Annotation of sys/net/pfvar.h, Revision 1.1
1.1 ! nbrk 1: /* $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */
! 2:
! 3: /*
! 4: * Copyright (c) 2001 Daniel Hartmeier
! 5: * All rights reserved.
! 6: *
! 7: * Redistribution and use in source and binary forms, with or without
! 8: * modification, are permitted provided that the following conditions
! 9: * are met:
! 10: *
! 11: * - Redistributions of source code must retain the above copyright
! 12: * notice, this list of conditions and the following disclaimer.
! 13: * - Redistributions in binary form must reproduce the above
! 14: * copyright notice, this list of conditions and the following
! 15: * disclaimer in the documentation and/or other materials provided
! 16: * with the distribution.
! 17: *
! 18: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
! 19: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
! 20: * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
! 21: * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
! 22: * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
! 23: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
! 24: * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
! 25: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
! 26: * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
! 27: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
! 28: * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
! 29: * POSSIBILITY OF SUCH DAMAGE.
! 30: *
! 31: */
! 32:
! 33: #ifndef _NET_PFVAR_H_
! 34: #define _NET_PFVAR_H_
! 35:
! 36: #include <sys/param.h>
! 37: #include <sys/types.h>
! 38: #include <sys/queue.h>
! 39: #include <sys/tree.h>
! 40: #include <sys/rwlock.h>
! 41:
! 42: #include <net/radix.h>
! 43: #include <net/route.h>
! 44: #include <netinet/ip_ipsp.h>
! 45: #include <netinet/tcp_fsm.h>
! 46:
! 47: struct ip;
! 48: struct ip6_hdr;
! 49:
! 50: #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
! 51: #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
! 52:
! 53: #define PF_MD5_DIGEST_LENGTH 16
! 54: #ifdef MD5_DIGEST_LENGTH
! 55: #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
! 56: #error
! 57: #endif
! 58: #endif
! 59:
! 60: enum { PF_INOUT, PF_IN, PF_OUT };
! 61: enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
! 62: enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
! 63: PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
! 64: enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
! 65: PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
! 66: enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
! 67: PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
! 68: enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
! 69: enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
! 70: PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
! 71: PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
! 72: enum { PF_GET_NONE, PF_GET_CLR_CNTR };
! 73:
! 74: /*
! 75: * Note about PFTM_*: real indices into pf_rule.timeout[] come before
! 76: * PFTM_MAX, special cases afterwards. See pf_state_expires().
! 77: */
! 78: enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
! 79: PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
! 80: PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
! 81: PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
! 82: PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
! 83: PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
! 84: PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
! 85: PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
! 86: PFTM_UNTIL_PACKET };
! 87:
! 88: /* PFTM default values */
! 89: #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
! 90: #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
! 91: #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
! 92: #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
! 93: #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
! 94: #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
! 95: #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
! 96: #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
! 97: #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
! 98: #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
! 99: #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
! 100: #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
! 101: #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
! 102: #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
! 103: #define PFTM_FRAG_VAL 30 /* Fragment expire */
! 104: #define PFTM_INTERVAL_VAL 10 /* Expire interval */
! 105: #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
! 106: #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
! 107:
! 108: enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
! 109: enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
! 110: PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
! 111: #define PF_POOL_IDMASK 0x0f
! 112: enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
! 113: PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
! 114: enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
! 115: PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED };
! 116: #define PF_POOL_TYPEMASK 0x0f
! 117: #define PF_POOL_STICKYADDR 0x20
! 118: #define PF_WSCALE_FLAG 0x80
! 119: #define PF_WSCALE_MASK 0x0f
! 120:
! 121: #define PF_LOG 0x01
! 122: #define PF_LOG_ALL 0x02
! 123: #define PF_LOG_SOCKET_LOOKUP 0x04
! 124:
! 125: struct pf_addr {
! 126: union {
! 127: struct in_addr v4;
! 128: struct in6_addr v6;
! 129: u_int8_t addr8[16];
! 130: u_int16_t addr16[8];
! 131: u_int32_t addr32[4];
! 132: } pfa; /* 128-bit address */
! 133: #define v4 pfa.v4
! 134: #define v6 pfa.v6
! 135: #define addr8 pfa.addr8
! 136: #define addr16 pfa.addr16
! 137: #define addr32 pfa.addr32
! 138: };
! 139:
! 140: #define PF_TABLE_NAME_SIZE 32
! 141:
! 142: #define PFI_AFLAG_NETWORK 0x01
! 143: #define PFI_AFLAG_BROADCAST 0x02
! 144: #define PFI_AFLAG_PEER 0x04
! 145: #define PFI_AFLAG_MODEMASK 0x07
! 146: #define PFI_AFLAG_NOALIAS 0x08
! 147:
! 148: struct pf_addr_wrap {
! 149: union {
! 150: struct {
! 151: struct pf_addr addr;
! 152: struct pf_addr mask;
! 153: } a;
! 154: char ifname[IFNAMSIZ];
! 155: char tblname[PF_TABLE_NAME_SIZE];
! 156: char rtlabelname[RTLABEL_LEN];
! 157: u_int32_t rtlabel;
! 158: } v;
! 159: union {
! 160: struct pfi_dynaddr *dyn;
! 161: struct pfr_ktable *tbl;
! 162: int dyncnt;
! 163: int tblcnt;
! 164: } p;
! 165: u_int8_t type; /* PF_ADDR_* */
! 166: u_int8_t iflags; /* PFI_AFLAG_* */
! 167: };
! 168:
! 169: #ifdef _KERNEL
! 170:
! 171: struct pfi_dynaddr {
! 172: TAILQ_ENTRY(pfi_dynaddr) entry;
! 173: struct pf_addr pfid_addr4;
! 174: struct pf_addr pfid_mask4;
! 175: struct pf_addr pfid_addr6;
! 176: struct pf_addr pfid_mask6;
! 177: struct pfr_ktable *pfid_kt;
! 178: struct pfi_kif *pfid_kif;
! 179: void *pfid_hook_cookie;
! 180: int pfid_net; /* mask or 128 */
! 181: int pfid_acnt4; /* address count IPv4 */
! 182: int pfid_acnt6; /* address count IPv6 */
! 183: sa_family_t pfid_af; /* rule af */
! 184: u_int8_t pfid_iflags; /* PFI_AFLAG_* */
! 185: };
! 186:
! 187: /*
! 188: * Address manipulation macros
! 189: */
! 190:
! 191: #ifdef INET
! 192: #ifndef INET6
! 193: #define PF_INET_ONLY
! 194: #endif /* ! INET6 */
! 195: #endif /* INET */
! 196:
! 197: #ifdef INET6
! 198: #ifndef INET
! 199: #define PF_INET6_ONLY
! 200: #endif /* ! INET */
! 201: #endif /* INET6 */
! 202:
! 203: #ifdef INET
! 204: #ifdef INET6
! 205: #define PF_INET_INET6
! 206: #endif /* INET6 */
! 207: #endif /* INET */
! 208:
! 209: #else
! 210:
! 211: #define PF_INET_INET6
! 212:
! 213: #endif /* _KERNEL */
! 214:
! 215: /* Both IPv4 and IPv6 */
! 216: #ifdef PF_INET_INET6
! 217:
! 218: #define PF_AEQ(a, b, c) \
! 219: ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
! 220: ((a)->addr32[3] == (b)->addr32[3] && \
! 221: (a)->addr32[2] == (b)->addr32[2] && \
! 222: (a)->addr32[1] == (b)->addr32[1] && \
! 223: (a)->addr32[0] == (b)->addr32[0])) \
! 224:
! 225: #define PF_ANEQ(a, b, c) \
! 226: ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
! 227: ((a)->addr32[3] != (b)->addr32[3] || \
! 228: (a)->addr32[2] != (b)->addr32[2] || \
! 229: (a)->addr32[1] != (b)->addr32[1] || \
! 230: (a)->addr32[0] != (b)->addr32[0])) \
! 231:
! 232: #define PF_AZERO(a, c) \
! 233: ((c == AF_INET && !(a)->addr32[0]) || \
! 234: (!(a)->addr32[0] && !(a)->addr32[1] && \
! 235: !(a)->addr32[2] && !(a)->addr32[3] )) \
! 236:
! 237: #define PF_MATCHA(n, a, m, b, f) \
! 238: pf_match_addr(n, a, m, b, f)
! 239:
! 240: #define PF_ACPY(a, b, f) \
! 241: pf_addrcpy(a, b, f)
! 242:
! 243: #define PF_AINC(a, f) \
! 244: pf_addr_inc(a, f)
! 245:
! 246: #define PF_POOLMASK(a, b, c, d, f) \
! 247: pf_poolmask(a, b, c, d, f)
! 248:
! 249: #else
! 250:
! 251: /* Just IPv6 */
! 252:
! 253: #ifdef PF_INET6_ONLY
! 254:
! 255: #define PF_AEQ(a, b, c) \
! 256: ((a)->addr32[3] == (b)->addr32[3] && \
! 257: (a)->addr32[2] == (b)->addr32[2] && \
! 258: (a)->addr32[1] == (b)->addr32[1] && \
! 259: (a)->addr32[0] == (b)->addr32[0]) \
! 260:
! 261: #define PF_ANEQ(a, b, c) \
! 262: ((a)->addr32[3] != (b)->addr32[3] || \
! 263: (a)->addr32[2] != (b)->addr32[2] || \
! 264: (a)->addr32[1] != (b)->addr32[1] || \
! 265: (a)->addr32[0] != (b)->addr32[0]) \
! 266:
! 267: #define PF_AZERO(a, c) \
! 268: (!(a)->addr32[0] && \
! 269: !(a)->addr32[1] && \
! 270: !(a)->addr32[2] && \
! 271: !(a)->addr32[3] ) \
! 272:
! 273: #define PF_MATCHA(n, a, m, b, f) \
! 274: pf_match_addr(n, a, m, b, f)
! 275:
! 276: #define PF_ACPY(a, b, f) \
! 277: pf_addrcpy(a, b, f)
! 278:
! 279: #define PF_AINC(a, f) \
! 280: pf_addr_inc(a, f)
! 281:
! 282: #define PF_POOLMASK(a, b, c, d, f) \
! 283: pf_poolmask(a, b, c, d, f)
! 284:
! 285: #else
! 286:
! 287: /* Just IPv4 */
! 288: #ifdef PF_INET_ONLY
! 289:
! 290: #define PF_AEQ(a, b, c) \
! 291: ((a)->addr32[0] == (b)->addr32[0])
! 292:
! 293: #define PF_ANEQ(a, b, c) \
! 294: ((a)->addr32[0] != (b)->addr32[0])
! 295:
! 296: #define PF_AZERO(a, c) \
! 297: (!(a)->addr32[0])
! 298:
! 299: #define PF_MATCHA(n, a, m, b, f) \
! 300: pf_match_addr(n, a, m, b, f)
! 301:
! 302: #define PF_ACPY(a, b, f) \
! 303: (a)->v4.s_addr = (b)->v4.s_addr
! 304:
! 305: #define PF_AINC(a, f) \
! 306: do { \
! 307: (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
! 308: } while (0)
! 309:
! 310: #define PF_POOLMASK(a, b, c, d, f) \
! 311: do { \
! 312: (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
! 313: (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
! 314: } while (0)
! 315:
! 316: #endif /* PF_INET_ONLY */
! 317: #endif /* PF_INET6_ONLY */
! 318: #endif /* PF_INET_INET6 */
! 319:
! 320: #define PF_MISMATCHAW(aw, x, af, neg, ifp) \
! 321: ( \
! 322: (((aw)->type == PF_ADDR_NOROUTE && \
! 323: pf_routable((x), (af), NULL)) || \
! 324: (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \
! 325: pf_routable((x), (af), (ifp))) || \
! 326: ((aw)->type == PF_ADDR_RTLABEL && \
! 327: !pf_rtlabel_match((x), (af), (aw))) || \
! 328: ((aw)->type == PF_ADDR_TABLE && \
! 329: !pfr_match_addr((aw)->p.tbl, (x), (af))) || \
! 330: ((aw)->type == PF_ADDR_DYNIFTL && \
! 331: !pfi_match_addr((aw)->p.dyn, (x), (af))) || \
! 332: ((aw)->type == PF_ADDR_ADDRMASK && \
! 333: !PF_AZERO(&(aw)->v.a.mask, (af)) && \
! 334: !PF_MATCHA(0, &(aw)->v.a.addr, \
! 335: &(aw)->v.a.mask, (x), (af))))) != \
! 336: (neg) \
! 337: )
! 338:
! 339:
! 340: struct pf_rule_uid {
! 341: uid_t uid[2];
! 342: u_int8_t op;
! 343: };
! 344:
! 345: struct pf_rule_gid {
! 346: uid_t gid[2];
! 347: u_int8_t op;
! 348: };
! 349:
! 350: struct pf_rule_addr {
! 351: struct pf_addr_wrap addr;
! 352: u_int16_t port[2];
! 353: u_int8_t neg;
! 354: u_int8_t port_op;
! 355: };
! 356:
! 357: struct pf_pooladdr {
! 358: struct pf_addr_wrap addr;
! 359: TAILQ_ENTRY(pf_pooladdr) entries;
! 360: char ifname[IFNAMSIZ];
! 361: struct pfi_kif *kif;
! 362: };
! 363:
! 364: TAILQ_HEAD(pf_palist, pf_pooladdr);
! 365:
! 366: struct pf_poolhashkey {
! 367: union {
! 368: u_int8_t key8[16];
! 369: u_int16_t key16[8];
! 370: u_int32_t key32[4];
! 371: } pfk; /* 128-bit hash key */
! 372: #define key8 pfk.key8
! 373: #define key16 pfk.key16
! 374: #define key32 pfk.key32
! 375: };
! 376:
! 377: struct pf_pool {
! 378: struct pf_palist list;
! 379: struct pf_pooladdr *cur;
! 380: struct pf_poolhashkey key;
! 381: struct pf_addr counter;
! 382: int tblidx;
! 383: u_int16_t proxy_port[2];
! 384: u_int8_t port_op;
! 385: u_int8_t opts;
! 386: };
! 387:
! 388:
! 389: /* A packed Operating System description for fingerprinting */
! 390: typedef u_int32_t pf_osfp_t;
! 391: #define PF_OSFP_ANY ((pf_osfp_t)0)
! 392: #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
! 393: #define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
! 394:
! 395: struct pf_osfp_entry {
! 396: SLIST_ENTRY(pf_osfp_entry) fp_entry;
! 397: pf_osfp_t fp_os;
! 398: int fp_enflags;
! 399: #define PF_OSFP_EXPANDED 0x001 /* expanded entry */
! 400: #define PF_OSFP_GENERIC 0x002 /* generic signature */
! 401: #define PF_OSFP_NODETAIL 0x004 /* no p0f details */
! 402: #define PF_OSFP_LEN 32
! 403: char fp_class_nm[PF_OSFP_LEN];
! 404: char fp_version_nm[PF_OSFP_LEN];
! 405: char fp_subtype_nm[PF_OSFP_LEN];
! 406: };
! 407: #define PF_OSFP_ENTRY_EQ(a, b) \
! 408: ((a)->fp_os == (b)->fp_os && \
! 409: memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
! 410: memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
! 411: memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
! 412:
! 413: /* handle pf_osfp_t packing */
! 414: #define _FP_RESERVED_BIT 1 /* For the special negative #defines */
! 415: #define _FP_UNUSED_BITS 1
! 416: #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */
! 417: #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
! 418: #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */
! 419: #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
! 420: (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
! 421: ((1 << _FP_CLASS_BITS) - 1); \
! 422: (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
! 423: ((1 << _FP_VERSION_BITS) - 1);\
! 424: (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
! 425: } while(0)
! 426: #define PF_OSFP_PACK(osfp, class, version, subtype) do { \
! 427: (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
! 428: + _FP_SUBTYPE_BITS); \
! 429: (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
! 430: _FP_SUBTYPE_BITS; \
! 431: (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
! 432: } while(0)
! 433:
! 434: /* the fingerprint of an OSes TCP SYN packet */
! 435: typedef u_int64_t pf_tcpopts_t;
! 436: struct pf_os_fingerprint {
! 437: SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
! 438: pf_tcpopts_t fp_tcpopts; /* packed TCP options */
! 439: u_int16_t fp_wsize; /* TCP window size */
! 440: u_int16_t fp_psize; /* ip->ip_len */
! 441: u_int16_t fp_mss; /* TCP MSS */
! 442: u_int16_t fp_flags;
! 443: #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */
! 444: #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */
! 445: #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */
! 446: #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */
! 447: #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */
! 448: #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */
! 449: #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */
! 450: #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */
! 451: #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */
! 452: #define PF_OSFP_MSS 0x0200 /* TCP MSS */
! 453: #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */
! 454: #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */
! 455: #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */
! 456: #define PF_OSFP_TS0 0x2000 /* Zero timestamp */
! 457: #define PF_OSFP_INET6 0x4000 /* IPv6 */
! 458: u_int8_t fp_optcnt; /* TCP option count */
! 459: u_int8_t fp_wscale; /* TCP window scaling */
! 460: u_int8_t fp_ttl; /* IPv4 TTL */
! 461: #define PF_OSFP_MAXTTL_OFFSET 40
! 462: /* TCP options packing */
! 463: #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */
! 464: #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */
! 465: #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */
! 466: #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */
! 467: #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */
! 468: #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */
! 469: #define PF_OSFP_MAX_OPTS \
! 470: (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
! 471: / PF_OSFP_TCPOPT_BITS
! 472:
! 473: SLIST_ENTRY(pf_os_fingerprint) fp_next;
! 474: };
! 475:
! 476: struct pf_osfp_ioctl {
! 477: struct pf_osfp_entry fp_os;
! 478: pf_tcpopts_t fp_tcpopts; /* packed TCP options */
! 479: u_int16_t fp_wsize; /* TCP window size */
! 480: u_int16_t fp_psize; /* ip->ip_len */
! 481: u_int16_t fp_mss; /* TCP MSS */
! 482: u_int16_t fp_flags;
! 483: u_int8_t fp_optcnt; /* TCP option count */
! 484: u_int8_t fp_wscale; /* TCP window scaling */
! 485: u_int8_t fp_ttl; /* IPv4 TTL */
! 486:
! 487: int fp_getnum; /* DIOCOSFPGET number */
! 488: };
! 489:
! 490:
! 491: union pf_rule_ptr {
! 492: struct pf_rule *ptr;
! 493: u_int32_t nr;
! 494: };
! 495:
! 496: #define PF_ANCHOR_NAME_SIZE 64
! 497:
! 498: struct pf_rule {
! 499: struct pf_rule_addr src;
! 500: struct pf_rule_addr dst;
! 501: #define PF_SKIP_IFP 0
! 502: #define PF_SKIP_DIR 1
! 503: #define PF_SKIP_AF 2
! 504: #define PF_SKIP_PROTO 3
! 505: #define PF_SKIP_SRC_ADDR 4
! 506: #define PF_SKIP_SRC_PORT 5
! 507: #define PF_SKIP_DST_ADDR 6
! 508: #define PF_SKIP_DST_PORT 7
! 509: #define PF_SKIP_COUNT 8
! 510: union pf_rule_ptr skip[PF_SKIP_COUNT];
! 511: #define PF_RULE_LABEL_SIZE 64
! 512: char label[PF_RULE_LABEL_SIZE];
! 513: #define PF_QNAME_SIZE 64
! 514: char ifname[IFNAMSIZ];
! 515: char qname[PF_QNAME_SIZE];
! 516: char pqname[PF_QNAME_SIZE];
! 517: #define PF_TAG_NAME_SIZE 64
! 518: char tagname[PF_TAG_NAME_SIZE];
! 519: char match_tagname[PF_TAG_NAME_SIZE];
! 520:
! 521: char overload_tblname[PF_TABLE_NAME_SIZE];
! 522:
! 523: TAILQ_ENTRY(pf_rule) entries;
! 524: struct pf_pool rpool;
! 525:
! 526: u_int64_t evaluations;
! 527: u_int64_t packets[2];
! 528: u_int64_t bytes[2];
! 529:
! 530: struct pfi_kif *kif;
! 531: struct pf_anchor *anchor;
! 532: struct pfr_ktable *overload_tbl;
! 533:
! 534: pf_osfp_t os_fingerprint;
! 535:
! 536: int rtableid;
! 537: u_int32_t timeout[PFTM_MAX];
! 538: u_int32_t states;
! 539: u_int32_t max_states;
! 540: u_int32_t src_nodes;
! 541: u_int32_t max_src_nodes;
! 542: u_int32_t max_src_states;
! 543: u_int32_t max_src_conn;
! 544: struct {
! 545: u_int32_t limit;
! 546: u_int32_t seconds;
! 547: } max_src_conn_rate;
! 548: u_int32_t qid;
! 549: u_int32_t pqid;
! 550: u_int32_t rt_listid;
! 551: u_int32_t nr;
! 552: u_int32_t prob;
! 553: uid_t cuid;
! 554: pid_t cpid;
! 555:
! 556: u_int16_t return_icmp;
! 557: u_int16_t return_icmp6;
! 558: u_int16_t max_mss;
! 559: u_int16_t tag;
! 560: u_int16_t match_tag;
! 561:
! 562: struct pf_rule_uid uid;
! 563: struct pf_rule_gid gid;
! 564:
! 565: u_int32_t rule_flag;
! 566: u_int8_t action;
! 567: u_int8_t direction;
! 568: u_int8_t log;
! 569: u_int8_t logif;
! 570: u_int8_t quick;
! 571: u_int8_t ifnot;
! 572: u_int8_t match_tag_not;
! 573: u_int8_t natpass;
! 574:
! 575: #define PF_STATE_NORMAL 0x1
! 576: #define PF_STATE_MODULATE 0x2
! 577: #define PF_STATE_SYNPROXY 0x3
! 578: u_int8_t keep_state;
! 579: sa_family_t af;
! 580: u_int8_t proto;
! 581: u_int8_t type;
! 582: u_int8_t code;
! 583: u_int8_t flags;
! 584: u_int8_t flagset;
! 585: u_int8_t min_ttl;
! 586: u_int8_t allow_opts;
! 587: u_int8_t rt;
! 588: u_int8_t return_ttl;
! 589: u_int8_t tos;
! 590: u_int8_t anchor_relative;
! 591: u_int8_t anchor_wildcard;
! 592:
! 593: #define PF_FLUSH 0x01
! 594: #define PF_FLUSH_GLOBAL 0x02
! 595: u_int8_t flush;
! 596: };
! 597:
! 598: /* rule flags */
! 599: #define PFRULE_DROP 0x0000
! 600: #define PFRULE_RETURNRST 0x0001
! 601: #define PFRULE_FRAGMENT 0x0002
! 602: #define PFRULE_RETURNICMP 0x0004
! 603: #define PFRULE_RETURN 0x0008
! 604: #define PFRULE_NOSYNC 0x0010
! 605: #define PFRULE_SRCTRACK 0x0020 /* track source states */
! 606: #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
! 607:
! 608: /* scrub flags */
! 609: #define PFRULE_NODF 0x0100
! 610: #define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */
! 611: #define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */
! 612: #define PFRULE_RANDOMID 0x0800
! 613: #define PFRULE_REASSEMBLE_TCP 0x1000
! 614:
! 615: /* rule flags again */
! 616: #define PFRULE_IFBOUND 0x00010000 /* if-bound */
! 617:
! 618: #define PFSTATE_HIWAT 10000 /* default state table size */
! 619: #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */
! 620: #define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */
! 621:
! 622:
! 623: struct pf_threshold {
! 624: u_int32_t limit;
! 625: #define PF_THRESHOLD_MULT 1000
! 626: #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
! 627: u_int32_t seconds;
! 628: u_int32_t count;
! 629: u_int32_t last;
! 630: };
! 631:
! 632: struct pf_src_node {
! 633: RB_ENTRY(pf_src_node) entry;
! 634: struct pf_addr addr;
! 635: struct pf_addr raddr;
! 636: union pf_rule_ptr rule;
! 637: struct pfi_kif *kif;
! 638: u_int64_t bytes[2];
! 639: u_int64_t packets[2];
! 640: u_int32_t states;
! 641: u_int32_t conn;
! 642: struct pf_threshold conn_rate;
! 643: u_int32_t creation;
! 644: u_int32_t expire;
! 645: sa_family_t af;
! 646: u_int8_t ruletype;
! 647: };
! 648:
! 649: #define PFSNODE_HIWAT 10000 /* default source node table size */
! 650:
! 651: struct pf_state_scrub {
! 652: struct timeval pfss_last; /* time received last packet */
! 653: u_int32_t pfss_tsecr; /* last echoed timestamp */
! 654: u_int32_t pfss_tsval; /* largest timestamp */
! 655: u_int32_t pfss_tsval0; /* original timestamp */
! 656: u_int16_t pfss_flags;
! 657: #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */
! 658: #define PFSS_PAWS 0x0010 /* stricter PAWS checks */
! 659: #define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */
! 660: #define PFSS_DATA_TS 0x0040 /* timestamp on data packets */
! 661: #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */
! 662: u_int8_t pfss_ttl; /* stashed TTL */
! 663: u_int8_t pad;
! 664: u_int32_t pfss_ts_mod; /* timestamp modulation */
! 665: };
! 666:
! 667: struct pf_state_host {
! 668: struct pf_addr addr;
! 669: u_int16_t port;
! 670: u_int16_t pad;
! 671: };
! 672:
! 673: struct pf_state_peer {
! 674: u_int32_t seqlo; /* Max sequence number sent */
! 675: u_int32_t seqhi; /* Max the other end ACKd + win */
! 676: u_int32_t seqdiff; /* Sequence number modulator */
! 677: u_int16_t max_win; /* largest window (pre scaling) */
! 678: u_int8_t state; /* active state level */
! 679: u_int8_t wscale; /* window scaling factor */
! 680: u_int16_t mss; /* Maximum segment size option */
! 681: u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */
! 682: struct pf_state_scrub *scrub; /* state is scrubbed */
! 683: u_int8_t pad[3];
! 684: };
! 685:
! 686: TAILQ_HEAD(pf_state_queue, pf_state);
! 687:
! 688: /* keep synced with struct pf_state_key, used in RB_FIND */
! 689: struct pf_state_key_cmp {
! 690: struct pf_state_host lan;
! 691: struct pf_state_host gwy;
! 692: struct pf_state_host ext;
! 693: sa_family_t af;
! 694: u_int8_t proto;
! 695: u_int8_t direction;
! 696: u_int8_t pad;
! 697: };
! 698:
! 699: TAILQ_HEAD(pf_statelist, pf_state);
! 700:
! 701: struct pf_state_key {
! 702: struct pf_state_host lan;
! 703: struct pf_state_host gwy;
! 704: struct pf_state_host ext;
! 705: sa_family_t af;
! 706: u_int8_t proto;
! 707: u_int8_t direction;
! 708: u_int8_t pad;
! 709:
! 710: RB_ENTRY(pf_state_key) entry_lan_ext;
! 711: RB_ENTRY(pf_state_key) entry_ext_gwy;
! 712: struct pf_statelist states;
! 713: u_short refcnt; /* same size as if_index */
! 714: };
! 715:
! 716:
! 717: /* keep synced with struct pf_state, used in RB_FIND */
! 718: struct pf_state_cmp {
! 719: u_int64_t id;
! 720: u_int32_t creatorid;
! 721: u_int32_t pad;
! 722: };
! 723:
! 724: struct pf_state {
! 725: u_int64_t id;
! 726: u_int32_t creatorid;
! 727: u_int32_t pad;
! 728:
! 729: TAILQ_ENTRY(pf_state) entry_list;
! 730: TAILQ_ENTRY(pf_state) next;
! 731: RB_ENTRY(pf_state) entry_id;
! 732: struct pf_state_peer src;
! 733: struct pf_state_peer dst;
! 734: union pf_rule_ptr rule;
! 735: union pf_rule_ptr anchor;
! 736: union pf_rule_ptr nat_rule;
! 737: struct pf_addr rt_addr;
! 738: struct pf_state_key *state_key;
! 739: struct pfi_kif *kif;
! 740: struct pfi_kif *rt_kif;
! 741: struct pf_src_node *src_node;
! 742: struct pf_src_node *nat_src_node;
! 743: u_int64_t packets[2];
! 744: u_int64_t bytes[2];
! 745: u_int32_t creation;
! 746: u_int32_t expire;
! 747: u_int32_t pfsync_time;
! 748: u_int16_t tag;
! 749: u_int8_t log;
! 750: u_int8_t allow_opts;
! 751: u_int8_t timeout;
! 752: u_int8_t sync_flags;
! 753: #define PFSTATE_NOSYNC 0x01
! 754: #define PFSTATE_FROMSYNC 0x02
! 755: #define PFSTATE_STALE 0x04
! 756: };
! 757:
! 758: /*
! 759: * Unified state structures for pulling states out of the kernel
! 760: * used by pfsync(4) and the pf(4) ioctl.
! 761: */
! 762: struct pfsync_state_scrub {
! 763: u_int16_t pfss_flags;
! 764: u_int8_t pfss_ttl; /* stashed TTL */
! 765: #define PFSYNC_SCRUB_FLAG_VALID 0x01
! 766: u_int8_t scrub_flag;
! 767: u_int32_t pfss_ts_mod; /* timestamp modulation */
! 768: } __packed;
! 769:
! 770: struct pfsync_state_host {
! 771: struct pf_addr addr;
! 772: u_int16_t port;
! 773: u_int16_t pad[3];
! 774: } __packed;
! 775:
! 776: struct pfsync_state_peer {
! 777: struct pfsync_state_scrub scrub; /* state is scrubbed */
! 778: u_int32_t seqlo; /* Max sequence number sent */
! 779: u_int32_t seqhi; /* Max the other end ACKd + win */
! 780: u_int32_t seqdiff; /* Sequence number modulator */
! 781: u_int16_t max_win; /* largest window (pre scaling) */
! 782: u_int16_t mss; /* Maximum segment size option */
! 783: u_int8_t state; /* active state level */
! 784: u_int8_t wscale; /* window scaling factor */
! 785: u_int8_t pad[6];
! 786: } __packed;
! 787:
! 788: struct pfsync_state {
! 789: u_int32_t id[2];
! 790: char ifname[IFNAMSIZ];
! 791: struct pfsync_state_host lan;
! 792: struct pfsync_state_host gwy;
! 793: struct pfsync_state_host ext;
! 794: struct pfsync_state_peer src;
! 795: struct pfsync_state_peer dst;
! 796: struct pf_addr rt_addr;
! 797: u_int32_t rule;
! 798: u_int32_t anchor;
! 799: u_int32_t nat_rule;
! 800: u_int32_t creation;
! 801: u_int32_t expire;
! 802: u_int32_t packets[2][2];
! 803: u_int32_t bytes[2][2];
! 804: u_int32_t creatorid;
! 805: sa_family_t af;
! 806: u_int8_t proto;
! 807: u_int8_t direction;
! 808: u_int8_t log;
! 809: u_int8_t allow_opts;
! 810: u_int8_t timeout;
! 811: u_int8_t sync_flags;
! 812: u_int8_t updates;
! 813: } __packed;
! 814:
! 815: #define PFSYNC_FLAG_COMPRESS 0x01
! 816: #define PFSYNC_FLAG_STALE 0x02
! 817: #define PFSYNC_FLAG_SRCNODE 0x04
! 818: #define PFSYNC_FLAG_NATSRCNODE 0x08
! 819:
! 820: /* for copies to/from userland via pf_ioctl() */
! 821: #define pf_state_peer_to_pfsync(s,d) do { \
! 822: (d)->seqlo = (s)->seqlo; \
! 823: (d)->seqhi = (s)->seqhi; \
! 824: (d)->seqdiff = (s)->seqdiff; \
! 825: (d)->max_win = (s)->max_win; \
! 826: (d)->mss = (s)->mss; \
! 827: (d)->state = (s)->state; \
! 828: (d)->wscale = (s)->wscale; \
! 829: if ((s)->scrub) { \
! 830: (d)->scrub.pfss_flags = \
! 831: (s)->scrub->pfss_flags & PFSS_TIMESTAMP; \
! 832: (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
! 833: (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod; \
! 834: (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
! 835: } \
! 836: } while (0)
! 837:
! 838: #define pf_state_peer_from_pfsync(s,d) do { \
! 839: (d)->seqlo = (s)->seqlo; \
! 840: (d)->seqhi = (s)->seqhi; \
! 841: (d)->seqdiff = (s)->seqdiff; \
! 842: (d)->max_win = (s)->max_win; \
! 843: (d)->mss = ntohs((s)->mss); \
! 844: (d)->state = (s)->state; \
! 845: (d)->wscale = (s)->wscale; \
! 846: if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
! 847: (d)->scrub != NULL) { \
! 848: (d)->scrub->pfss_flags = \
! 849: ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
! 850: (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
! 851: (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod; \
! 852: } \
! 853: } while (0)
! 854:
! 855: #define pf_state_counter_to_pfsync(s,d) do { \
! 856: d[0] = (s>>32)&0xffffffff; \
! 857: d[1] = s&0xffffffff; \
! 858: } while (0)
! 859:
! 860: #define pf_state_counter_from_pfsync(s) \
! 861: (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
! 862:
! 863:
! 864:
! 865: TAILQ_HEAD(pf_rulequeue, pf_rule);
! 866:
! 867: struct pf_anchor;
! 868:
! 869: struct pf_ruleset {
! 870: struct {
! 871: struct pf_rulequeue queues[2];
! 872: struct {
! 873: struct pf_rulequeue *ptr;
! 874: struct pf_rule **ptr_array;
! 875: u_int32_t rcount;
! 876: u_int32_t ticket;
! 877: int open;
! 878: } active, inactive;
! 879: } rules[PF_RULESET_MAX];
! 880: struct pf_anchor *anchor;
! 881: u_int32_t tticket;
! 882: int tables;
! 883: int topen;
! 884: };
! 885:
! 886: RB_HEAD(pf_anchor_global, pf_anchor);
! 887: RB_HEAD(pf_anchor_node, pf_anchor);
! 888: struct pf_anchor {
! 889: RB_ENTRY(pf_anchor) entry_global;
! 890: RB_ENTRY(pf_anchor) entry_node;
! 891: struct pf_anchor *parent;
! 892: struct pf_anchor_node children;
! 893: char name[PF_ANCHOR_NAME_SIZE];
! 894: char path[MAXPATHLEN];
! 895: struct pf_ruleset ruleset;
! 896: int refcnt; /* anchor rules */
! 897: int match;
! 898: };
! 899: RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
! 900: RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
! 901:
! 902: #define PF_RESERVED_ANCHOR "_pf"
! 903:
! 904: #define PFR_TFLAG_PERSIST 0x00000001
! 905: #define PFR_TFLAG_CONST 0x00000002
! 906: #define PFR_TFLAG_ACTIVE 0x00000004
! 907: #define PFR_TFLAG_INACTIVE 0x00000008
! 908: #define PFR_TFLAG_REFERENCED 0x00000010
! 909: #define PFR_TFLAG_REFDANCHOR 0x00000020
! 910: #define PFR_TFLAG_USRMASK 0x00000003
! 911: #define PFR_TFLAG_SETMASK 0x0000003C
! 912: #define PFR_TFLAG_ALLMASK 0x0000003F
! 913:
! 914: struct pfr_table {
! 915: char pfrt_anchor[MAXPATHLEN];
! 916: char pfrt_name[PF_TABLE_NAME_SIZE];
! 917: u_int32_t pfrt_flags;
! 918: u_int8_t pfrt_fback;
! 919: };
! 920:
! 921: enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
! 922: PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
! 923: PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX };
! 924:
! 925: struct pfr_addr {
! 926: union {
! 927: struct in_addr _pfra_ip4addr;
! 928: struct in6_addr _pfra_ip6addr;
! 929: } pfra_u;
! 930: u_int8_t pfra_af;
! 931: u_int8_t pfra_net;
! 932: u_int8_t pfra_not;
! 933: u_int8_t pfra_fback;
! 934: };
! 935: #define pfra_ip4addr pfra_u._pfra_ip4addr
! 936: #define pfra_ip6addr pfra_u._pfra_ip6addr
! 937:
! 938: enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
! 939: enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
! 940: #define PFR_OP_XPASS PFR_OP_ADDR_MAX
! 941:
! 942: struct pfr_astats {
! 943: struct pfr_addr pfras_a;
! 944: u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
! 945: u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
! 946: long pfras_tzero;
! 947: };
! 948:
! 949: enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
! 950:
! 951: struct pfr_tstats {
! 952: struct pfr_table pfrts_t;
! 953: u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
! 954: u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
! 955: u_int64_t pfrts_match;
! 956: u_int64_t pfrts_nomatch;
! 957: long pfrts_tzero;
! 958: int pfrts_cnt;
! 959: int pfrts_refcnt[PFR_REFCNT_MAX];
! 960: };
! 961: #define pfrts_name pfrts_t.pfrt_name
! 962: #define pfrts_flags pfrts_t.pfrt_flags
! 963:
! 964: SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
! 965: struct pfr_kentry {
! 966: struct radix_node pfrke_node[2];
! 967: union sockaddr_union pfrke_sa;
! 968: u_int64_t pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
! 969: u_int64_t pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
! 970: SLIST_ENTRY(pfr_kentry) pfrke_workq;
! 971: long pfrke_tzero;
! 972: u_int8_t pfrke_af;
! 973: u_int8_t pfrke_net;
! 974: u_int8_t pfrke_not;
! 975: u_int8_t pfrke_mark;
! 976: u_int8_t pfrke_intrpool;
! 977: };
! 978:
! 979: SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
! 980: RB_HEAD(pfr_ktablehead, pfr_ktable);
! 981: struct pfr_ktable {
! 982: struct pfr_tstats pfrkt_ts;
! 983: RB_ENTRY(pfr_ktable) pfrkt_tree;
! 984: SLIST_ENTRY(pfr_ktable) pfrkt_workq;
! 985: struct radix_node_head *pfrkt_ip4;
! 986: struct radix_node_head *pfrkt_ip6;
! 987: struct pfr_ktable *pfrkt_shadow;
! 988: struct pfr_ktable *pfrkt_root;
! 989: struct pf_ruleset *pfrkt_rs;
! 990: long pfrkt_larg;
! 991: int pfrkt_nflags;
! 992: };
! 993: #define pfrkt_t pfrkt_ts.pfrts_t
! 994: #define pfrkt_name pfrkt_t.pfrt_name
! 995: #define pfrkt_anchor pfrkt_t.pfrt_anchor
! 996: #define pfrkt_ruleset pfrkt_t.pfrt_ruleset
! 997: #define pfrkt_flags pfrkt_t.pfrt_flags
! 998: #define pfrkt_cnt pfrkt_ts.pfrts_cnt
! 999: #define pfrkt_refcnt pfrkt_ts.pfrts_refcnt
! 1000: #define pfrkt_packets pfrkt_ts.pfrts_packets
! 1001: #define pfrkt_bytes pfrkt_ts.pfrts_bytes
! 1002: #define pfrkt_match pfrkt_ts.pfrts_match
! 1003: #define pfrkt_nomatch pfrkt_ts.pfrts_nomatch
! 1004: #define pfrkt_tzero pfrkt_ts.pfrts_tzero
! 1005:
! 1006: RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
! 1007: RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key,
! 1008: entry_lan_ext, pf_state_compare_lan_ext);
! 1009:
! 1010: RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
! 1011: RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
! 1012: entry_ext_gwy, pf_state_compare_ext_gwy);
! 1013:
! 1014: RB_HEAD(pfi_ifhead, pfi_kif);
! 1015:
! 1016: /* state tables */
! 1017: extern struct pf_state_tree_lan_ext pf_statetbl_lan_ext;
! 1018: extern struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy;
! 1019:
! 1020: /* keep synced with pfi_kif, used in RB_FIND */
! 1021: struct pfi_kif_cmp {
! 1022: char pfik_name[IFNAMSIZ];
! 1023: };
! 1024:
! 1025: struct pfi_kif {
! 1026: char pfik_name[IFNAMSIZ];
! 1027: RB_ENTRY(pfi_kif) pfik_tree;
! 1028: u_int64_t pfik_packets[2][2][2];
! 1029: u_int64_t pfik_bytes[2][2][2];
! 1030: u_int32_t pfik_tzero;
! 1031: int pfik_flags;
! 1032: void *pfik_ah_cookie;
! 1033: struct ifnet *pfik_ifp;
! 1034: struct ifg_group *pfik_group;
! 1035: int pfik_states;
! 1036: int pfik_rules;
! 1037: TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
! 1038: };
! 1039:
! 1040: enum pfi_kif_refs {
! 1041: PFI_KIF_REF_NONE,
! 1042: PFI_KIF_REF_STATE,
! 1043: PFI_KIF_REF_RULE
! 1044: };
! 1045:
! 1046: #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
! 1047:
! 1048: struct pf_pdesc {
! 1049: struct {
! 1050: int done;
! 1051: uid_t uid;
! 1052: gid_t gid;
! 1053: pid_t pid;
! 1054: } lookup;
! 1055: u_int64_t tot_len; /* Make Mickey money */
! 1056: union {
! 1057: struct tcphdr *tcp;
! 1058: struct udphdr *udp;
! 1059: struct icmp *icmp;
! 1060: #ifdef INET6
! 1061: struct icmp6_hdr *icmp6;
! 1062: #endif /* INET6 */
! 1063: void *any;
! 1064: } hdr;
! 1065: struct pf_addr baddr; /* address before translation */
! 1066: struct pf_addr naddr; /* address after translation */
! 1067: struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */
! 1068: struct pf_addr *src;
! 1069: struct pf_addr *dst;
! 1070: struct ether_header
! 1071: *eh;
! 1072: u_int16_t *ip_sum;
! 1073: u_int32_t p_len; /* total length of payload */
! 1074: u_int16_t flags; /* Let SCRUB trigger behavior in
! 1075: * state code. Easier than tags */
! 1076: #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */
! 1077: #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */
! 1078: sa_family_t af;
! 1079: u_int8_t proto;
! 1080: u_int8_t tos;
! 1081: };
! 1082:
! 1083: /* flags for RDR options */
! 1084: #define PF_DPORT_RANGE 0x01 /* Dest port uses range */
! 1085: #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
! 1086:
! 1087: /* Reasons code for passing/dropping a packet */
! 1088: #define PFRES_MATCH 0 /* Explicit match of a rule */
! 1089: #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
! 1090: #define PFRES_FRAG 2 /* Dropping following fragment */
! 1091: #define PFRES_SHORT 3 /* Dropping short packet */
! 1092: #define PFRES_NORM 4 /* Dropping by normalizer */
! 1093: #define PFRES_MEMORY 5 /* Dropped due to lacking mem */
! 1094: #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
! 1095: #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
! 1096: #define PFRES_IPOPTIONS 8 /* IP option */
! 1097: #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
! 1098: #define PFRES_BADSTATE 10 /* State mismatch */
! 1099: #define PFRES_STATEINS 11 /* State insertion failure */
! 1100: #define PFRES_MAXSTATES 12 /* State limit */
! 1101: #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
! 1102: #define PFRES_SYNPROXY 14 /* SYN proxy */
! 1103: #define PFRES_MAX 15 /* total+1 */
! 1104:
! 1105: #define PFRES_NAMES { \
! 1106: "match", \
! 1107: "bad-offset", \
! 1108: "fragment", \
! 1109: "short", \
! 1110: "normalize", \
! 1111: "memory", \
! 1112: "bad-timestamp", \
! 1113: "congestion", \
! 1114: "ip-option", \
! 1115: "proto-cksum", \
! 1116: "state-mismatch", \
! 1117: "state-insert", \
! 1118: "state-limit", \
! 1119: "src-limit", \
! 1120: "synproxy", \
! 1121: NULL \
! 1122: }
! 1123:
! 1124: /* Counters for other things we want to keep track of */
! 1125: #define LCNT_STATES 0 /* states */
! 1126: #define LCNT_SRCSTATES 1 /* max-src-states */
! 1127: #define LCNT_SRCNODES 2 /* max-src-nodes */
! 1128: #define LCNT_SRCCONN 3 /* max-src-conn */
! 1129: #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
! 1130: #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
! 1131: #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
! 1132: #define LCNT_MAX 7 /* total+1 */
! 1133:
! 1134: #define LCNT_NAMES { \
! 1135: "max states per rule", \
! 1136: "max-src-states", \
! 1137: "max-src-nodes", \
! 1138: "max-src-conn", \
! 1139: "max-src-conn-rate", \
! 1140: "overload table insertion", \
! 1141: "overload flush states", \
! 1142: NULL \
! 1143: }
! 1144:
! 1145: /* UDP state enumeration */
! 1146: #define PFUDPS_NO_TRAFFIC 0
! 1147: #define PFUDPS_SINGLE 1
! 1148: #define PFUDPS_MULTIPLE 2
! 1149:
! 1150: #define PFUDPS_NSTATES 3 /* number of state levels */
! 1151:
! 1152: #define PFUDPS_NAMES { \
! 1153: "NO_TRAFFIC", \
! 1154: "SINGLE", \
! 1155: "MULTIPLE", \
! 1156: NULL \
! 1157: }
! 1158:
! 1159: /* Other protocol state enumeration */
! 1160: #define PFOTHERS_NO_TRAFFIC 0
! 1161: #define PFOTHERS_SINGLE 1
! 1162: #define PFOTHERS_MULTIPLE 2
! 1163:
! 1164: #define PFOTHERS_NSTATES 3 /* number of state levels */
! 1165:
! 1166: #define PFOTHERS_NAMES { \
! 1167: "NO_TRAFFIC", \
! 1168: "SINGLE", \
! 1169: "MULTIPLE", \
! 1170: NULL \
! 1171: }
! 1172:
! 1173: #define FCNT_STATE_SEARCH 0
! 1174: #define FCNT_STATE_INSERT 1
! 1175: #define FCNT_STATE_REMOVALS 2
! 1176: #define FCNT_MAX 3
! 1177:
! 1178: #define SCNT_SRC_NODE_SEARCH 0
! 1179: #define SCNT_SRC_NODE_INSERT 1
! 1180: #define SCNT_SRC_NODE_REMOVALS 2
! 1181: #define SCNT_MAX 3
! 1182:
! 1183: #define ACTION_SET(a, x) \
! 1184: do { \
! 1185: if ((a) != NULL) \
! 1186: *(a) = (x); \
! 1187: } while (0)
! 1188:
! 1189: #define REASON_SET(a, x) \
! 1190: do { \
! 1191: if ((a) != NULL) \
! 1192: *(a) = (x); \
! 1193: if (x < PFRES_MAX) \
! 1194: pf_status.counters[x]++; \
! 1195: } while (0)
! 1196:
! 1197: struct pf_status {
! 1198: u_int64_t counters[PFRES_MAX];
! 1199: u_int64_t lcounters[LCNT_MAX]; /* limit counters */
! 1200: u_int64_t fcounters[FCNT_MAX];
! 1201: u_int64_t scounters[SCNT_MAX];
! 1202: u_int64_t pcounters[2][2][3];
! 1203: u_int64_t bcounters[2][2];
! 1204: u_int64_t stateid;
! 1205: u_int32_t running;
! 1206: u_int32_t states;
! 1207: u_int32_t src_nodes;
! 1208: u_int32_t since;
! 1209: u_int32_t debug;
! 1210: u_int32_t hostid;
! 1211: char ifname[IFNAMSIZ];
! 1212: u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
! 1213: };
! 1214:
! 1215: struct cbq_opts {
! 1216: u_int minburst;
! 1217: u_int maxburst;
! 1218: u_int pktsize;
! 1219: u_int maxpktsize;
! 1220: u_int ns_per_byte;
! 1221: u_int maxidle;
! 1222: int minidle;
! 1223: u_int offtime;
! 1224: int flags;
! 1225: };
! 1226:
! 1227: struct priq_opts {
! 1228: int flags;
! 1229: };
! 1230:
! 1231: struct hfsc_opts {
! 1232: /* real-time service curve */
! 1233: u_int rtsc_m1; /* slope of the 1st segment in bps */
! 1234: u_int rtsc_d; /* the x-projection of m1 in msec */
! 1235: u_int rtsc_m2; /* slope of the 2nd segment in bps */
! 1236: /* link-sharing service curve */
! 1237: u_int lssc_m1;
! 1238: u_int lssc_d;
! 1239: u_int lssc_m2;
! 1240: /* upper-limit service curve */
! 1241: u_int ulsc_m1;
! 1242: u_int ulsc_d;
! 1243: u_int ulsc_m2;
! 1244: int flags;
! 1245: };
! 1246:
! 1247: struct pf_altq {
! 1248: char ifname[IFNAMSIZ];
! 1249:
! 1250: void *altq_disc; /* discipline-specific state */
! 1251: TAILQ_ENTRY(pf_altq) entries;
! 1252:
! 1253: /* scheduler spec */
! 1254: u_int8_t scheduler; /* scheduler type */
! 1255: u_int16_t tbrsize; /* tokenbucket regulator size */
! 1256: u_int32_t ifbandwidth; /* interface bandwidth */
! 1257:
! 1258: /* queue spec */
! 1259: char qname[PF_QNAME_SIZE]; /* queue name */
! 1260: char parent[PF_QNAME_SIZE]; /* parent name */
! 1261: u_int32_t parent_qid; /* parent queue id */
! 1262: u_int32_t bandwidth; /* queue bandwidth */
! 1263: u_int8_t priority; /* priority */
! 1264: u_int16_t qlimit; /* queue size limit */
! 1265: u_int16_t flags; /* misc flags */
! 1266: union {
! 1267: struct cbq_opts cbq_opts;
! 1268: struct priq_opts priq_opts;
! 1269: struct hfsc_opts hfsc_opts;
! 1270: } pq_u;
! 1271:
! 1272: u_int32_t qid; /* return value */
! 1273: };
! 1274:
! 1275: struct pf_tag {
! 1276: u_int16_t tag; /* tag id */
! 1277: };
! 1278:
! 1279: struct pf_tagname {
! 1280: TAILQ_ENTRY(pf_tagname) entries;
! 1281: char name[PF_TAG_NAME_SIZE];
! 1282: u_int16_t tag;
! 1283: int ref;
! 1284: };
! 1285:
! 1286: #define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */
! 1287: #define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */
! 1288: #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */
! 1289: #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */
! 1290:
! 1291: #define PFR_KTABLE_HIWAT 1000 /* Number of tables */
! 1292: #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */
! 1293: #define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */
! 1294:
! 1295: /*
! 1296: * ioctl parameter structures
! 1297: */
! 1298:
! 1299: struct pfioc_pooladdr {
! 1300: u_int32_t action;
! 1301: u_int32_t ticket;
! 1302: u_int32_t nr;
! 1303: u_int32_t r_num;
! 1304: u_int8_t r_action;
! 1305: u_int8_t r_last;
! 1306: u_int8_t af;
! 1307: char anchor[MAXPATHLEN];
! 1308: struct pf_pooladdr addr;
! 1309: };
! 1310:
! 1311: struct pfioc_rule {
! 1312: u_int32_t action;
! 1313: u_int32_t ticket;
! 1314: u_int32_t pool_ticket;
! 1315: u_int32_t nr;
! 1316: char anchor[MAXPATHLEN];
! 1317: char anchor_call[MAXPATHLEN];
! 1318: struct pf_rule rule;
! 1319: };
! 1320:
! 1321: struct pfioc_natlook {
! 1322: struct pf_addr saddr;
! 1323: struct pf_addr daddr;
! 1324: struct pf_addr rsaddr;
! 1325: struct pf_addr rdaddr;
! 1326: u_int16_t sport;
! 1327: u_int16_t dport;
! 1328: u_int16_t rsport;
! 1329: u_int16_t rdport;
! 1330: sa_family_t af;
! 1331: u_int8_t proto;
! 1332: u_int8_t direction;
! 1333: };
! 1334:
! 1335: struct pfioc_state {
! 1336: u_int32_t nr;
! 1337: void *state;
! 1338: };
! 1339:
! 1340: struct pfioc_src_node_kill {
! 1341: /* XXX returns the number of src nodes killed in psnk_af */
! 1342: sa_family_t psnk_af;
! 1343: struct pf_rule_addr psnk_src;
! 1344: struct pf_rule_addr psnk_dst;
! 1345: };
! 1346:
! 1347: struct pfioc_state_kill {
! 1348: /* XXX returns the number of states killed in psk_af */
! 1349: sa_family_t psk_af;
! 1350: int psk_proto;
! 1351: struct pf_rule_addr psk_src;
! 1352: struct pf_rule_addr psk_dst;
! 1353: char psk_ifname[IFNAMSIZ];
! 1354: };
! 1355:
! 1356: struct pfioc_states {
! 1357: int ps_len;
! 1358: union {
! 1359: caddr_t psu_buf;
! 1360: struct pfsync_state *psu_states;
! 1361: } ps_u;
! 1362: #define ps_buf ps_u.psu_buf
! 1363: #define ps_states ps_u.psu_states
! 1364: };
! 1365:
! 1366: struct pfioc_src_nodes {
! 1367: int psn_len;
! 1368: union {
! 1369: caddr_t psu_buf;
! 1370: struct pf_src_node *psu_src_nodes;
! 1371: } psn_u;
! 1372: #define psn_buf psn_u.psu_buf
! 1373: #define psn_src_nodes psn_u.psu_src_nodes
! 1374: };
! 1375:
! 1376: struct pfioc_if {
! 1377: char ifname[IFNAMSIZ];
! 1378: };
! 1379:
! 1380: struct pfioc_tm {
! 1381: int timeout;
! 1382: int seconds;
! 1383: };
! 1384:
! 1385: struct pfioc_limit {
! 1386: int index;
! 1387: unsigned limit;
! 1388: };
! 1389:
! 1390: struct pfioc_altq {
! 1391: u_int32_t action;
! 1392: u_int32_t ticket;
! 1393: u_int32_t nr;
! 1394: struct pf_altq altq;
! 1395: };
! 1396:
! 1397: struct pfioc_qstats {
! 1398: u_int32_t ticket;
! 1399: u_int32_t nr;
! 1400: void *buf;
! 1401: int nbytes;
! 1402: u_int8_t scheduler;
! 1403: };
! 1404:
! 1405: struct pfioc_ruleset {
! 1406: u_int32_t nr;
! 1407: char path[MAXPATHLEN];
! 1408: char name[PF_ANCHOR_NAME_SIZE];
! 1409: };
! 1410:
! 1411: #define PF_RULESET_ALTQ (PF_RULESET_MAX)
! 1412: #define PF_RULESET_TABLE (PF_RULESET_MAX+1)
! 1413: struct pfioc_trans {
! 1414: int size; /* number of elements */
! 1415: int esize; /* size of each element in bytes */
! 1416: struct pfioc_trans_e {
! 1417: int rs_num;
! 1418: char anchor[MAXPATHLEN];
! 1419: u_int32_t ticket;
! 1420: } *array;
! 1421: };
! 1422:
! 1423: #define PFR_FLAG_ATOMIC 0x00000001
! 1424: #define PFR_FLAG_DUMMY 0x00000002
! 1425: #define PFR_FLAG_FEEDBACK 0x00000004
! 1426: #define PFR_FLAG_CLSTATS 0x00000008
! 1427: #define PFR_FLAG_ADDRSTOO 0x00000010
! 1428: #define PFR_FLAG_REPLACE 0x00000020
! 1429: #define PFR_FLAG_ALLRSETS 0x00000040
! 1430: #define PFR_FLAG_ALLMASK 0x0000007F
! 1431: #ifdef _KERNEL
! 1432: #define PFR_FLAG_USERIOCTL 0x10000000
! 1433: #endif
! 1434:
! 1435: struct pfioc_table {
! 1436: struct pfr_table pfrio_table;
! 1437: void *pfrio_buffer;
! 1438: int pfrio_esize;
! 1439: int pfrio_size;
! 1440: int pfrio_size2;
! 1441: int pfrio_nadd;
! 1442: int pfrio_ndel;
! 1443: int pfrio_nchange;
! 1444: int pfrio_flags;
! 1445: u_int32_t pfrio_ticket;
! 1446: };
! 1447: #define pfrio_exists pfrio_nadd
! 1448: #define pfrio_nzero pfrio_nadd
! 1449: #define pfrio_nmatch pfrio_nadd
! 1450: #define pfrio_naddr pfrio_size2
! 1451: #define pfrio_setflag pfrio_size2
! 1452: #define pfrio_clrflag pfrio_nadd
! 1453:
! 1454: struct pfioc_iface {
! 1455: char pfiio_name[IFNAMSIZ];
! 1456: void *pfiio_buffer;
! 1457: int pfiio_esize;
! 1458: int pfiio_size;
! 1459: int pfiio_nzero;
! 1460: int pfiio_flags;
! 1461: };
! 1462:
! 1463:
! 1464: /*
! 1465: * ioctl operations
! 1466: */
! 1467:
! 1468: #define DIOCSTART _IO ('D', 1)
! 1469: #define DIOCSTOP _IO ('D', 2)
! 1470: #define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule)
! 1471: #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule)
! 1472: #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule)
! 1473: /* XXX cut 8 - 17 */
! 1474: #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
! 1475: #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state)
! 1476: #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
! 1477: #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status)
! 1478: #define DIOCCLRSTATUS _IO ('D', 22)
! 1479: #define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook)
! 1480: #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t)
! 1481: #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states)
! 1482: #define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
! 1483: /* XXX cut 26 - 28 */
! 1484: #define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm)
! 1485: #define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm)
! 1486: #define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state)
! 1487: #define DIOCCLRRULECTRS _IO ('D', 38)
! 1488: #define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit)
! 1489: #define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit)
! 1490: #define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill)
! 1491: #define DIOCSTARTALTQ _IO ('D', 42)
! 1492: #define DIOCSTOPALTQ _IO ('D', 43)
! 1493: #define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq)
! 1494: #define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq)
! 1495: #define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq)
! 1496: #define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq)
! 1497: #define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats)
! 1498: #define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr)
! 1499: #define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr)
! 1500: #define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr)
! 1501: #define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr)
! 1502: #define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr)
! 1503: /* XXX cut 55 - 57 */
! 1504: #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
! 1505: #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset)
! 1506: #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table)
! 1507: #define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table)
! 1508: #define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table)
! 1509: #define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table)
! 1510: #define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table)
! 1511: #define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table)
! 1512: #define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table)
! 1513: #define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table)
! 1514: #define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table)
! 1515: #define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table)
! 1516: #define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table)
! 1517: #define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table)
! 1518: #define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table)
! 1519: #define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table)
! 1520: #define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table)
! 1521: #define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table)
! 1522: #define DIOCOSFPFLUSH _IO('D', 78)
! 1523: #define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl)
! 1524: #define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl)
! 1525: #define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans)
! 1526: #define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans)
! 1527: #define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans)
! 1528: #define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes)
! 1529: #define DIOCCLRSRCNODES _IO('D', 85)
! 1530: #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t)
! 1531: #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
! 1532: #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
! 1533: #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
! 1534: #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
! 1535:
! 1536: #ifdef _KERNEL
! 1537: RB_HEAD(pf_src_tree, pf_src_node);
! 1538: RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
! 1539: extern struct pf_src_tree tree_src_tracking;
! 1540:
! 1541: RB_HEAD(pf_state_tree_id, pf_state);
! 1542: RB_PROTOTYPE(pf_state_tree_id, pf_state,
! 1543: entry_id, pf_state_compare_id);
! 1544: extern struct pf_state_tree_id tree_id;
! 1545: extern struct pf_state_queue state_list;
! 1546:
! 1547: TAILQ_HEAD(pf_poolqueue, pf_pool);
! 1548: extern struct pf_poolqueue pf_pools[2];
! 1549: TAILQ_HEAD(pf_altqqueue, pf_altq);
! 1550: extern struct pf_altqqueue pf_altqs[2];
! 1551: extern struct pf_palist pf_pabuf;
! 1552:
! 1553: extern u_int32_t ticket_altqs_active;
! 1554: extern u_int32_t ticket_altqs_inactive;
! 1555: extern int altqs_inactive_open;
! 1556: extern u_int32_t ticket_pabuf;
! 1557: extern struct pf_altqqueue *pf_altqs_active;
! 1558: extern struct pf_altqqueue *pf_altqs_inactive;
! 1559: extern struct pf_poolqueue *pf_pools_active;
! 1560: extern struct pf_poolqueue *pf_pools_inactive;
! 1561: extern int pf_tbladdr_setup(struct pf_ruleset *,
! 1562: struct pf_addr_wrap *);
! 1563: extern void pf_tbladdr_remove(struct pf_addr_wrap *);
! 1564: extern void pf_tbladdr_copyout(struct pf_addr_wrap *);
! 1565: extern void pf_calc_skip_steps(struct pf_rulequeue *);
! 1566: extern struct pool pf_src_tree_pl, pf_rule_pl;
! 1567: extern struct pool pf_state_pl, pf_state_key_pl, pf_altq_pl,
! 1568: pf_pooladdr_pl;
! 1569: extern struct pool pf_state_scrub_pl;
! 1570: extern void pf_purge_thread(void *);
! 1571: extern void pf_purge_expired_src_nodes(int);
! 1572: extern void pf_purge_expired_states(u_int32_t);
! 1573: extern void pf_unlink_state(struct pf_state *);
! 1574: extern void pf_free_state(struct pf_state *);
! 1575: extern int pf_insert_state(struct pfi_kif *,
! 1576: struct pf_state *);
! 1577: extern int pf_insert_src_node(struct pf_src_node **,
! 1578: struct pf_rule *, struct pf_addr *,
! 1579: sa_family_t);
! 1580: void pf_src_tree_remove_state(struct pf_state *);
! 1581: extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *);
! 1582: extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *,
! 1583: u_int8_t, int *);
! 1584: extern void pf_print_state(struct pf_state *);
! 1585: extern void pf_print_flags(u_int8_t);
! 1586: extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
! 1587: u_int8_t);
! 1588:
! 1589: extern struct ifnet *sync_ifp;
! 1590: extern struct pf_rule pf_default_rule;
! 1591: extern void pf_addrcpy(struct pf_addr *, struct pf_addr *,
! 1592: u_int8_t);
! 1593: void pf_rm_rule(struct pf_rulequeue *,
! 1594: struct pf_rule *);
! 1595:
! 1596: #ifdef INET
! 1597: int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *);
! 1598: #endif /* INET */
! 1599:
! 1600: #ifdef INET6
! 1601: int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *);
! 1602: void pf_poolmask(struct pf_addr *, struct pf_addr*,
! 1603: struct pf_addr *, struct pf_addr *, u_int8_t);
! 1604: void pf_addr_inc(struct pf_addr *, sa_family_t);
! 1605: #endif /* INET6 */
! 1606:
! 1607: void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
! 1608: sa_family_t);
! 1609: void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
! 1610: int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
! 1611: u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
! 1612: struct pf_pdesc *);
! 1613: int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
! 1614: struct pf_addr *, sa_family_t);
! 1615: int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t);
! 1616: int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
! 1617: int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t);
! 1618: int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t);
! 1619:
! 1620: void pf_normalize_init(void);
! 1621: int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
! 1622: struct pf_pdesc *);
! 1623: int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
! 1624: struct pf_pdesc *);
! 1625: int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
! 1626: struct pf_pdesc *);
! 1627: void pf_normalize_tcp_cleanup(struct pf_state *);
! 1628: int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
! 1629: struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
! 1630: int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
! 1631: u_short *, struct tcphdr *, struct pf_state *,
! 1632: struct pf_state_peer *, struct pf_state_peer *, int *);
! 1633: u_int32_t
! 1634: pf_state_expires(const struct pf_state *);
! 1635: void pf_purge_expired_fragments(void);
! 1636: int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
! 1637: int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
! 1638: int pf_socket_lookup(int, struct pf_pdesc *);
! 1639: struct pf_state_key *
! 1640: pf_alloc_state_key(struct pf_state *);
! 1641: void pfr_initialize(void);
! 1642: int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
! 1643: void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
! 1644: u_int64_t, int, int, int);
! 1645: int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *,
! 1646: struct pf_addr **, struct pf_addr **, sa_family_t);
! 1647: void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
! 1648: struct pfr_ktable *
! 1649: pfr_attach_table(struct pf_ruleset *, char *);
! 1650: void pfr_detach_table(struct pfr_ktable *);
! 1651: int pfr_clr_tables(struct pfr_table *, int *, int);
! 1652: int pfr_add_tables(struct pfr_table *, int, int *, int);
! 1653: int pfr_del_tables(struct pfr_table *, int, int *, int);
! 1654: int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int);
! 1655: int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int);
! 1656: int pfr_clr_tstats(struct pfr_table *, int, int *, int);
! 1657: int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
! 1658: int pfr_clr_addrs(struct pfr_table *, int *, int);
! 1659: int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
! 1660: int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
! 1661: int);
! 1662: int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
! 1663: int);
! 1664: int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
! 1665: int *, int *, int *, int, u_int32_t);
! 1666: int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
! 1667: int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
! 1668: int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
! 1669: int);
! 1670: int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
! 1671: int);
! 1672: int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int);
! 1673: int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int);
! 1674: int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int);
! 1675: int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
! 1676: int *, u_int32_t, int);
! 1677:
! 1678: extern struct pfi_kif *pfi_all;
! 1679:
! 1680: void pfi_initialize(void);
! 1681: struct pfi_kif *pfi_kif_get(const char *);
! 1682: void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs);
! 1683: void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs);
! 1684: int pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
! 1685: void pfi_attach_ifnet(struct ifnet *);
! 1686: void pfi_detach_ifnet(struct ifnet *);
! 1687: void pfi_attach_ifgroup(struct ifg_group *);
! 1688: void pfi_detach_ifgroup(struct ifg_group *);
! 1689: void pfi_group_change(const char *);
! 1690: int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
! 1691: sa_family_t);
! 1692: int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
! 1693: void pfi_dynaddr_remove(struct pf_addr_wrap *);
! 1694: void pfi_dynaddr_copyout(struct pf_addr_wrap *);
! 1695: void pfi_fill_oldstatus(struct pf_status *);
! 1696: int pfi_clr_istats(const char *);
! 1697: int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
! 1698: int pfi_set_flags(const char *, int);
! 1699: int pfi_clear_flags(const char *, int);
! 1700:
! 1701: u_int16_t pf_tagname2tag(char *);
! 1702: void pf_tag2tagname(u_int16_t, char *);
! 1703: void pf_tag_ref(u_int16_t);
! 1704: void pf_tag_unref(u_int16_t);
! 1705: int pf_tag_packet(struct mbuf *, int, int);
! 1706: u_int32_t pf_qname2qid(char *);
! 1707: void pf_qid2qname(u_int32_t, char *);
! 1708: void pf_qid_unref(u_int32_t);
! 1709:
! 1710: extern struct pf_status pf_status;
! 1711: extern struct pool pf_frent_pl, pf_frag_pl;
! 1712: extern struct rwlock pf_consistency_lock;
! 1713:
! 1714: struct pf_pool_limit {
! 1715: void *pp;
! 1716: unsigned limit;
! 1717: };
! 1718: extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
! 1719:
! 1720: #endif /* _KERNEL */
! 1721:
! 1722: extern struct pf_anchor_global pf_anchors;
! 1723: extern struct pf_anchor pf_main_anchor;
! 1724: #define pf_main_ruleset pf_main_anchor.ruleset
! 1725:
! 1726: /* these ruleset functions can be linked into userland programs (pfctl) */
! 1727: int pf_get_ruleset_number(u_int8_t);
! 1728: void pf_init_ruleset(struct pf_ruleset *);
! 1729: int pf_anchor_setup(struct pf_rule *,
! 1730: const struct pf_ruleset *, const char *);
! 1731: int pf_anchor_copyout(const struct pf_ruleset *,
! 1732: const struct pf_rule *, struct pfioc_rule *);
! 1733: void pf_anchor_remove(struct pf_rule *);
! 1734: void pf_remove_if_empty_ruleset(struct pf_ruleset *);
! 1735: struct pf_anchor *pf_find_anchor(const char *);
! 1736: struct pf_ruleset *pf_find_ruleset(const char *);
! 1737: struct pf_ruleset *pf_find_or_create_ruleset(const char *);
! 1738: void pf_rs_initialize(void);
! 1739:
! 1740: #ifdef _KERNEL
! 1741: int pf_anchor_copyout(const struct pf_ruleset *,
! 1742: const struct pf_rule *, struct pfioc_rule *);
! 1743: void pf_anchor_remove(struct pf_rule *);
! 1744:
! 1745: #endif /* _KERNEL */
! 1746:
! 1747: /* The fingerprint functions can be linked into userland programs (tcpdump) */
! 1748: int pf_osfp_add(struct pf_osfp_ioctl *);
! 1749: #ifdef _KERNEL
! 1750: struct pf_osfp_enlist *
! 1751: pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int,
! 1752: const struct tcphdr *);
! 1753: #endif /* _KERNEL */
! 1754: struct pf_osfp_enlist *
! 1755: pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *,
! 1756: const struct tcphdr *);
! 1757: void pf_osfp_flush(void);
! 1758: int pf_osfp_get(struct pf_osfp_ioctl *);
! 1759: void pf_osfp_initialize(void);
! 1760: int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
! 1761: struct pf_os_fingerprint *
! 1762: pf_osfp_validate(void);
! 1763:
! 1764:
! 1765: #endif /* _NET_PFVAR_H_ */
CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to pfvar.h CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / sys / net