ipf.4 (24583) ipf.4 (31183)
1.TH IPF 4
2.SH NAME
3ipf \- packet filtering kernel interface
4.SH SYNOPSIS
1.TH IPF 4
2.SH NAME
3ipf \- packet filtering kernel interface
4.SH SYNOPSIS
5#include <sys/ip_fil.h>
5#include <netinet/ip_compat.h>
6#include <netinet/ip_fil.h>
6.SH IOCTLS
7.PP
8To add and delete rules to the filter list, three 'basic' ioctls are provided
9for use. The ioctl's are called as:
10.LP
11.nf
12 ioctl(fd, SIOCADDFR, struct frentry *)
13 ioctl(fd, SIOCDELFR, struct frentry *)

--- 22 unchanged lines hidden (view full) ---

36The three groups of ioctls above perform adding rules to the end of the
37list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
38and insertion of a rule into the list (SIOCIN*). The rule place into
39which it is inserted is stored in the "fr_hits" field, below.
40.LP
41.nf
42typedef struct frentry {
43 struct frentry *fr_next;
7.SH IOCTLS
8.PP
9To add and delete rules to the filter list, three 'basic' ioctls are provided
10for use. The ioctl's are called as:
11.LP
12.nf
13 ioctl(fd, SIOCADDFR, struct frentry *)
14 ioctl(fd, SIOCDELFR, struct frentry *)

--- 22 unchanged lines hidden (view full) ---

37The three groups of ioctls above perform adding rules to the end of the
38list (SIOCAD*), deletion of rules from any place in the list (SIOCRM*)
39and insertion of a rule into the list (SIOCIN*). The rule place into
40which it is inserted is stored in the "fr_hits" field, below.
41.LP
42.nf
43typedef struct frentry {
44 struct frentry *fr_next;
45 u_short fr_group; /* group to which this rule belongs */
46 u_short fr_head; /* group # which this rule starts */
47 struct frentry *fr_grp;
48 int fr_ref; /* reference count - for grouping */
44 struct ifnet *fr_ifa;
49 struct ifnet *fr_ifa;
45 u_long fr_hits;
46 u_long fr_bytes; /* this is only incremented when a packet */
47 /* stops matching on this rule */
48 /*
50 /*
51 * These are only incremented when a packet matches this rule and
52 * it is the last match
53 */
54 U_QUAD_T fr_hits;
55 U_QUAD_T fr_bytes;
56 /*
49 * Fields after this may not change whilst in the kernel.
50 */
51 struct fr_ip fr_ip;
52 struct fr_ip fr_mip;
53
54 u_char fr_tcpfm; /* tcp flags mask */
55 u_char fr_tcpf; /* tcp flags */
56
57 u_short fr_icmpm; /* data for ICMP packets (mask) */
58 u_short fr_icmp;
59
60 u_char fr_scmp; /* data for port comparisons */
61 u_char fr_dcmp;
62 u_short fr_dport;
63 u_short fr_sport;
64 u_short fr_stop; /* top port for <> and >< */
65 u_short fr_dtop; /* top port for <> and >< */
66 u_long fr_flags; /* per-rule flags && options (see below) */
57 * Fields after this may not change whilst in the kernel.
58 */
59 struct fr_ip fr_ip;
60 struct fr_ip fr_mip;
61
62 u_char fr_tcpfm; /* tcp flags mask */
63 u_char fr_tcpf; /* tcp flags */
64
65 u_short fr_icmpm; /* data for ICMP packets (mask) */
66 u_short fr_icmp;
67
68 u_char fr_scmp; /* data for port comparisons */
69 u_char fr_dcmp;
70 u_short fr_dport;
71 u_short fr_sport;
72 u_short fr_stop; /* top port for <> and >< */
73 u_short fr_dtop; /* top port for <> and >< */
74 u_long fr_flags; /* per-rule flags && options (see below) */
75 int fr_skip; /* # of rules to skip */
67 int (*fr_func)(); /* call this function */
68 char fr_icode; /* return ICMP code */
69 char fr_ifname[IFNAMSIZ];
70 struct frdest fr_tif; /* "to" interface */
71 struct frdest fr_dif; /* duplicate packet interfaces */
72} frentry_t;
73.fi
74.PP
75When adding a new rule, all unused fields (in the filter rule) should be
76initialised to be zero. To insert a rule, at a particular position in the
77filter list, the number of the rule which it is to be inserted before must
78be put in the "fr_hits" field (the first rule is number 0).
79.LP
80.PP
81Flags which are recognised in fr_pass:
82.nf
83
76 int (*fr_func)(); /* call this function */
77 char fr_icode; /* return ICMP code */
78 char fr_ifname[IFNAMSIZ];
79 struct frdest fr_tif; /* "to" interface */
80 struct frdest fr_dif; /* duplicate packet interfaces */
81} frentry_t;
82.fi
83.PP
84When adding a new rule, all unused fields (in the filter rule) should be
85initialised to be zero. To insert a rule, at a particular position in the
86filter list, the number of the rule which it is to be inserted before must
87be put in the "fr_hits" field (the first rule is number 0).
88.LP
89.PP
90Flags which are recognised in fr_pass:
91.nf
92
84 FR_BLOCK 0x00001 /* do not allow packet to pass */
85 FR_PASS 0x00002 /* allow packet to pass */
86 FR_OUTQUE 0x00004 /* outgoing packets */
87 FR_INQUE 0x00008 /* ingoing packets */
88 FR_LOG 0x00010 /* Log */
89 FR_LOGP 0x00011 /* Log-pass */
90 FR_LOGB 0x00012 /* Log-fail */
91 FR_LOGBODY 0x00020 /* log the body of packets too */
92 FR_LOGFIRST 0x00040 /* log only the first packet to match */
93 FR_RETRST 0x00080 /* return a TCP RST packet if blocked */
94 FR_RETICMP 0x00100 /* return an ICMP packet if blocked */
95 FR_NOMATCH 0x00200 /* no match occured */
96 FR_ACCOUNT 0x00400 /* count packet bytes */
97 FR_KEEPFRAG 0x00800
98 FR_KEEPSTATE 0x01000 /* keep packet flow state information */
99 FR_INACTIVE 0x02000
100 FR_QUICK 0x04000 /* quick-match and return */
101 FR_FASTROUTE 0x08000
102 FR_CALLNOW 0x10000
103 FR_DUP 0x20000 /* duplicate the packet (not Solaris2)
93 FR_BLOCK 0x000001 /* do not allow packet to pass */
94 FR_PASS 0x000002 /* allow packet to pass */
95 FR_OUTQUE 0x000004 /* outgoing packets */
96 FR_INQUE 0x000008 /* ingoing packets */
97 FR_LOG 0x000010 /* Log */
98 FR_LOGP 0x000011 /* Log-pass */
99 FR_LOGB 0x000012 /* Log-fail */
100 FR_LOGBODY 0x000020 /* log the body of packets too */
101 FR_LOGFIRST 0x000040 /* log only the first packet to match */
102 FR_RETRST 0x000080 /* return a TCP RST packet if blocked */
103 FR__RETICMP 0x000100 /* return an ICMP packet if blocked */
104 FR_NOMATCH 0x000200 /* no match occured */
105 FR_ACCOUNT 0x000400 /* count packet bytes */
106 FR_KEEPFRAG 0x000800 /* keep fragment information */
107 FR_KEEPSTATE 0x001000 /* keep `connection' state information */
108 FR_INACTIVE 0x002000
109 FR_QUICK 0x004000 /* match & stop processing list */
110 FR_FASTROUTE 0x008000 /* bypass normal routing */
111 FR_CALLNOW 0x010000 /* call another function (fr_func) if matches */
112 FR_DUP 0x020000 /* duplicate the packet */
113 FR_LOGORBLOCK 0x040000 /* block the packet if it can't be logged */
114 FR_NOTSRCIP 0x080000 /* not the src IP# */
115 FR_NOTDSTIP 0x100000 /* not the dst IP# */
116 FR_AUTH 0x200000 /* use authentication */
117 FR_PREAUTH 0x400000 /* require preauthentication */
104
105.fi
106.PP
107Values for fr_scomp and fr_dcomp (source and destination port value
108comparisons) :
109.LP
110.nf
111 FR_NONE 0

--- 17 unchanged lines hidden (view full) ---

129rules used. These allow for packets which are either passed or blocked
130to be logged. To set (and clear)/get these flags, two ioctls are
131provided:
132.IP SIOCSETFF 16
133Takes an unsigned integer as the parameter. The flags are then set to
134those provided (clearing/setting all in one).
135.nf
136
118
119.fi
120.PP
121Values for fr_scomp and fr_dcomp (source and destination port value
122comparisons) :
123.LP
124.nf
125 FR_NONE 0

--- 17 unchanged lines hidden (view full) ---

143rules used. These allow for packets which are either passed or blocked
144to be logged. To set (and clear)/get these flags, two ioctls are
145provided:
146.IP SIOCSETFF 16
147Takes an unsigned integer as the parameter. The flags are then set to
148those provided (clearing/setting all in one).
149.nf
150
137 FF_LOGPASS 1
138 FF_LOGBLOCK 2
151 FF_LOGPASS 0x10000000
152 FF_LOGBLOCK 0x20000000
153 FF_LOGNOMATCH 0x40000000
154 FF_BLOCKNONIP 0x80000000 /* Solaris 2.x only */
139.fi
140.IP SIOCGETFF 16
141Takes a pointer to an unsigned integer as the parameter. A copy of the
142flags currently in used is copied to user space.
143.LP
144\fBFilter statistics\fP
145Statistics on the various operations performed by this package on packets
146is kept inside the kernel. These statistics apply to packets traversing
147through the kernel. To retrieve this structure, use this ioctl:
148.nf
149
150 ioctl(fd, SIOCGETFS, struct friostat *)
151
155.fi
156.IP SIOCGETFF 16
157Takes a pointer to an unsigned integer as the parameter. A copy of the
158flags currently in used is copied to user space.
159.LP
160\fBFilter statistics\fP
161Statistics on the various operations performed by this package on packets
162is kept inside the kernel. These statistics apply to packets traversing
163through the kernel. To retrieve this structure, use this ioctl:
164.nf
165
166 ioctl(fd, SIOCGETFS, struct friostat *)
167
152struct friostat {
153 struct filterstats f_st[2];
154 struct frentry *f_fin;
155 struct frentry *f_fout;
168struct friostat {
169 struct filterstats f_st[2];
170 struct frentry *f_fin[2];
171 struct frentry *f_fout[2];
172 struct frentry *f_acctin[2];
173 struct frentry *f_acctout[2];
174 struct frentry *f_auth;
175 int f_active;
156};
157
158struct filterstats {
159 u_long fr_pass; /* packets allowed */
160 u_long fr_block; /* packets denied */
161 u_long fr_nom; /* packets which don't match any rule */
162 u_long fr_ppkl; /* packets allowed and logged */
163 u_long fr_bpkl; /* packets denied and logged */
164 u_long fr_npkl; /* packets unmatched and logged */
165 u_long fr_pkl; /* packets logged */
166 u_long fr_skip; /* packets to be logged but buffer full */
167 u_long fr_ret; /* packets for which a return is sent */
168 u_long fr_acct; /* packets for which counting was performed */
169 u_long fr_bnfr; /* bad attempts to allocate fragment state */
170 u_long fr_nfr; /* new fragment state kept */
171 u_long fr_cfr; /* add new fragment state but complete pkt */
172 u_long fr_bads; /* bad attempts to allocate packet state */
173 u_long fr_ads; /* new packet state kept */
174 u_long fr_chit; /* cached hit */
176};
177
178struct filterstats {
179 u_long fr_pass; /* packets allowed */
180 u_long fr_block; /* packets denied */
181 u_long fr_nom; /* packets which don't match any rule */
182 u_long fr_ppkl; /* packets allowed and logged */
183 u_long fr_bpkl; /* packets denied and logged */
184 u_long fr_npkl; /* packets unmatched and logged */
185 u_long fr_pkl; /* packets logged */
186 u_long fr_skip; /* packets to be logged but buffer full */
187 u_long fr_ret; /* packets for which a return is sent */
188 u_long fr_acct; /* packets for which counting was performed */
189 u_long fr_bnfr; /* bad attempts to allocate fragment state */
190 u_long fr_nfr; /* new fragment state kept */
191 u_long fr_cfr; /* add new fragment state but complete pkt */
192 u_long fr_bads; /* bad attempts to allocate packet state */
193 u_long fr_ads; /* new packet state kept */
194 u_long fr_chit; /* cached hit */
195 u_long fr_pull[2]; /* good and bad pullup attempts */
175#if SOLARIS
176 u_long fr_bad; /* bad IP packets to the filter */
177 u_long fr_notip; /* packets passed through no on ip queue */
178 u_long fr_drop; /* packets dropped - no info for them! */
179#endif
180};
181.fi
182.SH SEE ALSO
183ipfstat(1), ipf(1), ipf(5)
196#if SOLARIS
197 u_long fr_bad; /* bad IP packets to the filter */
198 u_long fr_notip; /* packets passed through no on ip queue */
199 u_long fr_drop; /* packets dropped - no info for them! */
200#endif
201};
202.fi
203.SH SEE ALSO
204ipfstat(1), ipf(1), ipf(5)