Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 423 | giacomo | 1 | #ifndef _IPFWADM_CORE_H |
| 2 | #define _IPFWADM_CORE_H |
||
| 3 | /* Minor modifications to fit on compatibility framework: |
||
| 4 | Rusty.Russell@rustcorp.com.au |
||
| 5 | */ |
||
| 6 | |||
| 7 | /* |
||
| 8 | * IP firewalling code. This is taken from 4.4BSD. Please note the |
||
| 9 | * copyright message below. As per the GPL it must be maintained |
||
| 10 | * and the licenses thus do not conflict. While this port is subject |
||
| 11 | * to the GPL I also place my modifications under the original |
||
| 12 | * license in recognition of the original copyright. |
||
| 13 | * |
||
| 14 | * Ported from BSD to Linux, |
||
| 15 | * Alan Cox 22/Nov/1994. |
||
| 16 | * Merged and included the FreeBSD-Current changes at Ugen's request |
||
| 17 | * (but hey it's a lot cleaner now). Ugen would prefer in some ways |
||
| 18 | * we waited for his final product but since Linux 1.2.0 is about to |
||
| 19 | * appear it's not practical - Read: It works, it's not clean but please |
||
| 20 | * don't consider it to be his standard of finished work. |
||
| 21 | * Alan. |
||
| 22 | * |
||
| 23 | * Fixes: |
||
| 24 | * Pauline Middelink : Added masquerading. |
||
| 25 | * Jos Vos : Separate input and output firewall |
||
| 26 | * chains, new "insert" and "append" |
||
| 27 | * commands to replace "add" commands, |
||
| 28 | * add ICMP header to struct ip_fwpkt. |
||
| 29 | * Jos Vos : Add support for matching device names. |
||
| 30 | * Willy Konynenberg : Add transparent proxying support. |
||
| 31 | * Jos Vos : Add options for input/output accounting. |
||
| 32 | * |
||
| 33 | * All the real work was done by ..... |
||
| 34 | */ |
||
| 35 | |||
| 36 | /* |
||
| 37 | * Copyright (c) 1993 Daniel Boulet |
||
| 38 | * Copyright (c) 1994 Ugen J.S.Antsilevich |
||
| 39 | * |
||
| 40 | * Redistribution and use in source forms, with and without modification, |
||
| 41 | * are permitted provided that this entire comment appears intact. |
||
| 42 | * |
||
| 43 | * Redistribution in binary form may occur without any restrictions. |
||
| 44 | * Obviously, it would be nice if you gave credit where credit is due |
||
| 45 | * but requiring it would be too onerous. |
||
| 46 | * |
||
| 47 | * This software is provided ``AS IS'' without any warranties of any kind. |
||
| 48 | */ |
||
| 49 | |||
| 50 | /* |
||
| 51 | * Format of an IP firewall descriptor |
||
| 52 | * |
||
| 53 | * src, dst, src_mask, dst_mask are always stored in network byte order. |
||
| 54 | * flags and num_*_ports are stored in host byte order (of course). |
||
| 55 | * Port numbers are stored in HOST byte order. |
||
| 56 | */ |
||
| 57 | |||
| 58 | #ifdef __KERNEL__ |
||
| 59 | #include <linux/icmp.h> |
||
| 60 | #include <linux/in.h> |
||
| 61 | #include <linux/ip.h> |
||
| 62 | #include <linux/tcp.h> |
||
| 63 | #include <linux/udp.h> |
||
| 64 | #endif |
||
| 65 | |||
| 66 | struct ip_fw |
||
| 67 | { |
||
| 68 | struct ip_fw *fw_next; /* Next firewall on chain */ |
||
| 69 | struct in_addr fw_src, fw_dst; /* Source and destination IP addr */ |
||
| 70 | struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */ |
||
| 71 | struct in_addr fw_via; /* IP address of interface "via" */ |
||
| 72 | struct net_device *fw_viadev; /* device of interface "via" */ |
||
| 73 | __u16 fw_flg; /* Flags word */ |
||
| 74 | __u16 fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */ |
||
| 75 | /* in ports array (dst ports follow */ |
||
| 76 | /* src ports; max of 10 ports in all; */ |
||
| 77 | /* count of 0 means match all ports) */ |
||
| 78 | #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */ |
||
| 79 | __u16 fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */ |
||
| 80 | unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */ |
||
| 81 | __u8 fw_tosand, fw_tosxor; /* Revised packet priority */ |
||
| 82 | char fw_vianame[IFNAMSIZ]; /* name of interface "via" */ |
||
| 83 | }; |
||
| 84 | |||
| 85 | /* |
||
| 86 | * Values for "flags" field . |
||
| 87 | */ |
||
| 88 | |||
| 89 | #define IP_FW_F_ALL 0x0000 /* This is a universal packet firewall*/ |
||
| 90 | #define IP_FW_F_TCP 0x0001 /* This is a TCP packet firewall */ |
||
| 91 | #define IP_FW_F_UDP 0x0002 /* This is a UDP packet firewall */ |
||
| 92 | #define IP_FW_F_ICMP 0x0003 /* This is a ICMP packet firewall */ |
||
| 93 | #define IP_FW_F_KIND 0x0003 /* Mask to isolate firewall kind */ |
||
| 94 | #define IP_FW_F_ACCEPT 0x0004 /* This is an accept firewall (as * |
||
| 95 | * opposed to a deny firewall)* |
||
| 96 | * */ |
||
| 97 | #define IP_FW_F_SRNG 0x0008 /* The first two src ports are a min * |
||
| 98 | * and max range (stored in host byte * |
||
| 99 | * order). * |
||
| 100 | * */ |
||
| 101 | #define IP_FW_F_DRNG 0x0010 /* The first two dst ports are a min * |
||
| 102 | * and max range (stored in host byte * |
||
| 103 | * order). * |
||
| 104 | * (ports[0] <= port <= ports[1]) * |
||
| 105 | * */ |
||
| 106 | #define IP_FW_F_PRN 0x0020 /* In verbose mode print this firewall*/ |
||
| 107 | #define IP_FW_F_BIDIR 0x0040 /* For bidirectional firewalls */ |
||
| 108 | #define IP_FW_F_TCPSYN 0x0080 /* For tcp packets-check SYN only */ |
||
| 109 | #define IP_FW_F_ICMPRPL 0x0100 /* Send back icmp unreachable packet */ |
||
| 110 | #define IP_FW_F_MASQ 0x0200 /* Masquerading */ |
||
| 111 | #define IP_FW_F_TCPACK 0x0400 /* For tcp-packets match if ACK is set*/ |
||
| 112 | #define IP_FW_F_REDIR 0x0800 /* Redirect to local port fw_pts[n] */ |
||
| 113 | #define IP_FW_F_ACCTIN 0x1000 /* Account incoming packets only. */ |
||
| 114 | #define IP_FW_F_ACCTOUT 0x2000 /* Account outgoing packets only. */ |
||
| 115 | |||
| 116 | #define IP_FW_F_MASK 0x3FFF /* All possible flag bits mask */ |
||
| 117 | |||
| 118 | /* |
||
| 119 | * New IP firewall options for [gs]etsockopt at the RAW IP level. |
||
| 120 | * Unlike BSD Linux inherits IP options so you don't have to use |
||
| 121 | * a raw socket for this. Instead we check rights in the calls. |
||
| 122 | */ |
||
| 123 | |||
| 124 | #define IP_FW_BASE_CTL 64 /* base for firewall socket options */ |
||
| 125 | |||
| 126 | #define IP_FW_COMMAND 0x00FF /* mask for command without chain */ |
||
| 127 | #define IP_FW_TYPE 0x0300 /* mask for type (chain) */ |
||
| 128 | #define IP_FW_SHIFT 8 /* shift count for type (chain) */ |
||
| 129 | |||
| 130 | #define IP_FW_FWD 0 |
||
| 131 | #define IP_FW_IN 1 |
||
| 132 | #define IP_FW_OUT 2 |
||
| 133 | #define IP_FW_ACCT 3 |
||
| 134 | #define IP_FW_CHAINS 4 /* total number of ip_fw chains */ |
||
| 135 | #define IP_FW_MASQ 5 |
||
| 136 | |||
| 137 | #define IP_FW_INSERT (IP_FW_BASE_CTL) |
||
| 138 | #define IP_FW_APPEND (IP_FW_BASE_CTL+1) |
||
| 139 | #define IP_FW_DELETE (IP_FW_BASE_CTL+2) |
||
| 140 | #define IP_FW_FLUSH (IP_FW_BASE_CTL+3) |
||
| 141 | #define IP_FW_ZERO (IP_FW_BASE_CTL+4) |
||
| 142 | #define IP_FW_POLICY (IP_FW_BASE_CTL+5) |
||
| 143 | #define IP_FW_CHECK (IP_FW_BASE_CTL+6) |
||
| 144 | #define IP_FW_MASQ_TIMEOUTS (IP_FW_BASE_CTL+7) |
||
| 145 | |||
| 146 | #define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 147 | #define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 148 | #define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 149 | #define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 150 | #define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 151 | #define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 152 | #define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT)) |
||
| 153 | |||
| 154 | #define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 155 | #define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 156 | #define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 157 | #define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 158 | #define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 159 | #define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 160 | #define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT)) |
||
| 161 | |||
| 162 | #define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 163 | #define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 164 | #define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 165 | #define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 166 | #define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 167 | #define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 168 | #define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT)) |
||
| 169 | |||
| 170 | #define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT)) |
||
| 171 | #define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT)) |
||
| 172 | #define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT)) |
||
| 173 | #define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT)) |
||
| 174 | #define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT)) |
||
| 175 | |||
| 176 | #define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 177 | #define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 178 | #define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 179 | #define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 180 | |||
| 181 | #define IP_FW_MASQ_INSERT (IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 182 | #define IP_FW_MASQ_ADD (IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 183 | #define IP_FW_MASQ_DEL (IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 184 | #define IP_FW_MASQ_FLUSH (IP_FW_FLUSH | (IP_FW_MASQ << IP_FW_SHIFT)) |
||
| 185 | |||
| 186 | struct ip_fwpkt |
||
| 187 | { |
||
| 188 | struct iphdr fwp_iph; /* IP header */ |
||
| 189 | union { |
||
| 190 | struct tcphdr fwp_tcph; /* TCP header or */ |
||
| 191 | struct udphdr fwp_udph; /* UDP header */ |
||
| 192 | struct icmphdr fwp_icmph; /* ICMP header */ |
||
| 193 | } fwp_protoh; |
||
| 194 | struct in_addr fwp_via; /* interface address */ |
||
| 195 | char fwp_vianame[IFNAMSIZ]; /* interface name */ |
||
| 196 | }; |
||
| 197 | |||
| 198 | #define IP_FW_MASQCTL_MAX 256 |
||
| 199 | #define IP_MASQ_MOD_NMAX 32 |
||
| 200 | |||
| 201 | struct ip_fw_masqctl |
||
| 202 | { |
||
| 203 | int mctl_action; |
||
| 204 | union { |
||
| 205 | struct { |
||
| 206 | char name[IP_MASQ_MOD_NMAX]; |
||
| 207 | char data[1]; |
||
| 208 | } mod; |
||
| 209 | } u; |
||
| 210 | }; |
||
| 211 | |||
| 212 | /* |
||
| 213 | * timeouts for ip masquerading |
||
| 214 | */ |
||
| 215 | |||
| 216 | struct ip_fw_masq; |
||
| 217 | |||
| 218 | /* |
||
| 219 | * Main firewall chains definitions and global var's definitions. |
||
| 220 | */ |
||
| 221 | |||
| 222 | #ifdef __KERNEL__ |
||
| 223 | |||
| 224 | /* Modes used in the ip_fw_chk() routine. */ |
||
| 225 | #define IP_FW_MODE_FW 0x00 /* kernel firewall check */ |
||
| 226 | #define IP_FW_MODE_ACCT_IN 0x01 /* accounting (incoming) */ |
||
| 227 | #define IP_FW_MODE_ACCT_OUT 0x02 /* accounting (outgoing) */ |
||
| 228 | #define IP_FW_MODE_CHK 0x04 /* check requested by user */ |
||
| 229 | |||
| 230 | #include <linux/config.h> |
||
| 231 | #ifdef CONFIG_IP_FIREWALL |
||
| 232 | extern struct ip_fw *ip_fw_in_chain; |
||
| 233 | extern struct ip_fw *ip_fw_out_chain; |
||
| 234 | extern struct ip_fw *ip_fw_fwd_chain; |
||
| 235 | extern int ip_fw_in_policy; |
||
| 236 | extern int ip_fw_out_policy; |
||
| 237 | extern int ip_fw_fwd_policy; |
||
| 238 | extern int ip_fw_ctl(int, void *, int); |
||
| 239 | #endif |
||
| 240 | #ifdef CONFIG_IP_ACCT |
||
| 241 | extern struct ip_fw *ip_acct_chain; |
||
| 242 | extern int ip_acct_ctl(int, void *, int); |
||
| 243 | #endif |
||
| 244 | #ifdef CONFIG_IP_MASQUERADE |
||
| 245 | extern int ip_masq_ctl(int, void *, int); |
||
| 246 | #endif |
||
| 247 | #ifdef CONFIG_IP_MASQUERADE |
||
| 248 | extern int ip_masq_ctl(int, void *, int); |
||
| 249 | #endif |
||
| 250 | |||
| 251 | extern int ip_fw_masq_timeouts(void *user, int len); |
||
| 252 | |||
| 253 | extern int ip_fw_chk(struct sk_buff **, struct net_device *, __u16 *, |
||
| 254 | struct ip_fw *, int, int); |
||
| 255 | #endif /* KERNEL */ |
||
| 256 | #endif /* _IP_FW_H */ |