1 /*
2  * Copyright (c) 2010-2014 The DragonFly Project.  All rights reserved.
3  * Copyright (c) 2001 Daniel Hartmeier.  All rights reserved.
4  * Originally imported from OpenBSD.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  *    - Redistributions of source code must retain the above copyright
11  *      notice, this list of conditions and the following disclaimer.
12  *    - Redistributions in binary form must reproduce the above
13  *      copyright notice, this list of conditions and the following
14  *      disclaimer in the documentation and/or other materials provided
15  *      with the distribution.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
18  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
19  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
20  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
21  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
23  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
24  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
26  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
27  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
28  * POSSIBILITY OF SUCH DAMAGE.
29  */
30 
31 #ifndef _NET_PFVAR_H_
32 #define _NET_PFVAR_H_
33 
34 #include <sys/param.h>
35 #include <sys/types.h>
36 #include <sys/limits.h>
37 #include <sys/ioccom.h>
38 #include <sys/queue.h>
39 #include <sys/tree.h>
40 #include <sys/lock.h>
41 
42 #include <net/radix.h>
43 #include <net/if_clone.h>
44 #include <netinet/in.h>
45 #include <netinet/in_pcb.h>
46 
47 
48 /*
49  * XXX
50  *  If we include <netipsec/keydb.h>, we need _KERNEL definition.
51  *  This makes pfctl compilation difficult.
52  */
/*
 * Generic socket-address overlay covering the IPv4 and IPv6 forms.
 * Declared here (rather than pulled in from <netipsec/keydb.h>) so that
 * this header stays usable by userland pfctl, per the note above.
 */
union sockaddr_union {
	struct sockaddr		sa;	/* generic view: sa_family / sa_len */
	struct sockaddr_in	sin;	/* AF_INET view */
	struct sockaddr_in6	sin6;	/* AF_INET6 view */
};
58 
59 #include <netinet/tcp_fsm.h>
60 
/* Opaque here; only pointers to these types appear in this header. */
struct ip;
struct ip6_hdr;
struct pf_state;

/* pf serialization tokens; defined in the pf kernel sources, not here. */
extern struct lwkt_token pf_token;
extern struct lwkt_token pf_gtoken;

/*
 * Two pseudo TCP states appended after the real TCP_NSTATES from
 * <netinet/tcp_fsm.h>; presumably the two ends of a SYN proxy
 * (cf. PF_SYNPROXY_DROP below).
 */
#define PF_TCPS_PROXY_SRC	((TCP_NSTATES)+0)
#define PF_TCPS_PROXY_DST	((TCP_NSTATES)+1)
70 
71 
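/*
 * Small compatibility definitions for the OpenBSD-derived code
 * (this file is "originally imported from OpenBSD", see the header).
 */
#define RTLABEL_LEN		32
#define BPF_DIRECTION_OUT	(1<<1)
#define PWAIT			0
#define RT_NUMFIBS		1
#define ALTQ_IS_ENABLED(ifq)	((ifq)->altq_flags & ALTQF_ENABLED)

/*
 * Private copy of the MD5 digest size so this header does not have to
 * include the MD5 header.  When the real MD5_DIGEST_LENGTH is visible the
 * two must agree; fail the build with a readable message instead of the
 * bare "#error" that gives no hint of what went wrong.
 */
#define PF_MD5_DIGEST_LENGTH	16
#ifdef MD5_DIGEST_LENGTH
#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
#error "PF_MD5_DIGEST_LENGTH does not match MD5_DIGEST_LENGTH"
#endif
#endif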
84 
/* Packet direction; PF_INOUT means either direction. */
enum	{ PF_INOUT, PF_IN, PF_OUT };
/* Rule actions.  The PF_NO* forms negate the corresponding translation. */
enum	{ PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
	  PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
/* Ruleset kinds; PF_RULESET_MAX is the count, not a valid ruleset. */
enum	{ PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
	  PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
/*
 * Comparison operators; presumably the value space of the *_op fields in
 * pf_rule_addr / pf_rule_uid / pf_rule_gid below.  The *RG forms are
 * ranges (inclusive, exclusive, ...) -- confirm against pf.c.
 */
enum	{ PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
	  PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
/* Debug verbosity, increasing. */
enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
/* Rule change operations (presumably carried in the change ioctl). */
enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
/* Options for "get" requests: PF_GET_CLR_CNTR presumably clears counters. */
enum	{ PF_GET_NONE, PF_GET_CLR_CNTR };
/* State-key side selectors: wire side, stack side, or both. */
enum	{ PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
98 
/*
 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
 * PFTM_MAX, special cases afterwards. See pf_state_expires().
 *
 * pf_rule.timeout[] (below) is sized PFTM_MAX, so PFTM_PURGE,
 * PFTM_UNLINKED and PFTM_UNTIL_PACKET must never be used as an index.
 * Each PFTM_<name> before PFTM_MAX has a matching PFTM_<name>_VAL default.
 */
enum	{ PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
	  PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
	  PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
	  PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
	  PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
	  PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
	  PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
	  PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
	  PFTM_UNTIL_PACKET };
112 
/*
 * PFTM default values.  Apparently in seconds (the established-TCP value
 * is spelled out as 24*60*60).  PFTM_ADAPTIVE_START/END have no *_VAL
 * here; their defaults are the PFSTATE_ADAPT_* constants further down.
 */
#define PFTM_TCP_FIRST_PACKET_VAL	120	/* First TCP packet */
#define PFTM_TCP_OPENING_VAL		30	/* No response yet */
#define PFTM_TCP_ESTABLISHED_VAL	(24*60*60)/* Established */
#define PFTM_TCP_CLOSING_VAL		(15 * 60) /* Half closed */
#define PFTM_TCP_FIN_WAIT_VAL		45	/* Got both FINs */
#define PFTM_TCP_CLOSED_VAL		90	/* Got a RST */
#define PFTM_UDP_FIRST_PACKET_VAL	60	/* First UDP packet */
#define PFTM_UDP_SINGLE_VAL		30	/* Unidirectional */
#define PFTM_UDP_MULTIPLE_VAL		60	/* Bidirectional */
#define PFTM_ICMP_FIRST_PACKET_VAL	20	/* First ICMP packet */
#define PFTM_ICMP_ERROR_REPLY_VAL	10	/* Got error response */
#define PFTM_OTHER_FIRST_PACKET_VAL	60	/* First packet */
#define PFTM_OTHER_SINGLE_VAL		30	/* Unidirectional */
#define PFTM_OTHER_MULTIPLE_VAL		60	/* Bidirectional */
#define PFTM_FRAG_VAL			30	/* Fragment expire */
#define PFTM_INTERVAL_VAL		10	/* Expire interval */
#define PFTM_SRC_NODE_VAL		0	/* Source tracking */
#define PFTM_TS_DIFF_VAL		30	/* Allowed TS diff */
132 
/* Routing actions (route-to / dup-to / reply-to); presumably pf_rule.rt. */
enum	{ PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
/* Memory-limit classes; PF_LIMIT_MAX is the count. */
enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
	  PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
/*
 * Pool option byte layout (pf_pool.opts): the low nibble holds the
 * PF_POOL_* selection type (PF_POOL_IDMASK / PF_POOL_TYPEMASK are both
 * 0x0f), PF_POOL_STICKYADDR is a separate flag bit.
 */
#define PF_POOL_IDMASK		0x0f
enum	{ PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
	  PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
/* Address-wrapper kinds; see pf_addr_wrap.type and PF_MISMATCHAW. */
enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
	  PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED,
	  PF_ADDR_RANGE };
#define PF_POOL_TYPEMASK	0x0f
#define PF_POOL_STICKYADDR	0x20
/* Window-scale byte: PF_WSCALE_FLAG marks "present", low nibble is the shift. */
#define PF_WSCALE_FLAG		0x80
#define PF_WSCALE_MASK		0x0f

/* Logging flag bits (presumably pf_rule.log). */
#define PF_LOG			0x01
#define PF_LOG_ALL		0x02
#define PF_LOG_SOCKET_LOOKUP	0x04

/* OpenBSD pool(9) flag names mapped onto the local malloc flags. */
#define PR_WAITOK   0x0001 /* M_WAITOK */
#define PR_NOWAIT   0x0002 /* M_NOWAIT */
#define PR_LIMITFAIL	0x0004 /* M_CANFAIL */
#define PR_ZERO		0x0008 /* M_ZERO */
155 
156 
/*
 * 128-bit address container.  IPv4 lives in v4 / addr32[0]; IPv6 uses the
 * full 16 bytes.  The PF_AEQ/PF_ANEQ/PF_AZERO macros below compare it word
 * by word through addr32[].
 *
 * NOTE: the accessor #defines inside the struct are NOT scoped to it.  From
 * this point on, any identifier named v4, v6, addr8, addr16 or addr32 in a
 * translation unit that includes this header is rewritten to pfa.<name>.
 */
struct pf_addr {
	union {
		struct in_addr		v4;
		struct in6_addr		v6;
		u_int8_t		addr8[16];
		u_int16_t		addr16[8];
		u_int32_t		addr32[4];
	} pfa;		    /* 128-bit address */
#define v4	pfa.v4
#define v6	pfa.v6
#define addr8	pfa.addr8
#define addr16	pfa.addr16
#define addr32	pfa.addr32
};
171 
/* Fixed buffer size for table names (pf_addr_wrap.v.tblname and friends). */
#define PF_TABLE_NAME_SIZE	 32

/*
 * Interface-address flags (pf_addr_wrap.iflags, pfi_dynaddr.pfid_iflags).
 * NETWORK|BROADCAST|PEER are the mutually related "mode" bits covered by
 * PFI_AFLAG_MODEMASK (0x07); NOALIAS is an independent flag outside it.
 */
#define PFI_AFLAG_NETWORK	0x01
#define PFI_AFLAG_BROADCAST	0x02
#define PFI_AFLAG_PEER		0x04
#define PFI_AFLAG_MODEMASK	0x07
#define PFI_AFLAG_NOALIAS	0x08
179 
/*
 * An address specification in a rule.  Which member of v / p is valid is
 * selected by type (PF_ADDR_*); PF_MISMATCHAW below shows the pairing:
 * ADDRMASK and RANGE use v.a, TABLE uses p.tbl, DYNIFTL uses p.dyn, and
 * RTLABEL matches through the whole wrapper.  The dyncnt/tblcnt members
 * alias the kernel pointers -- presumably the userland view of the union,
 * so a copy between kernel and userland must not treat p as a pointer.
 */
struct pf_addr_wrap {
	union {
		struct {
			struct pf_addr		 addr;
			struct pf_addr		 mask;
		}			 a;
		char			 ifname[IFNAMSIZ];
		char			 tblname[PF_TABLE_NAME_SIZE];
		char			 rtlabelname[RTLABEL_LEN];
		u_int32_t		 rtlabel;
	}			 v;
	union {
		struct pfi_dynaddr	*dyn;
		struct pfr_ktable	*tbl;
		int			 dyncnt;
		int			 tblcnt;
	}			 p;
	u_int8_t		 type;		/* PF_ADDR_* */
	u_int8_t		 iflags;	/* PFI_AFLAG_* */
};
200 
201 #ifdef _KERNEL
202 
203 #ifdef MALLOC_DECLARE
204 MALLOC_DECLARE(M_PF);
205 #endif
206 
/*
 * Kernel-only: an address spec resolved dynamically from an interface
 * (the PF_ADDR_DYNIFTL case of pf_addr_wrap, reached via p.dyn).  Holds
 * one address/mask pair per family plus the table (pfid_kt) and interface
 * (pfid_kif) it is derived from; pfid_hook_cookie is presumably the
 * hook_establish() cookie used to unregister the update hook.
 */
struct pfi_dynaddr {
	TAILQ_ENTRY(pfi_dynaddr)	 entry;
	struct pf_addr			 pfid_addr4;
	struct pf_addr			 pfid_mask4;
	struct pf_addr			 pfid_addr6;
	struct pf_addr			 pfid_mask6;
	struct pfr_ktable		*pfid_kt;
	struct pfi_kif			*pfid_kif;
	void				*pfid_hook_cookie;
	int				 pfid_net;	/* mask or 128 */
	int				 pfid_acnt4;	/* address count IPv4 */
	int				 pfid_acnt6;	/* address count IPv6 */
	sa_family_t			 pfid_af;	/* rule af */
	u_int8_t			 pfid_iflags;	/* PFI_AFLAG_* */
};
222 
223 /*
224  * Address manipulation macros
225  */
226 
/*
 * In-place byte-order conversion.  The argument is evaluated twice
 * (read and assigned), so it must be a plain lvalue without side effects.
 */
#define	NTOHS(x)	(x) = ntohs((__uint16_t)(x))
#define	HTONS(x)	(x) = htons((__uint16_t)(x))

#define	PF_NAME		"pf"

/* Module version numbers; all three modules are currently at 44. */
#define	PF_MODVER	44
#define	PFLOG_MODVER	44
#define	PFSYNC_MODVER	44

/* Accepted pflog/pfsync version ranges; MIN == MAX == the preferred version. */
#define	PFLOG_MINVER	44
#define	PFLOG_PREFVER	PFLOG_MODVER
#define	PFLOG_MAXVER	44
#define	PFSYNC_MINVER	44
#define	PFSYNC_PREFVER	PFSYNC_MODVER
#define	PFSYNC_MAXVER	44

/* prototyped for pf_subr.c */
/*
 * Minimal hook list (OpenBSD-style).  hook_establish() appends a callback
 * and returns an opaque cookie that hook_disestablish() takes back;
 * dohooks() runs the list.  The int arguments are presumably HOOK_*
 * flags (HOOK_REMOVE / HOOK_FREE) -- confirm against pf_subr.c.
 */
struct hook_desc {
	TAILQ_ENTRY(hook_desc) hd_list;
	void	(*hd_fn)(void *);
	void	*hd_arg;
};
TAILQ_HEAD(hook_desc_head, hook_desc);

void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *);
void hook_disestablish(struct hook_desc_head *, void *);
void dohooks(struct hook_desc_head *, int);

#define	HOOK_REMOVE	0x01
#define	HOOK_FREE	0x02
257 
/*
 * Derive exactly one of PF_INET_ONLY / PF_INET6_ONLY / PF_INET_INET6 from
 * the kernel's INET / INET6 options; the address macros below are
 * selected on it.  Outside _KERNEL (pfctl) both families are always
 * assumed, see the #else branch.
 */
#ifdef INET
#ifndef INET6
#define PF_INET_ONLY
#endif /* ! INET6 */
#endif /* INET */

#ifdef INET6
#ifndef INET
#define PF_INET6_ONLY
#endif /* ! INET */
#endif /* INET6 */

#ifdef INET
#ifdef INET6
#define PF_INET_INET6
#endif /* INET6 */
#endif /* INET */

#else

/* Userland: always compile the dual-family versions of the macros. */
#define PF_INET_INET6

#endif /* _KERNEL */
281 
/* Both IPv4 and IPv6 */
#ifdef PF_INET_INET6

/*
 * Family-aware address equality / inequality / is-zero on struct pf_addr.
 * AF_INET looks at addr32[0] only, AF_INET6 at all four words; any other
 * family yields false (so PF_AEQ and PF_ANEQ are NOT complements then).
 * The family argument c is deliberately used unparenthesized, so pass a
 * plain variable, never an expression with lower precedence than ==.
 * a and b are evaluated several times.
 */
#define PF_AEQ(a, b, c) \
	((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
	((c == AF_INET6 && (a)->addr32[3] == (b)->addr32[3] && \
	(a)->addr32[2] == (b)->addr32[2] && \
	(a)->addr32[1] == (b)->addr32[1] && \
	(a)->addr32[0] == (b)->addr32[0]))) \

#define PF_ANEQ(a, b, c) \
	((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
	((c == AF_INET6 && ((a)->addr32[3] != (b)->addr32[3] || \
	(a)->addr32[2] != (b)->addr32[2] || \
	(a)->addr32[1] != (b)->addr32[1] || \
	(a)->addr32[0] != (b)->addr32[0])))) \

#define PF_AZERO(a, c) \
	((c == AF_INET && !(a)->addr32[0]) || \
	((c == AF_INET6 && !(a)->addr32[0] && !(a)->addr32[1] && \
	!(a)->addr32[2] && !(a)->addr32[3]))) \

/* The remaining operations go through out-of-line helpers in pf.c. */
#define PF_MATCHA(n, a, m, b, f) \
	pf_match_addr(n, a, m, b, f)

#define PF_ACPY(a, b, f) \
	pf_addrcpy(a, b, f)

#define PF_AINC(a, f) \
	pf_addr_inc(a, f)

#define PF_POOLMASK(a, b, c, d, f) \
	pf_poolmask(a, b, c, d, f)

#else

/* Just IPv6 */

#ifdef PF_INET6_ONLY

/* Same contract as above, but the family argument c is ignored. */
#define PF_AEQ(a, b, c) \
	((a)->addr32[3] == (b)->addr32[3] && \
	(a)->addr32[2] == (b)->addr32[2] && \
	(a)->addr32[1] == (b)->addr32[1] && \
	(a)->addr32[0] == (b)->addr32[0]) \

#define PF_ANEQ(a, b, c) \
	((a)->addr32[3] != (b)->addr32[3] || \
	(a)->addr32[2] != (b)->addr32[2] || \
	(a)->addr32[1] != (b)->addr32[1] || \
	(a)->addr32[0] != (b)->addr32[0]) \

#define PF_AZERO(a, c) \
	(!(a)->addr32[0] && \
	!(a)->addr32[1] && \
	!(a)->addr32[2] && \
	!(a)->addr32[3] ) \

#define PF_MATCHA(n, a, m, b, f) \
	pf_match_addr(n, a, m, b, f)

#define PF_ACPY(a, b, f) \
	pf_addrcpy(a, b, f)

#define PF_AINC(a, f) \
	pf_addr_inc(a, f)

#define PF_POOLMASK(a, b, c, d, f) \
	pf_poolmask(a, b, c, d, f)

#else

/* Just IPv4 */
#ifdef PF_INET_ONLY

/* IPv4-only: first word only, family argument ignored. */
#define PF_AEQ(a, b, c) \
	((a)->addr32[0] == (b)->addr32[0])

#define PF_ANEQ(a, b, c) \
	((a)->addr32[0] != (b)->addr32[0])

#define PF_AZERO(a, c) \
	(!(a)->addr32[0])

#define PF_MATCHA(n, a, m, b, f) \
	pf_match_addr(n, a, m, b, f)

/*
 * Inline copy.  Unlike the other variants this is a bare assignment,
 * not a do/while(0) statement, so it must not be used where a single
 * statement is required (e.g. an unbraced if body followed by else).
 */
#define PF_ACPY(a, b, f) \
	(a)->v4.s_addr = (b)->v4.s_addr

/* Increment in host order, store back in network order. */
#define PF_AINC(a, f) \
	do { \
		(a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
	} while (0)

/* a = (b & mask c) | (d & ~c): take the network part from b, host part from d. */
#define PF_POOLMASK(a, b, c, d, f) \
	do { \
		(a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
		(((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
	} while (0)

#endif /* PF_INET_ONLY */
#endif /* PF_INET6_ONLY */
#endif /* PF_INET_INET6 */
386 
/*
 * PF_MISMATCHAW(aw, x, af, neg, ifp): non-zero when address x (family af)
 * does NOT satisfy the address spec aw, XOR-ed with neg (the trailing
 * "!= (neg)") so a negated rule inverts the result.  Per aw->type:
 *   NOROUTE     mismatch if x is routable at all;
 *   URPFFAILED  mismatch if ifp is given and x is routable (via ifp,
 *               presumably the reverse-path check);
 *   RTLABEL / TABLE / DYNIFTL / RANGE
 *               mismatch when the respective matcher rejects x;
 *   ADDRMASK    mismatch when the mask is non-zero and PF_MATCHA fails
 *               (an all-zero mask therefore matches any address).
 * Any other type never mismatches.  aw and x are each evaluated several
 * times, so pass side-effect-free lvalues.
 */
#define	PF_MISMATCHAW(aw, x, af, neg, ifp)				\
	(								\
		(((aw)->type == PF_ADDR_NOROUTE &&			\
		    pf_routable((x), (af), NULL)) ||			\
		(((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&	\
		    pf_routable((x), (af), (ifp))) ||			\
		((aw)->type == PF_ADDR_RTLABEL &&			\
		    !pf_rtlabel_match((x), (af), (aw))) ||		\
		((aw)->type == PF_ADDR_TABLE &&				\
		    !pfr_match_addr((aw)->p.tbl, (x), (af))) ||		\
		((aw)->type == PF_ADDR_DYNIFTL &&			\
		    !pfi_match_addr((aw)->p.dyn, (x), (af))) ||		\
		((aw)->type == PF_ADDR_RANGE &&				\
		    !pf_match_addr_range(&(aw)->v.a.addr,		\
		    &(aw)->v.a.mask, (x), (af))) ||			\
		((aw)->type == PF_ADDR_ADDRMASK &&			\
		    !PF_AZERO(&(aw)->v.a.mask, (af)) &&			\
		    !PF_MATCHA(0, &(aw)->v.a.addr,			\
		    &(aw)->v.a.mask, (x), (af))))) !=			\
		(neg)							\
	)
408 
/*
 * User-id match in a rule: two ids (a single value or the bounds of a
 * range, depending on op) and the comparison operator, presumably PF_OP_*.
 */
struct pf_rule_uid {
	uid_t		 uid[2];
	u_int8_t	 op;
};
413 
/*
 * Group-id match, same shape as pf_rule_uid.  Note gid[] is declared as
 * uid_t rather than gid_t; left as is because changing the type could
 * change the layout this struct shares with userland -- confirm the two
 * types have identical size before touching it.
 */
struct pf_rule_gid {
	uid_t		 gid[2];
	u_int8_t	 op;
};
418 
/*
 * One endpoint (src or dst) of a rule: the address spec, a port pair
 * (value or range bounds per port_op, presumably PF_OP_*), and neg,
 * which inverts the address match (passed as the neg argument of
 * PF_MISMATCHAW).
 */
struct pf_rule_addr {
	struct pf_addr_wrap	 addr;
	u_int16_t		 port[2];
	u_int8_t		 neg;
	u_int8_t		 port_op;
};
425 
/*
 * One member of a translation/routing address pool, linked into a
 * pf_palist.  kif is the kernel's resolved view of ifname (presumably
 * NULL until attached) -- it must not be trusted when the struct has
 * just been copied in from userland.
 */
struct pf_pooladdr {
	struct pf_addr_wrap		 addr;
	TAILQ_ENTRY(pf_pooladdr)	 entries;
	char				 ifname[IFNAMSIZ];
	struct pfi_kif			*kif;
};

TAILQ_HEAD(pf_palist, pf_pooladdr);
434 
/*
 * 128-bit key for the source-hash pool type (PF_POOL_SRCHASH).  As with
 * pf_addr, the key8/key16/key32 accessor #defines leak into the global
 * macro namespace for every includer of this header.
 */
struct pf_poolhashkey {
	union {
		u_int8_t		key8[16];
		u_int16_t		key16[8];
		u_int32_t		key32[4];
	} pfk;		    /* 128-bit hash key */
#define key8	pfk.key8
#define key16	pfk.key16
#define key32	pfk.key32
};
445 
/*
 * Address pool attached to a rule (pf_rule.rpool).  cur is the kernel's
 * current-position pointer into list (round-robin state), counter the
 * last address handed out, key the source-hash key, and tblidx the
 * position within a table-backed pool.  opts holds the PF_POOL_* type in
 * its low nibble plus PF_POOL_STICKYADDR; proxy_port/port_op are the
 * translated port (range) and its operator.
 */
struct pf_pool {
	struct pf_palist	 list;
	struct pf_pooladdr	*cur;
	struct pf_poolhashkey	 key;
	struct pf_addr		 counter;
	int			 tblidx;
	u_int16_t		 proxy_port[2];
	u_int8_t		 port_op;
	u_int8_t		 opts;
};
456 
457 
/* A packed Operating System description for fingerprinting */
/*
 * Layout is class/version/subtype bit fields, see PF_OSFP_PACK/UNPACK.
 * The two sentinel values are the top of the 32-bit range (0xffffffff and
 * 0xfffffffe) and can never be produced by PF_OSFP_PACK, whose fields
 * only cover the low 30 bits.
 */
typedef u_int32_t pf_osfp_t;
#define PF_OSFP_ANY	((pf_osfp_t)0)
#define PF_OSFP_UNKNOWN	((pf_osfp_t)-1)
#define PF_OSFP_NOMATCH	((pf_osfp_t)-2)
463 
/*
 * One OS name attached to a fingerprint: the packed id plus three
 * fixed-size name strings.  PF_OSFP_ENTRY_EQ compares the names with
 * memcmp over the full PF_OSFP_LEN bytes, not strcmp, so the buffers
 * must be zero-filled past the terminator (a merely NUL-terminated
 * string with stale bytes after it will never compare equal, and, when
 * copied out, would leak whatever followed it).
 */
struct pf_osfp_entry {
	SLIST_ENTRY(pf_osfp_entry) fp_entry;
	pf_osfp_t		fp_os;
	int			fp_enflags;
#define PF_OSFP_EXPANDED	0x001		/* expanded entry */
#define PF_OSFP_GENERIC		0x002		/* generic signature */
#define PF_OSFP_NODETAIL	0x004		/* no p0f details */
#define PF_OSFP_LEN	32
	char			fp_class_nm[PF_OSFP_LEN];
	char			fp_version_nm[PF_OSFP_LEN];
	char			fp_subtype_nm[PF_OSFP_LEN];
};
#define PF_OSFP_ENTRY_EQ(a, b) \
    ((a)->fp_os == (b)->fp_os && \
    memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
    memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
    memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
481 
/* handle pf_osfp_t packing */
/*
 * pf_osfp_t bit layout, MSB first: 1 reserved bit (keeps the sentinel
 * values PF_OSFP_UNKNOWN/NOMATCH out of reach), 1 unused bit, then
 * 10-bit class, 10-bit version and 10-bit subtype (30 bits total).
 * The _FP_* names use the reserved identifier space (leading underscore
 * plus upper case); they are kept for compatibility with the pf sources.
 */
#define _FP_RESERVED_BIT	1  /* For the special negative #defines */
#define _FP_UNUSED_BITS		1
#define _FP_CLASS_BITS		10 /* OS Class (Windows, Linux) */
#define _FP_VERSION_BITS	10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
#define _FP_SUBTYPE_BITS	10 /* patch level (NT SP4, SP3, ECN patch) */
/*
 * Split osfp into its three fields.  class/version/subtype are assigned
 * (lvalues); osfp is evaluated three times.
 */
#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
	(class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
	    ((1 << _FP_CLASS_BITS) - 1); \
	(version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
	    ((1 << _FP_VERSION_BITS) - 1);\
	(subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
} while(0)
/*
 * Inverse of PF_OSFP_UNPACK.  Each input is masked to its field width
 * first, so out-of-range values are silently truncated rather than
 * spilling into the neighbouring field.
 */
#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
	(osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
	    + _FP_SUBTYPE_BITS); \
	(osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
	    _FP_SUBTYPE_BITS; \
	(osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
} while(0)
502 
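/* the fingerprint of an OSes TCP SYN packet */
typedef u_int64_t	pf_tcpopts_t;
/*
 * A passive OS fingerprint: the observable properties of a TCP SYN
 * (window, packet size, MSS, TTL, option list) plus fp_flags selecting
 * how each property is matched (exact, modulus, don't-care, multiple of
 * MSS/MTU).  fp_oses lists the OS names this signature maps to.
 * fp_tcpopts packs the option sequence PF_OSFP_TCPOPT_BITS bits per
 * option, up to PF_OSFP_MAX_OPTS entries.
 */
struct pf_os_fingerprint {
	SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
	pf_tcpopts_t		fp_tcpopts;	/* packed TCP options */
	u_int16_t		fp_wsize;	/* TCP window size */
	u_int16_t		fp_psize;	/* ip->ip_len (host order) */
	u_int16_t		fp_mss;		/* TCP MSS */
	u_int16_t		fp_flags;	/* PF_OSFP_* match modifiers */
#define PF_OSFP_WSIZE_MOD	0x0001		/* Window modulus */
#define PF_OSFP_WSIZE_DC	0x0002		/* Window don't care */
#define PF_OSFP_WSIZE_MSS	0x0004		/* Window multiple of MSS */
#define PF_OSFP_WSIZE_MTU	0x0008		/* Window multiple of MTU */
#define PF_OSFP_PSIZE_MOD	0x0010		/* packet size modulus */
#define PF_OSFP_PSIZE_DC	0x0020		/* packet size don't care */
#define PF_OSFP_WSCALE		0x0040		/* TCP window scaling */
#define PF_OSFP_WSCALE_MOD	0x0080		/* TCP window scale modulus */
#define PF_OSFP_WSCALE_DC	0x0100		/* TCP window scale dont-care */
#define PF_OSFP_MSS		0x0200		/* TCP MSS */
#define PF_OSFP_MSS_MOD		0x0400		/* TCP MSS modulus */
#define PF_OSFP_MSS_DC		0x0800		/* TCP MSS dont-care */
#define PF_OSFP_DF		0x1000		/* IPv4 don't fragment bit */
#define PF_OSFP_TS0		0x2000		/* Zero timestamp */
#define PF_OSFP_INET6		0x4000		/* IPv6 */
	u_int8_t		fp_optcnt;	/* TCP option count */
	u_int8_t		fp_wscale;	/* TCP window scaling */
	u_int8_t		fp_ttl;		/* IPv4 TTL */
#define PF_OSFP_MAXTTL_OFFSET	40		/* presumably max observed-vs-initial TTL gap */
/* TCP options packing */
#define PF_OSFP_TCPOPT_NOP	0x0		/* TCP NOP option */
#define PF_OSFP_TCPOPT_WSCALE	0x1		/* TCP window scaling option */
#define PF_OSFP_TCPOPT_MSS	0x2		/* TCP max segment size opt */
#define PF_OSFP_TCPOPT_SACK	0x3		/* TCP SACK OK option */
#define PF_OSFP_TCPOPT_TS	0x4		/* TCP timestamp option */
#define PF_OSFP_TCPOPT_BITS	3		/* bits used by each option */
/*
 * Number of PF_OSFP_TCPOPT_BITS-wide option slots that fit in fp_tcpopts
 * (64 / 3 = 21).  The whole expression is parenthesized: the previous
 * form ended in an open "/ PF_OSFP_TCPOPT_BITS", so "x / PF_OSFP_MAX_OPTS"
 * divided x by the sizeof term only and then by 3.
 */
#define PF_OSFP_MAX_OPTS \
    ((sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
    / PF_OSFP_TCPOPT_BITS)

	SLIST_ENTRY(pf_os_fingerprint)	fp_next;
};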
544 
/*
 * Userland <-> kernel exchange format for one fingerprint: the same
 * observable fields as pf_os_fingerprint (without list links) plus a
 * single embedded pf_osfp_entry, and fp_getnum, the index requested by
 * DIOCOSFPGET.  NOTE(review): this crosses the ioctl boundary, so the
 * handler must treat fp_getnum (range) and the three fp_os name buffers
 * (termination / zero fill, see PF_OSFP_ENTRY_EQ) as untrusted input.
 */
struct pf_osfp_ioctl {
	struct pf_osfp_entry	fp_os;
	pf_tcpopts_t		fp_tcpopts;	/* packed TCP options */
	u_int16_t		fp_wsize;	/* TCP window size */
	u_int16_t		fp_psize;	/* ip->ip_len (host order) */
	u_int16_t		fp_mss;		/* TCP MSS */
	u_int16_t		fp_flags;	/* PF_OSFP_* */
	u_int8_t		fp_optcnt;	/* TCP option count */
	u_int8_t		fp_wscale;	/* TCP window scaling */
	u_int8_t		fp_ttl;		/* IPv4 TTL */

	int			fp_getnum;	/* DIOCOSFPGET number */
};
558 
559 
/*
 * A rule reference that is either a kernel pointer or a rule number,
 * presumably so the same field can be exported to userland as nr
 * (where the pointer would be meaningless and would disclose a kernel
 * address).  Used for pf_rule.skip[] and pf_src_node.rule.
 */
union pf_rule_ptr {
	struct pf_rule		*ptr;
	u_int32_t		 nr;
};

/* Fixed buffer size for anchor names. */
#define	PF_ANCHOR_NAME_SIZE	 64
566 
/*
 * A single pf rule: match criteria (src/dst, af, proto, uid/gid, tags,
 * OS fingerprint, ...), the action to take, per-rule limits/timeouts,
 * counters, and kernel-side links and pointers.
 *
 * NOTE(review): this struct mixes userland-supplied configuration (the
 * fixed-size name buffers, limits) with kernel-only state (kif, anchor,
 * overload_tbl, rpool.cur, skip[].ptr, entries).  If it is exchanged
 * with userland as one blob (as pfctl appears to do), the copy-in path
 * must NUL-terminate every name buffer and ignore the pointer members,
 * and the copy-out path should clear them so kernel addresses are not
 * disclosed -- confirm against the ioctl handlers.
 */
struct pf_rule {
	struct pf_rule_addr	 src;
	struct pf_rule_addr	 dst;
/* Indices into skip[]: one skip-step per match criterion. */
#define PF_SKIP_IFP		0
#define PF_SKIP_DIR		1
#define PF_SKIP_AF		2
#define PF_SKIP_PROTO		3
#define PF_SKIP_SRC_ADDR	4
#define PF_SKIP_SRC_PORT	5
#define PF_SKIP_DST_ADDR	6
#define PF_SKIP_DST_PORT	7
#define PF_SKIP_COUNT		8
	union pf_rule_ptr	 skip[PF_SKIP_COUNT];	/* next rule to try when criterion i fails */
#define PF_RULE_LABEL_SIZE	 64
	char			 label[PF_RULE_LABEL_SIZE];
#define PF_QNAME_SIZE		 64
	char			 ifname[IFNAMSIZ];
	char			 qname[PF_QNAME_SIZE];	/* ALTQ queue name */
	char			 pqname[PF_QNAME_SIZE];	/* priority queue name */
#define	PF_TAG_NAME_SIZE	 64
	char			 tagname[PF_TAG_NAME_SIZE];
	char			 match_tagname[PF_TAG_NAME_SIZE];

	char			 overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pf_rule)	 entries;	/* kernel: ruleset list link */
	struct pf_pool		 rpool;		/* translation / route-to pool */

	/* Counters. packets/bytes are indexed by direction ([0]/[1]). */
	u_int64_t		 evaluations;
	u_int64_t		 packets[2];
	u_int64_t		 bytes[2];

	/* Kernel-only resolved pointers (see NOTE above). */
	struct pfi_kif		*kif;
	struct pf_anchor	*anchor;
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		 os_fingerprint;	/* PF_OSFP_ANY if unset */

	int			 rtableid;
	u_int32_t		 timeout[PFTM_MAX];	/* per-rule PFTM_* overrides */
	u_int32_t		 states_cur;
	u_int32_t		 states_tot;
	u_int32_t		 max_states;
	u_int32_t		 src_nodes;
	u_int32_t		 max_src_nodes;
	u_int32_t		 max_src_states;
	u_int32_t		 max_src_conn;
	struct {
		u_int32_t		limit;		/* connections ... */
		u_int32_t		seconds;	/* ... per this many seconds */
	}			 max_src_conn_rate;
	u_int32_t		 qid;
	u_int32_t		 pqid;
	u_int32_t		 rt_listid;
	u_int32_t		 nr;		/* rule number within its ruleset */
	u_int32_t		 prob;		/* probabilistic match; 0 presumably means always */
	uid_t			 cuid;		/* creator uid */
	pid_t			 cpid;		/* creator pid */

	u_int16_t		 return_icmp;
	u_int16_t		 return_icmp6;
	u_int16_t		 max_mss;
	u_int16_t		 tag;
	u_int16_t		 match_tag;

	struct pf_rule_uid	 uid;
	struct pf_rule_gid	 gid;

	u_int32_t		 rule_flag;	/* PFRULE_* (defined below) */
	u_int8_t		 action;	/* PF_PASS, PF_DROP, ... */
	u_int8_t		 direction;	/* PF_IN / PF_OUT / PF_INOUT */
	u_int8_t		 log;		/* PF_LOG* */
	u_int8_t		 logif;
	u_int8_t		 quick;
	u_int8_t		 ifnot;		/* negate ifname match */
	u_int8_t		 match_tag_not;
	u_int8_t		 natpass;

/* keep_state values. */
#define PF_STATE_NORMAL		0x1
#define PF_STATE_MODULATE	0x2
#define PF_STATE_SYNPROXY	0x3
	u_int8_t		 keep_state;	/* 0 = stateless, else PF_STATE_* */
	sa_family_t		 af;		/* AF_INET / AF_INET6, or 0 for any (presumably) */
	u_int8_t		 proto;
	u_int8_t		 type;		/* ICMP type */
	u_int8_t		 code;		/* ICMP code */
	u_int8_t		 flags;		/* TCP flags to match ... */
	u_int8_t		 flagset;	/* ... out of this set */
	u_int8_t		 min_ttl;
	u_int8_t		 allow_opts;
	u_int8_t		 rt;		/* PF_NOPFROUTE, PF_ROUTETO, ... */
	u_int8_t		 return_ttl;
	u_int8_t		 tos;
	u_int8_t		 set_tos;
	u_int8_t		 anchor_relative;
	u_int8_t		 anchor_wildcard;

/* flush values. */
#define PF_FLUSH		0x01
#define PF_FLUSH_GLOBAL		0x02
	u_int8_t		 flush;

	struct {
		struct pf_addr		addr;
		u_int16_t		port;
	}			 divert;	/* divert-to target */

/* pickup_mode values. */
#define PF_PICKUPS_UNSPECIFIED	0
#define PF_PICKUPS_DISABLED	1
#define PF_PICKUPS_HASHONLY	2
#define PF_PICKUPS_ENABLED	3
	u_int8_t		 pickup_mode;
	u_int8_t		 unused01;	/* available for use */
};
680 
/* rule flags */
/*
 * Bits for pf_rule.rule_flag.  PFRULE_DROP is 0, i.e. the absence of any
 * RETURN* bit -- it cannot be tested with "&".  The return/flag group
 * occupies the low byte, the scrub group the next one, and a further
 * group sits above bit 16.
 */
#define	PFRULE_DROP		0x0000
#define	PFRULE_RETURNRST	0x0001
#define	PFRULE_FRAGMENT		0x0002
#define	PFRULE_RETURNICMP	0x0004
#define	PFRULE_RETURN		0x0008
#define	PFRULE_NOSYNC		0x0010
#define PFRULE_SRCTRACK		0x0020  /* track source states */
#define PFRULE_RULESRCTRACK	0x0040  /* per rule */

/* scrub flags */
#define	PFRULE_NODF		0x0100
#define	PFRULE_FRAGCROP		0x0200	/* non-buffering frag cache */
#define	PFRULE_FRAGDROP		0x0400	/* drop funny fragments */
#define PFRULE_RANDOMID		0x0800
#define PFRULE_REASSEMBLE_TCP	0x1000
#define PFRULE_SET_TOS		0x2000

/* rule flags again */
#define PFRULE_IFBOUND		0x00010000	/* if-bound */
#define PFRULE_STATESLOPPY	0x00020000	/* sloppy state tracking */

/* Default sizing of the state table and of the adaptive-timeout window. */
#define PFSTATE_HIWAT		50000	/* default state table size */
#define PFSTATE_ADAPT_START	30000	/* default adaptive timeout start */
#define PFSTATE_ADAPT_END	60000	/* default adaptive timeout end */
706 
707 
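/*
 * Rate-limit bookkeeping (used for pf_src_node.conn_rate).  limit is
 * presumably stored pre-multiplied by PF_THRESHOLD_MULT, which is why
 * PF_THRESHOLD_MAX bounds the configurable limit to the largest value
 * whose product with the multiplier still fits in 32 bits.  count and
 * last are the running counter and the time of the last update.
 */
struct pf_threshold {
	u_int32_t limit;
#define	PF_THRESHOLD_MULT	1000
/*
 * Parenthesized as a whole: the unparenthesized form "0xffffffff / MULT"
 * re-associated when used inside a larger expression (e.g.
 * "2 * PF_THRESHOLD_MAX" became "2 * 0xffffffff / 1000", which wraps).
 */
#define PF_THRESHOLD_MAX	(0xffffffff / PF_THRESHOLD_MULT)
	u_int32_t seconds;
	u_int32_t count;
	u_int32_t last;
};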
716 
/*
 * Source-tracking node: per-source-address accounting (states, connections,
 * connection rate, traffic counters) created by rules with PFRULE_SRCTRACK
 * / PFRULE_RULESRCTRACK.  addr is the tracked source, raddr the address it
 * was translated/routed to (sticky-address support, presumably).  creation
 * and expire are timestamps, presumably in seconds; rule is the owning
 * rule as pointer-or-number.
 */
struct pf_src_node {
	RB_ENTRY(pf_src_node) entry;
	struct pf_addr	 addr;
	struct pf_addr	 raddr;
	union pf_rule_ptr rule;
	struct pfi_kif	*kif;
	u_int64_t	 bytes[2];	/* per direction */
	u_int64_t	 packets[2];	/* per direction */
	u_int32_t	 states;	/* states currently referencing this node */
	u_int32_t	 conn;		/* open connections */
	struct pf_threshold	conn_rate;
	u_int32_t	 creation;
	u_int32_t	 expire;
	sa_family_t	 af;
	u_int8_t	 ruletype;
};

#define PFSNODE_HIWAT		10000	/* default source node table size */
735 
/*
 * Per-direction TCP scrub state (pf_state_peer.scrub): TCP timestamp
 * tracking for PAWS checks and timestamp modulation (pfss_ts_mod is the
 * per-state offset added to outgoing timestamps), plus the stashed TTL.
 * Note the PFSS_* flag values skip 0x0002..0x0008.
 */
struct pf_state_scrub {
	struct timeval	pfss_last;	/* time received last packet	*/
	u_int32_t	pfss_tsecr;	/* last echoed timestamp	*/
	u_int32_t	pfss_tsval;	/* largest timestamp		*/
	u_int32_t	pfss_tsval0;	/* original timestamp		*/
	u_int16_t	pfss_flags;
#define PFSS_TIMESTAMP	0x0001		/* modulate timestamp		*/
#define PFSS_PAWS	0x0010		/* stricter PAWS checks		*/
#define PFSS_PAWS_IDLED	0x0020		/* was idle too long.  no PAWS	*/
#define PFSS_DATA_TS	0x0040		/* timestamp on data packets	*/
#define PFSS_DATA_NOTS	0x0080		/* no timestamp on data packets	*/
	u_int8_t	pfss_ttl;	/* stashed TTL			*/
	u_int8_t	pad;		/* explicit padding; keep zeroed */
	u_int32_t	pfss_ts_mod;	/* timestamp modulation		*/
};
751 
/* Address/port pair; pad keeps the struct a multiple of 4 bytes. */
struct pf_state_host {
	struct pf_addr	addr;
	u_int16_t	port;
	u_int16_t	pad;
};
757 
/*
 * Kernel-side per-direction TCP tracking for one end of a state.
 * `scrub' is NULL when the peer is not scrubbed (pf_state_peer_hton()
 * tests it before dereferencing).  The wire/userland image of this is
 * struct pfsync_state_peer below.
 */
struct pf_state_peer {
	struct pf_state_scrub	*scrub;	/* state is scrubbed		*/
	u_int32_t	seqlo;		/* Max sequence number sent	*/
	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
	u_int32_t	seqdiff;	/* Sequence number modulator	*/
	u_int16_t	max_win;	/* largest window (pre scaling)	*/
	u_int16_t	mss;		/* Maximum segment size option	*/
	u_int8_t	state;		/* active state level		*/
	u_int8_t	wscale;		/* window scaling factor	*/
	u_int8_t	tcp_est;	/* Did we reach TCPS_ESTABLISHED */
	u_int8_t	pad[1];		/* alignment only */
};
770 
771 TAILQ_HEAD(pf_state_queue, pf_state);
772 
/*
 * keep synced with struct pf_state_key, used in RB_FIND
 *
 * Prefix-compatible image of struct pf_state_key: its first five members
 * (addr, port, af, proto, pad) are identical so a pf_state_key_cmp can be
 * handed to the tree comparator in place of a full key.  Any change here
 * must be mirrored in struct pf_state_key and vice versa.
 */
struct pf_state_key_cmp {
	struct pf_addr	 addr[2];
	u_int16_t	 port[2];
	sa_family_t	 af;
	u_int8_t	 proto;
	u_int8_t	 pad[2];
};
781 
/* Link node letting several pf_states share one pf_state_key (pf_state_key.states). */
struct pf_state_item {
	TAILQ_ENTRY(pf_state_item)	 entry;
	struct pf_state			*s;
};
786 
787 TAILQ_HEAD(pf_statelisthead, pf_state_item);
788 
/*
 * Lookup key for the state trees.  The first five members are the actual
 * key and must stay identical to struct pf_state_key_cmp;
 * PF_STATE_KEY_HASH_LENGTH (offsetof pad) hashes addr/port/af/proto but
 * not the pad bytes.  `states' lists every pf_state sharing this key,
 * `reverse' links the key of the opposite direction, `inp' caches a socket
 * pcb -- the exact ownership/lifetime of `inp' is not stated here.
 */
struct pf_state_key {
	struct pf_addr	 addr[2];
	u_int16_t	 port[2];
	sa_family_t	 af;
	u_int8_t	 proto;
	u_int8_t	 pad[2];

	RB_ENTRY(pf_state_key)	 entry;
	struct pf_statelisthead	 states;
	struct pf_state_key	*reverse;
	struct inpcb		*inp;
};
801 
802 #define PF_STATE_KEY_HASH_LENGTH        offsetof(struct pf_state_key, pad[0])
803 
/*
 * keep synced with struct pf_state, used in RB_FIND
 *
 * Prefix image of struct pf_state used for id lookups: id, creatorid and
 * direction match, and pad[3] here spans cpuid + pad[2] there.
 */
struct pf_state_cmp {
	u_int64_t	 id;
	u_int32_t	 creatorid;
	u_int8_t	 direction;
	u_int8_t	 pad[3];
};
811 
812 #if defined(_KERNEL) || defined(_KERNEL_STRUCTURES)
813 
/*
 * Kernel state entry.  The leading id/creatorid/direction members are the
 * RB key (see struct pf_state_cmp).  Exported to userland and pfsync as
 * struct pfsync_state; note cpuid is 8 bits here but 16 bits there.
 */
struct pf_state {
	u_int64_t	 id;
	u_int32_t	 creatorid;
	u_int8_t	 direction;
	u_int8_t	 cpuid;		/* owning cpu */
	u_int8_t	 pad[2];

	TAILQ_ENTRY(pf_state)	 entry_list;
	RB_ENTRY(pf_state)	 entry_id;
	struct pf_state_peer	 src;
	struct pf_state_peer	 dst;
	union pf_rule_ptr	 rule;
	union pf_rule_ptr	 anchor;
	union pf_rule_ptr	 nat_rule;
	struct pf_addr		 rt_addr;
	struct pf_state_key	*key[2];	/* addresses stack and wire  */
	struct pfi_kif		*kif;
	struct pfi_kif		*rt_kif;
	struct pf_src_node	*src_node;
	struct pf_src_node	*nat_src_node;
	u_int64_t		 packets[2];
	u_int64_t		 bytes[2];
	u_int32_t		 hash;
	u_int32_t		 creation;
	u_int32_t		 expire;
	u_int32_t		 pfsync_time;
	u_int16_t		 tag;
	u_int8_t		 log;
	u_int8_t		 state_flags;	/* PFSTATE_ALLOWOPTS .. PFSTATE_HALF_DUPLEX */
	u_int8_t		 timeout;
	u_int8_t		 sync_flags;	/* PFSTATE_NOSYNC / FROMSYNC / STALE */
	u_int8_t		 pickup_mode;
	struct lock		 lk;		/* per-state lock */
};
848 
849 #endif
850 
/*
 * state_flags (pf_state.state_flags / pfsync_state.state_flags)
 */
#define	PFSTATE_ALLOWOPTS	0x01	/* presumably pf.conf allow-opts */
#define	PFSTATE_SLOPPY		0x02	/* presumably pf.conf sloppy tracking */
#define PFSTATE_STACK_GLOBAL	0x04	/* pf_state_key[1] is global */
#define PFSTATE_CREATEINPROG	0x08	/* prevent find from finding it */
#define PFSTATE_HALF_DUPLEX	0x10	/* collision against translation */
859 
/*
 * sync_flags (pf_state.sync_flags); a separate bit space from state_flags
 */
#define	PFSTATE_NOSYNC	 0x01	/* do not send to pfsync */
#define	PFSTATE_FROMSYNC 0x02	/* state was learned from pfsync */
#define	PFSTATE_STALE	 0x04
866 
/*
 * Unified state structures for pulling states out of the kernel
 * used by pfsync(4) and the pf(4) ioctl.
 *
 * These are an external ABI: field order, widths and padding are part of
 * the wire/ioctl format and must not change.  Everything is passed in
 * network byte order (see pf_state_peer_hton()).
 */
/* 8 bytes, packed.  scrub_flag == PFSYNC_SCRUB_FLAG_VALID marks the rest as meaningful. */
struct pfsync_state_scrub {
	u_int16_t	pfss_flags;	/* only PFSS_TIMESTAMP is ever exported */
	u_int8_t	pfss_ttl;	/* stashed TTL		*/
#define PFSYNC_SCRUB_FLAG_VALID		0x01
	u_int8_t	scrub_flag;
	u_int32_t	pfss_ts_mod;	/* timestamp modulation	*/
} __packed;
878 
/*
 * Wire/ioctl image of struct pf_state_peer: 32 bytes packed
 * (8 + 4 + 4 + 4 + 2 + 2 + 1 + 1 + 6).  pad[6] is not written by
 * pf_state_peer_hton(), so producers must zero the struct beforehand.
 */
struct pfsync_state_peer {
	struct pfsync_state_scrub scrub;	/* state is scrubbed	*/
	u_int32_t	seqlo;		/* Max sequence number sent	*/
	u_int32_t	seqhi;		/* Max the other end ACKd + win	*/
	u_int32_t	seqdiff;	/* Sequence number modulator	*/
	u_int16_t	max_win;	/* largest window (pre scaling)	*/
	u_int16_t	mss;		/* Maximum segment size option	*/
	u_int8_t	state;		/* active state level		*/
	u_int8_t	wscale;		/* window scaling factor	*/
	u_int8_t	pad[6];
} __packed;
890 
/*
 * Wire image of the address/port part of struct pf_state_key.  Not
 * __packed: the layout relies on struct pf_addr's natural alignment
 * (its definition is outside this section).
 */
struct pfsync_state_key {
	struct pf_addr	 addr[2];
	u_int16_t	 port[2];
};
895 
/*
 * Complete exported state record: wrapped by struct pfioc_state for the
 * ioctl path and carried by pfsync(4).  64-bit kernel counters are split
 * into [high, low] 32-bit network-order halves (id, packets, bytes; see
 * pf_state_counter_hton()).  The reserved0* fields and every pad byte must
 * be zeroed by the producer before the record is copied out, otherwise
 * kernel memory leaks to userland/the wire; consumers should ignore them.
 */
struct pfsync_state {
	u_int32_t	 id[2];
	char		 ifname[IFNAMSIZ];
	struct pfsync_state_key	key[2];
	struct pfsync_state_peer src;
	struct pfsync_state_peer dst;
	struct pf_addr	 rt_addr;
	u_int32_t	 rule;		/* rule numbers, not pointers */
	u_int32_t	 anchor;
	u_int32_t	 nat_rule;
	u_int32_t	 creation;
	u_int32_t	 expire;
	u_int32_t	 packets[2][2];
	u_int32_t	 bytes[2][2];
	u_int32_t	 creatorid;
	sa_family_t	 af;
	u_int8_t	 proto;
	u_int8_t	 direction;
	u_int8_t	 log;
	u_int8_t	 state_flags;
	u_int8_t	 timeout;
	u_int8_t	 sync_flags;
	u_int8_t	 updates;
	u_int8_t	 pickup_mode;
	u_int16_t	 cpuid;		/* 16 bits here, 8 bits in struct pf_state */
	u_int16_t	 reserved01;	/* future expansion */
	u_int32_t	 reserved02;
	u_int16_t	 reserved03[8];
	u_int32_t	 reserved04[8];
};
926 
/* pfsync message flags */
#define PFSYNC_FLAG_COMPRESS	0x01
#define PFSYNC_FLAG_STALE	0x02
#define PFSYNC_FLAG_SRCNODE	0x04
#define PFSYNC_FLAG_NATSRCNODE	0x08
/*
 * NOTE(review): PFSTATE_GOT_SYN1/2 reuse the values 0x04/0x08 that
 * PFSTATE_STACK_GLOBAL/PFSTATE_CREATEINPROG have in state_flags; which
 * field these bits live in is not stated here -- confirm before masking
 * them against state_flags.
 */
#define PFSTATE_GOT_SYN_MASK	(PFSTATE_GOT_SYN1|PFSTATE_GOT_SYN2)
#define PFSTATE_GOT_SYN1 0x04 /* got SYN in one direction */
#define PFSTATE_GOT_SYN2 0x08 /* got SYN in the other direction */
934 
/* for copies to/from network byte order */
/* ioctl interface also uses network byte order */
/*
 * Copy kernel peer (s) into wire/ioctl peer (d), converting to network
 * order.  Only the PFSS_TIMESTAMP bit of the scrub flags is exported.
 * When (s)->scrub is NULL, (d)->scrub and (d)->pad are left untouched,
 * so the destination must be zeroed beforehand or stale/uninitialised
 * bytes are copied out -- NOTE(review): confirm every caller does so.
 */
#define pf_state_peer_hton(s,d) do {				\
	(d)->seqlo = htonl((s)->seqlo);				\
	(d)->seqhi = htonl((s)->seqhi);				\
	(d)->seqdiff = htonl((s)->seqdiff);			\
	(d)->max_win = htons((s)->max_win);			\
	(d)->mss = htons((s)->mss);				\
	(d)->state = (s)->state;				\
	(d)->wscale = (s)->wscale;				\
	if ((s)->scrub) {						\
		(d)->scrub.pfss_flags =					\
		    htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP);	\
		(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;		\
		(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
		(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;	\
	}								\
} while (0)
953 
/*
 * Copy wire/ioctl peer (s) into kernel peer (d), converting from network
 * order.  Scrub data is taken only when the record marks it valid AND the
 * kernel peer already owns a scrub block; the flags are masked to
 * PFSS_TIMESTAMP after byte-swapping, so no other bit can be injected from
 * the wire.  (s)->pad and (s)->scrub.scrub_flag are otherwise ignored.
 */
#define pf_state_peer_ntoh(s,d) do {				\
	(d)->seqlo = ntohl((s)->seqlo);				\
	(d)->seqhi = ntohl((s)->seqhi);				\
	(d)->seqdiff = ntohl((s)->seqdiff);			\
	(d)->max_win = ntohs((s)->max_win);			\
	(d)->mss = ntohs((s)->mss);				\
	(d)->state = (s)->state;				\
	(d)->wscale = (s)->wscale;				\
	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID &&	\
	    (d)->scrub != NULL) {					\
		(d)->scrub->pfss_flags =				\
		    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;	\
		(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;		\
		(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
	}								\
} while (0)
970 
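/*
 * Split the 64-bit counter s into two network-order 32-bit halves:
 * d[0] receives the high word, d[1] the low word (the layout used by
 * pfsync_state.id/packets/bytes).  Both arguments are parenthesised so
 * that an expression such as `a + b' or `p->cnt' can be passed without
 * the shift binding into it.
 */
#define pf_state_counter_hton(s,d) do {				\
	(d)[0] = htonl(((s) >> 32) & 0xffffffff);		\
	(d)[1] = htonl((s) & 0xffffffff);			\
} while (0)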
975 
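/*
 * Reassemble a [high, low] 32-bit pair into a 64-bit counter.  Unlike
 * pf_state_counter_ntoh() this does NO byte-order conversion; the halves
 * are combined exactly as stored.  The argument is parenthesised so that
 * pointer expressions can be passed.
 */
#define pf_state_counter_from_pfsync(s)				\
	(((u_int64_t)((s)[0]) << 32) | (u_int64_t)((s)[1]))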
978 
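/*
 * Inverse of pf_state_counter_hton(): read the network-order halves s[0]
 * (high) and s[1] (low) into the 64-bit lvalue d.  d must be at least
 * 64 bits wide -- the `<< 32' is undefined on a narrower type.  Both
 * arguments are parenthesised so that expressions can be passed.
 */
#define pf_state_counter_ntoh(s,d) do {				\
	(d) = ntohl((s)[0]);					\
	(d) = (d) << 32;					\
	(d) += ntohl((s)[1]);					\
} while (0)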
984 
985 TAILQ_HEAD(pf_rulequeue, pf_rule);
986 
987 struct pf_anchor;
988 
/*
 * One rule set (the rules of an anchor).  rules[] is indexed by rule-set
 * type (PF_RULESET_MAX entries); each type has two queues swapped between
 * active and inactive, presumably by the ticket-based ioctl transaction
 * protocol (ticket / open) -- confirm against pf_ioctl.c.  ptr_array is
 * an indexed view of the queue for lookup by rule number.
 */
struct pf_ruleset {
	struct {
		struct pf_rulequeue	 queues[2];
		struct {
			struct pf_rulequeue	*ptr;
			struct pf_rule		**ptr_array;
			u_int32_t		 rcount;	/* rules in ptr */
			u_int32_t		 ticket;
			int			 open;
		}			 active, inactive;
	}			 rules[PF_RULESET_MAX];
	struct pf_anchor	*anchor;	/* owning anchor */
	u_int32_t		 tticket;	/* table ticket */
	int			 tables;
	int			 topen;
};
1005 
1006 RB_HEAD(pf_anchor_global, pf_anchor);
1007 RB_HEAD(pf_anchor_node, pf_anchor);
/*
 * Anchor: a named node in the rule-set tree.  Linked into two RB trees,
 * the global one (entry_global) and its parent's children (entry_node).
 * name and path are fixed-size char arrays; whoever fills them from
 * userland input must guarantee NUL termination and bounds.
 */
struct pf_anchor {
	RB_ENTRY(pf_anchor)	 entry_global;
	RB_ENTRY(pf_anchor)	 entry_node;
	struct pf_anchor	*parent;
	struct pf_anchor_node	 children;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];	/* full path from the root */
	struct pf_ruleset	 ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;
};
1019 RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
1020 RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
1021 
1022 #define PF_RESERVED_ANCHOR    "_pf"
1023 
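/* pfr_table.pfrt_flags */
#define PFR_TFLAG_PERSIST	0x00000001	/* user-settable */
#define PFR_TFLAG_CONST		0x00000002	/* user-settable */
#define PFR_TFLAG_ACTIVE	0x00000004	/* kernel-managed */
#define PFR_TFLAG_INACTIVE	0x00000008	/* kernel-managed */
#define PFR_TFLAG_REFERENCED	0x00000010	/* kernel-managed */
#define PFR_TFLAG_REFDANCHOR	0x00000020	/* kernel-managed */
#define PFR_TFLAG_COUNTERS	0x00000040	/* user-settable */
/*
 * The masks are derived from the flags above, so adding a flag only
 * requires listing it in the right mask; ALLMASK follows automatically.
 * Values: USRMASK 0x43, SETMASK 0x3C, ALLMASK 0x7F.
 */
#define PFR_TFLAG_USRMASK	(PFR_TFLAG_PERSIST | PFR_TFLAG_CONST |	\
				 PFR_TFLAG_COUNTERS)
#define PFR_TFLAG_SETMASK	(PFR_TFLAG_ACTIVE | PFR_TFLAG_INACTIVE |	\
				 PFR_TFLAG_REFERENCED | PFR_TFLAG_REFDANCHOR)
#define PFR_TFLAG_ALLMASK	(PFR_TFLAG_USRMASK | PFR_TFLAG_SETMASK)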
1035 
/*
 * Table identifier as exchanged with userland.  pfrt_anchor and pfrt_name
 * are fixed-size arrays copied in from userland; the ioctl side must not
 * assume they are NUL-terminated.  pfrt_flags holds PFR_TFLAG_* bits;
 * pfrt_fback presumably carries a PFR_FB_* feedback code (see enum below).
 */
struct pfr_table {
	char			 pfrt_anchor[MAXPATHLEN];
	char			 pfrt_name[PF_TABLE_NAME_SIZE];
	u_int32_t		 pfrt_flags;
	u_int8_t		 pfrt_fback;
};
1042 
/* Per-entry feedback codes returned to userland (pfr_addr.pfra_fback / pfr_table.pfrt_fback). */
enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
	PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
	PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_NOCOUNT, PFR_FB_MAX };
1046 
/*
 * Table address entry as exchanged with userland.  pfra_af selects the
 * union member; pfra_net is presumably the prefix length and pfra_not the
 * negation flag -- confirm against pf_table.c.  pfra_fback is a PFR_FB_*
 * code.  The kernel must validate pfra_af/pfra_net before use since the
 * struct arrives from userland.
 */
struct pfr_addr {
	union {
		struct in_addr	 _pfra_ip4addr;
		struct in6_addr	 _pfra_ip6addr;
	}		 pfra_u;
	u_int8_t	 pfra_af;
	u_int8_t	 pfra_net;
	u_int8_t	 pfra_not;
	u_int8_t	 pfra_fback;
};
/* convenience accessors for the union members */
#define	pfra_ip4addr	pfra_u._pfra_ip4addr
#define	pfra_ip6addr	pfra_u._pfra_ip6addr
1059 
/*
 * Counter indices.  Per-address counters have PFR_OP_ADDR_MAX (2) slots,
 * per-table counters PFR_OP_TABLE_MAX (3): the extra slot, PFR_OP_XPASS,
 * is numerically equal to PFR_OP_ADDR_MAX.
 */
enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
#define PFR_OP_XPASS	PFR_OP_ADDR_MAX
1063 
/* Per-address statistics as returned to userland; indexed [dir][op]. */
struct pfr_astats {
	struct pfr_addr	 pfras_a;
	u_int64_t	 pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
	u_int64_t	 pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
	long		 pfras_tzero;	/* time counters were last zeroed */
};
1070 
1071 enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
1072 
/*
 * Per-table statistics as returned to userland; counters indexed
 * [dir][op] with PFR_OP_TABLE_MAX ops.  pfrts_refcnt is indexed by
 * PFR_REFCNT_*.  Note `long' members make the layout differ between
 * 32- and 64-bit userland.
 */
struct pfr_tstats {
	struct pfr_table pfrts_t;
	u_int64_t	 pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
	u_int64_t	 pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
	u_int64_t	 pfrts_match;
	u_int64_t	 pfrts_nomatch;
	long		 pfrts_tzero;	/* time counters were last zeroed */
	int		 pfrts_cnt;	/* number of addresses */
	int		 pfrts_refcnt[PFR_REFCNT_MAX];
};
/* accessors into the embedded pfr_table */
#define	pfrts_name	pfrts_t.pfrt_name
#define pfrts_flags	pfrts_t.pfrt_flags
1085 
/* Kernel-side per-entry counters, allocated only for tables with PFR_TFLAG_COUNTERS presumably. */
struct pfr_kcounters {
	u_int64_t		 pfrkc_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
	u_int64_t		 pfrkc_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
};
1090 
1091 SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
/*
 * Kernel table entry: a radix-tree node carrying the address plus the
 * userland-visible attributes (af/net/not).  pfrke_workq chains entries
 * during bulk operations.
 *
 * NOTE(review): the pfrke_route union member is compiled out (#if 0), so
 * the pfrke_route accessor below cannot be used without a compile error.
 */
struct pfr_kentry {
	struct radix_node	 pfrke_node[2];
	union sockaddr_union	 pfrke_sa;
	SLIST_ENTRY(pfr_kentry)	 pfrke_workq;
	union {

		struct pfr_kcounters		*pfrke_counters;
#if 0
		struct pfr_kroute		*pfrke_route;
#endif
	} u;
	long			 pfrke_tzero;
	u_int8_t		 pfrke_af;
	u_int8_t		 pfrke_net;
	u_int8_t		 pfrke_not;
	u_int8_t		 pfrke_mark;
	u_int8_t		 pfrke_intrpool;	/* allocated from the interrupt pool */
};
#define pfrke_counters	u.pfrke_counters
#define pfrke_route	u.pfrke_route	/* dead: member is #if 0'd out above */
1112 
1113 
1114 SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
1115 RB_HEAD(pfr_ktablehead, pfr_ktable);
/*
 * Kernel table: statistics/identity (pfrkt_ts) plus one radix tree per
 * address family.  pfrkt_shadow is the inactive copy built during a
 * transaction, pfrkt_root the table an anchor-scoped table derives from
 * -- both presumably, confirm against pf_table.c.
 *
 * NOTE(review): pfrkt_ruleset expands to pfrkt_t.pfrt_ruleset, but
 * struct pfr_table above has no pfrt_ruleset member; the accessor is dead
 * and would fail to compile if used.
 */
struct pfr_ktable {
	struct pfr_tstats	 pfrkt_ts;
	RB_ENTRY(pfr_ktable)	 pfrkt_tree;
	SLIST_ENTRY(pfr_ktable)	 pfrkt_workq;
	struct radix_node_head	*pfrkt_ip4;
	struct radix_node_head	*pfrkt_ip6;
	struct pfr_ktable	*pfrkt_shadow;
	struct pfr_ktable	*pfrkt_root;
	struct pf_ruleset	*pfrkt_rs;
	long			 pfrkt_larg;
	int			 pfrkt_nflags;
};
/* accessors into the embedded pfr_tstats / pfr_table */
#define pfrkt_t		pfrkt_ts.pfrts_t
#define pfrkt_name	pfrkt_t.pfrt_name
#define pfrkt_anchor	pfrkt_t.pfrt_anchor
#define pfrkt_ruleset	pfrkt_t.pfrt_ruleset	/* dead: no such member in struct pfr_table */
#define pfrkt_flags	pfrkt_t.pfrt_flags
#define pfrkt_cnt	pfrkt_ts.pfrts_cnt
#define pfrkt_refcnt	pfrkt_ts.pfrts_refcnt
#define pfrkt_packets	pfrkt_ts.pfrts_packets
#define pfrkt_bytes	pfrkt_ts.pfrts_bytes
#define pfrkt_match	pfrkt_ts.pfrts_match
#define pfrkt_nomatch	pfrkt_ts.pfrts_nomatch
#define pfrkt_tzero	pfrkt_ts.pfrts_tzero
1140 
/*
 * State-key trees.  pf_state_tree and pf_state_rtree both link through
 * pf_state_key.entry, so a given key can live in at most one of them.
 *
 * NOTE(review): pf_state_tree_ext_gwy names a link field entry_ext_gwy
 * that struct pf_state_key (above) does not have.  RB_PROTOTYPE only
 * emits prototypes, so this compiles, but RB_GENERATE for it could not;
 * it looks vestigial -- confirm before relying on it.
 */
RB_HEAD(pf_state_tree, pf_state_key);
RB_PROTOTYPE(pf_state_tree, pf_state_key, entry, pf_state_compare_key);
RB_HEAD(pf_state_rtree, pf_state_key);
RB_PROTOTYPE(pf_state_rtree, pf_state_key, entry, pf_state_compare_rkey);

RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
    entry_ext_gwy, pf_state_compare_ext_gwy);
1149 
/*
 * Userland view of per-interface statistics.  The three counter indices
 * are not named here; presumably [af][dir][action] as for pfi_kif --
 * confirm against pf_if.c.
 */
struct pfi_if {
	char				 pfif_name[IFNAMSIZ];
	u_int64_t			 pfif_packets[2][2][2];
	u_int64_t			 pfif_bytes[2][2][2];
	u_int64_t			 pfif_addcnt;
	u_int64_t			 pfif_delcnt;
	long				 pfif_tzero;
	int				 pfif_states;
	int				 pfif_rules;
	int				 pfif_flags;	/* PFI_IFLAG_* */
};
1161 
1162 TAILQ_HEAD(pfi_grouphead, pfi_kif);
1163 TAILQ_HEAD(pfi_statehead, pfi_kif);
1164 RB_HEAD(pfi_ifhead, pfi_kif);
1165 
/*
 * keep synced with pfi_kif, used in RB_FIND
 *
 * pfik_name is the first member of struct pfi_kif, so a pfi_kif_cmp can
 * be handed to the name comparator in place of a full kif.
 */
struct pfi_kif_cmp {
	char				 pfik_name[IFNAMSIZ];
};
1170 
/*
 * Kernel interface descriptor, keyed by name (must stay first, see
 * struct pfi_kif_cmp).  pfik_ifp / pfik_group are NULL-able back pointers
 * to the real interface or group presumably (PFI_IFLAG_PLACEHOLDER
 * entries exist without either) -- confirm.
 */
struct pfi_kif {
	char				 pfik_name[IFNAMSIZ];
	RB_ENTRY(pfi_kif)		 pfik_tree;
	u_int64_t			 pfik_packets[2][2][2];
	u_int64_t			 pfik_bytes[2][2][2];
	u_int32_t			 pfik_tzero;
	int				 pfik_flags;	/* PFI_IFLAG_* */
	struct ifnet			*pfik_ifp;
	struct ifg_group		*pfik_group;
	int				 pfik_states;	/* references, see enum pfi_kif_refs */
	int				 pfik_rules;
	TAILQ_HEAD(, pfi_dynaddr)	 pfik_dynaddrs;
};
1184 
/* Which reference count of a pfi_kif (pfik_states / pfik_rules) a caller is adjusting. */
enum pfi_kif_refs {
	PFI_KIF_REF_NONE,
	PFI_KIF_REF_STATE,
	PFI_KIF_REF_RULE
};
1190 
/* pfi_kif.pfik_flags / pfi_if.pfif_flags */
#define PFI_IFLAG_GROUP		0x0001	/* group of interfaces */
#define PFI_IFLAG_INSTANCE	0x0002	/* single instance */
#define PFI_IFLAG_CLONABLE	0x0010	/* clonable group */
#define PFI_IFLAG_DYNAMIC	0x0020	/* dynamic group */
#define PFI_IFLAG_SKIP		0x0100	/* skip filtering on interface */
#define PFI_IFLAG_PLACEHOLDER	0x8000	/* placeholder group/interface */
1197 
/*
 * Packet descriptor: everything pf_test() learns about the packet being
 * filtered.  The hdr union and the src/dst/sport/dport/ip_sum/proto_sum
 * pointers point into the mbuf and are only valid while it is unchanged;
 * `lookup' caches the socket-owner lookup (done/uid/gid/pid), presumably
 * for user/group rule matching -- confirm.
 */
struct pf_pdesc {
	struct {
		int	 done;		/* lookup already attempted */
		uid_t	 uid;
		gid_t	 gid;
		pid_t	 pid;
	}		 lookup;
	u_int64_t	 tot_len;	/* Make Mickey money */
	union {
		struct tcphdr		*tcp;
		struct udphdr		*udp;
		struct icmp		*icmp;
#ifdef INET6
		struct icmp6_hdr	*icmp6;
#endif /* INET6 */
		void			*any;
	} hdr;				/* transport header, selected by proto */

	struct pf_rule	*nat_rule;	/* nat/rdr rule applied to packet */
	struct ether_header
			*eh;
	struct pf_addr	*src;		/* src address */
	struct pf_addr	*dst;		/* dst address */
	u_int16_t *sport;
	u_int16_t *dport;

	u_int32_t	 p_len;		/* total length of payload */

	u_int16_t	*ip_sum;
	u_int16_t	*proto_sum;
	u_int16_t	 flags;		/* Let SCRUB trigger behavior in
					 * state code. Easier than tags */
#define PFDESC_TCP_NORM	0x0001		/* TCP shall be statefully scrubbed */
#define PFDESC_IP_REAS	0x0002		/* IP frags would've been reassembled */
	sa_family_t	 af;
	u_int8_t	 proto;
	u_int8_t	 tos;
	u_int8_t	 dir;		/* direction */
	u_int8_t	 sidx;		/* key index for source */
	u_int8_t	 didx;		/* key index for destination */
	u_int8_t	 not_cpu_localized; /* translation not localized */
};
1240 
/* flags for RDR options (which field they live in is not stated here) */
#define PF_DPORT_RANGE	0x01		/* Dest port uses range */
#define PF_RPORT_RANGE	0x02		/* RDR'ed port uses range */
1244 
/*
 * Reasons code for passing/dropping a packet.  These index
 * pf_counters.counters[] (via REASON_SET) and PFRES_NAMES; keep all three
 * in the same order and keep PFRES_MAX equal to the number of codes.
 */
#define PFRES_MATCH	0		/* Explicit match of a rule */
#define PFRES_BADOFF	1		/* Bad offset for pull_hdr */
#define PFRES_FRAG	2		/* Dropping following fragment */
#define PFRES_SHORT	3		/* Dropping short packet */
#define PFRES_NORM	4		/* Dropping by normalizer */
#define PFRES_MEMORY	5		/* Dropped due to lacking mem */
#define PFRES_TS	6		/* Bad TCP Timestamp (RFC1323) */
#define PFRES_CONGEST	7		/* Congestion (of ipintrq) */
#define PFRES_IPOPTIONS 8		/* IP option */
#define PFRES_PROTCKSUM 9		/* Protocol checksum invalid */
#define PFRES_BADSTATE	10		/* State mismatch */
#define PFRES_STATEINS	11		/* State insertion failure */
#define PFRES_MAXSTATES	12		/* State limit */
#define PFRES_SRCLIMIT	13		/* Source node/conn limit */
#define PFRES_SYNPROXY	14		/* SYN proxy */
#define PFRES_MAX	15		/* total+1 */
1262 
/*
 * Initialiser for a char *[PFRES_MAX + 1]: one name per PFRES_* code in
 * numeric order (15 entries), NULL-terminated.
 */
#define PFRES_NAMES { \
	"match", \
	"bad-offset", \
	"fragment", \
	"short", \
	"normalize", \
	"memory", \
	"bad-timestamp", \
	"congestion", \
	"ip-option", \
	"proto-cksum", \
	"state-mismatch", \
	"state-insert", \
	"state-limit", \
	"src-limit", \
	"synproxy", \
	NULL \
}
1281 
/*
 * Counters for other things we want to keep track of: limit hits.
 * Index pf_counters.lcounters[] and LCNT_NAMES; keep in the same order.
 */
#define LCNT_STATES		0	/* states */
#define LCNT_SRCSTATES		1	/* max-src-states */
#define LCNT_SRCNODES		2	/* max-src-nodes */
#define LCNT_SRCCONN		3	/* max-src-conn */
#define LCNT_SRCCONNRATE	4	/* max-src-conn-rate */
#define LCNT_OVERLOAD_TABLE	5	/* entry added to overload table */
#define LCNT_OVERLOAD_FLUSH	6	/* state entries flushed */
#define LCNT_MAX		7	/* total+1 */
1291 
/* Initialiser for a char *[LCNT_MAX + 1]: one name per LCNT_* code in order, NULL-terminated. */
#define LCNT_NAMES { \
	"max states per rule", \
	"max-src-states", \
	"max-src-nodes", \
	"max-src-conn", \
	"max-src-conn-rate", \
	"overload table insertion", \
	"overload flush states", \
	NULL \
}
1302 
/* UDP state enumeration (values stored in pf_state_peer.state for UDP) */
#define PFUDPS_NO_TRAFFIC	0
#define PFUDPS_SINGLE		1	/* traffic seen in one direction */
#define PFUDPS_MULTIPLE		2	/* traffic seen in both directions */

#define PFUDPS_NSTATES		3	/* number of state levels */

/* Initialiser for a char *[PFUDPS_NSTATES + 1], in PFUDPS_* order, NULL-terminated. */
#define PFUDPS_NAMES { \
	"NO_TRAFFIC", \
	"SINGLE", \
	"MULTIPLE", \
	NULL \
}
1316 
/* Other protocol state enumeration (same levels as PFUDPS_*, for non-TCP/UDP) */
#define PFOTHERS_NO_TRAFFIC	0
#define PFOTHERS_SINGLE		1
#define PFOTHERS_MULTIPLE	2

#define PFOTHERS_NSTATES	3	/* number of state levels */

/* Initialiser for a char *[PFOTHERS_NSTATES + 1], in PFOTHERS_* order, NULL-terminated. */
#define PFOTHERS_NAMES { \
	"NO_TRAFFIC", \
	"SINGLE", \
	"MULTIPLE", \
	NULL \
}
1330 
/* Indices into pf_counters.fcounters[] (state table operations) */
#define FCNT_STATE_SEARCH	0
#define FCNT_STATE_INSERT	1
#define FCNT_STATE_REMOVALS	2
#define FCNT_MAX		3

/* Indices into pf_counters.scounters[] (source node table operations) */
#define SCNT_SRC_NODE_SEARCH	0
#define SCNT_SRC_NODE_INSERT	1
#define SCNT_SRC_NODE_REMOVALS	2
#define SCNT_MAX		3
1340 
/*
 * Store x through the pointer a, doing nothing when a is NULL.  Both
 * arguments are expanded as written, so a is evaluated twice; pass
 * side-effect-free expressions.
 */
#define ACTION_SET(a, x) \
	do { \
		if ((a) == NULL) \
			break; \
		*(a) = (x); \
	} while (0)
1346 
/*
 * Bump a counter in the current CPU's pf_counters slot.  The increment is
 * a plain ++ (no atomics); it is safe only because each CPU touches its
 * own __cachealign'd slot.  x is an index and is evaluated once.
 */
#define PF_INC_COUNTER(x)	pf_counters[mycpu->gd_cpuid].counters[(x)]++
#define PF_INC_LCOUNTER(x)	pf_counters[mycpu->gd_cpuid].lcounters[(x)]++
#define PF_INC_FCOUNTER(x)	pf_counters[mycpu->gd_cpuid].fcounters[(x)]++
#define PF_INC_SCOUNTER(x)	pf_counters[mycpu->gd_cpuid].scounters[(x)]++
1351 
/*
 * Record reason code x through the optional u_short pointer a and count
 * it in the per-CPU reason counters.  The `(x) < PFRES_MAX' test bounds
 * the counter index; x is evaluated up to three times, so callers should
 * pass a PFRES_* constant or a side-effect-free expression.
 */
#define REASON_SET(a, x)				\
	do {						\
		u_short *r = (a); /* keep -Waddress happy */ \
		if (r != NULL)				\
			*r = (x);			\
		if ((x) < PFRES_MAX)			\
			PF_INC_COUNTER(x);		\
	} while (0)
1360 
/*
 * Per-CPU statistics slot (one per CPU, indexed by gd_cpuid in the
 * PF_INC_* macros).  __cachealign keeps slots on separate cache lines so
 * the non-atomic increments do not false-share.
 */
struct pf_counters {
	u_int64_t	counters[PFRES_MAX];	/* pass/drop reasons */
	u_int64_t	lcounters[LCNT_MAX];	/* limit counters */
	u_int64_t	fcounters[FCNT_MAX];	/* state table ops */
	u_int64_t	scounters[SCNT_MAX];	/* source node table ops */
} __cachealign;
1367 
/*
 * Global status as reported to userland.  The counter arrays mirror
 * struct pf_counters (presumably summed over CPUs on export -- confirm).
 * pf_chksum is an MD5 digest of the loaded ruleset used as a fingerprint
 * for comparison, not as an integrity control.
 */
struct pf_status {
	u_int64_t	counters[PFRES_MAX];
	u_int64_t	lcounters[LCNT_MAX];	/* limit counters */
	u_int64_t	fcounters[FCNT_MAX];
	u_int64_t	scounters[SCNT_MAX];
	u_int64_t	pcounters[2][2][3];
	u_int64_t	bcounters[2][2];
	u_int64_t	stateid;		/* atomic */
	u_int32_t	running;
	u_int32_t	states;			/* atomic */
	u_int32_t	src_nodes;		/* atomic */
	u_int32_t	since;			/* time pf was last enabled */
	u_int32_t	debug;
	u_int32_t	hostid;			/* used as creatorid for pfsync */
	char		ifname[IFNAMSIZ];	/* pfsync / loginterface name */
	u_int8_t	pf_chksum[PF_MD5_DIGEST_LENGTH];
};
1385 
/* CBQ scheduler parameters (pf_altq.pq_u.cbq_opts); units are those of altq's cbq. */
struct cbq_opts {
	u_int		minburst;
	u_int		maxburst;
	u_int		pktsize;
	u_int		maxpktsize;
	u_int		ns_per_byte;
	u_int		maxidle;
	int		minidle;
	u_int		offtime;
	int		flags;
};
1397 
/* PRIQ scheduler parameters (pf_altq.pq_u.priq_opts). */
struct priq_opts {
	int		flags;
};
1401 
/*
 * HFSC scheduler parameters (pf_altq.pq_u.hfsc_opts): three two-segment
 * service curves, each given as (m1, d, m2).
 */
struct hfsc_opts {
	/* real-time service curve */
	u_int		rtsc_m1;	/* slope of the 1st segment in bps */
	u_int		rtsc_d;		/* the x-projection of m1 in msec */
	u_int		rtsc_m2;	/* slope of the 2nd segment in bps */
	/* link-sharing service curve */
	u_int		lssc_m1;
	u_int		lssc_d;
	u_int		lssc_m2;
	/* upper-limit service curve */
	u_int		ulsc_m1;
	u_int		ulsc_d;
	u_int		ulsc_m2;
	int		flags;
};
1417 
/*
 * XXX this needs some work
 *
 * FAIRQ scheduler parameters (pf_altq.pq_u.fairq_opts).  The service
 * curve triple has the same (m1, d, m2) shape as in struct hfsc_opts.
 */
struct fairq_opts {
	u_int		nbuckets;	/* hash buckets */
	u_int		hogs_m1;	/* hog detection bandwidth */
	int		flags;

	/* link-sharing service curve */
	u_int		lssc_m1;
	u_int		lssc_d;
	u_int		lssc_m2;
};
1431 
/*
 * ALTQ queue definition, shared between pfctl and the kernel.  `scheduler'
 * selects which pq_u member is meaningful.  altq_disc is a kernel pointer
 * inside a userland-visible struct; it should be zeroed on export so no
 * kernel address reaches userland -- NOTE(review): confirm the ioctl path
 * does so.
 */
struct pf_altq {
	char			 ifname[IFNAMSIZ];

	void			*altq_disc;	/* discipline-specific state */
	TAILQ_ENTRY(pf_altq)	 entries;

	/* scheduler spec */
	u_int8_t		 scheduler;	/* scheduler type */
	u_int16_t		 tbrsize;	/* tokenbucket regulator size */
	u_int32_t		 ifbandwidth;	/* interface bandwidth */

	/* queue spec */
	char			 qname[PF_QNAME_SIZE];	/* queue name */
	char			 parent[PF_QNAME_SIZE];	/* parent name */
	u_int32_t		 parent_qid;	/* parent queue id */
	u_int32_t		 bandwidth;	/* queue bandwidth */
	u_int8_t		 priority;	/* priority */
	u_int16_t		 qlimit;	/* queue size limit */
	u_int16_t		 flags;		/* misc flags */
	union {
		struct cbq_opts		 cbq_opts;
		struct priq_opts	 priq_opts;
		struct hfsc_opts	 hfsc_opts;
		struct fairq_opts	 fairq_opts;
	} pq_u;					/* selected by scheduler */

	u_int32_t		 qid;		/* return value */
};
1460 
/*
 * DO NOT USE PF_TAG_GENERATED!  Set PF_MBUF_TAGGED in fw_flags instead and
 * then clear pf.flags.  The mbuf allocator does not automatically clear
 * the pf fields in the mbuf packet header.
 *
 * Remaining bits are mbuf-header pf flags; 0x01 stays reserved so the
 * retired PF_TAG_GENERATED value is never reused.
 */
/*#define PF_TAG_GENERATED		0x01*/
#define	PF_TAG_FRAGCACHE		0x02
#define	PF_TAG_TRANSLATE_LOCALHOST	0x04
#define	PF_TAG_STATE_HASHED		0x08
1470 
/* Name <-> numeric tag mapping, reference counted by the rules/states using it. */
struct pf_tagname {
	TAILQ_ENTRY(pf_tagname)	entries;
	char			name[PF_TAG_NAME_SIZE];	/* NUL-terminated by the creator presumably */
	u_int16_t		tag;
	int			ref;
};
1477 
/* Divert target; the address family selecting the union member is not stored here. */
struct pf_divert {
	union {
		struct in_addr	ipv4;
		struct in6_addr	ipv6;
	}		addr;
	u_int16_t	port;
};
1485 
/*
 * Default pool high-water marks.  These bound memory consumed by
 * attacker-influenced objects (fragments, table entries); they are
 * presumably tunable at run time -- confirm which ioctl/sysctl sets them.
 */
#define PFFRAG_FRENT_HIWAT	5000	/* Number of fragment entries */
#define PFFRAG_FRAG_HIWAT	1000	/* Number of fragmented packets */
#define PFFRAG_FRCENT_HIWAT	50000	/* Number of fragment cache entries */
#define PFFRAG_FRCACHE_HIWAT	10000	/* Number of fragment descriptors */

#define PFR_KTABLE_HIWAT	1000	/* Number of tables */
#define PFR_KENTRY_HIWAT	200000	/* Number of table entries */
#define PFR_KENTRY_HIWAT_SMALL	100000	/* Number of table entries (tiny hosts) */
1494 
1495 /*
1496  * ioctl parameter structures
1497  */
1498 
/*
 * Argument for the DIOCBEGINADDRS/DIOCADDADDR/DIOCGETADDRS/DIOCGETADDR/
 * DIOCCHANGEADDR ioctls (declared under "ioctl operations" below).
 * Crosses the user/kernel boundary; the kernel side must treat every field as
 * untrusted.  In particular `anchor' is not guaranteed to be NUL-terminated
 * by the caller -- the termination/validation code is not visible here.
 */
struct pfioc_pooladdr {
	u_int32_t		action;
	u_int32_t		ticket;
	u_int32_t		nr;
	u_int32_t		r_num;
	u_int8_t		r_action;
	u_int8_t		r_last;
	u_int8_t		af;
	char			anchor[MAXPATHLEN];
	struct pf_pooladdr	addr;
};
1510 
/*
 * Argument for the rule ioctls DIOCBEGINRULES/DIOCADDRULE/DIOCCOMMITRULES/
 * DIOCGETRULES/DIOCGETRULE/DIOCCHANGERULE (declared below) and for
 * pf_anchor_copyout() at the end of this header.
 * `ticket' and `pool_ticket' pair a request with an open transaction;
 * `anchor'/`anchor_call' are user-supplied paths and, like any char array
 * copied in from userland, must be NUL-terminated by the kernel side
 * before use (not visible here).
 */
struct pfioc_rule {
	u_int32_t	 action;
	u_int32_t	 ticket;
	u_int32_t	 pool_ticket;
	u_int32_t	 nr;
	char		 anchor[MAXPATHLEN];
	char		 anchor_call[MAXPATHLEN];
	struct pf_rule	 rule;
};
1520 
/*
 * Argument for DIOCNATLOOK (declared below).  saddr/daddr/sport/dport,
 * af, proto and direction describe the connection being looked up; the
 * r-prefixed fields presumably receive the translated endpoints -- the
 * fill-in semantics are not visible in this header.
 */
struct pfioc_natlook {
	struct pf_addr	 saddr;
	struct pf_addr	 daddr;
	struct pf_addr	 rsaddr;
	struct pf_addr	 rdaddr;
	u_int16_t	 sport;
	u_int16_t	 dport;
	u_int16_t	 rsport;
	u_int16_t	 rdport;
	sa_family_t	 af;
	u_int8_t	 proto;
	u_int8_t	 direction;
};
1534 
/* Argument for DIOCGETSTATE and DIOCADDSTATE: one state in pfsync wire format. */
struct pfioc_state {
	struct pfsync_state	state;
};
1538 
/*
 * Argument for DIOCKILLSRCNODES (declared below): address family plus a
 * source/destination match; `psnk_killed' is the out-parameter reporting
 * how many source nodes were removed.
 */
struct pfioc_src_node_kill {
	sa_family_t		psnk_af;
	struct pf_rule_addr	psnk_src;
	struct pf_rule_addr	psnk_dst;
	u_int			psnk_killed;	/* out: number of nodes killed */
};
1545 
/*
 * Argument for DIOCCLRSTATES and DIOCKILLSTATES (declared below).
 * The match criteria (psk_pfcmp, af, proto, src/dst, ifname, label) are
 * user-supplied; `psk_ifname' and `psk_label' are fixed-size char arrays
 * that the kernel side must NUL-terminate before string handling (not
 * visible here).  `psk_killed' is the out-parameter with the count.
 */
struct pfioc_state_kill {
	struct pf_state_cmp	psk_pfcmp;
	sa_family_t		psk_af;
	int			psk_proto;
	struct pf_rule_addr	psk_src;
	struct pf_rule_addr	psk_dst;
	char			psk_ifname[IFNAMSIZ];
	char			psk_label[PF_RULE_LABEL_SIZE];
	u_int			psk_killed;	/* out: number of states killed */
};
1556 
/*
 * Argument for DIOCGETSTATES (declared below): a user buffer described by
 * `ps_len' (bytes, signed) into which pfsync_state records are copied.
 * NOTE(review): ps_len is an int, so the kernel side must reject negative
 * values and bound the copyout to the caller's buffer; that check is not
 * visible in this header.  ps_buf/ps_states are aliases for the union.
 */
struct pfioc_states {
	int	ps_len;
	union {
		caddr_t			 psu_buf;
		struct pfsync_state	*psu_states;
	} ps_u;
#define ps_buf		ps_u.psu_buf
#define ps_states	ps_u.psu_states
};
1566 
/*
 * Argument for DIOCGETSRCNODES (declared below): same shape as pfioc_states,
 * but the user buffer receives pf_src_node records.  `psn_len' is a signed
 * byte count supplied by userland and must be validated on the kernel side
 * (not visible here).  psn_buf/psn_src_nodes alias the union.
 */
struct pfioc_src_nodes {
	int	psn_len;
	union {
		caddr_t		 psu_buf;
		struct pf_src_node	*psu_src_nodes;
	} psn_u;
#define psn_buf		psn_u.psu_buf
#define psn_src_nodes	psn_u.psu_src_nodes
};
1576 
/* Argument for DIOCSETSTATUSIF (declared below): an interface name. */
struct pfioc_if {
	char		 ifname[IFNAMSIZ];
};
1580 
/*
 * Argument for DIOCSETTIMEOUT/DIOCGETTIMEOUT (declared below): a timeout
 * index and its value in seconds.  Both are plain ints; the index is
 * user-supplied and must be range-checked before indexing (not visible here).
 */
struct pfioc_tm {
	int		 timeout;	/* timeout index */
	int		 seconds;	/* value in seconds */
};
1585 
/*
 * Argument for DIOCGETLIMIT/DIOCSETLIMIT (declared below): a pool-limit
 * index and its limit.  `index' is a user-supplied signed int, presumably
 * used against pf_pool_limits[PF_LIMIT_MAX] (kernel section) -- it must be
 * range-checked before use; that check is not visible here.
 */
struct pfioc_limit {
	int		 index;
	unsigned	 limit;
};
1590 
/*
 * Argument for DIOCADDALTQ/DIOCGETALTQS/DIOCGETALTQ/DIOCCHANGEALTQ
 * (declared below): a transaction ticket, an index `nr', and the queue
 * definition itself.
 */
struct pfioc_altq {
	u_int32_t	 action;
	u_int32_t	 ticket;
	u_int32_t	 nr;
	struct pf_altq	 altq;
};
1597 
/*
 * Argument for DIOCGETQSTATS (declared below): a user buffer `buf' of
 * `nbytes' bytes for the statistics of queue `nr'.  NOTE(review): nbytes is
 * a signed int coming from userland; the kernel side must reject negative
 * or oversized values before the copyout (not visible here).  `scheduler'
 * is presumably an out-parameter identifying the ALTQ discipline.
 */
struct pfioc_qstats {
	u_int32_t	 ticket;
	u_int32_t	 nr;
	void		*buf;
	int		 nbytes;
	u_int8_t	 scheduler;
};
1605 
/*
 * Anchor index/name pair.  No DIOC* ioctl in this header references it;
 * presumably retained for compatibility (confirm against pfctl/ioctl code).
 */
struct pfioc_anchor {
	u_int32_t	 nr;
	char		 name[PF_ANCHOR_NAME_SIZE];
};
1610 
/*
 * Argument for DIOCGETRULESETS/DIOCGETRULESET (declared below): enumerates
 * child anchors of `path'.  `path' is user-supplied and must be
 * NUL-terminated by the kernel side before use (not visible here);
 * `name' receives the result.
 */
struct pfioc_ruleset {
	u_int32_t	 nr;
	char		 path[MAXPATHLEN];
	char		 name[PF_ANCHOR_NAME_SIZE];
};
1616 
/*
 * Pseudo ruleset numbers for pfioc_trans_e.rs_num, placed just past the real
 * ruleset range so that ALTQ and table transactions can share the
 * DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK machinery.
 */
#define PF_RULESET_ALTQ		(PF_RULESET_MAX)
#define PF_RULESET_TABLE	(PF_RULESET_MAX+1)
/*
 * Argument for DIOCXBEGIN/DIOCXCOMMIT/DIOCXROLLBACK (declared below): an
 * array of `size' transaction elements of `esize' bytes each, living in
 * user memory at `array'.
 * NOTE(review): size/esize are signed and user-supplied; the kernel side
 * must reject negative values, an esize that differs from
 * sizeof(struct pfioc_trans_e), and a size that overflows size*esize
 * before copying the array in -- none of that is visible here.  Each
 * element's `anchor' must likewise be NUL-terminated before use.
 */
struct pfioc_trans {
	int		 size;	/* number of elements */
	int		 esize; /* size of each element in bytes */
	struct pfioc_trans_e {
		int		rs_num;		/* ruleset number, or PF_RULESET_ALTQ/_TABLE */
		char		anchor[MAXPATHLEN];
		u_int32_t	ticket;
	}		*array;
};
1628 
/*
 * Flag bits for pfioc_table.pfrio_flags (the DIOCR* table ioctls).
 * PFR_FLAG_ALLMASK covers every bit a userland caller may set;
 * PFR_FLAG_USERIOCTL is kernel-internal and deliberately outside that mask,
 * so the kernel side can mask user input with PFR_FLAG_ALLMASK and still
 * distinguish ioctl-originated calls from internal ones.
 */
#define PFR_FLAG_ATOMIC		0x00000001
#define PFR_FLAG_DUMMY		0x00000002
#define PFR_FLAG_FEEDBACK	0x00000004
#define PFR_FLAG_CLSTATS	0x00000008
#define PFR_FLAG_ADDRSTOO	0x00000010
#define PFR_FLAG_REPLACE	0x00000020
#define PFR_FLAG_ALLRSETS	0x00000040
#define PFR_FLAG_ALLMASK	0x0000007F
#ifdef _KERNEL
#define PFR_FLAG_USERIOCTL	0x10000000	/* kernel-only: set by the ioctl path */
#endif
1640 
/*
 * Argument for the DIOCR* table ioctls (commands 60-77 below).
 * `pfrio_buffer' points at `pfrio_size' user-memory elements of
 * `pfrio_esize' bytes each; `pfrio_size2' is a second count for the calls
 * that return two arrays.  pfrio_nadd/ndel/nchange are out-counters, with
 * several call-specific aliases #defined right after the struct.
 * NOTE(review): esize/size/size2 are signed and user-supplied; the kernel
 * side must reject negative values, an esize that does not match the
 * expected element type for the command, and size*esize overflow before
 * touching pfrio_buffer.  Those checks are not visible in this header.
 */
struct pfioc_table {
	struct pfr_table	 pfrio_table;
	void			*pfrio_buffer;
	int			 pfrio_esize;
	int			 pfrio_size;
	int			 pfrio_size2;
	int			 pfrio_nadd;
	int			 pfrio_ndel;
	int			 pfrio_nchange;
	int			 pfrio_flags;		/* PFR_FLAG_* */
	u_int32_t		 pfrio_ticket;
};
/*
 * Per-command aliases for the reused pfioc_table counters: the same storage
 * means different things depending on which DIOCR* ioctl is issued.
 */
#define	pfrio_exists	pfrio_nadd
#define	pfrio_nzero	pfrio_nadd
#define	pfrio_nmatch	pfrio_nadd
#define pfrio_naddr	pfrio_size2
#define pfrio_setflag	pfrio_size2
#define pfrio_clrflag	pfrio_nadd
1659 
/*
 * Argument for DIOCIGETIFACES/DIOCICLRISTATS/DIOCSETIFFLAG/DIOCCLRIFFLAG
 * (declared below).  `pfiio_name' selects an interface (or group) and
 * `pfiio_buffer' is a user buffer of `pfiio_size' elements of
 * `pfiio_esize' bytes.  As with pfioc_table, the signed esize/size come
 * from userland and must be validated on the kernel side (not visible here).
 */
struct pfioc_iface {
	char	 pfiio_name[IFNAMSIZ];
	void	*pfiio_buffer;
	int	 pfiio_esize;
	int	 pfiio_size;
	int	 pfiio_nzero;
	int	 pfiio_flags;
};
1668 
1669 
1670 /*
1671  * ioctl operations
1672  */
1673 
/*
 * ioctl command numbers on the 'D' group.  _IO() carries no argument;
 * _IOWR() copies the named struct in and back out, and (per
 * <sys/ioccom.h>) encodes sizeof the struct in the command word, so the
 * argument struct layout is part of the userland ABI -- do not reorder or
 * resize the pfioc_* structs above without bumping the command.
 * The "XXX cut" comments mark numbers that were retired; 31-36 are also
 * unused below.  Command 89 is reused by DIOCGIFSPEED after struct
 * pf_ifspeed further down; the two are told apart only by the encoded size.
 */
#define DIOCSTART	_IO  ('D',  1)
#define DIOCSTOP	_IO  ('D',  2)
#define DIOCBEGINRULES	_IOWR('D',  3, struct pfioc_rule)
#define DIOCADDRULE	_IOWR('D',  4, struct pfioc_rule)
#define DIOCCOMMITRULES	_IOWR('D',  5, struct pfioc_rule)
#define DIOCGETRULES	_IOWR('D',  6, struct pfioc_rule)
#define DIOCGETRULE	_IOWR('D',  7, struct pfioc_rule)
/* XXX cut 8 - 17 */
#define DIOCCLRSTATES	_IOWR('D', 18, struct pfioc_state_kill)
#define DIOCGETSTATE	_IOWR('D', 19, struct pfioc_state)
#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
#define DIOCGETSTATUS	_IOWR('D', 21, struct pf_status)
#define DIOCCLRSTATUS	_IO  ('D', 22)
#define DIOCNATLOOK	_IOWR('D', 23, struct pfioc_natlook)
#define DIOCSETDEBUG	_IOWR('D', 24, u_int32_t)
#define DIOCGETSTATES	_IOWR('D', 25, struct pfioc_states)
#define DIOCCHANGERULE	_IOWR('D', 26, struct pfioc_rule)
/* XXX cut 26 - 28 */
#define DIOCSETTIMEOUT	_IOWR('D', 29, struct pfioc_tm)
#define DIOCGETTIMEOUT	_IOWR('D', 30, struct pfioc_tm)
#define DIOCADDSTATE	_IOWR('D', 37, struct pfioc_state)
#define DIOCCLRRULECTRS	_IO  ('D', 38)
#define DIOCGETLIMIT	_IOWR('D', 39, struct pfioc_limit)
#define DIOCSETLIMIT	_IOWR('D', 40, struct pfioc_limit)
#define DIOCKILLSTATES	_IOWR('D', 41, struct pfioc_state_kill)
#define DIOCSTARTALTQ	_IO  ('D', 42)
#define DIOCSTOPALTQ	_IO  ('D', 43)
#define DIOCBEGINALTQS	_IOWR('D', 44, u_int32_t)
#define DIOCADDALTQ	_IOWR('D', 45, struct pfioc_altq)
#define DIOCCOMMITALTQS	_IOWR('D', 46, u_int32_t)
#define DIOCGETALTQS	_IOWR('D', 47, struct pfioc_altq)
#define DIOCGETALTQ	_IOWR('D', 48, struct pfioc_altq)
#define DIOCCHANGEALTQ	_IOWR('D', 49, struct pfioc_altq)
#define DIOCGETQSTATS	_IOWR('D', 50, struct pfioc_qstats)
#define DIOCBEGINADDRS	_IOWR('D', 51, struct pfioc_pooladdr)
#define DIOCADDADDR	_IOWR('D', 52, struct pfioc_pooladdr)
#define DIOCGETADDRS	_IOWR('D', 53, struct pfioc_pooladdr)
#define DIOCGETADDR	_IOWR('D', 54, struct pfioc_pooladdr)
#define DIOCCHANGEADDR	_IOWR('D', 55, struct pfioc_pooladdr)
/* XXX cut 55 - 57 */
#define	DIOCGETRULESETS	_IOWR('D', 58, struct pfioc_ruleset)
#define	DIOCGETRULESET	_IOWR('D', 59, struct pfioc_ruleset)
/* Table ioctls: all take struct pfioc_table, see PFR_FLAG_* above. */
#define	DIOCRCLRTABLES	_IOWR('D', 60, struct pfioc_table)
#define	DIOCRADDTABLES	_IOWR('D', 61, struct pfioc_table)
#define	DIOCRDELTABLES	_IOWR('D', 62, struct pfioc_table)
#define	DIOCRGETTABLES	_IOWR('D', 63, struct pfioc_table)
#define	DIOCRGETTSTATS	_IOWR('D', 64, struct pfioc_table)
#define DIOCRCLRTSTATS  _IOWR('D', 65, struct pfioc_table)
#define	DIOCRCLRADDRS	_IOWR('D', 66, struct pfioc_table)
#define	DIOCRADDADDRS	_IOWR('D', 67, struct pfioc_table)
#define	DIOCRDELADDRS	_IOWR('D', 68, struct pfioc_table)
#define	DIOCRSETADDRS	_IOWR('D', 69, struct pfioc_table)
#define	DIOCRGETADDRS	_IOWR('D', 70, struct pfioc_table)
#define	DIOCRGETASTATS	_IOWR('D', 71, struct pfioc_table)
#define DIOCRCLRASTATS  _IOWR('D', 72, struct pfioc_table)
#define	DIOCRTSTADDRS	_IOWR('D', 73, struct pfioc_table)
#define	DIOCRSETTFLAGS	_IOWR('D', 74, struct pfioc_table)
#define DIOCRINABEGIN	_IOWR('D', 75, struct pfioc_table)
#define DIOCRINACOMMIT	_IOWR('D', 76, struct pfioc_table)
#define DIOCRINADEFINE	_IOWR('D', 77, struct pfioc_table)
/* OS fingerprinting. */
#define DIOCOSFPFLUSH	_IO('D', 78)
#define DIOCOSFPADD	_IOWR('D', 79, struct pf_osfp_ioctl)
#define DIOCOSFPGET	_IOWR('D', 80, struct pf_osfp_ioctl)
/* Transactions spanning several rulesets (see struct pfioc_trans). */
#define DIOCXBEGIN      _IOWR('D', 81, struct pfioc_trans)
#define DIOCXCOMMIT     _IOWR('D', 82, struct pfioc_trans)
#define DIOCXROLLBACK   _IOWR('D', 83, struct pfioc_trans)
#define DIOCGETSRCNODES	_IOWR('D', 84, struct pfioc_src_nodes)
#define DIOCCLRSRCNODES	_IO('D', 85)
#define DIOCSETHOSTID	_IOWR('D', 86, u_int32_t)
#define DIOCIGETIFACES	_IOWR('D', 87, struct pfioc_iface)
#define DIOCICLRISTATS  _IOWR('D', 88, struct pfioc_iface)
#define DIOCSETIFFLAG	_IOWR('D', 89, struct pfioc_iface)	/* number shared with DIOCGIFSPEED */
#define DIOCCLRIFFLAG	_IOWR('D', 90, struct pfioc_iface)
#define DIOCKILLSRCNODES	_IOWR('D', 91, struct pfioc_src_node_kill)
/*
 * Argument for DIOCGIFSPEED (defined right below): interface name in,
 * `baudrate' out.
 */
struct pf_ifspeed {
	char			ifname[IFNAMSIZ];
	u_int32_t		baudrate;
};
1752 #define DIOCGIFSPEED          _IOWR('D', 89, struct pf_ifspeed)
1753 
#ifdef _KERNEL
/* Red-black trees of source-tracking nodes and of states keyed by id. */
RB_HEAD(pf_src_tree, pf_src_node);
RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);

RB_HEAD(pf_state_tree_id, pf_state);
RB_PROTOTYPE(pf_state_tree_id, pf_state,
    entry_id, pf_state_compare_id);

/*
 * Per-CPU arrays; the trailing comment gives each array's length
 * (pf_statetbl has one extra slot).  Which lock, if any, guards a given
 * slot is not documented here -- see pf_consistency_lock and
 * pf_global_statetbl_lock further down.
 */
extern struct pf_src_tree *tree_src_tracking;	/* ncpus */
extern struct pf_state_tree_id *tree_id;	/* ncpus */
extern struct pf_state_queue *state_list;	/* ncpus */
extern struct pf_counters *pf_counters;		/* ncpus */
extern struct pf_state **purge_cur;		/* ncpus */
extern struct pf_state_tree *pf_statetbl;	/* ncpus + 1 */

/*
 * Pool and ALTQ lists come in pairs with *_active/*_inactive pointers and
 * tickets -- presumably the double buffer behind the begin/commit ioctls
 * (DIOCBEGINALTQS/DIOCCOMMITALTQS carry the u_int32_t ticket).
 */
TAILQ_HEAD(pf_poolqueue, pf_pool);
extern struct pf_poolqueue		  pf_pools[2];
TAILQ_HEAD(pf_altqqueue, pf_altq);
extern struct pf_altqqueue		  pf_altqs[2];
extern struct pf_palist			  pf_pabuf;

extern u_int32_t		 ticket_altqs_active;
extern u_int32_t		 ticket_altqs_inactive;
extern int			 altqs_inactive_open;
extern u_int32_t		 ticket_pabuf;
extern struct pf_altqqueue	*pf_altqs_active;
extern struct pf_altqqueue	*pf_altqs_inactive;
extern struct pf_poolqueue	*pf_pools_active;
extern struct pf_poolqueue	*pf_pools_inactive;
extern int			 pf_tbladdr_setup(struct pf_ruleset *,
				    struct pf_addr_wrap *);
extern void			 pf_tbladdr_remove(struct pf_addr_wrap *);
extern void			 pf_tbladdr_copyout(struct pf_addr_wrap *);
extern void			 pf_calc_skip_steps(struct pf_rulequeue *);
/* malloc types for the various pf object pools. */
extern struct malloc_type	*pf_src_tree_pl, *pf_rule_pl;
extern struct malloc_type	*pf_state_pl, *pf_state_key_pl, *pf_state_item_pl,
				    *pf_altq_pl, *pf_pooladdr_pl;
extern struct malloc_type	*pfr_ktable_pl, *pfr_kentry_pl;
extern struct malloc_type	*pfr_kentry_pl2;
extern struct malloc_type	*pf_cache_pl, *pf_cent_pl;
extern struct malloc_type	*pf_state_scrub_pl;
extern struct malloc_type	*pfi_addr_pl;
/* State and source-node lifetime. */
extern void			 pf_purge_thread(void *);
extern int			 pf_purge_expired_src_nodes(int);
extern int			 pf_purge_expired_states(u_int32_t, int);
extern void			 pf_unlink_state(struct pf_state *);
extern void			 pf_free_state(struct pf_state *);
extern int			 pf_state_insert(struct pfi_kif *,
				    struct pf_state_key *,
				    struct pf_state_key *,
				    struct pf_state *);
extern int			 pf_insert_src_node(struct pf_src_node **,
				    struct pf_rule *, struct pf_addr *,
				    sa_family_t);
void				 pf_src_tree_remove_state(struct pf_state *);
u_int32_t			 pf_state_hash(struct pf_state_key *sk);
extern struct pf_state		*pf_find_state_byid(struct pf_state_cmp *);
extern struct pf_state		*pf_find_state_all(struct pf_state_key_cmp *,
				    u_int, int *);
extern void			 pf_print_state(struct pf_state *);
extern void			 pf_print_flags(u_int8_t);
extern u_int16_t		 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
				    u_int8_t);

extern struct ifnet		*sync_ifp;
extern struct pf_rule		 pf_default_rule;
extern void			 pf_addrcpy(struct pf_addr *, struct pf_addr *,
				    u_int8_t);
void				 pf_rm_rule(struct pf_rulequeue *,
				    struct pf_rule *);
struct pf_divert		*pf_find_divert(struct mbuf *);

/* Packet entry points; the mbuf pointer may be replaced by the callee. */
#ifdef INET
int	pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *, struct inpcb *);
#endif /* INET */

#ifdef INET6
int	pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *, struct inpcb *);
void	pf_poolmask(struct pf_addr *, struct pf_addr*,
	    struct pf_addr *, struct pf_addr *, u_int8_t);
void	pf_addr_inc(struct pf_addr *, sa_family_t);
#endif /* INET6 */

/* Header access and rule-matching helpers. */
void	*pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
	    sa_family_t);
void	pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
int	pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
	    u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
	    struct pf_pdesc *);
int	pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
	    struct pf_addr *, sa_family_t);
int	pf_match_addr_range(struct pf_addr *, struct pf_addr *,
	    struct pf_addr *, sa_family_t);
int	pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t);
int	pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
int	pf_match_uid(u_int8_t, uid_t, uid_t, uid_t);
int	pf_match_gid(u_int8_t, gid_t, gid_t, gid_t);

/* Normalization (scrub) and fragment handling. */
void	pf_normalize_init(void);
void	pf_normalize_unload(void);
int	pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
	    struct pf_pdesc *);
int	pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
	    struct pf_pdesc *);
int	pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
	    struct pf_pdesc *);
void	pf_normalize_tcp_cleanup(struct pf_state *);
int	pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
	    struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
int	pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
	    u_short *, struct tcphdr *, struct pf_state *,
	    struct pf_state_peer *, struct pf_state_peer *, int *);
u_int32_t
	pf_state_expires(const struct pf_state *);
void	pf_purge_expired_fragments(void);
int	pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
int	pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
int	pf_socket_lookup(int, struct pf_pdesc *);
struct pf_state_key *pf_alloc_state_key(int);
int	pf_state_key_attach(struct pf_state_key *, struct pf_state *, int);

/*
 * Table (pfr_*) operations.  The (struct pfr_table *, ..., int *, int flags)
 * shape mirrors the DIOCR* ioctls above; the trailing int is presumably the
 * PFR_FLAG_* word.
 */
void	pfr_initialize(void);
int	pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
void	pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
	    u_int64_t, int, int, int);
int	pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *,
	    struct pf_addr **, struct pf_addr **, sa_family_t);
void	pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
struct pfr_ktable *
	pfr_attach_table(struct pf_ruleset *, char *);
void	pfr_detach_table(struct pfr_ktable *);
int	pfr_clr_tables(struct pfr_table *, int *, int);
int	pfr_add_tables(struct pfr_table *, int, int *, int);
int	pfr_del_tables(struct pfr_table *, int, int *, int);
int	pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int);
int	pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int);
int	pfr_clr_tstats(struct pfr_table *, int, int *, int);
int	pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
int	pfr_clr_addrs(struct pfr_table *, int *, int);
int	pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
int	pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
	    int);
int	pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
	    int);
int	pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
	    int *, int *, int *, int, u_int32_t);
int	pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
int	pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
int	pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
	    int);
int	pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
	    int);
int	pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int);
int	pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int);
int	pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int);
int	pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
	    int *, u_int32_t, int);

/* Interface (pfi_*) tracking. */
extern struct pfi_kif		*pfi_all;

void		 pfi_initialize(void);
struct pfi_kif	*pfi_kif_get(const char *);
void		 pfi_cleanup(void);
void		 pfi_attach_clone(struct if_clone *);
void		 pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs);
void		 pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs);
struct pfi_kif	*pfi_kif_find(const char *);
int		 pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
void		 pfi_attach_ifnet(struct ifnet *);
void		 pfi_detach_ifnet(struct ifnet *);
struct pfi_kif	*pfi_lookup_create(const char *);
struct pfi_kif	*pfi_lookup_if(const char *);
void		 pfi_attach_ifgroup(struct ifg_group *);
void		 pfi_detach_ifgroup(struct ifg_group *);
void		 pfi_group_change(const char *);
int		 pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
		    sa_family_t);
int		 pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
void		 pfi_dynaddr_remove(struct pf_addr_wrap *);
void		 pfi_dynaddr_copyout(struct pf_addr_wrap *);
void		 pfi_update_status(const char *, struct pf_status *);
int		 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
int		 pfi_set_flags(const char *, int);
int		 pfi_clear_flags(const char *, int);

/*
 * Tag and queue name <-> id mapping.  The name arguments are non-const
 * char *; callers passing user-supplied names are responsible for
 * NUL-termination (see struct pf_tagname above).
 */
int		 pf_match_tag(struct mbuf *, struct pf_rule *, int *);
u_int16_t	 pf_tagname2tag(char *);
void		 pf_tag2tagname(u_int16_t, char *);
void		 pf_tag_ref(u_int16_t);
void		 pf_tag_unref(u_int16_t);
int		 pf_tag_packet(struct mbuf *, int, int);
u_int32_t	 pf_qname2qid(char *);
void		 pf_qid2qname(u_int32_t, char *);
void		 pf_qid_unref(u_int32_t);

extern struct pf_status		 pf_status;
extern struct malloc_type	*pf_frent_pl, *pf_frag_pl;
extern struct lock	pf_consistency_lock;
extern struct lock	pf_global_statetbl_lock;
/*
 * One entry per PF_LIMIT_* index: the pool being limited (`pp', opaque
 * here) and its current element limit.  Indexed from userland through
 * DIOCGETLIMIT/DIOCSETLIMIT (pfioc_limit.index), so the index must be
 * checked against PF_LIMIT_MAX before use -- not visible here.
 */
struct pf_pool_limit {
	void		*pp;
	unsigned	 limit;
};
extern struct pf_pool_limit	pf_pool_limits[PF_LIMIT_MAX];
1958 
/* One buffered IPv4 fragment: its IP header pointer and the mbuf holding it. */
struct pf_frent {
	LIST_ENTRY(pf_frent) fr_next;
	struct ip *fr_ip;
	struct mbuf *fr_m;
};
1964 
/*
 * Non-buffering fragment-cache entry: the [fr_off, fr_end) byte range seen
 * so far for a fragment id (16-bit, matching the IP fragment offset field).
 */
struct pf_frcache {
	LIST_ENTRY(pf_frcache) fr_next;
	uint16_t	fr_off;
	uint16_t	fr_end;
};
1970 
/*
 * Reassembly state for one (src, dst, proto, id) IPv4 datagram.  It lives
 * both in an RB tree (fr_entry, lookup) and on a TAILQ (frag_next,
 * presumably expiry order via fr_timeout).  fr_u holds either the list of
 * buffered fragments or, in the non-buffering cache mode, the list of
 * byte ranges seen; fr_queue/fr_cache are the accessor aliases.  Which
 * member is live must be derived from fr_flags -- the flag values are not
 * defined in this header.
 */
struct pf_fragment {
	RB_ENTRY(pf_fragment) fr_entry;
	TAILQ_ENTRY(pf_fragment) frag_next;
	struct in_addr	fr_src;
	struct in_addr	fr_dst;
	u_int8_t	fr_p;		/* protocol of this fragment */
	u_int8_t	fr_flags;	/* status flags */
	u_int16_t	fr_id;		/* fragment id for reassemble */
	u_int16_t	fr_max;		/* fragment data max */
	u_int32_t	fr_timeout;
#define fr_queue	fr_u.fru_queue
#define fr_cache	fr_u.fru_cache
	union {
		LIST_HEAD(pf_fragq, pf_frent) fru_queue;	/* buffering */
		LIST_HEAD(pf_cacheq, pf_frcache) fru_cache;	/* non-buf */
	} fr_u;
};
1988 
1989 #endif /* _KERNEL */
1990 
/* Shared between kernel and the userland programs that link pf code. */
extern struct radix_node_head *pf_maskhead;
extern struct pf_anchor_global	pf_anchors;
extern struct pf_anchor		pf_main_anchor;
#define pf_main_ruleset	pf_main_anchor.ruleset

/* these ruleset functions can be linked into userland programs (pfctl) */
int			 pf_get_ruleset_number(u_int8_t);
void			 pf_init_ruleset(struct pf_ruleset *);
int			 pf_anchor_setup(struct pf_rule *,
			    const struct pf_ruleset *, const char *);
int			 pf_anchor_copyout(const struct pf_ruleset *,
			    const struct pf_rule *, struct pfioc_rule *);
void			 pf_anchor_remove(struct pf_rule *);
void			 pf_remove_if_empty_ruleset(struct pf_ruleset *);
struct pf_anchor	*pf_find_anchor(const char *);
struct pf_ruleset	*pf_find_ruleset(const char *);
struct pf_ruleset	*pf_find_or_create_ruleset(const char *);
void			 pf_rs_initialize(void);

/* The fingerprint functions can be linked into userland programs (tcpdump) */
int	pf_osfp_add(struct pf_osfp_ioctl *);
#ifdef _KERNEL
/* Kernel-only variant that pulls the headers out of an mbuf first. */
struct pf_osfp_enlist *
	pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int,
	    const struct tcphdr *);
#endif /* _KERNEL */
/* Header-based variant usable from userland; one of ip/ip6 is presumably NULL. */
struct pf_osfp_enlist *
	pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *,
	    const struct tcphdr *);
void	pf_osfp_flush(void);
int	pf_osfp_get(struct pf_osfp_ioctl *);
void	pf_osfp_initialize(void);
int	pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
struct pf_os_fingerprint *
	pf_osfp_validate(void);
2026 
2027 
2028 #endif /* _NET_PFVAR_H_ */
2029