![[bottom]](../icons/bottom.png){kind=icon}
![[previous]](../icons/n_left.png){kind=icon}
![[next]](../icons/n_right.png){kind=icon}
![[first]](../icons/n_first.png){kind=icon}
![[last]](../icons/n_last.png){kind=icon}
![[top]](../icons/n_top.png){kind=icon}
![[index]](../icons/index.png){kind=icon}
![[help]](../icons/help.png){kind=icon}
*/
1 /*
2 * IP firewalling code. This is taken from 4.4BSD. Please note the
3 * copyright message below. As per the GPL it must be maintained
4 * and the licenses thus do not conflict. While this port is subject
5 * to the GPL I also place my modifications under the original
6 * license in recognition of the original copyright.
7 *
8 * Ported from BSD to Linux,
9 * Alan Cox 22/Nov/1994.
10 * Merged and included the FreeBSD-Current changes at Ugen's request
11 * (but hey it's a lot cleaner now). Ugen would prefer in some ways
12 * we waited for his final product but since Linux 1.2.0 is about to
13 * appear it's not practical - Read: It works, it's not clean but please
14 * don't consider it to be his standard of finished work.
15 * Alan.
16 *
17 * Fixes:
18 * Pauline Middelink : Added masquerading.
19 * Jos Vos : Separate input and output firewall
20 * chains, new "insert" and "append"
21 * commands to replace "add" commands,
22 * add ICMP header to struct ip_fwpkt.
23 *
24 * All the real work was done by .....
25 */
26
27 /*
28 * Copyright (c) 1993 Daniel Boulet
29 * Copyright (c) 1994 Ugen J.S.Antsilevich
30 *
31 * Redistribution and use in source forms, with and without modification,
32 * are permitted provided that this entire comment appears intact.
33 *
34 * Redistribution in binary form may occur without any restrictions.
35 * Obviously, it would be nice if you gave credit where credit is due
36 * but requiring it would be too onerous.
37 *
38 * This software is provided ``AS IS'' without any warranties of any kind.
39 */
40
41 /*
42 * Format of an IP firewall descriptor
43 *
44 * src, dst, src_mask, dst_mask are always stored in network byte order.
45 * flags and num_*_ports are stored in host byte order (of course).
46 * Port numbers are stored in HOST byte order.
47 */
48
49 #ifndef _IP_FW_H
50 #define _IP_FW_H
51
52 struct ip_fw
53 {
54 struct ip_fw *fw_next; /* Next firewall on chain */
55 struct in_addr fw_src, fw_dst; /* Source and destination IP addr */
56 struct in_addr fw_smsk, fw_dmsk; /* Mask for src and dest IP addr */
57 struct in_addr fw_via; /* IP address of interface "via" */
58 unsigned short fw_flg; /* Flags word */
59 unsigned short fw_nsp, fw_ndp; /* N'of src ports and # of dst ports */
60 /* in ports array (dst ports follow */
61 /* src ports; max of 10 ports in all; */
62 /* count of 0 means match all ports) */
63 #define IP_FW_MAX_PORTS 10 /* A reasonable maximum */
64 unsigned short fw_pts[IP_FW_MAX_PORTS]; /* Array of port numbers to match */
65 unsigned long fw_pcnt,fw_bcnt; /* Packet and byte counters */
66 unsigned char fw_tosand, fw_tosxor; /* Revised packet priority */
67 };
68
69 /*
70 * Values for "flags" field .
71 */
72
73 #define IP_FW_F_ALL 0x000 /* This is a universal packet firewall*/
74 #define IP_FW_F_TCP 0x001 /* This is a TCP packet firewall */
75 #define IP_FW_F_UDP 0x002 /* This is a UDP packet firewall */
76 #define IP_FW_F_ICMP 0x003 /* This is a ICMP packet firewall */
77 #define IP_FW_F_KIND 0x003 /* Mask to isolate firewall kind */
78 #define IP_FW_F_ACCEPT 0x004 /* This is an accept firewall (as *
79 * opposed to a deny firewall)*
80 * */
81 #define IP_FW_F_SRNG 0x008 /* The first two src ports are a min *
82 * and max range (stored in host byte *
83 * order). *
84 * */
85 #define IP_FW_F_DRNG 0x010 /* The first two dst ports are a min *
86 * and max range (stored in host byte *
87 * order). *
88 * (ports[0] <= port <= ports[1]) *
89 * */
90 #define IP_FW_F_PRN 0x020 /* In verbose mode print this firewall*/
91 #define IP_FW_F_BIDIR 0x040 /* For bidirectional firewalls */
92 #define IP_FW_F_TCPSYN 0x080 /* For tcp packets-check SYN only */
93 #define IP_FW_F_ICMPRPL 0x100 /* Send back icmp unreachable packet */
94 #define IP_FW_F_MASQ 0x200 /* Masquerading */
95 #define IP_FW_F_TCPACK 0x400 /* For tcp-packets match if ACK is set*/
96
97 #define IP_FW_F_MASK 0x7FF /* All possible flag bits mask */
98
99 /*
100 * New IP firewall options for [gs]etsockopt at the RAW IP level.
101 * Unlike BSD Linux inherits IP options so you don't have to use
102 * a raw socket for this. Instead we check rights in the calls.
103 */
104
105 #define IP_FW_BASE_CTL 64 /* base for firewall socket options */
106
107 #define IP_FW_COMMAND 0x00FF /* mask for command without chain */
108 #define IP_FW_TYPE 0x0300 /* mask for type (chain) */
109 #define IP_FW_SHIFT 8 /* shift count for type (chain) */
110
111 #define IP_FW_FWD 0
112 #define IP_FW_IN 1
113 #define IP_FW_OUT 2
114 #define IP_FW_ACCT 3
115
116 #define IP_FW_INSERT (IP_FW_BASE_CTL)
117 #define IP_FW_APPEND (IP_FW_BASE_CTL+1)
118 #define IP_FW_DELETE (IP_FW_BASE_CTL+2)
119 #define IP_FW_FLUSH (IP_FW_BASE_CTL+3)
120 #define IP_FW_ZERO (IP_FW_BASE_CTL+4)
121 #define IP_FW_POLICY (IP_FW_BASE_CTL+5)
122 #define IP_FW_CHECK (IP_FW_BASE_CTL+6)
123
124 #define IP_FW_INSERT_FWD (IP_FW_INSERT | (IP_FW_FWD << IP_FW_SHIFT))
125 #define IP_FW_APPEND_FWD (IP_FW_APPEND | (IP_FW_FWD << IP_FW_SHIFT))
126 #define IP_FW_DELETE_FWD (IP_FW_DELETE | (IP_FW_FWD << IP_FW_SHIFT))
127 #define IP_FW_FLUSH_FWD (IP_FW_FLUSH | (IP_FW_FWD << IP_FW_SHIFT))
128 #define IP_FW_ZERO_FWD (IP_FW_ZERO | (IP_FW_FWD << IP_FW_SHIFT))
129 #define IP_FW_POLICY_FWD (IP_FW_POLICY | (IP_FW_FWD << IP_FW_SHIFT))
130 #define IP_FW_CHECK_FWD (IP_FW_CHECK | (IP_FW_FWD << IP_FW_SHIFT))
131
132 #define IP_FW_INSERT_IN (IP_FW_INSERT | (IP_FW_IN << IP_FW_SHIFT))
133 #define IP_FW_APPEND_IN (IP_FW_APPEND | (IP_FW_IN << IP_FW_SHIFT))
134 #define IP_FW_DELETE_IN (IP_FW_DELETE | (IP_FW_IN << IP_FW_SHIFT))
135 #define IP_FW_FLUSH_IN (IP_FW_FLUSH | (IP_FW_IN << IP_FW_SHIFT))
136 #define IP_FW_ZERO_IN (IP_FW_ZERO | (IP_FW_IN << IP_FW_SHIFT))
137 #define IP_FW_POLICY_IN (IP_FW_POLICY | (IP_FW_IN << IP_FW_SHIFT))
138 #define IP_FW_CHECK_IN (IP_FW_CHECK | (IP_FW_IN << IP_FW_SHIFT))
139
140 #define IP_FW_INSERT_OUT (IP_FW_INSERT | (IP_FW_OUT << IP_FW_SHIFT))
141 #define IP_FW_APPEND_OUT (IP_FW_APPEND | (IP_FW_OUT << IP_FW_SHIFT))
142 #define IP_FW_DELETE_OUT (IP_FW_DELETE | (IP_FW_OUT << IP_FW_SHIFT))
143 #define IP_FW_FLUSH_OUT (IP_FW_FLUSH | (IP_FW_OUT << IP_FW_SHIFT))
144 #define IP_FW_ZERO_OUT (IP_FW_ZERO | (IP_FW_OUT << IP_FW_SHIFT))
145 #define IP_FW_POLICY_OUT (IP_FW_POLICY | (IP_FW_OUT << IP_FW_SHIFT))
146 #define IP_FW_CHECK_OUT (IP_FW_CHECK | (IP_FW_OUT << IP_FW_SHIFT))
147
148 #define IP_ACCT_INSERT (IP_FW_INSERT | (IP_FW_ACCT << IP_FW_SHIFT))
149 #define IP_ACCT_APPEND (IP_FW_APPEND | (IP_FW_ACCT << IP_FW_SHIFT))
150 #define IP_ACCT_DELETE (IP_FW_DELETE | (IP_FW_ACCT << IP_FW_SHIFT))
151 #define IP_ACCT_FLUSH (IP_FW_FLUSH | (IP_FW_ACCT << IP_FW_SHIFT))
152 #define IP_ACCT_ZERO (IP_FW_ZERO | (IP_FW_ACCT << IP_FW_SHIFT))
153
154 struct ip_fwpkt
155 {
156 struct iphdr fwp_iph; /* IP header */
157 union {
158 struct tcphdr fwp_tcph; /* TCP header or */
159 struct udphdr fwp_udph; /* UDP header */
160 struct icmphdr fwp_icmph; /* ICMP header */
161 } fwp_protoh;
162 struct in_addr fwp_via; /* interface address */
163 };
164
165 /*
166 * Main firewall chains definitions and global var's definitions.
167 */
168
169 #ifdef __KERNEL__
170
171 #include <linux/config.h>
172
173 #ifdef CONFIG_IP_MASQUERADE
174 struct ip_masq {
175 struct ip_masq *next; /* next member in list */
176 struct timer_list timer; /* Expiration timer */
177 __u16 protocol; /* Which protocol are we talking? */
178 __u32 src, dst; /* Source and destination IP addresses */
179 __u16 sport,dport; /* Source and destination ports */
180 __u16 mport; /* Masquaraded port */
181 __u32 init_seq; /* Add delta from this seq. on */
182 short delta; /* Delta in sequence numbers */
183 short previous_delta; /* Delta in sequence numbers before last resized PORT command */
184 char sawfin; /* Did we saw an FIN packet? */
185 };
186 extern struct ip_masq *ip_msq_hosts;
187 extern void ip_fw_masquerade(struct sk_buff **, struct device *);
188 extern int ip_fw_demasquerade(struct sk_buff *);
189 #endif
190 #ifdef CONFIG_IP_FIREWALL
191 extern struct ip_fw *ip_fw_in_chain;
192 extern struct ip_fw *ip_fw_out_chain;
193 extern struct ip_fw *ip_fw_fwd_chain;
194 extern int ip_fw_in_policy;
195 extern int ip_fw_out_policy;
196 extern int ip_fw_fwd_policy;
197 extern int ip_fw_ctl(int, void *, int);
198 #endif
199 #ifdef CONFIG_IP_ACCT
200 extern struct ip_fw *ip_acct_chain;
201 extern void ip_acct_cnt(struct iphdr *, struct device *, struct ip_fw *);
202 extern int ip_acct_ctl(int, void *, int);
203 #endif
204
205
206 extern int ip_fw_chk(struct iphdr *, struct device *rif,struct ip_fw *, int, int);
207 extern void ip_fw_init(void);
208 #endif /* KERNEL */
209
210 #ifdef CONFIG_IP_MASQUERADE
211
212 #undef DEBUG_MASQ
213
214 #define MASQUERADE_EXPIRE_TCP 15*60*HZ
215 #define MASQUERADE_EXPIRE_TCP_FIN 2*60*HZ
216 #define MASQUERADE_EXPIRE_UDP 5*60*HZ
217
218 /*
219 * Linux ports don't normally get allocated above 32K. I used an extra 4K port-space
220 */
221
222 #define PORT_MASQ_BEGIN 60000
223 #define PORT_MASQ_END (PORT_MASQ_BEGIN+4096)
224 #define FTP_DPORT_TBD (PORT_MASQ_END+1) /* Avoid using hardcoded port 20 for ftp data connection */
225 #endif
226
227 #endif /* _IP_FW_H */
![[top]](../icons/top.png){kind=icon}
![[bottom]](../icons/n_bottom.png){kind=icon}
*/