1/*
2 * Copyright (c) 2008 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28
29/*
30 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
31 *
32 * Redistribution and use in source and binary forms, with or without
33 * modification, are permitted provided that the following conditions
34 * are met:
35 * 1. Redistributions of source code must retain the above copyright
36 * notice, this list of conditions and the following disclaimer.
37 * 2. Redistributions in binary form must reproduce the above copyright
38 * notice, this list of conditions and the following disclaimer in the
39 * documentation and/or other materials provided with the distribution.
40 *
41 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * $FreeBSD: src/sys/netinet/ip_fw2.h,v 1.1.2.4 2003/07/17 06:03:39 luigi Exp $
54 */
55
56#ifndef _IPFW2_H
57#define _IPFW2_H
58
/*
 * Kernel event subclass and event codes published by the IP firewall.
 *
 * The subclass identifies the firewall as the source of an event; the
 * event codes say what happened to the rule set.  KEV_IPFW_SUBCLASS and
 * KEV_IPFW_ADD are both 1 only because they live in different
 * namespaces (subclass vs. event code) -- this is not a collision.
 */

/*!
	@defined KEV_IPFW_SUBCLASS
	@discussion Kernel event subclass under which every IP firewall
	event is delivered.
*/
#define KEV_IPFW_SUBCLASS	1

/*!
	@defined KEV_IPFW_ADD
	@discussion Event code: a rule was added.
*/
#define KEV_IPFW_ADD		1

/*!
	@defined KEV_IPFW_DEL
	@discussion Event code: a rule was removed.
*/
#define KEV_IPFW_DEL		2

/*!
	@defined KEV_IPFW_FLUSH
	@discussion Event code: the whole rule set was flushed.
*/
#define KEV_IPFW_FLUSH		3

/*!
	@defined KEV_IPFW_ENABLE
	@discussion Event code: the firewall enable flag was changed.  A
	single code covers both directions; the event itself does not say
	whether the firewall is now on or off.
*/
#define KEV_IPFW_ENABLE		4
92
93
94
/*
 * The kernel representation of an ipfw rule is a list of "instructions"
 * (for all practical purposes equivalent to BPF instructions), each of
 * which names a field of the packet -- or of its metadata -- to examine.
 *
 * Every instruction is stored in a structure that begins with "ipfw_insn"
 * and may carry extra fields depending on the instruction type (listed
 * below).  Instructions are laid out so that each one is a multiple of
 * 32 bits long.  A structure that embeds a pointer or another 64-bit
 * entity (there is exactly one such instruction now, ipfw_insn_pipe)
 * may therefore end up unaligned on 64-bit architectures and must be
 * handled with care.
 *
 * "enum ipfw_opcodes" lists the supported opcodes.  The opcode field of
 * an instruction is 8 bits wide, so at most 256 distinct opcodes exist.
 *
 * NOTE(review): rules, and so their instruction streams, are assembled by
 * user space (see the "MUST be set by clients" remark on struct ip_fw
 * further down).  Opcode and length fields are therefore untrusted until
 * the kernel has checked the rule; that checker is not part of this
 * header.
 */

enum ipfw_opcodes {		/* arguments (4 byte each)	*/
	O_NOP,

	O_IP_SRC,		/* u32 = IP			*/
	O_IP_SRC_MASK,		/* ip = IP/mask			*/
	O_IP_SRC_ME,		/* none				*/
	O_IP_SRC_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_DST,		/* u32 = IP			*/
	O_IP_DST_MASK,		/* ip = IP/mask			*/
	O_IP_DST_ME,		/* none				*/
	O_IP_DST_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_SRCPORT,		/* (n)port list:mask 4 byte ea	*/
	O_IP_DSTPORT,		/* (n)port list:mask 4 byte ea	*/
	O_PROTO,		/* arg1=protocol		*/

	O_MACADDR2,		/* 2 mac addr:mask		*/
	O_MAC_TYPE,		/* same as srcport		*/

	O_LAYER2,		/* none				*/
	O_IN,			/* none				*/
	O_FRAG,			/* none				*/

	O_RECV,			/* none				*/
	O_XMIT,			/* none				*/
	O_VIA,			/* none				*/

	O_IPOPT,		/* arg1 = 2*u8 bitmap		*/
	O_IPLEN,		/* arg1 = len			*/
	O_IPID,			/* arg1 = id			*/

	O_IPTOS,		/* arg1 = tos, presumably -- the inherited comment said "id" */
	O_IPPRECEDENCE,		/* arg1 = precedence << 5	*/
	O_IPTTL,		/* arg1 = TTL			*/

	O_IPVER,		/* arg1 = version		*/
	O_UID,			/* u32 = id			*/
	O_GID,			/* u32 = id			*/
	O_ESTAB,		/* none (tcp established)	*/
	O_TCPFLAGS,		/* arg1 = 2*u8 bitmap		*/
	O_TCPWIN,		/* arg1 = desired win		*/
	O_TCPSEQ,		/* u32 = desired seq.		*/
	O_TCPACK,		/* u32 = desired seq.		*/
	O_ICMPTYPE,		/* u32 = icmp bitmap		*/
	O_TCPOPTS,		/* arg1 = 2*u8 bitmap		*/

	O_VERREVPATH,		/* none				*/

	O_PROBE_STATE,		/* none				*/
	O_KEEP_STATE,		/* none				*/
	O_LIMIT,		/* ipfw_insn_limit		*/
	O_LIMIT_PARENT,		/* value for ipfw_dyn_rule.dyn_type, not an opcode */

	/*
	 * These are really 'actions'.
	 *
	 * NOTE(review): O_SKIPTO carries a rule number chosen by user space.
	 * Whether only forward jumps are accepted is decided by the rule
	 * checker, not here -- confirm it, since a backward jump could loop.
	 */

	O_LOG,			/* ipfw_insn_log		*/
	O_PROB,			/* u32 = match probability	*/

	O_CHECK_STATE,		/* none				*/
	O_ACCEPT,		/* none				*/
	O_DENY,			/* none				*/
	O_REJECT,		/* arg1=icmp arg (same as deny)	*/
	O_COUNT,		/* none				*/
	O_SKIPTO,		/* arg1=next rule number	*/
	O_PIPE,			/* arg1=pipe number		*/
	O_QUEUE,		/* arg1=queue number		*/
	O_DIVERT,		/* arg1=port number		*/
	O_TEE,			/* arg1=port number		*/
	O_FORWARD_IP,		/* fwd sockaddr			*/
	O_FORWARD_MAC,		/* fwd mac			*/

	/*
	 * More opcodes.
	 */
	O_IPSEC,		/* has ipsec history		*/

	O_LAST_OPCODE		/* not an opcode!		*/
};

/*
 * Template for instructions.
 *
 * ipfw_insn is used for every instruction that needs no operand, a single
 * 16-bit operand (arg1) or a pair of 8-bit operands.  Instructions that
 * need different or larger operands use one of the derived ipfw_insn_*
 * structures, each of which begins with an ipfw_insn.
 *
 * "len" packs two things:
 *   - the low 6 bits (F_LEN_MASK) hold the instruction size in 32-bit
 *     words; for a given type that value is F_INSN_SIZE(type);
 *   - the top 2 bits carry the F_NOT and F_OR modifiers.
 * Use F_LEN(cmd) to read the size without the modifier bits.
 *
 * F_NOT	negates the match result of the instruction.
 *
 * F_OR		builds "or" blocks.  Instructions are normally evaluated as
 *		part of a logical AND; in a block { X or Y or Z } every
 *		instruction but the last carries F_OR, and a match skips
 *		past the last instruction of the block.
 *
 * NOTA BENE: in a couple of places the code assumes that
 *	sizeof(ipfw_insn) == sizeof(u_int32_t)
 * this needs to be fixed.
 *
 * NOTE(review): because instruction streams come from user space, F_LEN()
 * of an instruction is untrusted until the rule has been checked.
 * Presumably the kernel walks a stream by adding F_LEN() to a cursor; if
 * so, a zero length (no progress) and a length that runs past the rule's
 * cmd_len both have to be rejected before interpretation -- confirm in
 * the rule checker, which is not in this header.
 */
struct _ipfw_insn {			/* template for instructions	*/
	enum ipfw_opcodes	opcode:8;
	u_int8_t		len;	/* number of 32-bit words, plus F_NOT/F_OR */
#define	F_NOT		0x80
#define	F_OR		0x40
#define	F_LEN_MASK	0x3f
#define	F_LEN(cmd)	((cmd)->len & F_LEN_MASK)

	u_int16_t		arg1;
};
typedef struct _ipfw_insn ipfw_insn;

/*
 * F_INSN_SIZE(type) computes the size, in 4-byte words, of a given
 * instruction type -- the value that belongs in the low bits of "len".
 */
#define	F_INSN_SIZE(t)	((sizeof (t))/sizeof(u_int32_t))
239
/*
 * Holds an array of 16-bit entries (ports etc.).  Two elements are
 * declared, but the instruction may be longer: the real element count is
 * derived from F_LEN() of the leading ipfw_insn, not from this declaration.
 */
struct _ipfw_insn_u16 {
	ipfw_insn	o;
	u_int16_t	ports[2];	/* there may be more */
};
typedef struct _ipfw_insn_u16 ipfw_insn_u16;
247
/*
 * Holds an array of 32-bit entries (uid, single IPv4 addresses etc.).
 * One element is declared; the real element count is derived from
 * F_LEN() of the leading ipfw_insn.
 */
struct _ipfw_insn_u32 {
	ipfw_insn	o;
	u_int32_t	d[1];		/* one or more */
};
typedef struct _ipfw_insn_u32 ipfw_insn_u32;
256
/*
 * Holds an IPv4 address/mask pair (O_IP_SRC_MASK, O_IP_DST_MASK).
 */
struct _ipfw_insn_ip {
	ipfw_insn	o;
	struct in_addr	addr;
	struct in_addr	mask;
};
typedef struct _ipfw_insn_ip ipfw_insn_ip;
265
/*
 * Holds the destination of an O_FORWARD_IP action (a socket address).
 */
struct _ipfw_insn_sa {
	ipfw_insn		o;
	struct sockaddr_in	sa;
};
typedef struct _ipfw_insn_sa ipfw_insn_sa;
273
/*
 * Holds a MAC address/mask pair for both endpoints (O_MACADDR2).
 * Each 12-byte array is laid out as dst[6] followed by src[6].
 */
struct _ipfw_insn_mac {
	ipfw_insn	o;
	u_char		addr[12];	/* dst[6] + src[6] */
	u_char		mask[12];	/* dst[6] + src[6] */
};
typedef struct _ipfw_insn_mac ipfw_insn_mac;
282
/*
 * Holds the operand of an interface match rule (recv xx, xmit xx).
 * "p" carries either an address or a unit number; which one applies is
 * decided by the consumer, not by anything in this header.
 *
 * NOTE(review): "name" arrives with the rule from user space.  Code that
 * treats it as a C string must not assume a terminating NUL is present;
 * confirm that the rule checker forces one, or that comparisons are
 * bounded by IFNAMSIZ.
 */
struct _ipfw_insn_if {
	ipfw_insn	o;
	union {
		struct in_addr	ip;
		int32_t		unit;
	} p;
	char		name[IFNAMSIZ];
};
typedef struct _ipfw_insn_if ipfw_insn_if;
294
/*
 * Holds the operand of a pipe or queue action: a single pointer, whose
 * size differs between architectures.
 *
 * Because earlier instructions in the stream are only 32-bit aligned,
 * pipe_ptr may be unaligned within the rule and must be accessed with
 * care (e.g. copied out with memcpy rather than dereferenced in place).
 *
 * NOTE(review): this pointer sits in rule memory that user space fills
 * in.  The kernel must never dereference the client-supplied value;
 * presumably it is (re)resolved in the kernel when the rule is
 * installed -- confirm, as this header cannot enforce it.
 */
struct _ipfw_insn_pipe {
	ipfw_insn	o;
	void		*pipe_ptr;	/* XXX */
};
typedef struct _ipfw_insn_pipe ipfw_insn_pipe;
307
/*
 * Holds the operand of an O_LIMIT instruction: which parts of the flow
 * identify a "connection" (limit_mask, a combination of DYN_*) and how
 * many such connections are allowed (conn_limit).
 */
struct _ipfw_insn_limit {
	ipfw_insn	o;
	u_int8_t	_pad;
	u_int8_t	limit_mask;	/* combination of DYN_* below */
#define	DYN_SRC_ADDR	0x1
#define	DYN_SRC_PORT	0x2
#define	DYN_DST_ADDR	0x4
#define	DYN_DST_PORT	0x8

	u_int16_t	conn_limit;	/* at most 65535 connections per key */
};
typedef struct _ipfw_insn_limit ipfw_insn_limit;
322
/*
 * Holds the operand of an O_LOG action.  max_log is the configured
 * logging budget (0 = unlimited); log_left is the running count still
 * available.
 */
struct _ipfw_insn_log {
	ipfw_insn	o;
	u_int32_t	max_log;	/* how many do we log -- 0 = all */
	u_int32_t	log_left;	/* how many left to log */
};
typedef struct _ipfw_insn_log ipfw_insn_log;
331
/*
 * Version of this API.  Clients put IP_FW_CURRENT_API_VERSION in the
 * "version" field of every struct ip_fw they hand to the kernel.
 */
#define IP_FW_VERSION_NONE	0
#define IP_FW_VERSION_0		10	/* old ipfw */
#define IP_FW_VERSION_1		20	/* ipfw in Jaguar/Panther */
#define IP_FW_VERSION_2		30	/* ipfw2 */
#define IP_FW_CURRENT_API_VERSION	IP_FW_VERSION_2
338
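/*
 * The structure representing an ipfw rule.
 *
 * It starts with a general area (link fields and counters) followed by
 * an array of one or more instructions, which the code accesses as an
 * array of 32-bit values.
 *
 * Given a rule pointer r:
 *
 *	r->cmd		is the start of the first instruction.
 *	ACTION_PTR(r)	is the start of the first action (things to do
 *			once a rule matched).
 *
 * When assembling instructions, remember the following:
 *
 *  + if a rule has a "keep-state" (or "limit") option, then the
 *    first instruction (at r->cmd) MUST BE an O_PROBE_STATE
 *  + if a rule has a "log" option, then the first action
 *    (at ACTION_PTR(r)) MUST be O_LOG
 *
 * NOTE: we use a simple linked list of rules because we never need to
 * delete a rule without scanning the list.  We do not use queue(3)
 * macros for portability and readability.
 *
 * NOTE(review): this layout is shared with user space -- "version" MUST
 * be set by clients, and the comment on next_rule shows the kernel reuses
 * a pointer field to pass status back up.  Two things follow that this
 * header cannot enforce:
 *  - act_ofs and cmd_len are untrusted on the way in.  Presumably the
 *    rule checker rejects act_ofs >= cmd_len and a cmd_len that does not
 *    agree with the byte count supplied alongside the rule -- confirm.
 *  - next and next_rule hold kernel addresses while a rule is installed.
 *    next_rule is overwritten on the way out per its comment; confirm
 *    that next is cleared too, so kernel pointers do not reach user space.
 */

struct ip_fw {
	u_int32_t	version;	/* Version of this structure. MUST be set */
					/* by clients. Should always be */
					/* set to IP_FW_CURRENT_API_VERSION. */
	void		*context;	/* Context that is usable by user processes to */
					/* identify this rule. */
	struct ip_fw	*next;		/* linked list of rules		*/
	struct ip_fw	*next_rule;	/* ptr to next [skipto] rule	*/
					/* 'next_rule' is used to pass up 'set_disable' status */

	u_int16_t	act_ofs;	/* offset of action in 32-bit units */
	u_int16_t	cmd_len;	/* # of 32-bit words in cmd	*/
	u_int16_t	rulenum;	/* rule number			*/
	u_int8_t	set;		/* rule set (0..31)		*/
	u_int32_t	set_masks[2];	/* masks for manipulating sets atomically */
#define	RESVD_SET	31	/* set for default and persistent rules */
	u_int8_t	_pad;		/* padding			*/

	/* These fields are present in all rules.			*/
	u_int64_t	pcnt;		/* Packet counter		*/
	u_int64_t	bcnt;		/* Byte counter			*/
	u_int32_t	timestamp;	/* tv_sec of last match		*/

	u_int32_t	reserved_1;	/* reserved - set to 0 */
	u_int32_t	reserved_2;	/* reserved - set to 0 */

	ipfw_insn	cmd[1];		/* storage for commands		*/
};

/*
 * ACTION_PTR(rule) points at the first action of a rule: the instruction
 * act_ofs 32-bit words past the start of cmd.
 *
 * The whole expansion is parenthesised so that postfix uses such as
 * ACTION_PTR(r)->opcode bind as intended; without the outer parentheses
 * the "->" would apply to the u_int32_t pointer sum before the cast.
 */
#define ACTION_PTR(rule)	\
	((ipfw_insn *)( (u_int32_t *)((rule)->cmd) + ((rule)->act_ofs) ))

/*
 * RULESIZE(rule) is the number of bytes a rule occupies: the fixed part
 * plus cmd_len 32-bit words, minus the one word of cmd[] that
 * sizeof(struct ip_fw) already includes.  The literal 4 relies on the
 * "sizeof(ipfw_insn) == sizeof(u_int32_t)" assumption noted on ipfw_insn.
 * cmd_len is a 16-bit value, so cmd_len * 4 cannot overflow an int.
 */
#define RULESIZE(rule)	(sizeof(struct ip_fw) + \
	((struct ip_fw *)(rule))->cmd_len * 4 - 4)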
398
/*
 * Flow identifier.  The same structure serves as a flow mask and as a
 * flow id in various parts of the code: addresses, ports, protocol and
 * protocol-specific flags of one direction of a flow.
 */
struct ipfw_flow_id {
	u_int32_t	dst_ip;
	u_int32_t	src_ip;
	u_int16_t	dst_port;
	u_int16_t	src_port;
	u_int8_t	proto;
	u_int8_t	flags;		/* protocol-specific flags */
};
411
/*
 * Dynamic ipfw rule: a per-flow state entry keyed by a (masked)
 * ipfw_flow_id and linked back to the static rule that created it.
 *
 * NOTE(review): next, rule and parent hold kernel addresses.  The comment
 * on "rule" shows this structure is passed up to user space with that
 * field repurposed as a rule number; confirm that next and parent are
 * cleared or overwritten on the same path so kernel pointers do not leak.
 * "count" is only 16 bits; for O_LIMIT_PARENT entries it presumably
 * counts children, which ipfw_insn_limit.conn_limit (also 16-bit) bounds
 * -- confirm no other path increments it without a bound.
 */
typedef struct _ipfw_dyn_rule {
	struct _ipfw_dyn_rule	*next;	/* linked list of rules.	*/
	struct ip_fw		*rule;	/* pointer to rule		*/
					/* 'rule' is used to pass up the rule number (from the parent) */

	struct _ipfw_dyn_rule	*parent; /* pointer to parent rule	*/
	u_int64_t		pcnt;	/* packet match counter		*/
	u_int64_t		bcnt;	/* byte match counter		*/
	struct ipfw_flow_id	id;	/* (masked) flow id		*/
	u_int32_t		expire;	/* expire time			*/
	u_int32_t		bucket;	/* which bucket in hash table	*/
	u_int32_t		state;	/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t		ack_fwd; /* most recent ACKs in forward	*/
	u_int32_t		ack_rev; /* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t		dyn_type; /* rule type (e.g. O_LIMIT_PARENT) */
	u_int16_t		count;	/* refcount			*/
} ipfw_dyn_rule;
437
/*
 * Bit names for IP options (intended for the 2*u8 bitmap carried in
 * O_IPOPT's arg1).
 */
#define	IP_FW_IPOPT_LSRR	0x01
#define	IP_FW_IPOPT_SSRR	0x02
#define	IP_FW_IPOPT_RR		0x04
#define	IP_FW_IPOPT_TS		0x08

/*
 * Bit names for TCP options (intended for the 2*u8 bitmap carried in
 * O_TCPOPTS's arg1).
 */
#define	IP_FW_TCPOPT_MSS	0x01
#define	IP_FW_TCPOPT_WINDOW	0x02
#define	IP_FW_TCPOPT_SACK	0x04
#define	IP_FW_TCPOPT_TS		0x08
#define	IP_FW_TCPOPT_CC		0x10

/*
 * Pseudo ICMP code for O_REJECT meaning "send a TCP RST instead of an
 * ICMP message".  The value lies above the 8-bit range of real ICMP
 * codes, so it can never be confused with one.
 */
#define	ICMP_REJECT_RST		0x100	/* fake ICMP code (send a TCP RST) */
456
/*
 * Main firewall chain definitions and global variable definitions.
 * (None are declared in this header; nothing follows before the guard.)
 */
460
461
462#endif /* _IPFW2_H */
463
