ip_fil.h revision 139282
1/* 2 * Copyright (C) 1993-2002 by Darren Reed. 3 * 4 * See the IPFILTER.LICENCE file for details on licencing. 5 * 6 * @(#)ip_fil.h 1.35 6/5/96 7 * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $ 8 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_fil.h 139282 2004-12-25 00:22:25Z scottl $ 9 */ 10 11#ifndef __IP_FIL_H__ 12#define __IP_FIL_H__ 13 14/* 15 * Pathnames for various IP Filter control devices. Used by LKM 16 * and userland, so defined here. 17 */ 18#define IPNAT_NAME "/dev/ipnat" 19#define IPSTATE_NAME "/dev/ipstate" 20#define IPAUTH_NAME "/dev/ipauth" 21 22#ifndef SOLARIS 23# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4))) 24#endif 25 26#if defined(KERNEL) && !defined(_KERNEL) 27# define _KERNEL 28#endif 29 30#ifndef __P 31# ifdef __STDC__ 32# define __P(x) x 33# else 34# define __P(x) () 35# endif 36#endif 37 38#ifndef offsetof 39# define offsetof(t,m) (int)((&((t *)0L)->m)) 40#endif 41 42#if defined(__STDC__) || defined(__GNUC__) 43# define SIOCADAFR _IOW('r', 60, struct frentry *) 44# define SIOCRMAFR _IOW('r', 61, struct frentry *) 45# define SIOCSETFF _IOW('r', 62, u_int) 46# define SIOCGETFF _IOR('r', 63, u_int) 47# define SIOCGETFS _IOWR('r', 64, struct friostat *) 48# define SIOCIPFFL _IOWR('r', 65, int) 49# define SIOCIPFFB _IOR('r', 66, int) 50# define SIOCADIFR _IOW('r', 67, struct frentry *) 51# define SIOCRMIFR _IOW('r', 68, struct frentry *) 52# define SIOCSWAPA _IOR('r', 69, u_int) 53# define SIOCINAFR _IOW('r', 70, struct frentry *) 54# define SIOCINIFR _IOW('r', 71, struct frentry *) 55# define SIOCFRENB _IOW('r', 72, u_int) 56# define SIOCFRSYN _IOW('r', 73, u_int) 57# define SIOCFRZST _IOWR('r', 74, struct friostat *) 58# define SIOCZRLST _IOWR('r', 75, struct frentry *) 59# define SIOCAUTHW _IOWR('r', 76, struct frauth *) 60# define SIOCAUTHR _IOWR('r', 77, struct frauth *) 61# define SIOCATHST _IOWR('r', 78, struct fr_authstat *) 62# define SIOCSTLCK _IOWR('r', 79, u_int) 63# define SIOCSTPUT _IOWR('r', 80, struct ipstate_save *) 64# define SIOCSTGET _IOWR('r', 81, struct ipstate_save *) 65# define SIOCSTGSZ _IOWR('r', 82, struct natget) 66# define SIOCGFRST _IOWR('r', 83, struct ipfrstat *) 67# define SIOCIPFL6 _IOWR('r', 84, int) 68#else 69# define SIOCADAFR _IOW(r, 60, struct frentry *) 70# define SIOCRMAFR _IOW(r, 61, struct frentry *) 71# define SIOCSETFF _IOW(r, 62, u_int) 72# define SIOCGETFF _IOR(r, 63, u_int) 73# define SIOCGETFS _IOWR(r, 64, struct friostat *) 74# define SIOCIPFFL _IOWR(r, 65, int) 75# define SIOCIPFFB _IOR(r, 66, int) 76# define SIOCADIFR _IOW(r, 67, struct frentry *) 77# define SIOCRMIFR _IOW(r, 68, struct frentry *) 78# define SIOCSWAPA _IOR(r, 69, u_int) 79# define SIOCINAFR _IOW(r, 70, struct frentry *) 80# define SIOCINIFR _IOW(r, 71, struct frentry *) 81# define SIOCFRENB _IOW(r, 72, u_int) 82# define SIOCFRSYN _IOW(r, 73, u_int) 83# define SIOCFRZST _IOWR(r, 74, struct friostat *) 84# define SIOCZRLST _IOWR(r, 75, struct frentry *) 85# define SIOCAUTHW _IOWR(r, 76, struct frauth *) 86# define SIOCAUTHR _IOWR(r, 77, struct frauth *) 87# define SIOCATHST _IOWR(r, 78, struct fr_authstat *) 88# define SIOCSTLCK _IOWR(r, 79, u_int) 89# define SIOCSTPUT _IOWR(r, 80, struct ipstate_save *) 90# define SIOCSTGET _IOWR(r, 81, struct ipstate_save *) 91# define SIOCSTGSZ _IOWR(r, 82, struct natget) 92# define SIOCGFRST _IOWR(r, 83, struct ipfrstat *) 93# define SIOCIPFL6 _IOWR(r, 84, int) 94#endif 95#define SIOCADDFR SIOCADAFR 96#define SIOCDELFR SIOCRMAFR 97#define SIOCINSFR SIOCINAFR 98 99 100typedef struct fr_ip { 101 u_32_t fi_v:4; /* IP version */ 102 u_32_t fi_fl:4; /* packet flags */ 103 u_32_t fi_tos:8; /* IP packet TOS */ 104 u_32_t fi_ttl:8; /* IP packet TTL */ 105 u_32_t fi_p:8; /* IP packet protocol */ 106 union i6addr fi_src; /* source address from packet */ 107 union i6addr fi_dst; /* destination address from packet */ 108 u_32_t fi_optmsk; /* bitmask composed from IP options */ 109 u_short fi_secmsk; /* bitmask composed from IP security options */ 110 u_short fi_auth; /* authentication code from IP sec. options */ 111} fr_ip_t; 112 113#define FI_OPTIONS (FF_OPTIONS >> 24) 114#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/ 115#define FI_FRAG (FF_FRAG >> 24) 116#define FI_SHORT (FF_SHORT >> 24) 117#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT) 118 119#define fi_saddr fi_src.in4.s_addr 120#define fi_daddr fi_dst.in4.s_addr 121 122 123/* 124 * These are both used by the state and NAT code to indicate that one port or 125 * the other should be treated as a wildcard. 126 */ 127#define FI_W_SPORT 0x00000100 128#define FI_W_DPORT 0x00000200 129#define FI_WILDP (FI_W_SPORT|FI_W_DPORT) 130#define FI_W_SADDR 0x00000400 131#define FI_W_DADDR 0x00000800 132#define FI_WILDA (FI_W_SADDR|FI_W_DADDR) 133#define FI_NEWFR 0x00001000 /* Create a filter rule */ 134#define FI_IGNOREPKT 0x00002000 /* Do not treat as a real packet */ 135#define FI_NORULE 0x00004000 /* Not direct a result of a rule */ 136 137typedef struct fr_info { 138 void *fin_ifp; /* interface packet is `on' */ 139 struct fr_ip fin_fi; /* IP Packet summary */ 140 u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */ 141 u_int fin_out; /* in or out ? 1 == out, 0 == in */ 142 u_short fin_hlen; /* length of IP header in bytes */ 143 u_char fin_rev; /* state only: 1 = reverse */ 144 u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */ 145 u_int fin_icode; /* ICMP error to return */ 146 u_32_t fin_rule; /* rule # last matched */ 147 u_32_t fin_group; /* group number, -1 for none */ 148 struct frentry *fin_fr; /* last matching rule */ 149 char *fin_dp; /* start of data past IP header */ 150 u_short fin_plen; 151 u_short fin_off; 152 u_short fin_dlen; /* length of data portion of packet */ 153 u_short fin_id; /* IP packet id field */ 154 u_int fin_misc; 155 mb_t **fin_mp; /* pointer to pointer to mbuf */ 156#if SOLARIS 157 void *fin_qfm; /* pointer to mblk where pkt starts */ 158 void *fin_qif; 159#endif 160} fr_info_t; 161 162#define fin_v fin_fi.fi_v 163#define fin_p fin_fi.fi_p 164#define fin_saddr fin_fi.fi_saddr 165#define fin_src fin_fi.fi_src.in4 166#define fin_daddr fin_fi.fi_daddr 167#define fin_dst fin_fi.fi_dst.in4 168#define fin_fl fin_fi.fi_fl 169 170/* 171 * Size for compares on fr_info structures 172 */ 173#define FI_CSIZE offsetof(fr_info_t, fin_icode) 174#define FI_LCSIZE offsetof(fr_info_t, fin_dp) 175 176/* 177 * For fin_misc 178 */ 179#define FM_BADSTATE 0x00000001 180 181/* 182 * Size for copying cache fr_info structure 183 */ 184#define FI_COPYSIZE offsetof(fr_info_t, fin_dp) 185 186typedef struct frdest { 187 void *fd_ifp; 188 union i6addr fd_ip6; 189 char fd_ifname[LIFNAMSIZ]; 190#if SOLARIS 191 mb_t *fd_mp; /* cache resolver for to/dup-to */ 192#endif 193} frdest_t; 194 195#define fd_ip fd_ip6.in4 196 197 198typedef struct frpcmp { 199 int frp_cmp; /* data for port comparisons */ 200 u_short frp_port; /* top port for <> and >< */ 201 u_short frp_top; /* top port for <> and >< */ 202} frpcmp_t; 203 204typedef struct frtuc { 205 u_char ftu_tcpfm; /* tcp flags mask */ 206 u_char ftu_tcpf; /* tcp flags */ 207 frpcmp_t ftu_src; 208 frpcmp_t ftu_dst; 209} frtuc_t; 210 211#define ftu_scmp ftu_src.frp_cmp 212#define ftu_dcmp ftu_dst.frp_cmp 213#define ftu_sport ftu_src.frp_port 214#define ftu_dport ftu_dst.frp_port 215#define ftu_stop ftu_src.frp_top 216#define ftu_dtop ftu_dst.frp_top 217 218typedef struct frentry { 219 struct frentry *fr_next; 220 struct frentry *fr_grp; 221 int fr_ref; /* reference count - for grouping */ 222 void *fr_ifas[4]; 223 /* 224 * These are only incremented when a packet matches this rule and 225 * it is the last match 226 */ 227 U_QUAD_T fr_hits; 228 U_QUAD_T fr_bytes; 229 /* 230 * Fields after this may not change whilst in the kernel. 231 */ 232 struct fr_ip fr_ip; 233 struct fr_ip fr_mip; /* mask structure */ 234 235 236 u_short fr_icmpm; /* data for ICMP packets (mask) */ 237 u_short fr_icmp; 238 239 u_int fr_age[2]; /* aging for state */ 240 frtuc_t fr_tuc; 241 u_32_t fr_group; /* group to which this rule belongs */ 242 u_32_t fr_grhead; /* group # which this rule starts */ 243 u_32_t fr_flags; /* per-rule flags && options (see below) */ 244 u_int fr_skip; /* # of rules to skip */ 245 u_int fr_loglevel; /* syslog log facility + priority */ 246 int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */ 247 int fr_sap; /* For solaris only */ 248 u_char fr_icode; /* return ICMP code */ 249 char fr_ifnames[4][LIFNAMSIZ]; 250 struct frdest fr_tif; /* "to" interface */ 251 struct frdest fr_dif; /* duplicate packet interfaces */ 252 u_int fr_cksum; /* checksum on filter rules for performance */ 253} frentry_t; 254 255#define fr_v fr_ip.fi_v 256#define fr_proto fr_ip.fi_p 257#define fr_ttl fr_ip.fi_ttl 258#define fr_tos fr_ip.fi_tos 259#define fr_tcpfm fr_tuc.ftu_tcpfm 260#define fr_tcpf fr_tuc.ftu_tcpf 261#define fr_scmp fr_tuc.ftu_scmp 262#define fr_dcmp fr_tuc.ftu_dcmp 263#define fr_dport fr_tuc.ftu_dport 264#define fr_sport fr_tuc.ftu_sport 265#define fr_stop fr_tuc.ftu_stop 266#define fr_dtop fr_tuc.ftu_dtop 267#define fr_dst fr_ip.fi_dst.in4 268#define fr_src fr_ip.fi_src.in4 269#define fr_dmsk fr_mip.fi_dst.in4 270#define fr_smsk fr_mip.fi_src.in4 271#define fr_ifname fr_ifnames[0] 272#define fr_oifname fr_ifnames[2] 273#define fr_ifa fr_ifas[0] 274#define fr_oifa fr_ifas[2] 275 276#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip)) 277 278/* 279 * fr_flags 280 */ 281#define FR_BLOCK 0x00001 /* do not allow packet to pass */ 282#define FR_PASS 0x00002 /* allow packet to pass */ 283#define FR_OUTQUE 0x00004 /* outgoing packets */ 284#define FR_INQUE 0x00008 /* ingoing packets */ 285#define FR_LOG 0x00010 /* Log */ 286#define FR_LOGB 0x00011 /* Log-fail */ 287#define FR_LOGP 0x00012 /* Log-pass */ 288#define FR_NOTSRCIP 0x00020 /* not the src IP# */ 289#define FR_NOTDSTIP 0x00040 /* not the dst IP# */ 290#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */ 291#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */ 292#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */ 293#define FR_NOMATCH 0x00200 /* no match occured */ 294#define FR_ACCOUNT 0x00400 /* count packet bytes */ 295#define FR_KEEPFRAG 0x00800 /* keep fragment information */ 296#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */ 297#define FR_INACTIVE 0x02000 298#define FR_QUICK 0x04000 /* match & stop processing list */ 299#define FR_FASTROUTE 0x08000 /* bypass normal routing */ 300#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */ 301#define FR_DUP 0x20000 /* duplicate packet */ 302#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */ 303#define FR_LOGBODY 0x80000 /* Log the body */ 304#define FR_LOGFIRST 0x100000 /* Log the first byte if state held */ 305#define FR_AUTH 0x200000 /* use authentication */ 306#define FR_PREAUTH 0x400000 /* require preauthentication */ 307#define FR_DONTCACHE 0x800000 /* don't cache the result */ 308 309#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB) 310#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP) 311 312/* 313 * These correspond to #define's for FI_* and are stored in fr_flags 314 */ 315#define FF_OPTIONS 0x01000000 316#define FF_TCPUDP 0x02000000 317#define FF_FRAG 0x04000000 318#define FF_SHORT 0x08000000 319/* 320 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags 321 */ 322#define FF_LOGPASS 0x10000000 323#define FF_LOGBLOCK 0x20000000 324#define FF_LOGNOMATCH 0x40000000 325#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH) 326#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */ 327 328#define FR_NONE 0 329#define FR_EQUAL 1 330#define FR_NEQUAL 2 331#define FR_LESST 3 332#define FR_GREATERT 4 333#define FR_LESSTE 5 334#define FR_GREATERTE 6 335#define FR_OUTRANGE 7 336#define FR_INRANGE 8 337 338typedef struct filterstats { 339 u_long fr_pass; /* packets allowed */ 340 u_long fr_block; /* packets denied */ 341 u_long fr_nom; /* packets which don't match any rule */ 342 u_long fr_short; /* packets which are short */ 343 u_long fr_ppkl; /* packets allowed and logged */ 344 u_long fr_bpkl; /* packets denied and logged */ 345 u_long fr_npkl; /* packets unmatched and logged */ 346 u_long fr_pkl; /* packets logged */ 347 u_long fr_skip; /* packets to be logged but buffer full */ 348 u_long fr_ret; /* packets for which a return is sent */ 349 u_long fr_acct; /* packets for which counting was performed */ 350 u_long fr_bnfr; /* bad attempts to allocate fragment state */ 351 u_long fr_nfr; /* new fragment state kept */ 352 u_long fr_cfr; /* add new fragment state but complete pkt */ 353 u_long fr_bads; /* bad attempts to allocate packet state */ 354 u_long fr_ads; /* new packet state kept */ 355 u_long fr_chit; /* cached hit */ 356 u_long fr_tcpbad; /* TCP checksum check failures */ 357 u_long fr_pull[2]; /* good and bad pullup attempts */ 358 u_long fr_badsrc; /* source received doesn't match route */ 359 u_long fr_badttl; /* TTL in packet doesn't reach minimum */ 360#if SOLARIS 361 u_long fr_notdata; /* PROTO/PCPROTO that have no data */ 362 u_long fr_nodata; /* mblks that have no data */ 363 u_long fr_bad; /* bad IP packets to the filter */ 364 u_long fr_notip; /* packets passed through no on ip queue */ 365 u_long fr_drop; /* packets dropped - no info for them! */ 366 u_long fr_copy; /* messages copied due to db_ref > 1 */ 367#endif 368 u_long fr_ipv6[2]; /* IPv6 packets in/out */ 369} filterstats_t; 370 371/* 372 * For SIOCGETFS 373 */ 374typedef struct friostat { 375 struct filterstats f_st[2]; 376 struct frentry *f_fin[2]; 377 struct frentry *f_fout[2]; 378 struct frentry *f_acctin[2]; 379 struct frentry *f_acctout[2]; 380 struct frentry *f_fin6[2]; 381 struct frentry *f_fout6[2]; 382 struct frentry *f_acctin6[2]; 383 struct frentry *f_acctout6[2]; 384 struct frentry *f_auth; 385 struct frgroup *f_groups[3][2]; 386 u_long f_froute[2]; 387 int f_defpass; /* default pass - from fr_pass */ 388 char f_active; /* 1 or 0 - active rule set */ 389 char f_running; /* 1 if running, else 0 */ 390 char f_logging; /* 1 if enabled, else 0 */ 391 char f_version[32]; /* version string */ 392 int f_locks[4]; 393} friostat_t; 394 395typedef struct optlist { 396 u_short ol_val; 397 int ol_bit; 398} optlist_t; 399 400 401/* 402 * Group list structure. 403 */ 404typedef struct frgroup { 405 u_32_t fg_num; 406 struct frgroup *fg_next; 407 struct frentry *fg_head; 408 struct frentry **fg_start; 409} frgroup_t; 410 411 412/* 413 * Log structure. Each packet header logged is prepended by one of these. 414 * Following this in the log records read from the device will be an ipflog 415 * structure which is then followed by any packet data. 416 */ 417typedef struct iplog { 418 u_32_t ipl_magic; 419 u_int ipl_count; 420 struct timeval ipl_tv; 421 size_t ipl_dsize; 422 struct iplog *ipl_next; 423} iplog_t; 424 425#define ipl_sec ipl_tv.tv_sec 426#define ipl_usec ipl_tv.tv_usec 427 428#define IPL_MAGIC 0x49504c4d /* 'IPLM' */ 429#define IPLOG_SIZE sizeof(iplog_t) 430 431typedef struct ipflog { 432#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \ 433 (defined(OpenBSD) && (OpenBSD >= 199603)) 434 char fl_ifname[LIFNAMSIZ]; 435#else 436 u_int fl_unit; 437 char fl_ifname[LIFNAMSIZ]; 438#endif 439 u_char fl_plen; /* extra data after hlen */ 440 u_char fl_hlen; /* length of IP headers saved */ 441 u_short fl_loglevel; /* syslog log level */ 442 u_32_t fl_rule; 443 u_32_t fl_group; 444 u_32_t fl_flags; 445 u_char fl_dir; 446 u_char fl_pad[3]; 447} ipflog_t; 448 449 450#ifndef ICMP_UNREACH_FILTER 451# define ICMP_UNREACH_FILTER 13 452#endif 453 454#ifndef IPF_LOGGING 455# define IPF_LOGGING 0 456#endif 457#ifndef IPF_DEFAULT_PASS 458# define IPF_DEFAULT_PASS FR_PASS 459#endif 460 461#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h))) 462#define IPLLOGSIZE 8192 463 464#define IPF_OPTCOPY 0x07ff00 /* bit mask of copied options */ 465 466/* 467 * Device filenames for reading log information. Use ipf on Solaris2 because 468 * ipl is already a name used by something else. 469 */ 470#ifndef IPL_NAME 471# if SOLARIS 472# define IPL_NAME "/dev/ipf" 473# else 474# define IPL_NAME "/dev/ipl" 475# endif 476#endif 477#define IPL_NAT IPNAT_NAME 478#define IPL_STATE IPSTATE_NAME 479#define IPL_AUTH IPAUTH_NAME 480 481#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */ 482#define IPL_LOGNAT 1 483#define IPL_LOGSTATE 2 484#define IPL_LOGAUTH 3 485#define IPL_LOGMAX 3 486 487#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \ 488 (__FreeBSD_version >= 220000) 489# define CDEV_MAJOR 79 490#endif 491 492/* 493 * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns 494 * on those hooks. We don't need any special mods in non-IP Filter code 495 * with this! 496 */ 497#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \ 498 (defined(NetBSD1_2) && NetBSD1_2 > 1) || (defined(__FreeBSD_version) && \ 499 (__FreeBSD_version >= 500011)) 500# if (NetBSD >= 199905) 501# define PFIL_HOOKS 502# endif 503# ifdef PFIL_HOOKS 504# define NETBSD_PF 505# endif 506#endif 507 508 509#ifndef _KERNEL 510extern char *get_ifname __P((struct ifnet *)); 511extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); 512extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); 513extern int send_reset __P((ip_t *, fr_info_t *)); 514extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); 515extern int ipf_log __P((void)); 516extern struct ifnet *get_unit __P((char *, int)); 517extern int mbuflen __P((mb_t *)); 518# if defined(__NetBSD__) || defined(__OpenBSD__) || \ 519 (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000) 520extern int iplioctl __P((dev_t, u_long, caddr_t, int)); 521# else 522extern int iplioctl __P((dev_t, int, caddr_t, int)); 523# endif 524extern int iplopen __P((dev_t, int)); 525extern int iplclose __P((dev_t, int)); 526#else /* #ifndef _KERNEL */ 527# if defined(__NetBSD__) && defined(PFIL_HOOKS) 528extern void ipfilterattach __P((int)); 529# endif 530extern int iplattach __P((void)); 531extern int ipl_enable __P((void)); 532extern int ipl_disable __P((void)); 533extern int send_icmp_err __P((ip_t *, int, fr_info_t *, int)); 534extern int send_reset __P((ip_t *, fr_info_t *)); 535# if SOLARIS 536extern int fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **)); 537extern int (*fr_checkp) __P((ip_t *, int, void *, 538 int, qif_t *, mb_t **)); 539# if SOLARIS2 >= 7 540extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *)); 541# else 542extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *)); 543# endif 544extern int iplopen __P((dev_t *, int, int, cred_t *)); 545extern int iplclose __P((dev_t, int, int, cred_t *)); 546extern int ipfsync __P((void)); 547extern int ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **, 548 fr_info_t *, frdest_t *)); 549extern void copyin_mblk __P((mblk_t *, size_t, size_t, char *)); 550extern void copyout_mblk __P((mblk_t *, size_t, size_t, char *)); 551extern int fr_qin __P((queue_t *, mblk_t *)); 552extern int fr_qout __P((queue_t *, mblk_t *)); 553extern int iplread __P((dev_t, struct uio *, cred_t *)); 554# else /* SOLARIS */ 555extern int fr_check __P((ip_t *, int, void *, int, mb_t **)); 556extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **)); 557extern int ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *)); 558extern size_t mbufchainlen __P((mb_t *)); 559# ifdef __sgi 560# include <sys/cred.h> 561extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *)); 562extern int iplopen __P((dev_t *, int, int, cred_t *)); 563extern int iplclose __P((dev_t, int, int, cred_t *)); 564extern int iplread __P((dev_t, struct uio *, cred_t *)); 565extern int ipfsync __P((void)); 566extern int ipfilter_sgi_attach __P((void)); 567extern void ipfilter_sgi_detach __P((void)); 568extern void ipfilter_sgi_intfsync __P((void)); 569# else 570# ifdef IPFILTER_LKM 571extern int iplidentify __P((char *)); 572# endif 573# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \ 574 (NetBSD >= 199511) || defined(__OpenBSD__) 575# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \ 576 defined(__OpenBSD__) || (__FreeBSD_version >= 300000) 577extern int iplioctl __P((struct cdev *, u_long, caddr_t, int, struct thread *)); 578# else 579extern int iplioctl __P((dev_t, int, caddr_t, int, struct thread *)); 580# endif 581extern int iplopen __P((struct cdev *, int, int, struct thread *)); 582extern int iplclose __P((struct cdev *, int, int, struct thread *)); 583# else 584# ifndef linux 585extern int iplopen __P((dev_t, int)); 586extern int iplclose __P((dev_t, int)); 587extern int iplioctl __P((dev_t, int, caddr_t, int)); 588# else 589extern int iplioctl(struct inode *, struct file *, u_int, u_long); 590extern int iplopen __P((struct inode *, struct file *)); 591extern void iplclose __P((struct inode *, struct file *)); 592# endif /* !linux */ 593# endif /* (_BSDI_VERSION >= 199510) */ 594# if BSD >= 199306 595extern int iplread __P((struct cdev *, struct uio *, int)); 596# else 597# ifndef linux 598extern int iplread __P((dev_t, struct uio *)); 599# else 600extern int iplread(struct inode *, struct file *, char *, int); 601# endif /* !linux */ 602# endif /* BSD >= 199306 */ 603# endif /* __ sgi */ 604# endif /* SOLARIS */ 605#endif /* #ifndef _KERNEL */ 606 607extern char *memstr __P((char *, char *, int, int)); 608extern void fixskip __P((frentry_t **, frentry_t *, int)); 609extern int countbits __P((u_32_t)); 610extern int ipldetach __P((void)); 611extern u_short ipf_cksum __P((u_short *, int)); 612extern int ircopyptr __P((void *, void *, size_t)); 613extern int iwcopyptr __P((void *, void *, size_t)); 614 615extern void ipflog_init __P((void)); 616extern int ipflog_clear __P((minor_t)); 617extern int ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *)); 618extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int)); 619extern int ipflog_read __P((minor_t, struct uio *)); 620 621extern int frflush __P((minor_t, int, int)); 622extern void frsync __P((void)); 623extern frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int)); 624extern void fr_delgroup __P((u_32_t, u_32_t, minor_t, int)); 625extern frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int, 626 frgroup_t ***)); 627 628extern int fr_copytolog __P((int, char *, int)); 629extern void fr_forgetifp __P((void *)); 630extern void fr_getstat __P((struct friostat *)); 631extern int fr_ifpaddr __P((int, void *, struct in_addr *)); 632extern int fr_lock __P((caddr_t, int *)); 633extern int fr_makefrip __P((int, ip_t *, fr_info_t *)); 634extern u_short fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *)); 635extern int fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *)); 636extern int fr_tcpudpchk __P((frtuc_t *, fr_info_t *)); 637extern int fr_verifysrc __P((struct in_addr, void *)); 638 639extern int ipl_unreach; 640extern int fr_running; 641extern u_long ipl_frouteok[2]; 642extern int fr_pass; 643extern int fr_flags; 644extern int fr_active; 645extern int fr_chksrc; 646extern int fr_minttl; 647extern int fr_minttllog; 648extern fr_info_t frcache[2]; 649extern char ipfilter_version[]; 650extern iplog_t **iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1]; 651extern size_t iplused[IPL_LOGMAX + 1]; 652extern struct frentry *ipfilter[2][2], *ipacct[2][2]; 653#ifdef USE_INET6 654extern struct frentry *ipfilter6[2][2], *ipacct6[2][2]; 655extern int icmptoicmp6types[ICMP_MAXTYPE+1]; 656extern int icmptoicmp6unreach[ICMP_MAX_UNREACH]; 657#endif 658extern struct frgroup *ipfgroups[3][2]; 659extern struct filterstats frstats[]; 660 661#endif /* __IP_FIL_H__ */ 662