/*	$NetBSD: npf.h,v 1.6 2011/01/18 20:33:45 rmind Exp $	*/

/*-
 * Copyright (c) 2009-2011 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public NPF interfaces.
 *
 * This header is shared by the kernel, the _NPF_TESTING harness and
 * userland.  The block guarded by _KERNEL || _NPF_TESTING (packet cache,
 * nbuf and ruleset/hook interfaces) is kernel-internal; everything after it
 * (rule/NAT/table constants, ioctl structures and ioctl numbers) is the
 * userland-visible ABI.  Constants below are ABI: changing a value or the
 * layout of an ioctl structure requires bumping NPF_VERSION.
 */

#ifndef _NPF_H_
#define _NPF_H_

#include <sys/param.h>
#include <sys/types.h>

#include <sys/ioctl.h>
#include <prop/proplib.h>

#ifdef _NPF_TESTING
/* Test builds supply stand-in definitions for kernel facilities here. */
#include "testing.h"
#endif

/* Interface version reported by IOC_NPF_VERSION. */
#define	NPF_VERSION		1

/*
 * Public declarations.
 */

/* Opaque to everything outside the NPF core; only pointers are passed. */
struct npf_ruleset;
struct npf_rule;
struct npf_hook;

typedef struct npf_rproc	npf_rproc_t;
typedef struct npf_ruleset	npf_ruleset_t;
typedef struct npf_rule		npf_rule_t;
typedef struct npf_hook		npf_hook_t;

/*
 * Public definitions.
 */

/*
 * Opaque network buffer handle.  Declared as void so that this header
 * does not depend on the kernel's mbuf definitions; the nbuf_* accessors
 * below are the only way to read or write through it.
 */
typedef void			nbuf_t;

#if defined(_KERNEL) || defined(_NPF_TESTING)

#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>

/*
 * Storage of address, both IPv4 and IPv6.
 *
 * An IPv4 address occupies the leading bytes of the in6_addr; npc_ipsz in
 * the packet cache records how many bytes are meaningful.
 */
typedef struct in6_addr		npf_addr_t;

/*
 * Packet information cache.
 *
 * npc_info is a bit set of the NPC_* flags below.  A flag being set means
 * the corresponding header has been fetched into npc_ip / npc_l4, so the
 * flag must be tested (npf_iscached) before the union member is read.
 */

#define	NPC_IP4		0x01	/* Indicates fetched IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

/* Either IP version has been fetched. */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)

typedef struct {
	/* Information flags. */
	uint32_t		npc_info;
	/*
	 * Pointers to the IP v4/v6 addresses.
	 * NOTE(review): this header does not say whether these point into
	 * the packet buffer or into npc_ip; lifetime follows whichever it is,
	 * so confirm against the fetch code before keeping them past the
	 * processing of the current packet.
	 */
	npf_addr_t *		npc_srcip;
	npf_addr_t *		npc_dstip;
	/* Size (v4 or v6) of IP addresses. */
	int			npc_ipsz;
	/* IPv4, IPv6. */
	union {
		struct ip		v4;
		struct ip6_hdr		v6;
	} npc_ip;
	/* TCP, UDP, ICMP. */
	union {
		struct tcphdr		tcp;
		struct udphdr		udp;
		struct icmp		icmp;
	} npc_l4;
} npf_cache_t;

/*
 * npf_iscached: return true if any of the NPC_* bits in 'inf' are set in
 * the cache, i.e. the corresponding header data has been fetched.
 * Passing a mask with several bits (e.g. NPC_IP46) tests for "any of".
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{

	return __predict_true((npc->npc_info & inf) != 0);
}

/*
 * npf_cache_ipproto: return the protocol number of the cached IP header.
 * Requires that an IPv4 or IPv6 header has been fetched (NPC_IP46);
 * KASSERT here is presumably provided by testing.h in _NPF_TESTING builds.
 *
 * NOTE(review): the value is always read through the IPv4 view of the
 * npc_ip union.  The assertion admits NPC_IP6 as well, but for an IPv6
 * packet the byte at ip_p's offset lies inside the source address of
 * struct ip6_hdr, not in its next-header field, so the result would not
 * be a protocol number.  Confirm that callers only rely on this with
 * NPC_IP4, or that IPv6 callers read the next-header field instead.
 */
static inline int
npf_cache_ipproto(const npf_cache_t *npc)
{
	const struct ip *ip = &npc->npc_ip.v4;

	KASSERT(npf_iscached(npc, NPC_IP46));
	return ip->ip_p;
}

/*
 * Network buffer interface.
 *
 * Accessors over the opaque nbuf_t.  The advancing variants take the
 * buffer by reference (nbuf_t **) and a cursor (void **) that they move
 * forward; the fetch/store variants copy a datum between the buffer and
 * caller memory and return non-zero on failure.  The exact meaning and
 * order of the length/offset arguments is not documented here -- verify
 * against the implementation before adding new callers.
 */
void *		nbuf_dataptr(void *);
void *		nbuf_advance(nbuf_t **, void *, u_int);
int		nbuf_advfetch(nbuf_t **, void **, u_int, size_t, void *);
int		nbuf_advstore(nbuf_t **, void **, u_int, size_t, void *);
int		nbuf_fetch_datum(nbuf_t *, void *, size_t, void *);
int		nbuf_store_datum(nbuf_t *, void *, size_t, void *);

/* Attach / look up a (key, value) tag on the buffer; non-zero on failure. */
int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t, void **);

/*
 * Ruleset interface.
 *
 * npf_rule_alloc builds a rule from its proplib dictionary description,
 * an optional rule procedure and a compiled filter program (pointer and
 * size); the rule is owned by the caller until npf_rule_free.
 * Activation/deactivation control whether the rule participates in
 * processing.
 */
npf_rule_t *	npf_rule_alloc(prop_dictionary_t, npf_rproc_t *, void *, size_t);
void		npf_rule_free(npf_rule_t *);
void		npf_activate_rule(npf_rule_t *);
void		npf_deactivate_rule(npf_rule_t *);

/*
 * Hooks: a callback invoked with the packet cache, the buffer and the
 * caller's argument when the rule matches.  The returned handle must be
 * passed back to npf_hook_unregister on the same rule.
 */
npf_hook_t *	npf_hook_register(npf_rule_t *,
		    void (*)(npf_cache_t *, nbuf_t *, void *), void *);
void		npf_hook_unregister(npf_rule_t *, npf_hook_t *);

#endif	/* _KERNEL || _NPF_TESTING */

/*
 * Rule attributes.
 *
 * Low bits are the action/behaviour; the high NPF_RULE_IN/OUT bits give
 * the direction and are extracted with NPF_RULE_DIMASK.  NPF_RULE_RETRST
 * and NPF_RULE_RETICMP only make sense on a blocking rule (no
 * NPF_RULE_PASS).
 */
#define	NPF_RULE_PASS			0x0001
#define	NPF_RULE_DEFAULT		0x0002
#define	NPF_RULE_FINAL			0x0004
#define	NPF_RULE_KEEPSTATE		0x0008
#define	NPF_RULE_RETRST			0x0010
#define	NPF_RULE_RETICMP		0x0020

#define	NPF_RULE_IN			0x10000000
#define	NPF_RULE_OUT			0x20000000
#define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)

/* Rule procedure flags. */
#define	NPF_RPROC_LOG			0x0001
#define	NPF_RPROC_NORMALIZE		0x0002

/* Address translation types and flags. */
#define	NPF_NATIN			1
#define	NPF_NATOUT			2

#define	NPF_NAT_PORTS			0x01
#define	NPF_NAT_PORTMAP			0x02

/* Table types. */
#define	NPF_TABLE_HASH			1
#define	NPF_TABLE_RBTREE		2

/* Layers. */
#define	NPF_LAYER_2			2
#define	NPF_LAYER_3			3

/* XXX mbuf.h: just for now. */
#define	PACKET_TAG_NPF			10

/*
 * IOCTL structures.
 *
 * Everything in this section is copied in from userland by the ioctl
 * handler; nothing here has been validated.  The handler must check
 * nct_action against the NPF_IOCTL_TBLENT_* values and nct_tid against
 * the set of existing tables before acting on a request.
 */

#define	NPF_IOCTL_TBLENT_ADD		1
#define	NPF_IOCTL_TBLENT_REM		2

typedef struct npf_ioctl_table {
	int		nct_action;	/* NPF_IOCTL_TBLENT_ADD or _REM. */
	u_int		nct_tid;	/* Table identifier. */
	/*
	 * Entry address and mask.  These are in_addr_t, so tables driven
	 * through this ioctl hold IPv4 entries only, even though the
	 * kernel-side npf_addr_t can carry IPv6.
	 */
	in_addr_t	nct_addr;
	in_addr_t	nct_mask;
	int		_reserved;	/* Padding; keep zero for ABI stability. */
} npf_ioctl_table_t;

/*
 * Statistics counter indices.  NPF_STATS_COUNT must stay last: it sizes
 * the counter array (see NPF_STATS_SIZE), and new counters are appended
 * before it so existing indices remain valid across versions.
 */
typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_SESSION,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Session and NAT entries. */
	NPF_STAT_SESSION_CREATE,
	NPF_STAT_SESSION_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_SESSION,
	NPF_STAT_RACE_NAT,
	/* Rule procedure cases. */
	NPF_STAT_RPROC_LOG,
	NPF_STAT_RPROC_NORM,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* One 64-bit counter per npf_stats_t entry. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)

/*
 * IOCTL operations.
 *
 * IOC_NPF_STATS encodes only a 'void *' in its size: the argument is a
 * userland pointer and the kernel presumably copies NPF_STATS_SIZE bytes
 * out to it, so the caller must provide a buffer of at least that size.
 * IOC_NPF_RELOAD and IOC_NPF_SESSIONS_LOAD take a proplib plistref whose
 * contents the kernel must validate before use; IOC_NPF_SWITCH takes an
 * int enabling/disabling the filter.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_RELOAD		_IOW('N', 102, struct plistref)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SESSIONS_SAVE	_IOR('N', 105, struct plistref)
#define	IOC_NPF_SESSIONS_LOAD	_IOW('N', 106, struct plistref)

#endif	/* _NPF_H_ */