Source at commit 1444 created 12 years 11 months ago. By jrcs, Print the multiboot_magic | |
---|---|
1 | /*␊ |
2 | * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.␊ |
3 | *␊ |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊ |
5 | * ␊ |
6 | * This file contains Original Code and/or Modifications of Original Code␊ |
7 | * as defined in and that are subject to the Apple Public Source License␊ |
8 | * Version 2.0 (the 'License'). You may not use this file except in␊ |
9 | * compliance with the License. The rights granted to you under the License␊ |
10 | * may not be used to create, or enable the creation or redistribution of,␊ |
11 | * unlawful or unlicensed copies of an Apple operating system, or to␊ |
12 | * circumvent, violate, or enable the circumvention or violation of, any␊ |
13 | * terms of an Apple operating system software license agreement.␊ |
14 | * ␊ |
15 | * Please obtain a copy of the License at␊ |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.␊ |
17 | * ␊ |
18 | * The Original Code and all software distributed under the License are␊ |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊ |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊ |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊ |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊ |
23 | * Please see the License for the specific language governing rights and␊ |
24 | * limitations under the License.␊ |
25 | * ␊ |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊ |
27 | */␊ |
28 | /*␊ |
29 | * Copyright (c) 1993 Daniel Boulet␊ |
30 | * Copyright (c) 1994 Ugen J.S.Antsilevich␊ |
31 | *␊ |
32 | * Redistribution and use in source forms, with and without modification,␊ |
33 | * are permitted provided that this entire comment appears intact.␊ |
34 | *␊ |
35 | * Redistribution in binary form may occur without any restrictions.␊ |
36 | * Obviously, it would be nice if you gave credit where credit is due␊ |
37 | * but requiring it would be too onerous.␊ |
38 | *␊ |
39 | * This software is provided ``AS IS'' without any warranties of any kind.␊ |
40 | *␊ |
41 | */␊ |
42 | ␊ |
43 | #ifndef _IP_FW_H␊ |
44 | #define _IP_FW_H␊ |
45 | ␊ |
46 | #include <sys/appleapiopts.h>␊ |
47 | ␊ |
48 | #ifdef IPFW2␊ |
49 | #include <netinet/ip_fw2.h>␊ |
50 | #else /* !IPFW2, good old ipfw */␊ |
51 | ␊ |
52 | #include <sys/queue.h>␊ |
53 | #include <sys/types.h>␉␉/* u_ types */␊ |
54 | ␊ |
55 | #define IP_FW_CURRENT_API_VERSION 20␉/* Version of this API; clients store it in the version field of struct ip_fw. NOTE(review): nothing in this header enforces the match, so the receiving side presumably has to reject rules carrying any other version - confirm */␊ |
56 | ␊ |
57 | ␊ |
58 | /*␊ |
59 | * This union structure identifies an interface, either explicitly␊ |
60 | * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME␊ |
61 | * and IP_FW_F_OIFNAME say how to interpret this structure. An␊ |
62 | * interface unit number of -1 matches any unit number, while an␊ |
63 | * IP address of 0.0.0.0 matches any interface.␊ |
64 | *␊ |
65 | * The receive and transmit interfaces are only compared against the␊ |
66 | * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)␊ |
67 | * is set. Note some packets lack a receive or transmit interface␊ |
68 | * (in which case the missing "interface" never matches).␊ |
69 | */␊ |
70 | ␊ |
71 | union ip_fw_if { /* Selects an interface either by IP address or by name/unit; IP_FW_F_IIFNAME and IP_FW_F_OIFNAME say which member applies */␊ |
72 | struct in_addr fu_via_ip;␉/* Specified by IP address; 0.0.0.0 matches any interface */␊ |
73 | struct {␉␉␉/* Specified by interface name */␊ |
74 | #define FW_IFNLEN 10 /* bytes in name[]; need room ! was IFNAMSIZ */␊ |
75 | ␉ char name[FW_IFNLEN]; /* interface name; NOTE(review): only FW_IFNLEN bytes, and nothing here shows that a full-length name is NUL-terminated - bound every read and copy by FW_IFNLEN */␊ |
76 | ␉ short unit;␉␉/* -1 means match any unit */␊ |
77 | } fu_via_if;␊ |
78 | };␊ |
79 | ␊ |
80 | /*␊ |
81 | * Format of an IP firewall descriptor␊ |
82 | *␊ |
83 | * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.␊ |
84 | * fw_flg and fw_n*p are stored in host byte order (of course).␊ |
85 | * Port numbers are stored in HOST byte order.␊ |
86 | */␊ |
87 | ␊ |
88 | struct ip_fw { /* One firewall rule descriptor: match criteria, action parameters and counters */␊ |
89 | ␉u_int32_t version;␉␉/* Version of this structure. Should always be */␊ |
90 | ␉␉␉␉␉␉␉/* set to IP_FW_CURRENT_API_VERSION by clients. */␊ |
91 | ␉void *context;␉␉␉/* Context that is usable by user processes to */␊ |
92 | ␉␉␉␉␉␉␉/* identify this rule. NOTE(review): caller-chosen value; presumably a tag only, never to be dereferenced by the receiver - confirm. */␊ |
93 | u_int64_t fw_pcnt,fw_bcnt;␉␉/* Packet and byte counters */␊ |
94 | struct in_addr fw_src, fw_dst;␉/* Source and destination IP addr (network byte order) */␊ |
95 | struct in_addr fw_smsk, fw_dmsk;␉/* Mask for src and dest IP addr (network byte order) */␊ |
96 | u_short fw_number;␉␉␉/* Rule number */␊ |
97 | u_int fw_flg;␉␉␉/* Flags word: IP_FW_F_* bits; the low byte (IP_FW_F_COMMAND) holds the rule type */␊ |
98 | #define IP_FW_MAX_PORTS␉10␉␉/* A reasonable maximum */␊ |
99 | ␉union {␊ |
100 | ␉u_short fw_pts[IP_FW_MAX_PORTS];␉/* Array of port numbers to match (host byte order): src ports first, then dst ports, counted by fw_nports. NOTE(review): each 4-bit count can encode up to 15, more than IP_FW_MAX_PORTS - validate both counts and their sum before indexing */␊ |
101 | #define IP_FW_ICMPTYPES_MAX␉128␊ |
102 | #define IP_FW_ICMPTYPES_DIM␉(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))␊ |
103 | ␉unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap, IP_FW_ICMPTYPES_MAX bits; IP_FW_F_ICMPBIT in fw_flg marks it valid */␊ |
104 | ␉} fw_uar;␊ |
105 | u_int fw_ipflg;␉␉␉/* IP flags word (IP_FW_IF_* bits) */␊ |
106 | u_char fw_ipopt,fw_ipnopt;␉␉/* IP options set/unset (presumably IP_FW_IPOPT_* bits) */␊ |
107 | u_char fw_tcpopt,fw_tcpnopt;␉/* TCP options set/unset (presumably IP_FW_TCPOPT_* bits) */␊ |
108 | u_char fw_tcpf,fw_tcpnf;␉␉/* TCP flags set/unset (presumably IP_FW_TCPF_* bits) */␊ |
109 | long timestamp;␉␉␉/* timestamp (tv_sec) of last match. NOTE(review): long and the void * members change width between 32- and 64-bit ABIs, so the layout of this struct is ABI-dependent */␊ |
110 | union ip_fw_if fw_in_if, fw_out_if;␉/* Incoming and outgoing interfaces */␊ |
111 | union {␊ |
112 | ␉u_short fu_divert_port;␉␉/* Divert/tee port (options IPDIVERT) */␊ |
113 | ␉u_short fu_pipe_nr;␉␉/* queue number (option DUMMYNET) */␊ |
114 | ␉u_short fu_skipto_rule;␉␉/* SKIPTO command rule number */␊ |
115 | ␉u_short fu_reject_code;␉␉/* REJECT response code: below 256 an ICMP unreachable code, or IP_FW_REJECT_RST */␊ |
116 | ␉struct sockaddr_in fu_fwd_ip; /* presumably the new forwarding address for IP_FW_F_FWD rules - confirm */␊ |
117 | } fw_un;␊ |
118 | u_char fw_prot;␉␉␉/* IP protocol */␊ |
119 | ␉/*␊ |
120 | ␉ * Number of src ports (low 4 bits) and of dst ports (high 4 bits) in ports array (dst ports␊ |
121 | ␉ * follow src ports; max of 10 ports in all; count of 0 means␊ |
122 | ␉ * match all ports)␊ |
123 | ␉ */␊ |
124 | u_char fw_nports;␊ |
125 | void *pipe_ptr; /* flow_set ptr for dummynet pipe. NOTE(review): pointer-valued field in a struct that is passed up/down; confirm a value supplied from outside is never trusted and that the address is not returned to unprivileged readers */␊ |
126 | void *next_rule_ptr ; /* next rule in case of match. NOTE(review): same pointer-exposure question as pipe_ptr */␊ |
127 | uid_t fw_uid;␉␉␉/* uid to match (presumably when IP_FW_F_UID is set) */␊ |
128 | int fw_logamount;␉␉␉/* amount to log */␊ |
129 | u_int64_t fw_loghighest;␉␉/* highest number packet to log */␊ |
130 | };␊ |
131 | ␊ |
132 | /*␊ |
133 | * extended ipfw structure... some fields in the original struct␊ |
134 | * can be used to pass parameters up/down, namely pointers␊ |
135 | * void *pipe_ptr␊ |
136 | * void *next_rule_ptr ␊ |
137 | * some others can be used to pass parameters down, namely counters etc.␊ |
138 | * u_int64_t fw_pcnt,fw_bcnt;␊ |
139 | * long timestamp;␊ |
140 | */␊ |
141 | ␊ |
142 | struct ip_fw_ext { /* extended structure: a struct ip_fw followed by extra parameters */␊ |
143 | struct ip_fw rule; /* must be at offset 0, presumably so a pointer to this struct can also be used as a struct ip_fw pointer */␊ |
144 | long dont_match_prob; /* 0x7fffffff means 1.0, always fail; presumably consulted for IP_FW_F_RND_MATCH rules - confirm */␊ |
145 | u_int dyn_type; /* type for dynamic rule */␊ |
146 | };␊ |
147 | ␊ |
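/*
 * Accessors for the fw_nports byte of a rule: the low 4 bits hold the
 * number of source ports, the high 4 bits the number of destination ports.
 *
 * rule: pointer to an object with an unsigned 8-bit fw_nports member.
 * n:    port count to store; only its low 4 bits are kept.
 *
 * The setters mask n so that an out-of-range source count cannot spill
 * into the destination count (the unmasked form OR-ed the high bits of n
 * straight into the other nibble).  A nibble can still encode up to 15,
 * which is more than the IP_FW_MAX_PORTS slots of fw_pts, so code that
 * consumes a rule must check both counts and their sum before indexing
 * the ports array.
 */
#define IP_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0x0f;	\
					  (rule)->fw_nports |= ((n) & 0x0f);	\
					} while (0)
#define IP_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0xf0;	\
					  (rule)->fw_nports |= ((n) & 0x0f) << 4;	\
					} while (0)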
158 | ␊ |
159 | #define fw_divert_port␉fw_un.fu_divert_port /* Shorthand names for the members of the fw_un union in struct ip_fw. NOTE(review): these are object-like macros with lowercase names, so any identifier spelled this way in an including file is rewritten too; the members share storage, so presumably only the one matching the rule type in fw_flg is meaningful */␊ |
160 | #define fw_skipto_rule␉fw_un.fu_skipto_rule␊ |
161 | #define fw_reject_code␉fw_un.fu_reject_code␊ |
162 | #define fw_pipe_nr␉fw_un.fu_pipe_nr␊ |
163 | #define fw_fwd_ip␉fw_un.fu_fwd_ip␊ |
164 | ␊ |
165 | struct ip_fw_chain { /* List node that links one struct ip_fw into a sys/queue.h list */␊ |
166 | ␉LIST_ENTRY(ip_fw_chain) next; /* list linkage */␊ |
167 | ␉struct ip_fw *rule; /* the rule held by this node */␊ |
168 | };␊ |
169 | ␊ |
170 | /*␊ |
171 | * Flow mask/flow id for each queue.␊ |
172 | */␊ |
173 | struct ipfw_flow_id { /* Addresses, ports and protocol that identify one flow; also used as a mask (see struct ipfw_dyn_rule) */␊ |
174 | u_int32_t dst_ip, src_ip ; /* NOTE(review): byte order is not stated in this header - confirm before comparing with fw_src/fw_dst */␊ |
175 | u_int16_t dst_port, src_port ; /* NOTE(review): byte order not stated here either - confirm */ ␊ |
176 | u_int8_t proto ; /* presumably the IP protocol number - confirm */ ␊ |
177 | u_int8_t flags ; /* protocol-specific flags */␊ |
178 | } ;␊ |
179 | ␊ |
180 | /*␊ |
181 | * dynamic ipfw rule␊ |
182 | */␊ |
183 | struct ipfw_dyn_rule { /* One dynamic rule entry; presumably created for IP_FW_F_KEEP_S rules - confirm */␊ |
184 | struct ipfw_dyn_rule *next ; /* next entry; presumably the chain within one hash bucket - confirm */␊ |
185 | ␊ |
186 | struct ipfw_flow_id id ; /* flow id of this entry */␊ |
187 | struct ipfw_flow_id mask ; /* flow mask of this entry */␊ |
188 | struct ip_fw_chain *chain ;␉␉/* pointer to parent rule␉*/␊ |
189 | u_int32_t type ;␉␉␉/* rule type␉␉␉*/␊ |
190 | u_int32_t expire ;␉␉␉/* expire time; NOTE(review): 32-bit, units and epoch not stated here - check that the expiry comparison handles wrap-around␉␉␉*/␊ |
191 | u_int64_t pcnt, bcnt;␉␉/* match counters␉␉*/␊ |
192 | u_int32_t bucket ;␉␉␉/* which bucket in hash table␉*/␊ |
193 | u_int32_t state ;␉␉␉/* state of this rule (typ. a */␊ |
194 | ␉␉␉␉␉/* combination of TCP flags)␉*/␊ |
195 | } ;␊ |
196 | ␊ |
197 | /*␊ |
198 | * Values for the "flags" field (fw_flg in struct ip_fw).␊ |
199 | */␊ |
200 | #define IP_FW_F_COMMAND 0x000000ff␉/* Mask for type of chain entry; the values below, up to IP_FW_F_QUEUE, are enumerated types within this byte, not independent bits:␉*/␊ |
201 | #define IP_FW_F_DENY␉0x00000000␉/* This is a deny rule; the value is 0, so a zeroed flags word decodes as deny␉␉␉*/␊ |
202 | #define IP_FW_F_REJECT␉0x00000001␉/* Deny and send a response packet␉*/␊ |
203 | #define IP_FW_F_ACCEPT␉0x00000002␉/* This is an accept rule␉␉*/␊ |
204 | #define IP_FW_F_COUNT␉0x00000003␉/* This is a count rule␉␉␉*/␊ |
205 | #define IP_FW_F_DIVERT␉0x00000004␉/* This is a divert rule␉␉*/␊ |
206 | #define IP_FW_F_TEE␉0x00000005␉/* This is a tee rule␉␉␉*/␊ |
207 | #define IP_FW_F_SKIPTO␉0x00000006␉/* This is a skipto rule␉␉*/␊ |
208 | #define IP_FW_F_FWD␉0x00000007␉/* This is a "change forwarding address" rule */␊ |
209 | #define IP_FW_F_PIPE␉0x00000008␉/* This is a dummynet rule */␊ |
210 | #define IP_FW_F_QUEUE␉0x00000009␉/* This is a dummynet queue */␊ |
211 | ␊ |
212 | #define IP_FW_F_IN␉0x00000100␉/* Check inbound packets␉␉*/␊ |
213 | #define IP_FW_F_OUT␉0x00000200␉/* Check outbound packets␉␉*/␊ |
214 | #define IP_FW_F_IIFACE␉0x00000400␉/* Apply inbound interface test␉␉*/␊ |
215 | #define IP_FW_F_OIFACE␉0x00000800␉/* Apply outbound interface test␉*/␊ |
216 | ␊ |
217 | #define IP_FW_F_PRN␉0x00001000␉/* Print if this rule matches␉␉*/␊ |
218 | ␊ |
219 | #define IP_FW_F_SRNG␉0x00002000␉/* The first two src ports are a min␉*␊ |
220 | ␉␉␉␉␉ * and max range (stored in host byte␉*␊ |
221 | ␉␉␉␉␉ * order).␉␉␉␉*/␊ |
222 | ␊ |
223 | #define IP_FW_F_DRNG␉0x00004000␉/* The first two dst ports are a min␉*␊ |
224 | ␉␉␉␉␉ * and max range (stored in host byte␉*␊ |
225 | ␉␉␉␉␉ * order).␉␉␉␉*/␊ |
226 | ␊ |
227 | #define IP_FW_F_FRAG␉0x00008000␉/* Fragment␉␉␉␉*/␊ |
228 | ␊ |
229 | #define IP_FW_F_IIFNAME␉0x00010000␉/* In interface by name/unit (not IP)␉*/␊ |
230 | #define IP_FW_F_OIFNAME␉0x00020000␉/* Out interface by name/unit (not IP)␉*/␊ |
231 | ␊ |
232 | #define IP_FW_F_INVSRC␉0x00040000␉/* Invert sense of src check␉␉*/␊ |
233 | #define IP_FW_F_INVDST␉0x00080000␉/* Invert sense of dst check␉␉*/␊ |
234 | ␊ |
235 | #define IP_FW_F_ICMPBIT 0x00100000␉/* ICMP type bitmap is valid␉␉*/␊ |
236 | ␊ |
237 | #define IP_FW_F_UID␉0x00200000␉/* filter by uid␉␉␉*/␊ |
238 | ␊ |
239 | #define IP_FW_F_RND_MATCH 0x00800000␉/* probabilistic rule match␉␉*/␊ |
240 | #define IP_FW_F_SMSK␉0x01000000␉/* src-port + mask ␉␉␉*/␊ |
241 | #define IP_FW_F_DMSK␉0x02000000␉/* dst-port + mask ␉␉␉*/␊ |
242 | #define␉IP_FW_BRIDGED␉0x04000000␉/* only match bridged packets (this name has no _F_)␉␉*/␊ |
243 | #define IP_FW_F_KEEP_S␉0x08000000␉/* keep state␉ ␉␉␉*/␊ |
244 | #define IP_FW_F_CHECK_S␉0x10000000␉/* check state␉ ␉␉␉*/␊ |
245 | ␊ |
246 | #define IP_FW_F_SME␉0x20000000␉/* source = me␉␉␉␉*/␊ |
247 | #define IP_FW_F_DME␉0x40000000␉/* destination = me␉␉␉*/␊ |
248 | ␊ |
249 | #define IP_FW_F_MASK␉0x7FFFFFFF␉/* All possible flag bits mask. NOTE(review): bit 0x00400000 has no name in this file yet passes this mask, and command values above IP_FW_F_QUEUE pass it too, so a check against this mask alone does not prove a flags word is well-formed␉␉*/␊ |
250 | ␊ |
251 | /*␊ |
252 | * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.␊ |
253 | */␊ |
254 | #define␉IP_FW_IF_TCPEST␉0x00000020␉/* established TCP connection */␊ |
255 | #define␉IP_FW_IF_TCPMSK␉0x00000020␉/* mask of all TCP values (the same single bit as IP_FW_IF_TCPEST) */␊ |
256 | ␊ |
257 | /*␊ |
258 | * For backwards compatibility with rules specifying "via iface" but␊ |
259 | * not restricted to only "in" or "out" packets, we define this combination␊ |
260 | * of bits to represent this configuration.␊ |
261 | */␊ |
262 | ␊ |
263 | #define IF_FW_F_VIAHACK␉(IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE) /* note: this name is spelled IF_, not IP_ */␊ |
264 | ␊ |
265 | /*␊ |
266 | * Definitions for REJECT response codes.␊ |
267 | * Values less than 256 correspond to ICMP unreachable codes.␊ |
268 | */␊ |
269 | #define IP_FW_REJECT_RST␉0x0100␉␉/* TCP packets: send RST; first value above the ICMP code range */␊ |
270 | ␊ |
271 | /*␊ |
272 | * Definitions for IP option names.␊ |
273 | */␊ |
274 | #define IP_FW_IPOPT_LSRR␉0x01␊ |
275 | #define IP_FW_IPOPT_SSRR␉0x02␊ |
276 | #define IP_FW_IPOPT_RR␉␉0x04␊ |
277 | #define IP_FW_IPOPT_TS␉␉0x08␊ |
278 | ␊ |
279 | /*␊ |
280 | * Definitions for TCP option names.␊ |
281 | */␊ |
282 | #define IP_FW_TCPOPT_MSS␉0x01␊ |
283 | #define IP_FW_TCPOPT_WINDOW␉0x02␊ |
284 | #define IP_FW_TCPOPT_SACK␉0x04␊ |
285 | #define IP_FW_TCPOPT_TS␉␉0x08␊ |
286 | #define IP_FW_TCPOPT_CC␉␉0x10␊ |
287 | ␊ |
288 | /*␊ |
289 | * Definitions for TCP flags.␊ |
290 | */␊ |
291 | #define IP_FW_TCPF_FIN␉␉TH_FIN /* NOTE(review): the TH_* names are not defined by anything this header includes; presumably the including file must pull in the TCP header definitions first - confirm */␊ |
292 | #define IP_FW_TCPF_SYN␉␉TH_SYN␊ |
293 | #define IP_FW_TCPF_RST␉␉TH_RST␊ |
294 | #define IP_FW_TCPF_PSH␉␉TH_PUSH␊ |
295 | #define IP_FW_TCPF_ACK␉␉TH_ACK␊ |
296 | #define IP_FW_TCPF_URG␉␉TH_URG␊ |
297 | ␊ |
298 | /*␊ |
299 | * Main firewall chains definitions and global var's definitions.␊ |
300 | */␊ |
301 | ␊ |
302 | #endif /* !IPFW2 */␊ |
303 | #endif /* _IP_FW_H */␊ |
304 |