1/*-
  2 * Copyright (c) 2009-2014 The NetBSD Foundation, Inc.
  3 * All rights reserved.
  4 *
  5 * This material is based upon work partially supported by The
  6 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
  7 *
  8 * Redistribution and use in source and binary forms, with or without
  9 * modification, are permitted provided that the following conditions
 10 * are met:
 11 * 1. Redistributions of source code must retain the above copyright
 12 *    notice, this list of conditions and the following disclaimer.
 13 * 2. Redistributions in binary form must reproduce the above copyright
 14 *    notice, this list of conditions and the following disclaimer in the
 15 *    documentation and/or other materials provided with the distribution.
 16 *
 17 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 18 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 19 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 20 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 21 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 22 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 23 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 24 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 25 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 26 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 27 * POSSIBILITY OF SUCH DAMAGE.
 28 */
 29
 30/*
 31 * Public NPF interfaces.
 32 */
 33
 34#ifndef _NPF_NET_H_
 35#define _NPF_NET_H_
 36
 37#include <sys/param.h>
 38#include <sys/types.h>
 39
/*
 * Interface version.  Userland presumably compares this with the value
 * returned by IOC_NPF_VERSION before issuing any other ioctl, so it
 * must be bumped whenever a structure or ioctl number in this header
 * changes -- confirm the check in the userland library.
 */
#define	NPF_VERSION		22

/*
 * Standalone builds (NPF used outside the NetBSD kernel) take their
 * system definitions from npf_stand.h; otherwise the ioctl and inet
 * headers are included directly.
 */
#if defined(_NPF_STANDALONE)
#include "npf_stand.h"
#else
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#endif
 49
/* Opaque NPF instance handle; the struct body is defined outside this header. */
struct npf;
typedef struct npf npf_t;
 52
/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * Always 16 bytes.  The three members are views of the same storage;
 * an IPv4 address presumably occupies only the first 4 bytes (see the
 * 4-or-16 byte npc_alen in npf_cache_t), so readers must consult the
 * address length rather than assume all 16 bytes are meaningful.
 */
typedef union {
	uint8_t			word8[16];
	uint16_t		word16[8];
	uint32_t		word32[4];
} npf_addr_t;
 61
/* Prefix length in bits (0..NPF_MAX_NETMASK), or NPF_NO_NETMASK. */
typedef uint8_t			npf_netmask_t;

/*
 * NPF_NO_NETMASK is (uint8_t)~0 == 255, which lies outside the legal
 * 0..128 prefix range, so it cannot be confused with a real prefix.
 * Validation of a user-supplied mask should accept exactly that range
 * plus this sentinel.
 */
#define	NPF_MAX_NETMASK		(128)
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)
 66
/*
 * BPF coprocessor.  The function and memory-word indices are only
 * visible when NPF_BPFCOP is defined; the word count is needed always.
 */
#if defined(NPF_BPFCOP)
/* Coprocessor function indices (presumably the BPF_COP call numbers). */
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

/*
 * Indices into the BPF memory-word store: IP version, layer-4 header
 * offset and layer-4 protocol.  Presumably filled in by the L3
 * coprocessor so filter programs need not re-parse the IP header --
 * confirm against the coprocessor implementation.
 */
#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif
/* The number of words used (matches the three BPF_MW_* indices). */
#define	NPF_BPF_NWORDS		3
 78
 79/*
 80 * In-kernel declarations and definitions.
 81 */
 82
 83#if defined(_KERNEL) || defined(_NPF_STANDALONE)
 84
/* Verdicts of the packet inspection path. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare an NPF extension as a kernel module.  `req' must be a string
 * literal naming extra module dependencies: the sizeof(req) - 1 test
 * distinguishes "" (depend on "npf" alone) from a non-empty list, which
 * gets "npf," prepended by string-literal concatenation.
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")
 90
 91#include <net/if.h>
 92#include <netinet/ip.h>
 93#include <netinet/ip6.h>
 94#include <netinet/tcp.h>
 95#include <netinet/udp.h>
 96#include <netinet/ip_icmp.h>
 97#include <netinet/icmp6.h>
 98
/*
 * Network buffer interface.
 */

/*
 * nbuf flag bit, tested with nbuf_flag_p() and cleared with
 * nbuf_unset_flag().  By its name it marks that the cached data
 * reference was reset, i.e. pointers previously obtained from
 * nbuf_dataptr() should be treated as stale -- NOTE(review): confirm
 * when exactly it is raised in the nbuf implementation.
 */
#define	NBUF_DATAREF_RESET	0x01

struct mbuf;
struct nbuf;
typedef struct nbuf nbuf_t;	/* opaque; presumably a cursor over an mbuf chain */
108
/*
 * nbuf accessors.  Prototypes only: the behaviour noted below is
 * inferred from the signatures and should be confirmed against the
 * implementation.
 */

/* Bind an nbuf to an mbuf chain and interface; reset it; get the head mbuf. */
void		nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

/* Test / clear a flag bit such as NBUF_DATAREF_RESET. */
bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

/*
 * Current data pointer and its offset from the start of the packet.
 * nbuf_advance() moves the cursor; since it returns a pointer rather
 * than void, callers should presumably treat NULL as "ran off the end"
 * and stop parsing -- confirm.
 */
void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

/*
 * Make the given number of bytes at the cursor contiguous / writable.
 * Both return a pointer that presumably can be NULL on failure; any
 * header pointer cached before the call may be invalid afterwards.
 */
void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

/* Checksum barrier and mbuf tag helpers (int results presumably errno-style). */
bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t);
int		npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t *);
127
/*
 * Packet information cache.
 *
 * Bits of npf_cache_t::npc_info, tested with npf_iscached().  By the
 * naming, NPC_IP4/NPC_IP6 say which npc_ip member is valid and
 * NPC_TCP/NPC_UDP/NPC_ICMP which npc_l4 member is valid; the L4 bits
 * presumably mean something only once NPC_LAYER4 is set -- confirm.
 * NPC_FMTERR flags a malformed packet; presumably the other header bits
 * should not be relied upon while it is set.
 */

#define	NPC_IP4		0x01	/* Indicates IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

#define	NPC_FMTERR	0x200	/* Format error. */

#define	NPC_IP46	(NPC_IP4|NPC_IP6)	/* Either IP version cached. */
147
struct npf_connkey;

/*
 * Packet information cache: what the inspection path has learned about
 * the packet so far.  The header pointers point into nbuf data and are
 * only as stable as the nbuf itself; after the buffer is made
 * contiguous/writable or NBUF_DATAREF_RESET is observed they presumably
 * need to be re-fetched -- confirm.
 */
typedef struct {
	/* NPF context, information flags (NPC_*) and the nbuf. */
	npf_t *			npc_ctx;
	uint32_t		npc_info;
	nbuf_t *		npc_nbuf;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Presumably indexed with NPF_SRC / NPF_DST.
	 */
	npf_addr_t *		npc_ips[2];
	uint8_t			npc_alen;

	/* IP header length and L4 protocol. */
	uint32_t		npc_hlen;
	uint16_t		npc_proto;

	/* IPv4, IPv6 -- which member is valid follows NPC_IP4 / NPC_IP6. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/* TCP, UDP, ICMP or other protocols -- selected by NPC_TCP/UDP/ICMP. */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;

	/*
	 * Override the connection key, if not NULL.  This affects the
	 * behaviour of npf_conn_lookup() and npf_conn_establish().
	 * Note: npc_ckey is of npf_connkey_t type.  It is declared as
	 * const void * only because npf_connkey_t is not visible in this
	 * header, so the consumer's cast is unchecked -- only ever point
	 * it at a real npf_connkey_t.
	 */
	const void *		npc_ckey;
} npf_cache_t;
189
/*
 * Query the packet information cache.
 *
 * Returns true when ANY bit of `inf' is set in npc->npc_info -- not all
 * of them.  A combined mask such as NPC_IP46 therefore asks "is either
 * IP version cached", so callers that need every bit present must test
 * them one at a time.  The cache must already be bound to an nbuf.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	bool hit;

	KASSERT(npc->npc_nbuf != NULL);
	hit = (npc->npc_info & inf) != 0;
	/* Hint the compiler that the cached case is the common one. */
	return __predict_true(hit);
}
196
/*
 * Misc.
 */

/*
 * Whether the npf module may be unloaded automatically -- presumably
 * false while a configuration is active; confirm in the implementation.
 */
bool		npf_autounload_p(void);
202
#endif	/* _KERNEL || _NPF_STANDALONE */
204
/* Source / destination indices, presumably for pairs such as npc_ips[2]. */
#define	NPF_SRC		0
#define	NPF_DST		1
207
/*
 * Rule attributes (bit flags in a 32-bit word).
 *
 * Bits 0..7 describe rule behaviour, bits 28..30 direction/forwarding,
 * and bits 24..27 (NPF_RULE_PRIVMASK) are kernel-private: they must not
 * be accepted from a user-supplied ruleset, so a loader should reject
 * or clear them rather than pass attributes through unchanged.
 */
#define	NPF_RULE_PASS			0x00000001
#define	NPF_RULE_GROUP			0x00000002
#define	NPF_RULE_FINAL			0x00000004
#define	NPF_RULE_STATEFUL		0x00000008
#define	NPF_RULE_RETRST			0x00000010	/* presumably: answer with TCP RST */
#define	NPF_RULE_RETICMP		0x00000020	/* presumably: answer with ICMP error */
#define	NPF_RULE_DYNAMIC		0x00000040
#define	NPF_RULE_GSTATEFUL		0x00000080

/* A group whose rules can be changed at run time via NPF_CMD_RULE_*. */
#define	NPF_DYNAMIC_GROUP		(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

#define	NPF_RULE_IN			0x10000000
#define	NPF_RULE_OUT			0x20000000
#define	NPF_RULE_DIMASK			(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW			0x40000000

/* Private range of rule attributes (not public and should not be set). */
#define	NPF_RULE_PRIVMASK		0x0f000000

/* Maximum lengths of a rule name and of a rule key; bound copies by these. */
#define	NPF_RULE_MAXNAMELEN		64
#define	NPF_RULE_MAXKEYLEN		32

/*
 * Priority values: sentinels for "insert at the head" / "append at the
 * tail"; real positions are presumably non-negative.
 */
#define	NPF_PRI_FIRST			(-2)
#define	NPF_PRI_LAST			(-1)
234
/* Types of code (filter program formats).  Only BPF is defined. */
#define	NPF_CODE_BPF			1

/*
 * Address translation types and flags.  NPF_NAT_PRIVMASK covers the
 * same bit range as NPF_RULE_PRIVMASK and should likewise never be
 * accepted from user-supplied configuration.
 */
#define	NPF_NATIN			1
#define	NPF_NATOUT			2

#define	NPF_NAT_PORTS			0x01
#define	NPF_NAT_PORTMAP			0x02
#define	NPF_NAT_STATIC			0x04

#define	NPF_NAT_PRIVMASK		0x0f000000

/* Address selection / mapping algorithms. */
#define	NPF_ALGO_NONE			0
#define	NPF_ALGO_NETMAP			1
#define	NPF_ALGO_IPHASH			2
#define	NPF_ALGO_RR			3
#define	NPF_ALGO_NPT66			4

/* Table types. */
#define	NPF_TABLE_IPSET			1
#define	NPF_TABLE_LPM			2
#define	NPF_TABLE_CONST			3
#define	NPF_TABLE_IFADDR		4

/* Maximum table name length; bound copies of npf_ioctl_table::nct_name by it. */
#define	NPF_TABLE_MAXNAMELEN		32

/* Layers at which NPF can hook. */
#define	NPF_LAYER_2			2
#define	NPF_LAYER_3			3
265
/*
 * Flags passed via nbuf tags (see nbuf_add_tag() / nbuf_find_tag()).
 */
#define	NPF_NTAG_PASS			0x0001

/*
 * Rule commands (non-ioctl).
 *
 * Note that NPF_CMD_RULE_* and NPF_CMD_TABLE_* below share numeric
 * values; they are distinct namespaces and must not be mixed up when
 * dispatching on a command number.
 */

#define	NPF_CMD_RULE_ADD		1
#define	NPF_CMD_RULE_INSERT		2
#define	NPF_CMD_RULE_REMOVE		3
#define	NPF_CMD_RULE_REMKEY		4
#define	NPF_CMD_RULE_LIST		5
#define	NPF_CMD_RULE_FLUSH		6

/*
 * NPF ioctl(2): table commands and structures.
 */

#define	NPF_CMD_TABLE_LOOKUP		1
#define	NPF_CMD_TABLE_ADD		2
#define	NPF_CMD_TABLE_REMOVE		3
#define	NPF_CMD_TABLE_LIST		4
#define	NPF_CMD_TABLE_FLUSH		5
291
/*
 * One table entry as exchanged with the kernel: the address length
 * (presumably 4 or 16, as for npc_alen), the address and its prefix
 * length.  `alen' arrives from userland and must be validated before
 * it is used to pick a word8/word16/word32 view of `addr'.
 */
typedef struct npf_ioctl_ent {
	int			alen;
	npf_addr_t		addr;
	npf_netmask_t		mask;
} npf_ioctl_ent_t;
297
/*
 * Caller-provided buffer.  When this arrives inside IOC_NPF_TABLE,
 * `buf' is a user-space pointer and `len' is untrusted: the kernel side
 * must copy in/out with its own bounds and never dereference `buf'
 * directly.
 */
typedef struct npf_ioctl_buf {
	void *			buf;
	size_t			len;
} npf_ioctl_buf_t;
302
/*
 * Argument of IOC_NPF_TABLE.  `nct_cmd' is one of NPF_CMD_TABLE_* and
 * presumably selects which `nct_data' member is meaningful (an entry
 * for lookup/add/remove, a buffer for list) -- confirm.  `nct_name' is
 * a user-space string pointer; it should be copied in with a bound of
 * NPF_TABLE_MAXNAMELEN rather than read in place.
 */
typedef struct npf_ioctl_table {
	int			nct_cmd;
	const char *		nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;
311
/*
 * IOCTL operations (group 'N').
 *
 * Number 106 is unused -- presumably a retired command; do not reuse it
 * without bumping NPF_VERSION.  nvlist_ref_t is expected to come from
 * the system ioctl headers (or npf_stand.h) -- confirm.  IOC_NPF_STATS
 * passes only a user pointer; the amount actually copied out is fixed
 * by NPF_STATS_SIZE, not by the ioctl size.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_LOAD		_IOWR('N', 102, nvlist_ref_t)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SAVE		_IOR('N', 105, nvlist_ref_t)
#define	IOC_NPF_RULE		_IOWR('N', 107, nvlist_ref_t)
#define	IOC_NPF_CONN_LOOKUP	_IOWR('N', 108, nvlist_ref_t)
#define	IOC_NPF_TABLE_REPLACE	_IOWR('N', 109, nvlist_ref_t)
325
/*
 * NPF error report.
 *
 * Location of a configuration error reported back to the caller:
 * the offending object id, a message, and the source file/line it
 * came from.  The two strings are pointers, not inline storage --
 * NOTE(review): ownership (who allocates and frees them) is not
 * visible here; confirm before storing or freeing them.
 */

typedef struct {
	int64_t		id;
	char *		error_msg;
	char *		source_file;
	unsigned	source_line;
} npf_error_t;
336
/*
 * Statistics counters.
 *
 * The enumerators index an array of uint64_t of NPF_STATS_SIZE bytes
 * that is presumably handed to userland via IOC_NPF_STATS, so the
 * order is part of the ABI: add new counters only before
 * NPF_STATS_COUNT and never renumber existing ones.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;
374
/* Byte size of the full counter array: one uint64_t per npf_stats_t value. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)
376
377#endif	/* _NPF_NET_H_ */