1,2c1,2
< /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 153725 2005-12-25 23:52:00Z mlaier $ */
< /* $OpenBSD: pfvar.h,v 1.213 2005/03/03 07:13:39 dhartmei Exp $ */
---
> /* $FreeBSD: head/sys/contrib/pf/net/pfvar.h 171168 2007-07-03 12:16:07Z mlaier $ */
> /* $OpenBSD: pfvar.h,v 1.244 2007/02/23 21:31:51 deraadt Exp $ */
40a41,46
> #ifdef __FreeBSD__
> #include <sys/lock.h>
> #include <sys/sx.h>
> #else
> #include <sys/rwlock.h>
> #endif
45a52
> #include <net/pf_mtag.h>
57a65
> struct ip6_hdr;
64a73,79
> #define PF_MD5_DIGEST_LENGTH 16
> #ifdef MD5_DIGEST_LENGTH
> #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
> #error
> #endif
> #endif
>
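Review bot: The bare `#error` in the digest-length guard emits no text, so a mismatch between PF_MD5_DIGEST_LENGTH and MD5_DIGEST_LENGTH is reported only as a file and line number; `#error "PF_MD5_DIGEST_LENGTH must equal MD5_DIGEST_LENGTH"` names the condition. The guard also only fires in translation units where MD5_DIGEST_LENGTH is already defined when pfvar.h is included, so a unit that includes pfvar.h first is not checked at all. If that is accepted, a comment above the constant such as `/* mirrors the MD5 digest size; verified only where the MD5 header is visible */` makes the limitation explicit for whoever next touches pf_chksum.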
76a92,93
> enum { PF_GET_NONE, PF_GET_CLR_CNTR };
>
88c105,106
< PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET };
---
> PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
> PFTM_UNTIL_PACKET };
111c129,130
< enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX };
---
> enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
> PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
116c135
< PF_ADDR_TABLE, PF_ADDR_RTLABEL };
---
> PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED };
121a141,144
> #define PF_LOG 0x01
> #define PF_LOG_ALL 0x02
> #define PF_LOG_SOCKET_LOOKUP 0x04
>
172,183c195,207
< struct pf_addr pfid_addr4;
< struct pf_addr pfid_mask4;
< struct pf_addr pfid_addr6;
< struct pf_addr pfid_mask6;
< struct pfr_ktable *pfid_kt;
< struct pfi_kif *pfid_kif;
< void *pfid_hook_cookie;
< int pfid_net; /* optional mask, or 128 */
< int pfid_acnt4; /* address count, IPv4 */
< int pfid_acnt6; /* address count, IPv6 */
< sa_family_t pfid_af; /* rule address family */
< u_int8_t pfid_iflags; /* PFI_AFLAG_* */
---
> TAILQ_ENTRY(pfi_dynaddr) entry;
> struct pf_addr pfid_addr4;
> struct pf_addr pfid_mask4;
> struct pf_addr pfid_addr6;
> struct pf_addr pfid_mask6;
> struct pfr_ktable *pfid_kt;
> struct pfi_kif *pfid_kif;
> void *pfid_hook_cookie;
> int pfid_net; /* mask or 128 */
> int pfid_acnt4; /* address count IPv4 */
> int pfid_acnt6; /* address count IPv6 */
> sa_family_t pfid_af; /* rule af */
> u_int8_t pfid_iflags; /* PFI_AFLAG_* */
249,263d272
<
< /* prototyped for pf_subr.c */
< struct hook_desc {
< TAILQ_ENTRY(hook_desc) hd_list;
< void (*hd_fn)(void *);
< void *hd_arg;
< };
< TAILQ_HEAD(hook_desc_head, hook_desc);
<
< void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *);
< void hook_disestablish(struct hook_desc_head *, void *);
< void dohooks(struct hook_desc_head *, int);
<
< #define HOOK_REMOVE 0x01
< #define HOOK_FREE 0x02
395,409c404,420
< #define PF_MISMATCHAW(aw, x, af, neg) \
< ( \
< (((aw)->type == PF_ADDR_NOROUTE && \
< pf_routable((x), (af))) || \
< ((aw)->type == PF_ADDR_RTLABEL && \
< !pf_rtlabel_match((x), (af), (aw))) || \
< ((aw)->type == PF_ADDR_TABLE && \
< !pfr_match_addr((aw)->p.tbl, (x), (af))) || \
< ((aw)->type == PF_ADDR_DYNIFTL && \
< !pfi_match_addr((aw)->p.dyn, (x), (af))) || \
< ((aw)->type == PF_ADDR_ADDRMASK && \
< !PF_AZERO(&(aw)->v.a.mask, (af)) && \
< !PF_MATCHA(0, &(aw)->v.a.addr, \
< &(aw)->v.a.mask, (x), (af)))) != \
< (neg) \
---
> #define PF_MISMATCHAW(aw, x, af, neg, ifp) \
> ( \
> (((aw)->type == PF_ADDR_NOROUTE && \
> pf_routable((x), (af), NULL)) || \
> (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \
> pf_routable((x), (af), (ifp))) || \
> ((aw)->type == PF_ADDR_RTLABEL && \
> !pf_rtlabel_match((x), (af), (aw))) || \
> ((aw)->type == PF_ADDR_TABLE && \
> !pfr_match_addr((aw)->p.tbl, (x), (af))) || \
> ((aw)->type == PF_ADDR_DYNIFTL && \
> !pfi_match_addr((aw)->p.dyn, (x), (af))) || \
> ((aw)->type == PF_ADDR_ADDRMASK && \
> !PF_AZERO(&(aw)->v.a.mask, (af)) && \
> !PF_MATCHA(0, &(aw)->v.a.addr, \
> &(aw)->v.a.mask, (x), (af))))) != \
> (neg) \
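Review bot: The new PF_ADDR_URPFFAILED clause is skipped outright when `ifp` is NULL, so with no interface the macro reports no mismatch and an `urpf-failed` address wrapper matches; if that fail-closed reading is intended it should be said next to the macro, e.g. `/* URPFFAILED with ifp == NULL counts as failed: nothing to verify the route against */`, because a caller that passes NULL will then trigger any rule written on urpf-failed. The macro still evaluates `aw`, `x`, `af` and now `ifp` several times; no call site is visible in this hunk, so a side-effecting argument cannot be ruled out from here. The extra parenthesis opened before the URPFFAILED clause is closed only after the ADDRMASK clause, which changes nothing for a chain of `||` but makes the grouping harder to audit than the old one-paren-per-clause layout.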
411a423
>
528a541
> #define PF_OSFP_INET6 0x4000 /* IPv6 */
584c597
< #define PF_QNAME_SIZE 16
---
> #define PF_QNAME_SIZE 64
588c601
< #define PF_TAG_NAME_SIZE 16
---
> #define PF_TAG_NAME_SIZE 64
598,599c611,612
< u_int64_t packets;
< u_int64_t bytes;
---
> u_int64_t packets[2];
> u_int64_t bytes[2];
606a620
> int rtableid;
622a637,638
> uid_t cuid;
> pid_t cpid;
636a653
> u_int8_t logif;
684d700
< #define PFRULE_GRBOUND 0x00020000 /* group-bound */
686a703,704
> #define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */
> #define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */
704,705c722,723
< u_int32_t bytes;
< u_int32_t packets;
---
> u_int64_t bytes[2];
> u_int64_t packets[2];
746a765
> u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */
747a767
> u_int8_t pad[3];
751a772,784
> /* keep synced with struct pf_state, used in RB_FIND */
> struct pf_state_cmp {
> u_int64_t id;
> u_int32_t creatorid;
> struct pf_state_host lan;
> struct pf_state_host gwy;
> struct pf_state_host ext;
> sa_family_t af;
> u_int8_t proto;
> u_int8_t direction;
> u_int8_t pad;
> };
>
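Review bot: The "keep synced with struct pf_state" comment is the only thing binding pf_state_cmp's layout to the leading members of pf_state, and the FreeBSD side of pf_state already diverges in the final byte (`local_flags` versus `pad`), so a later reordering would go unnoticed until RB_FIND misbehaves. If the tree comparison reads members through `direction`, as the shared prefix suggests, a compile-time check pins it, e.g. `CTASSERT(offsetof(struct pf_state_cmp, direction) == offsetof(struct pf_state, direction));` next to the struct on the FreeBSD build, with the equivalent for the `lan`, `gwy` and `ext` offsets if the compare touches them. The same comment-only contract appears on pfi_kif_cmp further down and would benefit from the same treatment.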
753a787,806
> u_int32_t creatorid;
> struct pf_state_host lan;
> struct pf_state_host gwy;
> struct pf_state_host ext;
> sa_family_t af;
> u_int8_t proto;
> u_int8_t direction;
> #ifdef __FreeBSD__
> u_int8_t local_flags;
> #define PFSTATE_EXPIRING 0x01
> #else
> u_int8_t pad;
> #endif
> u_int8_t log;
> u_int8_t allow_opts;
> u_int8_t timeout;
> u_int8_t sync_flags;
> #define PFSTATE_NOSYNC 0x01
> #define PFSTATE_FROMSYNC 0x02
> #define PFSTATE_STALE 0x04
759c812
< TAILQ_ENTRY(pf_state) entry_updates;
---
> TAILQ_ENTRY(pf_state) entry_list;
764,766d816
< struct pf_state_host lan;
< struct pf_state_host gwy;
< struct pf_state_host ext;
775a826,827
> u_int64_t packets[2];
> u_int64_t bytes[2];
779,781d830
< u_int32_t packets[2];
< u_int32_t bytes[2];
< u_int32_t creatorid;
783,799d831
< sa_family_t af;
< u_int8_t proto;
< u_int8_t direction;
< u_int8_t log;
< u_int8_t allow_opts;
< u_int8_t timeout;
< u_int8_t sync_flags;
< #define PFSTATE_NOSYNC 0x01
< #define PFSTATE_FROMSYNC 0x02
< #define PFSTATE_STALE 0x04
< #ifdef __FreeBSD__
< u_int8_t local_flags;
< #define PFSTATE_EXPIRING 0x01
< #define PFSTATE_SRC_CONN 0x02
< #else
< u_int8_t pad;
< #endif
810a843,844
> struct pf_rule **ptr_array;
> u_int32_t rcount;
831a866
> int match;
957,969d991
< struct pfi_if {
< char pfif_name[IFNAMSIZ];
< u_int64_t pfif_packets[2][2][2];
< u_int64_t pfif_bytes[2][2][2];
< u_int64_t pfif_addcnt;
< u_int64_t pfif_delcnt;
< long pfif_tzero;
< int pfif_states;
< int pfif_rules;
< int pfif_flags;
< };
<
< TAILQ_HEAD(pfi_grouphead, pfi_kif);
971a994,999
>
> /* keep synced with pfi_kif, used in RB_FIND */
> struct pfi_kif_cmp {
> char pfik_name[IFNAMSIZ];
> };
>
973c1001
< struct pfi_if pfik_if;
---
> char pfik_name[IFNAMSIZ];
974a1003,1006
> u_int64_t pfik_packets[2][2][2];
> u_int64_t pfik_bytes[2][2][2];
> u_int32_t pfik_tzero;
> int pfik_flags;
977,978d1008
< struct pfi_grouphead pfik_grouphead;
< TAILQ_ENTRY(pfi_kif) pfik_instances;
980c1010
< struct hook_desc_head *pfik_ah_head;
---
> #ifndef __FreeBSD__
982c1012
< struct pfi_kif *pfik_parent;
---
> #endif
983a1014
> struct ifg_group *pfik_group;
985a1017
> TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
987,995d1018
< #define pfik_name pfik_if.pfif_name
< #define pfik_packets pfik_if.pfif_packets
< #define pfik_bytes pfik_if.pfif_bytes
< #define pfik_tzero pfik_if.pfif_tzero
< #define pfik_flags pfik_if.pfif_flags
< #define pfik_addcnt pfik_if.pfif_addcnt
< #define pfik_delcnt pfik_if.pfif_delcnt
< #define pfik_states pfik_if.pfif_states
< #define pfik_rules pfik_if.pfif_rules
997,1001c1020,1025
< #define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */
< #define PFI_IFLAG_INSTANCE 0x0002 /* single instance */
< #define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */
< #define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */
< #define PFI_IFLAG_ATTACHED 0x0040 /* interface attached */
---
> enum pfi_kif_refs {
> PFI_KIF_REF_NONE,
> PFI_KIF_REF_STATE,
> PFI_KIF_REF_RULE
> };
>
1002a1027
> /* XXX: revisist */
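Review bot: `revisist` is a misspelling of `revisit`, and an XXX marker with no subject tells the next reader nothing about what needs revisiting or why; either name the concern, e.g. `/* XXX: revisit - lookup cache lifetime is per-pdesc, confirm it is reset per packet */` if that is the worry, or drop the marker.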
1006a1032,1037
> struct {
> int done;
> uid_t uid;
> gid_t gid;
> pid_t pid;
> } lookup;
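Review bot: The new `lookup` cache stores uid, gid and pid from a socket lookup but the encoding of `done` is not stated, and an `int` flag with unstated values is easy to misread as boolean when a failed lookup and an unattempted lookup must be told apart before trusting `uid`. If it is tri-state, say so on the field, e.g. `int done; /* -1: lookup failed, 0: not attempted, 1: uid/gid/pid valid */`, and confirm the values against pf_socket_lookup, which is declared later in this diff but not visible here. The enclosing struct begins before this hunk.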
1023a1055
> struct pf_mtag *pf_mtag;
1163a1196
> u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
1225a1259,1275
> #ifndef __FreeBSD__
>
> #define PF_TAG_GENERATED 0x01
> #define PF_TAG_FRAGCACHE 0x02
> #define PF_TAG_TRANSLATE_LOCALHOST 0x04
>
> struct pf_mtag {
> void *hdr; /* saved hdr pos in mbuf, for ECN */
> u_int rtableid; /* alternate routing table id */
> u_int32_t qid; /* queue id */
> u_int16_t tag; /* tag id */
> u_int8_t flags;
> u_int8_t routed;
> sa_family_t af; /* for ECN */
> };
> #endif
>
1241a1292,1295
> #define PFR_KTABLE_HIWAT 1000 /* Number of tables */
> #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */
> #define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */
>
1286a1341,1347
> struct pfioc_src_node_kill {
> /* XXX returns the number of src nodes killed in psnk_af */
> sa_family_t psnk_af;
> struct pf_rule_addr psnk_src;
> struct pf_rule_addr psnk_dst;
> };
>
1394,1398d1454
<
< #define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */
< #define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */
< #define PFI_FLAG_ALLMASK 0x0003
<
1477d1532
< #define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface)
1479a1535
> #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
1485c1541
< #define DIOCGIFSPEED _IOWR('D', 91, struct pf_ifspeed)
---
> #define DIOCGIFSPEED _IOWR('D', 92, struct pf_ifspeed)
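Review bot: Moving DIOCGIFSPEED from number 91 to 92 and handing 91 to DIOCKILLSRCNODES means a pfctl built against the previous header now issues a command number that denotes a different operation; the `_IOWR` encoding includes the argument size, so the two full command values only collide if `sizeof(struct pf_ifspeed)` and `sizeof(struct pfioc_src_node_kill)` happen to match, but relying on that is fragile. Leaving DIOCGIFSPEED at 91 and taking the slot freed by DIOCICLRISTATS (88) or the next free number for the new ioctl avoids the break; if the renumbering is deliberate to track upstream numbering, a comment `/* numbers follow OpenBSD; DIOCGIFSPEED moved from 91 */` records the reason.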
1497c1553
< extern struct pf_state_queue state_updates;
---
> extern struct pf_state_queue state_list;
1499,1500d1554
< extern struct pf_anchor_global pf_anchors;
< extern struct pf_ruleset pf_main_ruleset;
1506d1559
< extern struct pfi_kif **pfi_index2kif;
1533,1536c1586,1590
< extern void pf_purge_timeout(void *);
< extern void pf_purge_expired_src_nodes(void);
< extern void pf_purge_expired_states(void);
< extern void pf_purge_expired_state(struct pf_state *);
---
> extern void pf_purge_thread(void *);
> extern void pf_purge_expired_src_nodes(int);
> extern void pf_purge_expired_states(u_int32_t);
> extern void pf_unlink_state(struct pf_state *);
> extern void pf_free_state(struct pf_state *);
1543,1544c1597,1598
< extern struct pf_state *pf_find_state_byid(struct pf_state *);
< extern struct pf_state *pf_find_state_all(struct pf_state *key,
---
> extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *);
> extern struct pf_state *pf_find_state_all(struct pf_state_cmp *key,
1548,1552d1601
< extern struct pf_anchor *pf_find_anchor(const char *);
< extern struct pf_ruleset *pf_find_ruleset(const char *);
< extern struct pf_ruleset *pf_find_or_create_ruleset(const char *);
< extern void pf_remove_if_empty_ruleset(
< struct pf_ruleset *);
1583a1633,1635
> #ifdef __FreeBSD__
> u_int32_t pf_new_isn(struct pf_state *);
> #endif
1588c1640,1641
< u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *);
---
> u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *,
> struct pf_pdesc *);
1612c1665
< int pf_routable(struct pf_addr *addr, sa_family_t af);
---
> int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
1613a1667,1671
> #ifdef __FreeBSD__
> int pf_socket_lookup(int, struct pf_pdesc *, struct inpcb *);
> #else
> int pf_socket_lookup(int, struct pf_pdesc *);
> #endif
1638c1696
< int *, int *, int *, int);
---
> int *, int *, int *, int, u_int32_t);
1650a1709,1711
> extern struct pfi_statehead pfi_statehead;
> extern struct pfi_kif *pfi_all;
>
1655c1716,1719
< void pfi_attach_clone(struct if_clone *);
---
> struct pfi_kif *pfi_kif_get(const char *);
> void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs);
> void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs);
> int pfi_kif_match(struct pfi_kif *, struct pfi_kif *);
1658,1664c1722,1726
< struct pfi_kif *pfi_lookup_create(const char *);
< struct pfi_kif *pfi_lookup_if(const char *);
< int pfi_maybe_destroy(struct pfi_kif *);
< struct pfi_kif *pfi_attach_rule(const char *);
< void pfi_detach_rule(struct pfi_kif *);
< void pfi_attach_state(struct pfi_kif *);
< void pfi_detach_state(struct pfi_kif *);
---
> void pfi_attach_ifgroup(struct ifg_group *);
> void pfi_detach_ifgroup(struct ifg_group *);
> void pfi_group_change(const char *);
> int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
> sa_family_t);
1666d1727
< void pfi_dynaddr_copyout(struct pf_addr_wrap *);
1667a1729
> void pfi_dynaddr_copyout(struct pf_addr_wrap *);
1669,1670c1731,1732
< int pfi_clr_istats(const char *, int *, int);
< int pfi_get_ifaces(const char *, struct pfi_if *, int *, int);
---
> int pfi_clr_istats(const char *);
> int pfi_get_ifaces(const char *, struct pfi_kif *, int *);
1673,1674d1734
< int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *,
< sa_family_t);
1676c1736,1747
< extern struct pfi_statehead pfi_statehead;
---
> u_int16_t pf_tagname2tag(char *);
> void pf_tag2tagname(u_int16_t, char *);
> void pf_tag_ref(u_int16_t);
> void pf_tag_unref(u_int16_t);
> int pf_tag_packet(struct mbuf *, struct pf_mtag *, int, int);
> u_int32_t pf_qname2qid(char *);
> void pf_qid2qname(u_int32_t, char *);
> void pf_qid_unref(u_int32_t);
> #ifndef __FreeBSD__
> struct pf_mtag *pf_find_mtag(struct mbuf *);
> struct pf_mtag *pf_get_mtag(struct mbuf *);
> #endif
1678,1686d1748
< u_int16_t pf_tagname2tag(char *);
< void pf_tag2tagname(u_int16_t, char *);
< void pf_tag_ref(u_int16_t);
< void pf_tag_unref(u_int16_t);
< int pf_tag_packet(struct mbuf *, struct pf_tag *, int);
< u_int32_t pf_qname2qid(char *);
< void pf_qid2qname(u_int32_t, char *);
< void pf_qid_unref(u_int32_t);
<
1690a1753
> extern struct sx pf_consistency_lock;
1692a1756
> extern struct rwlock pf_consistency_lock;
1734a1799,1826
> extern struct pf_anchor_global pf_anchors;
> extern struct pf_anchor pf_main_anchor;
> #define pf_main_ruleset pf_main_anchor.ruleset
>
> /* these ruleset functions can be linked into userland programs (pfctl) */
> int pf_get_ruleset_number(u_int8_t);
> void pf_init_ruleset(struct pf_ruleset *);
> int pf_anchor_setup(struct pf_rule *,
> const struct pf_ruleset *, const char *);
> int pf_anchor_copyout(const struct pf_ruleset *,
> const struct pf_rule *, struct pfioc_rule *);
> void pf_anchor_remove(struct pf_rule *);
> void pf_remove_if_empty_ruleset(struct pf_ruleset *);
> struct pf_anchor *pf_find_anchor(const char *);
> struct pf_ruleset *pf_find_ruleset(const char *);
> struct pf_ruleset *pf_find_or_create_ruleset(const char *);
> void pf_rs_initialize(void);
>
> #ifndef __FreeBSD__
> /* ?!? */
> #ifdef _KERNEL
> int pf_anchor_copyout(const struct pf_ruleset *,
> const struct pf_rule *, struct pfioc_rule *);
> void pf_anchor_remove(struct pf_rule *);
>
> #endif /* _KERNEL */
> #endif
>
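Review bot: pf_anchor_copyout and pf_anchor_remove are declared twice in this hunk, once unconditionally in the group marked as linkable into userland and again under `#ifndef __FreeBSD__` / `#ifdef _KERNEL` with a `/* ?!? */` comment; the second declarations add nothing over the first, and the comment records the author's doubt rather than a reason. Either drop the inner block or replace the comment with why the OpenBSD kernel build needs separate prototypes. Separately, `#define pf_main_ruleset pf_main_anchor.ruleset` turns what used to be an extern object into a macro, so any remaining `extern struct pf_ruleset pf_main_ruleset;` in another file would now expand into a syntax error; a one-line comment `/* alias, not a separate object; do not redeclare */` above the define would spare the next reader that surprise.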
1743c1835,1836
< pf_osfp_fingerprint_hdr(const struct ip *, const struct tcphdr *);
---
> pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *,
> const struct tcphdr *);