/*
 * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * The contents of this file constitute Original Code as defined in and
 * are subject to the Apple Public Source License Version 1.1 (the
 * "License"). You may not use this file except in compliance with the
 * License. Please obtain a copy of the License at
 * http://www.apple.com/publicsource and read it before using this file.
 *
 * This Original Code and all software distributed under the License are
 * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the
 * License for the specific language governing rights and limitations
 * under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */
/*
 * Copyright (c) 1993 Daniel Boulet
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 */

/*
 * ip_fw.h -- shared kernel/userland definitions for the IP firewall:
 * the rule descriptor (struct ip_fw), its flag and command encodings,
 * the in-kernel chain entry, and (under KERNEL) the hook pointers through
 * which the packet filter and NAT are attached.
 *
 * struct ip_fw is the payload of the firewall setsockopt() (see the note
 * on MLEN below), so on entry to the kernel every field of it is
 * user-controlled.  Counts and rule numbers carried in it (fw_nports,
 * fw_number, fw_skipto_rule) are therefore untrusted until range-checked;
 * that validation lives in the filter implementation, not in this header.
 */

#ifndef _IP_FW_H
#define _IP_FW_H

#include <sys/queue.h>

/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against
 * the packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 *
 * NOTE(review): name[] is a fixed FW_IFNLEN-byte array and nothing in
 * this header guarantees it is NUL-terminated when it arrives from
 * userland; consumers should compare it with a length bound of
 * FW_IFNLEN rather than treat it as a C string -- confirm in the
 * filter code.
 */

union ip_fw_if {
	struct in_addr fu_via_ip;	/* Specified by IP address */
	struct {			/* Specified by interface name */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ */
		char name[FW_IFNLEN];
		short unit;		/* -1 means match any unit */
	} fu_via_if;
};

/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
 *
 * Layout notes: this struct is an ABI between ipfw(8) and the kernel;
 * do not reorder or resize members.  `timestamp` is declared `long`,
 * whose width differs between ABIs, so sizeof(struct ip_fw) is
 * ABI-dependent.  fw_uar is interpreted as a port array unless
 * IP_FW_F_ICMPBIT is set in fw_flg, in which case it is the ICMP type
 * bitmap; fw_un is interpreted according to the command in
 * (fw_flg & IP_FW_F_COMMAND).
 */

struct ip_fw {
	u_int64_t fw_pcnt,fw_bcnt;		/* Packet and byte counters */
	struct in_addr fw_src, fw_dst;		/* Source and destination IP addr */
	struct in_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IP addr */
	u_short fw_number;			/* Rule number */
	u_int fw_flg;				/* Flags word (IP_FW_F_*) */
#define IP_FW_MAX_PORTS	10		/* A reasonable maximum */
	union {
	u_short fw_pts[IP_FW_MAX_PORTS];	/* Array of port numbers to match */
#define IP_FW_ICMPTYPES_MAX	128
	/* number of `unsigned` words needed for IP_FW_ICMPTYPES_MAX bits */
#define IP_FW_ICMPTYPES_DIM	(IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
	unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
	} fw_uar;
	u_char fw_ipopt,fw_ipnopt;		/* IP options set/unset (IP_FW_IPOPT_*) */
	u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset (IP_FW_TCPF_*) */
	long timestamp;				/* timestamp (tv_sec) of last match */
	union ip_fw_if fw_in_if, fw_out_if;	/* Incoming and outgoing interfaces */
	union {					/* command argument, selected by fw_flg */
	    u_short fu_divert_port;		/* Divert/tee port (options IPDIVERT) */
	    u_short fu_pipe_nr;			/* pipe number (option DUMMYNET) */
	    u_short fu_skipto_rule;		/* SKIPTO command rule number */
	    u_short fu_reject_code;		/* REJECT response code */
	    struct sockaddr_in fu_fwd_ip;	/* FWD target address */
	} fw_un;
	u_char fw_prot;				/* IP protocol */
	u_char fw_nports;			/* N'of src ports and # of dst ports */
						/* in ports array (dst ports follow */
						/* src ports; max of 10 ports in all; */
						/* count of 0 means match all ports) */
						/* packed as two nibbles; see the */
						/* IP_FW_GET/SETN{SRC,DST}P macros */
	/*
	 * NOTE(review): the two pointers below are kernel-internal caches,
	 * yet they are part of the struct that crosses the setsockopt()
	 * boundary.  Values supplied by userland in these fields must not be
	 * dereferenced; presumably the kernel overwrites them when a rule is
	 * installed -- confirm in the filter code.
	 */
	void *pipe_ptr;			/* Pipe ptr in case of dummynet pipe */
	void *next_rule_ptr ;		/* next rule in case of match */
};

/*
 * Accessors for the two nibbles of fw_nports: low nibble = number of
 * source ports, high nibble = number of destination ports.
 *
 * The setters do NOT mask `n`: IP_FW_SETNSRCP with n > 0x0f would set
 * bits in the destination nibble, and IP_FW_SETNDSTP with n > 0x0f is
 * truncated by the u_char.  Callers must pass n in 0..IP_FW_MAX_PORTS
 * and keep src + dst <= IP_FW_MAX_PORTS.  Readers of a rule received
 * from userland must check the same bound before indexing fw_pts[].
 */
#define IP_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0x0f;	\
					  (rule)->fw_nports |= (n);	\
					} while (0)
#define IP_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0xf0;	\
					  (rule)->fw_nports |= (n) << 4;\
					} while (0)

/* Convenience names for the members of the fw_un command-argument union. */
#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code
#define fw_pipe_nr	fw_un.fu_pipe_nr
#define fw_fwd_ip	fw_un.fu_fwd_ip

/*
 * In-kernel list node wrapping one installed rule (sys/queue.h LIST).
 */
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) chain;
        struct ip_fw    *rule;
};

/*
 * Values for "flags" field .
 *
 * The low byte (IP_FW_F_COMMAND) is an enumeration of the rule action;
 * the remaining bits are independent match/option flags.  Bits outside
 * IP_FW_F_MASK are undefined and should be rejected when a rule is
 * installed.
 */
#define IP_FW_F_COMMAND 0x000000ff	/* Mask for type of chain entry: */
#define IP_FW_F_DENY	0x00000000	/* This is a deny rule */
#define IP_FW_F_REJECT	0x00000001	/* Deny and send a response packet */
#define IP_FW_F_ACCEPT	0x00000002	/* This is an accept rule */
#define IP_FW_F_COUNT	0x00000003	/* This is a count rule */
#define IP_FW_F_DIVERT	0x00000004	/* This is a divert rule */
#define IP_FW_F_TEE	0x00000005	/* This is a tee rule */
#define IP_FW_F_SKIPTO	0x00000006	/* This is a skipto rule */
#define IP_FW_F_FWD	0x00000007	/* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE	0x00000008	/* This is a dummynet rule */

#define IP_FW_F_IN	0x00000100	/* Check inbound packets */
#define IP_FW_F_OUT	0x00000200	/* Check outbound packets */
#define IP_FW_F_IIFACE	0x00000400	/* Apply inbound interface test */
#define IP_FW_F_OIFACE	0x00000800	/* Apply outbound interface test */

#define IP_FW_F_PRN	0x00001000	/* Print if this rule matches */

#define IP_FW_F_SRNG	0x00002000	/* The first two src ports are a min *
					 * and max range (stored in host byte *
					 * order).                            */

#define IP_FW_F_DRNG	0x00004000	/* The first two dst ports are a min *
					 * and max range (stored in host byte *
					 * order).                            */

#define IP_FW_F_FRAG	0x00008000	/* Fragment */

#define IP_FW_F_IIFNAME	0x00010000	/* In interface by name/unit (not IP) */
#define IP_FW_F_OIFNAME	0x00020000	/* Out interface by name/unit (not IP) */

#define IP_FW_F_INVSRC	0x00040000	/* Invert sense of src check */
#define IP_FW_F_INVDST	0x00080000	/* Invert sense of dst check */

#define IP_FW_F_ICMPBIT 0x00100000	/* ICMP type bitmap is valid */

#define IP_FW_F_MASK	0x001FFFFF	/* All possible flag bits mask */

/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 *
 * (The identifier really is spelled IF_FW_F_VIAHACK, not IP_FW_F_...;
 * it is kept as-is because other code refers to it by this name.)
 */

#define IF_FW_F_VIAHACK	(IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)

/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 * Values of 256 and above are filter-specific pseudo-codes.
 */
#define IP_FW_REJECT_RST	0x0100		/* TCP packets: send RST */

/*
 * Definitions for IP option names.
 * Bit values used in fw_ipopt / fw_ipnopt.
 */
#define IP_FW_IPOPT_LSRR	0x01
#define IP_FW_IPOPT_SSRR	0x02
#define IP_FW_IPOPT_RR		0x04
#define IP_FW_IPOPT_TS		0x08

/*
 * Definitions for TCP flags.
 * Bit values used in fw_tcpf / fw_tcpnf; the first six alias the TH_*
 * header bits.  IP_FW_TCPF_ESTAB is an "established" pseudo-flag given
 * as a literal rather than a TH_ constant; how it is matched is defined
 * by the filter code, not here.
 */
#define IP_FW_TCPF_FIN		TH_FIN
#define IP_FW_TCPF_SYN		TH_SYN
#define IP_FW_TCPF_RST		TH_RST
#define IP_FW_TCPF_PSH		TH_PUSH
#define IP_FW_TCPF_ACK		TH_ACK
#define IP_FW_TCPF_URG		TH_URG
#define IP_FW_TCPF_ESTAB	0x40

/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef KERNEL

/*
 * Function definitions.
 * (__P() is the old-style prototype wrapper macro.)
 */
void ip_fw_init __P((void));

/*
 * Firewall hooks.  The filter is attached by storing a function into
 * ip_fw_chk_ptr (packet check) and ip_fw_ctl_ptr (setsockopt control);
 * a NULL pointer means no filter is loaded.  Whoever assigns these
 * pointers is effectively inserting code into the IP input/output path.
 */
struct ip;
struct sockopt;
typedef	int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
		struct mbuf **, struct ip_fw_chain **, struct sockaddr_in **));
typedef	int ip_fw_ctl_t __P((struct sockopt *));
extern	ip_fw_chk_t *ip_fw_chk_ptr;
extern	ip_fw_ctl_t *ip_fw_ctl_ptr;

/* IP NAT hooks; same attach-by-pointer scheme as the firewall hooks above */
typedef	int ip_nat_t __P((struct ip **, struct mbuf **, struct ifnet *, int));
typedef	int ip_nat_ctl_t __P((struct sockopt *));
extern	ip_nat_t *ip_nat_ptr;
extern	ip_nat_ctl_t *ip_nat_ctl_ptr;
#define	IP_NAT_IN	0x00000001	/* direction argument to ip_nat_t */
#define	IP_NAT_OUT	0x00000002

#endif /* KERNEL */

#endif /* _IP_FW_H */