/* IBM_PROLOG_BEGIN_TAG */ /* This is an automatically generated prolog. */ /* */ /* bos720 src/bos/kernel/net/net_rules.h 1.7.1.1 */ /* */ /* Licensed Materials - Property of IBM */ /* */ /* Restricted Materials of IBM */ /* */ /* COPYRIGHT International Business Machines Corp. 2006,2014 */ /* All Rights Reserved */ /* */ /* US Government Users Restricted Rights - Use, duplication or */ /* disclosure restricted by GSA ADP Schedule Contract with IBM Corp. */ /* */ /* IBM_PROLOG_END_TAG */ /* @(#)94 1.7.1.1 src/bos/kernel/net/net_rules.h, sysnet, bos720 2/21/14 12:41:01 */ /* * COMPONENT_NAME: SYSNET */ #ifndef _MLS_NET_RULES_H #define _MLS_NET_RULES_H #include #include #ifdef __cplusplus extern "C" { #endif #define INTNAMELEN 32 #define SECURITY_LEVELS \ sl_t min; \ sl_t max; \ sl_t deflt /* max count of incoming paf values */ #define MAXPAFCOUNT 256 #define CIPSO_TAG_TYPE_1_ENABLE 0x01 /* Bit mask enable of type 1 */ #define CIPSO_TAG_TYPE_2_ENABLE 0x02 /* Bit mask enable of type 2 */ #define CIPSO_TAG_TYPE_5_ENABLE 0x04 /* Bit mask enable of type 5 */ #define CIPSO_DEFAULT_TAG_TYPES (CIPSO_TAG_TYPE_1_ENABLE | \ CIPSO_TAG_TYPE_2_ENABLE | CIPSO_TAG_TYPE_5_ENABLE) #define CIPSO_DEFAULT_DOI 0x00001000 #define RIPSO_DEFAULT_EPAF 0 #define RIPSO_DEFAULT_TPAF 0 #define RIPSO_DEFAULT_RPAFS 0 #define RIPSO_DEFAULT_RPAFS_COUNT 0 /* Structure that represents the IP security option options for * host or interface rules. */ typedef struct mls_rule_ipso_s { uint32_t doi; /* doi for cipso packets to accept */ uint16_t inpafcount; /* number of recieve paf fields in inpafs */ uint16_t inpafs[MAXPAFCOUNT]; /* Array of in paf fields. */ uint16_t outpaf; /* paf for outgoing ripso packets. */ uint16_t errorpaf; /* paf for outoging ripso error packets */ uint16_t tagset; /* bitmask for tags to use for cipso */ } mls_rule_ipso_t; /* Structure that is a network host rule. * This rule is one that is used for configuring MLS host based * rules. */ typedef struct host_rule_t { union { uint32_t v4_addr; struct in6_addr v6_addr; #define tn_v4addr _hrule_addr.v4_addr #define tn_v6addr _hrule_addr.v6_addr } _hrule_addr; union { uint32_t v4_mask; struct in6_addr v6_mask; #define tn_v4mask _hrule_mask.v4_mask #define tn_v6mask _hrule_mask.v6_mask } _hrule_mask; uint32_t af; /* IPv4 or IPv6 address family? */ uint16_t port_s; /* starting port for the matching source port range */ uint16_t port_e; /* ending port range */ uint8_t proto; /* protocol, 0 for all */ uint8_t inout; uint16_t pad1; uint32_t pad2; union { uint32_t v4_destaddr; struct in6_addr v6_destaddr; #define tn_v4destaddr _hrule_destaddr.v4_destaddr #define tn_v6destaddr _hrule_destaddr.v6_destaddr } _hrule_destaddr; union { uint32_t v4_destmask; struct in6_addr v6_destmask; #define tn_v4destmask _hrule_destmask.v4_destmask #define tn_v6destmask _hrule_destmask.v6_destmask } _hrule_destmask; uint16_t destport_s; uint16_t destport_e; uint8_t destproto; uint8_t pad3; uint16_t pad4; /* pads needed to maintain 64-bit alignment */ SECURITY_LEVELS; /* this must be 64-bit aligned! */ uint32_t flags; mls_rule_ipso_t ipsooptions; uint32_t ref_cnt; uint32_t pad5; /* To align the prev and next pointers */ struct host_rule_t* hr_prev; struct host_rule_t* hr_next; } host_rule_t; /* Structure that is an network rule associated with interfaces. */ typedef struct int_rule_t { char name[INTNAMELEN]; /* must remain first item */ SECURITY_LEVELS; uint32_t flags; /* CIPSO and RIPSO options for the rule. */ mls_rule_ipso_t ipsooptions; struct int_rule_t* ir_prev; struct int_rule_t* ir_next; } int_rule_t; /* Structure used to interface with Trusted network configuration functions. */ typedef struct host_rule_req_s { uint32_t idx; uint32_t inout; uint32_t af; uint32_t pad; /* to keep the addr field aligned */ union { uint32_t v4_addr; struct in6_addr v6_addr; #define tn_v4reqaddr _hrulereq_addr.v4_addr #define tn_v6reqaddr _hrulereq_addr.v6_addr } _hrulereq_addr; } host_rule_req; typedef struct seclvl_t { SECURITY_LEVELS; } seclvl; #define secrule(x) ((seclvl*)(&((x)->min))) #define INRULE 0x0001 #define OUTRULE 0x0002 #define HOSTRULES_DROP_ALL 0x100 /* r - drop all packets to this host */ #define HOSTRULES_DROP_NOT 0x080 /* n - don't automatically drop */ #define HOSTRULES_DROP_DEF 0x000 /* i - use interface default << */ #define HOSTRULES_R_RIPSO 0x004 /* r - RIPSO ONLY */ #define HOSTRULES_R_CIPSO 0x008 /* c - CIPSO ONLY */ #define HOSTRULES_R_BOTH 0x00C /* e - either RIPSO or CIPSO */ #define HOSTRULES_R_NONE 0x010 /* n - neither RIPSO or CIPSO allowed */ #define HOSTRULES_R_ANY 0x01c /* a - anything is allowed */ #define HOSTRULES_R_DEF 0x000 /* i - use interface default << */ #define HOSTRULES_T_RIPSO 0x001 /* r - RIPSO inserted on outgoing */ #define HOSTRULES_T_CIPSO 0x002 /* c - CIPSO inserted on outgoing */ #define HOSTRULES_T_NONE 0x003 /* n - nothing is inserted */ #define HOSTRULES_T_DEF 0x000 /* i - use interface default << */ #define HOSTRULES_FLAGS_DEFAULT (HOSTRULES_DROP_DEF | HOSTRULES_R_DEF | HOSTRULES_T_DEF ) #define HOSTRULES_DROPMASK 0x0180 #define HOSTRULES_RFLAGMASK 0x001C #define HOSTRULES_TFLAGMASK 0x0003 #define HOSTRULES_DROP(x) (((x)&HOSTRULES_DROPMASK)) #define HOSTRULES_RFLAG(x) (((x)&HOSTRULES_RFLAGMASK)) #define HOSTRULES_TFLAG(x) (((x)&HOSTRULES_TFLAGMASK)) #define INTRULES_DROP_ALL 0x100 /* r - drop all packets to this host */ #define INTRULES_DROP_NOT 0x000 /* n - don't automatically drop << */ #define INTRULES_R_RIPSO 0x004 /* r - RIPSO ONLY */ #define INTRULES_R_CIPSO 0x008 /* c - CIPSO ONLY */ #define INTRULES_R_BOTH 0x00C /* e - either RIPSO or CIPSO */ #define INTRULES_R_NONE 0x010 /* n - neither RIPSO or CIPSO allowed */ #define INTRULES_R_ANY 0x01c /* a - anything is allowed */ #define INTRULES_R_DEF 0x020 /* i - allow the system default << */ #define INTRULES_T_RIPSO 0x001 /* r - RIPSO inserted on outgoing */ #define INTRULES_T_CIPSO 0x002 /* c - CIPSO inserted on outgoing */ #define INTRULES_T_NONE 0x000 /* n - nothing is inserted << */ #define INTRULES_FLAGS_DEFAULT (INTRULES_DROP_NOT | INTRULES_R_DEF | INTRULES_T_NONE ) #define INTRULES_DROPMASK 0x100 #define INTRULES_RFLAGMASK 0x03C #define INTRULES_TFLAGMASK 0x003 #define INTRULES_DROP(x) (((x)&INTRULES_DROPMASK)) #define INTRULES_RFLAG(x) (((x)&INTRULES_RFLAGMASK)) #define INTRULES_TFLAG(x) (((x)&INTRULES_TFLAGMASK)) #define SEND_CIPSOQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_CIPSO)) || \ ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_DEF) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_CIPSO)) || \ ((!hrule) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_CIPSO)) ) #define SEND_RIPSOQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_RIPSO)) || \ ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_DEF) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_RIPSO)) || \ ((!hrule) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_RIPSO)) ) #define SEND_NONEQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_NONE)) || \ ((hrule) && \ ( HOSTRULES_TFLAG((hrule)->flags) == HOSTRULES_T_DEF) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_NONE)) || \ ((!hrule) && \ ( INTRULES_TFLAG((ifrule)->flags) == INTRULES_T_NONE)) ) /* * Function: IN_RIPSOQ * * Description: * Determines if the rules specify that a RIPSO option is allowed * for an incoming packet from the given rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if RIPSO is allowed incoming from the rules * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next it can defer to defaults. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define IN_RIPSOQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_RIPSO) ) || \ ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) == HOSTRULES_R_DEF) && \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_RIPSO) || \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF ) && \ ( (gDIFRule) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & INTRULES_R_RIPSO )) || \ ( INTRULES_FLAGS_DEFAULT & INTRULES_R_RIPSO ) ) ) ) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_RIPSO) ) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF) && \ ((gDIFRule) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & INTRULES_R_RIPSO )) || \ ( INTRULES_FLAGS_DEFAULT & INTRULES_R_RIPSO ) ) ) /* * Function: IN_CIPSOQ * * Description: * Determines if the rules specify that a CIPSO option is allowed * for an incoming packet from the given rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if CIPSO is allowed incoming from the rules * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next it can defer to defaults. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define IN_CIPSOQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_CIPSO) ) || \ ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) == HOSTRULES_R_DEF) && \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_CIPSO) || \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF ) && \ ( (gDIFRule) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & INTRULES_R_CIPSO )) || \ ( INTRULES_FLAGS_DEFAULT & INTRULES_R_CIPSO ) ) )) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_CIPSO) ) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF) && \ ((gDIFRule) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & INTRULES_R_CIPSO )) || \ ( INTRULES_FLAGS_DEFAULT & INTRULES_R_CIPSO ) ) ) /* * Function: IN_NONEQ * * Description: * Determines if the rules specify that an option is not required. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next it can defer to defaults. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define IN_NONEQ(hrule,ifrule) \ ( ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_NONE) ) || \ ((hrule) && \ ( HOSTRULES_RFLAG((hrule)->flags) == HOSTRULES_R_DEF) && \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_NONE) || \ ( ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF ) && \ ( ( !gDIFRule ) || \ ( ( gDIFRule ) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & INTRULES_R_NONE )))) )) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_NONE) ) || \ ((!hrule) && \ ( INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_DEF) && \ ( (!gDIFRule) || \ ( (gDIFRule) && \ ( INTRULES_RFLAG((gDIFRule)->flags) & (INTRULES_R_NONE|INTRULES_R_DEF) ))))) /* * Function: RULES_TPAF * * Description: * Gives the transmit paf for the given rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. */ #define RULES_TPAF(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_TFLAG((hrule)->flags) & HOSTRULES_T_RIPSO)) ? \ (hrule)->ipsooptions.outpaf : \ (ifrule)->ipsooptions.outpaf) /* * Function: RULES_EPAF * * Description: * Gives the paf for transmiting ICMP errors on recieves. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. */ #define RULES_EPAF(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_TFLAG((hrule)->flags) & HOSTRULES_T_RIPSO)) ? \ (hrule)->ipsooptions.errorpaf : \ (ifrule)->ipsooptions.errorpaf) /* * Function: RULES_RPAFS * * Description: * Determines the receive PAFs for the rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define RULES_RPAFS(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_RIPSO)) ? \ &(hrule)->ipsooptions.inpafs : \ ((INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_RIPSO) ? \ &(ifrule)->ipsooptions.inpafs : \ ((gDIFRule) ? \ &(gDIFRule)->ipsooptions.inpafs : \ RIPSO_DEFAULT_RPAFS))) /* * Function: RULES_RPAFS_COUNT * * Description: * Determines if the number of PAFs from the rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define RULES_RPAFS_COUNT(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_RIPSO)) ? \ (hrule)->ipsooptions.inpafcount : \ ((INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_RIPSO) ? \ (ifrule)->ipsooptions.inpafcount : \ ((gDIFRule) ? \ (gDIFRule)->ipsooptions.inpafcount : \ RIPSO_DEFAULT_RPAFS_COUNT))) /* * Function: RULES_RECEIVE_DOI * * Description: * Determines the receive DOI for the CIPSO options for the rule. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define RULES_RECEIVE_DOI(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_CIPSO)) ? \ (hrule)->ipsooptions.doi : \ ((INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_CIPSO) ? \ (ifrule)->ipsooptions.doi : \ ((gDIFRule) ? \ (gDIFRule)->ipsooptions.doi : \ CIPSO_DEFAULT_DOI))) /* * Function: RULES_RECEIVE_TAGSET * * Description: * Determines the receive TAGSET for the CIPSO options for the rule. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * gDIFRule (global) - Global default interface rule. * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. * The global default options are next, gDIFRule, if they exist. * Finally the hard defaults are used. */ #define RULES_RECEIVE_TAGSET(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_RFLAG((hrule)->flags) & HOSTRULES_R_CIPSO)) ? \ (hrule)->ipsooptions.tagset : \ ((INTRULES_RFLAG((ifrule)->flags) & INTRULES_R_CIPSO) ? \ (ifrule)->ipsooptions.tagset : \ ((gDIFRule) ? \ (gDIFRule)->ipsooptions.tagset : \ CIPSO_DEFAULT_TAG_TYPES))) /* * Function: RULES_SEND_DOI * * Description: * Determines the DOI to send for the rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. */ #define RULES_SEND_DOI(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_TFLAG((hrule)->flags) & HOSTRULES_T_CIPSO)) ? \ (hrule)->ipsooptions.doi : \ (ifrule)->ipsooptions.doi) /* * Function: RULES_SEND_TAGSET * * Description: * Determines the TAGSET to send for the rules. * * Inputs: * hrule - Host rule to check, can be null * ifrule - Interface rule to check, can't be null * * Returns: * nonzero if no option is required * 0 otherwise. * * Algorithm: * The host rule takes precedence if it exists. * The interface rule is next. */ #define RULES_SEND_TAGSET(hrule,ifrule) \ (((hrule) && \ (HOSTRULES_TFLAG((hrule)->flags) & HOSTRULES_T_CIPSO)) ? \ (hrule)->ipsooptions.tagset : \ (ifrule)->ipsooptions.tagset) #define DROPQ(hrule, ifrule) \ ( ((hrule) && HOSTRULES_DROP(hrule->flags) == HOSTRULES_DROP_ALL) || \ (((hrule) && HOSTRULES_DROP(hrule->flags) == HOSTRULES_DROP_DEF) && \ (INTRULES_DROP(ifrule->flags) == INTRULES_DROP_ALL)) || \ ((!hrule) && \ (INTRULES_DROP(ifrule->flags) == INTRULES_DROP_ALL)) ) typedef struct XRuleTbl_t { host_rule_t *head; int len; }RuleTbl_t; #ifdef __cplusplus } #endif #endif /* _MLS_NET_RULES_H */