfw_nat_t *ipfw_nat_ptr;


272extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
273
274/* netgraph prototypes */
275
276typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
277extern ng_ipfw_input_t *ng_ipfw_input_p;
278#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL)
279
295/* In ip_fw_nat.c */
296
297extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int);
298
299typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *);
300typedef int ipfw_nat_cfg_t(struct sockopt *);
301
302extern ipfw_nat_t *ipfw_nat_ptr;


308extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr;
309
310/* netgraph prototypes */
311
312typedef int ng_ipfw_input_t(struct mbuf **, int, struct ip_fw_args *, int);
313extern ng_ipfw_input_t *ng_ipfw_input_p;
314#define NG_IPFW_LOADED (ng_ipfw_input_p != NULL)
315
280struct ng_ipfw_tag {
281 struct m_tag mt; /* tag header */
282 /* reinject info */
283 uint32_t slot; /* slot for next rule */
284 uint32_t rulenum; /* matching rule number */
285 uint32_t rule_id; /* matching rule id */
286 uint32_t chain_id; /* ruleset id */
287 int dir;
288
289// struct ifnet *ifp; /* interface, for ip_output */
290};
291
292#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
293
294
295#endif /* _KERNEL */
296#endif /* _IPFW2_PRIVATE_H */
316#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))
317
318
319#endif /* _KERNEL */
320#endif /* _IPFW2_PRIVATE_H */
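Review bot: The new side still has `#define TAGSIZ (sizeof(struct ng_ipfw_tag) - sizeof(struct m_tag))` (new line 316) while the `struct ng_ipfw_tag` definition it depends on is dropped from this header in the same change, so any remaining use of TAGSIZ will fail with an incomplete-type error unless the struct is still declared in another header; either remove the macro or re-express it over the replacement, e.g. `#define TAGSIZ sizeof(struct ipfw_rule_ref)`, if that is what the MTAG_IPFW_RULE tag now carries. In the new enum, `IPFW_INFO_IN = 0x80000000` is not representable as `int`, which makes the enumerator a constraint violation in strict C (gcc accepts it with a warning under -pedantic); a `#define` or a comment stating these values are only ever stored in the `uint32_t info` field would avoid the portability trap. The `ipfw_rule_ref` comment says the firewall jumps to `slot` when `chain_id == chain->id`, but it does not say who bounds-checks `slot` against the current rule array when the reference comes back from divert, dummynet or netgraph reinjection; adding `/* consumers must still verify slot is within the chain's rule count before indexing */` would make that contract explicit. Minor: `contains the the starting rule` and `pip1=1` are typos, and the commented-out `//uint32_t cookie;` should be deleted rather than left in place.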