IPFW(4) BSD Programmer's Manual IPFW(4)NAMEipfw - Internet Protocol Filter
SYNOPSIS
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip_bpf.h>
int
socket(PF_INET, SOCK_RAW, IPFW_PROTO);
DESCRIPTION
An IPFW socket provides a read only interface to packets marked for re-
porting by an IP Filter. It is defined within the INET protocol family.
Before the socket is used, is should be bound to the AF_INET family by
using the bind(2) system call. The following code does the proper bind-
ing:
struct sockaddr sa;
sa.sa_len = 2;
sa.sa_family = AF_INET;
bind(fd, &sa, 2);
Once the socket is open the IPFW_SELECT socket option must be set at the
IPFW_PROTO level. The following code selects all packets logged by any
filter:
ipfw_data_t id;
id.code = 0;
id.mask = 0;
setsockopt(fd, IPFW_PROTO, IPFW_SELECT, &id, sizeof(ipfw_data_t));
Once the selection criteria has been specified packets selected may be
read by the recv(2) or read(2) system calls. Each packet read is pre-
ceeded by an int which contains the code returned by the IP Filter. The
following masks break down the code word:
IPFW_FILTER
Mask of the filter number. The following filters are specified:
IPFW_FORWARD
The packet came from the ip forwarding input filter.
IPFW_PREINPUT
The packet came from the ip pre-input filter.
IPFW_INPUT
The packet came from the ip input filter.
IPFW_PREOUTPUT
The packet came from the ip pre-output filter.
IPFW_OUTPUT
The packet came from the ip output filter.
IPFW_RETCODE
Mask of the return code bits:
IPFW_ACCEPT
The packet was delivered.
IPFW_CONTROL
The packet is a control packet of some sort. (currently
only returned from a circuit cache).
IPFW_REJECT
The packet was not delivered. (This is actually 0).
IPFW_REPORT
The packet was reported (this should always be set).
IPFW_SIZE
Mask of the length of the packet (the lower 16 bits). This
length does not include the size of the code word.
IPFW_USER
Mask of the user bits that may be specified by the filter re-
questing the packet to be logged. (These are shifted up by 16
bit as the lower 16 bits of the code are the size).
Any of the bits specified in the code may be used to select which of the
logged packets should be passed up the socket. The mask element of the
ipfw_data_t structure should be set to the bits of interest. The code
element should be set to which bits selected by the mask must be set.
For example, setting the mask to IPFW_FILTER and the code to IPFW_FORWARD
will cause all packets logged from the forwarding filter to be selected
while not selecting packets from any other filter.
FILTERS
Filters are set and manipulated through sysctl(2). The mib always starts
with the 4 units:
CTL_NET.PF_INET.IPPROTO_IP.IPCTL_IPFW
The 5th entry in the mib is the filter to be worked on:
IPFW_FORWARD
Set and/or retrieve the IP Filter for packets being forwarded by
this machine.
IPFW_PREINPUT
Set and/or retrieve the IP Filter for all ip packets as near the
top of ip_intr.
IPFW_INPUT
Set and/or retrieve the IP Filter for packets destined for this
machine.
IPFW_PREOUTPUT
Set and/or retrieve the IP Filter for all ip packets as enter
ip_output.
IPFW_OUTPUT
Set and/or retrieve the IP Filter for output packets from this
machine.
IPFW_CALL
Set and/or retrieve an IP Filter available for calling form BPF
based filters.
The 6th entry of the mib is the operation to perform on the filter:
IPFWCTL_PUSH
Retrieve the current filters in the chain and/or push a new fil-
ter on the top of the chain. A 7th entry may be added to indi-
cate only filters of a specific type shouldbe returned (see be-
low). A value of 0 implies all filter types. An 8th entry may
be added to indicate which serial number should be returned. A
valued of 0 means all serail numbers. The 7th and 8th entries
are only for retreival and do not affect any filter being pushed.
If the 7th and 8th arguments are both provided, one of the two is
typically 0.
IPFWCTL_POP
Remove a filter from the chain.
IPFWCTL_LIST
Report what filters are installed on the chain, however, only the
header for each filter is reported, the contents of the filter
are not. The 7th and 8th entries are the as for IPFWCTL_PUSH.
IPFWCTL_FLAGS
Set and/or retrieve the flags set on the specified filter. Cur-
rent flags are:
IPFWF_DOFORW
This filter is also applied to forwarded packets.
IPFWF_SECURE
This filter is secure and may not be removed or replaced.
IPFWCTL_FILTER
Set and/or retrieve the actual filter. See below.
IPFWCTL_FORW
Indicate the specified filter should also be called for forwarded
packets. The value is an int. Setting the value to non-zero
turns on filtering of forwarded packets and a value of zero turns
off the filtering of forwarded packets. This only makes sense
with the input and output filters.
IPFWCTL_SECURE
Indicate the specified filter (see below) should be marked se-
cure. A secure filter may not be removed or replaced. The only
way to change a secure filter is to reboot the system.
The data past in to (or out of) sysctl for IPFWCTL_FILTER requests con-
sists of a series of blocks. Each blocks starts with an int which con-
tains the type of block, followed by a size_t which states how much data
is in the block (excluding the header). The next block starts on the
next int boundary following the end of the current block. The following
types of blocks are available.
IPFW_BPF
A bpf(4) filter to determine which packets to report and/or re-
ject. The return status of the filter must contain the code (see
above) for the disposition of the packet. The degenerate code of
0 (zero) is the same as the return code of IPFW_REJECT.
IPFW_CIRCUIT
Initialize a filter as a circuit cache.
IPFW_CISCO
A filter based on cisco routers access-list and access-list-ex-
tended rules.
DIAGNOSTICS
A socket operation may fail with one of the following errors returned:
[EISCONN] when trying to establish a connection on a socket which
already has one, or when trying to send a datagram with
the destination address specified and the socket is al-
ready connected;
[ENOTCONN] when trying to send a datagram, but no destination ad-
dress is specified, and the socket hasn't been connect-
ed;
[ENOBUFS] when the system runs out of memory for an internal data
structure;
[EADDRINUSE] when an attempt is made to create a socket with a port
which has already been allocated;
[EADDRNOTAVAIL] when an attempt is made to create a socket with a net-
work address for which no network interface exists.
SEE ALSObind(2), read(2), recv(2), socket(2), bpf(4), intro(4), inet(4),
ip(4), ipfw(8)
April 25, 1997 4