acl2.h

netflow,抓包

/*
 * Copyright (c) 2001 Mark Fullmer and The Ohio State University
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      $Id: acl2.h,v 1.6 2002/02/10 03:50:00 maf Exp $
 */

#include <netinet/in.h>

#include <ftlib.h>


#define ACL_FLAG_PERMIT     0x1     /* else deny */
#define ACL_FLAG_SRC_PORT   0x2     /* do source port filtering */
#define ACL_FLAG_DST_PORT   0x4     /* do destination port filtering */
#define ACL_FLAG_ESTABLISHED  0x8   /* do "established" filtering */
#define ACL_FLAG_PRECEDENCE   0x10  /* do "precedence" filtering */
#define ACL_FLAG_TOS      0x20      /* do "tos" filtering */
#define ACL_FLAG_IP_ALL     0x40    /* all ip protocols */

#define ACL_OP_LT   1
#define ACL_OP_GT   1
#define ACL_OP_EQ   1
#define ACL_OP_NEQ    1
#define ACL_OP_RANGE  1

#define ACL_TYPE_STD  1
#define ACL_TYPE_EXT  2

struct acl_list {
  int num;                          /* number of entries */
  int num_std;                      /* number of standard acl entries */
  int num_ext;                      /* number of extended acl entries */
  struct acl_names *names;          /* name of acl (num of these) */
  struct acl_ip_std *acl_ip_std;    /* list of standard acl's (not || names) */
                                    /* num_std of these */
  struct acl_ip_ext *acl_ip_ext;    /* list of extended acl's (not || names) */
                                    /* num_ext of these */
};

struct acl_names {
  int num;       /* index into standard or extended list */
  char *name;    /* name of this acl */
  int type;      /* ACL_TYPE_* */
};

struct acl_ip_std {
  int           num_lines;        /* # of allocated entries */
  struct acl_ip_std_entry *line;
};

struct acl_ip_std_entry {
  u_int32   src_addr;       /* source address */
  u_int32   src_mask;       /* source address mask */
  u_int64   matches;        /* # of matches */
  int     flag;             /* permit/deny */
};

struct acl_ip_ext {
  int           num_lines;  /* # of allocated entries */
  struct acl_ip_ext_entry *line;
};

struct acl_ip_ext_entry {

  u_int8    protocol;      /* IP protocol */
  u_int8    precedence;    /* IP precedence */
  u_int8    tos;           /* IP type of service */

  u_int8    type;
  u_int8    type_code;
  u_int8    message;

  u_int8    src_op;
  u_int8    dst_op;

  u_int32   src_addr;    /* source address */
  u_int32   src_mask;    /* source address mask */
  u_int16   src_port;    /* source port */
  u_int16   src_port2;   /* source port (end of range) */

  u_int32   dst_addr;    /* destination address */
  u_int32   dst_mask;    /* destinan address mask */
  u_int16   dst_port;    /* destination port */
  u_int16   dst_port2;   /* destination port (end of range) */

  u_int64   matches;     /* # of matches */
  int     flag;          /* permit/deny, etc */
};

int acl_create(struct acl_list *acl_list, char *name, int type);
int acl_delete_list(struct acl_list acl_list);
void acl_dump(struct acl_list acl_list);
void acl_dump_std(struct acl_list acl_list, int x);
void acl_dump_ext(struct acl_list acl_list, int x);
int acl_find(struct acl_list acl_list, char *name);
int acl_add_line_std(struct acl_list acl_list, int acl_index,
  struct acl_ip_std_entry acl_ip_std_entry);
int acl_add_line_ext(struct acl_list acl_list, int acl_index,
  struct acl_ip_ext_entry acl_ip_ext_entry);
int acl_eval_std(struct acl_list acl_list, int index, u_int32 ip);
int acl_eval_ext(struct acl_list acl_list, int index,
  struct acl_ip_ext_entry entry);