pfvar.h (240736) pfvar.h (257186)
1/*
2 * Copyright (c) 2001 Daniel Hartmeier
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *

--- 13 unchanged lines hidden (view full) ---

22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
1/*
2 * Copyright (c) 2001 Daniel Hartmeier
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 *

--- 13 unchanged lines hidden (view full) ---

22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
28 *
29 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
30 * $FreeBSD: head/sys/net/pfvar.h 240736 2012-09-20 06:52:05Z glebius $
30 * $FreeBSD: head/sys/net/pfvar.h 257186 2013-10-26 18:59:58Z glebius $
31 */
32
33#ifndef _NET_PFVAR_H_
34#define _NET_PFVAR_H_
35
36#include <sys/param.h>
37#include <sys/queue.h>
38#include <sys/refcount.h>
39#include <sys/tree.h>
40
41#include <net/radix.h>
42#include <netinet/in.h>
43
31 */
32
33#ifndef _NET_PFVAR_H_
34#define _NET_PFVAR_H_
35
36#include <sys/param.h>
37#include <sys/queue.h>
38#include <sys/refcount.h>
39#include <sys/tree.h>
40
41#include <net/radix.h>
42#include <netinet/in.h>
43
44#include <net/pf.h>
45#include <net/pf_altq.h>
44#include <net/pf_mtag.h>
45
46#include <net/pf_mtag.h>
47
46#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
47#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
48
49#define PF_MD5_DIGEST_LENGTH 16
50#ifdef MD5_DIGEST_LENGTH
51#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
52#error
53#endif
54#endif
55
56enum { PF_INOUT, PF_IN, PF_OUT };
57enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
58 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
59enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
60 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
61enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
62 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
63enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
64enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
65 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
66 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
67enum { PF_GET_NONE, PF_GET_CLR_CNTR };
68enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
69
70/*
71 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
72 * PFTM_MAX, special cases afterwards. See pf_state_expires().
73 */
74enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
75 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
76 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
77 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
78 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
79 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
80 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
81 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
82 PFTM_UNTIL_PACKET };
83
84/* PFTM default values */
85#define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
86#define PFTM_TCP_OPENING_VAL 30 /* No response yet */
87#define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
88#define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
89#define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
90#define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
91#define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
92#define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
93#define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
94#define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
95#define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
96#define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
97#define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
98#define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
99#define PFTM_FRAG_VAL 30 /* Fragment expire */
100#define PFTM_INTERVAL_VAL 10 /* Expire interval */
101#define PFTM_SRC_NODE_VAL 0 /* Source tracking */
102#define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
103
104enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
105enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
106 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
107#define PF_POOL_IDMASK 0x0f
108enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
109 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
110enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
111 PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
112 PF_ADDR_RANGE };
113#define PF_POOL_TYPEMASK 0x0f
114#define PF_POOL_STICKYADDR 0x20
115#define PF_WSCALE_FLAG 0x80
116#define PF_WSCALE_MASK 0x0f
117
118#define PF_LOG 0x01
119#define PF_LOG_ALL 0x02
120#define PF_LOG_SOCKET_LOOKUP 0x04
121
122struct pf_addr {
123 union {
124 struct in_addr v4;
125 struct in6_addr v6;
126 u_int8_t addr8[16];
127 u_int16_t addr16[8];
128 u_int32_t addr32[4];
129 } pfa; /* 128-bit address */
130#define v4 pfa.v4
131#define v6 pfa.v6
132#define addr8 pfa.addr8
133#define addr16 pfa.addr16
134#define addr32 pfa.addr32
135};
136
48struct pf_addr {
49 union {
50 struct in_addr v4;
51 struct in6_addr v6;
52 u_int8_t addr8[16];
53 u_int16_t addr16[8];
54 u_int32_t addr32[4];
55 } pfa; /* 128-bit address */
56#define v4 pfa.v4
57#define v6 pfa.v6
58#define addr8 pfa.addr8
59#define addr16 pfa.addr16
60#define addr32 pfa.addr32
61};
62
137#define PF_TABLE_NAME_SIZE 32
138
139#define PFI_AFLAG_NETWORK 0x01
140#define PFI_AFLAG_BROADCAST 0x02
141#define PFI_AFLAG_PEER 0x04
142#define PFI_AFLAG_MODEMASK 0x07
143#define PFI_AFLAG_NOALIAS 0x08
144
145struct pf_addr_wrap {
146 union {

--- 412 unchanged lines hidden (view full) ---

559#define PF_SKIP_SRC_ADDR 4
560#define PF_SKIP_SRC_PORT 5
561#define PF_SKIP_DST_ADDR 6
562#define PF_SKIP_DST_PORT 7
563#define PF_SKIP_COUNT 8
564 union pf_rule_ptr skip[PF_SKIP_COUNT];
565#define PF_RULE_LABEL_SIZE 64
566 char label[PF_RULE_LABEL_SIZE];
63#define PFI_AFLAG_NETWORK 0x01
64#define PFI_AFLAG_BROADCAST 0x02
65#define PFI_AFLAG_PEER 0x04
66#define PFI_AFLAG_MODEMASK 0x07
67#define PFI_AFLAG_NOALIAS 0x08
68
69struct pf_addr_wrap {
70 union {

--- 412 unchanged lines hidden (view full) ---

483#define PF_SKIP_SRC_ADDR 4
484#define PF_SKIP_SRC_PORT 5
485#define PF_SKIP_DST_ADDR 6
486#define PF_SKIP_DST_PORT 7
487#define PF_SKIP_COUNT 8
488 union pf_rule_ptr skip[PF_SKIP_COUNT];
489#define PF_RULE_LABEL_SIZE 64
490 char label[PF_RULE_LABEL_SIZE];
567#define PF_QNAME_SIZE 64
568 char ifname[IFNAMSIZ];
569 char qname[PF_QNAME_SIZE];
570 char pqname[PF_QNAME_SIZE];
571#define PF_TAG_NAME_SIZE 64
572 char tagname[PF_TAG_NAME_SIZE];
573 char match_tagname[PF_TAG_NAME_SIZE];
574
575 char overload_tblname[PF_TABLE_NAME_SIZE];

--- 614 unchanged lines hidden (view full) ---

1190 u_int8_t sidx; /* key index for source */
1191 u_int8_t didx; /* key index for destination */
1192};
1193
1194/* flags for RDR options */
1195#define PF_DPORT_RANGE 0x01 /* Dest port uses range */
1196#define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
1197
491 char ifname[IFNAMSIZ];
492 char qname[PF_QNAME_SIZE];
493 char pqname[PF_QNAME_SIZE];
494#define PF_TAG_NAME_SIZE 64
495 char tagname[PF_TAG_NAME_SIZE];
496 char match_tagname[PF_TAG_NAME_SIZE];
497
498 char overload_tblname[PF_TABLE_NAME_SIZE];

--- 614 unchanged lines hidden (view full) ---

1113 u_int8_t sidx; /* key index for source */
1114 u_int8_t didx; /* key index for destination */
1115};
1116
1117/* flags for RDR options */
1118#define PF_DPORT_RANGE 0x01 /* Dest port uses range */
1119#define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
1120
1198/* Reasons code for passing/dropping a packet */
1199#define PFRES_MATCH 0 /* Explicit match of a rule */
1200#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
1201#define PFRES_FRAG 2 /* Dropping following fragment */
1202#define PFRES_SHORT 3 /* Dropping short packet */
1203#define PFRES_NORM 4 /* Dropping by normalizer */
1204#define PFRES_MEMORY 5 /* Dropped due to lacking mem */
1205#define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
1206#define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
1207#define PFRES_IPOPTIONS 8 /* IP option */
1208#define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
1209#define PFRES_BADSTATE 10 /* State mismatch */
1210#define PFRES_STATEINS 11 /* State insertion failure */
1211#define PFRES_MAXSTATES 12 /* State limit */
1212#define PFRES_SRCLIMIT 13 /* Source node/conn limit */
1213#define PFRES_SYNPROXY 14 /* SYN proxy */
1214#define PFRES_MAX 15 /* total+1 */
1215
1216#define PFRES_NAMES { \
1217 "match", \
1218 "bad-offset", \
1219 "fragment", \
1220 "short", \
1221 "normalize", \
1222 "memory", \
1223 "bad-timestamp", \
1224 "congestion", \
1225 "ip-option", \
1226 "proto-cksum", \
1227 "state-mismatch", \
1228 "state-insert", \
1229 "state-limit", \
1230 "src-limit", \
1231 "synproxy", \
1232 NULL \
1233}
1234
1235/* Counters for other things we want to keep track of */
1236#define LCNT_STATES 0 /* states */
1237#define LCNT_SRCSTATES 1 /* max-src-states */
1238#define LCNT_SRCNODES 2 /* max-src-nodes */
1239#define LCNT_SRCCONN 3 /* max-src-conn */
1240#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
1241#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
1242#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */

--- 74 unchanged lines hidden (view full) ---

1317 u_int32_t src_nodes;
1318 u_int32_t since;
1319 u_int32_t debug;
1320 u_int32_t hostid;
1321 char ifname[IFNAMSIZ];
1322 u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
1323};
1324
1121/* Counters for other things we want to keep track of */
1122#define LCNT_STATES 0 /* states */
1123#define LCNT_SRCSTATES 1 /* max-src-states */
1124#define LCNT_SRCNODES 2 /* max-src-nodes */
1125#define LCNT_SRCCONN 3 /* max-src-conn */
1126#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
1127#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
1128#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */

--- 74 unchanged lines hidden (view full) ---

1203 u_int32_t src_nodes;
1204 u_int32_t since;
1205 u_int32_t debug;
1206 u_int32_t hostid;
1207 char ifname[IFNAMSIZ];
1208 u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
1209};
1210
1325struct cbq_opts {
1326 u_int minburst;
1327 u_int maxburst;
1328 u_int pktsize;
1329 u_int maxpktsize;
1330 u_int ns_per_byte;
1331 u_int maxidle;
1332 int minidle;
1333 u_int offtime;
1334 int flags;
1335};
1336
1337struct priq_opts {
1338 int flags;
1339};
1340
1341struct hfsc_opts {
1342 /* real-time service curve */
1343 u_int rtsc_m1; /* slope of the 1st segment in bps */
1344 u_int rtsc_d; /* the x-projection of m1 in msec */
1345 u_int rtsc_m2; /* slope of the 2nd segment in bps */
1346 /* link-sharing service curve */
1347 u_int lssc_m1;
1348 u_int lssc_d;
1349 u_int lssc_m2;
1350 /* upper-limit service curve */
1351 u_int ulsc_m1;
1352 u_int ulsc_d;
1353 u_int ulsc_m2;
1354 int flags;
1355};
1356
1357struct pf_altq {
1358 char ifname[IFNAMSIZ];
1359
1360 void *altq_disc; /* discipline-specific state */
1361 TAILQ_ENTRY(pf_altq) entries;
1362
1363 /* scheduler spec */
1364 u_int8_t scheduler; /* scheduler type */
1365 u_int16_t tbrsize; /* tokenbucket regulator size */
1366 u_int32_t ifbandwidth; /* interface bandwidth */
1367
1368 /* queue spec */
1369 char qname[PF_QNAME_SIZE]; /* queue name */
1370 char parent[PF_QNAME_SIZE]; /* parent name */
1371 u_int32_t parent_qid; /* parent queue id */
1372 u_int32_t bandwidth; /* queue bandwidth */
1373 u_int8_t priority; /* priority */
1374 u_int8_t local_flags; /* dynamic interface */
1375#define PFALTQ_FLAG_IF_REMOVED 0x01
1376
1377 u_int16_t qlimit; /* queue size limit */
1378 u_int16_t flags; /* misc flags */
1379 union {
1380 struct cbq_opts cbq_opts;
1381 struct priq_opts priq_opts;
1382 struct hfsc_opts hfsc_opts;
1383 } pq_u;
1384
1385 u_int32_t qid; /* return value */
1386};
1387
1388struct pf_divert {
1389 union {
1390 struct in_addr ipv4;
1391 struct in6_addr ipv6;
1392 } addr;
1393 u_int16_t port;
1394};
1395

--- 548 unchanged lines hidden ---
1211struct pf_divert {
1212 union {
1213 struct in_addr ipv4;
1214 struct in6_addr ipv6;
1215 } addr;
1216 u_int16_t port;
1217};
1218

--- 548 unchanged lines hidden ---
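Review bot: The compile-time guard `#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH` / `#error` that sat beside `#define PF_MD5_DIGEST_LENGTH 16` on the old side (old lines 49-54) is gone from pfvar.h, yet the new side still declares `u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];` at new line 1208. net/pf.h is not visible here; if the define moved there without that guard, a mismatch against <sys/md5.h>'s MD5_DIGEST_LENGTH is no longer caught at build time and the ruleset digest written into `pf_chksum` could overrun the array, so please confirm the guard moved with the define or restore it next to this consumer. Likewise `PF_QNAME_SIZE` (used at new lines 492-493) and `PF_TABLE_NAME_SIZE` (new line 498) are used but no longer defined in this file, so they presumably now come from the newly included net/pf.h or net/pf_altq.h. A one-line comment at the include block would spare the next reader the hunt, e.g. `/* PF_*_SIZE and PF_MD5_DIGEST_LENGTH now live in net/pf.h and net/pf_altq.h */`.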