Differential D46183 Diff 141631 sys/netinet/ip_fw.h

Changeset View

Standalone View

sys/netinet/ip_fw.h

Show First 20 Lines • Show All 69 Lines • ▼ Show 20 Lines

/* IP_FW3 header/opcodes */		/* IP_FW3 header/opcodes */
typedef struct _ip_fw3_opheader {		typedef struct _ip_fw3_opheader {
uint16_t opcode; /* Operation opcode */		uint16_t opcode; /* Operation opcode */
uint16_t version; /* Opcode version */		uint16_t version; /* Opcode version */
uint16_t reserved[2]; /* Align to 64-bit boundary */		uint16_t reserved[2]; /* Align to 64-bit boundary */
} ip_fw3_opheader;		} ip_fw3_opheader;

		#define IP_FW3_OPVER_0 0
		#define IP_FW3_OPVER_1 1 /* 32bit rulenum */
		#define IP_FW3_OPVER IP_FW3_OPVER_1

/* IP_FW3 opcodes */		/* IP_FW3 opcodes */
#define IP_FW_TABLE_XADD 86 /* add entry */		#define IP_FW_TABLE_XADD 86 /* add entry */
#define IP_FW_TABLE_XDEL 87 /* delete entry */		#define IP_FW_TABLE_XDEL 87 /* delete entry */
#define IP_FW_TABLE_XGETSIZE 88 /* get table size (deprecated) */		#define IP_FW_TABLE_XGETSIZE 88 /* get table size (deprecated) */
#define IP_FW_TABLE_XLIST 89 /* list table contents */		#define IP_FW_TABLE_XLIST 89 /* list table contents */
#define IP_FW_TABLE_XDESTROY 90 /* destroy table */		#define IP_FW_TABLE_XDESTROY 90 /* destroy table */
#define IP_FW_TABLES_XLIST 92 /* list all tables */		#define IP_FW_TABLES_XLIST 92 /* list all tables */
#define IP_FW_TABLE_XINFO 93 /* request info for one table */		#define IP_FW_TABLE_XINFO 93 /* request info for one table */
Show All 18 Lines
#define IP_FW_NAT44_XCONFIG 111 /* Create/modify NAT44 instance */		#define IP_FW_NAT44_XCONFIG 111 /* Create/modify NAT44 instance */
#define IP_FW_NAT44_DESTROY 112 /* Destroys NAT44 instance */		#define IP_FW_NAT44_DESTROY 112 /* Destroys NAT44 instance */
#define IP_FW_NAT44_XGETCONFIG 113 /* Get NAT44 instance config */		#define IP_FW_NAT44_XGETCONFIG 113 /* Get NAT44 instance config */
#define IP_FW_NAT44_LIST_NAT 114 /* List all NAT44 instances */		#define IP_FW_NAT44_LIST_NAT 114 /* List all NAT44 instances */
#define IP_FW_NAT44_XGETLOG 115 /* Get log from NAT44 instance */		#define IP_FW_NAT44_XGETLOG 115 /* Get log from NAT44 instance */

#define IP_FW_DUMP_SOPTCODES 116 /* Dump available sopts/versions */		#define IP_FW_DUMP_SOPTCODES 116 /* Dump available sopts/versions */
#define IP_FW_DUMP_SRVOBJECTS 117 /* Dump existing named objects */		#define IP_FW_DUMP_SRVOBJECTS 117 /* Dump existing named objects */
		#define IP_FW_SKIPTO_CACHE 118 /* Manage skipto cache */

#define IP_FW_NAT64STL_CREATE 130 /* Create stateless NAT64 instance */		#define IP_FW_NAT64STL_CREATE 130 /* Create stateless NAT64 instance */
#define IP_FW_NAT64STL_DESTROY 131 /* Destroy stateless NAT64 instance */		#define IP_FW_NAT64STL_DESTROY 131 /* Destroy stateless NAT64 instance */
#define IP_FW_NAT64STL_CONFIG 132 /* Modify stateless NAT64 instance */		#define IP_FW_NAT64STL_CONFIG 132 /* Modify stateless NAT64 instance */
#define IP_FW_NAT64STL_LIST 133 /* List stateless NAT64 instances */		#define IP_FW_NAT64STL_LIST 133 /* List stateless NAT64 instances */
#define IP_FW_NAT64STL_STATS 134 /* Get NAT64STL instance statistics */		#define IP_FW_NAT64STL_STATS 134 /* Get NAT64STL instance statistics */
#define IP_FW_NAT64STL_RESET_STATS 135 /* Reset NAT64STL instance statistics */		#define IP_FW_NAT64STL_RESET_STATS 135 /* Reset NAT64STL instance statistics */

▲ Show 20 Lines • Show All 86 Lines • ▼ Show 20 Lines	enum ipfw_opcodes { /* arguments (4 byte each) */
O_TCPSEQ, /* u32 = desired seq. */		O_TCPSEQ, /* u32 = desired seq. */
O_TCPACK, /* u32 = desired seq. */		O_TCPACK, /* u32 = desired seq. */
O_ICMPTYPE, /* u32 = icmp bitmap */		O_ICMPTYPE, /* u32 = icmp bitmap */
O_TCPOPTS, /* arg1 = 2u8 bitmap /		O_TCPOPTS, /* arg1 = 2u8 bitmap /

O_VERREVPATH, /* none */		O_VERREVPATH, /* none */
O_VERSRCREACH, /* none */		O_VERSRCREACH, /* none */

O_PROBE_STATE, /* none */		O_PROBE_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
O_KEEP_STATE, /* none */		O_KEEP_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
O_LIMIT, /* ipfw_insn_limit */		O_LIMIT, /* ipfw_insn_limit */
O_LIMIT_PARENT, /* dyn_type, not an opcode. */		O_LIMIT_PARENT, /* dyn_type, not an opcode. */

/*		/*
* These are really 'actions'.		* These are really 'actions'.
*/		*/

O_LOG, /* ipfw_insn_log */		O_LOG, /* ipfw_insn_log */
O_PROB, /* u32 = match probability */		O_PROB, /* u32 = match probability */

O_CHECK_STATE, /* none */		O_CHECK_STATE, /* v0:arg1=kidx, v1:kidx=kidx */
O_ACCEPT, /* none */		O_ACCEPT, /* none */
O_DENY, /* none */		O_DENY, /* none */
O_REJECT, /* arg1=icmp arg (same as deny) */		O_REJECT, /* arg1=icmp arg (same as deny) */
O_COUNT, /* none */		O_COUNT, /* none */
O_SKIPTO, /* arg1=next rule number */		O_SKIPTO, /* v0:arg1=next rule number */
		/* v1:kidx= next rule number */
O_PIPE, /* arg1=pipe number */		O_PIPE, /* arg1=pipe number */
O_QUEUE, /* arg1=queue number */		O_QUEUE, /* arg1=queue number */
O_DIVERT, /* arg1=port number */		O_DIVERT, /* arg1=port number */
O_TEE, /* arg1=port number */		O_TEE, /* arg1=port number */
O_FORWARD_IP, /* fwd sockaddr */		O_FORWARD_IP, /* fwd sockaddr */
O_FORWARD_MAC, /* fwd mac */		O_FORWARD_MAC, /* fwd mac */
O_NAT, /* nope */		O_NAT, /* nope */
O_REASS, /* none */		O_REASS, /* none */

/*		/*
* More opcodes.		* More opcodes.
*/		*/
O_IPSEC, /* has ipsec history */		O_IPSEC, /* has ipsec history */
O_IP_SRC_LOOKUP, /* arg1=table number, u32=value */		O_IP_SRC_LOOKUP, /* v0:arg1=table number, u32=value */
		/* v1:kidx=name, u32=value, arg1=key */
O_IP_DST_LOOKUP, /* arg1=table number, u32=value */		O_IP_DST_LOOKUP, /* arg1=table number, u32=value */
		/* v1:kidx=name, u32=value, arg1=key */
O_ANTISPOOF, /* none */		O_ANTISPOOF, /* none */
O_JAIL, /* u32 = id */		O_JAIL, /* u32 = id */
O_ALTQ, /* u32 = altq classif. qid */		O_ALTQ, /* u32 = altq classif. qid */
O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */		O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */
O_TCPDATALEN, /* arg1 = tcp data len */		O_TCPDATALEN, /* arg1 = tcp data len */
O_IP6_SRC, /* address without mask */		O_IP6_SRC, /* address without mask */
O_IP6_SRC_ME, /* my addresses */		O_IP6_SRC_ME, /* my addresses */
O_IP6_SRC_MASK, /* address with the mask */		O_IP6_SRC_MASK, /* address with the mask */
Show All 18 Lines	enum ipfw_opcodes { /* arguments (4 byte each) */
O_TAG, /* arg1=tag number */		O_TAG, /* arg1=tag number */
O_TAGGED, /* arg1=tag number */		O_TAGGED, /* arg1=tag number */

O_SETFIB, /* arg1=FIB number */		O_SETFIB, /* arg1=FIB number */
O_FIB, /* arg1=FIB desired fib number */		O_FIB, /* arg1=FIB desired fib number */

O_SOCKARG, /* socket argument */		O_SOCKARG, /* socket argument */

O_CALLRETURN, /* arg1=called rule number */		O_CALLRETURN, /* v0:arg1=called rule number */
		/* v1:kidx=called rule number */

O_FORWARD_IP6, /* fwd sockaddr_in6 */		O_FORWARD_IP6, /* fwd sockaddr_in6 */

O_DSCP, /* 2 u32 = DSCP mask */		O_DSCP, /* 2 u32 = DSCP mask */
O_SETDSCP, /* arg1=DSCP value */		O_SETDSCP, /* arg1=DSCP value */
O_IP_FLOW_LOOKUP, /* arg1=table number, u32=value */		O_IP_FLOW_LOOKUP, /* v0:arg1=table number, u32=value */
		/* v1:kidx=name, u32=value */

O_EXTERNAL_ACTION, /* arg1=id of external action handler */		O_EXTERNAL_ACTION, /* v0:arg1=id of external action handler */
O_EXTERNAL_INSTANCE, /* arg1=id of eaction handler instance */		/* v1:kidx=id of external action handler */
		O_EXTERNAL_INSTANCE, /* v0:arg1=id of eaction handler instance */
		/* v1:kidx=id of eaction handler instance */
O_EXTERNAL_DATA, /* variable length data */		O_EXTERNAL_DATA, /* variable length data */

O_SKIP_ACTION, /* none */		O_SKIP_ACTION, /* none */
O_TCPMSS, /* arg1=MSS value */		O_TCPMSS, /* arg1=MSS value */

O_MAC_SRC_LOOKUP, /* arg1=table number, u32=value */		O_MAC_SRC_LOOKUP, /* kidx=name, u32=value, arg1=key */
O_MAC_DST_LOOKUP, /* arg1=table number, u32=value */		O_MAC_DST_LOOKUP, /* kidx=name, u32=value, arg1=key */

O_SETMARK, /* u32 = value */		O_SETMARK, /* u32 = value */
O_MARK, /* 2 u32 = value, bitmask */		O_MARK, /* 2 u32 = value, bitmask */

O_LAST_OPCODE /* not an opcode! */		O_LAST_OPCODE /* not an opcode! */
};		};

/*		/*
* Defines key types used by lookup instruction
*/
enum ipfw_table_lookup_type {
LOOKUP_DST_IP,
LOOKUP_SRC_IP,
LOOKUP_DST_PORT,
LOOKUP_SRC_PORT,
LOOKUP_UID,
LOOKUP_JAIL,
LOOKUP_DSCP,
LOOKUP_DST_MAC,
LOOKUP_SRC_MAC,
LOOKUP_MARK,
};

/*
* The extension header are filtered only for presence using a bit		* The extension header are filtered only for presence using a bit
* vector with a flag for each header.		* vector with a flag for each header.
*/		*/
#define EXT_FRAGMENT 0x1		#define EXT_FRAGMENT 0x1
#define EXT_HOPOPTS 0x2		#define EXT_HOPOPTS 0x2
#define EXT_ROUTING 0x4		#define EXT_ROUTING 0x4
#define EXT_AH 0x8		#define EXT_AH 0x8
#define EXT_ESP 0x10		#define EXT_ESP 0x10
▲ Show 20 Lines • Show All 57 Lines • ▼ Show 20 Lines
* This is used to store an array of 32-bit entries		* This is used to store an array of 32-bit entries
* (uid, single IPv4 addresses etc.)		* (uid, single IPv4 addresses etc.)
*/		*/
typedef struct _ipfw_insn_u32 {		typedef struct _ipfw_insn_u32 {
ipfw_insn o;		ipfw_insn o;
u_int32_t d[1]; /* one or more */		u_int32_t d[1]; /* one or more */
} ipfw_insn_u32;		} ipfw_insn_u32;

		typedef struct _ipfw_insn_kidx {
		ipfw_insn o;
		uint32_t kidx;
		} ipfw_insn_kidx;

/*		/*
* This is used to store IP addr-mask pairs.		* This is used to store IP addr-mask pairs.
*/		*/
typedef struct _ipfw_insn_ip {		typedef struct _ipfw_insn_ip {
ipfw_insn o;		ipfw_insn o;
struct in_addr addr;		struct in_addr addr;
struct in_addr mask;		struct in_addr mask;
} ipfw_insn_ip;		} ipfw_insn_ip;

		typedef struct _ipfw_insn_table {
		ipfw_insn o; /* arg1 is optional lookup key */
		uint32_t kidx; /* table name index */
		uint32_t value; /* table value */
		} ipfw_insn_table;

		#define IPFW_LOOKUP_TYPE_MASK 0x00FF
		#define IPFW_LOOKUP_TYPE(insn) ((insn)->arg1 & IPFW_LOOKUP_TYPE_MASK)
		#define IPFW_SET_LOOKUP_TYPE(insn, type) do { \
		(insn)->arg1 &= ~IPFW_LOOKUP_TYPE_MASK; \
		(insn)->arg1 \|= (type) & IPFW_LOOKUP_TYPE_MASK; \
		} while (0)

/*		/*
		* Defines key types used by lookup instruction
		*/
		enum ipfw_table_lookup_type {
		LOOKUP_NONE = 0,
		LOOKUP_DST_IP,
		LOOKUP_SRC_IP,
		LOOKUP_DST_PORT,
		LOOKUP_SRC_PORT,
		LOOKUP_UID,
		LOOKUP_JAIL,
		LOOKUP_DSCP,
		LOOKUP_DST_MAC,
		LOOKUP_SRC_MAC,
		LOOKUP_MARK,
		LOOKUP_RULENUM,
		};

		enum ipfw_return_type {
		RETURN_NEXT_RULENUM = 0,
		RETURN_NEXT_RULE,
		};

		enum ipfw_skipto_cache_op {
		SKIPTO_CACHE_DISABLE = 0,
		SKIPTO_CACHE_ENABLE,
		};

		/*
* This is used to forward to a given address (ip).		* This is used to forward to a given address (ip).
*/		*/
typedef struct _ipfw_insn_sa {		typedef struct _ipfw_insn_sa {
ipfw_insn o;		ipfw_insn o;
struct sockaddr_in sa;		struct sockaddr_in sa;
} ipfw_insn_sa;		} ipfw_insn_sa;

/*		/*
Show All 16 Lines
/*		/*
* This is used for interface match rules (recv xx, xmit xx).		* This is used for interface match rules (recv xx, xmit xx).
*/		*/
typedef struct _ipfw_insn_if {		typedef struct _ipfw_insn_if {
ipfw_insn o;		ipfw_insn o;
union {		union {
struct in_addr ip;		struct in_addr ip;
int glob;		int glob;
uint16_t kidx;		uint16_t kidx_v0;
		uint32_t kidx;
} p;		} p;
char name[IFNAMSIZ];		char name[IFNAMSIZ];
} ipfw_insn_if;		} ipfw_insn_if;

/*		/*
* This is used for storing an altq queue id number.		* This is used for storing an altq queue id number.
*/		*/
typedef struct _ipfw_insn_altq {		typedef struct _ipfw_insn_altq {
ipfw_insn o;		ipfw_insn o;
u_int32_t qid;		u_int32_t qid;
} ipfw_insn_altq;		} ipfw_insn_altq;

/*		/*
* This is used for limit rules.		* This is used for limit rules.
*/		*/
typedef struct _ipfw_insn_limit {		typedef struct _ipfw_insn_limit {
ipfw_insn o;		ipfw_insn o;
		u_int32_t kidx;
u_int8_t _pad;		u_int8_t _pad;
u_int8_t limit_mask; /* combination of DYN_* below */		u_int8_t limit_mask; /* combination of DYN_* below */
#define DYN_SRC_ADDR 0x1		#define DYN_SRC_ADDR 0x1
#define DYN_SRC_PORT 0x2		#define DYN_SRC_PORT 0x2
#define DYN_DST_ADDR 0x4		#define DYN_DST_ADDR 0x4
#define DYN_DST_PORT 0x8		#define DYN_DST_PORT 0x8

u_int16_t conn_limit;		u_int16_t conn_limit;
} ipfw_insn_limit;		} ipfw_insn_limit;

		/* MAC/InfiniBand/etc address length */
		#define IPFW_MAX_L2_ADDR_LEN 20

/*		/*
* This is used for log instructions.		* This is used for log instructions.
*/		*/
typedef struct _ipfw_insn_log {		typedef struct _ipfw_insn_log {
ipfw_insn o;		ipfw_insn o;
u_int32_t max_log; /* how many do we log -- 0 = all */		u_int32_t max_log; /* how many do we log -- 0 = all */
u_int32_t log_left; /* how many left to log */		u_int32_t log_left; /* how many left to log */
} ipfw_insn_log;		} ipfw_insn_log;

		/* ipfw_insn_log->o.arg1 bitmasks */
		#define IPFW_LOG_DEFAULT 0x0000
		#define IPFW_LOG_SYSLOG (1 << 15)
		#define IPFW_LOG_IPFW0 (1 << 14)
		#define IPFW_LOG_RTSOCK (1 << 13)

		typedef struct _ipfwlog_rtsock_hdr_v2 {
		uint32_t rulenum;
		uint32_t tablearg;
		ipfw_insn cmd;
		u_char ether_shost[IPFW_MAX_L2_ADDR_LEN];
		u_char ether_dhost[IPFW_MAX_L2_ADDR_LEN];
		uint32_t mark;
		char comment[0];
		} ipfwlog_rtsock_hdr_v2;

/* Legacy NAT structures, compat only */		/* Legacy NAT structures, compat only */
#ifndef _KERNEL		#ifndef _KERNEL
/*		/*
* Data structures required by both ipfw(8) and ipfw(4) but not part of the		* Data structures required by both ipfw(8) and ipfw(4) but not part of the
* management API are protected by IPFW_INTERNAL.		* management API are protected by IPFW_INTERNAL.
*/		*/
#ifdef IPFW_INTERNAL		#ifdef IPFW_INTERNAL
/* Server pool support (LSNAT). */		/* Server pool support (LSNAT). */
▲ Show 20 Lines • Show All 117 Lines • ▼ Show 20 Lines	typedef struct _ipfw_insn_icmp6 {
ipfw_insn o;		ipfw_insn o;
uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h		uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h
* define ICMP6_MAXTYPE		* define ICMP6_MAXTYPE
* as follows: n = ICMP6_MAXTYPE/32 + 1		* as follows: n = ICMP6_MAXTYPE/32 + 1
* Actually is 203		* Actually is 203
*/		*/
} ipfw_insn_icmp6;		} ipfw_insn_icmp6;

		/* Convert pointer to instruction with specified type */
		#define insntod(p, type) ((ipfw_insn_ ## type *)(p))
		#define insntoc(p, type) ((const ipfw_insn_ ## type *)(p))

/*		/*
* Here we have the structure representing an ipfw rule.		* Here we have the structure representing an ipfw rule.
*		*
* Layout:		* Layout:
* struct ip_fw_rule		* struct ip_fw_rule
* [ counter block, size = rule->cntr_len ]		* [ counter block, size = rule->cntr_len ]
* [ one or more instructions, size = rule->cmd_len * 4 ]		* [ one or more instructions, size = rule->cmd_len * 4 ]
*		*
▲ Show 20 Lines • Show All 99 Lines • ▼ Show 20 Lines
#endif		#endif

#define IS_IP4_FLOW_ID(id) ((id)->addr_type == 4)		#define IS_IP4_FLOW_ID(id) ((id)->addr_type == 4)
#define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6)		#define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6)

/*		/*
* Dynamic ipfw rule.		* Dynamic ipfw rule.
*/		*/
typedef struct _ipfw_dyn_rule ipfw_dyn_rule;		#define IPFW_DYN_ORPHANED 0x40000 /* state's parent rule was deleted */

struct _ipfw_dyn_rule {		typedef struct _ipfw_dyn_rule {
ipfw_dyn_rule next; / linked list of rules. */
struct ip_fw rule; / pointer to rule */
/* 'rule' is used to pass up the rule number (from the parent) */

ipfw_dyn_rule parent; / pointer to parent rule */
u_int64_t pcnt; /* packet match counter */
u_int64_t bcnt; /* byte match counter */
struct ipfw_flow_id id; /* (masked) flow id */		struct ipfw_flow_id id; /* (masked) flow id */
u_int32_t expire; /* expire time */		uint8_t set;
u_int32_t bucket; /* which bucket in hash table */		uint8_t type; /* rule type */
u_int32_t state; /* state of this rule (typically a		uint16_t pad;
		uint32_t expire; /* expire time */
		uint32_t rulenum; /* parent's rule number */
		uint32_t kidx; /* index of named object */
		uint64_t pcnt; /* packet match counter */
		uint64_t bcnt; /* byte match counter */
		uint32_t hashval; /* hash value */
		union {
		uint32_t state; /* state of this rule (typically a
* combination of TCP flags)		* combination of TCP flags)
*/		*/
#define IPFW_DYN_ORPHANED 0x40000 /* state's parent rule was deleted */		uint32_t count; /* number of linked states */
u_int32_t ack_fwd; /* most recent ACKs in forward */		};
u_int32_t ack_rev; /* and reverse directions (used */		uint32_t ack_fwd; /* most recent ACKs in forward */
		uint32_t ack_rev; /* and reverse directions (used */
/* to generate keepalives) */		/* to generate keepalives) */
u_int16_t dyn_type; /* rule type */		} __packed __aligned(8) ipfw_dyn_rule;
u_int16_t count; /* refcount */
u_int16_t kidx; /* index of named object */
} __packed __aligned(8);

/*		/*
* Definitions for IP option names.		* Definitions for IP option names.
*/		*/
#define IP_FW_IPOPT_LSRR 0x01		#define IP_FW_IPOPT_LSRR 0x01
#define IP_FW_IPOPT_SSRR 0x02		#define IP_FW_IPOPT_SSRR 0x02
#define IP_FW_IPOPT_RR 0x04		#define IP_FW_IPOPT_RR 0x04
#define IP_FW_IPOPT_TS 0x08		#define IP_FW_IPOPT_TS 0x08
Show All 35 Lines
#define IPFW_VTYPE_TAG 0x00000020 /* tag/untag */		#define IPFW_VTYPE_TAG 0x00000020 /* tag/untag */
#define IPFW_VTYPE_DIVERT 0x00000040 /* divert/tee */		#define IPFW_VTYPE_DIVERT 0x00000040 /* divert/tee */
#define IPFW_VTYPE_NETGRAPH 0x00000080 /* netgraph/ngtee */		#define IPFW_VTYPE_NETGRAPH 0x00000080 /* netgraph/ngtee */
#define IPFW_VTYPE_LIMIT 0x00000100 /* limit */		#define IPFW_VTYPE_LIMIT 0x00000100 /* limit */
#define IPFW_VTYPE_NH4 0x00000200 /* IPv4 nexthop */		#define IPFW_VTYPE_NH4 0x00000200 /* IPv4 nexthop */
#define IPFW_VTYPE_NH6 0x00000400 /* IPv6 nexthop */		#define IPFW_VTYPE_NH6 0x00000400 /* IPv6 nexthop */
#define IPFW_VTYPE_MARK 0x00000800 /* [fw]mark */		#define IPFW_VTYPE_MARK 0x00000800 /* [fw]mark */

/* MAC/InfiniBand/etc address length */
#define IPFW_MAX_L2_ADDR_LEN 20

typedef struct _ipfw_table_entry {
in_addr_t addr; /* network address */
u_int32_t value; /* value */
u_int16_t tbl; /* table number */
u_int8_t masklen; /* mask length */
} ipfw_table_entry;

typedef struct _ipfw_table_xentry {		typedef struct _ipfw_table_xentry {
uint16_t len; /* Total entry length */		uint16_t len; /* Total entry length */
uint8_t type; /* entry type */		uint8_t type; /* entry type */
uint8_t masklen; /* mask length */		uint8_t masklen; /* mask length */
uint16_t tbl; /* table number */		uint16_t tbl; /* table number */
uint16_t flags; /* record flags */		uint16_t flags; /* record flags */
uint32_t value; /* value */		uint32_t value; /* value */
union {		union {
/* Longest field needs to be aligned by 4-byte boundary */		/* Longest field needs to be aligned by 4-byte boundary */
struct in6_addr addr6; /* IPv6 address */		struct in6_addr addr6; /* IPv6 address */
char iface[IF_NAMESIZE]; /* interface name */		char iface[IF_NAMESIZE]; /* interface name */
} k;		} k;
} ipfw_table_xentry;		} ipfw_table_xentry;
#define IPFW_TCF_INET 0x01 /* CIDR flags: IPv4 record */		#define IPFW_TCF_INET 0x01 /* CIDR flags: IPv4 record */

typedef struct _ipfw_table {
u_int32_t size; /* size of entries in bytes */
u_int32_t cnt; /* # of entries */
u_int16_t tbl; /* table number */
ipfw_table_entry ent[0]; /* entries */
} ipfw_table;

typedef struct _ipfw_xtable {		typedef struct _ipfw_xtable {
ip_fw3_opheader opheader; /* IP_FW3 opcode */		ip_fw3_opheader opheader; /* IP_FW3 opcode */
uint32_t size; /* size of entries in bytes */		uint32_t size; /* size of entries in bytes */
uint32_t cnt; /* # of entries */		uint32_t cnt; /* # of entries */
uint16_t tbl; /* table number */		uint16_t tbl; /* table number */
uint8_t type; /* table type */		uint8_t type; /* table type */
ipfw_table_xentry xent[0]; /* entries */		ipfw_table_xentry xent[0]; /* entries */
} ipfw_xtable;		} ipfw_xtable;
Show All 23 Lines
typedef struct _ipfw_obj_data {		typedef struct _ipfw_obj_data {
ipfw_obj_tlv head;		ipfw_obj_tlv head;
void *data[0];		void *data[0];
} ipfw_obj_data;		} ipfw_obj_data;

/* Object name TLV */		/* Object name TLV */
typedef struct _ipfw_obj_ntlv {		typedef struct _ipfw_obj_ntlv {
ipfw_obj_tlv head; /* TLV header */		ipfw_obj_tlv head; /* TLV header */
uint16_t idx; /* Name index */		uint32_t idx; /* Name index */
uint8_t set; /* set, if applicable */		uint8_t set; /* set, if applicable */
uint8_t type; /* object type, if applicable */		uint8_t type; /* object type, if applicable */
uint32_t spare; /* unused */		uint16_t spare; /* unused */
char name[64]; /* Null-terminated name */		char name[64]; /* Null-terminated name */
} ipfw_obj_ntlv;		} ipfw_obj_ntlv;

/* IPv4/IPv6 L4 flow description */		/* IPv4/IPv6 L4 flow description */
struct tflow_entry {		struct tflow_entry {
uint8_t af;		uint8_t af;
uint8_t proto;		uint8_t proto;
uint16_t spare;		uint16_t spare;
uint16_t sport;		uint16_t sport;
uint16_t dport;		uint16_t dport;
union {		union {
struct {		struct {
struct in_addr sip;		struct in_addr sip;
struct in_addr dip;		struct in_addr dip;
} a4;		} a4;
struct {		struct {
struct in6_addr sip6;		struct in6_addr sip6;
struct in6_addr dip6;		struct in6_addr dip6;
} a6;		} a6;
} a;		} a;
};		};

		#define IPFW_TVALUE_TYPE_MASK 0xFF00
		#define IPFW_TVALUE_TYPE(insn) (((insn)->arg1 & IPFW_TVALUE_TYPE_MASK) >> 8)
		#define IPFW_SET_TVALUE_TYPE(insn, type) do { \
		(insn)->arg1 &= ~IPFW_TVALUE_TYPE_MASK; \
		(insn)->arg1 \|= ((type) << 8) & IPFW_TVALUE_TYPE_MASK; \
		} while (0)

		enum ipfw_table_value_type {
		TVALUE_TAG = 0,
		TVALUE_PIPE,
		TVALUE_DIVERT,
		TVALUE_SKIPTO,
		TVALUE_NETGRAPH,
		TVALUE_FIB,
		TVALUE_NAT,
		TVALUE_NH4,
		TVALUE_DSCP,
		TVALUE_LIMIT,
		TVALUE_MARK,
		};

/* 64-byte structure representing multi-field table value */		/* 64-byte structure representing multi-field table value */
typedef struct _ipfw_table_value {		typedef struct _ipfw_table_value {
uint32_t tag; /* O_TAG/O_TAGGED */		uint32_t tag; /* O_TAG/O_TAGGED */
uint32_t pipe; /* O_PIPE/O_QUEUE */		uint16_t pipe; /* O_PIPE/O_QUEUE */
uint16_t divert; /* O_DIVERT/O_TEE */		uint16_t divert; /* O_DIVERT/O_TEE */
uint16_t skipto; /* skipto, CALLRET */		uint32_t skipto; /* skipto, CALLRET */
uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */		uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */
uint32_t fib; /* O_SETFIB */
uint32_t nat; /* O_NAT */		uint32_t nat; /* O_NAT */
uint32_t nh4;		uint32_t nh4;
		uint16_t fib; /* O_SETFIB */
uint8_t dscp;		uint8_t dscp;
uint8_t spare0;		uint8_t spare0;
uint16_t kidx; /* value kernel index */		uint32_t kidx; /* value kernel index */
struct in6_addr nh6;		struct in6_addr nh6;
uint32_t limit; /* O_LIMIT */		uint32_t limit; /* O_LIMIT */
uint32_t zoneid; /* scope zone id for nh6 */		uint32_t zoneid; /* scope zone id for nh6 */
uint32_t mark; /* O_SETMARK/O_MARK */		uint32_t mark; /* O_SETMARK/O_MARK */
uint32_t refcnt; /* XXX 64-bit in kernel */		uint32_t refcnt; /* XXX 64-bit in kernel */
} ipfw_table_value;		} ipfw_table_value;

/* Table entry TLV */		/* Table entry TLV */
typedef struct _ipfw_obj_tentry {		typedef struct _ipfw_obj_tentry {
ipfw_obj_tlv head; /* TLV header */		ipfw_obj_tlv head; /* TLV header */
uint8_t subtype; /* subtype (IPv4,IPv6) */		uint8_t subtype; /* subtype (IPv4,IPv6) */
uint8_t masklen; /* mask length */		uint8_t masklen; /* mask length */
uint8_t result; /* request result */		uint8_t result; /* request result */
uint8_t spare0;		uint8_t spare0;
uint16_t idx; /* Table name index */		uint32_t idx; /* Table name index */
uint16_t spare1;
union {		union {
/* Longest field needs to be aligned by 8-byte boundary */		/* Longest field needs to be aligned by 8-byte boundary */
struct in_addr addr; /* IPv4 address */		struct in_addr addr; /* IPv4 address */
uint32_t key; /* uid/gid/port */		uint32_t key; /* uid/gid/port */
struct in6_addr addr6; /* IPv6 address */		struct in6_addr addr6; /* IPv6 address */
char iface[IF_NAMESIZE]; /* interface name */		char iface[IF_NAMESIZE]; /* interface name */
u_char mac[IPFW_MAX_L2_ADDR_LEN]; /* MAC address */		u_char mac[IPFW_MAX_L2_ADDR_LEN]; /* MAC address */
struct tflow_entry flow;		struct tflow_entry flow;
Show All 30 Lines	typedef struct _ipfw_obj_ctlv {
uint8_t version; /* TLV version */		uint8_t version; /* TLV version */
uint8_t flags; /* TLV-specific flags */		uint8_t flags; /* TLV-specific flags */
} ipfw_obj_ctlv;		} ipfw_obj_ctlv;

/* Range TLV */		/* Range TLV */
typedef struct _ipfw_range_tlv {		typedef struct _ipfw_range_tlv {
ipfw_obj_tlv head; /* TLV header */		ipfw_obj_tlv head; /* TLV header */
uint32_t flags; /* Range flags */		uint32_t flags; /* Range flags */
uint16_t start_rule; /* Range start */		uint32_t start_rule; /* Range start */
uint16_t end_rule; /* Range end */		uint32_t end_rule; /* Range end */
uint32_t set; /* Range set to match */		uint32_t set; /* Range set to match */
uint32_t new_set; /* New set to move/swap to */		uint32_t new_set; /* New set to move/swap to */
} ipfw_range_tlv;		} ipfw_range_tlv;
#define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */		#define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */
#define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */		#define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */
#define IPFW_RCFLAG_SET 0x04 /* match rules in given set */		#define IPFW_RCFLAG_SET 0x04 /* match rules in given set */
#define IPFW_RCFLAG_DYNAMIC 0x08 /* match only dynamic states */		#define IPFW_RCFLAG_DYNAMIC 0x08 /* match only dynamic states */
/* User-settable flags */		/* User-settable flags */
▲ Show 20 Lines • Show All 67 Lines • ▼ Show 20 Lines	typedef struct _ipfw_ta_info {
char algoname[64]; /* algorithm name */		char algoname[64]; /* algorithm name */
uint32_t type; /* lookup type */		uint32_t type; /* lookup type */
uint32_t flags;		uint32_t flags;
uint32_t refcnt;		uint32_t refcnt;
uint32_t spare0;		uint32_t spare0;
uint64_t spare1;		uint64_t spare1;
} ipfw_ta_info;		} ipfw_ta_info;

		typedef struct _ipfw_cmd_header { /* control command header */
		ip_fw3_opheader opheader; /* IP_FW3 opcode */
		uint32_t size; /* Total size (incl. header) */
		uint32_t cmd; /* command */
		} ipfw_cmd_header;

typedef struct _ipfw_obj_header {		typedef struct _ipfw_obj_header {
ip_fw3_opheader opheader; /* IP_FW3 opcode */		ip_fw3_opheader opheader; /* IP_FW3 opcode */
uint32_t spare;		uint32_t idx; /* object name index */
uint16_t idx; /* object name index */		uint16_t spare;
uint8_t objtype; /* object type */		uint8_t objtype; /* object type */
uint8_t objsubtype; /* object subtype */		uint8_t objsubtype; /* object subtype */
ipfw_obj_ntlv ntlv; /* object name tlv */		ipfw_obj_ntlv ntlv; /* object name tlv */
} ipfw_obj_header;		} ipfw_obj_header;

typedef struct _ipfw_obj_lheader {		typedef struct _ipfw_obj_lheader {
ip_fw3_opheader opheader; /* IP_FW3 opcode */		ip_fw3_opheader opheader; /* IP_FW3 opcode */
uint32_t set_mask; /* disabled set mask */		uint32_t set_mask; /* disabled set mask */
Show All 32 Lines