ip_fil.h

来自「eCos操作系统源码」· C头文件 代码 · 共 609 行 · 第 1/2 页

	u_long	fr_ppkl;	/* packets allowed and logged */
	u_long	fr_bpkl;	/* packets denied and logged */
	u_long	fr_npkl;	/* packets unmatched and logged */
	u_long	fr_pkl;		/* packets logged */
	u_long	fr_skip;	/* packets to be logged but buffer full */
	u_long	fr_ret;		/* packets for which a return is sent */
	u_long	fr_acct;	/* packets for which counting was performed */
	u_long	fr_bnfr;	/* bad attempts to allocate fragment state */
	u_long	fr_nfr;		/* new fragment state kept */
	u_long	fr_cfr;		/* add new fragment state but complete pkt */
	u_long	fr_bads;	/* bad attempts to allocate packet state */
	u_long	fr_ads;		/* new packet state kept */
	u_long	fr_chit;	/* cached hit */
	u_long	fr_tcpbad;	/* TCP checksum check failures */
	u_long	fr_pull[2];	/* good and bad pullup attempts */
#if SOLARIS
	u_long	fr_notdata;	/* PROTO/PCPROTO that have no data */
	u_long	fr_nodata;	/* mblks that have no data */
	u_long	fr_bad;		/* bad IP packets to the filter */
	u_long	fr_notip;	/* packets passed through no on ip queue */
	u_long	fr_drop;	/* packets dropped - no info for them! */
#endif
} filterstats_t;

/*
 * For SIOCGETFS
 */
typedef	struct	friostat	{
	struct	filterstats	f_st[2];
	struct	frentry		*f_fin[2];
	struct	frentry		*f_fout[2];
	struct	frentry		*f_acctin[2];
	struct	frentry		*f_acctout[2];
	struct	frentry		*f_auth;
	struct	frgroup		*f_groups[3][2];
	u_long	f_froute[2];
	int	f_active;	/* 1 or 0 - active rule set */
	int	f_defpass;	/* default pass - from fr_pass */
	int	f_running;	/* 1 if running, else 0 */
	int	f_logging;	/* 1 if enabled, else 0 */
	char	f_version[32];	/* version string */
} friostat_t;

typedef struct	optlist {
	u_short ol_val;
	int	ol_bit;
} optlist_t;


/*
 * Group list structure.
 */
typedef	struct frgroup {
	u_short	fg_num;
	struct	frgroup	*fg_next;
	struct	frentry	*fg_head;
	struct	frentry	**fg_start;
} frgroup_t;


/*
 * Log structure.  Each packet header logged is prepended by one of these.
 * Following this in the log records read from the device will be an ipflog
 * structure which is then followed by any packet data.
 */
typedef	struct	iplog	{
	u_32_t	ipl_magic;
	u_int	ipl_count;
	u_long	ipl_sec;
	u_long	ipl_usec;
	size_t	ipl_dsize;
	struct	iplog	*ipl_next;
} iplog_t;

#define IPL_MAGIC 0x49504c4d /* 'IPLM' */

typedef	struct	ipflog	{
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
        (defined(OpenBSD) && (OpenBSD >= 199603))
	u_char	fl_ifname[IFNAMSIZ];
#else
	u_int	fl_unit;
	u_char	fl_ifname[4];
#endif
	u_char	fl_plen;	/* extra data after hlen */
	u_char	fl_hlen;	/* length of IP headers saved */
	u_short	fl_rule;	/* assume never more than 64k rules, total */
	u_short	fl_group;
	u_short	fl_loglevel;	/* syslog log level */
	u_32_t	fl_flags;
	u_32_t	fl_lflags;
} ipflog_t;


#if !defined(__OpenBSD__)
# ifndef	ICMP_UNREACH_FILTER
#  define	ICMP_UNREACH_FILTER	13
# endif
#endif

#ifndef	IPF_LOGGING
# define	IPF_LOGGING	0
#endif
#ifndef	IPF_DEFAULT_PASS
# define	IPF_DEFAULT_PASS	FR_PASS
#endif

#define	IPMINLEN(i, h)	((i)->ip_len >= ((i)->ip_hl * 4 + sizeof(struct h)))
#define	IPLLOGSIZE	8192

/*
 * Device filenames for reading log information.  Use ipf on Solaris2 because
 * ipl is already a name used by something else.
 */
#ifndef	IPL_NAME
# if	SOLARIS
#  define	IPL_NAME	"/dev/ipf"
# else
#  define	IPL_NAME	"/dev/ipl"
# endif
#endif
#define	IPL_NAT		IPNAT_NAME
#define	IPL_STATE	IPSTATE_NAME
#define	IPL_AUTH	IPAUTH_NAME

#define	IPL_LOGIPF	0	/* Minor device #'s for accessing logs */
#define	IPL_LOGNAT	1
#define	IPL_LOGSTATE	2
#define	IPL_LOGAUTH	3
#define	IPL_LOGMAX	3

#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
    (__FreeBSD_version >= 220000)
# define	CDEV_MAJOR	79
#endif

/*
 * Post NetBSD 1.2 has the PFIL interface for packet filters.  This turns
 * on those hooks.  We don't need any special mods in non-IP Filter code
 * with this!
 */
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
    (defined(NetBSD1_2) && NetBSD1_2 > 1)
# if (NetBSD >= 199905)
#  define PFIL_HOOKS
# endif
# ifdef PFIL_HOOKS
#  define NETBSD_PF
# endif
#endif


#ifndef	_KERNEL
extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
extern	int	send_reset __P((ip_t *, struct ifnet *));
extern	int	icmp_error __P((ip_t *, struct ifnet *));
extern	int	ipf_log __P((void));
extern	int	ipfr_fastroute __P((ip_t *, fr_info_t *, frdest_t *));
extern	struct	ifnet *get_unit __P((char *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
	  (_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int));
# else
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
# endif
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
#else /* #ifndef _KERNEL */
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern	void	ipfilterattach __P((int));
# endif

#if !defined(__OpenBSD__)
/*
 * OpenBSD has this call in the kernel but doesn't export it to userland.
 * See ip_fil.c for actual hook and more details.
 */
extern	int	iplattach __P((void));
#endif

extern	int	ipl_enable __P((void));
extern	int	ipl_disable __P((void));
extern	void	ipflog_init __P((void));
extern	int	ipflog_clear __P((minor_t));
extern	int	ipflog_read __P((minor_t, struct uio *));
extern	int	ipflog __P((u_int, ip_t *, fr_info_t *, mb_t *));
extern	int	ipllog __P((int, fr_info_t *, void **, size_t *, int *, int));
# if	SOLARIS
extern	int	fr_check __P((ip_t *, int, void *, int, qif_t *, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *,
				  int, qif_t *, mb_t **));
extern	int	icmp_error __P((ip_t *, int, int, qif_t *, struct in_addr));
#  if SOLARIS2 >= 7
extern	int	iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
#  else
extern	int	iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
#  endif
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	ipfsync __P((void));
extern	int	send_reset __P((fr_info_t *, ip_t *, qif_t *));
extern	int	ipfr_fastroute __P((qif_t *, ip_t *, mblk_t *, mblk_t **,
				   fr_info_t *, frdest_t *));
extern	void	copyin_mblk __P((mblk_t *, size_t, size_t, char *));
extern	void	copyout_mblk __P((mblk_t *, size_t, size_t, char *));
extern	int	fr_qin __P((queue_t *, mblk_t *));
extern	int	fr_qout __P((queue_t *, mblk_t *));
#  ifdef	IPFILTER_LOG
extern	int	iplread __P((dev_t, struct uio *, cred_t *));
#  endif
# else /* SOLARIS */
extern	int	fr_check __P((ip_t *, int, void *, int, mb_t **));
extern	int	(*fr_checkp) __P((ip_t *, int, void *, int, mb_t **));
#  ifdef	linux
extern	int	send_reset __P((tcpiphdr_t *, struct ifnet *));
#  else
extern	int	send_reset __P((fr_info_t *, struct ip *));
extern	int	send_icmp_err __P((ip_t *, int, int, void *, struct in_addr));
#  endif
extern	int	ipfr_fastroute __P((mb_t *, fr_info_t *, frdest_t *));
extern	size_t	mbufchainlen __P((mb_t *));
#  ifdef	__sgi
#   include <sys/cred.h>
extern	int	iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern	int	iplopen __P((dev_t *, int, int, cred_t *));
extern	int	iplclose __P((dev_t, int, int, cred_t *));
extern	int	iplread __P((dev_t, struct uio *, cred_t *));
extern	int	ipfsync __P((void));
extern	int	ipfilter_sgi_attach __P((void));
extern	void	ipfilter_sgi_detach __P((void));
extern	void	ipfilter_sgi_intfsync __P((void));
#  else
#   ifdef	IPFILTER_LKM
extern	int	iplidentify __P((char *));
#   endif
#   if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
      (NetBSD >= 199511) || defined(__OpenBSD__)
#    if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
       defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
extern	int	iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
#    else
extern	int	iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
#    endif
extern	int	iplopen __P((dev_t, int, int, struct proc *));
extern	int	iplclose __P((dev_t, int, int, struct proc *));
#   else
#    ifndef	linux
extern	int	iplopen __P((dev_t, int));
extern	int	iplclose __P((dev_t, int));
extern	int	iplioctl __P((dev_t, int, caddr_t, int));
#    else
extern	int	iplioctl(struct inode *, struct file *, u_int, u_long);
extern	int	iplopen __P((struct inode *, struct file *));
extern	void	iplclose __P((struct inode *, struct file *));
#    endif /* !linux */
#   endif /* (_BSDI_VERSION >= 199510) */
#   if	BSD >= 199306
extern	int	iplread __P((dev_t, struct uio *, int));
#   else
#    ifndef linux
extern	int	iplread __P((dev_t, struct uio *));
#    else
extern	int	iplread(struct inode *, struct file *, char *, int);
#    endif /* !linux */
#   endif /* BSD >= 199306 */
#  endif /* __ sgi */
# endif /* SOLARIS */
#endif /* #ifndef _KERNEL */

extern	void	fixskip __P((frentry_t **, frentry_t *, int));
extern	int	countbits __P((u_32_t));
extern	int	ipldetach __P((void));
extern	u_short	fr_tcpsum __P((mb_t *, ip_t *, tcphdr_t *));
extern	int	fr_scanlist __P((u_32_t, ip_t *, fr_info_t *, void *));
extern	u_short	ipf_cksum __P((u_short *, int));
extern	int	fr_copytolog __P((int, char *, int));
extern	void	fr_forgetifp __P((void *));
extern	int	frflush __P((minor_t, int));
extern	void	frsync __P((void));
extern	frgroup_t *fr_addgroup __P((u_int, frentry_t *, minor_t, int));
extern	frgroup_t *fr_findgroup __P((u_int, u_32_t, minor_t, int, frgroup_t ***));
extern	void	fr_delgroup __P((u_int, u_32_t, minor_t, int));
extern  void	fr_makefrip __P((int, ip_t *, fr_info_t *));
extern	int	fr_ifpaddr __P((void *, struct in_addr *));
extern	char	*memstr __P((char *, char *, int, int));
extern	int	ipl_unreach;
extern	int	ipl_inited;
extern	u_long	ipl_frouteok[2];
extern	int	fr_pass;
extern	int	fr_flags;
extern	int	fr_active;
extern	fr_info_t	frcache[2];
extern	char	ipfilter_version[];
#ifdef	IPFILTER_LOG
extern	iplog_t	**iplh[IPL_LOGMAX+1], *iplt[IPL_LOGMAX+1];
extern	size_t	iplused[IPL_LOGMAX + 1];
#endif
extern	struct frentry *ipfilter[2][2], *ipacct[2][2];
extern	struct frgroup *ipfgroups[3][2];
extern	struct filterstats frstats[];

#endif	/* _NETINET_IP_FIL_H__ */