1/* 2 * Copyright (c) 2008-2013 Apple Inc. All rights reserved. 3 * 4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ 5 * 6 * This file contains Original Code and/or Modifications of Original Code 7 * as defined in and that are subject to the Apple Public Source License 8 * Version 2.0 (the 'License'). You may not use this file except in 9 * compliance with the License. The rights granted to you under the License 10 * may not be used to create, or enable the creation or redistribution of, 11 * unlawful or unlicensed copies of an Apple operating system, or to 12 * circumvent, violate, or enable the circumvention or violation of, any 13 * terms of an Apple operating system software license agreement. 14 * 15 * Please obtain a copy of the License at 16 * http://www.opensource.apple.com/apsl/ and read it before using this file. 17 * 18 * The Original Code and all software distributed under the License are 19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER 20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, 21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, 22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. 23 * Please see the License for the specific language governing rights and 24 * limitations under the License. 25 * 26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ 27 */ 28 29/* 30 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa 31 * 32 * Redistribution and use in source and binary forms, with or without 33 * modification, are permitted provided that the following conditions 34 * are met: 35 * 1. Redistributions of source code must retain the above copyright 36 * notice, this list of conditions and the following disclaimer. 37 * 2. Redistributions in binary form must reproduce the above copyright 38 * notice, this list of conditions and the following disclaimer in the 39 * documentation and/or other materials provided with the distribution. 
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * $FreeBSD: src/sys/netinet/ip_fw2.h,v 1.1.2.4 2003/07/17 06:03:39 luigi Exp $
 */

#ifndef _IPFW2_H
#define _IPFW2_H
#ifdef __APPLE_API_OBSOLETE

/*
 * Define IP Firewall event subclass, and associated events.
 *
 * These are the kernel-event (KEV) codes a consumer can subscribe to in
 * order to observe rule-set changes: add, delete, flush and enable-toggle.
 */

/*!
	@defined KEV_IPFW_SUBCLASS
	@discussion The kernel event subclass for IP Firewall.
*/
#define KEV_IPFW_SUBCLASS	1

/*!
	@defined KEV_IPFW_ADD
	@discussion The event code indicating a rule has been added.
*/
#define KEV_IPFW_ADD		1

/*!
	@defined KEV_IPFW_DEL
	@discussion The event code indicating a rule has been removed.
*/
#define KEV_IPFW_DEL		2

/*!
	@defined KEV_IPFW_FLUSH
	@discussion The event code indicating the rule set has been flushed.
*/
#define KEV_IPFW_FLUSH		3

/*!
	@defined KEV_IPFW_ENABLE
	@discussion The event code indicating the enable flag has been changed.
*/
#define KEV_IPFW_ENABLE		4



/*
 * The kernel representation of ipfw rules is made of a list of
 * 'instructions' (for all practical purposes equivalent to BPF
 * instructions), which specify which fields of the packet
 * (or its metadata) should be analysed.
 *
 * Each instruction is stored in a structure which begins with
 * "ipfw_insn", and can contain extra fields depending on the
 * instruction type (listed below).
 * Note that the code is written so that individual instructions
 * have a size which is a multiple of 32 bits. This means that, if
 * such structures contain pointers or other 64-bit entities,
 * (there is just one instance now) they may end up unaligned on
 * 64-bit architectures, so they must be handled with care.
 *
 * "enum ipfw_opcodes" are the opcodes supported. We can have up
 * to 256 different opcodes (the opcode is stored in an 8-bit
 * bitfield of ipfw_insn below).
 *
 * The trailing comment on each opcode names the operand layout
 * that follows the ipfw_insn header: "u32" means an ipfw_insn_u32,
 * "ip" an ipfw_insn_ip, "arg1" the 16-bit field of ipfw_insn itself,
 * and "none" that the bare ipfw_insn is the whole instruction.
 */

enum ipfw_opcodes {		/* arguments (4 byte each)	*/
	O_NOP,

	O_IP_SRC,		/* u32 = IP			*/
	O_IP_SRC_MASK,		/* ip = IP/mask			*/
	O_IP_SRC_ME,		/* none				*/
	O_IP_SRC_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_DST,		/* u32 = IP			*/
	O_IP_DST_MASK,		/* ip = IP/mask			*/
	O_IP_DST_ME,		/* none				*/
	O_IP_DST_SET,		/* u32=base, arg1=len, bitmap	*/

	O_IP_SRCPORT,		/* (n)port list:mask 4 byte ea	*/
	O_IP_DSTPORT,		/* (n)port list:mask 4 byte ea	*/
	O_PROTO,		/* arg1=protocol		*/

	O_MACADDR2,		/* 2 mac addr:mask		*/
	O_MAC_TYPE,		/* same as srcport		*/

	O_LAYER2,		/* none				*/
	O_IN,			/* none				*/
	O_FRAG,			/* none				*/

	O_RECV,			/* none				*/
	O_XMIT,			/* none				*/
	O_VIA,			/* none				*/

	O_IPOPT,		/* arg1 = 2*u8 bitmap		*/
	O_IPLEN,		/* arg1 = len			*/
	O_IPID,			/* arg1 = id			*/

	O_IPTOS,		/* arg1 = id			*/
	O_IPPRECEDENCE,		/* arg1 = precedence << 5	*/
	O_IPTTL,		/* arg1 = TTL			*/

	O_IPVER,		/* arg1 = version		*/
	O_UID,			/* u32 = id			*/
	O_GID,			/* u32 = id			*/
	O_ESTAB,		/* none (tcp established)	*/
	O_TCPFLAGS,		/* arg1 = 2*u8 bitmap		*/
	O_TCPWIN,		/* arg1 = desired win		*/
	O_TCPSEQ,		/* u32 = desired seq.		*/
	O_TCPACK,		/* u32 = desired seq.		*/
	O_ICMPTYPE,		/* u32 = icmp bitmap		*/
	O_TCPOPTS,		/* arg1 = 2*u8 bitmap		*/

	O_VERREVPATH,		/* none				*/

	O_PROBE_STATE,		/* none				*/
	O_KEEP_STATE,		/* none				*/
	O_LIMIT,		/* ipfw_insn_limit		*/
	O_LIMIT_PARENT,		/* dyn_type, not an opcode.	*/

	/*
	 * These are really 'actions'.
	 */

	O_LOG,			/* ipfw_insn_log		*/
	O_PROB,			/* u32 = match probability	*/

	O_CHECK_STATE,		/* none				*/
	O_ACCEPT,		/* none				*/
	O_DENY,			/* none				*/
	O_REJECT,		/* arg1=icmp arg (same as deny)	*/
	O_COUNT,		/* none				*/
	O_SKIPTO,		/* arg1=next rule number	*/
	O_PIPE,			/* arg1=pipe number		*/
	O_QUEUE,		/* arg1=queue number		*/
	O_DIVERT,		/* arg1=port number		*/
	O_TEE,			/* arg1=port number		*/
	O_FORWARD_IP,		/* fwd sockaddr			*/
	O_FORWARD_MAC,		/* fwd mac			*/

	/*
	 * More opcodes.
	 */
	O_IPSEC,		/* has ipsec history		*/

	O_LAST_OPCODE		/* not an opcode! -- upper bound for range checks */
};

/*
 * Template for instructions.
 *
 * ipfw_insn is used for all instructions which require no operands,
 * a single 16-bit value (arg1), or a couple of 8-bit values.
 *
 * For other instructions which require different/larger arguments
 * we have derived structures, ipfw_insn_*.
 *
 * The size of the instruction (in 32-bit words) is in the low
 * 6 bits of "len". The 2 remaining bits are used to implement
 * NOT and OR on individual instructions. Given a type, you can
 * compute the length to be put in "len" using F_INSN_SIZE(t)
 *
 * F_NOT negates the match result of the instruction.
 *
 * F_OR is used to build or blocks. By default, instructions
 * are evaluated as part of a logical AND. An "or" block
 * { X or Y or Z } contains F_OR set in all but the last
 * instruction of the block. A match will cause the code
 * to skip past the last instruction of the block.
 *
 * NOTA BENE: in a couple of places we assume that
 *	sizeof(ipfw_insn) == sizeof(u_int32_t)
 * this needs to be fixed.
 *
 */
typedef struct _ipfw_insn {	/* template for instructions */
	enum ipfw_opcodes	opcode:8;
	u_int8_t	len;	/* number of 32-bit words in the low 6 bits;
				 * the top 2 bits carry F_NOT / F_OR */
#define	F_NOT		0x80	/* negate this instruction's match result */
#define	F_OR		0x40	/* set on all but the last insn of an "or" block */
#define	F_LEN_MASK	0x3f	/* extracts the length from "len" */
#define	F_LEN(cmd)	((cmd)->len & F_LEN_MASK)	/* length in 32-bit words, flags stripped */

	u_int16_t	arg1;
} ipfw_insn;

/*
 * The F_INSN_SIZE(type) computes the size, in 4-byte words, of
 * a given type. Integer division is intended: every ipfw_insn_*
 * is laid out as a whole number of 32-bit words (see above).
 */
#define	F_INSN_SIZE(t)	((sizeof (t))/sizeof(u_int32_t))

/*
 * This is used to store an array of 16-bit entries (ports etc.)
 * The real number of entries is given by the instruction length
 * (F_LEN), not by the [2] in this declaration.
 */
typedef struct	_ipfw_insn_u16 {
	ipfw_insn o;
	u_int16_t ports[2];	/* there may be more */
} ipfw_insn_u16;

/*
 * This is used to store an array of 32-bit entries
 * (uid, single IPv4 addresses etc.)
 * As for ipfw_insn_u16, the element count comes from F_LEN.
 */
typedef struct	_ipfw_insn_u32 {
	ipfw_insn o;
	u_int32_t d[1];	/* one or more */
} ipfw_insn_u32;

/*
 * This is used to store IP addr-mask pairs.
 */
typedef struct	_ipfw_insn_ip {
	ipfw_insn o;
	struct in_addr	addr;
	struct in_addr	mask;
} ipfw_insn_ip;

/*
 * This is used to forward to a given address (ip).
 */
typedef struct	_ipfw_insn_sa {
	ipfw_insn o;
	struct sockaddr_in sa;
} ipfw_insn_sa;

/*
 * This is used for MAC addr-mask pairs.
 */
typedef struct	_ipfw_insn_mac {
	ipfw_insn o;
	u_char addr[12];	/* dst[6] + src[6] */
	u_char mask[12];	/* dst[6] + src[6] */
} ipfw_insn_mac;

/*
 * This is used for interface match rules (recv xx, xmit xx).
 */
typedef struct	_ipfw_insn_if {
	ipfw_insn o;
	union {
		struct in_addr ip;
		int32_t unit;
	} p;
	char name[IFNAMSIZ];	/* NOTE(review): fixed-size; presumably NUL-terminated by the producer -- confirm where rules are parsed */
} ipfw_insn_if;

/*
 * This is used for pipe and queue actions, which need to store
 * a single pointer (which can have different size on different
 * architectures).
 * Note that, because of previous instructions, pipe_ptr might
 * be unaligned in the overall structure, so it needs to be
 * manipulated with care.
 * This is the one 64-bit entity the header comment above refers to.
 */
typedef struct	_ipfw_insn_pipe {
	ipfw_insn	o;
	void		*pipe_ptr;	/* XXX */
} ipfw_insn_pipe;

/*
 * This is used for limit rules.
 */
typedef struct	_ipfw_insn_limit {
	ipfw_insn o;
	u_int8_t _pad;
	u_int8_t limit_mask;		/* combination of DYN_* below	*/
#define	DYN_SRC_ADDR	0x1
#define	DYN_SRC_PORT	0x2
#define	DYN_DST_ADDR	0x4
#define	DYN_DST_PORT	0x8

	u_int16_t conn_limit;
} ipfw_insn_limit;

/*
 * This is used for log instructions.
 */
typedef struct  _ipfw_insn_log {
        ipfw_insn o;
	u_int32_t max_log;	/* how many do we log -- 0 = all */
	u_int32_t log_left;	/* how many left to log 	*/
} ipfw_insn_log;

/* Version of this API */
#define IP_FW_VERSION_NONE 0
#define IP_FW_VERSION_0 10	/* old ipfw */
#define IP_FW_VERSION_1 20	/* ipfw in Jaguar/Panther */
#define IP_FW_VERSION_2 30	/* ipfw2 */
#define IP_FW_CURRENT_API_VERSION IP_FW_VERSION_2

/*
 * Here we have the structure representing an ipfw rule.
 *
 * It starts with a general area (with link fields and counters)
 * followed by an array of one or more instructions, which the code
 * accesses as an array of 32-bit values.
 *
 * Given a rule pointer r:
 *
 *  r->cmd		is the start of the first instruction.
 *  ACTION_PTR(r)	is the start of the first action (things to do
 *			once a rule matched).
 *
 * When assembling instruction, remember the following:
 *
 *  + if a rule has a "keep-state" (or "limit") option, then the
 *	first instruction (at r->cmd) MUST BE an O_PROBE_STATE
 *  + if a rule has a "log" option, then the first action
 *	(at ACTION_PTR(r)) MUST be O_LOG
 *
 * NOTE: we use a simple linked list of rules because we never need
 * 	to delete a rule without scanning the list. We do not use
 *	queue(3) macros for portability and readability.
 */

struct ip_fw {
	u_int32_t version;		/* Version of this structure. MUST be set */
					/* by clients. Should always be */
					/* set to IP_FW_CURRENT_API_VERSION. */
	void *context;			/* Context that is usable by user processes to */
					/* identify this rule. */
	struct ip_fw	*next;		/* linked list of rules		*/
	struct ip_fw	*next_rule;	/* ptr to next [skipto] rule	*/
	/* 'next_rule' is used to pass up 'set_disable' status		*/

	u_int16_t	act_ofs;	/* offset of action in 32-bit units */
	u_int16_t	cmd_len;	/* # of 32-bit words in cmd	*/
	u_int16_t	rulenum;	/* rule number			*/
	u_int8_t	set;		/* rule set (0..31)		*/
	u_int32_t	set_masks[2];	/* masks for manipulating sets atomically */
#define	RESVD_SET	31	/* set for default and persistent rules */
	u_int8_t	_pad;		/* padding			*/

	/* These fields are present in all rules.			*/
	u_int64_t	pcnt;		/* Packet counter		*/
	u_int64_t	bcnt;		/* Byte counter			*/
	u_int32_t	timestamp;	/* tv_sec of last match		*/

	u_int32_t	reserved_1;	/* reserved - set to 0		*/
	u_int32_t	reserved_2;	/* reserved - set to 0		*/

	ipfw_insn	cmd[1];		/* storage for commands		*/
};

/*
 * First action of a rule: act_ofs is counted in 32-bit words, hence the
 * arithmetic on a u_int32_t pointer before the cast back to ipfw_insn.
 * NOTE(review): neither macro below checks act_ofs or cmd_len; the
 * version field is documented as client-supplied, so these values
 * presumably arrive from user space too and must be range-checked
 * (act_ofs < cmd_len, total size within the supplied buffer) before
 * the macros are applied -- confirm in the rule-installation path.
 */
#define	ACTION_PTR(rule)				\
	(ipfw_insn *)( (u_int32_t *)((rule)->cmd) +	\
	 ((rule)->act_ofs) )

/*
 * Total size in bytes of a rule: the fixed header plus cmd_len words,
 * minus the one ipfw_insn (4 bytes) already counted by cmd[1] in
 * sizeof(struct ip_fw).
 */
#define	RULESIZE(rule)  (sizeof(struct ip_fw) + \
	((struct ip_fw *)(rule))->cmd_len * 4 - 4)

/*
 * This structure is used as a flow mask and a flow id for various
 * parts of the code.
 */
struct ipfw_flow_id {
	u_int32_t	dst_ip;
	u_int32_t	src_ip;
	u_int16_t	dst_port;
	u_int16_t	src_port;
	u_int8_t	proto;
	u_int8_t	flags;	/* protocol-specific flags */
};

/*
 * Dynamic ipfw rule.
 */
typedef struct _ipfw_dyn_rule ipfw_dyn_rule;

#ifdef XNU_KERNEL_PRIVATE

#include <netinet/ip_flowid.h>

/*
 * Note:
 * The internal version of "struct _ipfw_dyn_rule" differs from
 * its external version because the field "id" is of type
 * "struct ip_flow_id" in the internal version. The type of the
 * field "id" for the external version is "struct ipfw_flow_id",
 * for backwards compatibility reasons. Every other field is
 * declared identically in both versions.
 */

struct _ipfw_dyn_rule {
	ipfw_dyn_rule	*next;		/* linked list of rules.	*/
	struct ip_fw *rule;		/* pointer to rule		*/
	/* 'rule' is used to pass up the rule number (from the parent)	*/

	ipfw_dyn_rule *parent;		/* pointer to parent rule	*/
	u_int64_t	pcnt;		/* packet match counter		*/
	u_int64_t	bcnt;		/* byte match counter		*/
	struct ip_flow_id id;		/* (masked) flow id		*/
	u_int32_t	expire;		/* expire time			*/
	u_int32_t	bucket;		/* which bucket in hash table	*/
	u_int32_t	state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t	ack_fwd;	/* most recent ACKs in forward	*/
	u_int32_t	ack_rev;	/* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t	dyn_type;	/* rule type			*/
	u_int16_t	count;		/* refcount			*/
};
#else /* XNU_KERNEL_PRIVATE */
/* External (non-kernel-private) view: same layout, "id" is an ipfw_flow_id. */
struct _ipfw_dyn_rule {
	ipfw_dyn_rule	*next;		/* linked list of rules.
*/
	struct ip_fw *rule;		/* pointer to rule		*/
	/* 'rule' is used to pass up the rule number (from the parent)	*/

	ipfw_dyn_rule *parent;		/* pointer to parent rule	*/
	u_int64_t	pcnt;		/* packet match counter		*/
	u_int64_t	bcnt;		/* byte match counter		*/
	struct ipfw_flow_id id;		/* (masked) flow id		*/
	u_int32_t	expire;		/* expire time			*/
	u_int32_t	bucket;		/* which bucket in hash table	*/
	u_int32_t	state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t	ack_fwd;	/* most recent ACKs in forward	*/
	u_int32_t	ack_rev;	/* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t	dyn_type;	/* rule type			*/
	u_int16_t	count;		/* refcount			*/
};
#endif /* XNU_KERNEL_PRIVATE */

/*
 * Definitions for IP option names.
 * Bit values for the 2*u8 bitmap carried in arg1 of O_IPOPT.
 */
#define	IP_FW_IPOPT_LSRR	0x01
#define	IP_FW_IPOPT_SSRR	0x02
#define	IP_FW_IPOPT_RR		0x04
#define	IP_FW_IPOPT_TS		0x08

/*
 * Definitions for TCP option names.
 * Bit values for the 2*u8 bitmap carried in arg1 of O_TCPOPTS.
 */
#define	IP_FW_TCPOPT_MSS	0x01
#define	IP_FW_TCPOPT_WINDOW	0x02
#define	IP_FW_TCPOPT_SACK	0x04
#define	IP_FW_TCPOPT_TS		0x08
#define	IP_FW_TCPOPT_CC		0x10

#define	ICMP_REJECT_RST		0x100	/* fake ICMP code (send a TCP RST) */

/*
 * Main firewall chains definitions and global var's definitions.
 */
#ifdef BSD_KERNEL_PRIVATE

/*
 * NOTE(review): ip_fw_32 / ip_fw_64 appear to mirror struct ip_fw with
 * pointers replaced by fixed-width user32_addr_t / user64_addr_t so the
 * kernel can exchange rules with 32- and 64-bit user processes; the
 * pack(4) presumably reproduces the 32-bit process's natural layout.
 * Field meanings are the same as in struct ip_fw -- confirm against the
 * copyin/copyout code that uses them.
 */
#pragma pack(4)
struct ip_fw_32{
	u_int32_t version;		/* Version of this structure. MUST be set */
					/* by clients. Should always be */
					/* set to IP_FW_CURRENT_API_VERSION. */
	user32_addr_t context;		/* Context that is usable by user processes to */
					/* identify this rule.
*/
	user32_addr_t	next;		/* linked list of rules		*/
	user32_addr_t	next_rule;/* ptr to next [skipto] rule	*/
	/* 'next_rule' is used to pass up 'set_disable' status		*/

	u_int16_t	act_ofs;	/* offset of action in 32-bit units */
	u_int16_t	cmd_len;	/* # of 32-bit words in cmd	*/
	u_int16_t	rulenum;	/* rule number			*/
	u_int8_t	set;		/* rule set (0..31)		*/
	u_int32_t	set_masks[2];	/* masks for manipulating sets atomically */
#define	RESVD_SET	31	/* set for default and persistent rules */
	u_int8_t	_pad;		/* padding			*/

	/* These fields are present in all rules.			*/
	u_int64_t	pcnt;		/* Packet counter		*/
	u_int64_t	bcnt;		/* Byte counter			*/
	u_int32_t	timestamp;	/* tv_sec of last match		*/

	u_int32_t	reserved_1;	/* reserved - set to 0		*/
	u_int32_t	reserved_2;	/* reserved - set to 0		*/

	ipfw_insn	cmd[1];		/* storage for commands		*/
};

#pragma pack()

/*
 * 64-bit user-process view of struct ip_fw. The aligned(8) attributes
 * force context/pcnt/bcnt onto 8-byte boundaries, presumably to match
 * the natural layout a 64-bit process would produce -- confirm against
 * the copyin/copyout code.
 */
struct ip_fw_64{
	u_int32_t version;		/* Version of this structure. MUST be set */
					/* by clients. Should always be */
					/* set to IP_FW_CURRENT_API_VERSION. */
	__uint64_t	context __attribute__((aligned(8)));	/* Context that is usable by user processes to */
					/* identify this rule. */
	user64_addr_t	next;		/* linked list of rules		*/
	user64_addr_t	next_rule;	/* ptr to next [skipto] rule	*/
	/* 'next_rule' is used to pass up 'set_disable' status		*/

	u_int16_t	act_ofs;	/* offset of action in 32-bit units */
	u_int16_t	cmd_len;	/* # of 32-bit words in cmd	*/
	u_int16_t	rulenum;	/* rule number			*/
	u_int8_t	set;		/* rule set (0..31)		*/
	u_int32_t	set_masks[2];	/* masks for manipulating sets atomically */
#define	RESVD_SET	31	/* set for default and persistent rules */
	u_int8_t	_pad;		/* padding			*/

	/* These fields are present in all rules.
*/
	u_int64_t	pcnt __attribute__((aligned(8)));	/* Packet counter		*/
	u_int64_t	bcnt __attribute__((aligned(8)));	/* Byte counter			*/
	u_int32_t	timestamp;	/* tv_sec of last match		*/

	u_int32_t	reserved_1;	/* reserved - set to 0		*/
	u_int32_t	reserved_2;	/* reserved - set to 0		*/

	ipfw_insn	cmd[1];		/* storage for commands		*/
};


/*
 * 32- and 64-bit user-process views of the dynamic rule; same fields as
 * the external struct _ipfw_dyn_rule with pointers widened/narrowed to
 * fixed-size user addresses.
 */
typedef struct _ipfw_dyn_rule_64 ipfw_dyn_rule_64;
typedef struct _ipfw_dyn_rule_32 ipfw_dyn_rule_32;

#pragma pack(4)
struct _ipfw_dyn_rule_32 {
	user32_addr_t	next;		/* linked list of rules.	*/
	user32_addr_t	rule;		/* pointer to rule		*/
	/* 'rule' is used to pass up the rule number (from the parent)	*/

	user32_addr_t	parent;		/* pointer to parent rule	*/
	u_int64_t	pcnt;		/* packet match counter		*/
	u_int64_t	bcnt;		/* byte match counter		*/
	struct ipfw_flow_id id;		/* (masked) flow id		*/
	u_int32_t	expire;		/* expire time			*/
	u_int32_t	bucket;		/* which bucket in hash table	*/
	u_int32_t	state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t	ack_fwd;	/* most recent ACKs in forward	*/
	u_int32_t	ack_rev;	/* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t	dyn_type;	/* rule type			*/
	u_int16_t	count;		/* refcount			*/
};

#pragma pack()

struct _ipfw_dyn_rule_64 {
	user64_addr_t	next;		/* linked list of rules.
*/
	user64_addr_t	rule;		/* pointer to rule		*/
	/* 'rule' is used to pass up the rule number (from the parent)	*/

	user64_addr_t	parent;		/* pointer to parent rule	*/
	u_int64_t	pcnt;		/* packet match counter		*/
	u_int64_t	bcnt;		/* byte match counter		*/
	struct ipfw_flow_id id;		/* (masked) flow id		*/
	u_int32_t	expire;		/* expire time			*/
	u_int32_t	bucket;		/* which bucket in hash table	*/
	u_int32_t	state;		/* state of this rule (typically a
					 * combination of TCP flags)
					 */
	u_int32_t	ack_fwd;	/* most recent ACKs in forward	*/
	u_int32_t	ack_rev;	/* and reverse directions (used	*/
					/* to generate keepalives)	*/
	u_int16_t	dyn_type;	/* rule type			*/
	u_int16_t	count;		/* refcount			*/
};


/*
 * 64- and 32-bit user-process views of ipfw_insn_pipe: the kernel
 * pointer is replaced by a fixed-width user address of the matching
 * size.
 */
typedef struct	_ipfw_insn_pipe_64 {
	ipfw_insn	o;
	user64_addr_t	pipe_ptr;	/* XXX */
} ipfw_insn_pipe_64;

typedef struct	_ipfw_insn_pipe_32{
	ipfw_insn	o;
	user32_addr_t	pipe_ptr;	/* XXX */
} ipfw_insn_pipe_32;


#define	IPFW_DEFAULT_RULE	65535

#if IPFIREWALL

/* Flag bits OR'ed into a divert/tee port number (above the 16-bit port range). */
#define	IP_FW_PORT_DYNT_FLAG	0x10000
#define	IP_FW_PORT_TEE_FLAG	0x20000
#define	IP_FW_PORT_DENY_FLAG	0x40000

#ifdef PRIVATE
#include <netinet/ip_flowid.h>
#else
struct ip_fw_args;
#endif
/*
 * Function definitions.
 */

/* Firewall hooks */
struct sockopt;
struct dn_flow_set;

void flush_pipe_ptrs(struct dn_flow_set *match); /* used by dummynet */
void ipfw_init(void);	/* called from raw_ip.c: load_ipfw() */

/*
 * Indirect entry points: ip_fw_chk_ptr is the per-packet check and
 * ip_fw_ctl_ptr the control (sockopt) handler; IPFW_LOADED tests whether
 * the firewall has installed its check hook. The structures declared in
 * this header are what presumably crosses the user/kernel boundary via
 * the ctl hook -- confirm in the implementation.
 */
typedef	int ip_fw_chk_t (struct ip_fw_args *args);
typedef	int ip_fw_ctl_t (struct sockopt *);
extern	ip_fw_chk_t *ip_fw_chk_ptr;
extern	ip_fw_ctl_t *ip_fw_ctl_ptr;
extern	int fw_one_pass;
extern	int fw_enable;
#define	IPFW_LOADED	(ip_fw_chk_ptr != NULL)
#endif /* IPFIREWALL */
#endif /* BSD_KERNEL_PRIVATE */

#endif /* __APPLE_API_OBSOLETE */
#endif /* _IPFW2_H */