/*	$NetBSD: npf.h,v 1.51 2016/12/10 19:05:45 christos Exp $	*/

/*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public NPF interfaces.
 *
 * This header is shared between the kernel (the _KERNEL section below:
 * nbuf, packet cache and extension interfaces) and userland (rule/table
 * attribute constants, ioctl structures and statistics layout).  Values
 * defined here that cross the user/kernel boundary are part of the ABI;
 * NPF_VERSION is the version tag for that ABI.
 */

#ifndef _NPF_NET_H_
#define _NPF_NET_H_

#include <sys/param.h>
#include <sys/types.h>

#include <sys/ioctl.h>
#include <prop/proplib.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>

/*
 * ABI version of this header.  The kernel exposes an int through
 * IOC_NPF_VERSION (below); NOTE(review): presumably userland compares
 * it against this constant before issuing other ioctls -- confirm in
 * the library.
 */
#define NPF_VERSION 18

/*
 * Public declarations and definitions.
 */

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 * An IPv4 address is carried inside the 16-byte in6_addr storage; the
 * accompanying length (see npc_alen / npf_ioctl_ent.alen) says which.
 * The netmask is a prefix length, 0..NPF_MAX_NETMASK.
 */
typedef struct in6_addr npf_addr_t;
typedef uint8_t npf_netmask_t;

/* Widest prefix length (IPv6: 128 bits). */
#define NPF_MAX_NETMASK (128)
/*
 * Sentinel meaning "no netmask".  npf_netmask_t is uint8_t, so this is
 * 255 -- outside the valid 0..128 range and therefore unambiguous.
 */
#define NPF_NO_NETMASK ((npf_netmask_t)~0)

/* BPF coprocessor. */
#if defined(NPF_BPFCOP)
/* Coprocessor function numbers. */
#define NPF_COP_L3 0
#define NPF_COP_TABLE 1

/* BPF memory-word slots filled in for the program. */
#define BPF_MW_IPVER 0
#define BPF_MW_L4OFF 1
#define BPF_MW_L4PROTO 2
#endif
/*
 * The number of words used.  Matches the three BPF_MW_* slots above
 * (indices 0..2); keep them in sync if a slot is added.
 */
#define NPF_BPF_NWORDS 3

#if defined(_KERNEL)

/* Packet decision values. */
#define NPF_DECISION_BLOCK 0
#define NPF_DECISION_PASS 1

/*
 * Declare an NPF extension kernel module.  'req' must be a string
 * literal: it is joined to "npf," by adjacent-literal concatenation, and
 * sizeof(req) - 1 is its length.  An empty string yields the dependency
 * list "npf", a non-empty one "npf,<req>".
 */
#define NPF_EXT_MODULE(name, req) \
	MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")

#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>

/*
 * Network buffer interface.
 */

/* nb_flags bit (see nbuf_flag_p / nbuf_unset_flag). */
#define NBUF_DATAREF_RESET 0x01

/*
 * Network buffer: NPF's view of an mbuf chain plus a data cursor.
 * NOTE(review): the exact roles of nb_mbuf0 vs nb_mbuf and of nb_nptr
 * are not visible in this header; presumably the head of the chain, the
 * mbuf currently being walked, and the current data pointer -- confirm
 * in the nbuf implementation.
 */
typedef struct {
	struct mbuf *	nb_mbuf0;
	struct mbuf *	nb_mbuf;
	void *		nb_nptr;
	const ifnet_t *	nb_ifp;	/* Interface the packet is on. */
	unsigned	nb_ifid;
	int		nb_flags;	/* NBUF_* bits. */
} nbuf_t;

void		nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

/*
 * Data access.  The pointer-returning routines hand back a pointer into
 * the mbuf data; NOTE(review): their failure convention (NULL return?)
 * is not stated here -- callers must check before dereferencing, since
 * the requested length may exceed what the chain holds.
 */
void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Make the next 'len' bytes contiguous / writable.  These may modify the
 * mbuf chain, so cached pointers taken before the call must be treated
 * as stale afterwards (the NBUF_DATAREF_RESET flag presumably signals
 * this -- confirm).
 */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t *);

/*
 * Packet information cache.
 */

/*
 * npc_info flags: which headers have been located and cached.  The
 * pointers in npc_ip / npc_l4 are only meaningful when the matching
 * flag is set.
 */
#define NPC_IP4		0x01	/* Indicates IPv4 header. */
#define NPC_IP6		0x02	/* Indicates IPv6 header. */
#define NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define NPC_TCP		0x10	/* TCP header. */
#define NPC_UDP		0x20	/* UDP header. */
#define NPC_ICMP	0x40	/* ICMP header. */
#define NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define NPC_ALG_EXEC	0x100	/* ALG execution. */

/* Either IP version; note npf_iscached() tests "any bit" of a mask. */
#define NPC_IP46	(NPC_IP4|NPC_IP6)

typedef struct {
	/* Information flags (NPC_*) and the nbuf. */
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * npc_ips[] is indexed by NPF_SRC / NPF_DST (defined below).
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint8_t		npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6. Valid when NPC_IP4 / NPC_IP6 is set. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/* TCP, UDP, ICMP. Valid when NPC_LAYER4 and the protocol bit are set. */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;
} npf_cache_t;

/*
 * npf_iscached: return true if any of the NPC_* bits in 'inf' is set in
 * the cache's information flags.
 *
 * The test is (npc_info & inf) != 0, i.e. "any bit", not "all bits":
 * with a multi-bit mask such as NPC_IP46 it answers whether at least one
 * of the layers is cached.  Callers that need several flags at once
 * (e.g. NPC_LAYER4 together with NPC_TCP before touching npc_l4.tcp)
 * should test them separately.  The KASSERT only fires in diagnostic
 * kernels; it requires that a nbuf has been attached to the cache.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);
	return __predict_true((npc->npc_info & inf) != 0);
}

/* Indices into npc_ips[]. */
#define NPF_SRC		0
#define NPF_DST		1

/*
 * NPF extensions and rule procedure interface.
 */

struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;

void	npf_rproc_assign(npf_rproc_t *, void *);

/*
 * Operations supplied by an extension when it registers.
 * - ctor is handed the rule procedure and its configuration dictionary
 *   (NOTE(review): the dictionary presumably originates from the
 *   userland configuration load, so ctor should validate every value it
 *   reads -- confirm).
 * - dtor releases the per-procedure state created by ctor.
 * - proc is invoked on a packet with the cache and that state; the int*
 *   is an out-parameter, presumably the decision (NPF_DECISION_*).
 */
typedef struct {
	unsigned int	version;
	void *		ctx;
	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
	void		(*dtor)(npf_rproc_t *, void *);
	bool		(*proc)(npf_cache_t *, void *, int *);
} npf_ext_ops_t;

void *	npf_ext_register(const char *, const npf_ext_ops_t *);
int	npf_ext_unregister(void *);

/*
 * Misc.
 */

bool	npf_autounload_p(void);

#endif /* _KERNEL */

/* Rule attributes. */
#define NPF_RULE_PASS		0x00000001
#define NPF_RULE_GROUP		0x00000002
#define NPF_RULE_FINAL		0x00000004
#define NPF_RULE_STATEFUL	0x00000008
#define NPF_RULE_RETRST		0x00000010
#define NPF_RULE_RETICMP	0x00000020
#define NPF_RULE_DYNAMIC	0x00000040
#define NPF_RULE_MULTIENDS	0x00000080

#define NPF_DYNAMIC_GROUP	(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

/* Direction bits. */
#define NPF_RULE_IN		0x10000000
#define NPF_RULE_OUT		0x20000000
#define NPF_RULE_DIMASK		(NPF_RULE_IN | NPF_RULE_OUT)
#define NPF_RULE_FORW		0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * NOTE(review): since rule attributes arrive from userland via the
 * configuration load, the loader should reject or mask attributes that
 * carry any of these bits -- confirm where that is enforced.
 */
#define NPF_RULE_PRIVMASK	0x0f000000

/*
 * Upper bounds on rule name and key lengths.  NOTE(review): whether
 * these counts include the NUL terminator is not stated here.
 */
#define NPF_RULE_MAXNAMELEN	64
#define NPF_RULE_MAXKEYLEN	32

/* Priority values (negative sentinels; non-negative are explicit). */
#define NPF_PRI_FIRST		(-2)
#define NPF_PRI_LAST		(-1)

/* Types of code. */
#define NPF_CODE_NC		1
#define NPF_CODE_BPF		2

/* Address translation types and flags. */
#define NPF_NATIN		1
#define NPF_NATOUT		2

#define NPF_NAT_PORTS		0x01
#define NPF_NAT_PORTMAP		0x02
#define NPF_NAT_STATIC		0x04

#define NPF_ALGO_NPT66		1

/* Table types. */
#define NPF_TABLE_HASH		1
#define NPF_TABLE_TREE		2
#define NPF_TABLE_CDB		3

#define NPF_TABLE_MAXNAMELEN	32

/* Layers. */
#define NPF_LAYER_2		2
#define NPF_LAYER_3		3

/* XXX mbuf.h: just for now. */
#define PACKET_TAG_NPF		10

/* Packet tags. */
#define NPF_NTAG_PASS		0x0001

/*
 * Rule commands (non-ioctl).
 */

#define NPF_CMD_RULE_ADD	1
#define NPF_CMD_RULE_INSERT	2
#define NPF_CMD_RULE_REMOVE	3
#define NPF_CMD_RULE_REMKEY	4
#define NPF_CMD_RULE_LIST	5
#define NPF_CMD_RULE_FLUSH	6

/*
 * NPF ioctl(2): table commands and structures.
 */

#define NPF_CMD_TABLE_LOOKUP	1
#define NPF_CMD_TABLE_ADD	2
#define NPF_CMD_TABLE_REMOVE	3
#define NPF_CMD_TABLE_LIST	4
#define NPF_CMD_TABLE_FLUSH	5

/*
 * One table entry as passed from userland: address length (presumably
 * 4 or 16, as for npc_alen), the address and its prefix length
 * (NPF_NO_NETMASK for none).  NOTE(review): alen and mask are
 * user-controlled and must be range-checked by the kernel side.
 */
typedef struct npf_ioctl_ent {
	int		alen;
	npf_addr_t	addr;
	npf_netmask_t	mask;
} npf_ioctl_ent_t;

/* A user buffer and its length, e.g. for NPF_CMD_TABLE_LIST. */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;

/*
 * Argument of IOC_NPF_TABLE.  nct_name and nct_data.buf are pointers
 * into the caller's address space, not kernel memory: the kernel must
 * copy them in with explicit bounds (NOTE(review): presumably
 * NPF_TABLE_MAXNAMELEN for nct_name and nct_data.buf.len for the buffer
 * -- confirm in the ioctl handler) and never dereference them directly.
 */
typedef struct npf_ioctl_table {
	int		nct_cmd;	/* NPF_CMD_TABLE_* */
	const char *	nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;

/*
 * IOCTL operations.
 * _IOR: kernel -> user, _IOW: user -> kernel, _IOWR: both.  Number 106
 * is not assigned in this version.
 */

#define IOC_NPF_VERSION		_IOR('N', 100, int)
#define IOC_NPF_SWITCH		_IOW('N', 101, int)
#define IOC_NPF_LOAD		_IOWR('N', 102, struct plistref)
#define IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
/*
 * IOC_NPF_STATS passes a user pointer; NOTE(review): presumably the
 * kernel copies out NPF_STATS_SIZE bytes to it -- confirm.
 */
#define IOC_NPF_STATS		_IOW('N', 104, void *)
#define IOC_NPF_SAVE		_IOR('N', 105, struct plistref)
#define IOC_NPF_RULE		_IOWR('N', 107, struct plistref)
#define IOC_NPF_CONN_LOOKUP	_IOWR('N', 108, struct plistref)

/*
 * Statistics counters.
 * The enumerators are indices into an array of NPF_STATS_COUNT uint64_t
 * counters (see NPF_STATS_SIZE); appending a counter changes the size
 * userland expects, so new entries must go before NPF_STATS_COUNT and
 * NPF_VERSION should be bumped.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Byte size of the counter array: one uint64_t per npf_stats_t value. */
#define NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)

#endif /* _NPF_NET_H_ */