1 /* $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */ 2 3 /* 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 */ 32 33 #ifndef _NET_PFVAR_H_ 34 #define _NET_PFVAR_H_ 35 36 #include <sys/types.h> 37 #include <sys/queue.h> 38 #include <sys/tree.h> 39 40 #include <net/radix.h> 41 #include <netinet/ip_ipsp.h> 42 #include <netinet/tcp_fsm.h> 43 44 struct ip; 45 46 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 47 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 48 49 enum { PF_INOUT, PF_IN, PF_OUT }; 50 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT, 51 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; 52 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 53 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 54 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 55 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 56 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 57 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 58 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 59 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 60 /* 61 * Note about PFTM_*: real indices into pf_rule.timeout[] come before 62 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 63 */ 64 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 65 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 66 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 67 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 68 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 69 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, 70 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_MAX, 71 PFTM_PURGE, PFTM_UNTIL_PACKET }; 72 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; 73 enum { PF_LIMIT_STATES, PF_LIMIT_FRAGS, PF_LIMIT_MAX }; 74 #define PF_POOL_IDMASK 0x0f 75 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 76 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 77 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 78 PF_ADDR_TABLE }; 79 #define PF_POOL_TYPEMASK 0x0f 80 #define PF_WSCALE_FLAG 0x80 81 #define PF_WSCALE_MASK 0x0f 82 83 struct pf_addr { 84 union { 85 struct in_addr v4; 86 struct in6_addr v6; 87 u_int8_t addr8[16]; 88 u_int16_t addr16[8]; 89 u_int32_t addr32[4]; 90 } pfa; /* 128-bit address */ 91 #define v4 pfa.v4 92 #define v6 pfa.v6 93 #define addr8 pfa.addr8 94 #define addr16 pfa.addr16 95 #define addr32 pfa.addr32 96 }; 97 98 #define PF_TABLE_NAME_SIZE 32 99 100 struct pf_addr_wrap { 101 union { 102 struct { 103 struct pf_addr addr; 104 struct pf_addr mask; 105 } a; 106 char ifname[IFNAMSIZ]; 107 char tblname[PF_TABLE_NAME_SIZE]; 108 } v; 109 union { 110 struct pf_addr_dyn *dyn; 111 struct pfr_ktable *tbl; 112 int tblcnt; 113 } p; 114 u_int8_t type; /* PF_ADDR_* */ 115 }; 116 117 struct pf_addr_dyn { 118 char ifname[IFNAMSIZ]; 119 struct ifnet *ifp; 120 struct pf_addr *addr; 121 sa_family_t af; 122 void *hook_cookie; 123 u_int8_t undefined; 124 }; 125 126 /* 127 * Address manipulation macros 128 */ 129 130 #ifdef _KERNEL 131 132 #ifdef INET 133 #ifndef INET6 134 #define PF_INET_ONLY 135 #endif /* ! INET6 */ 136 #endif /* INET */ 137 138 #ifdef INET6 139 #ifndef INET 140 #define PF_INET6_ONLY 141 #endif /* ! INET */ 142 #endif /* INET6 */ 143 144 #ifdef INET 145 #ifdef INET6 146 #define PF_INET_INET6 147 #endif /* INET6 */ 148 #endif /* INET */ 149 150 #else 151 152 #define PF_INET_INET6 153 154 #endif /* _KERNEL */ 155 156 /* Both IPv4 and IPv6 */ 157 #ifdef PF_INET_INET6 158 159 #define PF_AEQ(a, b, c) \ 160 ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \ 161 ((a)->addr32[3] == (b)->addr32[3] && \ 162 (a)->addr32[2] == (b)->addr32[2] && \ 163 (a)->addr32[1] == (b)->addr32[1] && \ 164 (a)->addr32[0] == (b)->addr32[0])) \ 165 166 #define PF_ANEQ(a, b, c) \ 167 ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ 168 ((a)->addr32[3] != (b)->addr32[3] || \ 169 (a)->addr32[2] != (b)->addr32[2] || \ 170 (a)->addr32[1] != (b)->addr32[1] || \ 171 (a)->addr32[0] != (b)->addr32[0])) \ 172 173 #define PF_AZERO(a, c) \ 174 ((c == AF_INET && !(a)->addr32[0]) || \ 175 (!(a)->addr32[0] && !(a)->addr32[1] && \ 176 !(a)->addr32[2] && !(a)->addr32[3] )) \ 177 178 #define PF_MATCHA(n, a, m, b, f) \ 179 pf_match_addr(n, a, m, b, f) 180 181 #define PF_ACPY(a, b, f) \ 182 pf_addrcpy(a, b, f) 183 184 #define PF_AINC(a, f) \ 185 pf_addr_inc(a, f) 186 187 #define PF_POOLMASK(a, b, c, d, f) \ 188 pf_poolmask(a, b, c, d, f) 189 190 #else 191 192 /* Just IPv6 */ 193 194 #ifdef PF_INET6_ONLY 195 196 #define PF_AEQ(a, b, c) \ 197 ((a)->addr32[3] == (b)->addr32[3] && \ 198 (a)->addr32[2] == (b)->addr32[2] && \ 199 (a)->addr32[1] == (b)->addr32[1] && \ 200 (a)->addr32[0] == (b)->addr32[0]) \ 201 202 #define PF_ANEQ(a, b, c) \ 203 ((a)->addr32[3] != (b)->addr32[3] || \ 204 (a)->addr32[2] != (b)->addr32[2] || \ 205 (a)->addr32[1] != (b)->addr32[1] || \ 206 (a)->addr32[0] != (b)->addr32[0]) \ 207 208 #define PF_AZERO(a, c) \ 209 (!(a)->addr32[0] && \ 210 !(a)->addr32[1] && \ 211 !(a)->addr32[2] && \ 212 !(a)->addr32[3] ) \ 213 214 #define PF_MATCHA(n, a, m, b, f) \ 215 pf_match_addr(n, a, m, b, f) 216 217 #define PF_ACPY(a, b, f) \ 218 pf_addrcpy(a, b, f) 219 220 #define PF_AINC(a, f) \ 221 pf_addr_inc(a, f) 222 223 #define PF_POOLMASK(a, b, c, d, f) \ 224 pf_poolmask(a, b, c, d, f) 225 226 #else 227 228 /* Just IPv4 */ 229 #ifdef PF_INET_ONLY 230 231 #define PF_AEQ(a, b, c) \ 232 ((a)->addr32[0] == (b)->addr32[0]) 233 234 #define PF_ANEQ(a, b, c) \ 235 ((a)->addr32[0] != (b)->addr32[0]) 236 237 #define PF_AZERO(a, c) \ 238 (!(a)->addr32[0]) 239 240 #define PF_MATCHA(n, a, m, b, f) \ 241 pf_match_addr(n, a, m, b, f) 242 243 #define PF_ACPY(a, b, f) \ 244 (a)->v4.s_addr = (b)->v4.s_addr 245 246 #define PF_AINC(a, f) \ 247 do { \ 248 (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \ 249 } while (0) 250 251 #define PF_POOLMASK(a, b, c, d, f) \ 252 do { \ 253 (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \ 254 (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \ 255 } while (0) 256 257 #endif /* PF_INET_ONLY */ 258 #endif /* PF_INET6_ONLY */ 259 #endif /* PF_INET_INET6 */ 260 261 #define PF_MISMATCHAW(aw, x, af, not) \ 262 ( \ 263 (((aw)->type == PF_ADDR_NOROUTE && \ 264 pf_routable((x), (af))) || \ 265 ((aw)->type == PF_ADDR_TABLE && \ 266 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 267 ((aw)->type == PF_ADDR_DYNIFTL && \ 268 ((aw)->p.dyn->undefined || \ 269 (!PF_AZERO(&(aw)->v.a.mask, (af)) && \ 270 !PF_MATCHA(0, &(aw)->v.a.addr, \ 271 &(aw)->v.a.mask, (x), (af))))) || \ 272 ((aw)->type == PF_ADDR_ADDRMASK && \ 273 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 274 !PF_MATCHA(0, &(aw)->v.a.addr, \ 275 &(aw)->v.a.mask, (x), (af)))) != \ 276 (not) \ 277 ) 278 279 struct pf_rule_uid { 280 uid_t uid[2]; 281 u_int8_t op; 282 }; 283 284 struct pf_rule_gid { 285 uid_t gid[2]; 286 u_int8_t op; 287 }; 288 289 struct pf_rule_addr { 290 struct pf_addr_wrap addr; 291 u_int16_t port[2]; 292 u_int8_t not; 293 u_int8_t port_op; 294 }; 295 296 struct pf_pooladdr { 297 struct pf_addr_wrap addr; 298 TAILQ_ENTRY(pf_pooladdr) entries; 299 char ifname[IFNAMSIZ]; 300 struct ifnet *ifp; 301 }; 302 303 TAILQ_HEAD(pf_palist, pf_pooladdr); 304 305 struct pf_poolhashkey { 306 union { 307 u_int8_t key8[16]; 308 u_int16_t key16[8]; 309 u_int32_t key32[4]; 310 } pfk; /* 128-bit hash key */ 311 #define key8 pfk.key8 312 #define key16 pfk.key16 313 #define key32 pfk.key32 314 }; 315 316 struct pf_pool { 317 struct pf_palist list; 318 struct pf_pooladdr *cur; 319 struct pf_poolhashkey key; 320 struct pf_addr counter; 321 int tblidx; 322 u_int16_t proxy_port[2]; 323 u_int8_t port_op; 324 u_int8_t opts; 325 }; 326 327 328 /* A packed Operating System description for fingerprinting */ 329 typedef u_int32_t pf_osfp_t; 330 #define PF_OSFP_ANY ((pf_osfp_t)0) 331 #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1) 332 #define PF_OSFP_NOMATCH ((pf_osfp_t)-2) 333 334 struct pf_osfp_entry { 335 SLIST_ENTRY(pf_osfp_entry) fp_entry; 336 pf_osfp_t fp_os; 337 int fp_enflags; 338 #define PF_OSFP_EXPANDED 0x001 /* expanded entry */ 339 #define PF_OSFP_GENERIC 0x002 /* generic signature */ 340 #define PF_OSFP_NODETAIL 0x004 /* no p0f details */ 341 #define PF_OSFP_LEN 32 342 char fp_class_nm[PF_OSFP_LEN]; 343 char fp_version_nm[PF_OSFP_LEN]; 344 char fp_subtype_nm[PF_OSFP_LEN]; 345 }; 346 #define PF_OSFP_ENTRY_EQ(a, b) \ 347 ((a)->fp_os == (b)->fp_os && \ 348 memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \ 349 memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \ 350 memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0) 351 352 /* handle pf_osfp_t packing */ 353 #define _FP_RESERVED_BIT 1 /* For the special negative #defines */ 354 #define _FP_UNUSED_BITS 1 355 #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */ 356 #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */ 357 #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */ 358 #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \ 359 (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \ 360 ((1 << _FP_CLASS_BITS) - 1); \ 361 (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \ 362 ((1 << _FP_VERSION_BITS) - 1);\ 363 (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \ 364 } while(0) 365 #define PF_OSFP_PACK(osfp, class, version, subtype) do { \ 366 (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \ 367 + _FP_SUBTYPE_BITS); \ 368 (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \ 369 _FP_SUBTYPE_BITS; \ 370 (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \ 371 } while(0) 372 373 /* the fingerprint of an OSes TCP SYN packet */ 374 typedef u_int64_t pf_tcpopts_t; 375 struct pf_os_fingerprint { 376 SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */ 377 pf_tcpopts_t fp_tcpopts; /* packed TCP options */ 378 u_int16_t fp_wsize; /* TCP window size */ 379 u_int16_t fp_psize; /* ip->ip_len */ 380 u_int16_t fp_mss; /* TCP MSS */ 381 u_int16_t fp_flags; 382 #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */ 383 #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */ 384 #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */ 385 #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */ 386 #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */ 387 #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */ 388 #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */ 389 #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */ 390 #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */ 391 #define PF_OSFP_MSS 0x0200 /* TCP MSS */ 392 #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */ 393 #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */ 394 #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */ 395 #define PF_OSFP_TS0 0x2000 /* Zero timestamp */ 396 u_int8_t fp_optcnt; /* TCP option count */ 397 u_int8_t fp_wscale; /* TCP window scaling */ 398 u_int8_t fp_ttl; /* IPv4 TTL */ 399 #define PF_OSFP_MAXTTL_OFFSET 40 400 /* TCP options packing */ 401 #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */ 402 #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */ 403 #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */ 404 #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */ 405 #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */ 406 #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */ 407 #define PF_OSFP_MAX_OPTS \ 408 (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \ 409 / PF_OSFP_TCPOPT_BITS 410 411 SLIST_ENTRY(pf_os_fingerprint) fp_next; 412 }; 413 414 struct pf_osfp_ioctl { 415 struct pf_osfp_entry fp_os; 416 pf_tcpopts_t fp_tcpopts; /* packed TCP options */ 417 u_int16_t fp_wsize; /* TCP window size */ 418 u_int16_t fp_psize; /* ip->ip_len */ 419 u_int16_t fp_mss; /* TCP MSS */ 420 u_int16_t fp_flags; 421 u_int8_t fp_optcnt; /* TCP option count */ 422 u_int8_t fp_wscale; /* TCP window scaling */ 423 u_int8_t fp_ttl; /* IPv4 TTL */ 424 425 int fp_getnum; /* DIOCOSFPGET number */ 426 }; 427 428 429 union pf_rule_ptr { 430 struct pf_rule *ptr; 431 u_int32_t nr; 432 }; 433 434 struct pf_rule { 435 struct pf_rule_addr src; 436 struct pf_rule_addr dst; 437 #define PF_SKIP_IFP 0 438 #define PF_SKIP_DIR 1 439 #define PF_SKIP_AF 2 440 #define PF_SKIP_PROTO 3 441 #define PF_SKIP_SRC_ADDR 4 442 #define PF_SKIP_SRC_PORT 5 443 #define PF_SKIP_DST_ADDR 6 444 #define PF_SKIP_DST_PORT 7 445 #define PF_SKIP_COUNT 8 446 union pf_rule_ptr skip[PF_SKIP_COUNT]; 447 #define PF_RULE_LABEL_SIZE 64 448 char label[PF_RULE_LABEL_SIZE]; 449 u_int32_t timeout[PFTM_MAX]; 450 #define PF_QNAME_SIZE 16 451 char ifname[IFNAMSIZ]; 452 char qname[PF_QNAME_SIZE]; 453 char pqname[PF_QNAME_SIZE]; 454 #define PF_ANCHOR_NAME_SIZE 16 455 char anchorname[PF_ANCHOR_NAME_SIZE]; 456 #define PF_TAG_NAME_SIZE 16 457 char tagname[PF_TAG_NAME_SIZE]; 458 char match_tagname[PF_TAG_NAME_SIZE]; 459 460 TAILQ_ENTRY(pf_rule) entries; 461 struct pf_pool rpool; 462 463 u_int64_t evaluations; 464 u_int64_t packets; 465 u_int64_t bytes; 466 467 struct ifnet *ifp; 468 struct pf_anchor *anchor; 469 470 pf_osfp_t os_fingerprint; 471 u_int32_t states; 472 u_int32_t max_states; 473 u_int32_t qid; 474 u_int32_t pqid; 475 u_int32_t rt_listid; 476 u_int32_t nr; 477 478 u_int16_t return_icmp; 479 u_int16_t return_icmp6; 480 u_int16_t max_mss; 481 u_int16_t tag; 482 u_int16_t match_tag; 483 484 struct pf_rule_uid uid; 485 struct pf_rule_gid gid; 486 487 u_int32_t rule_flag; 488 u_int8_t action; 489 u_int8_t direction; 490 u_int8_t log; 491 u_int8_t quick; 492 u_int8_t ifnot; 493 u_int8_t match_tag_not; 494 u_int8_t natpass; 495 496 #define PF_STATE_NORMAL 0x1 497 #define PF_STATE_MODULATE 0x2 498 #define PF_STATE_SYNPROXY 0x3 499 u_int8_t keep_state; 500 sa_family_t af; 501 u_int8_t proto; 502 u_int8_t type; 503 u_int8_t code; 504 u_int8_t flags; 505 u_int8_t flagset; 506 u_int8_t min_ttl; 507 u_int8_t allow_opts; 508 u_int8_t rt; 509 u_int8_t return_ttl; 510 u_int8_t tos; 511 }; 512 513 /* rule flags */ 514 #define PFRULE_DROP 0x0000 515 #define PFRULE_RETURNRST 0x0001 516 #define PFRULE_FRAGMENT 0x0002 517 #define PFRULE_RETURNICMP 0x0004 518 #define PFRULE_RETURN 0x0008 519 520 /* scrub flags */ 521 #define PFRULE_NODF 0x0100 522 #define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ 523 #define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ 524 #define PFRULE_RANDOMID 0x0800 525 #define PFRULE_REASSEMBLE_TCP 0x1000 526 527 #define PFSTATE_HIWAT 10000 /* default state table size */ 528 529 530 struct pf_state_scrub { 531 u_int16_t pfss_flags; 532 #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 533 u_int8_t pfss_ttl; /* stashed TTL */ 534 u_int8_t pad; 535 u_int32_t pfss_ts_mod; /* timestamp modulation */ 536 }; 537 538 struct pf_state_host { 539 struct pf_addr addr; 540 u_int16_t port; 541 u_int16_t pad; 542 }; 543 544 struct pf_state_peer { 545 u_int32_t seqlo; /* Max sequence number sent */ 546 u_int32_t seqhi; /* Max the other end ACKd + win */ 547 u_int32_t seqdiff; /* Sequence number modulator */ 548 u_int16_t max_win; /* largest window (pre scaling) */ 549 u_int8_t state; /* active state level */ 550 u_int8_t wscale; /* window scaling factor */ 551 u_int16_t mss; /* Maximum segment size option */ 552 struct pf_state_scrub *scrub; /* state is scrubbed */ 553 }; 554 555 struct pf_state { 556 struct pf_state_host lan; 557 struct pf_state_host gwy; 558 struct pf_state_host ext; 559 struct pf_state_peer src; 560 struct pf_state_peer dst; 561 union pf_rule_ptr rule; 562 union pf_rule_ptr anchor; 563 union pf_rule_ptr nat_rule; 564 struct pf_addr rt_addr; 565 struct ifnet *rt_ifp; 566 u_int32_t creation; 567 u_int32_t expire; 568 u_int32_t packets[2]; 569 u_int32_t bytes[2]; 570 sa_family_t af; 571 u_int8_t proto; 572 u_int8_t direction; 573 u_int8_t log; 574 u_int8_t allow_opts; 575 u_int8_t timeout; 576 u_int8_t pad[2]; 577 }; 578 579 struct pf_tree_node { 580 RB_ENTRY(pf_tree_node) entry; 581 struct pf_state *state; 582 struct pf_addr addr[2]; 583 u_int16_t port[2]; 584 sa_family_t af; 585 u_int8_t proto; 586 }; 587 588 TAILQ_HEAD(pf_rulequeue, pf_rule); 589 590 struct pf_anchor; 591 592 struct pf_ruleset { 593 TAILQ_ENTRY(pf_ruleset) entries; 594 #define PF_RULESET_NAME_SIZE 16 595 char name[PF_RULESET_NAME_SIZE]; 596 struct { 597 struct pf_rulequeue queues[2]; 598 struct { 599 struct pf_rulequeue *ptr; 600 u_int32_t ticket; 601 } active, inactive; 602 } rules[PF_RULESET_MAX]; 603 struct pf_anchor *anchor; 604 u_int32_t tticket; 605 int tables; 606 int topen; 607 }; 608 609 TAILQ_HEAD(pf_rulesetqueue, pf_ruleset); 610 611 struct pf_anchor { 612 TAILQ_ENTRY(pf_anchor) entries; 613 char name[PF_ANCHOR_NAME_SIZE]; 614 struct pf_rulesetqueue rulesets; 615 int tables; 616 }; 617 618 TAILQ_HEAD(pf_anchorqueue, pf_anchor); 619 620 #define PFR_TFLAG_PERSIST 0x00000001 621 #define PFR_TFLAG_CONST 0x00000002 622 #define PFR_TFLAG_ACTIVE 0x00000004 623 #define PFR_TFLAG_INACTIVE 0x00000008 624 #define PFR_TFLAG_REFERENCED 0x00000010 625 #define PFR_TFLAG_REFDANCHOR 0x00000020 626 #define PFR_TFLAG_USRMASK 0x00000003 627 #define PFR_TFLAG_SETMASK 0x0000003C 628 #define PFR_TFLAG_ALLMASK 0x0000003F 629 630 struct pfr_table { 631 char pfrt_anchor[PF_ANCHOR_NAME_SIZE]; 632 char pfrt_ruleset[PF_RULESET_NAME_SIZE]; 633 char pfrt_name[PF_TABLE_NAME_SIZE]; 634 u_int32_t pfrt_flags; 635 u_int8_t pfrt_fback; 636 }; 637 638 enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED, 639 PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE, 640 PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX }; 641 642 struct pfr_addr { 643 union { 644 struct in_addr _pfra_ip4addr; 645 struct in6_addr _pfra_ip6addr; 646 } pfra_u; 647 u_int8_t pfra_af; 648 u_int8_t pfra_net; 649 u_int8_t pfra_not; 650 u_int8_t pfra_fback; 651 }; 652 #define pfra_ip4addr pfra_u._pfra_ip4addr 653 #define pfra_ip6addr pfra_u._pfra_ip6addr 654 655 enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX }; 656 enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX }; 657 #define PFR_OP_XPASS PFR_OP_ADDR_MAX 658 659 struct pfr_astats { 660 struct pfr_addr pfras_a; 661 u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 662 u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 663 long pfras_tzero; 664 }; 665 666 enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX }; 667 668 struct pfr_tstats { 669 struct pfr_table pfrts_t; 670 u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 671 u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 672 u_int64_t pfrts_match; 673 u_int64_t pfrts_nomatch; 674 long pfrts_tzero; 675 int pfrts_cnt; 676 int pfrts_refcnt[PFR_REFCNT_MAX]; 677 }; 678 #define pfrts_name pfrts_t.pfrt_name 679 #define pfrts_flags pfrts_t.pfrt_flags 680 681 SLIST_HEAD(pfr_kentryworkq, pfr_kentry); 682 struct pfr_kentry { 683 struct radix_node pfrke_node[2]; 684 union sockaddr_union pfrke_sa; 685 u_int64_t pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 686 u_int64_t pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 687 SLIST_ENTRY(pfr_kentry) pfrke_workq; 688 long pfrke_tzero; 689 u_int8_t pfrke_af; 690 u_int8_t pfrke_net; 691 u_int8_t pfrke_not; 692 u_int8_t pfrke_mark; 693 }; 694 695 SLIST_HEAD(pfr_ktableworkq, pfr_ktable); 696 RB_HEAD(pfr_ktablehead, pfr_ktable); 697 struct pfr_ktable { 698 struct pfr_tstats pfrkt_ts; 699 RB_ENTRY(pfr_ktable) pfrkt_tree; 700 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 701 struct radix_node_head *pfrkt_ip4; 702 struct radix_node_head *pfrkt_ip6; 703 struct pfr_ktable *pfrkt_shadow; 704 struct pfr_ktable *pfrkt_root; 705 struct pf_ruleset *pfrkt_rs; 706 int pfrkt_nflags; 707 }; 708 #define pfrkt_t pfrkt_ts.pfrts_t 709 #define pfrkt_name pfrkt_t.pfrt_name 710 #define pfrkt_anchor pfrkt_t.pfrt_anchor 711 #define pfrkt_ruleset pfrkt_t.pfrt_ruleset 712 #define pfrkt_flags pfrkt_t.pfrt_flags 713 #define pfrkt_cnt pfrkt_ts.pfrts_cnt 714 #define pfrkt_refcnt pfrkt_ts.pfrts_refcnt 715 #define pfrkt_packets pfrkt_ts.pfrts_packets 716 #define pfrkt_bytes pfrkt_ts.pfrts_bytes 717 #define pfrkt_match pfrkt_ts.pfrts_match 718 #define pfrkt_nomatch pfrkt_ts.pfrts_nomatch 719 #define pfrkt_tzero pfrkt_ts.pfrts_tzero 720 721 struct pf_pdesc { 722 u_int64_t tot_len; /* Make Mickey money */ 723 union { 724 struct tcphdr *tcp; 725 struct udphdr *udp; 726 struct icmp *icmp; 727 #ifdef INET6 728 struct icmp6_hdr *icmp6; 729 #endif /* INET6 */ 730 void *any; 731 } hdr; 732 struct pf_addr *src; 733 struct pf_addr *dst; 734 u_int16_t *ip_sum; 735 u_int32_t p_len; /* total length of payload */ 736 u_int16_t flags; /* Let SCRUB trigger behavior in 737 * state code. Easier than tags */ 738 #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 739 sa_family_t af; 740 u_int8_t proto; 741 u_int8_t tos; 742 }; 743 744 /* flags for RDR options */ 745 #define PF_DPORT_RANGE 0x01 /* Dest port uses range */ 746 #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */ 747 748 /* Reasons code for passing/dropping a packet */ 749 #define PFRES_MATCH 0 /* Explicit match of a rule */ 750 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ 751 #define PFRES_FRAG 2 /* Dropping following fragment */ 752 #define PFRES_SHORT 3 /* Dropping short packet */ 753 #define PFRES_NORM 4 /* Dropping by normalizer */ 754 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */ 755 #define PFRES_MAX 6 /* total+1 */ 756 757 #define PFRES_NAMES { \ 758 "match", \ 759 "bad-offset", \ 760 "fragment", \ 761 "short", \ 762 "normalize", \ 763 "memory", \ 764 NULL \ 765 } 766 767 /* UDP state enumeration */ 768 #define PFUDPS_NO_TRAFFIC 0 769 #define PFUDPS_SINGLE 1 770 #define PFUDPS_MULTIPLE 2 771 772 #define PFUDPS_NSTATES 3 /* number of state levels */ 773 774 #define PFUDPS_NAMES { \ 775 "NO_TRAFFIC", \ 776 "SINGLE", \ 777 "MULTIPLE", \ 778 NULL \ 779 } 780 781 /* Other protocol state enumeration */ 782 #define PFOTHERS_NO_TRAFFIC 0 783 #define PFOTHERS_SINGLE 1 784 #define PFOTHERS_MULTIPLE 2 785 786 #define PFOTHERS_NSTATES 3 /* number of state levels */ 787 788 #define PFOTHERS_NAMES { \ 789 "NO_TRAFFIC", \ 790 "SINGLE", \ 791 "MULTIPLE", \ 792 NULL \ 793 } 794 795 #define FCNT_STATE_SEARCH 0 796 #define FCNT_STATE_INSERT 1 797 #define FCNT_STATE_REMOVALS 2 798 #define FCNT_MAX 3 799 800 801 #define ACTION_SET(a, x) \ 802 do { \ 803 if ((a) != NULL) \ 804 *(a) = (x); \ 805 } while (0) 806 807 #define REASON_SET(a, x) \ 808 do { \ 809 if ((a) != NULL) \ 810 *(a) = (x); \ 811 if (x < PFRES_MAX) \ 812 pf_status.counters[x]++; \ 813 } while (0) 814 815 struct pf_status { 816 u_int64_t counters[PFRES_MAX]; 817 u_int64_t fcounters[FCNT_MAX]; 818 u_int64_t pcounters[2][2][3]; 819 u_int64_t bcounters[2][2]; 820 u_int32_t running; 821 u_int32_t states; 822 u_int32_t since; 823 u_int32_t debug; 824 char ifname[IFNAMSIZ]; 825 }; 826 827 struct cbq_opts { 828 u_int minburst; 829 u_int maxburst; 830 u_int pktsize; 831 u_int maxpktsize; 832 u_int ns_per_byte; 833 u_int maxidle; 834 int minidle; 835 u_int offtime; 836 int flags; 837 }; 838 839 struct priq_opts { 840 int flags; 841 }; 842 843 struct hfsc_opts { 844 /* real-time service curve */ 845 u_int rtsc_m1; /* slope of the 1st segment in bps */ 846 u_int rtsc_d; /* the x-projection of m1 in msec */ 847 u_int rtsc_m2; /* slope of the 2nd segment in bps */ 848 /* link-sharing service curve */ 849 u_int lssc_m1; 850 u_int lssc_d; 851 u_int lssc_m2; 852 /* upper-limit service curve */ 853 u_int ulsc_m1; 854 u_int ulsc_d; 855 u_int ulsc_m2; 856 int flags; 857 }; 858 859 struct pf_altq { 860 char ifname[IFNAMSIZ]; 861 862 void *altq_disc; /* discipline-specific state */ 863 TAILQ_ENTRY(pf_altq) entries; 864 865 /* scheduler spec */ 866 u_int8_t scheduler; /* scheduler type */ 867 u_int16_t tbrsize; /* tokenbucket regulator size */ 868 u_int32_t ifbandwidth; /* interface bandwidth */ 869 870 /* queue spec */ 871 char qname[PF_QNAME_SIZE]; /* queue name */ 872 char parent[PF_QNAME_SIZE]; /* parent name */ 873 u_int32_t parent_qid; /* parent queue id */ 874 u_int32_t bandwidth; /* queue bandwidth */ 875 u_int8_t priority; /* priority */ 876 u_int16_t qlimit; /* queue size limit */ 877 u_int16_t flags; /* misc flags */ 878 union { 879 struct cbq_opts cbq_opts; 880 struct priq_opts priq_opts; 881 struct hfsc_opts hfsc_opts; 882 } pq_u; 883 884 u_int32_t qid; /* return value */ 885 }; 886 887 struct pf_tag { 888 u_int16_t tag; /* tag id */ 889 }; 890 891 struct pf_tagname { 892 TAILQ_ENTRY(pf_tagname) entries; 893 char name[PF_TAG_NAME_SIZE]; 894 u_int16_t tag; 895 int ref; 896 }; 897 898 #define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */ 899 #define PFFRAG_FRAG_HIWAT 1000 /* Number of fragmented packets */ 900 #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */ 901 #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */ 902 903 /* 904 * ioctl parameter structures 905 */ 906 907 struct pfioc_pooladdr { 908 u_int32_t action; 909 u_int32_t ticket; 910 u_int32_t nr; 911 u_int32_t r_num; 912 u_int8_t r_action; 913 u_int8_t r_last; 914 u_int8_t af; 915 char anchor[PF_ANCHOR_NAME_SIZE]; 916 char ruleset[PF_RULESET_NAME_SIZE]; 917 struct pf_pooladdr addr; 918 }; 919 920 struct pfioc_rule { 921 u_int32_t action; 922 u_int32_t ticket; 923 u_int32_t pool_ticket; 924 u_int32_t nr; 925 char anchor[PF_ANCHOR_NAME_SIZE]; 926 char ruleset[PF_RULESET_NAME_SIZE]; 927 struct pf_rule rule; 928 }; 929 930 struct pfioc_natlook { 931 struct pf_addr saddr; 932 struct pf_addr daddr; 933 struct pf_addr rsaddr; 934 struct pf_addr rdaddr; 935 u_int16_t sport; 936 u_int16_t dport; 937 u_int16_t rsport; 938 u_int16_t rdport; 939 sa_family_t af; 940 u_int8_t proto; 941 u_int8_t direction; 942 }; 943 944 struct pfioc_state { 945 u_int32_t nr; 946 struct pf_state state; 947 }; 948 949 struct pfioc_state_kill { 950 /* XXX returns the number of states killed in psk_af */ 951 sa_family_t psk_af; 952 int psk_proto; 953 struct pf_rule_addr psk_src; 954 struct pf_rule_addr psk_dst; 955 }; 956 957 struct pfioc_states { 958 int ps_len; 959 union { 960 caddr_t psu_buf; 961 struct pf_state *psu_states; 962 } ps_u; 963 #define ps_buf ps_u.psu_buf 964 #define ps_states ps_u.psu_states 965 }; 966 967 struct pfioc_if { 968 char ifname[IFNAMSIZ]; 969 }; 970 971 struct pfioc_tm { 972 int timeout; 973 int seconds; 974 }; 975 976 struct pfioc_limit { 977 int index; 978 unsigned limit; 979 }; 980 981 struct pfioc_altq { 982 u_int32_t action; 983 u_int32_t ticket; 984 u_int32_t nr; 985 struct pf_altq altq; 986 }; 987 988 struct pfioc_qstats { 989 u_int32_t ticket; 990 u_int32_t nr; 991 void *buf; 992 int nbytes; 993 u_int8_t scheduler; 994 }; 995 996 struct pfioc_anchor { 997 u_int32_t nr; 998 char name[PF_ANCHOR_NAME_SIZE]; 999 }; 1000 1001 struct pfioc_ruleset { 1002 u_int32_t nr; 1003 char anchor[PF_ANCHOR_NAME_SIZE]; 1004 char name[PF_RULESET_NAME_SIZE]; 1005 }; 1006 1007 #define PFR_FLAG_ATOMIC 0x00000001 1008 #define PFR_FLAG_DUMMY 0x00000002 1009 #define PFR_FLAG_FEEDBACK 0x00000004 1010 #define PFR_FLAG_CLSTATS 0x00000008 1011 #define PFR_FLAG_ADDRSTOO 0x00000010 1012 #define PFR_FLAG_REPLACE 0x00000020 1013 #define PFR_FLAG_ALLRSETS 0x00000040 1014 #define PFR_FLAG_ALLMASK 0x0000007F 1015 1016 struct pfioc_table { 1017 struct pfr_table pfrio_table; 1018 void *pfrio_buffer; 1019 int pfrio_esize; 1020 int pfrio_size; 1021 int pfrio_size2; 1022 int pfrio_nadd; 1023 int pfrio_ndel; 1024 int pfrio_nchange; 1025 int pfrio_flags; 1026 u_int32_t pfrio_ticket; 1027 }; 1028 #define pfrio_exists pfrio_nadd 1029 #define pfrio_nzero pfrio_nadd 1030 #define pfrio_nmatch pfrio_nadd 1031 #define pfrio_naddr pfrio_size2 1032 #define pfrio_setflag pfrio_size2 1033 #define pfrio_clrflag pfrio_nadd 1034 1035 1036 /* 1037 * ioctl operations 1038 */ 1039 1040 #define DIOCSTART _IO ('D', 1) 1041 #define DIOCSTOP _IO ('D', 2) 1042 #define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule) 1043 #define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1044 #define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule) 1045 #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1046 #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1047 /* XXX cut 8 - 17 */ 1048 #define DIOCCLRSTATES _IO ('D', 18) 1049 #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1050 #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1051 #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1052 #define DIOCCLRSTATUS _IO ('D', 22) 1053 #define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1054 #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1055 #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1056 #define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) 1057 /* XXX cut 26 - 28 */ 1058 #define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm) 1059 #define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm) 1060 #define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state) 1061 #define DIOCCLRRULECTRS _IO ('D', 38) 1062 #define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit) 1063 #define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit) 1064 #define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill) 1065 #define DIOCSTARTALTQ _IO ('D', 42) 1066 #define DIOCSTOPALTQ _IO ('D', 43) 1067 #define DIOCBEGINALTQS _IOWR('D', 44, u_int32_t) 1068 #define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq) 1069 #define DIOCCOMMITALTQS _IOWR('D', 46, u_int32_t) 1070 #define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq) 1071 #define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq) 1072 #define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq) 1073 #define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats) 1074 #define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr) 1075 #define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr) 1076 #define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr) 1077 #define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr) 1078 #define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr) 1079 #define DIOCGETANCHORS _IOWR('D', 56, struct pfioc_anchor) 1080 #define DIOCGETANCHOR _IOWR('D', 57, struct pfioc_anchor) 1081 #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset) 1082 #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset) 1083 #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table) 1084 #define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table) 1085 #define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table) 1086 #define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table) 1087 #define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table) 1088 #define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table) 1089 #define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table) 1090 #define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table) 1091 #define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table) 1092 #define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table) 1093 #define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table) 1094 #define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table) 1095 #define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table) 1096 #define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1097 #define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1098 #define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table) 1099 #define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table) 1100 #define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1101 #define DIOCOSFPFLUSH _IO('D', 78) 1102 #define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1103 #define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) 1104 1105 #ifdef _KERNEL 1106 RB_HEAD(pf_state_tree, pf_tree_node); 1107 RB_PROTOTYPE(pf_state_tree, pf_tree_node, entry, pf_state_compare); 1108 extern struct pf_state_tree tree_lan_ext, tree_ext_gwy; 1109 1110 extern struct pf_anchorqueue pf_anchors; 1111 extern struct pf_ruleset pf_main_ruleset; 1112 TAILQ_HEAD(pf_poolqueue, pf_pool); 1113 extern struct pf_poolqueue pf_pools[2]; 1114 TAILQ_HEAD(pf_altqqueue, pf_altq); 1115 extern struct pf_altqqueue pf_altqs[2]; 1116 extern struct pf_palist pf_pabuf; 1117 1118 1119 extern u_int32_t ticket_altqs_active; 1120 extern u_int32_t ticket_altqs_inactive; 1121 extern u_int32_t ticket_pabuf; 1122 extern struct pf_altqqueue *pf_altqs_active; 1123 extern struct pf_altqqueue *pf_altqs_inactive; 1124 extern struct pf_poolqueue *pf_pools_active; 1125 extern struct pf_poolqueue *pf_pools_inactive; 1126 extern int pf_tbladdr_setup(struct pf_ruleset *, 1127 struct pf_addr_wrap *); 1128 extern void pf_tbladdr_remove(struct pf_addr_wrap *); 1129 extern void pf_tbladdr_copyout(struct pf_addr_wrap *); 1130 extern int pf_dynaddr_setup(struct pf_addr_wrap *, 1131 sa_family_t); 1132 extern void pf_dynaddr_copyout(struct pf_addr_wrap *); 1133 extern void pf_dynaddr_remove(struct pf_addr_wrap *); 1134 extern void pf_calc_skip_steps(struct pf_rulequeue *); 1135 extern void pf_rule_set_qid(struct pf_rulequeue *); 1136 extern u_int32_t pf_qname_to_qid(char *); 1137 extern void pf_update_anchor_rules(void); 1138 extern struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl; 1139 extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1140 extern struct pool pf_state_scrub_pl; 1141 extern void pf_purge_timeout(void *); 1142 extern void pf_purge_expired_states(void); 1143 extern int pf_insert_state(struct pf_state *); 1144 extern struct pf_state *pf_find_state(struct pf_state_tree *, 1145 struct pf_tree_node *); 1146 extern struct pf_anchor *pf_find_anchor(const char *); 1147 extern struct pf_ruleset *pf_find_ruleset(char *, char *); 1148 extern struct pf_ruleset *pf_find_or_create_ruleset(char *, char *); 1149 extern void pf_remove_if_empty_ruleset( 1150 struct pf_ruleset *); 1151 1152 extern struct ifnet *status_ifp; 1153 extern struct pf_rule pf_default_rule; 1154 extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1155 u_int8_t); 1156 void pf_rm_rule(struct pf_rulequeue *, 1157 struct pf_rule *); 1158 1159 #ifdef INET 1160 int pf_test(int, struct ifnet *, struct mbuf **); 1161 #endif /* INET */ 1162 1163 #ifdef INET6 1164 int pf_test6(int, struct ifnet *, struct mbuf **); 1165 void pf_poolmask(struct pf_addr *, struct pf_addr*, 1166 struct pf_addr *, struct pf_addr *, u_int8_t); 1167 void pf_addr_inc(struct pf_addr *, sa_family_t); 1168 #endif /* INET6 */ 1169 1170 void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1171 sa_family_t); 1172 void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); 1173 int pflog_packet(struct ifnet *, struct mbuf *, sa_family_t, u_int8_t, 1174 u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); 1175 int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 1176 struct pf_addr *, sa_family_t); 1177 int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); 1178 int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 1179 int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 1180 int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); 1181 1182 void pf_normalize_init(void); 1183 int pf_normalize_ip(struct mbuf **, int, struct ifnet *, u_short *); 1184 int pf_normalize_ip6(struct mbuf **, int, struct ifnet *, u_short *); 1185 int pf_normalize_tcp(int, struct ifnet *, struct mbuf *, int, int, void *, 1186 struct pf_pdesc *); 1187 void pf_normalize_tcp_cleanup(struct pf_state *); 1188 int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 1189 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 1190 int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 1191 u_short *, struct tcphdr *, struct pf_state_peer *, 1192 struct pf_state_peer *, int *); 1193 u_int32_t 1194 pf_state_expires(const struct pf_state *); 1195 void pf_purge_expired_fragments(void); 1196 int pf_routable(struct pf_addr *addr, sa_family_t af); 1197 void pfr_initialize(void); 1198 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 1199 void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 1200 u_int64_t, int, int, int); 1201 int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, 1202 struct pf_addr **, struct pf_addr **, sa_family_t); 1203 struct pfr_ktable * 1204 pfr_attach_table(struct pf_ruleset *, char *); 1205 void pfr_detach_table(struct pfr_ktable *); 1206 int pfr_clr_tables(struct pfr_table *, int *, int); 1207 int pfr_add_tables(struct pfr_table *, int, int *, int); 1208 int pfr_del_tables(struct pfr_table *, int, int *, int); 1209 int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 1210 int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); 1211 int pfr_clr_tstats(struct pfr_table *, int, int *, int); 1212 int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int); 1213 int pfr_clr_addrs(struct pfr_table *, int *, int); 1214 int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1215 int); 1216 int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1217 int); 1218 int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1219 int *, int *, int *, int); 1220 int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 1221 int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 1222 int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 1223 int); 1224 int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1225 int); 1226 int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); 1227 int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 1228 int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 1229 int *, u_int32_t, int); 1230 1231 u_int16_t pf_tagname2tag(char *); 1232 void pf_tag2tagname(u_int16_t, char *); 1233 void pf_tag_unref(u_int16_t); 1234 int pf_tag_packet(struct mbuf *, struct pf_tag *, int); 1235 1236 extern struct pf_status pf_status; 1237 extern struct pool pf_frent_pl, pf_frag_pl; 1238 1239 struct pf_pool_limit { 1240 void *pp; 1241 unsigned limit; 1242 }; 1243 extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; 1244 1245 #endif /* _KERNEL */ 1246 1247 /* The fingerprint functions can be linked into userland programs (tcpdump) */ 1248 int pf_osfp_add(struct pf_osfp_ioctl *); 1249 #ifdef _KERNEL 1250 struct pf_osfp_enlist * 1251 pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int, 1252 const struct tcphdr *); 1253 #endif /* _KERNEL */ 1254 struct pf_osfp_enlist * 1255 pf_osfp_fingerprint_hdr(const struct ip *, const struct tcphdr *); 1256 void pf_osfp_flush(void); 1257 int pf_osfp_get(struct pf_osfp_ioctl *); 1258 void pf_osfp_initialize(void); 1259 int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); 1260 struct pf_os_fingerprint * 1261 pf_osfp_validate(void); 1262 1263 1264 #endif /* _NET_PFVAR_H_ */ 1265