diff options
author | glebius <glebius@FreeBSD.org> | 2014-03-12 10:45:58 +0000 |
---|---|---|
committer | glebius <glebius@FreeBSD.org> | 2014-03-12 10:45:58 +0000 |
commit | f937dcf2bd0584087acec5d8dc92dd5dba177113 (patch) | |
tree | 8cbef21f45f26a80647ff8a0604c3c9c65c2bb40 | |
parent | eeff801556700aefbd569ad4bac5acdebcc3b9a8 (diff) | |
download | FreeBSD-src-f937dcf2bd0584087acec5d8dc92dd5dba177113.zip FreeBSD-src-f937dcf2bd0584087acec5d8dc92dd5dba177113.tar.gz |
Bulk sync of pf changes from head, in attempt to fixup broken build I
made in r263029.
Merge r257186,257215,257349,259736,261797.
These changesets split pfvar.h into several smaller headers and make
userland utilities to include only some of them.
31 files changed, 341 insertions, 199 deletions
diff --git a/contrib/libpcap/grammar.y b/contrib/libpcap/grammar.y index ac69db9..12a326e 100644 --- a/contrib/libpcap/grammar.y +++ b/contrib/libpcap/grammar.y @@ -56,7 +56,7 @@ struct rtentry; #include "gencode.h" #ifdef HAVE_NET_PFVAR_H #include <net/if.h> -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> #include <net/if_pflog.h> #endif #include "ieee80211.h" diff --git a/contrib/tcpdump/print-ip.c b/contrib/tcpdump/print-ip.c index bc6cbcc..291901f 100644 --- a/contrib/tcpdump/print-ip.c +++ b/contrib/tcpdump/print-ip.c @@ -483,9 +483,11 @@ again: pgm_print(ipds->cp, ipds->len, (const u_char *)ipds->ip); break; +#if defined(HAVE_NET_PFVAR_H) case IPPROTO_PFSYNC: pfsync_ip_print(ipds->cp, ipds->len); break; +#endif default: if (ndo->ndo_nflag==0 && (proto = getprotobynumber(ipds->nh)) != NULL) diff --git a/etc/mtree/BSD.include.dist b/etc/mtree/BSD.include.dist index 02e9d07..a56d4b4 100644 --- a/etc/mtree/BSD.include.dist +++ b/etc/mtree/BSD.include.dist @@ -287,6 +287,10 @@ sig .. .. + netpfil + pf + .. + .. netsmb .. nfs diff --git a/include/Makefile b/include/Makefile index 44a54e3..0716400 100644 --- a/include/Makefile +++ b/include/Makefile @@ -280,6 +280,13 @@ symlinks: ${DESTDIR}${INCLUDEDIR}/netinet; \ done .endif +.if ${MK_PF} != "no" + cd ${.CURDIR}/../sys/netpfil/pf; \ + for h in *.h; do \ + ln -fs ../../../../sys/netpfil/pf/$$h \ + ${DESTDIR}${INCLUDEDIR}/netpfil/pf; \ + done +.endif cd ${.CURDIR}/../sys/crypto; \ for h in rijndael/rijndael.h; do \ ln -fs ../../../sys/crypto/$$h \ diff --git a/sbin/ifconfig/Makefile b/sbin/ifconfig/Makefile index a98840d..a10d1fb 100644 --- a/sbin/ifconfig/Makefile +++ b/sbin/ifconfig/Makefile @@ -40,7 +40,9 @@ LDADD+= -lbsdxml -lsbuf SRCS+= carp.c # SIOC[GS]VH support SRCS+= ifgroup.c # ... +.if ${MK_PF} != "no" SRCS+= ifpfsync.c # pfsync(4) support +.endif SRCS+= ifbridge.c # bridge support SRCS+= iflagg.c # lagg support diff --git a/sbin/ipfw/Makefile b/sbin/ipfw/Makefile index b25f38c..6aea26b 100644 --- a/sbin/ipfw/Makefile +++ b/sbin/ipfw/Makefile @@ -1,8 +1,16 @@ # $FreeBSD$ +.include <bsd.own.mk> + PROG= ipfw -SRCS= ipfw2.c dummynet.c ipv6.c main.c nat.c altq.c +SRCS= ipfw2.c dummynet.c ipv6.c main.c nat.c WARNS?= 2 + +.if ${MK_PF} != "no" +SRCS+= altq.c +CFLAGS+=-DPF +.endif + DPADD= ${LIBUTIL} LDADD= -lutil MAN= ipfw.8 diff --git a/sbin/ipfw/ipfw2.h b/sbin/ipfw/ipfw2.h index d592930..9abe6ee 100644 --- a/sbin/ipfw/ipfw2.h +++ b/sbin/ipfw/ipfw2.h @@ -266,11 +266,14 @@ void ipfw_flush(int force); void ipfw_zero(int ac, char *av[], int optname); void ipfw_list(int ac, char *av[], int show_counters); +#ifdef PF /* altq.c */ void altq_set_enabled(int enabled); u_int32_t altq_name_to_qid(const char *name); - void print_altq_cmd(struct _ipfw_insn_altq *altqptr); +#else +#define NO_ALTQ +#endif /* dummynet.c */ void dummynet_list(int ac, char *av[], int show_counters); diff --git a/sys/contrib/altq/altq/altq_cbq.c b/sys/contrib/altq/altq/altq_cbq.c index 0a33792..3991d1d 100644 --- a/sys/contrib/altq/altq/altq_cbq.c +++ b/sys/contrib/altq/altq/altq_cbq.c @@ -54,9 +54,12 @@ #endif #include <net/if.h> +#include <net/if_var.h> #include <netinet/in.h> -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> +#include <netpfil/pf/pf_mtag.h> #include <altq/altq.h> #include <altq/altq_cbq.h> #ifdef ALTQ3_COMPAT diff --git a/sys/contrib/altq/altq/altq_cdnr.c b/sys/contrib/altq/altq/altq_cdnr.c index fca7041..ee36fe8 100644 --- a/sys/contrib/altq/altq/altq_cdnr.c +++ b/sys/contrib/altq/altq/altq_cdnr.c @@ -55,6 +55,7 @@ #include <netinet/ip6.h> #endif +#include <altq/if_altq.h> #include <altq/altq.h> #ifdef ALTQ3_COMPAT #include <altq/altq_conf.h> diff --git a/sys/contrib/altq/altq/altq_hfsc.c b/sys/contrib/altq/altq/altq_hfsc.c index f436bd5..0363016 100644 --- a/sys/contrib/altq/altq/altq_hfsc.c +++ b/sys/contrib/altq/altq/altq_hfsc.c @@ -66,9 +66,12 @@ #endif /* ALTQ3_COMPAT */ #include <net/if.h> +#include <net/if_var.h> #include <netinet/in.h> -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> +#include <netpfil/pf/pf_mtag.h> #include <altq/altq.h> #include <altq/altq_hfsc.h> #ifdef ALTQ3_COMPAT diff --git a/sys/contrib/altq/altq/altq_priq.c b/sys/contrib/altq/altq/altq_priq.c index 72bad80..3ce65dc 100644 --- a/sys/contrib/altq/altq/altq_priq.c +++ b/sys/contrib/altq/altq/altq_priq.c @@ -51,9 +51,12 @@ #include <sys/queue.h> #include <net/if.h> +#include <net/if_var.h> #include <netinet/in.h> -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> +#include <netpfil/pf/pf_mtag.h> #include <altq/altq.h> #ifdef ALTQ3_COMPAT #include <altq/altq_conf.h> diff --git a/sys/contrib/altq/altq/altq_red.c b/sys/contrib/altq/altq/altq_red.c index b92e005..defee29 100644 --- a/sys/contrib/altq/altq/altq_red.c +++ b/sys/contrib/altq/altq/altq_red.c @@ -86,6 +86,7 @@ #endif /* ALTQ3_COMPAT */ #include <net/if.h> +#include <net/if_var.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -94,7 +95,9 @@ #include <netinet/ip6.h> #endif -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> +#include <netpfil/pf/pf_mtag.h> #include <altq/altq.h> #include <altq/altq_red.h> #ifdef ALTQ3_COMPAT diff --git a/sys/contrib/altq/altq/altq_rio.c b/sys/contrib/altq/altq/altq_rio.c index a48cd6d..151debe 100644 --- a/sys/contrib/altq/altq/altq_rio.c +++ b/sys/contrib/altq/altq/altq_rio.c @@ -81,6 +81,7 @@ #endif #include <net/if.h> +#include <net/if_var.h> #include <netinet/in.h> #include <netinet/in_systm.h> @@ -89,7 +90,8 @@ #include <netinet/ip6.h> #endif -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> #include <altq/altq.h> #include <altq/altq_cdnr.h> #include <altq/altq_red.h> diff --git a/sys/contrib/altq/altq/altq_rmclass.c b/sys/contrib/altq/altq/altq_rmclass.c index 83a8720..c433024 100644 --- a/sys/contrib/altq/altq/altq_rmclass.c +++ b/sys/contrib/altq/altq/altq_rmclass.c @@ -59,12 +59,14 @@ #endif #include <net/if.h> +#include <net/if_var.h> #ifdef ALTQ3_COMPAT #include <netinet/in.h> #include <netinet/in_systm.h> #include <netinet/ip.h> #endif +#include <altq/if_altq.h> #include <altq/altq.h> #include <altq/altq_rmclass.h> #include <altq/altq_rmclass_debug.h> diff --git a/sys/contrib/altq/altq/altq_subr.c b/sys/contrib/altq/altq/altq_subr.c index 2d7ce75..16b796a 100644 --- a/sys/contrib/altq/altq/altq_subr.c +++ b/sys/contrib/altq/altq/altq_subr.c @@ -49,6 +49,7 @@ #include <sys/queue.h> #include <net/if.h> +#include <net/if_var.h> #include <net/if_dl.h> #include <net/if_types.h> #ifdef __FreeBSD__ @@ -64,7 +65,8 @@ #include <netinet/tcp.h> #include <netinet/udp.h> -#include <net/pfvar.h> +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> #include <altq/altq.h> #ifdef ALTQ3_COMPAT #include <altq/altq_conf.h> diff --git a/sys/net/if_ethersubr.c b/sys/net/if_ethersubr.c index 26e6edb..ea22d33 100644 --- a/sys/net/if_ethersubr.c +++ b/sys/net/if_ethersubr.c @@ -62,10 +62,11 @@ #include <net/if_bridgevar.h> #include <net/if_vlan_var.h> #include <net/if_llatbl.h> -#include <net/pf_mtag.h> #include <net/pfil.h> #include <net/vnet.h> +#include <netpfil/pf/pf_mtag.h> + #if defined(INET) || defined(INET6) #include <netinet/in.h> #include <netinet/in_var.h> diff --git a/sys/net/pfvar.h b/sys/net/pfvar.h index 8751af8..b7fbf5f 100644 --- a/sys/net/pfvar.h +++ b/sys/net/pfvar.h @@ -42,82 +42,9 @@ #include <net/radix.h> #include <netinet/in.h> -#include <net/pf_mtag.h> - -#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) -#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) - -#define PF_MD5_DIGEST_LENGTH 16 -#ifdef MD5_DIGEST_LENGTH -#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH -#error -#endif -#endif - -enum { PF_INOUT, PF_IN, PF_OUT }; -enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, - PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; -enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, - PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; -enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, - PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; -enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; -enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, - PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, - PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; -enum { PF_GET_NONE, PF_GET_CLR_CNTR }; -enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH }; - -/* - * Note about PFTM_*: real indices into pf_rule.timeout[] come before - * PFTM_MAX, special cases afterwards. See pf_state_expires(). - */ -enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, - PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, - PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, - PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, - PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, - PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, - PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, - PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED }; - -/* PFTM default values */ -#define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ -#define PFTM_TCP_OPENING_VAL 30 /* No response yet */ -#define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ -#define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ -#define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ -#define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ -#define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ -#define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ -#define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ -#define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ -#define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ -#define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ -#define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ -#define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ -#define PFTM_FRAG_VAL 30 /* Fragment expire */ -#define PFTM_INTERVAL_VAL 10 /* Expire interval */ -#define PFTM_SRC_NODE_VAL 0 /* Source tracking */ -#define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ - -enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; -enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; -#define PF_POOL_IDMASK 0x0f -enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, - PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; -enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, - PF_ADDR_TABLE, PF_ADDR_URPFFAILED, - PF_ADDR_RANGE }; -#define PF_POOL_TYPEMASK 0x0f -#define PF_POOL_STICKYADDR 0x20 -#define PF_WSCALE_FLAG 0x80 -#define PF_WSCALE_MASK 0x0f - -#define PF_LOG 0x01 -#define PF_LOG_ALL 0x02 -#define PF_LOG_SOCKET_LOOKUP 0x04 +#include <netpfil/pf/pf.h> +#include <netpfil/pf/pf_altq.h> +#include <netpfil/pf/pf_mtag.h> struct pf_addr { union { @@ -134,8 +61,6 @@ struct pf_addr { #define addr32 pfa.addr32 }; -#define PF_TABLE_NAME_SIZE 32 - #define PFI_AFLAG_NETWORK 0x01 #define PFI_AFLAG_BROADCAST 0x02 #define PFI_AFLAG_PEER 0x04 @@ -564,7 +489,6 @@ struct pf_rule { union pf_rule_ptr skip[PF_SKIP_COUNT]; #define PF_RULE_LABEL_SIZE 64 char label[PF_RULE_LABEL_SIZE]; -#define PF_QNAME_SIZE 64 char ifname[IFNAMSIZ]; char qname[PF_QNAME_SIZE]; char pqname[PF_QNAME_SIZE]; @@ -1199,43 +1123,6 @@ struct pf_pdesc { #define PF_DPORT_RANGE 0x01 /* Dest port uses range */ #define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */ -/* Reasons code for passing/dropping a packet */ -#define PFRES_MATCH 0 /* Explicit match of a rule */ -#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ -#define PFRES_FRAG 2 /* Dropping following fragment */ -#define PFRES_SHORT 3 /* Dropping short packet */ -#define PFRES_NORM 4 /* Dropping by normalizer */ -#define PFRES_MEMORY 5 /* Dropped due to lacking mem */ -#define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ -#define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ -#define PFRES_IPOPTIONS 8 /* IP option */ -#define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ -#define PFRES_BADSTATE 10 /* State mismatch */ -#define PFRES_STATEINS 11 /* State insertion failure */ -#define PFRES_MAXSTATES 12 /* State limit */ -#define PFRES_SRCLIMIT 13 /* Source node/conn limit */ -#define PFRES_SYNPROXY 14 /* SYN proxy */ -#define PFRES_MAX 15 /* total+1 */ - -#define PFRES_NAMES { \ - "match", \ - "bad-offset", \ - "fragment", \ - "short", \ - "normalize", \ - "memory", \ - "bad-timestamp", \ - "congestion", \ - "ip-option", \ - "proto-cksum", \ - "state-mismatch", \ - "state-insert", \ - "state-limit", \ - "src-limit", \ - "synproxy", \ - NULL \ -} - /* Counters for other things we want to keep track of */ #define LCNT_STATES 0 /* states */ #define LCNT_SRCSTATES 1 /* max-src-states */ @@ -1326,69 +1213,6 @@ struct pf_status { u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; }; -struct cbq_opts { - u_int minburst; - u_int maxburst; - u_int pktsize; - u_int maxpktsize; - u_int ns_per_byte; - u_int maxidle; - int minidle; - u_int offtime; - int flags; -}; - -struct priq_opts { - int flags; -}; - -struct hfsc_opts { - /* real-time service curve */ - u_int rtsc_m1; /* slope of the 1st segment in bps */ - u_int rtsc_d; /* the x-projection of m1 in msec */ - u_int rtsc_m2; /* slope of the 2nd segment in bps */ - /* link-sharing service curve */ - u_int lssc_m1; - u_int lssc_d; - u_int lssc_m2; - /* upper-limit service curve */ - u_int ulsc_m1; - u_int ulsc_d; - u_int ulsc_m2; - int flags; -}; - -struct pf_altq { - char ifname[IFNAMSIZ]; - - void *altq_disc; /* discipline-specific state */ - TAILQ_ENTRY(pf_altq) entries; - - /* scheduler spec */ - u_int8_t scheduler; /* scheduler type */ - u_int16_t tbrsize; /* tokenbucket regulator size */ - u_int32_t ifbandwidth; /* interface bandwidth */ - - /* queue spec */ - char qname[PF_QNAME_SIZE]; /* queue name */ - char parent[PF_QNAME_SIZE]; /* parent name */ - u_int32_t parent_qid; /* parent queue id */ - u_int32_t bandwidth; /* queue bandwidth */ - u_int8_t priority; /* priority */ - u_int8_t local_flags; /* dynamic interface */ -#define PFALTQ_FLAG_IF_REMOVED 0x01 - - u_int16_t qlimit; /* queue size limit */ - u_int16_t flags; /* misc flags */ - union { - struct cbq_opts cbq_opts; - struct priq_opts priq_opts; - struct hfsc_opts hfsc_opts; - } pq_u; - - u_int32_t qid; /* return value */ -}; - struct pf_divert { union { struct in_addr ipv4; diff --git a/sys/netpfil/ipfw/ip_fw2.c b/sys/netpfil/ipfw/ip_fw2.c index 128afad..cd466bd 100644 --- a/sys/netpfil/ipfw/ip_fw2.c +++ b/sys/netpfil/ipfw/ip_fw2.c @@ -60,10 +60,11 @@ __FBSDID("$FreeBSD$"); #include <net/ethernet.h> /* for ETHERTYPE_IP */ #include <net/if.h> #include <net/route.h> -#include <net/pf_mtag.h> #include <net/pfil.h> #include <net/vnet.h> +#include <netpfil/pf/pf_mtag.h> + #include <netinet/in.h> #include <netinet/in_var.h> #include <netinet/in_pcb.h> diff --git a/sys/netpfil/pf/pf.c b/sys/netpfil/pf/pf.c index f3eb98e..cef5352 100644 --- a/sys/netpfil/pf/pf.c +++ b/sys/netpfil/pf/pf.c @@ -67,7 +67,6 @@ __FBSDID("$FreeBSD$"); #include <net/vnet.h> #include <net/pfvar.h> -#include <net/pf_mtag.h> #include <net/if_pflog.h> #include <net/if_pfsync.h> diff --git a/sys/netpfil/pf/pf.h b/sys/netpfil/pf/pf.h new file mode 100644 index 0000000..7d692d4 --- /dev/null +++ b/sys/netpfil/pf/pf.h @@ -0,0 +1,152 @@ +/* + * Copyright (c) 2001 Daniel Hartmeier + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ + * $FreeBSD$ + */ + +#ifndef _NET_PF_H_ +#define _NET_PF_H_ + +#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) +#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) + +#define PF_MD5_DIGEST_LENGTH 16 +#ifdef MD5_DIGEST_LENGTH +#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH +#error +#endif +#endif + +enum { PF_INOUT, PF_IN, PF_OUT }; +enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, + PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; +enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, + PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; +enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, + PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; +enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; +enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, + PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, + PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; +enum { PF_GET_NONE, PF_GET_CLR_CNTR }; +enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH }; + +/* + * Note about PFTM_*: real indices into pf_rule.timeout[] come before + * PFTM_MAX, special cases afterwards. See pf_state_expires(). + */ +enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, + PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, + PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, + PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, + PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, + PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, + PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, + PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED, + PFTM_UNTIL_PACKET }; + +/* PFTM default values */ +#define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ +#define PFTM_TCP_OPENING_VAL 30 /* No response yet */ +#define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ +#define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ +#define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ +#define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ +#define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ +#define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ +#define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ +#define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ +#define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ +#define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ +#define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ +#define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ +#define PFTM_FRAG_VAL 30 /* Fragment expire */ +#define PFTM_INTERVAL_VAL 10 /* Expire interval */ +#define PFTM_SRC_NODE_VAL 0 /* Source tracking */ +#define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ + +enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; +enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, + PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; +#define PF_POOL_IDMASK 0x0f +enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, + PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; +enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, + PF_ADDR_TABLE, PF_ADDR_URPFFAILED, + PF_ADDR_RANGE }; +#define PF_POOL_TYPEMASK 0x0f +#define PF_POOL_STICKYADDR 0x20 +#define PF_WSCALE_FLAG 0x80 +#define PF_WSCALE_MASK 0x0f + +#define PF_LOG 0x01 +#define PF_LOG_ALL 0x02 +#define PF_LOG_SOCKET_LOOKUP 0x04 + +/* Reasons code for passing/dropping a packet */ +#define PFRES_MATCH 0 /* Explicit match of a rule */ +#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ +#define PFRES_FRAG 2 /* Dropping following fragment */ +#define PFRES_SHORT 3 /* Dropping short packet */ +#define PFRES_NORM 4 /* Dropping by normalizer */ +#define PFRES_MEMORY 5 /* Dropped due to lacking mem */ +#define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ +#define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ +#define PFRES_IPOPTIONS 8 /* IP option */ +#define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ +#define PFRES_BADSTATE 10 /* State mismatch */ +#define PFRES_STATEINS 11 /* State insertion failure */ +#define PFRES_MAXSTATES 12 /* State limit */ +#define PFRES_SRCLIMIT 13 /* Source node/conn limit */ +#define PFRES_SYNPROXY 14 /* SYN proxy */ +#define PFRES_MAX 15 /* total+1 */ + +#define PFRES_NAMES { \ + "match", \ + "bad-offset", \ + "fragment", \ + "short", \ + "normalize", \ + "memory", \ + "bad-timestamp", \ + "congestion", \ + "ip-option", \ + "proto-cksum", \ + "state-mismatch", \ + "state-insert", \ + "state-limit", \ + "src-limit", \ + "synproxy", \ + NULL \ +} + +#define PF_TABLE_NAME_SIZE 32 +#define PF_QNAME_SIZE 64 + +#endif /* _NET_PF_H_ */ diff --git a/sys/netpfil/pf/pf_altq.h b/sys/netpfil/pf/pf_altq.h new file mode 100644 index 0000000..eda0965 --- /dev/null +++ b/sys/netpfil/pf/pf_altq.h @@ -0,0 +1,99 @@ +/* + * Copyright (c) 2001 Daniel Hartmeier + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above + * copyright notice, this list of conditions and the following + * disclaimer in the documentation and/or other materials provided + * with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ + * $FreeBSD$ + */ + +#ifndef _NET_PF_ALTQ_H_ +#define _NET_PF_ALTQ_H_ + +struct cbq_opts { + u_int minburst; + u_int maxburst; + u_int pktsize; + u_int maxpktsize; + u_int ns_per_byte; + u_int maxidle; + int minidle; + u_int offtime; + int flags; +}; + +struct priq_opts { + int flags; +}; + +struct hfsc_opts { + /* real-time service curve */ + u_int rtsc_m1; /* slope of the 1st segment in bps */ + u_int rtsc_d; /* the x-projection of m1 in msec */ + u_int rtsc_m2; /* slope of the 2nd segment in bps */ + /* link-sharing service curve */ + u_int lssc_m1; + u_int lssc_d; + u_int lssc_m2; + /* upper-limit service curve */ + u_int ulsc_m1; + u_int ulsc_d; + u_int ulsc_m2; + int flags; +}; + +struct pf_altq { + char ifname[IFNAMSIZ]; + + void *altq_disc; /* discipline-specific state */ + TAILQ_ENTRY(pf_altq) entries; + + /* scheduler spec */ + uint8_t scheduler; /* scheduler type */ + uint16_t tbrsize; /* tokenbucket regulator size */ + uint32_t ifbandwidth; /* interface bandwidth */ + + /* queue spec */ + char qname[PF_QNAME_SIZE]; /* queue name */ + char parent[PF_QNAME_SIZE]; /* parent name */ + uint32_t parent_qid; /* parent queue id */ + uint32_t bandwidth; /* queue bandwidth */ + uint8_t priority; /* priority */ + uint8_t local_flags; /* dynamic interface */ +#define PFALTQ_FLAG_IF_REMOVED 0x01 + + uint16_t qlimit; /* queue size limit */ + uint16_t flags; /* misc flags */ + union { + struct cbq_opts cbq_opts; + struct priq_opts priq_opts; + struct hfsc_opts hfsc_opts; + } pq_u; + + uint32_t qid; /* return value */ +}; + +#endif /* _NET_PF_ALTQ_H_ */ diff --git a/sys/netpfil/pf/pf_lb.c b/sys/netpfil/pf/pf_lb.c index 17d30fe..c93fbfd 100644 --- a/sys/netpfil/pf/pf_lb.c +++ b/sys/netpfil/pf/pf_lb.c @@ -48,7 +48,6 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/pfvar.h> #include <net/if_pflog.h> -#include <net/pf_mtag.h> #define DPFPRINTF(n, x) if (V_pf_status.debug >= (n)) printf x diff --git a/sys/net/pf_mtag.h b/sys/netpfil/pf/pf_mtag.h index baff00a..baff00a 100644 --- a/sys/net/pf_mtag.h +++ b/sys/netpfil/pf/pf_mtag.h diff --git a/sys/netpfil/pf/pf_norm.c b/sys/netpfil/pf/pf_norm.c index e1e9d5d..883b500 100644 --- a/sys/netpfil/pf/pf_norm.c +++ b/sys/netpfil/pf/pf_norm.c @@ -43,7 +43,6 @@ __FBSDID("$FreeBSD$"); #include <net/if.h> #include <net/vnet.h> #include <net/pfvar.h> -#include <net/pf_mtag.h> #include <net/if_pflog.h> #include <netinet/in.h> diff --git a/usr.bin/kdump/Makefile b/usr.bin/kdump/Makefile index f19bd16..1fe42f2 100644 --- a/usr.bin/kdump/Makefile +++ b/usr.bin/kdump/Makefile @@ -1,6 +1,8 @@ # @(#)Makefile 8.1 (Berkeley) 6/6/93 # $FreeBSD$ +.include <bsd.own.mk> + .if (${MACHINE_ARCH} == "amd64") SFX= 32 .endif @@ -12,6 +14,10 @@ SRCS= kdump_subr.c kdump.c ioctl.c subr.c DPSRCS= kdump_subr.h CFLAGS+= -I${.CURDIR}/../ktrace -I${.CURDIR} -I${.CURDIR}/../.. -I. +.if ${MK_PF} != "no" +CFLAGS+=-DPF +.endif + .if ${MACHINE_ARCH} == "amd64" || ${MACHINE_ARCH} == "i386" SRCS+= linux_syscalls.c .endif diff --git a/usr.bin/kdump/mkioctls b/usr.bin/kdump/mkioctls index 0dac684..a9ba860 100644 --- a/usr.bin/kdump/mkioctls +++ b/usr.bin/kdump/mkioctls @@ -21,7 +21,8 @@ LC_ALL=C; export LC_ALL # XXX should we use an ANSI cpp? ioctl_includes=$( cd $includedir - find -H -s * -name '*.h' | grep -v '.*disk.*\.h' | \ + find -H -s * -name '*.h' | \ + egrep -v '(.*disk.*|net/pfvar|net/if_pfsync)\.h' | \ xargs egrep -l \ '^#[ ]*define[ ]+[A-Za-z_][A-Za-z0-9_]*[ ]+_IO[^a-z0-9_]' | awk '{printf("#include <%s>\\n", $1)}' @@ -54,7 +55,10 @@ BEGIN { print "#include <net/ethernet.h>" print "#include <net/if.h>" print "#include <net/if_var.h>" + print "#ifdef PF" print "#include <net/pfvar.h>" + print "#include <net/if_pfsync.h>" + print "#endif" print "#include <net/route.h>" print "#include <netinet/in.h>" print "#include <netinet/ip_mroute.h>" diff --git a/usr.bin/netstat/Makefile b/usr.bin/netstat/Makefile index 1644aab..2432cfb 100644 --- a/usr.bin/netstat/Makefile +++ b/usr.bin/netstat/Makefile @@ -27,6 +27,10 @@ CFLAGS+=-DINET6 CFLAGS+=-DSDP .endif +.if ${MK_PF} != "no" +CFLAGS+=-DPF +.endif + BINGRP= kmem BINMODE=2555 DPADD= ${LIBKVM} ${LIBMEMSTAT} ${LIBUTIL} diff --git a/usr.bin/netstat/if.c b/usr.bin/netstat/if.c index 1ec0beb..e0f6e28 100644 --- a/usr.bin/netstat/if.c +++ b/usr.bin/netstat/if.c @@ -49,13 +49,15 @@ __FBSDID("$FreeBSD$"); #include <net/if_dl.h> #include <net/if_types.h> #include <net/ethernet.h> -#include <net/pfvar.h> -#include <net/if_pfsync.h> #include <netinet/in.h> #include <netinet/in_var.h> #include <netipx/ipx.h> #include <netipx/ipx_if.h> #include <arpa/inet.h> +#ifdef PF +#include <net/pfvar.h> +#include <net/if_pfsync.h> +#endif #include <err.h> #include <errno.h> @@ -81,6 +83,7 @@ static void sidewaysintpr(int); static char addr_buf[NI_MAXHOST]; /* for getnameinfo() */ #endif +#ifdef PF static const char* pfsyncacts[] = { /* PFSYNC_ACT_CLR */ "clear all request", /* PFSYNC_ACT_INS */ "state insert", @@ -155,6 +158,7 @@ pfsync_stats(u_long off, const char *name, int af1 __unused, int proto __unused) p(pfsyncs_oerrors, "\t\t%ju send error%s\n"); #undef p } +#endif /* PF */ /* * Display a formatted value, or a '-' in the same space. diff --git a/usr.bin/netstat/main.c b/usr.bin/netstat/main.c index 5c952ad..0876460 100644 --- a/usr.bin/netstat/main.c +++ b/usr.bin/netstat/main.c @@ -214,8 +214,10 @@ struct protox { pim_stats, NULL, "pim", 1, IPPROTO_PIM }, { -1, N_CARPSTAT, 1, NULL, carp_stats, NULL, "carp", 1, 0 }, +#ifdef PF { -1, N_PFSYNCSTAT, 1, NULL, pfsync_stats, NULL, "pfsync", 1, 0 }, +#endif { -1, N_ARPSTAT, 1, NULL, arp_stats, NULL, "arp", 1, 0 }, { -1, -1, 0, NULL, diff --git a/usr.sbin/bsnmpd/modules/Makefile b/usr.sbin/bsnmpd/modules/Makefile index d5706fe..45558b7 100644 --- a/usr.sbin/bsnmpd/modules/Makefile +++ b/usr.sbin/bsnmpd/modules/Makefile @@ -13,12 +13,15 @@ SUBDIR= ${_snmp_atm} \ snmp_hast \ snmp_hostres \ snmp_mibII \ - snmp_pf \ snmp_target \ snmp_usm \ snmp_vacm \ snmp_wlan +.if ${MK_PF} != "no" +SUBDIR+=snmp_pf +.endif + .if ${MK_NETGRAPH_SUPPORT} != "no" SUBDIR+=snmp_netgraph .endif diff --git a/usr.sbin/tcpdump/tcpdump/Makefile b/usr.sbin/tcpdump/tcpdump/Makefile index fe2a001..3ec7efd 100644 --- a/usr.sbin/tcpdump/tcpdump/Makefile +++ b/usr.sbin/tcpdump/tcpdump/Makefile @@ -89,7 +89,6 @@ SRCS= addrtoname.c \ print-olsr.c \ print-ospf.c \ print-otv.c \ - print-pfsync.c \ print-pgm.c \ print-pim.c \ print-ppi.c \ @@ -171,7 +170,8 @@ CFLAGS+= -DHAVE_LIBCRYPTO -DHAVE_OPENSSL_EVP_H .endif .if ${MK_PF} != "no" -SRCS+= print-pflog.c +SRCS+= print-pflog.c \ + print-pfsync.c CFLAGS+= -DHAVE_NET_PFVAR_H .endif |