/*-
 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public NPF interfaces.
 *
 * This header is shared by the kernel (or the standalone build) and
 * user-space tools.  The user-visible part consists of the constants,
 * the ioctl(2) definitions and the structures passed through them; the
 * section guarded by _KERNEL / _NPF_STANDALONE adds the in-kernel
 * packet-buffer (nbuf) and packet-cache declarations.
 */

#ifndef _NPF_NET_H_
#define _NPF_NET_H_

#include <sys/param.h>
#include <sys/types.h>

/*
 * Interface version.  Presumably what IOC_NPF_VERSION reports, so that
 * user-space tools can detect a mismatched kernel -- confirm against the
 * ioctl handler, which is not in this header.
 */
#define	NPF_VERSION		22

#if defined(_NPF_STANDALONE)
#include "npf_stand.h"
#else
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#endif

/* Opaque NPF instance handle. */
struct npf;
typedef struct npf npf_t;

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * The union is always 16 bytes wide; an IPv4 address uses only the
 * first 4 bytes (see the address length field npc_alen in npf_cache_t).
 */
typedef union {
	uint8_t		word8[16];
	uint16_t	word16[8];
	uint32_t	word32[4];
} npf_addr_t;

/* Prefix length in bits: 0..NPF_MAX_NETMASK, or NPF_NO_NETMASK. */
typedef uint8_t npf_netmask_t;

#define	NPF_MAX_NETMASK		(128)
/* Sentinel for "no mask" (255), deliberately outside the valid 0..128. */
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)

/* BPF coprocessor. */
#if defined(NPF_BPFCOP)
/* Coprocessor function indices. */
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

/* BPF memory-word indices. */
#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif
/* The number of words used (one per BPF_MW_* index above). */
#define	NPF_BPF_NWORDS		3

/*
 * In-kernel declarations and definitions.
 */

#if defined(_KERNEL) || defined(_NPF_STANDALONE)

/* Packet verdict values. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare a loadable NPF extension module.  'req' must be a string
 * literal listing extra module dependencies: sizeof(req) - 1 is its
 * length, so an empty string yields a plain "npf" dependency and a
 * non-empty one yields "npf,<req>" by literal concatenation.
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")

#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>

/*
 * Network buffer interface.
 *
 * nbuf_t is an opaque wrapper around an mbuf (see nbuf_init() and
 * nbuf_head_mbuf()).  The functions below are implemented outside this
 * header; 'bool' and 'ifnet_t' are expected to come from the includes
 * above.
 */

/* Presumably an nbuf flag bit, see nbuf_flag_p() / nbuf_unset_flag(). */
#define	NBUF_DATAREF_RESET	0x01

struct mbuf;
struct nbuf;
typedef struct nbuf nbuf_t;

/* Lifecycle: attach an mbuf to an nbuf, reset it, get the head mbuf. */
void		nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

/* Flag access. */
bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

/* Data pointer / offset navigation. */
void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Contiguity / writability helpers.  Both return a pointer; the failure
 * convention (NULL?) is not stated here -- confirm against the
 * implementation before relying on it.
 */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

/* Checksum barrier and mbuf tag handling. */
bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t);
int		npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t *);

/*
 * Packet information cache.
 *
 * The NPC_* bits are stored in npf_cache_t::npc_info and tested with
 * npf_iscached() below.
 */

#define	NPC_IP4		0x01	/* Indicates IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

#define	NPC_FMTERR	0x200	/* Format error. */

/* Either IP version: note npf_iscached() is an "any bit set" test. */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)

struct npf_connkey;

/*
 * Per-packet cache of parsed header information.  Filled in by the
 * inspection code (not in this header); consumers should check the
 * relevant NPC_* bit via npf_iscached() before touching npc_ip / npc_l4,
 * since only the fetched layers are valid.
 */
typedef struct {
	/* NPF context, information flags and the nbuf. */
	npf_t *		npc_ctx;
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Presumably indexed by NPF_SRC / NPF_DST (defined below).
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint32_t	npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6.  Which member is valid follows NPC_IP4 / NPC_IP6. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/*
	 * TCP, UDP, ICMP or other protocols.  Which member is valid
	 * follows NPC_TCP / NPC_UDP / NPC_ICMP (and the IP version for
	 * icmp vs icmp6); 'hdr' is the untyped view.
	 */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;

	/*
	 * Override the connection key, if not NULL.  This affects the
	 * behaviour of npf_conn_lookup() and npf_conn_establish().
	 * Note: npc_ckey is of npf_connkey_t type.
	 */
	const void *	npc_ckey;
} npf_cache_t;

/*
 * Return true if any of the bits in 'inf' are set in the cache's info
 * flags.  This is an "any" test, not an "all" test: e.g.
 * npf_iscached(npc, NPC_IP46) is true for either IP version, and a
 * multi-bit mask does not require every bit to be present.  The cache
 * must have an nbuf attached (checked with KASSERT).
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);
	return __predict_true((npc->npc_info & inf) != 0);
}

/*
 * Misc.
 */

bool		npf_autounload_p(void);

#endif	/* _KERNEL || _NPF_STANDALONE */

/* Endpoint indices (source / destination), e.g. for npc_ips[]. */
#define	NPF_SRC		0
#define	NPF_DST		1

/* Rule attributes (bit flags). */
#define	NPF_RULE_PASS		0x00000001
#define	NPF_RULE_GROUP		0x00000002
#define	NPF_RULE_FINAL		0x00000004
#define	NPF_RULE_STATEFUL	0x00000008
#define	NPF_RULE_RETRST		0x00000010
#define	NPF_RULE_RETICMP	0x00000020
#define	NPF_RULE_DYNAMIC	0x00000040
#define	NPF_RULE_GSTATEFUL	0x00000080

#define	NPF_DYNAMIC_GROUP	(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

/* Direction bits; NPF_RULE_DIMASK selects both. */
#define	NPF_RULE_IN		0x10000000
#define	NPF_RULE_OUT		0x20000000
#define	NPF_RULE_DIMASK		(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW		0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * NOTE(review): attribute words accepted from user space should be
 * checked against this mask before use; that check would live in the
 * rule loader, not in this header -- confirm it is enforced there.
 */
#define	NPF_RULE_PRIVMASK	0x0f000000

/* Size limits for rule names and keys. */
#define	NPF_RULE_MAXNAMELEN	64
#define	NPF_RULE_MAXKEYLEN	32

/* Priority values: negative sentinels for "first" and "last". */
#define	NPF_PRI_FIRST		(-2)
#define	NPF_PRI_LAST		(-1)

/* Types of code. */
#define	NPF_CODE_BPF		1

/* Address translation types and flags. */
#define	NPF_NATIN		1
#define	NPF_NATOUT		2

#define	NPF_NAT_PORTS		0x01
#define	NPF_NAT_PORTMAP		0x02
#define	NPF_NAT_STATIC		0x04

/* Private NAT flag range, same idea as NPF_RULE_PRIVMASK. */
#define	NPF_NAT_PRIVMASK	0x0f000000

/* NAT address-selection algorithms. */
#define	NPF_ALGO_NONE		0
#define	NPF_ALGO_NETMAP		1
#define	NPF_ALGO_IPHASH		2
#define	NPF_ALGO_RR		3
#define	NPF_ALGO_NPT66		4

/* Table types. */
#define	NPF_TABLE_IPSET		1
#define	NPF_TABLE_LPM		2
#define	NPF_TABLE_CONST		3
#define	NPF_TABLE_IFADDR	4

#define	NPF_TABLE_MAXNAMELEN	32

/* Layers. */
#define	NPF_LAYER_2		2
#define	NPF_LAYER_3		3

/*
 * Flags passed via nbuf tags.
 */
#define	NPF_NTAG_PASS		0x0001

/*
 * Rule commands (non-ioctl).
 */

#define	NPF_CMD_RULE_ADD	1
#define	NPF_CMD_RULE_INSERT	2
#define	NPF_CMD_RULE_REMOVE	3
#define	NPF_CMD_RULE_REMKEY	4
#define	NPF_CMD_RULE_LIST	5
#define	NPF_CMD_RULE_FLUSH	6

/*
 * NPF ioctl(2): table commands and structures.
 */

#define	NPF_CMD_TABLE_LOOKUP	1
#define	NPF_CMD_TABLE_ADD	2
#define	NPF_CMD_TABLE_REMOVE	3
#define	NPF_CMD_TABLE_LIST	4
#define	NPF_CMD_TABLE_FLUSH	5

/* A single table entry: address, its length and prefix length. */
typedef struct npf_ioctl_ent {
	int		alen;	/* presumably 4 or 16, as npc_alen above */
	npf_addr_t	addr;
	npf_netmask_t	mask;
} npf_ioctl_ent_t;

/* A caller-supplied buffer and its length. */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;

/*
 * Argument of IOC_NPF_TABLE; nct_cmd is presumably one of the
 * NPF_CMD_TABLE_* values, selecting which nct_data member is used.
 *
 * NOTE(review): nct_name and nct_data.buf.buf are caller pointers that
 * cross the user/kernel boundary through the ioctl.  The kernel side
 * must copy them in with explicit bounds (NPF_TABLE_MAXNAMELEN for the
 * name, nct_data.buf.len for the buffer) rather than dereference them
 * directly; that code is outside this header -- confirm.
 */
typedef struct npf_ioctl_table {
	int		nct_cmd;
	const char *	nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;

/*
 * IOCTL operations.
 *
 * nvlist_ref_t is not declared in this header; it is expected to come
 * from the includes above (or npf_stand.h in the standalone build).
 * Number 106 is not assigned in this version of the interface.
 * IOC_NPF_STATS takes a bare pointer; the caller's buffer is presumably
 * NPF_STATS_SIZE bytes (see below) -- confirm against the handler.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_LOAD		_IOWR('N', 102, nvlist_ref_t)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SAVE		_IOR('N', 105, nvlist_ref_t)
#define	IOC_NPF_RULE		_IOWR('N', 107, nvlist_ref_t)
#define	IOC_NPF_CONN_LOOKUP	_IOWR('N', 108, nvlist_ref_t)
#define	IOC_NPF_TABLE_REPLACE	_IOWR('N', 109, nvlist_ref_t)

/*
 * NPF error report.
 *
 * The string members are plain pointers; who allocates and frees them
 * is not defined here -- check the producing and consuming code.
 */

typedef struct {
	int64_t		id;
	char *		error_msg;
	char *		source_file;
	unsigned	source_line;
} npf_error_t;

/*
 * Statistics counters.
 *
 * NPF_STATS_COUNT must stay last: NPF_STATS_SIZE derives the byte size
 * of a uint64_t counter array from it.  Appending new counters before
 * NPF_STATS_COUNT keeps existing indices stable.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Byte size of a uint64_t[NPF_STATS_COUNT] counter array. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)

#endif	/* _NPF_NET_H_ */