ip_state.h revision 80482
1/*
2 * Copyright (C) 1995-2001 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
7 * $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $
8 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_state.h 80482 2001-07-28 11:58:26Z darrenr $
9 */
10#ifndef	__IP_STATE_H__
11#define	__IP_STATE_H__
12
/*
 * ioctl request code SIOCDELST: built with _IOW, group letter r, command
 * number 61, argument type "struct ipstate *".  Going by its name it
 * requests deletion of a state entry -- confirm against the handler.
 * The #else branch passes the group letter unquoted, presumably for
 * pre-ANSI preprocessors whose _IOW quotes it itself -- confirm.
 *
 * NOTE(review): the declared argument is a pointer, so what crosses the
 * user/kernel boundary is an address chosen by the caller.  The handler is
 * not part of this header; confirm that it checks the caller's privilege
 * and copies the referenced data in before using it, instead of
 * dereferencing the user-supplied address directly.
 */
#if defined(__STDC__) || defined(__GNUC__)
# define	SIOCDELST	_IOW('r', 61, struct ipstate *)
#else
# define	SIOCDELST	_IOW(r, 61, struct ipstate *)
#endif
18
/*
 * Sizing constants for the state table.  Each is wrapped in #ifndef, so a
 * build can override it by defining the name before this header is read.
 * IPSTATE_SIZE is presumably the number of hash buckets -- confirm in the
 * implementation.
 *
 * NOTE(review): IPSTATE_MAX is a fixed ceiling.  That bounds the kernel
 * memory the table can consume, but it also means the table can fill up;
 * confirm what fr_addstate does for a new flow once the limit is reached
 * and watch the iss_max / iss_nomem counters in ips_stat_t when sizing it.
 */
#ifndef	IPSTATE_SIZE
# define	IPSTATE_SIZE	5737
#endif
#ifndef	IPSTATE_MAX
# define	IPSTATE_MAX	4013	/* Maximum number of states held */
#endif
25
/*
 * PAIRS(s1,d1,s2,d2) is true when the pair (s1,d1) equals (s2,d2) either
 * as given or with source and destination swapped, i.e. it matches a flow
 * in both directions.
 * IPPAIR applies the same test to the s_addr member of four address
 * operands.
 * Each argument appears in both alternatives, so it may be evaluated more
 * than once: do not pass expressions with side effects.
 */
#define	PAIRS(s1,d1,s2,d2)	((((s1) == (s2)) && ((d1) == (d2))) ||\
				 (((s1) == (d2)) && ((d1) == (s2))))
#define	IPPAIR(s1,d1,s2,d2)	PAIRS((s1).s_addr, (d1).s_addr, \
				      (s2).s_addr, (d2).s_addr)
30
31
/*
 * Protocol-specific part of a state entry for UDP (member is_us of the
 * is_ps union in struct ipstate).  It starts with the same two u_short
 * port fields as tcpstate_t.
 */
typedef struct udpstate {
	u_short	us_sport;	/* source port; byte order not stated here */
	u_short	us_dport;	/* destination port */
} udpstate_t;
36
/*
 * Protocol-specific part of a state entry for ICMP (member is_ics of the
 * is_ps union in struct ipstate).
 * NOTE(review): there is no code field here, although this header also
 * defines an is_code accessor that names one (ics_code).
 */
typedef struct icmpstate {
	u_short	ics_id;		/* presumably the ICMP identifier -- confirm */
	u_short	ics_seq;	/* presumably the ICMP sequence number -- confirm */
	u_char	ics_type;	/* ICMP type */
} icmpstate_t;
42
/*
 * Sequence and window bookkeeping for one side of a TCP connection;
 * tcpstate_t holds two of these.  Field meanings below are read off the
 * names and the is_send / is_maxsend / is_maxswin accessors -- confirm
 * against fr_tcpstate.
 * NOTE(review): td_maxwin is a u_short, so it can hold only a 16-bit
 * window value; confirm how scaled windows are treated by the code that
 * validates segments against these fields.
 */
typedef	struct	tcpdata	{
	u_32_t	td_end;		/* presumably end of data seen from this side */
	u_32_t	td_maxend;	/* presumably highest acceptable end */
	u_short	td_maxwin;	/* presumably largest window seen */
} tcpdata_t;
48
/*
 * Protocol-specific part of a state entry for TCP (member is_ts of the
 * is_ps union in struct ipstate).
 * Index 0 of the two arrays is the source side and index 1 the destination
 * side, as the is_send / is_dend family of accessors in this header shows.
 */
typedef	struct tcpstate {
	u_short	ts_sport;	/* source port */
	u_short	ts_dport;	/* destination port */
	tcpdata_t ts_data[2];	/* per-side sequence/window data */
	u_char	ts_state[2];	/* per-side connection state */
} tcpstate_t;
55
/*
 * One tracked flow in the state table.
 *
 * The entry carries two sets of links (is_next/is_pnext and
 * is_hnext/is_phnext); ips_stat_t exposes both a table and a list of
 * ipstate_t, so presumably one set threads the global list and the other
 * the hash chain -- confirm.
 *
 * is_ps is a union: which member is valid depends on the protocol in is_p,
 * so readers must check is_p before touching a protocol-specific field.
 * The generic is_sport/is_dport accessors go through the TCP member; that
 * is also correct for UDP only because tcpstate_t and udpstate_t both
 * begin with the same two u_short port fields.
 *
 * NOTE(review): the structure holds raw pointers (links, is_ifp, is_rule).
 * Wherever an ipstate crosses the user/kernel boundary, these must not be
 * trusted on the way in and disclose kernel addresses on the way out --
 * confirm how the ioctl code treats them.
 */
typedef struct ipstate {
	struct	ipstate	*is_next;	/* forward link */
	struct	ipstate	**is_pnext;	/* address of the pointer that points here */
	struct	ipstate	*is_hnext;	/* forward link, second chain */
	struct	ipstate	**is_phnext;	/* back-pointer for the second chain */
	u_long	is_age;			/* presumably remaining lifetime -- confirm units */
	u_int	is_pass;		/* presumably the rule's pass/block flags -- confirm */
	U_QUAD_T	is_pkts;	/* packet counter */
	U_QUAD_T	is_bytes;	/* byte counter */
	void	*is_ifp[2];		/* [0] = in, [1] = out (see is_ifpin/is_ifpout) */
	frentry_t	*is_rule;	/* rule associated with this entry */
	union	i6addr	is_src;		/* source address */
	union	i6addr	is_dst;		/* destination address */
	u_char	is_p;			/* Protocol */
	u_char	is_v;			/* presumably the IP version -- confirm */
	u_int	is_hv;			/* presumably the hash value -- confirm */
	u_32_t	is_flags;		/* bit layout: see the is_flags comment in this file */
	u_32_t	is_opt;			/* packet options set */
	u_32_t	is_optmsk;		/* packet options mask */
	u_short	is_sec;			/* security options set */
	u_short	is_secmsk;		/* security options mask */
	u_short	is_auth;		/* authentication options set */
	u_short	is_authmsk;		/* authentication options mask */
	union {
		icmpstate_t	is_ics;	/* valid for ICMP entries */
		tcpstate_t	is_ts;	/* valid for TCP entries */
		udpstate_t	is_us;	/* valid for UDP entries */
	} is_ps;
	char	is_ifname[2][IFNAMSIZ];	/* two interface names; NUL termination not guaranteed by the type */
#if SOLARIS || defined(__sgi)
	kmutex_t	is_lock;	/* per-entry lock, present on these platforms only */
#endif
} ipstate_t;
89
/*
 * Shorthand accessors for members of struct ipstate.  They are plain
 * object-like macros with short, unprefixed names, so any identifier with
 * one of these spellings in code that includes this header is rewritten
 * as well.
 *
 * The addresses resolve to the in4 member of the i6addr unions, i.e. they
 * are meaningful for IPv4 entries only.
 *
 * NOTE(review): is_code expands to is_icmp.ics_code, but icmpstate_t as
 * declared in this header has no ics_code member (only ics_id, ics_seq and
 * ics_type).  Any use of is_code would fail to compile; either the member
 * is missing or the macro is stale.
 *
 * The port and state accessors go through the TCP member of the is_ps
 * union; check is_p before relying on them.
 */
#define	is_saddr	is_src.in4.s_addr
#define	is_daddr	is_dst.in4.s_addr
#define	is_icmp		is_ps.is_ics
#define	is_type		is_icmp.ics_type
#define	is_code		is_icmp.ics_code
#define	is_tcp		is_ps.is_ts
#define	is_udp		is_ps.is_us
/* ts_data[0] is the source side, ts_data[1] the destination side. */
#define is_send		is_tcp.ts_data[0].td_end
#define is_dend		is_tcp.ts_data[1].td_end
#define is_maxswin	is_tcp.ts_data[0].td_maxwin
#define is_maxdwin	is_tcp.ts_data[1].td_maxwin
#define is_maxsend	is_tcp.ts_data[0].td_maxend
#define is_maxdend	is_tcp.ts_data[1].td_maxend
#define	is_sport	is_tcp.ts_sport
#define	is_dport	is_tcp.ts_dport
#define	is_state	is_tcp.ts_state
/* is_ifp[0] is the inbound interface slot, is_ifp[1] the outbound one. */
#define	is_ifpin	is_ifp[0]
#define	is_ifpout	is_ifp[1]
108
/* TCP flag combination SYN|ACK. */
#define	TH_OPENING	(TH_SYN|TH_ACK)
/*
 * is_flags:
 * Bits 0 - 3 are used as a mask with the current packet's bits to check
 * whether it is short, tcp/udp, a fragment or carries IP options.
 * Bits 4 - 7 are set from the initial packet and contain the value that
 * the packet, ANDed with bits 0 - 3, must match.
 * Bits 8,9 are used to indicate wildcard source/destination port matching.
 * NOTE(review): a wildcard port bit widens what an entry matches; confirm
 * where bits 8,9 are set and when they are cleared again.
 */
118
/*
 * Container pairing a full state entry with a full copy of a filter rule.
 * Going by the name it is the record used to save and restore state --
 * confirm against the code that fills it.
 *
 * NOTE(review): ips_next is an untyped pointer and the embedded ipstate
 * carries further pointers (links, is_ifp, is_rule).  If this record is
 * exchanged with user space, every pointer in it must be treated as
 * untrusted on input and as kernel-address disclosure on output; confirm
 * that the consumer rebuilds them instead of using the supplied values.
 */
typedef	struct	ipstate_save	{
	void	*ips_next;		/* link to the next record; type not fixed here */
	struct	ipstate	ips_is;		/* the state entry, by value */
	struct	frentry	ips_fr;		/* the rule, by value */
} ipstate_save_t;

/* Shorthand for the rule pointer inside the embedded state entry. */
#define	ips_rule	ips_is.is_rule
126
127
/*
 * Log record describing one state entry.  It mirrors the counters,
 * addresses, protocol and TCP state of struct ipstate but contains no
 * pointers.
 * isl_type is a u_short; the ISL_* constants in this header fit that
 * width and are presumably its values -- confirm.
 */
typedef	struct	ipslog	{
	U_QUAD_T	isl_pkts;	/* packet counter */
	U_QUAD_T	isl_bytes;	/* byte counter */
	union	i6addr	isl_src;	/* source address */
	union	i6addr	isl_dst;	/* destination address */
	u_short	isl_type;		/* kind of log event */
	union {
		u_short	isl_filler[2];	/* fixes the union at two u_shorts */
		u_short	isl_ports[2];	/* [0] = source, [1] = destination (see isl_sport/isl_dport) */
		u_short	isl_icmp;	/* ICMP value, reached through isl_itype */
	} isl_ps;
	u_char	isl_v;			/* presumably the IP version -- confirm */
	u_char	isl_p;			/* presumably the protocol -- confirm */
	u_char	isl_flags;		/* u_char, whereas is_flags in struct ipstate is u_32_t */
	u_char	isl_state[2];		/* two state bytes, same shape as ts_state */
} ipslog_t;
144
/*
 * Shorthand accessors into the isl_ps union of struct ipslog.  The port
 * and ICMP members overlap, so only the one matching the logged protocol
 * is meaningful.
 */
#define	isl_sport	isl_ps.isl_ports[0]
#define	isl_dport	isl_ps.isl_ports[1]
#define	isl_itype	isl_ps.isl_icmp
148
/*
 * Event codes, presumably stored in ipslog.isl_type (all fit a u_short).
 * The names suggest: entry created, entry timed out, table flushed, entry
 * removed -- confirm against the callers of ipstate_log.
 */
#define	ISL_NEW		0
#define	ISL_EXPIRE	0xffff
#define	ISL_FLUSH	0xfffe
#define	ISL_REMOVE	0xfffd
153
154
/*
 * Statistics block for the state table.  The per-field notes are read off
 * the field names; confirm each against the code that updates it.
 *
 * NOTE(review): besides counters, the block carries two pointers to
 * ipstate_t storage.  If it is copied out to user space as-is, those two
 * values disclose kernel addresses; confirm who may read it.
 */
typedef	struct	ips_stat {
	u_long	iss_hits;	/* lookups that matched an entry */
	u_long	iss_miss;	/* lookups that matched nothing */
	u_long	iss_max;	/* presumably additions refused at IPSTATE_MAX */
	u_long	iss_tcp;	/* TCP entries */
	u_long	iss_udp;	/* UDP entries */
	u_long	iss_icmp;	/* ICMP entries */
	u_long	iss_nomem;	/* allocation failures */
	u_long	iss_expire;	/* entries expired */
	u_long	iss_fin;	/* presumably entries closed by TCP FIN */
	u_long	iss_active;	/* entries currently active */
	u_long	iss_logged;	/* log records written */
	u_long	iss_logfail;	/* log records that could not be written */
	u_long	iss_inuse;	/* presumably hash buckets in use */
	ipstate_t **iss_table;	/* pointer to the table of entry pointers */
	ipstate_t *iss_list;	/* pointer to the list of entries */
} ips_stat_t;
172
173
/*
 * Timeout variables for state entries, one per TCP phase plus UDP and
 * ICMP.  Units are not stated in this header -- confirm where they are
 * initialised.
 */
extern	u_long	fr_tcpidletimeout;
extern	u_long	fr_tcpclosewait;
extern	u_long	fr_tcplastack;
extern	u_long	fr_tcptimeout;
extern	u_long	fr_tcpclosed;
extern	u_long	fr_tcphalfclosed;
extern	u_long	fr_udptimeout;
extern	u_long	fr_icmptimeout;
/* Integer flag; presumably freezes changes to the state table -- confirm. */
extern	int	fr_state_lock;
/*
 * Entry points of the state code.  Prototypes are wrapped in __P(()) so
 * the parameter lists can be dropped for compilers without prototypes.
 * fr_addstate and fr_checkstate return pointers; callers must handle the
 * NULL case if the implementation can return it -- confirm.
 */
extern	int	fr_stateinit __P((void));
extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
extern	ipstate_t	*fr_addstate __P((ip_t *, fr_info_t *, u_int));
extern	frentry_t	*fr_checkstate __P((ip_t *, fr_info_t *));
extern	void	ip_statesync __P((void *));
extern	void	fr_timeoutstate __P((void));
extern	void	fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int));
extern	void	fr_stateunload __P((void));
extern	void	ipstate_log __P((struct ipstate *, u_int));
/*
 * ioctl entry point for the state device.  The second parameter is u_long
 * on NetBSD and OpenBSD and int elsewhere, so the two prototypes are not
 * interchangeable.
 * NOTE(review): the first parameter is a caddr_t supplied by the ioctl
 * path; confirm that the implementation validates the command and copies
 * the data in before use.
 */
#if defined(__NetBSD__) || defined(__OpenBSD__)
extern	int	fr_state_ioctl __P((caddr_t, u_long, int));
#else
extern	int	fr_state_ioctl __P((caddr_t, int, int));
#endif
197
198#endif /* __IP_STATE_H__ */
199