1/* $NetBSD: npf.h,v 1.47 2014/08/10 19:09:43 rmind Exp $ */
2
3/*-
4 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
5 * All rights reserved.
6 *
7 * This material is based upon work partially supported by The
8 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 * 1. Redistributions of source code must retain the above copyright
14 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
20 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
21 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
22 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
23 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
24 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
25 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
26 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
27 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32/*
33 * Public NPF interfaces.
34 */
35
36#ifndef _NPF_NET_H_
37#define _NPF_NET_H_
38
39#include <sys/param.h>
40#include <sys/types.h>
41
42#include <sys/ioctl.h>
43#include <prop/proplib.h>
44
45#include <netinet/in_systm.h>
46#include <netinet/in.h>
47
/*
 * Interface version.  Presumably what the IOC_NPF_VERSION ioctl (below)
 * reports, so userland can detect a kernel/library mismatch -- confirm.
 */
#define	NPF_VERSION		17

/*
 * Public declarations and definitions.
 */

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * An IPv4 address lives in the same 16-byte in6_addr container as an
 * IPv6 one; the real length is carried separately by whoever holds the
 * address (npc_alen in npf_cache_t, alen in npf_ioctl_ent_t below).
 */
typedef struct in6_addr		npf_addr_t;
typedef uint8_t			npf_netmask_t;

/* Longest valid prefix length (an IPv6 /128). */
#define	NPF_MAX_NETMASK		(128)

/*
 * Sentinel meaning "no netmask".  Expands to 255 in an 8-bit type, i.e.
 * outside 0..NPF_MAX_NETMASK, so it can never collide with a real
 * prefix length.
 */
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)
60
/*
 * BPF coprocessor.
 *
 * NPF_COP_* are the coprocessor function numbers and BPF_MW_* the
 * indices of the BPF memory words (by name: IP version, L4 offset,
 * L4 protocol) -- only exposed when NPF_BPFCOP is defined.
 */
#if defined(NPF_BPFCOP)
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif
/*
 * The number of words used.  Defined unconditionally and must stay
 * large enough to cover every BPF_MW_* index above (currently 0..2).
 */
#define	NPF_BPF_NWORDS		3
72
73#if defined(_KERNEL)
74
/* Decision values (block / pass); cf. the int * argument of proc() below. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare a loadable NPF extension module.
 *
 * 'req' must be a string literal, since sizeof is applied to it: a
 * non-empty string yields the dependency list "npf,<req>", the empty
 * string "" yields just "npf".
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")
80
81#include <net/if.h>
82#include <netinet/ip.h>
83#include <netinet/ip6.h>
84#include <netinet/tcp.h>
85#include <netinet/udp.h>
86#include <netinet/ip_icmp.h>
87#include <netinet/icmp6.h>
88
/*
 * Network buffer interface.
 *
 * An nbuf_t is a cursor over an mbuf chain: it remembers the chain,
 * the mbuf and data pointer currently being looked at, and the
 * interface the packet is associated with.
 */

/* nb_flags bit; by name, set once the data reference has been reset. */
#define	NBUF_DATAREF_RESET	0x01

typedef struct {
	struct mbuf *	nb_mbuf0;	/* presumably the head of the chain (cf. nbuf_head_mbuf()) -- confirm */
	struct mbuf *	nb_mbuf;	/* mbuf the cursor is currently in */
	void *		nb_nptr;	/* current data pointer (cf. nbuf_dataptr()) */
	const ifnet_t *	nb_ifp;		/* interface the packet belongs to */
	unsigned	nb_ifid;	/* interface id */
	int		nb_flags;	/* NBUF_* flags (cf. nbuf_flag_p()) */
} nbuf_t;
103
/*
 * Lifecycle: bind an nbuf to an mbuf chain received on an interface,
 * reset the cursor, and get the head mbuf back.
 */
void		nbuf_init(nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

/* Query and clear NBUF_* flags (nb_flags). */
bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

/*
 * Cursor access: current data pointer, current offset, and advancing
 * the cursor.  The two size_t arguments of nbuf_advance() are not
 * documented here; presumably the distance to move and the number of
 * bytes that must be available at the new position -- confirm.
 */
void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Make the given number of bytes at the cursor contiguous / writable.
 * NOTE(review): both return a data pointer and can presumably fail
 * (returning NULL); callers must check before dereferencing -- confirm
 * against the implementation.
 */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

/* Checksum barrier and mbuf packet tags (cf. PACKET_TAG_NPF below). */
bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t, void **);
121
/*
 * Packet information cache.
 *
 * npc_info bits of npf_cache_t: 0x01..0x08 describe layer 3, 0x10..0x80
 * describe layer 4, 0x100 is ALG state.  A layer 4 header pointer in the
 * cache is only meaningful once NPC_LAYER4 is set.
 */

#define	NPC_IP4		0x01	/* Indicates IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

/* Either IP version: use with npf_iscached() to test "is IP at all". */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)
139
typedef struct {
	/* Information flags (NPC_*) and the nbuf being inspected. */
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * npc_ips[] is indexed with NPF_SRC (0) and NPF_DST (1),
	 * defined below.  NOTE(review): these presumably point into
	 * the packet data and are only valid until the nbuf is
	 * modified or reset -- confirm.
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint8_t		npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6: which member applies follows NPC_IP4 / NPC_IP6. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/*
	 * TCP, UDP, ICMP: which member applies follows NPC_TCP / NPC_UDP /
	 * NPC_ICMP (and NPC_IP4 vs NPC_IP6 for icmp vs icmp6); 'hdr' is the
	 * untyped view of the same pointer.
	 */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;
} npf_cache_t;
171
/*
 * Return true if all of the NPC_* bits in 'inf' that are set ... or,
 * more precisely, if any of the bits in 'inf' are present in the
 * cache's npc_info.  The cache must be bound to an nbuf.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);

	/* Same usual-arithmetic-conversion result as npc_info & inf. */
	const uint32_t present = npc->npc_info & (uint32_t)inf;
	return __predict_true(present != 0);
}
178
/* Indices into npf_cache_t::npc_ips[] (source, destination). */
#define	NPF_SRC		0
#define	NPF_DST		1
181
/*
 * NPF extensions and rule procedure interface.
 */

/* Opaque rule procedure; only the kernel sees the definition. */
struct npf_rproc;
typedef struct npf_rproc npf_rproc_t;

/*
 * Attach an extension-private pointer to a rule procedure.  Presumably
 * the value later passed back as the void * argument of dtor()/proc()
 * in npf_ext_ops_t -- confirm.
 */
void		npf_rproc_assign(npf_rproc_t *, void *);
190
/*
 * Operations supplied by an extension when it registers.
 *
 * ctor receives the rule procedure and a property dictionary (the
 * configuration handed over from userland via plist); dtor receives the
 * per-rproc pointer; proc is called per packet with the cache, the
 * per-rproc pointer, and an int * which is likely the NPF_DECISION_*
 * value it may override -- confirm.  NOTE(review): the dictionary
 * contents originate from userland, so ctor must validate every value
 * it reads.
 */
typedef struct {
	unsigned int	version;
	void *		ctx;
	int		(*ctor)(npf_rproc_t *, prop_dictionary_t);
	void		(*dtor)(npf_rproc_t *, void *);
	bool		(*proc)(npf_cache_t *, void *, int *);
} npf_ext_ops_t;
198
/*
 * Register an extension under a name; the returned handle is what
 * npf_ext_unregister() takes back.  The ops structure is passed as const
 * and presumably must stay valid while registered -- confirm.
 */
void *		npf_ext_register(const char *, const npf_ext_ops_t *);
int		npf_ext_unregister(void *);
201
/*
 * Misc.
 */

/* Predicate: whether the module may currently be auto-unloaded. */
bool		npf_autounload_p(void);
207
208#endif /* _KERNEL */
209
/*
 * Rule attributes (bit flags).
 *
 * 0x00000001..0x00000080 are rule properties, 0x10000000..0x40000000
 * are direction/forwarding bits, and 0x0f000000 is reserved for the
 * kernel (NPF_RULE_PRIVMASK).  Any new public bit must stay outside
 * the private mask, and the loader should reject user-supplied rules
 * that have private bits set.
 */
#define	NPF_RULE_PASS			0x00000001
#define	NPF_RULE_GROUP			0x00000002
#define	NPF_RULE_FINAL			0x00000004
#define	NPF_RULE_STATEFUL		0x00000008
#define	NPF_RULE_RETRST			0x00000010
#define	NPF_RULE_RETICMP		0x00000020
#define	NPF_RULE_DYNAMIC		0x00000040
#define	NPF_RULE_MULTIENDS		0x00000080

/* A group whose rules may be changed at run time. */
#define	NPF_DYNAMIC_GROUP		(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

#define	NPF_RULE_IN			0x10000000
#define	NPF_RULE_OUT			0x20000000
#define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW			0x40000000

/* Private range of rule attributes (not public and should not be set). */
#define	NPF_RULE_PRIVMASK		0x0f000000

/* Fixed upper bounds on rule name and key sizes. */
#define	NPF_RULE_MAXNAMELEN		64
#define	NPF_RULE_MAXKEYLEN		32
232
/*
 * Priority values.  Negative sentinels meaning "first" / "last";
 * non-negative values are ordinary priorities.
 */
#define	NPF_PRI_FIRST			(-2)
#define	NPF_PRI_LAST			(-1)

/* Types of code: n-code or BPF. */
#define	NPF_CODE_NC			1
#define	NPF_CODE_BPF			2
240
/* Address translation types and flags. */

/* NAT direction. */
#define	NPF_NATIN			1
#define	NPF_NATOUT			2

/* NAT flags (bit mask). */
#define	NPF_NAT_PORTS			0x01
#define	NPF_NAT_PORTMAP			0x02
#define	NPF_NAT_STATIC			0x04

/* NAT algorithm: IPv6-to-IPv6 network prefix translation. */
#define	NPF_ALGO_NPT66			1
250
/* Table types (hash, tree, cdb). */
#define	NPF_TABLE_HASH			1
#define	NPF_TABLE_TREE			2
#define	NPF_TABLE_CDB			3

/* Fixed upper bound on a table name. */
#define	NPF_TABLE_MAXNAMELEN		32
257
/* Layers. */
#define	NPF_LAYER_2			2
#define	NPF_LAYER_3			3

/*
 * XXX mbuf.h: just for now.
 * Packet tag type used by nbuf_add_tag()/nbuf_find_tag(); the value
 * should eventually be allocated centrally in mbuf.h.
 */
#define	PACKET_TAG_NPF			10
264
/*
 * Rule commands (non-ioctl).
 *
 * These share numeric values with the NPF_CMD_TABLE_* commands below,
 * so a command number is only meaningful together with its family.
 */

#define	NPF_CMD_RULE_ADD		1
#define	NPF_CMD_RULE_INSERT		2
#define	NPF_CMD_RULE_REMOVE		3
#define	NPF_CMD_RULE_REMKEY		4
#define	NPF_CMD_RULE_LIST		5
#define	NPF_CMD_RULE_FLUSH		6
275
/*
 * NPF ioctl(2): table commands and structures.
 *
 * Command values for npf_ioctl_table_t::nct_cmd (IOC_NPF_TABLE).
 * They overlap numerically with NPF_CMD_RULE_*; do not mix the families.
 */

#define	NPF_CMD_TABLE_LOOKUP		1
#define	NPF_CMD_TABLE_ADD		2
#define	NPF_CMD_TABLE_REMOVE		3
#define	NPF_CMD_TABLE_LIST		4
#define	NPF_CMD_TABLE_FLUSH		5
285
/*
 * One table entry as passed from userland.
 *
 * NOTE(review): alen is a signed int supplied by the caller; the kernel
 * side must reject values other than the supported address lengths
 * (4 or 16, cf. npc_alen) before using it as a copy length, and check
 * mask against NPF_MAX_NETMASK / NPF_NO_NETMASK -- confirm in the
 * handler.
 */
typedef struct npf_ioctl_ent {
	int		alen;
	npf_addr_t	addr;
	npf_netmask_t	mask;
} npf_ioctl_ent_t;
291
/*
 * Caller-provided buffer.  The enclosing npf_ioctl_table is copied by
 * the ioctl layer, but 'buf' is still a pointer into the caller's
 * address space: it must be accessed with copyin/copyout, bounded by
 * 'len', never dereferenced directly.
 */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;
296
/*
 * Argument of IOC_NPF_TABLE.
 *
 * nct_cmd is one of NPF_CMD_TABLE_* and selects which nct_data member
 * is in use (presumably 'ent' for lookup/add/remove and 'buf' for list
 * -- confirm).  nct_name is a pointer into the caller's address space
 * and must be copied in with a bound of NPF_TABLE_MAXNAMELEN.
 */
typedef struct npf_ioctl_table {
	int			nct_cmd;
	const char *		nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;
305
/*
 * IOCTL operations.
 *
 * Number 106 is not defined here.  IOC_NPF_STATS passes a bare user
 * pointer as the argument; presumably it must reference a buffer of at
 * least NPF_STATS_SIZE bytes (defined below) -- confirm.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_LOAD		_IOWR('N', 102, struct plistref)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SAVE		_IOR('N', 105, struct plistref)
#define	IOC_NPF_RULE		_IOWR('N', 107, struct plistref)
317
/*
 * Statistics counters.
 *
 * Each enumerator is an index into an array of uint64_t counters
 * (NPF_STATS_SIZE bytes).  The numeric values are part of the interface
 * exported through IOC_NPF_STATS: add new counters immediately before
 * NPF_STATS_COUNT rather than in the middle, or existing indices shift.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Byte size of the full counter array: one uint64_t per enumerator. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
357
358#endif /* _NPF_NET_H_ */
359