![[bottom]](../icons/bottom.png){kind=icon}
![[previous]](../icons/n_left.png){kind=icon}
![[next]](../icons/n_right.png){kind=icon}
![[first]](../icons/n_first.png){kind=icon}
![[last]](../icons/n_last.png){kind=icon}
![[top]](../icons/n_top.png){kind=icon}
![[index]](../icons/index.png){kind=icon}
![[help]](../icons/help.png){kind=icon}
*/
1 /*
2 * IP firewalling code. This is taken from 4.4BSD. Please note the
3 * copyright message below. As per the GPL it must be maintained
4 * and the licenses thus do not conflict. While this port is subject
5 * to the GPL I also place my modifications under the original
6 * license in recognition of the original copyright.
7 *
8 * Ported from BSD to Linux,
9 * Alan Cox 22/Nov/1994.
10 * Merged and included the FreeBSD-Current changes at Ugen's request
11 * (but hey it's a lot cleaner now). Ugen would prefer in some ways
12 * we waited for his final product but since Linux 1.2.0 is about to
13 * appear it's not practical - Read: It works, it's not clean but please
14 * don't consider it to be his standard of finished work.
15 * Alan.
16 *
17 * Fixes:
18 * Pauline Middelink : Added masquerading.
19 *
20 * All the real work was done by .....
21 */
22
23 /*
24 * Copyright (c) 1993 Daniel Boulet
25 * Copyright (c) 1994 Ugen J.S.Antsilevich
26 *
27 * Redistribution and use in source forms, with and without modification,
28 * are permitted provided that this entire comment appears intact.
29 *
30 * Redistribution in binary form may occur without any restrictions.
31 * Obviously, it would be nice if you gave credit where credit is due
32 * but requiring it would be too onerous.
33 *
34 * This software is provided ``AS IS'' without any warranties of any kind.
35 */
36
37 /*
38 * Format of an IP firewall descriptor
39 *
40 * src, dst, src_mask, dst_mask are always stored in network byte order.
41 * flags and num_*_ports are stored in host byte order (of course).
42 * Port numbers are stored in HOST byte order.
43 */
44
45 #ifndef _IP_FW_H
46 #define _IP_FW_H
47
48 struct ip_fw
49 {
50 struct ip_fw *fw_next; /* Next firewall on chain */
51 struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
52 struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
53 struct in_addr fw_via; /* IP address of interface "via" */
54 unsigned short fw_flg; /* Flags word */
55 unsigned short fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */
56 /* in ports array (dst ports follow */
57 /* src ports; max of 10 ports in all; */
58 /* count of 0 means match all ports) */
59 #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
60 unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
61 unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */
62 };
63
64 /*
65 * Values for "flags" field .
66 */
67
68 #define IP_FW_F_ALL 0x000 /* This is a universal packet firewall*/
69 #define IP_FW_F_TCP 0x001 /* This is a TCP packet firewall */
70 #define IP_FW_F_UDP 0x002 /* This is a UDP packet firewall */
71 #define IP_FW_F_ICMP 0x003 /* This is a ICMP packet firewall */
72 #define IP_FW_F_KIND 0x003 /* Mask to isolate firewall kind */
73 #define IP_FW_F_ACCEPT 0x004 /* This is an accept firewall (as *
74 * opposed to a deny firewall)*
75 * */
76 #define IP_FW_F_SRNG 0x008 /* The first two src ports are a min *
77 * and max range (stored in host byte *
78 * order). *
79 * */
80 #define IP_FW_F_DRNG 0x010 /* The first two dst ports are a min *
81 * and max range (stored in host byte *
82 * order). *
83 * (ports[0] <= port <= ports[1]) *
84 * */
85 #define IP_FW_F_PRN 0x020 /* In verbose mode print this firewall*/
86 #define IP_FW_F_BIDIR 0x040 /* For bidirectional firewalls */
87 #define IP_FW_F_TCPSYN 0x080 /* For tcp packets-check SYN only */
88 #define IP_FW_F_ICMPRPL 0x100 /* Send back icmp unreachable packet */
89 #define IP_FW_F_MASQ 0x200 /* Masquerading */
90 #define IP_FW_F_TCPACK 0x400 /* For tcp-packets match if ACK is set*/
91 #define IP_FW_F_MASK 0x7FF /* All possible flag bits mask */
92
93 /*
94 * New IP firewall options for [gs]etsockopt at the RAW IP level.
95 * Unlike BSD Linux inherits IP options so you don't have to use
96 * a raw socket for this. Instead we check rights in the calls.
97 */
98
99 #define IP_FW_BASE_CTL 64
100
101 #define IP_FW_ADD_BLK (IP_FW_BASE_CTL)
102 #define IP_FW_ADD_FWD (IP_FW_BASE_CTL+1)
103 #define IP_FW_CHK_BLK (IP_FW_BASE_CTL+2)
104 #define IP_FW_CHK_FWD (IP_FW_BASE_CTL+3)
105 #define IP_FW_DEL_BLK (IP_FW_BASE_CTL+4)
106 #define IP_FW_DEL_FWD (IP_FW_BASE_CTL+5)
107 #define IP_FW_FLUSH_BLK (IP_FW_BASE_CTL+6)
108 #define IP_FW_FLUSH_FWD (IP_FW_BASE_CTL+7)
109 #define IP_FW_ZERO_BLK (IP_FW_BASE_CTL+8)
110 #define IP_FW_ZERO_FWD (IP_FW_BASE_CTL+9)
111 #define IP_FW_POLICY_BLK (IP_FW_BASE_CTL+10)
112 #define IP_FW_POLICY_FWD (IP_FW_BASE_CTL+11)
113
114 #define IP_ACCT_ADD (IP_FW_BASE_CTL+16)
115 #define IP_ACCT_DEL (IP_FW_BASE_CTL+17)
116 #define IP_ACCT_FLUSH (IP_FW_BASE_CTL+18)
117 #define IP_ACCT_ZERO (IP_FW_BASE_CTL+19)
118
119 struct ip_fwpkt
120 {
121 struct iphdr fwp_iph; /* IP header */
122 union {
123 struct tcphdr fwp_tcph; /* TCP header or */
124 struct udphdr fwp_udph; /* UDP header */
125 } fwp_protoh;
126 struct in_addr fwp_via; /* interface address */
127 };
128
129 /*
130 * Main firewall chains definitions and global var's definitions.
131 */
132
133 #ifdef __KERNEL__
134
135 #include <linux/config.h>
136
137 #ifdef CONFIG_IP_MASQUERADE
138 struct ip_masq {
139 struct ip_masq *next; /* next member in list */
140 struct timer_list timer; /* Expiration timer */
141 __u16 protocol; /* Which protocol are we talking? */
142 __u32 src, dst; /* Source and destination IP addresses */
143 __u16 sport,dport; /* Source and destoination ports */
144 __u16 mport; /* Masquaraded port */
145 __u32 init_seq; /* Add delta from this seq. on */
146 short delta; /* Delta in sequence numbers */
147 char sawfin; /* Did we saw an FIN packet? */
148 };
149 extern struct ip_masq *ip_msq_hosts;
150 extern void ip_fw_masquerade(struct sk_buff **, struct device *);
151 extern int ip_fw_demasquerade(struct sk_buff *);
152 #endif
153 #ifdef CONFIG_IP_FIREWALL
154 extern struct ip_fw *ip_fw_blk_chain;
155 extern struct ip_fw *ip_fw_fwd_chain;
156 extern int ip_fw_blk_policy;
157 extern int ip_fw_fwd_policy;
158 extern int ip_fw_ctl(int, void *, int);
159 #endif
160 #ifdef CONFIG_IP_ACCT
161 extern struct ip_fw *ip_acct_chain;
162 extern void ip_acct_cnt(struct iphdr *, struct device *, struct ip_fw *);
163 extern int ip_acct_ctl(int, void *, int);
164 #endif
165
166 #define FW_BLOCK 0
167 #define FW_ACCEPT 1
168 #define FW_REJECT (-1)
169 #define FW_MASQUERADE 2
170
171 extern int ip_fw_chk(struct iphdr *, struct device *rif,struct ip_fw *, int, int);
172 extern void ip_fw_init(void);
173 #endif /* KERNEL */
174
175 #ifdef CONFIG_IP_MASQUERADE
176
177 #undef DEBUG_MASQ
178
179 #define MASQUERADE_EXPIRE_TCP 15*60*HZ
180 #define MASQUERADE_EXPIRE_TCP_FIN 2*60*HZ
181 #define MASQUERADE_EXPIRE_UDP 5*60*HZ
182
183 /*
184 * Linux ports don't normally get allocated above 32K. I used an extra 4K port-space
185 */
186
187 #define PORT_MASQ_BEGIN 60000
188 #define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
189 #endif
190
191 #endif /* _IP_FW_H */
![[top]](../icons/top.png){kind=icon}
![[bottom]](../icons/n_bottom.png){kind=icon}
*/