1 /* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
2
3 /*-
4 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This material is based upon work partially supported by The
8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 /*
33 * Public NPF interfaces.
34 */
35
36 #ifndef _NPF_NET_H_
37 #define _NPF_NET_H_
38
39 #include <sys/param.h>
40 #include <sys/types.h>
41
42 #include <sys/ioctl.h>
43 #include <prop/proplib.h>
44
45 #include <netinet/in_systm.h>
46 #include <netinet/in.h>
47
48 #define NPF_VERSION 17
49
50 /*
51 * Public declarations and definitions.
52 */
53
54 /* Storage of address (both for IPv4 and IPv6) and netmask */
/*
 * An address is always stored in an in6_addr-sized slot; an IPv4 address
 * presumably occupies the leading 4 bytes (npc_alen is 4 or 16 below).
 */
typedef struct in6_addr		npf_addr_t;
typedef uint8_t			npf_netmask_t;

/*
 * Prefix length in bits: valid values are 0..NPF_MAX_NETMASK, plus the
 * sentinel NPF_NO_NETMASK (255 for a uint8_t).  Values 129..254 are neither,
 * so code validating a user-supplied mask must reject them explicitly.
 */
#define	NPF_MAX_NETMASK		(128)
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)
60
61 /* BPF coprocessor. */
#if defined(NPF_BPFCOP)
/* Coprocessor call indices (meaning defined by the coprocessor code). */
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

/*
 * Named BPF memory-word slots.  Only the indices are fixed here; what is
 * stored in each slot is up to the coprocessor implementation -- confirm.
 */
#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif
/* The number of words used: must be >= the highest BPF_MW_* index + 1. */
#define	NPF_BPF_NWORDS		3
72
73 #if defined(_KERNEL)
74
/* Verdicts returned by the packet inspection path. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare an NPF extension kernel module.  `req' must be a string literal
 * of extra module dependencies (it is pasted after "npf," by string
 * concatenation): when it is empty, sizeof(req) - 1 is 0 and the module
 * depends on "npf" only.
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")
80
81 #include <net/if.h>
82 #include <netinet/ip.h>
83 #include <netinet/ip6.h>
84 #include <netinet/tcp.h>
85 #include <netinet/udp.h>
86 #include <netinet/ip_icmp.h>
87 #include <netinet/icmp6.h>
88
89 /*
90 * Network buffer interface.
91 */
92
/* nb_flags bit; queried with nbuf_flag_p() and cleared with nbuf_unset_flag(). */
#define	NBUF_DATAREF_RESET	0x01

/*
 * Network buffer handle wrapping an mbuf chain.  Fields are meant to be
 * accessed through the nbuf_*() functions declared below, not directly.
 */
typedef struct {
	struct mbuf *	nb_mbuf0;	/* presumably the head of the chain (see nbuf_head_mbuf()) */
	struct mbuf *	nb_mbuf;	/* presumably the mbuf holding the current position */
	void *		nb_nptr;	/* presumably the current data pointer (see nbuf_dataptr()) */
	const ifnet_t *	nb_ifp;		/* interface supplied to nbuf_init() */
	unsigned	nb_ifid;	/* interface identifier */
	int		nb_flags;	/* NBUF_* flags */
} nbuf_t;
103
/*
 * nbuf_t accessors (defined outside this header).  The pointer-returning
 * functions can presumably return NULL (e.g. when the requested length is
 * not available or the mbuf cannot be made contiguous/writable); callers
 * should treat a NULL result as "packet too short" -- confirm against the
 * implementation.
 */
void		nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/* Both take a byte length; the data must be bounds-checked by the callee. */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
121
122 /*
123 * Packet information cache.
124 */
125
/* Bits of npf_cache_t::npc_info; tested with npf_iscached(). */
#define	NPC_IP4		0x01	/* Indicates IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

/* Either IP version: a cache with neither bit set has no usable npc_ip. */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)
139
/*
 * Packet information cache: parsed header pointers for one packet.  The
 * pointer unions are only meaningful when the matching NPC_* bit is set in
 * npc_info (check with npf_iscached() before dereferencing).
 */
typedef struct {
	/* Information flags and the nbuf. */
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Index with NPF_SRC (0) / NPF_DST (1).
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint8_t		npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6: select by NPC_IP4 / NPC_IP6. */
	union {
		struct ip *	v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/* TCP, UDP, ICMP: select by NPC_TCP / NPC_UDP / NPC_ICMP. */
	union {
		struct tcphdr *	tcp;
		struct udphdr *	udp;
		struct icmp *	icmp;
		struct icmp6_hdr *	icmp6;
		void *		hdr;
	} npc_l4;
} npf_cache_t;
171
/*
 * Test whether the NPC_* bit(s) in `inf' are set in the cache.  The NULL
 * assertion on npc_nbuf is a diagnostic-build check only, not a runtime
 * guard; callers are expected to pass an initialised cache.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);

	const bool hit = (npc->npc_info & inf) != 0;
	return __predict_true(hit);
}
178
/* Indices into npf_cache_t::npc_ips[2]. */
#define	NPF_SRC		0
#define	NPF_DST		1
181
182 /*
183 * NPF extensions and rule procedure interface.
184 */
185
/* Rule procedure handle; opaque to extensions. */
struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;

/* Attach an extension's per-rproc context (the `void *' handed back to dtor/proc). */
void	npf_rproc_assign(npf_rproc_t *, void *);
190
/*
 * Extension operations registered with npf_ext_register().  `ctor' receives
 * the rule-procedure configuration dictionary (user-supplied, so it must be
 * validated by the extension); `proc' is called per packet with the cache
 * and the context assigned via npf_rproc_assign().
 */
typedef struct {
	unsigned int	version;	/* presumably checked against NPF_VERSION -- confirm */
	void *		ctx;
	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
	void		(*dtor)(npf_rproc_t *, void *);
	bool		(*proc)(npf_cache_t *, void *, int *);
} npf_ext_ops_t;
198
/* Returns an opaque registration handle (NULL presumably on failure) to pass to unregister. */
void *	npf_ext_register(const char *, const npf_ext_ops_t *);
int	npf_ext_unregister(void *);
201
202 /*
203 * Misc.
204 */
205
/* Whether the NPF module may currently be auto-unloaded. */
bool	npf_autounload_p(void);
207
208 #endif /* _KERNEL */
209
210 /* Rule attributes. */
/* Rule attributes (bit flags). */
#define	NPF_RULE_PASS		0x00000001
#define	NPF_RULE_GROUP		0x00000002
#define	NPF_RULE_FINAL		0x00000004
#define	NPF_RULE_STATEFUL	0x00000008
#define	NPF_RULE_RETRST		0x00000010
#define	NPF_RULE_RETICMP	0x00000020
#define	NPF_RULE_DYNAMIC	0x00000040
#define	NPF_RULE_MULTIENDS	0x00000080

#define	NPF_DYNAMIC_GROUP	(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

/* Direction bits; NPF_RULE_DIMASK selects them. */
#define	NPF_RULE_IN		0x10000000
#define	NPF_RULE_OUT		0x20000000
#define	NPF_RULE_DIMASK		(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW		0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * Bits 0x0f000000 are reserved for kernel-internal use, so attributes
 * arriving from userland are expected to have them cleared or be rejected
 * before the rule is installed -- confirm in the rule loading code.
 */
#define	NPF_RULE_PRIVMASK	0x0f000000

/* Buffer sizes for rule names and keys, including the terminator if any. */
#define	NPF_RULE_MAXNAMELEN	64
#define	NPF_RULE_MAXKEYLEN	32

/* Priority values (negative sentinels; non-negative values are ordinary). */
#define	NPF_PRI_FIRST		(-2)
#define	NPF_PRI_LAST		(-1)

/* Types of code. */
#define	NPF_CODE_NC		1
#define	NPF_CODE_BPF		2
240
241 /* Address translation types and flags. */
/* Address translation types and flags. */
#define	NPF_NATIN		1
#define	NPF_NATOUT		2

#define	NPF_NAT_PORTS		0x01
#define	NPF_NAT_PORTMAP		0x02
#define	NPF_NAT_STATIC		0x04

#define	NPF_ALGO_NPT66		1

/* Table types. */
#define	NPF_TABLE_HASH		1
#define	NPF_TABLE_TREE		2
#define	NPF_TABLE_CDB		3

/* Buffer size for table names, including the terminator if any. */
#define	NPF_TABLE_MAXNAMELEN	32

/* Layers. */
#define	NPF_LAYER_2		2
#define	NPF_LAYER_3		3

/* XXX mbuf.h: just for now. */
#define	PACKET_TAG_NPF		10
264
265 /*
266 * Rule commands (non-ioctl).
267 */
268
/*
 * Rule commands.  The numbering overlaps with NPF_CMD_TABLE_* below; the
 * two sets belong to different commands and must not be interchanged.
 */
#define	NPF_CMD_RULE_ADD	1
#define	NPF_CMD_RULE_INSERT	2
#define	NPF_CMD_RULE_REMOVE	3
#define	NPF_CMD_RULE_REMKEY	4
#define	NPF_CMD_RULE_LIST	5
#define	NPF_CMD_RULE_FLUSH	6
275
276 /*
277 * NPF ioctl(2): table commands and structures.
278 */
279
/* Table commands, carried in npf_ioctl_table_t::nct_cmd. */
#define	NPF_CMD_TABLE_LOOKUP	1
#define	NPF_CMD_TABLE_ADD	2
#define	NPF_CMD_TABLE_REMOVE	3
#define	NPF_CMD_TABLE_LIST	4
#define	NPF_CMD_TABLE_FLUSH	5
285
/*
 * One table entry as supplied by userland.  `alen' is presumably 4 or 16
 * and `mask' must be <= NPF_MAX_NETMASK or NPF_NO_NETMASK; both come from
 * an unprivileged-format buffer and need checking on the kernel side.
 */
typedef struct npf_ioctl_ent {
	int		alen;
	npf_addr_t	addr;
	npf_netmask_t	mask;
} npf_ioctl_ent_t;
291
/*
 * User-space buffer descriptor: `buf' is a pointer in the caller's address
 * space, so the kernel must copy in/out at most `len' bytes and never
 * dereference it directly.
 */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;
296
/*
 * Argument of IOC_NPF_TABLE.  `nct_name' is a user-space string pointer and
 * is expected to be copied in with a bound of NPF_TABLE_MAXNAMELEN; which
 * union member is valid depends on `nct_cmd' (ent for lookup/add/remove,
 * buf for list -- confirm against the ioctl handler).
 */
typedef struct npf_ioctl_table {
	int		nct_cmd;
	const char *	nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;
305
306 /*
307 * IOCTL operations.
308 */
309
/*
 * ioctl numbers.  Note that 106 is not defined here.  IOC_NPF_STATS passes
 * a user pointer; the kernel presumably copies out NPF_STATS_SIZE bytes to
 * it, so userland must supply a buffer at least that large.
 */
#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_LOAD		_IOWR('N', 102, struct plistref)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SAVE		_IOR('N', 105, struct plistref)
#define	IOC_NPF_RULE		_IOWR('N', 107, struct plistref)
317
318 /*
319 * Statistics counters.
320 */
321
/*
 * Statistics counter indices.  The values are positions in the array sized
 * by NPF_STATS_SIZE and are visible to userland, so insert new counters
 * before NPF_STATS_COUNT only and keep NPF_STATS_COUNT last.
 */
typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;
355
/* Byte size of the counter array: one uint64_t per npf_stats_t value. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
357
358 #endif /* _NPF_NET_H_ */
359