X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/1c79356b52d46aa6b508fb032f5ae709b1f2897b..935ed37a5c468c8a1c07408573c08b8b7ef80e8b:/bsd/netinet6/ip6_fw.h?ds=inline
diff --git a/bsd/netinet6/ip6_fw.h b/bsd/netinet6/ip6_fw.h
index 59c1fd933..1d996fef1 100644
--- a/bsd/netinet6/ip6_fw.h
+++ b/bsd/netinet6/ip6_fw.h
@@ -1,5 +1,30 @@
-/* $KAME: ip6_fw.h,v 1.2 2000/02/22 14:04:21 itojun Exp $ */
-
+/*
+ * Copyright (c) 2002 Apple Computer, Inc. All rights reserved.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
+ *
+ * This file contains Original Code and/or Modifications of Original Code
+ * as defined in and that are subject to the Apple Public Source License
+ * Version 2.0 (the 'License'). You may not use this file except in
+ * compliance with the License. The rights granted to you under the License
+ * may not be used to create, or enable the creation or redistribution of,
+ * unlawful or unlicensed copies of an Apple operating system, or to
+ * circumvent, violate, or enable the circumvention or violation of, any
+ * terms of an Apple operating system software license agreement.
+ *
+ * Please obtain a copy of the License at
+ * http://www.opensource.apple.com/apsl/ and read it before using this file.
+ *
+ * The Original Code and all software distributed under the License are
+ * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
+ * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
+ * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
+ * Please see the License for the specific language governing rights and
+ * limitations under the License.
+ *
+ * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
+ */
 /*
  * Copyright (c) 1993 Daniel Boulet
  * Copyright (c) 1994 Ugen J.S.Antsilevich
@@ -18,8 +43,51 @@
 #ifndef _IP6_FW_H
 #define _IP6_FW_H
+/*
+ * Define IPv6 Firewall event subclass, and associated events.
+ */
+
+/*!
+ @defined KEV_IP6FW_SUBCLASS
+ @discussion The kernel event subclass for IPv6 Firewall.
+*/
+#define KEV_IP6FW_SUBCLASS 2
+
+/*!
+ @defined KEV_IP6FW_ADD
+ @discussion The event code indicating a rule has been added.
+*/
+#define KEV_IP6FW_ADD 1
+
+/*!
+ @defined KEV_IP6FW_DEL
+ @discussion The event code indicating a rule has been removed.
+*/
+#define KEV_IP6FW_DEL 2
+
+/*!
+ @defined KEV_IP6FW_FLUSH
+ @discussion The event code indicating the rule set has been flushed.
+*/
+#define KEV_IP6FW_FLUSH 3
+
+/*!
+ @defined KEV_IP6FW_FLUSH
+ @discussion The event code indicating the enable flag has been changed
+*/
+#define KEV_IP6FW_ENABLE 4
+
+
+
+#if !__LP64__
+
+#include
+
 #include
+#define IPV6_FW_CURRENT_API_VERSION 20 /* Version of this API */
+
+
 /*
  * This union structure identifies an interface, either explicitly
  * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
@@ -36,8 +104,8 @@ union ip6_fw_if {
 struct in6_addr fu_via_ip6; /* Specified by IPv6 address */
 struct { /* Specified by interface name */
-#define FW_IFNLEN IFNAMSIZ
- char name[FW_IFNLEN];
+#define IP6FW_IFNLEN IFNAMSIZ
+ char name[IP6FW_IFNLEN];
 short unit; /* -1 means match any unit */
 } fu_via_if;
 };
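Review bot: The HeaderDoc block above `#define KEV_IP6FW_ENABLE 4` still carries the FLUSH tag, `@defined KEV_IP6FW_FLUSH`, so ENABLE is never documented under its own name; it should read `@defined KEV_IP6FW_ENABLE`, and its `@discussion` line is the only one of the five without a terminating full stop. The new `#if !__LP64__` wraps everything that follows without saying why; a comment such as `/* The rule ABI below uses pointer- and long-sized fields and is only defined for 32-bit builds. */` would spare the next reader a search. That reason is my inference from the fields of `struct ip6_fw`, so confirm it before committing to the wording. `IPV6_FW_CURRENT_API_VERSION` should likewise say what the kernel does with a mismatching `version`, once that behaviour in ip6_fw.c (not in this diff) has been confirmed.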
@@ -52,16 +120,21 @@ union ip6_fw_if {
  */
 struct ip6_fw {
+ u_int32_t version; /* Version of this structure. Should always be */
+ /* set to IP6_FW_CURRENT_API_VERSION by clients. */
+ void *context; /* Context that is usable by user processes to */
+ /* identify this rule. */
 u_long fw_pcnt,fw_bcnt; /* Packet and byte counters */
 struct in6_addr fw_src, fw_dst; /* Source and destination IPv6 addr */
 struct in6_addr fw_smsk, fw_dmsk; /* Mask for src and dest IPv6 addr */
 u_short fw_number; /* Rule number */
 u_short fw_flg; /* Flags word */
 #define IPV6_FW_MAX_PORTS 10 /* A reasonable maximum */
+ u_int fw_ipflg; /* IP flags word */
 u_short fw_pts[IPV6_FW_MAX_PORTS]; /* Array of port numbers to match */
 u_char fw_ip6opt,fw_ip6nopt; /* IPv6 options set/unset */
 u_char fw_tcpf,fw_tcpnf; /* TCP flags set/unset */
-#define IPV6_FW_ICMPTYPES_DIM (32 / (sizeof(unsigned) * 8))
+#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
 unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
 long timestamp; /* timestamp (tv_sec) of last match */
 union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
@@ -136,6 +209,11 @@ struct ip6_fw_chain {
 #define IPV6_FW_F_MASK 0xFFFF /* All possible flag bits mask */
+/*
+ * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */
+#define IPV6_FW_IF_TCPEST 0x00000020 /* established TCP connection */
+#define IPV6_FW_IF_TCPMSK 0x00000020 /* mask of all TCP values */
+
 /*
  * For backwards compatibility with rules specifying "via iface" but
  * not restricted to only "in" or "out" packets, we define this combination
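Review bot: The comment on the new `version` field tells clients to set `IP6_FW_CURRENT_API_VERSION`, but the macro this commit defines is `IPV6_FW_CURRENT_API_VERSION`; a client following the comment gets an undeclared identifier, so the comment should name the real macro. Because `struct ip6_fw` is the structure handed to the kernel through the firewall control socket option and its size changes here (two new leading fields, `fw_ipflg`, and `fw_icmp6types` growing from 32 to 256 bits), the control path should compare the option length with `sizeof(struct ip6_fw)` and `version` with `IPV6_FW_CURRENT_API_VERSION` before reading any other field; that code lives in ip6_fw.c outside this diff, so I can only ask that it be confirmed. `void *context` is a user-supplied, pointer-sized value, and its comment should say how the kernel treats it, e.g. `/* Opaque user-supplied cookie; stored and returned as-is, never dereferenced by the kernel. */` — verify against ip6_fw.c that this is how it is used.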
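Review bot: `IPV6_FW_IF_TCPEST` is described only as `established TCP connection`, which overstates what a stateless packet filter can know; if it is implemented the way ipfw's `established` keyword is (match any segment with ACK or RST set), a single forged ACK satisfies the rule, so the comment should say so, e.g. `/* TCP segment with ACK or RST set; not a connection-state match */`. The matching code is not in this hunk, so confirm the semantics before wording it. Closing the `Flags for the 'fw_ipflg' field` block comment on its own line, as the rest of the file does, would also stop the trailing `*/` from reading like a typo.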
@@ -170,36 +248,14 @@ struct ip6_fw_chain {
 #define IPV6_FW_TCPF_PSH TH_PUSH
 #define IPV6_FW_TCPF_ACK TH_ACK
 #define IPV6_FW_TCPF_URG TH_URG
-#define IPV6_FW_TCPF_ESTAB 0x40
-
-/*
- * Names for IPV6_FW sysctl objects
- */
-#define IP6FWCTL_DEBUG 1
-#define IP6FWCTL_VERBOSE 2
-#define IP6FWCTL_VERBLIMIT 3
-#define IP6FWCTL_MAXID 4
-
-#define IP6FWCTL_NAMES { \
- { 0, 0 }, \
- { 0, 0 }, \
- { "debug", CTLTYPE_INT }, \
- { "verbose", CTLTYPE_INT }, \
- { "verbose_limit", CTLTYPE_INT }, \
-}
-
-#define IP6FWCTL_VARS { \
- 0, \
- 0, \
- &fw6_debug, \
- &fw6_verbose, \
- &fw6_verbose_limit, \
-}
 /*
  * Main firewall chains definitions and global var's definitions.
  */
-#if KERNEL
+#ifdef KERNEL_PRIVATE
+
+#define M_IP6FW M_IPFW
+
 /*
  * Function definitions.
@@ -208,12 +264,15 @@ void ip6_fw_init(void);
 /* Firewall hooks */
 struct ip6_hdr;
-typedef int ip6_fw_chk_t __P((struct ip6_hdr**, struct ifnet*,
- u_short *, struct mbuf**));
-typedef int ip6_fw_ctl_t __P((int, struct mbuf**));
+struct sockopt;
+typedef int ip6_fw_chk_t(struct ip6_hdr**, struct ifnet*,
+ u_short *, struct mbuf**);
+typedef int ip6_fw_ctl_t(struct sockopt *);
 extern ip6_fw_chk_t *ip6_fw_chk_ptr;
 extern ip6_fw_ctl_t *ip6_fw_ctl_ptr;
+extern int ip6_fw_enable;
-#endif /* KERNEL */
+#endif /* KERNEL_PRIVATE */
+#endif /* !__LP64__ */
 #endif /* _IP6_FW_H */
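Review bot: `#define M_IP6FW M_IPFW` makes every IPv6 firewall allocation account against the IPv4 firewall's malloc type with no comment explaining the choice, so anyone reading kernel memory statistics will find no IPv6 bucket and nothing in this header tells them why. Add `/* Share the IPv4 firewall malloc type; both rule sets are accounted together. */` above it, or define a distinct type if separate accounting is wanted. Moving the old `IPV6_FW_TCPF_ESTAB` pseudo-flag out of the real TCP flag byte and into `fw_ipflg` is the right direction and needs nothing further here.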
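Review bot: `#endif /* !__LP64__ */` now closes after the `KERNEL_PRIVATE` section, so on a 64-bit kernel `ip6_fw_chk_ptr`, `ip6_fw_ctl_ptr` and `ip6_fw_enable` are not declared at all, and any ip6_input/ip6_output site that references them can only build if it is guarded the same way; if the intent is only that the user-visible `struct ip6_fw` is 32-bit-only, the guard should end before `#ifdef KERNEL_PRIVATE`. I cannot see the call sites from this hunk, so confirm which was intended. `extern int ip6_fw_enable` is added without a word about its meaning or who writes it; `/* Non-zero when the IPv6 firewall is engaged; see ip6_fw.c for where it is set. */` would help, and the sockopt-based `ip6_fw_ctl_t` should be noted as the untrusted-input entry point whose length and `version` checks live in ip6_fw.c.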