Context Navigation

pfvar.h @ 6d9d7b1

55-freebsd-126-freebsd-12

Last change on this file since 6d9d7b1 was 0237319, checked in by Sebastian Huber <sebastian.huber@…>, on 05/23/17 at 11:18:31

Update due to Newlib 2017-06-07 changes

The following files are now provided by Newlib:

arpa/inet.h
net/if.h
netinet/in.h
netinet/tcp.h
sys/socket.h
sys/uio.h
sys/un.h

The <sys/param.h> and <sys/cpuset.h> are now compatible enough to be
used directly.

Update #2833.

Property mode set to 100644

File size: 50.3 KB

Line
1	/*
2	* Copyright (c) 2001 Daniel Hartmeier
3	* All rights reserved.
4	*
5	* Redistribution and use in source and binary forms, with or without
6	* modification, are permitted provided that the following conditions
7	* are met:
8	*
9	* - Redistributions of source code must retain the above copyright
10	* notice, this list of conditions and the following disclaimer.
11	* - Redistributions in binary form must reproduce the above
12	* copyright notice, this list of conditions and the following
13	* disclaimer in the documentation and/or other materials provided
14	* with the distribution.
15	*
16	* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17	* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18	* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19	* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20	* COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21	* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22	* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24	* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26	* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27	* POSSIBILITY OF SUCH DAMAGE.
28	*
29	* $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
30	* $FreeBSD$
31	*/
32
33	#ifndef _NET_PFVAR_H_
34	#define _NET_PFVAR_H_
35
36	#include <sys/param.h>
37	#include <sys/queue.h>
38	#include <sys/counter.h>
39	#include <sys/malloc.h>
40	#include <sys/refcount.h>
41	#include <sys/tree.h>
42	#include <vm/uma.h>
43
44	#include <net/radix.h>
45	#include <netinet/in.h>
46
47	#include <netpfil/pf/pf.h>
48	#include <netpfil/pf/pf_altq.h>
49	#include <netpfil/pf/pf_mtag.h>
50
51	struct pf_addr {
52	union {
53	struct in_addr v4;
54	struct in6_addr v6;
55	u_int8_t addr8[16];
56	u_int16_t addr16[8];
57	u_int32_t addr32[4];
58	} pfa; /* 128-bit address */
59	#define v4 pfa.v4
60	#define v6 pfa.v6
61	#define addr8 pfa.addr8
62	#define addr16 pfa.addr16
63	#define addr32 pfa.addr32
64	};
65
66	#define PFI_AFLAG_NETWORK 0x01
67	#define PFI_AFLAG_BROADCAST 0x02
68	#define PFI_AFLAG_PEER 0x04
69	#define PFI_AFLAG_MODEMASK 0x07
70	#define PFI_AFLAG_NOALIAS 0x08
71
72	struct pf_addr_wrap {
73	union {
74	struct {
75	struct pf_addr addr;
76	struct pf_addr mask;
77	} a;
78	char ifname[IFNAMSIZ];
79	char tblname[PF_TABLE_NAME_SIZE];
80	} v;
81	union {
82	struct pfi_dynaddr *dyn;
83	struct pfr_ktable *tbl;
84	int dyncnt;
85	int tblcnt;
86	} p;
87	u_int8_t type; /* PF_ADDR_* */
88	u_int8_t iflags; /* PFI_AFLAG_* */
89	};
90
91	#ifdef _KERNEL
92
93	struct pfi_dynaddr {
94	TAILQ_ENTRY(pfi_dynaddr) entry;
95	struct pf_addr pfid_addr4;
96	struct pf_addr pfid_mask4;
97	struct pf_addr pfid_addr6;
98	struct pf_addr pfid_mask6;
99	struct pfr_ktable *pfid_kt;
100	struct pfi_kif *pfid_kif;
101	int pfid_net; /* mask or 128 */
102	int pfid_acnt4; /* address count IPv4 */
103	int pfid_acnt6; /* address count IPv6 */
104	sa_family_t pfid_af; /* rule af */
105	u_int8_t pfid_iflags; /* PFI_AFLAG_* */
106	};
107
108	/*
109	* Address manipulation macros
110	*/
111	#define HTONL(x) (x) = htonl((__uint32_t)(x))
112	#define HTONS(x) (x) = htons((__uint16_t)(x))
113	#define NTOHL(x) (x) = ntohl((__uint32_t)(x))
114	#define NTOHS(x) (x) = ntohs((__uint16_t)(x))
115
116	#define PF_NAME "pf"
117
118	#define PF_HASHROW_ASSERT(h) mtx_assert(&(h)->lock, MA_OWNED)
119	#define PF_HASHROW_LOCK(h) mtx_lock(&(h)->lock)
120	#define PF_HASHROW_UNLOCK(h) mtx_unlock(&(h)->lock)
121
122	#define PF_STATE_LOCK(s) \
123	do { \
124	struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)]; \
125	PF_HASHROW_LOCK(_ih); \
126	} while (0)
127
128	#define PF_STATE_UNLOCK(s) \
129	do { \
130	struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH((s))]; \
131	PF_HASHROW_UNLOCK(_ih); \
132	} while (0)
133
134	#ifdef INVARIANTS
135	#define PF_STATE_LOCK_ASSERT(s) \
136	do { \
137	struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)]; \
138	PF_HASHROW_ASSERT(_ih); \
139	} while (0)
140	#else /* !INVARIANTS */
141	#define PF_STATE_LOCK_ASSERT(s) do {} while (0)
142	#endif /* INVARIANTS */
143
144	extern struct mtx pf_unlnkdrules_mtx;
145	#define PF_UNLNKDRULES_LOCK() mtx_lock(&pf_unlnkdrules_mtx)
146	#define PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx)
147
148	extern struct rwlock pf_rules_lock;
149	#define PF_RULES_RLOCK() rw_rlock(&pf_rules_lock)
150	#define PF_RULES_RUNLOCK() rw_runlock(&pf_rules_lock)
151	#define PF_RULES_WLOCK() rw_wlock(&pf_rules_lock)
152	#define PF_RULES_WUNLOCK() rw_wunlock(&pf_rules_lock)
153	#define PF_RULES_ASSERT() rw_assert(&pf_rules_lock, RA_LOCKED)
154	#define PF_RULES_RASSERT() rw_assert(&pf_rules_lock, RA_RLOCKED)
155	#define PF_RULES_WASSERT() rw_assert(&pf_rules_lock, RA_WLOCKED)
156
157	extern struct sx pf_end_lock;
158
159	#define PF_MODVER 1
160	#define PFLOG_MODVER 1
161	#define PFSYNC_MODVER 1
162
163	#define PFLOG_MINVER 1
164	#define PFLOG_PREFVER PFLOG_MODVER
165	#define PFLOG_MAXVER 1
166	#define PFSYNC_MINVER 1
167	#define PFSYNC_PREFVER PFSYNC_MODVER
168	#define PFSYNC_MAXVER 1
169
170	#ifdef INET
171	#ifndef INET6
172	#define PF_INET_ONLY
173	#endif /* ! INET6 */
174	#endif /* INET */
175
176	#ifdef INET6
177	#ifndef INET
178	#define PF_INET6_ONLY
179	#endif /* ! INET */
180	#endif /* INET6 */
181
182	#ifdef INET
183	#ifdef INET6
184	#define PF_INET_INET6
185	#endif /* INET6 */
186	#endif /* INET */
187
188	#else
189
190	#define PF_INET_INET6
191
192	#endif /* _KERNEL */
193
194	/* Both IPv4 and IPv6 */
195	#ifdef PF_INET_INET6
196
197	#define PF_AEQ(a, b, c) \
198	((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) \|\| \
199	(c == AF_INET6 && (a)->addr32[3] == (b)->addr32[3] && \
200	(a)->addr32[2] == (b)->addr32[2] && \
201	(a)->addr32[1] == (b)->addr32[1] && \
202	(a)->addr32[0] == (b)->addr32[0])) \
203
204	#define PF_ANEQ(a, b, c) \
205	((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) \|\| \
206	(c == AF_INET6 && ((a)->addr32[0] != (b)->addr32[0] \|\| \
207	(a)->addr32[1] != (b)->addr32[1] \|\| \
208	(a)->addr32[2] != (b)->addr32[2] \|\| \
209	(a)->addr32[3] != (b)->addr32[3]))) \
210
211	#define PF_AZERO(a, c) \
212	((c == AF_INET && !(a)->addr32[0]) \|\| \
213	(c == AF_INET6 && !(a)->addr32[0] && !(a)->addr32[1] && \
214	!(a)->addr32[2] && !(a)->addr32[3] )) \
215
216	#define PF_MATCHA(n, a, m, b, f) \
217	pf_match_addr(n, a, m, b, f)
218
219	#define PF_ACPY(a, b, f) \
220	pf_addrcpy(a, b, f)
221
222	#define PF_AINC(a, f) \
223	pf_addr_inc(a, f)
224
225	#define PF_POOLMASK(a, b, c, d, f) \
226	pf_poolmask(a, b, c, d, f)
227
228	#else
229
230	/* Just IPv6 */
231
232	#ifdef PF_INET6_ONLY
233
234	#define PF_AEQ(a, b, c) \
235	((a)->addr32[3] == (b)->addr32[3] && \
236	(a)->addr32[2] == (b)->addr32[2] && \
237	(a)->addr32[1] == (b)->addr32[1] && \
238	(a)->addr32[0] == (b)->addr32[0]) \
239
240	#define PF_ANEQ(a, b, c) \
241	((a)->addr32[3] != (b)->addr32[3] \|\| \
242	(a)->addr32[2] != (b)->addr32[2] \|\| \
243	(a)->addr32[1] != (b)->addr32[1] \|\| \
244	(a)->addr32[0] != (b)->addr32[0]) \
245
246	#define PF_AZERO(a, c) \
247	(!(a)->addr32[0] && \
248	!(a)->addr32[1] && \
249	!(a)->addr32[2] && \
250	!(a)->addr32[3] ) \
251
252	#define PF_MATCHA(n, a, m, b, f) \
253	pf_match_addr(n, a, m, b, f)
254
255	#define PF_ACPY(a, b, f) \
256	pf_addrcpy(a, b, f)
257
258	#define PF_AINC(a, f) \
259	pf_addr_inc(a, f)
260
261	#define PF_POOLMASK(a, b, c, d, f) \
262	pf_poolmask(a, b, c, d, f)
263
264	#else
265
266	/* Just IPv4 */
267	#ifdef PF_INET_ONLY
268
269	#define PF_AEQ(a, b, c) \
270	((a)->addr32[0] == (b)->addr32[0])
271
272	#define PF_ANEQ(a, b, c) \
273	((a)->addr32[0] != (b)->addr32[0])
274
275	#define PF_AZERO(a, c) \
276	(!(a)->addr32[0])
277
278	#define PF_MATCHA(n, a, m, b, f) \
279	pf_match_addr(n, a, m, b, f)
280
281	#define PF_ACPY(a, b, f) \
282	(a)->v4.s_addr = (b)->v4.s_addr
283
284	#define PF_AINC(a, f) \
285	do { \
286	(a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
287	} while (0)
288
289	#define PF_POOLMASK(a, b, c, d, f) \
290	do { \
291	(a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) \| \
292	(((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
293	} while (0)
294
295	#endif /* PF_INET_ONLY */
296	#endif /* PF_INET6_ONLY */
297	#endif /* PF_INET_INET6 */
298
299	/*
300	* XXX callers not FIB-aware in our version of pf yet.
301	* OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio.
302	*/
303	#define PF_MISMATCHAW(aw, x, af, neg, ifp, rtid) \
304	( \
305	(((aw)->type == PF_ADDR_NOROUTE && \
306	pf_routable((x), (af), NULL, (rtid))) \|\| \
307	(((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \
308	pf_routable((x), (af), (ifp), (rtid))) \|\| \
309	((aw)->type == PF_ADDR_TABLE && \
310	!pfr_match_addr((aw)->p.tbl, (x), (af))) \|\| \
311	((aw)->type == PF_ADDR_DYNIFTL && \
312	!pfi_match_addr((aw)->p.dyn, (x), (af))) \|\| \
313	((aw)->type == PF_ADDR_RANGE && \
314	!pf_match_addr_range(&(aw)->v.a.addr, \
315	&(aw)->v.a.mask, (x), (af))) \|\| \
316	((aw)->type == PF_ADDR_ADDRMASK && \
317	!PF_AZERO(&(aw)->v.a.mask, (af)) && \
318	!PF_MATCHA(0, &(aw)->v.a.addr, \
319	&(aw)->v.a.mask, (x), (af))))) != \
320	(neg) \
321	)
322
323
324	struct pf_rule_uid {
325	uid_t uid[2];
326	u_int8_t op;
327	};
328
329	struct pf_rule_gid {
330	uid_t gid[2];
331	u_int8_t op;
332	};
333
334	struct pf_rule_addr {
335	struct pf_addr_wrap addr;
336	u_int16_t port[2];
337	u_int8_t neg;
338	u_int8_t port_op;
339	};
340
341	struct pf_pooladdr {
342	struct pf_addr_wrap addr;
343	TAILQ_ENTRY(pf_pooladdr) entries;
344	char ifname[IFNAMSIZ];
345	struct pfi_kif *kif;
346	};
347
348	TAILQ_HEAD(pf_palist, pf_pooladdr);
349
350	struct pf_poolhashkey {
351	union {
352	u_int8_t key8[16];
353	u_int16_t key16[8];
354	u_int32_t key32[4];
355	} pfk; /* 128-bit hash key */
356	#define key8 pfk.key8
357	#define key16 pfk.key16
358	#define key32 pfk.key32
359	};
360
361	struct pf_pool {
362	struct pf_palist list;
363	struct pf_pooladdr *cur;
364	struct pf_poolhashkey key;
365	struct pf_addr counter;
366	int tblidx;
367	u_int16_t proxy_port[2];
368	u_int8_t opts;
369	};
370
371
372	/* A packed Operating System description for fingerprinting */
373	typedef u_int32_t pf_osfp_t;
374	#define PF_OSFP_ANY ((pf_osfp_t)0)
375	#define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
376	#define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
377
378	struct pf_osfp_entry {
379	SLIST_ENTRY(pf_osfp_entry) fp_entry;
380	pf_osfp_t fp_os;
381	int fp_enflags;
382	#define PF_OSFP_EXPANDED 0x001 /* expanded entry */
383	#define PF_OSFP_GENERIC 0x002 /* generic signature */
384	#define PF_OSFP_NODETAIL 0x004 /* no p0f details */
385	#define PF_OSFP_LEN 32
386	char fp_class_nm[PF_OSFP_LEN];
387	char fp_version_nm[PF_OSFP_LEN];
388	char fp_subtype_nm[PF_OSFP_LEN];
389	};
390	#define PF_OSFP_ENTRY_EQ(a, b) \
391	((a)->fp_os == (b)->fp_os && \
392	memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
393	memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
394	memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
395
396	/* handle pf_osfp_t packing */
397	#define _FP_RESERVED_BIT 1 /* For the special negative #defines */
398	#define _FP_UNUSED_BITS 1
399	#define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */
400	#define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
401	#define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */
402	#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
403	(class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
404	((1 << _FP_CLASS_BITS) - 1); \
405	(version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
406	((1 << _FP_VERSION_BITS) - 1);\
407	(subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
408	} while(0)
409	#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
410	(osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
411	+ _FP_SUBTYPE_BITS); \
412	(osfp) \|= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
413	_FP_SUBTYPE_BITS; \
414	(osfp) \|= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
415	} while(0)
416
417	/* the fingerprint of an OSes TCP SYN packet */
418	typedef u_int64_t pf_tcpopts_t;
419	struct pf_os_fingerprint {
420	SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
421	pf_tcpopts_t fp_tcpopts; /* packed TCP options */
422	u_int16_t fp_wsize; /* TCP window size */
423	u_int16_t fp_psize; /* ip->ip_len */
424	u_int16_t fp_mss; /* TCP MSS */
425	u_int16_t fp_flags;
426	#define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */
427	#define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */
428	#define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */
429	#define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */
430	#define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */
431	#define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */
432	#define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */
433	#define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */
434	#define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */
435	#define PF_OSFP_MSS 0x0200 /* TCP MSS */
436	#define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */
437	#define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */
438	#define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */
439	#define PF_OSFP_TS0 0x2000 /* Zero timestamp */
440	#define PF_OSFP_INET6 0x4000 /* IPv6 */
441	u_int8_t fp_optcnt; /* TCP option count */
442	u_int8_t fp_wscale; /* TCP window scaling */
443	u_int8_t fp_ttl; /* IPv4 TTL */
444	#define PF_OSFP_MAXTTL_OFFSET 40
445	/* TCP options packing */
446	#define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */
447	#define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */
448	#define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */
449	#define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */
450	#define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */
451	#define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */
452	#define PF_OSFP_MAX_OPTS \
453	(sizeof(((struct pf_os_fingerprint )0)->fp_tcpopts) 8) \
454	/ PF_OSFP_TCPOPT_BITS
455
456	SLIST_ENTRY(pf_os_fingerprint) fp_next;
457	};
458
459	struct pf_osfp_ioctl {
460	struct pf_osfp_entry fp_os;
461	pf_tcpopts_t fp_tcpopts; /* packed TCP options */
462	u_int16_t fp_wsize; /* TCP window size */
463	u_int16_t fp_psize; /* ip->ip_len */
464	u_int16_t fp_mss; /* TCP MSS */
465	u_int16_t fp_flags;
466	u_int8_t fp_optcnt; /* TCP option count */
467	u_int8_t fp_wscale; /* TCP window scaling */
468	u_int8_t fp_ttl; /* IPv4 TTL */
469
470	int fp_getnum; /* DIOCOSFPGET number */
471	};
472
473
474	union pf_rule_ptr {
475	struct pf_rule *ptr;
476	u_int32_t nr;
477	};
478
479	#define PF_ANCHOR_NAME_SIZE 64
480
481	struct pf_rule {
482	struct pf_rule_addr src;
483	struct pf_rule_addr dst;
484	#define PF_SKIP_IFP 0
485	#define PF_SKIP_DIR 1
486	#define PF_SKIP_AF 2
487	#define PF_SKIP_PROTO 3
488	#define PF_SKIP_SRC_ADDR 4
489	#define PF_SKIP_SRC_PORT 5
490	#define PF_SKIP_DST_ADDR 6
491	#define PF_SKIP_DST_PORT 7
492	#define PF_SKIP_COUNT 8
493	union pf_rule_ptr skip[PF_SKIP_COUNT];
494	#define PF_RULE_LABEL_SIZE 64
495	char label[PF_RULE_LABEL_SIZE];
496	char ifname[IFNAMSIZ];
497	char qname[PF_QNAME_SIZE];
498	char pqname[PF_QNAME_SIZE];
499	#define PF_TAG_NAME_SIZE 64
500	char tagname[PF_TAG_NAME_SIZE];
501	char match_tagname[PF_TAG_NAME_SIZE];
502
503	char overload_tblname[PF_TABLE_NAME_SIZE];
504
505	TAILQ_ENTRY(pf_rule) entries;
506	struct pf_pool rpool;
507
508	u_int64_t evaluations;
509	u_int64_t packets[2];
510	u_int64_t bytes[2];
511
512	struct pfi_kif *kif;
513	struct pf_anchor *anchor;
514	struct pfr_ktable *overload_tbl;
515
516	pf_osfp_t os_fingerprint;
517
518	int rtableid;
519	u_int32_t timeout[PFTM_MAX];
520	u_int32_t max_states;
521	u_int32_t max_src_nodes;
522	u_int32_t max_src_states;
523	u_int32_t max_src_conn;
524	struct {
525	u_int32_t limit;
526	u_int32_t seconds;
527	} max_src_conn_rate;
528	u_int32_t qid;
529	u_int32_t pqid;
530	u_int32_t rt_listid;
531	u_int32_t nr;
532	u_int32_t prob;
533	uid_t cuid;
534	pid_t cpid;
535
536	counter_u64_t states_cur;
537	counter_u64_t states_tot;
538	counter_u64_t src_nodes;
539
540	u_int16_t return_icmp;
541	u_int16_t return_icmp6;
542	u_int16_t max_mss;
543	u_int16_t tag;
544	u_int16_t match_tag;
545	u_int16_t scrub_flags;
546
547	struct pf_rule_uid uid;
548	struct pf_rule_gid gid;
549
550	u_int32_t rule_flag;
551	u_int8_t action;
552	u_int8_t direction;
553	u_int8_t log;
554	u_int8_t logif;
555	u_int8_t quick;
556	u_int8_t ifnot;
557	u_int8_t match_tag_not;
558	u_int8_t natpass;
559
560	#define PF_STATE_NORMAL 0x1
561	#define PF_STATE_MODULATE 0x2
562	#define PF_STATE_SYNPROXY 0x3
563	u_int8_t keep_state;
564	sa_family_t af;
565	u_int8_t proto;
566	u_int8_t type;
567	u_int8_t code;
568	u_int8_t flags;
569	u_int8_t flagset;
570	u_int8_t min_ttl;
571	u_int8_t allow_opts;
572	u_int8_t rt;
573	u_int8_t return_ttl;
574	u_int8_t tos;
575	u_int8_t set_tos;
576	u_int8_t anchor_relative;
577	u_int8_t anchor_wildcard;
578
579	#define PF_FLUSH 0x01
580	#define PF_FLUSH_GLOBAL 0x02
581	u_int8_t flush;
582	#define PF_PRIO_ZERO 0xff /* match "prio 0" packets */
583	#define PF_PRIO_MAX 7
584	u_int8_t prio;
585	u_int8_t set_prio[2];
586
587	struct {
588	struct pf_addr addr;
589	u_int16_t port;
590	} divert;
591
592	uint64_t u_states_cur;
593	uint64_t u_states_tot;
594	uint64_t u_src_nodes;
595	};
596
597	/* rule flags */
598	#define PFRULE_DROP 0x0000
599	#define PFRULE_RETURNRST 0x0001
600	#define PFRULE_FRAGMENT 0x0002
601	#define PFRULE_RETURNICMP 0x0004
602	#define PFRULE_RETURN 0x0008
603	#define PFRULE_NOSYNC 0x0010
604	#define PFRULE_SRCTRACK 0x0020 /* track source states */
605	#define PFRULE_RULESRCTRACK 0x0040 /* per rule */
606	#define PFRULE_REFS 0x0080 /* rule has references */
607
608	/* scrub flags */
609	#define PFRULE_NODF 0x0100
610	#define PFRULE_RANDOMID 0x0800
611	#define PFRULE_REASSEMBLE_TCP 0x1000
612	#define PFRULE_SET_TOS 0x2000
613
614	/* rule flags again */
615	#define PFRULE_IFBOUND 0x00010000 /* if-bound */
616	#define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */
617
618	#define PFSTATE_HIWAT 10000 /* default state table size */
619	#define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */
620	#define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */
621
622
623	struct pf_threshold {
624	u_int32_t limit;
625	#define PF_THRESHOLD_MULT 1000
626	#define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
627	u_int32_t seconds;
628	u_int32_t count;
629	u_int32_t last;
630	};
631
632	struct pf_src_node {
633	LIST_ENTRY(pf_src_node) entry;
634	struct pf_addr addr;
635	struct pf_addr raddr;
636	union pf_rule_ptr rule;
637	struct pfi_kif *kif;
638	u_int64_t bytes[2];
639	u_int64_t packets[2];
640	u_int32_t states;
641	u_int32_t conn;
642	struct pf_threshold conn_rate;
643	u_int32_t creation;
644	u_int32_t expire;
645	sa_family_t af;
646	u_int8_t ruletype;
647	};
648
649	#define PFSNODE_HIWAT 10000 /* default source node table size */
650
651	struct pf_state_scrub {
652	struct timeval pfss_last; /* time received last packet */
653	u_int32_t pfss_tsecr; /* last echoed timestamp */
654	u_int32_t pfss_tsval; /* largest timestamp */
655	u_int32_t pfss_tsval0; /* original timestamp */
656	u_int16_t pfss_flags;
657	#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */
658	#define PFSS_PAWS 0x0010 /* stricter PAWS checks */
659	#define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */
660	#define PFSS_DATA_TS 0x0040 /* timestamp on data packets */
661	#define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */
662	u_int8_t pfss_ttl; /* stashed TTL */
663	u_int8_t pad;
664	u_int32_t pfss_ts_mod; /* timestamp modulation */
665	};
666
667	struct pf_state_host {
668	struct pf_addr addr;
669	u_int16_t port;
670	u_int16_t pad;
671	};
672
673	struct pf_state_peer {
674	struct pf_state_scrub scrub; / state is scrubbed */
675	u_int32_t seqlo; /* Max sequence number sent */
676	u_int32_t seqhi; /* Max the other end ACKd + win */
677	u_int32_t seqdiff; /* Sequence number modulator */
678	u_int16_t max_win; /* largest window (pre scaling) */
679	u_int16_t mss; /* Maximum segment size option */
680	u_int8_t state; /* active state level */
681	u_int8_t wscale; /* window scaling factor */
682	u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */
683	u_int8_t pad[1];
684	};
685
686	/* Keep synced with struct pf_state_key. */
687	struct pf_state_key_cmp {
688	struct pf_addr addr[2];
689	u_int16_t port[2];
690	sa_family_t af;
691	u_int8_t proto;
692	u_int8_t pad[2];
693	};
694
695	struct pf_state_key {
696	struct pf_addr addr[2];
697	u_int16_t port[2];
698	sa_family_t af;
699	u_int8_t proto;
700	u_int8_t pad[2];
701
702	LIST_ENTRY(pf_state_key) entry;
703	TAILQ_HEAD(, pf_state) states[2];
704	};
705
706	/* Keep synced with struct pf_state. */
707	struct pf_state_cmp {
708	u_int64_t id;
709	u_int32_t creatorid;
710	u_int8_t direction;
711	u_int8_t pad[3];
712	};
713
714	struct pf_state {
715	u_int64_t id;
716	u_int32_t creatorid;
717	u_int8_t direction;
718	u_int8_t pad[3];
719
720	u_int refs;
721	TAILQ_ENTRY(pf_state) sync_list;
722	TAILQ_ENTRY(pf_state) key_list[2];
723	LIST_ENTRY(pf_state) entry;
724	struct pf_state_peer src;
725	struct pf_state_peer dst;
726	union pf_rule_ptr rule;
727	union pf_rule_ptr anchor;
728	union pf_rule_ptr nat_rule;
729	struct pf_addr rt_addr;
730	struct pf_state_key key[2]; / addresses stack and wire */
731	struct pfi_kif *kif;
732	struct pfi_kif *rt_kif;
733	struct pf_src_node *src_node;
734	struct pf_src_node *nat_src_node;
735	u_int64_t packets[2];
736	u_int64_t bytes[2];
737	u_int32_t creation;
738	u_int32_t expire;
739	u_int32_t pfsync_time;
740	u_int16_t tag;
741	u_int8_t log;
742	u_int8_t state_flags;
743	#define PFSTATE_ALLOWOPTS 0x01
744	#define PFSTATE_SLOPPY 0x02
745	/* was PFSTATE_PFLOW 0x04 */
746	#define PFSTATE_NOSYNC 0x08
747	#define PFSTATE_ACK 0x10
748	#define PFSTATE_SETPRIO 0x0200
749	#define PFSTATE_SETMASK (PFSTATE_SETPRIO)
750	u_int8_t timeout;
751	u_int8_t sync_state; /* PFSYNC_S_x */
752
753	/* XXX */
754	u_int8_t sync_updates;
755	u_int8_t _tail[3];
756	};
757
758	/*
759	* Unified state structures for pulling states out of the kernel
760	* used by pfsync(4) and the pf(4) ioctl.
761	*/
762	struct pfsync_state_scrub {
763	u_int16_t pfss_flags;
764	u_int8_t pfss_ttl; /* stashed TTL */
765	#define PFSYNC_SCRUB_FLAG_VALID 0x01
766	u_int8_t scrub_flag;
767	u_int32_t pfss_ts_mod; /* timestamp modulation */
768	} __packed;
769
770	struct pfsync_state_peer {
771	struct pfsync_state_scrub scrub; /* state is scrubbed */
772	u_int32_t seqlo; /* Max sequence number sent */
773	u_int32_t seqhi; /* Max the other end ACKd + win */
774	u_int32_t seqdiff; /* Sequence number modulator */
775	u_int16_t max_win; /* largest window (pre scaling) */
776	u_int16_t mss; /* Maximum segment size option */
777	u_int8_t state; /* active state level */
778	u_int8_t wscale; /* window scaling factor */
779	u_int8_t pad[6];
780	} __packed;
781
782	struct pfsync_state_key {
783	struct pf_addr addr[2];
784	u_int16_t port[2];
785	};
786
787	struct pfsync_state {
788	u_int64_t id;
789	char ifname[IFNAMSIZ];
790	struct pfsync_state_key key[2];
791	struct pfsync_state_peer src;
792	struct pfsync_state_peer dst;
793	struct pf_addr rt_addr;
794	u_int32_t rule;
795	u_int32_t anchor;
796	u_int32_t nat_rule;
797	u_int32_t creation;
798	u_int32_t expire;
799	u_int32_t packets[2][2];
800	u_int32_t bytes[2][2];
801	u_int32_t creatorid;
802	sa_family_t af;
803	u_int8_t proto;
804	u_int8_t direction;
805	u_int8_t __spare[2];
806	u_int8_t log;
807	u_int8_t state_flags;
808	u_int8_t timeout;
809	u_int8_t sync_flags;
810	u_int8_t updates;
811	} __packed;
812
813	#ifdef _KERNEL
814	/* pfsync */
815	typedef int pfsync_state_import_t(struct pfsync_state *, u_int8_t);
816	typedef void pfsync_insert_state_t(struct pf_state *);
817	typedef void pfsync_update_state_t(struct pf_state *);
818	typedef void pfsync_delete_state_t(struct pf_state *);
819	typedef void pfsync_clear_states_t(u_int32_t, const char *);
820	typedef int pfsync_defer_t(struct pf_state , struct mbuf );
821
822	extern pfsync_state_import_t *pfsync_state_import_ptr;
823	extern pfsync_insert_state_t *pfsync_insert_state_ptr;
824	extern pfsync_update_state_t *pfsync_update_state_ptr;
825	extern pfsync_delete_state_t *pfsync_delete_state_ptr;
826	extern pfsync_clear_states_t *pfsync_clear_states_ptr;
827	extern pfsync_defer_t *pfsync_defer_ptr;
828
829	void pfsync_state_export(struct pfsync_state *,
830	struct pf_state *);
831
832	/* pflog */
833	struct pf_ruleset;
834	struct pf_pdesc;
835	typedef int pflog_packet_t(struct pfi_kif , struct mbuf , sa_family_t,
836	u_int8_t, u_int8_t, struct pf_rule , struct pf_rule ,
837	struct pf_ruleset , struct pf_pdesc , int);
838	extern pflog_packet_t *pflog_packet_ptr;
839
840	#endif /* _KERNEL */
841
842	#define PFSYNC_FLAG_SRCNODE 0x04
843	#define PFSYNC_FLAG_NATSRCNODE 0x08
844
845	/* for copies to/from network byte order */
846	/* ioctl interface also uses network byte order */
847	#define pf_state_peer_hton(s,d) do { \
848	(d)->seqlo = htonl((s)->seqlo); \
849	(d)->seqhi = htonl((s)->seqhi); \
850	(d)->seqdiff = htonl((s)->seqdiff); \
851	(d)->max_win = htons((s)->max_win); \
852	(d)->mss = htons((s)->mss); \
853	(d)->state = (s)->state; \
854	(d)->wscale = (s)->wscale; \
855	if ((s)->scrub) { \
856	(d)->scrub.pfss_flags = \
857	htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \
858	(d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
859	(d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
860	(d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
861	} \
862	} while (0)
863
864	#define pf_state_peer_ntoh(s,d) do { \
865	(d)->seqlo = ntohl((s)->seqlo); \
866	(d)->seqhi = ntohl((s)->seqhi); \
867	(d)->seqdiff = ntohl((s)->seqdiff); \
868	(d)->max_win = ntohs((s)->max_win); \
869	(d)->mss = ntohs((s)->mss); \
870	(d)->state = (s)->state; \
871	(d)->wscale = (s)->wscale; \
872	if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
873	(d)->scrub != NULL) { \
874	(d)->scrub->pfss_flags = \
875	ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
876	(d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
877	(d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
878	} \
879	} while (0)
880
881	#define pf_state_counter_hton(s,d) do { \
882	d[0] = htonl((s>>32)&0xffffffff); \
883	d[1] = htonl(s&0xffffffff); \
884	} while (0)
885
886	#define pf_state_counter_from_pfsync(s) \
887	(((u_int64_t)(s[0])<<32) \| (u_int64_t)(s[1]))
888
889	#define pf_state_counter_ntoh(s,d) do { \
890	d = ntohl(s[0]); \
891	d = d<<32; \
892	d += ntohl(s[1]); \
893	} while (0)
894
895	TAILQ_HEAD(pf_rulequeue, pf_rule);
896
897	struct pf_anchor;
898
899	struct pf_ruleset {
900	struct {
901	struct pf_rulequeue queues[2];
902	struct {
903	struct pf_rulequeue *ptr;
904	struct pf_rule **ptr_array;
905	u_int32_t rcount;
906	u_int32_t ticket;
907	int open;
908	} active, inactive;
909	} rules[PF_RULESET_MAX];
910	struct pf_anchor *anchor;
911	u_int32_t tticket;
912	int tables;
913	int topen;
914	};
915
916	RB_HEAD(pf_anchor_global, pf_anchor);
917	RB_HEAD(pf_anchor_node, pf_anchor);
918	struct pf_anchor {
919	RB_ENTRY(pf_anchor) entry_global;
920	RB_ENTRY(pf_anchor) entry_node;
921	struct pf_anchor *parent;
922	struct pf_anchor_node children;
923	char name[PF_ANCHOR_NAME_SIZE];
924	char path[MAXPATHLEN];
925	struct pf_ruleset ruleset;
926	int refcnt; /* anchor rules */
927	int match; /* XXX: used for pfctl black magic */
928	};
929	RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
930	RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
931
932	#define PF_RESERVED_ANCHOR "_pf"
933
934	#define PFR_TFLAG_PERSIST 0x00000001
935	#define PFR_TFLAG_CONST 0x00000002
936	#define PFR_TFLAG_ACTIVE 0x00000004
937	#define PFR_TFLAG_INACTIVE 0x00000008
938	#define PFR_TFLAG_REFERENCED 0x00000010
939	#define PFR_TFLAG_REFDANCHOR 0x00000020
940	#define PFR_TFLAG_COUNTERS 0x00000040
941	/* Adjust masks below when adding flags. */
942	#define PFR_TFLAG_USRMASK (PFR_TFLAG_PERSIST \| \
943	PFR_TFLAG_CONST \| \
944	PFR_TFLAG_COUNTERS)
945	#define PFR_TFLAG_SETMASK (PFR_TFLAG_ACTIVE \| \
946	PFR_TFLAG_INACTIVE \| \
947	PFR_TFLAG_REFERENCED \| \
948	PFR_TFLAG_REFDANCHOR)
949	#define PFR_TFLAG_ALLMASK (PFR_TFLAG_PERSIST \| \
950	PFR_TFLAG_CONST \| \
951	PFR_TFLAG_ACTIVE \| \
952	PFR_TFLAG_INACTIVE \| \
953	PFR_TFLAG_REFERENCED \| \
954	PFR_TFLAG_REFDANCHOR \| \
955	PFR_TFLAG_COUNTERS)
956
957	struct pf_anchor_stackframe;
958
959	struct pfr_table {
960	char pfrt_anchor[MAXPATHLEN];
961	char pfrt_name[PF_TABLE_NAME_SIZE];
962	u_int32_t pfrt_flags;
963	u_int8_t pfrt_fback;
964	};
965
966	enum { PFR_FB_NONE, PFR_FB_MATCH, PFR_FB_ADDED, PFR_FB_DELETED,
967	PFR_FB_CHANGED, PFR_FB_CLEARED, PFR_FB_DUPLICATE,
968	PFR_FB_NOTMATCH, PFR_FB_CONFLICT, PFR_FB_NOCOUNT, PFR_FB_MAX };
969
970	struct pfr_addr {
971	union {
972	struct in_addr _pfra_ip4addr;
973	struct in6_addr _pfra_ip6addr;
974	} pfra_u;
975	u_int8_t pfra_af;
976	u_int8_t pfra_net;
977	u_int8_t pfra_not;
978	u_int8_t pfra_fback;
979	};
980	#define pfra_ip4addr pfra_u._pfra_ip4addr
981	#define pfra_ip6addr pfra_u._pfra_ip6addr
982
983	enum { PFR_DIR_IN, PFR_DIR_OUT, PFR_DIR_MAX };
984	enum { PFR_OP_BLOCK, PFR_OP_PASS, PFR_OP_ADDR_MAX, PFR_OP_TABLE_MAX };
985	#define PFR_OP_XPASS PFR_OP_ADDR_MAX
986
987	struct pfr_astats {
988	struct pfr_addr pfras_a;
989	u_int64_t pfras_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
990	u_int64_t pfras_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
991	long pfras_tzero;
992	};
993
994	enum { PFR_REFCNT_RULE, PFR_REFCNT_ANCHOR, PFR_REFCNT_MAX };
995
996	struct pfr_tstats {
997	struct pfr_table pfrts_t;
998	u_int64_t pfrts_packets[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
999	u_int64_t pfrts_bytes[PFR_DIR_MAX][PFR_OP_TABLE_MAX];
1000	u_int64_t pfrts_match;
1001	u_int64_t pfrts_nomatch;
1002	long pfrts_tzero;
1003	int pfrts_cnt;
1004	int pfrts_refcnt[PFR_REFCNT_MAX];
1005	};
1006	#define pfrts_name pfrts_t.pfrt_name
1007	#define pfrts_flags pfrts_t.pfrt_flags
1008
1009	#ifndef _SOCKADDR_UNION_DEFINED
1010	#define _SOCKADDR_UNION_DEFINED
1011	union sockaddr_union {
1012	struct sockaddr sa;
1013	struct sockaddr_in sin;
1014	struct sockaddr_in6 sin6;
1015	};
1016	#endif /* _SOCKADDR_UNION_DEFINED */
1017
1018	struct pfr_kcounters {
1019	u_int64_t pfrkc_packets[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
1020	u_int64_t pfrkc_bytes[PFR_DIR_MAX][PFR_OP_ADDR_MAX];
1021	};
1022
1023	SLIST_HEAD(pfr_kentryworkq, pfr_kentry);
1024	struct pfr_kentry {
1025	struct radix_node pfrke_node[2];
1026	union sockaddr_union pfrke_sa;
1027	SLIST_ENTRY(pfr_kentry) pfrke_workq;
1028	struct pfr_kcounters *pfrke_counters;
1029	long pfrke_tzero;
1030	u_int8_t pfrke_af;
1031	u_int8_t pfrke_net;
1032	u_int8_t pfrke_not;
1033	u_int8_t pfrke_mark;
1034	};
1035
1036	SLIST_HEAD(pfr_ktableworkq, pfr_ktable);
1037	RB_HEAD(pfr_ktablehead, pfr_ktable);
1038	struct pfr_ktable {
1039	struct pfr_tstats pfrkt_ts;
1040	RB_ENTRY(pfr_ktable) pfrkt_tree;
1041	SLIST_ENTRY(pfr_ktable) pfrkt_workq;
1042	struct radix_node_head *pfrkt_ip4;
1043	struct radix_node_head *pfrkt_ip6;
1044	struct pfr_ktable *pfrkt_shadow;
1045	struct pfr_ktable *pfrkt_root;
1046	struct pf_ruleset *pfrkt_rs;
1047	long pfrkt_larg;
1048	int pfrkt_nflags;
1049	};
1050	#define pfrkt_t pfrkt_ts.pfrts_t
1051	#define pfrkt_name pfrkt_t.pfrt_name
1052	#define pfrkt_anchor pfrkt_t.pfrt_anchor
1053	#define pfrkt_ruleset pfrkt_t.pfrt_ruleset
1054	#define pfrkt_flags pfrkt_t.pfrt_flags
1055	#define pfrkt_cnt pfrkt_ts.pfrts_cnt
1056	#define pfrkt_refcnt pfrkt_ts.pfrts_refcnt
1057	#define pfrkt_packets pfrkt_ts.pfrts_packets
1058	#define pfrkt_bytes pfrkt_ts.pfrts_bytes
1059	#define pfrkt_match pfrkt_ts.pfrts_match
1060	#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch
1061	#define pfrkt_tzero pfrkt_ts.pfrts_tzero
1062
1063	/* keep synced with pfi_kif, used in RB_FIND */
1064	struct pfi_kif_cmp {
1065	char pfik_name[IFNAMSIZ];
1066	};
1067
1068	struct pfi_kif {
1069	char pfik_name[IFNAMSIZ];
1070	union {
1071	RB_ENTRY(pfi_kif) _pfik_tree;
1072	LIST_ENTRY(pfi_kif) _pfik_list;
1073	} _pfik_glue;
1074	#define pfik_tree _pfik_glue._pfik_tree
1075	#define pfik_list _pfik_glue._pfik_list
1076	u_int64_t pfik_packets[2][2][2];
1077	u_int64_t pfik_bytes[2][2][2];
1078	u_int32_t pfik_tzero;
1079	u_int pfik_flags;
1080	struct ifnet *pfik_ifp;
1081	struct ifg_group *pfik_group;
1082	u_int pfik_rulerefs;
1083	TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
1084	};
1085
1086	#define PFI_IFLAG_REFS 0x0001 /* has state references */
1087	#define PFI_IFLAG_SKIP 0x0100 /* skip filtering on interface */
1088
1089	struct pf_pdesc {
1090	struct {
1091	int done;
1092	uid_t uid;
1093	gid_t gid;
1094	} lookup;
1095	u_int64_t tot_len; /* Make Mickey money */
1096	union {
1097	struct tcphdr *tcp;
1098	struct udphdr *udp;
1099	struct icmp *icmp;
1100	#ifdef INET6
1101	struct icmp6_hdr *icmp6;
1102	#endif /* INET6 */
1103	void *any;
1104	} hdr;
1105
1106	struct pf_rule nat_rule; / nat/rdr rule applied to packet */
1107	struct pf_addr src; / src address */
1108	struct pf_addr dst; / dst address */
1109	u_int16_t *sport;
1110	u_int16_t *dport;
1111	struct pf_mtag *pf_mtag;
1112
1113	u_int32_t p_len; /* total length of payload */
1114
1115	u_int16_t *ip_sum;
1116	u_int16_t *proto_sum;
1117	u_int16_t flags; /* Let SCRUB trigger behavior in
1118	* state code. Easier than tags */
1119	#define PFDESC_TCP_NORM 0x0001 /* TCP shall be statefully scrubbed */
1120	#define PFDESC_IP_REAS 0x0002 /* IP frags would've been reassembled */
1121	sa_family_t af;
1122	u_int8_t proto;
1123	u_int8_t tos;
1124	u_int8_t dir; /* direction */
1125	u_int8_t sidx; /* key index for source */
1126	u_int8_t didx; /* key index for destination */
1127	};
1128
1129	/* flags for RDR options */
1130	#define PF_DPORT_RANGE 0x01 /* Dest port uses range */
1131	#define PF_RPORT_RANGE 0x02 /* RDR'ed port uses range */
1132
1133	/* UDP state enumeration */
1134	#define PFUDPS_NO_TRAFFIC 0
1135	#define PFUDPS_SINGLE 1
1136	#define PFUDPS_MULTIPLE 2
1137
1138	#define PFUDPS_NSTATES 3 /* number of state levels */
1139
1140	#define PFUDPS_NAMES { \
1141	"NO_TRAFFIC", \
1142	"SINGLE", \
1143	"MULTIPLE", \
1144	NULL \
1145	}
1146
1147	/* Other protocol state enumeration */
1148	#define PFOTHERS_NO_TRAFFIC 0
1149	#define PFOTHERS_SINGLE 1
1150	#define PFOTHERS_MULTIPLE 2
1151
1152	#define PFOTHERS_NSTATES 3 /* number of state levels */
1153
1154	#define PFOTHERS_NAMES { \
1155	"NO_TRAFFIC", \
1156	"SINGLE", \
1157	"MULTIPLE", \
1158	NULL \
1159	}
1160
1161	#define ACTION_SET(a, x) \
1162	do { \
1163	if ((a) != NULL) \
1164	*(a) = (x); \
1165	} while (0)
1166
1167	#define REASON_SET(a, x) \
1168	do { \
1169	if ((a) != NULL) \
1170	*(a) = (x); \
1171	if (x < PFRES_MAX) \
1172	counter_u64_add(V_pf_status.counters[x], 1); \
1173	} while (0)
1174
1175	struct pf_kstatus {
1176	counter_u64_t counters[PFRES_MAX]; /* reason for passing/dropping */
1177	counter_u64_t lcounters[LCNT_MAX]; /* limit counters */
1178	counter_u64_t fcounters[FCNT_MAX]; /* state operation counters */
1179	counter_u64_t scounters[SCNT_MAX]; /* src_node operation counters */
1180	uint32_t states;
1181	uint32_t src_nodes;
1182	uint32_t running;
1183	uint32_t since;
1184	uint32_t debug;
1185	uint32_t hostid;
1186	char ifname[IFNAMSIZ];
1187	uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
1188	};
1189
1190	struct pf_divert {
1191	union {
1192	struct in_addr ipv4;
1193	struct in6_addr ipv6;
1194	} addr;
1195	u_int16_t port;
1196	};
1197
1198	#define PFFRAG_FRENT_HIWAT 5000 /* Number of fragment entries */
1199	#define PFR_KENTRY_HIWAT 200000 /* Number of table entries */
1200
1201	/*
1202	* ioctl parameter structures
1203	*/
1204
1205	struct pfioc_pooladdr {
1206	u_int32_t action;
1207	u_int32_t ticket;
1208	u_int32_t nr;
1209	u_int32_t r_num;
1210	u_int8_t r_action;
1211	u_int8_t r_last;
1212	u_int8_t af;
1213	char anchor[MAXPATHLEN];
1214	struct pf_pooladdr addr;
1215	};
1216
1217	struct pfioc_rule {
1218	u_int32_t action;
1219	u_int32_t ticket;
1220	u_int32_t pool_ticket;
1221	u_int32_t nr;
1222	char anchor[MAXPATHLEN];
1223	char anchor_call[MAXPATHLEN];
1224	struct pf_rule rule;
1225	};
1226
1227	struct pfioc_natlook {
1228	struct pf_addr saddr;
1229	struct pf_addr daddr;
1230	struct pf_addr rsaddr;
1231	struct pf_addr rdaddr;
1232	u_int16_t sport;
1233	u_int16_t dport;
1234	u_int16_t rsport;
1235	u_int16_t rdport;
1236	sa_family_t af;
1237	u_int8_t proto;
1238	u_int8_t direction;
1239	};
1240
1241	struct pfioc_state {
1242	struct pfsync_state state;
1243	};
1244
1245	struct pfioc_src_node_kill {
1246	sa_family_t psnk_af;
1247	struct pf_rule_addr psnk_src;
1248	struct pf_rule_addr psnk_dst;
1249	u_int psnk_killed;
1250	};
1251
1252	struct pfioc_state_kill {
1253	struct pf_state_cmp psk_pfcmp;
1254	sa_family_t psk_af;
1255	int psk_proto;
1256	struct pf_rule_addr psk_src;
1257	struct pf_rule_addr psk_dst;
1258	char psk_ifname[IFNAMSIZ];
1259	char psk_label[PF_RULE_LABEL_SIZE];
1260	u_int psk_killed;
1261	};
1262
1263	struct pfioc_states {
1264	int ps_len;
1265	union {
1266	caddr_t psu_buf;
1267	struct pfsync_state *psu_states;
1268	} ps_u;
1269	#define ps_buf ps_u.psu_buf
1270	#define ps_states ps_u.psu_states
1271	};
1272
1273	struct pfioc_src_nodes {
1274	int psn_len;
1275	union {
1276	caddr_t psu_buf;
1277	struct pf_src_node *psu_src_nodes;
1278	} psn_u;
1279	#define psn_buf psn_u.psu_buf
1280	#define psn_src_nodes psn_u.psu_src_nodes
1281	};
1282
1283	struct pfioc_if {
1284	char ifname[IFNAMSIZ];
1285	};
1286
1287	struct pfioc_tm {
1288	int timeout;
1289	int seconds;
1290	};
1291
1292	struct pfioc_limit {
1293	int index;
1294	unsigned limit;
1295	};
1296
1297	struct pfioc_altq {
1298	u_int32_t action;
1299	u_int32_t ticket;
1300	u_int32_t nr;
1301	struct pf_altq altq;
1302	};
1303
1304	struct pfioc_qstats {
1305	u_int32_t ticket;
1306	u_int32_t nr;
1307	void *buf;
1308	int nbytes;
1309	u_int8_t scheduler;
1310	};
1311
1312	struct pfioc_ruleset {
1313	u_int32_t nr;
1314	char path[MAXPATHLEN];
1315	char name[PF_ANCHOR_NAME_SIZE];
1316	};
1317
1318	#define PF_RULESET_ALTQ (PF_RULESET_MAX)
1319	#define PF_RULESET_TABLE (PF_RULESET_MAX+1)
1320	struct pfioc_trans {
1321	int size; /* number of elements */
1322	int esize; /* size of each element in bytes */
1323	struct pfioc_trans_e {
1324	int rs_num;
1325	char anchor[MAXPATHLEN];
1326	u_int32_t ticket;
1327	} *array;
1328	};
1329
1330	#define PFR_FLAG_ATOMIC 0x00000001 /* unused */
1331	#define PFR_FLAG_DUMMY 0x00000002
1332	#define PFR_FLAG_FEEDBACK 0x00000004
1333	#define PFR_FLAG_CLSTATS 0x00000008
1334	#define PFR_FLAG_ADDRSTOO 0x00000010
1335	#define PFR_FLAG_REPLACE 0x00000020
1336	#define PFR_FLAG_ALLRSETS 0x00000040
1337	#define PFR_FLAG_ALLMASK 0x0000007F
1338	#ifdef _KERNEL
1339	#define PFR_FLAG_USERIOCTL 0x10000000
1340	#endif
1341
1342	struct pfioc_table {
1343	struct pfr_table pfrio_table;
1344	void *pfrio_buffer;
1345	int pfrio_esize;
1346	int pfrio_size;
1347	int pfrio_size2;
1348	int pfrio_nadd;
1349	int pfrio_ndel;
1350	int pfrio_nchange;
1351	int pfrio_flags;
1352	u_int32_t pfrio_ticket;
1353	};
1354	#define pfrio_exists pfrio_nadd
1355	#define pfrio_nzero pfrio_nadd
1356	#define pfrio_nmatch pfrio_nadd
1357	#define pfrio_naddr pfrio_size2
1358	#define pfrio_setflag pfrio_size2
1359	#define pfrio_clrflag pfrio_nadd
1360
1361	struct pfioc_iface {
1362	char pfiio_name[IFNAMSIZ];
1363	void *pfiio_buffer;
1364	int pfiio_esize;
1365	int pfiio_size;
1366	int pfiio_nzero;
1367	int pfiio_flags;
1368	};
1369
1370
1371	/*
1372	* ioctl operations
1373	*/
1374
1375	#define DIOCSTART _IO ('D', 1)
1376	#define DIOCSTOP _IO ('D', 2)
1377	#define DIOCADDRULE _IOWR('D', 4, struct pfioc_rule)
1378	#define DIOCGETRULES _IOWR('D', 6, struct pfioc_rule)
1379	#define DIOCGETRULE _IOWR('D', 7, struct pfioc_rule)
1380	/* XXX cut 8 - 17 */
1381	#define DIOCCLRSTATES _IOWR('D', 18, struct pfioc_state_kill)
1382	#define DIOCGETSTATE _IOWR('D', 19, struct pfioc_state)
1383	#define DIOCSETSTATUSIF _IOWR('D', 20, struct pfioc_if)
1384	#define DIOCGETSTATUS _IOWR('D', 21, struct pf_status)
1385	#define DIOCCLRSTATUS _IO ('D', 22)
1386	#define DIOCNATLOOK _IOWR('D', 23, struct pfioc_natlook)
1387	#define DIOCSETDEBUG _IOWR('D', 24, u_int32_t)
1388	#define DIOCGETSTATES _IOWR('D', 25, struct pfioc_states)
1389	#define DIOCCHANGERULE _IOWR('D', 26, struct pfioc_rule)
1390	/* XXX cut 26 - 28 */
1391	#define DIOCSETTIMEOUT _IOWR('D', 29, struct pfioc_tm)
1392	#define DIOCGETTIMEOUT _IOWR('D', 30, struct pfioc_tm)
1393	#define DIOCADDSTATE _IOWR('D', 37, struct pfioc_state)
1394	#define DIOCCLRRULECTRS _IO ('D', 38)
1395	#define DIOCGETLIMIT _IOWR('D', 39, struct pfioc_limit)
1396	#define DIOCSETLIMIT _IOWR('D', 40, struct pfioc_limit)
1397	#define DIOCKILLSTATES _IOWR('D', 41, struct pfioc_state_kill)
1398	#define DIOCSTARTALTQ _IO ('D', 42)
1399	#define DIOCSTOPALTQ _IO ('D', 43)
1400	#define DIOCADDALTQ _IOWR('D', 45, struct pfioc_altq)
1401	#define DIOCGETALTQS _IOWR('D', 47, struct pfioc_altq)
1402	#define DIOCGETALTQ _IOWR('D', 48, struct pfioc_altq)
1403	#define DIOCCHANGEALTQ _IOWR('D', 49, struct pfioc_altq)
1404	#define DIOCGETQSTATS _IOWR('D', 50, struct pfioc_qstats)
1405	#define DIOCBEGINADDRS _IOWR('D', 51, struct pfioc_pooladdr)
1406	#define DIOCADDADDR _IOWR('D', 52, struct pfioc_pooladdr)
1407	#define DIOCGETADDRS _IOWR('D', 53, struct pfioc_pooladdr)
1408	#define DIOCGETADDR _IOWR('D', 54, struct pfioc_pooladdr)
1409	#define DIOCCHANGEADDR _IOWR('D', 55, struct pfioc_pooladdr)
1410	/* XXX cut 55 - 57 */
1411	#define DIOCGETRULESETS _IOWR('D', 58, struct pfioc_ruleset)
1412	#define DIOCGETRULESET _IOWR('D', 59, struct pfioc_ruleset)
1413	#define DIOCRCLRTABLES _IOWR('D', 60, struct pfioc_table)
1414	#define DIOCRADDTABLES _IOWR('D', 61, struct pfioc_table)
1415	#define DIOCRDELTABLES _IOWR('D', 62, struct pfioc_table)
1416	#define DIOCRGETTABLES _IOWR('D', 63, struct pfioc_table)
1417	#define DIOCRGETTSTATS _IOWR('D', 64, struct pfioc_table)
1418	#define DIOCRCLRTSTATS _IOWR('D', 65, struct pfioc_table)
1419	#define DIOCRCLRADDRS _IOWR('D', 66, struct pfioc_table)
1420	#define DIOCRADDADDRS _IOWR('D', 67, struct pfioc_table)
1421	#define DIOCRDELADDRS _IOWR('D', 68, struct pfioc_table)
1422	#define DIOCRSETADDRS _IOWR('D', 69, struct pfioc_table)
1423	#define DIOCRGETADDRS _IOWR('D', 70, struct pfioc_table)
1424	#define DIOCRGETASTATS _IOWR('D', 71, struct pfioc_table)
1425	#define DIOCRCLRASTATS _IOWR('D', 72, struct pfioc_table)
1426	#define DIOCRTSTADDRS _IOWR('D', 73, struct pfioc_table)
1427	#define DIOCRSETTFLAGS _IOWR('D', 74, struct pfioc_table)
1428	#define DIOCRINADEFINE _IOWR('D', 77, struct pfioc_table)
1429	#define DIOCOSFPFLUSH _IO('D', 78)
1430	#define DIOCOSFPADD _IOWR('D', 79, struct pf_osfp_ioctl)
1431	#define DIOCOSFPGET _IOWR('D', 80, struct pf_osfp_ioctl)
1432	#define DIOCXBEGIN _IOWR('D', 81, struct pfioc_trans)
1433	#define DIOCXCOMMIT _IOWR('D', 82, struct pfioc_trans)
1434	#define DIOCXROLLBACK _IOWR('D', 83, struct pfioc_trans)
1435	#define DIOCGETSRCNODES _IOWR('D', 84, struct pfioc_src_nodes)
1436	#define DIOCCLRSRCNODES _IO('D', 85)
1437	#define DIOCSETHOSTID _IOWR('D', 86, u_int32_t)
1438	#define DIOCIGETIFACES _IOWR('D', 87, struct pfioc_iface)
1439	#define DIOCSETIFFLAG _IOWR('D', 89, struct pfioc_iface)
1440	#define DIOCCLRIFFLAG _IOWR('D', 90, struct pfioc_iface)
1441	#define DIOCKILLSRCNODES _IOWR('D', 91, struct pfioc_src_node_kill)
1442	struct pf_ifspeed {
1443	char ifname[IFNAMSIZ];
1444	u_int32_t baudrate;
1445	};
1446	#define DIOCGIFSPEED _IOWR('D', 92, struct pf_ifspeed)
1447
1448	#ifdef _KERNEL
1449	LIST_HEAD(pf_src_node_list, pf_src_node);
1450	struct pf_srchash {
1451	struct pf_src_node_list nodes;
1452	struct mtx lock;
1453	};
1454
1455	struct pf_keyhash {
1456	LIST_HEAD(, pf_state_key) keys;
1457	struct mtx lock;
1458	};
1459
1460	struct pf_idhash {
1461	LIST_HEAD(, pf_state) states;
1462	struct mtx lock;
1463	};
1464
1465	extern u_long pf_hashmask;
1466	extern u_long pf_srchashmask;
1467	#define PF_HASHSIZ (32768)
1468	VNET_DECLARE(struct pf_keyhash *, pf_keyhash);
1469	VNET_DECLARE(struct pf_idhash *, pf_idhash);
1470	#define V_pf_keyhash VNET(pf_keyhash)
1471	#define V_pf_idhash VNET(pf_idhash)
1472	VNET_DECLARE(struct pf_srchash *, pf_srchash);
1473	#define V_pf_srchash VNET(pf_srchash)
1474
1475	#define PF_IDHASH(s) (be64toh((s)->id) % (pf_hashmask + 1))
1476
1477	VNET_DECLARE(void *, pf_swi_cookie);
1478	#define V_pf_swi_cookie VNET(pf_swi_cookie)
1479
1480	VNET_DECLARE(uint64_t, pf_stateid[MAXCPU]);
1481	#define V_pf_stateid VNET(pf_stateid)
1482
1483	TAILQ_HEAD(pf_altqqueue, pf_altq);
1484	VNET_DECLARE(struct pf_altqqueue, pf_altqs[2]);
1485	#define V_pf_altqs VNET(pf_altqs)
1486	VNET_DECLARE(struct pf_palist, pf_pabuf);
1487	#define V_pf_pabuf VNET(pf_pabuf)
1488
1489	VNET_DECLARE(u_int32_t, ticket_altqs_active);
1490	#define V_ticket_altqs_active VNET(ticket_altqs_active)
1491	VNET_DECLARE(u_int32_t, ticket_altqs_inactive);
1492	#define V_ticket_altqs_inactive VNET(ticket_altqs_inactive)
1493	VNET_DECLARE(int, altqs_inactive_open);
1494	#define V_altqs_inactive_open VNET(altqs_inactive_open)
1495	VNET_DECLARE(u_int32_t, ticket_pabuf);
1496	#define V_ticket_pabuf VNET(ticket_pabuf)
1497	VNET_DECLARE(struct pf_altqqueue *, pf_altqs_active);
1498	#define V_pf_altqs_active VNET(pf_altqs_active)
1499	VNET_DECLARE(struct pf_altqqueue *, pf_altqs_inactive);
1500	#define V_pf_altqs_inactive VNET(pf_altqs_inactive)
1501
1502	VNET_DECLARE(struct pf_rulequeue, pf_unlinked_rules);
1503	#define V_pf_unlinked_rules VNET(pf_unlinked_rules)
1504
1505	void pf_initialize(void);
1506	void pf_mtag_initialize(void);
1507	void pf_mtag_cleanup(void);
1508	void pf_cleanup(void);
1509
1510	struct pf_mtag pf_get_mtag(struct mbuf );
1511
1512	extern void pf_calc_skip_steps(struct pf_rulequeue *);
1513	#ifdef ALTQ
1514	extern void pf_altq_ifnet_event(struct ifnet *, int);
1515	#endif
1516	VNET_DECLARE(uma_zone_t, pf_state_z);
1517	#define V_pf_state_z VNET(pf_state_z)
1518	VNET_DECLARE(uma_zone_t, pf_state_key_z);
1519	#define V_pf_state_key_z VNET(pf_state_key_z)
1520	VNET_DECLARE(uma_zone_t, pf_state_scrub_z);
1521	#define V_pf_state_scrub_z VNET(pf_state_scrub_z)
1522
1523	extern void pf_purge_thread(void *);
1524	extern void pf_unload_vnet_purge(void);
1525	extern void pf_intr(void *);
1526	extern void pf_purge_expired_src_nodes(void);
1527
1528	extern int pf_unlink_state(struct pf_state *, u_int);
1529	#define PF_ENTER_LOCKED 0x00000001
1530	#define PF_RETURN_LOCKED 0x00000002
1531	extern int pf_state_insert(struct pfi_kif *,
1532	struct pf_state_key *,
1533	struct pf_state_key *,
1534	struct pf_state *);
1535	extern void pf_free_state(struct pf_state *);
1536
1537	static __inline void
1538	pf_ref_state(struct pf_state *s)
1539	{
1540
1541	refcount_acquire(&s->refs);
1542	}
1543
1544	static __inline int
1545	pf_release_state(struct pf_state *s)
1546	{
1547
1548	if (refcount_release(&s->refs)) {
1549	pf_free_state(s);
1550	return (1);
1551	} else
1552	return (0);
1553	}
1554
1555	extern struct pf_state *pf_find_state_byid(uint64_t, uint32_t);
1556	extern struct pf_state pf_find_state_all(struct pf_state_key_cmp ,
1557	u_int, int *);
1558	extern struct pf_src_node pf_find_src_node(struct pf_addr ,
1559	struct pf_rule *, sa_family_t, int);
1560	extern void pf_unlink_src_node(struct pf_src_node *);
1561	extern u_int pf_free_src_nodes(struct pf_src_node_list *);
1562	extern void pf_print_state(struct pf_state *);
1563	extern void pf_print_flags(u_int8_t);
1564	extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
1565	u_int8_t);
1566	extern u_int16_t pf_proto_cksum_fixup(struct mbuf *, u_int16_t,
1567	u_int16_t, u_int16_t, u_int8_t);
1568
1569	VNET_DECLARE(struct ifnet *, sync_ifp);
1570	#define V_sync_ifp VNET(sync_ifp);
1571	VNET_DECLARE(struct pf_rule, pf_default_rule);
1572	#define V_pf_default_rule VNET(pf_default_rule)
1573	extern void pf_addrcpy(struct pf_addr , struct pf_addr ,
1574	u_int8_t);
1575	void pf_free_rule(struct pf_rule *);
1576
1577	#ifdef INET
1578	int pf_test(int, struct ifnet , struct mbuf , struct inpcb );
1579	int pf_normalize_ip(struct mbuf *, int, struct pfi_kif , u_short *,
1580	struct pf_pdesc *);
1581	#endif /* INET */
1582
1583	#ifdef INET6
1584	int pf_test6(int, struct ifnet , struct mbuf , struct inpcb );
1585	int pf_normalize_ip6(struct mbuf *, int, struct pfi_kif , u_short *,
1586	struct pf_pdesc *);
1587	void pf_poolmask(struct pf_addr , struct pf_addr,
1588	struct pf_addr , struct pf_addr , u_int8_t);
1589	void pf_addr_inc(struct pf_addr *, sa_family_t);
1590	int pf_refragment6(struct ifnet , struct mbuf , struct m_tag );
1591	#endif /* INET6 */
1592
1593	u_int32_t pf_new_isn(struct pf_state *);
1594	void pf_pull_hdr(struct mbuf , int, void , int, u_short , u_short *,
1595	sa_family_t);
1596	void pf_change_a(void , u_int16_t , u_int32_t, u_int8_t);
1597	void pf_change_proto_a(struct mbuf , void , u_int16_t *, u_int32_t,
1598	u_int8_t);
1599	void pf_change_tcp_a(struct mbuf , void , u_int16_t *, u_int32_t);
1600	void pf_send_deferred_syn(struct pf_state *);
1601	int pf_match_addr(u_int8_t, struct pf_addr , struct pf_addr ,
1602	struct pf_addr *, sa_family_t);
1603	int pf_match_addr_range(struct pf_addr , struct pf_addr ,
1604	struct pf_addr *, sa_family_t);
1605	int pf_match_port(u_int8_t, u_int16_t, u_int16_t, u_int16_t);
1606
1607	void pf_normalize_init(void);
1608	void pf_normalize_cleanup(void);
1609	int pf_normalize_tcp(int, struct pfi_kif , struct mbuf , int, int, void *,
1610	struct pf_pdesc *);
1611	void pf_normalize_tcp_cleanup(struct pf_state *);
1612	int pf_normalize_tcp_init(struct mbuf , int, struct pf_pdesc ,
1613	struct tcphdr , struct pf_state_peer , struct pf_state_peer *);
1614	int pf_normalize_tcp_stateful(struct mbuf , int, struct pf_pdesc ,
1615	u_short , struct tcphdr , struct pf_state *,
1616	struct pf_state_peer , struct pf_state_peer , int *);
1617	u_int32_t
1618	pf_state_expires(const struct pf_state *);
1619	void pf_purge_expired_fragments(void);
1620	int pf_routable(struct pf_addr addr, sa_family_t af, struct pfi_kif ,
1621	int);
1622	int pf_socket_lookup(int, struct pf_pdesc , struct mbuf );
1623	struct pf_state_key *pf_alloc_state_key(int);
1624	void pfr_initialize(void);
1625	void pfr_cleanup(void);
1626	int pfr_match_addr(struct pfr_ktable , struct pf_addr , sa_family_t);
1627	void pfr_update_stats(struct pfr_ktable , struct pf_addr , sa_family_t,
1628	u_int64_t, int, int, int);
1629	int pfr_pool_get(struct pfr_ktable , int , struct pf_addr *, sa_family_t);
1630	void pfr_dynaddr_update(struct pfr_ktable , struct pfi_dynaddr );
1631	struct pfr_ktable *
1632	pfr_attach_table(struct pf_ruleset , char );
1633	void pfr_detach_table(struct pfr_ktable *);
1634	int pfr_clr_tables(struct pfr_table , int , int);
1635	int pfr_add_tables(struct pfr_table , int, int , int);
1636	int pfr_del_tables(struct pfr_table , int, int , int);
1637	int pfr_get_tables(struct pfr_table , struct pfr_table , int *, int);
1638	int pfr_get_tstats(struct pfr_table , struct pfr_tstats , int *, int);
1639	int pfr_clr_tstats(struct pfr_table , int, int , int);
1640	int pfr_set_tflags(struct pfr_table , int, int, int, int , int *, int);
1641	int pfr_clr_addrs(struct pfr_table , int , int);
1642	int pfr_insert_kentry(struct pfr_ktable , struct pfr_addr , long);
1643	int pfr_add_addrs(struct pfr_table , struct pfr_addr , int, int *,
1644	int);
1645	int pfr_del_addrs(struct pfr_table , struct pfr_addr , int, int *,
1646	int);
1647	int pfr_set_addrs(struct pfr_table , struct pfr_addr , int, int *,
1648	int , int , int *, int, u_int32_t);
1649	int pfr_get_addrs(struct pfr_table , struct pfr_addr , int *, int);
1650	int pfr_get_astats(struct pfr_table , struct pfr_astats , int *, int);
1651	int pfr_clr_astats(struct pfr_table , struct pfr_addr , int, int *,
1652	int);
1653	int pfr_tst_addrs(struct pfr_table , struct pfr_addr , int, int *,
1654	int);
1655	int pfr_ina_begin(struct pfr_table , u_int32_t , int *, int);
1656	int pfr_ina_rollback(struct pfr_table , u_int32_t, int , int);
1657	int pfr_ina_commit(struct pfr_table , u_int32_t, int , int *, int);
1658	int pfr_ina_define(struct pfr_table , struct pfr_addr , int, int *,
1659	int *, u_int32_t, int);
1660
1661	MALLOC_DECLARE(PFI_MTYPE);
1662	VNET_DECLARE(struct pfi_kif *, pfi_all);
1663	#define V_pfi_all VNET(pfi_all)
1664
1665	void pfi_initialize(void);
1666	void pfi_initialize_vnet(void);
1667	void pfi_cleanup(void);
1668	void pfi_cleanup_vnet(void);
1669	void pfi_kif_ref(struct pfi_kif *);
1670	void pfi_kif_unref(struct pfi_kif *);
1671	struct pfi_kif pfi_kif_find(const char );
1672	struct pfi_kif pfi_kif_attach(struct pfi_kif , const char *);
1673	int pfi_kif_match(struct pfi_kif , struct pfi_kif );
1674	void pfi_kif_purge(void);
1675	int pfi_match_addr(struct pfi_dynaddr , struct pf_addr ,
1676	sa_family_t);
1677	int pfi_dynaddr_setup(struct pf_addr_wrap *, sa_family_t);
1678	void pfi_dynaddr_remove(struct pfi_dynaddr *);
1679	void pfi_dynaddr_copyout(struct pf_addr_wrap *);
1680	void pfi_update_status(const char , struct pf_status );
1681	void pfi_get_ifaces(const char , struct pfi_kif , int *);
1682	int pfi_set_flags(const char *, int);
1683	int pfi_clear_flags(const char *, int);
1684
1685	int pf_match_tag(struct mbuf , struct pf_rule , int *, int);
1686	int pf_tag_packet(struct mbuf , struct pf_pdesc , int);
1687	int pf_addr_cmp(struct pf_addr , struct pf_addr ,
1688	sa_family_t);
1689	void pf_qid2qname(u_int32_t, char *);
1690
1691	VNET_DECLARE(struct pf_kstatus, pf_status);
1692	#define V_pf_status VNET(pf_status)
1693
1694	struct pf_limit {
1695	uma_zone_t zone;
1696	u_int limit;
1697	};
1698	VNET_DECLARE(struct pf_limit, pf_limits[PF_LIMIT_MAX]);
1699	#define V_pf_limits VNET(pf_limits)
1700
1701	#endif /* _KERNEL */
1702
1703	#ifdef _KERNEL
1704	VNET_DECLARE(struct pf_anchor_global, pf_anchors);
1705	#define V_pf_anchors VNET(pf_anchors)
1706	VNET_DECLARE(struct pf_anchor, pf_main_anchor);
1707	#define V_pf_main_anchor VNET(pf_main_anchor)
1708	#define pf_main_ruleset V_pf_main_anchor.ruleset
1709	#endif
1710
1711	/* these ruleset functions can be linked into userland programs (pfctl) */
1712	int pf_get_ruleset_number(u_int8_t);
1713	void pf_init_ruleset(struct pf_ruleset *);
1714	int pf_anchor_setup(struct pf_rule *,
1715	const struct pf_ruleset , const char );
1716	int pf_anchor_copyout(const struct pf_ruleset *,
1717	const struct pf_rule , struct pfioc_rule );
1718	void pf_anchor_remove(struct pf_rule *);
1719	void pf_remove_if_empty_ruleset(struct pf_ruleset *);
1720	struct pf_ruleset pf_find_ruleset(const char );
1721	struct pf_ruleset pf_find_or_create_ruleset(const char );
1722	void pf_rs_initialize(void);
1723
1724	/* The fingerprint functions can be linked into userland programs (tcpdump) */
1725	int pf_osfp_add(struct pf_osfp_ioctl *);
1726	#ifdef _KERNEL
1727	struct pf_osfp_enlist *
1728	pf_osfp_fingerprint(struct pf_pdesc , struct mbuf , int,
1729	const struct tcphdr *);
1730	#endif /* _KERNEL */
1731	void pf_osfp_flush(void);
1732	int pf_osfp_get(struct pf_osfp_ioctl *);
1733	int pf_osfp_match(struct pf_osfp_enlist *, pf_osfp_t);
1734
1735	#ifdef _KERNEL
1736	void pf_print_host(struct pf_addr *, u_int16_t, u_int8_t);
1737
1738	void pf_step_into_anchor(struct pf_anchor_stackframe , int ,
1739	struct pf_ruleset , int, struct pf_rule ,
1740	struct pf_rule *, int );
1741	int pf_step_out_of_anchor(struct pf_anchor_stackframe , int ,
1742	struct pf_ruleset , int, struct pf_rule ,
1743	struct pf_rule *, int );
1744
1745	int pf_map_addr(u_int8_t, struct pf_rule *,
1746	struct pf_addr , struct pf_addr ,
1747	struct pf_addr , struct pf_src_node *);
1748	struct pf_rule pf_get_translation(struct pf_pdesc , struct mbuf *,
1749	int, int, struct pfi_kif , struct pf_src_node *,
1750	struct pf_state_key , struct pf_state_key ,
1751	struct pf_addr , struct pf_addr ,
1752	uint16_t, uint16_t, struct pf_anchor_stackframe *);
1753
1754	struct pf_state_key pf_state_key_setup(struct pf_pdesc , struct pf_addr *,
1755	struct pf_addr *, u_int16_t, u_int16_t);
1756	struct pf_state_key pf_state_key_clone(struct pf_state_key );
1757	#endif /* _KERNEL */
1758
1759	#endif /* _NET_PFVAR_H_ */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: rtems-libbsd/freebsd/sys/net/pfvar.h @ 6d9d7b1

Download in other formats: