/*	$NetBSD: npf.h,v 1.34 2013/12/06 01:33:37 rmind Exp $	*/

/*-
 * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public NPF interfaces.
 *
 * This header is shared between the kernel and userland.  Everything inside
 * the #if defined(_KERNEL) block (packet cache, nbuf, extension/rproc API)
 * is kernel-only; the remainder (rule attributes, command codes, ioctl
 * structures and statistics layout) forms the user/kernel ABI.  Changing
 * the value or layout of anything in the shared part is an ABI change and
 * should be reflected in NPF_VERSION.
 */

#ifndef _NPF_NET_H_
#define _NPF_NET_H_

#include <sys/param.h>
#include <sys/types.h>

#include <sys/ioctl.h>
#include <prop/proplib.h>

#include <netinet/in_systm.h>
#include <netinet/in.h>

/*
 * Interface version.  Reported to userland as an int via IOC_NPF_VERSION
 * (below); a userland client is expected to compare it against the value
 * it was built with before issuing other ioctls.
 */
#define	NPF_VERSION		12

/*
 * Public declarations and definitions.
 */

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * npf_addr_t is a 16-byte in6_addr; an IPv4 address uses the first 4 bytes
 * and the caller carries the address length separately (see npc_alen and
 * npf_ioctl_ent.alen).  A netmask is a prefix length in bits.
 */
typedef struct in6_addr		npf_addr_t;
typedef uint8_t			npf_netmask_t;

/*
 * NPF_MAX_NETMASK is the largest valid prefix length (IPv6).
 * NPF_NO_NETMASK is the all-ones uint8_t (255), deliberately outside the
 * valid range 0..NPF_MAX_NETMASK, and marks "no mask / exact address".
 */
#define	NPF_MAX_NETMASK		(128)
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)

/*
 * BPF coprocessor.
 *
 * NPF_COP_* are the coprocessor call numbers exposed to BPF programs and
 * BPF_MW_* the memory-word slots they fill in -- presumably IP version,
 * L4 header offset and L4 protocol; confirm against the coprocessor
 * implementation.
 */
#if defined(NPF_BPFCOP)
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif

#if defined(_KERNEL)

/* Verdict values an extension's proc callback is expected to produce. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare an NPF extension kernel module.  'req' must be a string literal:
 * sizeof(req) - 1 is its length, so an empty "" yields the dependency list
 * "npf" and a non-empty one yields "npf,<req>" (string-literal pasting).
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")

/*
 * Packet information cache.
 */
#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>

/* npc_info bits.  A pointer in npc_ip/npc_l4 is only meaningful when the
 * corresponding bit is set; check with npf_iscached() before dereferencing. */
#define	NPC_IP4		0x01	/* Indicates fetched IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

/* Either IP version; with npf_iscached() this tests "IPv4 or IPv6". */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)

/*
 * Per-packet cache of parsed header locations.  The pointers reference
 * packet data owned by the nbuf/mbuf chain, not memory owned by the cache.
 */
typedef struct {
	/* Information flags (NPC_* bits). */
	uint32_t	npc_info;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Index with NPF_SRC / NPF_DST (defined below).
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint8_t		npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6 -- select by NPC_IP4 / NPC_IP6. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/* TCP, UDP, ICMP -- select by NPC_TCP / NPC_UDP / NPC_ICMP; 'hdr'
	 * is the untyped view of the same pointer. */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;
} npf_cache_t;

/*
 * npf_iscached: return true if ANY of the NPC_* bits in 'inf' is set in
 * npc->npc_info.  Note the any-of semantics: for a multi-bit mask such as
 * NPC_IP46 this does not mean all bits are set.  Marked likely-true for
 * the branch predictor.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	return __predict_true((npc->npc_info & inf) != 0);
}

/* Indices into npc_ips[]. */
#define	NPF_SRC		0
#define	NPF_DST		1

/*
 * Network buffer interface.
 */

/* nb_flags bit; set/queried through nbuf_flag_p()/nbuf_unset_flag(). */
#define	NBUF_DATAREF_RESET	0x01

/*
 * Wrapper around an mbuf chain tracking the current position (nb_nptr)
 * within it.  nb_mbuf0 and nb_mbuf are presumably the head and the mbuf
 * currently being walked -- confirm against nbuf_init()/nbuf_reset().
 */
typedef struct {
	struct mbuf *	nb_mbuf0;
	struct mbuf *	nb_mbuf;
	void *		nb_nptr;
	const ifnet_t *	nb_ifp;
	unsigned	nb_ifid;
	int		nb_flags;
} nbuf_t;

void		nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Both return a pointer to the requested number of bytes at the current
 * position; a NULL return presumably means the data could not be made
 * contiguous/writable (e.g. a short packet) and any previously cached
 * pointers may be stale -- confirm against the implementation.
 */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t, void **);

/*
 * NPF extensions and rule procedure interface.
 */

struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;

/* Attach extension-private state (the 'void *' later handed to dtor/proc). */
void	npf_rproc_assign(npf_rproc_t *, void *);

/*
 * Operations table supplied by an extension at registration time.
 *  - version: interface version the extension was built against.
 *  - ctx:     opaque extension context.
 *  - ctor:    construct per-rproc state from a proplib dictionary; the
 *             dictionary originates from userland configuration, so the
 *             constructor must validate every value it reads.
 *  - dtor:    release the state created by ctor.
 *  - proc:    per-packet hook; the trailing int * presumably carries the
 *             decision (NPF_DECISION_*) -- confirm against the caller.
 */
typedef struct {
	unsigned int	version;
	void *		ctx;
	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
	void		(*dtor)(npf_rproc_t *, void *);
	void		(*proc)(npf_cache_t *, nbuf_t *, void *, int *);
} npf_ext_ops_t;

/* Returns an opaque handle to pass back to npf_ext_unregister(). */
void *	npf_ext_register(const char *, const npf_ext_ops_t *);
int	npf_ext_unregister(void *);

/*
 * Misc.
 */

bool	npf_autounload_p(void);

#endif /* _KERNEL */

/*
 * Rule attributes.  The low bits describe the rule's action and behaviour,
 * the high bits (NPF_RULE_IN/OUT/FORW) its direction.
 */
#define	NPF_RULE_PASS			0x0001
#define	NPF_RULE_GROUP			0x0002
#define	NPF_RULE_FINAL			0x0004
#define	NPF_RULE_STATEFUL		0x0008
#define	NPF_RULE_RETRST			0x0010
#define	NPF_RULE_RETICMP		0x0020
#define	NPF_RULE_DYNAMIC		0x0040

#define	NPF_DYNAMIC_GROUP		(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

#define	NPF_RULE_IN			0x10000000
#define	NPF_RULE_OUT			0x20000000
#define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW			0x40000000

/*
 * Upper bounds for rule names and dynamic-rule keys.  These are the
 * limits the kernel is expected to enforce when copying user-supplied
 * names/keys in; userland should stay within them.
 */
#define	NPF_RULE_MAXNAMELEN		64
#define	NPF_RULE_MAXKEYLEN		32

/* Priority values: negative sentinels for "first"/"last" placement. */
#define	NPF_PRI_FIRST			(-2)
#define	NPF_PRI_LAST			(-1)

/* Types of code (rule filter program). */
#define	NPF_CODE_NC			1
#define	NPF_CODE_BPF			2

/* Address translation types and flags. */
#define	NPF_NATIN			1
#define	NPF_NATOUT			2

#define	NPF_NAT_PORTS			0x01
#define	NPF_NAT_PORTMAP			0x02

/* Table types. */
#define	NPF_TABLE_HASH			1
#define	NPF_TABLE_TREE			2

/* Upper bound for a table name (see npf_ioctl_table.nct_name). */
#define	NPF_TABLE_MAXNAMELEN		32

/* Layers. */
#define	NPF_LAYER_2			2
#define	NPF_LAYER_3			3

/* XXX mbuf.h: just for now. */
#define	PACKET_TAG_NPF			10

/*
 * Rule commands (non-ioctl).
 *
 * Note these share the numeric range of NPF_CMD_TABLE_* below; the two
 * sets are for different commands and must never be mixed.
 */

#define	NPF_CMD_RULE_ADD		1
#define	NPF_CMD_RULE_INSERT		2
#define	NPF_CMD_RULE_REMOVE		3
#define	NPF_CMD_RULE_REMKEY		4
#define	NPF_CMD_RULE_LIST		5
#define	NPF_CMD_RULE_FLUSH		6

/*
 * NPF ioctl(2): table commands and structures.
 */

#define	NPF_CMD_TABLE_LOOKUP		1
#define	NPF_CMD_TABLE_ADD		2
#define	NPF_CMD_TABLE_REMOVE		3
#define	NPF_CMD_TABLE_LIST		4
#define	NPF_CMD_TABLE_FLUSH		5

/*
 * A single table entry: 'alen' is the address length in bytes (4 or 16,
 * matching npc_alen), 'mask' a prefix length or NPF_NO_NETMASK.  Both
 * arrive from userland and must be range-checked by the kernel before use.
 */
typedef struct npf_ioctl_ent {
	int			alen;
	npf_addr_t		addr;
	npf_netmask_t		mask;
} npf_ioctl_ent_t;

/*
 * A user-space buffer (e.g. for NPF_CMD_TABLE_LIST output).  'buf' is a
 * user pointer and 'len' a user-supplied size; the kernel must bound every
 * copyout by 'len' and never trust it as an in-kernel length.
 */
typedef struct npf_ioctl_buf {
	void *			buf;
	size_t			len;
} npf_ioctl_buf_t;

/*
 * Argument of IOC_NPF_TABLE.  _IOW copies only this structure into the
 * kernel; nct_name and nct_data.buf.buf remain user pointers and must be
 * copied in separately (nct_name bounded by NPF_TABLE_MAXNAMELEN).
 * nct_cmd selects NPF_CMD_TABLE_* and thereby which union member is used.
 */
typedef struct npf_ioctl_table {
	int			nct_cmd;
	const char *		nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;

/*
 * IOCTL operations.
 *
 * The plistref-based operations carry a proplib dictionary across the
 * user/kernel boundary.  IOC_NPF_STATS passes a raw user pointer; the
 * kernel presumably copies NPF_STATS_SIZE bytes out to it, so the caller
 * must provide a buffer at least that large.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_RELOAD		_IOWR('N', 102, struct plistref)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SESSIONS_SAVE	_IOR('N', 105, struct plistref)
#define	IOC_NPF_SESSIONS_LOAD	_IOW('N', 106, struct plistref)
#define	IOC_NPF_RULE		_IOWR('N', 107, struct plistref)
#define	IOC_NPF_GETCONF		_IOR('N', 108, struct plistref)

/*
 * Statistics counters.
 *
 * Each enumerator indexes one uint64_t counter (see NPF_STATS_SIZE), so
 * enumerator order is part of the ABI: new counters must be added before
 * NPF_STATS_COUNT and existing ones never reordered.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_SESSION,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Session and NAT entries. */
	NPF_STAT_SESSION_CREATE,
	NPF_STAT_SESSION_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_SESSION,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Total size in bytes of the counter array exchanged via IOC_NPF_STATS. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)

#endif	/* _NPF_NET_H_ */