Project

General

Profile

Statistics
| Revision:

root / lab4 / .minix-src / include / net / pfvar.h @ 14

History | View | Annotate | Download (52.5 KB)

1 13 up20180614
/*        $NetBSD: pfvar.h,v 1.22 2014/06/05 23:48:16 rmind Exp $        */
2
/*        $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */
3
4
/*
5
 * Copyright (c) 2001 Daniel Hartmeier
6
 * All rights reserved.
7
 *
8
 * Redistribution and use in source and binary forms, with or without
9
 * modification, are permitted provided that the following conditions
10
 * are met:
11
 *
12
 *    - Redistributions of source code must retain the above copyright
13
 *      notice, this list of conditions and the following disclaimer.
14
 *    - Redistributions in binary form must reproduce the above
15
 *      copyright notice, this list of conditions and the following
16
 *      disclaimer in the documentation and/or other materials provided
17
 *      with the distribution.
18
 *
19
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
20
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
21
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
22
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
23
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
24
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
25
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
26
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
29
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30
 * POSSIBILITY OF SUCH DAMAGE.
31
 *
32
 */
33
34
#ifndef _NET_PFVAR_H_
35
#define _NET_PFVAR_H_
36
37
#include <sys/param.h>
38
#include <sys/types.h>
39
#include <sys/queue.h>
40
#include <sys/tree.h>
41
#include <sys/rwlock.h>
42
43
#include <net/radix.h>
44
#if !defined(__NetBSD__) && !defined(__minix)
45
#include <net/route.h>
46
#include <netinet/ip_ipsp.h>
47
#else /* __NetBSD__ || __minix */
48
/* files above include netinet/in.h so include it too for compatibility */
49
#include <netinet/in.h>
50
#endif /* __NetBSD__ || __minix */
51
#include <netinet/tcp_fsm.h>
52
53
#if defined(__NetBSD__) && defined(_KERNEL)
54
#include <net/if_compat.h>
55
#include <net/pf_mtag.h>
56
#endif /* __NetBSD__ && _KERNEL */
57
58
struct ip;
59
struct ip6_hdr;
60
61
#define        PF_TCPS_PROXY_SRC        ((TCP_NSTATES)+0)
62
#define        PF_TCPS_PROXY_DST        ((TCP_NSTATES)+1)
63
64
#define        PF_MD5_DIGEST_LENGTH        16
65
#ifdef MD5_DIGEST_LENGTH
66
#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
67
#error
68
#endif
69
#endif
70
71
enum        { PF_INOUT, PF_IN, PF_OUT };
72
enum        { PF_LAN_EXT, PF_EXT_GWY, PF_ID };
73
enum        { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
74
          PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP };
75
enum        { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
76
          PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
77
enum        { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
78
          PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
79
enum        { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
80
enum        { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
81
          PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
82
          PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
83
enum        { PF_GET_NONE, PF_GET_CLR_CNTR };
84
85
/*
86
 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
87
 * PFTM_MAX, special cases afterwards. See pf_state_expires().
88
 */
89
enum        { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
90
          PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
91
          PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
92
          PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
93
          PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
94
          PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
95
          PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
96
          PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
97
          PFTM_UNTIL_PACKET };
98
99
/* PFTM default values */
100
#define PFTM_TCP_FIRST_PACKET_VAL        120        /* First TCP packet */
101
#define PFTM_TCP_OPENING_VAL                30        /* No response yet */
102
#define PFTM_TCP_ESTABLISHED_VAL        24*60*60/* Established */
103
#define PFTM_TCP_CLOSING_VAL                15 * 60        /* Half closed */
104
#define PFTM_TCP_FIN_WAIT_VAL                45        /* Got both FINs */
105
#define PFTM_TCP_CLOSED_VAL                90        /* Got a RST */
106
#define PFTM_UDP_FIRST_PACKET_VAL        60        /* First UDP packet */
107
#define PFTM_UDP_SINGLE_VAL                30        /* Unidirectional */
108
#define PFTM_UDP_MULTIPLE_VAL                60        /* Bidirectional */
109
#define PFTM_ICMP_FIRST_PACKET_VAL        20        /* First ICMP packet */
110
#define PFTM_ICMP_ERROR_REPLY_VAL        10        /* Got error response */
111
#define PFTM_OTHER_FIRST_PACKET_VAL        60        /* First packet */
112
#define PFTM_OTHER_SINGLE_VAL                30        /* Unidirectional */
113
#define PFTM_OTHER_MULTIPLE_VAL                60        /* Bidirectional */
114
#define PFTM_FRAG_VAL                        30        /* Fragment expire */
115
#define PFTM_INTERVAL_VAL                10        /* Expire interval */
116
#define PFTM_SRC_NODE_VAL                0        /* Source tracking */
117
#define PFTM_TS_DIFF_VAL                30        /* Allowed TS diff */
118
119
enum        { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
120
enum        { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
121
          PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
122
#define PF_POOL_IDMASK                0x0f
123
enum        { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
124
          PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
125
enum        { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
126
          PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED };
127
#define PF_POOL_TYPEMASK        0x0f
128
#define PF_POOL_STICKYADDR        0x20
129
#define        PF_WSCALE_FLAG                0x80
130
#define        PF_WSCALE_MASK                0x0f
131
132
#define        PF_LOG                        0x01
133
#define        PF_LOG_ALL                0x02
134
#define        PF_LOG_SOCKET_LOOKUP        0x04
135
136
struct pf_addr {
137
        union {
138
                struct in_addr                v4;
139
                struct in6_addr                v6;
140
                u_int8_t                addr8[16];
141
                u_int16_t                addr16[8];
142
                u_int32_t                addr32[4];
143
        } pfa;                    /* 128-bit address */
144
#define v4        pfa.v4
145
#define v6        pfa.v6
146
#define addr8        pfa.addr8
147
#define addr16        pfa.addr16
148
#define addr32        pfa.addr32
149
};
150
151
#define        PF_TABLE_NAME_SIZE         32
152
153
#define PFI_AFLAG_NETWORK        0x01
154
#define PFI_AFLAG_BROADCAST        0x02
155
#define PFI_AFLAG_PEER                0x04
156
#define PFI_AFLAG_MODEMASK        0x07
157
#define PFI_AFLAG_NOALIAS        0x08
158
159
#ifndef RTLABEL_LEN
160
#define RTLABEL_LEN        32
161
#endif
162
163
struct pf_addr_wrap {
164
        union {
165
                struct {
166
                        struct pf_addr                 addr;
167
                        struct pf_addr                 mask;
168
                }                         a;
169
                char                         ifname[IFNAMSIZ];
170
                char                         tblname[PF_TABLE_NAME_SIZE];
171
                char                         rtlabelname[RTLABEL_LEN];
172
                u_int32_t                 rtlabel;
173
        }                         v;
174
        union {
175
                struct pfi_dynaddr        *dyn;
176
                struct pfr_ktable        *tbl;
177
                int                         dyncnt;
178
                int                         tblcnt;
179
        }                         p;
180
        u_int8_t                 type;                /* PF_ADDR_* */
181
        u_int8_t                 iflags;        /* PFI_AFLAG_* */
182
};
183
184
#ifdef _KERNEL
185
186
struct pfi_dynaddr {
187
        TAILQ_ENTRY(pfi_dynaddr)         entry;
188
        struct pf_addr                         pfid_addr4;
189
        struct pf_addr                         pfid_mask4;
190
        struct pf_addr                         pfid_addr6;
191
        struct pf_addr                         pfid_mask6;
192
        struct pfr_ktable                *pfid_kt;
193
        struct pfi_kif                        *pfid_kif;
194
        void                                *pfid_hook_cookie;
195
        int                                 pfid_net;        /* mask or 128 */
196
        int                                 pfid_acnt4;        /* address count IPv4 */
197
        int                                 pfid_acnt6;        /* address count IPv6 */
198
        sa_family_t                         pfid_af;        /* rule af */
199
        u_int8_t                         pfid_iflags;        /* PFI_AFLAG_* */
200
};
201
202
/*
203
 * Address manipulation macros
204
 */
205
206
#ifdef INET
207
#ifndef INET6
208
#define PF_INET_ONLY
209
#endif /* ! INET6 */
210
#endif /* INET */
211
212
#ifdef INET6
213
#ifndef INET
214
#define PF_INET6_ONLY
215
#endif /* ! INET */
216
#endif /* INET6 */
217
218
#ifdef INET
219
#ifdef INET6
220
#define PF_INET_INET6
221
#endif /* INET6 */
222
#endif /* INET */
223
224
#else
225
226
#define PF_INET_INET6
227
228
#endif /* _KERNEL */
229
230
/* Both IPv4 and IPv6 */
231
#ifdef PF_INET_INET6
232
233
#define PF_AEQ(a, b, c) \
234
        ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
235
        ((a)->addr32[3] == (b)->addr32[3] && \
236
        (a)->addr32[2] == (b)->addr32[2] && \
237
        (a)->addr32[1] == (b)->addr32[1] && \
238
        (a)->addr32[0] == (b)->addr32[0])) \
239
240
#define PF_ANEQ(a, b, c) \
241
        ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
242
        ((a)->addr32[3] != (b)->addr32[3] || \
243
        (a)->addr32[2] != (b)->addr32[2] || \
244
        (a)->addr32[1] != (b)->addr32[1] || \
245
        (a)->addr32[0] != (b)->addr32[0])) \
246
247
#define PF_AZERO(a, c) \
248
        ((c == AF_INET && !(a)->addr32[0]) || \
249
        (!(a)->addr32[0] && !(a)->addr32[1] && \
250
        !(a)->addr32[2] && !(a)->addr32[3] )) \
251
252
#define PF_MATCHA(n, a, m, b, f) \
253
        pf_match_addr(n, a, m, b, f)
254
255
#define PF_ACPY(a, b, f) \
256
        pf_addrcpy(a, b, f)
257
258
#define PF_AINC(a, f) \
259
        pf_addr_inc(a, f)
260
261
#define PF_POOLMASK(a, b, c, d, f) \
262
        pf_poolmask(a, b, c, d, f)
263
264
#else
265
266
/* Just IPv6 */
267
268
#ifdef PF_INET6_ONLY
269
270
#define PF_AEQ(a, b, c) \
271
        ((a)->addr32[3] == (b)->addr32[3] && \
272
        (a)->addr32[2] == (b)->addr32[2] && \
273
        (a)->addr32[1] == (b)->addr32[1] && \
274
        (a)->addr32[0] == (b)->addr32[0]) \
275
276
#define PF_ANEQ(a, b, c) \
277
        ((a)->addr32[3] != (b)->addr32[3] || \
278
        (a)->addr32[2] != (b)->addr32[2] || \
279
        (a)->addr32[1] != (b)->addr32[1] || \
280
        (a)->addr32[0] != (b)->addr32[0]) \
281
282
#define PF_AZERO(a, c) \
283
        (!(a)->addr32[0] && \
284
        !(a)->addr32[1] && \
285
        !(a)->addr32[2] && \
286
        !(a)->addr32[3] ) \
287
288
#define PF_MATCHA(n, a, m, b, f) \
289
        pf_match_addr(n, a, m, b, f)
290
291
#define PF_ACPY(a, b, f) \
292
        pf_addrcpy(a, b, f)
293
294
#define PF_AINC(a, f) \
295
        pf_addr_inc(a, f)
296
297
#define PF_POOLMASK(a, b, c, d, f) \
298
        pf_poolmask(a, b, c, d, f)
299
300
#else
301
302
/* Just IPv4 */
303
#ifdef PF_INET_ONLY
304
305
#define PF_AEQ(a, b, c) \
306
        ((a)->addr32[0] == (b)->addr32[0])
307
308
#define PF_ANEQ(a, b, c) \
309
        ((a)->addr32[0] != (b)->addr32[0])
310
311
#define PF_AZERO(a, c) \
312
        (!(a)->addr32[0])
313
314
#define PF_MATCHA(n, a, m, b, f) \
315
        pf_match_addr(n, a, m, b, f)
316
317
#define PF_ACPY(a, b, f) \
318
        (a)->v4.s_addr = (b)->v4.s_addr
319
320
#define PF_AINC(a, f) \
321
        do { \
322
                (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
323
        } while (0)
324
325
#define PF_POOLMASK(a, b, c, d, f) \
326
        do { \
327
                (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
328
                (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
329
        } while (0)
330
331
#endif /* PF_INET_ONLY */
332
#endif /* PF_INET6_ONLY */
333
#endif /* PF_INET_INET6 */
334
335
#define        PF_MISMATCHAW(aw, x, af, neg, ifp)                                \
336
        (                                                                \
337
                (((aw)->type == PF_ADDR_NOROUTE &&                        \
338
                    pf_routable((x), (af), NULL)) ||                        \
339
                (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&        \
340
                    pf_routable((x), (af), (ifp))) ||                        \
341
                ((aw)->type == PF_ADDR_RTLABEL &&                        \
342
                    !pf_rtlabel_match((x), (af), (aw))) ||                \
343
                ((aw)->type == PF_ADDR_TABLE &&                                \
344
                    !pfr_match_addr((aw)->p.tbl, (x), (af))) ||                \
345
                ((aw)->type == PF_ADDR_DYNIFTL &&                        \
346
                    !pfi_match_addr((aw)->p.dyn, (x), (af))) ||         \
347
                ((aw)->type == PF_ADDR_ADDRMASK &&                        \
348
                    !PF_AZERO(&(aw)->v.a.mask, (af)) &&                        \
349
                    !PF_MATCHA(0, &(aw)->v.a.addr,                        \
350
                    &(aw)->v.a.mask, (x), (af))))) !=                        \
351
                (neg)                                                        \
352
        )
353
354
355
struct pf_rule_uid {
356
        uid_t                 uid[2];
357
        u_int8_t         op;
358
};
359
360
struct pf_rule_gid {
361
        uid_t                 gid[2];
362
        u_int8_t         op;
363
};
364
365
struct pf_rule_addr {
366
        struct pf_addr_wrap         addr;
367
        u_int16_t                 port[2];
368
        u_int8_t                 neg;
369
        u_int8_t                 port_op;
370
};
371
372
struct pf_pooladdr {
373
        struct pf_addr_wrap                 addr;
374
        TAILQ_ENTRY(pf_pooladdr)         entries;
375
        char                                 ifname[IFNAMSIZ];
376
        struct pfi_kif                        *kif;
377
};
378
379
TAILQ_HEAD(pf_palist, pf_pooladdr);
380
381
struct pf_poolhashkey {
382
        union {
383
                u_int8_t                key8[16];
384
                u_int16_t                key16[8];
385
                u_int32_t                key32[4];
386
        } pfk;                    /* 128-bit hash key */
387
#define key8        pfk.key8
388
#define key16        pfk.key16
389
#define key32        pfk.key32
390
};
391
392
struct pf_pool {
393
        struct pf_palist         list;
394
        struct pf_pooladdr        *cur;
395
        struct pf_poolhashkey         key;
396
        struct pf_addr                 counter;
397
        int                         tblidx;
398
        u_int16_t                 proxy_port[2];
399
        u_int8_t                 port_op;
400
        u_int8_t                 opts;
401
};
402
403
404
/* A packed Operating System description for fingerprinting */
405
typedef u_int32_t pf_osfp_t;
406
#define PF_OSFP_ANY        ((pf_osfp_t)0)
407
#define PF_OSFP_UNKNOWN        ((pf_osfp_t)-1)
408
#define PF_OSFP_NOMATCH        ((pf_osfp_t)-2)
409
410
struct pf_osfp_entry {
411
        SLIST_ENTRY(pf_osfp_entry) fp_entry;
412
        pf_osfp_t                fp_os;
413
        int                        fp_enflags;
414
#define PF_OSFP_EXPANDED        0x001                /* expanded entry */
415
#define PF_OSFP_GENERIC                0x002                /* generic signature */
416
#define PF_OSFP_NODETAIL        0x004                /* no p0f details */
417
#define PF_OSFP_LEN        32
418
        char                        fp_class_nm[PF_OSFP_LEN];
419
        char                        fp_version_nm[PF_OSFP_LEN];
420
        char                        fp_subtype_nm[PF_OSFP_LEN];
421
};
422
#define PF_OSFP_ENTRY_EQ(a, b) \
423
    ((a)->fp_os == (b)->fp_os && \
424
    memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
425
    memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
426
    memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
427
428
/* handle pf_osfp_t packing */
429
#define _FP_RESERVED_BIT        1  /* For the special negative #defines */
430
#define _FP_UNUSED_BITS                1
431
#define _FP_CLASS_BITS                10 /* OS Class (Windows, Linux) */
432
#define _FP_VERSION_BITS        10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
433
#define _FP_SUBTYPE_BITS        10 /* patch level (NT SP4, SP3, ECN patch) */
434
#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
435
        (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
436
            ((1 << _FP_CLASS_BITS) - 1); \
437
        (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
438
            ((1 << _FP_VERSION_BITS) - 1);\
439
        (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
440
} while(0)
441
#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
442
        (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
443
            + _FP_SUBTYPE_BITS); \
444
        (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
445
            _FP_SUBTYPE_BITS; \
446
        (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
447
} while(0)
448
449
/* the fingerprint of an OSes TCP SYN packet */
450
typedef u_int64_t        pf_tcpopts_t;
451
struct pf_os_fingerprint {
452
        SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
453
        pf_tcpopts_t                fp_tcpopts;        /* packed TCP options */
454
        u_int16_t                fp_wsize;        /* TCP window size */
455
        u_int16_t                fp_psize;        /* ip->ip_len */
456
        u_int16_t                fp_mss;                /* TCP MSS */
457
        u_int16_t                fp_flags;
458
#define PF_OSFP_WSIZE_MOD        0x0001                /* Window modulus */
459
#define PF_OSFP_WSIZE_DC        0x0002                /* Window don't care */
460
#define PF_OSFP_WSIZE_MSS        0x0004                /* Window multiple of MSS */
461
#define PF_OSFP_WSIZE_MTU        0x0008                /* Window multiple of MTU */
462
#define PF_OSFP_PSIZE_MOD        0x0010                /* packet size modulus */
463
#define PF_OSFP_PSIZE_DC        0x0020                /* packet size don't care */
464
#define PF_OSFP_WSCALE                0x0040                /* TCP window scaling */
465
#define PF_OSFP_WSCALE_MOD        0x0080                /* TCP window scale modulus */
466
#define PF_OSFP_WSCALE_DC        0x0100                /* TCP window scale dont-care */
467
#define PF_OSFP_MSS                0x0200                /* TCP MSS */
468
#define PF_OSFP_MSS_MOD                0x0400                /* TCP MSS modulus */
469
#define PF_OSFP_MSS_DC                0x0800                /* TCP MSS dont-care */
470
#define PF_OSFP_DF                0x1000                /* IPv4 don't fragment bit */
471
#define PF_OSFP_TS0                0x2000                /* Zero timestamp */
472
#define PF_OSFP_INET6                0x4000                /* IPv6 */
473
        u_int8_t                fp_optcnt;        /* TCP option count */
474
        u_int8_t                fp_wscale;        /* TCP window scaling */
475
        u_int8_t                fp_ttl;                /* IPv4 TTL */
476
#define PF_OSFP_MAXTTL_OFFSET        40
477
/* TCP options packing */
478
#define PF_OSFP_TCPOPT_NOP        0x0                /* TCP NOP option */
479
#define PF_OSFP_TCPOPT_WSCALE        0x1                /* TCP window scaling option */
480
#define PF_OSFP_TCPOPT_MSS        0x2                /* TCP max segment size opt */
481
#define PF_OSFP_TCPOPT_SACK        0x3                /* TCP SACK OK option */
482
#define PF_OSFP_TCPOPT_TS        0x4                /* TCP timestamp option */
483
#define PF_OSFP_TCPOPT_BITS        3                /* bits used by each option */
484
#define PF_OSFP_MAX_OPTS \
485
    (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
486
    / PF_OSFP_TCPOPT_BITS
487
488
        SLIST_ENTRY(pf_os_fingerprint)        fp_next;
489
};
490
491
struct pf_osfp_ioctl {
492
        struct pf_osfp_entry        fp_os;
493
        pf_tcpopts_t                fp_tcpopts;        /* packed TCP options */
494
        u_int16_t                fp_wsize;        /* TCP window size */
495
        u_int16_t                fp_psize;        /* ip->ip_len */
496
        u_int16_t                fp_mss;                /* TCP MSS */
497
        u_int16_t                fp_flags;
498
        u_int8_t                fp_optcnt;        /* TCP option count */
499
        u_int8_t                fp_wscale;        /* TCP window scaling */
500
        u_int8_t                fp_ttl;                /* IPv4 TTL */
501
502
        int                        fp_getnum;        /* DIOCOSFPGET number */
503
};
504
505
506
union pf_rule_ptr {
507
        struct pf_rule                *ptr;
508
        u_int32_t                 nr;
509
};
510
511
#define        PF_ANCHOR_NAME_SIZE         64
512
513
struct pf_rule {
514
        struct pf_rule_addr         src;
515
        struct pf_rule_addr         dst;
516
#define PF_SKIP_IFP                0
517
#define PF_SKIP_DIR                1
518
#define PF_SKIP_AF                2
519
#define PF_SKIP_PROTO                3
520
#define PF_SKIP_SRC_ADDR        4
521
#define PF_SKIP_SRC_PORT        5
522
#define PF_SKIP_DST_ADDR        6
523
#define PF_SKIP_DST_PORT        7
524
#define PF_SKIP_COUNT                8
525
        union pf_rule_ptr         skip[PF_SKIP_COUNT];
526
#define PF_RULE_LABEL_SIZE         64
527
        char                         label[PF_RULE_LABEL_SIZE];
528
#define PF_QNAME_SIZE                 64
529
        char                         ifname[IFNAMSIZ];
530
        char                         qname[PF_QNAME_SIZE];
531
        char                         pqname[PF_QNAME_SIZE];
532
#define        PF_TAG_NAME_SIZE         64
533
        char                         tagname[PF_TAG_NAME_SIZE];
534
        char                         match_tagname[PF_TAG_NAME_SIZE];
535
536
        char                         overload_tblname[PF_TABLE_NAME_SIZE];
537
538
        TAILQ_ENTRY(pf_rule)         entries;
539
        struct pf_pool                 rpool;
540
541
        u_int64_t                 evaluations;
542
        u_int64_t                 packets[2];
543
        u_int64_t                 bytes[2];
544
545
        struct pfi_kif                *kif;
546
        struct pf_anchor        *anchor;
547
        struct pfr_ktable        *overload_tbl;
548
549
        pf_osfp_t                 os_fingerprint;
550
551
        int                         rtableid;
552
        u_int32_t                 timeout[PFTM_MAX];
553
        u_int32_t                 states;
554
        u_int32_t                 max_states;
555
        u_int32_t                 src_nodes;
556
        u_int32_t                 max_src_nodes;
557
        u_int32_t                 max_src_states;
558
        u_int32_t                 max_src_conn;
559
        struct {
560
                u_int32_t                limit;
561
                u_int32_t                seconds;
562
        }                         max_src_conn_rate;
563
        u_int32_t                 qid;
564
        u_int32_t                 pqid;
565
        u_int32_t                 rt_listid;
566
        u_int32_t                 nr;
567
        u_int32_t                 prob;
568
        uid_t                         cuid;
569
        pid_t                         cpid;
570
571
        u_int16_t                 return_icmp;
572
        u_int16_t                 return_icmp6;
573
        u_int16_t                 max_mss;
574
        u_int16_t                 tag;
575
        u_int16_t                 match_tag;
576
577
        struct pf_rule_uid         uid;
578
        struct pf_rule_gid         gid;
579
580
        u_int32_t                 rule_flag;
581
        u_int8_t                 action;
582
        u_int8_t                 direction;
583
        u_int8_t                 log;
584
        u_int8_t                 logif;
585
        u_int8_t                 quick;
586
        u_int8_t                 ifnot;
587
        u_int8_t                 match_tag_not;
588
        u_int8_t                 natpass;
589
590
#define PF_STATE_NORMAL                0x1
591
#define PF_STATE_MODULATE        0x2
592
#define PF_STATE_SYNPROXY        0x3
593
        u_int8_t                 keep_state;
594
        sa_family_t                 af;
595
        u_int8_t                 proto;
596
        u_int8_t                 type;
597
        u_int8_t                 code;
598
        u_int8_t                 flags;
599
        u_int8_t                 flagset;
600
        u_int8_t                 min_ttl;
601
        u_int8_t                 allow_opts;
602
        u_int8_t                 rt;
603
        u_int8_t                 return_ttl;
604
        u_int8_t                 tos;
605
        u_int8_t                 anchor_relative;
606
        u_int8_t                 anchor_wildcard;
607
608
#define PF_FLUSH                0x01
609
#define PF_FLUSH_GLOBAL                0x02
610
        u_int8_t                 flush;
611
};
612
613
/* rule flags */
614
#define        PFRULE_DROP                0x0000
615
#define        PFRULE_RETURNRST        0x0001
616
#define        PFRULE_FRAGMENT                0x0002
617
#define        PFRULE_RETURNICMP        0x0004
618
#define        PFRULE_RETURN                0x0008
619
#define        PFRULE_NOSYNC                0x0010
620
#define PFRULE_SRCTRACK                0x0020  /* track source states */
621
#define PFRULE_RULESRCTRACK        0x0040  /* per rule */
622
623
/* scrub flags */
624
#define        PFRULE_NODF                0x0100
625
#define        PFRULE_FRAGCROP                0x0200        /* non-buffering frag cache */
626
#define        PFRULE_FRAGDROP                0x0400        /* drop funny fragments */
627
#define PFRULE_RANDOMID                0x0800
628
#define PFRULE_REASSEMBLE_TCP        0x1000
629
630
/* rule flags again */
631
#define PFRULE_IFBOUND                0x00010000        /* if-bound */
632
633
#define PFSTATE_HIWAT                10000        /* default state table size */
634
#define PFSTATE_ADAPT_START        6000        /* default adaptive timeout start */
635
#define PFSTATE_ADAPT_END        12000        /* default adaptive timeout end */
636
637
638
struct pf_threshold {
639
        u_int32_t        limit;
640
#define        PF_THRESHOLD_MULT        1000
641
#define PF_THRESHOLD_MAX        0xffffffff / PF_THRESHOLD_MULT
642
        u_int32_t        seconds;
643
        u_int32_t        count;
644
        u_int32_t        last;
645
};
646
647
struct pf_src_node {
648
        RB_ENTRY(pf_src_node) entry;
649
        struct pf_addr         addr;
650
        struct pf_addr         raddr;
651
        union pf_rule_ptr rule;
652
        struct pfi_kif        *kif;
653
        u_int64_t         bytes[2];
654
        u_int64_t         packets[2];
655
        u_int32_t         states;
656
        u_int32_t         conn;
657
        struct pf_threshold        conn_rate;
658
        u_int32_t         creation;
659
        u_int32_t         expire;
660
        sa_family_t         af;
661
        u_int8_t         ruletype;
662
};
663
664
#define PFSNODE_HIWAT                10000        /* default source node table size */
665
666
struct pf_state_scrub {
667
        struct timeval        pfss_last;        /* time received last packet        */
668
        u_int32_t        pfss_tsecr;        /* last echoed timestamp        */
669
        u_int32_t        pfss_tsval;        /* largest timestamp                */
670
        u_int32_t        pfss_tsval0;        /* original timestamp                */
671
        u_int16_t        pfss_flags;
672
#define PFSS_TIMESTAMP        0x0001                /* modulate timestamp                */
673
#define PFSS_PAWS        0x0010                /* stricter PAWS checks                */
674
#define PFSS_PAWS_IDLED        0x0020                /* was idle too long.  no PAWS        */
675
#define PFSS_DATA_TS        0x0040                /* timestamp on data packets        */
676
#define PFSS_DATA_NOTS        0x0080                /* no timestamp on data packets        */
677
        u_int8_t        pfss_ttl;        /* stashed TTL                        */
678
        u_int8_t        pad;
679
        u_int32_t        pfss_ts_mod;        /* timestamp modulation                */
680
};
681
682
struct pf_state_host {
683
        struct pf_addr        addr;
684
        u_int16_t        port;
685
        u_int16_t        pad;
686
};
687
688
struct pf_state_peer {
689
        u_int32_t        seqlo;                /* Max sequence number sent        */
690
        u_int32_t        seqhi;                /* Max the other end ACKd + win        */
691
        u_int32_t        seqdiff;        /* Sequence number modulator        */
692
        u_int16_t        max_win;        /* largest window (pre scaling)        */
693
        u_int8_t        state;                /* active state level                */
694
        u_int8_t        wscale;                /* window scaling factor        */
695
        u_int16_t        mss;                /* Maximum segment size option        */
696
        u_int8_t        tcp_est;        /* Did we reach TCPS_ESTABLISHED */
697
        struct pf_state_scrub        *scrub;        /* state is scrubbed                */
698
        u_int8_t        pad[3];
699
};
700
701
TAILQ_HEAD(pf_state_queue, pf_state);
702
703
/* keep synced with struct pf_state_key, used in RB_FIND */
704
struct pf_state_key_cmp {
705
        struct pf_state_host lan;
706
        struct pf_state_host gwy;
707
        struct pf_state_host ext;
708
        sa_family_t         af;
709
        u_int8_t         proto;
710
        u_int8_t         direction;
711
        u_int8_t         pad;
712
};
713
714
TAILQ_HEAD(pf_statelist, pf_state);
715
716
struct pf_state_key {
717
        struct pf_state_host lan;
718
        struct pf_state_host gwy;
719
        struct pf_state_host ext;
720
        sa_family_t         af;
721
        u_int8_t         proto;
722
        u_int8_t         direction;
723
        u_int8_t         pad;
724
725
        RB_ENTRY(pf_state_key)         entry_lan_ext;
726
        RB_ENTRY(pf_state_key)         entry_ext_gwy;
727
        struct pf_statelist         states;
728
        u_short                 refcnt;        /* same size as if_index */
729
};
730
731
732
/* keep synced with struct pf_state, used in RB_FIND */
733
struct pf_state_cmp {
734
        u_int64_t         id;
735
        u_int32_t         creatorid;
736
        u_int32_t         pad;
737
};
738
739
struct pf_state {
740
        u_int64_t                 id;
741
        u_int32_t                 creatorid;
742
        u_int32_t                 pad;
743
744
        TAILQ_ENTRY(pf_state)         entry_list;
745
        TAILQ_ENTRY(pf_state)         next;
746
        RB_ENTRY(pf_state)         entry_id;
747
        struct pf_state_peer         src;
748
        struct pf_state_peer         dst;
749
        union pf_rule_ptr         rule;
750
        union pf_rule_ptr         anchor;
751
        union pf_rule_ptr         nat_rule;
752
        struct pf_addr                 rt_addr;
753
        struct pf_state_key        *state_key;
754
        struct pfi_kif                *kif;
755
        struct pfi_kif                *rt_kif;
756
        struct pf_src_node        *src_node;
757
        struct pf_src_node        *nat_src_node;
758
        u_int64_t                 packets[2];
759
        u_int64_t                 bytes[2];
760
        u_int32_t                 creation;
761
        u_int32_t                 expire;
762
        u_int32_t                 pfsync_time;
763
        u_int16_t                 tag;
764
        u_int8_t                 log;
765
        u_int8_t                 allow_opts;
766
        u_int8_t                 timeout;
767
        u_int8_t                 sync_flags;
768
#define        PFSTATE_NOSYNC         0x01
769
#define        PFSTATE_FROMSYNC 0x02
770
#define        PFSTATE_STALE         0x04
771
};
772
773
/*
774
 * Unified state structures for pulling states out of the kernel
775
 * used by pfsync(4) and the pf(4) ioctl.
776
 */
777
struct pfsync_state_scrub {
778
        u_int16_t        pfss_flags;
779
        u_int8_t        pfss_ttl;        /* stashed TTL                */
780
#define PFSYNC_SCRUB_FLAG_VALID         0x01
781
        u_int8_t        scrub_flag;
782
        u_int32_t        pfss_ts_mod;        /* timestamp modulation        */
783
} __packed;
784
785
struct pfsync_state_host {
786
        struct pf_addr        addr;
787
        u_int16_t        port;
788
        u_int16_t        pad[3];
789
} __packed;
790
791
struct pfsync_state_peer {
792
        struct pfsync_state_scrub scrub;        /* state is scrubbed        */
793
        u_int32_t        seqlo;                /* Max sequence number sent        */
794
        u_int32_t        seqhi;                /* Max the other end ACKd + win        */
795
        u_int32_t        seqdiff;        /* Sequence number modulator        */
796
        u_int16_t        max_win;        /* largest window (pre scaling)        */
797
        u_int16_t        mss;                /* Maximum segment size option        */
798
        u_int8_t        state;                /* active state level                */
799
        u_int8_t        wscale;                /* window scaling factor        */
800
        u_int8_t        pad[6];
801
} __packed;
802
803
struct pfsync_state {
804
        u_int32_t         id[2];
805
        char                 ifname[IFNAMSIZ];
806
        struct pfsync_state_host lan;
807
        struct pfsync_state_host gwy;
808
        struct pfsync_state_host ext;
809
        struct pfsync_state_peer src;
810
        struct pfsync_state_peer dst;
811
        struct pf_addr         rt_addr;
812
        u_int32_t         rule;
813
        u_int32_t         anchor;
814
        u_int32_t         nat_rule;
815
        u_int32_t         creation;
816
        u_int32_t         expire;
817
        u_int32_t         packets[2][2];
818
        u_int32_t         bytes[2][2];
819
        u_int32_t         creatorid;
820
        sa_family_t         af;
821
        u_int8_t         proto;
822
        u_int8_t         direction;
823
        u_int8_t         log;
824
        u_int8_t         allow_opts;
825
        u_int8_t         timeout;
826
        u_int8_t         sync_flags;
827
        u_int8_t         updates;
828
} __packed;
829
830
#define PFSYNC_FLAG_COMPRESS         0x01
831
#define PFSYNC_FLAG_STALE        0x02
832
#define PFSYNC_FLAG_SRCNODE        0x04
833
#define PFSYNC_FLAG_NATSRCNODE        0x08
834
835
/* for copies to/from userland via pf_ioctl() */
836
#define pf_state_peer_to_pfsync(s,d) do {        \
837
        (d)->seqlo = (s)->seqlo;                \
838
        (d)->seqhi = (s)->seqhi;                \
839
        (d)->seqdiff = (s)->seqdiff;                \
840
        (d)->max_win = (s)->max_win;                \
841
        (d)->mss = (s)->mss;                        \
842
        (d)->state = (s)->state;                \
843
        (d)->wscale = (s)->wscale;                \
844
        if ((s)->scrub) {                                                \
845
                (d)->scrub.pfss_flags =                                 \
846
                    (s)->scrub->pfss_flags & PFSS_TIMESTAMP;                \
847
                (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;                \
848
                (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod;        \
849
                (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;        \
850
        }                                                                \
851
} while (0)
852
853
#define pf_state_peer_from_pfsync(s,d) do {        \
854
        (d)->seqlo = (s)->seqlo;                \
855
        (d)->seqhi = (s)->seqhi;                \
856
        (d)->seqdiff = (s)->seqdiff;                \
857
        (d)->max_win = (s)->max_win;                \
858
        (d)->mss = ntohs((s)->mss);                \
859
        (d)->state = (s)->state;                \
860
        (d)->wscale = (s)->wscale;                \
861
        if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID &&         \
862
            (d)->scrub != NULL) {                                        \
863
                (d)->scrub->pfss_flags =                                \
864
                    ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;        \
865
                (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;                \
866
                (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod;        \
867
        }                                                                \
868
} while (0)
869
870
#define pf_state_counter_to_pfsync(s,d) do {                        \
871
        d[0] = (s>>32)&0xffffffff;                                \
872
        d[1] = s&0xffffffff;                                        \
873
} while (0)
874
875
#define pf_state_counter_from_pfsync(s)                \
876
        (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
877
878
879
880
TAILQ_HEAD(pf_rulequeue, pf_rule);
881
882
struct pf_anchor;
883
884
struct pf_ruleset {
885
        struct {
886
                struct pf_rulequeue         queues[2];
887
                struct {
888
                        struct pf_rulequeue        *ptr;
889
                        struct pf_rule                **ptr_array;
890
                        u_int32_t                 rcount;
891
                        u_int32_t                 ticket;
892
                        int                         open;
893
                }                         active, inactive;
894
        }                         rules[PF_RULESET_MAX];
895
        struct pf_anchor        *anchor;
896
        u_int32_t                 tticket;
897
        int                         tables;
898
        int                         topen;
899
};
900
901
RB_HEAD(pf_anchor_global, pf_anchor);
902
RB_HEAD(pf_anchor_node, pf_anchor);
903
struct pf_anchor {
904
        RB_ENTRY(pf_anchor)         entry_global;
905
        RB_ENTRY(pf_anchor)         entry_node;
906
        struct pf_anchor        *parent;
907
        struct pf_anchor_node         children;
908
        char                         name[PF_ANCHOR_NAME_SIZE];
909
        char                         path[MAXPATHLEN];
910
        struct pf_ruleset         ruleset;
911
        int                         refcnt;        /* anchor rules */
912
        int                         match;
913
};
914
RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
915
RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
916
917
#define PF_RESERVED_ANCHOR        "_pf"
918
919
#define PFR_TFLAG_PERSIST        0x00000001
920
#define PFR_TFLAG_CONST                0x00000002
921
#define PFR_TFLAG_ACTIVE        0x00000004
922
#define PFR_TFLAG_INACTIVE        0x00000008
923
#define PFR_TFLAG_REFERENCED        0x00000010
924
#define PFR_TFLAG_REFDANCHOR        0x00000020
925
#define PFR_TFLAG_USRMASK        0x00000003
926
#define PFR_TFLAG_SETMASK        0x0000003C
927
#define PFR_TFLAG_ALLMASK        0x0000003F
928
929
struct pfr_table {
930
        char                         pfrt_anchor[MAXPATHLEN];
931
        char                         pfrt_name[PF_TABLE_NAME_SIZE];
932
        u_int32_t                 pfrt_flags;
933
        u_int8_t                 pfrt_fback;
934
};
935
936
enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
937
        PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
938
        PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_MAX };
939
940
struct pfr_addr {
941
        union {
942
                struct in_addr         _pfra_ip4addr;
943
                struct in6_addr         _pfra_ip6addr;
944
        }                 pfra_u;
945
        u_int8_t         pfra_af;
946
        u_int8_t         pfra_net;
947
        u_int8_t         pfra_not;
948
        u_int8_t         pfra_fback;
949
};
950
#define        pfra_ip4addr        pfra_u._pfra_ip4addr
951
#define        pfra_ip6addr        pfra_u._pfra_ip6addr
952
953
enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
954
enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
955
#define PFR_OP_XPASS        PFR_OP_ADDR_MAX
956
957
struct pfr_astats {
958
        struct pfr_addr         pfras_a;
959
        u_int64_t         pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
960
        u_int64_t         pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
961
        long                 pfras_tzero;
962
};
963
964
enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
965
966
struct pfr_tstats {
967
        struct pfr_table pfrts_t;
968
        u_int64_t         pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
969
        u_int64_t         pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
970
        u_int64_t         pfrts_match;
971
        u_int64_t         pfrts_nomatch;
972
        long                 pfrts_tzero;
973
        int                 pfrts_cnt;
974
        int                 pfrts_refcnt[PFR_REFCNT_MAX];
975
};
976
#define        pfrts_name        pfrts_t.pfrt_name
977
#define pfrts_flags        pfrts_t.pfrt_flags
978
979
#ifndef _SOCKADDR_UNION_DEFINED
980
#define _SOCKADDR_UNION_DEFINED
981
union sockaddr_union {
982
        struct sockaddr                sa;
983
        struct sockaddr_in        sin;
984
        struct sockaddr_in6        sin6;
985
};
986
#endif /* _SOCKADDR_UNION_DEFINED */
987
988
SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
989
struct pfr_kentry {
990
        struct radix_node         pfrke_node[2];
991
        union sockaddr_union         pfrke_sa;
992
        u_int64_t                 pfrke_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
993
        u_int64_t                 pfrke_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
994
        SLIST_ENTRY(pfr_kentry)         pfrke_workq;
995
        long                         pfrke_tzero;
996
        u_int8_t                 pfrke_af;
997
        u_int8_t                 pfrke_net;
998
        u_int8_t                 pfrke_not;
999
        u_int8_t                 pfrke_mark;
1000
        u_int8_t                 pfrke_intrpool;
1001
};
1002
1003
SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
1004
RB_HEAD(pfr_ktablehead, pfr_ktable);
1005
struct pfr_ktable {
1006
        struct pfr_tstats         pfrkt_ts;
1007
        RB_ENTRY(pfr_ktable)         pfrkt_tree;
1008
        SLIST_ENTRY(pfr_ktable)         pfrkt_workq;
1009
        struct radix_node_head        *pfrkt_ip4;
1010
        struct radix_node_head        *pfrkt_ip6;
1011
        struct pfr_ktable        *pfrkt_shadow;
1012
        struct pfr_ktable        *pfrkt_root;
1013
        struct pf_ruleset        *pfrkt_rs;
1014
        long                         pfrkt_larg;
1015
        int                         pfrkt_nflags;
1016
};
1017
#define pfrkt_t                pfrkt_ts.pfrts_t
1018
#define pfrkt_name        pfrkt_t.pfrt_name
1019
#define pfrkt_anchor        pfrkt_t.pfrt_anchor
1020
#define pfrkt_ruleset        pfrkt_t.pfrt_ruleset
1021
#define pfrkt_flags        pfrkt_t.pfrt_flags
1022
#define pfrkt_cnt        pfrkt_ts.pfrts_cnt
1023
#define pfrkt_refcnt        pfrkt_ts.pfrts_refcnt
1024
#define pfrkt_packets        pfrkt_ts.pfrts_packets
1025
#define pfrkt_bytes        pfrkt_ts.pfrts_bytes
1026
#define pfrkt_match        pfrkt_ts.pfrts_match
1027
#define pfrkt_nomatch        pfrkt_ts.pfrts_nomatch
1028
#define pfrkt_tzero        pfrkt_ts.pfrts_tzero
1029
1030
RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
1031
RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key,
1032
    entry_lan_ext, pf_state_compare_lan_ext);
1033
1034
RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
1035
RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
1036
    entry_ext_gwy, pf_state_compare_ext_gwy);
1037
1038
RB_HEAD(pfi_ifhead, pfi_kif);
1039
1040
/* state tables */
1041
extern struct pf_state_tree_lan_ext         pf_statetbl_lan_ext;
1042
extern struct pf_state_tree_ext_gwy         pf_statetbl_ext_gwy;
1043
1044
/* keep synced with pfi_kif, used in RB_FIND */
1045
struct pfi_kif_cmp {
1046
        char                                 pfik_name[IFNAMSIZ];
1047
};
1048
1049
struct pfi_kif {
1050
        char                                 pfik_name[IFNAMSIZ];
1051
        RB_ENTRY(pfi_kif)                 pfik_tree;
1052
        u_int64_t                         pfik_packets[2][2][2];
1053
        u_int64_t                         pfik_bytes[2][2][2];
1054
        u_int32_t                         pfik_tzero;
1055
        int                                 pfik_flags;
1056
        void                                *pfik_ah_cookie;
1057
        struct ifnet                        *pfik_ifp;
1058
        struct ifg_group                *pfik_group;
1059
        int                                 pfik_states;
1060
        int                                 pfik_rules;
1061
        TAILQ_HEAD(, pfi_dynaddr)         pfik_dynaddrs;
1062
};
1063
1064
enum pfi_kif_refs {
1065
        PFI_KIF_REF_NONE,
1066
        PFI_KIF_REF_STATE,
1067
        PFI_KIF_REF_RULE
1068
};
1069
1070
#define PFI_IFLAG_SKIP                0x0100        /* skip filtering on interface */
1071
1072
struct pf_pdesc {
1073
        struct {
1074
                int         done;
1075
                uid_t         uid;
1076
                gid_t         gid;
1077
                pid_t         pid;
1078
        }                 lookup;
1079
        u_int64_t         tot_len;        /* Make Mickey money */
1080
        union {
1081
                struct tcphdr                *tcp;
1082
                struct udphdr                *udp;
1083
                struct icmp                *icmp;
1084
#ifdef INET6
1085
                struct icmp6_hdr        *icmp6;
1086
#endif /* INET6 */
1087
                void                        *any;
1088
        } hdr;
1089
        struct pf_addr         baddr;                /* address before translation */
1090
        struct pf_addr         naddr;                /* address after translation */
1091
        struct pf_rule        *nat_rule;        /* nat/rdr rule applied to packet */
1092
        struct pf_addr        *src;
1093
        struct pf_addr        *dst;
1094
        struct ether_header
1095
                        *eh;
1096
        u_int16_t        *ip_sum;
1097
        u_int32_t         p_len;                /* total length of payload */
1098
        u_int16_t         flags;                /* Let SCRUB trigger behavior in
1099
                                         * state code. Easier than tags */
1100
#define PFDESC_TCP_NORM        0x0001                /* TCP shall be statefully scrubbed */
1101
#define PFDESC_IP_REAS        0x0002                /* IP frags would've been reassembled */
1102
        sa_family_t         af;
1103
        u_int8_t         proto;
1104
        u_int8_t         tos;
1105
};
1106
1107
/* flags for RDR options */
1108
#define PF_DPORT_RANGE        0x01                /* Dest port uses range */
1109
#define PF_RPORT_RANGE        0x02                /* RDR'ed port uses range */
1110
1111
/* Reasons code for passing/dropping a packet */
1112
#define PFRES_MATCH        0                /* Explicit match of a rule */
1113
#define PFRES_BADOFF        1                /* Bad offset for pull_hdr */
1114
#define PFRES_FRAG        2                /* Dropping following fragment */
1115
#define PFRES_SHORT        3                /* Dropping short packet */
1116
#define PFRES_NORM        4                /* Dropping by normalizer */
1117
#define PFRES_MEMORY        5                /* Dropped due to lacking mem */
1118
#define PFRES_TS        6                /* Bad TCP Timestamp (RFC1323) */
1119
#define PFRES_CONGEST        7                /* Congestion (of IP queue) */
1120
#define PFRES_IPOPTIONS 8                /* IP option */
1121
#define PFRES_PROTCKSUM 9                /* Protocol checksum invalid */
1122
#define PFRES_BADSTATE        10                /* State mismatch */
1123
#define PFRES_STATEINS        11                /* State insertion failure */
1124
#define PFRES_MAXSTATES        12                /* State limit */
1125
#define PFRES_SRCLIMIT        13                /* Source node/conn limit */
1126
#define PFRES_SYNPROXY        14                /* SYN proxy */
1127
#define PFRES_STATELOCKED 15    /* state table locked */
1128
#define PFRES_MAX        16                /* total+1 */
1129
1130
#define PFRES_NAMES { \
1131
        "match", \
1132
        "bad-offset", \
1133
        "fragment", \
1134
        "short", \
1135
        "normalize", \
1136
        "memory", \
1137
        "bad-timestamp", \
1138
        "congestion", \
1139
        "ip-option", \
1140
        "proto-cksum", \
1141
        "state-mismatch", \
1142
        "state-insert", \
1143
        "state-limit", \
1144
        "src-limit", \
1145
        "synproxy", \
1146
        "state-locked", \
1147
        NULL \
1148
}
1149
1150
/* Counters for other things we want to keep track of */
1151
#define LCNT_STATES                0        /* states */
1152
#define LCNT_SRCSTATES                1        /* max-src-states */
1153
#define LCNT_SRCNODES                2        /* max-src-nodes */
1154
#define LCNT_SRCCONN                3        /* max-src-conn */
1155
#define LCNT_SRCCONNRATE        4        /* max-src-conn-rate */
1156
#define LCNT_OVERLOAD_TABLE        5        /* entry added to overload table */
1157
#define LCNT_OVERLOAD_FLUSH        6        /* state entries flushed */
1158
#define LCNT_MAX                7        /* total+1 */
1159
1160
#define LCNT_NAMES { \
1161
        "max states per rule", \
1162
        "max-src-states", \
1163
        "max-src-nodes", \
1164
        "max-src-conn", \
1165
        "max-src-conn-rate", \
1166
        "overload table insertion", \
1167
        "overload flush states", \
1168
        NULL \
1169
}
1170
1171
/* UDP state enumeration */
1172
#define PFUDPS_NO_TRAFFIC        0
1173
#define PFUDPS_SINGLE                1
1174
#define PFUDPS_MULTIPLE                2
1175
1176
#define PFUDPS_NSTATES                3        /* number of state levels */
1177
1178
#define PFUDPS_NAMES { \
1179
        "NO_TRAFFIC", \
1180
        "SINGLE", \
1181
        "MULTIPLE", \
1182
        NULL \
1183
}
1184
1185
/* Other protocol state enumeration */
1186
#define PFOTHERS_NO_TRAFFIC        0
1187
#define PFOTHERS_SINGLE                1
1188
#define PFOTHERS_MULTIPLE        2
1189
1190
#define PFOTHERS_NSTATES        3        /* number of state levels */
1191
1192
#define PFOTHERS_NAMES { \
1193
        "NO_TRAFFIC", \
1194
        "SINGLE", \
1195
        "MULTIPLE", \
1196
        NULL \
1197
}
1198
1199
#define FCNT_STATE_SEARCH        0
1200
#define FCNT_STATE_INSERT        1
1201
#define FCNT_STATE_REMOVALS        2
1202
#define FCNT_MAX                3
1203
1204
#define SCNT_SRC_NODE_SEARCH        0
1205
#define SCNT_SRC_NODE_INSERT        1
1206
#define SCNT_SRC_NODE_REMOVALS        2
1207
#define SCNT_MAX                3
1208
1209
#define ACTION_SET(a, x) \
1210
        do { \
1211
                if ((a) != NULL) \
1212
                        *(a) = (x); \
1213
        } while (0)
1214
1215
#define REASON_SET(a, x) \
1216
        do { \
1217
                if ((a) != NULL) \
1218
                        *(a) = (x); \
1219
                if (x < PFRES_MAX) \
1220
                        pf_status.counters[x]++; \
1221
        } while (0)
1222
#define REASON_SET_NOPTR(a, x) \
1223
        do { \
1224
                *(a) = (x); \
1225
                if (x < PFRES_MAX) \
1226
                        pf_status.counters[x]++; \
1227
        } while (0)
1228
1229
struct pf_status {
1230
        u_int64_t        counters[PFRES_MAX];
1231
        u_int64_t        lcounters[LCNT_MAX];        /* limit counters */
1232
        u_int64_t        fcounters[FCNT_MAX];
1233
        u_int64_t        scounters[SCNT_MAX];
1234
        u_int64_t        pcounters[2][2][3];
1235
        u_int64_t        bcounters[2][2];
1236
        u_int64_t        stateid;
1237
        u_int32_t        running;
1238
        u_int32_t        states;
1239
        u_int32_t        src_nodes;
1240
        u_int32_t        since;
1241
        u_int32_t        debug;
1242
        u_int32_t        hostid;
1243
        char                ifname[IFNAMSIZ];
1244
        u_int8_t        pf_chksum[PF_MD5_DIGEST_LENGTH];
1245
};
1246
1247
struct cbq_opts {
1248
        u_int                minburst;
1249
        u_int                maxburst;
1250
        u_int                pktsize;
1251
        u_int                maxpktsize;
1252
        u_int                ns_per_byte;
1253
        u_int                maxidle;
1254
        int                minidle;
1255
        u_int                offtime;
1256
        int                flags;
1257
};
1258
1259
struct priq_opts {
1260
        int                flags;
1261
};
1262
1263
struct hfsc_opts {
1264
        /* real-time service curve */
1265
        u_int                rtsc_m1;        /* slope of the 1st segment in bps */
1266
        u_int                rtsc_d;                /* the x-projection of m1 in msec */
1267
        u_int                rtsc_m2;        /* slope of the 2nd segment in bps */
1268
        /* link-sharing service curve */
1269
        u_int                lssc_m1;
1270
        u_int                lssc_d;
1271
        u_int                lssc_m2;
1272
        /* upper-limit service curve */
1273
        u_int                ulsc_m1;
1274
        u_int                ulsc_d;
1275
        u_int                ulsc_m2;
1276
        int                flags;
1277
};
1278
1279
struct pf_altq {
1280
        char                         ifname[IFNAMSIZ];
1281
1282
        void                        *altq_disc;        /* discipline-specific state */
1283
        TAILQ_ENTRY(pf_altq)         entries;
1284
1285
        /* scheduler spec */
1286
        u_int8_t                 scheduler;        /* scheduler type */
1287
        u_int16_t                 tbrsize;        /* tokenbucket regulator size */
1288
        u_int32_t                 ifbandwidth;        /* interface bandwidth */
1289
1290
        /* queue spec */
1291
        char                         qname[PF_QNAME_SIZE];        /* queue name */
1292
        char                         parent[PF_QNAME_SIZE];        /* parent name */
1293
        u_int32_t                 parent_qid;        /* parent queue id */
1294
        u_int32_t                 bandwidth;        /* queue bandwidth */
1295
        u_int8_t                 priority;        /* priority */
1296
        u_int16_t                 qlimit;        /* queue size limit */
1297
        u_int16_t                 flags;                /* misc flags */
1298
        union {
1299
                struct cbq_opts                 cbq_opts;
1300
                struct priq_opts         priq_opts;
1301
                struct hfsc_opts         hfsc_opts;
1302
        } pq_u;
1303
1304
        u_int32_t                 qid;                /* return value */
1305
};
1306
1307
struct pf_tag {
1308
        u_int16_t        tag;                /* tag id */
1309
};
1310
1311
struct pf_tagname {
1312
        TAILQ_ENTRY(pf_tagname)        entries;
1313
        char                        name[PF_TAG_NAME_SIZE];
1314
        u_int16_t                tag;
1315
        int                        ref;
1316
};
1317
1318
#define PFFRAG_FRENT_HIWAT        5000        /* Number of fragment entries */
1319
#define PFFRAG_FRAG_HIWAT        1000        /* Number of fragmented packets */
1320
#define PFFRAG_FRCENT_HIWAT        50000        /* Number of fragment cache entries */
1321
#define PFFRAG_FRCACHE_HIWAT        10000        /* Number of fragment descriptors */
1322
1323
#define PFR_KTABLE_HIWAT        1000        /* Number of tables */
1324
#define PFR_KENTRY_HIWAT        200000        /* Number of table entries */
1325
#define PFR_KENTRY_HIWAT_SMALL        100000        /* Number of table entries (tiny hosts) */
1326
1327
/*
1328
 * ioctl parameter structures
1329
 */
1330
1331
struct pfioc_pooladdr {
1332
        u_int32_t                 action;
1333
        u_int32_t                 ticket;
1334
        u_int32_t                 nr;
1335
        u_int32_t                 r_num;
1336
        u_int8_t                 r_action;
1337
        u_int8_t                 r_last;
1338
        u_int8_t                 af;
1339
        char                         anchor[MAXPATHLEN];
1340
        struct pf_pooladdr         addr;
1341
};
1342
1343
struct pfioc_rule {
1344
        u_int32_t         action;
1345
        u_int32_t         ticket;
1346
        u_int32_t         pool_ticket;
1347
        u_int32_t         nr;
1348
        char                 anchor[MAXPATHLEN];
1349
        char                 anchor_call[MAXPATHLEN];
1350
        struct pf_rule         rule;
1351
};
1352
1353
struct pfioc_natlook {
1354
        struct pf_addr         saddr;
1355
        struct pf_addr         daddr;
1356
        struct pf_addr         rsaddr;
1357
        struct pf_addr         rdaddr;
1358
        u_int16_t         sport;
1359
        u_int16_t         dport;
1360
        u_int16_t         rsport;
1361
        u_int16_t         rdport;
1362
        sa_family_t         af;
1363
        u_int8_t         proto;
1364
        u_int8_t         direction;
1365
};
1366
1367
struct pfioc_state {
1368
        u_int32_t          nr;
1369
        void                *state;
1370
};
1371
1372
struct pfioc_src_node_kill {
1373
        /* XXX returns the number of src nodes killed in psnk_af */
1374
        sa_family_t psnk_af;
1375
        struct pf_rule_addr psnk_src;
1376
        struct pf_rule_addr psnk_dst;
1377
};
1378
1379
struct pfioc_state_kill {
1380
        /* XXX returns the number of states killed in psk_af */
1381
        sa_family_t                psk_af;
1382
        int                        psk_proto;
1383
        struct pf_rule_addr        psk_src;
1384
        struct pf_rule_addr        psk_dst;
1385
        char                        psk_ifname[IFNAMSIZ];
1386
};
1387
1388
struct pfioc_states {
1389
        int        ps_len;
1390
        union {
1391
                void                        *psu_buf;
1392
                struct pfsync_state        *psu_states;
1393
        } ps_u;
1394
#define ps_buf                ps_u.psu_buf
1395
#define ps_states        ps_u.psu_states
1396
};
1397
1398
struct pfioc_src_nodes {
1399
        int        psn_len;
1400
        union {
1401
                void                        *psu_buf;
1402
                struct pf_src_node        *psu_src_nodes;
1403
        } psn_u;
1404
#define psn_buf                psn_u.psu_buf
1405
#define psn_src_nodes        psn_u.psu_src_nodes
1406
};
1407
1408
struct pfioc_if {
1409
        char                 ifname[IFNAMSIZ];
1410
};
1411
1412
struct pfioc_tm {
1413
        int                 timeout;
1414
        int                 seconds;
1415
};
1416
1417
struct pfioc_limit {
1418
        int                 index;
1419
        unsigned         limit;
1420
};
1421
1422
struct pfioc_altq {
1423
        u_int32_t         action;
1424
        u_int32_t         ticket;
1425
        u_int32_t         nr;
1426
        struct pf_altq         altq;
1427
};
1428
1429
struct pfioc_qstats {
1430
        u_int32_t         ticket;
1431
        u_int32_t         nr;
1432
        void                *buf;
1433
        int                 nbytes;
1434
        u_int8_t         scheduler;
1435
};
1436
1437
struct pfioc_ruleset {
1438
        u_int32_t         nr;
1439
        char                 path[MAXPATHLEN];
1440
        char                 name[PF_ANCHOR_NAME_SIZE];
1441
};
1442
1443
#define PF_RULESET_ALTQ                (PF_RULESET_MAX)
1444
#define PF_RULESET_TABLE        (PF_RULESET_MAX+1)
1445
struct pfioc_trans {
1446
        int                 size;        /* number of elements */
1447
        int                 esize; /* size of each element in bytes */
1448
        struct pfioc_trans_e {
1449
                int                rs_num;
1450
                char                anchor[MAXPATHLEN];
1451
                u_int32_t        ticket;
1452
        }                *array;
1453
};
1454
1455
#define PFR_FLAG_ATOMIC                0x00000001
1456
#define PFR_FLAG_DUMMY                0x00000002
1457
#define PFR_FLAG_FEEDBACK        0x00000004
1458
#define PFR_FLAG_CLSTATS        0x00000008
1459
#define PFR_FLAG_ADDRSTOO        0x00000010
1460
#define PFR_FLAG_REPLACE        0x00000020
1461
#define PFR_FLAG_ALLRSETS        0x00000040
1462
#define PFR_FLAG_ALLMASK        0x0000007F
1463
#ifdef _KERNEL
1464
#define PFR_FLAG_USERIOCTL        0x10000000
1465
#endif
1466
1467
struct pfioc_table {
1468
        struct pfr_table         pfrio_table;
1469
        void                        *pfrio_buffer;
1470
        int                         pfrio_esize;
1471
        int                         pfrio_size;
1472
        int                         pfrio_size2;
1473
        int                         pfrio_nadd;
1474
        int                         pfrio_ndel;
1475
        int                         pfrio_nchange;
1476
        int                         pfrio_flags;
1477
        u_int32_t                 pfrio_ticket;
1478
};
1479
#define        pfrio_exists        pfrio_nadd
1480
#define        pfrio_nzero        pfrio_nadd
1481
#define        pfrio_nmatch        pfrio_nadd
1482
#define pfrio_naddr        pfrio_size2
1483
#define pfrio_setflag        pfrio_size2
1484
#define pfrio_clrflag        pfrio_nadd
1485
1486
struct pfioc_iface {
1487
        char         pfiio_name[IFNAMSIZ];
1488
        void        *pfiio_buffer;
1489
        int         pfiio_esize;
1490
        int         pfiio_size;
1491
        int         pfiio_nzero;
1492
        int         pfiio_flags;
1493
};
1494
1495
1496
/*
1497
 * ioctl operations
1498
 */
1499
1500
#define DIOCSTART        _IO  ('D',  1)
1501
#define DIOCSTOP        _IO  ('D',  2)
1502
#define DIOCADDRULE        _IOWR('D',  4, struct pfioc_rule)
1503
#define DIOCGETRULES        _IOWR('D',  6, struct pfioc_rule)
1504
#define DIOCGETRULE        _IOWR('D',  7, struct pfioc_rule)
1505
#define DIOCSETLCK  _IOWR('D', 8, uint32_t)
1506
/* XXX cut 9 - 17 */
1507
#define DIOCCLRSTATES        _IOWR('D', 18, struct pfioc_state_kill)
1508
#define DIOCGETSTATE        _IOWR('D', 19, struct pfioc_state)
1509
#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
1510
#define DIOCGETSTATUS        _IOWR('D', 21, struct pf_status)
1511
#define DIOCCLRSTATUS        _IO  ('D', 22)
1512
#define DIOCNATLOOK        _IOWR('D', 23, struct pfioc_natlook)
1513
#define DIOCSETDEBUG        _IOWR('D', 24, u_int32_t)
1514
#define DIOCGETSTATES        _IOWR('D', 25, struct pfioc_states)
1515
#define DIOCCHANGERULE        _IOWR('D', 26, struct pfioc_rule)
1516
/* XXX cut 26 - 28 */
1517
#define DIOCSETTIMEOUT        _IOWR('D', 29, struct pfioc_tm)
1518
#define DIOCGETTIMEOUT        _IOWR('D', 30, struct pfioc_tm)
1519
#define DIOCADDSTATE        _IOWR('D', 37, struct pfioc_state)
1520
#define DIOCCLRRULECTRS        _IO  ('D', 38)
1521
#define DIOCGETLIMIT        _IOWR('D', 39, struct pfioc_limit)
1522
#define DIOCSETLIMIT        _IOWR('D', 40, struct pfioc_limit)
1523
#define DIOCKILLSTATES        _IOWR('D', 41, struct pfioc_state_kill)
1524
#define DIOCSTARTALTQ        _IO  ('D', 42)
1525
#define DIOCSTOPALTQ        _IO  ('D', 43)
1526
#define DIOCADDALTQ        _IOWR('D', 45, struct pfioc_altq)
1527
#define DIOCGETALTQS        _IOWR('D', 47, struct pfioc_altq)
1528
#define DIOCGETALTQ        _IOWR('D', 48, struct pfioc_altq)
1529
#define DIOCCHANGEALTQ        _IOWR('D', 49, struct pfioc_altq)
1530
#define DIOCGETQSTATS        _IOWR('D', 50, struct pfioc_qstats)
1531
#define DIOCBEGINADDRS        _IOWR('D', 51, struct pfioc_pooladdr)
1532
#define DIOCADDADDR        _IOWR('D', 52, struct pfioc_pooladdr)
1533
#define DIOCGETADDRS        _IOWR('D', 53, struct pfioc_pooladdr)
1534
#define DIOCGETADDR        _IOWR('D', 54, struct pfioc_pooladdr)
1535
#define DIOCCHANGEADDR        _IOWR('D', 55, struct pfioc_pooladdr)
1536
#define DIOCADDSTATES   _IOWR('D', 56, struct pfioc_states)
1537
/* XXX cut 57 - 57 */
1538
#define        DIOCGETRULESETS        _IOWR('D', 58, struct pfioc_ruleset)
1539
#define        DIOCGETRULESET        _IOWR('D', 59, struct pfioc_ruleset)
1540
#define        DIOCRCLRTABLES        _IOWR('D', 60, struct pfioc_table)
1541
#define        DIOCRADDTABLES        _IOWR('D', 61, struct pfioc_table)
1542
#define        DIOCRDELTABLES        _IOWR('D', 62, struct pfioc_table)
1543
#define        DIOCRGETTABLES        _IOWR('D', 63, struct pfioc_table)
1544
#define        DIOCRGETTSTATS        _IOWR('D', 64, struct pfioc_table)
1545
#define DIOCRCLRTSTATS  _IOWR('D', 65, struct pfioc_table)
1546
#define        DIOCRCLRADDRS        _IOWR('D', 66, struct pfioc_table)
1547
#define        DIOCRADDADDRS        _IOWR('D', 67, struct pfioc_table)
1548
#define        DIOCRDELADDRS        _IOWR('D', 68, struct pfioc_table)
1549
#define        DIOCRSETADDRS        _IOWR('D', 69, struct pfioc_table)
1550
#define        DIOCRGETADDRS        _IOWR('D', 70, struct pfioc_table)
1551
#define        DIOCRGETASTATS        _IOWR('D', 71, struct pfioc_table)
1552
#define DIOCRCLRASTATS  _IOWR('D', 72, struct pfioc_table)
1553
#define        DIOCRTSTADDRS        _IOWR('D', 73, struct pfioc_table)
1554
#define        DIOCRSETTFLAGS        _IOWR('D', 74, struct pfioc_table)
1555
#define DIOCRINADEFINE        _IOWR('D', 77, struct pfioc_table)
1556
#define DIOCOSFPFLUSH        _IO('D', 78)
1557
#define DIOCOSFPADD        _IOWR('D', 79, struct pf_osfp_ioctl)
1558
#define DIOCOSFPGET        _IOWR('D', 80, struct pf_osfp_ioctl)
1559
#define DIOCXBEGIN      _IOWR('D', 81, struct pfioc_trans)
1560
#define DIOCXCOMMIT     _IOWR('D', 82, struct pfioc_trans)
1561
#define DIOCXROLLBACK   _IOWR('D', 83, struct pfioc_trans)
1562
#define DIOCGETSRCNODES        _IOWR('D', 84, struct pfioc_src_nodes)
1563
#define DIOCCLRSRCNODES        _IO('D', 85)
1564
#define DIOCSETHOSTID        _IOWR('D', 86, u_int32_t)
1565
#define DIOCIGETIFACES        _IOWR('D', 87, struct pfioc_iface)
1566
#define DIOCSETIFFLAG        _IOWR('D', 89, struct pfioc_iface)
1567
#define DIOCCLRIFFLAG        _IOWR('D', 90, struct pfioc_iface)
1568
#define DIOCKILLSRCNODES        _IOWR('D', 91, struct pfioc_src_node_kill)
1569
1570
#ifdef _KERNEL
1571
RB_HEAD(pf_src_tree, pf_src_node);
1572
RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare);
1573
extern struct pf_src_tree tree_src_tracking;
1574
1575
RB_HEAD(pf_state_tree_id, pf_state);
1576
RB_PROTOTYPE(pf_state_tree_id, pf_state,
1577
    entry_id, pf_state_compare_id);
1578
extern struct pf_state_tree_id tree_id;
1579
extern struct pf_state_queue state_list;
1580
1581
TAILQ_HEAD(pf_poolqueue, pf_pool);
1582
extern struct pf_poolqueue                  pf_pools[2];
1583
TAILQ_HEAD(pf_altqqueue, pf_altq);
1584
extern struct pf_altqqueue                  pf_altqs[2];
1585
extern struct pf_palist                          pf_pabuf;
1586
1587
extern u_int32_t                 ticket_altqs_active;
1588
extern u_int32_t                 ticket_altqs_inactive;
1589
extern int                         altqs_inactive_open;
1590
extern u_int32_t                 ticket_pabuf;
1591
extern struct pf_altqqueue        *pf_altqs_active;
1592
extern struct pf_altqqueue        *pf_altqs_inactive;
1593
extern struct pf_poolqueue        *pf_pools_active;
1594
extern struct pf_poolqueue        *pf_pools_inactive;
1595
extern int                         pf_tbladdr_setup(struct pf_ruleset *,
1596
                                    struct pf_addr_wrap *);
1597
extern void                         pf_tbladdr_remove(struct pf_addr_wrap *);
1598
extern void                         pf_tbladdr_copyout(struct pf_addr_wrap *);
1599
extern void                         pf_calc_skip_steps(struct pf_rulequeue *);
1600
extern struct pool                 pf_src_tree_pl, pf_rule_pl;
1601
extern struct pool                 pf_state_pl, pf_state_key_pl, pf_altq_pl,
1602
                                    pf_pooladdr_pl;
1603
extern struct pool                 pf_state_scrub_pl;
1604
extern void                         pf_purge_thread(void *);
1605
extern void                         pf_purge_expired_src_nodes(int);
1606
extern void                         pf_purge_expired_states(u_int32_t);
1607
extern void                         pf_unlink_state(struct pf_state *);
1608
extern void                         pf_free_state(struct pf_state *);
1609
extern int                         pf_insert_state(struct pfi_kif *,
1610
                                    struct pf_state *);
1611
extern int                         pf_insert_src_node(struct pf_src_node **,
1612
                                    struct pf_rule *, struct pf_addr *,
1613
                                    sa_family_t);
1614
void                                 pf_src_tree_remove_state(struct pf_state *);
1615
extern struct pf_state                *pf_find_state_byid(struct pf_state_cmp *);
1616
extern struct pf_state                *pf_find_state_all(struct pf_state_key_cmp *,
1617
                                    u_int8_t, int *);
1618
extern void                         pf_print_state(struct pf_state *);
1619
extern void                         pf_print_flags(u_int8_t);
1620
extern u_int16_t                 pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
1621
                                    u_int8_t);
1622
1623
extern struct ifnet                *sync_ifp;
1624
extern struct pf_rule                 pf_default_rule;
1625
extern void                         pf_addrcpy(struct pf_addr *,
1626
                                    const struct pf_addr *, u_int8_t);
1627
void                                 pf_rm_rule(struct pf_rulequeue *,
1628
                                    struct pf_rule *);
1629
1630
#ifdef INET
1631
int        pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *);
1632
#endif /* INET */
1633
1634
#ifdef INET6
1635
int        pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *);
1636
void        pf_poolmask(struct pf_addr *, struct pf_addr*,
1637
            struct pf_addr *, const struct pf_addr *, u_int8_t);
1638
void        pf_addr_inc(struct pf_addr *, sa_family_t);
1639
#endif /* INET6 */
1640
1641
void   *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *,
1642
            sa_family_t);
1643
void        pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t);
1644
int        pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t,
1645
            u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
1646
            struct pf_pdesc *);
1647
int        pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *,
1648
            struct pf_addr *, sa_family_t);
1649
int        pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t);
1650
int        pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
1651
int        pf_match_uid(u_int8_t, uid_t, uid_t, uid_t);
1652
int        pf_match_gid(u_int8_t, gid_t, gid_t, gid_t);
1653
1654
void        pf_normalize_init(void);
1655
#ifdef _MODULE
1656
void        pf_normalize_destroy(void);
1657
#endif /* _MODULE */
1658
int        pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *,
1659
            struct pf_pdesc *);
1660
int        pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *,
1661
            struct pf_pdesc *);
1662
int        pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *,
1663
            struct pf_pdesc *);
1664
void        pf_normalize_tcp_cleanup(struct pf_state *);
1665
int        pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *,
1666
            struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *);
1667
int        pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *,
1668
            u_short *, struct tcphdr *, struct pf_state *,
1669
            struct pf_state_peer *, struct pf_state_peer *, int *);
1670
u_int32_t
1671
        pf_state_expires(const struct pf_state *);
1672
void        pf_purge_expired_fragments(void);
1673
int        pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
1674
int        pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
1675
int        pf_socket_lookup(int, struct pf_pdesc *);
1676
struct pf_state_key *
1677
        pf_alloc_state_key(struct pf_state *);
1678
void        pfr_initialize(void);
1679
#ifdef _MODULE
1680
void        pfr_destroy(void);
1681
#endif /* _MODULE */
1682
int        pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
1683
void        pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
1684
            u_int64_t, int, int, int);
1685
int        pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *,
1686
            struct pf_addr **, struct pf_addr **, sa_family_t);
1687
void        pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *);
1688
struct pfr_ktable *
1689
        pfr_attach_table(struct pf_ruleset *, char *);
1690
void        pfr_detach_table(struct pfr_ktable *);
1691
int        pfr_clr_tables(struct pfr_table *, int *, int);
1692
int        pfr_add_tables(struct pfr_table *, int, int *, int);
1693
int        pfr_del_tables(struct pfr_table *, int, int *, int);
1694
int        pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int);
1695
int        pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int);
1696
int        pfr_clr_tstats(struct pfr_table *, int, int *, int);
1697
int        pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int);
1698
int        pfr_clr_addrs(struct pfr_table *, int *, int);
1699
int        pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long);
1700
int        pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1701
            int);
1702
int        pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1703
            int);
1704
int        pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1705
            int *, int *, int *, int, u_int32_t);
1706
int        pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int);
1707
int        pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int);
1708
int        pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *,
1709
            int);
1710
int        pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *,
1711
            int);
1712
int        pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int);
1713
int        pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int);
1714
int        pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int);
1715
int        pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
1716
            int *, u_int32_t, int);
1717
1718
extern struct pfi_kif                *pfi_all;
1719
1720
void                 pfi_initialize(void);
1721
#ifdef _MODULE
1722
void                 pfi_destroy(void);
1723
#endif /* _MODULE */
1724
struct pfi_kif        *pfi_kif_get(const char *);
1725
void                 pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs);
1726
void                 pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs);
1727
int                 pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
1728
void                 pfi_attach_ifnet(struct ifnet *);
1729
void                 pfi_detach_ifnet(struct ifnet *);
1730
void                 pfi_attach_ifgroup(struct ifg_group *);
1731
void                 pfi_detach_ifgroup(struct ifg_group *);
1732
void                 pfi_group_change(const char *);
1733
int                 pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
1734
                    sa_family_t);
1735
int                 pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
1736
void                 pfi_dynaddr_remove(struct pf_addr_wrap *);
1737
void                 pfi_dynaddr_copyout(struct pf_addr_wrap *);
1738
void                 pfi_fill_oldstatus(struct pf_status *);
1739
int                 pfi_clr_istats(const char *);
1740
int                 pfi_get_ifaces(const char *, struct pfi_kif *, int *);
1741
int                 pfi_set_flags(const char *, int);
1742
int                 pfi_clear_flags(const char *, int);
1743
1744
u_int16_t         pf_tagname2tag(char *);
1745
void                 pf_tag2tagname(u_int16_t, char *);
1746
void                 pf_tag_ref(u_int16_t);
1747
void                 pf_tag_unref(u_int16_t);
1748
int                 pf_tag_packet(struct mbuf *, int, int);
1749
u_int32_t         pf_qname2qid(char *);
1750
void                 pf_qid2qname(u_int32_t, char *);
1751
void                 pf_qid_unref(u_int32_t);
1752
1753
extern struct pf_status        pf_status;
1754
extern struct pool        pf_frent_pl, pf_frag_pl;
1755
#ifdef __NetBSD__
1756
extern krwlock_t        pf_consistency_lock;
1757
#else
1758
extern struct rwlock        pf_consistency_lock;
1759
#endif /* !__NetBSD__ */
1760
1761
struct pf_pool_limit {
1762
        void                *pp;
1763
        unsigned         limit;
1764
};
1765
extern struct pf_pool_limit        pf_pool_limits[PF_LIMIT_MAX];
1766
1767
/*
1768
 * misc compatibility definitions
1769
 */
1770
#if !defined(PRIu32)
1771
#define        PRIu32        "u"        /* XXX */
1772
#endif
1773
1774
#if !defined(NO_PID)
1775
#define NO_PID                (PID_MAX + 1)
1776
#endif
1777
1778
#if defined(__NetBSD__)
1779
/* rwlock compatibility definitions */
1780
#define rw_enter_write(a)        rw_enter((a), (RW_WRITER))
1781
#define rw_exit_write(a)        rw_exit((a))
1782
#define rw_enter_read(a)        rw_enter((a), (RW_READER))
1783
#define rw_exit_read(a)                rw_exit((a))
1784
#endif /* __NetBSD__ */
1785
1786
#endif /* _KERNEL */
1787
1788
extern struct pf_anchor_global  pf_anchors;
1789
extern struct pf_anchor        pf_main_anchor;
1790
#define pf_main_ruleset        pf_main_anchor.ruleset
1791
1792
/* these ruleset functions can be linked into userland programs (pfctl) */
1793
int                         pf_get_ruleset_number(u_int8_t);
1794
void                         pf_init_ruleset(struct pf_ruleset *);
1795
int                         pf_anchor_setup(struct pf_rule *,
1796
                            const struct pf_ruleset *, const char *);
1797
int                         pf_anchor_copyout(const struct pf_ruleset *,
1798
                            const struct pf_rule *, struct pfioc_rule *);
1799
void                         pf_anchor_remove(struct pf_rule *);
1800
void                         pf_remove_if_empty_ruleset(struct pf_ruleset *);
1801
struct pf_anchor        *pf_find_anchor(const char *);
1802
struct pf_ruleset        *pf_find_ruleset(const char *);
1803
struct pf_ruleset        *pf_find_or_create_ruleset(const char *);
1804
void                         pf_rs_initialize(void);
1805
1806
#ifdef _KERNEL
1807
int                         pf_anchor_copyout(const struct pf_ruleset *,
1808
                            const struct pf_rule *, struct pfioc_rule *);
1809
void                         pf_anchor_remove(struct pf_rule *);
1810
1811
#endif /* _KERNEL */
1812
1813
/* The fingerprint functions can be linked into userland programs (tcpdump) */
1814
int        pf_osfp_add(struct pf_osfp_ioctl *);
1815
#ifdef _KERNEL
1816
struct pf_osfp_enlist *
1817
        pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int,
1818
            const struct tcphdr *);
1819
#endif /* _KERNEL */
1820
struct pf_osfp_enlist *
1821
        pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *,
1822
            const struct tcphdr *);
1823
void        pf_osfp_flush(void);
1824
int        pf_osfp_get(struct pf_osfp_ioctl *);
1825
void        pf_osfp_initialize(void);
1826
#ifdef _MODULE
1827
void        pf_osfp_destroy(void);
1828
#endif /* _MODULE */
1829
int        pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
1830
struct pf_os_fingerprint *
1831
        pf_osfp_validate(void);
1832
1833
1834
#endif /* _NET_PFVAR_H_ */