ipfw man page on BSDOS

Man page or keyword search:  
man Server   6284 pages
apropos Keyword Search (all sections)
Output format
BSDOS logo
[printable version]

IPFW(4)			    BSD Programmer's Manual		       IPFW(4)

NAME
     ipfw - Internet Protocol Filter

SYNOPSIS
     #include <sys/socket.h>
     #include <netinet/in.h>
     #include <netinet/ip_bpf.h>

     int
     socket(PF_INET, SOCK_RAW, IPFW_PROTO);

DESCRIPTION
     An IPFW socket provides a read only interface to packets marked for re-
     porting by an IP Filter.  It is defined within the INET protocol family.

     Before the socket is used, is should be bound to the AF_INET family by
     using the bind(2) system call.  The following code does the proper bind-
     ing:

	   struct sockaddr sa;
	   sa.sa_len = 2;
	   sa.sa_family = AF_INET;
	   bind(fd, &sa, 2);

     Once the socket is open the IPFW_SELECT socket option must be set at the
     IPFW_PROTO level.	The following code selects all packets logged by any
     filter:

	   ipfw_data_t id;
	   id.code = 0;
	   id.mask = 0;
	   setsockopt(fd, IPFW_PROTO, IPFW_SELECT, &id, sizeof(ipfw_data_t));

     Once the selection criteria has been specified packets selected may be
     read by the recv(2) or read(2) system calls.  Each packet read is pre-
     ceeded by an int which contains the code returned by the IP Filter.  The
     following masks break down the code word:

     IPFW_FILTER
	     Mask of the filter number.	 The following filters are specified:

	     IPFW_FORWARD
		     The packet came from the ip forwarding input filter.

	     IPFW_PREINPUT
		     The packet came from the ip pre-input filter.

	     IPFW_INPUT
		     The packet came from the ip input filter.

	     IPFW_PREOUTPUT
		     The packet came from the ip pre-output filter.

	     IPFW_OUTPUT
		     The packet came from the ip output filter.

     IPFW_RETCODE
	     Mask of the return code bits:

	     IPFW_ACCEPT
		     The packet was delivered.

	     IPFW_CONTROL
		     The packet is a control packet of some sort.  (currently
		     only returned from a circuit cache).

	     IPFW_REJECT
		     The packet was not delivered.  (This is actually 0).

	     IPFW_REPORT
		     The packet was reported (this should always be set).

     IPFW_SIZE
	     Mask of the length of the packet (the lower 16 bits).  This
	     length does not include the size of the code word.

     IPFW_USER
	     Mask of the user bits that may be specified by the filter re-
	     questing the packet to be logged.	(These are shifted up by 16
	     bit as the lower 16 bits of the code are the size).

     Any of the bits specified in the code may be used to select which of the
     logged packets should be passed up the socket.  The mask element of the
     ipfw_data_t structure should be set to the bits of interest.  The code
     element should be set to which bits selected by the mask must be set.
     For example, setting the mask to IPFW_FILTER and the code to IPFW_FORWARD
     will cause all packets logged from the forwarding filter to be selected
     while not selecting packets from any other filter.

FILTERS
     Filters are set and manipulated through sysctl(2).	 The mib always starts
     with the 4 units:

	   CTL_NET.PF_INET.IPPROTO_IP.IPCTL_IPFW

     The 5th entry in the mib is the filter to be worked on:

     IPFW_FORWARD
	     Set and/or retrieve the IP Filter for packets being forwarded by
	     this machine.

     IPFW_PREINPUT
	     Set and/or retrieve the IP Filter for all ip packets as near the
	     top of ip_intr.

     IPFW_INPUT
	     Set and/or retrieve the IP Filter for packets destined for this
	     machine.

     IPFW_PREOUTPUT
	     Set and/or retrieve the IP Filter for all ip packets as enter
	     ip_output.

     IPFW_OUTPUT
	     Set and/or retrieve the IP Filter for output packets from this
	     machine.

     IPFW_CALL
	     Set and/or retrieve an IP Filter available for calling form BPF
	     based filters.

     The 6th entry of the mib is the operation to perform on the filter:

     IPFWCTL_PUSH
	     Retrieve the current filters in the chain and/or push a new fil-
	     ter on the top of the chain.  A 7th entry may be added to indi-
	     cate only filters of a specific type shouldbe returned (see be-
	     low).  A value of 0 implies all filter types.  An 8th entry may
	     be added to indicate which serial number should be returned.  A
	     valued of 0 means all serail numbers.  The 7th and 8th entries
	     are only for retreival and do not affect any filter being pushed.
	     If the 7th and 8th arguments are both provided, one of the two is
	     typically 0.

     IPFWCTL_POP
	     Remove a filter from the chain.

     IPFWCTL_LIST
	     Report what filters are installed on the chain, however, only the
	     header for each filter is reported, the contents of the filter
	     are not.  The 7th and 8th entries are the as for IPFWCTL_PUSH.

     IPFWCTL_FLAGS
	     Set and/or retrieve the flags set on the specified filter.	 Cur-
	     rent flags are:

	     IPFWF_DOFORW
		     This filter is also applied to forwarded packets.

	     IPFWF_SECURE
		     This filter is secure and may not be removed or replaced.

     IPFWCTL_FILTER
	     Set and/or retrieve the actual filter.  See below.

     IPFWCTL_FORW
	     Indicate the specified filter should also be called for forwarded
	     packets.  The value is an int. Setting the value to non-zero
	     turns on filtering of forwarded packets and a value of zero turns
	     off the filtering of forwarded packets.  This only makes sense
	     with the input and output filters.

     IPFWCTL_SECURE
	     Indicate the specified filter (see below) should be marked se-
	     cure.  A secure filter may not be removed or replaced.  The only
	     way to change a secure filter is to reboot the system.

     The data past in to (or out of) sysctl for IPFWCTL_FILTER requests con-
     sists of a series of blocks.  Each blocks starts with an int which con-
     tains the type of block, followed by a size_t which states how much data
     is in the block (excluding the header).  The next block starts on the
     next int boundary following the end of the current block.	The following
     types of blocks are available.

     IPFW_BPF
	     A bpf(4) filter to determine which packets to report and/or re-
	     ject.  The return status of the filter must contain the code (see
	     above) for the disposition of the packet.	The degenerate code of
	     0 (zero) is the same as the return code of IPFW_REJECT.

     IPFW_CIRCUIT
	     Initialize a filter as a circuit cache.

     IPFW_CISCO
	     A filter based on cisco routers access-list and access-list-ex-
	     tended rules.

DIAGNOSTICS
     A socket operation may fail with one of the following errors returned:

     [EISCONN]	      when trying to establish a connection on a socket which
		      already has one, or when trying to send a datagram with
		      the destination address specified and the socket is al-

		      ready connected;

     [ENOTCONN]	      when trying to send a datagram, but no destination ad-
		      dress is specified, and the socket hasn't been connect-
		      ed;

     [ENOBUFS]	      when the system runs out of memory for an internal data
		      structure;

     [EADDRINUSE]     when an attempt is made to create a socket with a port
		      which has already been allocated;

     [EADDRNOTAVAIL]  when an attempt is made to create a socket with a net-
		      work address for which no network interface exists.

SEE ALSO
     bind(2),  read(2),	 recv(2),  socket(2),  bpf(4),	intro(4),  inet(4),
     ip(4),  ipfw(8)

				April 25, 1997				     4
[top]
                             _         _         _ 
                            | |       | |       | |     
                            | |       | |       | |     
                         __ | | __ __ | | __ __ | | __  
                         \ \| |/ / \ \| |/ / \ \| |/ /  
                          \ \ / /   \ \ / /   \ \ / /   
                           \   /     \   /     \   /    
                            \_/       \_/       \_/ 
More information is available in HTML format for server BSDOS

List of man pages available for BSDOS

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net