// Copyright 2018 The Fuchsia Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
/// Direction is which way (Incoming or Outgoing) a packet is moving in the stack.
/// Used by Rule.direction to restrict a rule to one side of the interface.
enum Direction {
// NOTE(review): the enumerator lines of this enum (the doc comment above
// names Incoming and Outgoing) and its closing `};` are not present in this
// listing, and every other declaration below is likewise missing its closing
// `};`. This looks like extraction loss rather than a change to the source;
// confirm against the original .fidl file before relying on this copy.
/// Action is what the filter does with a packet once a Rule matches it
/// (carried in Rule.action).
enum Action {
/// Let the packet continue through the stack.
PASS = 0;
/// Discard the packet. Whether a DROP is silent or signalled to the peer
/// is not specified in this file.
DROP = 1;
/// SocketProtocol selects which protocol a Rule, Nat or Rdr entry applies
/// to (each of those types carries a `proto` field).
enum SocketProtocol {
/// Matches every protocol.
/// NOTE(review): a port range only has meaning for port-carrying
/// protocols (TCP/UDP); how an entry with proto == ANY and a port range
/// is applied to ICMP/ICMPV6 traffic is not specified here — confirm in
/// the implementation.
ANY = 0;
ICMP = 1;
TCP = 2;
UDP = 3;
ICMPV6 = 4;
/// PortRange specifies an inclusive range of port numbers.
/// A range with start == end denotes a single port.
struct PortRange {
/// First port of the range (inclusive).
uint16 start;
/// Last port of the range (inclusive).
/// NOTE(review): nothing in this type enforces start <= end; a consumer
/// should validate that before installing a rule, since an inverted range
/// could otherwise be interpreted as matching nothing or everything
/// depending on the implementation.
uint16 end;
/// Rule describes the conditions and the action of a rule.
/// The condition fields (direction, proto, source/destination subnet and
/// port range, nic) select which packets the rule applies to; `action`
/// says what happens to a packet that matches. The order in which rules
/// are evaluated is not defined in this file.
struct Rule {
/// What to do with a matching packet (PASS or DROP).
Action action;
/// Which way the packet is travelling (incoming or outgoing).
Direction direction;
/// If true, no more rules will be tested.
/// Because a quick rule ends evaluation, a rule listed after a quick PASS
/// that would DROP the same traffic never runs — rule order matters.
bool quick;
// NOTE(review): the declared type of `src_subnet` is missing from this
// listing (likely dropped in extraction); confirm against the original
// source. `src_subnet_invert_match` below refers to this field.
SocketProtocol proto; src_subnet;
/// If true, matches any address that is NOT contained in the subnet.
bool src_subnet_invert_match;
// NOTE(review): as with `src_subnet`, the declared type of `dst_subnet` is
// missing from this listing; confirm against the original source.
PortRange src_port_range; dst_subnet;
/// If true, matches any address that is NOT contained in the subnet.
bool dst_subnet_invert_match;
/// Destination port range to match (inclusive; see PortRange).
PortRange dst_port_range;
/// Network interface the rule applies to.
/// NOTE(review): whether 0 means "any interface" is not stated here;
/// confirm in the implementation.
uint32 nic;
/// NOTE(review): presumably requests logging of matching packets; the
/// log destination and content are not defined in this file.
bool log;
/// NOTE(review): presumably enables connection-state tracking for matched
/// flows (stateful filtering); the exact semantics are not defined in this
/// file — confirm in the implementation.
bool keep_state;
/// NAT is a special rule for Network Address Translation, which rewrites
/// the source address of an outgoing packet (see new_src_addr).
struct Nat {
// NOTE(review): the declared types of `src_subnet` and `new_src_addr` are
// missing from this listing (likely dropped in extraction); confirm against
// the original source.
/// Protocol the translation applies to; see SocketProtocol.
SocketProtocol proto; src_subnet; new_src_addr;
/// Interface on which the translation is applied.
uint32 nic;
/// RDR is a special rule for Redirector, which forwards an incoming packet
/// to a machine inside the firewall by rewriting its destination address
/// and port (see new_dst_addr and new_dst_port_range).
struct Rdr {
// NOTE(review): the declared types of `dst_addr` and `new_dst_addr` are
// missing from this listing (likely dropped in extraction); confirm against
// the original source.
/// Protocol the redirection applies to; see SocketProtocol.
SocketProtocol proto; dst_addr;
/// Destination port range of packets to redirect (inclusive; see PortRange).
/// NOTE(review): whether new_dst_port_range must be the same width as
/// dst_port_range (a one-to-one port mapping) is not specified here; a
/// consumer should validate the two ranges before installing the entry.
PortRange dst_port_range; new_dst_addr;
/// Port range the redirected packets are sent to (inclusive; see PortRange).
PortRange new_dst_port_range;
/// Interface on which the redirection is applied.
uint32 nic;