

/* fw.h - Firewall definitions */

/* Copyright 2004-2005 Wind River Systems, Inc. */

/*
modification history
--------------------
01k,26apr05,zhu  Removed deprecated header files
01h,09mar05,svk  Fix compilation warning
01g,13dec04,myz  added IPV6 support
01f,21jul04,myz  changed default tag value and use quad_t for stat counters 
01e,13jul04,myz  port to dual stack
01d,09feb04,myz  replaced groupIdVerify with fwIpfIdVerify 
01c,06oct03,myz  Modified log function prototype
01b,01oct03,vks  code cleanup, added debug macro, added copyright info
01a,03dec02,vks  created
*/

#ifndef __INCfwh
#define __INCfwh

#include "vxWorks.h" 
#include <net/unixLib.h>
#include <selectLib.h>
#include <errnoLib.h>
#include <tickLib.h>
#include <logLib.h>
#include <sysLib.h>
#include <stdio.h>

#include <netconf.h>

#include <net/systm.h>
#include <net/mbuf.h>
#include <net/protosw.h>

#include <syslog.h>
#include <net/domain.h>
#include <sys/socket.h>
#include <net/socketvar.h>

#include <net/if.h>
#include <net/if_types.h>
#include <net/if_var.h>
#include <net/if_dl.h>
#include <muxLib.h>
#include <muxTkLib.h>

#include <net/route.h>

#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/in_var.h>
#include <netinet/ip.h>
#include <netinet/in_pcb.h>
#include <netinet/ip_var.h>
#include <netinet/ip_icmp.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet6/icmp6.h>
#include "inetLib.h"
#include "arpa/inet.h"
#include "time.h"
#include "private/timerLibP.h"

#include <netinet/ipfw.h>
#include "wrn/firewall/fwLib.h"
#include "wrn/firewall/syslogcLib.h"


/* Rule-filter identity and ipfw registration defaults.
 *
 * FW_RULE_FILTER is the numeric id this module is known by in the ipfw hook
 * framework; RULE_FILTER_DFT_PRI and RULE_FILTER_DFT_TAG are the default
 * priority and human-readable tag used when the filter is installed
 * (presumably by fwRuleFilterPush() declared below -- confirm in fwLib).
 * INVALID_SERIAL_NO presumably marks a RULE_LIST_DESC.serialNo that has not
 * been assigned yet.
 */
#define FW_RULE_FILTER        15
#define INVALID_SERIAL_NO     0 
#define RULE_FILTER_DFT_PRI   8     /* larger number == higher priority */
#define RULE_FILTER_DFT_TAG   "IP Firewall Rule Filter"

/* Rule block set indicators, for skipping checks a rule never asked for.
 *
 * One bit per optional match block of a rule.  The rule's set-indicator word
 * is presumably tested before the corresponding block is compared against the
 * packet, so blocks the rule leaves unset cost nothing -- confirm in the
 * rule-match code.  Bits 8 and 9 (extension-header match) only apply to IPv6
 * rules.  Bit 0 is written as plain 1 rather than (1 << 0); same value.
 */

#define RULE_TRANSPORT_HEAD_SET    1
#define RULE_IP_HEAD_SET           (1 << 1)
#define RULE_INTERFACE_SET         (1 << 2)
#define RULE_SRCADDR_SET           (1 << 3)
#define RULE_DSTADDR_SET           (1 << 4)
#define RULE_PKTSIZE_SET           (1 << 5)
#define RULE_SRCPORT_SET           (1 << 6)
#define RULE_DSTPORT_SET           (1 << 7)
#define RULE_IPV6_EXTHDR_SET       (1 << 8)
#define RULE_IPV6_EXTTYPE_SET      (1 << 9)

/* Id-type discriminators: say whether an opaque void * id names a rule group
 * or a single rule.  Presumably these are the values passed as the int of
 * fwIpfIdVerify(void *, int) below -- confirm against its definition.
 */

#define FW_GROUP_ID_TYPE   1
#define FW_RULE_ID_TYPE    2

/* TCP states used for the Firewall state table and event functions.
 *
 * A coarse connection-tracking state machine, not the full RFC 793 one.  The
 * values are contiguous from 0 so that TCP_INVALID_STATE (= TCP_LAST_STATE + 1)
 * can bound a table indexed by state; add new states before TCP_END_STATE and
 * keep TCP_LAST_STATE pointing at the highest valid one.  Note TCP_SYN_SENT
 * lacks the _STATE suffix the others carry.
 */

#define TCP_SYN_SENT         0
#define TCP_ESTABLISH_STATE  1
#define TCP_CLOSEWAIT_STATE  2
#define TCP_FINWAIT_STATE    3
#define TCP_END_STATE        4
#define TCP_LAST_STATE       TCP_END_STATE
#define TCP_INVALID_STATE    (TCP_LAST_STATE + 1)

/* IP version nibble.  The first byte of any IP header carries the version in
 * its high nibble, so (byte & IP_VERSION_MASK) == IPV4_VERSION identifies an
 * IPv4 header.  There is no IPV6_VERSION (0x60) companion here; presumably the
 * dual-stack code treats "not IPv4" as IPv6 -- confirm in the hooks before
 * relying on that, since a garbage version byte would then reach the v6 path.
 */
#define IP_VERSION_MASK    0xf0
#define IPV4_VERSION       0x40

/* "Has this IPv6 address been assigned?" predicates.
 *
 * Each macro walks the 128-bit address in the unit its argument is typed as
 * and yields 1 when any element is non-zero, 0 for the all-zeros address.
 * Evaluation short-circuits in element order; the argument is evaluated once
 * per element examined, so pass a side-effect-free pointer expression.
 */

/* p must be a char * (16 bytes) */

#define V6ADDR8_IS_ASSIGNED(p) \
        (!((p)[0]  == 0 && (p)[1]  == 0 && (p)[2]  == 0 && (p)[3]  == 0 && \
           (p)[4]  == 0 && (p)[5]  == 0 && (p)[6]  == 0 && (p)[7]  == 0 && \
           (p)[8]  == 0 && (p)[9]  == 0 && (p)[10] == 0 && (p)[11] == 0 && \
           (p)[12] == 0 && (p)[13] == 0 && (p)[14] == 0 && (p)[15] == 0))

/* p must be a UINT16 * (8 halfwords) */

#define V6ADDR16_IS_ASSIGNED(p) \
        (!((p)[0] == 0 && (p)[1] == 0 && (p)[2] == 0 && (p)[3] == 0 && \
           (p)[4] == 0 && (p)[5] == 0 && (p)[6] == 0 && (p)[7] == 0))

/* p must be a UINT32 * (4 words) */

#define V6ADDR32_IS_ASSIGNED(p) \
        (!((p)[0] == 0 && (p)[1] == 0 && (p)[2] == 0 && (p)[3] == 0))

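/* Parse network data packet field macros.
 *
 * antohl()/antohs() take the ADDRESS of a 4-/2-byte network-order (big-endian)
 * field and return its value in host order, as ntohl()/ntohs() would on an
 * aligned copy, but without ever issuing a load wider than the pointer's
 * alignment allows: a 4-byte field at a 2-byte boundary is assembled from two
 * 16-bit loads and one at an odd address from four byte loads.  They are
 * therefore safe on packet data that is not naturally aligned.  ahtonl() /
 * ahtons() are the same conversion in the other direction (a byte swap is its
 * own inverse).
 *
 * Contract:
 *  - x is evaluated several times: pass a side-effect-free pointer expression
 *    (never antohs(p++)).  Any pointer type is accepted; it is cast inside.
 *  - antohl()/ahtonl() always yield an unsigned 32-bit value, whichever load
 *    path is taken.  Each byte or halfword is widened to UINT32 *before* it
 *    is shifted, so a leading byte >= 0x80 is never shifted into the sign bit
 *    of a plain int -- that is undefined behaviour in C and, where long is
 *    64 bits, would sign-extend the result when compared with a u_long.
 *  - aligned loads use UINT32/UINT16 (exactly 32/16 bits) so the access width
 *    always matches the field width, independent of sizeof(long).
 *  - antohs()/ahtons() yield a value in 0..0xFFFF (int-promoted).
 */

#if     _BYTE_ORDER==_BIG_ENDIAN

#define antohl(x)  ((ALIGNED(x, sizeof(UINT32))) ? (*(UINT32 *)(x)) : \
                   (ALIGNED(x, sizeof(UINT16))) ? \
                   (((UINT32)(*(UINT16 *)(x)) << 16) | (*((UINT16 *)(x) + 1))) : \
                   (((UINT32)((UINT8 *)(x))[0] << 24) | ((UINT32)((UINT8 *)(x))[1] << 16) | \
                    ((UINT32)((UINT8 *)(x))[2] << 8)  | ((UINT8 *)(x))[3]))

#define antohs(x)  ((ALIGNED(x, sizeof(UINT16))) ? \
                   (*(UINT16 *)(x)) : \
                   ((((UINT8 *)(x))[0] << 8) | ((UINT8 *)(x))[1]))

#define ahtonl(x)        antohl(x)
#define ahtons(x)        antohs(x)

#endif /* _BYTE_ORDER==_BIG_ENDIAN */

#if     _BYTE_ORDER==_LITTLE_ENDIAN

#define antohl(x)  ((ALIGNED(x, sizeof(UINT32))) ? ntohl(*(UINT32 *)(x)) : \
                   (ALIGNED(x, sizeof(UINT16))) ? \
                   (((UINT32)(ntohs(*(UINT16 *)(x))) << 16) | \
                    (ntohs(*((UINT16 *)(x) + 1)))) : \
                   (((UINT32)((UINT8 *)(x))[0] << 24) | ((UINT32)((UINT8 *)(x))[1] << 16) | \
                    ((UINT32)((UINT8 *)(x))[2] << 8)  | ((UINT8 *)(x))[3]))

#define ahtonl(x)  antohl(x)

#define antohs(x)  ((ALIGNED(x, sizeof(UINT16))) ? ntohs(*(UINT16 *)(x)) : \
                   ((((UINT8 *)(x))[0] << 8) | ((UINT8 *)(x))[1]))

#define ahtons(x)  antohs(x)

#endif  /* _BYTE_ORDER==_LITTLE_ENDIAN */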

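/* Raw field extraction with no alignment assumption.
 *
 * PKT_2BYTES_TO_SHORT() / PKT_4BYTES_TO_INT32() read 2 / 4 consecutive bytes
 * at x as a big-endian (network order) number; x may point anywhere and the
 * host byte order is irrelevant.  Unlike antohs()/antohl() they never take an
 * aligned fast path.  Each byte is widened to UINT32 before it is shifted so a
 * byte >= 0x80 cannot be left-shifted into the sign bit of an int (undefined
 * behaviour in C); the 4-byte result is therefore always an unsigned 32-bit
 * value.
 *
 * PKT_2SHORT_TO_INT32() is different in kind: it joins two UINT16 halves that
 * are ALREADY in host order (element 0 is the high half) into one UINT32 with
 * no byte swapping, and it dereferences a UINT16 *, so x must be 2-byte
 * aligned.  It is not a big-endian reader on a little-endian host.
 *
 * x is evaluated more than once in every macro: no side effects in the
 * argument.
 */

#define PKT_2BYTES_TO_SHORT(x) \
        ((((UINT8 *)(x))[0] << 8) | ((UINT8 *)(x))[1])

#define PKT_4BYTES_TO_INT32(x) \
        (((UINT32)((UINT8 *)(x))[0] << 24) | ((UINT32)((UINT8 *)(x))[1] << 16) | \
         ((UINT32)((UINT8 *)(x))[2] << 8)  | ((UINT8 *)(x))[3])

#define PKT_2SHORT_TO_INT32(x) \
        (((UINT32)((UINT16 *)(x))[0] << 16) | ((UINT16 *)(x))[1])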

/* Firewall IP stack hook routines (declarations, one set per address family).
 *
 * Entry points the ipfw layer calls at the pre-input, input, forward and
 * output points of the IPv4 and IPv6 paths.  All share one shape,
 *   (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *) -> int
 * The mbuf is passed by reference (struct mbuf **), presumably so a hook may
 * replace or release the chain.  The meaning of the UINT32 argument and of the
 * int return (accept/drop disposition?) is set by <netinet/ipfw.h>, not here
 * -- check there before adding or reordering a hook.
 */

extern int fwPreinputHook (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwInputHook    (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwForwardHook  (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwOutputHook   (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwPreinputV6Hook (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwInputV6Hook    (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwForwardV6Hook  (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);
extern int fwOutputV6Hook   (ipfw_t *, struct mbuf **, UINT32, ipfw_opt_t *);


#ifdef INET6
/* One IPv6 extension header seen while walking a packet's header chain: its
 * header type value and its length in 8-byte units.  Whether `len` is the raw
 * Hdr Ext Len field (which in IPv6 excludes the first 8 bytes) or the true
 * size is not visible here -- confirm in the routine that fills it before
 * converting to bytes.
 */
typedef struct {
    UINT8 type;
    UINT8 len;  /* in 8 byte quantity */
    } EXT_HDR_ENTRY;

/* Summary of an IPv6 packet's extension-header chain.
 *
 * upProType:    presumably the upper-layer protocol reached at the end of the
 *               chain.
 * pad0:         alignment padding.
 * m2FragOffset: fragment-related offset; whether it is the offset of the
 *               Fragment header or the fragment-offset field is not visible
 *               here -- confirm in ipv6UpHdrOffsetGet() or whatever fills it.
 * maxEntries:   capacity the filler may use; must never exceed 40, the size
 *               of entries[].
 * actualNum:    entries actually filled, 0..maxEntries.
 * entries:      fixed table; 40 is a hard cap on how many extension headers
 *               the firewall records for one packet.
 *
 * NOTE(review): entries[] is fixed-size and populated from untrusted packet
 * data.  This header cannot enforce the bounds: the filler must stop at
 * maxEntries (itself <= 40) and readers must touch only the first actualNum
 * slots.  Verify both in the code that uses this struct.
 */
typedef struct {
    UINT8 upProType;
    UINT8 pad0;
    UINT16 m2FragOffset;
    UINT8 maxEntries;
    UINT8 actualNum;    
    EXT_HDR_ENTRY entries[40];
    } EXT_HDR_INFO;
#endif

/* state typedefs */

/* Per-flow UDP tracking key: the two ports plus one state byte.
 *
 * 5 bytes of the 8-byte TRANSPORT_STATE_INFO union below; the tail is implicit
 * padding.  NOTE(review): if state entries are compared or hashed through
 * TRANSPORT_STATE_INFO.data[]/data16[], that padding must be zeroed by whoever
 * fills a UDP element, or lookups become dependent on stale bytes -- verify in
 * the state-table code.  Whether the ports are stored in network or host
 * order is not fixed here.
 */
typedef struct {
    UINT16 srcPort;
    UINT16 dstPort;
    UINT8  state;
    } UDP_STATE_ELEMENT;

/* Per-flow TCP tracking key: ports, a state/flag byte and explicit padding to
 * 8 bytes so it exactly fills TRANSPORT_STATE_INFO.data[2].
 *
 * u.state and u.flag alias the same byte.  u.state presumably holds one of the
 * TCP_*_STATE values defined above and u.flag a TCP header flag byte; which of
 * the two is live at a given moment is decided by the code using the entry --
 * confirm before reading either.  pad0/pad1 presumably need to be zero-filled
 * if entries are compared as raw words (see the note on UDP_STATE_ELEMENT).
 */
typedef struct {
    UINT16 srcPort;
    UINT16 dstPort;
    union {
        UINT8  state;
        UINT8  flag;
        } u;
    UINT8  pad0;
    UINT16 pad1;
    } TCP_STATE_ELEMENT;

/* Per-flow ICMP tracking key: identifier and sequence number (icd_id/icd_seq
 * are the same names the BSD <netinet/ip_icmp.h> uses for the echo id/seq
 * fields) plus the ICMP type and code.  6 bytes; the remaining 2 bytes of the
 * 8-byte TRANSPORT_STATE_INFO union are padding (see UDP_STATE_ELEMENT).
 */
typedef struct {
    UINT16  icd_id;
    UINT16  icd_seq;
    u_char  type;
    u_char  code;
    } ICMP_STATE_ELEMENT;

/* Transport-layer part of a state-table key, 8 bytes.
 *
 * One entry holds whichever of tcp/udp/icmp applies, while data[]/data16[]
 * expose a raw word/halfword view of the same 8 bytes.  Only tcp fills all 8
 * bytes; udp and icmp leave tail padding, which matters if the raw views are
 * used for comparison or hashing.  The live member is presumably selected by
 * the proto field of the enclosing PKT_STATE_ENTRY / PKT_HDRS_INFO.
 */
typedef union {
        UINT32 data[2];
        UINT16 data16[4];
        TCP_STATE_ELEMENT tcp;
        UDP_STATE_ELEMENT udp;
        ICMP_STATE_ELEMENT icmp;
    } TRANSPORT_STATE_INFO;

/* Source/destination address pair of a packet, in whichever family it was
 * received; the v6 arm exists only with INET6.  The union is laid out exactly
 * like PKT_STATE_ENTRY.au, so the SRCADDRV4/DSTADDRV4 (and *V6*) shorthands
 * below apply to both.  There is no family tag inside: callers carry ipVer
 * alongside (PKT_HDRS_INFO.ipVer) and must not read au.v6 without checking it.
 */
typedef struct {
    union {
        struct {
            struct in_addr   srcAddrV4;
            struct in_addr   dstAddrV4;
            } v4;
#ifdef INET6
        struct {
            struct in6_addr  srcAddrV6;
            struct in6_addr  dstAddrV6;
            } v6;
#endif
	} au;
    } PKT_ADRS_INFO;
 
/* One tracked-connection ("state") entry.
 *
 * u:           list linkage.  The entry may sit on a singly (NODE) or doubly
 *              (DL_NODE) linked list, or itself head a DL_LIST; only one
 *              member is meaningful at a time, chosen by the table that owns
 *              the entry.
 * au:          address pair, same layout as PKT_ADRS_INFO.au; use the
 *              SRCADDRV4/DSTADDRV4 (and *V6*) shorthands defined below.
 * proto:       IP protocol number; presumably picks the live member of tu.
 * ipVer:       family tag deciding au.v4 versus au.v6.
 * pad1:        explicit padding.
 * tu:          transport-layer key (ports, or ICMP id/seq).
 * timeout:     presumably the remaining lifetime; its unit (ticks? seconds?)
 *              is not fixed here.
 * ownerId:     opaque owner token.
 * pEvtFuncTbl: per-entry event callbacks (FW_EVENT_FUNC_ENTRY, fwLib.h).
 */
typedef struct {
    union {
        NODE    lnode;
        DL_NODE node;
        DL_LIST list;
        } u;
    union {
        struct {
            struct in_addr   srcAddrV4;
            struct in_addr   dstAddrV4;
            } v4;
#ifdef INET6
        struct {
            struct in6_addr  srcAddrV6;
            struct in6_addr  dstAddrV6;
            } v6;
#endif
        } au;

    UINT8 proto;
    UINT8 ipVer;
    UINT16 pad1;
    TRANSPORT_STATE_INFO tu;
    int timeout;
    void * ownerId;
    FW_EVENT_FUNC_ENTRY * pEvtFuncTbl;
    } PKT_STATE_ENTRY;

/* Address accessor shorthands.
 *
 * Usable as `entry.SRCADDRV4` or `pAdrs->DSTADDRV632[i]` on anything whose
 * address union is named au with the v4/v6 arms declared above (PKT_ADRS_INFO
 * and PKT_STATE_ENTRY).  The V4 forms name the raw 32-bit s_addr; the V632 /
 * V68 forms name the 32-bit-word and byte views of the in6_addr (presumably
 * the s6_addr32 / s6_addr8 members or macros of this stack's in6_addr).  They
 * select a field, not a value: the caller must still know the family from
 * ipVer before touching the v6 arm.
 */

#define SRCADDRV4     au.v4.srcAddrV4.s_addr
#define DSTADDRV4     au.v4.dstAddrV4.s_addr

#ifdef INET6
#define SRCADDRV632   au.v6.srcAddrV6.s6_addr32
#define DSTADDRV632   au.v6.dstAddrV6.s6_addr32
#define SRCADDRV68    au.v6.srcAddrV6.s6_addr8
#define DSTADDRV68    au.v6.dstAddrV6.s6_addr8
#endif

/* Packet counters for one rule list; quad_t (64-bit) so they do not wrap on
 * a long-lived box (modification 01f above).  "dropped" and "denied" are kept
 * separately, so they are distinct outcomes -- presumably silent discard vs.
 * rejection by a deny rule; confirm in ruleFilter() before reading either as
 * "blocked packets".
 */
typedef struct {
    quad_t dropped;
    quad_t denied;
    quad_t accepted;
    quad_t reported;
    } RULE_FILTER_STAT_DESC;

/* Descriptor of the rule list installed at one hook location; obtained with
 * fwListDescGet(loc).
 *
 * loc:       where in the stack the list applies (FW_LOC_TYPE, fwLib.h).
 * pGrpLists: the rule groups at this location (LIST, fwLib.h).
 * serialNo:  presumably INVALID_SERIAL_NO (0) until one is assigned.
 * stats:     running counters, see RULE_FILTER_STAT_DESC.
 * attr:      group attributes (FW_GROUP_ATTR, fwLib.h).
 * pDftFunc / funcArg: default-action callback and its cookie, presumably run
 *            when no rule matches -- confirm in ruleFilter().
 */
typedef struct {
    FW_LOC_TYPE loc;
    LIST * pGrpLists;
    int  serialNo;
    RULE_FILTER_STAT_DESC stats;
    FW_GROUP_ATTR attr;
    FW_EXT_FUNC_PTR pDftFunc;
    void * funcArg;
    } RULE_LIST_DESC;

/* Parsed-header summary handed to connectionStateCheck(): the transport key
 * extracted from the packet (pTport), the rule-list descriptor being
 * evaluated (pDesc), and the IP version / protocol that say how to interpret
 * both.  Both pointers refer to storage owned elsewhere.
 */
typedef struct {
    TRANSPORT_STATE_INFO * pTport;
    RULE_LIST_DESC * pDesc;
    UINT8 ipVer;
    UINT8 proto;	 
    } PKT_HDRS_INFO;
     
/* (location, group) pair naming one rule group to remove from the list at
 * that location.  groupId is an opaque id, presumably the kind validated by
 * fwIpfIdVerify() with FW_GROUP_ID_TYPE.
 */
typedef struct {
    FW_LOC_TYPE loc;
    void * groupId;
    } REMOVE_LIST_NODE_PAIR;

/* Internal entry points shared between the firewall's C files (not the public
 * fwLib API).  What the prototypes alone show, with guesses marked:
 *
 *  fwRewrite / ruleFilter  ipfw-style (ipfw_t *, mbuf, int dir, opts) -> u_long
 *                          callbacks; ruleFilter is the filter the hooks
 *                          above run.
 *  groupIdPerLocVerify     TRUE if the group head is found in the given list.
 *  fwIpfIdVerify           validate an opaque id; the int is presumably
 *                          FW_GROUP_ID_TYPE / FW_RULE_ID_TYPE.
 *  fwRuleListGet           rule LIST for a location given as int.
 *  connectionStateCheck    stateful match of a packet (addresses + parsed
 *                          headers) against a rule entry.
 *  m_x8 / m_x16 / m_x32    fetch an 8/16/32-bit field from an mbuf chain at
 *                          the int offset.  The int * out-parameter is
 *                          presumably an error indicator for reads past the
 *                          chain -- a caller that ignores it will consume a
 *                          meaningless value on a truncated packet; check it.
 *  fwListDescGet           RULE_LIST_DESC for a hook location.
 *  fwRuleFilterPush        register this filter with ipfw.
 *  b4cmp                   compare two UINT32 arrays; the int is presumably
 *                          the element count.
 *  ipv6UpHdrOffsetGet      walk an IPv6 extension-header chain to locate the
 *                          upper-layer header, writing results through the two
 *                          int *.  It returns BOOL, so callers must test the
 *                          return before trusting the out-parameters.
 */

extern u_long fwRewrite (ipfw_t *, struct mbuf *, int, ipfw_opt_t *);
extern BOOL groupIdPerLocVerify (LIST*, FW_GROUP_HEAD_ENTRY *);
extern BOOL fwIpfIdVerify (void *,int);
extern LIST * fwRuleListGet (int);
extern int connectionStateCheck (FW_RULE_ENTRY_NODE *,PKT_ADRS_INFO *,
                                 PKT_HDRS_INFO *);
extern unsigned long m_x32(struct mbuf *,int, int *);
extern u_char m_x8(struct mbuf *,  int, int *);
extern u_short m_x16(struct mbuf *, int, int *);
extern RULE_LIST_DESC * fwListDescGet (FW_LOC_TYPE);
extern u_long  ruleFilter (ipfw_t *, struct mbuf *m, int dir, ipfw_opt_t *);
extern int fwRuleFilterPush (ipfw_t *, void *, int);
extern int b4cmp (UINT32 *, UINT32 *, int);
extern BOOL ipv6UpHdrOffsetGet (struct ip6_hdr *, int *, int *, int);

#endif