root/include/linux/ip_fw.h




   1 /*
   2  *      IP firewalling code. This is taken from 4.4BSD. Please note the 
   3  *      copyright message below. As per the GPL it must be maintained
   4  *      and the licenses thus do not conflict. While this port is subject
   5  *      to the GPL I also place my modifications under the original 
   6  *      license in recognition of the original copyright. 
   7  *
   8  *      Ported from BSD to Linux,
   9  *              Alan Cox 22/Nov/1994.
  10  *      Merged and included the FreeBSD-Current changes at Ugen's request
  11  *      (but hey it's a lot cleaner now). Ugen would prefer in some ways
  12  *      we waited for his final product but since Linux 1.2.0 is about to
  13  *      appear it's not practical - Read: It works, it's not clean but please
  14  *      don't consider it to be his standard of finished work.
  15  *              Alan.
  16  *
  17  * Fixes:
  18  *      Pauline Middelink       :       Added masquerading.
  19  *
  20  *      All the real work was done by .....
  21  */
  22 
  23 /*
  24  * Copyright (c) 1993 Daniel Boulet
  25  * Copyright (c) 1994 Ugen J.S.Antsilevich
  26  *
  27  * Redistribution and use in source forms, with and without modification,
  28  * are permitted provided that this entire comment appears intact.
  29  *
  30  * Redistribution in binary form may occur without any restrictions.
  31  * Obviously, it would be nice if you gave credit where credit is due
  32  * but requiring it would be too onerous.
  33  *
  34  * This software is provided ``AS IS'' without any warranties of any kind.
  35  */
  36 
  37 /*
  38  *      Format of an IP firewall descriptor
  39  *
  40  *      src, dst, src_mask, dst_mask are always stored in network byte order.
  41  *      flags and num_*_ports are stored in host byte order (of course).
  42  *      Port numbers are stored in HOST byte order.
  43  */
  44  
  45 #ifndef _IP_FW_H
  46 #define _IP_FW_H
  47 
     /*
      *      One firewall / accounting rule, kept on a singly linked chain
      *      through fw_next. Rules reach the kernel from user space via the
      *      [gs]etsockopt options declared further down, so every field is
      *      untrusted until ip_fw_ctl / ip_acct_ctl has checked it.
      *
      *      Invariants a consumer of a rule relies on (fw_pts is the only
      *      fixed-size array in the struct):
      *        - fw_nsp + fw_ndp <= IP_FW_MAX_PORTS; the dst ports start at
      *          fw_pts[fw_nsp], so a larger sum reads past the array.
      *        - IP_FW_F_SRNG needs fw_nsp >= 2 and IP_FW_F_DRNG needs
      *          fw_ndp >= 2, since a range is read from two port slots.
      *      NOTE(review): confirm ip_fw_ctl rejects rules violating these
      *      before linking them into a chain.
      *
      *      This header includes nothing itself (only linux/config.h under
      *      __KERNEL__); the includer must already provide struct in_addr,
      *      iphdr, tcphdr and udphdr.
      */
  48 struct ip_fw 
  49 {
  50         struct ip_fw  *fw_next;                 /* Next firewall on chain (NULL ends it) */
  51         struct in_addr fw_src, fw_dst;          /* Source and destination IP addr (network byte order) */
  52         struct in_addr fw_smsk, fw_dmsk;        /* Mask for src and dest IP addr (network byte order) */
  53         struct in_addr fw_via;                  /* IP address of interface "via" */
  54         unsigned short fw_flg;                  /* Flags word: IP_FW_F_* bits, host byte order */
  55         unsigned short fw_nsp, fw_ndp;          /* N'of src ports and # of dst ports */
  56                                                 /* in ports array (dst ports follow */
  57                                                 /* src ports; max of 10 ports in all; */
  58                                                 /* count of 0 means match all ports) */
  59 #define IP_FW_MAX_PORTS 10                      /* A reasonable maximum; bounds fw_nsp + fw_ndp */
  60         unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match (HOST byte order) */
  61         unsigned long  fw_pcnt,fw_bcnt;         /* Packet and byte counters; wrap silently on overflow */
  62 };
  63 
  64 /*
  65  *      Values for "flags" field .
  66  *
  67  *      The low two bits (IP_FW_F_KIND) are an enumeration of the packet
     *      kind, NOT independent flag bits: IP_FW_F_ICMP (0x003) equals
     *      IP_FW_F_TCP|IP_FW_F_UDP. Test the kind with
     *      (fw_flg & IP_FW_F_KIND) == IP_FW_F_xxx, never with
     *      fw_flg & IP_FW_F_TCP, which would also be true for ICMP rules.
     *      Everything from IP_FW_F_ACCEPT upwards is a real bit flag.
     *      NOTE(review): a user-supplied fw_flg with bits outside
     *      IP_FW_F_MASK should be rejected by ip_fw_ctl rather than
     *      silently accepted - confirm.
     */
  68 #define IP_FW_F_ALL     0x000   /* This is a universal packet firewall (any kind) */
  69 #define IP_FW_F_TCP     0x001   /* This is a TCP packet firewall      */
  70 #define IP_FW_F_UDP     0x002   /* This is a UDP packet firewall      */
  71 #define IP_FW_F_ICMP    0x003   /* This is a ICMP packet firewall (== TCP|UDP, see above) */
  72 #define IP_FW_F_KIND    0x003   /* Mask to isolate firewall kind      */
  73 #define IP_FW_F_ACCEPT  0x004   /* This is an accept firewall (as     *
  74                                  *         opposed to a deny firewall)*
  75                                  *                                    */
  76 #define IP_FW_F_SRNG    0x008   /* The first two src ports are a min  *
  77                                  * and max range (stored in host byte *
  78                                  * order); requires fw_nsp >= 2.      *
  79                                  *                                    */
  80 #define IP_FW_F_DRNG    0x010   /* The first two dst ports are a min  *
  81                                  * and max range (stored in host byte *
  82                                  * order); requires fw_ndp >= 2.      *
  83                                  * (ports[0] <= port <= ports[1])     *
  84                                  *                                    */
  85 #define IP_FW_F_PRN     0x020   /* In verbose mode print this firewall*/
  86 #define IP_FW_F_BIDIR   0x040   /* For bidirectional firewalls        */
  87 #define IP_FW_F_TCPSYN  0x080   /* For tcp packets-check SYN only     */
  88 #define IP_FW_F_ICMPRPL 0x100   /* Send back icmp unreachable packet  */
  89 #define IP_FW_F_MASQ    0x200   /* Masquerading                       */
  90 #define IP_FW_F_TCPACK  0x400   /* For tcp-packets match if ACK is set*/
  91 #define IP_FW_F_MASK    0x7FF   /* All possible flag bits mask; bits  *
     *                                  * above it are invalid in a rule     */
  92 
  93 /*    
  94  *      New IP firewall options for [gs]etsockopt at the RAW IP level.
  95  *      Unlike BSD Linux inherits IP options so you don't have to use
  96  *      a raw socket for this. Instead we check rights in the calls.
  97  *
     *      Because any process can issue these option numbers on an IP
     *      socket, the privilege check inside ip_fw_ctl / ip_acct_ctl
     *      (declared below under __KERNEL__) is the only barrier between an
     *      unprivileged caller and the rule chains; the option value is
     *      presumably the first argument of those functions - confirm.
     *      _BLK variants act on the blocking chain, _FWD on the forwarding
     *      chain. Values 12..15 above the base are unused.
     */     
  98 
  99 #define IP_FW_BASE_CTL   64
 100 
 101 #define IP_FW_ADD_BLK    (IP_FW_BASE_CTL)
 102 #define IP_FW_ADD_FWD    (IP_FW_BASE_CTL+1)   
 103 #define IP_FW_CHK_BLK    (IP_FW_BASE_CTL+2)
 104 #define IP_FW_CHK_FWD    (IP_FW_BASE_CTL+3)
 105 #define IP_FW_DEL_BLK    (IP_FW_BASE_CTL+4)
 106 #define IP_FW_DEL_FWD    (IP_FW_BASE_CTL+5)
 107 #define IP_FW_FLUSH_BLK  (IP_FW_BASE_CTL+6)
 108 #define IP_FW_FLUSH_FWD  (IP_FW_BASE_CTL+7)
 109 #define IP_FW_ZERO_BLK   (IP_FW_BASE_CTL+8)     /* Reset fw_pcnt / fw_bcnt on the chain */
 110 #define IP_FW_ZERO_FWD   (IP_FW_BASE_CTL+9)
 111 #define IP_FW_POLICY_BLK (IP_FW_BASE_CTL+10)    /* Default verdict when no rule matches */
 112 #define IP_FW_POLICY_FWD (IP_FW_BASE_CTL+11)
 113 
     /* Accounting chain (ip_acct_chain); counts only, never drops. */
 114 #define IP_ACCT_ADD      (IP_FW_BASE_CTL+16)
 115 #define IP_ACCT_DEL      (IP_FW_BASE_CTL+17)
 116 #define IP_ACCT_FLUSH    (IP_FW_BASE_CTL+18)
 117 #define IP_ACCT_ZERO     (IP_FW_BASE_CTL+19)
 118 
     /*
      *      Packet image handed to the IP_FW_CHK_* sockopts: an IP header
      *      followed by the transport header it is to be matched against.
      *      fwp_protoh only has TCP and UDP members; for any other protocol
      *      its contents carry no meaning. NOTE(review): whoever builds one
      *      of these from a real packet must first verify that the
      *      transport header is actually present (enough bytes after the IP
      *      header, and not a non-first fragment) - confirm in ip_fw_chk.
      */
 119 struct ip_fwpkt
 120 {
 121         struct iphdr fwp_iph;                   /* IP header */
 122         union {
 123                 struct tcphdr fwp_tcph;         /* TCP header or */
 124                 struct udphdr fwp_udph;         /* UDP header */
 125         } fwp_protoh;
 126         struct in_addr fwp_via;                 /* interface address, matched against fw_via */
 127 };
 128 
 129 /*
 130  *      Main firewall chains definitions and global var's definitions.
 131  */
 132 
 133 #ifdef __KERNEL__
 134 
 135 #include <linux/config.h>
 136 
 137 #ifdef CONFIG_IP_MASQUERADE
     /*
      *      One live masquerading mapping: an internal (src, sport) talking
      *      to (dst, dport) is rewritten to appear to come from the masq host
      *      on port mport. Entries are chained through ip_msq_hosts and
      *      removed by the expiration timer (presumably armed with the
      *      MASQUERADE_EXPIRE_* intervals below - confirm).
      */
 138 struct ip_masq {
 139         struct ip_masq  *next;          /* next member in list */
 140         struct timer_list timer;        /* Expiration timer */
 141         __u16           protocol;       /* Which protocol are we talking? */
 142         __u32           src, dst;       /* Source and destination IP addresses */
 143         __u16           sport,dport;    /* Source and destination ports */
 144         __u16           mport;          /* Masqueraded (externally visible) port */
 145         __u32           init_seq;       /* Add delta from this seq. on */
 146         short           delta;          /* Delta in sequence numbers (payload grew/shrank after PORT rewrite) */
 147         short           previous_delta; /* Delta in sequence numbers before last resized PORT command */
 148         char            sawfin;         /* Have we seen a FIN packet? (non-zero once seen) */
 149 };
 150 extern struct ip_masq *ip_msq_hosts;    /* head of the masquerade table */
 151 extern void ip_fw_masquerade(struct sk_buff **, struct device *);   /* rewrite outgoing packet */
 152 extern int ip_fw_demasquerade(struct sk_buff *);                    /* rewrite incoming reply */
 153 #endif
 154 #ifdef CONFIG_IP_FIREWALL
 155 extern struct ip_fw *ip_fw_blk_chain;   /* rules for locally delivered packets */
 156 extern struct ip_fw *ip_fw_fwd_chain;   /* rules for forwarded packets */
 157 extern int ip_fw_blk_policy;            /* verdict when no blk rule matches */
 158 extern int ip_fw_fwd_policy;            /* verdict when no fwd rule matches */
 159 extern int ip_fw_ctl(int, void *, int); /* (sockopt, user data, length); must check caller rights */
 160 #endif
 161 #ifdef CONFIG_IP_ACCT
 162 extern struct ip_fw *ip_acct_chain;
 163 extern void ip_acct_cnt(struct iphdr *, struct device *, struct ip_fw *);
 164 extern int ip_acct_ctl(int, void *, int);   /* (sockopt, user data, length) */
 165 #endif
 166 
 167 
     /*
      *      Walk a chain for a packet. The two trailing ints are presumably the
      *      chain's policy and a mode selector - confirm against ip_fw.c.
      */
 168 extern int ip_fw_chk(struct iphdr *, struct device *rif,struct ip_fw *, int, int);
 169 extern void ip_fw_init(void);
 170 #endif /* KERNEL */
 171 
     /*
      *      CONFIG_IP_MASQUERADE comes from linux/config.h, which this file
      *      only includes under __KERNEL__, so this block is effectively
      *      kernel-only unless the includer defines the symbol itself.
      */
 172 #ifdef CONFIG_IP_MASQUERADE
 173 
 174 #undef DEBUG_MASQ
 175 
     /*
      *      Idle timeouts in jiffies. These expand without enclosing
      *      parentheses; wrap them in ( ) if used inside a larger expression.
      */
 176 #define MASQUERADE_EXPIRE_TCP     15*60*HZ      /* established TCP */
 177 #define MASQUERADE_EXPIRE_TCP_FIN  2*60*HZ      /* TCP after a FIN was seen */
 178 #define MASQUERADE_EXPIRE_UDP      5*60*HZ      /* UDP */
 179 
 180 /*
 181  *      Linux ports don't normally get allocated above 32K. I used an extra 4K port-space
     *      for mport, so at most 4096 mappings can be live at once.
 182  */
 183  
 184 #define PORT_MASQ_BEGIN 60000
 185 #define PORT_MASQ_END   (PORT_MASQ_BEGIN+4096)
     /*
      *      Placeholder dport for an FTP data connection whose port is not yet
      *      known. It sits just above PORT_MASQ_END so it cannot collide with an
      *      allocated mport, but it is still a representable 16-bit port, so
      *      code consuming dport must compare against it explicitly.
      */
 186 #define FTP_DPORT_TBD (PORT_MASQ_END+1) /* Avoid using hardcoded port 20 for ftp data connection */
 187 #endif
 188 
 189 #endif /* _IP_FW_H */
