ip_state.h revision 95418
/*
 * Copyright (C) 1995-2001 by Darren Reed.
 *
 * See the IPFILTER.LICENCE file for details on licencing.
 *
 * @(#)ip_state.h	1.3 1/12/96 (C) 1995 Darren Reed
 * $Id: ip_state.h,v 2.13.2.1 2000/07/08 02:15:35 darrenr Exp $
 * $FreeBSD: head/sys/contrib/ipfilter/netinet/ip_state.h 95418 2002-04-25 03:31:39Z darrenr $
 */
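/*
 * Include guard (closed by the #endif on the last line of this header), so
 * the declarations are processed once per translation unit. The listing's
 * line-number gutter has been removed from the directives.
 */
#ifndef	__IP_STATE_H__
#define	__IP_STATE_H__
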
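/*
 * SIOCDELST: ioctl request in group 'r', number 61, whose argument type is a
 * pointer to struct ipstate. By its name it requests deletion of a state
 * entry; the handler is not part of this header.
 *
 * The group is spelled as a character constant for ANSI C / GCC and as a bare
 * token otherwise -- presumably for pre-ANSI preprocessors whose _IOW quotes
 * the group argument itself (confirm against the platform's _IOW).
 *
 * NOTE(review): the argument is supplied by the ioctl caller. The handler
 * should copy the structure in and match it against existing entries by
 * value, never follow a pointer taken from it, and should only be reachable
 * by privileged callers -- verify both in the handler.
 */
#if defined(__STDC__) || defined(__GNUC__)
# define	SIOCDELST	_IOW('r', 61, struct ipstate *)
#else
# define	SIOCDELST	_IOW(r, 61, struct ipstate *)
#endif
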
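/*
 * Build-time tunables for the state table. Each one can be overridden by
 * defining it before this header is included.
 *
 * IPSTATE_SIZE - presumably the number of hash buckets (struct ipstate
 *                documents is_hv as "hash value for this in the table");
 *                confirm in the implementation.
 * IPSTATE_MAX  - maximum number of states held.
 *
 * NOTE(review): IPSTATE_MAX is the only bound on state-table growth visible
 * in this header. Every tracked flow consumes an entry, so this cap, together
 * with the fr_*timeout values declared below, decides how the filter behaves
 * when new flows arrive faster than old ones expire. Size it for the expected
 * load and monitor iss_max / iss_nomem in ips_stat_t (assumed to count
 * refused entries -- confirm).
 */
#ifndef	IPSTATE_SIZE
# define	IPSTATE_SIZE	5737
#endif
#ifndef	IPSTATE_MAX
# define	IPSTATE_MAX	4013	/* Maximum number of states held */
#endif
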
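/*
 * PAIRS(s1,d1,s2,d2) is non-zero when the pair (s1,d1) equals (s2,d2) either
 * in the same order or with the two elements swapped, i.e. when both pairs
 * name the same two endpoints regardless of direction.
 * IPPAIR applies the same test to the s_addr members of four address objects.
 *
 * Each argument may be evaluated more than once: pass only expressions
 * without side effects.
 */
#define	PAIRS(s1,d1,s2,d2)	((((s1) == (s2)) && ((d1) == (d2))) ||\
				 (((s1) == (d2)) && ((d1) == (s2))))
#define	IPPAIR(s1,d1,s2,d2)	PAIRS((s1).s_addr, (d1).s_addr, \
				      (s2).s_addr, (d2).s_addr)

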
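/*
 * Per-flow UDP data, stored in the is_ps union of struct ipstate.
 * tcpstate_t starts with the same two u_short members, so the is_sport and
 * is_dport accessors (defined on the TCP member of the union) land on these
 * fields as well.
 */
typedef struct udpstate {
	u_short	us_sport;	/* source port */
	u_short	us_dport;	/* destination port */
} udpstate_t;
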
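/*
 * Per-flow ICMP data, stored in the is_ps union of struct ipstate.
 * There is no "code" member here, although this header also defines an
 * is_code accessor that expands to ics_code.
 */
typedef struct icmpstate {
	u_short	ics_id;		/* ICMP identifier */
	u_short	ics_seq;	/* ICMP sequence number */
	u_char	ics_type;	/* ICMP type */
} icmpstate_t;
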
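/*
 * Sequence/window tracking data for one side of a TCP connection;
 * tcpstate_t holds two of these. The field meanings below are inferred from
 * the names -- confirm against the TCP state code before relying on them.
 */
typedef	struct	tcpdata	{
	u_32_t	td_end;		/* end of sequence space seen from this side */
	u_32_t	td_maxend;	/* upper bound currently accepted for td_end */
	u_32_t	td_maxwin;	/* largest window recorded */
	u_char	td_wscale;	/* window-scale value */
} tcpdata_t;
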
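/*
 * Per-flow TCP data, stored in the is_ps union of struct ipstate.
 * The two-element arrays hold one value per side of the connection: the
 * accessors defined later in this header map is_send/is_maxsend/is_maxswin/
 * is_swscale to ts_data[0] and is_dend/is_maxdend/is_maxdwin/is_dwscale to
 * ts_data[1].
 */
typedef	struct tcpstate {
	u_short	ts_sport;	/* source port */
	u_short	ts_dport;	/* destination port */
	tcpdata_t ts_data[2];	/* window tracking, one entry per side */
	u_char	ts_state[2];	/* TCP state, one entry per side */
} tcpstate_t;
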
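/*
 * One entry in the state table: the addresses, protocol data, counters and
 * option masks recorded for a tracked flow, plus the links that place the
 * entry on the global list and on a hash chain.
 *
 * Comments marked "presumably" are inferred from member names and should be
 * confirmed against the state code.
 *
 * NOTE(review): this structure mixes flow data with kernel pointers
 * (is_next .. is_me, is_rule, is_ifp[]). ipstate_save_t embeds it whole, so
 * any path that moves that record across the user/kernel boundary must
 * rebuild these pointers on the way in and avoid disclosing them on the way
 * out. is_ifname[] entries are fixed IFNAMSIZ buffers: writers need a bounded
 * copy that leaves them NUL-terminated.
 */
typedef struct ipstate {
	struct	ipstate	*is_next;	/* next entry on the list */
	struct	ipstate	**is_pnext;	/* presumably the pointer that points at this entry */
	struct	ipstate	*is_hnext;	/* presumably next entry on the same hash chain */
	struct	ipstate	**is_phnext;	/* presumably the hash-chain pointer to this entry */
	struct	ipstate	**is_me;
	frentry_t	*is_rule;	/* filter rule associated with this entry */
	U_QUAD_T	is_pkts;	/* packet counter */
	U_QUAD_T	is_bytes;	/* byte counter */
	union	i6addr	is_src;		/* source address (is_saddr is the IPv4 view) */
	union	i6addr	is_dst;		/* destination address (is_daddr is the IPv4 view) */
	void	*is_ifp[4];		/* interface pointers; [0] = is_ifpin, [2] = is_ifpout */
	u_long	is_age;
	u_int	is_frage[2];	/* age from filter rule, forward & reverse */
	u_int	is_pass;
	u_char	is_p;			/* Protocol */
	u_char	is_v;			/* IP version */
	u_char	is_fsm;			/* 1 = following FSM, 0 = not */
	u_char	is_xxx;			/* pad */
	u_int	is_hv;			/* hash value for this in the table */
	u_32_t	is_rulen;		/* rule number */
	u_32_t	is_flags;		/* flags for this structure */
	u_32_t	is_opt;			/* packet options set */
	u_32_t	is_optmsk;		/*    "      "    mask */
	u_short	is_sec;			/* security options set */
	u_short	is_secmsk;		/*    "        "    mask */
	u_short	is_auth;		/* authentication options set */
	u_short	is_authmsk;		/*    "              "    mask */
	union {				/* per-protocol data; is_p says which member applies (presumably) */
		icmpstate_t	is_ics;
		tcpstate_t	is_ts;
		udpstate_t	is_us;
	} is_ps;
	char	is_ifname[4][IFNAMSIZ];	/* interface names, presumably parallel to is_ifp[] */
#if SOLARIS || defined(__sgi)
	kmutex_t	is_lock;	/* per-entry lock, present only on these platforms */
#endif
} ipstate_t;
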
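/*
 * Shorthand accessors for members of struct ipstate. They are plain token
 * replacements, so they also rewrite any other identifier with the same
 * spelling in code that includes this header.
 *
 * is_sport, is_dport and is_state always go through the TCP member of the
 * is_ps union. Using is_sport/is_dport on a UDP entry relies on udpstate_t
 * and tcpstate_t both starting with two u_short port members.
 *
 * For the per-side TCP accessors, the "s" names use ts_data[0] and the "d"
 * names use ts_data[1].
 */
#define	is_saddr	is_src.in4.s_addr
#define	is_daddr	is_dst.in4.s_addr
#define	is_icmp		is_ps.is_ics
#define	is_type		is_icmp.ics_type
/*
 * NOTE(review): icmpstate_t as declared in this header has no ics_code
 * member, so any use of is_code will not compile. Either the member is
 * missing from the structure or this accessor is dead -- resolve before use.
 */
#define	is_code		is_icmp.ics_code
#define	is_tcp		is_ps.is_ts
#define	is_udp		is_ps.is_us
#define is_send		is_tcp.ts_data[0].td_end
#define is_dend		is_tcp.ts_data[1].td_end
#define is_maxswin	is_tcp.ts_data[0].td_maxwin
#define is_maxdwin	is_tcp.ts_data[1].td_maxwin
#define is_swscale	is_tcp.ts_data[0].td_wscale
#define is_dwscale	is_tcp.ts_data[1].td_wscale
#define is_maxsend	is_tcp.ts_data[0].td_maxend
#define is_maxdend	is_tcp.ts_data[1].td_maxend
#define	is_sport	is_tcp.ts_sport
#define	is_dport	is_tcp.ts_dport
#define	is_state	is_tcp.ts_state
#define	is_ifpin	is_ifp[0]
#define	is_ifpout	is_ifp[2]
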
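/* SYN and ACK together: the flag combination carried by a SYN-ACK segment. */
#define	TH_OPENING	(TH_SYN|TH_ACK)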
/*
 * is_flags:
 * Bits 0 - 3 are used as a mask with the current packet's bits to check
 * whether it is short, tcp/udp, a fragment or carries IP options.
 * Bits 4 - 7 are set from the initial packet and contain what the packet
 * anded with bits 0-3 must match.
 * Bits 8,9 are used to indicate wildcard source/destination port matching.
 */

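/*
 * A state entry (ips_is) bundled with a filter rule structure (ips_fr) and
 * an untyped ips_next pointer. Presumably the record used to save and
 * restore state -- confirm against the code that fills it in.
 *
 * NOTE(review): ips_is is a complete struct ipstate, so this record carries
 * that structure's list and hash links, its rule pointer and its interface
 * pointers, and ips_next is a raw pointer as well. If a record of this type
 * is accepted from outside the kernel, each of those pointers has to be
 * discarded and rebuilt rather than used; if it is handed out, they disclose
 * kernel addresses.
 */
typedef	struct	ipstate_save	{
	void	*ips_next;
	struct	ipstate	ips_is;		/* the state entry itself */
	struct	frentry	ips_fr;		/* filter rule stored alongside it */
} ipstate_save_t;

/* Shorthand for the rule pointer inside the embedded state entry. */
#define	ips_rule	ips_is.is_rule

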
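/*
 * Log record describing a state entry: counters, addresses, protocol data
 * and the two per-side state bytes, without any pointers. isl_type is
 * presumably one of the ISL_* values defined below this structure.
 */
typedef	struct	ipslog	{
	U_QUAD_T	isl_pkts;	/* packet counter */
	U_QUAD_T	isl_bytes;	/* byte counter */
	union	i6addr	isl_src;	/* source address */
	union	i6addr	isl_dst;	/* destination address */
	u_short	isl_type;		/* kind of log record */
	union {				/* protocol-specific part, all views overlap */
		u_short	isl_filler[2];
		u_short	isl_ports[2];	/* [0] = isl_sport, [1] = isl_dport */
		u_short	isl_icmp;	/* reached through isl_itype */
	} isl_ps;
	u_char	isl_v;
	u_char	isl_p;
	u_char	isl_flags;
	u_char	isl_state[2];
} ipslog_t;

/* Shorthand accessors for the protocol-specific union in ipslog_t. */
#define	isl_sport	isl_ps.isl_ports[0]
#define	isl_dport	isl_ps.isl_ports[1]
#define	isl_itype	isl_ps.isl_icmp
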
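/*
 * Log record kinds, presumably the values stored in ipslog_t.isl_type
 * (a u_short, which all four constants fit): entry created, expired,
 * flushed or removed, going by the names.
 */
#define	ISL_NEW		0
#define	ISL_EXPIRE	0xffff
#define	ISL_FLUSH	0xfffe
#define	ISL_REMOVE	0xfffd

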
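/*
 * State-table statistics. The counter descriptions are inferred from the
 * member names; confirm against the code that increments them.
 *
 * NOTE(review): iss_table and iss_list are pointers into the state table
 * itself. If this structure is copied out to a management tool, those two
 * members expose kernel addresses and should be treated as sensitive by
 * whatever reports the statistics.
 */
typedef	struct	ips_stat {
	u_long	iss_hits;	/* lookups that found an entry */
	u_long	iss_miss;	/* lookups that found none */
	u_long	iss_max;	/* presumably: additions refused at the IPSTATE_MAX cap */
	u_long	iss_tcp;	/* TCP entries */
	u_long	iss_udp;	/* UDP entries */
	u_long	iss_icmp;	/* ICMP entries */
	u_long	iss_nomem;	/* presumably: additions that failed to allocate */
	u_long	iss_expire;	/* entries expired */
	u_long	iss_fin;
	u_long	iss_active;
	u_long	iss_logged;	/* log records written */
	u_long	iss_logfail;	/* log records that could not be written */
	u_long	iss_inuse;
	ipstate_t **iss_table;	/* the state hash table */
	ipstate_t *iss_list;	/* the state list */
} ips_stat_t;

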
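/*
 * Timeout tunables, one per protocol/phase. Their unit is not stated in this
 * header. Together with IPSTATE_MAX they determine how long an entry can
 * occupy the table.
 */
extern	u_long	fr_tcpidletimeout;
extern	u_long	fr_tcpclosewait;
extern	u_long	fr_tcplastack;
extern	u_long	fr_tcptimeout;
extern	u_long	fr_tcpclosed;
extern	u_long	fr_tcphalfclosed;
extern	u_long	fr_udptimeout;
extern	u_long	fr_udpacktimeout;
extern	u_long	fr_icmptimeout;
extern	u_long	fr_icmpacktimeout;

/* State list and the state-lock flag, both defined in the implementation. */
extern	ipstate_t	*ips_list;
extern	int	fr_state_lock;

/*
 * State-table entry points. __P(()) wraps the parameter lists so the
 * prototypes can be dropped for compilers without prototype support; the
 * macro itself is defined elsewhere.
 */
extern	int	fr_stateinit __P((void));
extern	int	fr_tcpstate __P((ipstate_t *, fr_info_t *, ip_t *, tcphdr_t *));
extern	ipstate_t *fr_addstate __P((ip_t *, fr_info_t *, ipstate_t **, u_int));
extern	frentry_t *fr_checkstate __P((ip_t *, fr_info_t *));
extern	void	ip_statesync __P((void *));
extern	void	fr_timeoutstate __P((void));
extern	int	fr_tcp_age __P((u_long *, u_char *, fr_info_t *, int, int));
extern	void	fr_stateunload __P((void));
extern	void	ipstate_log __P((struct ipstate *, u_int));
/*
 * ioctl entry point for the state table. The second parameter is u_long on
 * NetBSD/OpenBSD and int elsewhere; it is presumably the request code.
 * NOTE(review): where it is an int, comparisons against request macros such
 * as SIOCDELST depend on both sides converting the same way -- confirm on
 * each supported platform.
 */
#if defined(__NetBSD__) || defined(__OpenBSD__)
extern	int	fr_state_ioctl __P((caddr_t, u_long, int));
#else
extern	int	fr_state_ioctl __P((caddr_t, int, int));
#endif
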
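/* Closes the include guard opened at the top of this header. */
#endif /* __IP_STATE_H__ */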