branches/ErmaC/Enoch_Modules/i386/include/netinet6/ip6_fw.h - Chameleon Svn Source Tree - Chameleon open source boot loader project.

Root/branches/ErmaC/Enoch_Modules/i386/include/netinet6/ip6_fw.h

1	/*␊
2	* Copyright (c) 2008 Apple Computer, Inc. All rights reserved.␊
3	*␊
4	* @APPLE_OSREFERENCE_LICENSE_HEADER_START@␊
5	* ␊
6	* This file contains Original Code and/or Modifications of Original Code␊
7	* as defined in and that are subject to the Apple Public Source License␊
8	* Version 2.0 (the 'License'). You may not use this file except in␊
9	* compliance with the License. The rights granted to you under the License␊
10	* may not be used to create, or enable the creation or redistribution of,␊
11	* unlawful or unlicensed copies of an Apple operating system, or to␊
12	* circumvent, violate, or enable the circumvention or violation of, any␊
13	* terms of an Apple operating system software license agreement.␊
14	* ␊
15	* Please obtain a copy of the License at␊
16	* http://www.opensource.apple.com/apsl/ and read it before using this file.␊
17	* ␊
18	* The Original Code and all software distributed under the License are␊
19	* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER␊
20	* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,␊
21	* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,␊
22	* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.␊
23	* Please see the License for the specific language governing rights and␊
24	* limitations under the License.␊
25	* ␊
26	* @APPLE_OSREFERENCE_LICENSE_HEADER_END@␊
27	*/␊
28	/*␊
29	* Copyright (c) 1993 Daniel Boulet␊
30	* Copyright (c) 1994 Ugen J.S.Antsilevich␊
31	*␊
32	* Redistribution and use in source forms, with and without modification,␊
33	* are permitted provided that this entire comment appears intact.␊
34	*␊
35	* Redistribution in binary form may occur without any restrictions.␊
36	* Obviously, it would be nice if you gave credit where credit is due␊
37	* but requiring it would be too onerous.␊
38	*␊
39	* This software is provided ``AS IS'' without any warranties of any kind.␊
40	*␊
41	*/␊
42	␊
43	#ifndef _IP6_FW_H␊
44	#define _IP6_FW_H␊
45	␊
46	#include <sys/appleapiopts.h>␊
47	␊
48	/*␊
49	* Define IPv6 Firewall event subclass, and associated events.␊
50	*/␊
51	␊
52	/*!␊
53	␉@defined KEV_IP6FW_SUBCLASS␊
54	␉@discussion The kernel event subclass for IPv6 Firewall.␊
55	*/␊
56	#define KEV_IP6FW_SUBCLASS␉2␊
57	␊
58	/*!␊
59	␉@defined KEV_IP6FW_ADD␊
60	␉@discussion The event code indicating a rule has been added.␊
61	*/␊
62	#define KEV_IP6FW_ADD␉␉1␊
63	␊
64	/*!␊
65	␉@defined KEV_IP6FW_DEL␊
66	␉@discussion The event code indicating a rule has been removed.␊
67	*/␊
68	#define KEV_IP6FW_DEL␉␉2␊
69	␊
70	/*!␊
71	␉@defined KEV_IP6FW_FLUSH␊
72	␉@discussion The event code indicating the rule set has been flushed.␊
73	*/␊
74	#define KEV_IP6FW_FLUSH␉␉3␊
75	␊
76	/*!␊
77	␉@defined KEV_IP6FW_FLUSH␊
78	␉@discussion The event code indicating the enable flag has been changed ␊
79	*/␊
80	#define KEV_IP6FW_ENABLE␉4␊
81	␊
82	␊
83	#include <net/if.h>␊
84	␊
85	#define IPV6_FW_CURRENT_API_VERSION 20␉/* Version of this API */␊
86	␊
87	␊
88	/*␊
89	* This union structure identifies an interface, either explicitly␊
90	* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME␊
91	* and IP_FW_F_OIFNAME say how to interpret this structure. An␊
92	* interface unit number of -1 matches any unit number, while an␊
93	* IP address of 0.0.0.0 indicates matches any interface.␊
94	*␊
95	* The receive and transmit interfaces are only compared against the␊
96	* the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)␊
97	* is set. Note some packets lack a receive or transmit interface␊
98	* (in which case the missing "interface" never matches).␊
99	*/␊
100	␊
101	union ip6_fw_if {␊
102	struct in6_addr fu_via_ip6;␉/* Specified by IPv6 address */␊
103	struct {␉␉␉/* Specified by interface name */␊
104	#define IP6FW_IFNLEN IFNAMSIZ␊
105	␉ char name[IP6FW_IFNLEN];␊
106	␉ short unit;␉␉/* -1 means match any unit */␊
107	} fu_via_if;␊
108	};␊
109	␊
110	/*␊
111	* Format of an IP firewall descriptor␊
112	*␊
113	* fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.␊
114	* fw_flg and fw_n*p are stored in host byte order (of course).␊
115	* Port numbers are stored in HOST byte order.␊
116	* Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)␊
117	*/␊
118	␊
119	␊
120	struct ip6_fw {␊
121	␉u_int32_t version;␉␉/* Version of this structure. Should always be */␊
122	␉␉␉␉␉␉␉/* set to IP6_FW_CURRENT_API_VERSION by clients. */␊
123	␉void context;␉␉␉/ Context that is usable by user processes to */␊
124	␉␉␉␉␉␉␉/* identify this rule. */␊
125	u_int32_t fw_pcnt,fw_bcnt;␉␉/* Packet and byte counters */␊
126	struct in6_addr fw_src, fw_dst;␉/* Source and destination IPv6 addr */␊
127	struct in6_addr fw_smsk, fw_dmsk;␉/* Mask for src and dest IPv6 addr */␊
128	u_short fw_number;␉␉␉/* Rule number */␊
129	u_short fw_flg;␉␉␉/* Flags word */␊
130	#define IPV6_FW_MAX_PORTS␉10␉/* A reasonable maximum */␊
131	u_int fw_ipflg;␉␉␉/* IP flags word */␊
132	u_short fw_pts[IPV6_FW_MAX_PORTS];␉/* Array of port numbers to match */␊
133	u_char fw_ip6opt,fw_ip6nopt;␉/* IPv6 options set/unset */␊
134	u_char fw_tcpf,fw_tcpnf;␉␉/* TCP flags set/unset */␊
135	#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))␊
136	unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */␊
137	long timestamp;␉␉␉/* timestamp (tv_sec) of last match */␊
138	union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */␊
139	union {␊
140	␉u_short fu_divert_port;␉␉/* Divert/tee port (options IP6DIVERT) */␊
141	␉u_short fu_skipto_rule;␉␉/* SKIPTO command rule number */␊
142	␉u_short fu_reject_code;␉␉/* REJECT response code */␊
143	} fw_un;␊
144	u_char fw_prot;␉␉␉/* IPv6 protocol */␊
145	u_char fw_nports;␉␉␉/* N'of src ports and # of dst ports */␊
146	␉␉␉␉␉/* in ports array (dst ports follow */␊
147	␉␉␉␉␉/* src ports; max of 10 ports in all; */␊
148	␉␉␉␉␉/* count of 0 means match all ports) */␊
149	};␊
150	␊
151	␊
152	#define IPV6_FW_GETNSRCP(rule)␉␉((rule)->fw_nports & 0x0f)␊
153	#define IPV6_FW_SETNSRCP(rule, n)␉␉do {␉␉␉␉\␊
154	␉␉␉␉␉ (rule)->fw_nports &= ~0x0f;␉\␊
155	␉␉␉␉␉ (rule)->fw_nports \|= (n);␉\␊
156	␉␉␉␉␉} while (0)␊
157	#define IPV6_FW_GETNDSTP(rule)␉␉((rule)->fw_nports >> 4)␊
158	#define IPV6_FW_SETNDSTP(rule, n)␉␉do {␉␉␉␉\␊
159	␉␉␉␉␉ (rule)->fw_nports &= ~0xf0;␉\␊
160	␉␉␉␉␉ (rule)->fw_nports \|= (n) << 4;\␊
161	␉␉␉␉␉} while (0)␊
162	␊
163	#define fw_divert_port␉fw_un.fu_divert_port␊
164	#define fw_skipto_rule␉fw_un.fu_skipto_rule␊
165	#define fw_reject_code␉fw_un.fu_reject_code␊
166	␊
167	struct ip6_fw_chain {␊
168	LIST_ENTRY(ip6_fw_chain) chain;␊
169	struct ip6_fw *rule;␊
170	};␊
171	␊
172	/*␊
173	* Values for "flags" field .␊
174	*/␊
175	#define IPV6_FW_F_IN␉0x0001␉/* Check inbound packets␉␉*/␊
176	#define IPV6_FW_F_OUT␉0x0002␉/* Check outbound packets␉␉*/␊
177	#define IPV6_FW_F_IIFACE␉0x0004␉/* Apply inbound interface test␉␉*/␊
178	#define IPV6_FW_F_OIFACE␉0x0008␉/* Apply outbound interface test␉*/␊
179	␊
180	#define IPV6_FW_F_COMMAND 0x0070␉/* Mask for type of chain entry:␉*/␊
181	#define IPV6_FW_F_DENY␉0x0000␉/* This is a deny rule␉␉␉*/␊
182	#define IPV6_FW_F_REJECT␉0x0010␉/* Deny and send a response packet␉*/␊
183	#define IPV6_FW_F_ACCEPT␉0x0020␉/* This is an accept rule␉␉*/␊
184	#define IPV6_FW_F_COUNT␉0x0030␉/* This is a count rule␉␉␉*/␊
185	#define IPV6_FW_F_DIVERT␉0x0040␉/* This is a divert rule␉␉*/␊
186	#define IPV6_FW_F_TEE␉0x0050␉/* This is a tee rule␉␉␉*/␊
187	#define IPV6_FW_F_SKIPTO␉0x0060␉/* This is a skipto rule␉␉*/␊
188	␊
189	#define IPV6_FW_F_PRN␉0x0080␉/* Print if this rule matches␉␉*/␊
190	␊
191	#define IPV6_FW_F_SRNG␉0x0100␉/* The first two src ports are a min␉*␊
192	␉␉␉␉ * and max range (stored in host byte␉*␊
193	␉␉␉␉ * order).␉␉␉␉*/␊
194	␊
195	#define IPV6_FW_F_DRNG␉0x0200␉/* The first two dst ports are a min␉*␊
196	␉␉␉␉ * and max range (stored in host byte␉*␊
197	␉␉␉␉ * order).␉␉␉␉*/␊
198	␊
199	#define IPV6_FW_F_IIFNAME␉0x0400␉/* In interface by name/unit (not IP)␉*/␊
200	#define IPV6_FW_F_OIFNAME␉0x0800␉/* Out interface by name/unit (not IP)␉*/␊
201	␊
202	#define IPV6_FW_F_INVSRC␉0x1000␉/* Invert sense of src check␉␉*/␊
203	#define IPV6_FW_F_INVDST␉0x2000␉/* Invert sense of dst check␉␉*/␊
204	␊
205	#define IPV6_FW_F_FRAG␉0x4000␉/* Fragment␉␉␉␉*/␊
206	␊
207	#define IPV6_FW_F_ICMPBIT 0x8000␉/* ICMP type bitmap is valid␉␉*/␊
208	␊
209	#define IPV6_FW_F_MASK␉0xFFFF␉/* All possible flag bits mask␉␉*/␊
210	␊
211	/* ␊
212	* Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */␊
213	#define␉IPV6_FW_IF_TCPEST 0x00000020␉/* established TCP connection␉*/␊
214	#define IPV6_FW_IF_TCPMSK 0x00000020␉/* mask of all TCP values */␊
215	␊
216	/*␊
217	* For backwards compatibility with rules specifying "via iface" but␊
218	* not restricted to only "in" or "out" packets, we define this combination␊
219	* of bits to represent this configuration.␊
220	*/␊
221	␊
222	#define IF6_FW_F_VIAHACK␉(IPV6_FW_F_IN\|IPV6_FW_F_OUT\|IPV6_FW_F_IIFACE\|IPV6_FW_F_OIFACE)␊
223	␊
224	/*␊
225	* Definitions for REJECT response codes.␊
226	* Values less than 256 correspond to ICMP unreachable codes.␊
227	*/␊
228	#define IPV6_FW_REJECT_RST␉0x0100␉␉/* TCP packets: send RST */␊
229	␊
230	/*␊
231	* Definitions for IPv6 option names.␊
232	*/␊
233	#define IPV6_FW_IP6OPT_HOPOPT␉0x01␊
234	#define IPV6_FW_IP6OPT_ROUTE␉0x02␊
235	#define IPV6_FW_IP6OPT_FRAG␉0x04␊
236	#define IPV6_FW_IP6OPT_ESP␉0x08␊
237	#define IPV6_FW_IP6OPT_AH␉0x10␊
238	#define IPV6_FW_IP6OPT_NONXT␉0x20␊
239	#define IPV6_FW_IP6OPT_OPTS␉0x40␊
240	␊
241	/*␊
242	* Definitions for TCP flags.␊
243	*/␊
244	#define IPV6_FW_TCPF_FIN␉TH_FIN␊
245	#define IPV6_FW_TCPF_SYN␉TH_SYN␊
246	#define IPV6_FW_TCPF_RST␉TH_RST␊
247	#define IPV6_FW_TCPF_PSH␉TH_PUSH␊
248	#define IPV6_FW_TCPF_ACK␉TH_ACK␊
249	#define IPV6_FW_TCPF_URG␉TH_URG␊
250	␊
251	/*␊
252	* Main firewall chains definitions and global var's definitions.␊
253	*/␊
254	␊
255	#endif /* _IP6_FW_H */␊
256

Download this file