| pfvar.h (130397) | pfvar.h (130613) |
|---|---|
| 1/* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 130397 2004-06-13 01:36:31Z mlaier $ */ 2/* $OpenBSD: pfvar.h,v 1.170 2003/08/22 21:50:34 david Exp $ */ | 1/* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 130613 2004-06-16 23:24:02Z mlaier $ */ 2/* $OpenBSD: pfvar.h,v 1.187 2004/03/22 04:54:18 mcbride Exp $ */ |
| 3 4/* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 51 unchanged lines hidden (view full) --- 62#include <netinet/tcp_fsm.h> 63 64struct ip; 65 66#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 67#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 68 69enum { PF_INOUT, PF_IN, PF_OUT }; | 3 4/* 5 * Copyright (c) 2001 Daniel Hartmeier 6 * All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: --- 51 unchanged lines hidden (view full) --- 62#include <netinet/tcp_fsm.h> 63 64struct ip; 65 66#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 67#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 68 69enum { PF_INOUT, PF_IN, PF_OUT }; |
| 70enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID }; |
|
| 70enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT, 71 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; 72enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 73 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 74enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 75 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 76enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 77enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, --- 4 unchanged lines hidden (view full) --- 82 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 83 */ 84enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 85 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 86 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 87 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 88 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 89 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, | 71enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NAT, PF_NONAT, 72 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP }; 73enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 74 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 75enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 76 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 77enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 78enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, --- 4 unchanged lines hidden (view full) --- 83 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 84 */ 85enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 86 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 87 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 88 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 89 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 90 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, |
| 90 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_MAX, 91 PFTM_PURGE, PFTM_UNTIL_PACKET }; | 91 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, 92 PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET }; |
| 92enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; | 93enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; |
| 93enum { PF_LIMIT_STATES, PF_LIMIT_FRAGS, PF_LIMIT_MAX }; | 94enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX }; |
| 94#define PF_POOL_IDMASK 0x0f 95enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 96 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 97enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 98 PF_ADDR_TABLE }; 99#define PF_POOL_TYPEMASK 0x0f | 95#define PF_POOL_IDMASK 0x0f 96enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 97 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 98enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 99 PF_ADDR_TABLE }; 100#define PF_POOL_TYPEMASK 0x0f |
| 101#define PF_POOL_STICKYADDR 0x20 |
|
| 100#define PF_WSCALE_FLAG 0x80 101#define PF_WSCALE_MASK 0x0f 102 103struct pf_addr { 104 union { 105 struct in_addr v4; 106 struct in6_addr v6; 107 u_int8_t addr8[16]; --- 4 unchanged lines hidden (view full) --- 112#define v6 pfa.v6 113#define addr8 pfa.addr8 114#define addr16 pfa.addr16 115#define addr32 pfa.addr32 116}; 117 118#define PF_TABLE_NAME_SIZE 32 119 | 102#define PF_WSCALE_FLAG 0x80 103#define PF_WSCALE_MASK 0x0f 104 105struct pf_addr { 106 union { 107 struct in_addr v4; 108 struct in6_addr v6; 109 u_int8_t addr8[16]; --- 4 unchanged lines hidden (view full) --- 114#define v6 pfa.v6 115#define addr8 pfa.addr8 116#define addr16 pfa.addr16 117#define addr32 pfa.addr32 118}; 119 120#define PF_TABLE_NAME_SIZE 32 121 |
| 122#define PFI_AFLAG_NETWORK 0x01 123#define PFI_AFLAG_BROADCAST 0x02 124#define PFI_AFLAG_PEER 0x04 125#define PFI_AFLAG_MODEMASK 0x07 126#define PFI_AFLAG_NOALIAS 0x08 127 |
|
| 120struct pf_addr_wrap { 121 union { 122 struct { 123 struct pf_addr addr; 124 struct pf_addr mask; 125 } a; 126 char ifname[IFNAMSIZ]; 127 char tblname[PF_TABLE_NAME_SIZE]; 128 } v; 129 union { | 128struct pf_addr_wrap { 129 union { 130 struct { 131 struct pf_addr addr; 132 struct pf_addr mask; 133 } a; 134 char ifname[IFNAMSIZ]; 135 char tblname[PF_TABLE_NAME_SIZE]; 136 } v; 137 union { |
| 130 struct pf_addr_dyn *dyn; | 138 struct pfi_dynaddr *dyn; |
| 131 struct pfr_ktable *tbl; | 139 struct pfr_ktable *tbl; |
| 140 int dyncnt; |
|
| 132 int tblcnt; 133 } p; 134 u_int8_t type; /* PF_ADDR_* */ | 141 int tblcnt; 142 } p; 143 u_int8_t type; /* PF_ADDR_* */ |
| 144 u_int8_t iflags; /* PFI_AFLAG_* */ |
|
| 135}; 136 137#ifdef _KERNEL 138 | 145}; 146 147#ifdef _KERNEL 148 |
| 139struct pf_addr_dyn { 140 char ifname[IFNAMSIZ]; 141 struct ifnet *ifp; 142 struct pf_addr *addr; 143 sa_family_t af; 144#ifdef __FreeBSD__ 145 eventhandler_tag hook_cookie; 146#else 147 void *hook_cookie; 148#endif 149 u_int8_t undefined; | 149struct pfi_dynaddr { 150 struct pf_addr pfid_addr4; 151 struct pf_addr pfid_mask4; 152 struct pf_addr pfid_addr6; 153 struct pf_addr pfid_mask6; 154 struct pfr_ktable *pfid_kt; 155 struct pfi_kif *pfid_kif; 156 void *pfid_hook_cookie; 157 int pfid_net; /* optional mask, or 128 */ 158 int pfid_acnt4; /* address count, IPv4 */ 159 int pfid_acnt6; /* address count, IPv6 */ 160 sa_family_t pfid_af; /* rule address family */ 161 u_int8_t pfid_iflags; /* PFI_AFLAG_* */ |
| 150}; 151 152/* 153 * Address manipulation macros 154 */ 155 156#ifdef __FreeBSD__ 157#define splsoftnet() splnet() --- 49 unchanged lines hidden (view full) --- 207#define PFSYNC_MODVER 1 208 209#define PFLOG_MINVER 1 210#define PFLOG_PREFVER PFLOG_MODVER 211#define PFLOG_MAXVER 1 212#define PFSYNC_MINVER 1 213#define PFSYNC_PREFVER PFSYNC_MODVER 214#define PFSYNC_MAXVER 1 | 162}; 163 164/* 165 * Address manipulation macros 166 */ 167 168#ifdef __FreeBSD__ 169#define splsoftnet() splnet() --- 49 unchanged lines hidden (view full) --- 219#define PFSYNC_MODVER 1 220 221#define PFLOG_MINVER 1 222#define PFLOG_PREFVER PFLOG_MODVER 223#define PFLOG_MAXVER 1 224#define PFSYNC_MINVER 1 225#define PFSYNC_PREFVER PFSYNC_MODVER 226#define PFSYNC_MAXVER 1 |
| 215#endif | |
| 216 | 227 |
| 228/* prototyped for pf_subr.c */ 229struct hook_desc { 230 TAILQ_ENTRY(hook_desc) hd_list; 231 void (*hd_fn)(void *); 232 void *hd_arg; 233}; 234TAILQ_HEAD(hook_desc_head, hook_desc); 235 236void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *); 237void hook_disestablish(struct hook_desc_head *, void *); 238void dohooks(struct hook_desc_head *, int); 239 240#define HOOK_REMOVE 0x01 241#define HOOK_FREE 0x02 242#endif /* __FreeBSD__ */ 243 |
|
| 217#ifdef INET 218#ifndef INET6 219#define PF_INET_ONLY 220#endif /* ! INET6 */ 221#endif /* INET */ 222 223#ifdef INET6 224#ifndef INET --- 120 unchanged lines hidden (view full) --- 345 346#define PF_MISMATCHAW(aw, x, af, not) \ 347 ( \ 348 (((aw)->type == PF_ADDR_NOROUTE && \ 349 pf_routable((x), (af))) || \ 350 ((aw)->type == PF_ADDR_TABLE && \ 351 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 352 ((aw)->type == PF_ADDR_DYNIFTL && \ | 244#ifdef INET 245#ifndef INET6 246#define PF_INET_ONLY 247#endif /* ! INET6 */ 248#endif /* INET */ 249 250#ifdef INET6 251#ifndef INET --- 120 unchanged lines hidden (view full) --- 372 373#define PF_MISMATCHAW(aw, x, af, not) \ 374 ( \ 375 (((aw)->type == PF_ADDR_NOROUTE && \ 376 pf_routable((x), (af))) || \ 377 ((aw)->type == PF_ADDR_TABLE && \ 378 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 379 ((aw)->type == PF_ADDR_DYNIFTL && \ |
| 353 ((aw)->p.dyn->undefined || \ 354 (!PF_AZERO(&(aw)->v.a.mask, (af)) && \ 355 !PF_MATCHA(0, &(aw)->v.a.addr, \ 356 &(aw)->v.a.mask, (x), (af))))) || \ | 380 !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ |
| 357 ((aw)->type == PF_ADDR_ADDRMASK && \ 358 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 359 !PF_MATCHA(0, &(aw)->v.a.addr, \ 360 &(aw)->v.a.mask, (x), (af)))) != \ 361 (not) \ 362 ) 363 364struct pf_rule_uid { --- 12 unchanged lines hidden (view full) --- 377 u_int8_t not; 378 u_int8_t port_op; 379}; 380 381struct pf_pooladdr { 382 struct pf_addr_wrap addr; 383 TAILQ_ENTRY(pf_pooladdr) entries; 384 char ifname[IFNAMSIZ]; | 381 ((aw)->type == PF_ADDR_ADDRMASK && \ 382 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 383 !PF_MATCHA(0, &(aw)->v.a.addr, \ 384 &(aw)->v.a.mask, (x), (af)))) != \ 385 (not) \ 386 ) 387 388struct pf_rule_uid { --- 12 unchanged lines hidden (view full) --- 401 u_int8_t not; 402 u_int8_t port_op; 403}; 404 405struct pf_pooladdr { 406 struct pf_addr_wrap addr; 407 TAILQ_ENTRY(pf_pooladdr) entries; 408 char ifname[IFNAMSIZ]; |
| 385 struct ifnet *ifp; | 409 struct pfi_kif *kif; |
| 386}; 387 388TAILQ_HEAD(pf_palist, pf_pooladdr); 389 390struct pf_poolhashkey { 391 union { 392 u_int8_t key8[16]; 393 u_int16_t key16[8]; --- 132 unchanged lines hidden (view full) --- 526#define PF_SKIP_SRC_ADDR 4 527#define PF_SKIP_SRC_PORT 5 528#define PF_SKIP_DST_ADDR 6 529#define PF_SKIP_DST_PORT 7 530#define PF_SKIP_COUNT 8 531 union pf_rule_ptr skip[PF_SKIP_COUNT]; 532#define PF_RULE_LABEL_SIZE 64 533 char label[PF_RULE_LABEL_SIZE]; | 410}; 411 412TAILQ_HEAD(pf_palist, pf_pooladdr); 413 414struct pf_poolhashkey { 415 union { 416 u_int8_t key8[16]; 417 u_int16_t key16[8]; --- 132 unchanged lines hidden (view full) --- 550#define PF_SKIP_SRC_ADDR 4 551#define PF_SKIP_SRC_PORT 5 552#define PF_SKIP_DST_ADDR 6 553#define PF_SKIP_DST_PORT 7 554#define PF_SKIP_COUNT 8 555 union pf_rule_ptr skip[PF_SKIP_COUNT]; 556#define PF_RULE_LABEL_SIZE 64 557 char label[PF_RULE_LABEL_SIZE]; |
| 534 u_int32_t timeout[PFTM_MAX]; | |
| 535#define PF_QNAME_SIZE 16 536 char ifname[IFNAMSIZ]; 537 char qname[PF_QNAME_SIZE]; 538 char pqname[PF_QNAME_SIZE]; 539#define PF_ANCHOR_NAME_SIZE 16 540 char anchorname[PF_ANCHOR_NAME_SIZE]; 541#define PF_TAG_NAME_SIZE 16 542 char tagname[PF_TAG_NAME_SIZE]; 543 char match_tagname[PF_TAG_NAME_SIZE]; 544 545 TAILQ_ENTRY(pf_rule) entries; 546 struct pf_pool rpool; 547 548 u_int64_t evaluations; 549 u_int64_t packets; 550 u_int64_t bytes; 551 | 558#define PF_QNAME_SIZE 16 559 char ifname[IFNAMSIZ]; 560 char qname[PF_QNAME_SIZE]; 561 char pqname[PF_QNAME_SIZE]; 562#define PF_ANCHOR_NAME_SIZE 16 563 char anchorname[PF_ANCHOR_NAME_SIZE]; 564#define PF_TAG_NAME_SIZE 16 565 char tagname[PF_TAG_NAME_SIZE]; 566 char match_tagname[PF_TAG_NAME_SIZE]; 567 568 TAILQ_ENTRY(pf_rule) entries; 569 struct pf_pool rpool; 570 571 u_int64_t evaluations; 572 u_int64_t packets; 573 u_int64_t bytes; 574 |
| 552 struct ifnet *ifp; | 575 struct pfi_kif *kif; |
| 553 struct pf_anchor *anchor; 554 555 pf_osfp_t os_fingerprint; | 576 struct pf_anchor *anchor; 577 578 pf_osfp_t os_fingerprint; |
| 579 580 u_int32_t timeout[PFTM_MAX]; |
|
| 556 u_int32_t states; 557 u_int32_t max_states; | 581 u_int32_t states; 582 u_int32_t max_states; |
| 583 u_int32_t src_nodes; 584 u_int32_t max_src_nodes; 585 u_int32_t max_src_states; |
|
| 558 u_int32_t qid; 559 u_int32_t pqid; 560 u_int32_t rt_listid; 561 u_int32_t nr; 562 563 u_int16_t return_icmp; 564 u_int16_t return_icmp6; 565 u_int16_t max_mss; --- 30 unchanged lines hidden (view full) --- 596}; 597 598/* rule flags */ 599#define PFRULE_DROP 0x0000 600#define PFRULE_RETURNRST 0x0001 601#define PFRULE_FRAGMENT 0x0002 602#define PFRULE_RETURNICMP 0x0004 603#define PFRULE_RETURN 0x0008 | 586 u_int32_t qid; 587 u_int32_t pqid; 588 u_int32_t rt_listid; 589 u_int32_t nr; 590 591 u_int16_t return_icmp; 592 u_int16_t return_icmp6; 593 u_int16_t max_mss; --- 30 unchanged lines hidden (view full) --- 624}; 625 626/* rule flags */ 627#define PFRULE_DROP 0x0000 628#define PFRULE_RETURNRST 0x0001 629#define PFRULE_FRAGMENT 0x0002 630#define PFRULE_RETURNICMP 0x0004 631#define PFRULE_RETURN 0x0008 |
| 632#define PFRULE_NOSYNC 0x0010 633#define PFRULE_SRCTRACK 0x0020 /* track source states */ 634#define PFRULE_RULESRCTRACK 0x0040 /* per rule */ |
|
| 604 605/* scrub flags */ 606#define PFRULE_NODF 0x0100 607#define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ 608#define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ 609#define PFRULE_RANDOMID 0x0800 610#define PFRULE_REASSEMBLE_TCP 0x1000 611 | 635 636/* scrub flags */ 637#define PFRULE_NODF 0x0100 638#define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ 639#define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ 640#define PFRULE_RANDOMID 0x0800 641#define PFRULE_REASSEMBLE_TCP 0x1000 642 |
| 643/* rule flags again */ 644#define PFRULE_IFBOUND 0x00010000 /* if-bound */ 645#define PFRULE_GRBOUND 0x00020000 /* group-bound */ 646 |
|
| 612#define PFSTATE_HIWAT 10000 /* default state table size */ 613 | 647#define PFSTATE_HIWAT 10000 /* default state table size */ 648 |
| 649struct pf_src_node { 650 RB_ENTRY(pf_src_node) entry; 651 struct pf_addr addr; 652 struct pf_addr raddr; 653 union pf_rule_ptr rule; 654 struct pfi_kif *kif; 655 u_int32_t bytes; 656 u_int32_t packets; 657 u_int32_t states; 658 u_int32_t creation; 659 u_int32_t expire; 660 sa_family_t af; 661 u_int8_t ruletype; 662}; |
|
| 614 | 663 |
| 664#define PFSNODE_HIWAT 10000 /* default source node table size */ 665 |
|
| 615struct pf_state_scrub { 616 u_int16_t pfss_flags; 617#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 618 u_int8_t pfss_ttl; /* stashed TTL */ 619 u_int8_t pad; 620 u_int32_t pfss_ts_mod; /* timestamp modulation */ 621}; 622 --- 9 unchanged lines hidden (view full) --- 632 u_int32_t seqdiff; /* Sequence number modulator */ 633 u_int16_t max_win; /* largest window (pre scaling) */ 634 u_int8_t state; /* active state level */ 635 u_int8_t wscale; /* window scaling factor */ 636 u_int16_t mss; /* Maximum segment size option */ 637 struct pf_state_scrub *scrub; /* state is scrubbed */ 638}; 639 | 666struct pf_state_scrub { 667 u_int16_t pfss_flags; 668#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 669 u_int8_t pfss_ttl; /* stashed TTL */ 670 u_int8_t pad; 671 u_int32_t pfss_ts_mod; /* timestamp modulation */ 672}; 673 --- 9 unchanged lines hidden (view full) --- 683 u_int32_t seqdiff; /* Sequence number modulator */ 684 u_int16_t max_win; /* largest window (pre scaling) */ 685 u_int8_t state; /* active state level */ 686 u_int8_t wscale; /* window scaling factor */ 687 u_int16_t mss; /* Maximum segment size option */ 688 struct pf_state_scrub *scrub; /* state is scrubbed */ 689}; 690 |
| 691TAILQ_HEAD(pf_state_queue, pf_state); 692 |
|
| 640struct pf_state { | 693struct pf_state { |
| 694 u_int64_t id; 695 union { 696 struct { 697 RB_ENTRY(pf_state) entry_lan_ext; 698 RB_ENTRY(pf_state) entry_ext_gwy; 699 RB_ENTRY(pf_state) entry_id; 700 TAILQ_ENTRY(pf_state) entry_updates; 701 struct pfi_kif *kif; 702 } s; 703 char ifname[IFNAMSIZ]; 704 } u; |
|
| 641 struct pf_state_host lan; 642 struct pf_state_host gwy; 643 struct pf_state_host ext; 644 struct pf_state_peer src; 645 struct pf_state_peer dst; 646 union pf_rule_ptr rule; 647 union pf_rule_ptr anchor; 648 union pf_rule_ptr nat_rule; 649 struct pf_addr rt_addr; | 705 struct pf_state_host lan; 706 struct pf_state_host gwy; 707 struct pf_state_host ext; 708 struct pf_state_peer src; 709 struct pf_state_peer dst; 710 union pf_rule_ptr rule; 711 union pf_rule_ptr anchor; 712 union pf_rule_ptr nat_rule; 713 struct pf_addr rt_addr; |
| 650 struct ifnet *rt_ifp; | 714 struct pfi_kif *rt_kif; 715 struct pf_src_node *src_node; 716 struct pf_src_node *nat_src_node; |
| 651 u_int32_t creation; 652 u_int32_t expire; | 717 u_int32_t creation; 718 u_int32_t expire; |
| 719 u_int32_t pfsync_time; |
|
| 653 u_int32_t packets[2]; 654 u_int32_t bytes[2]; | 720 u_int32_t packets[2]; 721 u_int32_t bytes[2]; |
| 722 u_int32_t creatorid; |
|
| 655 sa_family_t af; 656 u_int8_t proto; 657 u_int8_t direction; 658 u_int8_t log; 659 u_int8_t allow_opts; 660 u_int8_t timeout; | 723 sa_family_t af; 724 u_int8_t proto; 725 u_int8_t direction; 726 u_int8_t log; 727 u_int8_t allow_opts; 728 u_int8_t timeout; |
| 661 u_int8_t pad[2]; | 729 u_int8_t sync_flags; 730#define PFSTATE_NOSYNC 0x01 731#define PFSTATE_FROMSYNC 0x02 732 u_int8_t pad; |
| 662}; 663 | 733}; 734 |
| 664struct pf_tree_node { 665 RB_ENTRY(pf_tree_node) entry; 666 struct pf_state *state; 667 struct pf_addr addr[2]; 668 u_int16_t port[2]; 669 sa_family_t af; 670 u_int8_t proto; 671}; 672 | |
| 673TAILQ_HEAD(pf_rulequeue, pf_rule); 674 675struct pf_anchor; 676 677struct pf_ruleset { 678 TAILQ_ENTRY(pf_ruleset) entries; 679#define PF_RULESET_NAME_SIZE 16 680 char name[PF_RULESET_NAME_SIZE]; 681 struct { 682 struct pf_rulequeue queues[2]; 683 struct { 684 struct pf_rulequeue *ptr; 685 u_int32_t ticket; | 735TAILQ_HEAD(pf_rulequeue, pf_rule); 736 737struct pf_anchor; 738 739struct pf_ruleset { 740 TAILQ_ENTRY(pf_ruleset) entries; 741#define PF_RULESET_NAME_SIZE 16 742 char name[PF_RULESET_NAME_SIZE]; 743 struct { 744 struct pf_rulequeue queues[2]; 745 struct { 746 struct pf_rulequeue *ptr; 747 u_int32_t ticket; |
| 748 int open; |
|
| 686 } active, inactive; 687 } rules[PF_RULESET_MAX]; 688 struct pf_anchor *anchor; 689 u_int32_t tticket; 690 int tables; 691 int topen; 692}; 693 694TAILQ_HEAD(pf_rulesetqueue, pf_ruleset); 695 696struct pf_anchor { 697 TAILQ_ENTRY(pf_anchor) entries; 698 char name[PF_ANCHOR_NAME_SIZE]; 699 struct pf_rulesetqueue rulesets; 700 int tables; 701}; 702 703TAILQ_HEAD(pf_anchorqueue, pf_anchor); 704 | 749 } active, inactive; 750 } rules[PF_RULESET_MAX]; 751 struct pf_anchor *anchor; 752 u_int32_t tticket; 753 int tables; 754 int topen; 755}; 756 757TAILQ_HEAD(pf_rulesetqueue, pf_ruleset); 758 759struct pf_anchor { 760 TAILQ_ENTRY(pf_anchor) entries; 761 char name[PF_ANCHOR_NAME_SIZE]; 762 struct pf_rulesetqueue rulesets; 763 int tables; 764}; 765 766TAILQ_HEAD(pf_anchorqueue, pf_anchor); 767 |
| 768#define PF_RESERVED_ANCHOR "_pf" 769#define PF_INTERFACE_RULESET "_if" 770 |
|
| 705#define PFR_TFLAG_PERSIST 0x00000001 706#define PFR_TFLAG_CONST 0x00000002 707#define PFR_TFLAG_ACTIVE 0x00000004 708#define PFR_TFLAG_INACTIVE 0x00000008 709#define PFR_TFLAG_REFERENCED 0x00000010 710#define PFR_TFLAG_REFDANCHOR 0x00000020 711#define PFR_TFLAG_USRMASK 0x00000003 712#define PFR_TFLAG_SETMASK 0x0000003C --- 70 unchanged lines hidden (view full) --- 783 struct pfr_tstats pfrkt_ts; 784 RB_ENTRY(pfr_ktable) pfrkt_tree; 785 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 786 struct radix_node_head *pfrkt_ip4; 787 struct radix_node_head *pfrkt_ip6; 788 struct pfr_ktable *pfrkt_shadow; 789 struct pfr_ktable *pfrkt_root; 790 struct pf_ruleset *pfrkt_rs; | 771#define PFR_TFLAG_PERSIST 0x00000001 772#define PFR_TFLAG_CONST 0x00000002 773#define PFR_TFLAG_ACTIVE 0x00000004 774#define PFR_TFLAG_INACTIVE 0x00000008 775#define PFR_TFLAG_REFERENCED 0x00000010 776#define PFR_TFLAG_REFDANCHOR 0x00000020 777#define PFR_TFLAG_USRMASK 0x00000003 778#define PFR_TFLAG_SETMASK 0x0000003C --- 70 unchanged lines hidden (view full) --- 849 struct pfr_tstats pfrkt_ts; 850 RB_ENTRY(pfr_ktable) pfrkt_tree; 851 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 852 struct radix_node_head *pfrkt_ip4; 853 struct radix_node_head *pfrkt_ip6; 854 struct pfr_ktable *pfrkt_shadow; 855 struct pfr_ktable *pfrkt_root; 856 struct pf_ruleset *pfrkt_rs; |
| 857 long pfrkt_larg; |
|
| 791 int pfrkt_nflags; 792}; 793#define pfrkt_t pfrkt_ts.pfrts_t 794#define pfrkt_name pfrkt_t.pfrt_name | 858 int pfrkt_nflags; 859}; 860#define pfrkt_t pfrkt_ts.pfrts_t 861#define pfrkt_name pfrkt_t.pfrt_name |
| 795#define pfrkt_anchor pfrkt_t.pfrt_anchor 796#define pfrkt_ruleset pfrkt_t.pfrt_ruleset | 862#define pfrkt_anchor pfrkt_t.pfrt_anchor 863#define pfrkt_ruleset pfrkt_t.pfrt_ruleset |
| 797#define pfrkt_flags pfrkt_t.pfrt_flags 798#define pfrkt_cnt pfrkt_ts.pfrts_cnt 799#define pfrkt_refcnt pfrkt_ts.pfrts_refcnt 800#define pfrkt_packets pfrkt_ts.pfrts_packets 801#define pfrkt_bytes pfrkt_ts.pfrts_bytes 802#define pfrkt_match pfrkt_ts.pfrts_match 803#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch 804#define pfrkt_tzero pfrkt_ts.pfrts_tzero 805 | 864#define pfrkt_flags pfrkt_t.pfrt_flags 865#define pfrkt_cnt pfrkt_ts.pfrts_cnt 866#define pfrkt_refcnt pfrkt_ts.pfrts_refcnt 867#define pfrkt_packets pfrkt_ts.pfrts_packets 868#define pfrkt_bytes pfrkt_ts.pfrts_bytes 869#define pfrkt_match pfrkt_ts.pfrts_match 870#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch 871#define pfrkt_tzero pfrkt_ts.pfrts_tzero 872 |
| 873RB_HEAD(pf_state_tree_lan_ext, pf_state); 874RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state, 875 u.s.entry_lan_ext, pf_state_compare_lan_ext); 876 877RB_HEAD(pf_state_tree_ext_gwy, pf_state); 878RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state, 879 u.s.entry_ext_gwy, pf_state_compare_ext_gwy); 880 881struct pfi_if { 882 char pfif_name[IFNAMSIZ]; 883 u_int64_t pfif_packets[2][2][2]; 884 u_int64_t pfif_bytes[2][2][2]; 885 u_int64_t pfif_addcnt; 886 u_int64_t pfif_delcnt; 887 long pfif_tzero; 888 int pfif_states; 889 int pfif_rules; 890 int pfif_flags; 891}; 892 893TAILQ_HEAD(pfi_grouphead, pfi_kif); 894TAILQ_HEAD(pfi_statehead, pfi_kif); 895RB_HEAD(pfi_ifhead, pfi_kif); 896struct pfi_kif { 897 struct pfi_if pfik_if; 898 RB_ENTRY(pfi_kif) pfik_tree; 899 struct pf_state_tree_lan_ext pfik_lan_ext; 900 struct pf_state_tree_ext_gwy pfik_ext_gwy; 901 struct pfi_grouphead pfik_grouphead; 902 TAILQ_ENTRY(pfi_kif) pfik_instances; 903 TAILQ_ENTRY(pfi_kif) pfik_w_states; 904 struct hook_desc_head *pfik_ah_head; 905 void *pfik_ah_cookie; 906 struct pfi_kif *pfik_parent; 907 struct ifnet *pfik_ifp; 908 int pfik_states; 909 int pfik_rules; 910}; 911#define pfik_name pfik_if.pfif_name 912#define pfik_packets pfik_if.pfif_packets 913#define pfik_bytes pfik_if.pfif_bytes 914#define pfik_tzero pfik_if.pfif_tzero 915#define pfik_flags pfik_if.pfif_flags 916#define pfik_addcnt pfik_if.pfif_addcnt 917#define pfik_delcnt pfik_if.pfif_delcnt 918#define pfik_states pfik_if.pfif_states 919#define pfik_rules pfik_if.pfif_rules 920 921#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ 922#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ 923#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ 924#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ 925#define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */ 926#define PFI_IFLAG_PLACEHOLDER 0x8000 /* placeholder group/interface */ 927 |
|
| 806struct pf_pdesc { 807 u_int64_t tot_len; /* Make Mickey money */ 808 union { 809 struct tcphdr *tcp; 810 struct udphdr *udp; 811 struct icmp *icmp; 812#ifdef INET6 813 struct icmp6_hdr *icmp6; 814#endif /* INET6 */ 815 void *any; 816 } hdr; | 928struct pf_pdesc { 929 u_int64_t tot_len; /* Make Mickey money */ 930 union { 931 struct tcphdr *tcp; 932 struct udphdr *udp; 933 struct icmp *icmp; 934#ifdef INET6 935 struct icmp6_hdr *icmp6; 936#endif /* INET6 */ 937 void *any; 938 } hdr; |
| 939 struct pf_addr baddr; /* address before translation */ 940 struct pf_addr naddr; /* address after translation */ 941 struct pf_rule *nat_rule; /* nat/rdr rule applied to packet */ |
|
| 817 struct pf_addr *src; 818 struct pf_addr *dst; 819 u_int16_t *ip_sum; 820 u_int32_t p_len; /* total length of payload */ 821 u_int16_t flags; /* Let SCRUB trigger behavior in 822 * state code. Easier than tags */ 823#define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 824 sa_family_t af; --- 52 unchanged lines hidden (view full) --- 877 NULL \ 878} 879 880#define FCNT_STATE_SEARCH 0 881#define FCNT_STATE_INSERT 1 882#define FCNT_STATE_REMOVALS 2 883#define FCNT_MAX 3 884 | 942 struct pf_addr *src; 943 struct pf_addr *dst; 944 u_int16_t *ip_sum; 945 u_int32_t p_len; /* total length of payload */ 946 u_int16_t flags; /* Let SCRUB trigger behavior in 947 * state code. Easier than tags */ 948#define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 949 sa_family_t af; --- 52 unchanged lines hidden (view full) --- 1002 NULL \ 1003} 1004 1005#define FCNT_STATE_SEARCH 0 1006#define FCNT_STATE_INSERT 1 1007#define FCNT_STATE_REMOVALS 2 1008#define FCNT_MAX 3 1009 |
| 1010#define SCNT_SRC_NODE_SEARCH 0 1011#define SCNT_SRC_NODE_INSERT 1 1012#define SCNT_SRC_NODE_REMOVALS 2 1013#define SCNT_MAX 3 |
|
| 885 886#define ACTION_SET(a, x) \ 887 do { \ 888 if ((a) != NULL) \ 889 *(a) = (x); \ 890 } while (0) 891 892#define REASON_SET(a, x) \ 893 do { \ 894 if ((a) != NULL) \ 895 *(a) = (x); \ 896 if (x < PFRES_MAX) \ 897 pf_status.counters[x]++; \ 898 } while (0) 899 900struct pf_status { 901 u_int64_t counters[PFRES_MAX]; 902 u_int64_t fcounters[FCNT_MAX]; | 1014 1015#define ACTION_SET(a, x) \ 1016 do { \ 1017 if ((a) != NULL) \ 1018 *(a) = (x); \ 1019 } while (0) 1020 1021#define REASON_SET(a, x) \ 1022 do { \ 1023 if ((a) != NULL) \ 1024 *(a) = (x); \ 1025 if (x < PFRES_MAX) \ 1026 pf_status.counters[x]++; \ 1027 } while (0) 1028 1029struct pf_status { 1030 u_int64_t counters[PFRES_MAX]; 1031 u_int64_t fcounters[FCNT_MAX]; |
| 1032 u_int64_t scounters[SCNT_MAX]; |
|
| 903 u_int64_t pcounters[2][2][3]; 904 u_int64_t bcounters[2][2]; | 1033 u_int64_t pcounters[2][2][3]; 1034 u_int64_t bcounters[2][2]; |
| 1035 u_int64_t stateid; |
|
| 905 u_int32_t running; 906 u_int32_t states; | 1036 u_int32_t running; 1037 u_int32_t states; |
| 1038 u_int32_t src_nodes; |
|
| 907 u_int32_t since; 908 u_int32_t debug; | 1039 u_int32_t since; 1040 u_int32_t debug; |
| 1041 u_int32_t hostid; |
|
| 909 char ifname[IFNAMSIZ]; 910}; 911 912struct cbq_opts { 913 u_int minburst; 914 u_int maxburst; 915 u_int pktsize; 916 u_int maxpktsize; --- 115 unchanged lines hidden (view full) --- 1032}; 1033 1034struct pfioc_state_kill { 1035 /* XXX returns the number of states killed in psk_af */ 1036 sa_family_t psk_af; 1037 int psk_proto; 1038 struct pf_rule_addr psk_src; 1039 struct pf_rule_addr psk_dst; | 1042 char ifname[IFNAMSIZ]; 1043}; 1044 1045struct cbq_opts { 1046 u_int minburst; 1047 u_int maxburst; 1048 u_int pktsize; 1049 u_int maxpktsize; --- 115 unchanged lines hidden (view full) --- 1165}; 1166 1167struct pfioc_state_kill { 1168 /* XXX returns the number of states killed in psk_af */ 1169 sa_family_t psk_af; 1170 int psk_proto; 1171 struct pf_rule_addr psk_src; 1172 struct pf_rule_addr psk_dst; |
| 1173 char psk_ifname[IFNAMSIZ]; |
|
| 1040}; 1041 1042struct pfioc_states { 1043 int ps_len; 1044 union { 1045 caddr_t psu_buf; 1046 struct pf_state *psu_states; 1047 } ps_u; 1048#define ps_buf ps_u.psu_buf 1049#define ps_states ps_u.psu_states 1050}; 1051 | 1174}; 1175 1176struct pfioc_states { 1177 int ps_len; 1178 union { 1179 caddr_t psu_buf; 1180 struct pf_state *psu_states; 1181 } ps_u; 1182#define ps_buf ps_u.psu_buf 1183#define ps_states ps_u.psu_states 1184}; 1185 |
| 1186struct pfioc_src_nodes { 1187 int psn_len; 1188 union { 1189 caddr_t psu_buf; 1190 struct pf_src_node *psu_src_nodes; 1191 } psn_u; 1192#define psn_buf psn_u.psu_buf 1193#define psn_src_nodes psn_u.psu_src_nodes 1194}; 1195 |
|
| 1052struct pfioc_if { 1053 char ifname[IFNAMSIZ]; 1054}; 1055 1056struct pfioc_tm { 1057 int timeout; 1058 int seconds; 1059}; --- 24 unchanged lines hidden (view full) --- 1084}; 1085 1086struct pfioc_ruleset { 1087 u_int32_t nr; 1088 char anchor[PF_ANCHOR_NAME_SIZE]; 1089 char name[PF_RULESET_NAME_SIZE]; 1090}; 1091 | 1196struct pfioc_if { 1197 char ifname[IFNAMSIZ]; 1198}; 1199 1200struct pfioc_tm { 1201 int timeout; 1202 int seconds; 1203}; --- 24 unchanged lines hidden (view full) --- 1228}; 1229 1230struct pfioc_ruleset { 1231 u_int32_t nr; 1232 char anchor[PF_ANCHOR_NAME_SIZE]; 1233 char name[PF_RULESET_NAME_SIZE]; 1234}; 1235 |
| 1236#define PF_RULESET_ALTQ (PF_RULESET_MAX) 1237#define PF_RULESET_TABLE (PF_RULESET_MAX+1) 1238struct pfioc_trans { 1239 int size; /* number of elements */ 1240 int esize; /* size of each element in bytes */ 1241 struct pfioc_trans_e { 1242 int rs_num; 1243 char anchor[PF_ANCHOR_NAME_SIZE]; 1244 char ruleset[PF_RULESET_NAME_SIZE]; 1245 u_int32_t ticket; 1246 } *array; 1247}; 1248 |
|
| 1092#define PFR_FLAG_ATOMIC 0x00000001 1093#define PFR_FLAG_DUMMY 0x00000002 1094#define PFR_FLAG_FEEDBACK 0x00000004 1095#define PFR_FLAG_CLSTATS 0x00000008 1096#define PFR_FLAG_ADDRSTOO 0x00000010 1097#define PFR_FLAG_REPLACE 0x00000020 1098#define PFR_FLAG_ALLRSETS 0x00000040 1099#define PFR_FLAG_ALLMASK 0x0000007F | 1249#define PFR_FLAG_ATOMIC 0x00000001 1250#define PFR_FLAG_DUMMY 0x00000002 1251#define PFR_FLAG_FEEDBACK 0x00000004 1252#define PFR_FLAG_CLSTATS 0x00000008 1253#define PFR_FLAG_ADDRSTOO 0x00000010 1254#define PFR_FLAG_REPLACE 0x00000020 1255#define PFR_FLAG_ALLRSETS 0x00000040 1256#define PFR_FLAG_ALLMASK 0x0000007F |
| 1257#ifdef _KERNEL 1258#define PFR_FLAG_USERIOCTL 0x10000000 1259#endif |
|
| 1100 1101struct pfioc_table { 1102 struct pfr_table pfrio_table; 1103 void *pfrio_buffer; 1104 int pfrio_esize; 1105 int pfrio_size; 1106 int pfrio_size2; 1107 int pfrio_nadd; --- 5 unchanged lines hidden (view full) --- 1113#define pfrio_exists pfrio_nadd 1114#define pfrio_nzero pfrio_nadd 1115#define pfrio_nmatch pfrio_nadd 1116#define pfrio_naddr pfrio_size2 1117#define pfrio_setflag pfrio_size2 1118#define pfrio_clrflag pfrio_nadd 1119 1120 | 1260 1261struct pfioc_table { 1262 struct pfr_table pfrio_table; 1263 void *pfrio_buffer; 1264 int pfrio_esize; 1265 int pfrio_size; 1266 int pfrio_size2; 1267 int pfrio_nadd; --- 5 unchanged lines hidden (view full) --- 1273#define pfrio_exists pfrio_nadd 1274#define pfrio_nzero pfrio_nadd 1275#define pfrio_nmatch pfrio_nadd 1276#define pfrio_naddr pfrio_size2 1277#define pfrio_setflag pfrio_size2 1278#define pfrio_clrflag pfrio_nadd 1279 1280 |
| 1281#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */ 1282#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */ 1283#define PFI_FLAG_ALLMASK 0x0003 1284 1285struct pfioc_iface { 1286 char pfiio_name[IFNAMSIZ]; 1287 void *pfiio_buffer; 1288 int pfiio_esize; 1289 int pfiio_size; 1290 int pfiio_nzero; 1291 int pfiio_flags; 1292}; 1293 1294 |
|
| 1121/* 1122 * ioctl operations 1123 */ 1124 1125#define DIOCSTART _IO ('D', 1) 1126#define DIOCSTOP _IO ('D', 2) 1127#define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule) 1128#define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1129#define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule) 1130#define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1131#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1132/* XXX cut 8 - 17 */ | 1295/* 1296 * ioctl operations 1297 */ 1298 1299#define DIOCSTART _IO ('D', 1) 1300#define DIOCSTOP _IO ('D', 2) 1301#define DIOCBEGINRULES _IOWR('D', 3, struct pfioc_rule) 1302#define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1303#define DIOCCOMMITRULES _IOWR('D', 5, struct pfioc_rule) 1304#define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1305#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1306/* XXX cut 8 - 17 */ |
| 1133#define DIOCCLRSTATES _IO ('D', 18) | 1307#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill) |
| 1134#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1135#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1136#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1137#define DIOCCLRSTATUS _IO ('D', 22) 1138#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1139#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1140#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1141#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) --- 39 unchanged lines hidden (view full) --- 1181#define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1182#define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1183#define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table) 1184#define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table) 1185#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1186#define DIOCOSFPFLUSH _IO('D', 78) 1187#define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1188#define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) | 1308#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1309#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1310#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1311#define DIOCCLRSTATUS _IO ('D', 22) 1312#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1313#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1314#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1315#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) --- 39 unchanged lines hidden (view full) --- 1355#define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1356#define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1357#define DIOCRINABEGIN _IOWR('D', 75, struct pfioc_table) 1358#define DIOCRINACOMMIT _IOWR('D', 76, struct pfioc_table) 1359#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1360#define DIOCOSFPFLUSH _IO('D', 78) 1361#define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1362#define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) |
| 1363#define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans) 1364#define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans) 1365#define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans) 1366#define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes) 1367#define DIOCCLRSRCNODES _IO('D', 85) 1368#define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) 1369#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) 1370#define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface) |
|
| 1189#ifdef __FreeBSD__ 1190struct pf_ifspeed { 1191 char ifname[IFNAMSIZ]; 1192 u_int32_t baudrate; 1193}; | 1371#ifdef __FreeBSD__ 1372struct pf_ifspeed { 1373 char ifname[IFNAMSIZ]; 1374 u_int32_t baudrate; 1375}; |
| 1194#define DIOCGIFSPEED _IOWR('D', 81, struct pf_ifspeed) | 1376#define DIOCGIFSPEED _IOWR('D', 89, struct pf_ifspeed) |
| 1195#endif 1196 1197#ifdef _KERNEL | 1377#endif 1378 1379#ifdef _KERNEL |
| 1198RB_HEAD(pf_state_tree, pf_tree_node); 1199RB_PROTOTYPE(pf_state_tree, pf_tree_node, entry, pf_state_compare); 1200extern struct pf_state_tree tree_lan_ext, tree_ext_gwy; | 1380RB_HEAD(pf_src_tree, pf_src_node); 1381RB_PROTOTYPE(pf_src_tree, pf_src_node, entry, pf_src_compare); 1382extern struct pf_src_tree tree_src_tracking; |
| 1201 | 1383 |
| 1202extern struct pf_anchorqueue pf_anchors; 1203extern struct pf_ruleset pf_main_ruleset; | 1384RB_HEAD(pf_state_tree_id, pf_state); 1385RB_PROTOTYPE(pf_state_tree_id, pf_state, 1386 entry_id, pf_state_compare_id); 1387extern struct pf_state_tree_id tree_id; 1388extern struct pf_state_queue state_updates; 1389 1390extern struct pf_anchorqueue pf_anchors; 1391extern struct pf_ruleset pf_main_ruleset; |
| 1204TAILQ_HEAD(pf_poolqueue, pf_pool); | 1392TAILQ_HEAD(pf_poolqueue, pf_pool); |
| 1205extern struct pf_poolqueue pf_pools[2]; | 1393extern struct pf_poolqueue pf_pools[2]; |
| 1206TAILQ_HEAD(pf_altqqueue, pf_altq); | 1394TAILQ_HEAD(pf_altqqueue, pf_altq); |
| 1207extern struct pf_altqqueue pf_altqs[2]; 1208extern struct pf_palist pf_pabuf; | 1395extern struct pf_altqqueue pf_altqs[2]; 1396extern struct pf_palist pf_pabuf; 1397extern struct pfi_kif **pfi_index2kif; |
| 1209 | 1398 |
| 1210 | |
| 1211extern u_int32_t ticket_altqs_active; 1212extern u_int32_t ticket_altqs_inactive; | 1399extern u_int32_t ticket_altqs_active; 1400extern u_int32_t ticket_altqs_inactive; |
| 1401extern int altqs_inactive_open; |
|
| 1213extern u_int32_t ticket_pabuf; 1214extern struct pf_altqqueue *pf_altqs_active; 1215extern struct pf_altqqueue *pf_altqs_inactive; 1216extern struct pf_poolqueue *pf_pools_active; 1217extern struct pf_poolqueue *pf_pools_inactive; 1218extern int pf_tbladdr_setup(struct pf_ruleset *, 1219 struct pf_addr_wrap *); 1220extern void pf_tbladdr_remove(struct pf_addr_wrap *); 1221extern void pf_tbladdr_copyout(struct pf_addr_wrap *); | 1402extern u_int32_t ticket_pabuf; 1403extern struct pf_altqqueue *pf_altqs_active; 1404extern struct pf_altqqueue *pf_altqs_inactive; 1405extern struct pf_poolqueue *pf_pools_active; 1406extern struct pf_poolqueue *pf_pools_inactive; 1407extern int pf_tbladdr_setup(struct pf_ruleset *, 1408 struct pf_addr_wrap *); 1409extern void pf_tbladdr_remove(struct pf_addr_wrap *); 1410extern void pf_tbladdr_copyout(struct pf_addr_wrap *); |
| 1222extern int pf_dynaddr_setup(struct pf_addr_wrap *, 1223 sa_family_t); 1224extern void pf_dynaddr_copyout(struct pf_addr_wrap *); 1225extern void pf_dynaddr_remove(struct pf_addr_wrap *); | |
| 1226extern void pf_calc_skip_steps(struct pf_rulequeue *); | 1411extern void pf_calc_skip_steps(struct pf_rulequeue *); |
| 1227extern void pf_rule_set_qid(struct pf_rulequeue *); 1228extern u_int32_t pf_qname_to_qid(char *); | |
| 1229extern void pf_update_anchor_rules(void); 1230#ifdef __FreeBSD__ | 1412extern void pf_update_anchor_rules(void); 1413#ifdef __FreeBSD__ |
| 1231extern uma_zone_t pf_tree_pl, pf_rule_pl, pf_addr_pl; | 1414extern uma_zone_t pf_src_tree_pl, pf_rule_pl; |
| 1232extern uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1233extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl; 1234extern uma_zone_t pf_cache_pl, pf_cent_pl; 1235extern uma_zone_t pf_state_scrub_pl; | 1415extern uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1416extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl; 1417extern uma_zone_t pf_cache_pl, pf_cent_pl; 1418extern uma_zone_t pf_state_scrub_pl; |
| 1419extern uma_zone_t pfi_addr_pl; |
|
| 1236#else | 1420#else |
| 1237extern struct pool pf_tree_pl, pf_rule_pl, pf_addr_pl; | 1421extern struct pool pf_src_tree_pl, pf_rule_pl; |
| 1238extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1239extern struct pool pf_state_scrub_pl; 1240#endif 1241extern void pf_purge_timeout(void *); | 1422extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; 1423extern struct pool pf_state_scrub_pl; 1424#endif 1425extern void pf_purge_timeout(void *); |
| 1426extern void pf_purge_expired_src_nodes(void); |
|
| 1242extern void pf_purge_expired_states(void); | 1427extern void pf_purge_expired_states(void); |
| 1243extern int pf_insert_state(struct pf_state *); 1244extern struct pf_state *pf_find_state(struct pf_state_tree *, 1245 struct pf_tree_node *); | 1428extern int pf_insert_state(struct pfi_kif *, 1429 struct pf_state *); 1430extern int pf_insert_src_node(struct pf_src_node **, 1431 struct pf_rule *, struct pf_addr *, 1432 sa_family_t); 1433void pf_src_tree_remove_state(struct pf_state *); 1434extern struct pf_state *pf_find_state_byid(struct pf_state *); 1435extern struct pf_state *pf_find_state_all(struct pf_state *key, 1436 u_int8_t tree, int *more); |
| 1246extern struct pf_anchor *pf_find_anchor(const char *); 1247extern struct pf_ruleset *pf_find_ruleset(char *, char *); | 1437extern struct pf_anchor *pf_find_anchor(const char *); 1438extern struct pf_ruleset *pf_find_ruleset(char *, char *); |
| 1248extern struct pf_ruleset *pf_find_or_create_ruleset(char *, char *); | 1439extern struct pf_ruleset *pf_find_or_create_ruleset( 1440 char[PF_ANCHOR_NAME_SIZE], 1441 char[PF_RULESET_NAME_SIZE]); |
| 1249extern void pf_remove_if_empty_ruleset( 1250 struct pf_ruleset *); 1251 | 1442extern void pf_remove_if_empty_ruleset( 1443 struct pf_ruleset *); 1444 |
| 1252extern struct ifnet *status_ifp; | 1445extern struct ifnet *sync_ifp; |
| 1253extern struct pf_rule pf_default_rule; 1254extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1255 u_int8_t); 1256void pf_rm_rule(struct pf_rulequeue *, 1257 struct pf_rule *); 1258 1259#ifdef INET 1260int pf_test(int, struct ifnet *, struct mbuf **); --- 4 unchanged lines hidden (view full) --- 1265void pf_poolmask(struct pf_addr *, struct pf_addr*, 1266 struct pf_addr *, struct pf_addr *, u_int8_t); 1267void pf_addr_inc(struct pf_addr *, sa_family_t); 1268#endif /* INET6 */ 1269 1270void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1271 sa_family_t); 1272void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); | 1446extern struct pf_rule pf_default_rule; 1447extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1448 u_int8_t); 1449void pf_rm_rule(struct pf_rulequeue *, 1450 struct pf_rule *); 1451 1452#ifdef INET 1453int pf_test(int, struct ifnet *, struct mbuf **); --- 4 unchanged lines hidden (view full) --- 1458void pf_poolmask(struct pf_addr *, struct pf_addr*, 1459 struct pf_addr *, struct pf_addr *, u_int8_t); 1460void pf_addr_inc(struct pf_addr *, sa_family_t); 1461#endif /* INET6 */ 1462 1463void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1464 sa_family_t); 1465void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); |
| 1273int pflog_packet(struct ifnet *, struct mbuf *, sa_family_t, u_int8_t, | 1466int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, |
| 1274 u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); 1275int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 1276 struct pf_addr *, sa_family_t); 1277int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); 1278int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 1279int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 1280int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); 1281 1282void pf_normalize_init(void); | 1467 u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); 1468int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 1469 struct pf_addr *, sa_family_t); 1470int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); 1471int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 1472int pf_match_uid(u_int8_t, uid_t, uid_t, uid_t); 1473int pf_match_gid(u_int8_t, gid_t, gid_t, gid_t); 1474 1475void pf_normalize_init(void); |
| 1283int pf_normalize_ip(struct mbuf **, int, struct ifnet *, u_short *); 1284int pf_normalize_ip6(struct mbuf **, int, struct ifnet *, u_short *); 1285int pf_normalize_tcp(int, struct ifnet *, struct mbuf *, int, int, void *, | 1476int pf_normalize_ip(struct mbuf **, int, struct pfi_kif *, u_short *); 1477int pf_normalize_ip6(struct mbuf **, int, struct pfi_kif *, u_short *); 1478int pf_normalize_tcp(int, struct pfi_kif *, struct mbuf *, int, int, void *, |
| 1286 struct pf_pdesc *); 1287void pf_normalize_tcp_cleanup(struct pf_state *); 1288int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 1289 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 1290int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 1291 u_short *, struct tcphdr *, struct pf_state_peer *, 1292 struct pf_state_peer *, int *); 1293u_int32_t 1294 pf_state_expires(const struct pf_state *); 1295void pf_purge_expired_fragments(void); 1296int pf_routable(struct pf_addr *addr, sa_family_t af); 1297void pfr_initialize(void); 1298int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 1299void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 1300 u_int64_t, int, int, int); 1301int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, 1302 struct pf_addr **, struct pf_addr **, sa_family_t); | 1479 struct pf_pdesc *); 1480void pf_normalize_tcp_cleanup(struct pf_state *); 1481int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 1482 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 1483int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 1484 u_short *, struct tcphdr *, struct pf_state_peer *, 1485 struct pf_state_peer *, int *); 1486u_int32_t 1487 pf_state_expires(const struct pf_state *); 1488void pf_purge_expired_fragments(void); 1489int pf_routable(struct pf_addr *addr, sa_family_t af); 1490void pfr_initialize(void); 1491int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 1492void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 1493 u_int64_t, int, int, int); 1494int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, 1495 struct pf_addr **, struct pf_addr **, sa_family_t); |
| 1496void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); |
|
| 1303struct pfr_ktable * 1304 pfr_attach_table(struct pf_ruleset *, char *); 1305void pfr_detach_table(struct pfr_ktable *); 1306int pfr_clr_tables(struct pfr_table *, int *, int); 1307int pfr_add_tables(struct pfr_table *, int, int *, int); 1308int pfr_del_tables(struct pfr_table *, int, int *, int); 1309int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 1310int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); --- 8 unchanged lines hidden (view full) --- 1319 int *, int *, int *, int); 1320int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 1321int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 1322int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 1323 int); 1324int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1325 int); 1326int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); | 1497struct pfr_ktable * 1498 pfr_attach_table(struct pf_ruleset *, char *); 1499void pfr_detach_table(struct pfr_ktable *); 1500int pfr_clr_tables(struct pfr_table *, int *, int); 1501int pfr_add_tables(struct pfr_table *, int, int *, int); 1502int pfr_del_tables(struct pfr_table *, int, int *, int); 1503int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 1504int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); --- 8 unchanged lines hidden (view full) --- 1513 int *, int *, int *, int); 1514int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 1515int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 1516int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 1517 int); 1518int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 1519 int); 1520int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); |
| 1521int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int); |
|
| 1327int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 1328int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 1329 int *, u_int32_t, int); 1330 | 1522int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 1523int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 1524 int *, u_int32_t, int); 1525 |
| 1526void pfi_initialize(void); 1527#ifdef __FreeBSD__ 1528void pfi_cleanup(void); 1529#endif 1530void pfi_attach_clone(struct if_clone *); 1531void pfi_attach_ifnet(struct ifnet *); 1532void pfi_detach_ifnet(struct ifnet *); 1533struct pfi_kif *pfi_lookup_create(const char *); 1534struct pfi_kif *pfi_lookup_if(const char *); 1535int pfi_maybe_destroy(struct pfi_kif *); 1536struct pfi_kif *pfi_attach_rule(const char *); 1537void pfi_detach_rule(struct pfi_kif *); 1538void pfi_attach_state(struct pfi_kif *); 1539void pfi_detach_state(struct pfi_kif *); 1540int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); 1541void pfi_dynaddr_copyout(struct pf_addr_wrap *); 1542void pfi_dynaddr_remove(struct pf_addr_wrap *); 1543void pfi_fill_oldstatus(struct pf_status *); 1544int pfi_clr_istats(const char *, int *, int); 1545int pfi_get_ifaces(const char *, struct pfi_if *, int *, int); 1546int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, 1547 sa_family_t); 1548 1549extern struct pfi_statehead pfi_statehead; 1550 |
|
| 1331u_int16_t pf_tagname2tag(char *); 1332void pf_tag2tagname(u_int16_t, char *); 1333void pf_tag_unref(u_int16_t); 1334int pf_tag_packet(struct mbuf *, struct pf_tag *, int); | 1551u_int16_t pf_tagname2tag(char *); 1552void pf_tag2tagname(u_int16_t, char *); 1553void pf_tag_unref(u_int16_t); 1554int pf_tag_packet(struct mbuf *, struct pf_tag *, int); |
| 1555u_int32_t pf_qname2qid(char *); 1556void pf_qid2qname(u_int32_t, char *); 1557void pf_qid_unref(u_int32_t); |
|
| 1335 1336extern struct pf_status pf_status; 1337 1338#ifdef __FreeBSD__ 1339extern uma_zone_t pf_frent_pl, pf_frag_pl; 1340#else 1341extern struct pool pf_frent_pl, pf_frag_pl; 1342#endif --- 64 unchanged lines hidden --- | 1558 1559extern struct pf_status pf_status; 1560 1561#ifdef __FreeBSD__ 1562extern uma_zone_t pf_frent_pl, pf_frag_pl; 1563#else 1564extern struct pool pf_frent_pl, pf_frag_pl; 1565#endif --- 64 unchanged lines hidden --- |