1 | /*␊ |
2 | * Copyright (c) 2008 Apple Inc. All rights reserved.␊ |
3 | *␊ |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊ |
5 | *␊ |
6 | * This file contains Original Code and/or Modifications of Original Code␊ |
7 | * as defined in and that are subject to the Apple Public Source License␊ |
8 | * Version 2.0 (the 'License'). You may not use this file except in␊ |
9 | * compliance with the License. The rights granted to you under the License␊ |
10 | * may not be used to create, or enable the creation or redistribution of,␊ |
11 | * unlawful or unlicensed copies of an Apple operating system, or to␊ |
12 | * circumvent, violate, or enable the circumvention or violation of, any␊ |
13 | * terms of an Apple operating system software license agreement.␊ |
14 | *␊ |
15 | * Please obtain a copy of the License at␊ |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.␊ |
17 | *␊ |
18 | * The Original Code and all software distributed under the License are␊ |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊ |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊ |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊ |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊ |
23 | * Please see the License for the specific language governing rights and␊ |
24 | * limitations under the License.␊ |
25 | *␊ |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊ |
27 | */␊ |
28 | ␊ |
29 | /*␊ |
30 | * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa␊ |
31 | *␊ |
32 | * Redistribution and use in source and binary forms, with or without␊ |
33 | * modification, are permitted provided that the following conditions␊ |
34 | * are met:␊ |
35 | * 1. Redistributions of source code must retain the above copyright␊ |
36 | * notice, this list of conditions and the following disclaimer.␊ |
37 | * 2. Redistributions in binary form must reproduce the above copyright␊ |
38 | * notice, this list of conditions and the following disclaimer in the␊ |
39 | * documentation and/or other materials provided with the distribution.␊ |
40 | *␊ |
41 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND␊ |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE␊ |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE␊ |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE␊ |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL␊ |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS␊ |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)␊ |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT␊ |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY␊ |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF␊ |
51 | * SUCH DAMAGE.␊ |
52 | *␊ |
53 | * $FreeBSD: src/sys/netinet/ip_fw2.h,v 1.1.2.4 2003/07/17 06:03:39 luigi Exp $␊ |
54 | */␊ |
55 | ␊ |
56 | #ifndef _IPFW2_H␊ |
57 | #define _IPFW2_H␊ |
58 | ␊ |
59 | /*␊ |
60 | * Define IP Firewall event subclass, and associated events.␊ |
61 | */␊ |
62 | ␊ |
/*!
	@defined KEV_IPFW_SUBCLASS
	@discussion The kernel event subclass for IP Firewall.  The event
	codes below (KEV_IPFW_ADD, KEV_IPFW_DEL, KEV_IPFW_FLUSH and
	KEV_IPFW_ENABLE) are raised under this subclass when the rule set or
	the enable flag changes, so a kernel-event subscriber can watch for
	firewall changes.  The event payload, if any, is not defined in this
	header.
*/
#define KEV_IPFW_SUBCLASS	1

/*!
	@defined KEV_IPFW_ADD
	@discussion The event code indicating a rule has been added.
*/
#define KEV_IPFW_ADD		1

/*!
	@defined KEV_IPFW_DEL
	@discussion The event code indicating a single rule has been removed
	(a whole-set flush is KEV_IPFW_FLUSH instead).
*/
#define KEV_IPFW_DEL		2

/*!
	@defined KEV_IPFW_FLUSH
	@discussion The event code indicating the rule set has been flushed.
*/
#define KEV_IPFW_FLUSH		3

/*!
	@defined KEV_IPFW_ENABLE
	@discussion The event code indicating the enable flag has been
	changed.  The code does not say in which direction; presumably a
	subscriber has to query the current state.
*/
#define KEV_IPFW_ENABLE		4
92 | ␊ |
93 | ␊ |
94 | ␊ |
95 | /*␊ |
96 | * The kernel representation of ipfw rules is made of a list of␊ |
97 | * 'instructions' (for all practical purposes equivalent to BPF␊ |
98 | * instructions), which specify which fields of the packet␊ |
99 | * (or its metadata) should be analysed.␊ |
100 | *␊ |
101 | * Each instruction is stored in a structure which begins with␊ |
102 | * "ipfw_insn", and can contain extra fields depending on the␊ |
103 | * instruction type (listed below).␊ |
104 | * Note that the code is written so that individual instructions␊ |
105 | * have a size which is a multiple of 32 bits. This means that, if␊ |
106 | * such structures contain pointers or other 64-bit entities,␊ |
107 | * (there is just one instance now) they may end up unaligned on␊ |
 * 64-bit architectures, so they must be handled with care.
109 | *␊ |
110 | * "enum ipfw_opcodes" are the opcodes supported. We can have up␊ |
111 | * to 256 different opcodes.␊ |
112 | */␊ |
113 | ␊ |
/*
 * Opcodes.  Each value is stored in the 8-bit ipfw_insn.opcode field, so
 * there is room for 256 of them, and every enumerator's value is simply
 * its position in this list.  Rule images handed to the kernel carry
 * these values (see struct ip_fw), so a new opcode must be appended
 * before O_LAST_OPCODE rather than inserted mid-list, or existing rule
 * images stop meaning what they used to.  O_LAST_OPCODE is the exclusive
 * upper bound to compare an opcode against when validating a rule.
 */
enum ipfw_opcodes {		/* arguments (4 byte each)	*/
	O_NOP,			/* none				*/

	O_IP_SRC,		/* u32 = IP (ipfw_insn_u32)	*/
	O_IP_SRC_MASK,		/* ip = IP/mask (ipfw_insn_ip)	*/
	O_IP_SRC_ME,		/* none				*/
	O_IP_SRC_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_DST,		/* u32 = IP (ipfw_insn_u32)	*/
	O_IP_DST_MASK,		/* ip = IP/mask (ipfw_insn_ip)	*/
	O_IP_DST_ME,		/* none				*/
	O_IP_DST_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_SRCPORT,		/* (n)port list:mask 4 byte ea (ipfw_insn_u16) */
	O_IP_DSTPORT,		/* (n)port list:mask 4 byte ea (ipfw_insn_u16) */
	O_PROTO,		/* arg1=protocol		*/

	O_MACADDR2,		/* 2 mac addr:mask (ipfw_insn_mac) */
	O_MAC_TYPE,		/* same as srcport (ipfw_insn_u16) */

	O_LAYER2,		/* none				*/
	O_IN,			/* none				*/
	O_FRAG,			/* none				*/

	/* Interface matches carry an ipfw_insn_if operand (see below). */
	O_RECV,			/* none				*/
	O_XMIT,			/* none				*/
	O_VIA,			/* none				*/

	O_IPOPT,		/* arg1 = 2*u8 bitmap (IP_FW_IPOPT_*) */
	O_IPLEN,		/* arg1 = len			*/
	O_IPID,			/* arg1 = id			*/

	O_IPTOS,		/* arg1 = id (sic; presumably the TOS byte) */
	O_IPPRECEDENCE,		/* arg1 = precedence << 5	*/
	O_IPTTL,		/* arg1 = TTL			*/

	O_IPVER,		/* arg1 = version		*/
	O_UID,			/* u32 = id			*/
	O_GID,			/* u32 = id			*/
	O_ESTAB,		/* none (tcp established)	*/
	O_TCPFLAGS,		/* arg1 = 2*u8 bitmap		*/
	O_TCPWIN,		/* arg1 = desired win		*/
	O_TCPSEQ,		/* u32 = desired seq.		*/
	O_TCPACK,		/* u32 = desired seq.		*/
	O_ICMPTYPE,		/* u32 = icmp bitmap		*/
	O_TCPOPTS,		/* arg1 = 2*u8 bitmap (IP_FW_TCPOPT_*) */

	O_VERREVPATH,		/* none				*/

	/*
	 * Stateful matching.  A rule with keep-state or limit must start
	 * with O_PROBE_STATE (see the struct ip_fw comment).
	 */
	O_PROBE_STATE,		/* none				*/
	O_KEEP_STATE,		/* none				*/
	O_LIMIT,		/* ipfw_insn_limit		*/
	O_LIMIT_PARENT,		/* dyn_type, not an opcode.	*/

	/*
	 * These are really 'actions': they live at ACTION_PTR(rule) and
	 * say what to do once the match part of the rule has succeeded.
	 */

	O_LOG,			/* ipfw_insn_log; must be the first action */
	O_PROB,			/* u32 = match probability	*/

	O_CHECK_STATE,		/* none				*/
	O_ACCEPT,		/* none				*/
	O_DENY,			/* none 			*/
	O_REJECT,		/* arg1=icmp arg (same as deny); ICMP_REJECT_RST = TCP RST */
	O_COUNT,		/* none				*/
	O_SKIPTO,		/* arg1=next rule number	*/
	O_PIPE,			/* arg1=pipe number (ipfw_insn_pipe) */
	O_QUEUE,		/* arg1=queue number (ipfw_insn_pipe) */
	O_DIVERT,		/* arg1=port number		*/
	O_TEE,			/* arg1=port number		*/
	O_FORWARD_IP,		/* fwd sockaddr (ipfw_insn_sa)	*/
	O_FORWARD_MAC,		/* fwd mac			*/

	/*
	 * More opcodes.
	 */
	O_IPSEC,		/* has ipsec history		*/

	O_LAST_OPCODE		/* not an opcode! one past the last valid value */
};
195 | ␊ |
196 | /*␊ |
197 | * Template for instructions.␊ |
198 | *␊ |
199 | * ipfw_insn is used for all instructions which require no operands,␊ |
200 | * a single 16-bit value (arg1), or a couple of 8-bit values.␊ |
201 | *␊ |
202 | * For other instructions which require different/larger arguments␊ |
203 | * we have derived structures, ipfw_insn_*.␊ |
204 | *␊ |
205 | * The size of the instruction (in 32-bit words) is in the low␊ |
206 | * 6 bits of "len". The 2 remaining bits are used to implement␊ |
207 | * NOT and OR on individual instructions. Given a type, you can␊ |
208 | * compute the length to be put in "len" using F_INSN_SIZE(t)␊ |
209 | *␊ |
210 | * F_NOT␉negates the match result of the instruction.␊ |
211 | *␊ |
212 | * F_OR␉␉is used to build or blocks. By default, instructions␊ |
213 | *␉␉are evaluated as part of a logical AND. An "or" block␊ |
214 | *␉␉{ X or Y or Z } contains F_OR set in all but the last␊ |
215 | *␉␉instruction of the block. A match will cause the code␊ |
216 | *␉␉to skip past the last instruction of the block.␊ |
217 | *␊ |
218 | * NOTA BENE: in a couple of places we assume that␊ |
219 | *␉sizeof(ipfw_insn) == sizeof(u_int32_t)␊ |
220 | * this needs to be fixed.␊ |
221 | *␊ |
222 | */␊ |
typedef struct	_ipfw_insn {	/* template for instructions */
	enum ipfw_opcodes	opcode:8;	/* one of enum ipfw_opcodes; 8 bits, so at most 256 */
	u_int8_t	len;	/* number of 32-bit words (low 6 bits) plus the flags below */
/* The two top bits of len are flags, the low six the instruction size. */
#define	F_NOT		0x80	/* negate the match result of this instruction */
#define	F_OR		0x40	/* this instruction is part of an or-block (not its last member) */
#define	F_LEN_MASK	0x3f	/* size in 32-bit words, 0..63; a real instruction is at least 1 */
#define	F_LEN(cmd)	((cmd)->len & F_LEN_MASK)	/* evaluates cmd once */
/*
 * NOTE(review): F_LEN() can yield 0, which would leave any walker that
 * steps by F_LEN(cmd) stuck on the same instruction.  A rule accepted
 * from user space should have every instruction's F_LEN checked to be
 * non-zero and the lengths summed against ip_fw.cmd_len; that check is
 * not done in this header.
 */

	u_int16_t	arg1;	/* 16-bit immediate; meaning depends on opcode (see the enum) */
} ipfw_insn;
233 | ␊ |
/*
 * F_INSN_SIZE(t) gives the size of instruction type t in 32-bit words,
 * i.e. the value that goes into the low bits of ipfw_insn.len for an
 * instruction of that type.  Integer division: a type whose size is not
 * a multiple of 4 is rounded down.
 */
#define	F_INSN_SIZE(t)	(sizeof(t) / sizeof(u_int32_t))
239 | ␊ |
/*
 * Instruction carrying an array of 16-bit entries: the port lists of
 * O_IP_SRCPORT / O_IP_DSTPORT and the same layout for O_MAC_TYPE.  Only
 * two entries are declared; a real instruction may be longer, with two
 * more entries per extra 32-bit word, so the actual count has to be
 * derived from F_LEN(&o), never from sizeof.
 */
typedef struct	_ipfw_insn_u16 {
	ipfw_insn o;		/* opcode, length and flags */
	u_int16_t ports[2];	/* there may be more */
} ipfw_insn_u16;
247 | ␊ |
/*
 * Instruction carrying an array of 32-bit entries: a single IPv4
 * address (O_IP_SRC, O_IP_DST), a uid/gid (O_UID, O_GID), a sequence
 * number (O_TCPSEQ, O_TCPACK), an ICMP type bitmap (O_ICMPTYPE), a match
 * probability (O_PROB), or the base and bitmap of O_IP_SRC_SET /
 * O_IP_DST_SET.  One entry is declared; longer instructions carry more,
 * the count being given by F_LEN(&o).
 */
typedef struct	_ipfw_insn_u32 {
	ipfw_insn o;		/* opcode, length and flags */
	u_int32_t d[1];		/* one or more */
} ipfw_insn_u32;
256 | ␊ |
/*
 * Instruction carrying an IPv4 address/netmask pair, the "IP/mask"
 * operand of O_IP_SRC_MASK and O_IP_DST_MASK.
 */
typedef struct	_ipfw_insn_ip {
	ipfw_insn o;		/* opcode, length and flags */
	struct in_addr	addr;	/* address to compare against */
	struct in_addr	mask;	/* netmask selecting the bits that matter */
} ipfw_insn_ip;
265 | ␊ |
/*
 * Instruction carrying the destination of an O_FORWARD_IP action as a
 * full sockaddr_in (address and port).
 */
typedef struct _ipfw_insn_sa {
	ipfw_insn o;		/* opcode, length and flags */
	struct sockaddr_in sa;	/* where to forward the packet */
} ipfw_insn_sa;
273 | ␊ |
/*
 * Instruction carrying the two MAC address/mask pairs of O_MACADDR2.
 * Both arrays hold the destination address first and the source second,
 * six bytes each.
 */
typedef struct	_ipfw_insn_mac {
	ipfw_insn o;		/* opcode, length and flags */
	u_char addr[12];	/* dst[6] + src[6] */
	u_char mask[12];	/* dst[6] + src[6] */
} ipfw_insn_mac;
282 | ␊ |
/*
 * Instruction for interface match rules (recv xx, xmit xx, via xx).  The
 * interface can be identified by name or, through the union, by an
 * address or unit number; which member is in use is not encoded here --
 * presumably an empty name selects p, check the matching code.
 *
 * NOTE(review): name is a fixed IFNAMSIZ buffer.  A rule accepted from
 * user space should have it NUL-terminated (or only ever be compared
 * with a length-bounded function) before it is treated as a C string.
 */
typedef struct	_ipfw_insn_if {
	ipfw_insn o;		/* opcode, length and flags */
	union {
		struct in_addr ip;	/* match by address (see above) */
		int32_t unit;		/* match by unit number (see above) */
	} p;
	char name[IFNAMSIZ];	/* match by interface name */
} ipfw_insn_if;
294 | ␊ |
/*
 * Instruction for pipe and queue actions (O_PIPE, O_QUEUE), which need
 * to store a single pointer (which can have different size on different
 * architectures).  Because instructions are sized in 32-bit words and
 * packed back to back, pipe_ptr may be unaligned within the rule, so it
 * must be read and written with care (a byte copy rather than a plain
 * dereference).
 *
 * NOTE(review): this is a kernel pointer kept inside the rule image.  If
 * rules are ever copied back out to user space it would disclose a
 * kernel address unless cleared first -- confirm in the code path that
 * returns rules to user space.
 */
typedef struct	_ipfw_insn_pipe {
	ipfw_insn	o;		/* opcode, length and flags; arg1 = pipe/queue number */
	void		*pipe_ptr;	/* XXX kernel pointer, possibly unaligned (see above) */
} ipfw_insn_pipe;
307 | ␊ |
/*
 * Instruction carrying the parameters of a "limit" rule (O_LIMIT):
 * limit_mask says which fields of the flow presumably identify a
 * "connection" for counting purposes, conn_limit how many such
 * connections the rule allows.  Eight bytes in total (two 32-bit
 * words); _pad keeps limit_mask and conn_limit at fixed offsets.
 * conn_limit is 16-bit, so the largest expressible limit is 65535.
 */
typedef struct	_ipfw_insn_limit {
	ipfw_insn o;		/* opcode, length and flags */
	u_int8_t _pad;		/* explicit padding; keep it zero */
	u_int8_t limit_mask;	/* combination of DYN_* below	*/
#define	DYN_SRC_ADDR	0x1	/* key on source address */
#define	DYN_SRC_PORT	0x2	/* key on source port */
#define	DYN_DST_ADDR	0x4	/* key on destination address */
#define	DYN_DST_PORT	0x8	/* key on destination port */

	u_int16_t conn_limit;	/* maximum number of connections per key */
} ipfw_insn_limit;
322 | ␊ |
/*
 * Instruction carrying the parameters of a "log" action (O_LOG).  It
 * must be the first action of its rule (see the struct ip_fw comment).
 * max_log is the limit configured for the rule (0 = no limit); log_left
 * is mutable per-rule state, the number of log entries still allowed,
 * presumably counted down as packets are logged.
 */
typedef struct _ipfw_insn_log {
	ipfw_insn o;		/* opcode, length and flags */
	u_int32_t max_log;	/* how many do we log -- 0 = all */
	u_int32_t log_left;	/* how many left to log	*/
} ipfw_insn_log;
331 | ␊ |
/*
 * Version of this API.  A client stores one of these in struct
 * ip_fw.version (it should always be IP_FW_CURRENT_API_VERSION) so the
 * kernel can tell which layout of the rule structure it was handed;
 * presumably rules carrying any other version are rejected.
 */
#define IP_FW_VERSION_NONE 0
#define IP_FW_VERSION_0 10	/* old ipfw */
#define IP_FW_VERSION_1 20	/* ipfw in Jaguar/Panther */
#define IP_FW_VERSION_2 30	/* ipfw2 (this header) */
#define IP_FW_CURRENT_API_VERSION IP_FW_VERSION_2
338 | ␊ |
339 | /*␊ |
340 | * Here we have the structure representing an ipfw rule.␊ |
341 | *␊ |
342 | * It starts with a general area (with link fields and counters)␊ |
343 | * followed by an array of one or more instructions, which the code␊ |
344 | * accesses as an array of 32-bit values.␊ |
345 | *␊ |
346 | * Given a rule pointer r:␊ |
347 | *␊ |
348 | * r->cmd␉␉is the start of the first instruction.␊ |
349 | * ACTION_PTR(r)␉is the start of the first action (things to do␊ |
350 | *␉␉␉once a rule matched).␊ |
351 | *␊ |
352 | * When assembling instruction, remember the following:␊ |
353 | *␊ |
354 | * + if a rule has a "keep-state" (or "limit") option, then the␊ |
355 | *␉first instruction (at r->cmd) MUST BE an O_PROBE_STATE␊ |
356 | * + if a rule has a "log" option, then the first action␊ |
357 | *␉(at ACTION_PTR(r)) MUST be O_LOG␊ |
358 | *␊ |
359 | * NOTE: we use a simple linked list of rules because we never need␊ |
360 | * ␉to delete a rule without scanning the list. We do not use␊ |
361 | *␉queue(3) macros for portability and readability.␊ |
362 | */␊ |
363 | ␊ |
struct ip_fw {
	u_int32_t version;		/* Version of this structure. MUST be set */
						/* by clients. Should always be */
						/* set to IP_FW_CURRENT_API_VERSION. */
	void *context;			/* Context that is usable by user processes to */
						/* identify this rule. Opaque cookie: the */
						/* kernel must not dereference it. */
	struct ip_fw	*next;		/* linked list of rules		*/
	struct ip_fw	*next_rule;	/* ptr to next [skipto] rule	*/
	/* 'next_rule' is used to pass up 'set_disable' status		*/

	/*
	 * act_ofs and cmd_len describe the instruction array at cmd[]:
	 * cmd_len is its total size and act_ofs the index of the first
	 * action, both in 32-bit words.  ACTION_PTR() and RULESIZE() below
	 * use them for raw pointer arithmetic with no check of their own,
	 * so a rule received from user space must have them validated
	 * first: act_ofs < cmd_len, and the instructions walked with F_LEN()
	 * must land exactly on cmd_len with act_ofs on an instruction
	 * boundary.  That validation is not done in this header.
	 */
	u_int16_t	act_ofs;	/* offset of action in 32-bit units */
	u_int16_t	cmd_len;	/* # of 32-bit words in cmd	*/
	u_int16_t	rulenum;	/* rule number			*/
	u_int8_t	set;		/* rule set (0..31)		*/
	u_int32_t	set_masks[2];	/* masks for manipulating sets atomically */
#define	RESVD_SET	31	/* set for default and persistent rules */
	u_int8_t	_pad;		/* padding			*/
	/*
	 * NOTE(review): set and _pad are single bytes on either side of
	 * set_masks, so the compiler adds implicit padding around them as
	 * well; together with the pointer fields this makes the layout (and
	 * sizeof(struct ip_fw), hence RULESIZE) architecture dependent.
	 */

	/* These fields are present in all rules.			*/
	u_int64_t	pcnt;		/* Packet counter		*/
	u_int64_t	bcnt;		/* Byte counter			*/
	u_int32_t	timestamp;	/* tv_sec of last match		*/

	u_int32_t	reserved_1;	/* reserved - set to 0 */
	u_int32_t	reserved_2;	/* reserved - set to 0 */

	/*
	 * Variable-length tail: cmd_len 32-bit words of instructions,
	 * allocated as RULESIZE(rule) bytes.  cmd[1] is the pre-C99 way of
	 * writing a flexible array member; RULESIZE subtracts the 4 bytes
	 * of this placeholder.
	 */
	ipfw_insn	cmd[1];		/* storage for commands		*/
};
392 | ␊ |
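/*
 * ACTION_PTR(rule): pointer to the first action of a rule, i.e. cmd[]
 * advanced by act_ofs 32-bit words.  The whole expansion is now
 * parenthesized so it can be used directly with -> and []; the previous
 * form applied the cast last, so ACTION_PTR(r)->opcode did not compile
 * (the -> bound to the u_int32_t pointer).  No bounds check: act_ofs
 * must have been validated against cmd_len before the rule is used (see
 * struct ip_fw).  rule is evaluated twice.
 */
#define ACTION_PTR(rule)				\
	((ipfw_insn *)((u_int32_t *)((rule)->cmd) + (rule)->act_ofs))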
395 | ␊ |
/*
 * RULESIZE(rule): size in bytes of a rule as allocated, i.e. the fixed
 * header plus cmd_len 32-bit words, minus the 4 bytes of the cmd[1]
 * placeholder.  cmd_len is 16-bit so the product cannot overflow, but
 * the result is only as trustworthy as cmd_len itself (see struct
 * ip_fw).  rule is evaluated once.
 */
#define RULESIZE(rule) (sizeof(struct ip_fw) + \
	((struct ip_fw *)(rule))->cmd_len * 4 - 4)
398 | ␊ |
/*
 * Flow identifier: addresses, ports and protocol plus protocol-specific
 * flags.  The same structure serves as a flow mask (which of these
 * fields a dynamic rule keys on) and as the masked key stored in a
 * dynamic rule (see _ipfw_dyn_rule.id).  The byte order of addresses
 * and ports is not stated here -- presumably network order; confirm
 * against the code that fills it in.
 */
struct ipfw_flow_id {
	u_int32_t	dst_ip;		/* destination IPv4 address */
	u_int32_t	src_ip;		/* source IPv4 address */
	u_int16_t	dst_port;	/* destination port */
	u_int16_t	src_port;	/* source port */
	u_int8_t	proto;		/* IP protocol number */
	u_int8_t	flags;	/* protocol-specific flags */
};
411 | ␊ |
/*
 * Dynamic ipfw rule: the per-flow state created on behalf of keep-state
 * and limit rules.  Entries live in a hash table (bucket) and carry an
 * expiry time (expire).  Kernel-internal: it holds live pointers.
 */
typedef struct _ipfw_dyn_rule ipfw_dyn_rule;

struct _ipfw_dyn_rule {
	ipfw_dyn_rule	*next;		/* linked list of rules.	*/
	struct ip_fw *rule;		/* pointer to rule		*/
	/* 'rule' is used to pass up the rule number (from the parent)	*/

	ipfw_dyn_rule *parent;		/* pointer to parent rule	*/
	u_int64_t	pcnt;		/* packet match counter		*/
	u_int64_t	bcnt;		/* byte match counter		*/
	struct ipfw_flow_id id;		/* (masked) flow id		*/
	u_int32_t	expire;		/* expire time			*/
	u_int32_t	bucket;		/* which bucket in hash table	*/
	u_int32_t	state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t	ack_fwd;	/* most recent ACKs in forward	*/
	u_int32_t	ack_rev;	/* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t	dyn_type;	/* rule type: O_LIMIT_PARENT per the enum; */
					/* presumably O_KEEP_STATE / O_LIMIT too */
	u_int16_t	count;		/* refcount; 16-bit like conn_limit, so	*/
					/* presumably bounded by it -- confirm	*/
};
437 | ␊ |
/*
 * Definitions for IP option names: bits of the arg1 bitmap of O_IPOPT
 * ("2*u8 bitmap" -- presumably one byte of options that must be present
 * and one of options that must be absent; check the matching code).
 */
#define	IP_FW_IPOPT_LSRR	0x01	/* loose source route */
#define	IP_FW_IPOPT_SSRR	0x02	/* strict source route */
#define	IP_FW_IPOPT_RR		0x04	/* record route */
#define	IP_FW_IPOPT_TS		0x08	/* timestamp */

/*
 * Definitions for TCP option names: bits of the arg1 bitmap of O_TCPOPTS,
 * same layout as O_IPOPT.
 */
#define	IP_FW_TCPOPT_MSS	0x01	/* maximum segment size */
#define	IP_FW_TCPOPT_WINDOW	0x02	/* window scale */
#define	IP_FW_TCPOPT_SACK	0x04	/* selective acknowledgement */
#define	IP_FW_TCPOPT_TS		0x08	/* timestamps */
#define	IP_FW_TCPOPT_CC		0x10	/* T/TCP connection count */

/*
 * Argument of O_REJECT meaning "send a TCP RST instead of an ICMP
 * error".  0x100 lies outside the 8-bit space of real ICMP codes, so it
 * cannot collide with one, and it fits in the 16-bit arg1.
 */
#define	ICMP_REJECT_RST		0x100	/* fake ICMP code (send a TCP RST) */
456 | ␊ |
457 | /*␊ |
458 | * Main firewall chains definitions and global var's definitions.␊ |
459 | */␊ |
460 | ␊ |
461 | ␊ |
462 | #endif /* _IPFW2_H */␊ |