[src/netbsd-1-4]: src/sys/netinet Pull up revision 1.32 (requested by darrenr):
details: https://anonhg.NetBSD.org/src/rev/7f9e4fd9de76
branches: netbsd-1-4
changeset: 469950:7f9e4fd9de76
user: he <he%NetBSD.org@localhost>
date: Mon Dec 20 21:07:52 1999 +0000
description:
Pull up revision 1.32 (requested by darrenr):
Update IPF to version 3.3.5.
diffstat:
sys/netinet/ip_fil.h | 239 +++++++++++++++++++++++++++++---------------------
1 files changed, 139 insertions(+), 100 deletions(-)
diffs (truncated from 441 to 300 lines):
diff -r 40528166b3c5 -r 7f9e4fd9de76 sys/netinet/ip_fil.h
--- a/sys/netinet/ip_fil.h Mon Dec 20 21:07:46 1999 +0000
+++ b/sys/netinet/ip_fil.h Mon Dec 20 21:07:52 1999 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: ip_fil.h,v 1.31 1998/12/11 23:47:16 mrg Exp $ */
+/* $NetBSD: ip_fil.h,v 1.31.2.1 1999/12/20 21:07:52 he Exp $ */
/*
* Copyright (C) 1993-1998 by Darren Reed.
@@ -8,13 +8,14 @@
* to the original author and the contributors.
*
* @(#)ip_fil.h 1.35 6/5/96
- * Id: ip_fil.h,v 2.0.2.39.2.18 1998/11/22 01:50:24 darrenr Exp
+ * Id: ip_fil.h,v 2.3.2.5 1999/12/04 02:07:00 darrenr Exp
*/
#ifndef _NETINET_IP_FIL_H_
#define _NETINET_IP_FIL_H_
-#if defined(__NetBSD__) && defined(_KERNEL) && !defined(_LKM)
+#if defined(__NetBSD__) && defined(_KERNEL) && !defined(_LKM) && \
+ (NetBSD >= 199905) && !defined(IPFILTER_LKM)
# include "opt_ipfilter_log.h"
#endif
@@ -27,11 +28,11 @@
#define IPAUTH_NAME "/dev/ipauth"
#ifndef SOLARIS
-#define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
+# define SOLARIS (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#endif
-#if defined(KERNEL) && !defined(_KERNEL)
-#define _KERNEL
+#if defined(__FreeBSD__) && defined(KERNEL) && !defined(_KERNEL)
+# define _KERNEL
#endif
#ifndef __P
@@ -43,45 +44,45 @@
#endif
#if defined(__STDC__) || defined(__GNUC__)
-#define SIOCADAFR _IOW('r', 60, struct frentry)
-#define SIOCRMAFR _IOW('r', 61, struct frentry)
-#define SIOCSETFF _IOW('r', 62, u_int)
-#define SIOCGETFF _IOR('r', 63, u_int)
-#define SIOCGETFS _IOR('r', 64, struct friostat)
-#define SIOCIPFFL _IOWR('r', 65, int)
-#define SIOCIPFFB _IOR('r', 66, int)
-#define SIOCADIFR _IOW('r', 67, struct frentry)
-#define SIOCRMIFR _IOW('r', 68, struct frentry)
-#define SIOCSWAPA _IOR('r', 69, u_int)
-#define SIOCINAFR _IOW('r', 70, struct frentry)
-#define SIOCINIFR _IOW('r', 71, struct frentry)
-#define SIOCFRENB _IOW('r', 72, u_int)
-#define SIOCFRSYN _IOW('r', 73, u_int)
-#define SIOCFRZST _IOWR('r', 74, struct friostat)
-#define SIOCZRLST _IOWR('r', 75, struct frentry)
-#define SIOCAUTHW _IOWR('r', 76, struct fr_info)
-#define SIOCAUTHR _IOWR('r', 77, struct fr_info)
-#define SIOCATHST _IOWR('r', 78, struct fr_authstat)
+# define SIOCADAFR _IOW('r', 60, struct frentry)
+# define SIOCRMAFR _IOW('r', 61, struct frentry)
+# define SIOCSETFF _IOW('r', 62, u_int)
+# define SIOCGETFF _IOR('r', 63, u_int)
+# define SIOCGETFS _IOR('r', 64, struct friostat)
+# define SIOCIPFFL _IOWR('r', 65, int)
+# define SIOCIPFFB _IOR('r', 66, int)
+# define SIOCADIFR _IOW('r', 67, struct frentry)
+# define SIOCRMIFR _IOW('r', 68, struct frentry)
+# define SIOCSWAPA _IOR('r', 69, u_int)
+# define SIOCINAFR _IOW('r', 70, struct frentry)
+# define SIOCINIFR _IOW('r', 71, struct frentry)
+# define SIOCFRENB _IOW('r', 72, u_int)
+# define SIOCFRSYN _IOW('r', 73, u_int)
+# define SIOCFRZST _IOWR('r', 74, struct friostat)
+# define SIOCZRLST _IOWR('r', 75, struct frentry)
+# define SIOCAUTHW _IOWR('r', 76, struct fr_info)
+# define SIOCAUTHR _IOWR('r', 77, struct fr_info)
+# define SIOCATHST _IOWR('r', 78, struct fr_authstat)
#else
-#define SIOCADAFR _IOW(r, 60, struct frentry)
-#define SIOCRMAFR _IOW(r, 61, struct frentry)
-#define SIOCSETFF _IOW(r, 62, u_int)
-#define SIOCGETFF _IOR(r, 63, u_int)
-#define SIOCGETFS _IOR(r, 64, struct friostat)
-#define SIOCIPFFL _IOWR(r, 65, int)
-#define SIOCIPFFB _IOR(r, 66, int)
-#define SIOCADIFR _IOW(r, 67, struct frentry)
-#define SIOCRMIFR _IOW(r, 68, struct frentry)
-#define SIOCSWAPA _IOR(r, 69, u_int)
-#define SIOCINAFR _IOW(r, 70, struct frentry)
-#define SIOCINIFR _IOW(r, 71, struct frentry)
-#define SIOCFRENB _IOW(r, 72, u_int)
-#define SIOCFRSYN _IOW(r, 73, u_int)
-#define SIOCFRZST _IOWR(r, 74, struct friostat)
-#define SIOCZRLST _IOWR(r, 75, struct frentry)
-#define SIOCAUTHW _IOWR(r, 76, struct fr_info)
-#define SIOCAUTHR _IOWR(r, 77, struct fr_info)
-#define SIOCATHST _IOWR(r, 78, struct fr_authstat)
+# define SIOCADAFR _IOW(r, 60, struct frentry)
+# define SIOCRMAFR _IOW(r, 61, struct frentry)
+# define SIOCSETFF _IOW(r, 62, u_int)
+# define SIOCGETFF _IOR(r, 63, u_int)
+# define SIOCGETFS _IOR(r, 64, struct friostat)
+# define SIOCIPFFL _IOWR(r, 65, int)
+# define SIOCIPFFB _IOR(r, 66, int)
+# define SIOCADIFR _IOW(r, 67, struct frentry)
+# define SIOCRMIFR _IOW(r, 68, struct frentry)
+# define SIOCSWAPA _IOR(r, 69, u_int)
+# define SIOCINAFR _IOW(r, 70, struct frentry)
+# define SIOCINIFR _IOW(r, 71, struct frentry)
+# define SIOCFRENB _IOW(r, 72, u_int)
+# define SIOCFRSYN _IOW(r, 73, u_int)
+# define SIOCFRZST _IOWR(r, 74, struct friostat)
+# define SIOCZRLST _IOWR(r, 75, struct frentry)
+# define SIOCAUTHW _IOWR(r, 76, struct fr_info)
+# define SIOCAUTHR _IOWR(r, 77, struct fr_info)
+# define SIOCATHST _IOWR(r, 78, struct fr_authstat)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
@@ -104,25 +105,36 @@
#define FI_TCPUDP (FF_TCPUDP >> 24) /* TCP/UCP implied comparison*/
#define FI_FRAG (FF_FRAG >> 24)
#define FI_SHORT (FF_SHORT >> 24)
+#define FI_CMP (FI_OPTIONS|FI_TCPUDP|FI_SHORT)
+
+/*
+ * These are both used by the state and NAT code to indicate that one port or
+ * the other should be treated as a wildcard.
+ */
+#define FI_W_SPORT 0x00000100
+#define FI_W_DPORT 0x00000200
+#define FI_WILD (FI_W_SPORT|FI_W_DPORT)
typedef struct fr_info {
+ void *fin_ifp; /* interface packet is `on' */
struct fr_ip fin_fi; /* IP Packet summary */
u_short fin_data[2]; /* TCP/UDP ports, ICMP code/type */
- u_short fin_out; /* in or out ? 1 == out, 0 == in */
+ u_char fin_out; /* in or out ? 1 == out, 0 == in */
+ u_char fin_rev; /* state only: 1 = reverse */
u_short fin_hlen; /* length of IP header in bytes */
u_char fin_tcpf; /* TCP header flags (SYN, ACK, etc) */
/* From here on is packet specific */
u_char fin_icode; /* ICMP error to return */
u_short fin_rule; /* rule # last matched */
u_short fin_group; /* group number, -1 for none */
+ struct frentry *fin_fr; /* last matching rule */
+ char *fin_dp; /* start of data past IP header */
u_short fin_dlen; /* length of data portion of packet */
u_short fin_id; /* IP packet id field */
- void *fin_ifp; /* interface packet is `on' */
- struct frentry *fin_fr; /* last matching rule */
- char *fin_dp; /* start of data past IP header */
void *fin_mp; /* pointer to pointer to mbuf */
#if SOLARIS && defined(_KERNEL)
void *fin_qfm; /* pointer to mblk where pkt starts */
+ void *fin_qif;
#endif
} fr_info_t;
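Review bot: Moving fin_ifp, fin_fr and fin_dp and adding fin_rev changes the layout of struct fr_info, which crosses the user/kernel boundary through SIOCAUTHW/SIOCAUTHR (`_IOWR('r', 76, struct fr_info)` above), while the ioctl numbers are unchanged. The BSD _IOWR encoding only catches a mismatch when sizeof differs; if the new layout happens to be the same size, an old ipf userland binary hands the kernel a misinterpreted structure instead of getting ENOTTY. I would add a comment at the top of the struct, `/* ABI: layout is shared with userland via SIOCAUTHW/SIOCAUTHR; any field change requires rebuilding the ipf tools */`, and, if the authentication ioctl handler does not already do so, have it reject callers whose tool version disagrees with the kernel (the new f_version field in friostat gives userland a way to check first). The ioctl handler is not in this file, so I cannot confirm what it checks today.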
@@ -149,6 +161,9 @@
struct frentry *fr_grp;
int fr_ref; /* reference count - for grouping */
void *fr_ifa;
+#if BSD >= 199306
+ void *fr_oifa;
+#endif
/*
* These are only incremented when a packet matches this rule and
* it is the last match
@@ -174,10 +189,14 @@
u_short fr_stop; /* top port for <> and >< */
u_short fr_dtop; /* top port for <> and >< */
u_32_t fr_flags; /* per-rule flags && options (see below) */
- int fr_skip; /* # of rules to skip */
+ u_short fr_skip; /* # of rules to skip */
+ u_short fr_loglevel; /* syslog log facility + priority */
int (*fr_func) __P((int, ip_t *, fr_info_t *)); /* call this function */
char fr_icode; /* return ICMP code */
char fr_ifname[IFNAMSIZ];
+#if BSD >= 199306
+ char fr_oifname[IFNAMSIZ];
+#endif
struct frdest fr_tif; /* "to" interface */
struct frdest fr_dif; /* duplicate packet interfaces */
} frentry_t;
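Review bot: fr_skip narrows from int to u_short, and struct frentry is user-supplied (SIOCADAFR/SIOCINAFR take it), so a skip count out of range is now silently truncated modulo 65536 rather than rejected; the comment should say so and state where the bound is enforced, e.g. `u_short fr_skip; /* # of rules to skip (16-bit); ioctl path must check it against the list length */`. The code that walks the rule list by this count is not in this file, so I cannot confirm such a check exists. The new fr_loglevel is also caller-controlled and presumably ends up in the log record as fl_loglevel; if it is passed through unvalidated, that should be documented at the field.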
@@ -209,6 +228,7 @@
#define FR_LOGFIRST 0x00040 /* Log the first byte if state held */
#define FR_RETRST 0x00080 /* Return TCP RST packet - reset connection */
#define FR_RETICMP 0x00100 /* Return ICMP unreachable packet */
+#define FR_FAKEICMP 0x00180 /* Return ICMP unreachable with fake source */
#define FR_NOMATCH 0x00200 /* no match occured */
#define FR_ACCOUNT 0x00400 /* count packet bytes */
#define FR_KEEPFRAG 0x00800 /* keep fragment information */
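Review bot: FR_FAKEICMP is 0x00180, which is exactly FR_RETRST|FR_RETICMP, so it is not an independent bit: any test of the form `(fr_flags & FR_RETICMP)` or `(fr_flags & FR_RETRST)` also matches a fake-ICMP rule, and a rule that sets both return flags is indistinguishable from a fake-ICMP one. If that aliasing is intentional it needs to be stated at the definition, e.g. `/* == FR_RETRST|FR_RETICMP; test with (fr_flags & FR_RETMASK) == FR_FAKEICMP, never by a single bit */`. The dispatch code that interprets these flags is not in this file, so I cannot confirm how it tests them.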
@@ -223,8 +243,10 @@
#define FR_NOTDSTIP 0x100000 /* not the dst IP# */
#define FR_AUTH 0x200000 /* use authentication */
#define FR_PREAUTH 0x400000 /* require preauthentication */
+#define FR_DONTCACHE 0x800000 /* don't cache the result */
#define FR_LOGMASK (FR_LOG|FR_LOGP|FR_LOGB)
+#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
/*
* These correspond to #define's for FI_* and are stored in fr_flags
@@ -290,8 +312,13 @@
struct frentry *f_acctin[2];
struct frentry *f_acctout[2];
struct frentry *f_auth;
+ struct frgroup *f_groups[3][2];
u_long f_froute[2];
- int f_active;
+ int f_active; /* 1 or 0 - active rule set */
+ int f_defpass; /* default pass - from fr_pass */
+ int f_running; /* 1 if running, else 0 */
+ int f_logging; /* 1 if enabled, else 0 */
+ char f_version[32]; /* version string */
} friostat_t;
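Review bot: f_version[32] is copied out to userland through SIOCGETFS (`_IOR('r', 64, struct friostat)`), and nothing here guarantees it is NUL-terminated or that its unused tail is zeroed; whatever fills it should use a bounded, terminating copy, and readers should not pass it to an unbounded %s. The same ioctl copies the whole structure, so if the kernel populates a stack copy without zeroing it first, any unwritten bytes reach the caller. I would document the contract at the field: `char f_version[32]; /* NUL-terminated; filler must terminate and zero the tail */`. The filling code is outside this hunk.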
typedef struct optlist {
@@ -317,11 +344,10 @@
* structure which is then followed by any packet data.
*/
typedef struct iplog {
- u_long ipl_magic;
+ u_32_t ipl_magic;
+ u_int ipl_count;
u_long ipl_sec;
u_long ipl_usec;
- u_int ipl_len;
- u_int ipl_count;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
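Review bot: The log record header changes shape — ipl_magic shrinks to u_32_t, ipl_len is removed and ipl_count moves ahead of the timestamp — and the comment above says this header is followed by packet data, so every consumer of the log device must be updated in lock-step; an old reader would take the new ipl_count slot as part of the old timestamp. The header still embeds a size_t ipl_dsize and a struct pointer ipl_next, so its size depends on the host word size and a kernel address is part of the record; if this is the format handed to userland I would say so at the typedef, `/* on-device record header: consumers must check ipl_dsize against the bytes actually read before touching packet data, and must ignore ipl_next */`. Whether ipl_next is scrubbed before copy-out is not visible here.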
@@ -340,19 +366,21 @@
u_char fl_hlen; /* length of IP headers saved */
u_short fl_rule; /* assume never more than 64k rules, total */
u_short fl_group;
+ u_short fl_loglevel; /* syslog log level */
u_32_t fl_flags;
+ u_32_t fl_lflags;
} ipflog_t;
#ifndef ICMP_UNREACH_FILTER
-#define ICMP_UNREACH_FILTER 13
+# define ICMP_UNREACH_FILTER 13
#endif
#ifndef IPF_LOGGING
-#define IPF_LOGGING 0
+# define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
-#define IPF_DEFAULT_PASS FR_PASS
+# define IPF_DEFAULT_PASS FR_PASS
#endif
#define IPMINLEN(i, h) ((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
@@ -384,16 +412,32 @@
# define CDEV_MAJOR 79
#endif
+/*
+ * Post NetBSD 1.2 has the PFIL interface for packet filters. This turns
+ * on those hooks. We don't need any special mods in non-IP Filter code
+ * with this!
+ */
+#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
+ (defined(NetBSD1_2) && NetBSD1_2 > 1)
+# if (NetBSD >= 199905)
+# define PFIL_HOOKS
+# endif
+# ifdef PFIL_HOOKS
+# define NETBSD_PF
+# endif
+#endif
+
+
#ifndef _KERNEL
extern int fr_check __P((ip_t *, int, void *, int, mb_t **));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern int send_reset __P((ip_t *, struct ifnet *));
extern int icmp_error __P((ip_t *, struct ifnet *));
extern int ipf_log __P((void));
-extern void ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
+extern int ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern struct ifnet *get_unit __P((char *));
-# define FR_SCANLIST(p, ip, fi, m) fr_scanlist(p, ip, fi, m)
-# if defined(__NetBSD__) || defined(__OpenBSD__) || (_BSDI_VERSION >= 199701)
+# if defined(__NetBSD__) || defined(__OpenBSD__) || \
+ (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int iplioctl __P((dev_t, u_long, caddr_t, int));
# else