ip_fil.h revision 139282
1/*
2 * Copyright (C) 1993-2002 by Darren Reed.
3 *
4 * See the IPFILTER.LICENCE file for details on licencing.
5 *
6 * @(#)ip_fil.h	1.35 6/5/96
7 * $Id: ip_fil.h,v 2.29.2.4 2000/11/12 11:54:53 darrenr Exp $
8 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_fil.h 139282 2004-12-25 00:22:25Z scottl $
9 */
10
11#ifndef	__IP_FIL_H__
12#define	__IP_FIL_H__
13
14/*
15 * Pathnames for various IP Filter control devices.  Used by LKM
16 * and userland, so defined here.
17 */
/*
 * NOTE(review): IPL_NAT, IPL_STATE and IPL_AUTH further down alias these
 * three names.  Presumably the SIOC* ioctls below are issued on these nodes,
 * which would make their ownership and mode the access control for NAT,
 * state and auth changes -- confirm against the device attach code.
 */
18#define	IPNAT_NAME	"/dev/ipnat"
19#define	IPSTATE_NAME	"/dev/ipstate"
20#define	IPAUTH_NAME	"/dev/ipauth"
21
/*
 * SOLARIS is tested with "#if SOLARIS" throughout this header.  When it is
 * not predefined it expands to an expression that contains `defined'; ISO C
 * leaves the result undefined when `defined' is produced by macro expansion
 * inside #if.  NOTE(review): common compilers evaluate it as intended, but
 * defining SOLARIS explicitly to 0 or 1 in the build avoids relying on that.
 */
22#ifndef	SOLARIS
23# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
24#endif
25
/* Accept the older KERNEL spelling as a request for _KERNEL. */
26#if defined(KERNEL) && !defined(_KERNEL)
27# define	_KERNEL
28#endif
29
/*
 * __P(x) wraps every prototype argument list in this header: it is kept
 * as written when __STDC__ is defined and reduced to () otherwise, in which
 * case calls through these declarations get no argument type checking.
 */
30#ifndef	__P
31# ifdef	__STDC__
32#  define	__P(x)	x
33# else
34#  define	__P(x)	()
35# endif
36#endif
37
/*
 * Fallback used only when offsetof is not already defined.  It forms the
 * address of member m through a null pointer and casts the result to int.
 * NOTE(review): that is formally undefined behaviour in ISO C, and the int
 * cast truncates where pointers are wider than int; the <stddef.h>
 * definition is preferable wherever it is available.  The result feeds
 * FI_CSIZE, FI_LCSIZE, FI_COPYSIZE and FR_CMPSIZ below, which are sizes for
 * comparing and copying structures.
 */
38#ifndef	offsetof
39# define	offsetof(t,m)	(int)((&((t *)0L)->m))
40#endif
41
/*
 * ioctl command numbers for the IP Filter devices: group 'r', numbers 60-84.
 * The first branch is used with ISO C or GNU compilers; the second passes
 * the group letter unquoted (presumably for pre-ANSI preprocessors whose
 * _IO* macros quote it themselves -- confirm).
 *
 * Most commands name a pointer type as the third _IO* argument, so the size
 * encoded in the command is that of a pointer, not of the structure.
 * NOTE(review): that suggests the generic ioctl layer moves only the pointer
 * and the handler must copy the structure itself (ircopyptr and iwcopyptr
 * are declared further down with an explicit size).  Confirm the handler
 * validates that user pointer and the length it copies.  SIOCSTGSZ is the
 * exception: it names struct natget by value.
 */
42#if defined(__STDC__) || defined(__GNUC__)
43# define	SIOCADAFR	_IOW('r', 60, struct frentry *)
44# define	SIOCRMAFR	_IOW('r', 61, struct frentry *)
45# define	SIOCSETFF	_IOW('r', 62, u_int)
46# define	SIOCGETFF	_IOR('r', 63, u_int)
47# define	SIOCGETFS	_IOWR('r', 64, struct friostat *)
48# define	SIOCIPFFL	_IOWR('r', 65, int)
49# define	SIOCIPFFB	_IOR('r', 66, int)
50# define	SIOCADIFR	_IOW('r', 67, struct frentry *)
51# define	SIOCRMIFR	_IOW('r', 68, struct frentry *)
52# define	SIOCSWAPA	_IOR('r', 69, u_int)
53# define	SIOCINAFR	_IOW('r', 70, struct frentry *)
54# define	SIOCINIFR	_IOW('r', 71, struct frentry *)
55# define	SIOCFRENB	_IOW('r', 72, u_int)
56# define	SIOCFRSYN	_IOW('r', 73, u_int)
57# define	SIOCFRZST	_IOWR('r', 74, struct friostat *)
58# define	SIOCZRLST	_IOWR('r', 75, struct frentry *)
59# define	SIOCAUTHW	_IOWR('r', 76, struct frauth *)
60# define	SIOCAUTHR	_IOWR('r', 77, struct frauth *)
61# define	SIOCATHST	_IOWR('r', 78, struct fr_authstat *)
62# define	SIOCSTLCK	_IOWR('r', 79, u_int)
63# define	SIOCSTPUT	_IOWR('r', 80, struct ipstate_save *)
64# define	SIOCSTGET	_IOWR('r', 81, struct ipstate_save *)
65# define	SIOCSTGSZ	_IOWR('r', 82, struct natget)
66# define	SIOCGFRST	_IOWR('r', 83, struct ipfrstat *)
67# define	SIOCIPFL6	_IOWR('r', 84, int)
68#else
69# define	SIOCADAFR	_IOW(r, 60, struct frentry *)
70# define	SIOCRMAFR	_IOW(r, 61, struct frentry *)
71# define	SIOCSETFF	_IOW(r, 62, u_int)
72# define	SIOCGETFF	_IOR(r, 63, u_int)
73# define	SIOCGETFS	_IOWR(r, 64, struct friostat *)
74# define	SIOCIPFFL	_IOWR(r, 65, int)
75# define	SIOCIPFFB	_IOR(r, 66, int)
76# define	SIOCADIFR	_IOW(r, 67, struct frentry *)
77# define	SIOCRMIFR	_IOW(r, 68, struct frentry *)
78# define	SIOCSWAPA	_IOR(r, 69, u_int)
79# define	SIOCINAFR	_IOW(r, 70, struct frentry *)
80# define	SIOCINIFR	_IOW(r, 71, struct frentry *)
81# define	SIOCFRENB	_IOW(r, 72, u_int)
82# define	SIOCFRSYN	_IOW(r, 73, u_int)
83# define	SIOCFRZST	_IOWR(r, 74, struct friostat *)
84# define	SIOCZRLST	_IOWR(r, 75, struct frentry *)
85# define	SIOCAUTHW	_IOWR(r, 76, struct frauth *)
86# define	SIOCAUTHR	_IOWR(r, 77, struct frauth *)
87# define	SIOCATHST	_IOWR(r, 78, struct fr_authstat *)
88# define	SIOCSTLCK	_IOWR(r, 79, u_int)
89# define	SIOCSTPUT	_IOWR(r, 80, struct ipstate_save *)
90# define	SIOCSTGET	_IOWR(r, 81, struct ipstate_save *)
91# define	SIOCSTGSZ	_IOWR(r, 82, struct natget)
92# define	SIOCGFRST	_IOWR(r, 83, struct ipfrstat *)
93# define	SIOCIPFL6	_IOWR(r, 84, int)
94#endif
/* Alternate names for SIOCADAFR, SIOCRMAFR and SIOCINAFR. */
95#define	SIOCADDFR	SIOCADAFR
96#define	SIOCDELFR	SIOCRMAFR
97#define	SIOCINSFR	SIOCINAFR
98
99
/*
 * IP header summary.  Used for a packet (fr_info.fin_fi) and, inside a rule,
 * as both the match template and its mask (frentry.fr_ip / fr_mip).
 * The five bit-fields add up to 32 bits.  NOTE(review): bit-field placement
 * within the word is implementation-defined, so this layout should not be
 * treated as portable between compilers or as a wire format.
 */
100typedef	struct	fr_ip	{
101	u_32_t	fi_v:4;		/* IP version */
102	u_32_t	fi_fl:4;	/* packet flags (FI_* below; only 4 bits wide) */
103	u_32_t	fi_tos:8;	/* IP packet TOS */
104	u_32_t	fi_ttl:8;	/* IP packet TTL */
105	u_32_t	fi_p:8;		/* IP packet protocol */
106	union	i6addr fi_src;	/* source address from packet */
107	union	i6addr fi_dst;	/* destination address from packet */
108	u_32_t	fi_optmsk;	/* bitmask composed from IP options */
109	u_short	fi_secmsk;	/* bitmask composed from IP security options */
110	u_short	fi_auth;	/* authentication code from IP sec. options */
111} fr_ip_t;
112
/*
 * FI_* are the FF_* flags (defined further down as 0x01000000..0x08000000)
 * shifted right by 24, i.e. 0x1, 0x2, 0x4 and 0x8, which is exactly what the
 * 4-bit fi_fl field can hold.
 */
113#define	FI_OPTIONS	(FF_OPTIONS >> 24)
114#define	FI_TCPUDP	(FF_TCPUDP >> 24)	/* TCP/UDP implied comparison*/
115#define	FI_FRAG		(FF_FRAG >> 24)
116#define	FI_SHORT	(FF_SHORT >> 24)
117#define	FI_CMP		(FI_OPTIONS|FI_TCPUDP|FI_SHORT)
118
/* IPv4 view of the source and destination address unions. */
119#define	fi_saddr	fi_src.in4.s_addr
120#define	fi_daddr	fi_dst.in4.s_addr
121
122
123/*
124 * These are both used by the state and NAT code to indicate that one port or
125 * the other should be treated as a wildcard.
126 */
/*
 * Wildcard and bookkeeping flags.  All values are 0x100 or above, so they
 * cannot be stored in the 4-bit fi_fl field.  NOTE(review): the field that
 * holds them is not visible in this header -- confirm at the use sites.
 */
127#define	FI_W_SPORT	0x00000100
128#define	FI_W_DPORT	0x00000200
129#define	FI_WILDP	(FI_W_SPORT|FI_W_DPORT)
130#define	FI_W_SADDR	0x00000400
131#define	FI_W_DADDR	0x00000800
132#define	FI_WILDA	(FI_W_SADDR|FI_W_DADDR)
133#define	FI_NEWFR	0x00001000	/* Create a filter rule */
134#define	FI_IGNOREPKT	0x00002000	/* Do not treat as a real packet */
135#define	FI_NORULE	0x00004000	/* Not a direct result of a rule */
136
/*
 * Per-packet information handed to the filter routines declared below:
 * interface, the fr_ip summary, port/ICMP data, direction, lengths and the
 * rule last matched.  FI_CSIZE, FI_LCSIZE and FI_COPYSIZE are offsets into
 * this structure, so they depend on the member order here.
 */
137typedef	struct	fr_info	{
138	void	*fin_ifp;		/* interface packet is `on' */
139	struct	fr_ip	fin_fi;		/* IP Packet summary */
140	u_short	fin_data[2];		/* TCP/UDP ports, ICMP code/type */
141	u_int	fin_out;		/* in or out ? 1 == out, 0 == in */
142	u_short	fin_hlen;		/* length of IP header in bytes */
143	u_char	fin_rev;		/* state only: 1 = reverse */
144	u_char	fin_tcpf;		/* TCP header flags (SYN, ACK, etc) */
145	u_int	fin_icode;		/* ICMP error to return */
146	u_32_t	fin_rule;		/* rule # last matched */
147	u_32_t	fin_group;		/* group number, -1 for none (0xffffffff once stored in u_32_t) */
148	struct	frentry *fin_fr;	/* last matching rule */
	/* NOTE(review): reads through fin_dp presumably have to stay within fin_dlen bytes -- confirm at use sites */
149	char	*fin_dp;		/* start of data past IP header */
150	u_short	fin_plen;		/* NOTE(review): undocumented; presumably total packet length -- confirm */
151	u_short	fin_off;		/* NOTE(review): undocumented; presumably fragment offset -- confirm */
152	u_short	fin_dlen;		/* length of data portion of packet */
153	u_short	fin_id;			/* IP packet id field */
154	u_int	fin_misc;		/* FM_* flags, see below */
155	mb_t	**fin_mp;		/* pointer to pointer to mbuf */
156#if SOLARIS
157	void	*fin_qfm;		/* pointer to mblk where pkt starts */
158	void	*fin_qif;
159#endif
160} fr_info_t;
161
/*
 * Shorthand for members of fin_fi.  fin_src/fin_dst and fin_saddr/fin_daddr
 * select the IPv4 member (in4) of the address union.
 */
162#define	fin_v		fin_fi.fi_v
163#define	fin_p		fin_fi.fi_p
164#define	fin_saddr	fin_fi.fi_saddr
165#define	fin_src		fin_fi.fi_src.in4
166#define	fin_daddr	fin_fi.fi_daddr
167#define	fin_dst		fin_fi.fi_dst.in4
168#define	fin_fl		fin_fi.fi_fl
169
170/*
171 * Size for compares on fr_info structures
 *
 * FI_CSIZE covers fin_ifp through fin_tcpf; FI_LCSIZE covers everything
 * before fin_dp.  NOTE(review): a byte-wise compare over these ranges also
 * compares any padding the compiler inserts, so both structures presumably
 * need to be zeroed before they are filled in -- confirm.
172 */
173#define	FI_CSIZE	offsetof(fr_info_t, fin_icode)
174#define	FI_LCSIZE	offsetof(fr_info_t, fin_dp)
175
176/*
177 * For fin_misc
178 */
179#define	FM_BADSTATE	0x00000001
180
181/*
182 * Size for copying cache fr_info structure
 * (same value as FI_LCSIZE: everything before fin_dp)
183 */
184#define	FI_COPYSIZE	offsetof(fr_info_t, fin_dp)
185
/*
 * Destination interface for a rule; frentry uses it for fr_tif ("to"
 * interface) and fr_dif (duplicate packet interfaces).
 * NOTE(review): frentry is the type the rule ioctls carry, so fd_ifname
 * arrives as a fixed LIFNAMSIZ buffer with no visible guarantee of NUL
 * termination, and fd_ifp arrives as a caller-supplied pointer.  Confirm
 * the kernel terminates the name and resolves fd_ifp itself.
 */
186typedef	struct	frdest	{
187	void	*fd_ifp;
188	union	i6addr	fd_ip6;
189	char	fd_ifname[LIFNAMSIZ];
190#if SOLARIS
191	mb_t	*fd_mp;			/* cache resolver for to/dup-to */
192#endif
193} frdest_t;
194
/* IPv4 view of fd_ip6. */
195#define	fd_ip	fd_ip6.in4
196
197
/* Port comparison for one side (source or destination) of a rule. */
198typedef	struct	frpcmp	{
199	int	frp_cmp;	/* data for port comparisons (presumably one of FR_NONE..FR_INRANGE -- confirm) */
200	u_short	frp_port;	/* port to compare; presumably the low port for <> and >< (the original comment repeated frp_top's) */
201	u_short	frp_top;	/* top port for <> and >< */
202} frpcmp_t;
203
/*
 * TCP/UDP part of a rule: TCP flags with their mask, plus one port
 * comparison each for source and destination.
 */
204typedef	struct	frtuc	{
205	u_char	ftu_tcpfm;	/* tcp flags mask */
206	u_char	ftu_tcpf;	/* tcp flags */
207	frpcmp_t	ftu_src;
208	frpcmp_t	ftu_dst;
209} frtuc_t;
210
/* Shorthand for the members of ftu_src and ftu_dst. */
211#define	ftu_scmp	ftu_src.frp_cmp
212#define	ftu_dcmp	ftu_dst.frp_cmp
213#define	ftu_sport	ftu_src.frp_port
214#define	ftu_dport	ftu_dst.frp_port
215#define	ftu_stop	ftu_src.frp_top
216#define	ftu_dtop	ftu_dst.frp_top
217
/*
 * One filter rule.  This is the type named by the rule ioctls above
 * (SIOCADAFR, SIOCRMAFR, SIOCINAFR, SIOCADIFR, SIOCRMIFR, SIOCINIFR,
 * SIOCZRLST).
 * NOTE(review): because rules are supplied through an ioctl, the pointer
 * members (fr_next, fr_grp, fr_ifas[], fr_func, and fd_ifp inside fr_tif
 * and fr_dif) arrive with caller-chosen values.  Confirm the handler clears
 * or re-resolves every one of them before the rule is linked in; fr_func is
 * the most sensitive because FR_CALLNOW makes the filter call through it.
 */
218typedef	struct	frentry {
219	struct	frentry	*fr_next;
220	struct	frentry	*fr_grp;
221	int	fr_ref;		/* reference count - for grouping */
222	void	*fr_ifas[4];	/* fr_ifa is [0], fr_oifa is [2] (macros below) */
223	/*
224	 * These are only incremented when a packet  matches this rule and
225	 * it is the last match
226	 */
227	U_QUAD_T	fr_hits;
228	U_QUAD_T	fr_bytes;
229	/*
230	 * Fields after this may not change whilst in the kernel.
	 * FR_CMPSIZ below measures from fr_ip to the end of the structure.
231	 */
232	struct	fr_ip	fr_ip;
233	struct	fr_ip	fr_mip;	/* mask structure */
234
235
236	u_short	fr_icmpm;	/* data for ICMP packets (mask) */
237	u_short	fr_icmp;
238
239	u_int	fr_age[2];	/* aging for state */
240	frtuc_t	fr_tuc;
241	u_32_t	fr_group;	/* group to which this rule belongs */
242	u_32_t	fr_grhead;	/* group # which this rule starts */
243	u_32_t	fr_flags;	/* per-rule flags && options (see below) */
244	u_int	fr_skip;	/* # of rules to skip */
245	u_int	fr_loglevel;	/* syslog log facility + priority */
246	int	(*fr_func) __P((int, ip_t *, fr_info_t *));	/* call this function */
247	int	fr_sap;		/* For solaris only */
248	u_char	fr_icode;	/* return ICMP code */
249	char	fr_ifnames[4][LIFNAMSIZ];	/* fr_ifname is [0], fr_oifname is [2] (macros below) */
250	struct	frdest	fr_tif;	/* "to" interface */
251	struct	frdest	fr_dif;	/* duplicate packet interfaces */
252	u_int	fr_cksum;	/* checksum on filter rules for performance */
253} frentry_t;
254
/*
 * Shorthand for members nested inside frentry.  These are object-like
 * macros, so any identifier with one of these names (fr_src, fr_dst,
 * fr_proto, ...) is rewritten in every file that includes this header.
 */
255#define	fr_v		fr_ip.fi_v
256#define	fr_proto	fr_ip.fi_p
257#define	fr_ttl		fr_ip.fi_ttl
258#define	fr_tos		fr_ip.fi_tos
259#define	fr_tcpfm	fr_tuc.ftu_tcpfm
260#define	fr_tcpf		fr_tuc.ftu_tcpf
261#define	fr_scmp		fr_tuc.ftu_scmp
262#define	fr_dcmp		fr_tuc.ftu_dcmp
263#define	fr_dport	fr_tuc.ftu_dport
264#define	fr_sport	fr_tuc.ftu_sport
265#define	fr_stop		fr_tuc.ftu_stop
266#define	fr_dtop		fr_tuc.ftu_dtop
267#define	fr_dst		fr_ip.fi_dst.in4
268#define	fr_src		fr_ip.fi_src.in4
269#define	fr_dmsk		fr_mip.fi_dst.in4
270#define	fr_smsk		fr_mip.fi_src.in4
271#define	fr_ifname	fr_ifnames[0]
272#define	fr_oifname	fr_ifnames[2]
273#define	fr_ifa		fr_ifas[0]
274#define	fr_oifa		fr_ifas[2]
275
/*
 * Number of bytes from fr_ip to the end of struct frentry.
 * NOTE(review): that range includes the fr_func pointer, the fd_ifp
 * pointers in fr_tif/fr_dif and any compiler padding, so a byte-wise rule
 * comparison of this size presumably relies on those being normalised
 * first -- confirm where FR_CMPSIZ is used.
 */
276#define	FR_CMPSIZ	(sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
277
278/*
279 * fr_flags
280 */
/*
 * Not every name here is an independent bit: FR_LOGB, FR_LOGP and
 * FR_FAKEICMP are combinations of other flags.  Testing one of them with a
 * plain "flags & X" is also true when only one of its component bits is
 * set; compare the masked value against X instead.
 */
281#define	FR_BLOCK	0x00001	/* do not allow packet to pass */
282#define	FR_PASS		0x00002	/* allow packet to pass */
283#define	FR_OUTQUE	0x00004	/* outgoing packets */
284#define	FR_INQUE	0x00008	/* ingoing packets */
285#define	FR_LOG		0x00010	/* Log */
286#define	FR_LOGB		0x00011	/* Log-fail (equals FR_LOG|FR_BLOCK) */
287#define	FR_LOGP		0x00012	/* Log-pass (equals FR_LOG|FR_PASS) */
288#define	FR_NOTSRCIP	0x00020	/* not the src IP# */
289#define	FR_NOTDSTIP	0x00040	/* not the dst IP# */
290#define	FR_RETRST	0x00080	/* Return TCP RST packet - reset connection */
291#define	FR_RETICMP	0x00100	/* Return ICMP unreachable packet */
292#define	FR_FAKEICMP	0x00180	/* Return ICMP unreachable with fake source (equals FR_RETICMP|FR_RETRST) */
293#define	FR_NOMATCH	0x00200	/* no match occurred */
294#define	FR_ACCOUNT	0x00400	/* count packet bytes */
295#define	FR_KEEPFRAG	0x00800	/* keep fragment information */
296#define	FR_KEEPSTATE	0x01000	/* keep `connection' state information */
297#define	FR_INACTIVE	0x02000
298#define	FR_QUICK	0x04000	/* match & stop processing list */
299#define	FR_FASTROUTE	0x08000	/* bypass normal routing */
300#define	FR_CALLNOW	0x10000	/* call another function (fr_func) if matches */
301#define	FR_DUP		0x20000	/* duplicate packet */
302#define	FR_LOGORBLOCK	0x40000	/* block the packet if it can't be logged */
303#define	FR_LOGBODY	0x80000	/* Log the body */
304#define	FR_LOGFIRST	0x100000	/* Log the first byte if state held */
305#define	FR_AUTH		0x200000	/* use authentication */
306#define	FR_PREAUTH	0x400000	/* require preauthentication */
307#define	FR_DONTCACHE	0x800000	/* don't cache the result */
308
/* FR_LOGMASK evaluates to 0x13, so it also covers the FR_BLOCK and FR_PASS bits. */
309#define	FR_LOGMASK	(FR_LOG|FR_LOGP|FR_LOGB)
310#define	FR_RETMASK	(FR_RETICMP|FR_RETRST|FR_FAKEICMP)
311
312/*
313 * These correspond to #define's for FI_* and are stored in fr_flags
314 */
/* These four occupy bits 24-27; FI_* above are the same values shifted right by 24. */
315#define	FF_OPTIONS	0x01000000
316#define	FF_TCPUDP	0x02000000
317#define	FF_FRAG		0x04000000
318#define	FF_SHORT	0x08000000
319/*
320 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
 *
 * NOTE(review): FF_BLOCKNONIP is 0x80000000, which does not fit in a
 * positive 32-bit int, while the global fr_flags is declared `extern int'
 * at the end of this header.  Storing or testing that bit through the int
 * depends on implementation-defined conversion -- confirm the masks used.
321 */
322#define	FF_LOGPASS	0x10000000
323#define	FF_LOGBLOCK	0x20000000
324#define	FF_LOGNOMATCH	0x40000000
325#define	FF_LOGGING	(FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
326#define	FF_BLOCKNONIP	0x80000000	/* Solaris2 Only */
327
/*
 * Comparison operator codes.  NOTE(review): presumably the values stored in
 * frpcmp.frp_cmp, with FR_OUTRANGE and FR_INRANGE being the two-port forms
 * ("<>" and "><") that also use frp_top -- confirm against fr_tcpudpchk.
 */
328#define	FR_NONE 0
329#define	FR_EQUAL 1
330#define	FR_NEQUAL 2
331#define FR_LESST 3
332#define FR_GREATERT 4
333#define FR_LESSTE 5
334#define FR_GREATERTE 6
335#define	FR_OUTRANGE 7
336#define	FR_INRANGE 8
337
/*
 * Packet counters.  friostat carries two of these (f_st[2]) and the global
 * frstats[] array is declared at the end of this header.  All counters are
 * u_long, so their width follows the platform ABI.
 */
338typedef	struct	filterstats {
339	u_long	fr_pass;	/* packets allowed */
340	u_long	fr_block;	/* packets denied */
341	u_long	fr_nom;		/* packets which don't match any rule */
342	u_long	fr_short;	/* packets which are short */
343	u_long	fr_ppkl;	/* packets allowed and logged */
344	u_long	fr_bpkl;	/* packets denied and logged */
345	u_long	fr_npkl;	/* packets unmatched and logged */
346	u_long	fr_pkl;		/* packets logged */
347	u_long	fr_skip;	/* packets to be logged but buffer full */
348	u_long	fr_ret;		/* packets for which a return is sent */
349	u_long	fr_acct;	/* packets for which counting was performed */
350	u_long	fr_bnfr;	/* bad attempts to allocate fragment state */
351	u_long	fr_nfr;		/* new fragment state kept */
352	u_long	fr_cfr;		/* add new fragment state but complete pkt */
353	u_long	fr_bads;	/* bad attempts to allocate packet state */
354	u_long	fr_ads;		/* new packet state kept */
355	u_long	fr_chit;	/* cached hit */
356	u_long	fr_tcpbad;	/* TCP checksum check failures */
357	u_long	fr_pull[2];	/* good and bad pullup attempts */
358	u_long	fr_badsrc;	/* source received doesn't match route */
359	u_long	fr_badttl;	/* TTL in packet doesn't reach minimum */
360#if SOLARIS
361	u_long	fr_notdata;	/* PROTO/PCPROTO that have no data */
362	u_long	fr_nodata;	/* mblks that have no data */
363	u_long	fr_bad;		/* bad IP packets to the filter */
364	u_long	fr_notip;	/* packets passed through no on ip queue */
365	u_long	fr_drop;	/* packets dropped - no info for them! */
366	u_long	fr_copy;	/* messages copied due to db_ref > 1 */
367#endif
368	u_long	fr_ipv6[2];	/* IPv6 packets in/out */
369} filterstats_t;
370
371/*
372 * For SIOCGETFS
373 */
/*
 * Statistics block named by SIOCGETFS and SIOCFRZST.
 * NOTE(review): besides counters it carries struct frentry * and
 * struct frgroup * members.  If these are filled with kernel addresses and
 * copied out unchanged, every caller allowed to issue the ioctl learns
 * kernel addresses -- confirm who may open the device and whether the
 * pointers are needed by the consumer.
 */
374typedef	struct	friostat	{
375	struct	filterstats	f_st[2];
376	struct	frentry		*f_fin[2];
377	struct	frentry		*f_fout[2];
378	struct	frentry		*f_acctin[2];
379	struct	frentry		*f_acctout[2];
380	struct	frentry		*f_fin6[2];
381	struct	frentry		*f_fout6[2];
382	struct	frentry		*f_acctin6[2];
383	struct	frentry		*f_acctout6[2];
384	struct	frentry		*f_auth;
385	struct	frgroup		*f_groups[3][2];
386	u_long	f_froute[2];
387	int	f_defpass;	/* default pass - from fr_pass */
388	char	f_active;	/* 1 or 0 - active rule set */
389	char	f_running;	/* 1 if running, else 0 */
390	char	f_logging;	/* 1 if enabled, else 0 */
391	char	f_version[32];	/* version string */
392	int	f_locks[4];
393} friostat_t;
394
/*
 * Pairs a value with a bit.  NOTE(review): presumably an IP option number
 * and the bit it sets in fi_optmsk or fi_secmsk -- the tables that use this
 * type are not in this header, confirm there.
 */
395typedef struct	optlist {
396	u_short ol_val;
397	int	ol_bit;
398} optlist_t;
399
400
401/*
402 * Group list structure.
403 */
/* One node of a singly linked list of rule groups (see ipfgroups[3][2] below). */
404typedef	struct frgroup {
405	u_32_t	fg_num;		/* group number */
406	struct	frgroup	*fg_next;	/* next group in the list */
407	struct	frentry	*fg_head;
408	struct	frentry	**fg_start;
409} frgroup_t;
410
411
412/*
413 * Log structure.  Each packet header logged is prepended by one of these.
414 * Following this in the log records read from the device will be an ipflog
415 * structure which is then followed by any packet data.
416 */
/*
 * NOTE(review): ipl_next is a pointer, and ipl_tv and ipl_dsize have
 * ABI-dependent sizes, so the record layout a reader sees follows the
 * kernel's ABI, and a raw copy of this header would hand ipl_next to the
 * reader.  Programs parsing the log device should check
 * ipl_magic == IPL_MAGIC and bound ipl_dsize by the bytes actually read
 * before using either -- confirm what ipflog_read emits.
 */
417typedef	struct	iplog	{
418	u_32_t		ipl_magic;	/* IPL_MAGIC */
419	u_int		ipl_count;
420	struct	timeval	ipl_tv;
421	size_t		ipl_dsize;
422	struct	iplog	*ipl_next;
423} iplog_t;
424
425#define	ipl_sec		ipl_tv.tv_sec
426#define	ipl_usec	ipl_tv.tv_usec
427
428#define IPL_MAGIC	0x49504c4d /* 'IPLM' */
429#define	IPLOG_SIZE	sizeof(iplog_t)
430
/*
 * Per-packet log record; per the comment above iplog it follows an iplog
 * header and is itself followed by packet data.  The fl_unit member is
 * omitted on the NetBSD/OpenBSD versions selected below, so the layout is
 * platform-dependent.
 * NOTE(review): fl_hlen and fl_plen are single bytes (at most 255 each);
 * a log reader should check both against the enclosing record's ipl_dsize
 * before reading that much packet data -- confirm.
 */
431typedef	struct	ipflog	{
432#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
433        (defined(OpenBSD) && (OpenBSD >= 199603))
434	char	fl_ifname[LIFNAMSIZ];
435#else
436	u_int	fl_unit;
437	char	fl_ifname[LIFNAMSIZ];
438#endif
439	u_char	fl_plen;	/* extra data after hlen */
440	u_char	fl_hlen;	/* length of IP headers saved */
441	u_short	fl_loglevel;	/* syslog log level */
442	u_32_t	fl_rule;
443	u_32_t	fl_group;
444	u_32_t	fl_flags;
445	u_char	fl_dir;
446	u_char	fl_pad[3];
447} ipflog_t;
448
449
450#ifndef	ICMP_UNREACH_FILTER
451# define	ICMP_UNREACH_FILTER	13
452#endif
453
454#ifndef	IPF_LOGGING
455# define	IPF_LOGGING	0
456#endif
/*
 * Build-time default action: FR_PASS unless the build defines
 * IPF_DEFAULT_PASS itself.
 * NOTE(review): presumably this seeds fr_pass (friostat.f_defpass is
 * documented as "default pass - from fr_pass"), which would make the stock
 * policy default-allow; a default-deny build would define it as FR_BLOCK.
 * Confirm where fr_pass is initialised.
 */
457#ifndef	IPF_DEFAULT_PASS
458# define	IPF_DEFAULT_PASS	FR_PASS
459#endif
460
/*
 * True when ip_len is at least the IP header length (ip_hl * 4) plus
 * sizeof(struct h).
 * NOTE(review): the check takes ip_hl and ip_len from the header as given;
 * it does not itself reject ip_hl < 5 or an ip_len larger than the data
 * actually present, so those checks have to exist elsewhere -- confirm
 * before any struct h is read from the packet.
 */
461#define	IPMINLEN(i, h)	((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
462#define	IPLLOGSIZE	8192
463
464#define	IPF_OPTCOPY	0x07ff00	/* bit mask of copied options */
465
466/*
467 * Device filenames for reading log information.  Use ipf on Solaris2 because
468 * ipl is already a name used by something else.
469 */
470#ifndef	IPL_NAME
471# if	SOLARIS
472#  define	IPL_NAME	"/dev/ipf"
473# else
474#  define	IPL_NAME	"/dev/ipl"
475# endif
476#endif
477#define	IPL_NAT		IPNAT_NAME
478#define	IPL_STATE	IPSTATE_NAME
479#define	IPL_AUTH	IPAUTH_NAME
480
/*
 * The minor numbers double as log indexes: iplh, iplt and iplused at the
 * end of this header are declared with IPL_LOGMAX + 1 entries.
 * NOTE(review): any code indexing those arrays with a device minor needs
 * minor <= IPL_LOGMAX checked first -- confirm in the open, read and ioctl
 * entry points.
 */
481#define	IPL_LOGIPF	0	/* Minor device #'s for accessing logs */
482#define	IPL_LOGNAT	1
483#define	IPL_LOGSTATE	2
484#define	IPL_LOGAUTH	3
485#define	IPL_LOGMAX	3
486
/* Character device major number, set here only for FreeBSD 2.2 and later when the build has not already defined it. */
487#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
488    (__FreeBSD_version >= 220000)
489# define	CDEV_MAJOR	79
490#endif
491
492/*
493 * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
494 * on those hooks.  We don't need any special mods in non-IP Filter code
495 * with this!
496 */
/*
 * NOTE(review): the inner test uses NetBSD without defined().  On a
 * platform that does not define NetBSD it evaluates as 0, so PFIL_HOOKS is
 * not set here when the block was entered through the __FreeBSD_version
 * arm, and NETBSD_PF then depends on PFIL_HOOKS having been defined
 * elsewhere (for example by the kernel configuration) -- confirm.
 */
497#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
498    (defined(NetBSD1_2) && NetBSD1_2 > 1) || (defined(__FreeBSD_version) && \
499     (__FreeBSD_version >= 500011))
500# if (NetBSD >= 199905)
501#  define PFIL_HOOKS
502# endif
503# ifdef PFIL_HOOKS
504#  define NETBSD_PF
505# endif
506#endif
507
508
/*
 * Entry points whose signatures differ by platform.  The first branch is
 * for builds without _KERNEL; the second is the kernel build, split into
 * Solaris, SGI, BSD and Linux variants.
 * NOTE(review): the Solaris, SGI and newer-BSD forms of iplioctl, iplopen,
 * iplclose and iplread receive a cred_t * or struct thread * describing the
 * caller; the older BSD and Linux forms do not.  Where no caller identity
 * is passed, access control presumably rests on the device node permissions
 * alone -- confirm per platform.
 */
509#ifndef	_KERNEL
510extern	char	*get_ifname __P((struct ifnet *));
511extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
512extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
513extern	int	send_reset __P((ip_t *, fr_info_t *));
514extern	int	send_icmp_err __P((ip_t *, int, fr_info_t *, int));
515extern	int	ipf_log __P((void));
516extern	struct	ifnet *get_unit __P((char *, int));
517extern	int	mbuflen __P((mb_t *));
518# if defined(__NetBSD__) || defined(__OpenBSD__) || \
519	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
520extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
521# else
522extern	int	iplioctl __P((dev_t, int, caddr_t, int));
523# endif
524extern	int	iplopen __P((dev_t, int));
525extern	int	iplclose __P((dev_t, int));
526#else /* #ifndef _KERNEL */
527# if defined(__NetBSD__) && defined(PFIL_HOOKS)
528extern	void	ipfilterattach __P((int));
529# endif
530extern	int	iplattach __P((void));
531extern	int	ipl_enable __P((void));
532extern	int	ipl_disable __P((void));
533extern	int	send_icmp_err __P((ip_t *, int, fr_info_t *, int));
534extern	int	send_reset __P((ip_t *, fr_info_t *));
535# if	SOLARIS
536extern	int	fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
537extern	int	(*fr_checkp) __P((ip_t *, int, void *,
538				  int, qif_t *, mb_t **));
539#  if SOLARIS2 >= 7
540extern	int	iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
541#  else
542extern	int	iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
543#  endif
544extern	int	iplopen __P((dev_t *, int, int, cred_t *));
545extern	int	iplclose __P((dev_t, int, int, cred_t *));
546extern	int	ipfsync __P((void));
547extern	int	ipfr_fastroute __P((ip_t *, mblk_t *, mblk_t **,
548				    fr_info_t *, frdest_t *));
549extern	void	copyin_mblk __P((mblk_t *, size_t, size_t, char *));
550extern	void	copyout_mblk __P((mblk_t *, size_t, size_t, char *));
551extern	int	fr_qin __P((queue_t *, mblk_t *));
552extern	int	fr_qout __P((queue_t *, mblk_t *));
553extern	int	iplread __P((dev_t, struct uio *, cred_t *));
554# else /* SOLARIS */
555extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
556extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
557extern	int	ipfr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
558extern	size_t	mbufchainlen __P((mb_t *));
559#  ifdef	__sgi
560#   include <sys/cred.h>
561extern	int	iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
562extern	int	iplopen __P((dev_t *, int, int, cred_t *));
563extern	int	iplclose __P((dev_t, int, int, cred_t *));
564extern	int	iplread __P((dev_t, struct uio *, cred_t *));
565extern	int	ipfsync __P((void));
566extern	int	ipfilter_sgi_attach __P((void));
567extern	void	ipfilter_sgi_detach __P((void));
568extern	void	ipfilter_sgi_intfsync __P((void));
569#  else
570#   ifdef	IPFILTER_LKM
571extern	int	iplidentify __P((char *));
572#   endif
573#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
574      (NetBSD >= 199511) || defined(__OpenBSD__)
575#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
576       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
577extern	int	iplioctl __P((struct cdev *, u_long, caddr_t, int, struct thread *));
578#    else
579extern	int	iplioctl __P((dev_t, int, caddr_t, int, struct thread *));
580#    endif
581extern	int	iplopen __P((struct cdev *, int, int, struct thread *));
582extern	int	iplclose __P((struct cdev *, int, int, struct thread *));
583#   else
584#    ifndef	linux
585extern	int	iplopen __P((dev_t, int));
586extern	int	iplclose __P((dev_t, int));
587extern	int	iplioctl __P((dev_t, int, caddr_t, int));
588#    else
589extern	int	iplioctl(struct inode *, struct file *, u_int, u_long);
590extern	int	iplopen __P((struct inode *, struct file *));
591extern	void	iplclose __P((struct inode *, struct file *));
592#    endif /* !linux */
593#   endif /* (_BSDI_VERSION >= 199510) */
594#   if	BSD >= 199306
595extern	int	iplread __P((struct cdev *, struct uio *, int));
596#   else
597#    ifndef linux
598extern	int	iplread __P((dev_t, struct uio *));
599#    else
600extern	int	iplread(struct inode *, struct file *, char *, int);
601#    endif /* !linux */
602#   endif /* BSD >= 199306 */
603#  endif /* __ sgi */
604# endif /* SOLARIS */
605#endif /* #ifndef _KERNEL */
606
/* Helpers declared for both the _KERNEL and non-_KERNEL builds. */
607extern	char	*memstr __P((char *, char *, int, int));
608extern	void	fixskip __P((frentry_t **, frentry_t *, int));
609extern	int	countbits __P((u_32_t));
610extern	int	ipldetach __P((void));
611extern	u_short	ipf_cksum __P((u_short *, int));
/*
 * NOTE(review): presumably the copy-in / copy-out helpers used by the
 * pointer-carrying ioctls above; the size_t is the only length bound
 * visible here, so confirm each caller passes the size of the destination
 * object.
 */
612extern	int	ircopyptr __P((void *, void *, size_t));
613extern	int	iwcopyptr __P((void *, void *, size_t));
614
/* Logging; the minor_t arguments select one of the IPL_LOG* devices. */
615extern	void	ipflog_init __P((void));
616extern	int	ipflog_clear __P((minor_t));
617extern	int	ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
618extern	int	ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
619extern	int	ipflog_read __P((minor_t, struct uio *));
620
/* Rule list and group maintenance. */
621extern	int	frflush __P((minor_t, int, int));
622extern	void	frsync __P((void));
623extern	frgroup_t *fr_addgroup __P((u_32_t, frentry_t *, minor_t, int));
624extern	void	fr_delgroup __P((u_32_t, u_32_t, minor_t, int));
625extern	frgroup_t *fr_findgroup __P((u_32_t, u_32_t, minor_t, int,
626				    frgroup_t ***));
627
628extern	int	fr_copytolog __P((int, char *, int));
629extern	void	fr_forgetifp __P((void *));
630extern	void	fr_getstat __P((struct friostat *));
631extern	int	fr_ifpaddr __P((int, void *, struct in_addr *));
632extern	int	fr_lock __P((caddr_t, int *));
633extern  int	fr_makefrip __P((int, ip_t *, fr_info_t *));
634extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
635extern	int	fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
636extern	int	fr_tcpudpchk __P((frtuc_t *, fr_info_t *));
637extern	int	fr_verifysrc __P((struct in_addr, void *));
637extern	int	fr_verifysrc __P((struct in_addr, void *));
638
/*
 * Global filter state.  fr_pass and fr_flags here are ints distinct from
 * the frentry members of the same names.
 * NOTE(review): fr_flags is a plain int although FF_BLOCKNONIP is
 * 0x80000000 -- see the FF_* definitions above.
 */
639extern	int	ipl_unreach;
640extern	int	fr_running;
641extern	u_long	ipl_frouteok[2];
642extern	int	fr_pass;
643extern	int	fr_flags;
644extern	int	fr_active;
645extern	int	fr_chksrc;
646extern	int	fr_minttl;
647extern	int	fr_minttllog;
648extern	fr_info_t	frcache[2];
649extern	char	ipfilter_version[];
/* Log queues, one slot per IPL_LOG* minor (IPL_LOGMAX + 1 entries each). */
650extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
651extern	size_t	iplused[IPL_LOGMAX + 1];
652extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
653#ifdef	USE_INET6
654extern	struct frentry *ipfilter6[2][2], *ipacct6[2][2];
655extern	int	icmptoicmp6types[ICMP_MAXTYPE+1];
656extern	int	icmptoicmp6unreach[ICMP_MAX_UNREACH];
657#endif
658extern	struct frgroup *ipfgroups[3][2];
659extern	struct filterstats frstats[];
660
661#endif	/* __IP_FIL_H__ */
662