Annotation of sys/net/pfvar.h, Revision 1.1.1.1
1.1 nbrk 1: /* $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */
2:
3: /*
4: * Copyright (c) 2001 Daniel Hartmeier
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: *
11: * - Redistributions of source code must retain the above copyright
12: * notice, this list of conditions and the following disclaimer.
13: * - Redistributions in binary form must reproduce the above
14: * copyright notice, this list of conditions and the following
15: * disclaimer in the documentation and/or other materials provided
16: * with the distribution.
17: *
18: * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19: * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20: * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21: * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22: * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23: * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24: * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25: * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26: * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28: * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29: * POSSIBILITY OF SUCH DAMAGE.
30: *
31: */
32:
33: #ifndef _NET_PFVAR_H_
34: #define _NET_PFVAR_H_
35:
36: #include <sys/param.h>
37: #include <sys/types.h>
38: #include <sys/queue.h>
39: #include <sys/tree.h>
40: #include <sys/rwlock.h>
41:
42: #include <net/radix.h>
43: #include <net/route.h>
44: #include <netinet/ip_ipsp.h>
45: #include <netinet/tcp_fsm.h>
46:
47: struct ip;
48: struct ip6_hdr;
49:
50: #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
51: #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
52:
53: #define PF_MD5_DIGEST_LENGTH 16
54: #ifdef MD5_DIGEST_LENGTH
55: #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
56: #error
57: #endif
58: #endif
59:
60: enum { PF_INOUT, PF_IN, PF_OUT };
61: enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
62: enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
63: PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
64: enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
65: PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
66: enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
67: PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
68: enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
69: enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
70: PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
71: PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
72: enum { PF_GET_NONE, PF_GET_CLR_CNTR };
73:
74: /*
75: * Note about PFTM_*: real indices into pf_rule.timeout[] come before
76: * PFTM_MAX, special cases afterwards. See pf_state_expires().
77: */
78: enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
79: PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
80: PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
81: PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
82: PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
83: PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
84: PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
85: PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
86: PFTM_UNTIL_PACKET };
87:
88: /* PFTM default values */
89: #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
90: #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
91: #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
92: #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
93: #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
94: #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
95: #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
96: #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
97: #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
98: #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
99: #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
100: #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
101: #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
102: #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
103: #define PFTM_FRAG_VAL 30 /* Fragment expire */
104: #define PFTM_INTERVAL_VAL 10 /* Expire interval */
105: #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
106: #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
107:
108: enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
109: enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
110: PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
111: #define PF_POOL_IDMASK 0x0f
112: enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
113: PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
114: enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
115: PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED };
116: #define PF_POOL_TYPEMASK 0x0f
117: #define PF_POOL_STICKYADDR 0x20
118: #define PF_WSCALE_FLAG 0x80
119: #define PF_WSCALE_MASK 0x0f
120:
121: #define PF_LOG 0x01
122: #define PF_LOG_ALL 0x02
123: #define PF_LOG_SOCKET_LOOKUP 0x04
124:
125: struct pf_addr {
126: union {
127: struct in_addr v4;
128: struct in6_addr v6;
129: u_int8_t addr8[16];
130: u_int16_t addr16[8];
131: u_int32_t addr32[4];
132: } pfa; /* 128-bit address */
133: #define v4 pfa.v4
134: #define v6 pfa.v6
135: #define addr8 pfa.addr8
136: #define addr16 pfa.addr16
137: #define addr32 pfa.addr32
138: };
139:
140: #define PF_TABLE_NAME_SIZE 32
141:
142: #define PFI_AFLAG_NETWORK 0x01
143: #define PFI_AFLAG_BROADCAST 0x02
144: #define PFI_AFLAG_PEER 0x04
145: #define PFI_AFLAG_MODEMASK 0x07
146: #define PFI_AFLAG_NOALIAS 0x08
147:
148: struct pf_addr_wrap {
149: union {
150: struct {
151: struct pf_addr addr;
152: struct pf_addr mask;
153: } a;
154: char ifname[IFNAMSIZ];
155: char tblname[PF_TABLE_NAME_SIZE];
156: char rtlabelname[RTLABEL_LEN];
157: u_int32_t rtlabel;
158: } v;
159: union {
160: struct pfi_dynaddr *dyn;
161: struct pfr_ktable *tbl;
162: int dyncnt;
163: int tblcnt;
164: } p;
165: u_int8_t type; /* PF_ADDR_* */
166: u_int8_t iflags; /* PFI_AFLAG_* */
167: };
168:
169: #ifdef _KERNEL
170:
171: struct pfi_dynaddr {
172: TAILQ_ENTRY(pfi_dynaddr) entry;
173: struct pf_addr pfid_addr4;
174: struct pf_addr pfid_mask4;
175: struct pf_addr pfid_addr6;
176: struct pf_addr pfid_mask6;
177: struct pfr_ktable *pfid_kt;
178: struct pfi_kif *pfid_kif;
179: void *pfid_hook_cookie;
180: int pfid_net; /* mask or 128 */
181: int pfid_acnt4; /* address count IPv4 */
182: int pfid_acnt6; /* address count IPv6 */
183: sa_family_t pfid_af; /* rule af */
184: u_int8_t pfid_iflags; /* PFI_AFLAG_* */
185: };
186:
187: /*
188: * Address manipulation macros
189: */
190:
191: #ifdef INET
192: #ifndef INET6
193: #define PF_INET_ONLY
194: #endif /* ! INET6 */
195: #endif /* INET */
196:
197: #ifdef INET6
198: #ifndef INET
199: #define PF_INET6_ONLY
200: #endif /* ! INET */
201: #endif /* INET6 */
202:
203: #ifdef INET
204: #ifdef INET6
205: #define PF_INET_INET6
206: #endif /* INET6 */
207: #endif /* INET */
208:
209: #else
210:
211: #define PF_INET_INET6
212:
213: #endif /* _KERNEL */
214:
215: /* Both IPv4 and IPv6 */
216: #ifdef PF_INET_INET6
217:
218: #define PF_AEQ(a, b, c) \
219: ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
220: ((a)->addr32[3] == (b)->addr32[3] && \
221: (a)->addr32[2] == (b)->addr32[2] && \
222: (a)->addr32[1] == (b)->addr32[1] && \
223: (a)->addr32[0] == (b)->addr32[0])) \
224:
225: #define PF_ANEQ(a, b, c) \
226: ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
227: ((a)->addr32[3] != (b)->addr32[3] || \
228: (a)->addr32[2] != (b)->addr32[2] || \
229: (a)->addr32[1] != (b)->addr32[1] || \
230: (a)->addr32[0] != (b)->addr32[0])) \
231:
232: #define PF_AZERO(a, c) \
233: ((c == AF_INET && !(a)->addr32[0]) || \
234: (!(a)->addr32[0] && !(a)->addr32[1] && \
235: !(a)->addr32[2] && !(a)->addr32[3] )) \
236:
237: #define PF_MATCHA(n, a, m, b, f) \
238: pf_match_addr(n, a, m, b, f)
239:
240: #define PF_ACPY(a, b, f) \
241: pf_addrcpy(a, b, f)
242:
243: #define PF_AINC(a, f) \
244: pf_addr_inc(a, f)
245:
246: #define PF_POOLMASK(a, b, c, d, f) \
247: pf_poolmask(a, b, c, d, f)
248:
249: #else
250:
251: /* Just IPv6 */
252:
253: #ifdef PF_INET6_ONLY
254:
255: #define PF_AEQ(a, b, c) \
256: ((a)->addr32[3] == (b)->addr32[3] && \
257: (a)->addr32[2] == (b)->addr32[2] && \
258: (a)->addr32[1] == (b)->addr32[1] && \
259: (a)->addr32[0] == (b)->addr32[0]) \
260:
261: #define PF_ANEQ(a, b, c) \
262: ((a)->addr32[3] != (b)->addr32[3] || \
263: (a)->addr32[2] != (b)->addr32[2] || \
264: (a)->addr32[1] != (b)->addr32[1] || \
265: (a)->addr32[0] != (b)->addr32[0]) \
266:
267: #define PF_AZERO(a, c) \
268: (!(a)->addr32[0] && \
269: !(a)->addr32[1] && \
270: !(a)->addr32[2] && \
271: !(a)->addr32[3] ) \
272:
273: #define PF_MATCHA(n, a, m, b, f) \
274: pf_match_addr(n, a, m, b, f)
275:
276: #define PF_ACPY(a, b, f) \
277: pf_addrcpy(a, b, f)
278:
279: #define PF_AINC(a, f) \
280: pf_addr_inc(a, f)
281:
282: #define PF_POOLMASK(a, b, c, d, f) \
283: pf_poolmask(a, b, c, d, f)
284:
285: #else
286:
287: /* Just IPv4 */
288: #ifdef PF_INET_ONLY
289:
290: #define PF_AEQ(a, b, c) \
291: ((a)->addr32[0] == (b)->addr32[0])
292:
293: #define PF_ANEQ(a, b, c) \
294: ((a)->addr32[0] != (b)->addr32[0])
295:
296: #define PF_AZERO(a, c) \
297: (!(a)->addr32[0])
298:
299: #define PF_MATCHA(n, a, m, b, f) \
300: pf_match_addr(n, a, m, b, f)
301:
302: #define PF_ACPY(a, b, f) \
303: (a)->v4.s_addr = (b)->v4.s_addr
304:
305: #define PF_AINC(a, f) \
306: do { \
307: (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
308: } while (0)
309:
310: #define PF_POOLMASK(a, b, c, d, f) \
311: do { \
312: (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
313: (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
314: } while (0)
315:
316: #endif /* PF_INET_ONLY */
317: #endif /* PF_INET6_ONLY */
318: #endif /* PF_INET_INET6 */
319:
320: #define PF_MISMATCHAW(aw, x, af, neg, ifp) \
321: ( \
322: (((aw)->type == PF_ADDR_NOROUTE && \
323: pf_routable((x), (af), NULL)) || \
324: (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \
325: pf_routable((x), (af), (ifp))) || \
326: ((aw)->type == PF_ADDR_RTLABEL && \
327: !pf_rtlabel_match((x), (af), (aw))) || \
328: ((aw)->type == PF_ADDR_TABLE && \
329: !pfr_match_addr((aw)->p.tbl, (x), (af))) || \
330: ((aw)->type == PF_ADDR_DYNIFTL && \
331: !pfi_match_addr((aw)->p.dyn, (x), (af))) || \
332: ((aw)->type == PF_ADDR_ADDRMASK && \
333: !PF_AZERO(&(aw)->v.a.mask, (af)) && \
334: !PF_MATCHA(0, &(aw)->v.a.addr, \
335: &(aw)->v.a.mask, (x), (af))))) != \
336: (neg) \
337: )
338:
339:
340: struct pf_rule_uid {
341: uid_t uid[2];
342: u_int8_t op;
343: };
344:
345: struct pf_rule_gid {
346: uid_t gid[2];
347: u_int8_t op;
348: };
349:
350: struct pf_rule_addr {
351: struct pf_addr_wrap addr;
352: u_int16_t port[2];
353: u_int8_t neg;
354: u_int8_t port_op;
355: };
356:
357: struct pf_pooladdr {
358: struct pf_addr_wrap addr;
359: TAILQ_ENTRY(pf_pooladdr) entries;
360: char ifname[IFNAMSIZ];
361: struct pfi_kif *kif;
362: };
363:
364: TAILQ_HEAD(pf_palist, pf_pooladdr);
365:
366: struct pf_poolhashkey {
367: union {
368: u_int8_t key8[16];
369: u_int16_t key16[8];
370: u_int32_t key32[4];
371: } pfk; /* 128-bit hash key */
372: #define key8 pfk.key8
373: #define key16 pfk.key16
374: #define key32 pfk.key32
375: };
376:
377: struct pf_pool {
378: struct pf_palist list;
379: struct pf_pooladdr *cur;
380: struct pf_poolhashkey key;
381: struct pf_addr counter;
382: int tblidx;
383: u_int16_t proxy_port[2];
384: u_int8_t port_op;
385: u_int8_t opts;
386: };
387:
388:
389: /* A packed Operating System description for fingerprinting */
390: typedef u_int32_t pf_osfp_t;
391: #define PF_OSFP_ANY ((pf_osfp_t)0)
392: #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
393: #define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
394:
395: struct pf_osfp_entry {
396: SLIST_ENTRY(pf_osfp_entry) fp_entry;
397: pf_osfp_t fp_os;
398: int fp_enflags;
399: #define PF_OSFP_EXPANDED 0x001 /* expanded entry */
400: #define PF_OSFP_GENERIC 0x002 /* generic signature */
401: #define PF_OSFP_NODETAIL 0x004 /* no p0f details */
402: #define PF_OSFP_LEN 32
403: char fp_class_nm[PF_OSFP_LEN];
404: char fp_version_nm[PF_OSFP_LEN];
405: char fp_subtype_nm[PF_OSFP_LEN];
406: };
407: #define PF_OSFP_ENTRY_EQ(a, b) \
408: ((a)->fp_os == (b)->fp_os && \
409: memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
410: memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
411: memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
412:
413: /* handle pf_osfp_t packing */
414: #define _FP_RESERVED_BIT 1 /* For the special negative #defines */
415: #define _FP_UNUSED_BITS 1
416: #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */
417: #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
418: #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */
419: #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
420: (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
421: ((1 << _FP_CLASS_BITS) - 1); \
422: (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
423: ((1 << _FP_VERSION_BITS) - 1);\
424: (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
425: } while(0)
426: #define PF_OSFP_PACK(osfp, class, version, subtype) do { \
427: (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
428: + _FP_SUBTYPE_BITS); \
429: (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
430: _FP_SUBTYPE_BITS; \
431: (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
432: } while(0)
433:
434: /* the fingerprint of an OSes TCP SYN packet */
435: typedef u_int64_t pf_tcpopts_t;
436: struct pf_os_fingerprint {
437: SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
438: pf_tcpopts_t fp_tcpopts; /* packed TCP options */
439: u_int16_t fp_wsize; /* TCP window size */
440: u_int16_t fp_psize; /* ip->ip_len */
441: u_int16_t fp_mss; /* TCP MSS */
442: u_int16_t fp_flags;
443: #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */
444: #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */
445: #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */
446: #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */
447: #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */
448: #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */
449: #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */
450: #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */
451: #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */
452: #define PF_OSFP_MSS 0x0200 /* TCP MSS */
453: #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */
454: #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */
455: #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */
456: #define PF_OSFP_TS0 0x2000 /* Zero timestamp */
457: #define PF_OSFP_INET6 0x4000 /* IPv6 */
458: u_int8_t fp_optcnt; /* TCP option count */
459: u_int8_t fp_wscale; /* TCP window scaling */
460: u_int8_t fp_ttl; /* IPv4 TTL */
461: #define PF_OSFP_MAXTTL_OFFSET 40
462: /* TCP options packing */
463: #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */
464: #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */
465: #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */
466: #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */
467: #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */
468: #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */
469: #define PF_OSFP_MAX_OPTS \
470: (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
471: / PF_OSFP_TCPOPT_BITS
472:
473: SLIST_ENTRY(pf_os_fingerprint) fp_next;
474: };
475:
476: struct pf_osfp_ioctl {
477: struct pf_osfp_entry fp_os;
478: pf_tcpopts_t fp_tcpopts; /* packed TCP options */
479: u_int16_t fp_wsize; /* TCP window size */
480: u_int16_t fp_psize; /* ip->ip_len */
481: u_int16_t fp_mss; /* TCP MSS */
482: u_int16_t fp_flags;
483: u_int8_t fp_optcnt; /* TCP option count */
484: u_int8_t fp_wscale; /* TCP window scaling */
485: u_int8_t fp_ttl; /* IPv4 TTL */
486:
487: int fp_getnum; /* DIOCOSFPGET number */
488: };
489:
490:
491: union pf_rule_ptr {
492: struct pf_rule *ptr;
493: u_int32_t nr;
494: };
495:
496: #define PF_ANCHOR_NAME_SIZE 64
497:
498: struct pf_rule {
499: struct pf_rule_addr src;
500: struct pf_rule_addr dst;
501: #define PF_SKIP_IFP 0
502: #define PF_SKIP_DIR 1
503: #define PF_SKIP_AF 2
504: #define PF_SKIP_PROTO 3
505: #define PF_SKIP_SRC_ADDR 4
506: #define PF_SKIP_SRC_PORT 5
507: #define PF_SKIP_DST_ADDR 6
508: #define PF_SKIP_DST_PORT 7
509: #define PF_SKIP_COUNT 8
510: union pf_rule_ptr skip[PF_SKIP_COUNT];
511: #define PF_RULE_LABEL_SIZE 64
512: char label[PF_RULE_LABEL_SIZE];
513: #define PF_QNAME_SIZE 64
514: char ifname[IFNAMSIZ];
515: char qname[PF_QNAME_SIZE];
516: char pqname[PF_QNAME_SIZE];
517: #define PF_TAG_NAME_SIZE 64
518: char tagname[PF_TAG_NAME_SIZE];
519: char match_tagname[PF_TAG_NAME_SIZE];
520:
521: char overload_tblname[PF_TABLE_NAME_SIZE];
522:
523: TAILQ_ENTRY(pf_rule) entries;
524: struct pf_pool rpool;
525:
526: u_int64_t evaluations;
527: u_int64_t packets[2];
528: u_int64_t bytes[2];
529:
530: struct pfi_kif *kif;
531: struct pf_anchor *anchor;
532: struct pfr_ktable *overload_tbl;
533:
534: pf_osfp_t os_fingerprint;
535:
536: int rtableid;
537: u_int32_t timeout[PFTM_MAX];
538: u_int32_t states;
539: u_int32_t max_states;
540: u_int32_t src_nodes;
541: u_int32_t max_src_nodes;
542: u_int32_t max_src_states;
543: u_int32_t max_src_conn;
544: struct {
545: u_int32_t limit;
546: u_int32_t seconds;
547: } max_src_conn_rate;
548: u_int32_t qid;
549: u_int32_t pqid;
550: u_int32_t rt_listid;
551: u_int32_t nr;
552: u_int32_t prob;
553: uid_t cuid;
554: pid_t cpid;
555:
556: u_int16_t return_icmp;
557: u_int16_t return_icmp6;
558: u_int16_t max_mss;
559: u_int16_t tag;
560: u_int16_t match_tag;
561:
562: struct pf_rule_uid uid;
563: struct pf_rule_gid gid;
564:
565: u_int32_t rule_flag;
566: u_int8_t action;
567: u_int8_t direction;
568: u_int8_t log;
569: u_int8_t logif;
570: u_int8_t quick;
571: u_int8_t ifnot;
572: u_int8_t match_tag_not;
573: u_int8_t natpass;
574:
575: #define PF_STATE_NORMAL 0x1
576: #define PF_STATE_MODULATE 0x2
577: #define PF_STATE_SYNPROXY 0x3
578: u_int8_t keep_state;
579: sa_family_t af;
580: u_int8_t proto;
581: u_int8_t type;
582: u_int8_t code;
583: u_int8_t flags;
584: u_int8_t flagset;
585: u_int8_t min_ttl;
586: u_int8_t allow_opts;
587: u_int8_t rt;
588: u_int8_t return_ttl;
589: u_int8_t tos;
590: u_int8_t anchor_relative;
591: u_int8_t anchor_wildcard;
592:
593: #define PF_FLUSH 0x01
594: #define PF_FLUSH_GLOBAL 0x02
595: u_int8_t flush;
596: };
597:
598: /* rule flags */
599: #define PFRULE_DROP 0x0000
600: #define PFRULE_RETURNRST 0x0001
601: #define PFRULE_FRAGMENT 0x0002
602: #define PFRULE_RETURNICMP 0x0004
603: #define PFRULE_RETURN 0x0008
604: #define PFRULE_NOSYNC 0x0010
605: #define PFRULE_SRCTRACK 0x0020 /* track source states */
606: #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
607:
608: /* scrub flags */
609: #define PFRULE_NODF 0x0100
610: #define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */
611: #define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */
612: #define PFRULE_RANDOMID 0x0800
613: #define PFRULE_REASSEMBLE_TCP 0x1000
614:
615: /* rule flags again */
616: #define PFRULE_IFBOUND 0x00010000 /* if-bound */
617:
618: #define PFSTATE_HIWAT 10000 /* default state table size */
619: #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */
620: #define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */
621:
622:
623: struct pf_threshold {
624: u_int32_t limit;
625: #define PF_THRESHOLD_MULT 1000
626: #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
627: u_int32_t seconds;
628: u_int32_t count;
629: u_int32_t last;
630: };
631:
632: struct pf_src_node {
633: RB_ENTRY(pf_src_node) entry;
634: struct pf_addr addr;
635: struct pf_addr raddr;
636: union pf_rule_ptr rule;
637: struct pfi_kif *kif;
638: u_int64_t bytes[2];
639: u_int64_t packets[2];
640: u_int32_t states;
641: u_int32_t conn;
642: struct pf_threshold conn_rate;
643: u_int32_t creation;
644: u_int32_t expire;
645: sa_family_t af;
646: u_int8_t ruletype;
647: };
648:
649: #define PFSNODE_HIWAT 10000 /* default source node table size */
650:
651: struct pf_state_scrub {
652: struct timeval pfss_last; /* time received last packet */
653: u_int32_t pfss_tsecr; /* last echoed timestamp */
654: u_int32_t pfss_tsval; /* largest timestamp */
655: u_int32_t pfss_tsval0; /* original timestamp */
656: u_int16_t pfss_flags;
657: #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */
658: #define PFSS_PAWS 0x0010 /* stricter PAWS checks */
659: #define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */
660: #define PFSS_DATA_TS 0x0040 /* timestamp on data packets */
661: #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */
662: u_int8_t pfss_ttl; /* stashed TTL */
663: u_int8_t pad;
664: u_int32_t pfss_ts_mod; /* timestamp modulation */
665: };
666:
667: struct pf_state_host {
668: struct pf_addr addr;
669: u_int16_t port;
670: u_int16_t pad;
671: };
672:
673: struct pf_state_peer {
674: u_int32_t seqlo; /* Max sequence number sent */
675: u_int32_t seqhi; /* Max the other end ACKd + win */
676: u_int32_t seqdiff; /* Sequence number modulator */
677: u_int16_t max_win; /* largest window (pre scaling) */
678: u_int8_t state; /* active state level */
679: u_int8_t wscale; /* window scaling factor */
680: u_int16_t mss; /* Maximum segment size option */
681: u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */
682: struct pf_state_scrub *scrub; /* state is scrubbed */
683: u_int8_t pad[3];
684: };
685:
686: TAILQ_HEAD(pf_state_queue, pf_state);
687:
688: /* keep synced with struct pf_state_key, used in RB_FIND */
689: struct pf_state_key_cmp {
690: struct pf_state_host lan;
691: struct pf_state_host gwy;
692: struct pf_state_host ext;
693: sa_family_t af;
694: u_int8_t proto;
695: u_int8_t direction;
696: u_int8_t pad;
697: };
698:
699: TAILQ_HEAD(pf_statelist, pf_state);
700:
701: struct pf_state_key {
702: struct pf_state_host lan;
703: struct pf_state_host gwy;
704: struct pf_state_host ext;
705: sa_family_t af;
706: u_int8_t proto;
707: u_int8_t direction;
708: u_int8_t pad;
709:
710: RB_ENTRY(pf_state_key) entry_lan_ext;
711: RB_ENTRY(pf_state_key) entry_ext_gwy;
712: struct pf_statelist states;
713: u_short refcnt; /* same size as if_index */
714: };
715:
716:
717: /* keep synced with struct pf_state, used in RB_FIND */
718: struct pf_state_cmp {
719: u_int64_t id;
720: u_int32_t creatorid;
721: u_int32_t pad;
722: };
723:
724: struct pf_state {
725: u_int64_t id;
726: u_int32_t creatorid;
727: u_int32_t pad;
728:
729: TAILQ_ENTRY(pf_state) entry_list;
730: TAILQ_ENTRY(pf_state) next;
731: RB_ENTRY(pf_state) entry_id;
732: struct pf_state_peer src;
733: struct pf_state_peer dst;
734: union pf_rule_ptr rule;
735: union pf_rule_ptr anchor;
736: union pf_rule_ptr nat_rule;
737: struct pf_addr rt_addr;
738: struct pf_state_key *state_key;
739: struct pfi_kif *kif;
740: struct pfi_kif *rt_kif;
741: struct pf_src_node *src_node;
742: struct pf_src_node *nat_src_node;
743: u_int64_t packets[2];
744: u_int64_t bytes[2];
745: u_int32_t creation;
746: u_int32_t expire;
747: u_int32_t pfsync_time;
748: u_int16_t tag;
749: u_int8_t log;
750: u_int8_t allow_opts;
751: u_int8_t timeout;
752: u_int8_t sync_flags;
753: #define PFSTATE_NOSYNC 0x01
754: #define PFSTATE_FROMSYNC 0x02
755: #define PFSTATE_STALE 0x04
756: };
757:
758: /*
759: * Unified state structures for pulling states out of the kernel
760: * used by pfsync(4) and the pf(4) ioctl.
761: */
762: struct pfsync_state_scrub {
763: u_int16_t pfss_flags;
764: u_int8_t pfss_ttl; /* stashed TTL */
765: #define PFSYNC_SCRUB_FLAG_VALID 0x01
766: u_int8_t scrub_flag;
767: u_int32_t pfss_ts_mod; /* timestamp modulation */
768: } __packed;
769:
770: struct pfsync_state_host {
771: struct pf_addr addr;
772: u_int16_t port;
773: u_int16_t pad[3];
774: } __packed;
775:
776: struct pfsync_state_peer {
777: struct pfsync_state_scrub scrub; /* state is scrubbed */
778: u_int32_t seqlo; /* Max sequence number sent */
779: u_int32_t seqhi; /* Max the other end ACKd + win */
780: u_int32_t seqdiff; /* Sequence number modulator */
781: u_int16_t max_win; /* largest window (pre scaling) */
782: u_int16_t mss; /* Maximum segment size option */
783: u_int8_t state; /* active state level */
784: u_int8_t wscale; /* window scaling factor */
785: u_int8_t pad[6];
786: } __packed;
787:
788: struct pfsync_state {
789: u_int32_t id[2];
790: char ifname[IFNAMSIZ];
791: struct pfsync_state_host lan;
792: struct pfsync_state_host gwy;
793: struct pfsync_state_host ext;
794: struct pfsync_state_peer src;
795: struct pfsync_state_peer dst;
796: struct pf_addr rt_addr;
797: u_int32_t rule;
798: u_int32_t anchor;
799: u_int32_t nat_rule;
800: u_int32_t creation;
801: u_int32_t expire;
802: u_int32_t packets[2][2];
803: u_int32_t bytes[2][2];
804: u_int32_t creatorid;
805: sa_family_t af;
806: u_int8_t proto;
807: u_int8_t direction;
808: u_int8_t log;
809: u_int8_t allow_opts;
810: u_int8_t timeout;
811: u_int8_t sync_flags;
812: u_int8_t updates;
813: } __packed;
814:
815: #define PFSYNC_FLAG_COMPRESS 0x01
816: #define PFSYNC_FLAG_STALE 0x02
817: #define PFSYNC_FLAG_SRCNODE 0x04
818: #define PFSYNC_FLAG_NATSRCNODE 0x08
819:
820: /* for copies to/from userland via pf_ioctl() */
821: #define pf_state_peer_to_pfsync(s,d) do { \
822: (d)->seqlo = (s)->seqlo; \
823: (d)->seqhi = (s)->seqhi; \
824: (d)->seqdiff = (s)->seqdiff; \
825: (d)->max_win = (s)->max_win; \
826: (d)->mss = (s)->mss; \
827: (d)->state = (s)->state; \
828: (d)->wscale = (s)->wscale; \
829: if ((s)->scrub) { \
830: (d)->scrub.pfss_flags = \
831: (s)->scrub->pfss_flags & PFSS_TIMESTAMP; \
832: (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
833: (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod; \
834: (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
835: } \
836: } while (0)
837:
838: #define pf_state_peer_from_pfsync(s,d) do { \
839: (d)->seqlo = (s)->seqlo; \
840: (d)->seqhi = (s)->seqhi; \
841: (d)->seqdiff = (s)->seqdiff; \
842: (d)->max_win = (s)->max_win; \
843: (d)->mss = ntohs((s)->mss); \
844: (d)->state = (s)->state; \
845: (d)->wscale = (s)->wscale; \
846: if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
847: (d)->scrub != NULL) { \
848: (d)->scrub->pfss_flags = \
849: ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
850: (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
851: (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod; \
852: } \
853: } while (0)
854:
855: #define pf_state_counter_to_pfsync(s,d) do { \
856: d[0] = (s>>32)&0xffffffff; \
857: d[1] = s&0xffffffff; \
858: } while (0)
859:
860: #define pf_state_counter_from_pfsync(s) \
861: (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
862:
863:
864:
865: TAILQ_HEAD(pf_rulequeue, pf_rule);
866:
867: struct pf_anchor;
868:
869: struct pf_ruleset {
870: struct {
871: struct pf_rulequeue queues[2];
872: struct {
873: struct pf_rulequeue *ptr;
874: struct pf_rule **ptr_array;
875: u_int32_t rcount;
876: u_int32_t ticket;
877: int open;
878: } active, inactive;
879: } rules[PF_RULESET_MAX];
880: struct pf_anchor *anchor;
881: u_int32_t tticket;
882: int tables;
883: int topen;
884: };
885:
886: RB_HEAD(pf_anchor_global, pf_anchor);
887: RB_HEAD(pf_anchor_node, pf_anchor);
888: struct pf_anchor {
889: RB_ENTRY(pf_anchor) entry_global;
890: RB_ENTRY(pf_anchor) entry_node;
891: struct pf_anchor *parent;
892: struct pf_anchor_node children;
893: char name[PF_ANCHOR_NAME_SIZE];
894: char path[MAXPATHLEN];
895: struct pf_ruleset ruleset;
896: int refcnt; /* anchor rules */
897: int match;
898: };
899: RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
900: RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
901:
902: #define PF_RESERVED_ANCHOR "_pf"
903:
904: #define PFR_TFLAG_PERSIST 0x00000001
905: #define PFR_TFLAG_CONST 0x00000002
906: #define PFR_TFLAG_ACTIVE 0x00000004
907: #define PFR_TFLAG_INACTIVE 0x00000008
908: #define PFR_TFLAG_REFERENCED 0x00000010
909: #define PFR_TFLAG_REFDANCHOR 0x00000020
910: #define PFR_TFLAG_USRMASK 0x00000003
911: #define PFR_TFLAG_SETMASK 0x0000003C
912: #define PFR_TFLAG_ALLMASK 0x0000003F
913:
914: struct pfr_table {
915: char pfrt_anchor[MAXPATHLEN];
916: char pfrt_name[PF_TABLE_NAME_SIZE];
917: u_int32_t pfrt_flags;
918: u_int8_t pfrt_fback;
919: };
920:
921: enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
922: PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
923: PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX };
924:
925: struct pfr_addr {
926: union {
927: struct in_addr _pfra_ip4addr;
928: struct in6_addr _pfra_ip6addr;
929: } pfra_u;
930: u_int8_t pfra_af;
931: u_int8_t pfra_net;
932: u_int8_t pfra_not;
933: u_int8_t pfra_fback;
934: };
935: #define pfra_ip4addr pfra_u._pfra_ip4addr
936: #define pfra_ip6addr pfra_u._pfra_ip6addr
937:
938: enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
939: enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
940: #define PFR_OP_XPASS PFR_OP_ADDR_MAX
941:
942: struct pfr_astats {
943: struct pfr_addr pfras_a;
944: u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
945: u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
946: long pfras_tzero;
947: };
948:
949: enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
950:
951: struct pfr_tstats {
952: struct pfr_table pfrts_t;
953: u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
954: u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
955: u_int64_t pfrts_match;
956: u_int64_t pfrts_nomatch;
957: long pfrts_tzero;
958: int pfrts_cnt;
959: int pfrts_refcnt[PFR_REFCNT_MAX];
960: };
961: #define pfrts_name pfrts_t.pfrt_name
962: #define pfrts_flags pfrts_t.pfrt_flags
963:
964: SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
965: struct pfr_kentry {
966: struct radix_node pfrke_node[2];
967: union sockaddr_union pfrke_sa;
968: u_int64_t pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
969: u_int64_t pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
970: SLIST_ENTRY(pfr_kentry) pfrke_workq;
971: long pfrke_tzero;
972: u_int8_t pfrke_af;
973: u_int8_t pfrke_net;
974: u_int8_t pfrke_not;
975: u_int8_t pfrke_mark;
976: u_int8_t pfrke_intrpool;
977: };
978:
979: SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
980: RB_HEAD(pfr_ktablehead, pfr_ktable);
981: struct pfr_ktable {
982: struct pfr_tstats pfrkt_ts;
983: RB_ENTRY(pfr_ktable) pfrkt_tree;
984: SLIST_ENTRY(pfr_ktable) pfrkt_workq;
985: struct radix_node_head *pfrkt_ip4;
986: struct radix_node_head *pfrkt_ip6;
987: struct pfr_ktable *pfrkt_shadow;
988: struct pfr_ktable *pfrkt_root;
989: struct pf_ruleset *pfrkt_rs;
990: long pfrkt_larg;
991: int pfrkt_nflags;
992: };
993: #define pfrkt_t pfrkt_ts.pfrts_t
994: #define pfrkt_name pfrkt_t.pfrt_name
995: #define pfrkt_anchor pfrkt_t.pfrt_anchor
996: #define pfrkt_ruleset pfrkt_t.pfrt_ruleset
997: #define pfrkt_flags pfrkt_t.pfrt_flags
998: #define pfrkt_cnt pfrkt_ts.pfrts_cnt
999: #define pfrkt_refcnt pfrkt_ts.pfrts_refcnt
1000: #define pfrkt_packets pfrkt_ts.pfrts_packets
1001: #define pfrkt_bytes pfrkt_ts.pfrts_bytes
1002: #define pfrkt_match pfrkt_ts.pfrts_match
1003: #define pfrkt_nomatch pfrkt_ts.pfrts_nomatch
1004: #define pfrkt_tzero pfrkt_ts.pfrts_tzero
1005:
1006: RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
1007: RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key,
1008: entry_lan_ext, pf_state_compare_lan_ext);
1009:
1010: RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
1011: RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
1012: entry_ext_gwy, pf_state_compare_ext_gwy);
1013:
1014: RB_HEAD(pfi_ifhead, pfi_kif);
1015:
1016: /* state tables */
1017: extern struct pf_state_tree_lan_ext pf_statetbl_lan_ext;
1018: extern struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy;
1019:
1020: /* keep synced with pfi_kif, used in RB_FIND */
1021: struct pfi_kif_cmp {
1022: char pfik_name[IFNAMSIZ];
1023: };
1024:
1025: struct pfi_kif {
1026: char pfik_name[IFNAMSIZ];
1027: RB_ENTRY(pfi_kif) pfik_tree;
1028: u_int64_t pfik_packets[2][2][2];
1029: u_int64_t pfik_bytes[2][2][2];
1030: u_int32_t pfik_tzero;
1031: int pfik_flags;
1032: void *pfik_ah_cookie;
1033: struct ifnet *pfik_ifp;
1034: struct ifg_group *pfik_group;
1035: int pfik_states;
1036: int pfik_rules;
1037: TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
1038: };
1039:
1040: enum pfi_kif_refs {
1041: PFI_KIF_REF_NONE,
1042: PFI_KIF_REF_STATE,
1043: PFI_KIF_REF_RULE
1044: };
1045:
1046: #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
1047:
1048: struct pf_pdesc {
1049: struct {
1050: int done;
1051: uid_t uid;
1052: gid_t gid;
1053: pid_t pid;
1054: } lookup;
1055: u_int64_t tot_len; /* Make Mickey money */
1056: union {
1057: struct tcphdr *tcp;
1058: struct udphdr *udp;
1059: struct icmp *icmp;
1060: #ifdef INET6
1061: struct icmp6_hdr *icmp6;
1062: #endif /* INET6 */
1063: void *any;
1064: } hdr;
1065: struct pf_addr baddr; /* address before translation */
1066: struct pf_addr naddr; /* address after translation */
1067: struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */
1068: struct pf_addr *src;
1069: struct pf_addr *dst;
1070: struct ether_header
1071: *eh;
1072: u_int16_t *ip_sum;
1073: u_int32_t p_len; /* total length of payload */
1074: u_int16_t flags; /* Let SCRUB trigger behavior in
1075: * state code. Easier than tags */
1076: #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */
1077: #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */
1078: sa_family_t af;
1079: u_int8_t proto;
1080: u_int8_t tos;
1081: };
1082:
1083: /* flags for RDR options */
1084: #define PF_DPORT_RANGE 0x01 /* Dest port uses range */
1085: #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
1086:
1087: /* Reasons code for passing/dropping a packet */
1088: #define PFRES_MATCH 0 /* Explicit match of a rule */
1089: #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
1090: #define PFRES_FRAG 2 /* Dropping following fragment */
1091: #define PFRES_SHORT 3 /* Dropping short packet */
1092: #define PFRES_NORM 4 /* Dropping by normalizer */
1093: #define PFRES_MEMORY 5 /* Dropped due to lacking mem */
1094: #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
1095: #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
1096: #define PFRES_IPOPTIONS 8 /* IP option */
1097: #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
1098: #define PFRES_BADSTATE 10 /* State mismatch */
1099: #define PFRES_STATEINS 11 /* State insertion failure */
1100: #define PFRES_MAXSTATES 12 /* State limit */
1101: #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
1102: #define PFRES_SYNPROXY 14 /* SYN proxy */
1103: #define PFRES_MAX 15 /* total+1 */
1104:
1105: #define PFRES_NAMES { \
1106: "match", \
1107: "bad-offset", \
1108: "fragment", \
1109: "short", \
1110: "normalize", \
1111: "memory", \
1112: "bad-timestamp", \
1113: "congestion", \
1114: "ip-option", \
1115: "proto-cksum", \
1116: "state-mismatch", \
1117: "state-insert", \
1118: "state-limit", \
1119: "src-limit", \
1120: "synproxy", \
1121: NULL \
1122: }
1123:
1124: /* Counters for other things we want to keep track of */
1125: #define LCNT_STATES 0 /* states */
1126: #define LCNT_SRCSTATES 1 /* max-src-states */
1127: #define LCNT_SRCNODES 2 /* max-src-nodes */
1128: #define LCNT_SRCCONN 3 /* max-src-conn */
1129: #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
1130: #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
1131: #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
1132: #define LCNT_MAX 7 /* total+1 */
1133:
1134: #define LCNT_NAMES { \
1135: "max states per rule", \
1136: "max-src-states", \
1137: "max-src-nodes", \
1138: "max-src-conn", \
1139: "max-src-conn-rate", \
1140: "overload table insertion", \
1141: "overload flush states", \
1142: NULL \
1143: }
1144:
1145: /* UDP state enumeration */
1146: #define PFUDPS_NO_TRAFFIC 0
1147: #define PFUDPS_SINGLE 1
1148: #define PFUDPS_MULTIPLE 2
1149:
1150: #define PFUDPS_NSTATES 3 /* number of state levels */
1151:
1152: #define PFUDPS_NAMES { \
1153: "NO_TRAFFIC", \
1154: "SINGLE", \
1155: "MULTIPLE", \
1156: NULL \
1157: }
1158:
1159: /* Other protocol state enumeration */
1160: #define PFOTHERS_NO_TRAFFIC 0
1161: #define PFOTHERS_SINGLE 1
1162: #define PFOTHERS_MULTIPLE 2
1163:
1164: #define PFOTHERS_NSTATES 3 /* number of state levels */
1165:
1166: #define PFOTHERS_NAMES { \
1167: "NO_TRAFFIC", \
1168: "SINGLE", \
1169: "MULTIPLE", \
1170: NULL \
1171: }
1172:
1173: #define FCNT_STATE_SEARCH 0
1174: #define FCNT_STATE_INSERT 1
1175: #define FCNT_STATE_REMOVALS 2
1176: #define FCNT_MAX 3
1177:
1178: #define SCNT_SRC_NODE_SEARCH 0
1179: #define SCNT_SRC_NODE_INSERT 1
1180: #define SCNT_SRC_NODE_REMOVALS 2
1181: #define SCNT_MAX 3
1182:
1183: #define ACTION_SET(a, x) \
1184: do { \
1185: if ((a) != NULL) \
1186: *(a) = (x); \
1187: } while (0)
1188:
1189: #define REASON_SET(a, x) \
1190: do { \
1191: if ((a) != NULL) \
1192: *(a) = (x); \
1193: if (x < PFRES_MAX) \
1194: pf_status.counters[x]++; \
1195: } while (0)
1196:
1197: struct pf_status {
1198: u_int64_t counters[PFRES_MAX];
1199: u_int64_t lcounters[LCNT_MAX]; /* limit counters */
1200: u_int64_t fcounters[FCNT_MAX];
1201: u_int64_t scounters[SCNT_MAX];
1202: u_int64_t pcounters[2][2][3];
1203: u_int64_t bcounters[2][2];
1204: u_int64_t stateid;
1205: u_int32_t running;
1206: u_int32_t states;
1207: u_int32_t src_nodes;
1208: u_int32_t since;
1209: u_int32_t debug;
1210: u_int32_t hostid;
1211: char ifname[IFNAMSIZ];
1212: u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
1213: };
1214:
1215: struct cbq_opts {
1216: u_int minburst;
1217: u_int maxburst;
1218: u_int pktsize;
1219: u_int maxpktsize;
1220: u_int ns_per_byte;
1221: u_int maxidle;
1222: int minidle;
1223: u_int offtime;
1224: int flags;
1225: };
1226:
1227: struct priq_opts {
1228: int flags;
1229: };
1230:
1231: struct hfsc_opts {
1232: /* real-time service curve */
1233: u_int rtsc_m1; /* slope of the 1st segment in bps */
1234: u_int rtsc_d; /* the x-projection of m1 in msec */
1235: u_int rtsc_m2; /* slope of the 2nd segment in bps */
1236: /* link-sharing service curve */
1237: u_int lssc_m1;
1238: u_int lssc_d;
1239: u_int lssc_m2;
1240: /* upper-limit service curve */
1241: u_int ulsc_m1;
1242: u_int ulsc_d;
1243: u_int ulsc_m2;
1244: int flags;
1245: };
1246:
1247: struct pf_altq {
1248: char ifname[IFNAMSIZ];
1249:
1250: void *altq_disc; /* discipline-specific state */
1251: TAILQ_ENTRY(pf_altq) entries;
1252:
1253: /* scheduler spec */
1254: u_int8_t scheduler; /* scheduler type */
1255: u_int16_t tbrsize; /* tokenbucket regulator size */
1256: u_int32_t ifbandwidth; /* interface bandwidth */
1257:
1258: /* queue spec */
1259: char qname[PF_QNAME_SIZE]; /* queue name */
1260: char parent[PF_QNAME_SIZE]; /* parent name */
1261: u_int32_t parent_qid; /* parent queue id */
1262: u_int32_t bandwidth; /* queue bandwidth */
1263: u_int8_t priority; /* priority */
1264: u_int16_t qlimit; /* queue size limit */
1265: u_int16_t flags; /* misc flags */
1266: union {
1267: struct cbq_opts cbq_opts;
1268: struct priq_opts priq_opts;
1269: struct hfsc_opts hfsc_opts;
1270: } pq_u;
1271:
1272: u_int32_t qid; /* return value */
1273: };
1274:
1275: struct pf_tag {
1276: u_int16_t tag; /* tag id */
1277: };
1278:
1279: struct pf_tagname {
1280: TAILQ_ENTRY(pf_tagname) entries;
1281: char name[PF_TAG_NAME_SIZE];
1282: u_int16_t tag;
1283: int ref;
1284: };
1285:
1286: #define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */
1287: #define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */
1288: #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */
1289: #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */
1290:
1291: #define PFR_KTABLE_HIWAT 1000 /* Number of tables */
1292: #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */
1293: #define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */
1294:
1295: /*
1296: * ioctl parameter structures
1297: */
1298:
1299: struct pfioc_pooladdr {
1300: u_int32_t action;
1301: u_int32_t ticket;
1302: u_int32_t nr;
1303: u_int32_t r_num;
1304: u_int8_t r_action;
1305: u_int8_t r_last;
1306: u_int8_t af;
1307: char anchor[MAXPATHLEN];
1308: struct pf_pooladdr addr;
1309: };
1310:
1311: struct pfioc_rule {
1312: u_int32_t action;
1313: u_int32_t ticket;
1314: u_int32_t pool_ticket;
1315: u_int32_t nr;
1316: char anchor[MAXPATHLEN];
1317: char anchor_call[MAXPATHLEN];
1318: struct pf_rule rule;
1319: };
1320:
1321: struct pfioc_natlook {
1322: struct pf_addr saddr;
1323: struct pf_addr daddr;
1324: struct pf_addr rsaddr;
1325: struct pf_addr rdaddr;
1326: u_int16_t sport;
1327: u_int16_t dport;
1328: u_int16_t rsport;
1329: u_int16_t rdport;
1330: sa_family_t af;
1331: u_int8_t proto;
1332: u_int8_t direction;
1333: };
1334:
1335: struct pfioc_state {
1336: u_int32_t nr;
1337: void *state;
1338: };
1339:
1340: struct pfioc_src_node_kill {
1341: /* XXX returns the number of src nodes killed in psnk_af */
1342: sa_family_t psnk_af;
1343: struct pf_rule_addr psnk_src;
1344: struct pf_rule_addr psnk_dst;
1345: };
1346:
1347: struct pfioc_state_kill {
1348: /* XXX returns the number of states killed in psk_af */
1349: sa_family_t psk_af;
1350: int psk_proto;
1351: struct pf_rule_addr psk_src;
1352: struct pf_rule_addr psk_dst;
1353: char psk_ifname[IFNAMSIZ];
1354: };
1355:
1356: struct pfioc_states {
1357: int ps_len;
1358: union {
1359: caddr_t psu_buf;
1360: struct pfsync_state *psu_states;
1361: } ps_u;
1362: #define ps_buf ps_u.psu_buf
1363: #define ps_states ps_u.psu_states
1364: };
1365:
1366: struct pfioc_src_nodes {
1367: int psn_len;
1368: union {
1369: caddr_t psu_buf;
1370: struct pf_src_node *psu_src_nodes;
1371: } psn_u;
1372: #define psn_buf psn_u.psu_buf
1373: #define psn_src_nodes psn_u.psu_src_nodes
1374: };
1375:
1376: struct pfioc_if {
1377: char ifname[IFNAMSIZ];
1378: };
1379:
1380: struct pfioc_tm {
1381: int timeout;
1382: int seconds;
1383: };
1384:
1385: struct pfioc_limit {
1386: int index;
1387: unsigned limit;
1388: };
1389:
1390: struct pfioc_altq {
1391: u_int32_t action;
1392: u_int32_t ticket;
1393: u_int32_t nr;
1394: struct pf_altq altq;
1395: };
1396:
1397: struct pfioc_qstats {
1398: u_int32_t ticket;
1399: u_int32_t nr;
1400: void *buf;
1401: int nbytes;
1402: u_int8_t scheduler;
1403: };
1404:
1405: struct pfioc_ruleset {
1406: u_int32_t nr;
1407: char path[MAXPATHLEN];
1408: char name[PF_ANCHOR_NAME_SIZE];
1409: };
1410:
1411: #define PF_RULESET_ALTQ (PF_RULESET_MAX)
1412: #define PF_RULESET_TABLE (PF_RULESET_MAX+1)
1413: struct pfioc_trans {
1414: int size; /* number of elements */
1415: int esize; /* size of each element in bytes */
1416: struct pfioc_trans_e {
1417: int rs_num;
1418: char anchor[MAXPATHLEN];
1419: u_int32_t ticket;
1420: } *array;
1421: };
1422:
1423: #define PFR_FLAG_ATOMIC 0x00000001
1424: #define PFR_FLAG_DUMMY 0x00000002
1425: #define PFR_FLAG_FEEDBACK 0x00000004
1426: #define PFR_FLAG_CLSTATS 0x00000008
1427: #define PFR_FLAG_ADDRSTOO 0x00000010
1428: #define PFR_FLAG_REPLACE 0x00000020
1429: #define PFR_FLAG_ALLRSETS 0x00000040
1430: #define PFR_FLAG_ALLMASK 0x0000007F
1431: #ifdef _KERNEL
1432: #define PFR_FLAG_USERIOCTL 0x10000000
1433: #endif
1434:
1435: struct pfioc_table {
1436: struct pfr_table pfrio_table;
1437: void *pfrio_buffer;
1438: int pfrio_esize;
1439: int pfrio_size;
1440: int pfrio_size2;
1441: int pfrio_nadd;
1442: int pfrio_ndel;
1443: int pfrio_nchange;
1444: int pfrio_flags;
1445: u_int32_t pfrio_ticket;
1446: };
1447: #define pfrio_exists pfrio_nadd
1448: #define pfrio_nzero pfrio_nadd
1449: #define pfrio_nmatch pfrio_nadd
1450: #define pfrio_naddr pfrio_size2
1451: #define pfrio_setflag pfrio_size2
1452: #define pfrio_clrflag pfrio_nadd
1453:
1454: struct pfioc_iface {
1455: char pfiio_name[IFNAMSIZ];
1456: void *pfiio_buffer;
1457: int pfiio_esize;
1458: int pfiio_size;
1459: int pfiio_nzero;
1460: int pfiio_flags;
1461: };
1462:
1463:
1464: /*
1465: * ioctl operations
1466: */
1467:
1468: #define DIOCSTART _IO ('D', 1)
1469: #define DIOCSTOP _IO ('D', 2)
1470: #define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule)
1471: #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule)
1472: #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule)
1473: /* XXX cut 8 - 17 */
1474: #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
1475: #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state)
1476: #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
1477: #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status)
1478: #define DIOCCLRSTATUS _IO ('D', 22)
1479: #define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook)
1480: #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t)
1481: #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states)
1482: #define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
1483: /* XXX cut 26 - 28 */
1484: #define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm)
1485: #define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm)
1486: #define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state)
1487: #define DIOCCLRRULECTRS _IO ('D', 38)
1488: #define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit)
1489: #define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit)
1490: #define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill)
1491: #define DIOCSTARTALTQ _IO ('D', 42)
1492: #define DIOCSTOPALTQ _IO ('D', 43)
1493: #define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq)
1494: #define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq)
1495: #define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq)
1496: #define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq)
1497: #define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats)
1498: #define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr)
1499: #define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr)
1500: #define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr)
1501: #define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr)
1502: #define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr)
1503: /* XXX cut 55 - 57 */
1504: #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
1505: #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset)
1506: #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table)
1507: #define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table)
1508: #define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table)
1509: #define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table)
1510: #define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table)
1511: #define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table)
1512: #define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table)
1513: #define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table)
1514: #define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table)
1515: #define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table)
1516: #define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table)
1517: #define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table)
1518: #define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table)
1519: #define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table)
1520: #define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table)
1521: #define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table)
1522: #define DIOCOSFPFLUSH _IO('D', 78)
1523: #define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl)
1524: #define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl)
1525: #define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans)
1526: #define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans)
1527: #define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans)
1528: #define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes)
1529: #define DIOCCLRSRCNODES _IO('D', 85)
1530: #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t)
1531: #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
1532: #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
1533: #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
1534: #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
1535:
1536: #ifdef _KERNEL
1537: RB_HEAD(pf_src_tree, pf_src_node);
1538: RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
1539: extern struct pf_src_tree tree_src_tracking;
1540:
1541: RB_HEAD(pf_state_tree_id, pf_state);
1542: RB_PROTOTYPE(pf_state_tree_id, pf_state,
1543: entry_id, pf_state_compare_id);
1544: extern struct pf_state_tree_id tree_id;
1545: extern struct pf_state_queue state_list;
1546:
1547: TAILQ_HEAD(pf_poolqueue, pf_pool);
1548: extern struct pf_poolqueue pf_pools[2];
1549: TAILQ_HEAD(pf_altqqueue, pf_altq);
1550: extern struct pf_altqqueue pf_altqs[2];
1551: extern struct pf_palist pf_pabuf;
1552:
1553: extern u_int32_t ticket_altqs_active;
1554: extern u_int32_t ticket_altqs_inactive;
1555: extern int altqs_inactive_open;
1556: extern u_int32_t ticket_pabuf;
1557: extern struct pf_altqqueue *pf_altqs_active;
1558: extern struct pf_altqqueue *pf_altqs_inactive;
1559: extern struct pf_poolqueue *pf_pools_active;
1560: extern struct pf_poolqueue *pf_pools_inactive;
1561: extern int pf_tbladdr_setup(struct pf_ruleset *,
1562: struct pf_addr_wrap *);
1563: extern void pf_tbladdr_remove(struct pf_addr_wrap *);
1564: extern void pf_tbladdr_copyout(struct pf_addr_wrap *);
1565: extern void pf_calc_skip_steps(struct pf_rulequeue *);
1566: extern struct pool pf_src_tree_pl, pf_rule_pl;
1567: extern struct pool pf_state_pl, pf_state_key_pl, pf_altq_pl,
1568: pf_pooladdr_pl;
1569: extern struct pool pf_state_scrub_pl;
1570: extern void pf_purge_thread(void *);
1571: extern void pf_purge_expired_src_nodes(int);
1572: extern void pf_purge_expired_states(u_int32_t);
1573: extern void pf_unlink_state(struct pf_state *);
1574: extern void pf_free_state(struct pf_state *);
1575: extern int pf_insert_state(struct pfi_kif *,
1576: struct pf_state *);
1577: extern int pf_insert_src_node(struct pf_src_node **,
1578: struct pf_rule *, struct pf_addr *,
1579: sa_family_t);
1580: void pf_src_tree_remove_state(struct pf_state *);
1581: extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *);
1582: extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *,
1583: u_int8_t, int *);
1584: extern void pf_print_state(struct pf_state *);
1585: extern void pf_print_flags(u_int8_t);
1586: extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
1587: u_int8_t);
1588:
1589: extern struct ifnet *sync_ifp;
1590: extern struct pf_rule pf_default_rule;
1591: extern void pf_addrcpy(struct pf_addr *, struct pf_addr *,
1592: u_int8_t);
1593: void pf_rm_rule(struct pf_rulequeue *,
1594: struct pf_rule *);
1595:
1596: #ifdef INET
1597: int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *);
1598: #endif /* INET */
1599:
1600: #ifdef INET6
1601: int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *);
1602: void pf_poolmask(struct pf_addr *, struct pf_addr*,
1603: struct pf_addr *, struct pf_addr *, u_int8_t);
1604: void pf_addr_inc(struct pf_addr *, sa_family_t);
1605: #endif /* INET6 */
1606:
1607: void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
1608: sa_family_t);
1609: void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
1610: int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
1611: u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
1612: struct pf_pdesc *);
1613: int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
1614: struct pf_addr *, sa_family_t);
1615: int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t);
1616: int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
1617: int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t);
1618: int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t);
1619:
1620: void pf_normalize_init(void);
1621: int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
1622: struct pf_pdesc *);
1623: int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
1624: struct pf_pdesc *);
1625: int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
1626: struct pf_pdesc *);
1627: void pf_normalize_tcp_cleanup(struct pf_state *);
1628: int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
1629: struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
1630: int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
1631: u_short *, struct tcphdr *, struct pf_state *,
1632: struct pf_state_peer *, struct pf_state_peer *, int *);
1633: u_int32_t
1634: pf_state_expires(const struct pf_state *);
1635: void pf_purge_expired_fragments(void);
1636: int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
1637: int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
1638: int pf_socket_lookup(int, struct pf_pdesc *);
1639: struct pf_state_key *
1640: pf_alloc_state_key(struct pf_state *);
1641: void pfr_initialize(void);
1642: int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
1643: void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
1644: u_int64_t, int, int, int);
1645: int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *,
1646: struct pf_addr **, struct pf_addr **, sa_family_t);
1647: void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
1648: struct pfr_ktable *
1649: pfr_attach_table(struct pf_ruleset *, char *);
1650: void pfr_detach_table(struct pfr_ktable *);
1651: int pfr_clr_tables(struct pfr_table *, int *, int);
1652: int pfr_add_tables(struct pfr_table *, int, int *, int);
1653: int pfr_del_tables(struct pfr_table *, int, int *, int);
1654: int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int);
1655: int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int);
1656: int pfr_clr_tstats(struct pfr_table *, int, int *, int);
1657: int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
1658: int pfr_clr_addrs(struct pfr_table *, int *, int);
1659: int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
1660: int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1661: int);
1662: int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1663: int);
1664: int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1665: int *, int *, int *, int, u_int32_t);
1666: int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
1667: int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
1668: int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
1669: int);
1670: int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1671: int);
1672: int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int);
1673: int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int);
1674: int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int);
1675: int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
1676: int *, u_int32_t, int);
1677:
1678: extern struct pfi_kif *pfi_all;
1679:
1680: void pfi_initialize(void);
1681: struct pfi_kif *pfi_kif_get(const char *);
1682: void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs);
1683: void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs);
1684: int pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
1685: void pfi_attach_ifnet(struct ifnet *);
1686: void pfi_detach_ifnet(struct ifnet *);
1687: void pfi_attach_ifgroup(struct ifg_group *);
1688: void pfi_detach_ifgroup(struct ifg_group *);
1689: void pfi_group_change(const char *);
1690: int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
1691: sa_family_t);
1692: int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
1693: void pfi_dynaddr_remove(struct pf_addr_wrap *);
1694: void pfi_dynaddr_copyout(struct pf_addr_wrap *);
1695: void pfi_fill_oldstatus(struct pf_status *);
1696: int pfi_clr_istats(const char *);
1697: int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
1698: int pfi_set_flags(const char *, int);
1699: int pfi_clear_flags(const char *, int);
1700:
1701: u_int16_t pf_tagname2tag(char *);
1702: void pf_tag2tagname(u_int16_t, char *);
1703: void pf_tag_ref(u_int16_t);
1704: void pf_tag_unref(u_int16_t);
1705: int pf_tag_packet(struct mbuf *, int, int);
1706: u_int32_t pf_qname2qid(char *);
1707: void pf_qid2qname(u_int32_t, char *);
1708: void pf_qid_unref(u_int32_t);
1709:
1710: extern struct pf_status pf_status;
1711: extern struct pool pf_frent_pl, pf_frag_pl;
1712: extern struct rwlock pf_consistency_lock;
1713:
1714: struct pf_pool_limit {
1715: void *pp;
1716: unsigned limit;
1717: };
1718: extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX];
1719:
1720: #endif /* _KERNEL */
1721:
1722: extern struct pf_anchor_global pf_anchors;
1723: extern struct pf_anchor pf_main_anchor;
1724: #define pf_main_ruleset pf_main_anchor.ruleset
1725:
1726: /* these ruleset functions can be linked into userland programs (pfctl) */
1727: int pf_get_ruleset_number(u_int8_t);
1728: void pf_init_ruleset(struct pf_ruleset *);
1729: int pf_anchor_setup(struct pf_rule *,
1730: const struct pf_ruleset *, const char *);
1731: int pf_anchor_copyout(const struct pf_ruleset *,
1732: const struct pf_rule *, struct pfioc_rule *);
1733: void pf_anchor_remove(struct pf_rule *);
1734: void pf_remove_if_empty_ruleset(struct pf_ruleset *);
1735: struct pf_anchor *pf_find_anchor(const char *);
1736: struct pf_ruleset *pf_find_ruleset(const char *);
1737: struct pf_ruleset *pf_find_or_create_ruleset(const char *);
1738: void pf_rs_initialize(void);
1739:
1740: #ifdef _KERNEL
1741: int pf_anchor_copyout(const struct pf_ruleset *,
1742: const struct pf_rule *, struct pfioc_rule *);
1743: void pf_anchor_remove(struct pf_rule *);
1744:
1745: #endif /* _KERNEL */
1746:
1747: /* The fingerprint functions can be linked into userland programs (tcpdump) */
1748: int pf_osfp_add(struct pf_osfp_ioctl *);
1749: #ifdef _KERNEL
1750: struct pf_osfp_enlist *
1751: pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int,
1752: const struct tcphdr *);
1753: #endif /* _KERNEL */
1754: struct pf_osfp_enlist *
1755: pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *,
1756: const struct tcphdr *);
1757: void pf_osfp_flush(void);
1758: int pf_osfp_get(struct pf_osfp_ioctl *);
1759: void pf_osfp_initialize(void);
1760: int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
1761: struct pf_os_fingerprint *
1762: pf_osfp_validate(void);
1763:
1764:
1765: #endif /* _NET_PFVAR_H_ */
CVSweb
![[BACK]](/icons/back.gif){kind=icon}
Return to pfvar.h CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / sys / net