1 | /*␊ |
2 | * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.␊ |
3 | *␊ |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊ |
5 | * ␊ |
6 | * This file contains Original Code and/or Modifications of Original Code␊ |
7 | * as defined in and that are subject to the Apple Public Source License␊ |
8 | * Version 2.0 (the 'License'). You may not use this file except in␊ |
9 | * compliance with the License. The rights granted to you under the License␊ |
10 | * may not be used to create, or enable the creation or redistribution of,␊ |
11 | * unlawful or unlicensed copies of an Apple operating system, or to␊ |
12 | * circumvent, violate, or enable the circumvention or violation of, any␊ |
13 | * terms of an Apple operating system software license agreement.␊ |
14 | * ␊ |
15 | * Please obtain a copy of the License at␊ |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.␊ |
17 | * ␊ |
18 | * The Original Code and all software distributed under the License are␊ |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊ |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊ |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊ |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊ |
23 | * Please see the License for the specific language governing rights and␊ |
24 | * limitations under the License.␊ |
25 | * ␊ |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊ |
27 | */␊ |
28 | /*␊ |
29 | * Copyright (c) 1993 Daniel Boulet␊ |
30 | * Copyright (c) 1994 Ugen J.S.Antsilevich␊ |
31 | *␊ |
32 | * Redistribution and use in source forms, with and without modification,␊ |
33 | * are permitted provided that this entire comment appears intact.␊ |
34 | *␊ |
35 | * Redistribution in binary form may occur without any restrictions.␊ |
36 | * Obviously, it would be nice if you gave credit where credit is due␊ |
37 | * but requiring it would be too onerous.␊ |
38 | *␊ |
39 | * This software is provided ``AS IS'' without any warranties of any kind.␊ |
40 | *␊ |
41 | */␊ |
42 | ␊ |
43 | #ifndef _IP6_FW_H␊ |
44 | #define _IP6_FW_H␊ |
45 | ␊ |
46 | #include <sys/appleapiopts.h>␊ |
47 | ␊ |
48 | /*␊ |
49 | * Define IPv6 Firewall event subclass, and associated events.␊ |
50 | */␊ |
51 | ␊ |
52 | /*!␊ |
53 | ␉@defined KEV_IP6FW_SUBCLASS␊ |
54 | ␉@discussion The kernel event subclass for IPv6 Firewall.␊ |
55 | */␊ |
56 | #define KEV_IP6FW_SUBCLASS␉2␊ |
57 | ␊ |
58 | /*!␊ |
59 | ␉@defined KEV_IP6FW_ADD␊ |
60 | ␉@discussion The event code indicating a rule has been added.␊ |
61 | */␊ |
62 | #define KEV_IP6FW_ADD␉␉1␊ |
63 | ␊ |
64 | /*!␊ |
65 | ␉@defined KEV_IP6FW_DEL␊ |
66 | ␉@discussion The event code indicating a rule has been removed.␊ |
67 | */␊ |
68 | #define KEV_IP6FW_DEL␉␉2␊ |
69 | ␊ |
70 | /*!␊ |
71 | ␉@defined KEV_IP6FW_FLUSH␊ |
72 | ␉@discussion The event code indicating the rule set has been flushed.␊ |
73 | */␊ |
74 | #define KEV_IP6FW_FLUSH␉␉3␊ |
75 | ␊ |
76 | /*!␊ |
77 | ␉@defined KEV_IP6FW_ENABLE␊ |
78 | ␉@discussion The event code indicating the enable flag has been changed.␊ |
79 | */␊ |
80 | #define KEV_IP6FW_ENABLE␉4␊ |
81 | ␊ |
82 | ␊ |
83 | #include <net/if.h>␊ |
84 | ␊ |
85 | #define IPV6_FW_CURRENT_API_VERSION 20␉/* Version of this API */␊ |
86 | ␊ |
87 | ␊ |
88 | /*␊ |
89 | * This union structure identifies an interface, either explicitly␊ |
90 | * by name or implicitly by IP address. The flags IPV6_FW_F_IIFNAME␊ |
91 | * and IPV6_FW_F_OIFNAME say how to interpret this structure. An␊ |
92 | * interface unit number of -1 matches any unit number, while an␊ |
93 | * all-zero IP address matches any interface.␊ |
94 | *␊ |
95 | * The receive and transmit interfaces are only compared against␊ |
96 | * the packet if the corresponding bit (IPV6_FW_F_IIFACE or IPV6_FW_F_OIFACE)␊ |
97 | * is set. Note some packets lack a receive or transmit interface␊ |
98 | * (in which case the missing "interface" never matches).␊ |
99 | */␊ |
100 | ␊ |
union ip6_fw_if {
	struct in6_addr fu_via_ip6;	/* Specified by IPv6 address */
	struct {			/* Specified by interface name */
#define IP6FW_IFNLEN IFNAMSIZ
		/*
		 * NOTE(review): nothing in this type guarantees NUL termination;
		 * if the rule is supplied by a user process, bound every string
		 * operation on `name` by IP6FW_IFNLEN rather than relying on a
		 * terminator being present.
		 */
		char name[IP6FW_IFNLEN];
		short unit;		/* -1 means match any unit */
	} fu_via_if;
};
109 | ␊ |
110 | /*␊ |
111 | * Format of an IPv6 firewall descriptor␊ |
112 | *␊ |
113 | * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.␊ |
114 | * fw_flg and fw_n*p are stored in host byte order (of course).␊ |
115 | * Port numbers are stored in HOST byte order.␊ |
116 | * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)␊ |
117 | */␊ |
118 | ␊ |
119 | ␊ |
/*
 * One firewall rule as exchanged with the firewall (the setsockopt() note
 * above indicates this layout is what user processes hand in).  A consumer
 * that receives one of these from a less trusted context should treat every
 * field as untrusted until validated; the per-field notes below call out the
 * checks this header itself does not enforce.
 */
struct ip6_fw {
	u_int32_t version;		/* Version of this structure. Should always be */
					/* set to IPV6_FW_CURRENT_API_VERSION by clients. */
					/* A consumer should reject any other value */
					/* before interpreting the rest of the rule. */
	void *context;			/* Context that is usable by user processes to */
					/* identify this rule. */
					/* NOTE(review): pointer-sized, so the struct's */
					/* size and field offsets differ between 32- and */
					/* 64-bit processes; verify the consumer handles */
					/* both layouts if this crosses an ABI boundary. */
	u_int32_t fw_pcnt,fw_bcnt;		/* Packet and byte counters */
	struct in6_addr fw_src, fw_dst;	/* Source and destination IPv6 addr */
	struct in6_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IPv6 addr */
	u_short fw_number;			/* Rule number */
	u_short fw_flg;			/* Flags word (IPV6_FW_F_* values below) */
#define IPV6_FW_MAX_PORTS	10	/* A reasonable maximum */
	u_int fw_ipflg;			/* IP flags word (IPV6_FW_IF_* values below) */
	u_short fw_pts[IPV6_FW_MAX_PORTS];	/* Array of port numbers to match, */
					/* host byte order (see header comment) */
	u_char fw_ip6opt,fw_ip6nopt;	/* IPv6 options set/unset (IPV6_FW_IP6OPT_*) */
	u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset (IPV6_FW_TCPF_*) */
#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
	unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap, one bit */
					/* per type; meaningful only when */
					/* IPV6_FW_F_ICMPBIT is set in fw_flg */
	long timestamp;			/* timestamp (tv_sec) of last match */
					/* (also ABI-sized; see `context` note) */
	union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
	union {				/* Presumably selected by the command bits */
					/* (IPV6_FW_F_COMMAND) in fw_flg — confirm */
		u_short fu_divert_port;		/* Divert/tee port (options IP6DIVERT) */
		u_short fu_skipto_rule;		/* SKIPTO command rule number */
		u_short fu_reject_code;		/* REJECT response code */
	} fw_un;
	u_char fw_prot;			/* IPv6 protocol */
	u_char fw_nports;			/* N'of src ports and # of dst ports */
					/* in ports array (dst ports follow */
					/* src ports; max of 10 ports in all; */
					/* count of 0 means match all ports) */
					/* NOTE(review): each 4-bit count (see */
					/* IPV6_FW_GETNSRCP/GETNDSTP) can encode up */
					/* to 15, more than IPV6_FW_MAX_PORTS; a */
					/* consumer must check nsrc + ndst <= */
					/* IPV6_FW_MAX_PORTS before indexing fw_pts. */
};
150 | ␊ |
151 | ␊ |
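/*
 * Accessors for the two 4-bit counts packed into fw_nports: the low nibble is
 * the number of source ports and the high nibble the number of destination
 * ports, both indexing fw_pts (source ports first).  A nibble can hold 0..15,
 * which exceeds IPV6_FW_MAX_PORTS, so a consumer must still bound-check the
 * sum of the two counts before touching fw_pts.
 *
 * The setters mask `n` to four bits so that an out-of-range count cannot spill
 * into the sibling nibble (the unmasked form let, e.g., n = 0x23 silently
 * rewrite the destination count).  `rule` is evaluated more than once; do not
 * pass an expression with side effects.
 */
#define IPV6_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
#define IPV6_FW_SETNSRCP(rule, n)	do {					\
					    (rule)->fw_nports &= ~0x0f;		\
					    (rule)->fw_nports |= ((n) & 0x0f);	\
					} while (0)
#define IPV6_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
#define IPV6_FW_SETNDSTP(rule, n)	do {					\
					    (rule)->fw_nports &= ~0xf0;		\
					    (rule)->fw_nports |= (((n) & 0x0f) << 4); \
					} while (0)

/*
 * Field-name aliases for the fw_un union.  These are object-like macros, so
 * any identifier spelled fw_divert_port, fw_skipto_rule or fw_reject_code in a
 * translation unit that includes this header is rewritten; do not reuse these
 * names for anything else.
 */
#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code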
166 | ␊ |
/*
 * Linked-list node wrapping one rule.  LIST_ENTRY comes from <sys/queue.h>,
 * which this header does not include itself — the including file is expected
 * to provide it (NOTE(review): confirm; not visible here).
 */
struct ip6_fw_chain {
	LIST_ENTRY(ip6_fw_chain) chain;	/* list linkage */
	struct ip6_fw *rule;		/* the rule this node holds; ownership is */
					/* not defined by this header */
};
171 | ␊ |
172 | /*␊ |
173 | * Values for the "fw_flg" flags field.␊ |
174 | */␊ |
175 | #define IPV6_FW_F_IN␉0x0001␉/* Check inbound packets␉␉*/␊ |
176 | #define IPV6_FW_F_OUT␉0x0002␉/* Check outbound packets␉␉*/␊ |
177 | #define IPV6_FW_F_IIFACE␉0x0004␉/* Apply inbound interface test␉␉*/␊ |
178 | #define IPV6_FW_F_OIFACE␉0x0008␉/* Apply outbound interface test␉*/␊ |
179 | ␊ |
180 | #define IPV6_FW_F_COMMAND 0x0070␉/* Mask for type of chain entry:␉*/␊ |
181 | #define IPV6_FW_F_DENY␉0x0000␉/* This is a deny rule␉␉␉*/␊ |
182 | #define IPV6_FW_F_REJECT␉0x0010␉/* Deny and send a response packet␉*/␊ |
183 | #define IPV6_FW_F_ACCEPT␉0x0020␉/* This is an accept rule␉␉*/␊ |
184 | #define IPV6_FW_F_COUNT␉0x0030␉/* This is a count rule␉␉␉*/␊ |
185 | #define IPV6_FW_F_DIVERT␉0x0040␉/* This is a divert rule␉␉*/␊ |
186 | #define IPV6_FW_F_TEE␉0x0050␉/* This is a tee rule␉␉␉*/␊ |
187 | #define IPV6_FW_F_SKIPTO␉0x0060␉/* This is a skipto rule␉␉*/␊ |
188 | ␊ |
189 | #define IPV6_FW_F_PRN␉0x0080␉/* Print if this rule matches␉␉*/␊ |
190 | ␊ |
191 | #define IPV6_FW_F_SRNG␉0x0100␉/* The first two src ports are a min␉*␊ |
192 | ␉␉␉␉ * and max range (stored in host byte␉*␊ |
193 | ␉␉␉␉ * order).␉␉␉␉*/␊ |
194 | ␊ |
195 | #define IPV6_FW_F_DRNG␉0x0200␉/* The first two dst ports are a min␉*␊ |
196 | ␉␉␉␉ * and max range (stored in host byte␉*␊ |
197 | ␉␉␉␉ * order).␉␉␉␉*/␊ |
198 | ␊ |
199 | #define IPV6_FW_F_IIFNAME␉0x0400␉/* In interface by name/unit (not IP)␉*/␊ |
200 | #define IPV6_FW_F_OIFNAME␉0x0800␉/* Out interface by name/unit (not IP)␉*/␊ |
201 | ␊ |
202 | #define IPV6_FW_F_INVSRC␉0x1000␉/* Invert sense of src check␉␉*/␊ |
203 | #define IPV6_FW_F_INVDST␉0x2000␉/* Invert sense of dst check␉␉*/␊ |
204 | ␊ |
205 | #define IPV6_FW_F_FRAG␉0x4000␉/* Fragment␉␉␉␉*/␊ |
206 | ␊ |
207 | #define IPV6_FW_F_ICMPBIT 0x8000␉/* ICMP type bitmap is valid␉␉*/␊ |
208 | ␊ |
209 | #define IPV6_FW_F_MASK␉0xFFFF␉/* All possible flag bits mask␉␉*/␊ |
210 | ␊ |
211 | /*␊ |
212 | * Flags for the 'fw_ipflg' field, for comparing values of IP and its protocols.␊ |
213 | */␊ |
213 | #define␉IPV6_FW_IF_TCPEST 0x00000020␉/* established TCP connection␉*/␊ |
214 | #define IPV6_FW_IF_TCPMSK 0x00000020␉/* mask of all TCP values */␊ |
215 | ␊ |
216 | /*␊ |
217 | * For backwards compatibility with rules specifying "via iface" but␊ |
218 | * not restricted to only "in" or "out" packets, we define this combination␊ |
219 | * of bits to represent this configuration.␊ |
220 | */␊ |
221 | ␊ |
222 | #define IF6_FW_F_VIAHACK␉(IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|IPV6_FW_F_OIFACE)␊ |
223 | ␊ |
224 | /*␊ |
225 | * Definitions for REJECT response codes.␊ |
226 | * Values less than 256 correspond to ICMP unreachable codes.␊ |
227 | */␊ |
228 | #define IPV6_FW_REJECT_RST␉0x0100␉␉/* TCP packets: send RST */␊ |
229 | ␊ |
230 | /*␊ |
231 | * Definitions for IPv6 option names.␊ |
232 | */␊ |
233 | #define IPV6_FW_IP6OPT_HOPOPT␉0x01␊ |
234 | #define IPV6_FW_IP6OPT_ROUTE␉0x02␊ |
235 | #define IPV6_FW_IP6OPT_FRAG␉0x04␊ |
236 | #define IPV6_FW_IP6OPT_ESP␉0x08␊ |
237 | #define IPV6_FW_IP6OPT_AH␉0x10␊ |
238 | #define IPV6_FW_IP6OPT_NONXT␉0x20␊ |
239 | #define IPV6_FW_IP6OPT_OPTS␉0x40␊ |
240 | ␊ |
241 | /*␊ |
242 | * Definitions for TCP flags.␊ |
243 | */␊ |
244 | #define IPV6_FW_TCPF_FIN␉TH_FIN␊ |
245 | #define IPV6_FW_TCPF_SYN␉TH_SYN␊ |
246 | #define IPV6_FW_TCPF_RST␉TH_RST␊ |
247 | #define IPV6_FW_TCPF_PSH␉TH_PUSH␊ |
248 | #define IPV6_FW_TCPF_ACK␉TH_ACK␊ |
249 | #define IPV6_FW_TCPF_URG␉TH_URG␊ |
250 | ␊ |
251 | /*␊ |
252 | * Main firewall chain definitions and global variable definitions.␊ |
253 | */␊ |
254 | ␊ |
255 | #endif /* _IP6_FW_H */␊ |