1/*
2 * Copyright (c) 2008-2013 Apple Inc. All rights reserved.
3 *
4 * @APPLE_OSREFERENCE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. The rights granted to you under the License
10 * may not be used to create, or enable the creation or redistribution of,
11 * unlawful or unlicensed copies of an Apple operating system, or to
12 * circumvent, violate, or enable the circumvention or violation of, any
13 * terms of an Apple operating system software license agreement.
14 *
15 * Please obtain a copy of the License at
16 * http://www.opensource.apple.com/apsl/ and read it before using this file.
17 *
18 * The Original Code and all software distributed under the License are
19 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
20 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
21 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
22 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
23 * Please see the License for the specific language governing rights and
24 * limitations under the License.
25 *
26 * @APPLE_OSREFERENCE_LICENSE_HEADER_END@
27 */
28/*
29 * Copyright (c) 1993 Daniel Boulet
30 * Copyright (c) 1994 Ugen J.S.Antsilevich
31 *
32 * Redistribution and use in source forms, with and without modification,
33 * are permitted provided that this entire comment appears intact.
34 *
35 * Redistribution in binary form may occur without any restrictions.
36 * Obviously, it would be nice if you gave credit where credit is due
37 * but requiring it would be too onerous.
38 *
39 * This software is provided ``AS IS'' without any warranties of any kind.
40 *
41 */
42
43#ifndef _IP6_FW_H
44#define _IP6_FW_H
45#ifdef __APPLE_API_OBSOLETE
46
47#include <sys/appleapiopts.h>
48
49/*
50 * Define IPv6 Firewall event subclass, and associated events.
51 */
52
/*!
	@defined KEV_IP6FW_SUBCLASS
	@discussion The kernel event subclass for IPv6 Firewall.  A process
	subscribed to this subclass can audit rule-set changes (add, delete,
	flush, enable) as they happen.
*/
#define KEV_IP6FW_SUBCLASS	2

/*!
	@defined KEV_IP6FW_ADD
	@discussion The event code indicating a rule has been added.
*/
#define KEV_IP6FW_ADD		1

/*!
	@defined KEV_IP6FW_DEL
	@discussion The event code indicating a rule has been removed.
*/
#define KEV_IP6FW_DEL		2

/*!
	@defined KEV_IP6FW_FLUSH
	@discussion The event code indicating the rule set has been flushed.
*/
#define KEV_IP6FW_FLUSH		3

/*!
	@defined KEV_IP6FW_ENABLE
	@discussion The event code indicating the enable flag has been changed
	(presumably ip6_fw_enable, declared at the end of this header).
*/
#define KEV_IP6FW_ENABLE	4
82
83
84#include <net/if.h>
85
#define IPV6_FW_CURRENT_API_VERSION 20	/* Version of this API.  Clients place it in
					 * ip6_fw.version; the struct comments below
					 * call it IP6_FW_CURRENT_API_VERSION, but this
					 * macro is the one they mean. */
87
88
/*
 * This union structure identifies an interface, either explicitly
 * by name or implicitly by IP address. The flags IP_FW_F_IIFNAME
 * and IP_FW_F_OIFNAME say how to interpret this structure. An
 * interface unit number of -1 matches any unit number, while an
 * IP address of 0.0.0.0 matches any interface.
 *
 * The receive and transmit interfaces are only compared against the
 * packet if the corresponding bit (IP_FW_F_IIFACE or IP_FW_F_OIFACE)
 * is set. Note some packets lack a receive or transmit interface
 * (in which case the missing "interface" never matches).
 */
101
/*
 * Either an IPv6 address or a name/unit pair.  In this header the
 * selecting flags are IPV6_FW_F_IIFNAME / IPV6_FW_F_OIFNAME (defined
 * below): when set, fu_via_if is the live member for the in/out
 * interface respectively, otherwise fu_via_ip6 is.
 */
union ip6_fw_if {
    struct in6_addr fu_via_ip6;	/* Specified by IPv6 address */
    struct {			/* Specified by interface name */
#define IP6FW_IFNLEN     IFNAMSIZ
	    char  name[IP6FW_IFNLEN];	/* Fixed-size buffer filled in by the client.
					 * NOTE(review): nothing here guarantees NUL
					 * termination -- consumers should bound any
					 * compare to IP6FW_IFNLEN. */
	    short unit;		/* -1 means match any unit */
    } fu_via_if;
};
110
111/*
112 * Format of an IP firewall descriptor
113 *
114 * fw_src, fw_dst, fw_smsk, fw_dmsk are always stored in network byte order.
115 * fw_flg and fw_n*p are stored in host byte order (of course).
116 * Port numbers are stored in HOST byte order.
117 * Warning: setsockopt() will fail if sizeof(struct ip_fw) > MLEN (108)
118 */
119
120
/*
 * One firewall rule in the form exchanged with user processes (see the
 * setsockopt() note above and ip6_fw_ctl_t below).  It holds a raw
 * pointer and a long, so its size and layout follow the user process's
 * ABI; the kernel-private ip6_fw_32 / ip6_fw_64 below appear to be the
 * fixed-layout variants used when client and kernel ABIs differ.
 */
struct ip6_fw {
	u_int32_t version;		/* Version of this structure.  Should always be */
							/* set to IPV6_FW_CURRENT_API_VERSION by clients. */
	void *context;			/* Context that is usable by user processes to */
							/* identify this rule.  A user-supplied cookie: */
							/* the kernel should treat it as opaque and */
							/* never dereference it. */
    u_int32_t fw_pcnt,fw_bcnt;		/* Packet and byte counters (32-bit, may wrap) */
    struct in6_addr fw_src, fw_dst;	/* Source and destination IPv6 addr (network order) */
    struct in6_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IPv6 addr (network order) */
    u_short fw_number;			/* Rule number; SKIPTO targets refer to it */
    u_short fw_flg;			/* Flags word: IPV6_FW_F_* below */
#define IPV6_FW_MAX_PORTS	10	/* A reasonable maximum; redefined identically in ip6_fw_32/64 */
    u_int fw_ipflg;			/* IP flags word: IPV6_FW_IF_* below */
    u_short fw_pts[IPV6_FW_MAX_PORTS];	/* Array of port numbers to match (host order) */
    u_char fw_ip6opt,fw_ip6nopt;	/* IPv6 options set/unset (IPV6_FW_IP6OPT_* bits) */
    u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset (IPV6_FW_TCPF_* bits) */
#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
    unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap; only meaningful with IPV6_FW_F_ICMPBIT */
    long timestamp;			/* timestamp (tv_sec) of last match */
    union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces; compared only when */
					/* IPV6_FW_F_IIFACE / IPV6_FW_F_OIFACE is set */
    union {				/* Live member follows the IPV6_FW_F_COMMAND bits of fw_flg */
	u_short fu_divert_port;		/* Divert/tee port (options IP6DIVERT) */
	u_short fu_skipto_rule;		/* SKIPTO command rule number */
	u_short fu_reject_code;		/* REJECT response code */
    } fw_un;
    u_char fw_prot;			/* IPv6 protocol */
    u_char fw_nports;			/* N'of src ports and # of dst ports */
					/* in ports array (dst ports follow */
					/* src ports; max of 10 ports in all; */
					/* count of 0 means match all ports) */
					/* Packed as two nibbles (IPV6_FW_GETNSRCP / */
					/* IPV6_FW_GETNDSTP below), so each count can */
					/* read as high as 15: a consumer must check */
					/* nsrc + ndst <= IPV6_FW_MAX_PORTS before it */
					/* indexes fw_pts with a rule from userland. */
};
151
152#if defined(BSD_KERNEL_PRIVATE)
153#pragma pack(4)
154
/*
 * Kernel-private, fixed-layout copy of struct ip6_fw, apparently for
 * rules from a 32-bit user process (user32_addr_t / user32_time_t).  It
 * is declared under the #pragma pack(4) above, so its size is the same
 * on every kernel ABI.  Field for field it must stay in step with
 * struct ip6_fw.  IPV6_FW_MAX_PORTS and IPV6_FW_ICMPTYPES_DIM are
 * #defined again here with identical replacement lists; C allows that
 * only while they stay token-identical, so change all three together.
 */
struct ip6_fw_32 {
	u_int32_t version;		/* Version of this structure.  Should always be */
	/* set to IPV6_FW_CURRENT_API_VERSION by clients. */
	user32_addr_t context;			/* Context that is usable by user processes to */
	/* identify this rule.  Opaque cookie; never dereference in the kernel. */
    u_int32_t fw_pcnt,fw_bcnt;		/* Packet and byte counters */
    struct in6_addr fw_src, fw_dst;	/* Source and destination IPv6 addr */
    struct in6_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IPv6 addr */
    u_short fw_number;			/* Rule number */
    u_short fw_flg;			/* Flags word */
#define IPV6_FW_MAX_PORTS	10	/* A reasonable maximum */
    u_int fw_ipflg;			/* IP flags word */
    u_short fw_pts[IPV6_FW_MAX_PORTS];	/* Array of port numbers to match */
    u_char fw_ip6opt,fw_ip6nopt;	/* IPv6 options set/unset */
    u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset */
#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
    unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
    user32_time_t timestamp;			/* timestamp (tv_sec) of last match */
    union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
    union {
		u_short fu_divert_port;		/* Divert/tee port (options IP6DIVERT) */
		u_short fu_skipto_rule;		/* SKIPTO command rule number */
		u_short fu_reject_code;		/* REJECT response code */
    } fw_un;
    u_char fw_prot;			/* IPv6 protocol */
    u_char fw_nports;			/* N'of src ports and # of dst ports */
	/* in ports array (dst ports follow */
	/* src ports; max of 10 ports in all; */
	/* count of 0 means match all ports) */
	/* Two nibbles; each can read up to 15, so validate */
	/* nsrc + ndst <= IPV6_FW_MAX_PORTS before using fw_pts. */
};
185
186#pragma pack()
187
/*
 * Kernel-private, fixed-layout copy of struct ip6_fw, apparently for
 * rules from a 64-bit user process (user64_time_t, 8-byte context).
 * Natural alignment applies again here (#pragma pack() above); the
 * explicit aligned(8) on context pins the 64-bit layout regardless of
 * the kernel's own ABI.  Field for field it must stay in step with
 * struct ip6_fw, and the two macros re-#defined here must remain
 * token-identical to the earlier definitions.
 */
struct ip6_fw_64 {
	u_int32_t version;	 	/* Version of this structure.  Should always be */
	/* set to IPV6_FW_CURRENT_API_VERSION by clients. */
	__uint64_t context __attribute__((aligned(8)));			/* Context that is usable by user processes to */
	/* identify this rule.  Opaque cookie; never dereference in the kernel. */
    u_int32_t fw_pcnt,fw_bcnt;		/* Packet and byte counters */
    struct in6_addr fw_src, fw_dst;	/* Source and destination IPv6 addr */
    struct in6_addr fw_smsk, fw_dmsk;	/* Mask for src and dest IPv6 addr */
    u_short fw_number;			/* Rule number */
    u_short fw_flg;			/* Flags word */
#define IPV6_FW_MAX_PORTS	10	/* A reasonable maximum */
    u_int fw_ipflg;			/* IP flags word */
    u_short fw_pts[IPV6_FW_MAX_PORTS];	/* Array of port numbers to match */
    u_char fw_ip6opt,fw_ip6nopt;	/* IPv6 options set/unset */
    u_char fw_tcpf,fw_tcpnf;		/* TCP flags set/unset */
#define IPV6_FW_ICMPTYPES_DIM (256 / (sizeof(unsigned) * 8))
    unsigned fw_icmp6types[IPV6_FW_ICMPTYPES_DIM]; /* ICMP types bitmap */
    user64_time_t timestamp;			/* timestamp (tv_sec) of last match */
    union ip6_fw_if fw_in_if, fw_out_if;/* Incoming and outgoing interfaces */
    union {
		u_short fu_divert_port;		/* Divert/tee port (options IP6DIVERT) */
		u_short fu_skipto_rule;		/* SKIPTO command rule number */
		u_short fu_reject_code;		/* REJECT response code */
    } fw_un;
    u_char fw_prot;			/* IPv6 protocol */
    u_char fw_nports;			/* N'of src ports and # of dst ports */
	/* in ports array (dst ports follow */
	/* src ports; max of 10 ports in all; */
	/* count of 0 means match all ports) */
	/* Two nibbles; each can read up to 15, so validate */
	/* nsrc + ndst <= IPV6_FW_MAX_PORTS before using fw_pts. */
};
218
219
220#endif	/* BSD_KERNEL_PRIVATE */
221
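/*
 * fw_nports packs the source-port count in the low nibble and the
 * destination-port count in the high nibble, so each count is 0..15.
 * That range is wider than IPV6_FW_MAX_PORTS: whoever indexes fw_pts
 * with these counts must still verify
 * IPV6_FW_GETNSRCP(r) + IPV6_FW_GETNDSTP(r) <= IPV6_FW_MAX_PORTS on a
 * rule received from userland.
 *
 * The setters mask n to the nibble, so an oversized value cannot spill
 * into the other count (the previous form or'ed n in unmasked).  rule is
 * evaluated more than once; do not pass an expression with side effects.
 */
#define IPV6_FW_GETNSRCP(rule)		((rule)->fw_nports & 0x0f)
#define IPV6_FW_SETNSRCP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0x0f;	\
					  (rule)->fw_nports |= ((n) & 0x0f);	\
					} while (0)
#define IPV6_FW_GETNDSTP(rule)		((rule)->fw_nports >> 4)
#define IPV6_FW_SETNDSTP(rule, n)		do {				\
					  (rule)->fw_nports &= ~0xf0;	\
					  (rule)->fw_nports |= (((n) & 0x0f) << 4);\
					} while (0)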
232
/* Convenience names for the fw_un members.  These are plain token
 * rewrites, so they also rename any other identifier spelled
 * fw_divert_port / fw_skipto_rule / fw_reject_code in a file that
 * includes this header. */
#define fw_divert_port	fw_un.fu_divert_port
#define fw_skipto_rule	fw_un.fu_skipto_rule
#define fw_reject_code	fw_un.fu_reject_code
236
/*
 * One link in the rule list (LIST_ENTRY from <sys/queue.h>, which the
 * includer must provide).  NOTE(review): ownership of *rule is not
 * stated here -- presumably the chain entry owns it and frees it on
 * removal; confirm against the implementation.
 */
struct ip6_fw_chain {
        LIST_ENTRY(ip6_fw_chain) chain;
        struct ip6_fw    *rule;
};
241
/*
 * Values for "flags" field .
 */
#define IPV6_FW_F_IN	0x0001	/* Check inbound packets		*/
#define IPV6_FW_F_OUT	0x0002	/* Check outbound packets		*/
#define IPV6_FW_F_IIFACE	0x0004	/* Apply inbound interface test		*/
#define IPV6_FW_F_OIFACE	0x0008	/* Apply outbound interface test	*/

/*
 * The command is a 3-bit field, not a set of independent bits: extract it
 * with (fw_flg & IPV6_FW_F_COMMAND) and compare for equality.  Testing a
 * single command with '&' alone is wrong because IPV6_FW_F_DENY is 0.
 * Field value 0x0070 has no meaning and should be rejected when a rule is
 * validated.
 */
#define IPV6_FW_F_COMMAND 0x0070	/* Mask for type of chain entry:	*/
#define IPV6_FW_F_DENY	0x0000	/* This is a deny rule			*/
#define IPV6_FW_F_REJECT	0x0010	/* Deny and send a response packet	*/
#define IPV6_FW_F_ACCEPT	0x0020	/* This is an accept rule		*/
#define IPV6_FW_F_COUNT	0x0030	/* This is a count rule			*/
#define IPV6_FW_F_DIVERT	0x0040	/* This is a divert rule		*/
#define IPV6_FW_F_TEE	0x0050	/* This is a tee rule			*/
#define IPV6_FW_F_SKIPTO	0x0060	/* This is a skipto rule		*/

#define IPV6_FW_F_PRN	0x0080	/* Print if this rule matches		*/

#define IPV6_FW_F_SRNG	0x0100	/* The first two src ports are a min	*
				 * and max range (stored in host byte	*
				 * order).				*/

#define IPV6_FW_F_DRNG	0x0200	/* The first two dst ports are a min	*
				 * and max range (stored in host byte	*
				 * order).				*/

#define IPV6_FW_F_IIFNAME	0x0400	/* In interface by name/unit (not IP)	*/
#define IPV6_FW_F_OIFNAME	0x0800	/* Out interface by name/unit (not IP)	*/

#define IPV6_FW_F_INVSRC	0x1000	/* Invert sense of src check		*/
#define IPV6_FW_F_INVDST	0x2000	/* Invert sense of dst check		*/

#define IPV6_FW_F_FRAG	0x4000	/* Fragment				*/

#define IPV6_FW_F_ICMPBIT 0x8000	/* ICMP type bitmap is valid		*/

#define IPV6_FW_F_MASK	0xFFFF	/* All possible flag bits mask; fw_flg is	*
				 * a u_short so every bit is assigned	*/
280
/*
 * Flags for the 'fw_ipflg' field, for comparing values of ip and its protocols. */
#define	IPV6_FW_IF_TCPEST 0x00000020	/* established TCP connection	*/
#define IPV6_FW_IF_TCPMSK 0x00000020	/* mask of all TCP values (currently only TCPEST) */
285
/*
 * For backwards compatibility with rules specifying "via iface" but
 * not restricted to only "in" or "out" packets, we define this combination
 * of bits to represent this configuration.
 */

/* Note the prefix: IF6_FW_, unlike every other IPV6_FW_ name in this file. */
#define IF6_FW_F_VIAHACK	(IPV6_FW_F_IN|IPV6_FW_F_OUT|IPV6_FW_F_IIFACE|IPV6_FW_F_OIFACE)
293
/*
 * Definitions for REJECT response codes.
 * Values less than 256 correspond to ICMP unreachable codes.
 */
#define IPV6_FW_REJECT_RST	0x0100		/* TCP packets: send RST (above the ICMP code range) */
299
/*
 * Definitions for IPv6 option names.
 * Bit flags for fw_ip6opt (must be present) and fw_ip6nopt (must be
 * absent); seven bits, so they fit the u_char fields.
 */
#define IPV6_FW_IP6OPT_HOPOPT	0x01	/* hop-by-hop options header */
#define IPV6_FW_IP6OPT_ROUTE	0x02	/* routing header */
#define IPV6_FW_IP6OPT_FRAG	0x04	/* fragment header */
#define IPV6_FW_IP6OPT_ESP	0x08	/* ESP header */
#define IPV6_FW_IP6OPT_AH	0x10	/* AH header */
#define IPV6_FW_IP6OPT_NONXT	0x20	/* no next header */
#define IPV6_FW_IP6OPT_OPTS	0x40	/* destination options header */
310
/*
 * Definitions for TCP flags.
 * Bit flags for fw_tcpf (set) and fw_tcpnf (clear).  TH_* are not
 * defined in this header -- the includer must pull in <netinet/tcp.h>
 * before using these names.
 */
#define IPV6_FW_TCPF_FIN	TH_FIN
#define IPV6_FW_TCPF_SYN	TH_SYN
#define IPV6_FW_TCPF_RST	TH_RST
#define IPV6_FW_TCPF_PSH	TH_PUSH
#define IPV6_FW_TCPF_ACK	TH_ACK
#define IPV6_FW_TCPF_URG	TH_URG
320
321/*
322 * Main firewall chains definitions and global var's definitions.
323 */
324#ifdef BSD_KERNEL_PRIVATE
325
#define M_IP6FW M_IPFW	/* presumably the kernel allocation tag shared with the IPv4 firewall -- confirm */
327
328
/*
 * Function definitions.
 */
void ip6_fw_init(void);
void load_ip6fw(void);		/* NOTE(review): presumably installs the hook pointers below -- confirm */

/* Firewall hooks */
struct ip6_hdr;
struct sockopt;
/*
 * Packet-check hook.  The header and the mbuf are passed by double
 * pointer, which lets the hook hand back a different mbuf chain; the
 * int result is the verdict, whose values are not defined in this
 * header.  NOTE(review): the u_short * argument is undocumented here --
 * check the caller before relying on its meaning.
 */
typedef	int ip6_fw_chk_t(struct ip6_hdr**, struct ifnet*,
				u_short *, struct mbuf**);
/* Control hook: services the get/setsockopt rule traffic (struct sockopt). */
typedef	int ip6_fw_ctl_t(struct sockopt *);
/* Hook pointers.  NOTE(review): nothing here says they are non-NULL
 * before the firewall is loaded -- callers should check before
 * dispatching through them. */
extern	ip6_fw_chk_t *ip6_fw_chk_ptr;
extern	ip6_fw_ctl_t *ip6_fw_ctl_ptr;
extern	int ip6_fw_enable;		/* Global on/off switch; changes are presumably what KEV_IP6FW_ENABLE reports */
344
345#endif /* BSD_KERNEL_PRIVATE */
346
347#endif /* __APPLE_API_OBSOLETE */
348#endif /* _IP6_FW_H */
349