xref: /netbsd-src/sys/net/npf/npf.h (revision bdc22b2e01993381dcefeff2bc9b56ca75a4235c) 
1 /*	$NetBSD: npf.h,v 1.57 2018/04/19 21:50:09 christos Exp $	*/
2 
3 /*-
4  * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
5  * All rights reserved.
6  *
7  * This material is based upon work partially supported by The
8  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
9  *
10  * Redistribution and use in source and binary forms, with or without
11  * modification, are permitted provided that the following conditions
12  * are met:
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 /*
33  * Public NPF interfaces.
34  */
35 
36 #ifndef _NPF_NET_H_
37 #define _NPF_NET_H_
38 
39 #include <sys/param.h>
40 #include <sys/types.h>
41 
42 #define	NPF_VERSION		19
43 
44 #if defined(_NPF_STANDALONE)
45 #include "npf_stand.h"
46 #else
47 #include <sys/ioctl.h>
48 #include <prop/proplib.h>
49 #include <netinet/in_systm.h>
50 #include <netinet/in.h>
51 #endif
52 
53 struct npf;
54 typedef struct npf npf_t;
55 
56 /*
57  * Storage of address (both for IPv4 and IPv6) and netmask.
58  */
59 typedef union {
60 	uint8_t			word8[16];
61 	uint16_t		word16[8];
62 	uint32_t		word32[4];
63 } npf_addr_t;
64 
65 typedef uint8_t			npf_netmask_t;
66 
67 #define	NPF_MAX_NETMASK		(128)
68 #define	NPF_NO_NETMASK		((npf_netmask_t)~0)
69 
70 /* BPF coprocessor. */
71 #if defined(NPF_BPFCOP)
72 #define	NPF_COP_L3		0
73 #define	NPF_COP_TABLE		1
74 
75 #define	BPF_MW_IPVER		0
76 #define	BPF_MW_L4OFF		1
77 #define	BPF_MW_L4PROTO		2
78 #endif
79 /* The number of words used. */
80 #define	NPF_BPF_NWORDS		3
81 
82 /*
83  * In-kernel declarations and definitions.
84  */
85 
86 #if defined(_KERNEL) || defined(_NPF_STANDALONE)
87 
88 #define	NPF_DECISION_BLOCK	0
89 #define	NPF_DECISION_PASS	1
90 
91 #define	NPF_EXT_MODULE(name, req)	\
92     MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")
93 
94 #include <net/if.h>
95 #include <netinet/ip.h>
96 #include <netinet/ip6.h>
97 #include <netinet/tcp.h>
98 #include <netinet/udp.h>
99 #include <netinet/ip_icmp.h>
100 #include <netinet/icmp6.h>
101 
102 /*
103  * Network buffer interface.
104  */
105 
106 #define	NBUF_DATAREF_RESET	0x01
107 
108 struct mbuf;
109 struct nbuf;
110 typedef struct nbuf nbuf_t;
111 
112 void		nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *);
113 void		nbuf_reset(nbuf_t *);
114 struct mbuf *	nbuf_head_mbuf(nbuf_t *);
115 
116 bool		nbuf_flag_p(const nbuf_t *, int);
117 void		nbuf_unset_flag(nbuf_t *, int);
118 
119 void *		nbuf_dataptr(nbuf_t *);
120 size_t		nbuf_offset(const nbuf_t *);
121 void *		nbuf_advance(nbuf_t *, size_t, size_t);
122 
123 void *		nbuf_ensure_contig(nbuf_t *, size_t);
124 void *		nbuf_ensure_writable(nbuf_t *, size_t);
125 
126 bool		nbuf_cksum_barrier(nbuf_t *, int);
127 int		nbuf_add_tag(nbuf_t *, uint32_t);
128 int		nbuf_find_tag(nbuf_t *, uint32_t *);
129 
130 /*
131  * Packet information cache.
132  */
133 
134 #define	NPC_IP4		0x01	/* Indicates IPv4 header. */
135 #define	NPC_IP6		0x02	/* Indicates IPv6 header. */
136 #define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
137 #define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */
138 
139 #define	NPC_TCP		0x10	/* TCP header. */
140 #define	NPC_UDP		0x20	/* UDP header. */
141 #define	NPC_ICMP	0x40	/* ICMP header. */
142 #define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */
143 
144 #define	NPC_ALG_EXEC	0x100	/* ALG execution. */
145 
146 #define	NPC_FMTERR	0x200	/* Format error. */
147 
148 #define	NPC_IP46	(NPC_IP4|NPC_IP6)
149 
150 typedef struct {
151 	/* NPF context, information flags and the nbuf. */
152 	npf_t *			npc_ctx;
153 	uint32_t		npc_info;
154 	nbuf_t *		npc_nbuf;
155 
156 	/*
157 	 * Pointers to the IP source and destination addresses,
158 	 * and the address length (4 for IPv4 or 16 for IPv6).
159 	 */
160 	npf_addr_t *		npc_ips[2];
161 	uint8_t			npc_alen;
162 
163 	/* IP header length and L4 protocol. */
164 	uint32_t		npc_hlen;
165 	uint16_t		npc_proto;
166 
167 	/* IPv4, IPv6. */
168 	union {
169 		struct ip *		v4;
170 		struct ip6_hdr *	v6;
171 	} npc_ip;
172 
173 	/* TCP, UDP, ICMP. */
174 	union {
175 		struct tcphdr *		tcp;
176 		struct udphdr *		udp;
177 		struct icmp *		icmp;
178 		struct icmp6_hdr *	icmp6;
179 		void *			hdr;
180 	} npc_l4;
181 } npf_cache_t;
182 
183 static __inline bool
184 npf_iscached(const npf_cache_t *npc, const int inf)
185 {
186 	KASSERT(npc->npc_nbuf != NULL);
187 	return __predict_true((npc->npc_info & inf) != 0);
188 }
189 
190 #define	NPF_SRC		0
191 #define	NPF_DST		1
192 
193 /*
194  * NPF extensions and rule procedure interface.
195  */
196 
197 struct npf_rproc;
198 typedef struct npf_rproc	npf_rproc_t;
199 
200 typedef struct {
201 	uint64_t	mi_rid;
202 	u_int		mi_retfl;
203 	u_int		mi_di;
204 } npf_match_info_t;
205 
206 typedef struct {
207 	unsigned int	version;
208 	void *		ctx;
209 	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
210 	void		(*dtor)(npf_rproc_t *, void *);
211 	bool		(*proc)(npf_cache_t *, void *, const npf_match_info_t *,
212 				int *);
213 } npf_ext_ops_t;
214 
215 void *		npf_ext_register(npf_t *, const char *, const npf_ext_ops_t *);
216 int		npf_ext_unregister(npf_t *, void *);
217 void		npf_rproc_assign(npf_rproc_t *, void *);
218 
219 /*
220  * Misc.
221  */
222 
223 bool		npf_autounload_p(void);
224 
225 #endif	/* _KERNEL */
226 
227 /* Rule attributes. */
228 #define	NPF_RULE_PASS			0x00000001
229 #define	NPF_RULE_GROUP			0x00000002
230 #define	NPF_RULE_FINAL			0x00000004
231 #define	NPF_RULE_STATEFUL		0x00000008
232 #define	NPF_RULE_RETRST			0x00000010
233 #define	NPF_RULE_RETICMP		0x00000020
234 #define	NPF_RULE_DYNAMIC		0x00000040
235 #define	NPF_RULE_MULTIENDS		0x00000080
236 
237 #define	NPF_DYNAMIC_GROUP		(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)
238 
239 #define	NPF_RULE_IN			0x10000000
240 #define	NPF_RULE_OUT			0x20000000
241 #define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)
242 #define	NPF_RULE_FORW			0x40000000
243 
244 /* Private range of rule attributes (not public and should not be set). */
245 #define	NPF_RULE_PRIVMASK		0x0f000000
246 
247 #define	NPF_RULE_MAXNAMELEN		64
248 #define	NPF_RULE_MAXKEYLEN		32
249 
250 /* Priority values. */
251 #define	NPF_PRI_FIRST			(-2)
252 #define	NPF_PRI_LAST			(-1)
253 
254 /* Types of code. */
255 #define	NPF_CODE_NC			1
256 #define	NPF_CODE_BPF			2
257 
258 /* Address translation types and flags. */
259 #define	NPF_NATIN			1
260 #define	NPF_NATOUT			2
261 
262 #define	NPF_NAT_PORTS			0x01
263 #define	NPF_NAT_PORTMAP			0x02
264 #define	NPF_NAT_STATIC			0x04
265 
266 #define	NPF_ALGO_NPT66			1
267 
268 /* Table types. */
269 #define	NPF_TABLE_HASH			1
270 #define	NPF_TABLE_TREE			2
271 #define	NPF_TABLE_CDB			3
272 
273 #define	NPF_TABLE_MAXNAMELEN		32
274 
275 /* Layers. */
276 #define	NPF_LAYER_2			2
277 #define	NPF_LAYER_3			3
278 
279 /* XXX mbuf.h: just for now. */
280 #define	PACKET_TAG_NPF			10
281 #define	NPF_NTAG_PASS			0x0001
282 
283 /*
284  * Rule commands (non-ioctl).
285  */
286 
287 #define	NPF_CMD_RULE_ADD		1
288 #define	NPF_CMD_RULE_INSERT		2
289 #define	NPF_CMD_RULE_REMOVE		3
290 #define	NPF_CMD_RULE_REMKEY		4
291 #define	NPF_CMD_RULE_LIST		5
292 #define	NPF_CMD_RULE_FLUSH		6
293 
294 /*
295  * NPF ioctl(2): table commands and structures.
296  */
297 
298 #define	NPF_CMD_TABLE_LOOKUP		1
299 #define	NPF_CMD_TABLE_ADD		2
300 #define	NPF_CMD_TABLE_REMOVE		3
301 #define	NPF_CMD_TABLE_LIST		4
302 #define	NPF_CMD_TABLE_FLUSH		5
303 
304 typedef struct npf_ioctl_ent {
305 	int			alen;
306 	npf_addr_t		addr;
307 	npf_netmask_t		mask;
308 } npf_ioctl_ent_t;
309 
310 typedef struct npf_ioctl_buf {
311 	void *			buf;
312 	size_t			len;
313 } npf_ioctl_buf_t;
314 
315 typedef struct npf_ioctl_table {
316 	int			nct_cmd;
317 	const char *		nct_name;
318 	union {
319 		npf_ioctl_ent_t	ent;
320 		npf_ioctl_buf_t	buf;
321 	} nct_data;
322 } npf_ioctl_table_t;
323 
324 /*
325  * IOCTL operations.
326  */
327 
328 #define	IOC_NPF_VERSION		_IOR('N', 100, int)
329 #define	IOC_NPF_SWITCH		_IOW('N', 101, int)
330 #define	IOC_NPF_LOAD		_IOWR('N', 102, struct plistref)
331 #define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
332 #define	IOC_NPF_STATS		_IOW('N', 104, void *)
333 #define	IOC_NPF_SAVE		_IOR('N', 105, struct plistref)
334 #define	IOC_NPF_RULE		_IOWR('N', 107, struct plistref)
335 #define	IOC_NPF_CONN_LOOKUP	_IOWR('N', 108, struct plistref)
336 
337 /*
338  * NPF error report.
339  */
340 
341 typedef struct {
342 	int64_t		id;
343 	char *		source_file;
344 	u_int		source_line;
345 } npf_error_t;
346 
347 /*
348  * Statistics counters.
349  */
350 
351 typedef enum {
352 	/* Packets passed. */
353 	NPF_STAT_PASS_DEFAULT,
354 	NPF_STAT_PASS_RULESET,
355 	NPF_STAT_PASS_CONN,
356 	/* Packets blocked. */
357 	NPF_STAT_BLOCK_DEFAULT,
358 	NPF_STAT_BLOCK_RULESET,
359 	/* Connection and NAT entries. */
360 	NPF_STAT_CONN_CREATE,
361 	NPF_STAT_CONN_DESTROY,
362 	NPF_STAT_NAT_CREATE,
363 	NPF_STAT_NAT_DESTROY,
364 	/* Invalid state cases. */
365 	NPF_STAT_INVALID_STATE,
366 	NPF_STAT_INVALID_STATE_TCP1,
367 	NPF_STAT_INVALID_STATE_TCP2,
368 	NPF_STAT_INVALID_STATE_TCP3,
369 	/* Raced packets. */
370 	NPF_STAT_RACE_CONN,
371 	NPF_STAT_RACE_NAT,
372 	/* Fragments. */
373 	NPF_STAT_FRAGMENTS,
374 	NPF_STAT_REASSEMBLY,
375 	NPF_STAT_REASSFAIL,
376 	/* Other errors. */
377 	NPF_STAT_ERROR,
378 	/* nbuf non-contiguous cases. */
379 	NPF_STAT_NBUF_NONCONTIG,
380 	NPF_STAT_NBUF_CONTIG_FAIL,
381 	/* Count (last). */
382 	NPF_STATS_COUNT
383 } npf_stats_t;
384 
385 #define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
386 
387 #endif	/* _NPF_NET_H_ */
388