ip_fw_private.h revision 200838
1145524Sdarrenr/*- 2145524Sdarrenr * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3145524Sdarrenr * 4145524Sdarrenr * Redistribution and use in source and binary forms, with or without 5145524Sdarrenr * modification, are permitted provided that the following conditions 6145524Sdarrenr * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * 25 * $FreeBSD: head/sys/netinet/ipfw/ip_fw_private.h 200838 2009-12-22 13:53:34Z luigi $ 26 */ 27 28#ifndef _IPFW2_PRIVATE_H 29#define _IPFW2_PRIVATE_H 30 31/* 32 * Internal constants and data structures used by ipfw components 33 * and not meant to be exported outside the kernel. 34 */ 35 36#ifdef _KERNEL 37 38#define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */ 39 40/* Return values from ipfw_chk() */ 41enum { 42 IP_FW_PASS = 0, 43 IP_FW_DENY, 44 IP_FW_DIVERT, 45 IP_FW_TEE, 46 IP_FW_DUMMYNET, 47 IP_FW_NETGRAPH, 48 IP_FW_NGTEE, 49 IP_FW_NAT, 50 IP_FW_REASS, 51}; 52 53/* flags for divert mtag */ 54#define IP_FW_DIVERT_LOOPBACK_FLAG 0x00080000 55#define IP_FW_DIVERT_OUTPUT_FLAG 0x00100000 56 57/* 58 * Structure for collecting parameters to dummynet for ip6_output forwarding 59 */ 60struct _ip6dn_args { 61 struct ip6_pktopts *opt_or; 62 struct route_in6 ro_or; 63 int flags_or; 64 struct ip6_moptions *im6o_or; 65 struct ifnet *origifp_or; 66 struct ifnet *ifp_or; 67 struct sockaddr_in6 dst_or; 68 u_long mtu_or; 69 struct route_in6 ro_pmtu_or; 70}; 71 72/* 73 * Arguments for calling ipfw_chk() and dummynet_io(). We put them 74 * all into a structure because this way it is easier and more 75 * efficient to pass variables around and extend the interface. 76 */ 77struct ip_fw_args { 78 struct mbuf *m; /* the mbuf chain */ 79 struct ifnet *oif; /* output interface */ 80 struct sockaddr_in *next_hop; /* forward address */ 81 82 struct ip_fw *rule; /* matching rule */ 83 uint32_t rule_id; /* matching rule id */ 84 uint32_t chain_id; /* ruleset id */ 85 86 struct ether_header *eh; /* for bridged packets */ 87 88 struct ipfw_flow_id f_id; /* grabbed from IP header */ 89 uint32_t cookie; /* a cookie depending on rule action */ 90 struct inpcb *inp; 91 92 struct _ip6dn_args dummypar; /* dummynet->ip6_output */ 93 struct sockaddr_in hopstore; /* store here if cannot use a pointer */ 94}; 95 96MALLOC_DECLARE(M_IPFW); 97 98/* 99 * Function definitions. 100 */ 101 102/* Firewall hooks */ 103 104int ipfw_check_in(void *, struct mbuf **, struct ifnet *, 105 int, struct inpcb *inp); 106int ipfw_check_out(void *, struct mbuf **, struct ifnet *, 107 int, struct inpcb *inp); 108 109int ipfw_attach_hooks(void); 110int ipfw_unhook(void); 111int ipfw6_unhook(void); 112#ifdef NOTYET 113void ipfw_nat_destroy(void); 114#endif 115 116/* In ip_fw_log.c */ 117struct ip; 118void ipfw_log_bpf(int); 119void ipfw_log(struct ip_fw *f, u_int hlen, struct ip_fw_args *args, 120 struct mbuf *m, struct ifnet *oif, u_short offset, uint32_t tablearg, 121 struct ip *ip); 122VNET_DECLARE(u_int64_t, norule_counter); 123#define V_norule_counter VNET(norule_counter) 124VNET_DECLARE(int, verbose_limit); 125#define V_verbose_limit VNET(verbose_limit) 126 127/* In ip_fw_dynamic.c */ 128 129enum { /* result for matching dynamic rules */ 130 MATCH_REVERSE = 0, 131 MATCH_FORWARD, 132 MATCH_NONE, 133 MATCH_UNKNOWN, 134}; 135 136/* 137 * The lock for dynamic rules is only used once outside the file, 138 * and only to release the result of lookup_dyn_rule(). 139 * Eventually we may implement it with a callback on the function. 140 */ 141void ipfw_dyn_unlock(void); 142 143struct tcphdr; 144struct mbuf *ipfw_send_pkt(struct mbuf *, struct ipfw_flow_id *, 145 u_int32_t, u_int32_t, int); 146int ipfw_install_state(struct ip_fw *rule, ipfw_insn_limit *cmd, 147 struct ip_fw_args *args, uint32_t tablearg); 148ipfw_dyn_rule *ipfw_lookup_dyn_rule(struct ipfw_flow_id *pkt, 149 int *match_direction, struct tcphdr *tcp); 150void ipfw_remove_dyn_children(struct ip_fw *rule); 151void ipfw_get_dynamic(char **bp, const char *ep); 152 153void ipfw_dyn_attach(void); /* uma_zcreate .... */ 154void ipfw_dyn_detach(void); /* uma_zdestroy ... */ 155void ipfw_dyn_init(void); /* per-vnet initialization */ 156void ipfw_dyn_uninit(int); /* per-vnet deinitialization */ 157int ipfw_dyn_len(void); 158 159/* common variables */ 160VNET_DECLARE(int, fw_one_pass); 161#define V_fw_one_pass VNET(fw_one_pass) 162 163VNET_DECLARE(int, fw_verbose); 164#define V_fw_verbose VNET(fw_verbose) 165 166VNET_DECLARE(struct ip_fw_chain, layer3_chain); 167#define V_layer3_chain VNET(layer3_chain) 168 169VNET_DECLARE(u_int32_t, set_disable); 170#define V_set_disable VNET(set_disable) 171 172VNET_DECLARE(int, autoinc_step); 173#define V_autoinc_step VNET(autoinc_step) 174 175struct ip_fw_chain { 176 struct ip_fw *rules; /* list of rules */ 177 struct ip_fw *reap; /* list of rules to reap */ 178 struct ip_fw *default_rule; 179 int n_rules; /* number of static rules */ 180 int static_len; /* total len of static rules */ 181 LIST_HEAD(nat_list, cfg_nat) nat; /* list of nat entries */ 182 struct radix_node_head *tables[IPFW_TABLES_MAX]; 183 struct rwlock rwmtx; 184 uint32_t id; /* ruleset id */ 185}; 186 187struct sockopt; /* used by tcp_var.h */ 188 189/* 190 * The lock is heavily used by ip_fw2.c (the main file) and ip_fw_nat.c 191 * so the variable and the macros must be here. 192 */ 193 194#define IPFW_LOCK_INIT(_chain) \ 195 rw_init(&(_chain)->rwmtx, "IPFW static rules") 196#define IPFW_LOCK_DESTROY(_chain) rw_destroy(&(_chain)->rwmtx) 197#define IPFW_WLOCK_ASSERT(_chain) rw_assert(&(_chain)->rwmtx, RA_WLOCKED) 198 199#define IPFW_RLOCK(p) rw_rlock(&(p)->rwmtx) 200#define IPFW_RUNLOCK(p) rw_runlock(&(p)->rwmtx) 201#define IPFW_WLOCK(p) rw_wlock(&(p)->rwmtx) 202#define IPFW_WUNLOCK(p) rw_wunlock(&(p)->rwmtx) 203 204/* In ip_fw_sockopt.c */ 205int ipfw_add_rule(struct ip_fw_chain *chain, struct ip_fw *input_rule); 206int ipfw_ctl(struct sockopt *sopt); 207int ipfw_chk(struct ip_fw_args *args); 208void ipfw_reap_rules(struct ip_fw *head); 209void ipfw_free_chain(struct ip_fw_chain *chain, int kill_default); 210 211/* In ip_fw_table.c */ 212struct radix_node; 213int ipfw_lookup_table(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, 214 uint32_t *val); 215int ipfw_init_tables(struct ip_fw_chain *ch); 216int ipfw_flush_table(struct ip_fw_chain *ch, uint16_t tbl); 217void ipfw_flush_tables(struct ip_fw_chain *ch); 218int ipfw_add_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, 219 uint8_t mlen, uint32_t value); 220int ipfw_dump_table_entry(struct radix_node *rn, void *arg); 221int ipfw_del_table_entry(struct ip_fw_chain *ch, uint16_t tbl, in_addr_t addr, 222 uint8_t mlen); 223int ipfw_count_table(struct ip_fw_chain *ch, uint32_t tbl, uint32_t *cnt); 224int ipfw_dump_table(struct ip_fw_chain *ch, ipfw_table *tbl); 225 226/* In ip_fw_nat.c */ 227 228extern struct cfg_nat *(*lookup_nat_ptr)(struct nat_list *, int); 229 230typedef int ipfw_nat_t(struct ip_fw_args *, struct cfg_nat *, struct mbuf *); 231typedef int ipfw_nat_cfg_t(struct sockopt *); 232 233extern ipfw_nat_t *ipfw_nat_ptr; 234#define IPFW_NAT_LOADED (ipfw_nat_ptr != NULL) 235 236extern ipfw_nat_cfg_t *ipfw_nat_cfg_ptr; 237extern ipfw_nat_cfg_t *ipfw_nat_del_ptr; 238extern ipfw_nat_cfg_t *ipfw_nat_get_cfg_ptr; 239extern ipfw_nat_cfg_t *ipfw_nat_get_log_ptr; 240 241#endif /* _KERNEL */ 242#endif /* _IPFW2_PRIVATE_H */ 243