#ifndef __IP_FIL_H__
#define __IP_FIL_H__
#include "netinet/ip_compat.h"
#include <sys/zone.h>
#ifdef SOLARIS
#undef SOLARIS
#endif
#if (defined(sun) && (defined(__svr4__) || defined(__SVR4)))
#define SOLARIS (1)
#else
#define SOLARIS (0)
#endif
#ifndef __P
# ifdef __STDC__
# define __P(x) x
# else
# define __P(x) ()
# endif
#endif
#if defined(__STDC__) || defined(__GNUC__) || defined(_AIX51)
# define SIOCADAFR _IOW('r', 60, struct ipfobj)
# define SIOCRMAFR _IOW('r', 61, struct ipfobj)
# define SIOCSETFF _IOW('r', 62, u_int)
# define SIOCGETFF _IOR('r', 63, u_int)
# define SIOCGETFS _IOWR('r', 64, struct ipfobj)
# define SIOCIPFFL _IOWR('r', 65, int)
# define SIOCIPFFB _IOR('r', 66, int)
# define SIOCADIFR _IOW('r', 67, struct ipfobj)
# define SIOCRMIFR _IOW('r', 68, struct ipfobj)
# define SIOCSWAPA _IOR('r', 69, u_int)
# define SIOCINAFR _IOW('r', 70, struct ipfobj)
# define SIOCINIFR _IOW('r', 71, struct ipfobj)
# define SIOCFRENB _IOW('r', 72, u_int)
# define SIOCFRSYN _IOW('r', 73, u_int)
# define SIOCFRZST _IOWR('r', 74, struct ipfobj)
# define SIOCZRLST _IOWR('r', 75, struct ipfobj)
# define SIOCAUTHW _IOWR('r', 76, struct ipfobj)
# define SIOCAUTHR _IOWR('r', 77, struct ipfobj)
# define SIOCATHST _IOWR('r', 78, struct ipfobj)
# define SIOCSTLCK _IOWR('r', 79, u_int)
# define SIOCSTPUT _IOWR('r', 80, struct ipfobj)
# define SIOCSTGET _IOWR('r', 81, struct ipfobj)
# define SIOCSTGSZ _IOWR('r', 82, struct ipfobj)
# define SIOCGFRST _IOWR('r', 83, struct ipfobj)
# define SIOCSETLG _IOWR('r', 84, int)
# define SIOCGETLG _IOWR('r', 85, int)
# define SIOCFUNCL _IOWR('r', 86, struct ipfunc_resolve)
# define SIOCIPFGETNEXT _IOWR('r', 87, struct ipfobj)
# define SIOCIPFGET _IOWR('r', 88, struct ipfobj)
# define SIOCIPFSET _IOWR('r', 89, struct ipfobj)
# define SIOCIPFL6 _IOWR('r', 90, int)
# define SIOCIPFLP _IOWR('r', 91, int)
# define SIOCIPFITER _IOWR('r', 92, struct ipfobj)
# define SIOCGENITER _IOWR('r', 93, struct ipfobj)
# define SIOCGTABL _IOWR('r', 94, struct ipfobj)
# define SIOCIPFDELTOK _IOWR('r', 95, int)
# define SIOCLOOKUPITER _IOWR('r', 96, struct ipfobj)
#else
# define SIOCADAFR _IOW(r, 60, struct ipfobj)
# define SIOCRMAFR _IOW(r, 61, struct ipfobj)
# define SIOCSETFF _IOW(r, 62, u_int)
# define SIOCGETFF _IOR(r, 63, u_int)
# define SIOCGETFS _IOWR(r, 64, struct ipfobj)
# define SIOCIPFFL _IOWR(r, 65, int)
# define SIOCIPFFB _IOR(r, 66, int)
# define SIOCADIFR _IOW(r, 67, struct ipfobj)
# define SIOCRMIFR _IOW(r, 68, struct ipfobj)
# define SIOCSWAPA _IOR(r, 69, u_int)
# define SIOCINAFR _IOW(r, 70, struct ipfobj)
# define SIOCINIFR _IOW(r, 71, struct ipfobj)
# define SIOCFRENB _IOW(r, 72, u_int)
# define SIOCFRSYN _IOW(r, 73, u_int)
# define SIOCFRZST _IOWR(r, 74, struct ipfobj)
# define SIOCZRLST _IOWR(r, 75, struct ipfobj)
# define SIOCAUTHW _IOWR(r, 76, struct ipfobj)
# define SIOCAUTHR _IOWR(r, 77, struct ipfobj)
# define SIOCATHST _IOWR(r, 78, struct ipfobj)
# define SIOCSTLCK _IOWR(r, 79, u_int)
# define SIOCSTPUT _IOWR(r, 80, struct ipfobj)
# define SIOCSTGET _IOWR(r, 81, struct ipfobj)
# define SIOCSTGSZ _IOWR(r, 82, struct ipfobj)
# define SIOCGFRST _IOWR(r, 83, struct ipfobj)
# define SIOCSETLG _IOWR(r, 84, int)
# define SIOCGETLG _IOWR(r, 85, int)
# define SIOCFUNCL _IOWR(r, 86, struct ipfunc_resolve)
# define SIOCIPFGETNEXT _IOWR(r, 87, struct ipfobj)
# define SIOCIPFGET _IOWR(r, 88, struct ipfobj)
# define SIOCIPFSET _IOWR(r, 89, struct ipfobj)
# define SIOCIPFL6 _IOWR(r, 90, int)
# define SIOCIPFLP _IOWR(r, 91, int)
# define SIOCIPFITER _IOWR(r, 92, struct ipfobj)
# define SIOCGENITER _IOWR(r, 93, struct ipfobj)
# define SIOCGTABL _IOWR(r, 94, struct ipfobj)
# define SIOCIPFDELTOK _IOWR(r, 95, int)
# define SIOCLOOKUPITER _IOWR(r, 96, struct ipfobj)
#endif
#define SIOCADDFR SIOCADAFR
#define SIOCDELFR SIOCRMAFR
#define SIOCINSFR SIOCINAFR
# define SIOCIPFZONESET _IOWR('r', 97, struct ipfzoneobj)
#define NAT_FLUSH 1
#define STATE_FLUSH 2
#define FLUSH_LIST 0
#define FLUSH_TABLE_ALL 1
#define FLUSH_TABLE_CLOSING 2
#define FLUSH_TABLE_EXTRA 3
#define VALID_TABLE_FLUSH_OPT(x) ((x) >= 1 && (x) <= 3)
#define NAT_FLUSH_HI 95
#define NAT_FLUSH_LO 75
#define ST_FLUSH_HI 95
#define ST_FLUSH_LO 75
#define NAT_TAB_WATER_LEVEL(x) ((x)->ifs_nat_stats.ns_inuse * 100 \
/ (x)->ifs_ipf_nattable_max)
#define ST_TAB_WATER_LEVEL(x) ((x)->ifs_ips_num * 100 \
/ (x)->ifs_fr_statemax)
struct ipscan;
struct ifnet;
typedef struct ipf_stack ipf_stack_t;
typedef struct fr_info fr_info_t;
typedef int (* lookupfunc_t) __P((void *, int, void *, fr_info_t *, ipf_stack_t *));
#ifdef USE_INET6
typedef union i6addr {
u_32_t i6[4];
struct in_addr in4;
struct in6_addr in6;
void *vptr[2];
lookupfunc_t lptr[2];
} i6addr_t;
#define in6_addr8 in6.s6_addr
#else
typedef union i6addr {
u_32_t i6[4];
struct in_addr in4;
void *vptr[2];
lookupfunc_t lptr[2];
} i6addr_t;
#endif
#define in4_addr in4.s_addr
#define iplookupnum i6[0]
#define iplookuptype i6[1]
#define iplookupptr vptr[0]
#define iplookupfunc lptr[1]
#define I60(x) (((i6addr_t *)(x))->i6[0])
#define I61(x) (((i6addr_t *)(x))->i6[1])
#define I62(x) (((i6addr_t *)(x))->i6[2])
#define I63(x) (((i6addr_t *)(x))->i6[3])
#define HI60(x) ntohl(((i6addr_t *)(x))->i6[0])
#define HI61(x) ntohl(((i6addr_t *)(x))->i6[1])
#define HI62(x) ntohl(((i6addr_t *)(x))->i6[2])
#define HI63(x) ntohl(((i6addr_t *)(x))->i6[3])
#define IP6_EQ(a,b) ((I63(a) == I63(b)) && (I62(a) == I62(b)) && \
(I61(a) == I61(b)) && (I60(a) == I60(b)))
#define IP6_NEQ(a,b) ((I63(a) != I63(b)) || (I62(a) != I62(b)) || \
(I61(a) != I61(b)) || (I60(a) != I60(b)))
#define IP6_ISZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) == 0)
#define IP6_NOTZERO(a) ((I60(a) | I61(a) | I62(a) | I63(a)) != 0)
#define IP6_ISONES(a) ((I63(a) == 0xffffffff) && (I62(a) == 0xffffffff) && \
(I61(a) == 0xffffffff) && (I60(a) == 0xffffffff))
#define IP6_GT(a,b) (ntohl(HI60(a)) > ntohl(HI60(b)) || \
(HI60(a) == HI60(b) && \
(ntohl(HI61(a)) > ntohl(HI61(b)) || \
(HI61(a) == HI61(b) && \
(ntohl(HI62(a)) > ntohl(HI62(b)) || \
(HI62(a) == HI62(b) && \
ntohl(HI63(a)) > ntohl(HI63(b))))))))
#define IP6_LT(a,b) (ntohl(HI60(a)) < ntohl(HI60(b)) || \
(HI60(a) == HI60(b) && \
(ntohl(HI61(a)) < ntohl(HI61(b)) || \
(HI61(a) == HI61(b) && \
(ntohl(HI62(a)) < ntohl(HI62(b)) || \
(HI62(a) == HI62(b) && \
ntohl(HI63(a)) < ntohl(HI63(b))))))))
#define NLADD(n,x) htonl(ntohl(n) + (x))
#define IP6_INC(a) \
{ i6addr_t *_i6 = (i6addr_t *)(a); \
_i6->i6[3] = NLADD(_i6->i6[3], 1); \
if (_i6->i6[3] == 0) { \
_i6->i6[2] = NLADD(_i6->i6[2], 1); \
if (_i6->i6[2] == 0) { \
_i6->i6[1] = NLADD(_i6->i6[1], 1); \
if (_i6->i6[1] == 0) { \
_i6->i6[0] = NLADD(_i6->i6[0], 1); \
} \
} \
} \
}
#define IP6_ADD(a,x,d) \
{ i6addr_t *_s = (i6addr_t *)(a); \
i6addr_t *_d = (i6addr_t *)(d); \
_d->i6[3] = NLADD(_s->i6[3], x); \
if (ntohl(_d->i6[3]) < ntohl(_s->i6[3])) { \
_d->i6[2] = NLADD(_d->i6[2], 1); \
if (ntohl(_d->i6[2]) < ntohl(_s->i6[2])) { \
_d->i6[1] = NLADD(_d->i6[1], 1); \
if (ntohl(_d->i6[1]) < ntohl(_s->i6[1])) { \
_d->i6[0] = NLADD(_d->i6[0], 1); \
} \
} \
} \
}
#define IP6_AND(a,b,d) { i6addr_t *_s1 = (i6addr_t *)(a); \
i6addr_t *_s2 = (i6addr_t *)(b); \
i6addr_t *_d = (i6addr_t *)(d); \
_d->i6[0] = _s1->i6[0] & _s2->i6[0]; \
_d->i6[1] = _s1->i6[1] & _s2->i6[1]; \
_d->i6[2] = _s1->i6[2] & _s2->i6[2]; \
_d->i6[3] = _s1->i6[3] & _s2->i6[3]; \
}
#define IP6_MASKEQ(a,m,b) \
(((I60(a) & I60(m)) == I60(b)) && \
((I61(a) & I61(m)) == I61(b)) && \
((I62(a) & I62(m)) == I62(b)) && \
((I63(a) & I63(m)) == I63(b)))
#define IP6_MASKNEQ(a,m,b) \
(((I60(a) & I60(m)) != I60(b)) || \
((I61(a) & I61(m)) != I61(b)) || \
((I62(a) & I62(m)) != I62(b)) || \
((I63(a) & I63(m)) != I63(b)))
#define IP6_MERGE(a,b,c) \
{ i6addr_t *_d, *_s1, *_s2; \
_d = (i6addr_t *)(a); \
_s1 = (i6addr_t *)(b); \
_s2 = (i6addr_t *)(c); \
_d->i6[0] |= _s1->i6[0] & ~_s2->i6[0]; \
_d->i6[1] |= _s1->i6[1] & ~_s2->i6[1]; \
_d->i6[2] |= _s1->i6[2] & ~_s2->i6[2]; \
_d->i6[3] |= _s1->i6[3] & ~_s2->i6[3]; \
}
typedef struct fr_ip {
u_32_t fi_v:4;
u_32_t fi_xx:4;
u_32_t fi_tos:8;
u_32_t fi_ttl:8;
u_32_t fi_p:8;
u_32_t fi_optmsk;
i6addr_t fi_src;
i6addr_t fi_dst;
u_short fi_secmsk;
u_short fi_auth;
u_32_t fi_flx;
u_32_t fi_tcpmsk;
u_32_t fi_res1;
} fr_ip_t;
#define FI_TCPUDP 0x0001
#define FI_OPTIONS 0x0002
#define FI_FRAG 0x0004
#define FI_SHORT 0x0008
#define FI_NATED 0x0010
#define FI_MULTICAST 0x0020
#define FI_BROADCAST 0x0040
#define FI_MBCAST 0x0080
#define FI_STATE 0x0100
#define FI_BADNAT 0x0200
#define FI_BAD 0x0400
#define FI_OOW 0x0800
#define FI_ICMPERR 0x1000
#define FI_FRAGBODY 0x2000
#define FI_BADSRC 0x4000
#define FI_LOWTTL 0x8000
#define FI_CMP 0xcf03
#define FI_ICMPCMP 0x0003
#define FI_WITH 0xeffe
#define FI_V6EXTHDR 0x10000
#define FI_COALESCE 0x20000
#define FI_ICMPQUERY 0x40000
#define FI_NEWNAT 0x80000
#define FI_MOREFRAG 0x100000
#define FI_GENERATED 0x200000
#define FI_NEG_OOW 0x10000000
#define FI_NOCKSUM 0x20000000
#define FI_DONTCACHE 0x40000000
#define FI_IGNORE 0x80000000
#define fi_saddr fi_src.in4.s_addr
#define fi_daddr fi_dst.in4.s_addr
#define fi_srcnum fi_src.iplookupnum
#define fi_dstnum fi_dst.iplookupnum
#define fi_srctype fi_src.iplookuptype
#define fi_dsttype fi_dst.iplookuptype
#define fi_srcptr fi_src.iplookupptr
#define fi_dstptr fi_dst.iplookupptr
#define fi_srcfunc fi_src.iplookupfunc
#define fi_dstfunc fi_dst.iplookupfunc
#define SI_W_SPORT 0x00000100
#define SI_W_DPORT 0x00000200
#define SI_WILDP (SI_W_SPORT|SI_W_DPORT)
#define SI_W_SADDR 0x00000400
#define SI_W_DADDR 0x00000800
#define SI_WILDA (SI_W_SADDR|SI_W_DADDR)
#define SI_NEWFR 0x00001000
#define SI_CLONE 0x00002000
#define SI_CLONED 0x00004000
struct fr_info {
void *fin_ifp;
fr_ip_t fin_fi;
union {
u_short fid_16[2];
u_32_t fid_32;
} fin_dat;
int fin_out;
int fin_rev;
u_short fin_hlen;
u_char fin_tcpf;
u_char fin_icode;
u_32_t fin_rule;
char fin_group[FR_GROUPLEN];
struct frentry *fin_fr;
void *fin_dp;
int fin_dlen;
int fin_plen;
int fin_ipoff;
u_32_t fin_id;
u_short fin_off;
int fin_depth;
int fin_error;
u_int fin_pktnum;
void *fin_nattag;
union {
ip_t *fip_ip;
#ifdef USE_INET6
ip6_t *fip_ip6;
#endif
} fin_ipu;
mb_t **fin_mp;
mb_t *fin_m;
#ifdef MENTAT
mb_t *fin_qfm;
void *fin_qpi;
ipf_stack_t *fin_ifs;
#endif
#ifdef __sgi
void *fin_hbuf;
#endif
};
#define fin_ip fin_ipu.fip_ip
#define fin_ip6 fin_ipu.fip_ip6
#define fin_v fin_fi.fi_v
#define fin_p fin_fi.fi_p
#define fin_flx fin_fi.fi_flx
#define fin_optmsk fin_fi.fi_optmsk
#define fin_secmsk fin_fi.fi_secmsk
#define fin_auth fin_fi.fi_auth
#define fin_src fin_fi.fi_src.in4
#define fin_saddr fin_fi.fi_saddr
#define fin_dst fin_fi.fi_dst.in4
#define fin_daddr fin_fi.fi_daddr
#define fin_data fin_dat.fid_16
#define fin_sport fin_dat.fid_16[0]
#define fin_dport fin_dat.fid_16[1]
#define fin_ports fin_dat.fid_32
#ifdef USE_INET6
# define fin_src6 fin_fi.fi_src
# define fin_dst6 fin_fi.fi_dst
# define fin_dstip6 fin_fi.fi_dst.in6
# define fin_srcip6 fin_fi.fi_src.in6
#endif
#define IPF_IN 0
#define IPF_OUT 1
typedef struct frentry *(*ipfunc_t) __P((fr_info_t *, u_32_t *));
typedef int (*ipfuncinit_t) __P((struct frentry *,
ipf_stack_t *));
typedef struct ipfunc_resolve {
char ipfu_name[32];
ipfunc_t ipfu_addr;
ipfuncinit_t ipfu_init;
} ipfunc_resolve_t;
#define FI_CSIZE offsetof(fr_info_t, fin_icode)
#define FI_LCSIZE offsetof(fr_info_t, fin_dp)
#define FI_COPYSIZE offsetof(fr_info_t, fin_dp)
#define IPFTAG_LEN 16
typedef struct {
union {
u_32_t iptu_num[4];
char iptu_tag[IPFTAG_LEN];
} ipt_un;
int ipt_not;
} ipftag_t;
#define ipt_tag ipt_un.iptu_tag
#define ipt_num ipt_un.iptu_num
typedef struct frdest {
void *fd_ifp;
i6addr_t fd_ip6;
char fd_ifname[LIFNAMSIZ];
} frdest_t;
#define fd_ip fd_ip6.in4
typedef struct frpcmp {
int frp_cmp;
u_short frp_port;
u_short frp_top;
} frpcmp_t;
#define FR_NONE 0
#define FR_EQUAL 1
#define FR_NEQUAL 2
#define FR_LESST 3
#define FR_GREATERT 4
#define FR_LESSTE 5
#define FR_GREATERTE 6
#define FR_OUTRANGE 7
#define FR_INRANGE 8
#define FR_INCRANGE 9
typedef struct frtuc {
u_char ftu_tcpfm;
u_char ftu_tcpf;
frpcmp_t ftu_src;
frpcmp_t ftu_dst;
} frtuc_t;
#define ftu_scmp ftu_src.frp_cmp
#define ftu_dcmp ftu_dst.frp_cmp
#define ftu_sport ftu_src.frp_port
#define ftu_dport ftu_dst.frp_port
#define ftu_stop ftu_src.frp_top
#define ftu_dtop ftu_dst.frp_top
#define FR_TCPFMAX 0x3f
typedef struct fripf {
fr_ip_t fri_ip;
fr_ip_t fri_mip;
u_short fri_icmpm;
u_short fri_icmp;
frtuc_t fri_tuc;
int fri_satype;
int fri_datype;
int fri_sifpidx;
int fri_difpidx;
} fripf_t;
#define fri_dstnum fri_ip.fi_dstnum
#define fri_srcnum fri_mip.fi_srcnum
#define fri_dstptr fri_ip.fi_dstptr
#define fri_srcptr fri_mip.fi_srcptr
#define FRI_NORMAL 0
#define FRI_DYNAMIC 1
#define FRI_LOOKUP 2
#define FRI_RANGE 3
#define FRI_NETWORK 4
#define FRI_BROADCAST 5
#define FRI_PEERADDR 6
#define FRI_NETMASKED 7
typedef struct frentry * (* frentfunc_t) __P((fr_info_t *));
typedef struct frentry {
ipfmutex_t fr_lock;
struct frentry *fr_next;
struct frentry **fr_grp;
struct ipscan *fr_isc;
void *fr_ifas[4];
void *fr_ptr;
char *fr_comment;
int fr_ref;
int fr_statecnt;
U_QUAD_T fr_hits;
U_QUAD_T fr_bytes;
struct timeval fr_lastpkt;
int fr_curpps;
union {
void *fru_data;
caddr_t fru_caddr;
fripf_t *fru_ipf;
frentfunc_t fru_func;
} fr_dun;
ipfunc_t fr_func;
int fr_dsize;
int fr_pps;
int fr_statemax;
int fr_flineno;
u_32_t fr_type;
u_32_t fr_flags;
u_32_t fr_logtag;
u_32_t fr_collect;
u_int fr_arg;
u_int fr_loglevel;
u_int fr_age[2];
u_char fr_v;
u_char fr_icode;
char fr_group[FR_GROUPLEN];
char fr_grhead[FR_GROUPLEN];
ipftag_t fr_nattag;
char fr_ifnames[4][LIFNAMSIZ];
char fr_isctag[16];
frdest_t fr_tifs[2];
frdest_t fr_dif;
u_int fr_cksum;
} frentry_t;
#define fr_caddr fr_dun.fru_caddr
#define fr_data fr_dun.fru_data
#define fr_dfunc fr_dun.fru_func
#define fr_ipf fr_dun.fru_ipf
#define fr_ip fr_ipf->fri_ip
#define fr_mip fr_ipf->fri_mip
#define fr_icmpm fr_ipf->fri_icmpm
#define fr_icmp fr_ipf->fri_icmp
#define fr_tuc fr_ipf->fri_tuc
#define fr_satype fr_ipf->fri_satype
#define fr_datype fr_ipf->fri_datype
#define fr_sifpidx fr_ipf->fri_sifpidx
#define fr_difpidx fr_ipf->fri_difpidx
#define fr_proto fr_ip.fi_p
#define fr_mproto fr_mip.fi_p
#define fr_ttl fr_ip.fi_ttl
#define fr_mttl fr_mip.fi_ttl
#define fr_tos fr_ip.fi_tos
#define fr_mtos fr_mip.fi_tos
#define fr_tcpfm fr_tuc.ftu_tcpfm
#define fr_tcpf fr_tuc.ftu_tcpf
#define fr_scmp fr_tuc.ftu_scmp
#define fr_dcmp fr_tuc.ftu_dcmp
#define fr_dport fr_tuc.ftu_dport
#define fr_sport fr_tuc.ftu_sport
#define fr_stop fr_tuc.ftu_stop
#define fr_dtop fr_tuc.ftu_dtop
#define fr_dst fr_ip.fi_dst.in4
#define fr_daddr fr_ip.fi_dst.in4.s_addr
#define fr_src fr_ip.fi_src.in4
#define fr_saddr fr_ip.fi_src.in4.s_addr
#define fr_dmsk fr_mip.fi_dst.in4
#define fr_dmask fr_mip.fi_dst.in4.s_addr
#define fr_smsk fr_mip.fi_src.in4
#define fr_smask fr_mip.fi_src.in4.s_addr
#define fr_dstnum fr_ip.fi_dstnum
#define fr_srcnum fr_ip.fi_srcnum
#define fr_dsttype fr_ip.fi_dsttype
#define fr_srctype fr_ip.fi_srctype
#define fr_dstptr fr_mip.fi_dstptr
#define fr_srcptr fr_mip.fi_srcptr
#define fr_dstfunc fr_mip.fi_dstfunc
#define fr_srcfunc fr_mip.fi_srcfunc
#define fr_optbits fr_ip.fi_optmsk
#define fr_optmask fr_mip.fi_optmsk
#define fr_secbits fr_ip.fi_secmsk
#define fr_secmask fr_mip.fi_secmsk
#define fr_authbits fr_ip.fi_auth
#define fr_authmask fr_mip.fi_auth
#define fr_flx fr_ip.fi_flx
#define fr_mflx fr_mip.fi_flx
#define fr_ifname fr_ifnames[0]
#define fr_oifname fr_ifnames[2]
#define fr_ifa fr_ifas[0]
#define fr_oifa fr_ifas[2]
#define fr_tif fr_tifs[0]
#define fr_rif fr_tifs[1]
#define FR_NOLOGTAG 0
#define FR_CMPSIZ (sizeof(struct frentry) - \
offsetof(struct frentry, fr_func))
#define FR_T_NONE 0
#define FR_T_IPF 1
#define FR_T_BPFOPC 2
#define FR_T_CALLFUNC 3
#define FR_T_COMPIPF 4
#define FR_T_BUILTIN 0x80000000
#define FR_CALL 0x00000
#define FR_BLOCK 0x00001
#define FR_PASS 0x00002
#define FR_AUTH 0x00003
#define FR_PREAUTH 0x00004
#define FR_ACCOUNT 0x00005
#define FR_SKIP 0x00006
#define FR_DIVERT 0x00007
#define FR_CMDMASK 0x0000f
#define FR_LOG 0x00010
#define FR_LOGB 0x00011
#define FR_LOGP 0x00012
#define FR_LOGMASK (FR_LOG|FR_CMDMASK)
#define FR_CALLNOW 0x00020
#define FR_NOTSRCIP 0x00040
#define FR_NOTDSTIP 0x00080
#define FR_QUICK 0x00100
#define FR_KEEPFRAG 0x00200
#define FR_KEEPSTATE 0x00400
#define FR_FASTROUTE 0x00800
#define FR_RETRST 0x01000
#define FR_RETICMP 0x02000
#define FR_FAKEICMP 0x03000
#define FR_OUTQUE 0x04000
#define FR_INQUE 0x08000
#define FR_LOGBODY 0x10000
#define FR_LOGFIRST 0x20000
#define FR_LOGORBLOCK 0x40000
#define FR_DUP 0x80000
#define FR_FRSTRICT 0x100000
#define FR_STSTRICT 0x200000
#define FR_NEWISN 0x400000
#define FR_NOICMPERR 0x800000
#define FR_STATESYNC 0x1000000
#define FR_NOMATCH 0x8000000
#define FR_COPIED 0x40000000
#define FR_INACTIVE 0x80000000
#define FR_RETMASK (FR_RETICMP|FR_RETRST|FR_FAKEICMP)
#define FR_ISBLOCK(x) (((x) & FR_CMDMASK) == FR_BLOCK)
#define FR_ISPASS(x) (((x) & FR_CMDMASK) == FR_PASS)
#define FR_ISAUTH(x) (((x) & FR_CMDMASK) == FR_AUTH)
#define FR_ISPREAUTH(x) (((x) & FR_CMDMASK) == FR_PREAUTH)
#define FR_ISACCOUNT(x) (((x) & FR_CMDMASK) == FR_ACCOUNT)
#define FR_ISSKIP(x) (((x) & FR_CMDMASK) == FR_SKIP)
#define FR_ISNOMATCH(x) ((x) & FR_NOMATCH)
#define FR_INOUT (FR_INQUE|FR_OUTQUE)
#define FF_LOGPASS 0x10000000
#define FF_LOGBLOCK 0x20000000
#define FF_LOGNOMATCH 0x40000000
#define FF_LOGGING (FF_LOGPASS|FF_LOGBLOCK|FF_LOGNOMATCH)
#define FF_BLOCKNONIP 0x80000000
typedef struct ipfflush {
int ipflu_how;
int ipflu_arg;
} ipfflush_t;
typedef struct ipfgetctl {
u_int ipfg_min;
u_int ipfg_current;
u_int ipfg_max;
u_int ipfg_default;
u_int ipfg_steps;
char ipfg_name[40];
} ipfgetctl_t;
typedef struct ipfsetctl {
int ipfs_which;
u_int ipfs_value;
char ipfs_name[40];
} ipfsetctl_t;
typedef struct filterstats {
u_long fr_pass;
u_long fr_block;
u_long fr_nom;
u_long fr_short;
u_long fr_ppkl;
u_long fr_bpkl;
u_long fr_npkl;
u_long fr_pkl;
u_long fr_skip;
u_long fr_ret;
u_long fr_acct;
u_long fr_bnfr;
u_long fr_nfr;
u_long fr_cfr;
u_long fr_bads;
u_long fr_ads;
u_long fr_chit;
u_long fr_tcpbad;
u_long fr_pull[2];
u_long fr_badsrc;
u_long fr_badttl;
u_long fr_bad;
u_long fr_ipv6;
u_long fr_ppshit;
u_long fr_ipud;
} filterstats_t;
typedef struct filter_kstats {
kstat_named_t fks_pass;
kstat_named_t fks_block;
kstat_named_t fks_nom;
kstat_named_t fks_short;
kstat_named_t fks_ppkl;
kstat_named_t fks_bpkl;
kstat_named_t fks_npkl;
kstat_named_t fks_pkl;
kstat_named_t fks_skip;
kstat_named_t fks_ret;
kstat_named_t fks_acct;
kstat_named_t fks_bnfr;
kstat_named_t fks_nfr;
kstat_named_t fks_cfr;
kstat_named_t fks_bads;
kstat_named_t fks_ads;
kstat_named_t fks_chit;
kstat_named_t fks_tcpbad;
kstat_named_t fks_pull[2];
kstat_named_t fks_badsrc;
kstat_named_t fks_badttl;
kstat_named_t fks_bad;
kstat_named_t fks_ipv6;
kstat_named_t fks_ppshit;
kstat_named_t fks_ipud;
} filter_kstats_t;
typedef struct iplog {
u_32_t ipl_magic;
u_int ipl_count;
struct timeval ipl_time;
size_t ipl_dsize;
struct iplog *ipl_next;
} iplog_t;
#define ipl_sec ipl_time.tv_sec
#define ipl_usec ipl_time.tv_usec
#define IPL_MAGIC 0x49504c4d
#define IPL_MAGIC_NAT 0x49504c4e
#define IPL_MAGIC_STATE 0x49504c53
#define IPLOG_SIZE sizeof(iplog_t)
typedef struct ipflog {
#if (defined(NetBSD) && (NetBSD <= 1991011) && (NetBSD >= 199603)) || \
(defined(OpenBSD) && (OpenBSD >= 199603))
#else
u_int fl_unit;
#endif
u_32_t fl_rule;
u_32_t fl_flags;
u_32_t fl_lflags;
u_32_t fl_logtag;
ipftag_t fl_nattag;
u_short fl_plen;
u_short fl_loglevel;
char fl_group[FR_GROUPLEN];
u_char fl_hlen;
u_char fl_dir;
u_char fl_xxx[2];
char fl_ifname[LIFNAMSIZ];
} ipflog_t;
#ifndef IPF_LOGGING
# define IPF_LOGGING 0
#endif
#ifndef IPF_DEFAULT_PASS
# define IPF_DEFAULT_PASS FR_PASS
#endif
#define DEFAULT_IPFLOGSIZE 8192
#ifndef IPFILTER_LOGSIZE
# define IPFILTER_LOGSIZE DEFAULT_IPFLOGSIZE
#else
# if IPFILTER_LOGSIZE < DEFAULT_IPFLOGSIZE
# error IPFILTER_LOGSIZE too small. Must be >= DEFAULT_IPFLOGSIZE
# endif
#endif
#define IPF_OPTCOPY 0x07ff00
#ifndef IPL_NAME
# ifdef SOLARIS
# define IPL_NAME "/dev/ipf"
# else
# define IPL_NAME "/dev/ipl"
# endif
#endif
#define IPNAT_NAME "/dev/ipnat"
#define IPSTATE_NAME "/dev/ipstate"
#define IPAUTH_NAME "/dev/ipauth"
#define IPSYNC_NAME "/dev/ipsync"
#define IPSCAN_NAME "/dev/ipscan"
#define IPLOOKUP_NAME "/dev/iplookup"
#define IPL_LOGIPF 0
#define IPL_LOGNAT 1
#define IPL_LOGSTATE 2
#define IPL_LOGAUTH 3
#define IPL_LOGSYNC 4
#define IPL_LOGSCAN 5
#define IPL_LOGLOOKUP 6
#define IPL_LOGCOUNT 7
#define IPL_LOGMAX 7
#define IPL_LOGSIZE (IPL_LOGMAX + 1)
#define IPL_LOGALL -1
#define IPL_LOGNONE -2
typedef struct friostat {
struct filterstats f_st[2];
struct frentry *f_ipf[2][2];
struct frentry *f_acct[2][2];
struct frentry *f_ipf6[2][2];
struct frentry *f_acct6[2][2];
struct frentry *f_auth;
struct frgroup *f_groups[IPL_LOGSIZE][2];
u_long f_froute[2];
u_long f_ticks;
int f_locks[IPL_LOGMAX];
size_t f_kmutex_sz;
size_t f_krwlock_sz;
int f_defpass;
int f_active;
int f_running;
int f_logging;
int f_features;
char f_version[32];
} friostat_t;
#define f_fin f_ipf[0]
#define f_fin6 f_ipf6[0]
#define f_fout f_ipf[1]
#define f_fout6 f_ipf6[1]
#define f_acctin f_acct[0]
#define f_acctin6 f_acct6[0]
#define f_acctout f_acct[1]
#define f_acctout6 f_acct6[1]
#define IPF_FEAT_LKM 0x001
#define IPF_FEAT_LOG 0x002
#define IPF_FEAT_LOOKUP 0x004
#define IPF_FEAT_BPF 0x008
#define IPF_FEAT_COMPILED 0x010
#define IPF_FEAT_CKSUM 0x020
#define IPF_FEAT_SYNC 0x040
#define IPF_FEAT_SCAN 0x080
#define IPF_FEAT_IPV6 0x100
typedef struct optlist {
u_short ol_val;
int ol_bit;
} optlist_t;
typedef struct frgroup {
struct frgroup *fg_next;
struct frentry *fg_head;
struct frentry *fg_start;
u_32_t fg_flags;
int fg_ref;
char fg_name[FR_GROUPLEN];
} frgroup_t;
#define FG_NAME(g) (*(g)->fg_name == '\0' ? "" : (g)->fg_name)
typedef struct icmpinfo {
u_short ici_id;
u_short ici_seq;
u_char ici_type;
} icmpinfo_t;
typedef struct udpinfo {
u_short us_sport;
u_short us_dport;
} udpinfo_t;
typedef struct tcpdata {
u_32_t td_end;
u_32_t td_maxend;
u_32_t td_maxwin;
u_32_t td_winscale;
u_32_t td_maxseg;
int td_winflags;
} tcpdata_t;
#define TCP_WSCALE_MAX 14
#define TCP_WSCALE_SEEN 0x00000001
#define TCP_WSCALE_FIRST 0x00000002
#define TCP_SACK_PERMIT 0x00000004
typedef struct tcpinfo {
u_short ts_sport;
u_short ts_dport;
tcpdata_t ts_data[2];
} tcpinfo_t;
struct grebits {
u_32_t grb_C:1;
u_32_t grb_R:1;
u_32_t grb_K:1;
u_32_t grb_S:1;
u_32_t grb_s:1;
u_32_t grb_recur:1;
u_32_t grb_A:1;
u_32_t grb_flags:3;
u_32_t grb_ver:3;
u_short grb_ptype;
};
typedef struct grehdr {
union {
struct grebits gru_bits;
u_short gru_flags;
} gr_un;
u_short gr_len;
u_short gr_call;
} grehdr_t;
#define gr_flags gr_un.gru_flags
#define gr_bits gr_un.gru_bits
#define gr_ptype gr_bits.grb_ptype
#define gr_C gr_bits.grb_C
#define gr_R gr_bits.grb_R
#define gr_K gr_bits.grb_K
#define gr_S gr_bits.grb_S
#define gr_s gr_bits.grb_s
#define gr_recur gr_bits.grb_recur
#define gr_A gr_bits.grb_A
#define gr_ver gr_bits.grb_ver
typedef struct greinfo {
u_short gs_call[2];
u_short gs_flags;
u_short gs_ptype;
} greinfo_t;
#define GRE_REV(x) ((ntohs(x) >> 13) & 7)
typedef struct authhdr {
u_char ah_next;
u_char ah_plen;
u_short ah_reserved;
u_32_t ah_spi;
u_32_t ah_seq;
} authhdr_t;
typedef struct ipftqent {
struct ipftqent **tqe_pnext;
struct ipftqent *tqe_next;
struct ipftq *tqe_ifq;
void *tqe_parent;
u_long tqe_die;
u_long tqe_touched;
int tqe_flags;
int tqe_state[2];
} ipftqent_t;
#define TQE_RULEBASED 0x00000001
typedef struct ipftq {
ipfmutex_t ifq_lock;
u_int ifq_ttl;
ipftqent_t *ifq_head;
ipftqent_t **ifq_tail;
struct ipftq *ifq_next;
struct ipftq **ifq_pnext;
int ifq_ref;
u_int ifq_flags;
} ipftq_t;
#define IFQF_USER 0x01
#define IFQF_DELETE 0x02
#define IFQF_PROXY 0x04
#define IPF_HZ_MULT 1
#define IPF_HZ_DIVIDE 2
#define IPF_TTLVAL(x) (((x) / IPF_HZ_MULT) * IPF_HZ_DIVIDE)
typedef struct {
u_char adf_len;
sa_family_t adf_family;
i6addr_t adf_addr;
} addrfamily_t;
typedef struct ipfobj {
u_32_t ipfo_rev;
u_32_t ipfo_size;
void *ipfo_ptr;
int ipfo_type;
int ipfo_offset;
u_char ipfo_xxxpad[32];
} ipfobj_t;
typedef struct ipfzoneobj {
u_32_t ipfz_gz;
char ipfz_zonename[ZONENAME_MAX];
} ipfzoneobj_t;
#if defined(_KERNEL)
#define IPFS_ZONE_UNSET -2
typedef struct ipf_devstate {
zoneid_t ipfs_zoneid;
minor_t ipfs_minor;
boolean_t ipfs_gz;
} ipf_devstate_t;
#endif
#define IPFOBJ_FRENTRY 0
#define IPFOBJ_IPFSTAT 1
#define IPFOBJ_IPFINFO 2
#define IPFOBJ_AUTHSTAT 3
#define IPFOBJ_FRAGSTAT 4
#define IPFOBJ_IPNAT 5
#define IPFOBJ_NATSTAT 6
#define IPFOBJ_STATESAVE 7
#define IPFOBJ_NATSAVE 8
#define IPFOBJ_NATLOOKUP 9
#define IPFOBJ_IPSTATE 10
#define IPFOBJ_STATESTAT 11
#define IPFOBJ_FRAUTH 12
#define IPFOBJ_TUNEABLE 13
#define IPFOBJ_NAT 14
#define IPFOBJ_IPFITER 15
#define IPFOBJ_GENITER 16
#define IPFOBJ_GTABLE 17
#define IPFOBJ_LOOKUPITER 18
#define IPFOBJ_COUNT 19
typedef union ipftunevalptr {
void *ipftp_void;
u_long *ipftp_long;
u_int *ipftp_int;
u_short *ipftp_short;
u_char *ipftp_char;
} ipftunevalptr_t;
typedef struct ipftuneable {
ipftunevalptr_t ipft_una;
char *ipft_name;
u_long ipft_min;
u_long ipft_max;
int ipft_sz;
int ipft_flags;
struct ipftuneable *ipft_next;
} ipftuneable_t;
#define ipft_addr ipft_una.ipftp_void
#define ipft_plong ipft_una.ipftp_long
#define ipft_pint ipft_una.ipftp_int
#define ipft_pshort ipft_una.ipftp_short
#define ipft_pchar ipft_una.ipftp_char
#define IPFT_RDONLY 1
#define IPFT_WRDISABLED 2
typedef union ipftuneval {
u_long ipftu_long;
u_int ipftu_int;
u_short ipftu_short;
u_char ipftu_char;
} ipftuneval_t;
typedef struct ipftune {
void *ipft_cookie;
ipftuneval_t ipft_un;
u_long ipft_min;
u_long ipft_max;
int ipft_sz;
int ipft_flags;
char ipft_name[80];
} ipftune_t;
#define ipft_vlong ipft_un.ipftu_long
#define ipft_vint ipft_un.ipftu_int
#define ipft_vshort ipft_un.ipftu_short
#define ipft_vchar ipft_un.ipftu_char
typedef struct ipfruleiter {
int iri_ver;
int iri_inout;
char iri_group[FR_GROUPLEN];
int iri_active;
int iri_nrules;
frentry_t *iri_rule;
} ipfruleiter_t;
#define F_IN 0
#define F_OUT 1
#define F_ACIN 2
#define F_ACOUT 3
typedef struct ipfgeniter {
int igi_type;
int igi_nitems;
void *igi_data;
} ipfgeniter_t;
#define IPFGENITER_IPF 0
#define IPFGENITER_NAT 1
#define IPFGENITER_IPNAT 2
#define IPFGENITER_FRAG 3
#define IPFGENITER_AUTH 4
#define IPFGENITER_STATE 5
#define IPFGENITER_NATFRAG 6
#define IPFGENITER_HOSTMAP 7
#define IPFGENITER_LOOKUP 8
typedef struct ipftable {
int ita_type;
void *ita_table;
} ipftable_t;
typedef struct ipftoken {
struct ipftoken *ipt_next;
struct ipftoken **ipt_pnext;
void *ipt_ctx;
void *ipt_data;
u_long ipt_die;
int ipt_type;
int ipt_uid;
int ipt_subtype;
int ipt_alive;
} ipftoken_t;
#define IPFSYNC_RESYNC 0
#define IPFSYNC_NEWIFP 1
#define IPFSYNC_OLDIFP 2
#ifdef __hpux
# define IPF_SMAJ 0
#endif
#if !defined(CDEV_MAJOR) && defined (__FreeBSD_version) && \
(__FreeBSD_version >= 220000)
# define CDEV_MAJOR 79
#endif
#if (defined(NetBSD) && (NetBSD > 199609) && (NetBSD <= 1991011)) || \
(defined(NetBSD1_2) && NetBSD1_2 > 1) || \
(defined(__FreeBSD__) && (__FreeBSD_version >= 500043))
# if (NetBSD >= 199905)
# define PFIL_HOOKS
# endif
# ifdef PFIL_HOOKS
# define NETBSD_PF
# endif
#endif
#ifndef _KERNEL
extern int fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
extern int ipf_log __P((void));
extern struct ifnet *get_unit __P((char *, int, ipf_stack_t *));
extern char *get_ifname __P((struct ifnet *));
# if defined(__NetBSD__) || defined(__OpenBSD__) || \
(_BSDI_VERSION >= 199701) || (__FreeBSD_version >= 300000)
extern int frrequest __P((int, u_long, caddr_t, int, int, ipf_stack_t *));
# else
extern int iplioctl __P((int, ioctlcmd_t, caddr_t, int));
# endif
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
extern void m_freem __P((mb_t *));
#else
extern phy_if_t get_unit __P((char *, int, ipf_stack_t *));
# if defined(__NetBSD__) && defined(PFIL_HOOKS)
extern void ipfilterattach __P((int));
# endif
extern int ipl_enable __P((void));
extern int ipl_disable __P((void));
# ifdef MENTAT
extern int fr_check __P((struct ip *, int, void *, int, void *,
mblk_t **, ipf_stack_t *));
# if SOLARIS
# if SOLARIS2 >= 7
extern int iplioctl __P((dev_t, int, intptr_t, int, cred_t *, int *));
# else
extern int iplioctl __P((dev_t, int, int *, int, cred_t *, int *));
# endif
# if SOLARIS2 >= 10 && defined(_KERNEL)
extern int fr_make_rst __P((fr_info_t *));
extern int fr_make_icmp __P((fr_info_t *));
extern void fr_calc_chksum __P((fr_info_t *, mb_t *));
extern ipf_stack_t *ipf_find_stack(const zoneid_t, ipf_devstate_t *);
# endif
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int iplread __P((dev_t, uio_t *, cred_t *));
extern int iplwrite __P((dev_t, uio_t *, cred_t *));
# endif
# ifdef __hpux
extern int iplopen __P((dev_t, int, intptr_t, int));
extern int iplclose __P((dev_t, int, int));
extern int iplioctl __P((dev_t, int, caddr_t, int));
extern int iplread __P((dev_t, uio_t *));
extern int iplwrite __P((dev_t, uio_t *));
extern int iplselect __P((dev_t, int));
# endif
extern int ipfsync __P((ipf_stack_t *));
extern int fr_qout __P((queue_t *, mblk_t *));
# else
extern int fr_check __P((struct ip *, int, void *, int, mb_t **, ipf_stack_t *));
extern int (*fr_checkp) __P((ip_t *, int, void *, int, mb_t **, ipf_stack_t *));
extern size_t mbufchainlen __P((mb_t *));
# ifdef __sgi
# include <sys/cred.h>
extern int iplioctl __P((dev_t, int, caddr_t, int, cred_t *, int *));
extern int iplopen __P((dev_t *, int, int, cred_t *));
extern int iplclose __P((dev_t, int, int, cred_t *));
extern int iplread __P((dev_t, uio_t *, cred_t *));
extern int iplwrite __P((dev_t, uio_t *, cred_t *));
extern int ipfsync __P((ipf_stack_t *));
extern int ipfilter_sgi_attach __P((void));
extern void ipfilter_sgi_detach __P((void));
extern void ipfilter_sgi_intfsync __P((void));
# else
# ifdef IPFILTER_LKM
extern int iplidentify __P((char *));
# endif
# if (_BSDI_VERSION >= 199510) || (__FreeBSD_version >= 220000) || \
(NetBSD >= 199511) || defined(__OpenBSD__)
# if defined(__NetBSD__) || (_BSDI_VERSION >= 199701) || \
defined(__OpenBSD__) || (__FreeBSD_version >= 300000)
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
extern int iplioctl __P((struct cdev*, u_long, caddr_t, int, struct thread *));
# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct thread *));
# endif
# else
extern int iplioctl __P((dev_t, u_long, caddr_t, int, struct proc *));
# endif
# else
extern int iplioctl __P((dev_t, int, caddr_t, int, struct proc *));
# endif
# if (__FreeBSD_version >= 500024)
# if (__FreeBSD_version >= 502116)
extern int iplopen __P((struct cdev*, int, int, struct thread *));
extern int iplclose __P((struct cdev*, int, int, struct thread *));
# else
extern int iplopen __P((dev_t, int, int, struct thread *));
extern int iplclose __P((dev_t, int, int, struct thread *));
# endif
# else
extern int iplopen __P((dev_t, int, int, struct proc *));
extern int iplclose __P((dev_t, int, int, struct proc *));
# endif
# else
# ifdef linux
extern int iplioctl __P((struct inode *, struct file *, u_int, u_long));
# else
extern int iplopen __P((dev_t, int));
extern int iplclose __P((dev_t, int));
extern int iplioctl __P((dev_t, int, caddr_t, int));
# endif
# endif
# if BSD >= 199306
# if (__FreeBSD_version >= 502116)
extern int iplread __P((struct cdev*, struct uio *, int));
extern int iplwrite __P((struct cdev*, struct uio *, int));
# else
extern int iplread __P((dev_t, struct uio *, int));
extern int iplwrite __P((dev_t, struct uio *, int));
# endif
# else
# ifndef linux
extern int iplread __P((dev_t, struct uio *));
extern int iplwrite __P((dev_t, struct uio *));
# endif
# endif
# endif
# endif
#endif
extern char *memstr __P((char *, char *, int, int));
extern int count4bits __P((u_32_t));
extern int count6bits __P((u_32_t *));
extern int frrequest __P((int, ioctlcmd_t, caddr_t, int, int, ipf_stack_t *));
extern char *getifname __P((struct ifnet *));
extern int iplattach __P((ipf_stack_t *));
extern int ipldetach __P((ipf_stack_t *));
extern u_short ipf_cksum __P((u_short *, int));
extern int copyinptr __P((void *, void *, size_t));
extern int copyoutptr __P((void *, void *, size_t));
extern int fr_fastroute __P((mb_t *, mb_t **, fr_info_t *, frdest_t *));
extern int fr_inobj __P((void *, void *, int));
extern int fr_inobjsz __P((void *, void *, int, int));
extern int fr_ioctlswitch __P((int, void *, ioctlcmd_t, int, int, void *,
ipf_stack_t *));
extern int fr_ipftune __P((ioctlcmd_t, void *, ipf_stack_t *));
extern int fr_outobj __P((void *, void *, int));
extern int fr_outobjsz __P((void *, void *, int, int));
extern void *fr_pullup __P((mb_t *, fr_info_t *, int));
extern void fr_resolvedest __P((struct frdest *, int, ipf_stack_t *));
extern int fr_resolvefunc __P((void *));
extern void *fr_resolvenic __P((char *, int, ipf_stack_t *));
extern int fr_send_icmp_err __P((int, fr_info_t *, int));
extern int fr_send_reset __P((fr_info_t *));
#if (__FreeBSD_version < 490000) || !defined(_KERNEL)
extern int ppsratecheck __P((struct timeval *, int *, int));
#endif
extern ipftq_t *fr_addtimeoutqueue __P((ipftq_t **, u_int, ipf_stack_t *));
extern void fr_deletequeueentry __P((ipftqent_t *));
extern int fr_deletetimeoutqueue __P((ipftq_t *));
extern void fr_freetimeoutqueue __P((ipftq_t *, ipf_stack_t *));
extern void fr_movequeue __P((ipftqent_t *, ipftq_t *, ipftq_t *,
ipf_stack_t *));
extern void fr_queueappend __P((ipftqent_t *, ipftq_t *, void *,
ipf_stack_t *));
extern void fr_queueback __P((ipftqent_t *, ipf_stack_t *));
extern void fr_queuefront __P((ipftqent_t *));
extern void fr_checkv4sum __P((fr_info_t *));
extern int fr_checkl4sum __P((fr_info_t *));
extern int fr_ifpfillv4addr __P((int, struct sockaddr_in *,
struct sockaddr_in *, struct in_addr *,
struct in_addr *));
extern int fr_coalesce __P((fr_info_t *));
#ifdef USE_INET6
extern void fr_checkv6sum __P((fr_info_t *));
extern int fr_ifpfillv6addr __P((int, struct sockaddr_in6 *,
struct sockaddr_in6 *, struct in_addr *,
struct in_addr *));
#endif
#define IPFILTER_COMPAT
extern int fr_incomptrans __P((ipfobj_t *, void *));
extern int fr_outcomptrans __P((ipfobj_t *, void *));
extern int fr_addipftune __P((ipftuneable_t *, ipf_stack_t *));
extern int fr_delipftune __P((ipftuneable_t *, ipf_stack_t *));
extern int frflush __P((minor_t, int, int, ipf_stack_t *));
extern void frsync __P((int, int, void *, char *, ipf_stack_t *));
#if SOLARIS2 >= 10
extern void fr_ifindexsync __P((void *, void *, ipf_stack_t *));
#endif
extern frgroup_t *fr_addgroup __P((char *, void *, u_32_t, minor_t, int,
ipf_stack_t *));
extern int fr_derefrule __P((frentry_t **, ipf_stack_t *));
extern void fr_delgroup __P((char *, minor_t, int, ipf_stack_t *));
extern frgroup_t *fr_findgroup __P((char *, minor_t, int, frgroup_t ***,
ipf_stack_t *));
extern int fr_loginit __P((ipf_stack_t *));
extern int ipflog_clear __P((minor_t, ipf_stack_t *));
extern int ipflog_read __P((minor_t, struct uio *, ipf_stack_t *));
extern int ipflog __P((fr_info_t *, u_int));
extern int ipllog __P((int, fr_info_t *, void **, size_t *, int *, int,
ipf_stack_t *));
extern void fr_logunload __P((ipf_stack_t *));
extern frentry_t *fr_acctpkt __P((fr_info_t *, u_32_t *));
extern int fr_copytolog __P((int, char *, int));
extern u_short fr_cksum __P((mb_t *, ip_t *, int, void *));
extern void fr_deinitialise __P((ipf_stack_t *));
extern frentry_t *fr_dolog __P((fr_info_t *, u_32_t *));
extern frentry_t *fr_dstgrpmap __P((fr_info_t *, u_32_t *));
extern void fr_fixskip __P((frentry_t **, frentry_t *, int));
extern void fr_forgetifp __P((void *, ipf_stack_t *));
extern frentry_t *fr_getrulen __P((int, char *, u_32_t,
ipf_stack_t *));
extern void fr_getstat __P((struct friostat *, ipf_stack_t *));
extern int fr_ifpaddr __P((int, int, void *,
struct in_addr *, struct in_addr *,
ipf_stack_t *));
extern int fr_initialise __P((ipf_stack_t *));
extern int fr_lock __P((caddr_t, int *));
extern int fr_makefrip __P((int, ip_t *, fr_info_t *));
extern int fr_matchtag __P((ipftag_t *, ipftag_t *));
extern int fr_matchicmpqueryreply __P((int, icmpinfo_t *,
struct icmp *, int));
extern u_32_t fr_newisn __P((fr_info_t *));
extern u_short fr_nextipid __P((fr_info_t *));
extern int fr_rulen __P((int, frentry_t *, ipf_stack_t *));
extern int fr_scanlist __P((fr_info_t *, u_32_t));
extern frentry_t *fr_srcgrpmap __P((fr_info_t *, u_32_t *));
extern int fr_tcpudpchk __P((fr_info_t *, frtuc_t *));
extern int fr_verifysrc __P((fr_info_t *fin));
extern int fr_zerostats __P((char *, ipf_stack_t *));
extern ipftoken_t *ipf_findtoken __P((int, int, void *, ipf_stack_t *));
extern int ipf_getnextrule __P((ipftoken_t *, void *,
ipf_stack_t *));
extern void ipf_expiretokens __P((ipf_stack_t *));
extern void ipf_freetoken __P((ipftoken_t *, ipf_stack_t *));
extern int ipf_deltoken __P((int, int, void *, ipf_stack_t *));
extern int ipf_genericiter __P((void *, int, void *, ipf_stack_t *));
extern int ipf_extraflush __P((int, ipftq_t *, ipftq_t *, ipf_stack_t *));
extern int ipf_flushclosing __P((int, int, ipftq_t *, ipftq_t *, ipf_stack_t *));
extern int ipf_earlydrop __P((int, ipftq_t *, int, ipf_stack_t *));
#ifndef ipf_random
extern u_32_t ipf_random __P((void));
#endif
#if defined(_KERNEL)
extern int fr_setzoneid __P((ipf_devstate_t *, void *));
#endif
extern char ipfilter_version[];
#ifdef USE_INET6
extern int icmptoicmp6types[ICMP_MAXTYPE+1];
extern int icmptoicmp6unreach[ICMP_MAX_UNREACH];
extern int icmpreplytype6[ICMP6_MAXTYPE + 1];
#endif
extern int icmpreplytype4[ICMP_MAXTYPE + 1];
extern frentry_t *ipfrule_match __P((fr_info_t *));
extern void ipftuneable_alloc(ipf_stack_t *);
extern void ipftuneable_free(ipf_stack_t *);
#endif
