1 | /* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */ |
2 | |
3 | /*- |
4 | * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. |
5 | * All rights reserved. |
6 | * |
7 | * This material is based upon work partially supported by The |
8 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
9 | * |
10 | * Redistribution and use in source and binary forms, with or without |
11 | * modification, are permitted provided that the following conditions |
12 | * are met: |
13 | * 1. Redistributions of source code must retain the above copyright |
14 | * notice, this list of conditions and the following disclaimer. |
15 | * 2. Redistributions in binary form must reproduce the above copyright |
16 | * notice, this list of conditions and the following disclaimer in the |
17 | * documentation and/or other materials provided with the distribution. |
18 | * |
19 | * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
20 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
21 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
22 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
23 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
24 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
25 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
26 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
27 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
28 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
29 | * POSSIBILITY OF SUCH DAMAGE. |
30 | */ |
31 | |
32 | /* |
33 | * Public NPF interfaces. |
34 | */ |
35 | |
36 | #ifndef _NPF_NET_H_ |
37 | #define _NPF_NET_H_ |
38 | |
39 | #include <sys/param.h> |
40 | #include <sys/types.h> |
41 | |
42 | #include <sys/ioctl.h> |
43 | #include <prop/proplib.h> |
44 | |
45 | #include <netinet/in_systm.h> |
46 | #include <netinet/in.h> |
47 | |
48 | #define NPF_VERSION 17 |
49 | |
50 | /* |
51 | * Public declarations and definitions. |
52 | */ |
53 | |
54 | /* Storage of address (both for IPv4 and IPv6) and netmask */ |
55 | typedef struct in6_addr npf_addr_t; |
56 | typedef uint8_t npf_netmask_t; |
57 | |
58 | #define NPF_MAX_NETMASK (128) |
59 | #define NPF_NO_NETMASK ((npf_netmask_t)~0) |
60 | |
61 | /* BPF coprocessor. */ |
62 | #if defined(NPF_BPFCOP) |
63 | #define NPF_COP_L3 0 |
64 | #define NPF_COP_TABLE 1 |
65 | |
66 | #define BPF_MW_IPVER 0 |
67 | #define BPF_MW_L4OFF 1 |
68 | #define BPF_MW_L4PROTO 2 |
69 | #endif |
70 | /* The number of words used. */ |
71 | #define NPF_BPF_NWORDS 3 |
72 | |
73 | #if defined(_KERNEL) |
74 | |
75 | #define NPF_DECISION_BLOCK 0 |
76 | #define NPF_DECISION_PASS 1 |
77 | |
78 | #define NPF_EXT_MODULE(name, req) \ |
79 | MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf") |
80 | |
81 | #include <net/if.h> |
82 | #include <netinet/ip.h> |
83 | #include <netinet/ip6.h> |
84 | #include <netinet/tcp.h> |
85 | #include <netinet/udp.h> |
86 | #include <netinet/ip_icmp.h> |
87 | #include <netinet/icmp6.h> |
88 | |
89 | /* |
90 | * Network buffer interface. |
91 | */ |
92 | |
93 | #define NBUF_DATAREF_RESET 0x01 |
94 | |
typedef struct {
	/*
	 * The packet being inspected.  nbuf_init() attaches an mbuf and the
	 * interface; nbuf_head_mbuf() hands back the head of the chain.
	 * NOTE(review): nb_mbuf0 looks like the chain head and nb_mbuf the
	 * mbuf holding the current position -- confirm in the nbuf code.
	 */
	struct mbuf *	nb_mbuf0;
	struct mbuf *	nb_mbuf;
	/* Current data position; presumably what nbuf_dataptr() returns. */
	void *		nb_nptr;
	/* Interface the packet is associated with, and its index. */
	const ifnet_t *	nb_ifp;
	unsigned	nb_ifid;
	/*
	 * NBUF_* flags (see NBUF_DATAREF_RESET); presumably what
	 * nbuf_flag_p() tests and nbuf_unset_flag() clears.
	 */
	int		nb_flags;
} nbuf_t;
103 | |
104 | void nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *); |
105 | void nbuf_reset(nbuf_t *); |
106 | struct mbuf * nbuf_head_mbuf(nbuf_t *); |
107 | |
108 | bool nbuf_flag_p(const nbuf_t *, int); |
109 | void nbuf_unset_flag(nbuf_t *, int); |
110 | |
111 | void * nbuf_dataptr(nbuf_t *); |
112 | size_t nbuf_offset(const nbuf_t *); |
113 | void * nbuf_advance(nbuf_t *, size_t, size_t); |
114 | |
115 | void * nbuf_ensure_contig(nbuf_t *, size_t); |
116 | void * nbuf_ensure_writable(nbuf_t *, size_t); |
117 | |
118 | bool nbuf_cksum_barrier(nbuf_t *, int); |
119 | int nbuf_add_tag(nbuf_t *, uint32_t, uint32_t); |
120 | int nbuf_find_tag(nbuf_t *, uint32_t, void **); |
121 | |
122 | /* |
123 | * Packet information cache. |
124 | */ |
125 | |
126 | #define NPC_IP4 0x01 /* Indicates IPv4 header. */ |
127 | #define NPC_IP6 0x02 /* Indicates IPv6 header. */ |
128 | #define NPC_IPFRAG 0x04 /* IPv4/IPv6 fragment. */ |
129 | #define NPC_LAYER4 0x08 /* Layer 4 has been fetched. */ |
130 | |
131 | #define NPC_TCP 0x10 /* TCP header. */ |
132 | #define NPC_UDP 0x20 /* UDP header. */ |
133 | #define NPC_ICMP 0x40 /* ICMP header. */ |
134 | #define NPC_ICMP_ID 0x80 /* ICMP with query ID. */ |
135 | |
136 | #define NPC_ALG_EXEC 0x100 /* ALG execution. */ |
137 | |
138 | #define NPC_IP46 (NPC_IP4|NPC_IP6) |
139 | |
typedef struct {
	/*
	 * NPC_* flags recording what has been parsed into this cache, and
	 * the nbuf the packet lives in.  npf_iscached() tests npc_info and
	 * asserts that npc_nbuf is set, so the nbuf must be attached before
	 * any flag is consulted.
	 */
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Presumably indexed by NPF_SRC / NPF_DST -- confirm against callers.
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint8_t		npc_hlen;
	uint16_t	npc_proto;

	/*
	 * IPv4, IPv6.  Which member is meaningful is presumably chosen by
	 * NPC_IP4 / NPC_IP6 in npc_info; the pointers refer into the nbuf.
	 */
	union {
		struct ip *	v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/*
	 * TCP, UDP, ICMP.  Presumably chosen by NPC_TCP / NPC_UDP / NPC_ICMP
	 * and meaningful only once NPC_LAYER4 is set.
	 */
	union {
		struct tcphdr *	tcp;
		struct udphdr *	udp;
		struct icmp *	icmp;
		struct icmp6_hdr *	icmp6;
		void *		hdr;
	} npc_l4;
} npf_cache_t;
171 | |
/*
 * npf_iscached: test whether the NPC_* bits in `inf' are all set... no --
 * whether ANY of them is set in the cache's npc_info.  The cache must
 * already have its nbuf attached; that is asserted, not handled.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);

	/* Callers usually ask about headers that are present, hence the hint. */
	const uint32_t hits = npc->npc_info & (uint32_t)inf;
	return __predict_true(hits != 0);
}
178 | |
179 | #define NPF_SRC 0 |
180 | #define NPF_DST 1 |
181 | |
182 | /* |
183 | * NPF extensions and rule procedure interface. |
184 | */ |
185 | |
186 | struct npf_rproc; |
187 | typedef struct npf_rproc npf_rproc_t; |
188 | |
189 | void npf_rproc_assign(npf_rproc_t *, void *); |
190 | |
/*
 * Operations an extension supplies to npf_ext_register().  The kernel
 * calls back into the extension through this table.
 */
typedef struct {
	/* Version the extension was built against (presumably NPF_VERSION). */
	unsigned int	version;
	/* Extension-private context; use not visible here -- confirm. */
	void *		ctx;
	/*
	 * Build per-rule-procedure state from its property dictionary;
	 * the int return presumably is an errno-style status.
	 */
	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
	/* Release the state; the void * is presumably what ctor assigned. */
	void		(*dtor)(npf_rproc_t *, void *);
	/*
	 * Process a packet.  The int * is presumably the NPF_DECISION_*
	 * result the extension may override -- confirm against callers.
	 */
	bool		(*proc)(npf_cache_t *, void *, int *);
} npf_ext_ops_t;
198 | |
199 | void * npf_ext_register(const char *, const npf_ext_ops_t *); |
200 | int npf_ext_unregister(void *); |
201 | |
202 | /* |
203 | * Misc. |
204 | */ |
205 | |
206 | bool npf_autounload_p(void); |
207 | |
208 | #endif /* _KERNEL */ |
209 | |
210 | /* Rule attributes. */ |
211 | #define NPF_RULE_PASS 0x00000001 |
212 | #define NPF_RULE_GROUP 0x00000002 |
213 | #define NPF_RULE_FINAL 0x00000004 |
214 | #define NPF_RULE_STATEFUL 0x00000008 |
215 | #define NPF_RULE_RETRST 0x00000010 |
216 | #define NPF_RULE_RETICMP 0x00000020 |
217 | #define NPF_RULE_DYNAMIC 0x00000040 |
218 | #define NPF_RULE_MULTIENDS 0x00000080 |
219 | |
220 | #define NPF_DYNAMIC_GROUP (NPF_RULE_GROUP | NPF_RULE_DYNAMIC) |
221 | |
222 | #define NPF_RULE_IN 0x10000000 |
223 | #define NPF_RULE_OUT 0x20000000 |
224 | #define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT) |
225 | #define NPF_RULE_FORW 0x40000000 |
226 | |
227 | /* Private range of rule attributes (not public and should not be set). */ |
228 | #define NPF_RULE_PRIVMASK 0x0f000000 |
229 | |
230 | #define NPF_RULE_MAXNAMELEN 64 |
231 | #define NPF_RULE_MAXKEYLEN 32 |
232 | |
233 | /* Priority values. */ |
234 | #define NPF_PRI_FIRST (-2) |
235 | #define NPF_PRI_LAST (-1) |
236 | |
237 | /* Types of code. */ |
238 | #define NPF_CODE_NC 1 |
239 | #define NPF_CODE_BPF 2 |
240 | |
241 | /* Address translation types and flags. */ |
242 | #define NPF_NATIN 1 |
243 | #define NPF_NATOUT 2 |
244 | |
245 | #define NPF_NAT_PORTS 0x01 |
246 | #define NPF_NAT_PORTMAP 0x02 |
247 | #define NPF_NAT_STATIC 0x04 |
248 | |
249 | #define NPF_ALGO_NPT66 1 |
250 | |
251 | /* Table types. */ |
252 | #define NPF_TABLE_HASH 1 |
253 | #define NPF_TABLE_TREE 2 |
254 | #define NPF_TABLE_CDB 3 |
255 | |
256 | #define NPF_TABLE_MAXNAMELEN 32 |
257 | |
258 | /* Layers. */ |
259 | #define NPF_LAYER_2 2 |
260 | #define NPF_LAYER_3 3 |
261 | |
262 | /* XXX mbuf.h: just for now. */ |
263 | #define PACKET_TAG_NPF 10 |
264 | |
265 | /* |
266 | * Rule commands (non-ioctl). |
267 | */ |
268 | |
269 | #define NPF_CMD_RULE_ADD 1 |
270 | #define NPF_CMD_RULE_INSERT 2 |
271 | #define NPF_CMD_RULE_REMOVE 3 |
272 | #define NPF_CMD_RULE_REMKEY 4 |
273 | #define NPF_CMD_RULE_LIST 5 |
274 | #define NPF_CMD_RULE_FLUSH 6 |
275 | |
276 | /* |
277 | * NPF ioctl(2): table commands and structures. |
278 | */ |
279 | |
280 | #define NPF_CMD_TABLE_LOOKUP 1 |
281 | #define NPF_CMD_TABLE_ADD 2 |
282 | #define NPF_CMD_TABLE_REMOVE 3 |
283 | #define NPF_CMD_TABLE_LIST 4 |
284 | #define NPF_CMD_TABLE_FLUSH 5 |
285 | |
/*
 * Single table entry carried inside struct npf_ioctl_table (the
 * IOC_NPF_TABLE argument).  It arrives from userland, so the kernel side
 * must validate alen and mask before using them.
 */
typedef struct npf_ioctl_ent {
	/* Address length; presumably 4 or 16 as for npc_alen. */
	int		alen;
	npf_addr_t	addr;
	/* Prefix length; presumably at most NPF_MAX_NETMASK or NPF_NO_NETMASK. */
	npf_netmask_t	mask;
} npf_ioctl_ent_t;
291 | |
/*
 * Caller-supplied buffer carried inside struct npf_ioctl_table.  Since
 * the enclosing structure is an ioctl argument, `buf' is a userland
 * pointer and `len' an untrusted length; the kernel must bound-check
 * and copy rather than dereference directly.
 */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;
296 | |
/*
 * Argument of IOC_NPF_TABLE.  Copied in from userland by ioctl(2), so
 * nct_name is a userland pointer (bounded by NPF_TABLE_MAXNAMELEN on the
 * kernel side, presumably) and nct_data is untrusted until validated.
 */
typedef struct npf_ioctl_table {
	/* One of NPF_CMD_TABLE_*. */
	int		nct_cmd;
	/* Name of the table to operate on. */
	const char *	nct_name;
	/* Which member applies presumably depends on nct_cmd -- confirm. */
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;
305 | |
306 | /* |
307 | * IOCTL operations. |
308 | */ |
309 | |
310 | #define IOC_NPF_VERSION _IOR('N', 100, int) |
311 | #define IOC_NPF_SWITCH _IOW('N', 101, int) |
312 | #define IOC_NPF_LOAD _IOWR('N', 102, struct plistref) |
313 | #define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table) |
314 | #define IOC_NPF_STATS _IOW('N', 104, void *) |
315 | #define IOC_NPF_SAVE _IOR('N', 105, struct plistref) |
316 | #define IOC_NPF_RULE _IOWR('N', 107, struct plistref) |
317 | |
318 | /* |
319 | * Statistics counters. |
320 | */ |
321 | |
/*
 * Statistics counter indices.  NPF_STATS_COUNT must stay last: it sizes
 * the counter array via NPF_STATS_SIZE (one uint64_t per counter), and
 * inserting a value before it changes the layout seen through
 * IOC_NPF_STATS.
 */
typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;
355 | |
356 | #define NPF_STATS_SIZE (sizeof(uint64_t) * NPF_STATS_COUNT) |
357 | |
358 | #endif /* _NPF_NET_H_ */ |
359 | |