Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

screenmode(8) [osf1 man page]

screenmode(8)						      System Manager's Manual						     screenmode(8)

NAME
screenmode - Enable or disable gateway screening SYNOPSIS
/usr/sbin/screenmode [on | off] DESCRIPTION
The screenmode command enables or disables gateway screening if the argument is on or off, respectively. See the screen(2) reference page for more information on gateway screening. When no argument is supplied, screenmode indicates the state of gateway screening as on or off. In order to avoid packets being forwarded before the screend program has been started, screenmode should be run before configuring any interfaces, other than the first interface on the system (which might be needed during the bootstrap sequence). Only the superuser can change the state. NOTES
If gateway screening is disabled while screend is running, the daemon might exit. ERRORS
If an unauthorized user tries to change the state, an error message is displayed. SEE ALSO
Commands: screend(8), screenstat(8) Functions: screen(2) screenmode(8)

Check Out this Related Man Page

screen(2)							System Calls Manual							 screen(2)

Name
       screen - gateway packet screening facility

Syntax
       #include <sys/types.h>
       #include <net/gw_screen.h>
       int mode;
       struct screen_data sdata;
       struct screen_stats sstats;

       ioctl(s, SIOCSCREENON, (caddr_t)&mode);
       ioctl(s, SIOCSCREEN, (caddr_t)&sdata);
       ioctl(s, SIOCSCREENSTATS, (caddr_t)&sstats);

Arguments
       The interface to the gateway screen facility is a set of ioctl requests.  All these requests are meant to be used on a file descriptor cre-
       ated by the system call.

       SIOCSCREENON
		 The mode parameter, passed by reference, can be or Upon completion of the system call, the mode parameter contains  the  previous
		 value of the screen mode.  Unprivileged users may only use the request.

       SIOCSCREEN
		 This is the most important request and is described below.  Only the super-user may make this request.

       SIOCSCREENSTATS
		 Returns, by reference using the sstats parameter, statistics in this structure:
		 struct screen_stats {
		      u_long	ss_packets;    /* total packets screened */
		      u_long	ss_nobuffer;   /* dropped, buffer was full */
		      u_long	ss_accept;     /* total accepted */
		      u_long	ss_reject;     /* total rejected */
		      u_long	ss_badsync;    /* dropped, user was out of sync */
		      u_long	ss_stale; /* dropped, too old */
		 };

Description
       The  gateway screen facility allows a user-level process to decide which network packets should be forwarded by the kernel (when the system
       is acting as a gateway).  When the screen mode is set to ``off,'' all packets are forwarded normally;  when  the  screen  mode  is  set	to
       ``on,'' all packets that would be forwarded must be approved through the use of this facility.

   Use of SIOCSCREEN
       The request is used in the main loop of the user-level daemon.  Each time it is called, it returns (by reference using the sdata parameter)
       a structure containing a prefix of a packet (normally containing the packet headers) and some additional information:
       struct screen_data_hdr {
	    short     sdh_count;     /* length of entire record */
	    short     sdh_dlen; /* bytes of packet header */
	    u_long    sdh_xid;	/* transaction ID */
	    struct timeval sdh_arrival;   /* time packet arrived */
	    short     sdh_family;    /* address family */
	    int  sdh_action;	/* disposition for packet */

       #define	 SCREEN_ACCEPT	0x0001	  /* Accept this packet */
       #define	 SCREEN_DROP	0x0000	  /* Do not accept this packet */
       #define	 SCREEN_NOTIFY	0x0002	  /* Notify sender of failure */
       #define	 SCREEN_NONOTIFY     0x0000    /* Do not notify sender */
       };

       struct screen_data {
	    struct screen_data_hdr sd_hdr;
	    char sd_data[SCREEN_DATALEN]; /* sd_dlen bytes of packet header */
       };

       #define	 sd_count  sd_hdr.sdh_count
       #define	 sd_dlen	sd_hdr.sdh_dlen
       #define	 sd_xid 	sd_hdr.sdh_xid
       #define	 sd_action sd_hdr.sdh_action
       #define	 sd_arrival	sd_hdr.sdh_arrival
       #define	 sd_family sd_hdr.sdh_family
       The sd_family field indicates the protocol family (for example, under which the packet is being handled; there is no protocol-specific code
       in  the	kernel	implementation	of  the  gateway screen.  Either the sd_family field should be initialized to a specific family before the
       request is invoked (indicating that the user process is willing to handle requests for this family only), or it should be set to  (indicat-
       ing that the user process is willing to handle all protocols).

       The  user-level	process examines the packet headers and decides whether or not the packet should be forwarded.	It communicates this deci-
       sion to the kernel by filling in the sd_action field in the structure with either or bit-wise ORed with the last choice causes the  gateway
       to drop the packet but send an error packet to the source host (if this is supported in the protocol family).  The process then passes that
       structure back to the kernel in another invocation of the request.  That ioctl call then blocks until a new packet is available,  at  which
       point the cycle repeats.

       Note  that  two actions are being carried out through one system call, and that each cycle starts mid-way through a system call.  Thus, the
       first time a daemon uses this ioctl request, it has to pass in a no-op decision to complete the first (half)  cycle.   The  kernel  matches
       incoming decisions with pending packets by comparing both the transaction id (sd_xid) field, and the user's process id (so one process can-
       not provide decisions on packets presented to a different process).  Decisions must be supplied in  first-in,  first-out  order;  decisions
       supplied in the wrong order may result in packets being dropped.

Return Values
       If an error has occurred, a value of -1 is returned and is set to indicate the error.

Diagnostics
       In addition to those error codes described for the request can also return:

       [ENOPROTOOPT]	   If the screen mode is set to the request is meaningless.

       [EPERM]		   If an operation reserved for the superuser is attempted by a non-superuser.

See Also
       screenmode(8), screend(8), screenstat(8), ioctl(2)

																	 screen(2)
Man Page