Diffstat (limited to 'sys/contrib/pf/net/pfvar.h')
-rw-r--r-- | sys/contrib/pf/net/pfvar.h | 533 |
1 files changed, 315 insertions, 218 deletions
diff --git a/sys/contrib/pf/net/pfvar.h b/sys/contrib/pf/net/pfvar.h index d650f79..f741130 100644 --- a/sys/contrib/pf/net/pfvar.h +++ b/sys/contrib/pf/net/pfvar.h @@ -1,4 +1,5 @@ -/* $OpenBSD: pfvar.h,v 1.244 2007/02/23 21:31:51 deraadt Exp $ */ +/* $FreeBSD$ */ +/* $OpenBSD: pfvar.h,v 1.213 2005/03/03 07:13:39 dhartmei Exp $ */ /* * Copyright (c) 2001 Daniel Hartmeier @@ -37,26 +38,30 @@ #include <sys/types.h> #include <sys/queue.h> #include <sys/tree.h> -#include <sys/rwlock.h> #include <net/radix.h> #include <net/route.h> +#ifdef __FreeBSD__ +#include <net/if_clone.h> +#include <vm/uma.h> +#else #include <netinet/ip_ipsp.h> +#endif + +#ifdef __FreeBSD__ +#include <netinet/in.h> +#endif + #include <netinet/tcp_fsm.h> struct ip; -struct ip6_hdr; +#ifdef __FreeBSD__ +struct inpcb; +#endif #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) -#define PF_MD5_DIGEST_LENGTH 16 -#ifdef MD5_DIGEST_LENGTH -#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH -#error -#endif -#endif - enum { PF_INOUT, PF_IN, PF_OUT }; enum { PF_LAN_EXT, PF_EXT_GWY, PF_ID }; enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, @@ -69,8 +74,6 @@ enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; -enum { PF_GET_NONE, PF_GET_CLR_CNTR }; - /* * Note about PFTM_*: real indices into pf_rule.timeout[] come before * PFTM_MAX, special cases afterwards. See pf_state_expires(). 
@@ -82,8 +85,7 @@ enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, - PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED, - PFTM_UNTIL_PACKET }; + PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNTIL_PACKET }; /* PFTM default values */ #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ @@ -106,22 +108,17 @@ enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; -enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, - PF_LIMIT_TABLES, PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; +enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, PF_LIMIT_MAX }; #define PF_POOL_IDMASK 0x0f enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, - PF_ADDR_TABLE, PF_ADDR_RTLABEL, PF_ADDR_URPFFAILED }; + PF_ADDR_TABLE, PF_ADDR_RTLABEL }; #define PF_POOL_TYPEMASK 0x0f #define PF_POOL_STICKYADDR 0x20 #define PF_WSCALE_FLAG 0x80 #define PF_WSCALE_MASK 0x0f -#define PF_LOG 0x01 -#define PF_LOG_ALL 0x02 -#define PF_LOG_SOCKET_LOOKUP 0x04 - struct pf_addr { union { struct in_addr v4; @@ -153,6 +150,9 @@ struct pf_addr_wrap { } a; char ifname[IFNAMSIZ]; char tblname[PF_TABLE_NAME_SIZE]; +#ifdef __FreeBSD__ +#define RTLABEL_LEN 32 +#endif char rtlabelname[RTLABEL_LEN]; u_int32_t rtlabel; } v; 
@@ -169,25 +169,100 @@ struct pf_addr_wrap { #ifdef _KERNEL struct pfi_dynaddr { - TAILQ_ENTRY(pfi_dynaddr) entry; - struct pf_addr pfid_addr4; - struct pf_addr pfid_mask4; - struct pf_addr pfid_addr6; - struct pf_addr pfid_mask6; - struct pfr_ktable *pfid_kt; - struct pfi_kif *pfid_kif; - void *pfid_hook_cookie; - int pfid_net; /* mask or 128 */ - int pfid_acnt4; /* address count IPv4 */ - int pfid_acnt6; /* address count IPv6 */ - sa_family_t pfid_af; /* rule af */ - u_int8_t pfid_iflags; /* PFI_AFLAG_* */ + struct pf_addr pfid_addr4; + struct pf_addr pfid_mask4; + struct pf_addr pfid_addr6; + struct pf_addr pfid_mask6; + struct pfr_ktable *pfid_kt; + struct pfi_kif *pfid_kif; + void *pfid_hook_cookie; + int pfid_net; /* optional mask, or 128 */ + int pfid_acnt4; /* address count, IPv4 */ + int pfid_acnt6; /* address count, IPv6 */ + sa_family_t pfid_af; /* rule address family */ + u_int8_t pfid_iflags; /* PFI_AFLAG_* */ }; /* * Address manipulation macros */ +#ifdef __FreeBSD__ +#define splsoftnet() splnet() + +#define HTONL(x) (x) = htonl((__uint32_t)(x)) +#define HTONS(x) (x) = htons((__uint16_t)(x)) +#define NTOHL(x) (x) = ntohl((__uint32_t)(x)) +#define NTOHS(x) (x) = ntohs((__uint16_t)(x)) + +#define PF_NAME "pf" + +#define PR_NOWAIT M_NOWAIT +#define pool_get(p, f) uma_zalloc(*(p), (f)) +#define pool_put(p, o) uma_zfree(*(p), (o)) + +#define UMA_CREATE(var, type, desc) \ + var = uma_zcreate(desc, sizeof(type), \ + NULL, NULL, NULL, NULL, UMA_ALIGN_PTR, 0); \ + if (var == NULL) break +#define UMA_DESTROY(var) \ + if(var) uma_zdestroy(var) + +extern struct mtx pf_task_mtx; + +#define PF_ASSERT(h) mtx_assert(&pf_task_mtx, (h)) + +#define PF_LOCK() do { \ + PF_ASSERT(MA_NOTOWNED); \ + mtx_lock(&pf_task_mtx); \ +} while(0) +#define PF_UNLOCK() do { \ + PF_ASSERT(MA_OWNED); \ + mtx_unlock(&pf_task_mtx); \ +} while(0) + +#define PF_COPYIN(uaddr, kaddr, len, r) do { \ + PF_UNLOCK(); \ + r = copyin((uaddr), (kaddr), (len)); \ + PF_LOCK(); \ +} while(0) + +#define 
PF_COPYOUT(kaddr, uaddr, len, r) do { \ + PF_UNLOCK(); \ + r = copyout((kaddr), (uaddr), (len)); \ + PF_LOCK(); \ +} while(0) + +extern void init_pf_mutex(void); +extern void destroy_pf_mutex(void); + +#define PF_MODVER 1 +#define PFLOG_MODVER 1 +#define PFSYNC_MODVER 1 + +#define PFLOG_MINVER 1 +#define PFLOG_PREFVER PFLOG_MODVER +#define PFLOG_MAXVER 1 +#define PFSYNC_MINVER 1 +#define PFSYNC_PREFVER PFSYNC_MODVER +#define PFSYNC_MAXVER 1 + +/* prototyped for pf_subr.c */ +struct hook_desc { + TAILQ_ENTRY(hook_desc) hd_list; + void (*hd_fn)(void *); + void *hd_arg; +}; +TAILQ_HEAD(hook_desc_head, hook_desc); + +void *hook_establish(struct hook_desc_head *, int, void (*)(void *), void *); +void hook_disestablish(struct hook_desc_head *, void *); +void dohooks(struct hook_desc_head *, int); + +#define HOOK_REMOVE 0x01 +#define HOOK_FREE 0x02 +#endif /* __FreeBSD__ */ + #ifdef INET #ifndef INET6 #define PF_INET_ONLY 
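Review bot: `UMA_DESTROY(var)` expands to a bare `if(var) uma_zdestroy(var)`, so a caller writing `if (cond) UMA_DESTROY(z); else ...` silently binds the `else` to the macro's own `if`; wrap it as `#define UMA_DESTROY(var) do { if (var) uma_zdestroy(var); } while (0)` like the `PF_LOCK`/`PF_UNLOCK` macros in the same block already are. `UMA_CREATE` cannot take the same wrapper because its `if (var == NULL) break` relies on breaking out of the caller's enclosing loop or switch, which is a hidden control-flow dependency worth a comment such as `/* must be used inside a loop/switch; breaks out on allocation failure */`. `PF_COPYIN`/`PF_COPYOUT` release `pf_task_mtx` around the copy, so any pf state the caller looked up under the lock may have been modified or freed by the time `PF_LOCK()` returns; a comment at the macros stating that callers must revalidate after the copy would make that contract explicit.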
@@ -317,26 +392,23 @@ struct pfi_dynaddr { #endif /* PF_INET6_ONLY */ #endif /* PF_INET_INET6 */ -#define PF_MISMATCHAW(aw, x, af, neg, ifp) \ - ( \ - (((aw)->type == PF_ADDR_NOROUTE && \ - pf_routable((x), (af), NULL)) || \ - (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \ - pf_routable((x), (af), (ifp))) || \ - ((aw)->type == PF_ADDR_RTLABEL && \ - !pf_rtlabel_match((x), (af), (aw))) || \ - ((aw)->type == PF_ADDR_TABLE && \ - !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ - ((aw)->type == PF_ADDR_DYNIFTL && \ - !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ - ((aw)->type == PF_ADDR_ADDRMASK && \ - !PF_AZERO(&(aw)->v.a.mask, (af)) && \ - !PF_MATCHA(0, &(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))))) != \ - (neg) \ +#define PF_MISMATCHAW(aw, x, af, neg) \ + ( \ + (((aw)->type == PF_ADDR_NOROUTE && \ + pf_routable((x), (af))) || \ + ((aw)->type == PF_ADDR_RTLABEL && \ + !pf_rtlabel_match((x), (af), (aw))) || \ + ((aw)->type == PF_ADDR_TABLE && \ + !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ + ((aw)->type == PF_ADDR_DYNIFTL && \ + !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ + ((aw)->type == PF_ADDR_ADDRMASK && \ + !PF_AZERO(&(aw)->v.a.mask, (af)) && \ + !PF_MATCHA(0, &(aw)->v.a.addr, \ + &(aw)->v.a.mask, (x), (af)))) != \ + (neg) \ ) - struct pf_rule_uid { uid_t uid[2]; u_int8_t op; @@ -454,7 +526,6 @@ struct pf_os_fingerprint { #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */ #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */ #define PF_OSFP_TS0 0x2000 /* Zero timestamp */ -#define PF_OSFP_INET6 0x4000 /* IPv6 */ u_int8_t fp_optcnt; /* TCP option count */ u_int8_t fp_wscale; /* TCP window scaling */ u_int8_t fp_ttl; /* IPv4 TTL */ 
@@ -510,11 +581,11 @@ struct pf_rule { union pf_rule_ptr skip[PF_SKIP_COUNT]; #define PF_RULE_LABEL_SIZE 64 char label[PF_RULE_LABEL_SIZE]; -#define PF_QNAME_SIZE 64 +#define PF_QNAME_SIZE 16 char ifname[IFNAMSIZ]; char qname[PF_QNAME_SIZE]; char pqname[PF_QNAME_SIZE]; -#define PF_TAG_NAME_SIZE 64 +#define PF_TAG_NAME_SIZE 16 char tagname[PF_TAG_NAME_SIZE]; char match_tagname[PF_TAG_NAME_SIZE]; @@ -524,8 +595,8 @@ struct pf_rule { struct pf_pool rpool; u_int64_t evaluations; - u_int64_t packets[2]; - u_int64_t bytes[2]; + u_int64_t packets; + u_int64_t bytes; struct pfi_kif *kif; struct pf_anchor *anchor; @@ -533,7 +604,6 @@ struct pf_rule { pf_osfp_t os_fingerprint; - int rtableid; u_int32_t timeout[PFTM_MAX]; u_int32_t states; u_int32_t max_states; @@ -550,8 +620,6 @@ struct pf_rule { u_int32_t rt_listid; u_int32_t nr; u_int32_t prob; - uid_t cuid; - pid_t cpid; u_int16_t return_icmp; u_int16_t return_icmp6; @@ -566,7 +634,6 @@ struct pf_rule { u_int8_t action; u_int8_t direction; u_int8_t log; - u_int8_t logif; u_int8_t quick; u_int8_t ifnot; u_int8_t match_tag_not; @@ -614,10 +681,9 @@ struct pf_rule { /* rule flags again */ #define PFRULE_IFBOUND 0x00010000 /* if-bound */ +#define PFRULE_GRBOUND 0x00020000 /* group-bound */ #define PFSTATE_HIWAT 10000 /* default state table size */ -#define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ -#define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */ struct pf_threshold { @@ -635,8 +701,8 @@ struct pf_src_node { struct pf_addr raddr; union pf_rule_ptr rule; struct pfi_kif *kif; - u_int64_t bytes[2]; - u_int64_t packets[2]; + u_int32_t bytes; + u_int32_t packets; u_int32_t states; u_int32_t conn; struct pf_threshold conn_rate; 
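Review bot: `pf_src_node` now carries `bytes` and `packets` as `u_int32_t`, so the byte counter wraps after 4 GiB on a single source node, while `pf_rule` in this same hunk and `pfi_if` later in the diff keep `u_int64_t`; if the narrowing is intended, a comment at the two fields noting the wrap would keep the next reader from treating it as a bug. The hunk also shrinks `PF_QNAME_SIZE` and `PF_TAG_NAME_SIZE` from 64 to 16 and removes several `pf_rule` members, which changes `sizeof(struct pf_rule)` and therefore the encoding of every `_IOWR('D', n, struct pfioc_rule)` ioctl; a pfctl built against the previous layout will presumably fail with ENOTTY rather than corrupt a copyin, but since `PF_MODVER` stays at 1 the header should say that userland must be rebuilt in lockstep. `struct pf_rule` starts and ends outside this hunk.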
@@ -678,53 +744,26 @@ struct pf_state_peer { u_int8_t state; /* active state level */ u_int8_t wscale; /* window scaling factor */ u_int16_t mss; /* Maximum segment size option */ - u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */ struct pf_state_scrub *scrub; /* state is scrubbed */ - u_int8_t pad[3]; }; TAILQ_HEAD(pf_state_queue, pf_state); -/* keep synced with struct pf_state, used in RB_FIND */ -struct pf_state_cmp { - u_int64_t id; - u_int32_t creatorid; - struct pf_state_host lan; - struct pf_state_host gwy; - struct pf_state_host ext; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; - u_int8_t pad; -}; - struct pf_state { u_int64_t id; - u_int32_t creatorid; - struct pf_state_host lan; - struct pf_state_host gwy; - struct pf_state_host ext; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; - u_int8_t pad; - u_int8_t log; - u_int8_t allow_opts; - u_int8_t timeout; - u_int8_t sync_flags; -#define PFSTATE_NOSYNC 0x01 -#define PFSTATE_FROMSYNC 0x02 -#define PFSTATE_STALE 0x04 union { struct { RB_ENTRY(pf_state) entry_lan_ext; RB_ENTRY(pf_state) entry_ext_gwy; RB_ENTRY(pf_state) entry_id; - TAILQ_ENTRY(pf_state) entry_list; + TAILQ_ENTRY(pf_state) entry_updates; struct pfi_kif *kif; } s; char ifname[IFNAMSIZ]; } u; + struct pf_state_host lan; + struct pf_state_host gwy; + struct pf_state_host ext; struct pf_state_peer src; struct pf_state_peer dst; union pf_rule_ptr rule; 
@@ -734,12 +773,30 @@ struct pf_state { struct pfi_kif *rt_kif; struct pf_src_node *src_node; struct pf_src_node *nat_src_node; - u_int64_t packets[2]; - u_int64_t bytes[2]; u_int32_t creation; u_int32_t expire; u_int32_t pfsync_time; + u_int32_t packets[2]; + u_int32_t bytes[2]; + u_int32_t creatorid; u_int16_t tag; + sa_family_t af; + u_int8_t proto; + u_int8_t direction; + u_int8_t log; + u_int8_t allow_opts; + u_int8_t timeout; + u_int8_t sync_flags; +#define PFSTATE_NOSYNC 0x01 +#define PFSTATE_FROMSYNC 0x02 +#define PFSTATE_STALE 0x04 +#ifdef __FreeBSD__ + u_int8_t local_flags; +#define PFSTATE_EXPIRING 0x01 +#define PFSTATE_SRC_CONN 0x02 +#else + u_int8_t pad; +#endif }; TAILQ_HEAD(pf_rulequeue, pf_rule); @@ -751,8 +808,6 @@ struct pf_ruleset { struct pf_rulequeue queues[2]; struct { struct pf_rulequeue *ptr; - struct pf_rule **ptr_array; - u_int32_t rcount; u_int32_t ticket; int open; } active, inactive; @@ -774,7 +829,6 @@ struct pf_anchor { char path[MAXPATHLEN]; struct pf_ruleset ruleset; int refcnt; /* anchor rules */ - int match; }; RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare); RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare); @@ -841,6 +895,15 @@ struct pfr_tstats { #define pfrts_name pfrts_t.pfrt_name #define pfrts_flags pfrts_t.pfrt_flags +#ifndef _SOCKADDR_UNION_DEFINED +#define _SOCKADDR_UNION_DEFINED +union sockaddr_union { + struct sockaddr sa; + struct sockaddr_in sin; + struct sockaddr_in6 sin6; +}; +#endif /* _SOCKADDR_UNION_DEFINED */ + SLIST_HEAD(pfr_kentryworkq, pfr_kentry); struct pfr_kentry { struct radix_node pfrke_node[2]; 
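Review bot: `PFSTATE_EXPIRING` and `PFSTATE_SRC_CONN` are defined with the same values as `PFSTATE_NOSYNC` and `PFSTATE_FROMSYNC` directly above them, and only the `#ifdef __FreeBSD__` line separates the two sets, so a reader scanning the flag list can easily OR one set into the wrong field. The overlap is harmless only because the first set lives in `sync_flags` and the second in `local_flags`; a comment such as `/* local_flags: FreeBSD-only, not synced; distinct field from sync_flags */` at the `local_flags` member would make that boundary explicit. `struct pf_state` starts outside this hunk.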
@@ -891,47 +954,56 @@ RB_HEAD(pf_state_tree_ext_gwy, pf_state); RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state, u.s.entry_ext_gwy, pf_state_compare_ext_gwy); -TAILQ_HEAD(pfi_statehead, pfi_kif); -RB_HEAD(pfi_ifhead, pfi_kif); - -/* keep synced with pfi_kif, used in RB_FIND */ -struct pfi_kif_cmp { - char pfik_name[IFNAMSIZ]; +struct pfi_if { + char pfif_name[IFNAMSIZ]; + u_int64_t pfif_packets[2][2][2]; + u_int64_t pfif_bytes[2][2][2]; + u_int64_t pfif_addcnt; + u_int64_t pfif_delcnt; + long pfif_tzero; + int pfif_states; + int pfif_rules; + int pfif_flags; }; +TAILQ_HEAD(pfi_grouphead, pfi_kif); +TAILQ_HEAD(pfi_statehead, pfi_kif); +RB_HEAD(pfi_ifhead, pfi_kif); struct pfi_kif { - char pfik_name[IFNAMSIZ]; + struct pfi_if pfik_if; RB_ENTRY(pfi_kif) pfik_tree; - u_int64_t pfik_packets[2][2][2]; - u_int64_t pfik_bytes[2][2][2]; - u_int32_t pfik_tzero; - int pfik_flags; struct pf_state_tree_lan_ext pfik_lan_ext; struct pf_state_tree_ext_gwy pfik_ext_gwy; + struct pfi_grouphead pfik_grouphead; + TAILQ_ENTRY(pfi_kif) pfik_instances; TAILQ_ENTRY(pfi_kif) pfik_w_states; + struct hook_desc_head *pfik_ah_head; void *pfik_ah_cookie; + struct pfi_kif *pfik_parent; struct ifnet *pfik_ifp; - struct ifg_group *pfik_group; int pfik_states; int pfik_rules; - TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs; }; - -enum pfi_kif_refs { - PFI_KIF_REF_NONE, - PFI_KIF_REF_STATE, - PFI_KIF_REF_RULE -}; - +#define pfik_name pfik_if.pfif_name +#define pfik_packets pfik_if.pfif_packets +#define pfik_bytes pfik_if.pfif_bytes +#define pfik_tzero pfik_if.pfif_tzero +#define pfik_flags pfik_if.pfif_flags +#define pfik_addcnt pfik_if.pfif_addcnt +#define pfik_delcnt pfik_if.pfif_delcnt +#define pfik_states pfik_if.pfif_states +#define pfik_rules pfik_if.pfif_rules + +#define PFI_IFLAG_GROUP 0x0001 /* group of interfaces */ +#define PFI_IFLAG_INSTANCE 0x0002 /* single instance */ +#define PFI_IFLAG_CLONABLE 0x0010 /* clonable group */ +#define PFI_IFLAG_DYNAMIC 0x0020 /* dynamic group */ +#define 
PFI_IFLAG_ATTACHED 0x0040 /* interface attached */ #define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */ +#define PFI_IFLAG_SETABLE_MASK 0x0100 /* setable via DIOC{SET,CLR}IFFLAG */ +#define PFI_IFLAG_PLACEHOLDER 0x8000 /* placeholder group/interface */ struct pf_pdesc { - struct { - int done; - uid_t uid; - gid_t gid; - pid_t pid; - } lookup; u_int64_t tot_len; /* Make Mickey money */ union { struct tcphdr *tcp; @@ -949,7 +1021,6 @@ struct pf_pdesc { struct pf_addr *dst; struct ether_header *eh; - struct pf_mtag *pf_mtag; u_int16_t *ip_sum; u_int32_t p_len; /* total length of payload */ u_int16_t flags; /* Let SCRUB trigger behavior in @@ -1090,7 +1161,6 @@ struct pf_status { u_int32_t debug; u_int32_t hostid; char ifname[IFNAMSIZ]; - u_int8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; }; struct cbq_opts { @@ -1153,20 +1223,6 @@ struct pf_altq { u_int32_t qid; /* return value */ }; -#define PF_TAG_GENERATED 0x01 -#define PF_TAG_FRAGCACHE 0x02 -#define PF_TAG_TRANSLATE_LOCALHOST 0x04 - -struct pf_mtag { - void *hdr; /* saved hdr pos in mbuf, for ECN */ - u_int rtableid; /* alternate routing table id */ - u_int32_t qid; /* queue id */ - u_int16_t tag; /* tag id */ - u_int8_t flags; - u_int8_t routed; - sa_family_t af; /* for ECN */ -}; - struct pf_tag { u_int16_t tag; /* tag id */ }; @@ -1183,10 +1239,6 @@ struct pf_tagname { #define PFFRAG_FRCENT_HIWAT 50000 /* Number of fragment cache entries */ #define PFFRAG_FRCACHE_HIWAT 10000 /* Number of fragment descriptors */ -#define PFR_KTABLE_HIWAT 1000 /* Number of tables */ -#define PFR_KENTRY_HIWAT 200000 /* Number of table entries */ -#define PFR_KENTRY_HIWAT_SMALL 100000 /* Number of table entries (tiny hosts) */ - /* * ioctl parameter structures */ 
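Review bot: `struct pfi_kif` still declares `int pfik_states;` and `int pfik_rules;` as members, but the `#define pfik_states pfik_if.pfif_states` and `#define pfik_rules pfik_if.pfif_rules` lines that follow rewrite every later use of those names to the embedded `pfi_if` fields, so the two struct members become unreachable by name and only add dead padding; either drop them or give them names the macros do not shadow. `PFI_IFLAG_SETABLE_MASK` is spelled as the literal `0x0100`, which happens to equal `PFI_IFLAG_SKIP`; writing it as `#define PFI_IFLAG_SETABLE_MASK PFI_IFLAG_SKIP /* setable via DIOC{SET,CLR}IFFLAG */` ties the mask to the one flag it is meant to permit. The ioctl handler is not in this header, so I cannot confirm it ANDs user-supplied flags with this mask before storing them; if it does not, userland could set `PFI_IFLAG_GROUP`, `PFI_IFLAG_ATTACHED` or `PFI_IFLAG_PLACEHOLDER` on a kif, which is worth checking.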
@@ -1232,13 +1284,6 @@ struct pfioc_state { struct pf_state state; }; -struct pfioc_src_node_kill { - /* XXX returns the number of src nodes killed in psnk_af */ - sa_family_t psnk_af; - struct pf_rule_addr psnk_src; - struct pf_rule_addr psnk_dst; -}; - struct pfioc_state_kill { /* XXX returns the number of states killed in psk_af */ sa_family_t psk_af; @@ -1346,6 +1391,11 @@ struct pfioc_table { #define pfrio_setflag pfrio_size2 #define pfrio_clrflag pfrio_nadd + +#define PFI_FLAG_GROUP 0x0001 /* gets groups of interfaces */ +#define PFI_FLAG_INSTANCE 0x0002 /* gets single interfaces */ +#define PFI_FLAG_ALLMASK 0x0003 + struct pfioc_iface { char pfiio_name[IFNAMSIZ]; void *pfiio_buffer; @@ -1424,9 +1474,16 @@ struct pfioc_iface { #define DIOCCLRSRCNODES _IO('D', 85) #define DIOCSETHOSTID _IOWR('D', 86, u_int32_t) #define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface) +#define DIOCICLRISTATS _IOWR('D', 88, struct pfioc_iface) #define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface) #define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface) -#define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill) +#ifdef __FreeBSD__ +struct pf_ifspeed { + char ifname[IFNAMSIZ]; + u_int32_t baudrate; +}; +#define DIOCGIFSPEED _IOWR('D', 91, struct pf_ifspeed) +#endif #ifdef _KERNEL RB_HEAD(pf_src_tree, pf_src_node); @@ -1437,13 +1494,16 @@ RB_HEAD(pf_state_tree_id, pf_state); RB_PROTOTYPE(pf_state_tree_id, pf_state, entry_id, pf_state_compare_id); extern struct pf_state_tree_id tree_id; -extern struct pf_state_queue state_list; +extern struct pf_state_queue state_updates; +extern struct pf_anchor_global pf_anchors; +extern struct pf_ruleset pf_main_ruleset; TAILQ_HEAD(pf_poolqueue, pf_pool); extern struct pf_poolqueue pf_pools[2]; TAILQ_HEAD(pf_altqqueue, pf_altq); extern struct pf_altqqueue pf_altqs[2]; extern struct pf_palist pf_pabuf; +extern struct pfi_kif **pfi_index2kif; extern u_int32_t ticket_altqs_active; extern u_int32_t ticket_altqs_inactive; 
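Review bot: `DIOCGIFSPEED` is assigned `_IOWR('D', 91, struct pf_ifspeed)` inside the `__FreeBSD__` block, the same command number the removed `DIOCKILLSRCNODES` used; because the argument size is encoded in the ioctl number the two will not collide at runtime, but a later resync with upstream, where 91 is taken, will have to renumber it. Adding `/* FreeBSD-only; 91 is DIOCKILLSRCNODES upstream */` next to the define, or choosing a number outside the upstream sequence, records the hazard. The new `PFI_FLAG_GROUP`/`PFI_FLAG_INSTANCE`/`PFI_FLAG_ALLMASK` values are presumably what the `DIOCIGETIFACES` handler checks the caller's flags against; that handler is outside this header, so whether it rejects bits outside `PFI_FLAG_ALLMASK` cannot be confirmed here and should be verified.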
@@ -1458,25 +1518,38 @@ extern int pf_tbladdr_setup(struct pf_ruleset *, extern void pf_tbladdr_remove(struct pf_addr_wrap *); extern void pf_tbladdr_copyout(struct pf_addr_wrap *); extern void pf_calc_skip_steps(struct pf_rulequeue *); +#ifdef __FreeBSD__ +extern uma_zone_t pf_src_tree_pl, pf_rule_pl; +extern uma_zone_t pf_state_pl, pf_altq_pl, pf_pooladdr_pl; +extern uma_zone_t pfr_ktable_pl, pfr_kentry_pl, pfr_kentry_pl2; +extern uma_zone_t pf_cache_pl, pf_cent_pl; +extern uma_zone_t pf_state_scrub_pl; +extern uma_zone_t pfi_addr_pl; +#else extern struct pool pf_src_tree_pl, pf_rule_pl; extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl; extern struct pool pf_state_scrub_pl; -extern void pf_purge_thread(void *); -extern void pf_purge_expired_src_nodes(int); -extern void pf_purge_expired_states(u_int32_t); -extern void pf_unlink_state(struct pf_state *); -extern void pf_free_state(struct pf_state *); +#endif +extern void pf_purge_timeout(void *); +extern void pf_purge_expired_src_nodes(void); +extern void pf_purge_expired_states(void); +extern void pf_purge_expired_state(struct pf_state *); extern int pf_insert_state(struct pfi_kif *, struct pf_state *); extern int pf_insert_src_node(struct pf_src_node **, struct pf_rule *, struct pf_addr *, sa_family_t); void pf_src_tree_remove_state(struct pf_state *); -extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *); -extern struct pf_state *pf_find_state_all(struct pf_state_cmp *key, +extern struct pf_state *pf_find_state_byid(struct pf_state *); +extern struct pf_state *pf_find_state_all(struct pf_state *key, u_int8_t tree, int *more); extern void pf_print_state(struct pf_state *); extern void pf_print_flags(u_int8_t); +extern struct pf_anchor *pf_find_anchor(const char *); +extern struct pf_ruleset *pf_find_ruleset(const char *); +extern struct pf_ruleset *pf_find_or_create_ruleset(const char *); +extern void pf_remove_if_empty_ruleset( + struct pf_ruleset *); extern u_int16_t 
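Review bot: The new `pf_purge_timeout`, `pf_purge_expired_*`, `pf_insert_state` and `pf_find_state_*` prototypes say nothing about which lock the caller must hold, yet this same diff introduces `PF_LOCK()`/`PF_ASSERT()` on `pf_task_mtx` for FreeBSD; since these functions walk and modify the shared state trees they presumably require `pf_task_mtx` held (or, for the timeout callback, acquire it themselves), and a `/* caller holds pf_task_mtx */` comment on each declaration, or one block comment above the group, would make the contract visible. `pf_find_state_byid` and `pf_find_state_all` now take a full `struct pf_state *` as the lookup key in place of the removed `pf_state_cmp`; a comment naming which members of the key the comparators read would save callers from zeroing the whole struct defensively.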
pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t, u_int8_t); @@ -1488,11 +1561,21 @@ void pf_rm_rule(struct pf_rulequeue *, struct pf_rule *); #ifdef INET +#ifdef __FreeBSD__ +int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *, + struct inpcb *); +#else int pf_test(int, struct ifnet *, struct mbuf **, struct ether_header *); +#endif #endif /* INET */ #ifdef INET6 +#ifdef __FreeBSD__ +int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *, + struct inpcb *); +#else int pf_test6(int, struct ifnet *, struct mbuf **, struct ether_header *); +#endif void pf_poolmask(struct pf_addr *, struct pf_addr*, struct pf_addr *, struct pf_addr *, u_int8_t); void pf_addr_inc(struct pf_addr *, sa_family_t); @@ -1502,8 +1585,7 @@ void *pf_pull_hdr(struct mbuf *, int, void *, int, u_short *, u_short *, sa_family_t); void pf_change_a(void *, u_int16_t *, u_int32_t, u_int8_t); int pflog_packet(struct pfi_kif *, struct mbuf *, sa_family_t, u_int8_t, - u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *, - struct pf_pdesc *); + u_int8_t, struct pf_rule *, struct pf_rule *, struct pf_ruleset *); int pf_match_addr(u_int8_t, struct pf_addr *, struct pf_addr *, struct pf_addr *, sa_family_t); int pf_match(u_int8_t, u_int32_t, u_int32_t, u_int32_t); @@ -1527,9 +1609,8 @@ int pf_normalize_tcp_stateful(struct mbuf *, int, struct pf_pdesc *, u_int32_t pf_state_expires(const struct pf_state *); void pf_purge_expired_fragments(void); -int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *); +int pf_routable(struct pf_addr *addr, sa_family_t af); int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *); -int pf_socket_lookup(int, struct pf_pdesc *); void pfr_initialize(void); int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t); void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t, 
@@ -1554,7 +1635,7 @@ int pfr_add_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int pfr_del_addrs(struct pfr_table *, struct pfr_addr *, int, int *, int); int pfr_set_addrs(struct pfr_table *, struct pfr_addr *, int, int *, - int *, int *, int *, int, u_int32_t); + int *, int *, int *, int); int pfr_get_addrs(struct pfr_table *, struct pfr_addr *, int *, int); int pfr_get_astats(struct pfr_table *, struct pfr_astats *, int *, int); int pfr_clr_astats(struct pfr_table *, struct pfr_addr *, int, int *, 
@@ -1567,44 +1648,49 @@ int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int); int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *, int *, u_int32_t, int); -extern struct pfi_statehead pfi_statehead; -extern struct pfi_kif *pfi_all; - void pfi_initialize(void); -struct pfi_kif *pfi_kif_get(const char *); -void pfi_kif_ref(struct pfi_kif *, enum pfi_kif_refs); -void pfi_kif_unref(struct pfi_kif *, enum pfi_kif_refs); -int pfi_kif_match(struct pfi_kif *, struct pfi_kif *); +#ifdef __FreeBSD__ +void pfi_cleanup(void); +#endif +void pfi_attach_clone(struct if_clone *); void pfi_attach_ifnet(struct ifnet *); void pfi_detach_ifnet(struct ifnet *); -void pfi_attach_ifgroup(struct ifg_group *); -void pfi_detach_ifgroup(struct ifg_group *); -void pfi_group_change(const char *); -int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, - sa_family_t); +struct pfi_kif *pfi_lookup_create(const char *); +struct pfi_kif *pfi_lookup_if(const char *); +int pfi_maybe_destroy(struct pfi_kif *); +struct pfi_kif *pfi_attach_rule(const char *); +void pfi_detach_rule(struct pfi_kif *); +void pfi_attach_state(struct pfi_kif *); +void pfi_detach_state(struct pfi_kif *); int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t); -void pfi_dynaddr_remove(struct pf_addr_wrap *); void pfi_dynaddr_copyout(struct pf_addr_wrap *); +void pfi_dynaddr_remove(struct pf_addr_wrap *); void pfi_fill_oldstatus(struct pf_status *); -int pfi_clr_istats(const char *); -int pfi_get_ifaces(const char *, struct pfi_kif *, int *); +int pfi_clr_istats(const char *, int *, int); +int pfi_get_ifaces(const char *, struct pfi_if *, int *, int); int pfi_set_flags(const char *, int); int pfi_clear_flags(const char *, int); +int pfi_match_addr(struct pfi_dynaddr *, struct pf_addr *, + sa_family_t); -u_int16_t pf_tagname2tag(char *); -void pf_tag2tagname(u_int16_t, char *); -void pf_tag_ref(u_int16_t); -void pf_tag_unref(u_int16_t); -int pf_tag_packet(struct mbuf *, struct pf_mtag *, 
int, int); -u_int32_t pf_qname2qid(char *); -void pf_qid2qname(u_int32_t, char *); -void pf_qid_unref(u_int32_t); -struct pf_mtag *pf_find_mtag(struct mbuf *); -struct pf_mtag *pf_get_mtag(struct mbuf *); +extern struct pfi_statehead pfi_statehead; + +u_int16_t pf_tagname2tag(char *); +void pf_tag2tagname(u_int16_t, char *); +void pf_tag_ref(u_int16_t); +void pf_tag_unref(u_int16_t); +int pf_tag_packet(struct mbuf *, struct pf_tag *, int); +u_int32_t pf_qname2qid(char *); +void pf_qid2qname(u_int32_t, char *); +void pf_qid_unref(u_int32_t); extern struct pf_status pf_status; + +#ifdef __FreeBSD__ +extern uma_zone_t pf_frent_pl, pf_frag_pl; +#else extern struct pool pf_frent_pl, pf_frag_pl; -extern struct rwlock pf_consistency_lock; +#endif struct pf_pool_limit { void *pp; 
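Review bot: `pf_tagname2tag(char *)` and `pf_qname2qid(char *)` take non-const `char *`, which forces any caller holding a `const char *` name to cast; if these functions only read the name, which their names suggest but this header cannot show, declaring them `u_int16_t pf_tagname2tag(const char *);` and `u_int32_t pf_qname2qid(const char *);` documents that the argument is not modified. `pf_tag_packet(struct mbuf *, struct pf_tag *, int)` would likewise benefit from a short comment naming what the trailing `int` selects, since the prototype gives no hint.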
@@ -1612,30 +1698,37 @@ struct pf_pool_limit { }; extern struct pf_pool_limit pf_pool_limits[PF_LIMIT_MAX]; -#endif /* _KERNEL */ +#ifdef __FreeBSD__ +struct pf_frent { + LIST_ENTRY(pf_frent) fr_next; + struct ip *fr_ip; + struct mbuf *fr_m; +}; -extern struct pf_anchor_global pf_anchors; -extern struct pf_anchor pf_main_anchor; -#define pf_main_ruleset pf_main_anchor.ruleset - -/* these ruleset functions can be linked into userland programs (pfctl) */ -int pf_get_ruleset_number(u_int8_t); -void pf_init_ruleset(struct pf_ruleset *); -int pf_anchor_setup(struct pf_rule *, - const struct pf_ruleset *, const char *); -int pf_anchor_copyout(const struct pf_ruleset *, - const struct pf_rule *, struct pfioc_rule *); -void pf_anchor_remove(struct pf_rule *); -void pf_remove_if_empty_ruleset(struct pf_ruleset *); -struct pf_anchor *pf_find_anchor(const char *); -struct pf_ruleset *pf_find_ruleset(const char *); -struct pf_ruleset *pf_find_or_create_ruleset(const char *); -void pf_rs_initialize(void); +struct pf_frcache { + LIST_ENTRY(pf_frcache) fr_next; + uint16_t fr_off; + uint16_t fr_end; +}; -#ifdef _KERNEL -int pf_anchor_copyout(const struct pf_ruleset *, - const struct pf_rule *, struct pfioc_rule *); -void pf_anchor_remove(struct pf_rule *); +struct pf_fragment { + RB_ENTRY(pf_fragment) fr_entry; + TAILQ_ENTRY(pf_fragment) frag_next; + struct in_addr fr_src; + struct in_addr fr_dst; + u_int8_t fr_p; /* protocol of this fragment */ + u_int8_t fr_flags; /* status flags */ + u_int16_t fr_id; /* fragment id for reassemble */ + u_int16_t fr_max; /* fragment data max */ + u_int32_t fr_timeout; +#define fr_queue fr_u.fru_queue +#define fr_cache fr_u.fru_cache + union { + LIST_HEAD(pf_fragq, pf_frent) fru_queue; /* buffering */ + LIST_HEAD(pf_cacheq, pf_frcache) fru_cache; /* non-buf */ + } fr_u; +}; +#endif /* (__FreeBSD__) */ #endif /* _KERNEL */ 
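Review bot: `struct pf_frcache` declares `fr_off` and `fr_end` as `uint16_t` while the adjacent `struct pf_fragment` and the rest of this header use the BSD `u_int16_t` spelling; the types are identical, but the mixed spelling reads like a paste from another file, so `u_int16_t fr_off;` and `u_int16_t fr_end;` keep the header consistent. The closing `#endif /* (__FreeBSD__) */` is also the only FreeBSD guard in this diff written with parentheses; the others close with `#endif /* __FreeBSD__ */`. A one-line comment above `struct pf_frent` saying why FreeBSD needs the fragment structures in the shared header rather than private to the normalization code would help the next reader, since nothing in the hunk explains it.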
@@ -1647,11 +1740,15 @@ struct pf_osfp_enlist * const struct tcphdr *); #endif /* _KERNEL */ struct pf_osfp_enlist * - pf_osfp_fingerprint_hdr(const struct ip *, const struct ip6_hdr *, - const struct tcphdr *); + pf_osfp_fingerprint_hdr(const struct ip *, const struct tcphdr *); void pf_osfp_flush(void); int pf_osfp_get(struct pf_osfp_ioctl *); +#ifdef __FreeBSD__ +int pf_osfp_initialize(void); +void pf_osfp_cleanup(void); +#else void pf_osfp_initialize(void); +#endif int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t); struct pf_os_fingerprint * pf_osfp_validate(void); |