Root/
| Source at commit 1808 created 12 years 4 months ago. By blackosx, Revise layout of package installer 'Welcome' file so it looks cleaner. Change the copyright notice to begin from 2009 as seen in the Chameleon 2.0 r431 installer. Should this date be set earlier? | |
|---|---|
| 1 | /*␊ |
| 2 | * Copyright (c) 2008 Apple Computer, Inc. All rights reserved.␊ |
| 3 | *␊ |
| 4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊ |
| 5 | * ␊ |
| 6 | * This file contains Original Code and/or Modifications of Original Code␊ |
| 7 | * as defined in and that are subject to the Apple Public Source License␊ |
| 8 | * Version 2.0 (the 'License'). You may not use this file except in␊ |
| 9 | * compliance with the License. The rights granted to you under the License␊ |
| 10 | * may not be used to create, or enable the creation or redistribution of,␊ |
| 11 | * unlawful or unlicensed copies of an Apple operating system, or to␊ |
| 12 | * circumvent, violate, or enable the circumvention or violation of, any␊ |
| 13 | * terms of an Apple operating system software license agreement.␊ |
| 14 | * ␊ |
| 15 | * Please obtain a copy of the License at␊ |
| 16 | * http://www.opensource.apple.com/apsl/ and read it before using this file.␊ |
| 17 | * ␊ |
| 18 | * The Original Code and all software distributed under the License are␊ |
| 19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊ |
| 20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊ |
| 21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊ |
| 22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊ |
| 23 | * Please see the License for the specific language governing rights and␊ |
| 24 | * limitations under the License.␊ |
| 25 | * ␊ |
| 26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊ |
| 27 | */␊ |
| 28 | /*␊ |
| 29 | * Copyright (c) 1993 Daniel Boulet␊ |
| 30 | * Copyright (c) 1994 Ugen J.S.Antsilevich␊ |
| 31 | *␊ |
| 32 | * Redistribution and use in source forms, with and without modification,␊ |
| 33 | * are permitted provided that this entire comment appears intact.␊ |
| 34 | *␊ |
| 35 | * Redistribution in binary form may occur without any restrictions.␊ |
| 36 | * Obviously, it would be nice if you gave credit where credit is due␊ |
| 37 | * but requiring it would be too onerous.␊ |
| 38 | *␊ |
| 39 | * This software is provided ``AS IS'' without any warranties of any kind.␊ |
| 40 | *␊ |
| 41 | */␊ |
| 42 | ␊ |
| 43 | #ifndef _IP6_FW_H␊ |
| 44 | #define _IP6_FW_H␊ |
| 45 | ␊ |
| 46 | #include <sys/appleapiopts.h>␊ |
| 47 | ␊ |
| 48 | /*␊ |
| 49 | * Define IPv6 Firewall event subclass, and associated events.␊ |
| 50 | */␊ |
| 51 | ␊ |
| 52 | /*!␊ |
| 53 | ␉@defined KEV_IP6FW_SUBCLASS␊ |
| 54 | ␉@discussion The kernel event subclass for IPv6 Firewall.␊ |
| 55 | */␊ |
| 56 | #define KEV_IP6FW_SUBCLASS␉2␊ |
| 57 | ␊ |
| 58 | /*!␊ |
| 59 | ␉@defined KEV_IP6FW_ADD␊ |
| 60 | ␉@discussion The event code indicating a rule has been added.␊ |
| 61 | */␊ |
| 62 | #define KEV_IP6FW_ADD␉␉1␊ |
| 63 | ␊ |
| 64 | /*!␊ |
| 65 | ␉@defined KEV_IP6FW_DEL␊ |
| 66 | ␉@discussion The event code indicating a rule has been removed.␊ |
| 67 | */␊ |
| 68 | #define KEV_IP6FW_DEL␉␉2␊ |
| 69 | ␊ |
| 70 | /*!␊ |
| 71 | ␉@defined KEV_IP6FW_FLUSH␊ |
| 72 | ␉@discussion The event code indicating the rule set has been flushed.␊ |
| 73 | */␊ |
| 74 | #define KEV_IP6FW_FLUSH␉␉3␊ |
| 75 | ␊ |
| 76 | /*!␊ |
| 77 | ␉@defined KEV_IP6FW_FLUSH␊ |
| 78 | ␉@discussion The event code indicating the enable flag has been changed ␊ |
| 79 | */␊ |
| 80 | #define KEV_IP6FW_ENABLE␉4␊ |
| 81 | ␊ |
| 82 | ␊ |
| 83 | #include <net/if.h>␊ |
| 84 | ␊ |
| 85 | #define IPV6_FW_CURRENT_API_VERSION 20␉/* Version of this API */␊ |
| 86 | ␊ |
| 87 | ␊ |
| 88 | /*␊ |
| 89 | * This union structure identifies an interface, either explicitly␊ |
| 90 | * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME␊ |
| 91 | * and IP_FW_F_OIFNAME say how to interpret this structure. An␊ |
| 92 | * interface unit number of -1 matches any unit number, while an␊ |
| 93 | * IP address of 0.0.0.0 indicates matches any interface.␊ |
| 94 | *␊ |
| 95 | * The receive and transmit interfaces are only compared against the␊ |
| 96 | * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)␊ |
| 97 | * is set. Note some packets lack a receive or transmit interface␊ |
| 98 | * (in which case the missing "interface" never matches).␊ |
| 99 | */␊ |
| 100 | ␊ |
| 101 | union ip6_fw_if {␊ |
| 102 | struct in6_addr fu_via_ip6;␉/* Specified by IPv6 address */␊ |
| 103 | struct {␉␉␉/* Specified by interface name */␊ |
| 104 | #define IP6FW_IFNLEN IFNAMSIZ␊ |
| 105 | ␉ char name[IP6FW_IFNLEN];␊ |
| 106 | ␉ short unit;␉␉/* -1 means match any unit */␊ |
| 107 | } fu_via_if;␊ |
| 108 | };␊ |
| 109 | ␊ |
| 110 | /*␊ |
| 111 | * Format of an IP firewall descriptor␊ |
| 112 | *␊ |
| 113 | * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.␊ |
| 114 | * fw_flg and fw_n*p are stored in host byte order (of course).␊ |
| 115 | * Port numbers are stored in HOST byte order.␊ |
| 116 | * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)␊ |
| 117 | */␊ |
| 118 | ␊ |
| 119 | ␊ |
| 120 | struct ip6_fw {␊ |
| 121 | ␉u_int32_t version;␉␉/* Version of this structure. Should always be */␊ |
| 122 | ␉␉␉␉␉␉␉/* set to IP6_FW_CURRENT_API_VERSION by clients. */␊ |
| 123 | ␉void *context;␉␉␉/* Context that is usable by user processes to */␊ |
| 124 | ␉␉␉␉␉␉␉/* identify this rule. */␊ |
| 125 | u_int32_t fw_pcnt,fw_bcnt;␉␉/* Packet and byte counters */␊ |
| 126 | struct in6_addr fw_src, fw_dst;␉/* Source and destination IPv6 addr */␊ |
| 127 | struct in6_addr fw_smsk, fw_dmsk;␉/* Mask for src and dest IPv6 addr */␊ |
| 128 | u_short fw_number;␉␉␉/* Rule number */␊ |
| 129 | u_short fw_flg;␉␉␉/* Flags word */␊ |
| 130 | #define IPV6_FW_MAX_PORTS␉10␉/* A reasonable maximum */␊ |
| 131 | u_int fw_ipflg;␉␉␉/* IP flags word */␊ |
| 132 | u_short fw_pts[IPV6_FW_MAX_PORTS];␉/* Array of port numbers to match */␊ |
| 133 | u_char fw_ip6opt,fw_ip6nopt;␉/* IPv6 options set/unset */␊ |
| 134 | u_char fw_tcpf,fw_tcpnf;␉␉/* TCP flags set/unset */␊ |
| 135 | #define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))␊ |
| 136 | unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */␊ |
| 137 | long timestamp;␉␉␉/* timestamp (tv_sec) of last match */␊ |
| 138 | union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */␊ |
| 139 | union {␊ |
| 140 | ␉u_short fu_divert_port;␉␉/* Divert/tee port (options IP6DIVERT) */␊ |
| 141 | ␉u_short fu_skipto_rule;␉␉/* SKIPTO command rule number */␊ |
| 142 | ␉u_short fu_reject_code;␉␉/* REJECT response code */␊ |
| 143 | } fw_un;␊ |
| 144 | u_char fw_prot;␉␉␉/* IPv6 protocol */␊ |
| 145 | u_char fw_nports;␉␉␉/* N'of src ports and # of dst ports */␊ |
| 146 | ␉␉␉␉␉/* in ports array (dst ports follow */␊ |
| 147 | ␉␉␉␉␉/* src ports; max of 10 ports in all; */␊ |
| 148 | ␉␉␉␉␉/* count of 0 means match all ports) */␊ |
| 149 | };␊ |
| 150 | ␊ |
| 151 | ␊ |
| 152 | #define IPV6_FW_GETNSRCP(rule)␉␉((rule)->fw_nports & 0x0f)␊ |
| 153 | #define IPV6_FW_SETNSRCP(rule, n)␉␉do {␉␉␉␉\␊ |
| 154 | ␉␉␉␉␉ (rule)->fw_nports &= ~0x0f;␉\␊ |
| 155 | ␉␉␉␉␉ (rule)->fw_nports |= (n);␉\␊ |
| 156 | ␉␉␉␉␉} while (0)␊ |
| 157 | #define IPV6_FW_GETNDSTP(rule)␉␉((rule)->fw_nports >> 4)␊ |
| 158 | #define IPV6_FW_SETNDSTP(rule, n)␉␉do {␉␉␉␉\␊ |
| 159 | ␉␉␉␉␉ (rule)->fw_nports &= ~0xf0;␉\␊ |
| 160 | ␉␉␉␉␉ (rule)->fw_nports |= (n) << 4;\␊ |
| 161 | ␉␉␉␉␉} while (0)␊ |
| 162 | ␊ |
| 163 | #define fw_divert_port␉fw_un.fu_divert_port␊ |
| 164 | #define fw_skipto_rule␉fw_un.fu_skipto_rule␊ |
| 165 | #define fw_reject_code␉fw_un.fu_reject_code␊ |
| 166 | ␊ |
| 167 | struct ip6_fw_chain {␊ |
| 168 | LIST_ENTRY(ip6_fw_chain) chain;␊ |
| 169 | struct ip6_fw *rule;␊ |
| 170 | };␊ |
| 171 | ␊ |
| 172 | /*␊ |
| 173 | * Values for "flags" field .␊ |
| 174 | */␊ |
| 175 | #define IPV6_FW_F_IN␉0x0001␉/* Check inbound packets␉␉*/␊ |
| 176 | #define IPV6_FW_F_OUT␉0x0002␉/* Check outbound packets␉␉*/␊ |
| 177 | #define IPV6_FW_F_IIFACE␉0x0004␉/* Apply inbound interface test␉␉*/␊ |
| 178 | #define IPV6_FW_F_OIFACE␉0x0008␉/* Apply outbound interface test␉*/␊ |
| 179 | ␊ |
| 180 | #define IPV6_FW_F_COMMAND 0x0070␉/* Mask for type of chain entry:␉*/␊ |
| 181 | #define IPV6_FW_F_DENY␉0x0000␉/* This is a deny rule␉␉␉*/␊ |
| 182 | #define IPV6_FW_F_REJECT␉0x0010␉/* Deny and send a response packet␉*/␊ |
| 183 | #define IPV6_FW_F_ACCEPT␉0x0020␉/* This is an accept rule␉␉*/␊ |
| 184 | #define IPV6_FW_F_COUNT␉0x0030␉/* This is a count rule␉␉␉*/␊ |
| 185 | #define IPV6_FW_F_DIVERT␉0x0040␉/* This is a divert rule␉␉*/␊ |
| 186 | #define IPV6_FW_F_TEE␉0x0050␉/* This is a tee rule␉␉␉*/␊ |
| 187 | #define IPV6_FW_F_SKIPTO␉0x0060␉/* This is a skipto rule␉␉*/␊ |
| 188 | ␊ |
| 189 | #define IPV6_FW_F_PRN␉0x0080␉/* Print if this rule matches␉␉*/␊ |
| 190 | ␊ |
| 191 | #define IPV6_FW_F_SRNG␉0x0100␉/* The first two src ports are a min␉*␊ |
| 192 | ␉␉␉␉ * and max range (stored in host byte␉*␊ |
| 193 | ␉␉␉␉ * order).␉␉␉␉*/␊ |
| 194 | ␊ |
| 195 | #define IPV6_FW_F_DRNG␉0x0200␉/* The first two dst ports are a min␉*␊ |
| 196 | ␉␉␉␉ * and max range (stored in host byte␉*␊ |
| 197 | ␉␉␉␉ * order).␉␉␉␉*/␊ |
| 198 | ␊ |
| 199 | #define IPV6_FW_F_IIFNAME␉0x0400␉/* In interface by name/unit (not IP)␉*/␊ |
| 200 | #define IPV6_FW_F_OIFNAME␉0x0800␉/* Out interface by name/unit (not IP)␉*/␊ |
| 201 | ␊ |
| 202 | #define IPV6_FW_F_INVSRC␉0x1000␉/* Invert sense of src check␉␉*/␊ |
| 203 | #define IPV6_FW_F_INVDST␉0x2000␉/* Invert sense of dst check␉␉*/␊ |
| 204 | ␊ |
| 205 | #define IPV6_FW_F_FRAG␉0x4000␉/* Fragment␉␉␉␉*/␊ |
| 206 | ␊ |
| 207 | #define IPV6_FW_F_ICMPBIT 0x8000␉/* ICMP type bitmap is valid␉␉*/␊ |
| 208 | ␊ |
| 209 | #define IPV6_FW_F_MASK␉0xFFFF␉/* All possible flag bits mask␉␉*/␊ |
| 210 | ␊ |
| 211 | /* ␊ |
| 212 | * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */␊ |
| 213 | #define␉IPV6_FW_IF_TCPEST 0x00000020␉/* established TCP connection␉*/␊ |
| 214 | #define IPV6_FW_IF_TCPMSK 0x00000020␉/* mask of all TCP values */␊ |
| 215 | ␊ |
| 216 | /*␊ |
| 217 | * For backwards compatibility with rules specifying "via iface" but␊ |
| 218 | * not restricted to only "in" or "out" packets, we define this combination␊ |
| 219 | * of bits to represent this configuration.␊ |
| 220 | */␊ |
| 221 | ␊ |
| 222 | #define IF6_FW_F_VIAHACK␉(IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|IPV6_FW_F_OIFACE)␊ |
| 223 | ␊ |
| 224 | /*␊ |
| 225 | * Definitions for REJECT response codes.␊ |
| 226 | * Values less than 256 correspond to ICMP unreachable codes.␊ |
| 227 | */␊ |
| 228 | #define IPV6_FW_REJECT_RST␉0x0100␉␉/* TCP packets: send RST */␊ |
| 229 | ␊ |
| 230 | /*␊ |
| 231 | * Definitions for IPv6 option names.␊ |
| 232 | */␊ |
| 233 | #define IPV6_FW_IP6OPT_HOPOPT␉0x01␊ |
| 234 | #define IPV6_FW_IP6OPT_ROUTE␉0x02␊ |
| 235 | #define IPV6_FW_IP6OPT_FRAG␉0x04␊ |
| 236 | #define IPV6_FW_IP6OPT_ESP␉0x08␊ |
| 237 | #define IPV6_FW_IP6OPT_AH␉0x10␊ |
| 238 | #define IPV6_FW_IP6OPT_NONXT␉0x20␊ |
| 239 | #define IPV6_FW_IP6OPT_OPTS␉0x40␊ |
| 240 | ␊ |
| 241 | /*␊ |
| 242 | * Definitions for TCP flags.␊ |
| 243 | */␊ |
| 244 | #define IPV6_FW_TCPF_FIN␉TH_FIN␊ |
| 245 | #define IPV6_FW_TCPF_SYN␉TH_SYN␊ |
| 246 | #define IPV6_FW_TCPF_RST␉TH_RST␊ |
| 247 | #define IPV6_FW_TCPF_PSH␉TH_PUSH␊ |
| 248 | #define IPV6_FW_TCPF_ACK␉TH_ACK␊ |
| 249 | #define IPV6_FW_TCPF_URG␉TH_URG␊ |
| 250 | ␊ |
| 251 | /*␊ |
| 252 | * Main firewall chains definitions and global var's definitions.␊ |
| 253 | */␊ |
| 254 | ␊ |
| 255 | #endif /* _IP6_FW_H */␊ |
| 256 | |
