branches/ErmaC/Modules/i386/include/netinet/ip_fw.h - Chameleon Svn Source Tree - Chameleon open source boot loader project.

Root/branches/ErmaC/Modules/i386/include/netinet/ip_fw.h

1	/*␊
2	* Copyright (c) 2008 Apple Computer, Inc. All rights reserved.␊
3	*␊
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊
5	* ␊
6	* This file contains Original Code and/or Modifications of Original Code␊
7	* as defined in and that are subject to the Apple Public Source License␊
8	* Version 2.0 (the 'License'). You may not use this file except in␊
9	* compliance with the License. The rights granted to you under the License␊
10	* may not be used to create, or enable the creation or redistribution of,␊
11	* unlawful or unlicensed copies of an Apple operating system, or to␊
12	* circumvent, violate, or enable the circumvention or violation of, any␊
13	* terms of an Apple operating system software license agreement.␊
14	* ␊
15	* Please obtain a copy of the License at␊
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.␊
17	* ␊
18	* The Original Code and all software distributed under the License are␊
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊
23	* Please see the License for the specific language governing rights and␊
24	* limitations under the License.␊
25	* ␊
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊
27	*/␊
28	/*␊
29	* Copyright (c) 1993 Daniel Boulet␊
30	* Copyright (c) 1994 Ugen J.S.Antsilevich␊
31	*␊
32	* Redistribution and use in source forms, with and without modification,␊
33	* are permitted provided that this entire comment appears intact.␊
34	*␊
35	* Redistribution in binary form may occur without any restrictions.␊
36	* Obviously, it would be nice if you gave credit where credit is due␊
37	* but requiring it would be too onerous.␊
38	*␊
39	* This software is provided ``AS IS'' without any warranties of any kind.␊
40	*␊
41	*/␊
42	␊
43	#ifndef _IP_FW_H␊
44	#define _IP_FW_H␊
45	␊
46	#include <sys/appleapiopts.h>␊
47	␊
48	#ifdef IPFW2␊
49	#include <netinet/ip_fw2.h>␊
50	#else /* !IPFW2, good old ipfw */␊
51	␊
52	#include <sys/queue.h>␊
53	#include <sys/types.h>␉␉/* u_ types */␊
54	␊
55	#define IP_FW_CURRENT_API_VERSION 20␉/* Version of this API */␊
56	␊
57	␊
58	/*␊
59	* This union structure identifies an interface, either explicitly␊
60	* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME␊
61	* and IP_FW_F_OIFNAME say how to interpret this structure. An␊
62	* interface unit number of -1 matches any unit number, while an␊
63	* IP address of 0.0.0.0 indicates matches any interface.␊
64	*␊
65	* The receive and transmit interfaces are only compared against the␊
66	* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)␊
67	* is set. Note some packets lack a receive or transmit interface␊
68	* (in which case the missing "interface" never matches).␊
69	*/␊
70	␊
71	union ip_fw_if {␊
72	struct in_addr fu_via_ip;␉/* Specified by IP address */␊
73	struct {␉␉␉/* Specified by interface name */␊
74	#define FW_IFNLEN 10 /* need room ! was IFNAMSIZ */␊
75	␉ char name[FW_IFNLEN];␊
76	␉ short unit;␉␉/* -1 means match any unit */␊
77	} fu_via_if;␊
78	};␊
79	␊
80	/*␊
81	* Format of an IP firewall descriptor␊
82	*␊
83	* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.␊
84	* fw_flg and fw_n*p are stored in host byte order (of course).␊
85	* Port numbers are stored in HOST byte order.␊
86	*/␊
87	␊
88	struct ip_fw {␊
89	␉u_int32_t version;␉␉/* Version of this structure. Should always be */␊
90	␉␉␉␉␉␉␉/* set to IP_FW_CURRENT_API_VERSION by clients. */␊
91	␉void context;␉␉␉/ Context that is usable by user processes to */␊
92	␉␉␉␉␉␉␉/* identify this rule. */␊
93	u_int64_t fw_pcnt,fw_bcnt;␉␉/* Packet and byte counters */␊
94	struct in_addr fw_src, fw_dst;␉/* Source and destination IP addr */␊
95	struct in_addr fw_smsk, fw_dmsk;␉/* Mask for src and dest IP addr */␊
96	u_short fw_number;␉␉␉/* Rule number */␊
97	u_int fw_flg;␉␉␉/* Flags word */␊
98	#define IP_FW_MAX_PORTS␉10␉␉/* A reasonable maximum */␊
99	␉union {␊
100	␉u_short fw_pts[IP_FW_MAX_PORTS];␉/* Array of port numbers to match */␊
101	#define IP_FW_ICMPTYPES_MAX␉128␊
102	#define IP_FW_ICMPTYPES_DIM␉(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))␊
103	␉unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */␊
104	␉} fw_uar;␊
105	u_int fw_ipflg;␉␉␉/* IP flags word */␊
106	u_char fw_ipopt,fw_ipnopt;␉␉/* IP options set/unset */␊
107	u_char fw_tcpopt,fw_tcpnopt;␉/* TCP options set/unset */␊
108	u_char fw_tcpf,fw_tcpnf;␉␉/* TCP flags set/unset */␊
109	long timestamp;␉␉␉/* timestamp (tv_sec) of last match */␊
110	union ip_fw_if fw_in_if, fw_out_if;␉/* Incoming and outgoing interfaces */␊
111	union {␊
112	␉u_short fu_divert_port;␉␉/* Divert/tee port (options IPDIVERT) */␊
113	␉u_short fu_pipe_nr;␉␉/* queue number (option DUMMYNET) */␊
114	␉u_short fu_skipto_rule;␉␉/* SKIPTO command rule number */␊
115	␉u_short fu_reject_code;␉␉/* REJECT response code */␊
116	␉struct sockaddr_in fu_fwd_ip;␊
117	} fw_un;␊
118	u_char fw_prot;␉␉␉/* IP protocol */␊
119	␉/*␊
120	␉ * N'of src ports and # of dst ports in ports array (dst ports␊
121	␉ * follow src ports; max of 10 ports in all; count of 0 means␊
122	␉ * match all ports)␊
123	␉ */␊
124	u_char fw_nports;␊
125	void pipe_ptr; / flow_set ptr for dummynet pipe */␊
126	void next_rule_ptr ; / next rule in case of match */␊
127	uid_t fw_uid;␉␉␉/* uid to match */␊
128	int fw_logamount;␉␉␉/* amount to log */␊
129	u_int64_t fw_loghighest;␉␉/* highest number packet to log */␊
130	};␊
131	␊
132	/*␊
133	* extended ipfw structure... some fields in the original struct␊
134	* can be used to pass parameters up/down, namely pointers␊
135	* void *pipe_ptr␊
136	* void *next_rule_ptr ␊
137	* some others can be used to pass parameters down, namely counters etc.␊
138	* u_int64_t fw_pcnt,fw_bcnt;␊
139	* long timestamp;␊
140	*/␊
141	␊
142	struct ip_fw_ext { /* extended structure */␊
143	struct ip_fw rule; /* must be at offset 0 */␊
144	long dont_match_prob; /* 0x7fffffff means 1.0, always fail */␊
145	u_int dyn_type; /* type for dynamic rule */␊
146	};␊
147	␊
148	#define IP_FW_GETNSRCP(rule)␉␉((rule)->fw_nports & 0x0f)␊
149	#define IP_FW_SETNSRCP(rule, n)␉␉do {␉␉␉␉\␊
150	␉␉␉␉␉ (rule)->fw_nports &= ~0x0f;␉\␊
151	␉␉␉␉␉ (rule)->fw_nports \|= (n);␉\␊
152	␉␉␉␉␉} while (0)␊
153	#define IP_FW_GETNDSTP(rule)␉␉((rule)->fw_nports >> 4)␊
154	#define IP_FW_SETNDSTP(rule, n)␉␉do {␉␉␉␉\␊
155	␉␉␉␉␉ (rule)->fw_nports &= ~0xf0;␉\␊
156	␉␉␉␉␉ (rule)->fw_nports \|= (n) << 4;\␊
157	␉␉␉␉␉} while (0)␊
158	␊
159	#define fw_divert_port␉fw_un.fu_divert_port␊
160	#define fw_skipto_rule␉fw_un.fu_skipto_rule␊
161	#define fw_reject_code␉fw_un.fu_reject_code␊
162	#define fw_pipe_nr␉fw_un.fu_pipe_nr␊
163	#define fw_fwd_ip␉fw_un.fu_fwd_ip␊
164	␊
165	struct ip_fw_chain {␊
166	␉LIST_ENTRY(ip_fw_chain) next;␊
167	␉struct ip_fw *rule;␊
168	};␊
169	␊
170	/*␊
171	* Flow mask/flow id for each queue.␊
172	*/␊
173	struct ipfw_flow_id {␊
174	u_int32_t dst_ip, src_ip ;␊
175	u_int16_t dst_port, src_port ; ␊
176	u_int8_t proto ; ␊
177	u_int8_t flags ; /* protocol-specific flags */␊
178	} ;␊
179	␊
180	/*␊
181	* dynamic ipfw rule␊
182	*/␊
183	struct ipfw_dyn_rule {␊
184	struct ipfw_dyn_rule *next ;␊
185	␊
186	struct ipfw_flow_id id ;␊
187	struct ipfw_flow_id mask ;␊
188	struct ip_fw_chain chain ;␉␉/ pointer to parent rule␉*/␊
189	u_int32_t type ;␉␉␉/* rule type␉␉␉*/␊
190	u_int32_t expire ;␉␉␉/* expire time␉␉␉*/␊
191	u_int64_t pcnt, bcnt;␉␉/* match counters␉␉*/␊
192	u_int32_t bucket ;␉␉␉/* which bucket in hash table␉*/␊
193	u_int32_t state ;␉␉␉/* state of this rule (typ. a */␊
194	␉␉␉␉␉/* combination of TCP flags)␉*/␊
195	} ;␊
196	␊
197	/*␊
198	* Values for "flags" field .␊
199	*/␊
200	#define IP_FW_F_COMMAND 0x000000ff␉/* Mask for type of chain entry:␉*/␊
201	#define IP_FW_F_DENY␉0x00000000␉/* This is a deny rule␉␉␉*/␊
202	#define IP_FW_F_REJECT␉0x00000001␉/* Deny and send a response packet␉*/␊
203	#define IP_FW_F_ACCEPT␉0x00000002␉/* This is an accept rule␉␉*/␊
204	#define IP_FW_F_COUNT␉0x00000003␉/* This is a count rule␉␉␉*/␊
205	#define IP_FW_F_DIVERT␉0x00000004␉/* This is a divert rule␉␉*/␊
206	#define IP_FW_F_TEE␉0x00000005␉/* This is a tee rule␉␉␉*/␊
207	#define IP_FW_F_SKIPTO␉0x00000006␉/* This is a skipto rule␉␉*/␊
208	#define IP_FW_F_FWD␉0x00000007␉/* This is a "change forwarding address" rule */␊
209	#define IP_FW_F_PIPE␉0x00000008␉/* This is a dummynet rule */␊
210	#define IP_FW_F_QUEUE␉0x00000009␉/* This is a dummynet queue */␊
211	␊
212	#define IP_FW_F_IN␉0x00000100␉/* Check inbound packets␉␉*/␊
213	#define IP_FW_F_OUT␉0x00000200␉/* Check outbound packets␉␉*/␊
214	#define IP_FW_F_IIFACE␉0x00000400␉/* Apply inbound interface test␉␉*/␊
215	#define IP_FW_F_OIFACE␉0x00000800␉/* Apply outbound interface test␉*/␊
216	␊
217	#define IP_FW_F_PRN␉0x00001000␉/* Print if this rule matches␉␉*/␊
218	␊
219	#define IP_FW_F_SRNG␉0x00002000␉/* The first two src ports are a min␉*␊
220	␉␉␉␉␉ * and max range (stored in host byte␉*␊
221	␉␉␉␉␉ * order).␉␉␉␉*/␊
222	␊
223	#define IP_FW_F_DRNG␉0x00004000␉/* The first two dst ports are a min␉*␊
224	␉␉␉␉␉ * and max range (stored in host byte␉*␊
225	␉␉␉␉␉ * order).␉␉␉␉*/␊
226	␊
227	#define IP_FW_F_FRAG␉0x00008000␉/* Fragment␉␉␉␉*/␊
228	␊
229	#define IP_FW_F_IIFNAME␉0x00010000␉/* In interface by name/unit (not IP)␉*/␊
230	#define IP_FW_F_OIFNAME␉0x00020000␉/* Out interface by name/unit (not IP)␉*/␊
231	␊
232	#define IP_FW_F_INVSRC␉0x00040000␉/* Invert sense of src check␉␉*/␊
233	#define IP_FW_F_INVDST␉0x00080000␉/* Invert sense of dst check␉␉*/␊
234	␊
235	#define IP_FW_F_ICMPBIT 0x00100000␉/* ICMP type bitmap is valid␉␉*/␊
236	␊
237	#define IP_FW_F_UID␉0x00200000␉/* filter by uid␉␉␉*/␊
238	␊
239	#define IP_FW_F_RND_MATCH 0x00800000␉/* probabilistic rule match␉␉*/␊
240	#define IP_FW_F_SMSK␉0x01000000␉/* src-port + mask ␉␉␉*/␊
241	#define IP_FW_F_DMSK␉0x02000000␉/* dst-port + mask ␉␉␉*/␊
242	#define␉IP_FW_BRIDGED␉0x04000000␉/* only match bridged packets␉␉*/␊
243	#define IP_FW_F_KEEP_S␉0x08000000␉/* keep state␉ ␉␉␉*/␊
244	#define IP_FW_F_CHECK_S␉0x10000000␉/* check state␉ ␉␉␉*/␊
245	␊
246	#define IP_FW_F_SME␉0x20000000␉/* source = me␉␉␉␉*/␊
247	#define IP_FW_F_DME␉0x40000000␉/* destination = me␉␉␉*/␊
248	␊
249	#define IP_FW_F_MASK␉0x7FFFFFFF␉/* All possible flag bits mask␉␉*/␊
250	␊
251	/*␊
252	* Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols.␊
253	*/␊
254	#define␉IP_FW_IF_TCPEST␉0x00000020␉/* established TCP connection */␊
255	#define␉IP_FW_IF_TCPMSK␉0x00000020␉/* mask of all TCP values */␊
256	␊
257	/*␊
258	* For backwards compatibility with rules specifying "via iface" but␊
259	* not restricted to only "in" or "out" packets, we define this combination␊
260	* of bits to represent this configuration.␊
261	*/␊
262	␊
263	#define IF_FW_F_VIAHACK␉(IP_FW_F_IN\|IP_FW_F_OUT\|IP_FW_F_IIFACE\|IP_FW_F_OIFACE)␊
264	␊
265	/*␊
266	* Definitions for REJECT response codes.␊
267	* Values less than 256 correspond to ICMP unreachable codes.␊
268	*/␊
269	#define IP_FW_REJECT_RST␉0x0100␉␉/* TCP packets: send RST */␊
270	␊
271	/*␊
272	* Definitions for IP option names.␊
273	*/␊
274	#define IP_FW_IPOPT_LSRR␉0x01␊
275	#define IP_FW_IPOPT_SSRR␉0x02␊
276	#define IP_FW_IPOPT_RR␉␉0x04␊
277	#define IP_FW_IPOPT_TS␉␉0x08␊
278	␊
279	/*␊
280	* Definitions for TCP option names.␊
281	*/␊
282	#define IP_FW_TCPOPT_MSS␉0x01␊
283	#define IP_FW_TCPOPT_WINDOW␉0x02␊
284	#define IP_FW_TCPOPT_SACK␉0x04␊
285	#define IP_FW_TCPOPT_TS␉␉0x08␊
286	#define IP_FW_TCPOPT_CC␉␉0x10␊
287	␊
288	/*␊
289	* Definitions for TCP flags.␊
290	*/␊
291	#define IP_FW_TCPF_FIN␉␉TH_FIN␊
292	#define IP_FW_TCPF_SYN␉␉TH_SYN␊
293	#define IP_FW_TCPF_RST␉␉TH_RST␊
294	#define IP_FW_TCPF_PSH␉␉TH_PUSH␊
295	#define IP_FW_TCPF_ACK␉␉TH_ACK␊
296	#define IP_FW_TCPF_URG␉␉TH_URG␊
297	␊
298	/*␊
299	* Main firewall chains definitions and global var's definitions.␊
300	*/␊
301	␊
302	#endif /* !IPFW2 */␊
303	#endif /* _IP_FW_H */␊
304

Download this file