root/include/linux/ip_fw.h




   1 /*
   2  *      IP firewalling code. This is taken from 4.4BSD. Please note the 
   3  *      copyright message below. As per the GPL it must be maintained
   4  *      and the licenses thus do not conflict. While this port is subject
   5  *      to the GPL I also place my modifications under the original 
   6  *      license in recognition of the original copyright. 
   7  *
   8  *      Ported from BSD to Linux,
   9  *              Alan Cox 22/Nov/1994.
  10  *      Merged and included the FreeBSD-Current changes at Ugen's request
  11  *      (but hey it's a lot cleaner now). Ugen would prefer in some ways
  12  *      we waited for his final product but since Linux 1.2.0 is about to
  13  *      appear it's not practical - Read: It works, it's not clean but please
  14  *      don't consider it to be his standard of finished work.
  15  *              Alan.
  16  *
  17  * Fixes:
  18  *      Pauline Middelink       :       Added masquerading.
  19  *
  20  *      All the real work was done by .....
  21  */
  22 
  23 /*
  24  * Copyright (c) 1993 Daniel Boulet
  25  * Copyright (c) 1994 Ugen J.S.Antsilevich
  26  *
  27  * Redistribution and use in source forms, with and without modification,
  28  * are permitted provided that this entire comment appears intact.
  29  *
  30  * Redistribution in binary form may occur without any restrictions.
  31  * Obviously, it would be nice if you gave credit where credit is due
  32  * but requiring it would be too onerous.
  33  *
  34  * This software is provided ``AS IS'' without any warranties of any kind.
  35  */
  36 
  37 /*
  38  *      Format of an IP firewall descriptor
  39  *
 *      fw_src, fw_dst, fw_smsk and fw_dmsk are always stored in network
 *      byte order.  fw_flg, fw_nsp and fw_ndp are stored in host byte
 *      order.  The port numbers in fw_pts are stored in HOST byte order,
 *      i.e. as plain integers, not htons()ed values.
  43  */
  44  
  45 #ifndef _IP_FW_H
  46 #define _IP_FW_H
  47 
/*
 *      One firewall rule: a node in a singly linked rule chain.  Presumably
 *      also the record userspace hands to the IP_FW_ADD_* and IP_FW_DEL_*
 *      controls below, so the member order is part of the ABI and must not
 *      change; struct ip_fw_old is this layout without the trailing
 *      fw_priority member.
 *
 *      fw_nsp source ports followed by fw_ndp destination ports live in
 *      fw_pts[]; their sum must not exceed IP_FW_MAX_PORTS or a rule walk
 *      reads past the end of the array.  NOTE(review): nothing in the type
 *      enforces that bound -- the code that accepts rules from userspace
 *      has to reject such counts; confirm in ip_fw_ctl().
 */
struct ip_fw 
{
        struct ip_fw  *fw_next;                 /* Next firewall on chain (a kernel pointer;
                                                 * NOTE(review): leaks a kernel address if a rule
                                                 * is ever copied back to userspace unchanged) */
        struct in_addr fw_src, fw_dst;          /* Source and destination IP addr (network order) */
        struct in_addr fw_smsk, fw_dmsk;        /* Mask for src and dest IP addr (network order) */
        struct in_addr fw_via;                  /* IP address of interface "via" */
        unsigned short fw_flg;                  /* Flags word: IP_FW_F_* values, host order */
        unsigned short fw_nsp, fw_ndp;          /* N'of src ports and # of dst ports */
                                                /* in ports array (dst ports follow */
                                                /* src ports; max of 10 ports in all; */
                                                /* count of 0 means match all ports) */
#define IP_FW_MAX_PORTS 10                      /* A reasonable maximum: upper bound on fw_nsp+fw_ndp */
        unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match, HOST byte order.
                                                 * With IP_FW_F_SRNG / IP_FW_F_DRNG the first two
                                                 * entries of the src / dst part are a min,max range */
        unsigned long  fw_pcnt,fw_bcnt;         /* Packet and byte counters */
        unsigned short fw_priority;             /* Revised packet priority (not present in ip_fw_old) */
};
  64 
/*
 *      Older layout of struct ip_fw: identical up to fw_bcnt, but without
 *      the trailing fw_priority member.  Presumably kept so that userspace
 *      built against the earlier header can still submit rules, with the
 *      two formats told apart by size -- confirm in ip_fw_ctl().  fw_next
 *      is still a struct ip_fw pointer; only the size and offsets matter.
 */
struct ip_fw_old
{
        struct ip_fw  *fw_next;                 /* Next firewall on chain */
        struct in_addr fw_src, fw_dst;          /* Source and destination IP addr (network order) */
        struct in_addr fw_smsk, fw_dmsk;        /* Mask for src and dest IP addr (network order) */
        struct in_addr fw_via;                  /* IP address of interface "via" */
        unsigned short fw_flg;                  /* Flags word: IP_FW_F_* values, host order */
        unsigned short fw_nsp, fw_ndp;          /* N'of src ports and # of dst ports */
                                                /* in ports array (dst ports follow */
                                                /* src ports; max of 10 ports in all; */
                                                /* count of 0 means match all ports) */
#define IP_FW_MAX_PORTS 10                      /* A reasonable maximum.  Identical redefinition of
                                                 * the value given with struct ip_fw: legal in C,
                                                 * but the two must stay in sync */
        unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match, HOST byte order */
        unsigned long  fw_pcnt,fw_bcnt;         /* Packet and byte counters */
};
  80 
/*
 *      Values for the fw_flg flags word of struct ip_fw.
 */
  84 
/*
 *      IP_FW_F_ALL .. IP_FW_F_ICMP are NOT independent bits: the low two
 *      bits (IP_FW_F_KIND) form a small enumeration, so test the kind with
 *      (fw_flg & IP_FW_F_KIND) == IP_FW_F_xxx.  "fw_flg & IP_FW_F_ICMP" is
 *      true for TCP and UDP rules as well, and IP_FW_F_ALL (0) can never be
 *      tested with '&' at all.  Everything from IP_FW_F_ACCEPT upward is a
 *      genuine single-bit flag; IP_FW_F_MASK is the OR of every defined bit.
 */
#define IP_FW_F_ALL     0x000   /* This is a universal packet firewall*/
#define IP_FW_F_TCP     0x001   /* This is a TCP packet firewall      */
#define IP_FW_F_UDP     0x002   /* This is a UDP packet firewall      */
#define IP_FW_F_ICMP    0x003   /* This is a ICMP packet firewall     */
#define IP_FW_F_KIND    0x003   /* Mask to isolate firewall kind      */
#define IP_FW_F_ACCEPT  0x004   /* This is an accept firewall (as     *
                                 *         opposed to a deny firewall)*
                                 *                                    */
#define IP_FW_F_SRNG    0x008   /* The first two src ports are a min  *
                                 * and max range (stored in host byte *
                                 * order), i.e. fw_pts[0] and         *
                                 * fw_pts[1].                         *
                                 *                                    */
#define IP_FW_F_DRNG    0x010   /* The first two dst ports are a min  *
                                 * and max range (stored in host byte *
                                 * order).                            *
                                 * (ports[0] <= port <= ports[1])     *
                                 * where ports[] is the dst part of   *
                                 * fw_pts, i.e. fw_pts[fw_nsp] and    *
                                 * fw_pts[fw_nsp+1].                  *
                                 *                                    */
#define IP_FW_F_PRN     0x020   /* In verbose mode print this firewall*/
#define IP_FW_F_BIDIR   0x040   /* For bidirectional firewalls        *
                                 * (presumably also matched with src  *
                                 * and dst swapped -- confirm)        */
#define IP_FW_F_TCPSYN  0x080   /* For tcp packets-check SYN only     *
                                 * (presumably: match only segments   *
                                 * with SYN set -- confirm in ip_fw.c)*/
#define IP_FW_F_ICMPRPL 0x100   /* Send back icmp unreachable packet  *
                                 * (presumably when the rule denies)  */
#define IP_FW_F_MASQ    0x200   /* Masquerading                       */
#define IP_FW_F_TCPACK  0x400   /* For tcp-packets match if ACK is set*/
#define IP_FW_F_MASK    0x7FF   /* All possible flag bits mask; a rule *
                                 * with bits outside it is unknown and *
                                 * should be rejected when added       */
 109 
/*
 *      New IP firewall options for [gs]etsockopt at the IP level, numbered
 *      from IP_FW_BASE_CTL.  Unlike BSD, Linux makes the IP-level options
 *      available on ordinary sockets, so a raw socket is not required to
 *      issue them; the caller's privilege is checked inside the control
 *      calls themselves (presumably ip_fw_ctl / ip_acct_ctl) rather than
 *      by restricting the socket type.
 */
 115 
/*
 *      Option numbers, all relative to IP_FW_BASE_CTL.  Each firewall
 *      operation comes in a _BLK variant (acting on ip_fw_blk_chain) and a
 *      _FWD variant (acting on ip_fw_fwd_chain); accounting has a single
 *      chain of its own.  Offsets 12..15 are unused.  Every one of these
 *      modifies or inspects kernel state, so the handler must verify the
 *      caller's privilege -- the socket type gives no protection here.
 */
#define IP_FW_BASE_CTL   64

#define IP_FW_ADD_BLK    (IP_FW_BASE_CTL)       /* add a rule to the chain */
#define IP_FW_ADD_FWD    (IP_FW_BASE_CTL+1)   
#define IP_FW_CHK_BLK    (IP_FW_BASE_CTL+2)     /* test a packet against the chain (presumably takes a struct ip_fwpkt) */
#define IP_FW_CHK_FWD    (IP_FW_BASE_CTL+3)
#define IP_FW_DEL_BLK    (IP_FW_BASE_CTL+4)     /* delete a rule */
#define IP_FW_DEL_FWD    (IP_FW_BASE_CTL+5)
#define IP_FW_FLUSH_BLK  (IP_FW_BASE_CTL+6)     /* drop every rule on the chain */
#define IP_FW_FLUSH_FWD  (IP_FW_BASE_CTL+7)
#define IP_FW_ZERO_BLK   (IP_FW_BASE_CTL+8)     /* reset the fw_pcnt/fw_bcnt counters */
#define IP_FW_ZERO_FWD   (IP_FW_BASE_CTL+9)
#define IP_FW_POLICY_BLK (IP_FW_BASE_CTL+10)    /* set the chain's default policy (ip_fw_blk_policy) */
#define IP_FW_POLICY_FWD (IP_FW_BASE_CTL+11)    /* same for the fwd chain (ip_fw_fwd_policy) */

#define IP_ACCT_ADD      (IP_FW_BASE_CTL+16)    /* accounting chain equivalents of the above */
#define IP_ACCT_DEL      (IP_FW_BASE_CTL+17)
#define IP_ACCT_FLUSH    (IP_FW_BASE_CTL+18)
#define IP_ACCT_ZERO     (IP_FW_BASE_CTL+19)
 135 
/*
 *      A packet summary: the IP header, the TCP or UDP transport header
 *      (whichever applies -- there is no slot for ICMP), and the address of
 *      the interface involved.  Presumably this is what userspace passes
 *      to the IP_FW_CHK_* controls to ask whether a packet would pass;
 *      confirm against ip_fw_ctl().  The struct is fixed-size with no
 *      length field, so IP options are not carried.
 */
struct ip_fwpkt
{
        struct iphdr fwp_iph;                   /* IP header */
        union {
                struct tcphdr fwp_tcph;         /* TCP header or */
                struct udphdr fwp_udph;         /* UDP header; which member is valid follows from fwp_iph's protocol */
        } fwp_protoh;
        struct in_addr fwp_via;                 /* interface address (compared with fw_via, presumably) */
};
 145 
/*
 *      Main firewall chain heads, default policies and entry points.
 *      These are extern declarations only (the definitions live in the
 *      .c files) and are visible to kernel code alone.
 */
 149 
 150 #ifdef __KERNEL__
 151 
 152 #include <linux/config.h>
 153 
 154 #ifdef CONFIG_IP_MASQUERADE
/*
 *      One live masquerading session.  Identified by protocol and the
 *      internal src/dst address and port pair; mport is the port the
 *      outside world sees for it.  Entries expire through 'timer' (see the
 *      MASQUERADE_EXPIRE_* values below).  init_seq / delta /
 *      previous_delta track a TCP sequence-number shift introduced when an
 *      FTP PORT command was rewritten to a different length (per the
 *      member comments); sawfin presumably selects the shorter
 *      MASQUERADE_EXPIRE_TCP_FIN timeout once a FIN has gone by -- confirm.
 */
struct ip_masq {
        struct ip_masq  *next;          /* next member in list (head: ip_msq_hosts) */
        struct timer_list timer;        /* Expiration timer */
        __u16           protocol;       /* Which protocol are we talking? */
        __u32           src, dst;       /* Source and destination IP addresses
                                         * (raw 32-bit here, not struct in_addr as in ip_fw;
                                         * NOTE(review): byte order is not stated -- confirm) */
        __u16           sport,dport;    /* Source and destination ports */
        __u16           mport;          /* Masquaraded port, i.e. the externally visible one
                                         * (presumably drawn from the PORT_MASQ_* window) */
        __u32           init_seq;       /* Add delta from this seq. on */
        short           delta;          /* Delta in sequence numbers */
        short           previous_delta; /* Delta in sequence numbers before last resized PORT command */
        char            sawfin;         /* Did we see a FIN packet? (flag) */
};
extern struct ip_masq *ip_msq_hosts;                              /* head of the masquerade session list (linked via ->next) */
extern void ip_fw_masquerade(struct sk_buff **, struct device *); /* rewrite an outgoing packet; takes sk_buff ** presumably because the buffer may be replaced -- confirm */
extern int ip_fw_demasquerade(struct sk_buff *);                  /* undo the mapping on an incoming packet; meaning of the int result not visible here */
 170 #endif
#ifdef CONFIG_IP_FIREWALL
extern struct ip_fw *ip_fw_blk_chain;   /* rule chain the IP_FW_*_BLK controls operate on */
extern struct ip_fw *ip_fw_fwd_chain;   /* rule chain the IP_FW_*_FWD controls operate on */
extern int ip_fw_blk_policy;            /* set by IP_FW_POLICY_BLK; presumably the verdict when no rule matches */
extern int ip_fw_fwd_policy;            /* set by IP_FW_POLICY_FWD; same for the fwd chain */
extern int ip_fw_ctl(int, void *, int); /* setsockopt handler for the IP_FW_* options; the arguments are
                                         * presumably (option, user-supplied data, length).  Per the
                                         * comment above this is where the caller's privilege must be
                                         * checked, and where the fw_nsp+fw_ndp bound and IP_FW_F_MASK
                                         * should be validated before a rule is installed -- confirm */
#endif
#ifdef CONFIG_IP_ACCT
extern struct ip_fw *ip_acct_chain;     /* accounting rules, same struct as the firewall chains */
extern void ip_acct_cnt(struct iphdr *, struct device *, struct ip_fw *);  /* account a packet against a chain (presumably updates fw_pcnt/fw_bcnt of matching rules) */
extern int ip_acct_ctl(int, void *, int); /* setsockopt handler for the IP_ACCT_* options; same argument shape and privilege requirement as ip_fw_ctl */
#endif
 183 
 184 
extern int ip_fw_chk(struct iphdr *, struct device *rif,struct ip_fw *, int, int);  /* run a packet through a rule chain; rif is the receiving interface.
                                                                                      * The two trailing int arguments are not named here -- see ip_fw.c */
extern void ip_fw_init(void);           /* one-time initialisation of the firewall code */
 187 #endif /* KERNEL */
 188 
 189 #ifdef CONFIG_IP_MASQUERADE
 190 
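#undef DEBUG_MASQ                       /* define to enable masquerading debug output (presumably) */

/*
 *      This section is guarded by CONFIG_IP_MASQUERADE, which comes from
 *      <linux/config.h>; that header is only included under __KERNEL__
 *      above, so userspace does not normally see these values.
 *
 *      Idle timeouts for masquerade entries, in jiffies.  A TCP entry
 *      presumably drops to the shorter _FIN timeout once sawfin is set.
 *      Each expansion is parenthesised so the macro is a single value in
 *      any expression it is pasted into.
 */
#define MASQUERADE_EXPIRE_TCP     (15*60*HZ)
#define MASQUERADE_EXPIRE_TCP_FIN (2*60*HZ)
#define MASQUERADE_EXPIRE_UDP     (5*60*HZ)

/*
 *      Masqueraded ports are taken from a 4096-wide window starting at
 *      PORT_MASQ_BEGIN, placed above the range Linux normally hands out
 *      for local ports (they don't normally get allocated above 32K).
 *      NOTE(review): nothing here reserves the window -- if the local
 *      port range ever reaches 60000 a local socket and a masqueraded
 *      flow can collide.  A window this small also limits the number of
 *      concurrent sessions and makes mport easy to guess from outside;
 *      worth confirming against the allocator in ip_fw.c.
 */
#define PORT_MASQ_BEGIN 60000
#define PORT_MASQ_END   (PORT_MASQ_BEGIN+4096)
#define FTP_DPORT_TBD (PORT_MASQ_END+1) /* "port to be determined" sentinel for the ftp data connection:
                                         * deliberately just outside the masq window so it can never
                                         * collide with a real mport (avoids hardcoding port 20) */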
 204 #endif
 205 
 206 #endif /* _IP_FW_H */
