423 | giacomo | 1 | #ifndef _IPFWADM_CORE_H |
2 | #define _IPFWADM_CORE_H |
||
7 | /* Minor modifications to fit into the compatibility framework: |
||
4 | Rusty.Russell@rustcorp.com.au |
||
5 | */ |
||
6 | |||
7 | /* |
||
8 | * IP firewalling code. This is taken from 4.4BSD. Please note the |
||
9 | * copyright message below. As per the GPL it must be maintained |
||
10 | * and the licenses thus do not conflict. While this port is subject |
||
11 | * to the GPL I also place my modifications under the original |
||
12 | * license in recognition of the original copyright. |
||
13 | * |
||
14 | * Ported from BSD to Linux, |
||
15 | * Alan Cox 22/Nov/1994. |
||
16 | * Merged and included the FreeBSD-Current changes at Ugen's request |
||
17 | * (but hey it's a lot cleaner now). Ugen would prefer in some ways |
||
18 | * we waited for his final product but since Linux 1.2.0 is about to |
||
19 | * appear it's not practical - Read: It works, it's not clean but please |
||
20 | * don't consider it to be his standard of finished work. |
||
21 | * Alan. |
||
22 | * |
||
23 | * Fixes: |
||
24 | * Pauline Middelink : Added masquerading. |
||
25 | * Jos Vos : Separate input and output firewall |
||
26 | * chains, new "insert" and "append" |
||
27 | * commands to replace "add" commands, |
||
28 | * add ICMP header to struct ip_fwpkt. |
||
29 | * Jos Vos : Add support for matching device names. |
||
30 | * Willy Konynenberg : Add transparent proxying support. |
||
31 | * Jos Vos : Add options for input/output accounting. |
||
32 | * |
||
33 | * All the real work was done by ..... |
||
34 | */ |
||
35 | |||
36 | /* |
||
37 | * Copyright (c) 1993 Daniel Boulet |
||
38 | * Copyright (c) 1994 Ugen J.S.Antsilevich |
||
39 | * |
||
40 | * Redistribution and use in source forms, with and without modification, |
||
41 | * are permitted provided that this entire comment appears intact. |
||
42 | * |
||
43 | * Redistribution in binary form may occur without any restrictions. |
||
44 | * Obviously, it would be nice if you gave credit where credit is due |
||
45 | * but requiring it would be too onerous. |
||
46 | * |
||
47 | * This software is provided ``AS IS'' without any warranties of any kind. |
||
48 | */ |
||
49 | |||
50 | /* |
||
51 | * Format of an IP firewall descriptor |
||
52 | * |
||
53 | * src, dst, src_mask, dst_mask are always stored in network byte order. |
||
54 | * flags and num_*_ports are stored in host byte order (of course). |
||
55 | * Port numbers are stored in HOST byte order. |
||
56 | */ |
||
57 | |||
58 | #ifdef __KERNEL__ |
||
59 | #include <linux/icmp.h> |
||
60 | #include <linux/in.h> |
||
61 | #include <linux/ip.h> |
||
62 | #include <linux/tcp.h> |
||
63 | #include <linux/udp.h> |
||
64 | #endif |
||
65 | |||
/*
 * One rule on an ipfwadm chain (input, output, forward or accounting).
 *
 * Byte order follows the descriptor comment above: the addresses and masks
 * are network order, fw_flg / fw_nsp / fw_ndp / fw_pts[] are host order.
 * Rules are presumably carried between user space and the kernel by the
 * IP_FW_* socket options declared below, which makes this layout part of
 * the user/kernel ABI -- do not reorder or resize fields.
 *
 * NOTE(review): nothing in this header bounds what arrives from user space.
 * A rule taken from a setsockopt() buffer needs fw_nsp + fw_ndp checked
 * against IP_FW_MAX_PORTS (and >= 2 ports on the side that carries a
 * IP_FW_F_SRNG/IP_FW_F_DRNG range) and fw_vianame NUL-terminated before
 * either is used; confirm the ip_fw_ctl() path does both.
 */
struct ip_fw
{
	struct ip_fw *fw_next;			/* Next firewall on chain */
	struct in_addr fw_src, fw_dst;		/* Source and destination IP addr */
	struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
	struct in_addr fw_via;			/* IP address of interface "via" */
	struct net_device *fw_viadev;		/* device of interface "via" */
						/* NOTE(review): fw_next and fw_viadev are
						 * kernel pointers inside a user-visible
						 * struct; if a rule is ever copied back
						 * to user space as-is they go with it --
						 * confirm they are cleared first. */
	__u16 fw_flg;				/* Flags word (IP_FW_F_*) */
	__u16 fw_nsp, fw_ndp;			/* N'of src ports and # of dst ports */
						/* in ports array (dst ports follow */
						/* src ports; max of 10 ports in all; */
						/* count of 0 means match all ports) */
#define IP_FW_MAX_PORTS	10			/* A reasonable maximum */
	__u16 fw_pts[IP_FW_MAX_PORTS];		/* Array of port numbers to match */
	unsigned long fw_pcnt,fw_bcnt;		/* Packet and byte counters */
	__u8 fw_tosand, fw_tosxor;		/* Revised packet priority */
	char fw_vianame[IFNAMSIZ];		/* name of interface "via" */
};
||
84 | |||
85 | /* |
||
86 | * Values for "flags" field . |
||
87 | */ |
||
88 | |||
/*
 * Bits 0x0001-0x0003 are not independent flags: together they form the
 * two-bit "kind" field (IP_FW_F_ALL / TCP / UDP / ICMP) that IP_FW_F_KIND
 * isolates.  Everything from IP_FW_F_ACCEPT upward is a single bit.
 * IP_FW_F_MASK must stay equal to the OR of every value below (currently
 * bits 0-13) and be updated whenever a flag is added.
 * NOTE(review): a fw_flg arriving from user space with bits outside
 * IP_FW_F_MASK should presumably be rejected by ip_fw_ctl() -- this header
 * cannot enforce it, confirm there.
 */
#define IP_FW_F_ALL	0x0000	/* This is a universal packet firewall*/
#define IP_FW_F_TCP	0x0001	/* This is a TCP packet firewall */
#define IP_FW_F_UDP	0x0002	/* This is a UDP packet firewall */
#define IP_FW_F_ICMP	0x0003	/* This is a ICMP packet firewall */
#define IP_FW_F_KIND	0x0003	/* Mask to isolate firewall kind */
#define IP_FW_F_ACCEPT	0x0004	/* This is an accept firewall (as *
				 *  opposed to a deny firewall)*
				 *					*/
#define IP_FW_F_SRNG	0x0008	/* The first two src ports are a min	*
				 * and max range (stored in host byte	*
				 * order).				*
				 *					*/
#define IP_FW_F_DRNG	0x0010	/* The first two dst ports are a min	*
				 * and max range (stored in host byte	*
				 * order).				*
				 * (ports[0] <= port <= ports[1])	*
				 *					*/
#define IP_FW_F_PRN	0x0020	/* In verbose mode print this firewall*/
#define IP_FW_F_BIDIR	0x0040	/* For bidirectional firewalls */
#define IP_FW_F_TCPSYN	0x0080	/* For tcp packets-check SYN only */
#define IP_FW_F_ICMPRPL	0x0100	/* Send back icmp unreachable packet */
#define IP_FW_F_MASQ	0x0200	/* Masquerading */
#define IP_FW_F_TCPACK	0x0400	/* For tcp-packets match if ACK is set*/
#define IP_FW_F_REDIR	0x0800	/* Redirect to local port fw_pts[n] */
#define IP_FW_F_ACCTIN	0x1000	/* Account incoming packets only. */
#define IP_FW_F_ACCTOUT	0x2000	/* Account outgoing packets only. */

#define IP_FW_F_MASK	0x3FFF	/* All possible flag bits mask */
||
117 | |||
118 | /* |
||
119 | * New IP firewall options for [gs]etsockopt at the RAW IP level. |
||
120 | * Unlike BSD Linux inherits IP options so you don't have to use |
||
121 | * a raw socket for this. Instead we check rights in the calls. |
||
122 | */ |
||
123 | |||
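#define IP_FW_BASE_CTL		64	/* base for firewall socket options */

/*
 * Every option value is  (command | chain << IP_FW_SHIFT).  IP_FW_COMMAND
 * and IP_FW_TYPE split it back into its two parts.
 *
 * NOTE(review): IP_FW_TYPE (0x0300) holds only two bits, i.e. chains 0-3.
 * IP_FW_MASQ << IP_FW_SHIFT is 0x0500, which does not fit: code that
 * decodes the chain with `(opt & IP_FW_TYPE) >> IP_FW_SHIFT` sees every
 * IP_FW_MASQ_* option as IP_FW_IN.  Confirm how the masquerade options are
 * actually dispatched before relying on IP_FW_TYPE for them.
 */
#define IP_FW_COMMAND		0x00FF	/* mask for command without chain */
#define IP_FW_TYPE		0x0300	/* mask for type (chain) */
#define IP_FW_SHIFT		8	/* shift count for type (chain) */

/* Chain selectors (the "type" part). */
#define IP_FW_FWD		0
#define IP_FW_IN		1
#define IP_FW_OUT		2
#define IP_FW_ACCT		3
#define IP_FW_CHAINS		4	/* total number of ip_fw chains */
#define IP_FW_MASQ		5

/* Commands (the low byte). */
#define IP_FW_INSERT		(IP_FW_BASE_CTL)
#define IP_FW_APPEND		(IP_FW_BASE_CTL+1)
#define IP_FW_DELETE		(IP_FW_BASE_CTL+2)
#define IP_FW_FLUSH		(IP_FW_BASE_CTL+3)
#define IP_FW_ZERO		(IP_FW_BASE_CTL+4)
#define IP_FW_POLICY		(IP_FW_BASE_CTL+5)
#define IP_FW_CHECK		(IP_FW_BASE_CTL+6)
#define IP_FW_MASQ_TIMEOUTS	(IP_FW_BASE_CTL+7)

/* Forward chain. */
#define IP_FW_INSERT_FWD	(IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_APPEND_FWD	(IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_DELETE_FWD	(IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_FLUSH_FWD		(IP_FW_FLUSH  | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_ZERO_FWD		(IP_FW_ZERO   | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_POLICY_FWD	(IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT))
#define IP_FW_CHECK_FWD		(IP_FW_CHECK  | (IP_FW_FWD << IP_FW_SHIFT))

/* Input chain. */
#define IP_FW_INSERT_IN		(IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_APPEND_IN		(IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_DELETE_IN		(IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_FLUSH_IN		(IP_FW_FLUSH  | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_ZERO_IN		(IP_FW_ZERO   | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_POLICY_IN		(IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT))
#define IP_FW_CHECK_IN		(IP_FW_CHECK  | (IP_FW_IN << IP_FW_SHIFT))

/* Output chain. */
#define IP_FW_INSERT_OUT	(IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_APPEND_OUT	(IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_DELETE_OUT	(IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_FLUSH_OUT		(IP_FW_FLUSH  | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_ZERO_OUT		(IP_FW_ZERO   | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_POLICY_OUT	(IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT))
#define IP_FW_CHECK_OUT		(IP_FW_CHECK  | (IP_FW_OUT << IP_FW_SHIFT))

/* Accounting chain (no policy / check commands). */
#define IP_ACCT_INSERT		(IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_APPEND		(IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_DELETE		(IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_FLUSH		(IP_FW_FLUSH  | (IP_FW_ACCT << IP_FW_SHIFT))
#define IP_ACCT_ZERO		(IP_FW_ZERO   | (IP_FW_ACCT << IP_FW_SHIFT))

/* Masquerading control.  (This group was defined twice, identically, in the
 * original header; the duplicate has been removed.) */
#define IP_FW_MASQ_INSERT	(IP_FW_INSERT | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_ADD		(IP_FW_APPEND | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_DEL		(IP_FW_DELETE | (IP_FW_MASQ << IP_FW_SHIFT))
#define IP_FW_MASQ_FLUSH	(IP_FW_FLUSH  | (IP_FW_MASQ << IP_FW_SHIFT))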
||
185 | |||
/*
 * Packet image used to test a packet against the rules: the IP header,
 * the transport header that follows it (TCP, UDP or ICMP, selected by the
 * protocol in fwp_iph), and the interface it was seen on.  Presumably this
 * is the buffer the IP_FW_CHECK_* options take from user space (see the
 * IP_FW_MODE_CHK "check requested by user" mode below) -- confirm.
 * NOTE(review): when it does come from user space, fwp_vianame must be
 * NUL-terminated before it is compared against rule names.
 */
struct ip_fwpkt
{
	struct iphdr fwp_iph;			/* IP header */
	union {
		struct tcphdr fwp_tcph;		/* TCP header or */
		struct udphdr fwp_udph;		/* UDP header */
		struct icmphdr fwp_icmph;	/* ICMP header */
	} fwp_protoh;
	struct in_addr fwp_via;			/* interface address */
	char fwp_vianame[IFNAMSIZ];		/* interface name */
};
||
197 | |||
#define IP_FW_MASQCTL_MAX	256	/* NOTE(review): presumably the largest
					 * masqctl request accepted from user
					 * space, in bytes -- confirm in the
					 * implementation. */
#define IP_MASQ_MOD_NMAX	32	/* size of the masq-module name field */

/*
 * Request passed to the masquerading control entry point.
 *
 * u.mod.data[1] is the pre-C99 "struct hack": the real payload continues
 * past sizeof(struct ip_fw_masqctl), so sizeof is only a lower bound and
 * the caller-supplied length is the only indication of how much of data[]
 * is valid.  It is deliberately not converted to a C99 flexible array
 * member -- that would change sizeof and therefore the user/kernel ABI.
 * NOTE(review): u.mod.name is a fixed 32-byte field with no guaranteed
 * terminator; anything that treats it as a C string must bound the read by
 * IP_MASQ_MOD_NMAX.
 */
struct ip_fw_masqctl
{
	int mctl_action;			/* which masq operation to perform */
	union {
		struct {
			char name[IP_MASQ_MOD_NMAX];	/* module name, not NUL-guaranteed */
			char data[1];			/* start of variable-length payload */
		} mod;
	} u;
};
||
211 | |||
212 | /* |
||
213 | * timeouts for ip masquerading |
||
214 | */ |
||
215 | |||
216 | struct ip_fw_masq; |
||
217 | |||
218 | /* |
||
219 | * Main firewall chains definitions and global var's definitions. |
||
220 | */ |
||
221 | |||
#ifdef __KERNEL__

/* Modes used in the ip_fw_chk() routine. */
#define IP_FW_MODE_FW		0x00	/* kernel firewall check */
#define IP_FW_MODE_ACCT_IN	0x01	/* accounting (incoming) */
#define IP_FW_MODE_ACCT_OUT	0x02	/* accounting (outgoing) */
#define IP_FW_MODE_CHK		0x04	/* check requested by user */

#include <linux/config.h>
#ifdef CONFIG_IP_FIREWALL
/* Heads of the three filtering chains and the default policy applied when
 * no rule on the chain matches. */
extern struct ip_fw *ip_fw_in_chain;
extern struct ip_fw *ip_fw_out_chain;
extern struct ip_fw *ip_fw_fwd_chain;
extern int ip_fw_in_policy;
extern int ip_fw_out_policy;
extern int ip_fw_fwd_policy;
/* Back end for the IP_FW_* socket options.  The arguments are presumably
 * (option, user buffer, length) by analogy with ip_fw_masq_timeouts()
 * below -- confirm.  Since the buffer comes from user space, the length
 * must be validated against the expected struct size before it is read. */
extern int ip_fw_ctl(int, void *, int);
#endif
#ifdef CONFIG_IP_ACCT
extern struct ip_fw *ip_acct_chain;
extern int ip_acct_ctl(int, void *, int);	/* IP_ACCT_* counterpart of ip_fw_ctl() */
#endif
#ifdef CONFIG_IP_MASQUERADE
extern int ip_masq_ctl(int, void *, int);	/* IP_FW_MASQ_* counterpart of ip_fw_ctl() */
#endif
/* NOTE(review): the block below is a verbatim duplicate of the one just
 * above (identical declaration, so harmless) and can be dropped. */
#ifdef CONFIG_IP_MASQUERADE
extern int ip_masq_ctl(int, void *, int);
#endif

/* IP_FW_MASQ_TIMEOUTS: reads the new timeouts from the user buffer. */
extern int ip_fw_masq_timeouts(void *user, int len);

/* Match a packet against a chain.  One of the two int arguments is an
 * IP_FW_MODE_* value (see above); which one, and the meaning of the __u16
 * out-parameter, are not visible from this header -- confirm. */
extern int ip_fw_chk(struct sk_buff **, struct net_device *, __u16 *,
		     struct ip_fw *, int, int);
#endif /* KERNEL */
#endif /* _IPFWADM_CORE_H */