ip_fw.h revision 316444
1/*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * 25 * $FreeBSD: stable/11/sys/netinet/ip_fw.h 316444 2017-04-03 07:30:47Z ae $ 26 */ 27 28#ifndef _IPFW2_H 29#define _IPFW2_H 30 31/* 32 * The default rule number. By the design of ip_fw, the default rule 33 * is the last one, so its number can also serve as the highest number 34 * allowed for a rule. The ip_fw code relies on both meanings of this 35 * constant. 36 */ 37#define IPFW_DEFAULT_RULE 65535 38 39#define RESVD_SET 31 /*set for default and persistent rules*/ 40#define IPFW_MAX_SETS 32 /* Number of sets supported by ipfw*/ 41 42/* 43 * Compat values for old clients 44 */ 45#ifndef _KERNEL 46#define IPFW_TABLES_MAX 65535 47#define IPFW_TABLES_DEFAULT 128 48#endif 49 50/* 51 * Most commands (queue, pipe, tag, untag, limit...) can have a 16-bit 52 * argument between 1 and 65534. The value 0 (IP_FW_TARG) is used 53 * to represent 'tablearg' value, e.g. indicate the use of a 'tablearg' 54 * result of the most recent table() lookup. 55 * Note that 16bit is only a historical limit, resulting from 56 * the use of a 16-bit fields for that value. In reality, we can have 57 * 2^32 pipes, queues, tag values and so on. 58 */ 59#define IPFW_ARG_MIN 1 60#define IPFW_ARG_MAX 65534 61#define IP_FW_TABLEARG 65535 /* Compat value for old clients */ 62#define IP_FW_TARG 0 /* Current tablearg value */ 63#define IP_FW_NAT44_GLOBAL 65535 /* arg1 value for "nat global" */ 64 65/* 66 * Number of entries in the call stack of the call/return commands. 67 * Call stack currently is an uint16_t array with rule numbers. 68 */ 69#define IPFW_CALLSTACK_SIZE 16 70 71/* IP_FW3 header/opcodes */ 72typedef struct _ip_fw3_opheader { 73 uint16_t opcode; /* Operation opcode */ 74 uint16_t version; /* Opcode version */ 75 uint16_t reserved[2]; /* Align to 64-bit boundary */ 76} ip_fw3_opheader; 77 78/* IP_FW3 opcodes */ 79#define IP_FW_TABLE_XADD 86 /* add entry */ 80#define IP_FW_TABLE_XDEL 87 /* delete entry */ 81#define IP_FW_TABLE_XGETSIZE 88 /* get table size (deprecated) */ 82#define IP_FW_TABLE_XLIST 89 /* list table contents */ 83#define IP_FW_TABLE_XDESTROY 90 /* destroy table */ 84#define IP_FW_TABLES_XLIST 92 /* list all tables */ 85#define IP_FW_TABLE_XINFO 93 /* request info for one table */ 86#define IP_FW_TABLE_XFLUSH 94 /* flush table data */ 87#define IP_FW_TABLE_XCREATE 95 /* create new table */ 88#define IP_FW_TABLE_XMODIFY 96 /* modify existing table */ 89#define IP_FW_XGET 97 /* Retrieve configuration */ 90#define IP_FW_XADD 98 /* add rule */ 91#define IP_FW_XDEL 99 /* del rule */ 92#define IP_FW_XMOVE 100 /* move rules to different set */ 93#define IP_FW_XZERO 101 /* clear accounting */ 94#define IP_FW_XRESETLOG 102 /* zero rules logs */ 95#define IP_FW_SET_SWAP 103 /* Swap between 2 sets */ 96#define IP_FW_SET_MOVE 104 /* Move one set to another one */ 97#define IP_FW_SET_ENABLE 105 /* Enable/disable sets */ 98#define IP_FW_TABLE_XFIND 106 /* finds an entry */ 99#define IP_FW_XIFLIST 107 /* list tracked interfaces */ 100#define IP_FW_TABLES_ALIST 108 /* list table algorithms */ 101#define IP_FW_TABLE_XSWAP 109 /* swap two tables */ 102#define IP_FW_TABLE_VLIST 110 /* dump table value hash */ 103 104#define IP_FW_NAT44_XCONFIG 111 /* Create/modify NAT44 instance */ 105#define IP_FW_NAT44_DESTROY 112 /* Destroys NAT44 instance */ 106#define IP_FW_NAT44_XGETCONFIG 113 /* Get NAT44 instance config */ 107#define IP_FW_NAT44_LIST_NAT 114 /* List all NAT44 instances */ 108#define IP_FW_NAT44_XGETLOG 115 /* Get log from NAT44 instance */ 109 110#define IP_FW_DUMP_SOPTCODES 116 /* Dump available sopts/versions */ 111#define IP_FW_DUMP_SRVOBJECTS 117 /* Dump existing named objects */ 112 113#define IP_FW_NPTV6_CREATE 150 /* Create NPTv6 instance */ 114#define IP_FW_NPTV6_DESTROY 151 /* Destroy NPTv6 instance */ 115#define IP_FW_NPTV6_CONFIG 152 /* Modify NPTv6 instance */ 116#define IP_FW_NPTV6_LIST 153 /* List NPTv6 instances */ 117#define IP_FW_NPTV6_STATS 154 /* Get NPTv6 instance statistics */ 118#define IP_FW_NPTV6_RESET_STATS 155 /* Reset NPTv6 instance statistics */ 119 120/* 121 * The kernel representation of ipfw rules is made of a list of 122 * 'instructions' (for all practical purposes equivalent to BPF 123 * instructions), which specify which fields of the packet 124 * (or its metadata) should be analysed. 125 * 126 * Each instruction is stored in a structure which begins with 127 * "ipfw_insn", and can contain extra fields depending on the 128 * instruction type (listed below). 129 * Note that the code is written so that individual instructions 130 * have a size which is a multiple of 32 bits. This means that, if 131 * such structures contain pointers or other 64-bit entities, 132 * (there is just one instance now) they may end up unaligned on 133 * 64-bit architectures, so the must be handled with care. 134 * 135 * "enum ipfw_opcodes" are the opcodes supported. We can have up 136 * to 256 different opcodes. When adding new opcodes, they should 137 * be appended to the end of the opcode list before O_LAST_OPCODE, 138 * this will prevent the ABI from being broken, otherwise users 139 * will have to recompile ipfw(8) when they update the kernel. 140 */ 141 142enum ipfw_opcodes { /* arguments (4 byte each) */ 143 O_NOP, 144 145 O_IP_SRC, /* u32 = IP */ 146 O_IP_SRC_MASK, /* ip = IP/mask */ 147 O_IP_SRC_ME, /* none */ 148 O_IP_SRC_SET, /* u32=base, arg1=len, bitmap */ 149 150 O_IP_DST, /* u32 = IP */ 151 O_IP_DST_MASK, /* ip = IP/mask */ 152 O_IP_DST_ME, /* none */ 153 O_IP_DST_SET, /* u32=base, arg1=len, bitmap */ 154 155 O_IP_SRCPORT, /* (n)port list:mask 4 byte ea */ 156 O_IP_DSTPORT, /* (n)port list:mask 4 byte ea */ 157 O_PROTO, /* arg1=protocol */ 158 159 O_MACADDR2, /* 2 mac addr:mask */ 160 O_MAC_TYPE, /* same as srcport */ 161 162 O_LAYER2, /* none */ 163 O_IN, /* none */ 164 O_FRAG, /* none */ 165 166 O_RECV, /* none */ 167 O_XMIT, /* none */ 168 O_VIA, /* none */ 169 170 O_IPOPT, /* arg1 = 2*u8 bitmap */ 171 O_IPLEN, /* arg1 = len */ 172 O_IPID, /* arg1 = id */ 173 174 O_IPTOS, /* arg1 = id */ 175 O_IPPRECEDENCE, /* arg1 = precedence << 5 */ 176 O_IPTTL, /* arg1 = TTL */ 177 178 O_IPVER, /* arg1 = version */ 179 O_UID, /* u32 = id */ 180 O_GID, /* u32 = id */ 181 O_ESTAB, /* none (tcp established) */ 182 O_TCPFLAGS, /* arg1 = 2*u8 bitmap */ 183 O_TCPWIN, /* arg1 = desired win */ 184 O_TCPSEQ, /* u32 = desired seq. */ 185 O_TCPACK, /* u32 = desired seq. */ 186 O_ICMPTYPE, /* u32 = icmp bitmap */ 187 O_TCPOPTS, /* arg1 = 2*u8 bitmap */ 188 189 O_VERREVPATH, /* none */ 190 O_VERSRCREACH, /* none */ 191 192 O_PROBE_STATE, /* none */ 193 O_KEEP_STATE, /* none */ 194 O_LIMIT, /* ipfw_insn_limit */ 195 O_LIMIT_PARENT, /* dyn_type, not an opcode. */ 196 197 /* 198 * These are really 'actions'. 199 */ 200 201 O_LOG, /* ipfw_insn_log */ 202 O_PROB, /* u32 = match probability */ 203 204 O_CHECK_STATE, /* none */ 205 O_ACCEPT, /* none */ 206 O_DENY, /* none */ 207 O_REJECT, /* arg1=icmp arg (same as deny) */ 208 O_COUNT, /* none */ 209 O_SKIPTO, /* arg1=next rule number */ 210 O_PIPE, /* arg1=pipe number */ 211 O_QUEUE, /* arg1=queue number */ 212 O_DIVERT, /* arg1=port number */ 213 O_TEE, /* arg1=port number */ 214 O_FORWARD_IP, /* fwd sockaddr */ 215 O_FORWARD_MAC, /* fwd mac */ 216 O_NAT, /* nope */ 217 O_REASS, /* none */ 218 219 /* 220 * More opcodes. 221 */ 222 O_IPSEC, /* has ipsec history */ 223 O_IP_SRC_LOOKUP, /* arg1=table number, u32=value */ 224 O_IP_DST_LOOKUP, /* arg1=table number, u32=value */ 225 O_ANTISPOOF, /* none */ 226 O_JAIL, /* u32 = id */ 227 O_ALTQ, /* u32 = altq classif. qid */ 228 O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */ 229 O_TCPDATALEN, /* arg1 = tcp data len */ 230 O_IP6_SRC, /* address without mask */ 231 O_IP6_SRC_ME, /* my addresses */ 232 O_IP6_SRC_MASK, /* address with the mask */ 233 O_IP6_DST, 234 O_IP6_DST_ME, 235 O_IP6_DST_MASK, 236 O_FLOW6ID, /* for flow id tag in the ipv6 pkt */ 237 O_ICMP6TYPE, /* icmp6 packet type filtering */ 238 O_EXT_HDR, /* filtering for ipv6 extension header */ 239 O_IP6, 240 241 /* 242 * actions for ng_ipfw 243 */ 244 O_NETGRAPH, /* send to ng_ipfw */ 245 O_NGTEE, /* copy to ng_ipfw */ 246 247 O_IP4, 248 249 O_UNREACH6, /* arg1=icmpv6 code arg (deny) */ 250 251 O_TAG, /* arg1=tag number */ 252 O_TAGGED, /* arg1=tag number */ 253 254 O_SETFIB, /* arg1=FIB number */ 255 O_FIB, /* arg1=FIB desired fib number */ 256 257 O_SOCKARG, /* socket argument */ 258 259 O_CALLRETURN, /* arg1=called rule number */ 260 261 O_FORWARD_IP6, /* fwd sockaddr_in6 */ 262 263 O_DSCP, /* 2 u32 = DSCP mask */ 264 O_SETDSCP, /* arg1=DSCP value */ 265 O_IP_FLOW_LOOKUP, /* arg1=table number, u32=value */ 266 267 O_EXTERNAL_ACTION, /* arg1=id of external action handler */ 268 O_EXTERNAL_INSTANCE, /* arg1=id of eaction handler instance */ 269 270 O_LAST_OPCODE /* not an opcode! */ 271}; 272 273/* 274 * The extension header are filtered only for presence using a bit 275 * vector with a flag for each header. 276 */ 277#define EXT_FRAGMENT 0x1 278#define EXT_HOPOPTS 0x2 279#define EXT_ROUTING 0x4 280#define EXT_AH 0x8 281#define EXT_ESP 0x10 282#define EXT_DSTOPTS 0x20 283#define EXT_RTHDR0 0x40 284#define EXT_RTHDR2 0x80 285 286/* 287 * Template for instructions. 288 * 289 * ipfw_insn is used for all instructions which require no operands, 290 * a single 16-bit value (arg1), or a couple of 8-bit values. 291 * 292 * For other instructions which require different/larger arguments 293 * we have derived structures, ipfw_insn_*. 294 * 295 * The size of the instruction (in 32-bit words) is in the low 296 * 6 bits of "len". The 2 remaining bits are used to implement 297 * NOT and OR on individual instructions. Given a type, you can 298 * compute the length to be put in "len" using F_INSN_SIZE(t) 299 * 300 * F_NOT negates the match result of the instruction. 301 * 302 * F_OR is used to build or blocks. By default, instructions 303 * are evaluated as part of a logical AND. An "or" block 304 * { X or Y or Z } contains F_OR set in all but the last 305 * instruction of the block. A match will cause the code 306 * to skip past the last instruction of the block. 307 * 308 * NOTA BENE: in a couple of places we assume that 309 * sizeof(ipfw_insn) == sizeof(u_int32_t) 310 * this needs to be fixed. 311 * 312 */ 313typedef struct _ipfw_insn { /* template for instructions */ 314 u_int8_t opcode; 315 u_int8_t len; /* number of 32-bit words */ 316#define F_NOT 0x80 317#define F_OR 0x40 318#define F_LEN_MASK 0x3f 319#define F_LEN(cmd) ((cmd)->len & F_LEN_MASK) 320 321 u_int16_t arg1; 322} ipfw_insn; 323 324/* 325 * The F_INSN_SIZE(type) computes the size, in 4-byte words, of 326 * a given type. 327 */ 328#define F_INSN_SIZE(t) ((sizeof (t))/sizeof(u_int32_t)) 329 330/* 331 * This is used to store an array of 16-bit entries (ports etc.) 332 */ 333typedef struct _ipfw_insn_u16 { 334 ipfw_insn o; 335 u_int16_t ports[2]; /* there may be more */ 336} ipfw_insn_u16; 337 338/* 339 * This is used to store an array of 32-bit entries 340 * (uid, single IPv4 addresses etc.) 341 */ 342typedef struct _ipfw_insn_u32 { 343 ipfw_insn o; 344 u_int32_t d[1]; /* one or more */ 345} ipfw_insn_u32; 346 347/* 348 * This is used to store IP addr-mask pairs. 349 */ 350typedef struct _ipfw_insn_ip { 351 ipfw_insn o; 352 struct in_addr addr; 353 struct in_addr mask; 354} ipfw_insn_ip; 355 356/* 357 * This is used to forward to a given address (ip). 358 */ 359typedef struct _ipfw_insn_sa { 360 ipfw_insn o; 361 struct sockaddr_in sa; 362} ipfw_insn_sa; 363 364/* 365 * This is used to forward to a given address (ipv6). 366 */ 367typedef struct _ipfw_insn_sa6 { 368 ipfw_insn o; 369 struct sockaddr_in6 sa; 370} ipfw_insn_sa6; 371 372/* 373 * This is used for MAC addr-mask pairs. 374 */ 375typedef struct _ipfw_insn_mac { 376 ipfw_insn o; 377 u_char addr[12]; /* dst[6] + src[6] */ 378 u_char mask[12]; /* dst[6] + src[6] */ 379} ipfw_insn_mac; 380 381/* 382 * This is used for interface match rules (recv xx, xmit xx). 383 */ 384typedef struct _ipfw_insn_if { 385 ipfw_insn o; 386 union { 387 struct in_addr ip; 388 int glob; 389 uint16_t kidx; 390 } p; 391 char name[IFNAMSIZ]; 392} ipfw_insn_if; 393 394/* 395 * This is used for storing an altq queue id number. 396 */ 397typedef struct _ipfw_insn_altq { 398 ipfw_insn o; 399 u_int32_t qid; 400} ipfw_insn_altq; 401 402/* 403 * This is used for limit rules. 404 */ 405typedef struct _ipfw_insn_limit { 406 ipfw_insn o; 407 u_int8_t _pad; 408 u_int8_t limit_mask; /* combination of DYN_* below */ 409#define DYN_SRC_ADDR 0x1 410#define DYN_SRC_PORT 0x2 411#define DYN_DST_ADDR 0x4 412#define DYN_DST_PORT 0x8 413 414 u_int16_t conn_limit; 415} ipfw_insn_limit; 416 417/* 418 * This is used for log instructions. 419 */ 420typedef struct _ipfw_insn_log { 421 ipfw_insn o; 422 u_int32_t max_log; /* how many do we log -- 0 = all */ 423 u_int32_t log_left; /* how many left to log */ 424} ipfw_insn_log; 425 426/* Legacy NAT structures, compat only */ 427#ifndef _KERNEL 428/* 429 * Data structures required by both ipfw(8) and ipfw(4) but not part of the 430 * management API are protected by IPFW_INTERNAL. 431 */ 432#ifdef IPFW_INTERNAL 433/* Server pool support (LSNAT). */ 434struct cfg_spool { 435 LIST_ENTRY(cfg_spool) _next; /* chain of spool instances */ 436 struct in_addr addr; 437 u_short port; 438}; 439#endif 440 441/* Redirect modes id. */ 442#define REDIR_ADDR 0x01 443#define REDIR_PORT 0x02 444#define REDIR_PROTO 0x04 445 446#ifdef IPFW_INTERNAL 447/* Nat redirect configuration. */ 448struct cfg_redir { 449 LIST_ENTRY(cfg_redir) _next; /* chain of redir instances */ 450 u_int16_t mode; /* type of redirect mode */ 451 struct in_addr laddr; /* local ip address */ 452 struct in_addr paddr; /* public ip address */ 453 struct in_addr raddr; /* remote ip address */ 454 u_short lport; /* local port */ 455 u_short pport; /* public port */ 456 u_short rport; /* remote port */ 457 u_short pport_cnt; /* number of public ports */ 458 u_short rport_cnt; /* number of remote ports */ 459 int proto; /* protocol: tcp/udp */ 460 struct alias_link **alink; 461 /* num of entry in spool chain */ 462 u_int16_t spool_cnt; 463 /* chain of spool instances */ 464 LIST_HEAD(spool_chain, cfg_spool) spool_chain; 465}; 466#endif 467 468#ifdef IPFW_INTERNAL 469/* Nat configuration data struct. */ 470struct cfg_nat { 471 /* chain of nat instances */ 472 LIST_ENTRY(cfg_nat) _next; 473 int id; /* nat id */ 474 struct in_addr ip; /* nat ip address */ 475 char if_name[IF_NAMESIZE]; /* interface name */ 476 int mode; /* aliasing mode */ 477 struct libalias *lib; /* libalias instance */ 478 /* number of entry in spool chain */ 479 int redir_cnt; 480 /* chain of redir instances */ 481 LIST_HEAD(redir_chain, cfg_redir) redir_chain; 482}; 483#endif 484 485#define SOF_NAT sizeof(struct cfg_nat) 486#define SOF_REDIR sizeof(struct cfg_redir) 487#define SOF_SPOOL sizeof(struct cfg_spool) 488 489#endif /* ifndef _KERNEL */ 490 491 492struct nat44_cfg_spool { 493 struct in_addr addr; 494 uint16_t port; 495 uint16_t spare; 496}; 497#define NAT44_REDIR_ADDR 0x01 498#define NAT44_REDIR_PORT 0x02 499#define NAT44_REDIR_PROTO 0x04 500 501/* Nat redirect configuration. */ 502struct nat44_cfg_redir { 503 struct in_addr laddr; /* local ip address */ 504 struct in_addr paddr; /* public ip address */ 505 struct in_addr raddr; /* remote ip address */ 506 uint16_t lport; /* local port */ 507 uint16_t pport; /* public port */ 508 uint16_t rport; /* remote port */ 509 uint16_t pport_cnt; /* number of public ports */ 510 uint16_t rport_cnt; /* number of remote ports */ 511 uint16_t mode; /* type of redirect mode */ 512 uint16_t spool_cnt; /* num of entry in spool chain */ 513 uint16_t spare; 514 uint32_t proto; /* protocol: tcp/udp */ 515}; 516 517/* Nat configuration data struct. */ 518struct nat44_cfg_nat { 519 char name[64]; /* nat name */ 520 char if_name[64]; /* interface name */ 521 uint32_t size; /* structure size incl. redirs */ 522 struct in_addr ip; /* nat IPv4 address */ 523 uint32_t mode; /* aliasing mode */ 524 uint32_t redir_cnt; /* number of entry in spool chain */ 525}; 526 527/* Nat command. */ 528typedef struct _ipfw_insn_nat { 529 ipfw_insn o; 530 struct cfg_nat *nat; 531} ipfw_insn_nat; 532 533/* Apply ipv6 mask on ipv6 addr */ 534#define APPLY_MASK(addr,mask) \ 535 (addr)->__u6_addr.__u6_addr32[0] &= (mask)->__u6_addr.__u6_addr32[0]; \ 536 (addr)->__u6_addr.__u6_addr32[1] &= (mask)->__u6_addr.__u6_addr32[1]; \ 537 (addr)->__u6_addr.__u6_addr32[2] &= (mask)->__u6_addr.__u6_addr32[2]; \ 538 (addr)->__u6_addr.__u6_addr32[3] &= (mask)->__u6_addr.__u6_addr32[3]; 539 540/* Structure for ipv6 */ 541typedef struct _ipfw_insn_ip6 { 542 ipfw_insn o; 543 struct in6_addr addr6; 544 struct in6_addr mask6; 545} ipfw_insn_ip6; 546 547/* Used to support icmp6 types */ 548typedef struct _ipfw_insn_icmp6 { 549 ipfw_insn o; 550 uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h 551 * define ICMP6_MAXTYPE 552 * as follows: n = ICMP6_MAXTYPE/32 + 1 553 * Actually is 203 554 */ 555} ipfw_insn_icmp6; 556 557/* 558 * Here we have the structure representing an ipfw rule. 559 * 560 * Layout: 561 * struct ip_fw_rule 562 * [ counter block, size = rule->cntr_len ] 563 * [ one or more instructions, size = rule->cmd_len * 4 ] 564 * 565 * It starts with a general area (with link fields). 566 * Counter block may be next (if rule->cntr_len > 0), 567 * followed by an array of one or more instructions, which the code 568 * accesses as an array of 32-bit values. rule->cmd_len represents 569 * the total instructions legth in u32 worrd, while act_ofs represents 570 * rule action offset in u32 words. 571 * 572 * When assembling instruction, remember the following: 573 * 574 * + if a rule has a "keep-state" (or "limit") option, then the 575 * first instruction (at r->cmd) MUST BE an O_PROBE_STATE 576 * + if a rule has a "log" option, then the first action 577 * (at ACTION_PTR(r)) MUST be O_LOG 578 * + if a rule has an "altq" option, it comes after "log" 579 * + if a rule has an O_TAG option, it comes after "log" and "altq" 580 * 581 * 582 * All structures (excluding instructions) are u64-aligned. 583 * Please keep this. 584 */ 585 586struct ip_fw_rule { 587 uint16_t act_ofs; /* offset of action in 32-bit units */ 588 uint16_t cmd_len; /* # of 32-bit words in cmd */ 589 uint16_t spare; 590 uint8_t set; /* rule set (0..31) */ 591 uint8_t flags; /* rule flags */ 592 uint32_t rulenum; /* rule number */ 593 uint32_t id; /* rule id */ 594 595 ipfw_insn cmd[1]; /* storage for commands */ 596}; 597#define IPFW_RULE_NOOPT 0x01 /* Has no options in body */ 598 599/* Unaligned version */ 600 601/* Base ipfw rule counter block. */ 602struct ip_fw_bcounter { 603 uint16_t size; /* Size of counter block, bytes */ 604 uint8_t flags; /* flags for given block */ 605 uint8_t spare; 606 uint32_t timestamp; /* tv_sec of last match */ 607 uint64_t pcnt; /* Packet counter */ 608 uint64_t bcnt; /* Byte counter */ 609}; 610 611 612#ifndef _KERNEL 613/* 614 * Legacy rule format 615 */ 616struct ip_fw { 617 struct ip_fw *x_next; /* linked list of rules */ 618 struct ip_fw *next_rule; /* ptr to next [skipto] rule */ 619 /* 'next_rule' is used to pass up 'set_disable' status */ 620 621 uint16_t act_ofs; /* offset of action in 32-bit units */ 622 uint16_t cmd_len; /* # of 32-bit words in cmd */ 623 uint16_t rulenum; /* rule number */ 624 uint8_t set; /* rule set (0..31) */ 625 uint8_t _pad; /* padding */ 626 uint32_t id; /* rule id */ 627 628 /* These fields are present in all rules. */ 629 uint64_t pcnt; /* Packet counter */ 630 uint64_t bcnt; /* Byte counter */ 631 uint32_t timestamp; /* tv_sec of last match */ 632 633 ipfw_insn cmd[1]; /* storage for commands */ 634}; 635#endif 636 637#define ACTION_PTR(rule) \ 638 (ipfw_insn *)( (u_int32_t *)((rule)->cmd) + ((rule)->act_ofs) ) 639 640#define RULESIZE(rule) (sizeof(*(rule)) + (rule)->cmd_len * 4 - 4) 641 642 643#if 1 // should be moved to in.h 644/* 645 * This structure is used as a flow mask and a flow id for various 646 * parts of the code. 647 * addr_type is used in userland and kernel to mark the address type. 648 * fib is used in the kernel to record the fib in use. 649 * _flags is used in the kernel to store tcp flags for dynamic rules. 650 */ 651struct ipfw_flow_id { 652 uint32_t dst_ip; 653 uint32_t src_ip; 654 uint16_t dst_port; 655 uint16_t src_port; 656 uint8_t fib; 657 uint8_t proto; 658 uint8_t _flags; /* protocol-specific flags */ 659 uint8_t addr_type; /* 4=ip4, 6=ip6, 1=ether ? */ 660 struct in6_addr dst_ip6; 661 struct in6_addr src_ip6; 662 uint32_t flow_id6; 663 uint32_t extra; /* queue/pipe or frag_id */ 664}; 665#endif 666 667#define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6) 668 669/* 670 * Dynamic ipfw rule. 671 */ 672typedef struct _ipfw_dyn_rule ipfw_dyn_rule; 673 674struct _ipfw_dyn_rule { 675 ipfw_dyn_rule *next; /* linked list of rules. */ 676 struct ip_fw *rule; /* pointer to rule */ 677 /* 'rule' is used to pass up the rule number (from the parent) */ 678 679 ipfw_dyn_rule *parent; /* pointer to parent rule */ 680 u_int64_t pcnt; /* packet match counter */ 681 u_int64_t bcnt; /* byte match counter */ 682 struct ipfw_flow_id id; /* (masked) flow id */ 683 u_int32_t expire; /* expire time */ 684 u_int32_t bucket; /* which bucket in hash table */ 685 u_int32_t state; /* state of this rule (typically a 686 * combination of TCP flags) 687 */ 688 u_int32_t ack_fwd; /* most recent ACKs in forward */ 689 u_int32_t ack_rev; /* and reverse directions (used */ 690 /* to generate keepalives) */ 691 u_int16_t dyn_type; /* rule type */ 692 u_int16_t count; /* refcount */ 693 u_int16_t kidx; /* index of named object */ 694} __packed __aligned(8); 695 696/* 697 * Definitions for IP option names. 698 */ 699#define IP_FW_IPOPT_LSRR 0x01 700#define IP_FW_IPOPT_SSRR 0x02 701#define IP_FW_IPOPT_RR 0x04 702#define IP_FW_IPOPT_TS 0x08 703 704/* 705 * Definitions for TCP option names. 706 */ 707#define IP_FW_TCPOPT_MSS 0x01 708#define IP_FW_TCPOPT_WINDOW 0x02 709#define IP_FW_TCPOPT_SACK 0x04 710#define IP_FW_TCPOPT_TS 0x08 711#define IP_FW_TCPOPT_CC 0x10 712 713#define ICMP_REJECT_RST 0x100 /* fake ICMP code (send a TCP RST) */ 714#define ICMP6_UNREACH_RST 0x100 /* fake ICMPv6 code (send a TCP RST) */ 715 716/* 717 * These are used for lookup tables. 718 */ 719 720#define IPFW_TABLE_ADDR 1 /* Table for holding IPv4/IPv6 prefixes */ 721#define IPFW_TABLE_INTERFACE 2 /* Table for holding interface names */ 722#define IPFW_TABLE_NUMBER 3 /* Table for holding ports/uid/gid/etc */ 723#define IPFW_TABLE_FLOW 4 /* Table for holding flow data */ 724#define IPFW_TABLE_MAXTYPE 4 /* Maximum valid number */ 725 726#define IPFW_TABLE_CIDR IPFW_TABLE_ADDR /* compat */ 727 728/* Value types */ 729#define IPFW_VTYPE_LEGACY 0xFFFFFFFF /* All data is filled in */ 730#define IPFW_VTYPE_SKIPTO 0x00000001 /* skipto/call/callreturn */ 731#define IPFW_VTYPE_PIPE 0x00000002 /* pipe/queue */ 732#define IPFW_VTYPE_FIB 0x00000004 /* setfib */ 733#define IPFW_VTYPE_NAT 0x00000008 /* nat */ 734#define IPFW_VTYPE_DSCP 0x00000010 /* dscp */ 735#define IPFW_VTYPE_TAG 0x00000020 /* tag/untag */ 736#define IPFW_VTYPE_DIVERT 0x00000040 /* divert/tee */ 737#define IPFW_VTYPE_NETGRAPH 0x00000080 /* netgraph/ngtee */ 738#define IPFW_VTYPE_LIMIT 0x00000100 /* limit */ 739#define IPFW_VTYPE_NH4 0x00000200 /* IPv4 nexthop */ 740#define IPFW_VTYPE_NH6 0x00000400 /* IPv6 nexthop */ 741 742typedef struct _ipfw_table_entry { 743 in_addr_t addr; /* network address */ 744 u_int32_t value; /* value */ 745 u_int16_t tbl; /* table number */ 746 u_int8_t masklen; /* mask length */ 747} ipfw_table_entry; 748 749typedef struct _ipfw_table_xentry { 750 uint16_t len; /* Total entry length */ 751 uint8_t type; /* entry type */ 752 uint8_t masklen; /* mask length */ 753 uint16_t tbl; /* table number */ 754 uint16_t flags; /* record flags */ 755 uint32_t value; /* value */ 756 union { 757 /* Longest field needs to be aligned by 4-byte boundary */ 758 struct in6_addr addr6; /* IPv6 address */ 759 char iface[IF_NAMESIZE]; /* interface name */ 760 } k; 761} ipfw_table_xentry; 762#define IPFW_TCF_INET 0x01 /* CIDR flags: IPv4 record */ 763 764typedef struct _ipfw_table { 765 u_int32_t size; /* size of entries in bytes */ 766 u_int32_t cnt; /* # of entries */ 767 u_int16_t tbl; /* table number */ 768 ipfw_table_entry ent[0]; /* entries */ 769} ipfw_table; 770 771typedef struct _ipfw_xtable { 772 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 773 uint32_t size; /* size of entries in bytes */ 774 uint32_t cnt; /* # of entries */ 775 uint16_t tbl; /* table number */ 776 uint8_t type; /* table type */ 777 ipfw_table_xentry xent[0]; /* entries */ 778} ipfw_xtable; 779 780typedef struct _ipfw_obj_tlv { 781 uint16_t type; /* TLV type */ 782 uint16_t flags; /* TLV-specific flags */ 783 uint32_t length; /* Total length, aligned to u64 */ 784} ipfw_obj_tlv; 785#define IPFW_TLV_TBL_NAME 1 786#define IPFW_TLV_TBLNAME_LIST 2 787#define IPFW_TLV_RULE_LIST 3 788#define IPFW_TLV_DYNSTATE_LIST 4 789#define IPFW_TLV_TBL_ENT 5 790#define IPFW_TLV_DYN_ENT 6 791#define IPFW_TLV_RULE_ENT 7 792#define IPFW_TLV_TBLENT_LIST 8 793#define IPFW_TLV_RANGE 9 794#define IPFW_TLV_EACTION 10 795#define IPFW_TLV_COUNTERS 11 796#define IPFW_TLV_STATE_NAME 14 797 798#define IPFW_TLV_EACTION_BASE 1000 799#define IPFW_TLV_EACTION_NAME(arg) (IPFW_TLV_EACTION_BASE + (arg)) 800 801/* Object name TLV */ 802typedef struct _ipfw_obj_ntlv { 803 ipfw_obj_tlv head; /* TLV header */ 804 uint16_t idx; /* Name index */ 805 uint8_t set; /* set, if applicable */ 806 uint8_t type; /* object type, if applicable */ 807 uint32_t spare; /* unused */ 808 char name[64]; /* Null-terminated name */ 809} ipfw_obj_ntlv; 810 811/* IPv4/IPv6 L4 flow description */ 812struct tflow_entry { 813 uint8_t af; 814 uint8_t proto; 815 uint16_t spare; 816 uint16_t sport; 817 uint16_t dport; 818 union { 819 struct { 820 struct in_addr sip; 821 struct in_addr dip; 822 } a4; 823 struct { 824 struct in6_addr sip6; 825 struct in6_addr dip6; 826 } a6; 827 } a; 828}; 829 830typedef struct _ipfw_table_value { 831 uint32_t tag; /* O_TAG/O_TAGGED */ 832 uint32_t pipe; /* O_PIPE/O_QUEUE */ 833 uint16_t divert; /* O_DIVERT/O_TEE */ 834 uint16_t skipto; /* skipto, CALLRET */ 835 uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */ 836 uint32_t fib; /* O_SETFIB */ 837 uint32_t nat; /* O_NAT */ 838 uint32_t nh4; 839 uint8_t dscp; 840 uint8_t spare0; 841 uint16_t spare1; 842 struct in6_addr nh6; 843 uint32_t limit; /* O_LIMIT */ 844 uint32_t zoneid; /* scope zone id for nh6 */ 845 uint64_t reserved; 846} ipfw_table_value; 847 848/* Table entry TLV */ 849typedef struct _ipfw_obj_tentry { 850 ipfw_obj_tlv head; /* TLV header */ 851 uint8_t subtype; /* subtype (IPv4,IPv6) */ 852 uint8_t masklen; /* mask length */ 853 uint8_t result; /* request result */ 854 uint8_t spare0; 855 uint16_t idx; /* Table name index */ 856 uint16_t spare1; 857 union { 858 /* Longest field needs to be aligned by 8-byte boundary */ 859 struct in_addr addr; /* IPv4 address */ 860 uint32_t key; /* uid/gid/port */ 861 struct in6_addr addr6; /* IPv6 address */ 862 char iface[IF_NAMESIZE]; /* interface name */ 863 struct tflow_entry flow; 864 } k; 865 union { 866 ipfw_table_value value; /* value data */ 867 uint32_t kidx; /* value kernel index */ 868 } v; 869} ipfw_obj_tentry; 870#define IPFW_TF_UPDATE 0x01 /* Update record if exists */ 871/* Container TLV */ 872#define IPFW_CTF_ATOMIC 0x01 /* Perform atomic operation */ 873/* Operation results */ 874#define IPFW_TR_IGNORED 0 /* Entry was ignored (rollback) */ 875#define IPFW_TR_ADDED 1 /* Entry was successfully added */ 876#define IPFW_TR_UPDATED 2 /* Entry was successfully updated*/ 877#define IPFW_TR_DELETED 3 /* Entry was successfully deleted*/ 878#define IPFW_TR_LIMIT 4 /* Entry was ignored (limit) */ 879#define IPFW_TR_NOTFOUND 5 /* Entry was not found */ 880#define IPFW_TR_EXISTS 6 /* Entry already exists */ 881#define IPFW_TR_ERROR 7 /* Request has failed (unknown) */ 882 883typedef struct _ipfw_obj_dyntlv { 884 ipfw_obj_tlv head; 885 ipfw_dyn_rule state; 886} ipfw_obj_dyntlv; 887#define IPFW_DF_LAST 0x01 /* Last state in chain */ 888 889/* Containter TLVs */ 890typedef struct _ipfw_obj_ctlv { 891 ipfw_obj_tlv head; /* TLV header */ 892 uint32_t count; /* Number of sub-TLVs */ 893 uint16_t objsize; /* Single object size */ 894 uint8_t version; /* TLV version */ 895 uint8_t flags; /* TLV-specific flags */ 896} ipfw_obj_ctlv; 897 898/* Range TLV */ 899typedef struct _ipfw_range_tlv { 900 ipfw_obj_tlv head; /* TLV header */ 901 uint32_t flags; /* Range flags */ 902 uint16_t start_rule; /* Range start */ 903 uint16_t end_rule; /* Range end */ 904 uint32_t set; /* Range set to match */ 905 uint32_t new_set; /* New set to move/swap to */ 906} ipfw_range_tlv; 907#define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */ 908#define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */ 909#define IPFW_RCFLAG_SET 0x04 /* match rules in given set */ 910/* User-settable flags */ 911#define IPFW_RCFLAG_USER (IPFW_RCFLAG_RANGE | IPFW_RCFLAG_ALL | \ 912 IPFW_RCFLAG_SET) 913/* Internally used flags */ 914#define IPFW_RCFLAG_DEFAULT 0x0100 /* Do not skip defaul rule */ 915 916typedef struct _ipfw_ta_tinfo { 917 uint32_t flags; /* Format flags */ 918 uint32_t spare; 919 uint8_t taclass4; /* algorithm class */ 920 uint8_t spare4; 921 uint16_t itemsize4; /* item size in runtime */ 922 uint32_t size4; /* runtime structure size */ 923 uint32_t count4; /* number of items in runtime */ 924 uint8_t taclass6; /* algorithm class */ 925 uint8_t spare6; 926 uint16_t itemsize6; /* item size in runtime */ 927 uint32_t size6; /* runtime structure size */ 928 uint32_t count6; /* number of items in runtime */ 929} ipfw_ta_tinfo; 930#define IPFW_TACLASS_HASH 1 /* algo is based on hash */ 931#define IPFW_TACLASS_ARRAY 2 /* algo is based on array */ 932#define IPFW_TACLASS_RADIX 3 /* algo is based on radix tree */ 933 934#define IPFW_TATFLAGS_DATA 0x0001 /* Has data filled in */ 935#define IPFW_TATFLAGS_AFDATA 0x0002 /* Separate data per AF */ 936#define IPFW_TATFLAGS_AFITEM 0x0004 /* diff. items per AF */ 937 938typedef struct _ipfw_xtable_info { 939 uint8_t type; /* table type (addr,iface,..) */ 940 uint8_t tflags; /* type flags */ 941 uint16_t mflags; /* modification flags */ 942 uint16_t flags; /* generic table flags */ 943 uint16_t spare[3]; 944 uint32_t vmask; /* bitmask with value types */ 945 uint32_t set; /* set table is in */ 946 uint32_t kidx; /* kernel index */ 947 uint32_t refcnt; /* number of references */ 948 uint32_t count; /* Number of records */ 949 uint32_t size; /* Total size of records(export)*/ 950 uint32_t limit; /* Max number of records */ 951 char tablename[64]; /* table name */ 952 char algoname[64]; /* algorithm name */ 953 ipfw_ta_tinfo ta_info; /* additional algo stats */ 954} ipfw_xtable_info; 955/* Generic table flags */ 956#define IPFW_TGFLAGS_LOCKED 0x01 /* Tables is locked from changes*/ 957/* Table type-specific flags */ 958#define IPFW_TFFLAG_SRCIP 0x01 959#define IPFW_TFFLAG_DSTIP 0x02 960#define IPFW_TFFLAG_SRCPORT 0x04 961#define IPFW_TFFLAG_DSTPORT 0x08 962#define IPFW_TFFLAG_PROTO 0x10 963/* Table modification flags */ 964#define IPFW_TMFLAGS_LIMIT 0x0002 /* Change limit value */ 965#define IPFW_TMFLAGS_LOCK 0x0004 /* Change table lock state */ 966 967typedef struct _ipfw_iface_info { 968 char ifname[64]; /* interface name */ 969 uint32_t ifindex; /* interface index */ 970 uint32_t flags; /* flags */ 971 uint32_t refcnt; /* number of references */ 972 uint32_t gencnt; /* number of changes */ 973 uint64_t spare; 974} ipfw_iface_info; 975#define IPFW_IFFLAG_RESOLVED 0x01 /* Interface exists */ 976 977typedef struct _ipfw_ta_info { 978 char algoname[64]; /* algorithm name */ 979 uint32_t type; /* lookup type */ 980 uint32_t flags; 981 uint32_t refcnt; 982 uint32_t spare0; 983 uint64_t spare1; 984} ipfw_ta_info; 985 986typedef struct _ipfw_obj_header { 987 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 988 uint32_t spare; 989 uint16_t idx; /* object name index */ 990 uint8_t objtype; /* object type */ 991 uint8_t objsubtype; /* object subtype */ 992 ipfw_obj_ntlv ntlv; /* object name tlv */ 993} ipfw_obj_header; 994 995typedef struct _ipfw_obj_lheader { 996 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 997 uint32_t set_mask; /* disabled set mask */ 998 uint32_t count; /* Total objects count */ 999 uint32_t size; /* Total size (incl. header) */ 1000 uint32_t objsize; /* Size of one object */ 1001} ipfw_obj_lheader; 1002 1003#define IPFW_CFG_GET_STATIC 0x01 1004#define IPFW_CFG_GET_STATES 0x02 1005#define IPFW_CFG_GET_COUNTERS 0x04 1006typedef struct _ipfw_cfg_lheader { 1007 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 1008 uint32_t set_mask; /* enabled set mask */ 1009 uint32_t spare; 1010 uint32_t flags; /* Request flags */ 1011 uint32_t size; /* neded buffer size */ 1012 uint32_t start_rule; 1013 uint32_t end_rule; 1014} ipfw_cfg_lheader; 1015 1016typedef struct _ipfw_range_header { 1017 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 1018 ipfw_range_tlv range; 1019} ipfw_range_header; 1020 1021typedef struct _ipfw_sopt_info { 1022 uint16_t opcode; 1023 uint8_t version; 1024 uint8_t dir; 1025 uint8_t spare; 1026 uint64_t refcnt; 1027} ipfw_sopt_info; 1028 1029#endif /* _IPFW2_H */ 1030