| 1 | /*- |
|---|---|
| 2 | * Copyright (c) 2009-2014 The NetBSD Foundation, Inc. |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * This material is based upon work partially supported by The |
| 6 | * NetBSD Foundation under a contract with Mindaugas Rasiukevicius. |
| 7 | * |
| 8 | * Redistribution and use in source and binary forms, with or without |
| 9 | * modification, are permitted provided that the following conditions |
| 10 | * are met: |
| 11 | * 1. Redistributions of source code must retain the above copyright |
| 12 | * notice, this list of conditions and the following disclaimer. |
| 13 | * 2. Redistributions in binary form must reproduce the above copyright |
| 14 | * notice, this list of conditions and the following disclaimer in the |
| 15 | * documentation and/or other materials provided with the distribution. |
| 16 | * |
| 17 | * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
| 18 | * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
| 19 | * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 20 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
| 21 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 22 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 23 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
| 24 | * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
| 25 | * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 26 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| 27 | * POSSIBILITY OF SUCH DAMAGE. |
| 28 | */ |
| 29 | |
| 30 | /* |
| 31 | * Public NPF interfaces. |
| 32 | */ |
| 33 | |
| 34 | #ifndef _NPF_NET_H_ |
| 35 | #define _NPF_NET_H_ |
| 36 | |
| 37 | #include <sys/param.h> |
| 38 | #include <sys/types.h> |
| 39 | |
| 40 | #define NPF_VERSION 21 |
| 41 | |
| 42 | #if defined(_NPF_STANDALONE) |
| 43 | #include "npf_stand.h" |
| 44 | #else |
| 45 | #include <sys/ioctl.h> |
| 46 | #include <netinet/in_systm.h> |
| 47 | #include <netinet/in.h> |
| 48 | #endif |
| 49 | |
| 50 | struct npf; |
| 51 | typedef struct npf npf_t; |
| 52 | |
| 53 | /* |
| 54 | * Storage of address (both for IPv4 and IPv6) and netmask. |
| 55 | */ |
| 56 | typedef union { |
| 57 | uint8_t word8[16]; |
| 58 | uint16_t word16[8]; |
| 59 | uint32_t word32[4]; |
| 60 | } npf_addr_t; |
| 61 | |
| 62 | typedef uint8_t npf_netmask_t; |
| 63 | |
| 64 | #define NPF_MAX_NETMASK (128) |
| 65 | #define NPF_NO_NETMASK ((npf_netmask_t)~0) |
| 66 | |
| 67 | /* BPF coprocessor. */ |
| 68 | #if defined(NPF_BPFCOP) |
| 69 | #define NPF_COP_L3 0 |
| 70 | #define NPF_COP_TABLE 1 |
| 71 | |
| 72 | #define BPF_MW_IPVER 0 |
| 73 | #define BPF_MW_L4OFF 1 |
| 74 | #define BPF_MW_L4PROTO 2 |
| 75 | #endif |
| 76 | /* The number of words used. */ |
| 77 | #define NPF_BPF_NWORDS 3 |
| 78 | |
| 79 | /* |
| 80 | * In-kernel declarations and definitions. |
| 81 | */ |
| 82 | |
| 83 | #if defined(_KERNEL) || defined(_NPF_STANDALONE) |
| 84 | |
| 85 | #define NPF_DECISION_BLOCK 0 |
| 86 | #define NPF_DECISION_PASS 1 |
| 87 | |
| 88 | #define NPF_EXT_MODULE(name, req) \ |
| 89 | MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf") |
| 90 | |
| 91 | #include <net/if.h> |
| 92 | #include <netinet/ip.h> |
| 93 | #include <netinet/ip6.h> |
| 94 | #include <netinet/tcp.h> |
| 95 | #include <netinet/udp.h> |
| 96 | #include <netinet/ip_icmp.h> |
| 97 | #include <netinet/icmp6.h> |
| 98 | |
| 99 | /* |
| 100 | * Network buffer interface. |
| 101 | */ |
| 102 | |
| 103 | #define NBUF_DATAREF_RESET 0x01 |
| 104 | |
| 105 | struct mbuf; |
| 106 | struct nbuf; |
| 107 | typedef struct nbuf nbuf_t; |
| 108 | |
| 109 | void nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *); |
| 110 | void nbuf_reset(nbuf_t *); |
| 111 | struct mbuf * nbuf_head_mbuf(nbuf_t *); |
| 112 | |
| 113 | bool nbuf_flag_p(const nbuf_t *, int); |
| 114 | void nbuf_unset_flag(nbuf_t *, int); |
| 115 | |
| 116 | void * nbuf_dataptr(nbuf_t *); |
| 117 | size_t nbuf_offset(const nbuf_t *); |
| 118 | void * nbuf_advance(nbuf_t *, size_t, size_t); |
| 119 | |
| 120 | void * nbuf_ensure_contig(nbuf_t *, size_t); |
| 121 | void * nbuf_ensure_writable(nbuf_t *, size_t); |
| 122 | |
| 123 | bool nbuf_cksum_barrier(nbuf_t *, int); |
| 124 | int nbuf_add_tag(nbuf_t *, uint32_t); |
| 125 | int nbuf_find_tag(nbuf_t *, uint32_t *); |
| 126 | |
| 127 | /* |
| 128 | * Packet information cache. |
| 129 | */ |
| 130 | |
| 131 | #define NPC_IP4 0x01 /* Indicates IPv4 header. */ |
| 132 | #define NPC_IP6 0x02 /* Indicates IPv6 header. */ |
| 133 | #define NPC_IPFRAG 0x04 /* IPv4/IPv6 fragment. */ |
| 134 | #define NPC_LAYER4 0x08 /* Layer 4 has been fetched. */ |
| 135 | |
| 136 | #define NPC_TCP 0x10 /* TCP header. */ |
| 137 | #define NPC_UDP 0x20 /* UDP header. */ |
| 138 | #define NPC_ICMP 0x40 /* ICMP header. */ |
| 139 | #define NPC_ICMP_ID 0x80 /* ICMP with query ID. */ |
| 140 | |
| 141 | #define NPC_ALG_EXEC 0x100 /* ALG execution. */ |
| 142 | |
| 143 | #define NPC_FMTERR 0x200 /* Format error. */ |
| 144 | |
| 145 | #define NPC_IP46 (NPC_IP4|NPC_IP6) |
| 146 | |
| 147 | typedef struct { |
| 148 | /* NPF context, information flags and the nbuf. */ |
| 149 | npf_t * npc_ctx; |
| 150 | uint32_t npc_info; |
| 151 | nbuf_t * npc_nbuf; |
| 152 | |
| 153 | /* |
| 154 | * Pointers to the IP source and destination addresses, |
| 155 | * and the address length (4 for IPv4 or 16 for IPv6). |
| 156 | */ |
| 157 | npf_addr_t * npc_ips[2]; |
| 158 | uint8_t npc_alen; |
| 159 | |
| 160 | /* IP header length and L4 protocol. */ |
| 161 | uint32_t npc_hlen; |
| 162 | uint16_t npc_proto; |
| 163 | |
| 164 | /* IPv4, IPv6. */ |
| 165 | union { |
| 166 | struct ip * v4; |
| 167 | struct ip6_hdr * v6; |
| 168 | } npc_ip; |
| 169 | |
| 170 | /* TCP, UDP, ICMP. */ |
| 171 | union { |
| 172 | struct tcphdr * tcp; |
| 173 | struct udphdr * udp; |
| 174 | struct icmp * icmp; |
| 175 | struct icmp6_hdr * icmp6; |
| 176 | void * hdr; |
| 177 | } npc_l4; |
| 178 | } npf_cache_t; |
| 179 | |
| 180 | static inline bool |
| 181 | npf_iscached(const npf_cache_t *npc, const int inf) |
| 182 | { |
| 183 | KASSERT(npc->npc_nbuf != NULL); |
| 184 | return __predict_true((npc->npc_info & inf) != 0); |
| 185 | } |
| 186 | |
| 187 | #define NPF_SRC 0 |
| 188 | #define NPF_DST 1 |
| 189 | |
| 190 | /* |
| 191 | * Misc. |
| 192 | */ |
| 193 | |
| 194 | bool npf_autounload_p(void); |
| 195 | |
| 196 | #endif /* _KERNEL */ |
| 197 | |
| 198 | /* Rule attributes. */ |
| 199 | #define NPF_RULE_PASS 0x00000001 |
| 200 | #define NPF_RULE_GROUP 0x00000002 |
| 201 | #define NPF_RULE_FINAL 0x00000004 |
| 202 | #define NPF_RULE_STATEFUL 0x00000008 |
| 203 | #define NPF_RULE_RETRST 0x00000010 |
| 204 | #define NPF_RULE_RETICMP 0x00000020 |
| 205 | #define NPF_RULE_DYNAMIC 0x00000040 |
| 206 | #define NPF_RULE_MULTIENDS 0x00000080 |
| 207 | |
| 208 | #define NPF_DYNAMIC_GROUP (NPF_RULE_GROUP | NPF_RULE_DYNAMIC) |
| 209 | |
| 210 | #define NPF_RULE_IN 0x10000000 |
| 211 | #define NPF_RULE_OUT 0x20000000 |
| 212 | #define NPF_RULE_DIMASK (NPF_RULE_IN | NPF_RULE_OUT) |
| 213 | #define NPF_RULE_FORW 0x40000000 |
| 214 | |
| 215 | /* Private range of rule attributes (not public and should not be set). */ |
| 216 | #define NPF_RULE_PRIVMASK 0x0f000000 |
| 217 | |
| 218 | #define NPF_RULE_MAXNAMELEN 64 |
| 219 | #define NPF_RULE_MAXKEYLEN 32 |
| 220 | |
| 221 | /* Priority values. */ |
| 222 | #define NPF_PRI_FIRST (-2) |
| 223 | #define NPF_PRI_LAST (-1) |
| 224 | |
| 225 | /* Types of code. */ |
| 226 | #define NPF_CODE_BPF 1 |
| 227 | |
| 228 | /* Address translation types and flags. */ |
| 229 | #define NPF_NATIN 1 |
| 230 | #define NPF_NATOUT 2 |
| 231 | |
| 232 | #define NPF_NAT_PORTS 0x01 |
| 233 | #define NPF_NAT_PORTMAP 0x02 |
| 234 | #define NPF_NAT_STATIC 0x04 |
| 235 | |
| 236 | #define NPF_NAT_PRIVMASK 0x0f000000 |
| 237 | |
| 238 | #define NPF_ALGO_NONE 0 |
| 239 | #define NPF_ALGO_NETMAP 1 |
| 240 | #define NPF_ALGO_IPHASH 2 |
| 241 | #define NPF_ALGO_RR 3 |
| 242 | #define NPF_ALGO_NPT66 4 |
| 243 | |
| 244 | /* Table types. */ |
| 245 | #define NPF_TABLE_IPSET 1 |
| 246 | #define NPF_TABLE_LPM 2 |
| 247 | #define NPF_TABLE_CONST 3 |
| 248 | #define NPF_TABLE_IFADDR 4 |
| 249 | |
| 250 | #define NPF_TABLE_MAXNAMELEN 32 |
| 251 | |
| 252 | /* Layers. */ |
| 253 | #define NPF_LAYER_2 2 |
| 254 | #define NPF_LAYER_3 3 |
| 255 | |
| 256 | /* XXX mbuf.h: just for now. */ |
| 257 | #define PACKET_TAG_NPF 10 |
| 258 | #define NPF_NTAG_PASS 0x0001 |
| 259 | |
| 260 | /* |
| 261 | * Rule commands (non-ioctl). |
| 262 | */ |
| 263 | |
| 264 | #define NPF_CMD_RULE_ADD 1 |
| 265 | #define NPF_CMD_RULE_INSERT 2 |
| 266 | #define NPF_CMD_RULE_REMOVE 3 |
| 267 | #define NPF_CMD_RULE_REMKEY 4 |
| 268 | #define NPF_CMD_RULE_LIST 5 |
| 269 | #define NPF_CMD_RULE_FLUSH 6 |
| 270 | |
| 271 | /* |
| 272 | * NPF ioctl(2): table commands and structures. |
| 273 | */ |
| 274 | |
| 275 | #define NPF_CMD_TABLE_LOOKUP 1 |
| 276 | #define NPF_CMD_TABLE_ADD 2 |
| 277 | #define NPF_CMD_TABLE_REMOVE 3 |
| 278 | #define NPF_CMD_TABLE_LIST 4 |
| 279 | #define NPF_CMD_TABLE_FLUSH 5 |
| 280 | |
| 281 | typedef struct npf_ioctl_ent { |
| 282 | int alen; |
| 283 | npf_addr_t addr; |
| 284 | npf_netmask_t mask; |
| 285 | } npf_ioctl_ent_t; |
| 286 | |
| 287 | typedef struct npf_ioctl_buf { |
| 288 | void * buf; |
| 289 | size_t len; |
| 290 | } npf_ioctl_buf_t; |
| 291 | |
| 292 | typedef struct npf_ioctl_table { |
| 293 | int nct_cmd; |
| 294 | const char * nct_name; |
| 295 | union { |
| 296 | npf_ioctl_ent_t ent; |
| 297 | npf_ioctl_buf_t buf; |
| 298 | } nct_data; |
| 299 | } npf_ioctl_table_t; |
| 300 | |
| 301 | /* |
| 302 | * IOCTL operations. |
| 303 | */ |
| 304 | |
| 305 | #define IOC_NPF_VERSION _IOR('N', 100, int) |
| 306 | #define IOC_NPF_SWITCH _IOW('N', 101, int) |
| 307 | #define IOC_NPF_LOAD _IOWR('N', 102, nvlist_ref_t) |
| 308 | #define IOC_NPF_TABLE _IOW('N', 103, struct npf_ioctl_table) |
| 309 | #define IOC_NPF_STATS _IOW('N', 104, void *) |
| 310 | #define IOC_NPF_SAVE _IOR('N', 105, nvlist_ref_t) |
| 311 | #define IOC_NPF_RULE _IOWR('N', 107, nvlist_ref_t) |
| 312 | #define IOC_NPF_CONN_LOOKUP _IOWR('N', 108, nvlist_ref_t) |
| 313 | |
| 314 | /* |
| 315 | * NPF error report. |
| 316 | */ |
| 317 | |
| 318 | typedef struct { |
| 319 | int64_t id; |
| 320 | char * source_file; |
| 321 | u_int source_line; |
| 322 | } npf_error_t; |
| 323 | |
| 324 | /* |
| 325 | * Statistics counters. |
| 326 | */ |
| 327 | |
| 328 | typedef enum { |
| 329 | /* Packets passed. */ |
| 330 | NPF_STAT_PASS_DEFAULT, |
| 331 | NPF_STAT_PASS_RULESET, |
| 332 | NPF_STAT_PASS_CONN, |
| 333 | /* Packets blocked. */ |
| 334 | NPF_STAT_BLOCK_DEFAULT, |
| 335 | NPF_STAT_BLOCK_RULESET, |
| 336 | /* Connection and NAT entries. */ |
| 337 | NPF_STAT_CONN_CREATE, |
| 338 | NPF_STAT_CONN_DESTROY, |
| 339 | NPF_STAT_NAT_CREATE, |
| 340 | NPF_STAT_NAT_DESTROY, |
| 341 | /* Invalid state cases. */ |
| 342 | NPF_STAT_INVALID_STATE, |
| 343 | NPF_STAT_INVALID_STATE_TCP1, |
| 344 | NPF_STAT_INVALID_STATE_TCP2, |
| 345 | NPF_STAT_INVALID_STATE_TCP3, |
| 346 | /* Raced packets. */ |
| 347 | NPF_STAT_RACE_CONN, |
| 348 | NPF_STAT_RACE_NAT, |
| 349 | /* Fragments. */ |
| 350 | NPF_STAT_FRAGMENTS, |
| 351 | NPF_STAT_REASSEMBLY, |
| 352 | NPF_STAT_REASSFAIL, |
| 353 | /* Other errors. */ |
| 354 | NPF_STAT_ERROR, |
| 355 | /* nbuf non-contiguous cases. */ |
| 356 | NPF_STAT_NBUF_NONCONTIG, |
| 357 | NPF_STAT_NBUF_CONTIG_FAIL, |
| 358 | /* Count (last). */ |
| 359 | NPF_STATS_COUNT |
| 360 | } npf_stats_t; |
| 361 | |
| 362 | #define NPF_STATS_SIZE (sizeof(uint64_t) * NPF_STATS_COUNT) |
| 363 | |
| 364 | #endif /* _NPF_NET_H_ */ |
| 365 |
Generated while processing netbsd/lib/libnpf/npf.c
Generated on 2019-Jul-19 from project netbsd revision f9da89e0d
Powered by 
Code Browser 2.1
Generator usage only permitted with license.