-/* $KAME: ip6_fw.h,v 1.2 2000/02/22 14:04:21 itojun Exp $ */
-
+/*
+ * Copyright (c) 2002 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
/*
* Copyright (c) 1993 Daniel Boulet
* Copyright (c) 1994 Ugen J.S.Antsilevich
#ifndef _IP6_FW_H
#define _IP6_FW_H
+/*
+ * Define IPv6 Firewall event subclass, and associated events.
+ */
+
+/*!
+ @defined KEV_IP6FW_SUBCLASS
+ @discussion The kernel event subclass for IPv6 Firewall.
+*/
+#define KEV_IP6FW_SUBCLASS 2
+
+/*!
+ @defined KEV_IP6FW_ADD
+ @discussion The event code indicating a rule has been added.
+*/
+#define KEV_IP6FW_ADD 1
+
+/*!
+ @defined KEV_IP6FW_DEL
+ @discussion The event code indicating a rule has been removed.
+*/
+#define KEV_IP6FW_DEL 2
+
+/*!
+ @defined KEV_IP6FW_FLUSH
+ @discussion The event code indicating the rule set has been flushed.
+*/
+#define KEV_IP6FW_FLUSH 3
+
+/*!
+ @defined KEV_IP6FW_FLUSH
+ @discussion The event code indicating the enable flag has been changed
+*/
+#define KEV_IP6FW_ENABLE 4
+
+
+
+#if !__LP64__
+
+#include <sys/appleapiopts.h>
+
#include <net/if.h>
+#define IPV6_FW_CURRENT_API_VERSION 20 /* Version of this API */
+
+
/*
* This union structure identifies an interface, either explicitly
* by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
union ip6_fw_if {
struct in6_addr fu_via_ip6; /* Specified by IPv6 address */
struct { /* Specified by interface name */
-#define FW_IFNLEN IFNAMSIZ
- char name[FW_IFNLEN];
+#define IP6FW_IFNLEN IFNAMSIZ
+ char name[IP6FW_IFNLEN];
short unit; /* -1 means match any unit */
} fu_via_if;
};
*/
struct ip6_fw {
+ u_int32_t version; /* Version of this structure. Should always be */
+ /* set to IP6_FW_CURRENT_API_VERSION by clients. */
+ void *context; /* Context that is usable by user processes to */
+ /* identify this rule. */
u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
struct in6_addr fw_src, fw_dst; /* Source and destination IPv6 addr */
struct in6_addr fw_smsk, fw_dmsk; /* Mask for src and dest IPv6 addr */
u_short fw_number; /* Rule number */
u_short fw_flg; /* Flags word */
#define IPV6_FW_MAX_PORTS 10 /* A reasonable maximum */
+ u_int fw_ipflg; /* IP flags word */
u_short fw_pts[IPV6_FW_MAX_PORTS]; /* Array of port numbers to match */
u_char fw_ip6opt,fw_ip6nopt; /* IPv6 options set/unset */
u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
-#define IPV6_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
+#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
long timestamp; /* timestamp (tv_sec) of last match */
union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
#define IPV6_FW_F_MASK 0xFFFF /* All possible flag bits mask */
+/*
+ * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */
+#define IPV6_FW_IF_TCPEST 0x00000020 /* established TCP connection */
+#define IPV6_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */
+
/*
* For backwards compatibility with rules specifying "via iface" but
* not restricted to only "in" or "out" packets, we define this combination
#define IPV6_FW_TCPF_PSH TH_PUSH
#define IPV6_FW_TCPF_ACK TH_ACK
#define IPV6_FW_TCPF_URG TH_URG
-#define IPV6_FW_TCPF_ESTAB 0x40
-
-/*
- * Names for IPV6_FW sysctl objects
- */
-#define IP6FWCTL_DEBUG 1
-#define IP6FWCTL_VERBOSE 2
-#define IP6FWCTL_VERBLIMIT 3
-#define IP6FWCTL_MAXID 4
-
-#define IP6FWCTL_NAMES { \
- { 0, 0 }, \
- { 0, 0 }, \
- { "debug", CTLTYPE_INT }, \
- { "verbose", CTLTYPE_INT }, \
- { "verbose_limit", CTLTYPE_INT }, \
-}
-
-#define IP6FWCTL_VARS { \
- 0, \
- 0, \
- &fw6_debug, \
- &fw6_verbose, \
- &fw6_verbose_limit, \
-}
/*
* Main firewall chains definitions and global var's definitions.
*/
-#if KERNEL
+#ifdef KERNEL_PRIVATE
+
+#define M_IP6FW M_IPFW
+
/*
* Function definitions.
/* Firewall hooks */
struct ip6_hdr;
-typedef int ip6_fw_chk_t __P((struct ip6_hdr**, struct ifnet*,
- u_short *, struct mbuf**));
-typedef int ip6_fw_ctl_t __P((int, struct mbuf**));
+struct sockopt;
+typedef int ip6_fw_chk_t(struct ip6_hdr**, struct ifnet*,
+ u_short *, struct mbuf**);
+typedef int ip6_fw_ctl_t(struct sockopt *);
extern ip6_fw_chk_t *ip6_fw_chk_ptr;
extern ip6_fw_ctl_t *ip6_fw_ctl_ptr;
+extern int ip6_fw_enable;
-#endif /* KERNEL */
+#endif /* KERNEL_PRIVATE */
+#endif /* !__LP64__ */
#endif /* _IP6_FW_H */
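Review bot: The HeaderDoc block above `#define KEV_IP6FW_ENABLE 4` names the wrong macro — its `@defined KEV_IP6FW_FLUSH` line should read `@defined KEV_IP6FW_ENABLE`, otherwise the "enable flag has been changed" description is attached to the flush event. The comment on the new `version` field of `struct ip6_fw` tells clients to set `IP6_FW_CURRENT_API_VERSION`, but the macro this header actually defines is `IPV6_FW_CURRENT_API_VERSION`; the comment should name the macro that exists. Since `struct ip6_fw` now arrives through `ip6_fw_ctl_t(struct sockopt *)`, the `context` pointer is user-supplied and presumably only echoed back to the caller; a comment such as `/* opaque to the kernel; never dereferenced */` would make that contract explicit. The change of `IPV6_FW_ICMPTYPES_DIM` from 32 to 256 bits alters the struct size, so the receiving code (outside this header) should compare `version` against `IPV6_FW_CURRENT_API_VERSION` and the copied-in length against `sizeof(struct ip6_fw)` before interpreting any other field.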