1 /*-
2 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
3 * All rights reserved.
4 *
5 * This material is based upon work partially supported by The
6 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
20 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 /*
31 * Public NPF interfaces.
32 */
33
34 #ifndef _NPF_NET_H_
35 #define _NPF_NET_H_
36
37 #include <sys/param.h>
38 #include <sys/types.h>
39
40 #define NPF_VERSION 22
41
42 #if defined(_NPF_STANDALONE)
43 #include "npf_stand.h"
44 #else
45 #include <sys/ioctl.h>
46 #include <netinet/in_systm.h>
47 #include <netinet/in.h>
48 #endif
49
50 struct npf;
51 typedef struct npf npf_t;
52
53 /*
54 * Storage of address (both for IPv4 and IPv6) and netmask.
55 */
56 typedef union {
57 uint8_t word8[16];
58 uint16_t word16[8];
59 uint32_t word32[4];
60 } npf_addr_t;
61
/*
 * Netmask, stored as a prefix length (presumably in bits: the maximum
 * of 128 matches a full IPv6 address).
 */
typedef uint8_t npf_netmask_t;

#define NPF_MAX_NETMASK (128)
/*
 * "No netmask" sentinel: all bits set, i.e. 255 as npf_netmask_t.  It
 * cannot collide with a valid prefix length, which is at most 128.
 * NOTE(review): values between 129 and 254 are neither a valid length
 * nor the sentinel; the kernel should reject them when the mask comes
 * from userland (see npf_ioctl_ent_t) -- confirm in the ioctl handler.
 */
#define NPF_NO_NETMASK ((npf_netmask_t)~0)
66
67 /* BPF coprocessor. */
68 #if defined(NPF_BPFCOP)
69 #define NPF_COP_L3 0
70 #define NPF_COP_TABLE 1
71
72 #define BPF_MW_IPVER 0
73 #define BPF_MW_L4OFF 1
74 #define BPF_MW_L4PROTO 2
75 #endif
76 /* The number of words used. */
77 #define NPF_BPF_NWORDS 3
78
79 /*
80 * In-kernel declarations and definitions.
81 */
82
83 #if defined(_KERNEL) || defined(_NPF_STANDALONE)
84
85 #define NPF_DECISION_BLOCK 0
86 #define NPF_DECISION_PASS 1
87
88 #define NPF_EXT_MODULE(name, req) \
89 MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")
90
91 #include <net/if.h>
92 #include <netinet/ip.h>
93 #include <netinet/ip6.h>
94 #include <netinet/tcp.h>
95 #include <netinet/udp.h>
96 #include <netinet/ip_icmp.h>
97 #include <netinet/icmp6.h>
98
99 /*
100 * Network buffer interface.
101 */
102
103 #define NBUF_DATAREF_RESET 0x01
104
105 struct mbuf;
106 struct nbuf;
107 typedef struct nbuf nbuf_t;
108
109 void nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *);
110 void nbuf_reset(nbuf_t *);
111 struct mbuf * nbuf_head_mbuf(nbuf_t *);
112
113 bool nbuf_flag_p(const nbuf_t *, int);
114 void nbuf_unset_flag(nbuf_t *, int);
115
116 void * nbuf_dataptr(nbuf_t *);
117 size_t nbuf_offset(const nbuf_t *);
118 void * nbuf_advance(nbuf_t *, size_t, size_t);
119
120 void * nbuf_ensure_contig(nbuf_t *, size_t);
121 void * nbuf_ensure_writable(nbuf_t *, size_t);
122
123 bool nbuf_cksum_barrier(nbuf_t *, int);
124 int nbuf_add_tag(nbuf_t *, uint32_t);
125 int npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
126 int nbuf_find_tag(nbuf_t *, uint32_t *);
127
128 /*
129 * Packet information cache.
130 */
131
132 #define NPC_IP4 0x01 /* Indicates IPv4 header. */
133 #define NPC_IP6 0x02 /* Indicates IPv6 header. */
134 #define NPC_IPFRAG 0x04 /* IPv4/IPv6 fragment. */
135 #define NPC_LAYER4 0x08 /* Layer 4 has been fetched. */
136
137 #define NPC_TCP 0x10 /* TCP header. */
138 #define NPC_UDP 0x20 /* UDP header. */
139 #define NPC_ICMP 0x40 /* ICMP header. */
140 #define NPC_ICMP_ID 0x80 /* ICMP with query ID. */
141
142 #define NPC_ALG_EXEC 0x100 /* ALG execution. */
143
144 #define NPC_FMTERR 0x200 /* Format error. */
145
146 #define NPC_IP46 (NPC_IP4|NPC_IP6)
147
148 struct npf_connkey;
149
/*
 * Packet information cache: per-packet state shared between the
 * inspection stages.  Only the fields flagged in npc_info have been
 * filled in (see npf_iscached()).
 */
typedef struct {
	/* NPF context, information flags and the nbuf. */
	npf_t * npc_ctx;
	uint32_t npc_info;	/* Bitmask of NPC_* flags. */
	nbuf_t * npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Presumably indexed with NPF_SRC (0) and NPF_DST (1).
	 */
	npf_addr_t * npc_ips[2];
	uint8_t npc_alen;

	/* IP header length and L4 protocol. */
	uint32_t npc_hlen;
	uint16_t npc_proto;

	/* IPv4, IPv6.  The valid member presumably follows NPC_IP4/NPC_IP6. */
	union {
		struct ip * v4;
		struct ip6_hdr * v6;
	} npc_ip;

	/*
	 * TCP, UDP, ICMP or other protocols.  The active member is
	 * presumably selected by NPC_TCP/NPC_UDP/NPC_ICMP in npc_info;
	 * 'hdr' is the untyped view of the same pointer.
	 */
	union {
		struct tcphdr * tcp;
		struct udphdr * udp;
		struct icmp * icmp;
		struct icmp6_hdr * icmp6;
		void * hdr;
	} npc_l4;

	/*
	 * Override the connection key, if not NULL. This affects the
	 * behaviour of npf_conn_lookup() and npf_conn_establish().
	 * Note: npc_ckey is of npf_connkey_t type.
	 */
	const void * npc_ckey;
} npf_cache_t;
189
/*
 * npf_iscached: test whether any of the NPC_* flag(s) in 'inf' have
 * been cached in npc->npc_info for this packet.  The cache must have an
 * nbuf attached (asserted); the hit path is the expected one.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	uint32_t hit;

	KASSERT(npc->npc_nbuf != NULL);
	hit = npc->npc_info & inf;
	return __predict_true(hit != 0);
}
196
197 /*
198 * Misc.
199 */
200
201 bool npf_autounload_p(void);
202
203 #endif /* _KERNEL */
204
205 #define NPF_SRC 0
206 #define NPF_DST 1
207
/* Rule attributes. */
#define NPF_RULE_PASS 0x00000001
#define NPF_RULE_GROUP 0x00000002
#define NPF_RULE_FINAL 0x00000004
#define NPF_RULE_STATEFUL 0x00000008
#define NPF_RULE_RETRST 0x00000010
#define NPF_RULE_RETICMP 0x00000020
#define NPF_RULE_DYNAMIC 0x00000040
#define NPF_RULE_GSTATEFUL 0x00000080

/* Group and dynamic attributes combined. */
#define NPF_DYNAMIC_GROUP (NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

/* Direction bits; NPF_RULE_DIMASK isolates the direction. */
#define NPF_RULE_IN 0x10000000
#define NPF_RULE_OUT 0x20000000
#define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT)
#define NPF_RULE_FORW 0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * NOTE(review): this header only reserves the range; attributes that
 * arrive from userland should have these bits rejected or cleared by the
 * kernel before a rule is installed -- confirm where attributes are
 * validated.
 */
#define NPF_RULE_PRIVMASK 0x0f000000

/* Length limits for rule names and keys (presumably copy-in bounds). */
#define NPF_RULE_MAXNAMELEN 64
#define NPF_RULE_MAXKEYLEN 32
230
231 /* Priority values. */
232 #define NPF_PRI_FIRST (-2)
233 #define NPF_PRI_LAST (-1)
234
235 /* Types of code. */
236 #define NPF_CODE_BPF 1
237
238 /* Address translation types and flags. */
239 #define NPF_NATIN 1
240 #define NPF_NATOUT 2
241
242 #define NPF_NAT_PORTS 0x01
243 #define NPF_NAT_PORTMAP 0x02
244 #define NPF_NAT_STATIC 0x04
245
246 #define NPF_NAT_PRIVMASK 0x0f000000
247
248 #define NPF_ALGO_NONE 0
249 #define NPF_ALGO_NETMAP 1
250 #define NPF_ALGO_IPHASH 2
251 #define NPF_ALGO_RR 3
252 #define NPF_ALGO_NPT66 4
253
254 /* Table types. */
255 #define NPF_TABLE_IPSET 1
256 #define NPF_TABLE_LPM 2
257 #define NPF_TABLE_CONST 3
258 #define NPF_TABLE_IFADDR 4
259
260 #define NPF_TABLE_MAXNAMELEN 32
261
262 /* Layers. */
263 #define NPF_LAYER_2 2
264 #define NPF_LAYER_3 3
265
266 /*
267 * Flags passed via nbuf tags.
268 */
269 #define NPF_NTAG_PASS 0x0001
270
271 /*
272 * Rule commands (non-ioctl).
273 */
274
275 #define NPF_CMD_RULE_ADD 1
276 #define NPF_CMD_RULE_INSERT 2
277 #define NPF_CMD_RULE_REMOVE 3
278 #define NPF_CMD_RULE_REMKEY 4
279 #define NPF_CMD_RULE_LIST 5
280 #define NPF_CMD_RULE_FLUSH 6
281
282 /*
283 * NPF ioctl(2): table commands and structures.
284 */
285
286 #define NPF_CMD_TABLE_LOOKUP 1
287 #define NPF_CMD_TABLE_ADD 2
288 #define NPF_CMD_TABLE_REMOVE 3
289 #define NPF_CMD_TABLE_LIST 4
290 #define NPF_CMD_TABLE_FLUSH 5
291
/*
 * Single table entry carried in npf_ioctl_table_t (presumably for the
 * LOOKUP/ADD/REMOVE commands).
 * NOTE(review): this is supplied by userland, so the kernel must validate
 * alen (4 or 16, matching npf_addr_t) and mask (<= NPF_MAX_NETMASK or
 * NPF_NO_NETMASK) before indexing into the address -- confirm in the
 * IOC_NPF_TABLE handler.
 */
typedef struct npf_ioctl_ent {
	int alen;		/* Address length in bytes. */
	npf_addr_t addr;	/* IPv4 or IPv6 address. */
	npf_netmask_t mask;	/* Prefix length or NPF_NO_NETMASK. */
} npf_ioctl_ent_t;
297
/*
 * Caller-supplied buffer carried in npf_ioctl_table_t (presumably for
 * NPF_CMD_TABLE_LIST).
 * NOTE(review): buf is a user-space pointer once it crosses the ioctl
 * boundary; the kernel must not dereference it directly and must bound
 * every copy by len -- confirm in the IOC_NPF_TABLE handler.
 */
typedef struct npf_ioctl_buf {
	void * buf;	/* User buffer. */
	size_t len;	/* Size of buf in bytes. */
} npf_ioctl_buf_t;
302
/*
 * Argument of IOC_NPF_TABLE.  nct_cmd is one of NPF_CMD_TABLE_* and
 * determines which nct_data member is meaningful.
 * NOTE(review): nct_name is a user-space string; the kernel should copy
 * it in with a bounded copy (NPF_TABLE_MAXNAMELEN) and never assume it
 * is NUL-terminated -- confirm in the handler.
 */
typedef struct npf_ioctl_table {
	int nct_cmd;		/* NPF_CMD_TABLE_* command. */
	const char * nct_name;	/* Table name (user pointer). */
	union {
		npf_ioctl_ent_t ent;
		npf_ioctl_buf_t buf;
	} nct_data;
} npf_ioctl_table_t;
311
312 /*
313 * IOCTL operations.
314 */
315
316 #define IOC_NPF_VERSION _IOR('N', 100, int)
317 #define IOC_NPF_SWITCH _IOW('N', 101, int)
318 #define IOC_NPF_LOAD _IOWR('N', 102, nvlist_ref_t)
319 #define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table)
320 #define IOC_NPF_STATS _IOW('N', 104, void *)
321 #define IOC_NPF_SAVE _IOR('N', 105, nvlist_ref_t)
322 #define IOC_NPF_RULE _IOWR('N', 107, nvlist_ref_t)
323 #define IOC_NPF_CONN_LOOKUP _IOWR('N', 108, nvlist_ref_t)
324 #define IOC_NPF_TABLE_REPLACE _IOWR('N', 109, nvlist_ref_t)
325
326 /*
327 * NPF error report.
328 */
329
/*
 * NPF error report.  Ownership of the two strings is not defined by this
 * header -- check the producer before freeing them.
 */
typedef struct {
	int64_t id;		/* Identifier of the failing object (presumably a rule/entity id). */
	char * error_msg;	/* Human-readable description. */
	char * source_file;	/* Configuration source location, if any. */
	unsigned source_line;
} npf_error_t;
336
337 /*
338 * Statistics counters.
339 */
340
/*
 * Statistics counters.  Each value indexes a uint64_t slot in a buffer
 * of NPF_STATS_SIZE bytes, so NPF_STATS_COUNT must stay last and new
 * counters must be appended before it.
 * NOTE(review): the numbering is presumably visible to userland through
 * IOC_NPF_STATS; inserting in the middle renumbers existing counters.
 */
typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Size in bytes of the counter array exchanged with userland. */
#define NPF_STATS_SIZE (sizeof(uint64_t) * NPF_STATS_COUNT)
376
377 #endif /* _NPF_NET_H_ */
378