1.TH IPF 4
2.SH NAME
3ipf \- packet filtering kernel interface
4.SH SYNOPSIS
5#include <sys/ip_fil.h>
6.SH IOCTLS
7.PP
8To add and delete rules to the filter list, three 'basic' ioctls are provided
9for use. The ioctl's are called as:
10.LP
11.nf
12 ioctl(fd, SIOCADDFR, struct frentry *)
13 ioctl(fd, SIOCDELFR, struct frentry *)
--- 22 unchanged lines hidden (view full) ---
36The three groups of ioctls above perform adding rules to the end of the
37list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
38and insertion of a rule into the list (SIOCIN*). The rule place into
39which it is inserted is stored in the "fr_hits" field, below.
40.LP
41.nf
42typedef struct frentry {
43 struct frentry *fr_next;
44 struct ifnet *fr_ifa;
45 u_long fr_hits;
46 u_long fr_bytes; /* this is only incremented when a packet */
47 /* stops matching on this rule */
48 /*
49 * Fields after this may not change whilst in the kernel.
50 */
51 struct fr_ip fr_ip;
52 struct fr_ip fr_mip;
53
54 u_char fr_tcpfm; /* tcp flags mask */
55 u_char fr_tcpf; /* tcp flags */
56
57 u_short fr_icmpm; /* data for ICMP packets (mask) */
58 u_short fr_icmp;
59
60 u_char fr_scmp; /* data for port comparisons */
61 u_char fr_dcmp;
62 u_short fr_dport;
63 u_short fr_sport;
64 u_short fr_stop; /* top port for <> and >< */
65 u_short fr_dtop; /* top port for <> and >< */
66 u_long fr_flags; /* per-rule flags && options (see below) */
67 int (*fr_func)(); /* call this function */
68 char fr_icode; /* return ICMP code */
69 char fr_ifname[IFNAMSIZ];
70 struct frdest fr_tif; /* "to" interface */
71 struct frdest fr_dif; /* duplicate packet interfaces */
72} frentry_t;
73.fi
74.PP
75When adding a new rule, all unused fields (in the filter rule) should be
76initialised to be zero. To insert a rule, at a particular position in the
77filter list, the number of the rule which it is to be inserted before must
78be put in the "fr_hits" field (the first rule is number 0).
79.LP
80.PP
81Flags which are recognised in fr_pass:
82.nf
83
84 FR_BLOCK 0x00001 /* do not allow packet to pass */
85 FR_PASS 0x00002 /* allow packet to pass */
86 FR_OUTQUE 0x00004 /* outgoing packets */
87 FR_INQUE 0x00008 /* ingoing packets */
88 FR_LOG 0x00010 /* Log */
89 FR_LOGP 0x00011 /* Log-pass */
90 FR_LOGB 0x00012 /* Log-fail */
91 FR_LOGBODY 0x00020 /* log the body of packets too */
92 FR_LOGFIRST 0x00040 /* log only the first packet to match */
93 FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
94 FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
95 FR_NOMATCH 0x00200 /* no match occured */
96 FR_ACCOUNT 0x00400 /* count packet bytes */
97 FR_KEEPFRAG 0x00800
98 FR_KEEPSTATE 0x01000 /* keep packet flow state information */
99 FR_INACTIVE 0x02000
100 FR_QUICK 0x04000 /* quick-match and return */
101 FR_FASTROUTE 0x08000
102 FR_CALLNOW 0x10000
103 FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
104
105.fi
106.PP
107Values for fr_scomp and fr_dcomp (source and destination port value
108comparisons) :
109.LP
110.nf
111 FR_NONE 0
--- 17 unchanged lines hidden (view full) ---
129rules used. These allow for packets which are either passed or blocked
130to be logged. To set (and clear)/get these flags, two ioctls are
131provided:
132.IP SIOCSETFF 16
133Takes an unsigned integer as the parameter. The flags are then set to
134those provided (clearing/setting all in one).
135.nf
136
137 FF_LOGPASS 1
138 FF_LOGBLOCK 2
139.fi
140.IP SIOCGETFF 16
141Takes a pointer to an unsigned integer as the parameter. A copy of the
142flags currently in used is copied to user space.
143.LP
144\fBFilter statistics\fP
145Statistics on the various operations performed by this package on packets
146is kept inside the kernel. These statistics apply to packets traversing
147through the kernel. To retrieve this structure, use this ioctl:
148.nf
149
150 ioctl(fd, SIOCGETFS, struct friostat *)
151
152struct friostat {
153 struct filterstats f_st[2];
154 struct frentry *f_fin;
155 struct frentry *f_fout;
156};
157
158struct filterstats {
159 u_long fr_pass; /* packets allowed */
160 u_long fr_block; /* packets denied */
161 u_long fr_nom; /* packets which don't match any rule */
162 u_long fr_ppkl; /* packets allowed and logged */
163 u_long fr_bpkl; /* packets denied and logged */
164 u_long fr_npkl; /* packets unmatched and logged */
165 u_long fr_pkl; /* packets logged */
166 u_long fr_skip; /* packets to be logged but buffer full */
167 u_long fr_ret; /* packets for which a return is sent */
168 u_long fr_acct; /* packets for which counting was performed */
169 u_long fr_bnfr; /* bad attempts to allocate fragment state */
170 u_long fr_nfr; /* new fragment state kept */
171 u_long fr_cfr; /* add new fragment state but complete pkt */
172 u_long fr_bads; /* bad attempts to allocate packet state */
173 u_long fr_ads; /* new packet state kept */
174 u_long fr_chit; /* cached hit */
175#if SOLARIS
176 u_long fr_bad; /* bad IP packets to the filter */
177 u_long fr_notip; /* packets passed through no on ip queue */
178 u_long fr_drop; /* packets dropped - no info for them! */
179#endif
180};
181.fi
182.SH SEE ALSO
183ipfstat(1), ipf(1), ipf(5)
2.SH NAME
3ipf \- packet filtering kernel interface
4.SH SYNOPSIS
5#include <sys/ip_fil.h>
6.SH IOCTLS
7.PP
8To add and delete rules to the filter list, three 'basic' ioctls are provided
9for use. The ioctl's are called as:
10.LP
11.nf
12 ioctl(fd, SIOCADDFR, struct frentry *)
13 ioctl(fd, SIOCDELFR, struct frentry *)
--- 22 unchanged lines hidden (view full) ---
36The three groups of ioctls above perform adding rules to the end of the
37list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
38and insertion of a rule into the list (SIOCIN*). The rule place into
39which it is inserted is stored in the "fr_hits" field, below.
40.LP
41.nf
42typedef struct frentry {
43 struct frentry *fr_next;
44 struct ifnet *fr_ifa;
45 u_long fr_hits;
46 u_long fr_bytes; /* this is only incremented when a packet */
47 /* stops matching on this rule */
48 /*
49 * Fields after this may not change whilst in the kernel.
50 */
51 struct fr_ip fr_ip;
52 struct fr_ip fr_mip;
53
54 u_char fr_tcpfm; /* tcp flags mask */
55 u_char fr_tcpf; /* tcp flags */
56
57 u_short fr_icmpm; /* data for ICMP packets (mask) */
58 u_short fr_icmp;
59
60 u_char fr_scmp; /* data for port comparisons */
61 u_char fr_dcmp;
62 u_short fr_dport;
63 u_short fr_sport;
64 u_short fr_stop; /* top port for <> and >< */
65 u_short fr_dtop; /* top port for <> and >< */
66 u_long fr_flags; /* per-rule flags && options (see below) */
67 int (*fr_func)(); /* call this function */
68 char fr_icode; /* return ICMP code */
69 char fr_ifname[IFNAMSIZ];
70 struct frdest fr_tif; /* "to" interface */
71 struct frdest fr_dif; /* duplicate packet interfaces */
72} frentry_t;
73.fi
74.PP
75When adding a new rule, all unused fields (in the filter rule) should be
76initialised to be zero. To insert a rule, at a particular position in the
77filter list, the number of the rule which it is to be inserted before must
78be put in the "fr_hits" field (the first rule is number 0).
79.LP
80.PP
81Flags which are recognised in fr_pass:
82.nf
83
84 FR_BLOCK 0x00001 /* do not allow packet to pass */
85 FR_PASS 0x00002 /* allow packet to pass */
86 FR_OUTQUE 0x00004 /* outgoing packets */
87 FR_INQUE 0x00008 /* ingoing packets */
88 FR_LOG 0x00010 /* Log */
89 FR_LOGP 0x00011 /* Log-pass */
90 FR_LOGB 0x00012 /* Log-fail */
91 FR_LOGBODY 0x00020 /* log the body of packets too */
92 FR_LOGFIRST 0x00040 /* log only the first packet to match */
93 FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
94 FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
95 FR_NOMATCH 0x00200 /* no match occured */
96 FR_ACCOUNT 0x00400 /* count packet bytes */
97 FR_KEEPFRAG 0x00800
98 FR_KEEPSTATE 0x01000 /* keep packet flow state information */
99 FR_INACTIVE 0x02000
100 FR_QUICK 0x04000 /* quick-match and return */
101 FR_FASTROUTE 0x08000
102 FR_CALLNOW 0x10000
103 FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
104
105.fi
106.PP
107Values for fr_scomp and fr_dcomp (source and destination port value
108comparisons) :
109.LP
110.nf
111 FR_NONE 0
--- 17 unchanged lines hidden (view full) ---
129rules used. These allow for packets which are either passed or blocked
130to be logged. To set (and clear)/get these flags, two ioctls are
131provided:
132.IP SIOCSETFF 16
133Takes an unsigned integer as the parameter. The flags are then set to
134those provided (clearing/setting all in one).
135.nf
136
137 FF_LOGPASS 1
138 FF_LOGBLOCK 2
139.fi
140.IP SIOCGETFF 16
141Takes a pointer to an unsigned integer as the parameter. A copy of the
142flags currently in used is copied to user space.
143.LP
144\fBFilter statistics\fP
145Statistics on the various operations performed by this package on packets
146is kept inside the kernel. These statistics apply to packets traversing
147through the kernel. To retrieve this structure, use this ioctl:
148.nf
149
150 ioctl(fd, SIOCGETFS, struct friostat *)
151
152struct friostat {
153 struct filterstats f_st[2];
154 struct frentry *f_fin;
155 struct frentry *f_fout;
156};
157
158struct filterstats {
159 u_long fr_pass; /* packets allowed */
160 u_long fr_block; /* packets denied */
161 u_long fr_nom; /* packets which don't match any rule */
162 u_long fr_ppkl; /* packets allowed and logged */
163 u_long fr_bpkl; /* packets denied and logged */
164 u_long fr_npkl; /* packets unmatched and logged */
165 u_long fr_pkl; /* packets logged */
166 u_long fr_skip; /* packets to be logged but buffer full */
167 u_long fr_ret; /* packets for which a return is sent */
168 u_long fr_acct; /* packets for which counting was performed */
169 u_long fr_bnfr; /* bad attempts to allocate fragment state */
170 u_long fr_nfr; /* new fragment state kept */
171 u_long fr_cfr; /* add new fragment state but complete pkt */
172 u_long fr_bads; /* bad attempts to allocate packet state */
173 u_long fr_ads; /* new packet state kept */
174 u_long fr_chit; /* cached hit */
175#if SOLARIS
176 u_long fr_bad; /* bad IP packets to the filter */
177 u_long fr_notip; /* packets passed through no on ip queue */
178 u_long fr_drop; /* packets dropped - no info for them! */
179#endif
180};
181.fi
182.SH SEE ALSO
183ipfstat(1), ipf(1), ipf(5)