Annotation of XNU/bsd/netinet/ip_fw.h, revision 1.1.1.1

1.1       root        1: /*
                      2:  * Copyright (c) 2000 Apple Computer, Inc. All rights reserved.
                      3:  *
                      4:  * @APPLE_LICENSE_HEADER_START@
                      5:  * 
                      6:  * The contents of this file constitute Original Code as defined in and
                      7:  * are subject to the Apple Public Source License Version 1.1 (the
                      8:  * "License").  You may not use this file except in compliance with the
                      9:  * License.  Please obtain a copy of the License at
                     10:  * http://www.apple.com/publicsource and read it before using this file.
                     11:  * 
                     12:  * This Original Code and all software distributed under the License are
                     13:  * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER
                     14:  * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
                     15:  * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
                     16:  * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT.  Please see the
                     17:  * License for the specific language governing rights and limitations
                     18:  * under the License.
                     19:  * 
                     20:  * @APPLE_LICENSE_HEADER_END@
                     21:  */
                     22: /*
                     23:  * Copyright (c) 1993 Daniel Boulet
                     24:  * Copyright (c) 1994 Ugen J.S.Antsilevich
                     25:  *
                     26:  * Redistribution and use in source forms, with and without modification,
                     27:  * are permitted provided that this entire comment appears intact.
                     28:  *
                     29:  * Redistribution in binary form may occur without any restrictions.
                     30:  * Obviously, it would be nice if you gave credit where credit is due
                     31:  * but requiring it would be too onerous.
                     32:  *
                     33:  * This software is provided ``AS IS'' without any warranties of any kind.
                     34:  *
                     35:  */
                     36: 
                     37: #ifndef _IP_FW_H
                     38: #define _IP_FW_H
                     39: 
                     40: #include <sys/queue.h>
                     41: 
/*
 * This union identifies an interface, either explicitly by name or
 * implicitly by IP address.  The flags IP_FW_F_IIFNAME and
 * IP_FW_F_OIFNAME say how to interpret this structure.  An interface
 * unit number of -1 matches any unit number, while an IP address of
 * 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set.  Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */

union ip_fw_if {
    struct in_addr fu_via_ip;  /* Specified by IP address */
    struct {                   /* Specified by interface name */
#define FW_IFNLEN     10 /* need room ! was IFNAMSIZ */
           char  name[FW_IFNLEN];  /* NOTE(review): a full-length name leaves no room
                                    * for a NUL; compare with a bounded routine */
           short unit;         /* -1 means match any unit */
    } fu_via_if;
};
                     63: 
/*
 * Format of an IP firewall descriptor
 *
 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
 * fw_flg and fw_n*p are stored in host byte order (of course).
 * Port numbers are stored in HOST byte order.
 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
 *
 * fw_nports packs two 4-bit counts: the number of source ports in the
 * low nibble and the number of destination ports in the high nibble
 * (see the IP_FW_GETNSRCP / IP_FW_SETNDSTP macros below).
 *
 * NOTE(review): this structure is carried across the user/kernel
 * boundary by setsockopt().  pipe_ptr and next_rule_ptr are
 * kernel-internal; any value supplied from user space for them must be
 * ignored, and they should not be handed back unchanged - verify in the
 * control-path code.
 */

struct ip_fw {
    u_int64_t fw_pcnt,fw_bcnt;         /* Packet and byte counters */
    struct in_addr fw_src, fw_dst;     /* Source and destination IP addr */
    struct in_addr fw_smsk, fw_dmsk;   /* Mask for src and dest IP addr */
    u_short fw_number;                 /* Rule number */
    u_int fw_flg;                      /* Flags word (IP_FW_F_* values below) */
#define IP_FW_MAX_PORTS        10              /* A reasonable maximum */
       union {                         /* Ports or ICMP bitmap; IP_FW_F_ICMPBIT selects */
       u_short fw_pts[IP_FW_MAX_PORTS];        /* Array of port numbers to match */
#define IP_FW_ICMPTYPES_MAX    128
#define IP_FW_ICMPTYPES_DIM    (IP_FW_ICMPTYPES_MAX / (sizeof(unsigned) * 8))
       unsigned fw_icmptypes[IP_FW_ICMPTYPES_DIM]; /* ICMP types bitmap (128 bits) */
       } fw_uar;
    u_char fw_ipopt,fw_ipnopt;         /* IP options set/unset (IP_FW_IPOPT_* bits) */
    u_char fw_tcpf,fw_tcpnf;           /* TCP flags set/unset (IP_FW_TCPF_* bits) */
    long timestamp;                    /* timestamp (tv_sec) of last match */
    union ip_fw_if fw_in_if, fw_out_if;        /* Incoming and outgoing interfaces */
    union {                            /* Command argument; which member applies
                                        * depends on the command in fw_flg */
       u_short fu_divert_port;         /* Divert/tee port (options IPDIVERT) */
       u_short fu_pipe_nr;             /* pipe number (option DUMMYNET) */
       u_short fu_skipto_rule;         /* SKIPTO command rule number */
       u_short fu_reject_code;         /* REJECT response code */
       struct sockaddr_in fu_fwd_ip;   /* FWD target address */
    } fw_un;
    u_char fw_prot;                    /* IP protocol */
    u_char fw_nports;                  /* N'of src ports and # of dst ports */
                                       /* in ports array (dst ports follow */
                                       /* src ports; max of 10 ports in all; */
                                       /* count of 0 means match all ports) */
    void *pipe_ptr;                    /* Pipe ptr in case of dummynet pipe (kernel-internal) */
    void *next_rule_ptr ;              /* next rule in case of match (kernel-internal) */
};
                    105: 
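/*
 * Accessors for the two 4-bit port counts packed into fw_nports:
 * the source-port count lives in the low nibble, the destination-port
 * count in the high nibble.  The setters mask n to 4 bits so that an
 * out-of-range count can never spill into the other nibble (the
 * unmasked IP_FW_SETNSRCP would OR stray high bits into the dst count).
 * rule is evaluated twice; pass a side-effect-free expression.
 */
#define IP_FW_GETNSRCP(rule)           ((rule)->fw_nports & 0x0f)
#define IP_FW_SETNSRCP(rule, n)                do {                            \
                                         (rule)->fw_nports &= ~0x0f;   \
                                         (rule)->fw_nports |= ((n) & 0x0f); \
                                       } while (0)
#define IP_FW_GETNDSTP(rule)           ((rule)->fw_nports >> 4)
#define IP_FW_SETNDSTP(rule, n)                do {                            \
                                         (rule)->fw_nports &= ~0xf0;   \
                                         (rule)->fw_nports |= ((n) & 0x0f) << 4; \
                                       } while (0)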
                    116: 
/* Convenience aliases for the members of the fw_un union in struct ip_fw. */
#define fw_divert_port fw_un.fu_divert_port
#define fw_skipto_rule fw_un.fu_skipto_rule
#define fw_reject_code fw_un.fu_reject_code
#define fw_pipe_nr     fw_un.fu_pipe_nr
#define fw_fwd_ip      fw_un.fu_fwd_ip
                    122: 
/*
 * One node of the firewall rule list: a LIST_ENTRY link (sys/queue.h)
 * plus a pointer to the rule carried by this node.
 */
struct ip_fw_chain {
        LIST_ENTRY(ip_fw_chain) chain;  /* linkage in the rule list */
        struct ip_fw    *rule;          /* rule carried by this node */
};
                    127: 
/*
 * Values for the fw_flg "flags" field.
 *
 * The low byte (IP_FW_F_COMMAND) holds exactly one command value,
 * IP_FW_F_DENY through IP_FW_F_PIPE; these are enumerated values, not
 * independent bits.  The remaining bits are independent match/option
 * flags.  IP_FW_F_MASK covers every bit defined here; a flags word with
 * any bit outside it is malformed and is best rejected when a rule is
 * loaded.
 */
#define IP_FW_F_COMMAND 0x000000ff     /* Mask for type of chain entry:        */
#define IP_FW_F_DENY   0x00000000      /* This is a deny rule                  */
#define IP_FW_F_REJECT 0x00000001      /* Deny and send a response packet      */
#define IP_FW_F_ACCEPT 0x00000002      /* This is an accept rule               */
#define IP_FW_F_COUNT  0x00000003      /* This is a count rule                 */
#define IP_FW_F_DIVERT 0x00000004      /* This is a divert rule                */
#define IP_FW_F_TEE    0x00000005      /* This is a tee rule                   */
#define IP_FW_F_SKIPTO 0x00000006      /* This is a skipto rule                */
#define IP_FW_F_FWD    0x00000007      /* This is a "change forwarding address" rule */
#define IP_FW_F_PIPE   0x00000008      /* This is a dummynet rule */

#define IP_FW_F_IN     0x00000100      /* Check inbound packets                */
#define IP_FW_F_OUT    0x00000200      /* Check outbound packets               */
#define IP_FW_F_IIFACE 0x00000400      /* Apply inbound interface test         */
#define IP_FW_F_OIFACE 0x00000800      /* Apply outbound interface test        */

#define IP_FW_F_PRN    0x00001000      /* Print if this rule matches           */

#define IP_FW_F_SRNG   0x00002000      /* The first two src ports are a min    *
                                        * and max range (stored in host byte   *
                                        * order).                              */

#define IP_FW_F_DRNG   0x00004000      /* The first two dst ports are a min    *
                                        * and max range (stored in host byte   *
                                        * order).                              */

#define IP_FW_F_FRAG   0x00008000      /* Fragment                             */

#define IP_FW_F_IIFNAME        0x00010000      /* In interface by name/unit (not IP)   */
#define IP_FW_F_OIFNAME        0x00020000      /* Out interface by name/unit (not IP)  */

#define IP_FW_F_INVSRC 0x00040000      /* Invert sense of src check            */
#define IP_FW_F_INVDST 0x00080000      /* Invert sense of dst check            */

#define IP_FW_F_ICMPBIT 0x00100000     /* ICMP type bitmap is valid            */

#define IP_FW_F_MASK   0x001FFFFF      /* All possible flag bits mask (bits 0-20) */
                    168: 
/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 *
 * (The IF_FW_F_ prefix differs from the IP_FW_F_ prefix used by every
 * other flag; the spelling is kept because the name is public.)
 */

#define IF_FW_F_VIAHACK        (IP_FW_F_IN|IP_FW_F_OUT|IP_FW_F_IIFACE|IP_FW_F_OIFACE)
                    176: 
/*
 * Definitions for REJECT response codes (stored in fw_reject_code).
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IP_FW_REJECT_RST       0x0100          /* TCP packets: send RST */
                    182: 
/*
 * Definitions for IP option names.
 * These are bit values used in fw_ipopt (must be set) and fw_ipnopt
 * (must be clear).
 */
#define IP_FW_IPOPT_LSRR       0x01    /* loose source route */
#define IP_FW_IPOPT_SSRR       0x02    /* strict source route */
#define IP_FW_IPOPT_RR         0x04    /* record route */
#define IP_FW_IPOPT_TS         0x08    /* timestamp */
                    190: 
/*
 * Definitions for TCP flags.
 * Bit values used in fw_tcpf (must be set) and fw_tcpnf (must be clear).
 * The first six alias the TH_* header bits; IP_FW_TCPF_ESTAB is a
 * firewall-private value rather than a TCP header bit.
 */
#define IP_FW_TCPF_FIN         TH_FIN
#define IP_FW_TCPF_SYN         TH_SYN
#define IP_FW_TCPF_RST         TH_RST
#define IP_FW_TCPF_PSH         TH_PUSH
#define IP_FW_TCPF_ACK         TH_ACK
#define IP_FW_TCPF_URG         TH_URG
#define IP_FW_TCPF_ESTAB       0x40    /* "established" pseudo-flag, not a TH_ bit */
                    201: 
/*
 * Main firewall chains definitions and global var's definitions.
 *
 * The firewall and NAT are reached through global function pointers
 * rather than direct calls, so they can be absent or replaced at run
 * time.  NOTE(review): presumably a NULL pointer means the facility is
 * not installed - confirm at the call sites before relying on it.
 */
#ifdef KERNEL

/*
 * Function definitions.
 */
void ip_fw_init __P((void));        /* __P(): K&R/ANSI prototype compatibility macro */

/* Firewall hooks */
struct ip;
struct sockopt;
/*
 * Packet check hook.  Arguments, by type: the IP header, an int,
 * the interface, a 16-bit value, the mbuf chain, the rule chain and a
 * sockaddr_in; the double pointers allow the callee to replace what
 * they point at.  The meaning of the int and the 16-bit value is not
 * established here - see the implementation.
 */
typedef        int ip_fw_chk_t __P((struct ip **, int, struct ifnet *, u_int16_t *,
            struct mbuf **, struct ip_fw_chain **, struct sockaddr_in **));
typedef        int ip_fw_ctl_t __P((struct sockopt *));   /* setsockopt/getsockopt control hook */
extern ip_fw_chk_t *ip_fw_chk_ptr;
extern ip_fw_ctl_t *ip_fw_ctl_ptr;

/* IP NAT hooks */
typedef        int ip_nat_t __P((struct ip **, struct mbuf **, struct ifnet *, int));
typedef        int ip_nat_ctl_t __P((struct sockopt *));  /* NAT control hook */
extern ip_nat_t *ip_nat_ptr;
extern ip_nat_ctl_t *ip_nat_ctl_ptr;
/* NOTE(review): likely the values passed as ip_nat_t's trailing int - confirm */
#define        IP_NAT_IN       0x00000001
#define        IP_NAT_OUT      0x00000002

#endif /* KERNEL */
                    230: 
                    231: #endif /* _IP_FW_H */
