Provided by: ipfwadm_2.3.0-4_i386
ipfw - IP firewall and accounting
int setsockopt (int socket, IPPROTO_IP, int command, void *data, int
The IP firewall and accounting facilities in the Linux kernel provide
mechanisms for accounting IP packets, for building firewalls based on
packet-level filtering, for building firewalls using transparent proxy
servers (by redirecting packets to local sockets), and for masquerading
forwarded packets. The administration of these functions is maintained
in the kernel as 4 separate lists, each containing zero or more rules.
Each rule contains specific information about source and destination
addresses, protocols, port numbers, and some other characteristics. A
packet will match with a rule when the characteristics of the rule
match those of the IP packet. The 4 categories of rules are:
The accounting rules are used for all IP packets that are sent
or received via one of the local network interfaces. Every
packet will be compared with all rules in this list, and every
match will cause an increment of the packet and byte counters
associated with that rule.
These rules regulate the acceptance of incoming IP packets. All
packets coming in via one of the local network interfaces are
checked against the input firewall rules. The first rule that
matches with a packet determines the policy to use and will also
cause the rule’s packet en byte counters being adapted. When no
matching rule is found, the default policy for the input
firewall is used.
These rules define the permissions for sending IP packets. All
packets that are ready to be be sent via one of the local
network interfaces are checked against the output firewall
rules. The first rule that matches with a packet determines the
policy to use and will also cause the rule’s packet and byte
counters being adapted. When no matching rule is found, the
default policy for the output firewall is used.
These rules define the permissions for forwarding IP packets.
All packets sent by a remote host having another remote host as
destination are checked against the forwarding firewall rules.
The first rule that matches with a packet determines the policy
to use and will also cause the rule’s packet and byte counters
being adapted. When no matching rule is found, the default
policy for the forwarding firewall is used.
Each of the firewall rules (not the accounting rules) contains a
policy, which specifies what action has to be taken when a packet
matches with the rule. There are 3 different policies possible: accept
(let the packet pass the firewall), reject (do not accept the packet
and send an ICMP host unreachable message back to the sender as
notification), and deny (ignore the packet without sending any
notification). For all 3 types of firewalls there also exists a
default policy, which applies to all packets for which none of the
The input rules also define whether or not packets should be redirected
to a local socket after being accepted by the input firewall. In this
case, the packet will be received by a local process, even if it was
sent to another host and/or another port number. This function only
applies to TCP or UDP packets.
The forwarding rules also define whether or not packets should be
masqueraded when being forwarded. In that case, the sender address in
the IP packets is replaced by the address of the local host and the
source port in the TCP or UDP header is replaced by a locally generated
(temporary) port number before being forwarded. Because this
administration is kept in the kernel, reverse packets (sent to the
temporary port number on the local host) are recognized automatically.
The destination address and port number of these packets will be
replaced by the original address and port number that was saved when
the first packet was masqueraded. This function only applies to TCP or
This paragraph describes the way a packet goes through the firewall and
accounting rules. Packets received via one of the local network
interface will pass the following sets of rules:
accounting (incoming device)
input firewall (incoming device)
Here, the device (network interface) that is used when trying to match
a rule with an IP packet is listed between brackets. After this step,
a packet will optionally be redirected to a local socket. When a
packet has to be forwarded to a remote host, it will also pass the next
set of rules:
forwarding firewall (outgoing device)
After this step, a packet will optionally be masqueraded. Responses to
masqueraded packets will never pass the forwarding firewall (but they
will pass both the input and output firewalls). All packets sent via
one of the local network interfaces, either locally generated or being
forwarded, will pass the following sets of rules:
output firewall (outgoing device)
accounting (outgoing device)
Note that masqueraded packets will pass the output firewall and
accounting rules with the new packet headers (after passing the input
and forwarding firewall with the original headers). Also, responses to
masqueraded packets will have different headers when passing the input
and output firewall rules.
The firewall and accounting administration can be changed via calls to
setsockopt(2). The existing rules can be inspected by looking at 4
files in the /proc/net directory: ip_acct, ip_input, ip_output, and
ip_forward. The current administration related to masqueraded sessions
can be found in the file ip_masquerade in the same directory (note that
the rules specifying which sessions should be masqueraded are in
Commands for changing the lists of rules or the default policies have
to be given as options to the setsockopt(2) system call, working on a
raw IP socket. Most commands require some additional data to be
passed. A pointer to this data and the length of the data are passed
as option value and option length arguments to setsockopt. The
following commands are available:
Add a rule to one of the accounting or firewall lists.
Depending on the command, the rule is added to the list for
accounting, input firewall, output firewall, or forwarding
firewall, respectively. The new rule rule is appended to the
end of the list. The data passed with this command is an ip_fw
structure, defining the contents of the new rule.
These commands are equal to the append commands, except that the
new rule is inserted at the beginning of the list.
Remove a rule from one of the accounting or firewall lists.
Depending on the command, the rule will be removed from the list
for accounting, input firewall, output firewall, or forwarding
firewall, repectively. The data passed with this command is an
ip_fw structure, defining the contents of the rule to be
removed. The first rule conforming to the given definition is
removed from the list.
Reset the packet and byte counters in all rules of the list for
accounting, input firewall, output firewall, or forwarding
firewall, repectively. Note that a (dummy) integer has to be
passed as data with this command. See also the description of
the /proc/net files for a way to atomically list and reset the
Remove all rules from the list for accounting, input firewall,
output firewall, or forwarding firewall, repectively. Note that
a (dummy) integer has to be passed as data with this command.
Change the default policy for the input firewall, output
firewall, or the forwarding firewall. The new policy is passed
as integer data with the following possible values:
IP_FW_F_ACCEPT (accept a packet), IP_FW_F_ICMPRPL (reject a
packet by sending an ICMP host unreachable message back to the
sender), or 0 (deny a packet, without any further notification).
The policy is used when none of the available firewall rules in
the appropriate list matches the packet being screened. For the
forwarding firewall, the given policy may also be IP_FW_F_ACCEPT
| IP_FW_F_MASQ ®(accept a packet to be forwarded, but also use
masquerading for TCP and UDP packets).
Set the timeout values used for masquerading. The data passed
with this command is a structure containing 3 fields of type
int, representing the timeout values (in jiffies, 1/HZ second)
for TCP sessions, TCP sessions after receiving a FIN packet, and
UDP packets, repectively. A timeout value 0 means that the
current timeout value of the corresponding entry is preserved.
Check whether a packet would be accepted, denied, or rejected by
the input firewall (IP_FW_CHECK_IN), the output firewall
(IP_FW_CHECK_OUT), or the forwarding firewall (IP_FW_CHECK_FWD).
The data passed with this command is an ip_fwpkt structure,
defining the packet headers and the interface address.
The ip_fw structure contains the following relevant fields to be filled
in for adding or deleting a rule:
struct in_addr fw_src, fw_dst
Source and destination IP addresses.
struct in_addr fw_smsk, fw_dmsk
Masks for the source and destination IP addresses. Note that a
mask of 0.0.0.0 will result in a match for all hosts.
struct in_addr fw_via
IP address of the interface via which a packet is received by
the system or is going to be sent by the system. The address
0.0.0.0 has a special meaning: it will match with all interface
Name of the interface via which a packet is received by the
system or is going to be sent by the system. The empty string
has a special meaning: it will match with all device names.
unsigned short fw_flg
Flags for this rule. The flags for the different options can be
bitwise or’ed with each other.
The protocol (mandatory). Possible values are IP_FW_F_TCP
(TCP), IP_FW_F_UDP (UDP), IP_FW_F_ICMP (ICMP), or IP_FW_F_ALL
(all protocols, which defines a universal firewall/accounting
The policy to be used when a packet matches with this rule.
This policy can be IP_FW_F_ACCEPT (accept the packet),
IP_FW_F_ICMPRPL (reject the packet by sending an ICMP host
unreachable message back to the sender). When none of these
flags is specified, the packet is denied without any
notification. Note that the policy is ignored in accounting
Redirection and masquerading are also defined with 2 flags.
IP_FW_F_REDIR redirects an accepted packet to a local socket
(specified by a port number, see below). It is only valid in
input firewall rules and can only be used when the kernel is
compiled with CONFIG_IP_TRANSPARENT_PROXY defined. IP_FW_F_MASQ
masquerades an accepted packet. It is only valid in forwarding
firewall rules and can only be used when the kernel is compiled
with CONFIG_IP_MASQUERADE defined.
The other options are: IP_FW_F_BIDIR (bidirectional rule,
matching in both directions), IP_FW_F_TCPACK (only matches with
TCP packets when the ACK bit is set in the TCP header, ignored
with other protocols), IP_FW_F_TCPSYN (only matches with TCP
packets when the SYN bit is set and the ACK bit is cleared in
the TCP header, ignored with other protocols), IP_FW_F_ACCTIN
and IP_FW_F_ACCTOUT (only match incoming or outgoing packets,
respectively; these options only have effect in accounting
rules), IP_FW_F_SRNG, and IP_FW_F_DRNG (see below for a
description of these flags). The option IP_FW_F_PRN can be used
to list some information about a matching packet via printk().
This option will only be effective when the kernel is compiled
with CONFIG_IP_FIREWALL_VERBOSE defined.
unsigned short fw_nsp, fw_ndp, fw_pts[IP_FW_MAX_PORTS]
These fields specify the number of source ports, the number of
destination ports, and the array in which these ports are
stored, respectively. The array starts with the source ports,
directly followed by the destination ports. If the option
IP_FW_F_REDIR is used, these ports are followed by the
redirection port. If this redirection port is 0, the
destination port of a packet will be used as the redirection
port. The total number of ports is limited to IP_FW_MAX_PORTS
(currently 10). Both the list of source and destination ports
may contain at most one range. In that case, the first 2 port
numbers of the list are taken as the minimum and maximum values
of the range. For ICMP packets, source ports are interpreted as
ICMP types and destination ports are ignored. Because the
second and further fragments of a TCP or UDP packet do not
contain port numbers, these IP packets are treated in accounting
rules as if both port numbers are equal to 65535. For the same
reason, all second and further fragments of an ICMP packet are
treated in accounting rules as if the ICMP message type is 255.
Furthermore, all second and further fragments of TCP, UDP, or
ICMP packets will be accepted by any of the 3 firewalls. The
flags IP_FW_F_SRNG and IP_FW_F_DRNG in the fw_flg field specify
whether or not a source and/or destination range is specified.
unsigned char fw_tosand, fw_tosxor
These 8-bit masks define how the TOS field in the IP header
should be changed when a packet is accepted by the firewall
rule. The TOS field is first bitwise and’ed with fw_tosand and
the result of this will be bitwise xor’ed with fw_tosxor. The
fields are ignored in accounting rules or in firewall rules for
rejecting or denying a packet.
The ip_fwpkt structure, used when checking a packet, contains the
struct iphdr fwp_iph
The IP header. See <linux/ip.h> for a detailed description of
the iphdr structure.
struct tcphdr fwp_protoh.fwp_tcph
struct udphdr fwp_protoh.fwp_udph
struct icmphdr fwp_protoh.fwp_icmph
The TCP, UDP, or ICMP header, combined in a union named
fwp_protoh. See <linux/tcp.h>, <linux/udp.h>, or <linux/icmp.h>
for a detailed description of the respective structures.
struct in_addr fwp_via
The interface address via which the packet is pretended to be
received or sent.
On success, zero is returned. On error, -1 is returned and errno is
set appropriately. See setsockopt(2) for a list of possible error
values. When one of the 2 check packet commands is used, zero is
returned when the packet would be accepted without redirection or
masquerading. Otherwise, -1 is returned and errno is set to
ECONNABORTED (packet would be accepted using redirection), ECONNRESET
(packet would be accepted using masquerading), ETIMEDOUT (packet would
be denied), or ECONNREFUSED (packet would be rejected).
In the directory /proc/net there are 4 entries to list the currently
defined rules for each of the categories: ip_acct (for IP accounting
rules), ip_input (for IP input firewall rules), ip_output (for IP
output firewall rules), and ip_forward (for IP forwarding firewall
rules). Reading these files results in a header line and one line for
each defined rule. For all 3 types of firewall, the header line
includes at the end a decimal representation of the corresponding
default policy (one of IP_FW_F_ACCEPT, IP_FW_F_ICMPRPL, and 0; the
policy of the forwarding firewall may also be IP_FW_F_ACCEPT |
Each following line lists the contents of a rule in the following
order: source address and mask, destination address and mask, interface
address, flags, number of source and destination ports, packet and byte
counters, the list of ports, a TOS and-mask, and a TOS xor-mask. The
IP addresses and masks are listed as 8 hexadecimal digits, the TOS
masks are listed as 2 hexadecimal digits preceded by the letter A and
X, repectively, and the other values are represented in decimal format.
Individual fields are separated by white space, by a ’/’ (the address
and the corresponding mask), or by "->" (the source and destination
The files may also be opened in read/write mode (only root is allowed
to do this). In that case, the packet and byte counters in all the
rules of that category will be reset to zero after listing their
The file /proc/net/ip_masquerade contains the kernel administration
related to masquerading. After a header line, each masqueraded session
is described on a separate line with the following entries, separated
by white space or by ’:’ (the address/port number pairs): protocol name
("TCP" or "UDP"), source IP address and port number, destination IP
address and port number, the new port number, the initial sequence
number for adding a delta value, the delta value, the previous delta
value, and the expire time in jiffies (1/HZ second). All addresses and
numeric values are in hexadecimal format, except the last 3 entries,
being represented in decimal format.
setsockopt(2), socket(2), ipfwadm(8)
June 17, 1996 IPFW(4)