[apple/xnu.git] / bsd / netinet / ip_fil.h

/*
 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 * 
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License").  You may not use this file except in compliance with the
 * License.  Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 * 
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 * 
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * Copyright (C) 1993-1997 by Darren Reed.
 *
 * Redistribution and use in source and binary forms are permitted
 * provided that this notice is preserved and due credit is given
 * to the original author and the contributors.
 *
 * @(#)ip_fil.h	1.35 6/5/96
 * $Id: ip_fil.h,v 1.3 2000/11/22 01:12:12 zarzycki Exp $
 */

#ifndef	__IP_FIL_H__
#define	__IP_FIL_H__

/*
 * Pathnames for various IP Filter control devices.  Used by LKM
 * and userland, so defined here.
 */
#define	IPNAT_NAME	"/dev/ipnat"
#define	IPSTATE_NAME	"/dev/ipstate"
#define	IPAUTH_NAME	"/dev/ipauth"

#ifndef	SOLARIS
#define	SOLARIS	(defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif

#if defined(KERNEL) && !defined(_KERNEL)
#define	_KERNEL
#endif

#ifndef	__P
# if	__STDC__
#  define	__P(x)	x
# else
#  define	__P(x)	()
# endif
#endif

#if defined(__STDC__) || defined(__GNUC__)
#define	SIOCADAFR	_IOW('r', 60, struct frentry)
#define	SIOCRMAFR	_IOW('r', 61, struct frentry)
#define	SIOCSETFF	_IOW('r', 62, u_int)
#define	SIOCGETFF	_IOR('r', 63, u_int)
#define	SIOCGETFS	_IOR('r', 64, struct friostat)
#define	SIOCIPFFL	_IOWR('r', 65, int)
#define	SIOCIPFFB	_IOR('r', 66, int)
#define	SIOCADIFR	_IOW('r', 67, struct frentry)
#define	SIOCRMIFR	_IOW('r', 68, struct frentry)
#define	SIOCSWAPA	_IOR('r', 69, u_int)
#define	SIOCINAFR	_IOW('r', 70, struct frentry)
#define	SIOCINIFR	_IOW('r', 71, struct frentry)
#define	SIOCFRENB	_IOW('r', 72, u_int)
#define	SIOCFRSYN	_IOW('r', 73, u_int)
#define	SIOCFRZST	_IOWR('r', 74, struct friostat)
#define	SIOCZRLST	_IOWR('r', 75, struct frentry)
#define	SIOCAUTHW	_IOWR('r', 76, struct fr_info)
#define	SIOCAUTHR	_IOWR('r', 77, struct fr_info)
#define	SIOCATHST	_IOWR('r', 78, struct fr_authstat)
#else
#define	SIOCADAFR	_IOW(r, 60, struct frentry)
#define	SIOCRMAFR	_IOW(r, 61, struct frentry)
#define	SIOCSETFF	_IOW(r, 62, u_int)
#define	SIOCGETFF	_IOR(r, 63, u_int)
#define	SIOCGETFS	_IOR(r, 64, struct friostat)
#define	SIOCIPFFL	_IOWR(r, 65, int)
#define	SIOCIPFFB	_IOR(r, 66, int)
#define	SIOCADIFR	_IOW(r, 67, struct frentry)
#define	SIOCRMIFR	_IOW(r, 68, struct frentry)
#define	SIOCSWAPA	_IOR(r, 69, u_int)
#define	SIOCINAFR	_IOW(r, 70, struct frentry)
#define	SIOCINIFR	_IOW(r, 71, struct frentry)
#define SIOCFRENB	_IOW(r, 72, u_int)
#define	SIOCFRSYN	_IOW(r, 73, u_int)
#define	SIOCFRZST	_IOWR(r, 74, struct friostat)
#define	SIOCZRLST	_IOWR(r, 75, struct frentry)
#define	SIOCAUTHW	_IOWR(r, 76, struct fr_info)
#define	SIOCAUTHR	_IOWR(r, 77, struct fr_info)
#define	SIOCATHST	_IOWR(r, 78, struct fr_authstat)
#endif
#define	SIOCADDFR	SIOCADAFR
#define	SIOCDELFR	SIOCRMAFR
#define	SIOCINSFR	SIOCINAFR

typedef	struct	fr_ip	{
	u_int	fi_v:4;		/* IP version */
	u_int	fi_fl:4;	/* packet flags */
	u_char	fi_tos;
	u_char	fi_ttl;
	u_char	fi_p;
	struct	in_addr	fi_src;
	struct	in_addr	fi_dst;
	u_32_t	fi_optmsk;	/* bitmask composed from IP options */
	u_short	fi_secmsk;	/* bitmask composed from IP security options */
	u_short	fi_auth;
} fr_ip_t;

#define	FI_OPTIONS	(FF_OPTIONS >> 24)
#define	FI_TCPUDP	(FF_TCPUDP >> 24)	/* TCP/UCP implied comparison*/
#define	FI_FRAG		(FF_FRAG >> 24)
#define	FI_SHORT	(FF_SHORT >> 24)

typedef	struct	fr_info	{
	struct	fr_ip	fin_fi;
	u_short	fin_data[2];
	u_short	fin_out;
	u_short	fin_hlen;
	u_char	fin_tcpf;
	u_char	fin_icode;		/* From here on is packet specific */
	u_short	fin_rule;
	u_short	fin_group;
	u_short	fin_dlen;
	u_short	fin_id;
	void	*fin_ifp;
	struct	frentry *fin_fr;
	char	*fin_dp;		/* start of data past IP header */
	void	*fin_mp;
} fr_info_t;

/*
 * Size for compares on fr_info structures
 */
#define	FI_CSIZE	(sizeof(struct fr_ip) + sizeof(u_short) * 4 + \
			 sizeof(u_char))
/*
 * Size for copying cache fr_info structure
 */
#define	FI_COPYSIZE	(sizeof(fr_info_t) - sizeof(void *) * 2)

typedef	struct	frdest	{
	void	*fd_ifp;
	struct	in_addr	fd_ip;
	char	fd_ifname[IFNAMSIZ];
} frdest_t;

typedef	struct	frentry {
	struct	frentry	*fr_next;
	u_short	fr_group;	/* group to which this rule belongs */
	u_short	fr_grhead;	/* group # which this rule starts */
	struct	frentry	*fr_grp;
	int	fr_ref;		/* reference count - for grouping */
	void	*fr_ifa;
	/*
	 * These are only incremented when a packet  matches this rule and
	 * it is the last match
	 */
	U_QUAD_T	fr_hits;
	U_QUAD_T	fr_bytes;
	/*
	 * Fields after this may not change whilst in the kernel.
	 */
	struct	fr_ip	fr_ip;
	struct	fr_ip	fr_mip;	/* mask structure */

	u_char	fr_tcpfm;	/* tcp flags mask */
	u_char	fr_tcpf;	/* tcp flags */

	u_short	fr_icmpm;	/* data for ICMP packets (mask) */
	u_short	fr_icmp;

	u_char	fr_scmp;	/* data for port comparisons */
	u_char	fr_dcmp;
	u_short	fr_dport;
	u_short	fr_sport;
	u_short	fr_stop;	/* top port for <> and >< */
	u_short	fr_dtop;	/* top port for <> and >< */
	u_32_t	fr_flags;	/* per-rule flags && options (see below) */
	int	fr_skip;	/* # of rules to skip */
	int	(*fr_func) __P((int, ip_t *, fr_info_t *));	/* call this function */
	char	fr_icode;	/* return ICMP code */
	char	fr_ifname[IFNAMSIZ];
	struct	frdest	fr_tif;	/* "to" interface */
	struct	frdest	fr_dif;	/* duplicate packet interfaces */
} frentry_t;

#define	fr_proto	fr_ip.fi_p
#define	fr_ttl		fr_ip.fi_ttl
#define	fr_tos		fr_ip.fi_tos
#define	fr_dst		fr_ip.fi_dst
#define	fr_src		fr_ip.fi_src
#define	fr_dmsk		fr_mip.fi_dst
#define	fr_smsk		fr_mip.fi_src

#ifndef	offsetof
#define	offsetof(t,m)	(int)((&((t *)0L)->m))
#endif
#define	FR_CMPSIZ	(sizeof(struct frentry) - offsetof(frentry_t, fr_ip))

/*
 * fr_flags
 */
#define	FR_BLOCK	0x00001	/* do not allow packet to pass */
#define	FR_PASS		0x00002	/* allow packet to pass */
#define	FR_OUTQUE	0x00004	/* outgoing packets */
#define	FR_INQUE	0x00008	/* ingoing packets */
#define	FR_LOG		0x00010	/* Log */
#define	FR_LOGB		0x00011	/* Log-fail */
#define	FR_LOGP		0x00012	/* Log-pass */
#define	FR_LOGBODY	0x00020	/* Log the body */
#define	FR_LOGFIRST	0x00040	/* Log the first byte if state held */
#define	FR_RETRST	0x00080	/* Return TCP RST packet - reset connection */
#define	FR_RETICMP	0x00100	/* Return ICMP unreachable packet */
#define	FR_NOMATCH	0x00200	/* no match occured */
#define	FR_ACCOUNT	0x00400	/* count packet bytes */
#define	FR_KEEPFRAG	0x00800	/* keep fragment information */
#define	FR_KEEPSTATE	0x01000	/* keep `connection' state information */
#define	FR_INACTIVE	0x02000
#define	FR_QUICK	0x04000	/* match & stop processing list */
#define	FR_FASTROUTE	0x08000	/* bypass normal routing */
#define	FR_CALLNOW	0x10000	/* call another function (fr_func) if matches */
#define	FR_DUP		0x20000	/* duplicate packet */
#define	FR_LOGORBLOCK	0x40000	/* block the packet if it can't be logged */
#define	FR_NOTSRCIP	0x80000	/* not the src IP# */
#define	FR_NOTDSTIP	0x100000	/* not the dst IP# */
#define	FR_AUTH		0x200000	/* use authentication */
#define	FR_PREAUTH	0x400000	/* require preauthentication */

#define	FR_LOGMASK	(FR_LOG|FR_LOGP|FR_LOGB)

/*
 * These correspond to #define's for FI_* and are stored in fr_flags
 */
#define	FF_OPTIONS	0x01000000
#define	FF_TCPUDP	0x02000000
#define	FF_FRAG		0x04000000
#define	FF_SHORT	0x08000000
/*
 * recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
 */
#define	FF_LOGPASS	0x10000000
#define	FF_LOGBLOCK	0x20000000
#define	FF_LOGNOMATCH	0x40000000
#define	FF_LOGGING	(FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define	FF_BLOCKNONIP	0x80000000	/* Solaris2 Only */

#define	FR_NONE 0
#define	FR_EQUAL 1
#define	FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define	FR_OUTRANGE 7
#define	FR_INRANGE 8

typedef	struct	filterstats {
	u_long	fr_pass;	/* packets allowed */
	u_long	fr_block;	/* packets denied */
	u_long	fr_nom;		/* packets which don't match any rule */
	u_long	fr_ppkl;	/* packets allowed and logged */
	u_long	fr_bpkl;	/* packets denied and logged */
	u_long	fr_npkl;	/* packets unmatched and logged */
	u_long	fr_pkl;		/* packets logged */
	u_long	fr_skip;	/* packets to be logged but buffer full */
	u_long	fr_ret;		/* packets for which a return is sent */
	u_long	fr_acct;	/* packets for which counting was performed */
	u_long	fr_bnfr;	/* bad attempts to allocate fragment state */
	u_long	fr_nfr;		/* new fragment state kept */
	u_long	fr_cfr;		/* add new fragment state but complete pkt */
	u_long	fr_bads;	/* bad attempts to allocate packet state */
	u_long	fr_ads;		/* new packet state kept */
	u_long	fr_chit;	/* cached hit */
	u_long	fr_tcpbad;	/* TCP checksum check failures */
	u_long	fr_pull[2];	/* good and bad pullup attempts */
#if SOLARIS
	u_long	fr_bad;		/* bad IP packets to the filter */
	u_long	fr_notip;	/* packets passed through no on ip queue */
	u_long	fr_drop;	/* packets dropped - no info for them! */
#endif
} filterstats_t;

/*
 * For SIOCGETFS
 */
typedef	struct	friostat	{
	struct	filterstats	f_st[2];
	struct	frentry		*f_fin[2];
	struct	frentry		*f_fout[2];
	struct	frentry		*f_acctin[2];
	struct	frentry		*f_acctout[2];
	struct	frentry		*f_auth;
	u_long	f_froute[2];
	int	f_active;
} friostat_t;

typedef struct	optlist {
	u_short ol_val;
	int	ol_bit;
} optlist_t;


/*
 * Group list structure.
 */
typedef	struct frgroup {
	u_short	fg_num;
	struct	frgroup	*fg_next;
	struct	frentry	*fg_head;
	struct	frentry	**fg_start;
} frgroup_t;


/*
 * Log structure.  Each packet header logged is prepended by one of these.
 * Following this in the log records read from the device will be an ipflog
 * structure which is then followed by any packet data.
 */
typedef	struct	iplog	{
	u_long	ipl_magic;
	u_long	ipl_sec;
	u_long	ipl_usec;
	u_int	ipl_len;
	u_int	ipl_count;
	size_t	ipl_dsize;
	struct	iplog	*ipl_next;
} iplog_t;

#define IPL_MAGIC 0x49504c4d /* 'IPLM' */

typedef	struct	ipflog	{
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
        (defined(OpenBSD) && (OpenBSD >= 199603))
	u_char	fl_ifname[IFNAMSIZ];
#else
	u_int	fl_unit;
	u_char	fl_ifname[4];
#endif
	u_char	fl_plen;	/* extra data after hlen */
	u_char	fl_hlen;	/* length of IP headers saved */
	u_short	fl_rule;	/* assume never more than 64k rules, total */
	u_short	fl_group;
	u_32_t	fl_flags;
} ipflog_t;


#ifndef	ICMP_UNREACH_FILTER
#define	ICMP_UNREACH_FILTER	13
#endif

#ifndef	IPF_LOGGING
#define	IPF_LOGGING	0
#endif
#ifndef	IPF_DEFAULT_PASS
#define	IPF_DEFAULT_PASS	FR_PASS
#endif

#define	IPMINLEN(i, h)	((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define	IPLLOGSIZE	8192

/*
 * Device filenames for reading log information.  Use ipf on Solaris2 because
 * ipl is already a name used by something else.
 */
#ifndef	IPL_NAME
# if	SOLARIS
#  define	IPL_NAME	"/dev/ipf"
# else
#  define	IPL_NAME	"/dev/ipl"
# endif
#endif
#define	IPL_NAT		IPNAT_NAME
#define	IPL_STATE	IPSTATE_NAME
#define	IPL_AUTH	IPAUTH_NAME

#define	IPL_LOGIPF	0	/* Minor device #'s for accessing logs */
#define	IPL_LOGNAT	1
#define	IPL_LOGSTATE	2
#define	IPL_LOGAUTH	3
#define	IPL_LOGMAX	3

#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
    (__FreeBSD_version >= 220000)
# define	CDEV_MAJOR	79
#endif

#ifndef	_KERNEL
struct ifnet;
extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern	int	send_reset __P((ip_t *, struct ifnet *));
extern	int	icmp_error __P((ip_t *, struct ifnet *));
extern	int	ipf_log __P((void));
extern	void	ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern	struct	ifnet *get_unit __P((char *));
# define	FR_SCANLIST(p, ip, fi, m)	fr_scanlist(p, ip, fi, m)
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
     (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300003)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
# else
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
# endif
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern	int	ipfilterattach __P((int));
# endif
extern	int	iplattach __P((void));
extern	int	ipl_enable __P((void));
extern	int	ipl_disable __P((void));
extern	void	ipflog_init __P((void));
extern	int	ipflog_clear __P((int));
extern	int	ipflog_read __P((int, struct uio *));
extern	int	ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
extern	int	ipllog __P((int, u_long, void **, size_t *, int *, int));
# if	SOLARIS
extern	int	fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *,
				  int, qif_t *, mb_t **));
extern	int	icmp_error __P((ip_t *, int, int, qif_t *,
				struct in_addr));
extern	int	iplioctl __P((dev_t, int, int, int, cred_t *, int *));
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	ipfsync __P((void));
extern	int	send_reset __P((ip_t *, qif_t *));
extern	int	ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
				   fr_info_t *, frdest_t *));
extern	void	copyin_mblk __P((mblk_t *, int, int, char *));
extern	void	copyout_mblk __P((mblk_t *, int, int, char *));
extern	int	fr_qin __P((queue_t *, mblk_t *));
extern	int	fr_qout __P((queue_t *, mblk_t *));
#  if	IPFILTER_LOG
extern	int	iplread __P((dev_t, struct uio *, cred_t *));
#  endif
# else /* SOLARIS */
extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
#  if	linux
extern	int	send_reset __P((tcpiphdr_t *, struct ifnet *));
#  else
extern	int	send_reset __P((tcpiphdr_t *));
#  endif
extern	void	ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern	size_t	mbufchainlen __P((mb_t *));
#  if	__sgi
#   include <sys/cred.h>
extern	int	iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	iplread __P((dev_t, struct uio *, cred_t *));
extern	int	ipfsync __P((void));
extern	int	ipfilter_sgi_attach __P((void));
extern	void	ipfilter_sgi_detach __P((void));
extern	void	ipfilter_sgi_intfsync __P((void));
#  else
#   if	IPFILTER_LKM
extern	int	iplidentify __P((char *));
#   endif
#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
      (NetBSD >= 199511)
#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
        (__FreeBSD_version >= 300003)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
#    else
extern	int	iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
#    endif
extern	int	iplopen __P((dev_t, int, int, struct proc *));
extern	int	iplclose __P((dev_t, int, int, struct proc *));
#   else
#    if defined(__OpenBSD__)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
#    else /* __OpenBSD__ */
#     ifndef	linux
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
#     else
extern	int	iplioctl(struct inode *, struct file *, u_int, u_long);
#     endif
#    endif /* __OpenBSD__ */
#    ifndef linux
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
#    else
extern	int	iplopen __P((struct inode *, struct file *));
extern	void	iplclose __P((struct inode *, struct file *));
#    endif /* !linux */
#   endif /* (_BSDI_VERSION >= 199510) */
#   if	BSD >= 199306
extern	int	iplread __P((dev_t, struct uio *, int));
#   else
#    ifndef linux
extern	int	iplread __P((dev_t, struct uio *));
#    else
extern	int	iplread(struct inode *, struct file *, char *, int);
#    endif /* !linux */
#   endif /* BSD >= 199306 */
#  endif /* __ sgi */
# endif /* SOLARIS */
#endif /* #ifndef _KERNEL */

/*
 * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
 * on those hooks.  We don't need any special mods in non-IP Filter code
 * with this!
 */
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
    (defined(NetBSD1_2) && NetBSD1_2 > 1)
# define NETBSD_PF
#endif

extern	int	ipldetach __P((void));
extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *, int));
#define	FR_SCANLIST(p, ip, fi, m)	fr_scanlist(p, ip, fi, m)
extern	int	fr_scanlist __P((int, ip_t *, fr_info_t *, void *));
extern	u_short	ipf_cksum __P((u_short *, int));
extern	int	fr_copytolog __P((int, char *, int));
extern	void	frflush __P((int, int *));
extern	frgroup_t *fr_addgroup __P((u_short, frentry_t *, int, int));
extern	frgroup_t *fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t ***));
extern	void	fr_delgroup __P((u_short, u_32_t, int, int));
extern	int	ipl_unreach;
extern	int	ipl_inited;
extern	u_long	ipl_frouteok[2];
extern	int	fr_pass;
extern	int	fr_flags;
extern	int	fr_active;
extern	fr_info_t	frcache[2];
#if	IPFILTER_LOG
extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
extern	int	iplused[IPL_LOGMAX + 1];
#endif
extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
extern	struct frgroup *ipfgroups[3][2];
extern	struct filterstats frstats[];

#endif	/* __IP_FIL_H__ */
Commit	Line	Data
1c79356b A	1	/*
	2	* Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
	3	*
	4	* @APPLE_LICENSE_HEADER_START@
	5	*
	6	* The contents of this file constitute Original Code as defined in and
	7	* are subject to the Apple Public Source License Version 1.1 (the
	8	* "License"). You may not use this file except in compliance with the
	9	* License. Please obtain a copy of the License at
	10	* http://www.apple.com/publicsource and read it before using this file.
	11	*
	12	* This Original Code and all software distributed under the License are
	13	* distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
	14	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
	15	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
	16	* FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
	17	* License for the specific language governing rights and limitations
	18	* under the License.
	19	*
	20	* @APPLE_LICENSE_HEADER_END@
	21	*/
	22	/*
	23	* Copyright (C) 1993-1997 by Darren Reed.
	24	*
	25	* Redistribution and use in source and binary forms are permitted
	26	* provided that this notice is preserved and due credit is given
	27	* to the original author and the contributors.
	28	*
	29	* @(#)ip_fil.h 1.35 6/5/96
	30	* $Id: ip_fil.h,v 1.3 2000/11/22 01:12:12 zarzycki Exp $
	31	*/
	32
	33	#ifndef __IP_FIL_H__
	34	#define __IP_FIL_H__
	35
	36	/*
	37	* Pathnames for various IP Filter control devices. Used by LKM
	38	* and userland, so defined here.
	39	*/
	40	#define IPNAT_NAME "/dev/ipnat"
	41	#define IPSTATE_NAME "/dev/ipstate"
	42	#define IPAUTH_NAME "/dev/ipauth"
	43
	44	#ifndef SOLARIS
	45	#define SOLARIS (defined(sun) && (defined(__svr4__) \|\| defined(__SVR4)))
	46	#endif
	47
	48	#if defined(KERNEL) && !defined(_KERNEL)
	49	#define _KERNEL
	50	#endif
	51
	52	#ifndef __P
	53	# if __STDC__
	54	# define __P(x) x
	55	# else
	56	# define __P(x) ()
	57	# endif
	58	#endif
	59
	60	#if defined(__STDC__) \|\| defined(__GNUC__)
	61	#define SIOCADAFR _IOW('r', 60, struct frentry)
	62	#define SIOCRMAFR _IOW('r', 61, struct frentry)
	63	#define SIOCSETFF _IOW('r', 62, u_int)
	64	#define SIOCGETFF _IOR('r', 63, u_int)
65	#define SIOCGETFS _IOR('r', 64, struct friostat)
66	#define SIOCIPFFL _IOWR('r', 65, int)
67	#define SIOCIPFFB _IOR('r', 66, int)
68	#define SIOCADIFR _IOW('r', 67, struct frentry)
69	#define SIOCRMIFR _IOW('r', 68, struct frentry)
70	#define SIOCSWAPA _IOR('r', 69, u_int)
71	#define SIOCINAFR _IOW('r', 70, struct frentry)
72	#define SIOCINIFR _IOW('r', 71, struct frentry)
73	#define SIOCFRENB _IOW('r', 72, u_int)
74	#define SIOCFRSYN _IOW('r', 73, u_int)
75	#define SIOCFRZST _IOWR('r', 74, struct friostat)
76	#define SIOCZRLST _IOWR('r', 75, struct frentry)
77	#define SIOCAUTHW _IOWR('r', 76, struct fr_info)
78	#define SIOCAUTHR _IOWR('r', 77, struct fr_info)
79	#define SIOCATHST _IOWR('r', 78, struct fr_authstat)
80	#else
81	#define SIOCADAFR _IOW(r, 60, struct frentry)
82	#define SIOCRMAFR _IOW(r, 61, struct frentry)
83	#define SIOCSETFF _IOW(r, 62, u_int)
84	#define SIOCGETFF _IOR(r, 63, u_int)
85	#define SIOCGETFS _IOR(r, 64, struct friostat)
86	#define SIOCIPFFL _IOWR(r, 65, int)
87	#define SIOCIPFFB _IOR(r, 66, int)
88	#define SIOCADIFR _IOW(r, 67, struct frentry)
89	#define SIOCRMIFR _IOW(r, 68, struct frentry)
90	#define SIOCSWAPA _IOR(r, 69, u_int)
91	#define SIOCINAFR _IOW(r, 70, struct frentry)
92	#define SIOCINIFR _IOW(r, 71, struct frentry)
93	#define SIOCFRENB _IOW(r, 72, u_int)
94	#define SIOCFRSYN _IOW(r, 73, u_int)
95	#define SIOCFRZST _IOWR(r, 74, struct friostat)
96	#define SIOCZRLST _IOWR(r, 75, struct frentry)
97	#define SIOCAUTHW _IOWR(r, 76, struct fr_info)
98	#define SIOCAUTHR _IOWR(r, 77, struct fr_info)
99	#define SIOCATHST _IOWR(r, 78, struct fr_authstat)
100	#endif
101	#define SIOCADDFR SIOCADAFR
102	#define SIOCDELFR SIOCRMAFR
103	#define SIOCINSFR SIOCINAFR
104
105	typedef struct fr_ip {
106	u_int fi_v:4; /* IP version */
107	u_int fi_fl:4; /* packet flags */
108	u_char fi_tos;
109	u_char fi_ttl;
110	u_char fi_p;
111	struct in_addr fi_src;
112	struct in_addr fi_dst;
113	u_32_t fi_optmsk; /* bitmask composed from IP options */
114	u_short fi_secmsk; /* bitmask composed from IP security options */
115	u_short fi_auth;
116	} fr_ip_t;
117
118	#define FI_OPTIONS (FF_OPTIONS >> 24)
119	#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
120	#define FI_FRAG (FF_FRAG >> 24)
121	#define FI_SHORT (FF_SHORT >> 24)
122
123	typedef struct fr_info {
124	struct fr_ip fin_fi;
125	u_short fin_data[2];
126	u_short fin_out;
127	u_short fin_hlen;
128	u_char fin_tcpf;
129	u_char fin_icode; /* From here on is packet specific */
130	u_short fin_rule;
131	u_short fin_group;
132	u_short fin_dlen;
133	u_short fin_id;
134	void *fin_ifp;
135	struct frentry *fin_fr;
136	char fin_dp; / start of data past IP header */
137	void *fin_mp;
138	} fr_info_t;
139
140	/*
141	* Size for compares on fr_info structures
142	*/
143	#define FI_CSIZE (sizeof(struct fr_ip) + sizeof(u_short) * 4 + \
144	sizeof(u_char))
145	/*
146	* Size for copying cache fr_info structure
147	*/
148	#define FI_COPYSIZE (sizeof(fr_info_t) - sizeof(void ) 2)
149
150	typedef struct frdest {
151	void *fd_ifp;
152	struct in_addr fd_ip;
153	char fd_ifname[IFNAMSIZ];
154	} frdest_t;
155
156	typedef struct frentry {
157	struct frentry *fr_next;
158	u_short fr_group; /* group to which this rule belongs */
159	u_short fr_grhead; /* group # which this rule starts */
160	struct frentry *fr_grp;
161	int fr_ref; /* reference count - for grouping */
162	void *fr_ifa;
163	/*
164	* These are only incremented when a packet matches this rule and
165	* it is the last match
166	*/
167	U_QUAD_T fr_hits;
168	U_QUAD_T fr_bytes;
169	/*
170	* Fields after this may not change whilst in the kernel.
171	*/
172	struct fr_ip fr_ip;
173	struct fr_ip fr_mip; /* mask structure */
174
175	u_char fr_tcpfm; /* tcp flags mask */
176	u_char fr_tcpf; /* tcp flags */
177
178	u_short fr_icmpm; /* data for ICMP packets (mask) */
179	u_short fr_icmp;
180
181	u_char fr_scmp; /* data for port comparisons */
182	u_char fr_dcmp;
183	u_short fr_dport;
184	u_short fr_sport;
185	u_short fr_stop; /* top port for <> and >< */
186	u_short fr_dtop; /* top port for <> and >< */
187	u_32_t fr_flags; /* per-rule flags && options (see below) */
188	int fr_skip; /* # of rules to skip */
189	int (fr_func) __P((int, ip_t , fr_info_t )); / call this function */
190	char fr_icode; /* return ICMP code */
191	char fr_ifname[IFNAMSIZ];
192	struct frdest fr_tif; /* "to" interface */
193	struct frdest fr_dif; /* duplicate packet interfaces */
194	} frentry_t;
195
196	#define fr_proto fr_ip.fi_p
197	#define fr_ttl fr_ip.fi_ttl
198	#define fr_tos fr_ip.fi_tos
199	#define fr_dst fr_ip.fi_dst
200	#define fr_src fr_ip.fi_src
201	#define fr_dmsk fr_mip.fi_dst
202	#define fr_smsk fr_mip.fi_src
203
204	#ifndef offsetof
205	#define offsetof(t,m) (int)((&((t *)0L)->m))
206	#endif
207	#define FR_CMPSIZ (sizeof(struct frentry) - offsetof(frentry_t, fr_ip))
208
209	/*
210	* fr_flags
211	*/
212	#define FR_BLOCK 0x00001 /* do not allow packet to pass */
213	#define FR_PASS 0x00002 /* allow packet to pass */
214	#define FR_OUTQUE 0x00004 /* outgoing packets */
215	#define FR_INQUE 0x00008 /* ingoing packets */
216	#define FR_LOG 0x00010 /* Log */
217	#define FR_LOGB 0x00011 /* Log-fail */
218	#define FR_LOGP 0x00012 /* Log-pass */
219	#define FR_LOGBODY 0x00020 /* Log the body */
220	#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
221	#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
222	#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
223	#define FR_NOMATCH 0x00200 /* no match occured */
224	#define FR_ACCOUNT 0x00400 /* count packet bytes */
225	#define FR_KEEPFRAG 0x00800 /* keep fragment information */
226	#define FR_KEEPSTATE 0x01000 /* keep `connection' state information */
227	#define FR_INACTIVE 0x02000
228	#define FR_QUICK 0x04000 /* match & stop processing list */
229	#define FR_FASTROUTE 0x08000 /* bypass normal routing */
230	#define FR_CALLNOW 0x10000 /* call another function (fr_func) if matches */
231	#define FR_DUP 0x20000 /* duplicate packet */
232	#define FR_LOGORBLOCK 0x40000 /* block the packet if it can't be logged */
233	#define FR_NOTSRCIP 0x80000 /* not the src IP# */
234	#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
235	#define FR_AUTH 0x200000 /* use authentication */
236	#define FR_PREAUTH 0x400000 /* require preauthentication */
237
238	#define FR_LOGMASK (FR_LOG\|FR_LOGP\|FR_LOGB)
239
240	/*
241	* These correspond to #define's for FI_* and are stored in fr_flags
242	*/
243	#define FF_OPTIONS 0x01000000
244	#define FF_TCPUDP 0x02000000
245	#define FF_FRAG 0x04000000
246	#define FF_SHORT 0x08000000
247	/*
248	* recognized flags for SIOCGETFF and SIOCSETFF, and get put in fr_flags
249	*/
250	#define FF_LOGPASS 0x10000000
251	#define FF_LOGBLOCK 0x20000000
252	#define FF_LOGNOMATCH 0x40000000
253	#define FF_LOGGING (FF_LOGPASS\|FF_LOGBLOCK\|FF_LOGNOMATCH)
254	#define FF_BLOCKNONIP 0x80000000 /* Solaris2 Only */
255
256	#define FR_NONE 0
257	#define FR_EQUAL 1
258	#define FR_NEQUAL 2
259	#define FR_LESST 3
260	#define FR_GREATERT 4
261	#define FR_LESSTE 5
262	#define FR_GREATERTE 6
263	#define FR_OUTRANGE 7
264	#define FR_INRANGE 8
265
266	typedef struct filterstats {
267	u_long fr_pass; /* packets allowed */
268	u_long fr_block; /* packets denied */
269	u_long fr_nom; /* packets which don't match any rule */
270	u_long fr_ppkl; /* packets allowed and logged */
271	u_long fr_bpkl; /* packets denied and logged */
272	u_long fr_npkl; /* packets unmatched and logged */
273	u_long fr_pkl; /* packets logged */
274	u_long fr_skip; /* packets to be logged but buffer full */
275	u_long fr_ret; /* packets for which a return is sent */
276	u_long fr_acct; /* packets for which counting was performed */
277	u_long fr_bnfr; /* bad attempts to allocate fragment state */
278	u_long fr_nfr; /* new fragment state kept */
279	u_long fr_cfr; /* add new fragment state but complete pkt */
280	u_long fr_bads; /* bad attempts to allocate packet state */
281	u_long fr_ads; /* new packet state kept */
282	u_long fr_chit; /* cached hit */
283	u_long fr_tcpbad; /* TCP checksum check failures */
284	u_long fr_pull[2]; /* good and bad pullup attempts */
285	#if SOLARIS
286	u_long fr_bad; /* bad IP packets to the filter */
287	u_long fr_notip; /* packets passed through no on ip queue */
288	u_long fr_drop; /* packets dropped - no info for them! */
289	#endif
290	} filterstats_t;
291
292	/*
293	* For SIOCGETFS
294	*/
295	typedef struct friostat {
296	struct filterstats f_st[2];
297	struct frentry *f_fin[2];
298	struct frentry *f_fout[2];
299	struct frentry *f_acctin[2];
300	struct frentry *f_acctout[2];
301	struct frentry *f_auth;
302	u_long f_froute[2];
303	int f_active;
304	} friostat_t;
305
306	typedef struct optlist {
307	u_short ol_val;
308	int ol_bit;
309	} optlist_t;
310
311
312	/*
313	* Group list structure.
314	*/
315	typedef struct frgroup {
316	u_short fg_num;
317	struct frgroup *fg_next;
318	struct frentry *fg_head;
319	struct frentry **fg_start;
320	} frgroup_t;
321
322
323	/*
324	* Log structure. Each packet header logged is prepended by one of these.
325	* Following this in the log records read from the device will be an ipflog
326	* structure which is then followed by any packet data.
327	*/
328	typedef struct iplog {
329	u_long ipl_magic;
330	u_long ipl_sec;
331	u_long ipl_usec;
332	u_int ipl_len;
333	u_int ipl_count;
334	size_t ipl_dsize;
335	struct iplog *ipl_next;
336	} iplog_t;
337
338	#define IPL_MAGIC 0x49504c4d /* 'IPLM' */
339
340	typedef struct ipflog {
341	#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) \|\| \
342	(defined(OpenBSD) && (OpenBSD >= 199603))
343	u_char fl_ifname[IFNAMSIZ];
344	#else
345	u_int fl_unit;
346	u_char fl_ifname[4];
347	#endif
348	u_char fl_plen; /* extra data after hlen */
349	u_char fl_hlen; /* length of IP headers saved */
350	u_short fl_rule; /* assume never more than 64k rules, total */
351	u_short fl_group;
352	u_32_t fl_flags;
353	} ipflog_t;
354
355
356	#ifndef ICMP_UNREACH_FILTER
357	#define ICMP_UNREACH_FILTER 13
358	#endif
359
360	#ifndef IPF_LOGGING
361	#define IPF_LOGGING 0
362	#endif
363	#ifndef IPF_DEFAULT_PASS
364	#define IPF_DEFAULT_PASS FR_PASS
365	#endif
366
367	#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
368	#define IPLLOGSIZE 8192
369
370	/*
371	* Device filenames for reading log information. Use ipf on Solaris2 because
372	* ipl is already a name used by something else.
373	*/
374	#ifndef IPL_NAME
375	# if SOLARIS
376	# define IPL_NAME "/dev/ipf"
377	# else
378	# define IPL_NAME "/dev/ipl"
379	# endif
380	#endif
381	#define IPL_NAT IPNAT_NAME
382	#define IPL_STATE IPSTATE_NAME
383	#define IPL_AUTH IPAUTH_NAME
384
385	#define IPL_LOGIPF 0 /* Minor device #'s for accessing logs */
386	#define IPL_LOGNAT 1
387	#define IPL_LOGSTATE 2
388	#define IPL_LOGAUTH 3
389	#define IPL_LOGMAX 3
390
391	#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
392	(__FreeBSD_version >= 220000)
393	# define CDEV_MAJOR 79
394	#endif
395
396	#ifndef _KERNEL
397	struct ifnet;
398	extern int fr_check __P((ip_t , int, void , int, mb_t **));
399	extern int (fr_checkp) __P((ip_t , int, void , int, mb_t *));
400	extern int send_reset __P((ip_t , struct ifnet ));
401	extern int icmp_error __P((ip_t , struct ifnet ));
402	extern int ipf_log __P((void));
403	extern void ipfr_fastroute __P((ip_t , fr_info_t , frdest_t *));
404	extern struct ifnet get_unit __P((char ));
405	# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
406	# if defined(__NetBSD__) \|\| defined(__OpenBSD__) \|\| \
407	(_BSDI_VERSION >= 199701) \|\| (__FreeBSD_version >= 300003)
408	extern int iplioctl __P((dev_t, u_long, caddr_t, int));
409	# else
410	extern int iplioctl __P((dev_t, int, caddr_t, int));
411	# endif
412	extern int iplopen __P((dev_t, int));
413	extern int iplclose __P((dev_t, int));
414	#else /* #ifndef _KERNEL */
415	# if defined(__NetBSD__) && defined(PFIL_HOOKS)
416	extern int ipfilterattach __P((int));
417	# endif
418	extern int iplattach __P((void));
419	extern int ipl_enable __P((void));
420	extern int ipl_disable __P((void));
421	extern void ipflog_init __P((void));
422	extern int ipflog_clear __P((int));
423	extern int ipflog_read __P((int, struct uio *));
424	extern int ipflog __P((u_int, ip_t , fr_info_t , mb_t *));
425	extern int ipllog __P((int, u_long, void *, size_t , int *, int));
426	# if SOLARIS
427	extern int fr_check __P((ip_t , int, void , int, qif_t , mb_t *));
428	extern int (fr_checkp) __P((ip_t , int, void *,
429	int, qif_t , mb_t *));
430	extern int icmp_error __P((ip_t , int, int, qif_t ,
431	struct in_addr));
432	extern int iplioctl __P((dev_t, int, int, int, cred_t , int ));
433	extern int iplopen __P((dev_t , int, int, cred_t ));
434	extern int iplclose __P((dev_t, int, int, cred_t *));
435	extern int ipfsync __P((void));
436	extern int send_reset __P((ip_t , qif_t ));
437	extern int ipfr_fastroute __P((qif_t , ip_t , mblk_t , mblk_t *,
438	fr_info_t , frdest_t ));
439	extern void copyin_mblk __P((mblk_t , int, int, char ));
440	extern void copyout_mblk __P((mblk_t , int, int, char ));
441	extern int fr_qin __P((queue_t , mblk_t ));
442	extern int fr_qout __P((queue_t , mblk_t ));
443	# if IPFILTER_LOG
444	extern int iplread __P((dev_t, struct uio , cred_t ));
445	# endif
446	# else /* SOLARIS */
447	extern int fr_check __P((ip_t , int, void , int, mb_t **));
448	extern int (fr_checkp) __P((ip_t , int, void , int, mb_t *));
449	# if linux
450	extern int send_reset __P((tcpiphdr_t , struct ifnet ));
451	# else
452	extern int send_reset __P((tcpiphdr_t *));
453	# endif
454	extern void ipfr_fastroute __P((mb_t , fr_info_t , frdest_t *));
455	extern size_t mbufchainlen __P((mb_t *));
456	# if __sgi
457	# include <sys/cred.h>
458	extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t , int ));
459	extern int iplopen __P((dev_t , int, int, cred_t ));
460	extern int iplclose __P((dev_t, int, int, cred_t *));
461	extern int iplread __P((dev_t, struct uio , cred_t ));
462	extern int ipfsync __P((void));
463	extern int ipfilter_sgi_attach __P((void));
464	extern void ipfilter_sgi_detach __P((void));
465	extern void ipfilter_sgi_intfsync __P((void));
466	# else
467	# if IPFILTER_LKM
468	extern int iplidentify __P((char *));
469	# endif
470	# if (_BSDI_VERSION >= 199510) \|\| (__FreeBSD_version >= 220000) \|\| \
471	(NetBSD >= 199511)
472	# if defined(__NetBSD__) \|\| (_BSDI_VERSION >= 199701) \|\| \
473	(__FreeBSD_version >= 300003)
474	extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
475	# else
476	extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
477	# endif
478	extern int iplopen __P((dev_t, int, int, struct proc *));
479	extern int iplclose __P((dev_t, int, int, struct proc *));
480	# else
481	# if defined(__OpenBSD__)
482	extern int iplioctl __P((dev_t, u_long, caddr_t, int));
483	# else /* __OpenBSD__ */
484	# ifndef linux
485	extern int iplioctl __P((dev_t, int, caddr_t, int));
486	# else
487	extern int iplioctl(struct inode , struct file , u_int, u_long);
488	# endif
489	# endif /* __OpenBSD__ */
490	# ifndef linux
491	extern int iplopen __P((dev_t, int));
492	extern int iplclose __P((dev_t, int));
493	# else
494	extern int iplopen __P((struct inode , struct file ));
495	extern void iplclose __P((struct inode , struct file ));
496	# endif /* !linux */
497	# endif /* (_BSDI_VERSION >= 199510) */
498	# if BSD >= 199306
499	extern int iplread __P((dev_t, struct uio *, int));
500	# else
501	# ifndef linux
502	extern int iplread __P((dev_t, struct uio *));
503	# else
504	extern int iplread(struct inode , struct file , char *, int);
505	# endif /* !linux */
506	# endif /* BSD >= 199306 */
507	# endif /* __ sgi */
508	# endif /* SOLARIS */
509	#endif /* #ifndef _KERNEL */
510
511	/*
512	* Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
513	* on those hooks. We don't need any special mods in non-IP Filter code
514	* with this!
515	*/
516	#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) \|\| \
517	(defined(NetBSD1_2) && NetBSD1_2 > 1)
518	# define NETBSD_PF
519	#endif
520
521	extern int ipldetach __P((void));
522	extern u_short fr_tcpsum __P((mb_t , ip_t , tcphdr_t *, int));
523	#define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
524	extern int fr_scanlist __P((int, ip_t , fr_info_t , void *));
525	extern u_short ipf_cksum __P((u_short *, int));
526	extern int fr_copytolog __P((int, char *, int));
527	extern void frflush __P((int, int *));
528	extern frgroup_t fr_addgroup __P((u_short, frentry_t , int, int));
529	extern frgroup_t fr_findgroup __P((u_short, u_32_t, int, int, frgroup_t **));
530	extern void fr_delgroup __P((u_short, u_32_t, int, int));
531	extern int ipl_unreach;
532	extern int ipl_inited;
533	extern u_long ipl_frouteok[2];
534	extern int fr_pass;
535	extern int fr_flags;
536	extern int fr_active;
537	extern fr_info_t frcache[2];
538	#if IPFILTER_LOG
539	extern iplog_t *iplh[IPL_LOGMAX+1], iplt[IPL_LOGMAX+1];
540	extern int iplused[IPL_LOGMAX + 1];
541	#endif
542	extern struct frentry ipfilter[2][2], ipacct[2][2];
543	extern struct frgroup *ipfgroups[3][2];
544	extern struct filterstats frstats[];
545
546	#endif /* __IP_FIL_H__ */