Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/net/pfvar.h
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2001 Daniel Hartmeier 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ 32 * $FreeBSD$ 33 */ 34 35 #ifndef _NET_PFVAR_H_ 36 #define _NET_PFVAR_H_ 37 38 #include <sys/param.h> 39 #include <sys/queue.h> 40 #include <sys/counter.h> 41 #include <sys/cpuset.h> 42 #include <sys/malloc.h> 43 #include <sys/nv.h> 44 #include <sys/refcount.h> 45 #include <sys/sysctl.h> 46 #include <sys/smp.h> 47 #include <sys/lock.h> 48 #include <sys/rmlock.h> 49 #include <sys/tree.h> 50 #include <sys/seq.h> 51 #include <vm/uma.h> 52 53 #include <net/radix.h> 54 #include <netinet/in.h> 55 #ifdef _KERNEL 56 #include <netinet/ip.h> 57 #include <netinet/tcp.h> 58 #include <netinet/udp.h> 59 #include <netinet/ip_icmp.h> 60 #include <netinet/icmp6.h> 61 #endif 62 63 #include <netpfil/pf/pf.h> 64 #include <netpfil/pf/pf_altq.h> 65 #include <netpfil/pf/pf_mtag.h> 66 67 #ifdef _KERNEL 68 69 #if defined(__arm__) 70 #define PF_WANT_32_TO_64_COUNTER 71 #endif 72 73 /* 74 * A hybrid of 32-bit and 64-bit counters which can be used on platforms where 75 * counter(9) is very expensive. 76 * 77 * As 32-bit counters are expected to overflow, a periodic job sums them up to 78 * a saved 64-bit state. Fetching the value still walks all CPUs to get the most 79 * current snapshot. 80 */ 81 #ifdef PF_WANT_32_TO_64_COUNTER 82 struct pf_counter_u64_pcpu { 83 u_int32_t current; 84 u_int32_t snapshot; 85 }; 86 87 struct pf_counter_u64 { 88 struct pf_counter_u64_pcpu *pfcu64_pcpu; 89 u_int64_t pfcu64_value; 90 seq_t pfcu64_seqc; 91 }; 92 93 static inline int 94 pf_counter_u64_init(struct pf_counter_u64 *pfcu64, int flags) 95 { 96 97 pfcu64->pfcu64_value = 0; 98 pfcu64->pfcu64_seqc = 0; 99 pfcu64->pfcu64_pcpu = uma_zalloc_pcpu(pcpu_zone_64, flags | M_ZERO); 100 if (__predict_false(pfcu64->pfcu64_pcpu == NULL)) 101 return (ENOMEM); 102 return (0); 103 } 104 105 static inline void 106 pf_counter_u64_deinit(struct pf_counter_u64 *pfcu64) 107 { 108 109 uma_zfree_pcpu(pcpu_zone_64, pfcu64->pfcu64_pcpu); 110 } 111 112 static inline void 113 pf_counter_u64_critical_enter(void) 114 { 115 116 critical_enter(); 117 } 118 119 static inline void 120 pf_counter_u64_critical_exit(void) 121 { 122 123 critical_exit(); 124 } 125 126 static inline void 127 pf_counter_u64_add_protected(struct pf_counter_u64 *pfcu64, uint32_t n) 128 { 129 struct pf_counter_u64_pcpu *pcpu; 130 u_int32_t val; 131 132 MPASS(curthread->td_critnest > 0); 133 pcpu = zpcpu_get(pfcu64->pfcu64_pcpu); 134 val = atomic_load_int(&pcpu->current); 135 atomic_store_int(&pcpu->current, val + n); 136 } 137 138 static inline void 139 pf_counter_u64_add(struct pf_counter_u64 *pfcu64, uint32_t n) 140 { 141 142 critical_enter(); 143 pf_counter_u64_add_protected(pfcu64, n); 144 critical_exit(); 145 } 146 147 static inline u_int64_t 148 pf_counter_u64_periodic(struct pf_counter_u64 *pfcu64) 149 { 150 struct pf_counter_u64_pcpu *pcpu; 151 u_int64_t sum; 152 u_int32_t val; 153 int cpu; 154 155 MPASS(curthread->td_critnest > 0); 156 seq_write_begin(&pfcu64->pfcu64_seqc); 157 sum = pfcu64->pfcu64_value; 158 CPU_FOREACH(cpu) { 159 pcpu = zpcpu_get_cpu(pfcu64->pfcu64_pcpu, cpu); 160 val = atomic_load_int(&pcpu->current); 161 sum += (uint32_t)(val - pcpu->snapshot); 162 pcpu->snapshot = val; 163 } 164 pfcu64->pfcu64_value = sum; 165 seq_write_end(&pfcu64->pfcu64_seqc); 166 return (sum); 167 } 168 169 static inline u_int64_t 170 pf_counter_u64_fetch(const struct pf_counter_u64 *pfcu64) 171 { 172 struct pf_counter_u64_pcpu *pcpu; 173 u_int64_t sum; 174 seq_t seqc; 175 int cpu; 176 177 for (;;) { 178 seqc = seq_load(&pfcu64->pfcu64_seqc); 179 sum = 0; 180 CPU_FOREACH(cpu) { 181 pcpu = zpcpu_get_cpu(pfcu64->pfcu64_pcpu, cpu); 182 sum += (uint32_t)(atomic_load_int(&pcpu->current) -pcpu->snapshot); 183 } 184 sum += pfcu64->pfcu64_value; 185 if (seq_consistent(&pfcu64->pfcu64_seqc, seqc)) 186 break; 187 } 188 return (sum); 189 } 190 191 static inline void 192 pf_counter_u64_zero_protected(struct pf_counter_u64 *pfcu64) 193 { 194 struct pf_counter_u64_pcpu *pcpu; 195 int cpu; 196 197 MPASS(curthread->td_critnest > 0); 198 seq_write_begin(&pfcu64->pfcu64_seqc); 199 CPU_FOREACH(cpu) { 200 pcpu = zpcpu_get_cpu(pfcu64->pfcu64_pcpu, cpu); 201 pcpu->snapshot = atomic_load_int(&pcpu->current); 202 } 203 pfcu64->pfcu64_value = 0; 204 seq_write_end(&pfcu64->pfcu64_seqc); 205 } 206 207 static inline void 208 pf_counter_u64_zero(struct pf_counter_u64 *pfcu64) 209 { 210 211 critical_enter(); 212 pf_counter_u64_zero_protected(pfcu64); 213 critical_exit(); 214 } 215 #else 216 struct pf_counter_u64 { 217 counter_u64_t counter; 218 }; 219 220 static inline int 221 pf_counter_u64_init(struct pf_counter_u64 *pfcu64, int flags) 222 { 223 224 pfcu64->counter = counter_u64_alloc(flags); 225 if (__predict_false(pfcu64->counter == NULL)) 226 return (ENOMEM); 227 return (0); 228 } 229 230 static inline void 231 pf_counter_u64_deinit(struct pf_counter_u64 *pfcu64) 232 { 233 234 counter_u64_free(pfcu64->counter); 235 } 236 237 static inline void 238 pf_counter_u64_critical_enter(void) 239 { 240 241 } 242 243 static inline void 244 pf_counter_u64_critical_exit(void) 245 { 246 247 } 248 249 static inline void 250 pf_counter_u64_add_protected(struct pf_counter_u64 *pfcu64, uint32_t n) 251 { 252 253 counter_u64_add(pfcu64->counter, n); 254 } 255 256 static inline void 257 pf_counter_u64_add(struct pf_counter_u64 *pfcu64, uint32_t n) 258 { 259 260 pf_counter_u64_add_protected(pfcu64, n); 261 } 262 263 static inline u_int64_t 264 pf_counter_u64_fetch(const struct pf_counter_u64 *pfcu64) 265 { 266 267 return (counter_u64_fetch(pfcu64->counter)); 268 } 269 270 static inline void 271 pf_counter_u64_zero_protected(struct pf_counter_u64 *pfcu64) 272 { 273 274 counter_u64_zero(pfcu64->counter); 275 } 276 277 static inline void 278 pf_counter_u64_zero(struct pf_counter_u64 *pfcu64) 279 { 280 281 pf_counter_u64_zero_protected(pfcu64); 282 } 283 #endif 284 285 SYSCTL_DECL(_net_pf); 286 MALLOC_DECLARE(M_PFHASH); 287 288 struct pfi_dynaddr { 289 TAILQ_ENTRY(pfi_dynaddr) entry; 290 struct pf_addr pfid_addr4; 291 struct pf_addr pfid_mask4; 292 struct pf_addr pfid_addr6; 293 struct pf_addr pfid_mask6; 294 struct pfr_ktable *pfid_kt; 295 struct pfi_kkif *pfid_kif; 296 int pfid_net; /* mask or 128 */ 297 int pfid_acnt4; /* address count IPv4 */ 298 int pfid_acnt6; /* address count IPv6 */ 299 sa_family_t pfid_af; /* rule af */ 300 u_int8_t pfid_iflags; /* PFI_AFLAG_* */ 301 }; 302 303 /* 304 * Address manipulation macros 305 */ 306 #define HTONL(x) (x) = htonl((__uint32_t)(x)) 307 #define HTONS(x) (x) = htons((__uint16_t)(x)) 308 #define NTOHL(x) (x) = ntohl((__uint32_t)(x)) 309 #define NTOHS(x) (x) = ntohs((__uint16_t)(x)) 310 311 #define PF_NAME "pf" 312 313 #define PF_HASHROW_ASSERT(h) mtx_assert(&(h)->lock, MA_OWNED) 314 #define PF_HASHROW_LOCK(h) mtx_lock(&(h)->lock) 315 #define PF_HASHROW_UNLOCK(h) mtx_unlock(&(h)->lock) 316 317 #ifdef INVARIANTS 318 #define PF_STATE_LOCK(s) \ 319 do { \ 320 struct pf_kstate *_s = (s); \ 321 struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(_s)]; \ 322 MPASS(_s->lock == &_ih->lock); \ 323 mtx_lock(_s->lock); \ 324 } while (0) 325 #define PF_STATE_UNLOCK(s) \ 326 do { \ 327 struct pf_kstate *_s = (s); \ 328 struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(_s)]; \ 329 MPASS(_s->lock == &_ih->lock); \ 330 mtx_unlock(_s->lock); \ 331 } while (0) 332 #else 333 #define PF_STATE_LOCK(s) mtx_lock(s->lock) 334 #define PF_STATE_UNLOCK(s) mtx_unlock(s->lock) 335 #endif 336 337 #ifdef INVARIANTS 338 #define PF_STATE_LOCK_ASSERT(s) \ 339 do { \ 340 struct pf_kstate *_s = (s); \ 341 struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(_s)]; \ 342 MPASS(_s->lock == &_ih->lock); \ 343 PF_HASHROW_ASSERT(_ih); \ 344 } while (0) 345 #else /* !INVARIANTS */ 346 #define PF_STATE_LOCK_ASSERT(s) do {} while (0) 347 #endif /* INVARIANTS */ 348 349 extern struct mtx_padalign pf_unlnkdrules_mtx; 350 #define PF_UNLNKDRULES_LOCK() mtx_lock(&pf_unlnkdrules_mtx) 351 #define PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx) 352 #define PF_UNLNKDRULES_ASSERT() mtx_assert(&pf_unlnkdrules_mtx, MA_OWNED) 353 354 extern struct rmlock pf_rules_lock; 355 #define PF_RULES_RLOCK_TRACKER struct rm_priotracker _pf_rules_tracker 356 #define PF_RULES_RLOCK() rm_rlock(&pf_rules_lock, &_pf_rules_tracker) 357 #define PF_RULES_RUNLOCK() rm_runlock(&pf_rules_lock, &_pf_rules_tracker) 358 #define PF_RULES_WLOCK() rm_wlock(&pf_rules_lock) 359 #define PF_RULES_WUNLOCK() rm_wunlock(&pf_rules_lock) 360 #define PF_RULES_WOWNED() rm_wowned(&pf_rules_lock) 361 #define PF_RULES_ASSERT() rm_assert(&pf_rules_lock, RA_LOCKED) 362 #define PF_RULES_RASSERT() rm_assert(&pf_rules_lock, RA_RLOCKED) 363 #define PF_RULES_WASSERT() rm_assert(&pf_rules_lock, RA_WLOCKED) 364 365 extern struct mtx_padalign pf_table_stats_lock; 366 #define PF_TABLE_STATS_LOCK() mtx_lock(&pf_table_stats_lock) 367 #define PF_TABLE_STATS_UNLOCK() mtx_unlock(&pf_table_stats_lock) 368 #define PF_TABLE_STATS_OWNED() mtx_owned(&pf_table_stats_lock) 369 #define PF_TABLE_STATS_ASSERT() mtx_assert(&pf_rules_lock, MA_OWNED) 370 371 extern struct sx pf_end_lock; 372 373 #define PF_MODVER 1 374 #define PFLOG_MODVER 1 375 #define PFSYNC_MODVER 1 376 377 #define PFLOG_MINVER 1 378 #define PFLOG_PREFVER PFLOG_MODVER 379 #define PFLOG_MAXVER 1 380 #define PFSYNC_MINVER 1 381 #define PFSYNC_PREFVER PFSYNC_MODVER 382 #define PFSYNC_MAXVER 1 383 384 #ifdef INET 385 #ifndef INET6 386 #define PF_INET_ONLY 387 #endif /* ! INET6 */ 388 #endif /* INET */ 389 390 #ifdef INET6 391 #ifndef INET 392 #define PF_INET6_ONLY 393 #endif /* ! INET */ 394 #endif /* INET6 */ 395 396 #ifdef INET 397 #ifdef INET6 398 #define PF_INET_INET6 399 #endif /* INET6 */ 400 #endif /* INET */ 401 402 #else 403 404 #define PF_INET_INET6 405 406 #endif /* _KERNEL */ 407 408 /* Both IPv4 and IPv6 */ 409 #ifdef PF_INET_INET6 410 411 #define PF_AEQ(a, b, c) \ 412 ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \ 413 (c == AF_INET6 && (a)->addr32[3] == (b)->addr32[3] && \ 414 (a)->addr32[2] == (b)->addr32[2] && \ 415 (a)->addr32[1] == (b)->addr32[1] && \ 416 (a)->addr32[0] == (b)->addr32[0])) \ 417 418 #define PF_ANEQ(a, b, c) \ 419 ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ 420 (c == AF_INET6 && ((a)->addr32[0] != (b)->addr32[0] || \ 421 (a)->addr32[1] != (b)->addr32[1] || \ 422 (a)->addr32[2] != (b)->addr32[2] || \ 423 (a)->addr32[3] != (b)->addr32[3]))) \ 424 425 #define PF_AZERO(a, c) \ 426 ((c == AF_INET && !(a)->addr32[0]) || \ 427 (c == AF_INET6 && !(a)->addr32[0] && !(a)->addr32[1] && \ 428 !(a)->addr32[2] && !(a)->addr32[3] )) \ 429 430 #define PF_MATCHA(n, a, m, b, f) \ 431 pf_match_addr(n, a, m, b, f) 432 433 #define PF_ACPY(a, b, f) \ 434 pf_addrcpy(a, b, f) 435 436 #define PF_AINC(a, f) \ 437 pf_addr_inc(a, f) 438 439 #define PF_POOLMASK(a, b, c, d, f) \ 440 pf_poolmask(a, b, c, d, f) 441 442 #else 443 444 /* Just IPv6 */ 445 446 #ifdef PF_INET6_ONLY 447 448 #define PF_AEQ(a, b, c) \ 449 ((a)->addr32[3] == (b)->addr32[3] && \ 450 (a)->addr32[2] == (b)->addr32[2] && \ 451 (a)->addr32[1] == (b)->addr32[1] && \ 452 (a)->addr32[0] == (b)->addr32[0]) \ 453 454 #define PF_ANEQ(a, b, c) \ 455 ((a)->addr32[3] != (b)->addr32[3] || \ 456 (a)->addr32[2] != (b)->addr32[2] || \ 457 (a)->addr32[1] != (b)->addr32[1] || \ 458 (a)->addr32[0] != (b)->addr32[0]) \ 459 460 #define PF_AZERO(a, c) \ 461 (!(a)->addr32[0] && \ 462 !(a)->addr32[1] && \ 463 !(a)->addr32[2] && \ 464 !(a)->addr32[3] ) \ 465 466 #define PF_MATCHA(n, a, m, b, f) \ 467 pf_match_addr(n, a, m, b, f) 468 469 #define PF_ACPY(a, b, f) \ 470 pf_addrcpy(a, b, f) 471 472 #define PF_AINC(a, f) \ 473 pf_addr_inc(a, f) 474 475 #define PF_POOLMASK(a, b, c, d, f) \ 476 pf_poolmask(a, b, c, d, f) 477 478 #else 479 480 /* Just IPv4 */ 481 #ifdef PF_INET_ONLY 482 483 #define PF_AEQ(a, b, c) \ 484 ((a)->addr32[0] == (b)->addr32[0]) 485 486 #define PF_ANEQ(a, b, c) \ 487 ((a)->addr32[0] != (b)->addr32[0]) 488 489 #define PF_AZERO(a, c) \ 490 (!(a)->addr32[0]) 491 492 #define PF_MATCHA(n, a, m, b, f) \ 493 pf_match_addr(n, a, m, b, f) 494 495 #define PF_ACPY(a, b, f) \ 496 (a)->v4.s_addr = (b)->v4.s_addr 497 498 #define PF_AINC(a, f) \ 499 do { \ 500 (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \ 501 } while (0) 502 503 #define PF_POOLMASK(a, b, c, d, f) \ 504 do { \ 505 (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \ 506 (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \ 507 } while (0) 508 509 #endif /* PF_INET_ONLY */ 510 #endif /* PF_INET6_ONLY */ 511 #endif /* PF_INET_INET6 */ 512 513 /* 514 * XXX callers not FIB-aware in our version of pf yet. 515 * OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio. 516 */ 517 #define PF_MISMATCHAW(aw, x, af, neg, ifp, rtid) \ 518 ( \ 519 (((aw)->type == PF_ADDR_NOROUTE && \ 520 pf_routable((x), (af), NULL, (rtid))) || \ 521 (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \ 522 pf_routable((x), (af), (ifp), (rtid))) || \ 523 ((aw)->type == PF_ADDR_TABLE && \ 524 !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ 525 ((aw)->type == PF_ADDR_DYNIFTL && \ 526 !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ 527 ((aw)->type == PF_ADDR_RANGE && \ 528 !pf_match_addr_range(&(aw)->v.a.addr, \ 529 &(aw)->v.a.mask, (x), (af))) || \ 530 ((aw)->type == PF_ADDR_ADDRMASK && \ 531 !PF_AZERO(&(aw)->v.a.mask, (af)) && \ 532 !PF_MATCHA(0, &(aw)->v.a.addr, \ 533 &(aw)->v.a.mask, (x), (af))))) != \ 534 (neg) \ 535 ) 536 537 #define PF_ALGNMNT(off) (((off) % 2) == 0) 538 539 #ifdef _KERNEL 540 541 struct pf_kpooladdr { 542 struct pf_addr_wrap addr; 543 TAILQ_ENTRY(pf_kpooladdr) entries; 544 char ifname[IFNAMSIZ]; 545 struct pfi_kkif *kif; 546 }; 547 548 TAILQ_HEAD(pf_kpalist, pf_kpooladdr); 549 550 struct pf_kpool { 551 struct mtx mtx; 552 struct pf_kpalist list; 553 struct pf_kpooladdr *cur; 554 struct pf_poolhashkey key; 555 struct pf_addr counter; 556 struct pf_mape_portset mape; 557 int tblidx; 558 u_int16_t proxy_port[2]; 559 u_int8_t opts; 560 }; 561 562 struct pf_rule_actions { 563 uint16_t qid; 564 uint16_t pqid; 565 }; 566 567 union pf_krule_ptr { 568 struct pf_krule *ptr; 569 u_int32_t nr; 570 }; 571 572 struct pf_krule { 573 struct pf_rule_addr src; 574 struct pf_rule_addr dst; 575 union pf_krule_ptr skip[PF_SKIP_COUNT]; 576 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 577 uint32_t ridentifier; 578 char ifname[IFNAMSIZ]; 579 char qname[PF_QNAME_SIZE]; 580 char pqname[PF_QNAME_SIZE]; 581 char tagname[PF_TAG_NAME_SIZE]; 582 char match_tagname[PF_TAG_NAME_SIZE]; 583 584 char overload_tblname[PF_TABLE_NAME_SIZE]; 585 586 TAILQ_ENTRY(pf_krule) entries; 587 struct pf_kpool rpool; 588 589 struct pf_counter_u64 evaluations; 590 struct pf_counter_u64 packets[2]; 591 struct pf_counter_u64 bytes[2]; 592 593 struct pfi_kkif *kif; 594 struct pf_kanchor *anchor; 595 struct pfr_ktable *overload_tbl; 596 597 pf_osfp_t os_fingerprint; 598 599 int rtableid; 600 u_int32_t timeout[PFTM_MAX]; 601 u_int32_t max_states; 602 u_int32_t max_src_nodes; 603 u_int32_t max_src_states; 604 u_int32_t max_src_conn; 605 struct { 606 u_int32_t limit; 607 u_int32_t seconds; 608 } max_src_conn_rate; 609 u_int16_t qid; 610 u_int16_t pqid; 611 u_int32_t nr; 612 u_int32_t prob; 613 uid_t cuid; 614 pid_t cpid; 615 616 counter_u64_t states_cur; 617 counter_u64_t states_tot; 618 counter_u64_t src_nodes; 619 620 u_int16_t return_icmp; 621 u_int16_t return_icmp6; 622 u_int16_t max_mss; 623 u_int16_t tag; 624 u_int16_t match_tag; 625 u_int16_t scrub_flags; 626 627 struct pf_rule_uid uid; 628 struct pf_rule_gid gid; 629 630 u_int32_t rule_flag; 631 uint32_t rule_ref; 632 u_int8_t action; 633 u_int8_t direction; 634 u_int8_t log; 635 u_int8_t logif; 636 u_int8_t quick; 637 u_int8_t ifnot; 638 u_int8_t match_tag_not; 639 u_int8_t natpass; 640 641 u_int8_t keep_state; 642 sa_family_t af; 643 u_int8_t proto; 644 u_int8_t type; 645 u_int8_t code; 646 u_int8_t flags; 647 u_int8_t flagset; 648 u_int8_t min_ttl; 649 u_int8_t allow_opts; 650 u_int8_t rt; 651 u_int8_t return_ttl; 652 u_int8_t tos; 653 u_int8_t set_tos; 654 u_int8_t anchor_relative; 655 u_int8_t anchor_wildcard; 656 657 u_int8_t flush; 658 u_int8_t prio; 659 u_int8_t set_prio[2]; 660 661 struct { 662 struct pf_addr addr; 663 u_int16_t port; 664 } divert; 665 666 #ifdef PF_WANT_32_TO_64_COUNTER 667 LIST_ENTRY(pf_krule) allrulelist; 668 bool allrulelinked; 669 #endif 670 }; 671 672 struct pf_ksrc_node { 673 LIST_ENTRY(pf_ksrc_node) entry; 674 struct pf_addr addr; 675 struct pf_addr raddr; 676 union pf_krule_ptr rule; 677 struct pfi_kkif *kif; 678 counter_u64_t bytes[2]; 679 counter_u64_t packets[2]; 680 u_int32_t states; 681 u_int32_t conn; 682 struct pf_threshold conn_rate; 683 u_int32_t creation; 684 u_int32_t expire; 685 sa_family_t af; 686 u_int8_t ruletype; 687 }; 688 #endif 689 690 struct pf_state_scrub { 691 struct timeval pfss_last; /* time received last packet */ 692 u_int32_t pfss_tsecr; /* last echoed timestamp */ 693 u_int32_t pfss_tsval; /* largest timestamp */ 694 u_int32_t pfss_tsval0; /* original timestamp */ 695 u_int16_t pfss_flags; 696 #define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ 697 #define PFSS_PAWS 0x0010 /* stricter PAWS checks */ 698 #define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */ 699 #define PFSS_DATA_TS 0x0040 /* timestamp on data packets */ 700 #define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */ 701 u_int8_t pfss_ttl; /* stashed TTL */ 702 u_int8_t pad; 703 u_int32_t pfss_ts_mod; /* timestamp modulation */ 704 }; 705 706 struct pf_state_host { 707 struct pf_addr addr; 708 u_int16_t port; 709 u_int16_t pad; 710 }; 711 712 struct pf_state_peer { 713 struct pf_state_scrub *scrub; /* state is scrubbed */ 714 u_int32_t seqlo; /* Max sequence number sent */ 715 u_int32_t seqhi; /* Max the other end ACKd + win */ 716 u_int32_t seqdiff; /* Sequence number modulator */ 717 u_int16_t max_win; /* largest window (pre scaling) */ 718 u_int16_t mss; /* Maximum segment size option */ 719 u_int8_t state; /* active state level */ 720 u_int8_t wscale; /* window scaling factor */ 721 u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */ 722 u_int8_t pad[1]; 723 }; 724 725 /* Keep synced with struct pf_state_key. */ 726 struct pf_state_key_cmp { 727 struct pf_addr addr[2]; 728 u_int16_t port[2]; 729 sa_family_t af; 730 u_int8_t proto; 731 u_int8_t pad[2]; 732 }; 733 734 struct pf_state_key { 735 struct pf_addr addr[2]; 736 u_int16_t port[2]; 737 sa_family_t af; 738 u_int8_t proto; 739 u_int8_t pad[2]; 740 741 LIST_ENTRY(pf_state_key) entry; 742 TAILQ_HEAD(, pf_kstate) states[2]; 743 }; 744 745 /* Keep synced with struct pf_kstate. */ 746 struct pf_state_cmp { 747 u_int64_t id; 748 u_int32_t creatorid; 749 u_int8_t direction; 750 u_int8_t pad[3]; 751 }; 752 753 #define PFSTATE_ALLOWOPTS 0x01 754 #define PFSTATE_SLOPPY 0x02 755 /* was PFSTATE_PFLOW 0x04 */ 756 #define PFSTATE_NOSYNC 0x08 757 #define PFSTATE_ACK 0x10 758 #define PFSTATE_SETPRIO 0x0200 759 #define PFSTATE_SETMASK (PFSTATE_SETPRIO) 760 761 struct pf_state_scrub_export { 762 uint16_t pfss_flags; 763 uint8_t pfss_ttl; /* stashed TTL */ 764 #define PF_SCRUB_FLAG_VALID 0x01 765 uint8_t scrub_flag; 766 uint32_t pfss_ts_mod; /* timestamp modulation */ 767 }; 768 769 struct pf_state_key_export { 770 struct pf_addr addr[2]; 771 uint16_t port[2]; 772 }; 773 774 struct pf_state_peer_export { 775 struct pf_state_scrub_export scrub; /* state is scrubbed */ 776 uint32_t seqlo; /* Max sequence number sent */ 777 uint32_t seqhi; /* Max the other end ACKd + win */ 778 uint32_t seqdiff; /* Sequence number modulator */ 779 uint16_t max_win; /* largest window (pre scaling) */ 780 uint16_t mss; /* Maximum segment size option */ 781 uint8_t state; /* active state level */ 782 uint8_t wscale; /* window scaling factor */ 783 uint8_t dummy[6]; 784 }; 785 _Static_assert(sizeof(struct pf_state_peer_export) == 32, "size incorrect"); 786 787 struct pf_state_export { 788 uint64_t version; 789 #define PF_STATE_VERSION 20210706 790 uint64_t id; 791 char ifname[IFNAMSIZ]; 792 char orig_ifname[IFNAMSIZ]; 793 struct pf_state_key_export key[2]; 794 struct pf_state_peer_export src; 795 struct pf_state_peer_export dst; 796 struct pf_addr rt_addr; 797 uint32_t rule; 798 uint32_t anchor; 799 uint32_t nat_rule; 800 uint32_t creation; 801 uint32_t expire; 802 uint32_t spare0; 803 uint64_t packets[2]; 804 uint64_t bytes[2]; 805 uint32_t creatorid; 806 uint32_t spare1; 807 sa_family_t af; 808 uint8_t proto; 809 uint8_t direction; 810 uint8_t log; 811 uint8_t state_flags; 812 uint8_t timeout; 813 uint8_t sync_flags; 814 uint8_t updates; 815 816 uint8_t spare[112]; 817 }; 818 _Static_assert(sizeof(struct pf_state_export) == 384, "size incorrect"); 819 820 #ifdef _KERNEL 821 struct pf_kstate { 822 /* 823 * Area shared with pf_state_cmp 824 */ 825 u_int64_t id; 826 u_int32_t creatorid; 827 u_int8_t direction; 828 u_int8_t pad[3]; 829 /* 830 * end of the area 831 */ 832 833 u_int8_t state_flags; 834 u_int8_t timeout; 835 u_int8_t sync_state; /* PFSYNC_S_x */ 836 u_int8_t sync_updates; /* XXX */ 837 u_int refs; 838 struct mtx *lock; 839 TAILQ_ENTRY(pf_kstate) sync_list; 840 TAILQ_ENTRY(pf_kstate) key_list[2]; 841 LIST_ENTRY(pf_kstate) entry; 842 struct pf_state_peer src; 843 struct pf_state_peer dst; 844 union pf_krule_ptr rule; 845 union pf_krule_ptr anchor; 846 union pf_krule_ptr nat_rule; 847 struct pf_addr rt_addr; 848 struct pf_state_key *key[2]; /* addresses stack and wire */ 849 struct pfi_kkif *kif; 850 struct pfi_kkif *orig_kif; /* The real kif, even if we're a floating state (i.e. if == V_pfi_all). */ 851 struct pfi_kkif *rt_kif; 852 struct pf_ksrc_node *src_node; 853 struct pf_ksrc_node *nat_src_node; 854 u_int64_t packets[2]; 855 u_int64_t bytes[2]; 856 u_int32_t creation; 857 u_int32_t expire; 858 u_int32_t pfsync_time; 859 u_int16_t qid; 860 u_int16_t pqid; 861 u_int16_t tag; 862 u_int8_t log; 863 }; 864 865 /* 866 * Size <= fits 13 objects per page on LP64. Try to not grow the struct beyond that. 867 */ 868 _Static_assert(sizeof(struct pf_kstate) <= 312, "pf_kstate size crosses 312 bytes"); 869 #endif 870 871 /* 872 * Unified state structures for pulling states out of the kernel 873 * used by pfsync(4) and the pf(4) ioctl. 874 */ 875 struct pfsync_state_scrub { 876 u_int16_t pfss_flags; 877 u_int8_t pfss_ttl; /* stashed TTL */ 878 #define PFSYNC_SCRUB_FLAG_VALID 0x01 879 u_int8_t scrub_flag; 880 u_int32_t pfss_ts_mod; /* timestamp modulation */ 881 } __packed; 882 883 struct pfsync_state_peer { 884 struct pfsync_state_scrub scrub; /* state is scrubbed */ 885 u_int32_t seqlo; /* Max sequence number sent */ 886 u_int32_t seqhi; /* Max the other end ACKd + win */ 887 u_int32_t seqdiff; /* Sequence number modulator */ 888 u_int16_t max_win; /* largest window (pre scaling) */ 889 u_int16_t mss; /* Maximum segment size option */ 890 u_int8_t state; /* active state level */ 891 u_int8_t wscale; /* window scaling factor */ 892 u_int8_t pad[6]; 893 } __packed; 894 895 struct pfsync_state_key { 896 struct pf_addr addr[2]; 897 u_int16_t port[2]; 898 }; 899 900 struct pfsync_state { 901 u_int64_t id; 902 char ifname[IFNAMSIZ]; 903 struct pfsync_state_key key[2]; 904 struct pfsync_state_peer src; 905 struct pfsync_state_peer dst; 906 struct pf_addr rt_addr; 907 u_int32_t rule; 908 u_int32_t anchor; 909 u_int32_t nat_rule; 910 u_int32_t creation; 911 u_int32_t expire; 912 u_int32_t packets[2][2]; 913 u_int32_t bytes[2][2]; 914 u_int32_t creatorid; 915 sa_family_t af; 916 u_int8_t proto; 917 u_int8_t direction; 918 u_int8_t __spare[2]; 919 u_int8_t log; 920 u_int8_t state_flags; 921 u_int8_t timeout; 922 u_int8_t sync_flags; 923 u_int8_t updates; 924 } __packed; 925 926 #ifdef _KERNEL 927 /* pfsync */ 928 typedef int pfsync_state_import_t(struct pfsync_state *, u_int8_t); 929 typedef void pfsync_insert_state_t(struct pf_kstate *); 930 typedef void pfsync_update_state_t(struct pf_kstate *); 931 typedef void pfsync_delete_state_t(struct pf_kstate *); 932 typedef void pfsync_clear_states_t(u_int32_t, const char *); 933 typedef int pfsync_defer_t(struct pf_kstate *, struct mbuf *); 934 typedef void pfsync_detach_ifnet_t(struct ifnet *); 935 936 VNET_DECLARE(pfsync_state_import_t *, pfsync_state_import_ptr); 937 #define V_pfsync_state_import_ptr VNET(pfsync_state_import_ptr) 938 VNET_DECLARE(pfsync_insert_state_t *, pfsync_insert_state_ptr); 939 #define V_pfsync_insert_state_ptr VNET(pfsync_insert_state_ptr) 940 VNET_DECLARE(pfsync_update_state_t *, pfsync_update_state_ptr); 941 #define V_pfsync_update_state_ptr VNET(pfsync_update_state_ptr) 942 VNET_DECLARE(pfsync_delete_state_t *, pfsync_delete_state_ptr); 943 #define V_pfsync_delete_state_ptr VNET(pfsync_delete_state_ptr) 944 VNET_DECLARE(pfsync_clear_states_t *, pfsync_clear_states_ptr); 945 #define V_pfsync_clear_states_ptr VNET(pfsync_clear_states_ptr) 946 VNET_DECLARE(pfsync_defer_t *, pfsync_defer_ptr); 947 #define V_pfsync_defer_ptr VNET(pfsync_defer_ptr) 948 extern pfsync_detach_ifnet_t *pfsync_detach_ifnet_ptr; 949 950 void pfsync_state_export(struct pfsync_state *, 951 struct pf_kstate *); 952 void pf_state_export(struct pf_state_export *, 953 struct pf_kstate *); 954 955 /* pflog */ 956 struct pf_kruleset; 957 struct pf_pdesc; 958 typedef int pflog_packet_t(struct pfi_kkif *, struct mbuf *, sa_family_t, 959 u_int8_t, u_int8_t, struct pf_krule *, struct pf_krule *, 960 struct pf_kruleset *, struct pf_pdesc *, int); 961 extern pflog_packet_t *pflog_packet_ptr; 962 963 #endif /* _KERNEL */ 964 965 #define PFSYNC_FLAG_SRCNODE 0x04 966 #define PFSYNC_FLAG_NATSRCNODE 0x08 967 968 /* for copies to/from network byte order */ 969 /* ioctl interface also uses network byte order */ 970 #define pf_state_peer_hton(s,d) do { \ 971 (d)->seqlo = htonl((s)->seqlo); \ 972 (d)->seqhi = htonl((s)->seqhi); \ 973 (d)->seqdiff = htonl((s)->seqdiff); \ 974 (d)->max_win = htons((s)->max_win); \ 975 (d)->mss = htons((s)->mss); \ 976 (d)->state = (s)->state; \ 977 (d)->wscale = (s)->wscale; \ 978 if ((s)->scrub) { \ 979 (d)->scrub.pfss_flags = \ 980 htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \ 981 (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \ 982 (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\ 983 (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \ 984 } \ 985 } while (0) 986 987 #define pf_state_peer_ntoh(s,d) do { \ 988 (d)->seqlo = ntohl((s)->seqlo); \ 989 (d)->seqhi = ntohl((s)->seqhi); \ 990 (d)->seqdiff = ntohl((s)->seqdiff); \ 991 (d)->max_win = ntohs((s)->max_win); \ 992 (d)->mss = ntohs((s)->mss); \ 993 (d)->state = (s)->state; \ 994 (d)->wscale = (s)->wscale; \ 995 if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \ 996 (d)->scrub != NULL) { \ 997 (d)->scrub->pfss_flags = \ 998 ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \ 999 (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \ 1000 (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\ 1001 } \ 1002 } while (0) 1003 1004 #define pf_state_counter_hton(s,d) do { \ 1005 d[0] = htonl((s>>32)&0xffffffff); \ 1006 d[1] = htonl(s&0xffffffff); \ 1007 } while (0) 1008 1009 #define pf_state_counter_from_pfsync(s) \ 1010 (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1])) 1011 1012 #define pf_state_counter_ntoh(s,d) do { \ 1013 d = ntohl(s[0]); \ 1014 d = d<<32; \ 1015 d += ntohl(s[1]); \ 1016 } while (0) 1017 1018 TAILQ_HEAD(pf_krulequeue, pf_krule); 1019 1020 struct pf_kanchor; 1021 1022 struct pf_kruleset { 1023 struct { 1024 struct pf_krulequeue queues[2]; 1025 struct { 1026 struct pf_krulequeue *ptr; 1027 struct pf_krule **ptr_array; 1028 u_int32_t rcount; 1029 u_int32_t ticket; 1030 int open; 1031 } active, inactive; 1032 } rules[PF_RULESET_MAX]; 1033 struct pf_kanchor *anchor; 1034 u_int32_t tticket; 1035 int tables; 1036 int topen; 1037 }; 1038 1039 RB_HEAD(pf_kanchor_global, pf_kanchor); 1040 RB_HEAD(pf_kanchor_node, pf_kanchor); 1041 struct pf_kanchor { 1042 RB_ENTRY(pf_kanchor) entry_global; 1043 RB_ENTRY(pf_kanchor) entry_node; 1044 struct pf_kanchor *parent; 1045 struct pf_kanchor_node children; 1046 char name[PF_ANCHOR_NAME_SIZE]; 1047 char path[MAXPATHLEN]; 1048 struct pf_kruleset ruleset; 1049 int refcnt; /* anchor rules */ 1050 }; 1051 RB_PROTOTYPE(pf_kanchor_global, pf_kanchor, entry_global, pf_anchor_compare); 1052 RB_PROTOTYPE(pf_kanchor_node, pf_kanchor, entry_node, pf_kanchor_compare); 1053 1054 #define PF_RESERVED_ANCHOR "_pf" 1055 1056 #define PFR_TFLAG_PERSIST 0x00000001 1057 #define PFR_TFLAG_CONST 0x00000002 1058 #define PFR_TFLAG_ACTIVE 0x00000004 1059 #define PFR_TFLAG_INACTIVE 0x00000008 1060 #define PFR_TFLAG_REFERENCED 0x00000010 1061 #define PFR_TFLAG_REFDANCHOR 0x00000020 1062 #define PFR_TFLAG_COUNTERS 0x00000040 1063 /* Adjust masks below when adding flags. */ 1064 #define PFR_TFLAG_USRMASK (PFR_TFLAG_PERSIST | \ 1065 PFR_TFLAG_CONST | \ 1066 PFR_TFLAG_COUNTERS) 1067 #define PFR_TFLAG_SETMASK (PFR_TFLAG_ACTIVE | \ 1068 PFR_TFLAG_INACTIVE | \ 1069 PFR_TFLAG_REFERENCED | \ 1070 PFR_TFLAG_REFDANCHOR) 1071 #define PFR_TFLAG_ALLMASK (PFR_TFLAG_PERSIST | \ 1072 PFR_TFLAG_CONST | \ 1073 PFR_TFLAG_ACTIVE | \ 1074 PFR_TFLAG_INACTIVE | \ 1075 PFR_TFLAG_REFERENCED | \ 1076 PFR_TFLAG_REFDANCHOR | \ 1077 PFR_TFLAG_COUNTERS) 1078 1079 struct pf_kanchor_stackframe; 1080 1081 struct pfr_table { 1082 char pfrt_anchor[MAXPATHLEN]; 1083 char pfrt_name[PF_TABLE_NAME_SIZE]; 1084 u_int32_t pfrt_flags; 1085 u_int8_t pfrt_fback; 1086 }; 1087 1088 enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED, 1089 PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE, 1090 PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_NOCOUNT, PFR_FB_MAX }; 1091 1092 struct pfr_addr { 1093 union { 1094 struct in_addr _pfra_ip4addr; 1095 struct in6_addr _pfra_ip6addr; 1096 } pfra_u; 1097 u_int8_t pfra_af; 1098 u_int8_t pfra_net; 1099 u_int8_t pfra_not; 1100 u_int8_t pfra_fback; 1101 }; 1102 #define pfra_ip4addr pfra_u._pfra_ip4addr 1103 #define pfra_ip6addr pfra_u._pfra_ip6addr 1104 1105 enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX }; 1106 enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX }; 1107 enum { PFR_TYPE_PACKETS, PFR_TYPE_BYTES, PFR_TYPE_MAX }; 1108 #define PFR_NUM_COUNTERS (PFR_DIR_MAX * PFR_OP_ADDR_MAX * PFR_TYPE_MAX) 1109 #define PFR_OP_XPASS PFR_OP_ADDR_MAX 1110 1111 struct pfr_astats { 1112 struct pfr_addr pfras_a; 1113 u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1114 u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX]; 1115 long pfras_tzero; 1116 }; 1117 1118 enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX }; 1119 1120 struct pfr_tstats { 1121 struct pfr_table pfrts_t; 1122 u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1123 u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1124 u_int64_t pfrts_match; 1125 u_int64_t pfrts_nomatch; 1126 long pfrts_tzero; 1127 int pfrts_cnt; 1128 int pfrts_refcnt[PFR_REFCNT_MAX]; 1129 }; 1130 1131 #ifdef _KERNEL 1132 1133 struct pfr_kstate_counter { 1134 counter_u64_t pkc_pcpu; 1135 u_int64_t pkc_zero; 1136 }; 1137 1138 static inline int 1139 pfr_kstate_counter_init(struct pfr_kstate_counter *pfrc, int flags) 1140 { 1141 1142 pfrc->pkc_zero = 0; 1143 pfrc->pkc_pcpu = counter_u64_alloc(flags); 1144 if (pfrc->pkc_pcpu == NULL) 1145 return (ENOMEM); 1146 return (0); 1147 } 1148 1149 static inline void 1150 pfr_kstate_counter_deinit(struct pfr_kstate_counter *pfrc) 1151 { 1152 1153 counter_u64_free(pfrc->pkc_pcpu); 1154 } 1155 1156 static inline u_int64_t 1157 pfr_kstate_counter_fetch(struct pfr_kstate_counter *pfrc) 1158 { 1159 u_int64_t c; 1160 1161 c = counter_u64_fetch(pfrc->pkc_pcpu); 1162 c -= pfrc->pkc_zero; 1163 return (c); 1164 } 1165 1166 static inline void 1167 pfr_kstate_counter_zero(struct pfr_kstate_counter *pfrc) 1168 { 1169 u_int64_t c; 1170 1171 c = counter_u64_fetch(pfrc->pkc_pcpu); 1172 pfrc->pkc_zero = c; 1173 } 1174 1175 static inline void 1176 pfr_kstate_counter_add(struct pfr_kstate_counter *pfrc, int64_t n) 1177 { 1178 1179 counter_u64_add(pfrc->pkc_pcpu, n); 1180 } 1181 1182 struct pfr_ktstats { 1183 struct pfr_table pfrts_t; 1184 struct pfr_kstate_counter pfrkts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1185 struct pfr_kstate_counter pfrkts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX]; 1186 struct pfr_kstate_counter pfrkts_match; 1187 struct pfr_kstate_counter pfrkts_nomatch; 1188 long pfrkts_tzero; 1189 int pfrkts_cnt; 1190 int pfrkts_refcnt[PFR_REFCNT_MAX]; 1191 }; 1192 1193 #endif /* _KERNEL */ 1194 1195 #define pfrts_name pfrts_t.pfrt_name 1196 #define pfrts_flags pfrts_t.pfrt_flags 1197 1198 #ifndef _SOCKADDR_UNION_DEFINED 1199 #define _SOCKADDR_UNION_DEFINED 1200 union sockaddr_union { 1201 struct sockaddr sa; 1202 struct sockaddr_in sin; 1203 struct sockaddr_in6 sin6; 1204 }; 1205 #endif /* _SOCKADDR_UNION_DEFINED */ 1206 1207 struct pfr_kcounters { 1208 counter_u64_t pfrkc_counters; 1209 long pfrkc_tzero; 1210 }; 1211 #define pfr_kentry_counter(kc, dir, op, t) \ 1212 ((kc)->pfrkc_counters + \ 1213 (dir) * PFR_OP_ADDR_MAX * PFR_TYPE_MAX + (op) * PFR_TYPE_MAX + (t)) 1214 1215 #ifdef _KERNEL 1216 SLIST_HEAD(pfr_kentryworkq, pfr_kentry); 1217 struct pfr_kentry { 1218 struct radix_node pfrke_node[2]; 1219 union sockaddr_union pfrke_sa; 1220 SLIST_ENTRY(pfr_kentry) pfrke_workq; 1221 struct pfr_kcounters pfrke_counters; 1222 u_int8_t pfrke_af; 1223 u_int8_t pfrke_net; 1224 u_int8_t pfrke_not; 1225 u_int8_t pfrke_mark; 1226 }; 1227 1228 SLIST_HEAD(pfr_ktableworkq, pfr_ktable); 1229 RB_HEAD(pfr_ktablehead, pfr_ktable); 1230 struct pfr_ktable { 1231 struct pfr_ktstats pfrkt_kts; 1232 RB_ENTRY(pfr_ktable) pfrkt_tree; 1233 SLIST_ENTRY(pfr_ktable) pfrkt_workq; 1234 struct radix_node_head *pfrkt_ip4; 1235 struct radix_node_head *pfrkt_ip6; 1236 struct pfr_ktable *pfrkt_shadow; 1237 struct pfr_ktable *pfrkt_root; 1238 struct pf_kruleset *pfrkt_rs; 1239 long pfrkt_larg; 1240 int pfrkt_nflags; 1241 }; 1242 #define pfrkt_t pfrkt_kts.pfrts_t 1243 #define pfrkt_name pfrkt_t.pfrt_name 1244 #define pfrkt_anchor pfrkt_t.pfrt_anchor 1245 #define pfrkt_ruleset pfrkt_t.pfrt_ruleset 1246 #define pfrkt_flags pfrkt_t.pfrt_flags 1247 #define pfrkt_cnt pfrkt_kts.pfrkts_cnt 1248 #define pfrkt_refcnt pfrkt_kts.pfrkts_refcnt 1249 #define pfrkt_packets pfrkt_kts.pfrkts_packets 1250 #define pfrkt_bytes pfrkt_kts.pfrkts_bytes 1251 #define pfrkt_match pfrkt_kts.pfrkts_match 1252 #define pfrkt_nomatch pfrkt_kts.pfrkts_nomatch 1253 #define pfrkt_tzero pfrkt_kts.pfrkts_tzero 1254 #endif 1255 1256 #ifdef _KERNEL 1257 struct pfi_kkif { 1258 char pfik_name[IFNAMSIZ]; 1259 union { 1260 RB_ENTRY(pfi_kkif) _pfik_tree; 1261 LIST_ENTRY(pfi_kkif) _pfik_list; 1262 } _pfik_glue; 1263 #define pfik_tree _pfik_glue._pfik_tree 1264 #define pfik_list _pfik_glue._pfik_list 1265 struct pf_counter_u64 pfik_packets[2][2][2]; 1266 struct pf_counter_u64 pfik_bytes[2][2][2]; 1267 u_int32_t pfik_tzero; 1268 u_int pfik_flags; 1269 struct ifnet *pfik_ifp; 1270 struct ifg_group *pfik_group; 1271 u_int pfik_rulerefs; 1272 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; 1273 #ifdef PF_WANT_32_TO_64_COUNTER 1274 LIST_ENTRY(pfi_kkif) pfik_allkiflist; 1275 #endif 1276 }; 1277 #endif 1278 1279 #define PFI_IFLAG_REFS 0x0001 /* has state references */ 1280 #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ 1281 1282 #ifdef _KERNEL 1283 struct pf_pdesc { 1284 struct { 1285 int done; 1286 uid_t uid; 1287 gid_t gid; 1288 } lookup; 1289 u_int64_t tot_len; /* Make Mickey money */ 1290 union pf_headers { 1291 struct tcphdr tcp; 1292 struct udphdr udp; 1293 struct icmp icmp; 1294 #ifdef INET6 1295 struct icmp6_hdr icmp6; 1296 #endif /* INET6 */ 1297 char any[0]; 1298 } hdr; 1299 1300 struct pf_krule *nat_rule; /* nat/rdr rule applied to packet */ 1301 struct pf_addr *src; /* src address */ 1302 struct pf_addr *dst; /* dst address */ 1303 u_int16_t *sport; 1304 u_int16_t *dport; 1305 struct pf_mtag *pf_mtag; 1306 struct pf_rule_actions act; 1307 1308 u_int32_t p_len; /* total length of payload */ 1309 1310 u_int16_t *ip_sum; 1311 u_int16_t *proto_sum; 1312 u_int16_t flags; /* Let SCRUB trigger behavior in 1313 * state code. Easier than tags */ 1314 #define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */ 1315 #define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */ 1316 sa_family_t af; 1317 u_int8_t proto; 1318 u_int8_t tos; 1319 u_int8_t dir; /* direction */ 1320 u_int8_t sidx; /* key index for source */ 1321 u_int8_t didx; /* key index for destination */ 1322 }; 1323 #endif 1324 1325 /* flags for RDR options */ 1326 #define PF_DPORT_RANGE 0x01 /* Dest port uses range */ 1327 #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */ 1328 1329 /* UDP state enumeration */ 1330 #define PFUDPS_NO_TRAFFIC 0 1331 #define PFUDPS_SINGLE 1 1332 #define PFUDPS_MULTIPLE 2 1333 1334 #define PFUDPS_NSTATES 3 /* number of state levels */ 1335 1336 #define PFUDPS_NAMES { \ 1337 "NO_TRAFFIC", \ 1338 "SINGLE", \ 1339 "MULTIPLE", \ 1340 NULL \ 1341 } 1342 1343 /* Other protocol state enumeration */ 1344 #define PFOTHERS_NO_TRAFFIC 0 1345 #define PFOTHERS_SINGLE 1 1346 #define PFOTHERS_MULTIPLE 2 1347 1348 #define PFOTHERS_NSTATES 3 /* number of state levels */ 1349 1350 #define PFOTHERS_NAMES { \ 1351 "NO_TRAFFIC", \ 1352 "SINGLE", \ 1353 "MULTIPLE", \ 1354 NULL \ 1355 } 1356 1357 #define ACTION_SET(a, x) \ 1358 do { \ 1359 if ((a) != NULL) \ 1360 *(a) = (x); \ 1361 } while (0) 1362 1363 #define REASON_SET(a, x) \ 1364 do { \ 1365 if ((a) != NULL) \ 1366 *(a) = (x); \ 1367 if (x < PFRES_MAX) \ 1368 counter_u64_add(V_pf_status.counters[x], 1); \ 1369 } while (0) 1370 1371 enum pf_syncookies_mode { 1372 PF_SYNCOOKIES_NEVER = 0, 1373 PF_SYNCOOKIES_ALWAYS = 1, 1374 PF_SYNCOOKIES_ADAPTIVE = 2, 1375 PF_SYNCOOKIES_MODE_MAX = PF_SYNCOOKIES_ADAPTIVE 1376 }; 1377 1378 #define PF_SYNCOOKIES_HIWATPCT 25 1379 #define PF_SYNCOOKIES_LOWATPCT (PF_SYNCOOKIES_HIWATPCT / 2) 1380 1381 #ifdef _KERNEL 1382 struct pf_kstatus { 1383 counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */ 1384 counter_u64_t lcounters[KLCNT_MAX]; /* limit counters */ 1385 struct pf_counter_u64 fcounters[FCNT_MAX]; /* state operation counters */ 1386 counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */ 1387 uint32_t states; 1388 uint32_t src_nodes; 1389 uint32_t running; 1390 uint32_t since; 1391 uint32_t debug; 1392 uint32_t hostid; 1393 char ifname[IFNAMSIZ]; 1394 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 1395 bool keep_counters; 1396 enum pf_syncookies_mode syncookies_mode; 1397 bool syncookies_active; 1398 uint64_t syncookies_inflight[2]; 1399 uint32_t states_halfopen; 1400 }; 1401 #endif 1402 1403 struct pf_divert { 1404 union { 1405 struct in_addr ipv4; 1406 struct in6_addr ipv6; 1407 } addr; 1408 u_int16_t port; 1409 }; 1410 1411 #define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */ 1412 #define PFR_KENTRY_HIWAT 200000 /* Number of table entries */ 1413 1414 /* 1415 * Limit the length of the fragment queue traversal. Remember 1416 * search entry points based on the fragment offset. 1417 */ 1418 #define PF_FRAG_ENTRY_POINTS 16 1419 1420 /* 1421 * The number of entries in the fragment queue must be limited 1422 * to avoid DoS by linear searching. Instead of a global limit, 1423 * use a limit per entry point. For large packets these sum up. 1424 */ 1425 #define PF_FRAG_ENTRY_LIMIT 64 1426 1427 /* 1428 * ioctl parameter structures 1429 */ 1430 1431 struct pfioc_pooladdr { 1432 u_int32_t action; 1433 u_int32_t ticket; 1434 u_int32_t nr; 1435 u_int32_t r_num; 1436 u_int8_t r_action; 1437 u_int8_t r_last; 1438 u_int8_t af; 1439 char anchor[MAXPATHLEN]; 1440 struct pf_pooladdr addr; 1441 }; 1442 1443 struct pfioc_rule { 1444 u_int32_t action; 1445 u_int32_t ticket; 1446 u_int32_t pool_ticket; 1447 u_int32_t nr; 1448 char anchor[MAXPATHLEN]; 1449 char anchor_call[MAXPATHLEN]; 1450 struct pf_rule rule; 1451 }; 1452 1453 struct pfioc_natlook { 1454 struct pf_addr saddr; 1455 struct pf_addr daddr; 1456 struct pf_addr rsaddr; 1457 struct pf_addr rdaddr; 1458 u_int16_t sport; 1459 u_int16_t dport; 1460 u_int16_t rsport; 1461 u_int16_t rdport; 1462 sa_family_t af; 1463 u_int8_t proto; 1464 u_int8_t direction; 1465 }; 1466 1467 struct pfioc_state { 1468 struct pfsync_state state; 1469 }; 1470 1471 struct pfioc_src_node_kill { 1472 sa_family_t psnk_af; 1473 struct pf_rule_addr psnk_src; 1474 struct pf_rule_addr psnk_dst; 1475 u_int psnk_killed; 1476 }; 1477 1478 #ifdef _KERNEL 1479 struct pf_kstate_kill { 1480 struct pf_state_cmp psk_pfcmp; 1481 sa_family_t psk_af; 1482 int psk_proto; 1483 struct pf_rule_addr psk_src; 1484 struct pf_rule_addr psk_dst; 1485 struct pf_rule_addr psk_rt_addr; 1486 char psk_ifname[IFNAMSIZ]; 1487 char psk_label[PF_RULE_LABEL_SIZE]; 1488 u_int psk_killed; 1489 bool psk_kill_match; 1490 }; 1491 #endif 1492 1493 struct pfioc_state_kill { 1494 struct pf_state_cmp psk_pfcmp; 1495 sa_family_t psk_af; 1496 int psk_proto; 1497 struct pf_rule_addr psk_src; 1498 struct pf_rule_addr psk_dst; 1499 char psk_ifname[IFNAMSIZ]; 1500 char psk_label[PF_RULE_LABEL_SIZE]; 1501 u_int psk_killed; 1502 }; 1503 1504 struct pfioc_states { 1505 int ps_len; 1506 union { 1507 caddr_t psu_buf; 1508 struct pfsync_state *psu_states; 1509 } ps_u; 1510 #define ps_buf ps_u.psu_buf 1511 #define ps_states ps_u.psu_states 1512 }; 1513 1514 struct pfioc_states_v2 { 1515 int ps_len; 1516 uint64_t ps_req_version; 1517 union { 1518 caddr_t psu_buf; 1519 struct pf_state_export *psu_states; 1520 } ps_u; 1521 #define ps_buf ps_u.psu_buf 1522 #define ps_states ps_u.psu_states 1523 }; 1524 1525 struct pfioc_src_nodes { 1526 int psn_len; 1527 union { 1528 caddr_t psu_buf; 1529 struct pf_src_node *psu_src_nodes; 1530 } psn_u; 1531 #define psn_buf psn_u.psu_buf 1532 #define psn_src_nodes psn_u.psu_src_nodes 1533 }; 1534 1535 struct pfioc_if { 1536 char ifname[IFNAMSIZ]; 1537 }; 1538 1539 struct pfioc_tm { 1540 int timeout; 1541 int seconds; 1542 }; 1543 1544 struct pfioc_limit { 1545 int index; 1546 unsigned limit; 1547 }; 1548 1549 struct pfioc_altq_v0 { 1550 u_int32_t action; 1551 u_int32_t ticket; 1552 u_int32_t nr; 1553 struct pf_altq_v0 altq; 1554 }; 1555 1556 struct pfioc_altq_v1 { 1557 u_int32_t action; 1558 u_int32_t ticket; 1559 u_int32_t nr; 1560 /* 1561 * Placed here so code that only uses the above parameters can be 1562 * written entirely in terms of the v0 or v1 type. 1563 */ 1564 u_int32_t version; 1565 struct pf_altq_v1 altq; 1566 }; 1567 1568 /* 1569 * Latest version of struct pfioc_altq_vX. This must move in lock-step with 1570 * the latest version of struct pf_altq_vX as it has that struct as a 1571 * member. 1572 */ 1573 #define PFIOC_ALTQ_VERSION PF_ALTQ_VERSION 1574 1575 struct pfioc_qstats_v0 { 1576 u_int32_t ticket; 1577 u_int32_t nr; 1578 void *buf; 1579 int nbytes; 1580 u_int8_t scheduler; 1581 }; 1582 1583 struct pfioc_qstats_v1 { 1584 u_int32_t ticket; 1585 u_int32_t nr; 1586 void *buf; 1587 int nbytes; 1588 u_int8_t scheduler; 1589 /* 1590 * Placed here so code that only uses the above parameters can be 1591 * written entirely in terms of the v0 or v1 type. 1592 */ 1593 u_int32_t version; /* Requested version of stats struct */ 1594 }; 1595 1596 /* Latest version of struct pfioc_qstats_vX */ 1597 #define PFIOC_QSTATS_VERSION 1 1598 1599 struct pfioc_ruleset { 1600 u_int32_t nr; 1601 char path[MAXPATHLEN]; 1602 char name[PF_ANCHOR_NAME_SIZE]; 1603 }; 1604 1605 #define PF_RULESET_ALTQ (PF_RULESET_MAX) 1606 #define PF_RULESET_TABLE (PF_RULESET_MAX+1) 1607 struct pfioc_trans { 1608 int size; /* number of elements */ 1609 int esize; /* size of each element in bytes */ 1610 struct pfioc_trans_e { 1611 int rs_num; 1612 char anchor[MAXPATHLEN]; 1613 u_int32_t ticket; 1614 } *array; 1615 }; 1616 1617 #define PFR_FLAG_ATOMIC 0x00000001 /* unused */ 1618 #define PFR_FLAG_DUMMY 0x00000002 1619 #define PFR_FLAG_FEEDBACK 0x00000004 1620 #define PFR_FLAG_CLSTATS 0x00000008 1621 #define PFR_FLAG_ADDRSTOO 0x00000010 1622 #define PFR_FLAG_REPLACE 0x00000020 1623 #define PFR_FLAG_ALLRSETS 0x00000040 1624 #define PFR_FLAG_ALLMASK 0x0000007F 1625 #ifdef _KERNEL 1626 #define PFR_FLAG_USERIOCTL 0x10000000 1627 #endif 1628 1629 struct pfioc_table { 1630 struct pfr_table pfrio_table; 1631 void *pfrio_buffer; 1632 int pfrio_esize; 1633 int pfrio_size; 1634 int pfrio_size2; 1635 int pfrio_nadd; 1636 int pfrio_ndel; 1637 int pfrio_nchange; 1638 int pfrio_flags; 1639 u_int32_t pfrio_ticket; 1640 }; 1641 #define pfrio_exists pfrio_nadd 1642 #define pfrio_nzero pfrio_nadd 1643 #define pfrio_nmatch pfrio_nadd 1644 #define pfrio_naddr pfrio_size2 1645 #define pfrio_setflag pfrio_size2 1646 #define pfrio_clrflag pfrio_nadd 1647 1648 struct pfioc_iface { 1649 char pfiio_name[IFNAMSIZ]; 1650 void *pfiio_buffer; 1651 int pfiio_esize; 1652 int pfiio_size; 1653 int pfiio_nzero; 1654 int pfiio_flags; 1655 }; 1656 1657 1658 /* 1659 * ioctl operations 1660 */ 1661 1662 #define DIOCSTART _IO ('D', 1) 1663 #define DIOCSTOP _IO ('D', 2) 1664 #define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule) 1665 #define DIOCADDRULENV _IOWR('D', 4, struct pfioc_nv) 1666 #define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule) 1667 #define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule) 1668 #define DIOCGETRULENV _IOWR('D', 7, struct pfioc_nv) 1669 /* XXX cut 8 - 17 */ 1670 #define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill) 1671 #define DIOCCLRSTATESNV _IOWR('D', 18, struct pfioc_nv) 1672 #define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state) 1673 #define DIOCGETSTATENV _IOWR('D', 19, struct pfioc_nv) 1674 #define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if) 1675 #define DIOCGETSTATUS _IOWR('D', 21, struct pf_status) 1676 #define DIOCGETSTATUSNV _IOWR('D', 21, struct pfioc_nv) 1677 #define DIOCCLRSTATUS _IO ('D', 22) 1678 #define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook) 1679 #define DIOCSETDEBUG _IOWR('D', 24, u_int32_t) 1680 #define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states) 1681 #define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule) 1682 /* XXX cut 26 - 28 */ 1683 #define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm) 1684 #define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm) 1685 #define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state) 1686 #define DIOCCLRRULECTRS _IO ('D', 38) 1687 #define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit) 1688 #define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit) 1689 #define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill) 1690 #define DIOCKILLSTATESNV _IOWR('D', 41, struct pfioc_nv) 1691 #define DIOCSTARTALTQ _IO ('D', 42) 1692 #define DIOCSTOPALTQ _IO ('D', 43) 1693 #define DIOCADDALTQV0 _IOWR('D', 45, struct pfioc_altq_v0) 1694 #define DIOCADDALTQV1 _IOWR('D', 45, struct pfioc_altq_v1) 1695 #define DIOCGETALTQSV0 _IOWR('D', 47, struct pfioc_altq_v0) 1696 #define DIOCGETALTQSV1 _IOWR('D', 47, struct pfioc_altq_v1) 1697 #define DIOCGETALTQV0 _IOWR('D', 48, struct pfioc_altq_v0) 1698 #define DIOCGETALTQV1 _IOWR('D', 48, struct pfioc_altq_v1) 1699 #define DIOCCHANGEALTQV0 _IOWR('D', 49, struct pfioc_altq_v0) 1700 #define DIOCCHANGEALTQV1 _IOWR('D', 49, struct pfioc_altq_v1) 1701 #define DIOCGETQSTATSV0 _IOWR('D', 50, struct pfioc_qstats_v0) 1702 #define DIOCGETQSTATSV1 _IOWR('D', 50, struct pfioc_qstats_v1) 1703 #define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr) 1704 #define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr) 1705 #define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr) 1706 #define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr) 1707 #define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr) 1708 /* XXX cut 55 - 57 */ 1709 #define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset) 1710 #define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset) 1711 #define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table) 1712 #define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table) 1713 #define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table) 1714 #define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table) 1715 #define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table) 1716 #define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table) 1717 #define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table) 1718 #define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table) 1719 #define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table) 1720 #define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table) 1721 #define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table) 1722 #define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table) 1723 #define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table) 1724 #define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table) 1725 #define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table) 1726 #define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table) 1727 #define DIOCOSFPFLUSH _IO('D', 78) 1728 #define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl) 1729 #define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl) 1730 #define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans) 1731 #define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans) 1732 #define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans) 1733 #define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes) 1734 #define DIOCCLRSRCNODES _IO('D', 85) 1735 #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) 1736 #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) 1737 #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface) 1738 #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface) 1739 #define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill) 1740 #define DIOCKEEPCOUNTERS _IOWR('D', 92, struct pfioc_nv) 1741 #define DIOCGETSTATESV2 _IOWR('D', 93, struct pfioc_states_v2) 1742 #define DIOCGETSYNCOOKIES _IOWR('D', 94, struct pfioc_nv) 1743 #define DIOCSETSYNCOOKIES _IOWR('D', 95, struct pfioc_nv) 1744 1745 struct pf_ifspeed_v0 { 1746 char ifname[IFNAMSIZ]; 1747 u_int32_t baudrate; 1748 }; 1749 1750 struct pf_ifspeed_v1 { 1751 char ifname[IFNAMSIZ]; 1752 u_int32_t baudrate32; 1753 /* layout identical to struct pf_ifspeed_v0 up to this point */ 1754 u_int64_t baudrate; 1755 }; 1756 1757 /* Latest version of struct pf_ifspeed_vX */ 1758 #define PF_IFSPEED_VERSION 1 1759 1760 #define DIOCGIFSPEEDV0 _IOWR('D', 92, struct pf_ifspeed_v0) 1761 #define DIOCGIFSPEEDV1 _IOWR('D', 92, struct pf_ifspeed_v1) 1762 1763 /* 1764 * Compatibility and convenience macros 1765 */ 1766 #ifndef _KERNEL 1767 #ifdef PFIOC_USE_LATEST 1768 /* 1769 * Maintaining in-tree consumers of the ioctl interface is easier when that 1770 * code can be written in terms old names that refer to the latest interface 1771 * version as that reduces the required changes in the consumers to those 1772 * that are functionally necessary to accommodate a new interface version. 1773 */ 1774 #define pfioc_altq __CONCAT(pfioc_altq_v, PFIOC_ALTQ_VERSION) 1775 #define pfioc_qstats __CONCAT(pfioc_qstats_v, PFIOC_QSTATS_VERSION) 1776 #define pf_ifspeed __CONCAT(pf_ifspeed_v, PF_IFSPEED_VERSION) 1777 1778 #define DIOCADDALTQ __CONCAT(DIOCADDALTQV, PFIOC_ALTQ_VERSION) 1779 #define DIOCGETALTQS __CONCAT(DIOCGETALTQSV, PFIOC_ALTQ_VERSION) 1780 #define DIOCGETALTQ __CONCAT(DIOCGETALTQV, PFIOC_ALTQ_VERSION) 1781 #define DIOCCHANGEALTQ __CONCAT(DIOCCHANGEALTQV, PFIOC_ALTQ_VERSION) 1782 #define DIOCGETQSTATS __CONCAT(DIOCGETQSTATSV, PFIOC_QSTATS_VERSION) 1783 #define DIOCGIFSPEED __CONCAT(DIOCGIFSPEEDV, PF_IFSPEED_VERSION) 1784 #else 1785 /* 1786 * When building out-of-tree code that is written for the old interface, 1787 * such as may exist in ports for example, resolve the old struct tags and 1788 * ioctl command names to the v0 versions. 1789 */ 1790 #define pfioc_altq __CONCAT(pfioc_altq_v, 0) 1791 #define pfioc_qstats __CONCAT(pfioc_qstats_v, 0) 1792 #define pf_ifspeed __CONCAT(pf_ifspeed_v, 0) 1793 1794 #define DIOCADDALTQ __CONCAT(DIOCADDALTQV, 0) 1795 #define DIOCGETALTQS __CONCAT(DIOCGETALTQSV, 0) 1796 #define DIOCGETALTQ __CONCAT(DIOCGETALTQV, 0) 1797 #define DIOCCHANGEALTQ __CONCAT(DIOCCHANGEALTQV, 0) 1798 #define DIOCGETQSTATS __CONCAT(DIOCGETQSTATSV, 0) 1799 #define DIOCGIFSPEED __CONCAT(DIOCGIFSPEEDV, 0) 1800 #endif /* PFIOC_USE_LATEST */ 1801 #endif /* _KERNEL */ 1802 1803 #ifdef _KERNEL 1804 LIST_HEAD(pf_ksrc_node_list, pf_ksrc_node); 1805 struct pf_srchash { 1806 struct pf_ksrc_node_list nodes; 1807 struct mtx lock; 1808 }; 1809 1810 struct pf_keyhash { 1811 LIST_HEAD(, pf_state_key) keys; 1812 struct mtx lock; 1813 }; 1814 1815 struct pf_idhash { 1816 LIST_HEAD(, pf_kstate) states; 1817 struct mtx lock; 1818 }; 1819 1820 extern u_long pf_ioctl_maxcount; 1821 extern u_long pf_hashmask; 1822 extern u_long pf_srchashmask; 1823 #define PF_HASHSIZ (131072) 1824 #define PF_SRCHASHSIZ (PF_HASHSIZ/4) 1825 VNET_DECLARE(struct pf_keyhash *, pf_keyhash); 1826 VNET_DECLARE(struct pf_idhash *, pf_idhash); 1827 #define V_pf_keyhash VNET(pf_keyhash) 1828 #define V_pf_idhash VNET(pf_idhash) 1829 VNET_DECLARE(struct pf_srchash *, pf_srchash); 1830 #define V_pf_srchash VNET(pf_srchash) 1831 1832 #define PF_IDHASH(s) (be64toh((s)->id) % (pf_hashmask + 1)) 1833 1834 VNET_DECLARE(void *, pf_swi_cookie); 1835 #define V_pf_swi_cookie VNET(pf_swi_cookie) 1836 VNET_DECLARE(struct intr_event *, pf_swi_ie); 1837 #define V_pf_swi_ie VNET(pf_swi_ie) 1838 1839 VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]); 1840 #define V_pf_stateid VNET(pf_stateid) 1841 1842 TAILQ_HEAD(pf_altqqueue, pf_altq); 1843 VNET_DECLARE(struct pf_altqqueue, pf_altqs[4]); 1844 #define V_pf_altqs VNET(pf_altqs) 1845 VNET_DECLARE(struct pf_kpalist, pf_pabuf); 1846 #define V_pf_pabuf VNET(pf_pabuf) 1847 1848 VNET_DECLARE(u_int32_t, ticket_altqs_active); 1849 #define V_ticket_altqs_active VNET(ticket_altqs_active) 1850 VNET_DECLARE(u_int32_t, ticket_altqs_inactive); 1851 #define V_ticket_altqs_inactive VNET(ticket_altqs_inactive) 1852 VNET_DECLARE(int, altqs_inactive_open); 1853 #define V_altqs_inactive_open VNET(altqs_inactive_open) 1854 VNET_DECLARE(u_int32_t, ticket_pabuf); 1855 #define V_ticket_pabuf VNET(ticket_pabuf) 1856 VNET_DECLARE(struct pf_altqqueue *, pf_altqs_active); 1857 #define V_pf_altqs_active VNET(pf_altqs_active) 1858 VNET_DECLARE(struct pf_altqqueue *, pf_altq_ifs_active); 1859 #define V_pf_altq_ifs_active VNET(pf_altq_ifs_active) 1860 VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inactive); 1861 #define V_pf_altqs_inactive VNET(pf_altqs_inactive) 1862 VNET_DECLARE(struct pf_altqqueue *, pf_altq_ifs_inactive); 1863 #define V_pf_altq_ifs_inactive VNET(pf_altq_ifs_inactive) 1864 1865 VNET_DECLARE(struct pf_krulequeue, pf_unlinked_rules); 1866 #define V_pf_unlinked_rules VNET(pf_unlinked_rules) 1867 1868 #ifdef PF_WANT_32_TO_64_COUNTER 1869 LIST_HEAD(allkiflist_head, pfi_kkif); 1870 VNET_DECLARE(struct allkiflist_head, pf_allkiflist); 1871 #define V_pf_allkiflist VNET(pf_allkiflist) 1872 VNET_DECLARE(size_t, pf_allkifcount); 1873 #define V_pf_allkifcount VNET(pf_allkifcount) 1874 VNET_DECLARE(struct pfi_kkif *, pf_kifmarker); 1875 #define V_pf_kifmarker VNET(pf_kifmarker) 1876 1877 LIST_HEAD(allrulelist_head, pf_krule); 1878 VNET_DECLARE(struct allrulelist_head, pf_allrulelist); 1879 #define V_pf_allrulelist VNET(pf_allrulelist) 1880 VNET_DECLARE(size_t, pf_allrulecount); 1881 #define V_pf_allrulecount VNET(pf_allrulecount) 1882 VNET_DECLARE(struct pf_krule *, pf_rulemarker); 1883 #define V_pf_rulemarker VNET(pf_rulemarker) 1884 #endif 1885 1886 void pf_initialize(void); 1887 void pf_mtag_initialize(void); 1888 void pf_mtag_cleanup(void); 1889 void pf_cleanup(void); 1890 1891 struct pf_mtag *pf_get_mtag(struct mbuf *); 1892 1893 extern void pf_calc_skip_steps(struct pf_krulequeue *); 1894 #ifdef ALTQ 1895 extern void pf_altq_ifnet_event(struct ifnet *, int); 1896 #endif 1897 VNET_DECLARE(uma_zone_t, pf_state_z); 1898 #define V_pf_state_z VNET(pf_state_z) 1899 VNET_DECLARE(uma_zone_t, pf_state_key_z); 1900 #define V_pf_state_key_z VNET(pf_state_key_z) 1901 VNET_DECLARE(uma_zone_t, pf_state_scrub_z); 1902 #define V_pf_state_scrub_z VNET(pf_state_scrub_z) 1903 1904 extern void pf_purge_thread(void *); 1905 extern void pf_unload_vnet_purge(void); 1906 extern void pf_intr(void *); 1907 extern void pf_purge_expired_src_nodes(void); 1908 1909 extern int pf_unlink_state(struct pf_kstate *, u_int); 1910 #define PF_ENTER_LOCKED 0x00000001 1911 #define PF_RETURN_LOCKED 0x00000002 1912 extern int pf_state_insert(struct pfi_kkif *, 1913 struct pfi_kkif *, 1914 struct pf_state_key *, 1915 struct pf_state_key *, 1916 struct pf_kstate *); 1917 extern struct pf_kstate *pf_alloc_state(int); 1918 extern void pf_free_state(struct pf_kstate *); 1919 1920 static __inline void 1921 pf_ref_state(struct pf_kstate *s) 1922 { 1923 1924 refcount_acquire(&s->refs); 1925 } 1926 1927 static __inline int 1928 pf_release_state(struct pf_kstate *s) 1929 { 1930 1931 if (refcount_release(&s->refs)) { 1932 pf_free_state(s); 1933 return (1); 1934 } else 1935 return (0); 1936 } 1937 1938 static __inline int 1939 pf_release_staten(struct pf_kstate *s, u_int n) 1940 { 1941 1942 if (refcount_releasen(&s->refs, n)) { 1943 pf_free_state(s); 1944 return (1); 1945 } else 1946 return (0); 1947 } 1948 1949 extern struct pf_kstate *pf_find_state_byid(uint64_t, uint32_t); 1950 extern struct pf_kstate *pf_find_state_all(struct pf_state_key_cmp *, 1951 u_int, int *); 1952 extern bool pf_find_state_all_exists(struct pf_state_key_cmp *, 1953 u_int); 1954 extern struct pf_ksrc_node *pf_find_src_node(struct pf_addr *, 1955 struct pf_krule *, sa_family_t, int); 1956 extern void pf_unlink_src_node(struct pf_ksrc_node *); 1957 extern u_int pf_free_src_nodes(struct pf_ksrc_node_list *); 1958 extern void pf_print_state(struct pf_kstate *); 1959 extern void pf_print_flags(u_int8_t); 1960 extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, 1961 u_int8_t); 1962 extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t, 1963 u_int16_t, u_int16_t, u_int8_t); 1964 1965 VNET_DECLARE(struct ifnet *, sync_ifp); 1966 #define V_sync_ifp VNET(sync_ifp); 1967 VNET_DECLARE(struct pf_krule, pf_default_rule); 1968 #define V_pf_default_rule VNET(pf_default_rule) 1969 extern void pf_addrcpy(struct pf_addr *, struct pf_addr *, 1970 u_int8_t); 1971 void pf_free_rule(struct pf_krule *); 1972 1973 #ifdef INET 1974 int pf_test(int, int, struct ifnet *, struct mbuf **, struct inpcb *); 1975 int pf_normalize_ip(struct mbuf **, int, struct pfi_kkif *, u_short *, 1976 struct pf_pdesc *); 1977 #endif /* INET */ 1978 1979 #ifdef INET6 1980 int pf_test6(int, int, struct ifnet *, struct mbuf **, struct inpcb *); 1981 int pf_normalize_ip6(struct mbuf **, int, struct pfi_kkif *, u_short *, 1982 struct pf_pdesc *); 1983 void pf_poolmask(struct pf_addr *, struct pf_addr*, 1984 struct pf_addr *, struct pf_addr *, u_int8_t); 1985 void pf_addr_inc(struct pf_addr *, sa_family_t); 1986 int pf_refragment6(struct ifnet *, struct mbuf **, struct m_tag *); 1987 #endif /* INET6 */ 1988 1989 u_int32_t pf_new_isn(struct pf_kstate *); 1990 void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, 1991 sa_family_t); 1992 void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); 1993 void pf_change_proto_a(struct mbuf *, void *, u_int16_t *, u_int32_t, 1994 u_int8_t); 1995 void pf_change_tcp_a(struct mbuf *, void *, u_int16_t *, u_int32_t); 1996 void pf_patch_16_unaligned(struct mbuf *, u_int16_t *, void *, u_int16_t, 1997 bool, u_int8_t); 1998 void pf_patch_32_unaligned(struct mbuf *, u_int16_t *, void *, u_int32_t, 1999 bool, u_int8_t); 2000 void pf_send_deferred_syn(struct pf_kstate *); 2001 int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, 2002 struct pf_addr *, sa_family_t); 2003 int pf_match_addr_range(struct pf_addr *, struct pf_addr *, 2004 struct pf_addr *, sa_family_t); 2005 int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t); 2006 2007 void pf_normalize_init(void); 2008 void pf_normalize_cleanup(void); 2009 int pf_normalize_tcp(int, struct pfi_kkif *, struct mbuf *, int, int, void *, 2010 struct pf_pdesc *); 2011 void pf_normalize_tcp_cleanup(struct pf_kstate *); 2012 int pf_normalize_tcp_init(struct mbuf *, int, struct pf_pdesc *, 2013 struct tcphdr *, struct pf_state_peer *, struct pf_state_peer *); 2014 int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, 2015 u_short *, struct tcphdr *, struct pf_kstate *, 2016 struct pf_state_peer *, struct pf_state_peer *, int *); 2017 u_int32_t 2018 pf_state_expires(const struct pf_kstate *); 2019 void pf_purge_expired_fragments(void); 2020 void pf_purge_fragments(uint32_t); 2021 int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kkif *, 2022 int); 2023 int pf_socket_lookup(int, struct pf_pdesc *, struct mbuf *); 2024 struct pf_state_key *pf_alloc_state_key(int); 2025 void pfr_initialize(void); 2026 void pfr_cleanup(void); 2027 int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); 2028 void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 2029 u_int64_t, int, int, int); 2030 int pfr_pool_get(struct pfr_ktable *, int *, struct pf_addr *, sa_family_t); 2031 void pfr_dynaddr_update(struct pfr_ktable *, struct pfi_dynaddr *); 2032 struct pfr_ktable * 2033 pfr_attach_table(struct pf_kruleset *, char *); 2034 void pfr_detach_table(struct pfr_ktable *); 2035 int pfr_clr_tables(struct pfr_table *, int *, int); 2036 int pfr_add_tables(struct pfr_table *, int, int *, int); 2037 int pfr_del_tables(struct pfr_table *, int, int *, int); 2038 int pfr_table_count(struct pfr_table *, int); 2039 int pfr_get_tables(struct pfr_table *, struct pfr_table *, int *, int); 2040 int pfr_get_tstats(struct pfr_table *, struct pfr_tstats *, int *, int); 2041 int pfr_clr_tstats(struct pfr_table *, int, int *, int); 2042 int pfr_set_tflags(struct pfr_table *, int, int, int, int *, int *, int); 2043 int pfr_clr_addrs(struct pfr_table *, int *, int); 2044 int pfr_insert_kentry(struct pfr_ktable *, struct pfr_addr *, long); 2045 int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 2046 int); 2047 int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 2048 int); 2049 int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 2050 int *, int *, int *, int, u_int32_t); 2051 int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); 2052 int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); 2053 int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 2054 int); 2055 int pfr_tst_addrs(struct pfr_table *, struct pfr_addr *, int, int *, 2056 int); 2057 int pfr_ina_begin(struct pfr_table *, u_int32_t *, int *, int); 2058 int pfr_ina_rollback(struct pfr_table *, u_int32_t, int *, int); 2059 int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); 2060 int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, 2061 int *, u_int32_t, int); 2062 2063 MALLOC_DECLARE(PFI_MTYPE); 2064 VNET_DECLARE(struct pfi_kkif *, pfi_all); 2065 #define V_pfi_all VNET(pfi_all) 2066 2067 void pfi_initialize(void); 2068 void pfi_initialize_vnet(void); 2069 void pfi_cleanup(void); 2070 void pfi_cleanup_vnet(void); 2071 void pfi_kkif_ref(struct pfi_kkif *); 2072 void pfi_kkif_unref(struct pfi_kkif *); 2073 struct pfi_kkif *pfi_kkif_find(const char *); 2074 struct pfi_kkif *pfi_kkif_attach(struct pfi_kkif *, const char *); 2075 int pfi_kkif_match(struct pfi_kkif *, struct pfi_kkif *); 2076 void pfi_kkif_purge(void); 2077 int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, 2078 sa_family_t); 2079 int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); 2080 void pfi_dynaddr_remove(struct pfi_dynaddr *); 2081 void pfi_dynaddr_copyout(struct pf_addr_wrap *); 2082 void pfi_update_status(const char *, struct pf_status *); 2083 void pfi_get_ifaces(const char *, struct pfi_kif *, int *); 2084 int pfi_set_flags(const char *, int); 2085 int pfi_clear_flags(const char *, int); 2086 2087 int pf_match_tag(struct mbuf *, struct pf_krule *, int *, int); 2088 int pf_tag_packet(struct mbuf *, struct pf_pdesc *, int); 2089 int pf_addr_cmp(struct pf_addr *, struct pf_addr *, 2090 sa_family_t); 2091 2092 u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, sa_family_t); 2093 u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); 2094 struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t, 2095 const struct pf_addr *, const struct pf_addr *, 2096 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 2097 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, 2098 u_int16_t); 2099 void pf_send_tcp(const struct pf_krule *, sa_family_t, 2100 const struct pf_addr *, const struct pf_addr *, 2101 u_int16_t, u_int16_t, u_int32_t, u_int32_t, 2102 u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, 2103 u_int16_t); 2104 2105 void pf_syncookies_init(void); 2106 void pf_syncookies_cleanup(void); 2107 int pf_get_syncookies(struct pfioc_nv *); 2108 int pf_set_syncookies(struct pfioc_nv *); 2109 int pf_synflood_check(struct pf_pdesc *); 2110 void pf_syncookie_send(struct mbuf *m, int off, 2111 struct pf_pdesc *); 2112 bool pf_syncookie_check(struct pf_pdesc *); 2113 u_int8_t pf_syncookie_validate(struct pf_pdesc *); 2114 struct mbuf * pf_syncookie_recreate_syn(uint8_t, int, 2115 struct pf_pdesc *); 2116 2117 VNET_DECLARE(struct pf_kstatus, pf_status); 2118 #define V_pf_status VNET(pf_status) 2119 2120 struct pf_limit { 2121 uma_zone_t zone; 2122 u_int limit; 2123 }; 2124 VNET_DECLARE(struct pf_limit, pf_limits[PF_LIMIT_MAX]); 2125 #define V_pf_limits VNET(pf_limits) 2126 2127 #endif /* _KERNEL */ 2128 2129 #ifdef _KERNEL 2130 VNET_DECLARE(struct pf_kanchor_global, pf_anchors); 2131 #define V_pf_anchors VNET(pf_anchors) 2132 VNET_DECLARE(struct pf_kanchor, pf_main_anchor); 2133 #define V_pf_main_anchor VNET(pf_main_anchor) 2134 #define pf_main_ruleset V_pf_main_anchor.ruleset 2135 2136 int pf_get_ruleset_number(u_int8_t); 2137 void pf_init_kruleset(struct pf_kruleset *); 2138 int pf_kanchor_setup(struct pf_krule *, 2139 const struct pf_kruleset *, const char *); 2140 int pf_kanchor_nvcopyout(const struct pf_kruleset *, 2141 const struct pf_krule *, nvlist_t *); 2142 int pf_kanchor_copyout(const struct pf_kruleset *, 2143 const struct pf_krule *, struct pfioc_rule *); 2144 void pf_kanchor_remove(struct pf_krule *); 2145 void pf_remove_if_empty_kruleset(struct pf_kruleset *); 2146 struct pf_kruleset *pf_find_kruleset(const char *); 2147 struct pf_kruleset *pf_find_or_create_kruleset(const char *); 2148 void pf_rs_initialize(void); 2149 2150 struct pf_krule *pf_krule_alloc(void); 2151 void pf_krule_free(struct pf_krule *); 2152 #endif 2153 2154 /* The fingerprint functions can be linked into userland programs (tcpdump) */ 2155 int pf_osfp_add(struct pf_osfp_ioctl *); 2156 #ifdef _KERNEL 2157 struct pf_osfp_enlist * 2158 pf_osfp_fingerprint(struct pf_pdesc *, struct mbuf *, int, 2159 const struct tcphdr *); 2160 #endif /* _KERNEL */ 2161 void pf_osfp_flush(void); 2162 int pf_osfp_get(struct pf_osfp_ioctl *); 2163 int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); 2164 2165 #ifdef _KERNEL 2166 void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t); 2167 2168 void pf_step_into_anchor(struct pf_kanchor_stackframe *, int *, 2169 struct pf_kruleset **, int, struct pf_krule **, 2170 struct pf_krule **, int *); 2171 int pf_step_out_of_anchor(struct pf_kanchor_stackframe *, int *, 2172 struct pf_kruleset **, int, struct pf_krule **, 2173 struct pf_krule **, int *); 2174 2175 int pf_map_addr(u_int8_t, struct pf_krule *, 2176 struct pf_addr *, struct pf_addr *, 2177 struct pf_addr *, struct pf_ksrc_node **); 2178 struct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *, 2179 int, int, struct pfi_kkif *, struct pf_ksrc_node **, 2180 struct pf_state_key **, struct pf_state_key **, 2181 struct pf_addr *, struct pf_addr *, 2182 uint16_t, uint16_t, struct pf_kanchor_stackframe *); 2183 2184 struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, 2185 struct pf_addr *, u_int16_t, u_int16_t); 2186 struct pf_state_key *pf_state_key_clone(struct pf_state_key *); 2187 2188 struct pfi_kkif *pf_kkif_create(int); 2189 void pf_kkif_free(struct pfi_kkif *); 2190 void pf_kkif_zero(struct pfi_kkif *); 2191 #endif /* _KERNEL */ 2192 2193 #endif /* _NET_PFVAR_H_ */
Cache object: fdd03869a76b86fa197a16d634be1e19
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]