1 /* $NetBSD: npf.h,v 1.42 2014/06/29 00:05:24 rmind Exp $ */ 2 3 /*- 4 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This material is based upon work partially supported by The 8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 /* 33 * Public NPF interfaces. 34 */ 35 36 #ifndef _NPF_NET_H_ 37 #define _NPF_NET_H_ 38 39 #include <sys/param.h> 40 #include <sys/types.h> 41 42 #include <sys/ioctl.h> 43 #include <prop/proplib.h> 44 45 #include <netinet/in_systm.h> 46 #include <netinet/in.h> 47 48 #define NPF_VERSION 14 49 50 /* 51 * Public declarations and definitions. 
 */

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * npf_addr_t is always the 16-byte in6_addr; an IPv4 address occupies
 * only the first 4 bytes (see npc_alen below).  A netmask is a prefix
 * length in bits: 0..NPF_MAX_NETMASK, or NPF_NO_NETMASK (0xff) as the
 * "no mask" sentinel.  Values 129..254 are neither valid prefixes nor
 * the sentinel; code that accepts a netmask from userland should reject
 * them rather than pass them on.
 */
typedef struct in6_addr npf_addr_t;
typedef uint8_t npf_netmask_t;

#define NPF_MAX_NETMASK (128)
#define NPF_NO_NETMASK ((npf_netmask_t)~0)

/*
 * BPF coprocessor.
 *
 * NPF_COP_* are coprocessor function indices; BPF_MW_* are the indices
 * into the BPF memory words that NPF pre-fills (IP version, L4 offset,
 * L4 protocol).  NPF_BPF_NWORDS is kept outside the NPF_BPFCOP guard so
 * that userland rule compilers agree with the kernel on the word count.
 */
#if defined(NPF_BPFCOP)
#define NPF_COP_L3 0
#define NPF_COP_TABLE 1

#define BPF_MW_IPVER 0
#define BPF_MW_L4OFF 1
#define BPF_MW_L4PROTO 2
#endif
/* The number of words used (matches the three BPF_MW_* indices). */
#define NPF_BPF_NWORDS 3

#if defined(_KERNEL)

/*
 * Decision values.  NOTE(review): presumably the values an extension's
 * proc() writes through its int * argument -- confirm against npf_ext.
 */
#define NPF_DECISION_BLOCK 0
#define NPF_DECISION_PASS 1

/*
 * Declare an NPF extension as a kernel module.  'req' is a string literal
 * naming an extra required module; sizeof(req) - 1 is its length, so a
 * non-empty 'req' yields the dependency list "npf,<req>" and "" yields
 * just "npf".  Expands to the NetBSD MODULE() declaration.
 */
#define NPF_EXT_MODULE(name, req) \
	MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")

/*
 * Packet information cache.
 */
#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>

/*
 * npc_info flag bits.  NPC_IP4/NPC_IP6 say which member of npc_ip is
 * valid; NPC_LAYER4 together with one of NPC_TCP/NPC_UDP/NPC_ICMP says
 * which member of npc_l4 is valid.  Check the flag before dereferencing
 * the corresponding pointer.
 */
#define NPC_IP4 0x01 /* Indicates IPv4 header. */
#define NPC_IP6 0x02 /* Indicates IPv6 header. */
#define NPC_IPFRAG 0x04 /* IPv4/IPv6 fragment. */
#define NPC_LAYER4 0x08 /* Layer 4 has been fetched. */

#define NPC_TCP 0x10 /* TCP header. */
#define NPC_UDP 0x20 /* UDP header. */
#define NPC_ICMP 0x40 /* ICMP header. */
#define NPC_ICMP_ID 0x80 /* ICMP with query ID. */

#define NPC_ALG_EXEC 0x100 /* ALG execution. */

/* Either IP version (see npf_iscached: any-bit test). */
#define NPC_IP46 (NPC_IP4|NPC_IP6)

typedef struct {
	/* Information flags (NPC_*). */
	uint32_t npc_info;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Indexed by NPF_SRC / NPF_DST.  Only the first npc_alen bytes
	 * of each pointed-to npf_addr_t are meaningful.
	 */
	npf_addr_t * npc_ips[2];
	uint8_t npc_alen;

	/*
	 * IP header length and L4 protocol.
	 * NOTE(review): npc_hlen is 8 bits; an IPv4 header is at most 60
	 * bytes, but for IPv6 it is unclear from this file whether this
	 * covers extension headers -- confirm in npf_inet.c before using
	 * it as an offset to the L4 header.
	 */
	uint8_t npc_hlen;
	uint16_t npc_proto;

	/* IPv4, IPv6 header (valid member selected by NPC_IP4/NPC_IP6). */
	union {
		struct ip * v4;
		struct ip6_hdr * v6;
	} npc_ip;

	/* TCP, UDP, ICMP header (valid member selected by NPC_TCP/NPC_UDP/NPC_ICMP).
	 */
	union {
		struct tcphdr * tcp;
		struct udphdr * udp;
		struct icmp * icmp;
		struct icmp6_hdr * icmp6;
		void * hdr;
	} npc_l4;
} npf_cache_t;

/*
 * npf_iscached: return true if ANY of the NPC_* bits in 'inf' is set in
 * npc->npc_info.  This is an any-bit test, not an all-bits test, so
 * npf_iscached(npc, NPC_IP46) is true for either IP version and a
 * caller that needs two flags at once must test them separately.
 * __predict_true is a branch hint only; it does not change the result.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	return __predict_true((npc->npc_info & inf) != 0);
}

/* Indices into npc_ips[]. */
#define NPF_SRC 0
#define NPF_DST 1

/*
 * Network buffer interface.
 */

#define NBUF_DATAREF_RESET 0x01

/*
 * nbuf_t wraps an mbuf chain with a cursor.  NOTE(review): nb_mbuf0 looks
 * like the head of the chain and nb_mbuf/nb_nptr the current mbuf and
 * data pointer -- confirm in npf_mbuf.c.
 */
typedef struct {
	struct mbuf * nb_mbuf0;
	struct mbuf * nb_mbuf;
	void * nb_nptr;
	const ifnet_t * nb_ifp;
	unsigned nb_ifid;
	int nb_flags;
} nbuf_t;

void nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *);
void nbuf_reset(nbuf_t *);
struct mbuf * nbuf_head_mbuf(nbuf_t *);

bool nbuf_flag_p(const nbuf_t *, int);
void nbuf_unset_flag(nbuf_t *, int);

void * nbuf_dataptr(nbuf_t *);
size_t nbuf_offset(const nbuf_t *);
/*
 * NOTE(review): the two size_t arguments are presumably (bytes to
 * advance, bytes that must be contiguous at the new position) -- confirm
 * against npf_mbuf.c before relying on it.
 */
void * nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Make the next 'len' bytes contiguous / writable and return a pointer
 * to them.  A NULL return is the failure case (the NPF_STAT_NBUF_CONTIG_FAIL
 * counter exists for it); callers must check it before touching packet
 * data, since the mbuf chain may have been reallocated.
 */
void * nbuf_ensure_contig(nbuf_t *, size_t);
void * nbuf_ensure_writable(nbuf_t *, size_t);

bool nbuf_cksum_barrier(nbuf_t *, int);
int nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int nbuf_find_tag(nbuf_t *, uint32_t, void **);

/*
 * NPF extensions and rule procedure interface.
 */

struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;

void npf_rproc_assign(npf_rproc_t *, void *);

/*
 * Extension operations.  'version' is the interface version the extension
 * was built against (presumably NPF_VERSION -- TODO confirm the check in
 * npf_ext_register).  ctor() receives the rule-procedure parameters as a
 * proplib dictionary and returns 0 on success; dtor() releases what ctor()
 * set up; proc() runs per packet with the cache and nbuf and returns bool,
 * writing its decision through the int * argument.
 */
typedef struct {
	unsigned int version;
	void * ctx;
	int (*ctor)(npf_rproc_t *, prop_dictionary_t);
	void (*dtor)(npf_rproc_t *, void *);
	bool (*proc)(npf_cache_t *, nbuf_t *, void *, int *);
} npf_ext_ops_t;

void * npf_ext_register(const char *, const npf_ext_ops_t *);
int npf_ext_unregister(void *);

/*
 * Misc.
 */

bool npf_autounload_p(void);

#endif /* _KERNEL */

/* Rule attributes.
 *
 * Bit flags carried in a rule's attribute word.  Bits 0..7 are the public
 * rule properties, bits 28..30 encode direction/forwarding, and bits
 * 24..27 (NPF_RULE_PRIVMASK) are reserved for the kernel.
 */
#define NPF_RULE_PASS 0x00000001
#define NPF_RULE_GROUP 0x00000002
#define NPF_RULE_FINAL 0x00000004
#define NPF_RULE_STATEFUL 0x00000008
#define NPF_RULE_RETRST 0x00000010
#define NPF_RULE_RETICMP 0x00000020
#define NPF_RULE_DYNAMIC 0x00000040
#define NPF_RULE_MULTIENDS 0x00000080

#define NPF_DYNAMIC_GROUP (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

#define NPF_RULE_IN 0x10000000
#define NPF_RULE_OUT 0x20000000
#define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT)
#define NPF_RULE_FORW 0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * NOTE(review): rule attributes reach the kernel from userland (via the
 * IOC_NPF_RULE / IOC_NPF_RELOAD plists), so the loader should clear or
 * reject attribute words with any NPF_RULE_PRIVMASK bit set rather than
 * trust them -- this header only defines the mask; confirm the check in
 * the rule-construction code.
 */
#define NPF_RULE_PRIVMASK 0x0f000000

/* Limits for user-supplied rule names and keys; enforce on input. */
#define NPF_RULE_MAXNAMELEN 64
#define NPF_RULE_MAXKEYLEN 32

/* Priority values (negative sentinels; non-negative values are ordinary). */
#define NPF_PRI_FIRST (-2)
#define NPF_PRI_LAST (-1)

/* Types of code. */
#define NPF_CODE_NC 1
#define NPF_CODE_BPF 2

/* Address translation types and flags. */
#define NPF_NATIN 1
#define NPF_NATOUT 2

#define NPF_NAT_PORTS 0x01
#define NPF_NAT_PORTMAP 0x02
#define NPF_NAT_STATIC 0x04

#define NPF_ALGO_NPT66 1

/* Table types. */
#define NPF_TABLE_HASH 1
#define NPF_TABLE_TREE 2
#define NPF_TABLE_CDB 3

/* Limit for user-supplied table names (see npf_ioctl_table nct_name). */
#define NPF_TABLE_MAXNAMELEN 32

/* Layers. */
#define NPF_LAYER_2 2
#define NPF_LAYER_3 3

/* XXX mbuf.h: just for now. */
#define PACKET_TAG_NPF 10

/*
 * Rule commands (non-ioctl).
 *
 * These values overlap numerically with the NPF_CMD_TABLE_* commands
 * below (both start at 1); they are separate namespaces and must not be
 * mixed.
 */

#define NPF_CMD_RULE_ADD 1
#define NPF_CMD_RULE_INSERT 2
#define NPF_CMD_RULE_REMOVE 3
#define NPF_CMD_RULE_REMKEY 4
#define NPF_CMD_RULE_LIST 5
#define NPF_CMD_RULE_FLUSH 6

/*
 * NPF ioctl(2): table commands and structures.
 */

#define NPF_CMD_TABLE_LOOKUP 1
#define NPF_CMD_TABLE_ADD 2
#define NPF_CMD_TABLE_REMOVE 3
#define NPF_CMD_TABLE_LIST 4
#define NPF_CMD_TABLE_FLUSH 5

/*
 * One table entry as supplied by userland.  'alen' is the address length
 * (presumably 4 or 16, as for npc_alen) and 'mask' a prefix length
 * 0..NPF_MAX_NETMASK or NPF_NO_NETMASK.  NOTE(review): both come from
 * userland and must be range-checked by the ioctl handler; this header
 * defines only the layout.
 */
typedef struct npf_ioctl_ent {
	int alen;
	npf_addr_t addr;
	npf_netmask_t mask;
} npf_ioctl_ent_t;

/*
 * A userland buffer (e.g. for NPF_CMD_TABLE_LIST).  'buf' is a user
 * pointer and 'len' its size in bytes; the kernel must bound its copyout
 * by 'len' and never trust it as a kernel address.
 */
typedef struct npf_ioctl_buf {
	void * buf;
	size_t len;
} npf_ioctl_buf_t;

/*
 * Argument of IOC_NPF_TABLE.  The struct itself is copied in by ioctl(2),
 * but nct_name and nct_data.buf.buf are pointers into userland memory that
 * the handler must copyinstr()/copyin() with explicit bounds (table names
 * are limited to NPF_TABLE_MAXNAMELEN).  Because the struct contains
 * pointers, its layout differs between 32- and 64-bit ABIs (any compat
 * handling lives elsewhere).
 */
typedef struct npf_ioctl_table {
	int nct_cmd;
	const char * nct_name;
	union {
		npf_ioctl_ent_t ent;
		npf_ioctl_buf_t buf;
	} nct_data;
} npf_ioctl_table_t;

/*
 * IOCTL operations.
 *
 * The numbers and argument types are ABI; do not renumber.  IOC_NPF_STATS
 * passes a bare user pointer -- NOTE(review): presumably the kernel copies
 * NPF_STATS_SIZE bytes out to it; confirm the copyout length in the handler.
 */

#define IOC_NPF_VERSION _IOR('N', 100, int)
#define IOC_NPF_SWITCH _IOW('N', 101, int)
#define IOC_NPF_RELOAD _IOWR('N', 102, struct plistref)
#define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table)
#define IOC_NPF_STATS _IOW('N', 104, void *)
#define IOC_NPF_SESSIONS_SAVE _IOR('N', 105, struct plistref)
#define IOC_NPF_SESSIONS_LOAD _IOW('N', 106, struct plistref)
#define IOC_NPF_RULE _IOWR('N', 107, struct plistref)
#define IOC_NPF_GETCONF _IOR('N', 108, struct plistref)

/*
 * Statistics counters.
 *
 * The enumerator values index an array of uint64_t exported to userland
 * (NPF_STATS_SIZE bytes), so they are ABI: add new counters only before
 * NPF_STATS_COUNT, never reorder existing ones.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_SESSION,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Session and NAT entries. */
	NPF_STAT_SESSION_CREATE,
	NPF_STAT_SESSION_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_SESSION,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases (see nbuf_ensure_contig). */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Size in bytes of the exported counter array: one uint64_t per counter. */
#define NPF_STATS_SIZE (sizeof(uint64_t) * NPF_STATS_COUNT)

#endif /* _NPF_NET_H_ */