/*********************************************************
* Copyright (C) 2006 VMware, Inc. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation version 2 and no later version.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program; if not, write to the Free Software Foundation, Inc.,
* 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*********************************************************/
/*
* vnetFilter.h --
*
* This file defines the external interface provided
* by the vmnet driver for host packet filter
* functionality. This functionality is likely to
* be eventually moved to a separate driver.
*
*/
#ifndef _VNETFILTER_H_
#define _VNETFILTER_H_
#define INCLUDE_ALLOW_USERLEVEL
#define INCLUDE_ALLOW_MODULE
#include "includeCheck.h"
#include "vm_basic_types.h"
/*
* Call:
* Windows vmnet driver using IOCTL_VNET_FILTERHOST2.
* Linux vmnet driver using SIOCSFILTERRULES.
*
* Every request begins with a VNet_RuleHeader: header.type selects one of
* the VNET_FILTER_CMD_* subcommands below and header.len carries the total
* request length in bytes. Each constant family below occupies its own
* value range (0x1xxx commands, 0x2xxx actions, 0x3xxx directions,
* 0x4xxx states), so a value of one kind is never a valid value of another.
*/
/* list of subcommands for the host filter ioctl() call */
#define VNET_FILTER_CMD_MIN 0x1000 /* equal to smallest sub-command */
#define VNET_FILTER_CMD_CREATE_RULE_SET 0x1000
#define VNET_FILTER_CMD_DELETE_RULE_SET 0x1001
#define VNET_FILTER_CMD_ADD_IPV4_RULE 0x1002
/* ADD_IPV6_RULE lies inside [VNET_FILTER_CMD_MIN, VNET_FILTER_CMD_MAX], so a
range check on header.type alone does not reject it; a consumer must
reject it explicitly. */
#define VNET_FILTER_CMD_ADD_IPV6_RULE 0x1003 /* not implemented */
#define VNET_FILTER_CMD_CHANGE_RULE_SET 0x1004
#define VNET_FILTER_CMD_SET_LOG_LEVEL 0x1005
#define VNET_FILTER_CMD_MAX 0x1005 /* equal to largest sub-command */
/* action for a rule or rule set */
/* VNet_CreateRuleSet.defaultAction */
/* VNet_AddIPv4Rule.action */
/* VNet_ChangeRuleSet.defaultAction */
/* NO_CHANGE is only meaningful for VNet_ChangeRuleSet.defaultAction, where it
leaves the rule set's default action as is. */
#define VNET_FILTER_RULE_NO_CHANGE 0x2000
#define VNET_FILTER_RULE_BLOCK 0x2001
#define VNET_FILTER_RULE_ALLOW 0x2002
/* direction that should apply to a rule */
/* VNet_AddIPv4Rule.direction */
#define VNET_FILTER_DIRECTION_IN 0x3001
#define VNET_FILTER_DIRECTION_OUT 0x3002
#define VNET_FILTER_DIRECTION_BOTH 0x3003
/* used to change which rule set is used for host filtering */
/* VNet_ChangeRuleSet.activate */
#define VNET_FILTER_STATE_NO_CHANGE 0x4000
#define VNET_FILTER_STATE_ENABLE 0x4001
#define VNET_FILTER_STATE_DISABLE 0x4002
/* log Levels, cut and paste from bora/lib/public/policy.h */
/* VNet_SetLogLevel.logLevel; ordered from least (NONE) to most (MAXIMUM) output */
#define VNET_FILTER_LOGLEVEL_NONE (0)
#define VNET_FILTER_LOGLEVEL_TERSE (1)
#define VNET_FILTER_LOGLEVEL_NORMAL (2)
#define VNET_FILTER_LOGLEVEL_VERBOSE (3)
#define VNET_FILTER_LOGLEVEL_MAXIMUM (4)
/* header that's common for all command structs; it is the first member of
every VNet_* command struct in this header, so a receiver can read it
before it knows which command it is looking at */
typedef
#include "vmware_pack_begin.h"
struct VNet_RuleHeader {
uint32 type; /* type of struct: one of VNET_FILTER_CMD_* */
uint32 ver; /* version of struct (every struct in this header uses ver = 1) */
uint32 len; /* length of struct in bytes, including any trailing
VNet_IPv4Address/VNet_IPv4Port elements (see
VNet_AddIPv4Rule).
NOTE(review): len is supplied by the ioctl caller; the
receiver should check it against the size expected for
'type' before reading any field past this header. */
}
#include "vmware_pack_end.h"
VNet_RuleHeader;
/* VNET_FILTER_CMD_CREATE_RULE_SET: create an empty rule set with a default action */
typedef
#include "vmware_pack_begin.h"
struct VNet_CreateRuleSet {
VNet_RuleHeader header; /* type = VNET_FILTER_CMD_CREATE_RULE_SET, ver = 1,
len = sizeof(VNet_CreateRuleSet) */
uint32 ruleSetId; /* id of the rule set being created (must be non-0);
referenced later by VNet_DeleteRuleSet, VNet_AddIPv4Rule
and VNet_ChangeRuleSet */
uint32 defaultAction; /* VNET_FILTER_RULE_BLOCK or VNET_FILTER_RULE_ALLOW
(this header defines no DROP/PERMIT constants);
presumably the action for traffic matching no rule
in the set */
}
#include "vmware_pack_end.h"
VNet_CreateRuleSet;
/* VNET_FILTER_CMD_DELETE_RULE_SET: delete a rule set created earlier */
typedef
#include "vmware_pack_begin.h"
struct VNet_DeleteRuleSet {
VNet_RuleHeader header; /* type = VNET_FILTER_CMD_DELETE_RULE_SET, ver = 1,
len = sizeof(VNet_DeleteRuleSet) */
uint32 ruleSetId; /* rule set to delete (from VNet_CreateRuleSet.ruleSetId) */
}
#include "vmware_pack_end.h"
VNet_DeleteRuleSet;
/* VNET_FILTER_CMD_ADD_IPV4_RULE: append one IPv4 rule to an existing rule set.
This is the only variable-length command: the fixed part below is followed
in the same buffer by addressListLen VNet_IPv4Address elements and then
portListLen VNet_IPv4Port elements (both types are declared further down). */
typedef
#include "vmware_pack_begin.h"
struct VNet_AddIPv4Rule {
VNet_RuleHeader header; /* type = VNET_FILTER_CMD_ADD_IPV4_RULE, ver = 1,
len = sizeof(VNet_AddIPv4Rule) +
addressListLen * sizeof(VNet_IPv4Address) +
portListLen * sizeof(VNet_IPv4Port)
NOTE(review): addressListLen and portListLen are
caller-supplied uint32 counts; a receiver validating
len against them needs overflow-safe arithmetic and
should do so before walking the trailing arrays. */
uint32 ruleSetId; /* rule set (from VNet_CreateRuleSet.ruleSetId) */
uint32 action; /* VNET_FILTER_RULE_BLOCK or VNET_FILTER_RULE_ALLOW
(this header defines no DROP/PERMIT constants) */
uint32 direction; /* VNET_FILTER_DIRECTION_IN, VNET_FILTER_DIRECTION_OUT, or
VNET_FILTER_DIRECTION_BOTH */
uint32 addressListLen; /* Number of VNet_IPv4Address's that follow.
Must be at least one. Must equal 1 if the entry has
ipv4RemoteAddr == ipv4RemoteMask == 0 (don't care).
expected but not required: (addr & ~mask) == 0 */
uint32 proto; /* ~0 is don't care, otherwise protocol in IP header*/
uint32 portListLen; /* Number of VNet_IPv4Port's that follow the
VNet_IPv4Address's. Ports currently only apply for
TCP and UDP. Must be at least one, even if non-TCP or
non-UDP protocol is specified in 'proto' (use 0 or ~0 for
all elements in VNet_IPv4Port). Must equal 1 if all
elements in a VNet_IPv4Port are ~0. */
/* add flags for tracking in which direction the connection is established? */
}
#include "vmware_pack_end.h"
VNet_AddIPv4Rule;
/*
* VNet_AddIPv4Rule is immediately followed by 1 or more VNet_IPv4Address.
* The last VNet_IPv4Address is immediately followed by 1 or more VNet_IPv4Port.
*/
/* one remote address/mask pair of a VNet_AddIPv4Rule address list */
typedef
#include "vmware_pack_begin.h"
struct VNet_IPv4Address {
/* currently no fields for local address/mask (add them?) */
/* can specify don't care on IP address via addr==mask==0,
but only for a list with 1 item (see VNet_AddIPv4Rule.addressListLen) */
uint32 ipv4RemoteAddr; /* remote entity's address (dst on outbound, src on inbound) */
uint32 ipv4RemoteMask; /* remote entity's mask (dst on outbound, src on inbound);
expected but not required: (ipv4RemoteAddr & ~ipv4RemoteMask) == 0 */
}
#include "vmware_pack_end.h"
VNet_IPv4Address;
/* one local/remote port-range pair of a VNet_AddIPv4Rule port list; ranges are
inclusive, and ~0 in a field means that bound is not checked */
typedef
#include "vmware_pack_begin.h"
struct VNet_IPv4Port {
/* can specify ~0 for all 4 only if one item in the list
(see VNet_AddIPv4Rule.portListLen) */
/* NOTE(review): fields are uint32 but TCP/UDP ports are 16-bit; values other
than ~0 presumably must be <= 65535 -- confirm the driver rejects larger ones */
uint32 localPortLow; /* ~0 is don't care, otherwise low local range (inclusive) */
uint32 localPortHigh; /* ~0 is don't care, otherwise high local range (inclusive) */
uint32 remotePortLow; /* ~0 is don't care, otherwise low remote range (inclusive) */
uint32 remotePortHigh; /* ~0 is don't care, otherwise high remote range (inclusive) */
}
#include "vmware_pack_end.h"
VNet_IPv4Port;
// typedef struct VNet_IPv4Port VNet_IPv6Port;
/* VNET_FILTER_CMD_CHANGE_RULE_SET: change a rule set's default action and/or
whether it is the set used for host filtering; either field may be set to
its *_NO_CHANGE value to leave that aspect alone */
typedef
#include "vmware_pack_begin.h"
struct VNet_ChangeRuleSet {
VNet_RuleHeader header; /* type = VNET_FILTER_CMD_CHANGE_RULE_SET, ver = 1,
len = sizeof(VNet_ChangeRuleSet) */
uint32 ruleSetId; /* rule set (from VNet_CreateRuleSet.ruleSetId) */
uint32 defaultAction; /* usually VNET_FILTER_RULE_NO_CHANGE, but can change default
rule via VNET_FILTER_RULE_BLOCK or VNET_FILTER_RULE_ALLOW
(this header defines no DROP/PERMIT constants) */
uint32 activate; /* specify rule to use for filtering via
VNET_FILTER_STATE_ENABLE or VNET_FILTER_STATE_DISABLE.
Can use VNET_FILTER_STATE_NO_CHANGE to change only the
default rule of the rule set */
}
#include "vmware_pack_end.h"
VNet_ChangeRuleSet;
/* VNET_FILTER_CMD_SET_LOG_LEVEL: set the host filter's logging verbosity */
typedef
#include "vmware_pack_begin.h"
struct VNet_SetLogLevel {
VNet_RuleHeader header; /* type = VNET_FILTER_CMD_SET_LOG_LEVEL, */
/* ver = 1, */
/* len = sizeof(VNet_SetLogLevel) */
uint32 logLevel; /* the log level to set: one of VNET_FILTER_LOGLEVEL_NONE
.. VNET_FILTER_LOGLEVEL_MAXIMUM */
}
#include "vmware_pack_end.h"
VNet_SetLogLevel;
#endif // ifndef _VNETFILTER_H_