


sys/netpfil/pf/pf.h


    1 /*-
    2  * SPDX-License-Identifier: BSD-2-Clause
    3  *
    4  * Copyright (c) 2001 Daniel Hartmeier
    5  * All rights reserved.
    6  *
    7  * Redistribution and use in source and binary forms, with or without
    8  * modification, are permitted provided that the following conditions
    9  * are met:
   10  *
   11  *    - Redistributions of source code must retain the above copyright
   12  *      notice, this list of conditions and the following disclaimer.
   13  *    - Redistributions in binary form must reproduce the above
   14  *      copyright notice, this list of conditions and the following
   15  *      disclaimer in the documentation and/or other materials provided
   16  *      with the distribution.
   17  *
   18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
   19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
   20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
   21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
   22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
   23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
   24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
   25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
   26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
   28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
   29  * POSSIBILITY OF SUCH DAMAGE.
   30  *
   31  *      $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
   32  *      $FreeBSD$
   33  */
   34 
   35 #ifndef _NET_PF_H_
   36 #define _NET_PF_H_
   37 
   38 #include <sys/tree.h>
   39 
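/*
 * Two pseudo TCP states numbered directly after the TCP_NSTATES real
 * states.  Any table indexed by TCP state that must hold these entries
 * needs to be sized beyond TCP_NSTATES.
 */
#define PF_TCPS_PROXY_SRC       ((TCP_NSTATES)+0)
#define PF_TCPS_PROXY_DST       ((TCP_NSTATES)+1)

/*
 * Size of pf_status.pf_chksum.  Pinned to a literal so the struct layout
 * does not depend on whichever header defines MD5_DIGEST_LENGTH being
 * included first; when that macro is visible, verify the two agree at
 * compile time (with a message, so the failure is self-explanatory).
 */
#define PF_MD5_DIGEST_LENGTH    16
#ifdef MD5_DIGEST_LENGTH
#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
#error "PF_MD5_DIGEST_LENGTH does not match MD5_DIGEST_LENGTH"
#endif
#endif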
   49 
/* Direction values (presumably what pf_rule.direction stores). */
enum    { PF_INOUT, PF_IN, PF_OUT };
/*
 * Rule actions.  These values are exchanged with userland through the
 * structures below (the header is also compiled without _KERNEL), so new
 * entries must be appended, never inserted in the middle.
 */
enum    { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
          PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER,
          PF_MATCH };
/* Ruleset kinds; they index pf_ruleset.rules[PF_RULESET_MAX] below. */
enum    { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
          PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
/*
 * Comparison operators for port/uid/gid matching (presumably the values
 * held in pf_rule_addr.port_op and pf_rule_uid/pf_rule_gid.op).
 */
enum    { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
          PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
/* Debug verbosity levels (presumably what pf_status.debug holds). */
enum    { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
/* Rule change operations requested through the ioctl interface. */
enum    { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
          PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
          PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
/* "Get" modifiers; PF_GET_CLR_CNTR presumably clears counters on read. */
enum    { PF_GET_NONE, PF_GET_CLR_CNTR };
/* State key selector: wire side, stack side, or both. */
enum    { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
/* Peer selector: source, destination, or both. */
enum    { PF_PEER_SRC, PF_PEER_DST, PF_PEER_BOTH };
   65 
/*
 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
 * PFTM_MAX, special cases afterwards. See pf_state_expires().
 *
 * pf_rule.timeout is declared as timeout[PFTM_MAX] below, so PFTM_PURGE
 * and PFTM_UNLINKED must never be used as an index into it; they are
 * markers only.  Inserting a new real timeout means inserting it before
 * PFTM_MAX and adding a matching PFTM_*_VAL default.
 */
enum    { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
          PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
          PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
          PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
          PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
          PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
          PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
          PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED };
   78 
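/*
 * PFTM default values, one per real PFTM_* index above.  The unit is
 * apparently seconds (24*60*60 is one day).  The product forms are
 * parenthesized so the macros stay intact inside a larger expression
 * (e.g. x / PFTM_TCP_CLOSING_VAL).  No default is defined here for
 * PFTM_ADAPTIVE_START/END.
 */
#define PFTM_TCP_FIRST_PACKET_VAL       120     /* First TCP packet */
#define PFTM_TCP_OPENING_VAL            30      /* No response yet */
#define PFTM_TCP_ESTABLISHED_VAL        (24*60*60) /* Established */
#define PFTM_TCP_CLOSING_VAL            (15 * 60) /* Half closed */
#define PFTM_TCP_FIN_WAIT_VAL           45      /* Got both FINs */
#define PFTM_TCP_CLOSED_VAL             90      /* Got a RST */
#define PFTM_UDP_FIRST_PACKET_VAL       60      /* First UDP packet */
#define PFTM_UDP_SINGLE_VAL             30      /* Unidirectional */
#define PFTM_UDP_MULTIPLE_VAL           60      /* Bidirectional */
#define PFTM_ICMP_FIRST_PACKET_VAL      20      /* First ICMP packet */
#define PFTM_ICMP_ERROR_REPLY_VAL       10      /* Got error response */
#define PFTM_OTHER_FIRST_PACKET_VAL     60      /* First packet */
#define PFTM_OTHER_SINGLE_VAL           30      /* Unidirectional */
#define PFTM_OTHER_MULTIPLE_VAL         60      /* Bidirectional */
#define PFTM_FRAG_VAL                   30      /* Fragment expire */
#define PFTM_INTERVAL_VAL               10      /* Expire interval */
#define PFTM_SRC_NODE_VAL               0       /* Source tracking */
#define PFTM_TS_DIFF_VAL                30      /* Allowed TS diff */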
   98 
/* Routing actions (presumably what pf_rule.rt stores). */
enum    { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
/* Resource limit classes; PF_LIMIT_MAX is the count. */
enum    { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
          PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
/* Low nibble of the pool options byte holds the pool type. */
#define PF_POOL_IDMASK          0x0f
enum    { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
          PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
/* Address kinds for pf_addr_wrap.type. */
enum    { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
          PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
          PF_ADDR_RANGE };
/* Same nibble as PF_POOL_IDMASK; PF_POOL_STICKYADDR is a flag bit above it. */
#define PF_POOL_TYPEMASK        0x0f
#define PF_POOL_STICKYADDR      0x20
/* Window scaling: flag bit plus a 4-bit shift value. */
#define PF_WSCALE_FLAG          0x80
#define PF_WSCALE_MASK          0x0f

/* Logging flag bits (presumably the pf_rule.log byte). */
#define PF_LOG                  0x01
#define PF_LOG_ALL              0x02
#define PF_LOG_SOCKET_LOOKUP    0x04
  116 
/*
 * Reason codes for passing/dropping a packet.  They index
 * pf_status.counters[PFRES_MAX], and PFRES_NAMES must list the names in
 * exactly this order (PFRES_MAX names followed by a NULL terminator).
 */
#define PFRES_MATCH     0               /* Explicit match of a rule */
#define PFRES_BADOFF    1               /* Bad offset for pull_hdr */
#define PFRES_FRAG      2               /* Dropping following fragment */
#define PFRES_SHORT     3               /* Dropping short packet */
#define PFRES_NORM      4               /* Dropping by normalizer */
#define PFRES_MEMORY    5               /* Dropped due to lacking mem */
#define PFRES_TS        6               /* Bad TCP Timestamp (RFC1323) */
#define PFRES_CONGEST   7               /* Congestion (of ipintrq) */
#define PFRES_IPOPTIONS 8               /* IP option */
#define PFRES_PROTCKSUM 9               /* Protocol checksum invalid */
#define PFRES_BADSTATE  10              /* State mismatch */
#define PFRES_STATEINS  11              /* State insertion failure */
#define PFRES_MAXSTATES 12              /* State limit */
#define PFRES_SRCLIMIT  13              /* Source node/conn limit */
#define PFRES_SYNPROXY  14              /* SYN proxy */
#define PFRES_MAPFAILED 15              /* pf_map_addr() failed */
#define PFRES_MAX       16              /* total+1 */

/* Initializer for a NULL-terminated char *[] parallel to PFRES_*. */
#define PFRES_NAMES { \
        "match", \
        "bad-offset", \
        "fragment", \
        "short", \
        "normalize", \
        "memory", \
        "bad-timestamp", \
        "congestion", \
        "ip-option", \
        "proto-cksum", \
        "state-mismatch", \
        "state-insert", \
        "state-limit", \
        "src-limit", \
        "synproxy", \
        "map-failed", \
        NULL \
}
  155 
/*
 * Counters for other things we want to keep track of.  LCNT_* index
 * pf_status.lcounters[LCNT_MAX]; KLCNT_* extend the same numbering past
 * LCNT_MAX for counters that are only exported via the nvlist-based API.
 * LCNT_NAMES and KLCNT_NAMES must stay in this order and end with NULL;
 * the first LCNT_MAX entries of KLCNT_NAMES duplicate LCNT_NAMES.
 */
#define LCNT_STATES             0       /* states */
#define LCNT_SRCSTATES          1       /* max-src-states */
#define LCNT_SRCNODES           2       /* max-src-nodes */
#define LCNT_SRCCONN            3       /* max-src-conn */
#define LCNT_SRCCONNRATE        4       /* max-src-conn-rate */
#define LCNT_OVERLOAD_TABLE     5       /* entry added to overload table */
#define LCNT_OVERLOAD_FLUSH     6       /* state entries flushed */
#define LCNT_MAX                7       /* total+1 */
/* Only available via the nvlist-based API */
#define KLCNT_SYNFLOODS         7       /* synfloods detected */
#define KLCNT_SYNCOOKIES_SENT   8       /* syncookies sent */
#define KLCNT_SYNCOOKIES_VALID  9       /* syncookies validated */
#define KLCNT_MAX               10      /* total+1 */

#define LCNT_NAMES { \
        "max states per rule", \
        "max-src-states", \
        "max-src-nodes", \
        "max-src-conn", \
        "max-src-conn-rate", \
        "overload table insertion", \
        "overload flush states", \
        NULL \
}
#define KLCNT_NAMES { \
        "max states per rule", \
        "max-src-states", \
        "max-src-nodes", \
        "max-src-conn", \
        "max-src-conn-rate", \
        "overload table insertion", \
        "overload flush states", \
        "synfloods detected", \
        "syncookies sent", \
        "syncookies validated", \
        NULL \
}
  194 
/*
 * State operation counters; they index pf_status.fcounters[FCNT_MAX].
 * The name table is only provided to kernel code.
 */
#define FCNT_STATE_SEARCH       0
#define FCNT_STATE_INSERT       1
#define FCNT_STATE_REMOVALS     2
#define FCNT_MAX                3

#ifdef _KERNEL
/* NULL-terminated names parallel to FCNT_*; keep in the same order. */
#define FCNT_NAMES { \
        "searches", \
        "inserts", \
        "removals", \
        NULL \
}
#endif
  209 
/*
 * src_node operation counters; they index pf_status.scounters[SCNT_MAX].
 * Unlike FCNT_*, no name table is defined for these in this header.
 */
#define SCNT_SRC_NODE_SEARCH    0
#define SCNT_SRC_NODE_INSERT    1
#define SCNT_SRC_NODE_REMOVALS  2
#define SCNT_MAX                3

/* Fixed buffer sizes for table names and queue names (including NUL). */
#define PF_TABLE_NAME_SIZE      32
#define PF_QNAME_SIZE           64
  218 
/*
 * Carrier for nvlist-encoded ioctl payloads.  `len` is how much of the
 * buffer holds data, `size` is the buffer's capacity.
 *
 * NOTE(review): when this arrives from userland, the ioctl handler must
 * treat `data` as an untrusted pointer and check `len <= size` and cap
 * `size` before copying; nothing in this header enforces that — confirm
 * in the handler.
 */
struct pfioc_nv {
        void            *data;
        size_t           len;   /* The length of the nvlist data. */
        size_t           size;  /* The total size of the data buffer. */
};
  224 
struct pf_rule;

/*
 * keep synced with pfi_kif, used in RB_FIND
 *
 * Lookup key for the kif tree.  It carries only pfik_name, which is also
 * the first member of struct pfi_kif, so a pfi_kif_cmp can presumably be
 * passed where the tree compare function expects a pfi_kif; that only
 * works while pfik_name stays the first member of both structs.
 */
struct pfi_kif_cmp {
        char                             pfik_name[IFNAMSIZ];
};
  231 
/*
 * Kernel-side interface record.  pfik_name must remain the first member
 * (see struct pfi_kif_cmp above).
 */
struct pfi_kif {
        char                             pfik_name[IFNAMSIZ];
        /*
         * A kif is linked either into the RB tree or onto a list, never
         * both at once, so the two link fields share storage.
         */
        union {
                RB_ENTRY(pfi_kif)        _pfik_tree;
                LIST_ENTRY(pfi_kif)      _pfik_list;
        } _pfik_glue;
#define pfik_tree       _pfik_glue._pfik_tree
#define pfik_list       _pfik_glue._pfik_list
        /*
         * Per-interface traffic counters.  Each dimension is a 2-way
         * index; which one is af/direction/verdict is not defined here —
         * confirm against the users in pf.c before relying on an order.
         */
        u_int64_t                        pfik_packets[2][2][2];
        u_int64_t                        pfik_bytes[2][2][2];
        u_int32_t                        pfik_tzero;    /* presumably counter reset time — confirm */
        u_int                            pfik_flags;
        struct ifnet                    *pfik_ifp;
        struct ifg_group                *pfik_group;
        u_int                            pfik_rulerefs; /* rules referencing this kif */
        TAILQ_HEAD(, pfi_dynaddr)        pfik_dynaddrs;
};
  249 
/*
 * Global pf status snapshot.  Note the fixed-width types: unlike most of
 * this header this struct uses uint64_t/uint32_t, consistent with it
 * being copied to userland as-is.
 */
struct pf_status {
        uint64_t        counters[PFRES_MAX];    /* indexed by PFRES_* */
        uint64_t        lcounters[LCNT_MAX];    /* indexed by LCNT_* */
        uint64_t        fcounters[FCNT_MAX];    /* indexed by FCNT_* */
        uint64_t        scounters[SCNT_MAX];    /* indexed by SCNT_* */
        /* Packet/byte totals; the index meanings are not defined here. */
        uint64_t        pcounters[2][2][3];
        uint64_t        bcounters[2][2];
        uint32_t        running;
        uint32_t        states;
        uint32_t        src_nodes;
        uint32_t        since;
        uint32_t        debug;          /* presumably a PF_DEBUG_* value */
        uint32_t        hostid;
        char            ifname[IFNAMSIZ];
        /* MD5 digest, PF_MD5_DIGEST_LENGTH bytes; presumably of the ruleset. */
        uint8_t         pf_chksum[PF_MD5_DIGEST_LENGTH];
};
  266 
/*
 * Address-family independent 128-bit address.  An IPv4 address occupies
 * the first member of the union; the addr8/16/32 views allow mask and
 * compare operations without caring about the family.
 *
 * The accessor #defines below are ordinary file-scope macros: after this
 * header is included, every later occurrence of the identifiers v4, v6,
 * addr8, addr16 and addr32 in the translation unit is rewritten, so those
 * names must not be used for anything else.
 *
 * in_addr/in6_addr are not pulled in by this header (it only includes
 * <sys/tree.h>); the includer must provide them.
 */
struct pf_addr {
        union {
                struct in_addr          v4;
                struct in6_addr         v6;
                u_int8_t                addr8[16];
                u_int16_t               addr16[8];
                u_int32_t               addr32[4];
        } pfa;              /* 128-bit address */
#define v4      pfa.v4
#define v6      pfa.v6
#define addr8   pfa.addr8
#define addr16  pfa.addr16
#define addr32  pfa.addr32
};
  281 
/*
 * Interface address flags for pf_addr_wrap.iflags.  MODEMASK covers the
 * three mutually describing mode bits (0x01|0x02|0x04); NOALIAS sits
 * outside it.
 */
#define PFI_AFLAG_NETWORK       0x01
#define PFI_AFLAG_BROADCAST     0x02
#define PFI_AFLAG_PEER          0x04
#define PFI_AFLAG_MODEMASK      0x07
#define PFI_AFLAG_NOALIAS       0x08

/*
 * An address specification in a rule.  Which member of `v` is meaningful
 * is presumably selected by `type` (address+mask, interface name, or
 * table name).  `p` overlays kernel pointers with plain counts; the
 * pointer members cannot be meaningful on the userland side of the
 * interface, so consumers must never dereference them from a struct that
 * came in from userland — confirm how pf_ioctl.c resolves them.
 */
struct pf_addr_wrap {
        union {
                struct {
                        struct pf_addr           addr;
                        struct pf_addr           mask;
                }                        a;
                char                     ifname[IFNAMSIZ];
                char                     tblname[PF_TABLE_NAME_SIZE];
        }                        v;
        union {
                struct pfi_dynaddr      *dyn;
                struct pfr_ktable       *tbl;
                int                      dyncnt;
                int                      tblcnt;
        }                        p;
        u_int8_t                 type;          /* PF_ADDR_* */
        u_int8_t                 iflags;        /* PFI_AFLAG_* */
};
  306 
/*
 * Reference to a rule: a pointer inside the kernel, or a rule number when
 * the reference has to be representable to userland.  Only one member is
 * valid at a time; the context decides which.
 */
union pf_rule_ptr {
        struct pf_rule          *ptr;
        u_int32_t                nr;
};
  311 
/* uid match: a two-value range/operand pair and a PF_OP_* operator (presumably). */
struct pf_rule_uid {
        uid_t            uid[2];
        u_int8_t         op;
};
  316 
/*
 * gid match, same shape as pf_rule_uid.  Note the array is declared as
 * uid_t rather than gid_t; left as-is since this is a userland-visible
 * layout, but the two types must stay the same size for that to be safe.
 */
struct pf_rule_gid {
        uid_t            gid[2];
        u_int8_t         op;
};
  321 
/*
 * One endpoint of a rule: address spec, a port pair, negation flag and
 * the port operator (presumably a PF_OP_* value).
 */
struct pf_rule_addr {
        struct pf_addr_wrap      addr;
        u_int16_t                port[2];
        u_int8_t                 neg;
        u_int8_t                 port_op;
};
  328 
/*
 * One member of an address pool.  `kif` is a kernel pointer resolved from
 * `ifname`; userland only fills in the name.
 */
struct pf_pooladdr {
        struct pf_addr_wrap              addr;
        TAILQ_ENTRY(pf_pooladdr)         entries;
        char                             ifname[IFNAMSIZ];
        struct pfi_kif                  *kif;
};

/* List head type for pool members (struct pf_pool.list below). */
TAILQ_HEAD(pf_palist, pf_pooladdr);
  337 
/*
 * 128-bit key for source-hash pools.  As with struct pf_addr, the key8/
 * key16/key32 accessor #defines are file-scope macros and take those
 * identifiers for the rest of the translation unit.
 */
struct pf_poolhashkey {
        union {
                u_int8_t                key8[16];
                u_int16_t               key16[8];
                u_int32_t               key32[4];
        } pfk;              /* 128-bit hash key */
#define key8    pfk.key8
#define key16   pfk.key16
#define key32   pfk.key32
};
  348 
/*
 * MAP-E port-set parameters (inferred from the names: offset, port-set
 * identifier length and the identifier itself — confirm against the
 * MAP-E users).
 */
struct pf_mape_portset {
        u_int8_t                offset;
        u_int8_t                psidlen;
        u_int16_t               psid;
};
  354 
/*
 * Address pool used for translation/routing targets.  `cur` is a kernel
 * pointer into `list`; `key` is presumably only meaningful for
 * PF_POOL_SRCHASH, and `opts` presumably carries a PF_POOL_* type in the
 * PF_POOL_TYPEMASK nibble plus PF_POOL_STICKYADDR — confirm in pf_lb.c.
 */
struct pf_pool {
        struct pf_palist         list;
        struct pf_pooladdr      *cur;
        struct pf_poolhashkey    key;
        struct pf_addr           counter;
        int                      tblidx;
        u_int16_t                proxy_port[2];
        u_int8_t                 opts;
};
  364 
/*
 * A packed Operating System description for fingerprinting.
 * Layout is defined by the _FP_*_BITS packing macros below.  The two
 * special values are (pf_osfp_t)-1 and -2, i.e. they live in the top
 * (reserved) bit region and cannot collide with a packed class/version/
 * subtype triple.
 */
typedef u_int32_t pf_osfp_t;
#define PF_OSFP_ANY     ((pf_osfp_t)0)
#define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
#define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
  370 
/* One named OS entry attached to a fingerprint. */
struct pf_osfp_entry {
        SLIST_ENTRY(pf_osfp_entry) fp_entry;
        pf_osfp_t               fp_os;
        int                     fp_enflags;
#define PF_OSFP_EXPANDED        0x001           /* expanded entry */
#define PF_OSFP_GENERIC         0x002           /* generic signature */
#define PF_OSFP_NODETAIL        0x004           /* no p0f details */
#define PF_OSFP_LEN     32
        char                    fp_class_nm[PF_OSFP_LEN];
        char                    fp_version_nm[PF_OSFP_LEN];
        char                    fp_subtype_nm[PF_OSFP_LEN];
};
/*
 * Entry equality.  The name fields are compared over all PF_OSFP_LEN
 * bytes, not up to the NUL, so two entries with the same strings but
 * different padding compare unequal: producers must zero-fill the name
 * buffers.  Both arguments are evaluated several times.
 */
#define PF_OSFP_ENTRY_EQ(a, b) \
    ((a)->fp_os == (b)->fp_os && \
    memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
    memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
    memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
  388 
/*
 * handle pf_osfp_t packing
 *
 * Bit budget, high to low: 1 reserved + 1 unused + 10 class + 10 version
 * + 10 subtype = 32, matching the u_int32_t pf_osfp_t.  PACK masks each
 * input to its field width, so an out-of-range class/version/subtype is
 * silently truncated rather than rejected.  The _FP_* names begin with an
 * underscore and an uppercase letter, a form reserved for the
 * implementation; they are kept for compatibility.
 */
#define _FP_RESERVED_BIT        1  /* For the special negative #defines */
#define _FP_UNUSED_BITS         1
#define _FP_CLASS_BITS          10 /* OS Class (Windows, Linux) */
#define _FP_VERSION_BITS        10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
#define _FP_SUBTYPE_BITS        10 /* patch level (NT SP4, SP3, ECN patch) */
/* Split osfp into its three fields (each assigned as an int-sized value). */
#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
        (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
            ((1 << _FP_CLASS_BITS) - 1); \
        (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
            ((1 << _FP_VERSION_BITS) - 1);\
        (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
} while(0)
/* Inverse of UNPACK; overwrites osfp entirely. */
#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
        (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
            + _FP_SUBTYPE_BITS); \
        (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
            _FP_SUBTYPE_BITS; \
        (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
} while(0)
  409 
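/*
 * the fingerprint of an OSes TCP SYN packet
 *
 * fp_tcpopts packs the observed TCP option kinds, PF_OSFP_TCPOPT_BITS
 * bits each, into a 64-bit word; PF_OSFP_MAX_OPTS (64 / 3 = 21) is how
 * many fit.  The fp_flags bits say which of the numeric fields are
 * exact, modulus, or don't-care matches.
 */
typedef u_int64_t       pf_tcpopts_t;
struct pf_os_fingerprint {
        SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
        pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
        u_int16_t               fp_wsize;       /* TCP window size */
        u_int16_t               fp_psize;       /* ip->ip_len */
        u_int16_t               fp_mss;         /* TCP MSS */
        u_int16_t               fp_flags;       /* PF_OSFP_* match flags */
#define PF_OSFP_WSIZE_MOD       0x0001          /* Window modulus */
#define PF_OSFP_WSIZE_DC        0x0002          /* Window don't care */
#define PF_OSFP_WSIZE_MSS       0x0004          /* Window multiple of MSS */
#define PF_OSFP_WSIZE_MTU       0x0008          /* Window multiple of MTU */
#define PF_OSFP_PSIZE_MOD       0x0010          /* packet size modulus */
#define PF_OSFP_PSIZE_DC        0x0020          /* packet size don't care */
#define PF_OSFP_WSCALE          0x0040          /* TCP window scaling */
#define PF_OSFP_WSCALE_MOD      0x0080          /* TCP window scale modulus */
#define PF_OSFP_WSCALE_DC       0x0100          /* TCP window scale dont-care */
#define PF_OSFP_MSS             0x0200          /* TCP MSS */
#define PF_OSFP_MSS_MOD         0x0400          /* TCP MSS modulus */
#define PF_OSFP_MSS_DC          0x0800          /* TCP MSS dont-care */
#define PF_OSFP_DF              0x1000          /* IPv4 don't fragment bit */
#define PF_OSFP_TS0             0x2000          /* Zero timestamp */
#define PF_OSFP_INET6           0x4000          /* IPv6 */
        u_int8_t                fp_optcnt;      /* TCP option count */
        u_int8_t                fp_wscale;      /* TCP window scaling */
        u_int8_t                fp_ttl;         /* IPv4 TTL */
/* presumably the tolerated distance from the initial TTL — confirm in pf_osfp.c */
#define PF_OSFP_MAXTTL_OFFSET   40
/* TCP options packing */
#define PF_OSFP_TCPOPT_NOP      0x0             /* TCP NOP option */
#define PF_OSFP_TCPOPT_WSCALE   0x1             /* TCP window scaling option */
#define PF_OSFP_TCPOPT_MSS      0x2             /* TCP max segment size opt */
#define PF_OSFP_TCPOPT_SACK     0x3             /* TCP SACK OK option */
#define PF_OSFP_TCPOPT_TS       0x4             /* TCP timestamp option */
#define PF_OSFP_TCPOPT_BITS     3               /* bits used by each option */
/*
 * Number of options that fit in fp_tcpopts.  Fully parenthesized: the
 * bare "(...) * 8 / 3" form mis-associates in expressions such as
 * x % PF_OSFP_MAX_OPTS.
 */
#define PF_OSFP_MAX_OPTS \
    ((sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
    / PF_OSFP_TCPOPT_BITS)

        SLIST_ENTRY(pf_os_fingerprint)  fp_next;
};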
  451 
/*
 * Userland view of one fingerprint: the scalar fields of
 * struct pf_os_fingerprint plus a single pf_osfp_entry by value (no list
 * pointers cross the boundary).  fp_getnum selects which entry a get
 * request returns.
 */
struct pf_osfp_ioctl {
        struct pf_osfp_entry    fp_os;
        pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
        u_int16_t               fp_wsize;       /* TCP window size */
        u_int16_t               fp_psize;       /* ip->ip_len */
        u_int16_t               fp_mss;         /* TCP MSS */
        u_int16_t               fp_flags;       /* PF_OSFP_* match flags */
        u_int8_t                fp_optcnt;      /* TCP option count */
        u_int8_t                fp_wscale;      /* TCP window scaling */
        u_int8_t                fp_ttl;         /* IPv4 TTL */

        int                     fp_getnum;      /* DIOCOSFPGET number */
};
  465 
#define PF_ANCHOR_NAME_SIZE      64

/*
 * A filter/translation rule.  The layout is shared with userland, so
 * members must not be reordered.  The fixed-size char arrays (label,
 * ifname, qname, pqname, tagname, match_tagname, overload_tblname) are
 * filled in by userland; nothing here guarantees NUL termination, so the
 * receiving side must terminate or reject them before treating them as
 * strings — confirm in pf_ioctl.c.  Pointer members (kif, anchor,
 * overload_tbl, the counter_u64_t fields) are kernel-only and must be
 * re-resolved, never trusted, when a rule is copied in.
 */
struct pf_rule {
        struct pf_rule_addr      src;
        struct pf_rule_addr      dst;
/* Indices into skip[]; one skip step per match criterion. */
#define PF_SKIP_IFP             0
#define PF_SKIP_DIR             1
#define PF_SKIP_AF              2
#define PF_SKIP_PROTO           3
#define PF_SKIP_SRC_ADDR        4
#define PF_SKIP_SRC_PORT        5
#define PF_SKIP_DST_ADDR        6
#define PF_SKIP_DST_PORT        7
#define PF_SKIP_COUNT           8
        union pf_rule_ptr        skip[PF_SKIP_COUNT];
#define PF_RULE_LABEL_SIZE       64
/* This struct carries one label; the count presumably applies to another rule format. */
#define PF_RULE_MAX_LABEL_COUNT  5
        char                     label[PF_RULE_LABEL_SIZE];
        char                     ifname[IFNAMSIZ];
        char                     qname[PF_QNAME_SIZE];
        char                     pqname[PF_QNAME_SIZE];
#define PF_TAG_NAME_SIZE         64
        char                     tagname[PF_TAG_NAME_SIZE];
        char                     match_tagname[PF_TAG_NAME_SIZE];

        char                     overload_tblname[PF_TABLE_NAME_SIZE];

        TAILQ_ENTRY(pf_rule)     entries;
        struct pf_pool           rpool;

        /* Per-rule statistics; index [2] is presumably direction. */
        u_int64_t                evaluations;
        u_int64_t                packets[2];
        u_int64_t                bytes[2];

        /* Kernel-resolved references (from ifname / anchor path / overload_tblname). */
        struct pfi_kif          *kif;
        struct pf_anchor        *anchor;
        struct pfr_ktable       *overload_tbl;

        pf_osfp_t                os_fingerprint;

        int                      rtableid;
        u_int32_t                timeout[PFTM_MAX];     /* per-rule PFTM_* overrides */
        u_int32_t                max_states;
        u_int32_t                max_src_nodes;
        u_int32_t                max_src_states;
        u_int32_t                max_src_conn;
        struct {
                u_int32_t               limit;
                u_int32_t               seconds;
        }                        max_src_conn_rate;     /* see struct pf_threshold */
        u_int32_t                qid;
        u_int32_t                pqid;
        u_int32_t                rt_listid;
        u_int32_t                nr;                    /* rule number */
        u_int32_t                prob;
        uid_t                    cuid;                  /* presumably creating uid */
        pid_t                    cpid;                  /* presumably creating pid */

        /* Kernel counters; the u_* uint64_t fields at the end are their plain-integer twins. */
        counter_u64_t            states_cur;
        counter_u64_t            states_tot;
        counter_u64_t            src_nodes;

        u_int16_t                return_icmp;
        u_int16_t                return_icmp6;
        u_int16_t                max_mss;
        u_int16_t                tag;
        u_int16_t                match_tag;
        u_int16_t                scrub_flags;           /* PFRULE_* scrub flags, presumably */

        struct pf_rule_uid       uid;
        struct pf_rule_gid       gid;

        u_int32_t                rule_flag;             /* PFRULE_* rule flags (see below) */
        u_int8_t                 action;                /* PF_PASS, PF_DROP, ... */
        u_int8_t                 direction;             /* PF_IN / PF_OUT / PF_INOUT */
        u_int8_t                 log;                   /* PF_LOG* bits */
        u_int8_t                 logif;
        u_int8_t                 quick;
        u_int8_t                 ifnot;
        u_int8_t                 match_tag_not;
        u_int8_t                 natpass;

/* Values for keep_state. */
#define PF_STATE_NORMAL         0x1
#define PF_STATE_MODULATE       0x2
#define PF_STATE_SYNPROXY       0x3
        u_int8_t                 keep_state;
        sa_family_t              af;
        u_int8_t                 proto;
        u_int8_t                 type;
        u_int8_t                 code;
        u_int8_t                 flags;
        u_int8_t                 flagset;
        u_int8_t                 min_ttl;
        u_int8_t                 allow_opts;
        u_int8_t                 rt;                    /* PF_NOPFROUTE, PF_ROUTETO, ... presumably */
        u_int8_t                 return_ttl;
        u_int8_t                 tos;
        u_int8_t                 set_tos;
        u_int8_t                 anchor_relative;
        u_int8_t                 anchor_wildcard;

/* Bits for flush. */
#define PF_FLUSH                0x01
#define PF_FLUSH_GLOBAL         0x02
        u_int8_t                 flush;
/* prio is 0..PF_PRIO_MAX; PF_PRIO_ZERO is the sentinel for an explicit "prio 0". */
#define PF_PRIO_ZERO            0xff            /* match "prio 0" packets */
#define PF_PRIO_MAX             7
        u_int8_t                 prio;
        u_int8_t                 set_prio[2];

        struct {
                struct pf_addr          addr;
                u_int16_t               port;
        }                       divert;

        /* Userland-visible snapshots of states_cur/states_tot/src_nodes (presumably). */
        uint64_t                 u_states_cur;
        uint64_t                 u_states_tot;
        uint64_t                 u_src_nodes;
};
  584 
/*
 * rule flags (pf_rule.rule_flag).  PFRULE_DROP is simply the absence of
 * the RETURN* bits.  Bits 0x0100-0x2000 are the scrub flags below; the
 * later rule flags resume at 0x00010000, so the two groups do not
 * overlap even if they end up in the same 32-bit word.
 */
#define PFRULE_DROP             0x0000
#define PFRULE_RETURNRST        0x0001
#define PFRULE_FRAGMENT         0x0002
#define PFRULE_RETURNICMP       0x0004
#define PFRULE_RETURN           0x0008
#define PFRULE_NOSYNC           0x0010
#define PFRULE_SRCTRACK         0x0020  /* track source states */
#define PFRULE_RULESRCTRACK     0x0040  /* per rule */

#ifdef _KERNEL
#define PFRULE_REFS             0x0080  /* rule has references */
#endif

/* scrub flags (0x0400 is intentionally unused here) */
#define PFRULE_NODF             0x0100
#define PFRULE_FRAGMENT_NOREASS 0x0200
#define PFRULE_RANDOMID         0x0800
#define PFRULE_REASSEMBLE_TCP   0x1000
#define PFRULE_SET_TOS          0x2000

/* rule flags again */
#define PFRULE_IFBOUND          0x00010000      /* if-bound */
#define PFRULE_STATESLOPPY      0x00020000      /* sloppy state tracking */

/*
 * Default limits.  The ADAPT values are state counts, not timeouts; they
 * presumably pair with PFTM_ADAPTIVE_START/END, which have no _VAL above.
 */
#define PFSTATE_HIWAT           100000  /* default state table size */
#define PFSTATE_ADAPT_START     60000   /* default adaptive timeout start */
#define PFSTATE_ADAPT_END       120000  /* default adaptive timeout end */
  613 
  614 
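/*
 * Rate threshold: at most `limit` events per `seconds` (the shape of
 * pf_rule.max_src_conn_rate; used as pf_src_node.conn_rate).  What
 * `count` and `last` hold exactly is not visible here — presumably the
 * scaled running count and the time of the last update; confirm in pf.c.
 */
struct pf_threshold {
        u_int32_t       limit;
#define PF_THRESHOLD_MULT       1000
/*
 * Largest limit for which limit * PF_THRESHOLD_MULT still fits in 32
 * bits.  Parenthesized: the bare "0xffffffff / 1000" form mis-associates
 * inside a larger expression such as x / PF_THRESHOLD_MAX.
 */
#define PF_THRESHOLD_MAX        (0xffffffff / PF_THRESHOLD_MULT)
        u_int32_t       seconds;
        u_int32_t       count;
        u_int32_t       last;
};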
  623 
/*
 * Source tracking node: per-source-address limits and statistics.
 * `rule` and `kif` are kernel references (see union pf_rule_ptr for the
 * userland representation).
 */
struct pf_src_node {
        LIST_ENTRY(pf_src_node) entry;
        struct pf_addr   addr;          /* tracked source address */
        struct pf_addr   raddr;         /* presumably the translated address — confirm */
        union pf_rule_ptr rule;
        struct pfi_kif  *kif;
        u_int64_t        bytes[2];
        u_int64_t        packets[2];
        u_int32_t        states;        /* current states from this source */
        u_int32_t        conn;
        struct pf_threshold     conn_rate;
        u_int32_t        creation;
        u_int32_t        expire;
        sa_family_t      af;
        u_int8_t         ruletype;
};
  640 
#define PFSNODE_HIWAT           10000   /* default source node table size */

/* Queue type holding pf_rule entries (struct pf_ruleset below). */
TAILQ_HEAD(pf_rulequeue, pf_rule);

struct pf_anchor;
  646 
/*
 * A set of rule queues, one pair per PF_RULESET_* kind.  Each kind keeps
 * two queues and two descriptors, `active` and `inactive`; the names
 * suggest a double-buffered commit scheme (build inactive, then swap),
 * with `ticket` guarding each side against concurrent modification —
 * confirm in pf_ioctl.c before relying on that.
 */
struct pf_ruleset {
        struct {
                struct pf_rulequeue      queues[2];
                struct {
                        struct pf_rulequeue     *ptr;           /* points at one of queues[] */
                        struct pf_rule          **ptr_array;
                        u_int32_t                rcount;        /* rule count */
                        u_int32_t                ticket;
                        int                      open;
                }                        active, inactive;
        }                        rules[PF_RULESET_MAX];
        struct pf_anchor        *anchor;
        u_int32_t                tticket;               /* table ticket */
        int                      tables;
        int                      topen;
};
  663 
/* Tree head types: all anchors by path, and one node's children by name. */
RB_HEAD(pf_anchor_global, pf_anchor);
RB_HEAD(pf_anchor_node, pf_anchor);
/*
 * An anchor: a named, nestable ruleset.  Each anchor sits in both trees
 * via its two RB_ENTRY links.  `name` is the last path component and
 * `path` the full path (MAXPATHLEN bytes, the bulk of the struct).
 */
struct pf_anchor {
        RB_ENTRY(pf_anchor)      entry_global;
        RB_ENTRY(pf_anchor)      entry_node;
        struct pf_anchor        *parent;
        struct pf_anchor_node    children;
        char                     name[PF_ANCHOR_NAME_SIZE];
        char                     path[MAXPATHLEN];
        struct pf_ruleset        ruleset;
        int                      refcnt;        /* anchor rules */
        int                      match; /* XXX: used for pfctl black magic */
};
/* Both trees share one compare function, pf_anchor_compare (defined elsewhere). */
RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
  679 
/*
 * Map a one-byte value to a ruleset index; presumably a PF_* action
 * (pf_rule.action) to a PF_RULESET_* value — confirm at the definition.
 */
int      pf_get_ruleset_number(u_int8_t);
  681 
  682 #endif  /* _NET_PF_H_ */




