1 /* $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */ 2 3 /* 4 * Copyright (c) 2004 The DragonFly Project. All rights reserved. 5 * 6 * Copyright (c) 2001 Daniel Hartmeier 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * - Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * - Redistributions in binary form must reproduce the above 16 * copyright notice, this list of conditions and the following 17 * disclaimer in the documentation and/or other materials provided 18 * with the distribution. 19 * 20 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 21 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 22 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 23 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 24 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 25 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 26 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 27 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 30 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 31 * POSSIBILITY OF SUCH DAMAGE. 32 * 33 */ 34 35 #ifndef _NET_PFVAR_H_ 36 #define _NET_PFVAR_H_ 37 38 #include <sys/param.h> 39 #include <sys/types.h> 40 #include <sys/limits.h> 41 #include <sys/ioccom.h> 42 #include <sys/queue.h> 43 #include <sys/tree.h> 44 #include <sys/lock.h> 45 46 #include <net/radix.h> 47 #include <net/if_clone.h> 48 #include <netinet/in.h> 49 #include <netinet/in_pcb.h> 50 51 #ifdef _KERNEL 52 #include <vm/vm_zone.h> 53 #endif 54 55 /* 56 * XXX 57 * If we include <netipsec/keydb.h>, we need _KERNEL definition. 58 * This makes pfctl compilation difficult. 59 */ 60 union sockaddr_union { 61 struct sockaddr sa; 62 struct sockaddr_in sin; 63 struct sockaddr_in6 sin6; 64 }; 65 66 #include <netinet/tcp_fsm.h> 67 68 struct ip; 69 struct ip6_hdr; 70 71 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 72 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 73 74 75 #define RTLABEL_LEN 32 76 #define IFG_ALL "all" /* group contains all interfaces */ 77 #define BPF_DIRECTION_OUT (1<<1) 78 #define PWAIT 0 79 #define RT_NUMFIBS 1 80 #define ALTQ_IS_ENABLED(ifq) ((ifq)->altq_flags & ALTQF_ENABLED) 81 82 83 #define PF_MD5_DIGEST_LENGTH 16 84 #ifdef MD5_DIGEST_LENGTH 85 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH 86 #error 87 #endif 88 #endif 89 90 enum { PF_INOUT, PF_IN, PF_OUT }; 91 enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID }; 92 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, 93 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; 94 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 95 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 96 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 97 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 98 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 99 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 100 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 101 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 102 enum { PF_GET_NONE, PF_GET_CLR_CNTR }; 103 104 /* 105 * Note about PFTM_*: real indices into pf_rule.timeout[] come before 106 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 107 */ 108 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 109 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 110 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 111 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 112 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 113 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, 114 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, 115 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED, 116 PFTM_UNTIL_PACKET }; 117 118 /* PFTM default values */ 119 #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ 120 #define PFTM_TCP_OPENING_VAL 30 /* No response yet */ 121 #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ 122 #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ 123 #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ 124 #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ 125 #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ 126 #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ 127 #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ 128 #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ 129 #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ 130 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ 131 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ 132 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ 133 #define PFTM_FRAG_VAL 30 /* Fragment expire */ 134 #define PFTM_INTERVAL_VAL 10 /* Expire interval */ 135 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */ 136 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ 137 138 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; 139 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 140 PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 141 #define PF_POOL_IDMASK 0x0f 142 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 143 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 144 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 145 PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED }; 146 #define PF_POOL_TYPEMASK 0x0f 147 #define PF_POOL_STICKYADDR 0x20 148 #define PF_WSCALE_FLAG 0x80 149 #define PF_WSCALE_MASK 0x0f 150 151 #define PF_LOG 0x01 152 #define PF_LOG_ALL 0x02 153 #define PF_LOG_SOCKET_LOOKUP 0x04 154 155 struct pf_addr { 156 union { 157 struct in_addr v4; 158 struct in6_addr v6; 159 u_int8_t addr8[16]; 160 u_int16_t addr16[8]; 161 u_int32_t addr32[4]; 162 } pfa; /* 128-bit address */ 163 #define v4 pfa.v4 164 #define v6 pfa.v6 165 #define addr8 pfa.addr8 166 #define addr16 pfa.addr16 167 #define addr32 pfa.addr32 168 }; 169 170 #define PF_TABLE_NAME_SIZE 32 171 172 #define PFI_AFLAG_NETWORK 0x01 173 #define PFI_AFLAG_BROADCAST 0x02 174 #define PFI_AFLAG_PEER 0x04 175 #define PFI_AFLAG_MODEMASK 0x07 176 #define PFI_AFLAG_NOALIAS 0x08 177 178 struct pf_addr_wrap { 179 union { 180 struct { 181 struct pf_addr addr; 182 struct pf_addr mask; 183 } a; 184 char ifname[IFNAMSIZ]; 185 char tblname[PF_TABLE_NAME_SIZE]; 186 char rtlabelname[RTLABEL_LEN]; 187 u_int32_t rtlabel; 188 } v; 189 union { 190 struct pfi_dynaddr *dyn; 191 struct pfr_ktable *tbl; 192 int dyncnt; 193 int tblcnt; 194 } p; 195 u_int8_t type; /* PF_ADDR_* */ 196 u_int8_t iflags; /* PFI_AFLAG_* */ 197 }; 198 199 #ifdef _KERNEL 200 201 struct pfi_dynaddr { 202 TAILQ_ENTRY(pfi_dynaddr) entry; 203 struct pf_addr pfid_addr4; 204 struct pf_addr pfid_mask4; 205 struct pf_addr pfid_addr6; 206 struct pf_addr pfid_mask6; 207 struct pfr_ktable *pfid_kt; 208 struct pfi_kif *pfid_kif; 209 void *pfid_hook_cookie; 210 int pfid_net; /* mask or 128 */ 211 int pfid_acnt4; /* address count IPv4 */ 212 int pfid_acnt6; /* address count IPv6 */ 213 sa_family_t pfid_af; /* rule af */ 214 u_int8_t pfid_iflags; /* PFI_AFLAG_* */ 215 }; 216 217 /* 218 * Address manipulation macros 219 */ 220 221 /* XXX correct values for zinit? */ 222 #define ZONE_CREATE(var, type, desc) \ 223 var = zinit(desc, sizeof(type), 1, ZONE_DESTROYABLE, 1); \ 224 if (var == NULL) break 225 #define ZONE_DESTROY(a) zdestroy(a) 226 227 #define pool_get(p, f) zalloc(*(p)) 228 #define pool_put(p, o) zfree(*(p), (o)) 229 230 #define NTOHS(x) (x) = ntohs((__uint16_t)(x)) 231 #define HTONS(x) (x) = htons((__uint16_t)(x)) 232 233 #define PF_NAME "pf" 234 235 #define PF_MODVER 1 236 #define PFLOG_MODVER 1 237 #define PFSYNC_MODVER 1 238 239 #define PFLOG_MINVER 1 240 #define PFLOG_PREFVER PFLOG_MODVER 241 #define PFLOG_MAXVER 1 242 #define PFSYNC_MINVER 1 243 #define PFSYNC_PREFVER PFSYNC_MODVER 244 #define PFSYNC_MAXVER 1 245 246 /* prototyped for pf_subr.c */ 247 struct hook_desc { 248 TAILQ_ENTRY(hook_desc) hd_list; 249 void (*hd_fn)(void *); 250 void *hd_arg; 251 }; 252 TAILQ_HEAD(hook_desc_head, hook_desc); 253 254 void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *); 255 void hook_disestablish(struct hook_desc_head *, void *); 256 void dohooks(struct hook_desc_head *, int); 257 258 #define HOOK_REMOVE 0x01 259 #define HOOK_FREE 0x02 260 261 #ifdef INET 262 #ifndef INET6 263 #define PF_INET_ONLY 264 #endif /* ! INET6 */ 265 #endif /* INET */ 266 267 #ifdef INET6 268 #ifndef INET 269 #define PF_INET6_ONLY 270 #endif /* ! INET */ 271 #endif /* INET6 */ 272 273 #ifdef INET 274 #ifdef INET6 275 #define PF_INET_INET6 276 #endif /* INET6 */ 277 #endif /* INET */ 278 279 #else 280 281 #define PF_INET_INET6 282 283 #endif /* _KERNEL */ 284 285 /* Both IPv4 and IPv6 */ 286 #ifdef PF_INET_INET6 287 288 #define PF_AEQ(a, b, c) \ 289 ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \ 290 ((a)->addr32[3] == (b)->addr32[3] && \ 291 (a)->addr32[2] == (b)->addr32[2] && \ 292 (a)->addr32[1] == (b)->addr32[1] && \ 293 (a)->addr32[0] == (b)->addr32[0])) \ 294 295 #define PF_ANEQ(a, b, c) \ 296 ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ 297 ((a)->addr32[3] != (b)->addr32[3] || \ 298 (a)->addr32[2] != (b)->addr32[2] || \ 299 (a)->addr32[1] != (b)->addr32[1] || \ 300 (a)->addr32[0] != (b)->addr32[0])) \ 301 302 #define PF_AZERO(a, c) \ 303 ((c == AF_INET && !(a)->addr32[0]) || \ 304 (!(a)->addr32[0] && !(a)->addr32[1] && \ 305 !(a)->addr32[2] && !(a)->addr32[3] )) \ 306 307 #define PF_MATCHA(n, a, m, b, f) \ 308 pf_match_addr(n, a, m, b, f) 309 310 #define PF_ACPY(a, b, f) \ 311 pf_addrcpy(a, b, f) 312 313 #define PF_AINC(a, f) \ 314 pf_addr_inc(a, f) 315 316 #define PF_POOLMASK(a, b, c, d, f) \ 317 pf_poolmask(a, b, c, d, f) 318 319 #else 320 321 /* Just IPv6 */ 322 323 #ifdef PF_INET6_ONLY 324 325 #define PF_AEQ(a, b, c) \ 326 ((a)->addr32[3] == (b)->addr32[3] && \ 327 (a)->addr32[2] == (b)->addr32[2] && \ 328 (a)->addr32[1] == (b)->addr32[1] && \ 329 (a)->addr32[0] == (b)->addr32[0]) \ 330 331 #define PF_ANEQ(a, b, c) \ 332 ((a)->addr32[3] != (b)->addr32[3] || \ 333 (a)->addr32[2] != (b)->addr32[2] || \ 334 (a)->addr32[1] != (b)->addr32[1] || \ 335 (a)->addr32[0] != (b)->addr32[0]) \ 336 337 #define PF_AZERO(a, c) \ 338 (!(a)->addr32[0] && \ 339 !(a)->addr32[1] && \ 340 !(a)->addr32[2] && \ 341 !(a)->addr32[3] ) \ 342 343 #define PF_MATCHA(n, a, m, b, f) \ 344 pf_match_addr(n, a, m, b, f) 345 346 #define PF_ACPY(a, b, f) \ 347 pf_addrcpy(a, b, f) 348 349 #define PF_AINC(a, f) \ 350 pf_addr_inc(a, f) 351 352 #define PF_POOLMASK(a, b, c, d, f) \ 353 pf_poolmask(a, b, c, d, f) 354 355 #else 356 357 /* Just IPv4 */ 358 #ifdef PF_INET_ONLY 359 360 #define PF_AEQ(a, b, c) \ 361 ((a)->addr32[0] == (b)->addr32[0]) 362 363 #define PF_ANEQ(a, b, c) \ 364 ((a)->addr32[0] != (b)->addr32[0]) 365 366 #define PF_AZERO(a, c) \ 367 (!(a)->addr32[0]) 368 369 #define PF_MATCHA(n, a, m, b, f) \ 370 pf_match_addr(n, a, m, b, f) 371 372 #define PF_ACPY(a, b, f) \ 373 (a)->v4.s_addr = (b)->v4.s_addr 374 375 #define PF_AINC(a, f) \ 376 do { \ 377 (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \ 378 } while (0) 379 380 #define PF_POOLMASK(a, b, c, d, f) \ 381 do { \ 382 (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \ 383 (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \ 384 } while (0) 385 386 #endif /* PF_INET_ONLY */ 387 #endif /* PF_INET6_ONLY */ 388 #endif /* PF_INET_INET6 */ 389 390 #define PF_MISMATCHAW(aw, x, af, neg, ifp) \ 391 ( \ 392 (((aw)->type == PF_ADDR_NOROUTE && \ 393 pf_routable((x), (af), NULL)) || \ 394 (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \ 395 pf_routable((x), (af), (ifp))) || \ 396 ((aw)->type == PF_ADDR_RTLABEL && \ 397 !pf_rtlabel_match((x), (af), (aw))) || \ 398 ((aw)->type == PF_ADDR_TABLE && \ 399 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 400 ((aw)->type == PF_ADDR_DYNIFTL && \ 401 !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ 402 ((aw)->type == PF_ADDR_ADDRMASK && \ 403 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 404 !PF_MATCHA(0, &(aw)->v.a.addr, \ 405 &(aw)->v.a.mask, (x), (af))))) != \ 406 (neg) \ 407 ) 408 409 410 struct pf_rule_uid { 411 uid_t uid[2]; 412 u_int8_t op; 413 }; 414 415 struct pf_rule_gid { 416 uid_t gid[2]; 417 u_int8_t op; 418 }; 419 420 struct pf_rule_addr { 421 struct pf_addr_wrap addr; 422 u_int16_t port[2]; 423 u_int8_t neg; 424 u_int8_t port_op; 425 }; 426 427 struct pf_pooladdr { 428 struct pf_addr_wrap addr; 429 TAILQ_ENTRY(pf_pooladdr) entries; 430 char ifname[IFNAMSIZ]; 431 struct pfi_kif *kif; 432 }; 433 434 TAILQ_HEAD(pf_palist, pf_pooladdr); 435 436 struct pf_poolhashkey { 437 union { 438 u_int8_t key8[16]; 439 u_int16_t key16[8]; 440 u_int32_t key32[4]; 441 } pfk; /* 128-bit hash key */ 442 #define key8 pfk.key8 443 #define key16 pfk.key16 444 #define key32 pfk.key32 445 }; 446 447 struct pf_pool { 448 struct pf_palist list; 449 struct pf_pooladdr *cur; 450 struct pf_poolhashkey key; 451 struct pf_addr counter; 452 int tblidx; 453 u_int16_t proxy_port[2]; 454 u_int8_t port_op; 455 u_int8_t opts; 456 }; 457 458 459 /* A packed Operating System description for fingerprinting */ 460 typedef u_int32_t pf_osfp_t; 461 #define PF_OSFP_ANY ((pf_osfp_t)0) 462 #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1) 463 #define PF_OSFP_NOMATCH ((pf_osfp_t)-2) 464 465 struct pf_osfp_entry { 466 SLIST_ENTRY(pf_osfp_entry) fp_entry; 467 pf_osfp_t fp_os; 468 int fp_enflags; 469 #define PF_OSFP_EXPANDED 0x001 /* expanded entry */ 470 #define PF_OSFP_GENERIC 0x002 /* generic signature */ 471 #define PF_OSFP_NODETAIL 0x004 /* no p0f details */ 472 #define PF_OSFP_LEN 32 473 char fp_class_nm[PF_OSFP_LEN]; 474 char fp_version_nm[PF_OSFP_LEN]; 475 char fp_subtype_nm[PF_OSFP_LEN]; 476 }; 477 #define PF_OSFP_ENTRY_EQ(a, b) \ 478 ((a)->fp_os == (b)->fp_os && \ 479 memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \ 480 memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \ 481 memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0) 482 483 /* handle pf_osfp_t packing */ 484 #define _FP_RESERVED_BIT 1 /* For the special negative #defines */ 485 #define _FP_UNUSED_BITS 1 486 #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */ 487 #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */ 488 #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */ 489 #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \ 490 (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \ 491 ((1 << _FP_CLASS_BITS) - 1); \ 492 (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \ 493 ((1 << _FP_VERSION_BITS) - 1);\ 494 (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \ 495 } while(0) 496 #define PF_OSFP_PACK(osfp, class, version, subtype) do { \ 497 (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \ 498 + _FP_SUBTYPE_BITS); \ 499 (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \ 500 _FP_SUBTYPE_BITS; \ 501 (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \ 502 } while(0) 503 504 /* the fingerprint of an OSes TCP SYN packet */ 505 typedef u_int64_t pf_tcpopts_t; 506 struct pf_os_fingerprint { 507 SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */ 508 pf_tcpopts_t fp_tcpopts; /* packed TCP options */ 509 u_int16_t fp_wsize; /* TCP window size */ 510 u_int16_t fp_psize; /* ip->ip_len */ 511 u_int16_t fp_mss; /* TCP MSS */ 512 u_int16_t fp_flags; 513 #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */ 514 #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */ 515 #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */ 516 #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */ 517 #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */ 518 #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */ 519 #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */ 520 #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */ 521 #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */ 522 #define PF_OSFP_MSS 0x0200 /* TCP MSS */ 523 #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */ 524 #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */ 525 #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */ 526 #define PF_OSFP_TS0 0x2000 /* Zero timestamp */ 527 #define PF_OSFP_INET6 0x4000 /* IPv6 */ 528 u_int8_t fp_optcnt; /* TCP option count */ 529 u_int8_t fp_wscale; /* TCP window scaling */ 530 u_int8_t fp_ttl; /* IPv4 TTL */ 531 #define PF_OSFP_MAXTTL_OFFSET 40 532 /* TCP options packing */ 533 #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */ 534 #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */ 535 #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */ 536 #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */ 537 #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */ 538 #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */ 539 #define PF_OSFP_MAX_OPTS \ 540 (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \ 541 / PF_OSFP_TCPOPT_BITS 542 543 SLIST_ENTRY(pf_os_fingerprint) fp_next; 544 }; 545 546 struct pf_osfp_ioctl { 547 struct pf_osfp_entry fp_os; 548 pf_tcpopts_t fp_tcpopts; /* packed TCP options */ 549 u_int16_t fp_wsize; /* TCP window size */ 550 u_int16_t fp_psize; /* ip->ip_len */ 551 u_int16_t fp_mss; /* TCP MSS */ 552 u_int16_t fp_flags; 553 u_int8_t fp_optcnt; /* TCP option count */ 554 u_int8_t fp_wscale; /* TCP window scaling */ 555 u_int8_t fp_ttl; /* IPv4 TTL */ 556 557 int fp_getnum; /* DIOCOSFPGET number */ 558 }; 559 560 561 union pf_rule_ptr { 562 struct pf_rule *ptr; 563 u_int32_t nr; 564 }; 565 566 #define PF_ANCHOR_NAME_SIZE 64 567 568 struct pf_rule { 569 struct pf_rule_addr src; 570 struct pf_rule_addr dst; 571 #define PF_SKIP_IFP 0 572 #define PF_SKIP_DIR 1 573 #define PF_SKIP_AF 2 574 #define PF_SKIP_PROTO 3 575 #define PF_SKIP_SRC_ADDR 4 576 #define PF_SKIP_SRC_PORT 5 577 #define PF_SKIP_DST_ADDR 6 578 #define PF_SKIP_DST_PORT 7 579 #define PF_SKIP_COUNT 8 580 union pf_rule_ptr skip[PF_SKIP_COUNT]; 581 #define PF_RULE_LABEL_SIZE 64 582 char label[PF_RULE_LABEL_SIZE]; 583 #define PF_QNAME_SIZE 64 584 char ifname[IFNAMSIZ]; 585 char qname[PF_QNAME_SIZE]; 586 char pqname[PF_QNAME_SIZE]; 587 #define PF_TAG_NAME_SIZE 64 588 char tagname[PF_TAG_NAME_SIZE]; 589 char match_tagname[PF_TAG_NAME_SIZE]; 590 591 char overload_tblname[PF_TABLE_NAME_SIZE]; 592 593 TAILQ_ENTRY(pf_rule) entries; 594 struct pf_pool rpool; 595 596 u_int64_t evaluations; 597 u_int64_t packets[2]; 598 u_int64_t bytes[2]; 599 600 struct pfi_kif *kif; 601 struct pf_anchor *anchor; 602 struct pfr_ktable *overload_tbl; 603 604 pf_osfp_t os_fingerprint; 605 606 int rtableid; 607 u_int32_t timeout[PFTM_MAX]; 608 u_int32_t states; 609 u_int32_t max_states; 610 u_int32_t src_nodes; 611 u_int32_t max_src_nodes; 612 u_int32_t max_src_states; 613 u_int32_t max_src_conn; 614 struct { 615 u_int32_t limit; 616 u_int32_t seconds; 617 } max_src_conn_rate; 618 u_int32_t qid; 619 u_int32_t pqid; 620 u_int32_t rt_listid; 621 u_int32_t nr; 622 u_int32_t prob; 623 uid_t cuid; 624 pid_t cpid; 625 626 u_int16_t return_icmp; 627 u_int16_t return_icmp6; 628 u_int16_t max_mss; 629 u_int16_t tag; 630 u_int16_t match_tag; 631 632 struct pf_rule_uid uid; 633 struct pf_rule_gid gid; 634 635 u_int32_t rule_flag; 636 u_int8_t action; 637 u_int8_t direction; 638 u_int8_t log; 639 u_int8_t logif; 640 u_int8_t quick; 641 u_int8_t ifnot; 642 u_int8_t match_tag_not; 643 u_int8_t natpass; 644 645 #define PF_STATE_NORMAL 0x1 646 #define PF_STATE_MODULATE 0x2 647 #define PF_STATE_SYNPROXY 0x3 648 u_int8_t keep_state; 649 sa_family_t af; 650 u_int8_t proto; 651 u_int8_t type; 652 u_int8_t code; 653 u_int8_t flags; 654 u_int8_t flagset; 655 u_int8_t min_ttl; 656 u_int8_t allow_opts; 657 u_int8_t rt; 658 u_int8_t return_ttl; 659 u_int8_t tos; 660 u_int8_t anchor_relative; 661 u_int8_t anchor_wildcard; 662 663 #define PF_FLUSH 0x01 664 #define PF_FLUSH_GLOBAL 0x02 665 u_int8_t flush; 666 667 #define PF_PICKUPS_UNSPECIFIED 0 668 #define PF_PICKUPS_DISABLED 1 669 #define PF_PICKUPS_HASHONLY 2 670 #define PF_PICKUPS_ENABLED 3 671 u_int8_t pickup_mode; 672 u_int8_t unused01; /* available for use */ 673 }; 674 675 /* rule flags */ 676 #define PFRULE_DROP 0x0000 677 #define PFRULE_RETURNRST 0x0001 678 #define PFRULE_FRAGMENT 0x0002 679 #define PFRULE_RETURNICMP 0x0004 680 #define PFRULE_RETURN 0x0008 681 #define PFRULE_NOSYNC 0x0010 682 #define PFRULE_SRCTRACK 0x0020 /* track source states */ 683 #define PFRULE_RULESRCTRACK 0x0040 /* per rule */ 684 685 /* scrub flags */ 686 #define PFRULE_NODF 0x0100 687 #define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ 688 #define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ 689 #define PFRULE_RANDOMID 0x0800 690 #define PFRULE_REASSEMBLE_TCP 0x1000 691 692 /* rule flags again */ 693 #define PFRULE_IFBOUND 0x00010000 /* if-bound */ 694 695 #define PFSTATE_HIWAT 10000 /* default state table size */ 696 #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ 697 #define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */ 698 699 700 struct pf_threshold { 701 u_int32_t limit; 702 #define PF_THRESHOLD_MULT 1000 703 #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT 704 u_int32_t seconds; 705 u_int32_t count; 706 u_int32_t last; 707 }; 708 709 struct pf_src_node { 710 RB_ENTRY(pf_src_node) entry; 711 struct pf_addr addr; 712 struct pf_addr raddr; 713 union pf_rule_ptr rule; 714 struct pfi_kif *kif; 715 u_int64_t bytes[2]; 716 u_int64_t packets[2]; 717 u_int32_t states; 718 u_int32_t conn; 719 struct pf_threshold conn_rate; 720 u_int32_t creation; 721 u_int32_t expire; 722 sa_family_t af; 723 u_int8_t ruletype; 724 }; 725 726 #define PFSNODE_HIWAT 10000 /* default source node table size */ 727 728 struct pf_state_scrub { 729 struct timeval pfss_last; /* time received last packet */ 730 u_int32_t pfss_tsecr; /* last echoed timestamp */ 731 u_int32_t pfss_tsval; /* largest timestamp */ 732 u_int32_t pfss_tsval0; /* original timestamp */ 733 u_int16_t pfss_flags; 734 #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 735 #define PFSS_PAWS 0x0010 /* stricter PAWS checks */ 736 #define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */ 737 #define PFSS_DATA_TS 0x0040 /* timestamp on data packets */ 738 #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */ 739 u_int8_t pfss_ttl; /* stashed TTL */ 740 u_int8_t pad; 741 u_int32_t pfss_ts_mod; /* timestamp modulation */ 742 }; 743 744 struct pf_state_host { 745 struct pf_addr addr; 746 u_int16_t port; 747 u_int16_t pad; 748 }; 749 750 struct pf_state_peer { 751 u_int32_t seqlo; /* Max sequence number sent */ 752 u_int32_t seqhi; /* Max the other end ACKd + win */ 753 u_int32_t seqdiff; /* Sequence number modulator */ 754 u_int16_t max_win; /* largest window (pre scaling) */ 755 u_int8_t state; /* active state level */ 756 u_int8_t wscale; /* window scaling factor */ 757 u_int16_t mss; /* Maximum segment size option */ 758 u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */ 759 struct pf_state_scrub *scrub; /* state is scrubbed */ 760 u_int8_t pad[3]; 761 }; 762 763 TAILQ_HEAD(pf_state_queue, pf_state); 764 765 /* keep synced with struct pf_state_key, used in RB_FIND */ 766 struct pf_state_key_cmp { 767 struct pf_state_host lan; 768 struct pf_state_host gwy; 769 struct pf_state_host ext; 770 sa_family_t af; 771 u_int8_t proto; 772 u_int8_t direction; 773 u_int8_t pad; 774 }; 775 776 TAILQ_HEAD(pf_statelist, pf_state); 777 778 struct pf_state_key { 779 struct pf_state_host lan; 780 struct pf_state_host gwy; 781 struct pf_state_host ext; 782 sa_family_t af; 783 u_int8_t proto; 784 u_int8_t direction; 785 u_int8_t pad; 786 787 RB_ENTRY(pf_state_key) entry_lan_ext; 788 RB_ENTRY(pf_state_key) entry_ext_gwy; 789 struct pf_statelist states; 790 u_short refcnt; /* same size as if_index */ 791 }; 792 793 794 /* keep synced with struct pf_state, used in RB_FIND */ 795 struct pf_state_cmp { 796 u_int64_t id; 797 u_int32_t creatorid; 798 u_int32_t pad; 799 }; 800 801 struct pf_state { 802 u_int64_t id; 803 u_int32_t creatorid; 804 u_int32_t pad; 805 806 TAILQ_ENTRY(pf_state) entry_list; 807 TAILQ_ENTRY(pf_state) next; 808 RB_ENTRY(pf_state) entry_id; 809 struct pf_state_peer src; 810 struct pf_state_peer dst; 811 union pf_rule_ptr rule; 812 union pf_rule_ptr anchor; 813 union pf_rule_ptr nat_rule; 814 struct pf_addr rt_addr; 815 struct pf_state_key *state_key; 816 struct pfi_kif *kif; 817 struct pfi_kif *rt_kif; 818 struct pf_src_node *src_node; 819 struct pf_src_node *nat_src_node; 820 u_int64_t packets[2]; 821 u_int64_t bytes[2]; 822 u_int32_t hash; 823 u_int32_t creation; 824 u_int32_t expire; 825 u_int32_t pfsync_time; 826 u_int16_t tag; 827 u_int8_t log; 828 u_int8_t allow_opts; 829 u_int8_t timeout; 830 u_int8_t sync_flags; 831 u_int8_t pickup_mode; 832 #define PFSTATE_NOSYNC 0x01 833 #define PFSTATE_FROMSYNC 0x02 834 #define PFSTATE_STALE 0x04 835 }; 836 837 /* 838 * Unified state structures for pulling states out of the kernel 839 * used by pfsync(4) and the pf(4) ioctl. 840 */ 841 struct pfsync_state_scrub { 842 u_int16_t pfss_flags; 843 u_int8_t pfss_ttl; /* stashed TTL */ 844 #define PFSYNC_SCRUB_FLAG_VALID 0x01 845 u_int8_t scrub_flag; 846 u_int32_t pfss_ts_mod; /* timestamp modulation */ 847 }; 848 849 struct pfsync_state_host { 850 struct pf_addr addr; 851 u_int16_t port; 852 u_int16_t pad[3]; 853 }; 854 855 struct pfsync_state_peer { 856 struct pfsync_state_scrub scrub; /* state is scrubbed */ 857 u_int32_t seqlo; /* Max sequence number sent */ 858 u_int32_t seqhi; /* Max the other end ACKd + win */ 859 u_int32_t seqdiff; /* Sequence number modulator */ 860 u_int16_t max_win; /* largest window (pre scaling) */ 861 u_int16_t mss; /* Maximum segment size option */ 862 u_int8_t state; /* active state level */ 863 u_int8_t wscale; /* window scaling factor */ 864 u_int8_t pad[6]; 865 }; 866 867 struct pfsync_state { 868 u_int32_t id[2]; 869 char ifname[IFNAMSIZ]; 870 struct pfsync_state_host lan; 871 struct pfsync_state_host gwy; 872 struct pfsync_state_host ext; 873 struct pfsync_state_peer src; 874 struct pfsync_state_peer dst; 875 struct pf_addr rt_addr; 876 u_int32_t rule; 877 u_int32_t anchor; 878 u_int32_t nat_rule; 879 u_int32_t creation; 880 u_int32_t expire; 881 u_int32_t packets[2][2]; 882 u_int32_t bytes[2][2]; 883 u_int32_t creatorid; 884 sa_family_t af; 885 u_int8_t proto; 886 u_int8_t direction; 887 u_int8_t log; 888 u_int8_t allow_opts; 889 u_int8_t timeout; 890 u_int8_t sync_flags; 891 u_int8_t updates; 892 }; 893 894 #define PFSYNC_FLAG_COMPRESS 0x01 895 #define PFSYNC_FLAG_STALE 0x02 896 #define PFSYNC_FLAG_SRCNODE 0x04 897 #define PFSYNC_FLAG_NATSRCNODE 0x08 898 #define PFSTATE_GOT_SYN_MASK (PFSTATE_GOT_SYN1|PFSTATE_GOT_SYN2) 899 #define PFSTATE_GOT_SYN1 0x04 /* got SYN in one direction */ 900 #define PFSTATE_GOT_SYN2 0x08 /* got SYN in the other direction */ 901 902 /* for copies to/from userland via pf_ioctl() */ 903 #define pf_state_peer_to_pfsync(s,d) do { \ 904 (d)->seqlo = (s)->seqlo; \ 905 (d)->seqhi = (s)->seqhi; \ 906 (d)->seqdiff = (s)->seqdiff; \ 907 (d)->max_win = (s)->max_win; \ 908 (d)->mss = (s)->mss; \ 909 (d)->state = (s)->state; \ 910 (d)->wscale = (s)->wscale; \ 911 if ((s)->scrub) { \ 912 (d)->scrub.pfss_flags = \ 913 (s)->scrub->pfss_flags & PFSS_TIMESTAMP; \ 914 (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \ 915 (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod; \ 916 (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \ 917 } \ 918 } while (0) 919 920 #define pf_state_peer_from_pfsync(s,d) do { \ 921 (d)->seqlo = (s)->seqlo; \ 922 (d)->seqhi = (s)->seqhi; \ 923 (d)->seqdiff = (s)->seqdiff; \ 924 (d)->max_win = (s)->max_win; \ 925 (d)->mss = ntohs((s)->mss); \ 926 (d)->state = (s)->state; \ 927 (d)->wscale = (s)->wscale; \ 928 if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \ 929 (d)->scrub != NULL) { \ 930 (d)->scrub->pfss_flags = \ 931 ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \ 932 (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \ 933 (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod; \ 934 } \ 935 } while (0) 936 937 #define pf_state_counter_to_pfsync(s,d) do { \ 938 d[0] = (s>>32)&0xffffffff; \ 939 d[1] = s&0xffffffff; \ 940 } while (0) 941 942 #define pf_state_counter_from_pfsync(s) \ 943 (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1])) 944 945 946 947 TAILQ_HEAD(pf_rulequeue, pf_rule); 948 949 struct pf_anchor; 950 951 struct pf_ruleset { 952 struct { 953 struct pf_rulequeue queues[2]; 954 struct { 955 struct pf_rulequeue *ptr; 956 struct pf_rule **ptr_array; 957 u_int32_t rcount; 958 u_int32_t ticket; 959 int open; 960 } active, inactive; 961 } rules[PF_RULESET_MAX]; 962 struct pf_anchor *anchor; 963 u_int32_t tticket; 964 int tables; 965 int topen; 966 }; 967 968 RB_HEAD(pf_anchor_global, pf_anchor); 969 RB_HEAD(pf_anchor_node, pf_anchor); 970 struct pf_anchor { 971 RB_ENTRY(pf_anchor) entry_global; 972 RB_ENTRY(pf_anchor) entry_node; 973 struct pf_anchor *parent; 974 struct pf_anchor_node children; 975 char name[PF_ANCHOR_NAME_SIZE]; 976 char path[MAXPATHLEN]; 977 struct pf_ruleset ruleset; 978 int refcnt; /* anchor rules */ 979 int match; 980 }; 981 RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); 982 RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); 983 984 #define PF_RESERVED_ANCHOR "_pf" 985 986 #define PFR_TFLAG_PERSIST 0x00000001 987 #define PFR_TFLAG_CONST 0x00000002 988 #define PFR_TFLAG_ACTIVE 0x00000004 989 #define PFR_TFLAG_INACTIVE 0x00000008 990 #define PFR_TFLAG_REFERENCED 0x00000010 991 #define PFR_TFLAG_REFDANCHOR 0x00000020 992 #define PFR_TFLAG_USRMASK 0x00000003 993 #define PFR_TFLAG_SETMASK 0x0000003C 994 #define PFR_TFLAG_ALLMASK 0x0000003F 995 996 struct pfr_table { 997 char pfrt_anchor[MAXPATHLEN]; 998 char pfrt_name[PF_TABLE_NAME_SIZE]; 999 u_int32_t pfrt_flags; 1000 u_int8_t pfrt_fback; 1001 }; 1002 1003 enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED, 1004 PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE, 1005 PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX }; 1006 1007 struct pfr_addr { 1008 union { 1009 struct in_addr _pfra_ip4addr; 1010 struct in6_addr _pfra_ip6addr; 1011 } pfra_u; 1012 u_int8_t pfra_af; 1013 u_int8_t pfra_net; 1014 u_int8_t pfra_not; 1015 u_int8_t pfra_fback; 1016 }; 1017 #define pfra_ip4addr pfra_u._pfra_ip4addr 1018 #define pfra_ip6addr pfra_u._pfra_ip6addr 1019 1020 enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX }; 1021 enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX }; 1022 #define PFR_OP_XPASS PFR_OP_ADDR_MAX 1023 1024 struct pfr_astats { 1025 struct pfr_addr pfras_a; 1026 u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1027 u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1028 long pfras_tzero; 1029 }; 1030 1031 enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX }; 1032 1033 struct pfr_tstats { 1034 struct pfr_table pfrts_t; 1035 u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1036 u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1037 u_int64_t pfrts_match; 1038 u_int64_t pfrts_nomatch; 1039 long pfrts_tzero; 1040 int pfrts_cnt; 1041 int pfrts_refcnt[PFR_REFCNT_MAX]; 1042 }; 1043 #define pfrts_name pfrts_t.pfrt_name 1044 #define pfrts_flags pfrts_t.pfrt_flags 1045 1046 SLIST_HEAD(pfr_kentryworkq, pfr_kentry); 1047 struct pfr_kentry { 1048 struct radix_node pfrke_node[2]; 1049 union sockaddr_union pfrke_sa; 1050 u_int64_t pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1051 u_int64_t pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1052 SLIST_ENTRY(pfr_kentry) pfrke_workq; 1053 long pfrke_tzero; 1054 u_int8_t pfrke_af; 1055 u_int8_t pfrke_net; 1056 u_int8_t pfrke_not; 1057 u_int8_t pfrke_mark; 1058 u_int8_t pfrke_intrpool; 1059 }; 1060 1061 SLIST_HEAD(pfr_ktableworkq, pfr_ktable); 1062 RB_HEAD(pfr_ktablehead, pfr_ktable); 1063 struct pfr_ktable { 1064 struct pfr_tstats pfrkt_ts; 1065 RB_ENTRY(pfr_ktable) pfrkt_tree; 1066 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 1067 struct radix_node_head *pfrkt_ip4; 1068 struct radix_node_head *pfrkt_ip6; 1069 struct pfr_ktable *pfrkt_shadow; 1070 struct pfr_ktable *pfrkt_root; 1071 struct pf_ruleset *pfrkt_rs; 1072 long pfrkt_larg; 1073 int pfrkt_nflags; 1074 }; 1075 #define pfrkt_t pfrkt_ts.pfrts_t 1076 #define pfrkt_name pfrkt_t.pfrt_name 1077 #define pfrkt_anchor pfrkt_t.pfrt_anchor 1078 #define pfrkt_ruleset pfrkt_t.pfrt_ruleset 1079 #define pfrkt_flags pfrkt_t.pfrt_flags 1080 #define pfrkt_cnt pfrkt_ts.pfrts_cnt 1081 #define pfrkt_refcnt pfrkt_ts.pfrts_refcnt 1082 #define pfrkt_packets pfrkt_ts.pfrts_packets 1083 #define pfrkt_bytes pfrkt_ts.pfrts_bytes 1084 #define pfrkt_match pfrkt_ts.pfrts_match 1085 #define pfrkt_nomatch pfrkt_ts.pfrts_nomatch 1086 #define pfrkt_tzero pfrkt_ts.pfrts_tzero 1087 1088 RB_HEAD(pf_state_tree_lan_ext, pf_state_key); 1089 RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key, 1090 entry_lan_ext, pf_state_compare_lan_ext); 1091 1092 RB_HEAD(pf_state_tree_ext_gwy, pf_state_key); 1093 RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key, 1094 entry_ext_gwy, pf_state_compare_ext_gwy); 1095 1096 struct pfi_if { 1097 char pfif_name[IFNAMSIZ]; 1098 u_int64_t pfif_packets[2][2][2]; 1099 u_int64_t pfif_bytes[2][2][2]; 1100 u_int64_t pfif_addcnt; 1101 u_int64_t pfif_delcnt; 1102 long pfif_tzero; 1103 int pfif_states; 1104 int pfif_rules; 1105 int pfif_flags; 1106 }; 1107 1108 TAILQ_HEAD(pfi_grouphead, pfi_kif); 1109 TAILQ_HEAD(pfi_statehead, pfi_kif); 1110 RB_HEAD(pfi_ifhead, pfi_kif); 1111 1112 /* state tables */ 1113 extern struct pf_state_tree_lan_ext pf_statetbl_lan_ext; 1114 extern struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy; 1115 1116 /* keep synced with pfi_kif, used in RB_FIND */ 1117 struct pfi_kif_cmp { 1118 char pfik_ifname[IFNAMSIZ]; 1119 }; 1120 1121 struct pfi_kif { 1122 struct pfi_if pfik_if; 1123 RB_ENTRY(pfi_kif) pfik_tree; 1124 u_int64_t pfik_packets[2][2][2]; 1125 u_int64_t pfik_bytes[2][2][2]; 1126 u_int32_t pfik_tzero; 1127 int pfik_flags; 1128 struct hook_desc_head *pfik_ah_head; 1129 void *pfik_ah_cookie; 1130 struct pfi_kif *pfik_parent; 1131 struct ifnet *pfik_ifp; 1132 struct ifg_group *pfik_group; 1133 int pfik_states; 1134 int pfik_rules; 1135 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1136 }; 1137 #define pfik_name pfik_if.pfif_name 1138 #define pfik_packets pfik_if.pfif_packets 1139 #define pfik_bytes pfik_if.pfif_bytes 1140 #define pfik_tzero pfik_if.pfif_tzero 1141 #define pfik_flags pfik_if.pfif_flags 1142 #define pfik_addcnt pfik_if.pfif_addcnt 1143 #define pfik_delcnt pfik_if.pfif_delcnt 1144 #define pfik_states pfik_if.pfif_states 1145 #define pfik_rules pfik_if.pfif_rules 1146 1147 enum pfi_kif_refs { 1148 PFI_KIF_REF_NONE, 1149 PFI_KIF_REF_STATE, 1150 PFI_KIF_REF_RULE 1151 }; 1152 1153 #define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ 1154 #define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ 1155 #define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ 1156 #define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ 1157 #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1158 #define PFI_IFLAG_PLACEHOLDER 0x8000 /* placeholder group/interface */ 1159 1160 struct pf_pdesc { 1161 struct { 1162 int done; 1163 uid_t uid; 1164 gid_t gid; 1165 pid_t pid; 1166 } lookup; 1167 u_int64_t tot_len; /* Make Mickey money */ 1168 union { 1169 struct tcphdr *tcp; 1170 struct udphdr *udp; 1171 struct icmp *icmp; 1172 #ifdef INET6 1173 struct icmp6_hdr *icmp6; 1174 #endif /* INET6 */ 1175 void *any; 1176 } hdr; 1177 struct pf_addr baddr; /* address before translation */ 1178 struct pf_addr naddr; /* address after translation */ 1179 struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */ 1180 struct pf_addr *src; 1181 struct pf_addr *dst; 1182 struct ether_header 1183 *eh; 1184 u_int16_t *ip_sum; 1185 u_int32_t p_len; /* total length of payload */ 1186 u_int16_t flags; /* Let SCRUB trigger behavior in 1187 * state code. Easier than tags */ 1188 #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 1189 #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */ 1190 sa_family_t af; 1191 u_int8_t proto; 1192 u_int8_t tos; 1193 }; 1194 1195 /* flags for RDR options */ 1196 #define PF_DPORT_RANGE 0x01 /* Dest port uses range */ 1197 #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */ 1198 1199 /* Reasons code for passing/dropping a packet */ 1200 #define PFRES_MATCH 0 /* Explicit match of a rule */ 1201 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ 1202 #define PFRES_FRAG 2 /* Dropping following fragment */ 1203 #define PFRES_SHORT 3 /* Dropping short packet */ 1204 #define PFRES_NORM 4 /* Dropping by normalizer */ 1205 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */ 1206 #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ 1207 #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ 1208 #define PFRES_IPOPTIONS 8 /* IP option */ 1209 #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ 1210 #define PFRES_BADSTATE 10 /* State mismatch */ 1211 #define PFRES_STATEINS 11 /* State insertion failure */ 1212 #define PFRES_MAXSTATES 12 /* State limit */ 1213 #define PFRES_SRCLIMIT 13 /* Source node/conn limit */ 1214 #define PFRES_SYNPROXY 14 /* SYN proxy */ 1215 #define PFRES_MAX 15 /* total+1 */ 1216 1217 #define PFRES_NAMES { \ 1218 "match", \ 1219 "bad-offset", \ 1220 "fragment", \ 1221 "short", \ 1222 "normalize", \ 1223 "memory", \ 1224 "bad-timestamp", \ 1225 "congestion", \ 1226 "ip-option", \ 1227 "proto-cksum", \ 1228 "state-mismatch", \ 1229 "state-insert", \ 1230 "state-limit", \ 1231 "src-limit", \ 1232 "synproxy", \ 1233 NULL \ 1234 } 1235 1236 /* Counters for other things we want to keep track of */ 1237 #define LCNT_STATES 0 /* states */ 1238 #define LCNT_SRCSTATES 1 /* max-src-states */ 1239 #define LCNT_SRCNODES 2 /* max-src-nodes */ 1240 #define LCNT_SRCCONN 3 /* max-src-conn */ 1241 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */ 1242 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */ 1243 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */ 1244 #define LCNT_MAX 7 /* total+1 */ 1245 1246 #define LCNT_NAMES { \ 1247 "max states per rule", \ 1248 "max-src-states", \ 1249 "max-src-nodes", \ 1250 "max-src-conn", \ 1251 "max-src-conn-rate", \ 1252 "overload table insertion", \ 1253 "overload flush states", \ 1254 NULL \ 1255 } 1256 1257 /* UDP state enumeration */ 1258 #define PFUDPS_NO_TRAFFIC 0 1259 #define PFUDPS_SINGLE 1 1260 #define PFUDPS_MULTIPLE 2 1261 1262 #define PFUDPS_NSTATES 3 /* number of state levels */ 1263 1264 #define PFUDPS_NAMES { \ 1265 "NO_TRAFFIC", \ 1266 "SINGLE", \ 1267 "MULTIPLE", \ 1268 NULL \ 1269 } 1270 1271 /* Other protocol state enumeration */ 1272 #define PFOTHERS_NO_TRAFFIC 0 1273 #define PFOTHERS_SINGLE 1 1274 #define PFOTHERS_MULTIPLE 2 1275 1276 #define PFOTHERS_NSTATES 3 /* number of state levels */ 1277 1278 #define PFOTHERS_NAMES { \ 1279 "NO_TRAFFIC", \ 1280 "SINGLE", \ 1281 "MULTIPLE", \ 1282 NULL \ 1283 } 1284 1285 #define FCNT_STATE_SEARCH 0 1286 #define FCNT_STATE_INSERT 1 1287 #define FCNT_STATE_REMOVALS 2 1288 #define FCNT_MAX 3 1289 1290 #define SCNT_SRC_NODE_SEARCH 0 1291 #define SCNT_SRC_NODE_INSERT 1 1292 #define SCNT_SRC_NODE_REMOVALS 2 1293 #define SCNT_MAX 3 1294 1295 #define ACTION_SET(a, x) \ 1296 do { \ 1297 if ((a) != NULL) \ 1298 *(a) = (x); \ 1299 } while (0) 1300 1301 #define REASON_SET(a, x) \ 1302 do { \ 1303 if ((a) != NULL) \ 1304 *(a) = (x); \ 1305 if (x < PFRES_MAX) \ 1306 pf_status.counters[x]++; \ 1307 } while (0) 1308 1309 struct pf_status { 1310 u_int64_t counters[PFRES_MAX]; 1311 u_int64_t lcounters[LCNT_MAX]; /* limit counters */ 1312 u_int64_t fcounters[FCNT_MAX]; 1313 u_int64_t scounters[SCNT_MAX]; 1314 u_int64_t pcounters[2][2][3]; 1315 u_int64_t bcounters[2][2]; 1316 u_int64_t stateid; 1317 u_int32_t running; 1318 u_int32_t states; 1319 u_int32_t src_nodes; 1320 u_int32_t since; 1321 u_int32_t debug; 1322 u_int32_t hostid; 1323 char ifname[IFNAMSIZ]; 1324 u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 1325 }; 1326 1327 struct cbq_opts { 1328 u_int minburst; 1329 u_int maxburst; 1330 u_int pktsize; 1331 u_int maxpktsize; 1332 u_int ns_per_byte; 1333 u_int maxidle; 1334 int minidle; 1335 u_int offtime; 1336 int flags; 1337 }; 1338 1339 struct priq_opts { 1340 int flags; 1341 }; 1342 1343 struct hfsc_opts { 1344 /* real-time service curve */ 1345 u_int rtsc_m1; /* slope of the 1st segment in bps */ 1346 u_int rtsc_d; /* the x-projection of m1 in msec */ 1347 u_int rtsc_m2; /* slope of the 2nd segment in bps */ 1348 /* link-sharing service curve */ 1349 u_int lssc_m1; 1350 u_int lssc_d; 1351 u_int lssc_m2; 1352 /* upper-limit service curve */ 1353 u_int ulsc_m1; 1354 u_int ulsc_d; 1355 u_int ulsc_m2; 1356 int flags; 1357 }; 1358 1359 /* 1360 * XXX this needs some work 1361 */ 1362 struct fairq_opts { 1363 u_int nbuckets; /* hash buckets */ 1364 u_int hogs_m1; /* hog detection bandwidth */ 1365 int flags; 1366 1367 /* link-sharing service curve */ 1368 u_int lssc_m1; 1369 u_int lssc_d; 1370 u_int lssc_m2; 1371 }; 1372 1373 struct pf_altq { 1374 char ifname[IFNAMSIZ]; 1375 1376 void *altq_disc; /* discipline-specific state */ 1377 TAILQ_ENTRY(pf_altq) entries; 1378 1379 /* scheduler spec */ 1380 u_int8_t scheduler; /* scheduler type */ 1381 u_int16_t tbrsize; /* tokenbucket regulator size */ 1382 u_int32_t ifbandwidth; /* interface bandwidth */ 1383 1384 /* queue spec */ 1385 char qname[PF_QNAME_SIZE]; /* queue name */ 1386 char parent[PF_QNAME_SIZE]; /* parent name */ 1387 u_int32_t parent_qid; /* parent queue id */ 1388 u_int32_t bandwidth; /* queue bandwidth */ 1389 u_int8_t priority; /* priority */ 1390 u_int16_t qlimit; /* queue size limit */ 1391 u_int16_t flags; /* misc flags */ 1392 union { 1393 struct cbq_opts cbq_opts; 1394 struct priq_opts priq_opts; 1395 struct hfsc_opts hfsc_opts; 1396 struct fairq_opts fairq_opts; 1397 } pq_u; 1398 1399 u_int32_t qid; /* return value */ 1400 }; 1401 1402 #define PF_TAG_GENERATED 0x01 1403 #define PF_TAG_FRAGCACHE 0x02 1404 #define PF_TAG_TRANSLATE_LOCALHOST 0x04 1405 #define PF_TAG_STATE_HASHED 0x08 1406 1407 struct pf_tag { 1408 u_int16_t tag; /* tag id */ 1409 }; 1410 1411 struct pf_tagname { 1412 TAILQ_ENTRY(pf_tagname) entries; 1413 char name[PF_TAG_NAME_SIZE]; 1414 u_int16_t tag; 1415 int ref; 1416 }; 1417 1418 #define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */ 1419 #define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */ 1420 #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */ 1421 #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */ 1422 1423 #define PFR_KTABLE_HIWAT 1000 /* Number of tables */ 1424 #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */ 1425 #define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */ 1426 1427 /* 1428 * ioctl parameter structures 1429 */ 1430 1431 struct pfioc_pooladdr { 1432 u_int32_t action; 1433 u_int32_t ticket; 1434 u_int32_t nr; 1435 u_int32_t r_num; 1436 u_int8_t r_action; 1437 u_int8_t r_last; 1438 u_int8_t af; 1439 char anchor[MAXPATHLEN]; 1440 struct pf_pooladdr addr; 1441 }; 1442 1443 struct pfioc_rule { 1444 u_int32_t action; 1445 u_int32_t ticket; 1446 u_int32_t pool_ticket; 1447 u_int32_t nr; 1448 char anchor[MAXPATHLEN]; 1449 char anchor_call[MAXPATHLEN]; 1450 struct pf_rule rule; 1451 }; 1452 1453 struct pfioc_natlook { 1454 struct pf_addr saddr; 1455 struct pf_addr daddr; 1456 struct pf_addr rsaddr; 1457 struct pf_addr rdaddr; 1458 u_int16_t sport; 1459 u_int16_t dport; 1460 u_int16_t rsport; 1461 u_int16_t rdport; 1462 sa_family_t af; 1463 u_int8_t proto; 1464 u_int8_t direction; 1465 }; 1466 1467 struct pfioc_state { 1468 u_int32_t nr; 1469 void *state; 1470 }; 1471 1472 struct pfioc_src_node_kill { 1473 /* XXX returns the number of src nodes killed in psnk_af */ 1474 sa_family_t psnk_af; 1475 struct pf_rule_addr psnk_src; 1476 struct pf_rule_addr psnk_dst; 1477 }; 1478 1479 struct pfioc_state_kill { 1480 /* XXX returns the number of states killed in psk_af */ 1481 sa_family_t psk_af; 1482 int psk_proto; 1483 struct pf_rule_addr psk_src; 1484 struct pf_rule_addr psk_dst; 1485 char psk_ifname[IFNAMSIZ]; 1486 }; 1487 1488 struct pfioc_states { 1489 int ps_len; 1490 union { 1491 caddr_t psu_buf; 1492 struct pfsync_state *psu_states; 1493 } ps_u; 1494 #define ps_buf ps_u.psu_buf 1495 #define ps_states ps_u.psu_states 1496 }; 1497 1498 struct pfioc_src_nodes { 1499 int psn_len; 1500 union { 1501 caddr_t psu_buf; 1502 struct pf_src_node *psu_src_nodes; 1503 } psn_u; 1504 #define psn_buf psn_u.psu_buf 1505 #define psn_src_nodes psn_u.psu_src_nodes 1506 }; 1507 1508 struct pfioc_if { 1509 char ifname[IFNAMSIZ]; 1510 }; 1511 1512 struct pfioc_tm { 1513 int timeout; 1514 int seconds; 1515 }; 1516 1517 struct pfioc_limit { 1518 int index; 1519 unsigned limit; 1520 }; 1521 1522 struct pfioc_altq { 1523 u_int32_t action; 1524 u_int32_t ticket; 1525 u_int32_t nr; 1526 struct pf_altq altq; 1527 }; 1528 1529 struct pfioc_qstats { 1530 u_int32_t ticket; 1531 u_int32_t nr; 1532 void *buf; 1533 int nbytes; 1534 u_int8_t scheduler; 1535 }; 1536 1537 struct pfioc_anchor { 1538 u_int32_t nr; 1539 char name[PF_ANCHOR_NAME_SIZE]; 1540 }; 1541 1542 struct pfioc_ruleset { 1543 u_int32_t nr; 1544 char path[MAXPATHLEN]; 1545 char name[PF_ANCHOR_NAME_SIZE]; 1546 }; 1547 1548 #define PF_RULESET_ALTQ (PF_RULESET_MAX) 1549 #define PF_RULESET_TABLE (PF_RULESET_MAX+1) 1550 struct pfioc_trans { 1551 int size; /* number of elements */ 1552 int esize; /* size of each element in bytes */ 1553 struct pfioc_trans_e { 1554 int rs_num; 1555 char anchor[MAXPATHLEN]; 1556 u_int32_t ticket; 1557 } *array; 1558 }; 1559 1560 #define PFR_FLAG_ATOMIC 0x00000001 1561 #define PFR_FLAG_DUMMY 0x00000002 1562 #define PFR_FLAG_FEEDBACK 0x00000004 1563 #define PFR_FLAG_CLSTATS 0x00000008 1564 #define PFR_FLAG_ADDRSTOO 0x00000010 1565 #define PFR_FLAG_REPLACE 0x00000020 1566 #define PFR_FLAG_ALLRSETS 0x00000040 1567 #define PFR_FLAG_ALLMASK 0x0000007F 1568 #ifdef _KERNEL 1569 #define PFR_FLAG_USERIOCTL 0x10000000 1570 #endif 1571 1572 struct pfioc_table { 1573 struct pfr_table pfrio_table; 1574 void *pfrio_buffer; 1575 int pfrio_esize; 1576 int pfrio_size; 1577 int pfrio_size2; 1578 int pfrio_nadd; 1579 int pfrio_ndel; 1580 int pfrio_nchange; 1581 int pfrio_flags; 1582 u_int32_t pfrio_ticket; 1583 }; 1584 #define pfrio_exists pfrio_nadd 1585 #define pfrio_nzero pfrio_nadd 1586 #define pfrio_nmatch pfrio_nadd 1587 #define pfrio_naddr pfrio_size2 1588 #define pfrio_setflag pfrio_size2 1589 #define pfrio_clrflag pfrio_nadd 1590 1591 struct pfioc_iface { 1592 char pfiio_name[IFNAMSIZ]; 1593 void *pfiio_buffer; 1594 int pfiio_esize; 1595 int pfiio_size; 1596 int pfiio_nzero; 1597 int pfiio_flags; 1598 }; 1599 1600 1601 /* 1602 * ioctl operations 1603 */ 1604 1605 #define DIOCSTART _IO ('D', 1) 1606 #define DIOCSTOP _IO ('D', 2) 1607 #define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule) 1608 #define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1609 #define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule) 1610 #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1611 #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1612 /* XXX cut 8 - 17 */ 1613 #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill) 1614 #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1615 #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1616 #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1617 #define DIOCCLRSTATUS _IO ('D', 22) 1618 #define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1619 #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1620 #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1621 #define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) 1622 /* XXX cut 26 - 28 */ 1623 #define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm) 1624 #define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm) 1625 #define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state) 1626 #define DIOCCLRRULECTRS _IO ('D', 38) 1627 #define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit) 1628 #define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit) 1629 #define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill) 1630 #define DIOCSTARTALTQ _IO ('D', 42) 1631 #define DIOCSTOPALTQ _IO ('D', 43) 1632 #define DIOCBEGINALTQS _IOWR('D', 44, u_int32_t) 1633 #define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq) 1634 #define DIOCCOMMITALTQS _IOWR('D', 46, u_int32_t) 1635 #define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq) 1636 #define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq) 1637 #define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq) 1638 #define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats) 1639 #define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr) 1640 #define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr) 1641 #define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr) 1642 #define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr) 1643 #define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr) 1644 #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset) 1645 #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset) 1646 #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table) 1647 #define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table) 1648 #define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table) 1649 #define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table) 1650 #define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table) 1651 #define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table) 1652 #define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table) 1653 #define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table) 1654 #define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table) 1655 #define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table) 1656 #define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table) 1657 #define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table) 1658 #define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table) 1659 #define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1660 #define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1661 #define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table) 1662 #define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table) 1663 #define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1664 #define DIOCOSFPFLUSH _IO('D', 78) 1665 #define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1666 #define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) 1667 #define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans) 1668 #define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans) 1669 #define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans) 1670 #define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes) 1671 #define DIOCCLRSRCNODES _IO('D', 85) 1672 #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) 1673 #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) 1674 #define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface) 1675 #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface) 1676 #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface) 1677 #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill) 1678 struct pf_ifspeed { 1679 char ifname[IFNAMSIZ]; 1680 u_int32_t baudrate; 1681 }; 1682 #define DIOCGIFSPEED _IOWR('D', 89, struct pf_ifspeed) 1683 1684 #ifdef _KERNEL 1685 RB_HEAD(pf_src_tree, pf_src_node); 1686 RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare); 1687 extern struct pf_src_tree tree_src_tracking; 1688 1689 RB_HEAD(pf_state_tree_id, pf_state); 1690 RB_PROTOTYPE(pf_state_tree_id, pf_state, 1691 entry_id, pf_state_compare_id); 1692 extern struct pf_state_tree_id tree_id; 1693 extern struct pf_state_queue state_list; 1694 1695 TAILQ_HEAD(pf_poolqueue, pf_pool); 1696 extern struct pf_poolqueue pf_pools[2]; 1697 TAILQ_HEAD(pf_altqqueue, pf_altq); 1698 extern struct pf_altqqueue pf_altqs[2]; 1699 extern struct pf_palist pf_pabuf; 1700 1701 extern u_int32_t ticket_altqs_active; 1702 extern u_int32_t ticket_altqs_inactive; 1703 extern int altqs_inactive_open; 1704 extern u_int32_t ticket_pabuf; 1705 extern struct pf_altqqueue *pf_altqs_active; 1706 extern struct pf_altqqueue *pf_altqs_inactive; 1707 extern struct pf_poolqueue *pf_pools_active; 1708 extern struct pf_poolqueue *pf_pools_inactive; 1709 extern int pf_tbladdr_setup(struct pf_ruleset *, 1710 struct pf_addr_wrap *); 1711 extern void pf_tbladdr_remove(struct pf_addr_wrap *); 1712 extern void pf_tbladdr_copyout(struct pf_addr_wrap *); 1713 extern void pf_calc_skip_steps(struct pf_rulequeue *); 1714 extern vm_zone_t pf_src_tree_pl, pf_rule_pl; 1715 extern vm_zone_t pf_state_pl, pf_state_key_pl, pf_altq_pl, 1716 pf_pooladdr_pl; 1717 extern vm_zone_t pfr_ktable_pl, pfr_kentry_pl; 1718 extern vm_zone_t pfr_kentry_pl2; 1719 extern vm_zone_t pf_cache_pl, pf_cent_pl; 1720 extern vm_zone_t pf_state_scrub_pl; 1721 extern vm_zone_t pfi_addr_pl; 1722 extern void pf_purge_thread(void *); 1723 extern int pf_purge_expired_src_nodes(int); 1724 extern int pf_purge_expired_states(u_int32_t, int); 1725 extern void pf_unlink_state(struct pf_state *); 1726 extern void pf_free_state(struct pf_state *); 1727 extern int pf_insert_state(struct pfi_kif *, 1728 struct pf_state *); 1729 extern int pf_insert_src_node(struct pf_src_node **, 1730 struct pf_rule *, struct pf_addr *, 1731 sa_family_t); 1732 void pf_src_tree_remove_state(struct pf_state *); 1733 u_int32_t pf_state_hash(struct pf_state_key *sk); 1734 extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *); 1735 extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *, 1736 u_int8_t, int *); 1737 extern void pf_print_state(struct pf_state *); 1738 extern void pf_print_flags(u_int8_t); 1739 extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 1740 u_int8_t); 1741 1742 extern struct ifnet *sync_ifp; 1743 extern struct pf_rule pf_default_rule; 1744 extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1745 u_int8_t); 1746 void pf_rm_rule(struct pf_rulequeue *, 1747 struct pf_rule *); 1748 1749 #ifdef INET 1750 int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *, struct inpcb *); 1751 #endif /* INET */ 1752 1753 #ifdef INET6 1754 int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *, struct inpcb *); 1755 void pf_poolmask(struct pf_addr *, struct pf_addr*, 1756 struct pf_addr *, struct pf_addr *, u_int8_t); 1757 void pf_addr_inc(struct pf_addr *, sa_family_t); 1758 #endif /* INET6 */ 1759 1760 u_int32_t pf_new_isn(struct pf_state_key *); /* From FreeBSD */ 1761 void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1762 sa_family_t); 1763 void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); 1764 int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, 1765 u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, 1766 struct pf_pdesc *); 1767 int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 1768 struct pf_addr *, sa_family_t); 1769 int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); 1770 int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 1771 int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 1772 int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); 1773 1774 void pf_normalize_init(void); 1775 int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *, 1776 struct pf_pdesc *); 1777 int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *, 1778 struct pf_pdesc *); 1779 int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, 1780 struct pf_pdesc *); 1781 void pf_normalize_tcp_cleanup(struct pf_state *); 1782 int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 1783 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 1784 int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 1785 u_short *, struct tcphdr *, struct pf_state *, 1786 struct pf_state_peer *, struct pf_state_peer *, int *); 1787 u_int32_t 1788 pf_state_expires(const struct pf_state *); 1789 void pf_purge_expired_fragments(void); 1790 int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *); 1791 int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *); 1792 int pf_socket_lookup(int, struct pf_pdesc *); 1793 struct pf_state_key * 1794 pf_alloc_state_key(struct pf_state *); 1795 void pfr_initialize(void); 1796 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 1797 void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 1798 u_int64_t, int, int, int); 1799 int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, 1800 struct pf_addr **, struct pf_addr **, sa_family_t); 1801 void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); 1802 struct pfr_ktable * 1803 pfr_attach_table(struct pf_ruleset *, char *); 1804 void pfr_detach_table(struct pfr_ktable *); 1805 int pfr_clr_tables(struct pfr_table *, int *, int); 1806 int pfr_add_tables(struct pfr_table *, int, int *, int); 1807 int pfr_del_tables(struct pfr_table *, int, int *, int); 1808 int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 1809 int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); 1810 int pfr_clr_tstats(struct pfr_table *, int, int *, int); 1811 int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int); 1812 int pfr_clr_addrs(struct pfr_table *, int *, int); 1813 int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long); 1814 int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1815 int); 1816 int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1817 int); 1818 int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1819 int *, int *, int *, int, u_int32_t); 1820 int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 1821 int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 1822 int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 1823 int); 1824 int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1825 int); 1826 int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); 1827 int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int); 1828 int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 1829 int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 1830 int *, u_int32_t, int); 1831 1832 extern struct pfi_kif *pfi_all; 1833 1834 void pfi_initialize(void); 1835 struct pfi_kif *pfi_kif_get(const char *); 1836 void pfi_cleanup(void); 1837 void pfi_attach_clone(struct if_clone *); 1838 void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs); 1839 void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs); 1840 int pfi_kif_match(struct pfi_kif *, struct pfi_kif *); 1841 void pfi_attach_ifnet(struct ifnet *); 1842 void pfi_detach_ifnet(struct ifnet *); 1843 struct pfi_kif *pfi_lookup_create(const char *); 1844 struct pfi_kif *pfi_lookup_if(const char *); 1845 void pfi_attach_ifgroup(struct ifg_group *); 1846 void pfi_detach_ifgroup(struct ifg_group *); 1847 void pfi_group_change(const char *); 1848 int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, 1849 sa_family_t); 1850 int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); 1851 void pfi_dynaddr_remove(struct pf_addr_wrap *); 1852 void pfi_dynaddr_copyout(struct pf_addr_wrap *); 1853 void pfi_fill_oldstatus(struct pf_status *); 1854 int pfi_clr_istats(const char *); 1855 int pfi_get_ifaces(const char *, struct pfi_kif *, int *); 1856 int pfi_set_flags(const char *, int); 1857 int pfi_clear_flags(const char *, int); 1858 1859 u_int16_t pf_tagname2tag(char *); 1860 void pf_tag2tagname(u_int16_t, char *); 1861 void pf_tag_ref(u_int16_t); 1862 void pf_tag_unref(u_int16_t); 1863 int pf_tag_packet(struct mbuf *, int, int); 1864 u_int32_t pf_qname2qid(char *); 1865 void pf_qid2qname(u_int32_t, char *); 1866 void pf_qid_unref(u_int32_t); 1867 1868 extern struct pf_status pf_status; 1869 extern vm_zone_t pf_frent_pl, pf_frag_pl; 1870 extern struct lock pf_consistency_lock; 1871 1872 struct pf_pool_limit { 1873 void *pp; 1874 unsigned limit; 1875 }; 1876 extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 1877 1878 struct pf_frent { 1879 LIST_ENTRY(pf_frent) fr_next; 1880 struct ip *fr_ip; 1881 struct mbuf *fr_m; 1882 }; 1883 1884 struct pf_frcache { 1885 LIST_ENTRY(pf_frcache) fr_next; 1886 uint16_t fr_off; 1887 uint16_t fr_end; 1888 }; 1889 1890 struct pf_fragment { 1891 RB_ENTRY(pf_fragment) fr_entry; 1892 TAILQ_ENTRY(pf_fragment) frag_next; 1893 struct in_addr fr_src; 1894 struct in_addr fr_dst; 1895 u_int8_t fr_p; /* protocol of this fragment */ 1896 u_int8_t fr_flags; /* status flags */ 1897 u_int16_t fr_id; /* fragment id for reassemble */ 1898 u_int16_t fr_max; /* fragment data max */ 1899 u_int32_t fr_timeout; 1900 #define fr_queue fr_u.fru_queue 1901 #define fr_cache fr_u.fru_cache 1902 union { 1903 LIST_HEAD(pf_fragq, pf_frent) fru_queue; /* buffering */ 1904 LIST_HEAD(pf_cacheq, pf_frcache) fru_cache; /* non-buf */ 1905 } fr_u; 1906 }; 1907 1908 #endif /* _KERNEL */ 1909 1910 extern struct pf_anchor_global pf_anchors; 1911 extern struct pf_anchor pf_main_anchor; 1912 #define pf_main_ruleset pf_main_anchor.ruleset 1913 1914 /* these ruleset functions can be linked into userland programs (pfctl) */ 1915 int pf_get_ruleset_number(u_int8_t); 1916 void pf_init_ruleset(struct pf_ruleset *); 1917 int pf_anchor_setup(struct pf_rule *, 1918 const struct pf_ruleset *, const char *); 1919 int pf_anchor_copyout(const struct pf_ruleset *, 1920 const struct pf_rule *, struct pfioc_rule *); 1921 void pf_anchor_remove(struct pf_rule *); 1922 void pf_remove_if_empty_ruleset(struct pf_ruleset *); 1923 struct pf_anchor *pf_find_anchor(const char *); 1924 struct pf_ruleset *pf_find_ruleset(const char *); 1925 struct pf_ruleset *pf_find_or_create_ruleset(const char *); 1926 void pf_rs_initialize(void); 1927 1928 /* The fingerprint functions can be linked into userland programs (tcpdump) */ 1929 int pf_osfp_add(struct pf_osfp_ioctl *); 1930 #ifdef _KERNEL 1931 struct pf_osfp_enlist * 1932 pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int, 1933 const struct tcphdr *); 1934 #endif /* _KERNEL */ 1935 struct pf_osfp_enlist * 1936 pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *, 1937 const struct tcphdr *); 1938 void pf_osfp_flush(void); 1939 int pf_osfp_get(struct pf_osfp_ioctl *); 1940 int pf_osfp_initialize(void); 1941 void pf_osfp_cleanup(void); 1942 int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); 1943 struct pf_os_fingerprint * 1944 pf_osfp_validate(void); 1945 1946 1947 #endif /* _NET_PFVAR_H_ */ 1948