Root/
Source at commit 1808 created 12 years 4 months ago. By blackosx, Revise layout of package installer 'Welcome' file so it looks cleaner. Change the copyright notice to begin from 2009 as seen in the Chameleon 2.0 r431 installer. Should this date be set earlier? | |
---|---|
1 | /*␊ |
2 | * Copyright (c) 2008 Apple Inc. All rights reserved.␊ |
3 | *␊ |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊ |
5 | *␊ |
6 | * This file contains Original Code and/or Modifications of Original Code␊ |
7 | * as defined in and that are subject to the Apple Public Source License␊ |
8 | * Version 2.0 (the 'License'). You may not use this file except in␊ |
9 | * compliance with the License. The rights granted to you under the License␊ |
10 | * may not be used to create, or enable the creation or redistribution of,␊ |
11 | * unlawful or unlicensed copies of an Apple operating system, or to␊ |
12 | * circumvent, violate, or enable the circumvention or violation of, any␊ |
13 | * terms of an Apple operating system software license agreement.␊ |
14 | *␊ |
15 | * Please obtain a copy of the License at␊ |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.␊ |
17 | *␊ |
18 | * The Original Code and all software distributed under the License are␊ |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊ |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊ |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊ |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊ |
23 | * Please see the License for the specific language governing rights and␊ |
24 | * limitations under the License.␊ |
25 | *␊ |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊ |
27 | */␊ |
28 | ␊ |
29 | /*␊ |
30 | * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa␊ |
31 | *␊ |
32 | * Redistribution and use in source and binary forms, with or without␊ |
33 | * modification, are permitted provided that the following conditions␊ |
34 | * are met:␊ |
35 | * 1. Redistributions of source code must retain the above copyright␊ |
36 | * notice, this list of conditions and the following disclaimer.␊ |
37 | * 2. Redistributions in binary form must reproduce the above copyright␊ |
38 | * notice, this list of conditions and the following disclaimer in the␊ |
39 | * documentation and/or other materials provided with the distribution.␊ |
40 | *␊ |
41 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND␊ |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE␊ |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE␊ |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE␊ |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL␊ |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS␊ |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)␊ |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT␊ |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY␊ |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF␊ |
51 | * SUCH DAMAGE.␊ |
52 | *␊ |
53 | * $FreeBSD: src/sys/netinet/ip_fw2.h,v 1.1.2.4 2003/07/17 06:03:39 luigi Exp $␊ |
54 | */␊ |
55 | ␊ |
56 | #ifndef _IPFW2_H␊ |
57 | #define _IPFW2_H␊ |
58 | ␊ |
59 | /*␊ |
60 | * Define IP Firewall event subclass, and associated events.␊ |
61 | */␊ |
62 | ␊ |
63 | /*!␊ |
64 | ␉@defined KEV_IPFW_SUBCLASS␊ |
65 | ␉@discussion The kernel event subclass for IP Firewall.␊ |
66 | */␊ |
67 | #define KEV_IPFW_SUBCLASS␉1␊ |
68 | ␊ |
69 | /*!␊ |
70 | ␉@defined KEV_IPFW_ADD␊ |
71 | ␉@discussion The event code indicating a rule has been added.␊ |
72 | */␊ |
73 | #define KEV_IPFW_ADD␉␉1␊ |
74 | ␊ |
75 | /*!␊ |
76 | ␉@defined KEV_IPFW_DEL␊ |
77 | ␉@discussion The event code indicating a rule has been removed.␊ |
78 | */␊ |
79 | #define KEV_IPFW_DEL␉␉2␊ |
80 | ␊ |
81 | /*!␊ |
82 | ␉@defined KEV_IPFW_FLUSH␊ |
83 | ␉@discussion The event code indicating the rule set has been flushed.␊ |
84 | */␊ |
85 | #define KEV_IPFW_FLUSH␉␉3␊ |
86 | ␊ |
87 | /*!␊ |
88 | ␉@defined KEV_IPFW_ENABLE␊ |
89 | ␉@discussion The event code indicating the enable flag has been changed ␊ |
90 | */␊ |
91 | #define KEV_IPFW_ENABLE␉␉4␊ |
92 | ␊ |
93 | ␊ |
94 | ␊ |
95 | /*␊ |
96 | * The kernel representation of ipfw rules is made of a list of␊ |
97 | * 'instructions' (for all practical purposes equivalent to BPF␊ |
98 | * instructions), which specify which fields of the packet␊ |
99 | * (or its metadata) should be analysed.␊ |
100 | *␊ |
101 | * Each instruction is stored in a structure which begins with␊ |
102 | * "ipfw_insn", and can contain extra fields depending on the␊ |
103 | * instruction type (listed below).␊ |
104 | * Note that the code is written so that individual instructions␊ |
105 | * have a size which is a multiple of 32 bits. This means that, if␊ |
106 | * such structures contain pointers or other 64-bit entities,␊ |
107 | * (there is just one instance now) they may end up unaligned on␊ |
108 | * 64-bit architectures, so the must be handled with care.␊ |
109 | *␊ |
110 | * "enum ipfw_opcodes" are the opcodes supported. We can have up␊ |
111 | * to 256 different opcodes.␊ |
112 | */␊ |
113 | ␊ |
114 | enum ipfw_opcodes {␉␉/* arguments (4 byte each)␉*/␊ |
115 | ␉O_NOP,␊ |
116 | ␊ |
117 | ␉O_IP_SRC,␉␉/* u32 = IP␉␉␉*/␊ |
118 | ␉O_IP_SRC_MASK,␉␉/* ip = IP/mask␉␉␉*/␊ |
119 | ␉O_IP_SRC_ME,␉␉/* none␉␉␉␉*/␊ |
120 | ␉O_IP_SRC_SET,␉␉/* u32=base, arg1=len, bitmap␉*/␊ |
121 | ␊ |
122 | ␉O_IP_DST,␉␉/* u32 = IP␉␉␉*/␊ |
123 | ␉O_IP_DST_MASK,␉␉/* ip = IP/mask␉␉␉*/␊ |
124 | ␉O_IP_DST_ME,␉␉/* none␉␉␉␉*/␊ |
125 | ␉O_IP_DST_SET,␉␉/* u32=base, arg1=len, bitmap␉*/␊ |
126 | ␊ |
127 | ␉O_IP_SRCPORT,␉␉/* (n)port list:mask 4 byte ea␉*/␊ |
128 | ␉O_IP_DSTPORT,␉␉/* (n)port list:mask 4 byte ea␉*/␊ |
129 | ␉O_PROTO,␉␉/* arg1=protocol␉␉*/␊ |
130 | ␊ |
131 | ␉O_MACADDR2,␉␉/* 2 mac addr:mask␉␉*/␊ |
132 | ␉O_MAC_TYPE,␉␉/* same as srcport␉␉*/␊ |
133 | ␊ |
134 | ␉O_LAYER2,␉␉/* none␉␉␉␉*/␊ |
135 | ␉O_IN,␉␉␉/* none␉␉␉␉*/␊ |
136 | ␉O_FRAG,␉␉␉/* none␉␉␉␉*/␊ |
137 | ␊ |
138 | ␉O_RECV,␉␉␉/* none␉␉␉␉*/␊ |
139 | ␉O_XMIT,␉␉␉/* none␉␉␉␉*/␊ |
140 | ␉O_VIA,␉␉␉/* none␉␉␉␉*/␊ |
141 | ␊ |
142 | ␉O_IPOPT,␉␉/* arg1 = 2*u8 bitmap␉␉*/␊ |
143 | ␉O_IPLEN,␉␉/* arg1 = len␉␉␉*/␊ |
144 | ␉O_IPID,␉␉␉/* arg1 = id␉␉␉*/␊ |
145 | ␊ |
146 | ␉O_IPTOS,␉␉/* arg1 = id␉␉␉*/␊ |
147 | ␉O_IPPRECEDENCE,␉␉/* arg1 = precedence << 5␉*/␊ |
148 | ␉O_IPTTL,␉␉/* arg1 = TTL␉␉␉*/␊ |
149 | ␊ |
150 | ␉O_IPVER,␉␉/* arg1 = version␉␉*/␊ |
151 | ␉O_UID,␉␉␉/* u32 = id␉␉␉*/␊ |
152 | ␉O_GID,␉␉␉/* u32 = id␉␉␉*/␊ |
153 | ␉O_ESTAB,␉␉/* none (tcp established)␉*/␊ |
154 | ␉O_TCPFLAGS,␉␉/* arg1 = 2*u8 bitmap␉␉*/␊ |
155 | ␉O_TCPWIN,␉␉/* arg1 = desired win␉␉*/␊ |
156 | ␉O_TCPSEQ,␉␉/* u32 = desired seq.␉␉*/␊ |
157 | ␉O_TCPACK,␉␉/* u32 = desired seq.␉␉*/␊ |
158 | ␉O_ICMPTYPE,␉␉/* u32 = icmp bitmap␉␉*/␊ |
159 | ␉O_TCPOPTS,␉␉/* arg1 = 2*u8 bitmap␉␉*/␊ |
160 | ␊ |
161 | ␉O_VERREVPATH,␉␉/* none␉␉␉␉*/␊ |
162 | ␊ |
163 | ␉O_PROBE_STATE,␉␉/* none␉␉␉␉*/␊ |
164 | ␉O_KEEP_STATE,␉␉/* none␉␉␉␉*/␊ |
165 | ␉O_LIMIT,␉␉/* ipfw_insn_limit␉␉*/␊ |
166 | ␉O_LIMIT_PARENT,␉␉/* dyn_type, not an opcode.␉*/␊ |
167 | ␊ |
168 | ␉/*␊ |
169 | ␉ * These are really 'actions'.␊ |
170 | ␉ */␊ |
171 | ␊ |
172 | ␉O_LOG,␉␉␉/* ipfw_insn_log␉␉*/␊ |
173 | ␉O_PROB,␉␉␉/* u32 = match probability␉*/␊ |
174 | ␊ |
175 | ␉O_CHECK_STATE,␉␉/* none␉␉␉␉*/␊ |
176 | ␉O_ACCEPT,␉␉/* none␉␉␉␉*/␊ |
177 | ␉O_DENY,␉␉␉/* none ␉␉␉*/␊ |
178 | ␉O_REJECT,␉␉/* arg1=icmp arg (same as deny)␉*/␊ |
179 | ␉O_COUNT,␉␉/* none␉␉␉␉*/␊ |
180 | ␉O_SKIPTO,␉␉/* arg1=next rule number␉*/␊ |
181 | ␉O_PIPE,␉␉␉/* arg1=pipe number␉␉*/␊ |
182 | ␉O_QUEUE,␉␉/* arg1=queue number␉␉*/␊ |
183 | ␉O_DIVERT,␉␉/* arg1=port number␉␉*/␊ |
184 | ␉O_TEE,␉␉␉/* arg1=port number␉␉*/␊ |
185 | ␉O_FORWARD_IP,␉␉/* fwd sockaddr␉␉␉*/␊ |
186 | ␉O_FORWARD_MAC,␉␉/* fwd mac␉␉␉*/␊ |
187 | ␊ |
188 | ␉/*␊ |
189 | ␉ * More opcodes.␊ |
190 | ␉ */␊ |
191 | ␉O_IPSEC,␉␉/* has ipsec history␉␉*/␊ |
192 | ␊ |
193 | ␉O_LAST_OPCODE␉␉/* not an opcode!␉␉*/␊ |
194 | };␊ |
195 | ␊ |
196 | /*␊ |
197 | * Template for instructions.␊ |
198 | *␊ |
199 | * ipfw_insn is used for all instructions which require no operands,␊ |
200 | * a single 16-bit value (arg1), or a couple of 8-bit values.␊ |
201 | *␊ |
202 | * For other instructions which require different/larger arguments␊ |
203 | * we have derived structures, ipfw_insn_*.␊ |
204 | *␊ |
205 | * The size of the instruction (in 32-bit words) is in the low␊ |
206 | * 6 bits of "len". The 2 remaining bits are used to implement␊ |
207 | * NOT and OR on individual instructions. Given a type, you can␊ |
208 | * compute the length to be put in "len" using F_INSN_SIZE(t)␊ |
209 | *␊ |
210 | * F_NOT␉negates the match result of the instruction.␊ |
211 | *␊ |
212 | * F_OR␉␉is used to build or blocks. By default, instructions␊ |
213 | *␉␉are evaluated as part of a logical AND. An "or" block␊ |
214 | *␉␉{ X or Y or Z } contains F_OR set in all but the last␊ |
215 | *␉␉instruction of the block. A match will cause the code␊ |
216 | *␉␉to skip past the last instruction of the block.␊ |
217 | *␊ |
218 | * NOTA BENE: in a couple of places we assume that␊ |
219 | *␉sizeof(ipfw_insn) == sizeof(u_int32_t)␊ |
220 | * this needs to be fixed.␊ |
221 | *␊ |
222 | */␊ |
223 | typedef struct␉_ipfw_insn {␉/* template for instructions */␊ |
224 | ␉enum ipfw_opcodes␉opcode:8;␊ |
225 | ␉u_int8_t␉len;␉/* numer of 32-byte words */␊ |
226 | #define␉F_NOT␉␉0x80␊ |
227 | #define␉F_OR␉␉0x40␊ |
228 | #define␉F_LEN_MASK␉0x3f␊ |
229 | #define␉F_LEN(cmd)␉((cmd)->len & F_LEN_MASK)␊ |
230 | ␊ |
231 | ␉u_int16_t␉arg1;␊ |
232 | } ipfw_insn;␊ |
233 | ␊ |
234 | /*␊ |
235 | * The F_INSN_SIZE(type) computes the size, in 4-byte words, of␊ |
236 | * a given type.␊ |
237 | */␊ |
238 | #define␉F_INSN_SIZE(t)␉((sizeof (t))/sizeof(u_int32_t))␊ |
239 | ␊ |
240 | /*␊ |
241 | * This is used to store an array of 16-bit entries (ports etc.)␊ |
242 | */␊ |
243 | typedef struct␉_ipfw_insn_u16 {␊ |
244 | ␉ipfw_insn o;␊ |
245 | ␉u_int16_t ports[2];␉/* there may be more */␊ |
246 | } ipfw_insn_u16;␊ |
247 | ␊ |
248 | /*␊ |
249 | * This is used to store an array of 32-bit entries␊ |
250 | * (uid, single IPv4 addresses etc.)␊ |
251 | */␊ |
252 | typedef struct␉_ipfw_insn_u32 {␊ |
253 | ␉ipfw_insn o;␊ |
254 | ␉u_int32_t d[1];␉/* one or more */␊ |
255 | } ipfw_insn_u32;␊ |
256 | ␊ |
257 | /*␊ |
258 | * This is used to store IP addr-mask pairs.␊ |
259 | */␊ |
260 | typedef struct␉_ipfw_insn_ip {␊ |
261 | ␉ipfw_insn o;␊ |
262 | ␉struct in_addr␉addr;␊ |
263 | ␉struct in_addr␉mask;␊ |
264 | } ipfw_insn_ip;␊ |
265 | ␊ |
266 | /*␊ |
267 | * This is used to forward to a given address (ip).␊ |
268 | */␊ |
269 | typedef struct _ipfw_insn_sa {␊ |
270 | ␉ipfw_insn o;␊ |
271 | ␉struct sockaddr_in sa;␊ |
272 | } ipfw_insn_sa;␊ |
273 | ␊ |
274 | /*␊ |
275 | * This is used for MAC addr-mask pairs.␊ |
276 | */␊ |
277 | typedef struct␉_ipfw_insn_mac {␊ |
278 | ␉ipfw_insn o;␊ |
279 | ␉u_char addr[12];␉/* dst[6] + src[6] */␊ |
280 | ␉u_char mask[12];␉/* dst[6] + src[6] */␊ |
281 | } ipfw_insn_mac;␊ |
282 | ␊ |
283 | /*␊ |
284 | * This is used for interface match rules (recv xx, xmit xx).␊ |
285 | */␊ |
286 | typedef struct␉_ipfw_insn_if {␊ |
287 | ␉ipfw_insn o;␊ |
288 | ␉union {␊ |
289 | ␉␉struct in_addr ip;␊ |
290 | ␉␉int32_t unit;␊ |
291 | ␉} p;␊ |
292 | ␉char name[IFNAMSIZ];␊ |
293 | } ipfw_insn_if;␊ |
294 | ␊ |
295 | /*␊ |
296 | * This is used for pipe and queue actions, which need to store␊ |
297 | * a single pointer (which can have different size on different␊ |
298 | * architectures.␊ |
299 | * Note that, because of previous instructions, pipe_ptr might␊ |
300 | * be unaligned in the overall structure, so it needs to be␊ |
301 | * manipulated with care.␊ |
302 | */␊ |
303 | typedef struct␉_ipfw_insn_pipe {␊ |
304 | ␉ipfw_insn␉o;␊ |
305 | ␉void␉␉*pipe_ptr;␉/* XXX */␊ |
306 | } ipfw_insn_pipe;␊ |
307 | ␊ |
308 | /*␊ |
309 | * This is used for limit rules.␊ |
310 | */␊ |
311 | typedef struct␉_ipfw_insn_limit {␊ |
312 | ␉ipfw_insn o;␊ |
313 | ␉u_int8_t _pad;␊ |
314 | ␉u_int8_t limit_mask;␉/* combination of DYN_* below␉*/␊ |
315 | #define␉DYN_SRC_ADDR␉0x1␊ |
316 | #define␉DYN_SRC_PORT␉0x2␊ |
317 | #define␉DYN_DST_ADDR␉0x4␊ |
318 | #define␉DYN_DST_PORT␉0x8␊ |
319 | ␊ |
320 | ␉u_int16_t conn_limit;␊ |
321 | } ipfw_insn_limit;␊ |
322 | ␊ |
323 | /*␊ |
324 | * This is used for log instructions.␊ |
325 | */␊ |
326 | typedef struct _ipfw_insn_log {␊ |
327 | ipfw_insn o;␊ |
328 | ␉u_int32_t max_log;␉/* how many do we log -- 0 = all */␊ |
329 | ␉u_int32_t log_left;␉/* how many left to log ␉*/␊ |
330 | } ipfw_insn_log;␊ |
331 | ␊ |
332 | /* Version of this API */␊ |
333 | #define IP_FW_VERSION_NONE 0 ␊ |
334 | #define IP_FW_VERSION_0 10␉/* old ipfw */␊ |
335 | #define IP_FW_VERSION_1 20␉/* ipfw in Jaguar/Panther */␊ |
336 | #define IP_FW_VERSION_2 30␉/* ipfw2 */␊ |
337 | #define IP_FW_CURRENT_API_VERSION IP_FW_VERSION_2 ␊ |
338 | ␊ |
339 | /*␊ |
340 | * Here we have the structure representing an ipfw rule.␊ |
341 | *␊ |
342 | * It starts with a general area (with link fields and counters)␊ |
343 | * followed by an array of one or more instructions, which the code␊ |
344 | * accesses as an array of 32-bit values.␊ |
345 | *␊ |
346 | * Given a rule pointer r:␊ |
347 | *␊ |
348 | * r->cmd␉␉is the start of the first instruction.␊ |
349 | * ACTION_PTR(r)␉is the start of the first action (things to do␊ |
350 | *␉␉␉once a rule matched).␊ |
351 | *␊ |
352 | * When assembling instruction, remember the following:␊ |
353 | *␊ |
354 | * + if a rule has a "keep-state" (or "limit") option, then the␊ |
355 | *␉first instruction (at r->cmd) MUST BE an O_PROBE_STATE␊ |
356 | * + if a rule has a "log" option, then the first action␊ |
357 | *␉(at ACTION_PTR(r)) MUST be O_LOG␊ |
358 | *␊ |
359 | * NOTE: we use a simple linked list of rules because we never need␊ |
360 | * ␉to delete a rule without scanning the list. We do not use␊ |
361 | *␉queue(3) macros for portability and readability.␊ |
362 | */␊ |
363 | ␊ |
364 | struct ip_fw {␊ |
365 | ␉u_int32_t version;␉␉/* Version of this structure. MUST be set */␊ |
366 | ␉␉␉␉␉␉␉/* by clients. Should always be */␊ |
367 | ␉␉␉␉␉␉␉/* set to IP_FW_CURRENT_API_VERSION. */␊ |
368 | ␉void *context;␉␉␉/* Context that is usable by user processes to */␊ |
369 | ␉␉␉␉␉␉␉/* identify this rule. */␊ |
370 | ␉struct ip_fw␉*next;␉␉/* linked list of rules␉␉*/␊ |
371 | ␉struct ip_fw␉*next_rule;␉/* ptr to next [skipto] rule␉*/␊ |
372 | ␉/* 'next_rule' is used to pass up 'set_disable' status␉␉*/␊ |
373 | ␊ |
374 | ␉u_int16_t␉act_ofs;␉/* offset of action in 32-bit units */␊ |
375 | ␉u_int16_t␉cmd_len;␉/* # of 32-bit words in cmd␉*/␊ |
376 | ␉u_int16_t␉rulenum;␉/* rule number␉␉␉*/␊ |
377 | ␉u_int8_t␉set;␉␉/* rule set (0..31)␉␉*/␊ |
378 | ␉u_int32_t␉set_masks[2];␉/* masks for manipulating sets atomically */␊ |
379 | #define␉RESVD_SET␉31␉/* set for default and persistent rules */␊ |
380 | ␉u_int8_t␉_pad;␉␉/* padding␉␉␉*/␊ |
381 | ␊ |
382 | ␉/* These fields are present in all rules.␉␉␉*/␊ |
383 | ␉u_int64_t␉pcnt;␉␉/* Packet counter␉␉*/␊ |
384 | ␉u_int64_t␉bcnt;␉␉/* Byte counter␉␉␉*/␊ |
385 | ␉u_int32_t␉timestamp;␉/* tv_sec of last match␉␉*/␊ |
386 | ␉␊ |
387 | ␉u_int32_t␉reserved_1;␉/* reserved - set to 0 */␊ |
388 | ␉u_int32_t␉reserved_2;␉/* reserved - set to 0 */␊ |
389 | ␊ |
390 | ␉ipfw_insn␉cmd[1];␉␉/* storage for commands␉␉*/␊ |
391 | };␊ |
392 | ␊ |
393 | #define ACTION_PTR(rule)␉␉␉␉\␊ |
394 | ␉(ipfw_insn *)( (u_int32_t *)((rule)->cmd) + ((rule)->act_ofs) )␊ |
395 | ␊ |
396 | #define RULESIZE(rule) (sizeof(struct ip_fw) + \␊ |
397 | ␉((struct ip_fw *)(rule))->cmd_len * 4 - 4)␊ |
398 | ␊ |
399 | /*␊ |
400 | * This structure is used as a flow mask and a flow id for various␊ |
401 | * parts of the code.␊ |
402 | */␊ |
403 | struct ipfw_flow_id {␊ |
404 | ␉u_int32_t␉dst_ip;␊ |
405 | ␉u_int32_t␉src_ip;␊ |
406 | ␉u_int16_t␉dst_port;␊ |
407 | ␉u_int16_t␉src_port;␊ |
408 | ␉u_int8_t␉proto;␊ |
409 | ␉u_int8_t␉flags;␉/* protocol-specific flags */␊ |
410 | };␊ |
411 | ␊ |
412 | /*␊ |
413 | * Dynamic ipfw rule.␊ |
414 | */␊ |
415 | typedef struct _ipfw_dyn_rule ipfw_dyn_rule;␊ |
416 | ␊ |
417 | struct _ipfw_dyn_rule {␊ |
418 | ␉ipfw_dyn_rule␉*next;␉␉/* linked list of rules.␉*/␊ |
419 | ␉struct ip_fw *rule;␉␉/* pointer to rule␉␉*/␊ |
420 | ␉/* 'rule' is used to pass up the rule number (from the parent)␉*/␊ |
421 | ␊ |
422 | ␉ipfw_dyn_rule *parent;␉␉/* pointer to parent rule␉*/␊ |
423 | ␉u_int64_t␉pcnt;␉␉/* packet match counter␉␉*/␊ |
424 | ␉u_int64_t␉bcnt;␉␉/* byte match counter␉␉*/␊ |
425 | ␉struct ipfw_flow_id id;␉␉/* (masked) flow id␉␉*/␊ |
426 | ␉u_int32_t␉expire;␉␉/* expire time␉␉␉*/␊ |
427 | ␉u_int32_t␉bucket;␉␉/* which bucket in hash table␉*/␊ |
428 | ␉u_int32_t␉state;␉␉/* state of this rule (typically a␊ |
429 | ␉␉␉␉␉ * combination of TCP flags)␊ |
430 | ␉␉␉␉␉ */␊ |
431 | ␉u_int32_t␉ack_fwd;␉/* most recent ACKs in forward␉*/␊ |
432 | ␉u_int32_t␉ack_rev;␉/* and reverse directions (used␉*/␊ |
433 | ␉␉␉␉␉/* to generate keepalives)␉*/␊ |
434 | ␉u_int16_t␉dyn_type;␉/* rule type␉␉␉*/␊ |
435 | ␉u_int16_t␉count;␉␉/* refcount␉␉␉*/␊ |
436 | };␊ |
437 | ␊ |
438 | /*␊ |
439 | * Definitions for IP option names.␊ |
440 | */␊ |
441 | #define␉IP_FW_IPOPT_LSRR␉0x01␊ |
442 | #define␉IP_FW_IPOPT_SSRR␉0x02␊ |
443 | #define␉IP_FW_IPOPT_RR␉␉0x04␊ |
444 | #define␉IP_FW_IPOPT_TS␉␉0x08␊ |
445 | ␊ |
446 | /*␊ |
447 | * Definitions for TCP option names.␊ |
448 | */␊ |
449 | #define␉IP_FW_TCPOPT_MSS␉0x01␊ |
450 | #define␉IP_FW_TCPOPT_WINDOW␉0x02␊ |
451 | #define␉IP_FW_TCPOPT_SACK␉0x04␊ |
452 | #define␉IP_FW_TCPOPT_TS␉␉0x08␊ |
453 | #define␉IP_FW_TCPOPT_CC␉␉0x10␊ |
454 | ␊ |
455 | #define␉ICMP_REJECT_RST␉␉0x100␉/* fake ICMP code (send a TCP RST) */␊ |
456 | ␊ |
457 | /*␊ |
458 | * Main firewall chains definitions and global var's definitions.␊ |
459 | */␊ |
460 | ␊ |
461 | ␊ |
462 | #endif /* _IPFW2_H */␊ |
463 |