ip_fw.h revision 17072
/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * $Id: ip_fw.h,v 1.20 1996/06/09 23:46:21 alex Exp $
 */

/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 *
 * NOTE(review): struct ip_fw is also the payload of the IP_FW_* socket
 * options declared at the bottom of this file, i.e. it crosses the
 * user/kernel boundary.  Its layout is therefore ABI: do not reorder,
 * resize or retype members without versioning the socket options.
 * This header relies on the includer for u_long/u_short/u_char,
 * struct in_addr, LIST_ENTRY and the TH_* constants; it is not
 * self-contained.
 */
#ifndef _IP_FW_H
#define _IP_FW_H

struct ip_fw {
	u_long fw_pcnt,fw_bcnt;			/* Packet and byte counters */
	struct in_addr fw_src, fw_dst;		/* Source and destination IP addr */
	struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
	/*
	 * How the packet's interface is identified.  Which arm of the
	 * union is meaningful is selected by IP_FW_F_IFNAME in fw_flg.
	 */
	union {
		struct in_addr fu_via_ip;	/* Specified by IP address */
		struct {			/* Specified by interface name */
#define FW_IFNLEN     6			/* To keep structure on 2^x boundary */
			/*
			 * NOTE(review): exactly FW_IFNLEN bytes; nothing here
			 * guarantees a terminating NUL.  Code that fills,
			 * copies or compares this field must bound the
			 * operation by FW_IFNLEN rather than rely on a
			 * terminator.
			 */
			char  fu_via_name[FW_IFNLEN];
			short fu_via_unit;	/* Unit number; see IP_FW_F_IFUWILD */
		} fu_via_if;
	} fu_via_un;
/* Convenience accessors for the union arms above (expand to member paths). */
#define fw_via_ip	fu_via_un.fu_via_ip
#define fw_via_name	fu_via_un.fu_via_if.fu_via_name
#define fw_via_unit	fu_via_un.fu_via_if.fu_via_unit
	u_short fw_number;			/* Rule number (ordering key in the chain) */
	u_short fw_flg;				/* Flags word; IP_FW_F_* values below */
	u_short fw_nsp, fw_ndp;			/* N'of src ports and # of dst ports */
						/* in ports array (dst ports follow */
						/* src ports; max of 10 ports in all; */
						/* count of 0 means match all ports) */
						/*
						 * NOTE(review): fw_nsp and fw_ndp index
						 * into fw_pts and arrive from userland
						 * via IP_FW_ADD; the receiving side must
						 * reject fw_nsp + fw_ndp > IP_FW_MAX_PORTS
						 * before walking the array — presumably
						 * done in the setsockopt handler, verify.
						 */
#define IP_FW_MAX_PORTS	10			/* A reasonable maximum */
	u_short fw_pts[IP_FW_MAX_PORTS];	/* Array of port numbers to match */
	u_char fw_ipopt,fw_ipnopt;		/* IP options set/unset */
	u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset */
/*
 * Number of 'unsigned' words needed for one bit per ICMP type (0..255).
 * Assumes 8-bit bytes (sizeof(unsigned) * 8 is the bit width).
 */
#define IP_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
	unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
	long timestamp;				/* timestamp (tv_sec) of last match */
	u_short fw_divert_port;			/* Divert port (options IPDIVERT) */
};

/*
 * One element of the rule chain: a list link plus the rule it owns.
 * (Ownership of *rule — who frees it — is not established in this
 * header; see the chain manipulation code.)
 */
struct ip_fw_chain {
	LIST_ENTRY(ip_fw_chain) chain;
	struct ip_fw *rule;
};

/*
 * Values for "flags" field .
 *
 * Layout of fw_flg (all fields overlap only where noted):
 *   0x0003  IP_FW_F_KIND     protocol kind (two-bit field, not a bit set)
 *   0x000c  IP_FW_F_IN/OUT   direction
 *   0x0030  IP_FW_F_COMMAND  action (two-bit field; IP_FW_F_DENY is 0)
 *   0x3fc0  individual option bits
 * IP_FW_F_MASK covers every bit defined here; flags outside it have no
 * meaning and should be rejected when a rule is installed.
 */

#define IP_FW_F_ALL	0x0000	/* This is a universal packet rule */
#define IP_FW_F_TCP	0x0001	/* This is a TCP packet rule */
#define IP_FW_F_UDP	0x0002	/* This is a UDP packet rule */
#define IP_FW_F_ICMP	0x0003	/* This is a ICMP packet rule */
#define IP_FW_F_KIND	0x0003	/* Mask to isolate rule kind */
				/* NB: IP_FW_F_ICMP uses both kind bits, so
				 * (flg & IP_FW_F_KIND) == IP_FW_F_ICMP is the
				 * only correct ICMP test; testing single bits
				 * would also match TCP/UDP rules. */

#define IP_FW_F_IN	0x0004	/* Inbound */
#define IP_FW_F_OUT	0x0008	/* Outbound */

#define IP_FW_F_COMMAND 0x0030	/* Mask for type of chain entry: */
#define IP_FW_F_ACCEPT	0x0010	/* This is an accept rule */
#define IP_FW_F_COUNT	0x0020	/* This is a count rule */
#define IP_FW_F_DIVERT	0x0030	/* This is a divert rule */
#define IP_FW_F_DENY	0x0000	/* This is a deny rule */
				/* (deny is the all-zero action: a rule whose
				 * command bits are left unset denies) */

#define IP_FW_F_PRN	0x0040	/* Print if this rule matches */
#define IP_FW_F_ICMPRPL	0x0080	/* Send back icmp unreachable packet */

#define IP_FW_F_SRNG	0x0100	/* The first two src ports are a min *
				 * and max range (stored in host byte *
				 * order). */
				/* NOTE(review): implies fw_nsp >= 2; a rule
				 * with this flag and fewer ports is
				 * malformed — confirm it is rejected. */

#define IP_FW_F_DRNG	0x0200	/* The first two dst ports are a min *
				 * and max range (stored in host byte *
				 * order). */
				/* NOTE(review): likewise implies fw_ndp >= 2. */

#define IP_FW_F_IFNAME	0x0400	/* Use interface name/unit (not IP) */

#define IP_FW_F_FRAG	0x0800	/* Fragment */

#define IP_FW_F_ICMPBIT 0x1000	/* ICMP type bitmap is valid */

#define IP_FW_F_IFUWILD	0x2000	/* Match all interface units */

#define IP_FW_F_MASK	0x3FFF	/* All possible flag bits mask */

/*
 * Definitions for IP option names.
 * Bit values for fw_ipopt / fw_ipnopt (options that must be set / unset).
 */
#define IP_FW_IPOPT_LSRR	0x01
#define IP_FW_IPOPT_SSRR	0x02
#define IP_FW_IPOPT_RR		0x04
#define IP_FW_IPOPT_TS		0x08

/*
 * Definitions for TCP flags.
 * Bit values for fw_tcpf / fw_tcpnf; the first six alias the TH_* bits
 * from the TCP header definitions.
 */
#define IP_FW_TCPF_FIN		TH_FIN
#define IP_FW_TCPF_SYN		TH_SYN
#define IP_FW_TCPF_RST		TH_RST
#define IP_FW_TCPF_PSH		TH_PUSH
#define IP_FW_TCPF_ACK		TH_ACK
#define IP_FW_TCPF_URG		TH_URG
#define IP_FW_TCPF_ESTAB	0x40	/* Not a TH_* bit: a firewall-defined
					 * value; how it is matched against
					 * the packet is not shown here —
					 * TODO confirm in the match code. */

/*
 * New IP firewall options for [gs]etsockopt at the RAW IP level.
 * These are the untrusted entry points: the optval for IP_FW_ADD/DEL is
 * a struct ip_fw supplied by userland and must be size- and
 * range-checked before use.
 */
#define IP_FW_BASE_CTL	50

#define IP_FW_ADD	(IP_FW_BASE_CTL+0)
#define IP_FW_DEL	(IP_FW_BASE_CTL+1)
#define IP_FW_FLUSH	(IP_FW_BASE_CTL+2)
#define IP_FW_ZERO	(IP_FW_BASE_CTL+3)
#define IP_FW_GET	(IP_FW_BASE_CTL+4)

/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef KERNEL

/*
 * Function definitions.
 */
void ip_fw_init(void);		/* Kernel-side initialisation entry point */

#endif /* KERNEL */

#endif /* _IP_FW_H */