junos_dfw_api.h File Reference

Library for adding firewall filters. More...

#include <sys/un.h>
#include <sys/time.h>
#include <jnx/jnx_ports_pub.h>
#include <jnx/dfw_shared_pub.h>
#include <isc/eventlib.h>

Data Structures

struct  junos_dfw_object_key
 String conveying more information for rejecting a transaction. More...
struct  junos_dfw_term_key_pair
 String information conveying more detail about term conflict errors. More...
struct  junos_dfw_trans_reject_reason_info
 Transaction rejection information structure optionally conveys more information related to the rejection code. More...
struct  junos_dfw_client_functions
 Client callback functions. More...
struct  junos_dfw_conn_unix_addr
struct  junos_dfw_conn_inet_addr
 INET connection address definition structure. More...
struct  junos_dfw_conn_tnp_addr
struct  junos_dfw_conn_addr
 JUNOS-DFW connection address definition structure. More...
struct  junos_dfw_filter_info
 Filter information structure. More...
struct  junos_dfw_term_order
 Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used. More...
struct  junos_dfw_term_info
 Term information structure definition. More...
struct  junos_dfw_policer_info
 Policer information structure definition. More...
struct  junos_dfw_filter_intf_attach
 Interface attach-point definition structure. More...
struct  junos_dfw_filter_rtt_attach
struct  junos_dfw_filter_bd_attach
struct  junos_dfw_filter_attach_info
 Attach-point definition structure. More...
struct  junos_dfw_stats_client_functions
 The vector of all statistic callback functions. More...

Defines

#define boolean   u_int8_t
 The library for clients to add firewall filters/policers via JUNOS-DFW.
#define JUNOS_DFW_FILTER_NAME_LEN   65
#define JUNOS_DFW_POLICER_NAME_LEN   65
#define JUNOS_DFW_TIMER_NAME_LEN   65
#define JUNOS_DFW_ATTACH_NAME_LEN   256
#define JUNOS_DFW_COUNTER_NAME_LEN   65
#define JUNOS_DFW_TERM_NAME_LEN   65
#define JUNOS_DFW_NAME_LEN   128
#define JUNOS_DFW_DEFAULT_PORT   LIBDFWD_API_TCP_PORT
#define JUNOS_DFW_DEFAULT_LOCAL_ADDR   "127.0.0.1"
#define JUNOS_DFW_BURST_SIZE_LIMIT_MIN   1500
 The range of values for burst_size_limit in bytes.
#define JUNOS_DFW_BURST_SIZE_LIMIT_MAX   40000000000LLU

Typedefs

typedef OPAQUE_junos_dfw_session * junos_dfw_session_handle_t
typedef u_int16_t junos_dfw_client_id_t
typedef u_int64_t dfwdlib_ctx_type_t
typedef enum junos_dfw_session_connect_return junos_dfw_session_connect_return_t
 Session connect return codes.
typedef void(* junos_dfw_session_connect_cb_t )(junos_dfw_session_handle_t handle, junos_dfw_session_connect_return_t code, junos_dfw_client_id_t *client_id_list, int num_client_ids)
 Callback for session connect.
typedef enum junos_dfw_session_state junos_dfw_session_state_t
 Session state change codes.
typedef void(* junos_dfw_session_state_change_cb_t )(junos_dfw_session_handle_t handle, junos_dfw_session_state_t state)
 Callback for session connection state change.
typedef enum junos_dfw_trans_reject_reason junos_dfw_trans_reject_reason_t
 Transaction reject reason codes.
typedef junos_dfw_object_key junos_dfw_object_key_t
 String conveying more information for rejecting a transaction.
typedef junos_dfw_term_key_pair junos_dfw_term_key_pair_t
 String information conveying more detail about term conflict errors.
typedef junos_dfw_trans_reject_reason_info junos_dfw_trans_reject_reason_info_t
 Transaction rejection information structure optionally conveys more information related to the rejection code.
typedef void(* junos_dfw_trans_rejected_cb_t )(junos_dfw_session_handle_t handle, u_int64_t ctx, junos_dfw_trans_reject_reason_info_t reason_info)
 Callback for config rejected.
typedef void(* junos_dfw_trans_accepted_cb_t )(junos_dfw_session_handle_t handle, u_int64_t ctx, u_int32_t dfw_index)
 Callback for config accepted.
typedef junos_dfw_client_functions junos_dfw_client_functions_t
 Client callback functions.
typedef enum junos_dfw_conn_af junos_dfw_conn_af_t
 Connection address family definitions.
typedef junos_dfw_conn_unix_addr junos_dfw_conn_unix_addr_t
typedef junos_dfw_conn_inet_addr junos_dfw_conn_inet_addr_t
 INET connection address definition structure.
typedef junos_dfw_conn_tnp_addr junos_dfw_conn_tnp_addr_t
typedef junos_dfw_conn_addr junos_dfw_conn_addr_t
 JUNOS-DFW connection address definition structure.
typedef u_int32_t junos_dfw_sdk_app_id_t
 Definition for SDK client identifier unique application identifier.
typedef OPAQUE_junos_dfw_trans * junos_dfw_trans_handle_t
typedef enum junos_dfw_filter_types junos_dfw_filter_types_t
 Filter type definitions.
typedef enum junos_dfw_filter_op junos_dfw_filter_op_t
 Filter operation definitions.
typedef enum junos_dfw_filter_addr_family junos_dfw_filter_addr_family_t
 Filter address family definitions.
typedef junos_dfw_filter_info junos_dfw_filter_info_t
 Filter information structure.
typedef enum junos_dfw_filter_field_type junos_dfw_filter_field_type_t
 Filter field types.
typedef enum junos_dfw_term_type junos_dfw_term_type_t
 Term type definitions.
typedef enum junos_dfw_term_adj junos_dfw_term_adj_t
 Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used.
typedef junos_dfw_term_order junos_dfw_term_order_t
 Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used.
typedef junos_dfw_term_info junos_dfw_term_info_t
 Term information structure definition.
typedef enum junos_dfw_term_op junos_dfw_term_op_t
 Term-related operations definitions.
typedef enum junos_dfw_filter_match_op junos_dfw_filter_match_op_t
 Match operation definitions.
typedef junos_dfw_policer_info junos_dfw_policer_info_t
typedef enum junos_dfw_policer_op junos_dfw_policer_op_t
 Indicates the configuration operation to be executed by JUNOS-DFW.
typedef enum junos_dfw_rate_unit junos_dfw_rate_unit_t
 Flow rate unit definitions.
typedef enum junos_dfw_burst_size_unit junos_dfw_burst_size_unit_t
 Flow burst-size unit definitions.
typedef enum junos_dfw_filter_attach_point junos_dfw_filter_attach_point_t
 Attach-point definitions.
typedef junos_dfw_filter_intf_attach junos_dfw_filter_intf_attach_t
 Interface attach-point definition structure.
typedef junos_dfw_filter_rtt_attach junos_dfw_filter_rtt_attach_t
typedef junos_dfw_filter_bd_attach junos_dfw_filter_bd_attach_t
typedef junos_dfw_filter_attach_info junos_dfw_filter_attach_info_t
 Attach-point definition structure.
typedef void(* junos_dfw_stats_trans_get_cb_t )(junos_dfw_session_handle_t handle, u_int64_t ctx, u_int32_t num_counters, dfw_counter_t *counter_list)
 Callback for get statistics.
typedef void(* junos_dfw_stats_trans_reset_cb_t )(junos_dfw_session_handle_t handle, u_int64_t ctx)
 Callback for reset statistics.
typedef junos_dfw_stats_client_functions junos_dfw_stats_client_functions_t
 The vector of all statistic callback functions.
typedef OPAQUE_junos_dfw_session * junos_dfw_stats_filter_handle_t
typedef enum junos_dfw_counter_op junos_dfw_counter_op_t
 Counter operations definitions.

Enumerations

enum  junos_dfw_session_connect_return { JUNOS_DFW_SC_SUCCESS = 0x00, JUNOS_DFW_SC_FAILED, JUNOS_DFW_SC_FAILED_VERSION }
 Session connect return codes. More...
enum  junos_dfw_session_state { JUNOS_DFW_SS_DOWN = 0x00 }
 Session state change codes. More...
enum  junos_dfw_trans_reject_reason {
  JUNOS_DFW_FILTER_NOT_FOUND = 0x00, JUNOS_DFW_FILTER_IN_USE, JUNOS_DFW_FILTER_ALREADY_EXISTS, JUNOS_DFW_FILTER_CONFIG_ERR,
  JUNOS_DFW_TERM_NOT_FOUND, JUNOS_DFW_TERM_ALREADY_EXISTS, JUNOS_DFW_TERM_CONFIG_ERR, JUNOS_DFW_TERM_CONFLICT_ERR,
  JUNOS_DFW_POLICER_NOT_FOUND, JUNOS_DFW_POLICER_IN_USE, JUNOS_DFW_POLICER_ALREADY_EXISTS, JUNOS_DFW_POLICER_CONFIG_ERR,
  JUNOS_DFW_ATTACH_POINT_NOT_FOUND, JUNOS_DFW_ATTACH_POINT_IN_USE, JUNOS_DFW_DFW_INDEX_EXHAUSTED, JUNOS_DFW_OUT_OF_MEMORY_ERR,
  JUNOS_DFW_INTERNAL_ERR, JUNOS_DFW_TIMER_NOT_FOUND, JUNOS_DFW_TIMER_IN_USE, JUNOS_DFW_TIMER_ALREADY_EXISTS,
  JUNOS_DFW_TIMER_CONFIG_ERR, JUNOS_DFW_TNP_SESSION_ERR
}
 Transaction reject reason codes. More...
enum  junos_dfw_conn_af { JUNOS_DFW_CONN_AF_UNIX = 0x00, JUNOS_DFW_CONN_AF_INET, JUNOS_DFW_CONN_AF_TNP }
 Connection address family definitions. More...
enum  junos_dfw_filter_types { JUNOS_DFW_FILTER_TYPE_CLASSIC = 0x00, JUNOS_DFW_FILTER_TYPE_FAST_UPDATE, JUNOS_DFW_FILTER_TYPE_MAX = JUNOS_DFW_FILTER_TYPE_FAST_UPDATE }
 Filter type definitions. More...
enum  junos_dfw_filter_op { JUNOS_DFW_FILTER_OP_ADD = 0x00, JUNOS_DFW_FILTER_OP_DELETE, JUNOS_DFW_FILTER_OP_CHANGE, JUNOS_DFW_FILTER_OP_MAX = JUNOS_DFW_FILTER_OP_CHANGE }
 Filter operation definitions. More...
enum  junos_dfw_filter_addr_family {
  JUNOS_DFW_FILTER_AF_INET = 0x00, JUNOS_DFW_FILTER_AF_INET6, JUNOS_DFW_FILTER_AF_ES, JUNOS_DFW_FILTER_AF_VPLS,
  JUNOS_DFW_FILTER_AF_MULTISERVICE, JUNOS_DFW_FILTER_AF_CCC, JUNOS_DFW_FILTER_AF_MAX = JUNOS_DFW_FILTER_AF_CCC
}
 Filter address family definitions. More...
enum  junos_dfw_filter_field_type {
  JUNOS_DFW_FILTER_FIELD_INVALID = 0x00, JUNOS_DFW_FILTER_FIELD_IP_PROTO, JUNOS_DFW_FILTER_FIELD_IP_SRC_ADDR, JUNOS_DFW_FILTER_FIELD_IP_DEST_ADDR,
  JUNOS_DFW_FILTER_FIELD_SRC_PORT, JUNOS_DFW_FILTER_FIELD_DEST_PORT, JUNOS_DFW_FILTER_FIELD_MAC_SRC_ADDR, JUNOS_DFW_FILTER_FIELD_MAC_DEST_ADDR,
  JUNOS_DFW_FILTER_FIELD_ETHER_TYPE, JUNOS_DFW_FILTER_FIELD_DSCP, JUNOS_DFW_FILTER_FIELD_MAX = JUNOS_DFW_FILTER_FIELD_DSCP
}
 Filter field types. More...
enum  junos_dfw_term_type { JUNOS_DFW_TERM_TYPE_ORDERED = 0x00, JUNOS_DFW_TERM_TYPE_PRIORITISED, JUNOS_DFW_TERM_TYPE_MAX = JUNOS_DFW_TERM_TYPE_PRIORITISED }
 Term type definitions. More...
enum  junos_dfw_term_adj { JUNOS_DFW_TERM_ADJ_NEXT = 0x00, JUNOS_DFW_TERM_ADJ_PREV, JUNOS_DFW_TERM_ADJ_MAX = JUNOS_DFW_TERM_ADJ_PREV }
 Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used. More...
enum  junos_dfw_term_op { JUNOS_DFW_TERM_OP_ADD = 0x00, JUNOS_DFW_TERM_OP_DELETE, JUNOS_DFW_TERM_OP_REPLACE, JUNOS_DFW_TERM_OP_MAX = JUNOS_DFW_TERM_OP_REPLACE }
 Term-related operations definitions. More...
enum  junos_dfw_filter_match_op { JUNOS_DFW_FILTER_OP_MATCH = 0x00, JUNOS_DFW_FILTER_OP_MATCH_EXCEPT }
 Match operation definitions. More...
enum  junos_dfw_policer_op { JUNOS_DFW_POLICER_OP_ADD = 0x00, JUNOS_DFW_POLICER_OP_DELETE, JUNOS_DFW_POLICER_OP_REPLACE, JUNOS_DFW_POLICER_OP_MAX = JUNOS_DFW_POLICER_OP_REPLACE }
 Indicates the configuration operation to be executed by JUNOS-DFW. More...
enum  junos_dfw_rate_unit {
  JUNOS_DFW_RATE_UNIT_BPS = 0x00, JUNOS_DFW_RATE_UNIT_KBPS, JUNOS_DFW_RATE_UNIT_MBPS, JUNOS_DFW_RATE_UNIT_GBPS,
  JUNOS_DFW_RATE_UNIT_BANDWIDTH_PERCENT, JUNOS_DFW_RATE_UNIT_MAX = JUNOS_DFW_RATE_UNIT_GBPS
}
 Flow rate unit definitions. More...
enum  junos_dfw_burst_size_unit {
  JUNOS_DFW_BURST_SIZE_UNIT_BYTE = 0x00, JUNOS_DFW_BURST_SIZE_UNIT_KBYTE, JUNOS_DFW_BURST_SIZE_UNIT_MBYTE, JUNOS_DFW_BURST_SIZE_UNIT_GBYTE,
  JUNOS_DFW_BURST_SIZE_UNIT_MAX = JUNOS_DFW_BURST_SIZE_UNIT_GBYTE
}
 Flow burst-size unit definitions. More...
enum  junos_dfw_filter_attach_point {
  JUNOS_DFW_FILTER_ATTACH_POINT_INPUT_INTF = 0x00, JUNOS_DFW_FILTER_ATTACH_POINT_OUTPUT_INTF, JUNOS_DFW_FILTER_ATTACH_POINT_INPUT_FWDTABLE, JUNOS_DFW_FILTER_ATTACH_POINT_INPUT_BD,
  JUNOS_DFW_FILTER_ATTACH_POINT_MAX = JUNOS_DFW_FILTER_ATTACH_POINT_INPUT_BD
}
 Attach-point definitions. More...
enum  junos_dfw_counter_op { JUNOS_DFW_COUNTER_OP_GET = 0x00, JUNOS_DFW_COUNTER_OP_CLEAR, JUNOS_DFW_COUNTER_OP_MAX = JUNOS_DFW_COUNTER_OP_CLEAR }
 Counter operations definitions. More...

Functions

void junos_dfw_trans_reject_reason_strerr (junos_dfw_trans_reject_reason_info_t reason_info, char *buffer, size_t buffer_size)
 Convert a reject reason code into a human-readable string. The write is bounded by buffer_size; pass the full allocated size of buffer.
int junos_dfw_session_handle_alloc (junos_dfw_session_handle_t *handlep, junos_dfw_client_functions_t *funs)
 Allocate session handle.
int junos_dfw_session_handle_free (junos_dfw_session_handle_t handle)
 Free session handle.
int junos_dfw_session_open (junos_dfw_session_handle_t handle, const junos_dfw_conn_addr_t *conn_addr, junos_dfw_sdk_app_id_t sdk_app_id, evContext ctx)
 Opens a connection with JUNOS-DFW.
int junos_dfw_session_close (junos_dfw_session_handle_t handle)
 Close JUNOS-DFW session.
int junos_dfw_session_user_data_set (junos_dfw_session_handle_t handle, void *opaque)
 Allows user to store data reference inside session.
int junos_dfw_session_user_data_get (junos_dfw_session_handle_t handle, void **opaque)
 Allows user to retrieve data reference stored inside session.
int junos_dfw_filter_trans_alloc (const junos_dfw_filter_info_t *filter_info, junos_dfw_filter_op_t operation, junos_dfw_trans_handle_t *handlep)
 Allocate a filter transaction structure.
int junos_dfw_filter_prop_ordered_field_list (junos_dfw_trans_handle_t trans_handle, int num_fields, junos_dfw_filter_field_type_t *field_list)
 Ordered field list filter property.
int junos_dfw_term_start (junos_dfw_trans_handle_t trans_handle, const junos_dfw_term_info_t *term_info, junos_dfw_term_op_t operation)
 Term definition start marker routine.
int junos_dfw_term_end (junos_dfw_trans_handle_t trans_handle)
 Term definition end marker routine.
int junos_dfw_term_match_src_prefix (junos_dfw_trans_handle_t trans_handle, u_int32_t *prefix, u_int8_t prefix_len, junos_dfw_filter_match_op_t op)
 Source address prefix term match. The number of u_int32_t words read from prefix is not stated on this page; presumably it follows the filter's address family (one word for JUNOS_DFW_FILTER_AF_INET, four for JUNOS_DFW_FILTER_AF_INET6) — confirm before passing a buffer, since an under-sized buffer would be over-read.
int junos_dfw_term_match_dest_prefix (junos_dfw_trans_handle_t trans_handle, u_int32_t *prefix, u_int8_t prefix_len, junos_dfw_filter_match_op_t op)
 Destination address prefix match.
int junos_dfw_term_match_prefix (junos_dfw_trans_handle_t trans_handle, u_int32_t *prefix, u_int8_t prefix_len, junos_dfw_filter_match_op_t op)
 Address prefix match.
int junos_dfw_term_match_ip_proto (junos_dfw_trans_handle_t trans_handle, u_int8_t ip_proto_min, u_int8_t ip_proto_max, junos_dfw_filter_match_op_t op)
 IP protocol term match routine.
int junos_dfw_term_match_src_port (junos_dfw_trans_handle_t trans_handle, u_int16_t src_port_min, u_int16_t src_port_max, junos_dfw_filter_match_op_t op)
 Source port number term match.
int junos_dfw_term_match_dest_port (junos_dfw_trans_handle_t trans_handle, u_int16_t dest_port_min, u_int16_t dest_port_max, junos_dfw_filter_match_op_t op)
 Destination port number term match.
int junos_dfw_term_match_port (junos_dfw_trans_handle_t trans_handle, u_int16_t port_min, u_int16_t port_max, junos_dfw_filter_match_op_t op)
 Port number term match.
int junos_dfw_term_match_icmp_type (junos_dfw_trans_handle_t trans_handle, u_int16_t icmp_type_min, u_int16_t icmp_type_max, junos_dfw_filter_match_op_t op)
 ICMP type term match.
int junos_dfw_term_match_icmp_code (junos_dfw_trans_handle_t trans_handle, u_int16_t icmp_code_min, u_int16_t icmp_code_max, junos_dfw_filter_match_op_t op)
 ICMP code term match.
int junos_dfw_term_match_packet_len (junos_dfw_trans_handle_t trans_handle, u_int32_t packet_len_min, u_int32_t packet_len_max, junos_dfw_filter_match_op_t op)
 Packet length term match.
int junos_dfw_term_match_dscp_code (junos_dfw_trans_handle_t trans_handle, u_int8_t dscp_code_min, u_int8_t dscp_code_max, junos_dfw_filter_match_op_t op)
 DSCP code term match.
int junos_dfw_term_match_ifl_index (junos_dfw_trans_handle_t trans_handle, u_int32_t ifl_index, junos_dfw_filter_match_op_t op)
 IFL index term match.
int junos_dfw_term_match_vlan_ether_type (junos_dfw_trans_handle_t trans_handle, u_int16_t vlan_ether_type_min, u_int16_t vlan_ether_type_max, junos_dfw_filter_match_op_t op)
 VLAN ethertype term match.
int junos_dfw_term_match_ether_type (junos_dfw_trans_handle_t trans_handle, u_int16_t ether_type_min, u_int16_t ether_type_max, junos_dfw_filter_match_op_t op)
 Match a range of Ethernet types.
int junos_dfw_term_match_src_mac (junos_dfw_trans_handle_t trans_handle, u_int8_t *src_mac, u_int8_t prefix_len, junos_dfw_filter_match_op_t op)
 Match the whole or a portion of the source MAC address. The page does not state the unit of prefix_len (presumably bits, at most 48) or how many bytes are read from src_mac (presumably 6) — confirm before use.
int junos_dfw_term_match_dest_mac (junos_dfw_trans_handle_t trans_handle, u_int8_t *dest_mac, u_int8_t prefix_len, junos_dfw_filter_match_op_t op)
 Match the whole or portion of the destination MAC address.
int junos_dfw_term_action_accept (junos_dfw_trans_handle_t trans_handle)
 Accept term action routine.
int junos_dfw_term_action_discard (junos_dfw_trans_handle_t trans_handle)
 Discard term action routine.
int junos_dfw_term_action_sample (junos_dfw_trans_handle_t trans_handle)
 Sample term action routine.
int junos_dfw_term_action_policer (junos_dfw_trans_handle_t trans_handle, const junos_dfw_policer_info_t *policer_info)
 Policer term action routine.
int junos_dfw_term_action_count (junos_dfw_trans_handle_t trans_handle, const char *counter_name)
 Count term action routine.
int junos_dfw_term_action_next_term (junos_dfw_trans_handle_t trans_handle)
 Next term action routine.
int junos_dfw_term_action_topology_redirect (junos_dfw_trans_handle_t trans_handle, const char *routing_instance_name, const char *topology_name)
 Topology redirect term action routine.
int junos_dfw_term_action_redirect (junos_dfw_trans_handle_t trans_handle, const char *routing_instance_name)
 Redirect term action routine.
int junos_dfw_policer_trans_alloc (const junos_dfw_policer_info_t *policer_info, junos_dfw_policer_op_t operation, junos_dfw_trans_handle_t *handlep)
 Allocate policer transaction.
int junos_dfw_policer_parameters (junos_dfw_trans_handle_t trans_handle, u_int32_t rate, junos_dfw_rate_unit_t rate_unit, u_int32_t burst_size_limit, junos_dfw_burst_size_unit_t burst_size_unit)
 Configure policer parameters.
int junos_dfw_policer_action_discard (junos_dfw_trans_handle_t trans_handle)
 Discard policer action.
int junos_dfw_filter_attach_trans_alloc (const junos_dfw_filter_info_t *filter_info, junos_dfw_filter_attach_info_t *attach_info, junos_dfw_trans_handle_t *handlep)
 Allocate filter attach transaction.
int junos_dfw_filter_detach_trans_alloc (const junos_dfw_filter_info_t *filter_info, junos_dfw_filter_attach_info_t *attach_info, junos_dfw_trans_handle_t *handlep)
 Detach a filter.
int junos_dfw_trans_handle_free (junos_dfw_trans_handle_t handle)
 Free transaction handle.
int junos_dfw_trans_send (junos_dfw_session_handle_t handle, junos_dfw_trans_handle_t trans_handle, junos_dfw_client_id_t client_id, u_int64_t ctx)
 Send transaction.
int junos_dfw_session_reply_get (junos_dfw_session_handle_t handle, struct timeval *timeout)
 Retrieve a message from a connection.
int junos_dfw_bulk_trans_start (junos_dfw_session_handle_t handle)
 Bulk transaction start.
int junos_dfw_bulk_trans_end (junos_dfw_session_handle_t handle)
 Bulk transaction end.
int junos_dfw_trans_purge (junos_dfw_session_handle_t handle, const junos_dfw_client_id_t *client_id_list, int num_client_ids)
 Purge transaction.
int junos_dfw_stats_session_handle_alloc (junos_dfw_session_handle_t *handlep, junos_dfw_stats_client_functions_t *funs)
 Allocate statistic session handle.
int junos_dfw_stats_session_handle_free (junos_dfw_session_handle_t handle)
 Free statistic session handle.
int junos_dfw_ev_stats_session_connect_async (junos_dfw_session_handle_t handle, const junos_dfw_conn_addr_t *conn_addr, evContext ctx)
 Event library–based statistics session connect.
int junos_dfw_stats_filter_handle_alloc (junos_dfw_session_handle_t handle, const junos_dfw_filter_info_t *filter_info, boolean interface_specific_filter, const junos_dfw_filter_attach_info_t *attach_info, u_int32_t *filter_index, junos_dfw_stats_filter_handle_t *fil_handlep)
 Allocate statistics filter handle. Note that junos_dfw_stats_filter_handle_t is declared with the same opaque pointer type as junos_dfw_session_handle_t (see the Typedefs section), so the compiler will not catch a session handle passed where a statistics filter handle is expected, or vice versa.
int junos_dfw_stats_filter_handle_free (junos_dfw_stats_filter_handle_t fil_handle)
 Free statistics filter handle.
int junos_dfw_stats_trans_alloc (junos_dfw_stats_filter_handle_t fil_handle, junos_dfw_counter_op_t operation, junos_dfw_trans_handle_t *handlep)
 Allocate statistics transaction.
int junos_dfw_stats_trans_add_counter (junos_dfw_trans_handle_t handle, const char *counter_name, char *internal_counter_name)
 Statistics add counter transaction. internal_counter_name is an output buffer with no length parameter; the required size is not stated on this page (presumably JUNOS_DFW_COUNTER_NAME_LEN bytes) — confirm before sizing the buffer.
int junos_dfw_stats_trans_add_policer (junos_dfw_trans_handle_t handle, const junos_dfw_policer_info_t *policer_info, const char *term_name, char *internal_counter_name)
 Statistics add policer transaction. As with junos_dfw_stats_trans_add_counter(), internal_counter_name is an output buffer with no length parameter; confirm the required size before use.
int junos_dfw_stats_trans_send (junos_dfw_session_handle_t handle, junos_dfw_trans_handle_t trans_handle, u_int64_t ctx)
 Send statistics transaction.
int junos_dfw_stats_trans_receive (junos_dfw_session_handle_t handle)
 Receive statistics transaction responses.


Detailed Description

Library for adding firewall filters.

This file contains all function and structure definitions needed to add firewall filters to a Juniper Networks router. Detailed descriptions are included with each function, as well as possible error returns.

Note:
Only functions listed in this file (and not marked as @internal) are supported at this time. Additional notes marked "SDK-USERS-NOTE" are specific to external SDK users only, and may convey other restrictions.

Define Documentation

#define boolean   u_int8_t
 

The library for clients to add firewall filters/policers via JUNOS-DFW.

Start with junos_dfw_session_handle_alloc() to allocate a junos_dfw_session_handle_t and bind the callback table. All session state is maintained in the handle; there is no global state. A NULL vector in the callback table means that transaction completes silently with no callback. In particular, leaving the transaction-rejected vector NULL means the client is never told that a filter or policer failed to install, so a production client should always supply it.

Follow with a call to junos_dfw_session_open() to establish the connection with JUNOS-DFW. No other function calls should be made until the session is connected. The conn_addr selects the transport (UNIX-domain, INET or TNP; see junos_dfw_conn_af_t); the INET defaults are the loopback address and LIBDFWD_API_TCP_PORT. Nothing in this header carries a client credential beyond sdk_app_id, so keep the INET transport on the local host unless the deployment provides another access control.

All function calls are non-blocking, with the apparent exception of junos_dfw_session_reply_get(), which takes a timeout and presumably may wait up to that long. Multiple outstanding transactions are permitted.

Loss of connection to the JUNOS-DFW server will result in a callback through the session_state vector in the junos_dfw_client_functions_t callback table. The server will start a config-purge timer upon detection of the lost connection. It is the responsibility of the client to reestablish the connection and reinstall all configuration. Leftover config in the server that is not refreshed is purged. A client must remain connected to the server to keep its configuration. A normal session closure by the client is also treated as a lost connection. Note the security consequence: because purged filters cease to exist, a prolonged disconnect (including a client crash or restart) fails open — traffic those filters were discarding is admitted until the client reconnects and reinstalls them. Reconnect promptly and consider a statically configured fallback filter for anything that must not fail open.

#define JUNOS_DFW_BURST_SIZE_LIMIT_MIN   1500
 

The range of values for burst_size_limit in bytes.

These are the limits the JUNOS CLI accepts for burst-size-limit. Note that the burst_size_limit parameter of junos_dfw_policer_parameters() is a u_int32_t, so a value above 4294967295 can only be expressed by choosing a larger burst_size_unit; the limits presumably apply to the value after scaling to bytes — confirm against the server's validation.


Typedef Documentation

typedef struct junos_dfw_client_functions junos_dfw_client_functions_t
 

Client callback functions.

The vector of all callback functions. Individual callbacks can be disabled by setting the appropriate vector to NULL.

typedef enum junos_dfw_filter_addr_family junos_dfw_filter_addr_family_t
 

Filter address family definitions.

Note:
SDK-USERS-NOTE: The JUNOS_DFW_FILTER_AF_VPLS address family is only available on the MX-platform and only for a small subset of functions (see notes in description headers below).

typedef enum junos_dfw_filter_attach_point junos_dfw_filter_attach_point_t
 

Attach-point definitions.

The junos_dfw_filter_attach_point enumeration shows the attach points supported at this time.

typedef enum junos_dfw_filter_field_type junos_dfw_filter_field_type_t
 

Filter field types.

Possible fields that can occur in filter terms. Currently, this is required only for filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE.

typedef void(* junos_dfw_session_connect_cb_t)(junos_dfw_session_handle_t handle, junos_dfw_session_connect_return_t code, junos_dfw_client_id_t *client_id_list, int num_client_ids)
 

Callback for session connect.

If this callback reports JUNOS_DFW_SC_SUCCESS, it means the session is connected. No other function calls should be made until the session connect callback has completed successfully.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] code Session connect return code.
[in] client_id_list List of client IDs associated with session.
[in] num_client_ids Number of client IDs specified in the list.

typedef void(* junos_dfw_session_state_change_cb_t)(junos_dfw_session_handle_t handle, junos_dfw_session_state_t state)
 

Callback for session connection state change.

This callback only occurs in response to an unexpected session closure. It does not occur in response to a user-initiated session closure, even though (as described under junos_dfw_session_handle_alloc) a normal closure by the client is still treated by the server as a lost connection and starts the config-purge timer.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] state New state.

typedef void(* junos_dfw_stats_trans_get_cb_t)(junos_dfw_session_handle_t handle, u_int64_t ctx, u_int32_t num_counters, dfw_counter_t *counter_list)
 

Callback for get statistics.

This callback is invoked for a completed JUNOS_DFW_COUNTER_OP_GET transaction. It returns the ctx provided by the user when initiating the transaction (in junos_dfw_stats_trans_send()) to correlate responses with requests.

counter_list contains the num_counters counters that were successfully fetched. If some of the requested counters were not found, num_counters will not match the number of counters requested with the junos_dfw_stats_trans_add_*() calls, so correlate results by the counter name carried in each dfw_counter_t rather than by request order. num_counters returned as zero means none of the requested counters were found.

dfw_counter_t is defined in dfw_shared_pub.h. It contains counter name and its values. If a counter is policer out-of-spec counter, its byte count will be zero since policer out-of-spec counter only supports packet count.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] ctx User's context.
[in] num_counters Number of counters in list.
[in] counter_list Pointer to list of counters.

typedef void(* junos_dfw_stats_trans_reset_cb_t)(junos_dfw_session_handle_t handle, u_int64_t ctx)
 

Callback for reset statistics.

This callback is invoked for a completed JUNOS_DFW_COUNTER_OP_CLEAR transaction. It returns the ctx provided by the user when initiating the transaction (in junos_dfw_stats_trans_send()) to correlate responses with requests.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] ctx User's context.

typedef enum junos_dfw_term_adj junos_dfw_term_adj_t
 

Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used.

When a term order is specified with respect to its previous term, use JUNOS_DFW_TERM_ADJ_PREV. First term will have term_adj_namestr_key set to NULL. If you have a list of terms already configured in a filter and you wish to insert a new term at the top of the list, you can use term_adj_type set to JUNOS_DFW_TERM_ADJ_PREV and term_adj_namestr_key set to NULL.

When a term order is specified with respect to its next term, use JUNOS_DFW_TERM_ADJ_NEXT. Last term will have term_adj_namestr_key set to NULL. If you have a list of terms already configured in a filter and you wish to append a new term at the bottom of the list, you can use term_adj_type set to JUNOS_DFW_TERM_ADJ_NEXT and term_adj_namestr_key set to NULL.

typedef struct junos_dfw_term_info junos_dfw_term_info_t
 

Term information structure definition.

Note:
SDK-USERS-NOTE: For filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE, the priority field of the union property should be zeroed out.

typedef struct junos_dfw_term_order junos_dfw_term_order_t
 

Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used.

For more about term order, see the typedef junos_dfw_term_adj.

typedef void(* junos_dfw_trans_accepted_cb_t)(junos_dfw_session_handle_t handle, u_int64_t ctx, u_int32_t dfw_index)
 

Callback for config accepted.

This callback is invoked after a config is accepted by JUNOS-DFW. It does not indicate that the filter/policer has been installed in the forwarding path, and none of the callbacks in this header reports installation completion; a client must not assume traffic is being filtered merely because this callback fired.

dfw_index is a unique identifier assigned by JUNOS-DFW to the filter or policer associated with the config request.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] ctx User context.
[in] dfw_index JUNOS-DFW index for filter/policer.

typedef enum junos_dfw_trans_reject_reason junos_dfw_trans_reject_reason_t
 

Transaction reject reason codes.

Reasons indicate why transactions are rejected. JUNOS-DFW stops processing a transaction upon the first error and rejects the entire transaction, so a rejected transaction leaves none of its contents applied.

typedef void(* junos_dfw_trans_rejected_cb_t)(junos_dfw_session_handle_t handle, u_int64_t ctx, junos_dfw_trans_reject_reason_info_t reason_info)
 

Callback for config rejected.

This callback is invoked when a config transaction is rejected by JUNOS-DFW.

The reason_info.reason indicates why the transaction was rejected. JUNOS-DFW stops processing a transaction upon the first error and rejects the entire transaction. Some reason codes have corresponding valid reason_info.info to provide more specific reason information.

ctx is the context supplied by user to junos_dfw_trans_send() call. This can be used to identify a transaction and provide application-level sequencing.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] ctx User context.
[in] reason_info Reason for rejecting.


Enumeration Type Documentation

enum junos_dfw_burst_size_unit
 

Flow burst-size unit definitions.

Enumerator:
JUNOS_DFW_BURST_SIZE_UNIT_BYTE  Bytes.
JUNOS_DFW_BURST_SIZE_UNIT_KBYTE  Kilobytes.
JUNOS_DFW_BURST_SIZE_UNIT_MBYTE  Megabytes.
JUNOS_DFW_BURST_SIZE_UNIT_GBYTE  Gigabytes.

enum junos_dfw_conn_af
 

Connection address family definitions.

Enumerator:
JUNOS_DFW_CONN_AF_UNIX  Address family type UNIX.
JUNOS_DFW_CONN_AF_INET  Internet address family.
JUNOS_DFW_CONN_AF_TNP  TNP transport (declared in the enum at the top of this page but not documented here).

enum junos_dfw_counter_op
 

Counter operations definitions.

Enumerator:
JUNOS_DFW_COUNTER_OP_GET  Get specified counter value.
JUNOS_DFW_COUNTER_OP_CLEAR  Clear specified counter.

enum junos_dfw_filter_addr_family
 

Filter address family definitions.

Note:
SDK-USERS-NOTE: The JUNOS_DFW_FILTER_AF_VPLS address family is only available on the MX-platform and only for a small subset of functions (see notes in description headers below).
Enumerator:
JUNOS_DFW_FILTER_AF_INET  IPv4 address family.
JUNOS_DFW_FILTER_AF_INET6  IPv6 address family.
JUNOS_DFW_FILTER_AF_VPLS  Virtual private LAN service.

enum junos_dfw_filter_attach_point
 

Attach-point definitions.

The junos_dfw_filter_attach_point enumeration shows the attach points supported at this time.

Enumerator:
JUNOS_DFW_FILTER_ATTACH_POINT_INPUT_INTF  Input interface.
JUNOS_DFW_FILTER_ATTACH_POINT_OUTPUT_INTF  Output interface.

enum junos_dfw_filter_field_type
 

Filter field types.

Possible fields that can occur in filter terms. Currently, this is required only for filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE.

Enumerator:
JUNOS_DFW_FILTER_FIELD_INVALID  Invalid field.
JUNOS_DFW_FILTER_FIELD_IP_PROTO  IP protocol field.
JUNOS_DFW_FILTER_FIELD_IP_SRC_ADDR  Source address field.
JUNOS_DFW_FILTER_FIELD_IP_DEST_ADDR  Destination address.
JUNOS_DFW_FILTER_FIELD_SRC_PORT  Source port field.
JUNOS_DFW_FILTER_FIELD_DEST_PORT  Destination port field.
JUNOS_DFW_FILTER_FIELD_DSCP  Only tested for FUF on MX.

enum junos_dfw_filter_match_op
 

Match operation definitions.

Enumerator:
JUNOS_DFW_FILTER_OP_MATCH  Filter operation match.
JUNOS_DFW_FILTER_OP_MATCH_EXCEPT  Filter operation not match.

enum junos_dfw_filter_op
 

Filter operation definitions.

Enumerator:
JUNOS_DFW_FILTER_OP_ADD  Filter operation add.
JUNOS_DFW_FILTER_OP_DELETE  Filter operation delete.
JUNOS_DFW_FILTER_OP_CHANGE  Filter operation change.

enum junos_dfw_filter_types
 

Filter type definitions.

Enumerator:
JUNOS_DFW_FILTER_TYPE_CLASSIC  Filter type classic.
JUNOS_DFW_FILTER_TYPE_FAST_UPDATE  Filter type 'Fast update'.

enum junos_dfw_policer_op
 

Indicates the configuration operation to be executed by JUNOS-DFW.

Enumerator:
JUNOS_DFW_POLICER_OP_ADD  Policer operation add.
JUNOS_DFW_POLICER_OP_DELETE  Policer operation delete.
JUNOS_DFW_POLICER_OP_REPLACE  Policer operation replace.

enum junos_dfw_rate_unit
 

Flow rate unit definitions. Note that JUNOS_DFW_RATE_UNIT_BANDWIDTH_PERCENT is declared after JUNOS_DFW_RATE_UNIT_GBPS while JUNOS_DFW_RATE_UNIT_MAX is set equal to GBPS, so BANDWIDTH_PERCENT lies outside the [0, JUNOS_DFW_RATE_UNIT_MAX] range: a validity check written as unit <= JUNOS_DFW_RATE_UNIT_MAX will reject it. It is also undocumented in the enumerator list below.

Enumerator:
JUNOS_DFW_RATE_UNIT_BPS  Bits per second.
JUNOS_DFW_RATE_UNIT_KBPS  Kilobits per second.
JUNOS_DFW_RATE_UNIT_MBPS  Megabits per second.
JUNOS_DFW_RATE_UNIT_GBPS  Gigabits per second.

enum junos_dfw_session_connect_return
 

Session connect return codes.

Enumerator:
JUNOS_DFW_SC_SUCCESS  Session connect successful.
JUNOS_DFW_SC_FAILED  Session connect failed.
JUNOS_DFW_SC_FAILED_VERSION  Function/JUNOS-DFW version mismatch.

enum junos_dfw_session_state
 

Session state change codes.

Enumerator:
JUNOS_DFW_SS_DOWN  Session down.

enum junos_dfw_term_adj
 

Definitions to specify ordering information when JUNOS_DFW_TERM_TYPE_ORDERED is used.

When a term order is specified with respect to its previous term, use JUNOS_DFW_TERM_ADJ_PREV. First term will have term_adj_namestr_key set to NULL. If you have a list of terms already configured in a filter and you wish to insert a new term at the top of the list, you can use term_adj_type set to JUNOS_DFW_TERM_ADJ_PREV and term_adj_namestr_key set to NULL.

When a term order is specified with respect to its next term, use JUNOS_DFW_TERM_ADJ_NEXT. Last term will have term_adj_namestr_key set to NULL. If you have a list of terms already configured in a filter and you wish to append a new term at the bottom of the list, you can use term_adj_type set to JUNOS_DFW_TERM_ADJ_NEXT and term_adj_namestr_key set to NULL.

Enumerator:
JUNOS_DFW_TERM_ADJ_NEXT  Term adjacency next.
JUNOS_DFW_TERM_ADJ_PREV  Term adjacency previous.

enum junos_dfw_term_op
 

Term-related operations definitions.

Enumerator:
JUNOS_DFW_TERM_OP_ADD  Term operation add.
JUNOS_DFW_TERM_OP_DELETE  Term operation delete.
JUNOS_DFW_TERM_OP_REPLACE  Term operation replace.

enum junos_dfw_term_type
 

Term type definitions.

Enumerator:
JUNOS_DFW_TERM_TYPE_ORDERED  Term type ordered.
JUNOS_DFW_TERM_TYPE_PRIORITISED  Term type prioritized.

enum junos_dfw_trans_reject_reason
 

Transaction reject reason codes.

Reasons indicate why transactions are rejected. JUNOS-DFW stops processing a transaction upon first error and rejects the entire transaction.

Enumerator:
JUNOS_DFW_FILTER_NOT_FOUND  Filter not found.
JUNOS_DFW_FILTER_IN_USE  Filter in use.
JUNOS_DFW_FILTER_ALREADY_EXISTS  Filter already exists.
JUNOS_DFW_FILTER_CONFIG_ERR  Filter configuration error.
JUNOS_DFW_TERM_NOT_FOUND  Term not found.
JUNOS_DFW_TERM_ALREADY_EXISTS  Term already exists.
JUNOS_DFW_TERM_CONFIG_ERR  Term configuration error.
JUNOS_DFW_TERM_CONFLICT_ERR  Term conflict error.
JUNOS_DFW_POLICER_NOT_FOUND  Policer not found.
JUNOS_DFW_POLICER_IN_USE  Policer in use.
JUNOS_DFW_POLICER_ALREADY_EXISTS  Policer already exists.
JUNOS_DFW_POLICER_CONFIG_ERR  Policer configuration error.
JUNOS_DFW_ATTACH_POINT_NOT_FOUND  Attach point not found.
JUNOS_DFW_ATTACH_POINT_IN_USE  Attach point already in use.
JUNOS_DFW_DFW_INDEX_EXHAUSTED  No more JUNOS-DFW indices.
JUNOS_DFW_OUT_OF_MEMORY_ERR  Out of memory.
JUNOS_DFW_INTERNAL_ERR  Internal error.


Function Documentation

int junos_dfw_bulk_trans_end(junos_dfw_session_handle_t handle)
 

Bulk transaction end.

This call indicates end of multiple filters/policers configurations. JUNOS-DFW will process all config requests between junos_dfw_bulk_trans_start() call and junos_dfw_bulk_trans_end() as a single transaction, just like a single config commit of multiple filter/policers from CLI.

A call to junos_dfw_bulk_trans_end() without a preceding junos_dfw_bulk_trans_start() has no configuration effect; see the EINVAL return value below.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid session handle, or failure to send message, or handle not in bulk config mode, i.e., junos_dfw_bulk_trans_start() not invoked yet. Check syslog for more information on specifics of the error.
  • ENOTCONN Connection not established.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_bulk_trans_start(junos_dfw_session_handle_t handle)
 

Bulk transaction start.

This call indicates start of multiple filters/policers configurations. JUNOS-DFW will process all config requests, i.e., possibly many individual transaction builds and junos_dfw_trans_send() calls between junos_dfw_bulk_trans_start() call and junos_dfw_bulk_trans_end() call, as a single transaction, just like a single config commit of multiple filter/policers from CLI.

Bulk config can be used at any time, but is especially useful at the time of synchronization after reestablishing a session with JUNOS-DFW. JUNOS-DFW server waits for first transaction from client. If this transaction is not a bulk config, JUNOS-DFW will automatically purge any old configuration. If it is a bulk config, JUNOS-DFW will wait for the bulk config to complete before it starts a diff of client configuration with its own database associated with this client. JUNOS-DFW makes use of bulk config to find what has changed in client's desired configuration and acts to synchronize with it. This includes adding new configuration, updating changed configuration, and deleting configuration not refurbished by the client.

Each config request in a bulk config will have its own ctx value supplied by the client in junos_dfw_trans_send() call. If any configuration of the bulk order fails at JUNOS-DFW, its ctx will be supplied to the client via trans_rejected_cb callback.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid session handle, or failure to send message, or handle already in bulk config mode, i.e., junos_dfw_bulk_trans_start() already invoked on handle. Check syslog for more information on specifics of the error.
  • ENOTCONN Connection not established.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_ev_stats_session_connect_async(junos_dfw_session_handle_t handle,
                                             const junos_dfw_conn_addr_t conn_addr,
                                             evContext ctx)
 

Event library–based statistics session connect.

This call opens necessary sockets to service statistics requests. It provides support for asynchronous client interfaces using event library. The handle must be allocated by junos_dfw_stats_session_handle_alloc().

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] conn_addr Pointer to DFW server address structure.
[in] ctx Event library's context.
Return values:
errno Possible values in case of failure return.
  • EISCONN Sockets are already open.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_filter_attach_trans_alloc(const junos_dfw_filter_info_t filter_info,
                                        junos_dfw_filter_attach_info_t attach_info,
                                        junos_dfw_trans_handle_t *handlep)
 

Allocate filter attach transaction.

Attaching a filter requires its own transaction. Use the junos_dfw_filter_attach_trans_alloc() call to allocate an attach transaction handle, followed by junos_dfw_trans_send(). filter_info must refer to a filter that is already configured. attach_point (in the junos_dfw_filter_attach_info structure) must be a NULL-terminated string identifying a specific attach point. A filter attached using this call must be detached before it can be deleted.

Parameters:
[in] filter_info Pointer to filter information structure.
[in] attach_info Pointer to attach location structure.
[in] handlep Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handlep or namestr_key supplied as NULL. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_filter_detach_trans_alloc(const junos_dfw_filter_info_t filter_info,
                                        junos_dfw_filter_attach_info_t attach_info,
                                        junos_dfw_trans_handle_t *handlep)
 

Detach a filter.

If a filter is attached, it must be detached before it can be deleted. Detaching a filter can be achieved using the junos_dfw_filter_detach_trans_alloc() call.

Parameters:
[in] filter_info Pointer to filter information structure.
[in] attach_info Pointer to attach location structure.
[in] handlep Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handlep or namestr_key supplied as NULL. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_filter_prop_ordered_field_list(junos_dfw_trans_handle_t trans_handle,
                                             int num_fields,
                                             junos_dfw_filter_field_type_t field_list)
 

Ordered field list filter property.

In fast update filters, i.e., filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE, the user must specify all possible fields that can occur in the filter terms. This is a mandatory property. The order in which the fields occur in field_list decides the order in which the fields are matched in the fast path. If a filter is declared to allow N fields, but a term defined for that filter specifies fewer than N fields, the missing fields are treated as wildcards, i.e., "any". Such a rule is less specific and therefore inherently gets lower priority than rules that are more specific.

This function call can only be used in a transaction for the DFWD_FILTER_OP_ADD operation and before configuring any term.

This function is only supported for filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] num_fields Number of filter fields.
[in] field_list Pointer to filter fields list.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid property supplied, or property not supported by the type of filter mentioned in trans_handle, or the transaction is not for JUNOS_DFW_FILTER_OP_ADD operation, or call is made after term definition.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_filter_trans_alloc(const junos_dfw_filter_info_t filter_info,
                                 junos_dfw_filter_op_t operation,
                                 junos_dfw_trans_handle_t *handlep)
 

Allocate a filter transaction structure.

To configure a firewall filter, start the definition using junos_dfw_filter_trans_alloc(). The namestr_key and owner_client_id in the filter_info argument are the key identifying a filter. namestr_key is a NULL-terminated string that can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_FILTER_NAME_LEN characters long including the terminating NULL. It must be unique among the filters configured by a client. The combination of namestr_key and owner_client_id forms a unique filter identification. Currently, owner_client_id must match the client ID specified during the junos_dfw_session_open() phase.

To specify a new filter definition or to change a previously configured filter, use operation JUNOS_DFW_FILTER_OP_ADD or JUNOS_DFW_FILTER_OP_CHANGE, respectively. Multiple terms can be configured in a filter using the handle obtained for these operations. To configure a term, use junos_dfw_term_start() followed by Match function calls, followed by Action function calls, and finally junos_dfw_term_end() to end term definition. The JUNOS-DFW server will reject a transaction that has term definition specified more than once.

If no match condition is specified in a term, that term matches all packets. If no action is specified in a term, the default action is accept. If a packet matches none of the terms in the filter, it is discarded.

To delete a previously configured filter, use the operation JUNOS_DFW_FILTER_OP_DELETE. A handle obtained for JUNOS_DFW_FILTER_OP_DELETE cannot be used with any of the term configuration function calls.

The junos_dfw_filter_types_t decides the type of filter. Each type of filter has its own feature set and allowed filter configuration functions as listed below.

JUNOS_DFW_FILTER_TYPE_CLASSIC - Indicates that the filter must be treated as classic filter configured from CLI under "firewall family XYZ filter". Such a filter will go through compilation and optimization phases identical to classic filters. Term ordering is guaranteed in this filter type. User must, therefore, define terms of type JUNOS_DFW_TERM_TYPE_ORDERED. Refer to description of term types in junos_dfw_term_start().

JUNOS_DFW_FILTER_TYPE_FAST_UPDATE - Indicates that the filter is a fast update filter. Such filters have widely different semantics from those of the classic filters and have no CLI equivalent. These filters do not go through compilation/optimization phases and are ideal when the filter terms are likely to be updated frequently. The action associated with the term having the longest prefix match is performed. Terms do not have any specific order; you must therefore define terms of type JUNOS_DFW_TERM_TYPE_PRIORITISED. Refer to the description of term types in junos_dfw_term_start().

Note:
Additional stipulations may apply to internal users of JUNOS_DFW_FILTER_TYPE_FAST_UPDATE (see other header files).
The junos_dfw_filter_op_t indicates the configuration operation to be executed by JUNOS_DFW. Following is the description of various junos_dfw_filter_op_t values:

JUNOS_DFW_FILTER_OP_ADD - Indicates a new filter definition. Property functions, if supported by the filter, can be used during this operation. All terms must specify JUNOS_DFW_CONFIG_OP_ADD as operation. JUNOS-DFW will reject the config request if another filter with the same name string as specified in namestr_key already exists in JUNOS-DFW's database of filters added by this client.

JUNOS_DFW_FILTER_OP_DELETE - Indicates a delete request of a filter definition specified earlier by this client. This request cannot carry any term configuration. JUNOS-DFW will reject a delete request if no filter with the name specified in namestr_key exists in JUNOS_DFW's database of filters added by this client or the filter is in use, i.e., attached using junos_dfw_filter_attach_trans_alloc(). Filters added by other clients cannot be deleted or changed.

JUNOS_DFW_FILTER_OP_CHANGE - Indicates change request on a filter definition specified earlier by this client. The terms with any of junos_dfw_term_op_t types may be used. JUNOS-DFW will reject a change request if no filter with the name specified in namestr_key exists in JUNOS_DFW's database of filters added by this client. Filters added by other clients cannot be deleted or changed.

Returns 0 on success; -1 otherwise. On success a new handle is returned in handlep.

Parameters:
[in] filter_info Pointer to filter information structure.
[in] operation Request type.
[out] handlep Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handlep or namestr_key supplied as NULL.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_policer_action_discard(junos_dfw_trans_handle_t trans_handle)
 

Discard policer action.

This function call sets the policer action to discard packets that exceed the rate limits.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_policer_parameters(junos_dfw_trans_handle_t trans_handle,
                                 u_int32_t rate,
                                 junos_dfw_rate_unit_t rate_unit,
                                 u_int32_t burst_size_limit,
                                 junos_dfw_burst_size_unit_t burst_size_unit)
 

Configure policer parameters.

This function call can be used to configure policer parameters.

You specify the bandwidth limit by providing a number in the rate argument and specifying unit in rate_unit.

You can rate-limit traffic based upon port speed. This port speed can be specified by a bandwidth percentage in a policer. You must provide the percentage in the rate argument as a complete decimal number between 1 and 100 and specify rate_unit as JUNOS_DFW_POLICER_RATE_UNIT_BANDWIDTH_PERCENT.

Note:
This function checks whether the burst_size_limit (converted to bytes) falls in the range [JUNOS_DFW_BURST_SIZE_LIMIT_MIN, JUNOS_DFW_BURST_SIZE_LIMIT_MAX]. If it does not, burst_size_limit is clamped to JUNOS_DFW_BURST_SIZE_LIMIT_MIN (if it is less than this) or to JUNOS_DFW_BURST_SIZE_LIMIT_MAX (if it is greater than this). A syslog info message is printed whenever the range check fails, but no error is returned, so callers that need the exact burst size should validate it themselves before the call.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] rate Rate value.
[in] rate_unit Unit of rate.
[in] burst_size_limit Burst size limit.
[in] burst_size_unit Burst size limit unit.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle or function call invoked multiple times or after a junos_dfw_policer_action_XYZ(). This error code is also returned if rate_unit is specified as JUNOS_DFW_POLICER_RATE_UNIT_BANDWIDTH_PERCENT but the rate provided is not between 1 and 100. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_policer_trans_alloc(const junos_dfw_policer_info_t policer_info,
                                  junos_dfw_policer_op_t operation,
                                  junos_dfw_trans_handle_t *handlep)
 

Allocate policer transaction.

To configure a firewall policer, start the definition using junos_dfw_policer_trans_alloc(). The namestr_key and owner_client_id in the policer_info argument are the key identifying a policer. namestr_key is a NULL-terminated string that can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_POLICER_NAME_LEN characters long including the terminating NULL. It must be unique among the policers configured by a client. The combination of namestr_key and owner_client_id forms a unique identification. Currently, owner_client_id must match one of the client IDs provided in client_id_list to junos_dfw_session_open(). This is a provision that will allow a client in the future to refer to policers configured by other clients.

To specify a new policer definition or to replace a previously configured policer, use operation JUNOS_DFW_POLICER_OP_ADD or JUNOS_DFW_POLICER_OP_REPLACE, respectively, followed by the functions that specify the policer's parameters and actions.

To delete a previously configured policer, use the operation JUNOS_DFW_POLICER_OP_DELETE. A handle obtained for JUNOS_DFW_POLICER_OP_DELETE cannot be used with any of the policer parameter or action configuration function calls.

Following is the description of various junos_dfw_filter_op_t values:

  • JUNOS_DFW_POLICER_OP_ADD - Indicates a new policer definition. JUNOS-DFW will reject the config request if another policer with the same name string as specified in namestr_key already exists in JUNOS-DFW's database of filters added by this client.
  • JUNOS_DFW_POLICER_OP_DELETE - Indicates a deletion of a policer definition specified earlier by this client. This request cannot carry any configuration. The JUNOS-DFW server will reject a delete request if no policer with the name specified in namestr_key exists in JUNOS-DFW's database of filters added by this client, or if the policer is in use, i.e., referred by a filter. Policers added by other clients cannot be deleted or changed.
  • JUNOS_DFW_POLICER_OP_REPLACE - Indicates replace request on a policer definition specified earlier by this client. Entire policer definition must be provided as this operation replaces the old policer definition with a new one. The JUNOS-DFW server will reject a replace request if no policer with the name specified in namestr_key exists in JUNOS-DFW's database of filters added by this client. Policers added by other clients cannot be deleted or changed.
Parameters:
[in] policer_info Pointer to policer information structure.
[in] operation Requested operation.
[out] handlep Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handlep or namestr_key supplied as NULL. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_close(junos_dfw_session_handle_t handle)
 

Close JUNOS-DFW session.

Close a connection to the JUNOS-DFW.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_handle_alloc(junos_dfw_session_handle_t *handlep,
                                   junos_dfw_client_functions_t funs)
 

Allocate session handle.

Allocates memory for a session handle and binds callback functions.

Parameters:
[in] handlep Pointer to JUNOS-DFW control block.
[in] funs Pointer to client callback functions.
Return values:
errno Possible values in case of failure return.
  • EINVAL funs is NULL, or session_connect_cb or trans_rejected_cb callback is not defined. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_handle_free(junos_dfw_session_handle_t handle)
 

Free session handle.

Frees session handle memory. This call will close the session if it is not already closed.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handle doesn't belong to a session.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_open(junos_dfw_session_handle_t handle,
                           const junos_dfw_conn_addr_t conn_addr,
                           junos_dfw_sdk_app_id_t sdk_app_id,
                           evContext ctx)
 

Opens a connection with JUNOS-DFW.

This function is called to open a session with JUNOS-DFW. The corresponding callback will contain the return code and the client identifier assigned by JUNOS-DFW. The handle must be allocated by junos_dfw_session_handle_alloc(). sdk_app_id must be a non-zero number that uniquely identifies a user application.

Note:
This function is primarily for SDK users as it allows a client_id to be assigned. Internal users of the JUNOS Software have pre-assigned client identifiers and should use other connect calls (see other header files for choices).
Parameters:
[in] handle Session's handle.
[in] conn_addr Structure to fill in the address and port number.
[in] sdk_app_id Application's unique identifier.
[in] ctx Event context.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid argument(s).
  • EISCONN Connection is already open.
  • EAFNOSUPPORT Destination address family unsupported.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_reply_get(junos_dfw_session_handle_t handle,
                                struct timeval *timeout)
 

Retrieve a message from a connection.

Retrieve a message from a connection and invoke the appropriate callback function, if warranted.

If the user sends a series of requests without allowing the reply-receive monitoring code to run, replies will back up. This function allows the user to check occasionally whether any replies are pending. It is highly recommended that the user get into the habit of calling this function periodically while replies are pending; the call is harmless if none are.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] timeout Pointer to timeout structure.
Return values:
errno Possible value in case of failure return.
  • EINVAL Invalid argument.
  • ENOTCONN Socket is not connected.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_user_data_get(junos_dfw_session_handle_t handle,
                                    void **opaque)
 

Allows user to retrieve data reference stored inside session.

This function can be used to retrieve the pointer to user data previously stored inside the session with junos_dfw_session_user_data_set().

Parameters:
[in] handle Pointer to handler for individual requests.
[in] opaque Pointer to user data.
Return values:
errno Possible value in case of failure return.
  • EINVAL Invalid parameter.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_session_user_data_set(junos_dfw_session_handle_t handle,
                                    void *opaque)
 

Allows user to store data reference inside session.

This function can be used to store a pointer to arbitrary user data inside the session. The session only holds the pointer; the caller remains responsible for the lifetime of the referenced data.

Parameters:
[in] handle Pointer to handler for individual requests.
[in] opaque Pointer to user data.
Return values:
errno Possible value in case of failure return.
  • EINVAL Invalid parameter.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_filter_handle_alloc(junos_dfw_session_handle_t handle,
                                        const junos_dfw_filter_info_t filter_info,
                                        boolean interface_specific_filter,
                                        const junos_dfw_filter_attach_info_t attach_info,
                                        u_int32_t *filter_index,
                                        junos_dfw_stats_filter_handle_t *fil_handlep)
 

Allocate statistics filter handle.

This function creates a filter information handle to use with junos_dfw_stats_trans_alloc().

The session handle must be allocated by junos_dfw_stats_session_handle_alloc().

If the filter is interface-specific, interface_specific_filter must be TRUE and attach_info must be supplied.

If the DFW index for the filter of interest is not known, supply filter_index as 0 and the function will look up the DFW index assigned to the given filter. This is a synchronous call; therefore, if it has to look up the DFW index it can be expensive, depending on the number of filters in the system.

If a filter is deleted and re-added, it is not guaranteed to be assigned the same DFW index. If the client that wants to use a stats function is the owner of the filter it wants to query, it should have received the DFW index in junos_dfw_trans_accepted_cb_t callback. Since the owner of the filter will be aware of the lifetimes of filters it installs, it is advised to supply the DFW index obtained from junos_dfw_trans_accepted_cb_t callback. For a client that does not own the filter for which they want to use the stats function, it may not be possible to know when the filter name to DFW index mapping changes. These clients are advised to use this function and refresh DFW index often.

Use junos_dfw_stats_filter_handle_free() to free the filter handle after you are done using it.

Note:
INTERFACE-SPECIFIC FILTERS ARE NOT SUPPORTED AT THIS TIME FOR FUNCTION CONFIGURED FILTERS. QUERY FOR CLI CONFIGURED FILTERS OR POLICERS IS NOT SUPPORTED.
Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] filter_info Pointer to filter information structure.
[in] interface_specific_filter Filter is for an interface.
[in] attach_info Pointer to attach location structure.
[in] filter_index Filter index value.
[in] fil_handlep Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameters or filter not found.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_filter_handle_free(junos_dfw_stats_filter_handle_t fil_handle)
 

Free statistics filter handle.

Free handle allocated using junos_dfw_stats_filter_handle_alloc().

Parameters:
[in] fil_handle Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle. Check syslog for more information on specifics of the error.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_session_handle_alloc(junos_dfw_session_handle_t *handlep,
                                         junos_dfw_stats_client_functions_t funs)
 

Allocate statistic session handle.

Allocates memory for a stats session handle and binds the callback functions. Use junos_dfw_stats_session_handle_free() to free the handle when you are done using it.

Parameters:
[in] handlep Pointer to control block.
[in] funs Pointer to client callback functions.
Return values:
errno Possible values in case of failure return.
  • EINVAL Callback funs is NULL. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_session_handle_free(junos_dfw_session_handle_t handle)
 

Free statistic session handle.

Frees session handle memory. This call will close the session if it is not already closed.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameters.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_trans_add_counter(junos_dfw_trans_handle_t handle,
                                      const char *counter_name,
                                      char *internal_counter_name)
 

Statistics add counter transaction.

This call adds a counter to be acted upon by the transaction referred by handle.

Counters are internally given mangled names. This function uses the information provided to create the mangled name so that a query can be initiated on that name. The same mangled name is used in the dfw_counter_t structs returned by the junos_dfw_stats_reply_cb_t callback. internal_counter_name is written by this function: provide a buffer of DFW_MAX_NAMELEN bytes to receive the mangled counter name.

Parameters:
[in] handle Pointer to handler for individual requests.
[in] counter_name Counter's external name.
[out] internal_counter_name Counter's internal name.
Return values:
errno Possible values in case of failure return.
  • EINVAL handle supplied is invalid or counter_name is NULL, or multiple counters specified.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_trans_add_policer(junos_dfw_trans_handle_t handle,
                                      const junos_dfw_policer_info_t policer_info,
                                      const char *term_name,
                                      char *internal_counter_name)
 

Statistics add policer transaction.

This call adds a policer to be acted upon by the transaction referred by handle.

Policers and their counters are internally given mangled names. This function uses the information provided to create the mangled name so that a query can be initiated on that name. The same mangled name is used in the dfw_counter_t structs returned by the junos_dfw_stats_reply_cb_t callback. internal_counter_name is written by this function: provide a buffer of DFW_MAX_NAMELEN bytes to receive the mangled name of the given policer's counter.

term_name is required if the policer is not filter-specific, i.e., policer_info->filter_specific is FALSE, because a separate policer instance is created for every term that uses the policer, and term_name identifies which particular policer instance is of interest.

Parameters:
[in] handle Pointer to handler for individual requests.
[in] policer_info Pointer to policer information structure.
[in] term_name Term's name.
[out] internal_counter_name Counter's internal name.
Return values:
errno Possible values in case of failure return.
  • EINVAL One of the parameter supplied is NULL or invalid.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_trans_alloc(junos_dfw_stats_filter_handle_t fil_handle,
                                junos_dfw_counter_op_t operation,
                                junos_dfw_trans_handle_t *handlep)
 

Allocate statistics transaction.

To query or clear filter stats, start by calling junos_dfw_stats_trans_alloc(). fil_handle is the handle obtained using junos_dfw_stats_filter_handle_alloc().

Using the junos_dfw_stats_trans_add_*() functions, build the list of counters that need to be operated upon.

Parameters:
[in] fil_handle Pointer to statistics control block.
[in] operation Request type.
[in] handlep Pointer to control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL handlep supplied as NULL.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_trans_receive junos_dfw_session_handle_t  handle  ) 
 

Receive statistics transaction responses.

Call to receive responses for outstanding statistical transactions previously sent.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • EAGAIN Try again.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_stats_trans_send junos_dfw_session_handle_t  handle,
junos_dfw_trans_handle_t  trans_handle,
u_int64_t  ctx
 

Send statistics transaction.

Start a stats transaction. handle must contain a transaction request that was created with junos_dfw_stats_trans_alloc(). ctx is a user-supplied context that will be echoed in the callbacks.

User can free trans_handle at any time after this call using junos_dfw_trans_handle_free() or may save it for a later use.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] trans_handle Pointer to handler for individual requests.
[in] ctx User-supplied context pointer.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid session or transaction handle. Check syslog for more information on specifics of the error.
  • ENOTCONN Connection not established.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_accept junos_dfw_trans_handle_t  trans_handle  ) 
 

Accept term action routine.

This function can be used to specify the action to take if the packet matches the conditions you have configured in the term.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_count junos_dfw_trans_handle_t  trans_handle,
const char *  counter_name
 

Count term action routine.

Count the number of the packets passing the filter/term combination referred to by trans_handle. counter_name is a NULL terminated string and can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_FILTER_NAME_LEN characters long including NULL. More than one term can use the same counter_name and, in this case, the count will include packets passing through all of these terms.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] counter_name Pointer to the name of the counter.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_discard junos_dfw_trans_handle_t  trans_handle  ) 
 

Discard term action routine.

This function can be used to specify the action to take if the packet matches the conditions you have configured in the term.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_next_term junos_dfw_trans_handle_t  trans_handle  ) 
 

Next term action routine.

This function can be used to allow firewall match to continue to next term in the filter.

Note:
This function may not be supported on all platforms, and is supported only for filters of type JUNOS_DFW_FILTER_TYPE_CLASSIC.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
Return values:
errno Possible value in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_policer junos_dfw_trans_handle_t  trans_handle,
const junos_dfw_policer_info_t policer_info
 

Policer term action routine.

Apply rate limits to the traffic using the named policer. policer_info must refer to a policer configured before the filter containing this action; otherwise, JUNOS-DFW server will reject the config request.

Currently, client can only refer to policers configured by itself. Therefore, owner_client_id in policer_info supplied must match client_id supplied in junos_dfw_session_open().

Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] policer_info Pointer to policer information structure.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_redirect junos_dfw_trans_handle_t  trans_handle,
const char *  routing_instance_name
 

Redirect term action routine.

Redirect the packets passing the filter/term combination referred to by trans_handle to a routing instance. routing_instance_name is a NULL terminated string and can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_FILTER_NAME_LEN characters long including NULL.

Note:
If routing instance does not exist then the packets matching the term that contains action routing-instance will get dropped.
Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] routing_instance_name Pointer to the name of the routing instance.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_sample junos_dfw_trans_handle_t  trans_handle  ) 
 

Sample term action routine.

This function can be used to specify the action to take if the packet matches the conditions you have configured in the term.

Parameters:
[in] trans_handle Pointer to handle for individual requests.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_action_topology_redirect junos_dfw_trans_handle_t  trans_handle,
const char *  routing_instance_name,
const char *  topology_name
 

Topology redirect term action routine.

Redirect the packets passing the filter/term combination referred to by trans_handle to a topology. routing_instance_name and topology_name are NULL terminated strings and can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_FILTER_NAME_LEN characters long including NULL.

Note:
If routing instance does not exist then the packets matching the term that contains action routing-instance will get dropped.
Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] routing_instance_name Pointer to the name of the routing instance. This should be NULL, in case of default routing instance.
[in] topology_name Pointer to the name of the topology.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle, or function call invoked without calling junos_dfw_term_start() or after junos_dfw_term_start() with operation JUNOS_DFW_TERM_OP_DELETE. Check syslog for more information on specifics of the error.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_end junos_dfw_trans_handle_t  trans_handle  ) 
 

Term definition end marker routine.

To mark the end of a term definition, use junos_dfw_term_end(). A number of validations that are specific to a filter type are done in this call. For example, for filters of type JUNOS_DFW_FILTER_TYPE_FAST_UPDATE, restrictions such as allowing only certain match conditions and actions, or only one destination port or port range per filter term, are checked in this call.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle or junos_dfw_term_end() invoked without calling junos_dfw_term_start(), or invoked without any term definition but operation supplied in junos_dfw_term_start() was JUNOS_DFW_TERM_OP_ADD, or term validation failed. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_dest_mac junos_dfw_trans_handle_t  trans_handle,
u_int8_t *  dest_mac,
u_int8_t  prefix_len,
junos_dfw_filter_match_op_t  op
 

Match the whole or portion of the destination MAC address.

Note:
SDK-USERS-NOTE: Address family must be JUNOS_DFW_FILTER_AF_VPLS. This function is only available on I-chip based MX platform; M120 and M320 are not supported.
This routine creates a destination MAC address match condition to be included in a filter term definition. The prefix_len defines the number of bits to match (to allow wildcards).

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] dest_mac Pointer to destination MAC address start.
[in] prefix_len Number of bits from beginning to match.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid argument.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_dest_port junos_dfw_trans_handle_t  trans_handle,
u_int16_t  dest_port_min,
u_int16_t  dest_port_max,
junos_dfw_filter_match_op_t  op
 

Destination port number term match.

Match destination port number to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] dest_port_min Destination port number range begin.
[in] dest_port_max Destination port number range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_dest_prefix junos_dfw_trans_handle_t  trans_handle,
u_int32_t *  prefix,
u_int8_t  prefix_len,
junos_dfw_filter_match_op_t  op
 

Destination address prefix match.

Match specified length of destination address. Type of family (IPv4/v6) is determined by addr_family supplied to junos_dfw_filter_trans_alloc().

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] prefix Pointer to destination address.
[in] prefix_len Destination address prefix length in bits.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_dscp_code junos_dfw_trans_handle_t  trans_handle,
u_int8_t  dscp_code_min,
u_int8_t  dscp_code_max,
junos_dfw_filter_match_op_t  op
 

DSCP code term match.

Match DSCP (diffserv code point) code to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] dscp_code_min DSCP code range begin.
[in] dscp_code_max DSCP code range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_ether_type junos_dfw_trans_handle_t  trans_handle,
u_int16_t  ether_type_min,
u_int16_t  ether_type_max,
junos_dfw_filter_match_op_t  op
 

Match a range of Ethernet types.

This routine creates an Ethernet type match condition to be included in a filter term definition. A range may be specified with different ether_type_min and ether_type_max values.

Note:
SDK-USERS-NOTE: Address family must be JUNOS_DFW_FILTER_AF_VPLS. This function is only available on I-chip based MX platform; M120 and M320 are not supported.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] ether_type_min Ethernet type range begin.
[in] ether_type_max Ethernet type range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid argument.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.
See also:
junos_dfw_term_match_vlan_ether_type(). Both routines match on the same field.

int junos_dfw_term_match_icmp_code junos_dfw_trans_handle_t  trans_handle,
u_int16_t  icmp_code_min,
u_int16_t  icmp_code_max,
junos_dfw_filter_match_op_t  op
 

ICMP code term match.

Match ICMP code to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] icmp_code_min ICMP code range begin.
[in] icmp_code_max ICMP code range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_icmp_type junos_dfw_trans_handle_t  trans_handle,
u_int16_t  icmp_type_min,
u_int16_t  icmp_type_max,
junos_dfw_filter_match_op_t  op
 

ICMP type term match.

Match ICMP type to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] icmp_type_min ICMP type range begin.
[in] icmp_type_max ICMP type range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_ifl_index junos_dfw_trans_handle_t  trans_handle,
u_int32_t  ifl_index,
junos_dfw_filter_match_op_t  op
 

IFL index term match.

Match specified IFL index.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] ifl_index IFL index value to match.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_ip_proto junos_dfw_trans_handle_t  trans_handle,
u_int8_t  ip_proto_min,
u_int8_t  ip_proto_max,
junos_dfw_filter_match_op_t  op
 

IP protocol term match routine.

Match IP protocol type to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] ip_proto_min IP protocol type range begin.
[in] ip_proto_max IP protocol type range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_packet_len junos_dfw_trans_handle_t  trans_handle,
u_int32_t  packet_len_min,
u_int32_t  packet_len_max,
junos_dfw_filter_match_op_t  op
 

Packet length term match.

Match packet length to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] packet_len_min Packet length range begin.
[in] packet_len_max Packet length range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_port junos_dfw_trans_handle_t  trans_handle,
u_int16_t  port_min,
u_int16_t  port_max,
junos_dfw_filter_match_op_t  op
 

Port number term match.

Match source or destination port number to within the specified range.

Note:
This function is only supported for filters of type JUNOS_DFW_FILTER_TYPE_CLASSIC.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] port_min Source or destination port number range begin.
[in] port_max Source or destination port number range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_prefix junos_dfw_trans_handle_t  trans_handle,
u_int32_t *  prefix,
u_int8_t  prefix_len,
junos_dfw_filter_match_op_t  op
 

Address prefix match.

Match specified length of destination or source address. Type of family (IPv4/v6) is determined by addr_family supplied to junos_dfw_filter_trans_alloc().

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] prefix Pointer to address.
[in] prefix_len Address prefix length in bits.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_src_mac junos_dfw_trans_handle_t  trans_handle,
u_int8_t *  src_mac,
u_int8_t  prefix_len,
junos_dfw_filter_match_op_t  op
 

Match the whole or portion of the source MAC address.

This routine creates a source MAC address match condition to be included in a filter term definition. The prefix_len defines the number of bits to match (to allow wildcards).

Note:
SDK-USERS-NOTE: Address family must be JUNOS_DFW_FILTER_AF_VPLS. This function is only available on I-chip based MX platform; M120 and M320 are not supported.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] src_mac Pointer to source MAC address start.
[in] prefix_len Number of bits from beginning to match.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid argument.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_src_port junos_dfw_trans_handle_t  trans_handle,
u_int16_t  src_port_min,
u_int16_t  src_port_max,
junos_dfw_filter_match_op_t  op
 

Source port number term match.

Match source port number to within the specified range.

Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] src_port_min Source port number range begin.
[in] src_port_max Source port number range end.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_src_prefix junos_dfw_trans_handle_t  trans_handle,
u_int32_t *  prefix,
u_int8_t  prefix_len,
junos_dfw_filter_match_op_t  op
 

Source address prefix term match.

Match specified length of source address. Type of family (IPv4/v6) is determined by addr_family supplied to junos_dfw_filter_trans_alloc().

Note:
This function is only supported for filters of type JUNOS_DFW_FILTER_TYPE_CLASSIC.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] prefix Pointer to source address.
[in] prefix_len Source address prefix length in bits.
[in] op Match operation type.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_term_match_vlan_ether_type junos_dfw_trans_handle_t  trans_handle,
u_int16_t  vlan_ether_type_min,
u_int16_t  vlan_ether_type_max,
junos_dfw_filter_match_op_t  op
 

VLAN ethertype term match.

Match specified vlan-ethertype.

Note:
SDK-USERS-NOTE: Address family must be JUNOS_DFW_FILTER_AF_VPLS. This function is only available on I-chip based MX platform; M120 and M320 are not supported.
Parameters:
[in] trans_handle Pointer to handler for individual requests.
[in] vlan_ether_type_min VLAN ether-type range begin.
[in] vlan_ether_type_max VLAN ether-type range end.
[in] op Match operation type.
Return values:
errno Possible value in case of failure return.
  • EINVAL Invalid parameter.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.
See also:
junos_dfw_term_match_ether_type(). Both routines match on the same field.

int junos_dfw_term_start junos_dfw_trans_handle_t  trans_handle,
const junos_dfw_term_info_t term_info,
junos_dfw_term_op_t  operation
 

Term definition start marker routine.

To configure a term, start the definition using junos_dfw_term_start(). trans_handle must be a filter handle allocated for the JUNOS_DFW_FILTER_OP_ADD or JUNOS_DFW_FILTER_OP_CHANGE operation. namestr_key in term_info is the key identifying the term. It can contain letters, numbers, spaces, and hyphens (-) and can be up to JUNOS_DFW_TERM_NAME_LEN characters long including NULL.

Following are the types of terms that can be defined depending on the filter type being configured. Check description of junos_dfw_filter_trans_alloc() to see which term type is supported for the type of filter being configured.

  • JUNOS_DFW_TERM_TYPE_ORDERED - Filter terms are matched in the order provided during configuration.
  • JUNOS_DFW_TERM_TYPE_PRIORITISED - Filter terms are matched according to a longest prefix match algorithm. The JUNOS-DFW server will reject configurations with conflicting terms.
Following is the description of various junos_dfw_term_op_t values:

  • JUNOS_DFW_TERM_OP_ADD - Indicates a new term definition. The JUNOS-DFW server will reject an add request if another term with the same name string as specified by namestr_key already exists in the filter referred by trans_handle.
  • JUNOS_DFW_TERM_OP_DELETE - Indicates deletion of a term matching the name specified by namestr_key. No match condition or action can be specified for term to be deleted, i.e., junos_dfw_term_match_XYZ or junos_dfw_term_action_XYZ calls are not allowed. JUNOS-DFW will reject a delete request if no term with the given name exists in the filter referred by trans_handle.
  • JUNOS_DFW_TERM_OP_REPLACE - Indicates replacement of a previously defined term with a new definition or re-order/re-prioritize term or both. It is required that entire new term definition be provided. The JUNOS-DFW server will reject a replace request if no term with the given name exists in the filter referred by trans_handle.
Parameters:
[in] trans_handle Pointer to handle for individual requests.
[in] term_info Pointer to term information structure.
[in] operation Requested operation.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle (not allocated using JUNOS_DFW_FILTER_OP_ADD or JUNOS_DFW_FILTER_OP_CHANGE), or namestr_key supplied as NULL, or junos_dfw_term_start() invoked without calling junos_dfw_term_end() for an earlier term. Check syslog for more information on specifics of the error.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_trans_handle_free junos_dfw_trans_handle_t  handle  ) 
 

Free transaction handle.

Frees a transaction handle allocated using one of the transaction allocation function calls.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid transaction handle. Check syslog for more information on specifics of the error.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

int junos_dfw_trans_purge junos_dfw_session_handle_t  handle,
const junos_dfw_client_id_t *  client_id_list,
int  num_client_ids
 

Purge transaction.

This call will cause JUNOS-DFW to purge all configuration added using this session handle and associated with the num_client_ids client identifiers in client_id_list. This call is not permitted on a handle in bulk config mode, i.e., this call cannot be made between junos_dfw_bulk_trans_start() and junos_dfw_bulk_trans_end().

Calls are handled in sequential order. All previous configuration requests and the purge request are handled in turn. In-progress and committed actions are all purged.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] client_id_list Pointer to list of client identifiers.
[in] num_client_ids Number of client identifiers in list.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid session handle, or failure to send message, or call made between junos_dfw_bulk_trans_start() and junos_dfw_bulk_trans_end() calls. Check syslog for more information on specifics of the error.
  • ENOTCONN Connection not established.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.

void junos_dfw_trans_reject_reason_strerr junos_dfw_trans_reject_reason_info_t  reason_info,
char *  buffer,
size_t  buffer_size
 

Convert reject reason code into string.

Converts junos_dfw_trans_reject_reason_t identifiers to an error string that can be useful for debugging purposes.

Parameters:
[in] reason_info Reject reason info structure.
[out] buffer Pointer to the buffer that receives the error string.
[in] buffer_size Size of buffer in bytes; the string written is bounded by this size.

int junos_dfw_trans_send junos_dfw_session_handle_t  handle,
junos_dfw_trans_handle_t  trans_handle,
junos_dfw_client_id_t  client_id,
u_int64_t  ctx
 

Send transaction.

Send a config request to the JUNOS-DFW server's filter database. handle can contain configuration request created starting with junos_dfw_filter_trans_alloc() for filters or junos_dfw_policer_trans_alloc() for policer followed by their respective definition function calls. handle can also contain attach or detach request created using junos_dfw_filter_attach_trans_alloc() or junos_dfw_filter_detach_trans_alloc(), respectively. ctx is a user-supplied context that will be echoed in the callback. client_id must match one of the client IDs provided in client_id_list to junos_dfw_session_open(). This will associate the transaction with client_id.

User can free trans_handle at any time after this call using junos_dfw_trans_handle_free() or can save it for a later replay.

Parameters:
[in] handle Pointer to JUNOS-DFW control block.
[in] trans_handle Pointer to handler for individual requests.
[in] client_id Client identifier.
[in] ctx User-supplied context pointer.
Return values:
errno Possible values in case of failure return.
  • EINVAL Invalid session or transaction handle. Check syslog for more information on specifics of the error.
  • ENOTCONN Connection not established.
  • ENOMEM Insufficient memory to complete request.
Returns:
Possible return values are:
  • 0 Everything OK.
  • -1 Failure.


2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.