1/* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 130613 2004-06-16 23:24:02Z mlaier $ */ 2/* $OpenBSD: pfvar.h,v 1.187 2004/03/22 04:54:18 mcbride Exp $ */ |
3 4/* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 51 unchanged lines hidden (view full) --- 62#include <netinet/tcp_fsm.h> 63 64struct ip; 65 66#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 67#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 68 69enum { PF_INOUT, PF_IN, PF_OUT }; |
70enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID }; |
71enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT, 72 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; 73enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 74 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 75enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 76 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 77enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 78enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, --- 4 unchanged lines hidden (view full) --- 83 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 84 */ 85enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 86 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 87 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 88 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 89 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 90 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, |
91 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, 92 PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET }; |
93enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; |
94enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX }; |
95#define PF_POOL_IDMASK 0x0f 96enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 97 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 98enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 99 PF_ADDR_TABLE }; 100#define PF_POOL_TYPEMASK 0x0f |
101#define PF_POOL_STICKYADDR 0x20 |
102#define PF_WSCALE_FLAG 0x80 103#define PF_WSCALE_MASK 0x0f 104 105struct pf_addr { 106 union { 107 struct in_addr v4; 108 struct in6_addr v6; 109 u_int8_t addr8[16]; --- 4 unchanged lines hidden (view full) --- 114#define v6 pfa.v6 115#define addr8 pfa.addr8 116#define addr16 pfa.addr16 117#define addr32 pfa.addr32 118}; 119 120#define PF_TABLE_NAME_SIZE 32 121 |
122#define PFI_AFLAG_NETWORK 0x01 123#define PFI_AFLAG_BROADCAST 0x02 124#define PFI_AFLAG_PEER 0x04 125#define PFI_AFLAG_MODEMASK 0x07 126#define PFI_AFLAG_NOALIAS 0x08 127 |
128struct pf_addr_wrap { 129 union { 130 struct { 131 struct pf_addr addr; 132 struct pf_addr mask; 133 } a; 134 char ifname[IFNAMSIZ]; 135 char tblname[PF_TABLE_NAME_SIZE]; 136 } v; 137 union { |
138 struct pfi_dynaddr *dyn; |
139 struct pfr_ktable *tbl; |
140 int dyncnt; |
141 int tblcnt; 142 } p; 143 u_int8_t type; /* PF_ADDR_* */ |
144 u_int8_t iflags; /* PFI_AFLAG_* */ |
145}; 146 147#ifdef _KERNEL 148 |
149struct pfi_dynaddr { 150 struct pf_addr pfid_addr4; 151 struct pf_addr pfid_mask4; 152 struct pf_addr pfid_addr6; 153 struct pf_addr pfid_mask6; 154 struct pfr_ktable *pfid_kt; 155 struct pfi_kif *pfid_kif; 156 void *pfid_hook_cookie; 157 int pfid_net; /* optional mask, or 128 */ 158 int pfid_acnt4; /* address count, IPv4 */ 159 int pfid_acnt6; /* address count, IPv6 */ 160 sa_family_t pfid_af; /* rule address family */ 161 u_int8_t pfid_iflags; /* PFI_AFLAG_* */ |
162}; 163 164/* 165 * Address manipulation macros 166 */ 167 168#ifdef __FreeBSD__ 169#define splsoftnet() splnet() --- 49 unchanged lines hidden (view full) --- 219#define PFSYNC_MODVER 1 220 221#define PFLOG_MINVER 1 222#define PFLOG_PREFVER PFLOG_MODVER 223#define PFLOG_MAXVER 1 224#define PFSYNC_MINVER 1 225#define PFSYNC_PREFVER PFSYNC_MODVER 226#define PFSYNC_MAXVER 1 |
227 |
228/* prototyped for pf_subr.c */ 229struct hook_desc { 230 TAILQ_ENTRY(hook_desc) hd_list; 231 void (*hd_fn)(void *); 232 void *hd_arg; 233}; 234TAILQ_HEAD(hook_desc_head, hook_desc); 235 236void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *); 237void hook_disestablish(struct hook_desc_head *, void *); 238void dohooks(struct hook_desc_head *, int); 239 240#define HOOK_REMOVE 0x01 241#define HOOK_FREE 0x02 242#endif /* __FreeBSD__ */ 243 |
244#ifdef INET 245#ifndef INET6 246#define PF_INET_ONLY 247#endif /* ! INET6 */ 248#endif /* INET */ 249 250#ifdef INET6 251#ifndef INET --- 120 unchanged lines hidden (view full) --- 372 373#define PF_MISMATCHAW(aw, x, af, not) \ 374 ( \ 375 (((aw)->type == PF_ADDR_NOROUTE && \ 376 pf_routable((x), (af))) || \ 377 ((aw)->type == PF_ADDR_TABLE && \ 378 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 379 ((aw)->type == PF_ADDR_DYNIFTL && \ |
380 !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ |
381 ((aw)->type == PF_ADDR_ADDRMASK && \ 382 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 383 !PF_MATCHA(0, &(aw)->v.a.addr, \ 384 &(aw)->v.a.mask, (x), (af)))) != \ 385 (not) \ 386 ) 387 388struct pf_rule_uid { --- 12 unchanged lines hidden (view full) --- 401 u_int8_t not; 402 u_int8_t port_op; 403}; 404 405struct pf_pooladdr { 406 struct pf_addr_wrap addr; 407 TAILQ_ENTRY(pf_pooladdr) entries; 408 char ifname[IFNAMSIZ]; |
409 struct pfi_kif *kif; |
410}; 411 412TAILQ_HEAD(pf_palist, pf_pooladdr); 413 414struct pf_poolhashkey { 415 union { 416 u_int8_t key8[16]; 417 u_int16_t key16[8]; --- 132 unchanged lines hidden (view full) --- 550#define PF_SKIP_SRC_ADDR 4 551#define PF_SKIP_SRC_PORT 5 552#define PF_SKIP_DST_ADDR 6 553#define PF_SKIP_DST_PORT 7 554#define PF_SKIP_COUNT 8 555 union pf_rule_ptr skip[PF_SKIP_COUNT]; 556#define PF_RULE_LABEL_SIZE 64 557 char label[PF_RULE_LABEL_SIZE]; |
558#define PF_QNAME_SIZE 16 559 char ifname[IFNAMSIZ]; 560 char qname[PF_QNAME_SIZE]; 561 char pqname[PF_QNAME_SIZE]; 562#define PF_ANCHOR_NAME_SIZE 16 563 char anchorname[PF_ANCHOR_NAME_SIZE]; 564#define PF_TAG_NAME_SIZE 16 565 char tagname[PF_TAG_NAME_SIZE]; 566 char match_tagname[PF_TAG_NAME_SIZE]; 567 568 TAILQ_ENTRY(pf_rule) entries; 569 struct pf_pool rpool; 570 571 u_int64_t evaluations; 572 u_int64_t packets; 573 u_int64_t bytes; 574 |
575 struct pfi_kif *kif; |
576 struct pf_anchor *anchor; 577 578 pf_osfp_t os_fingerprint; |
579 580 u_int32_t timeout[PFTM_MAX]; |
581 u_int32_t states; 582 u_int32_t max_states; |
583 u_int32_t src_nodes; 584 u_int32_t max_src_nodes; 585 u_int32_t max_src_states; |
586 u_int32_t qid; 587 u_int32_t pqid; 588 u_int32_t rt_listid; 589 u_int32_t nr; 590 591 u_int16_t return_icmp; 592 u_int16_t return_icmp6; 593 u_int16_t max_mss; --- 30 unchanged lines hidden (view full) --- 624}; 625 626/* rule flags */ 627#define PFRULE_DROP 0x0000 628#define PFRULE_RETURNRST 0x0001 629#define PFRULE_FRAGMENT 0x0002 630#define PFRULE_RETURNICMP 0x0004 631#define PFRULE_RETURN 0x0008 |
632#define PFRULE_NOSYNC 0x0010 633#define PFRULE_SRCTRACK 0x0020 /* track source states */ 634#define PFRULE_RULESRCTRACK 0x0040 /* per rule */ |
635 636/* scrub flags */ 637#define PFRULE_NODF 0x0100 638#define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ 639#define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ 640#define PFRULE_RANDOMID 0x0800 641#define PFRULE_REASSEMBLE_TCP 0x1000 642 |
643/* rule flags again */ 644#define PFRULE_IFBOUND 0x00010000 /* if-bound */ 645#define PFRULE_GRBOUND 0x00020000 /* group-bound */ 646 |
647#define PFSTATE_HIWAT 10000 /* default state table size */ 648 |
649struct pf_src_node { 650 RB_ENTRY(pf_src_node) entry; 651 struct pf_addr addr; 652 struct pf_addr raddr; 653 union pf_rule_ptr rule; 654 struct pfi_kif *kif; 655 u_int32_t bytes; 656 u_int32_t packets; 657 u_int32_t states; 658 u_int32_t creation; 659 u_int32_t expire; 660 sa_family_t af; 661 u_int8_t ruletype; 662}; |
663 |
664#define PFSNODE_HIWAT 10000 /* default source node table size */ 665 |
666struct pf_state_scrub { 667 u_int16_t pfss_flags; 668#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 669 u_int8_t pfss_ttl; /* stashed TTL */ 670 u_int8_t pad; 671 u_int32_t pfss_ts_mod; /* timestamp modulation */ 672}; 673 --- 9 unchanged lines hidden (view full) --- 683 u_int32_t seqdiff; /* Sequence number modulator */ 684 u_int16_t max_win; /* largest window (pre scaling) */ 685 u_int8_t state; /* active state level */ 686 u_int8_t wscale; /* window scaling factor */ 687 u_int16_t mss; /* Maximum segment size option */ 688 struct pf_state_scrub *scrub; /* state is scrubbed */ 689}; 690 |
691TAILQ_HEAD(pf_state_queue, pf_state); 692 |
693struct pf_state { |
694 u_int64_t id; 695 union { 696 struct { 697 RB_ENTRY(pf_state) entry_lan_ext; 698 RB_ENTRY(pf_state) entry_ext_gwy; 699 RB_ENTRY(pf_state) entry_id; 700 TAILQ_ENTRY(pf_state) entry_updates; 701 struct pfi_kif *kif; 702 } s; 703 char ifname[IFNAMSIZ]; 704 } u; |
705 struct pf_state_host lan; 706 struct pf_state_host gwy; 707 struct pf_state_host ext; 708 struct pf_state_peer src; 709 struct pf_state_peer dst; 710 union pf_rule_ptr rule; 711 union pf_rule_ptr anchor; 712 union pf_rule_ptr nat_rule; 713 struct pf_addr rt_addr; |
714 struct pfi_kif *rt_kif; 715 struct pf_src_node *src_node; 716 struct pf_src_node *nat_src_node; |
717 u_int32_t creation; 718 u_int32_t expire; |
719 u_int32_t pfsync_time; |
720 u_int32_t packets[2]; 721 u_int32_t bytes[2]; |
722 u_int32_t creatorid; |
723 sa_family_t af; 724 u_int8_t proto; 725 u_int8_t direction; 726 u_int8_t log; 727 u_int8_t allow_opts; 728 u_int8_t timeout; |
729 u_int8_t sync_flags; 730#define PFSTATE_NOSYNC 0x01 731#define PFSTATE_FROMSYNC 0x02 732 u_int8_t pad; |
733}; 734 |
735TAILQ_HEAD(pf_rulequeue, pf_rule); 736 737struct pf_anchor; 738 739struct pf_ruleset { 740 TAILQ_ENTRY(pf_ruleset) entries; 741#define PF_RULESET_NAME_SIZE 16 742 char name[PF_RULESET_NAME_SIZE]; 743 struct { 744 struct pf_rulequeue queues[2]; 745 struct { 746 struct pf_rulequeue *ptr; 747 u_int32_t ticket; |
748 int open; |
749 } active, inactive; 750 } rules[PF_RULESET_MAX]; 751 struct pf_anchor *anchor; 752 u_int32_t tticket; 753 int tables; 754 int topen; 755}; 756 757TAILQ_HEAD(pf_rulesetqueue, pf_ruleset); 758 759struct pf_anchor { 760 TAILQ_ENTRY(pf_anchor) entries; 761 char name[PF_ANCHOR_NAME_SIZE]; 762 struct pf_rulesetqueue rulesets; 763 int tables; 764}; 765 766TAILQ_HEAD(pf_anchorqueue, pf_anchor); 767 |
768#define PF_RESERVED_ANCHOR "_pf" 769#define PF_INTERFACE_RULESET "_if" 770 |
771#define PFR_TFLAG_PERSIST 0x00000001 772#define PFR_TFLAG_CONST 0x00000002 773#define PFR_TFLAG_ACTIVE 0x00000004 774#define PFR_TFLAG_INACTIVE 0x00000008 775#define PFR_TFLAG_REFERENCED 0x00000010 776#define PFR_TFLAG_REFDANCHOR 0x00000020 777#define PFR_TFLAG_USRMASK 0x00000003 778#define PFR_TFLAG_SETMASK 0x0000003C --- 70 unchanged lines hidden (view full) --- 849 struct pfr_tstats pfrkt_ts; 850 RB_ENTRY(pfr_ktable) pfrkt_tree; 851 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 852 struct radix_node_head *pfrkt_ip4; 853 struct radix_node_head *pfrkt_ip6; 854 struct pfr_ktable *pfrkt_shadow; 855 struct pfr_ktable *pfrkt_root; 856 struct pf_ruleset *pfrkt_rs; |
857 long pfrkt_larg; |
858 int pfrkt_nflags; 859}; 860#define pfrkt_t pfrkt_ts.pfrts_t 861#define pfrkt_name pfrkt_t.pfrt_name |
862#define pfrkt_anchor pfrkt_t.pfrt_anchor 863#define pfrkt_ruleset pfrkt_t.pfrt_ruleset |
864#define pfrkt_flags pfrkt_t.pfrt_flags 865#define pfrkt_cnt pfrkt_ts.pfrts_cnt 866#define pfrkt_refcnt pfrkt_ts.pfrts_refcnt 867#define pfrkt_packets pfrkt_ts.pfrts_packets 868#define pfrkt_bytes pfrkt_ts.pfrts_bytes 869#define pfrkt_match pfrkt_ts.pfrts_match 870#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch 871#define pfrkt_tzero pfrkt_ts.pfrts_tzero 872 |
873RB_HEAD(pf_state_tree_lan_ext, pf_state); 874RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state, 875 u.s.entry_lan_ext, pf_state_compare_lan_ext); 876 877RB_HEAD(pf_state_tree_ext_gwy, pf_state); 878RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state, 879 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 880 881struct pfi_if { 882 char pfif_name[IFNAMSIZ]; 883 u_int64_t pfif_packets[2][2][2]; 884 u_int64_t pfif_bytes[2][2][2]; 885 u_int64_t pfif_addcnt; 886 u_int64_t pfif_delcnt; 887 long pfif_tzero; 888 int pfif_states; 889 int pfif_rules; 890 int pfif_flags; 891}; 892 893TAILQ_HEAD(pfi_grouphead, pfi_kif); 894TAILQ_HEAD(pfi_statehead, pfi_kif); 895RB_HEAD(pfi_ifhead, pfi_kif); 896struct pfi_kif { 897 struct pfi_if pfik_if; 898 RB_ENTRY(pfi_kif) pfik_tree; 899 struct pf_state_tree_lan_ext pfik_lan_ext; 900 struct pf_state_tree_ext_gwy pfik_ext_gwy; 901 struct pfi_grouphead pfik_grouphead; 902 TAILQ_ENTRY(pfi_kif) pfik_instances; 903 TAILQ_ENTRY(pfi_kif) pfik_w_states; 904 struct hook_desc_head *pfik_ah_head; 905 void *pfik_ah_cookie; 906 struct pfi_kif *pfik_parent; 907 struct ifnet *pfik_ifp; 908 int pfik_states; 909 int pfik_rules; 910}; 911#define pfik_name pfik_if.pfif_name 912#define pfik_packets pfik_if.pfif_packets 913#define pfik_bytes pfik_if.pfif_bytes 914#define pfik_tzero pfik_if.pfif_tzero 915#define pfik_flags pfik_if.pfif_flags 916#define pfik_addcnt pfik_if.pfif_addcnt 917#define pfik_delcnt pfik_if.pfif_delcnt 918#define pfik_states pfik_if.pfif_states 919#define pfik_rules pfik_if.pfif_rules 920 921#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ 922#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ 923#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ 924#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ 925#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */ 926#define PFI_IFLAG_PLACEHOLDER 0x8000 /* placeholder group/interface */ 927 |
928struct pf_pdesc { 929 u_int64_t tot_len; /* Make Mickey money */ 930 union { 931 struct tcphdr *tcp; 932 struct udphdr *udp; 933 struct icmp *icmp; 934#ifdef INET6 935 struct icmp6_hdr *icmp6; 936#endif /* INET6 */ 937 void *any; 938 } hdr; |
939 struct pf_addr baddr; /* address before translation */ 940 struct pf_addr naddr; /* address after translation */ 941 struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */ |
942 struct pf_addr *src; 943 struct pf_addr *dst; 944 u_int16_t *ip_sum; 945 u_int32_t p_len; /* total length of payload */ 946 u_int16_t flags; /* Let SCRUB trigger behavior in 947 * state code. Easier than tags */ 948#define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 949 sa_family_t af; --- 52 unchanged lines hidden (view full) --- 1002 NULL \ 1003} 1004 1005#define FCNT_STATE_SEARCH 0 1006#define FCNT_STATE_INSERT 1 1007#define FCNT_STATE_REMOVALS 2 1008#define FCNT_MAX 3 1009 |
1010#define SCNT_SRC_NODE_SEARCH 0 1011#define SCNT_SRC_NODE_INSERT 1 1012#define SCNT_SRC_NODE_REMOVALS 2 1013#define SCNT_MAX 3 |
1014 1015#define ACTION_SET(a, x) \ 1016 do { \ 1017 if ((a) != NULL) \ 1018 *(a) = (x); \ 1019 } while (0) 1020 1021#define REASON_SET(a, x) \ 1022 do { \ 1023 if ((a) != NULL) \ 1024 *(a) = (x); \ 1025 if (x < PFRES_MAX) \ 1026 pf_status.counters[x]++; \ 1027 } while (0) 1028 1029struct pf_status { 1030 u_int64_t counters[PFRES_MAX]; 1031 u_int64_t fcounters[FCNT_MAX]; |
1032 u_int64_t scounters[SCNT_MAX]; |
1033 u_int64_t pcounters[2][2][3]; 1034 u_int64_t bcounters[2][2]; |
1035 u_int64_t stateid; |
1036 u_int32_t running; 1037 u_int32_t states; |
1038 u_int32_t src_nodes; |
1039 u_int32_t since; 1040 u_int32_t debug; |
1041 u_int32_t hostid; |
1042 char ifname[IFNAMSIZ]; 1043}; 1044 1045struct cbq_opts { 1046 u_int minburst; 1047 u_int maxburst; 1048 u_int pktsize; 1049 u_int maxpktsize; --- 115 unchanged lines hidden (view full) --- 1165}; 1166 1167struct pfioc_state_kill { 1168 /* XXX returns the number of states killed in psk_af */ 1169 sa_family_t psk_af; 1170 int psk_proto; 1171 struct pf_rule_addr psk_src; 1172 struct pf_rule_addr psk_dst; |
1173 char psk_ifname[IFNAMSIZ]; |
1174}; 1175 1176struct pfioc_states { 1177 int ps_len; 1178 union { 1179 caddr_t psu_buf; 1180 struct pf_state *psu_states; 1181 } ps_u; 1182#define ps_buf ps_u.psu_buf 1183#define ps_states ps_u.psu_states 1184}; 1185 |
1186struct pfioc_src_nodes { 1187 int psn_len; 1188 union { 1189 caddr_t psu_buf; 1190 struct pf_src_node *psu_src_nodes; 1191 } psn_u; 1192#define psn_buf psn_u.psu_buf 1193#define psn_src_nodes psn_u.psu_src_nodes 1194}; 1195 |
1196struct pfioc_if { 1197 char ifname[IFNAMSIZ]; 1198}; 1199 1200struct pfioc_tm { 1201 int timeout; 1202 int seconds; 1203}; --- 24 unchanged lines hidden (view full) --- 1228}; 1229 1230struct pfioc_ruleset { 1231 u_int32_t nr; 1232 char anchor[PF_ANCHOR_NAME_SIZE]; 1233 char name[PF_RULESET_NAME_SIZE]; 1234}; 1235 |
1236#define PF_RULESET_ALTQ (PF_RULESET_MAX) 1237#define PF_RULESET_TABLE (PF_RULESET_MAX+1) 1238struct pfioc_trans { 1239 int size; /* number of elements */ 1240 int esize; /* size of each element in bytes */ 1241 struct pfioc_trans_e { 1242 int rs_num; 1243 char anchor[PF_ANCHOR_NAME_SIZE]; 1244 char ruleset[PF_RULESET_NAME_SIZE]; 1245 u_int32_t ticket; 1246 } *array; 1247}; 1248 |
1249#define PFR_FLAG_ATOMIC 0x00000001 1250#define PFR_FLAG_DUMMY 0x00000002 1251#define PFR_FLAG_FEEDBACK 0x00000004 1252#define PFR_FLAG_CLSTATS 0x00000008 1253#define PFR_FLAG_ADDRSTOO 0x00000010 1254#define PFR_FLAG_REPLACE 0x00000020 1255#define PFR_FLAG_ALLRSETS 0x00000040 1256#define PFR_FLAG_ALLMASK 0x0000007F |
1257#ifdef _KERNEL 1258#define PFR_FLAG_USERIOCTL 0x10000000 1259#endif |
1260 1261struct pfioc_table { 1262 struct pfr_table pfrio_table; 1263 void *pfrio_buffer; 1264 int pfrio_esize; 1265 int pfrio_size; 1266 int pfrio_size2; 1267 int pfrio_nadd; --- 5 unchanged lines hidden (view full) --- 1273#define pfrio_exists pfrio_nadd 1274#define pfrio_nzero pfrio_nadd 1275#define pfrio_nmatch pfrio_nadd 1276#define pfrio_naddr pfrio_size2 1277#define pfrio_setflag pfrio_size2 1278#define pfrio_clrflag pfrio_nadd 1279 1280 |
1281#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */ 1282#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */ 1283#define PFI_FLAG_ALLMASK 0x0003 1284 1285struct pfioc_iface { 1286 char pfiio_name[IFNAMSIZ]; 1287 void *pfiio_buffer; 1288 int pfiio_esize; 1289 int pfiio_size; 1290 int pfiio_nzero; 1291 int pfiio_flags; 1292}; 1293 1294 |
1295/* 1296 * ioctl operations 1297 */ 1298 1299#define DIOCSTART _IO ('D', 1) 1300#define DIOCSTOP _IO ('D', 2) 1301#define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule) 1302#define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1303#define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule) 1304#define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1305#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1306/* XXX cut 8 - 17 */ |
1307#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill) |
1308#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1309#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1310#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1311#define DIOCCLRSTATUS _IO ('D', 22) 1312#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1313#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1314#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1315#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) --- 39 unchanged lines hidden (view full) --- 1355#define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1356#define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1357#define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table) 1358#define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table) 1359#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1360#define DIOCOSFPFLUSH _IO('D', 78) 1361#define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1362#define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) |
1363#define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans) 1364#define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans) 1365#define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans) 1366#define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes) 1367#define DIOCCLRSRCNODES _IO('D', 85) 1368#define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) 1369#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) 1370#define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface) |
1371#ifdef __FreeBSD__ 1372struct pf_ifspeed { 1373 char ifname[IFNAMSIZ]; 1374 u_int32_t baudrate; 1375}; |
1376#define DIOCGIFSPEED _IOWR('D', 89, struct pf_ifspeed) |
1377#endif 1378 1379#ifdef _KERNEL |
1380RB_HEAD(pf_src_tree, pf_src_node); 1381RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare); 1382extern struct pf_src_tree tree_src_tracking; |
1383 |
1384RB_HEAD(pf_state_tree_id, pf_state); 1385RB_PROTOTYPE(pf_state_tree_id, pf_state, 1386 entry_id, pf_state_compare_id); 1387extern struct pf_state_tree_id tree_id; 1388extern struct pf_state_queue state_updates; 1389 1390extern struct pf_anchorqueue pf_anchors; 1391extern struct pf_ruleset pf_main_ruleset; |
1392TAILQ_HEAD(pf_poolqueue, pf_pool); |
1393extern struct pf_poolqueue pf_pools[2]; |
1394TAILQ_HEAD(pf_altqqueue, pf_altq); |
1395extern struct pf_altqqueue pf_altqs[2]; 1396extern struct pf_palist pf_pabuf; 1397extern struct pfi_kif **pfi_index2kif; |
1398 |
1399extern u_int32_t ticket_altqs_active; 1400extern u_int32_t ticket_altqs_inactive; |
1401extern int altqs_inactive_open; |
1402extern u_int32_t ticket_pabuf; 1403extern struct pf_altqqueue *pf_altqs_active; 1404extern struct pf_altqqueue *pf_altqs_inactive; 1405extern struct pf_poolqueue *pf_pools_active; 1406extern struct pf_poolqueue *pf_pools_inactive; 1407extern int pf_tbladdr_setup(struct pf_ruleset *, 1408 struct pf_addr_wrap *); 1409extern void pf_tbladdr_remove(struct pf_addr_wrap *); 1410extern void pf_tbladdr_copyout(struct pf_addr_wrap *); |
1411extern void pf_calc_skip_steps(struct pf_rulequeue *); |
1412extern void pf_update_anchor_rules(void); 1413#ifdef __FreeBSD__ |
1414extern uma_zone_t pf_src_tree_pl, pf_rule_pl; |
1415extern uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1416extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl; 1417extern uma_zone_t pf_cache_pl, pf_cent_pl; 1418extern uma_zone_t pf_state_scrub_pl; |
1419extern uma_zone_t pfi_addr_pl; |
1420#else |
1421extern struct pool pf_src_tree_pl, pf_rule_pl; |
1422extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1423extern struct pool pf_state_scrub_pl; 1424#endif 1425extern void pf_purge_timeout(void *); |
1426extern void pf_purge_expired_src_nodes(void); |
1427extern void pf_purge_expired_states(void); |
1428extern int pf_insert_state(struct pfi_kif *, 1429 struct pf_state *); 1430extern int pf_insert_src_node(struct pf_src_node **, 1431 struct pf_rule *, struct pf_addr *, 1432 sa_family_t); 1433void pf_src_tree_remove_state(struct pf_state *); 1434extern struct pf_state *pf_find_state_byid(struct pf_state *); 1435extern struct pf_state *pf_find_state_all(struct pf_state *key, 1436 u_int8_t tree, int *more); |
1437extern struct pf_anchor *pf_find_anchor(const char *); 1438extern struct pf_ruleset *pf_find_ruleset(char *, char *); |
1439extern struct pf_ruleset *pf_find_or_create_ruleset( 1440 char[PF_ANCHOR_NAME_SIZE], 1441 char[PF_RULESET_NAME_SIZE]); |
1442extern void pf_remove_if_empty_ruleset( 1443 struct pf_ruleset *); 1444 |
1445extern struct ifnet *sync_ifp; |
1446extern struct pf_rule pf_default_rule; 1447extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1448 u_int8_t); 1449void pf_rm_rule(struct pf_rulequeue *, 1450 struct pf_rule *); 1451 1452#ifdef INET 1453int pf_test(int, struct ifnet *, struct mbuf **); --- 4 unchanged lines hidden (view full) --- 1458void pf_poolmask(struct pf_addr *, struct pf_addr*, 1459 struct pf_addr *, struct pf_addr *, u_int8_t); 1460void pf_addr_inc(struct pf_addr *, sa_family_t); 1461#endif /* INET6 */ 1462 1463void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1464 sa_family_t); 1465void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); |
1466int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, |
1467 u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); 1468int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 1469 struct pf_addr *, sa_family_t); 1470int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); 1471int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 1472int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 1473int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); 1474 1475void pf_normalize_init(void); |
1476int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *); 1477int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *); 1478int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, |
1479 struct pf_pdesc *); 1480void pf_normalize_tcp_cleanup(struct pf_state *); 1481int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 1482 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 1483int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 1484 u_short *, struct tcphdr *, struct pf_state_peer *, 1485 struct pf_state_peer *, int *); 1486u_int32_t 1487 pf_state_expires(const struct pf_state *); 1488void pf_purge_expired_fragments(void); 1489int pf_routable(struct pf_addr *addr, sa_family_t af); 1490void pfr_initialize(void); 1491int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 1492void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 1493 u_int64_t, int, int, int); 1494int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, 1495 struct pf_addr **, struct pf_addr **, sa_family_t); |
1496void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); |
1497struct pfr_ktable * 1498 pfr_attach_table(struct pf_ruleset *, char *); 1499void pfr_detach_table(struct pfr_ktable *); 1500int pfr_clr_tables(struct pfr_table *, int *, int); 1501int pfr_add_tables(struct pfr_table *, int, int *, int); 1502int pfr_del_tables(struct pfr_table *, int, int *, int); 1503int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 1504int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); --- 8 unchanged lines hidden (view full) --- 1513 int *, int *, int *, int); 1514int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 1515int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 1516int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 1517 int); 1518int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1519 int); 1520int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); |
1521int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int); |
1522int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 1523int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 1524 int *, u_int32_t, int); 1525 |
1526void pfi_initialize(void); 1527#ifdef __FreeBSD__ 1528void pfi_cleanup(void); 1529#endif 1530void pfi_attach_clone(struct if_clone *); 1531void pfi_attach_ifnet(struct ifnet *); 1532void pfi_detach_ifnet(struct ifnet *); 1533struct pfi_kif *pfi_lookup_create(const char *); 1534struct pfi_kif *pfi_lookup_if(const char *); 1535int pfi_maybe_destroy(struct pfi_kif *); 1536struct pfi_kif *pfi_attach_rule(const char *); 1537void pfi_detach_rule(struct pfi_kif *); 1538void pfi_attach_state(struct pfi_kif *); 1539void pfi_detach_state(struct pfi_kif *); 1540int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); 1541void pfi_dynaddr_copyout(struct pf_addr_wrap *); 1542void pfi_dynaddr_remove(struct pf_addr_wrap *); 1543void pfi_fill_oldstatus(struct pf_status *); 1544int pfi_clr_istats(const char *, int *, int); 1545int pfi_get_ifaces(const char *, struct pfi_if *, int *, int); 1546int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, 1547 sa_family_t); 1548 1549extern struct pfi_statehead pfi_statehead; 1550 |
1551u_int16_t pf_tagname2tag(char *); 1552void pf_tag2tagname(u_int16_t, char *); 1553void pf_tag_unref(u_int16_t); 1554int pf_tag_packet(struct mbuf *, struct pf_tag *, int); |
1555u_int32_t pf_qname2qid(char *); 1556void pf_qid2qname(u_int32_t, char *); 1557void pf_qid_unref(u_int32_t); |
1558 1559extern struct pf_status pf_status; 1560 1561#ifdef __FreeBSD__ 1562extern uma_zone_t pf_frent_pl, pf_frag_pl; 1563#else 1564extern struct pool pf_frent_pl, pf_frag_pl; 1565#endif --- 64 unchanged lines hidden --- |
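Review bot: `struct pf_ifspeed` in the `#ifdef __FreeBSD__` block after `DIOCICLRISTATS` declares `u_int32_t baudrate`, which caps the value `DIOCGIFSPEED` can report at roughly 4.29 Gbit/s, while the kernel's `if_baudrate` is wider on 64-bit platforms, so faster links would be reported wrong or truncated depending on what the ioctl handler does (not visible here). If no released pfctl binary depends on this layout yet, widening the field now, `u_int64_t baudrate;`, avoids a second ioctl later; otherwise a comment on the field, `/* bit/s; 32-bit, cannot express links faster than ~4 Gbit/s */`, at least records the limit. Relatedly, `DIOCGIFSPEED` is numbered 89 here, directly after the new `DIOCICLRISTATS` 88; if that is a renumbering of an ioctl already shipped to userland it is a silent ABI change and deserves a line in the commit message. A smaller style point: `pf_find_or_create_ruleset(char[PF_ANCHOR_NAME_SIZE], char[PF_RULESET_NAME_SIZE])` spells array sizes the compiler does not enforce on a decayed parameter; `const char *` parameters would state the real contract.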