summaryrefslogtreecommitdiff
path: root/net/pfvar.h
diff options
context:
space:
mode:
Diffstat (limited to 'net/pfvar.h')
-rw-r--r--net/pfvar.h247
1 files changed, 176 insertions, 71 deletions
diff --git a/net/pfvar.h b/net/pfvar.h
index d650f7997045..1cea3385e15c 100644
--- a/net/pfvar.h
+++ b/net/pfvar.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfvar.h,v 1.244 2007/02/23 21:31:51 deraadt Exp $ */
+/* $OpenBSD: pfvar.h,v 1.254 2007/07/13 09:17:48 markus Exp $ */
/*
* Copyright (c) 2001 Daniel Hartmeier
@@ -685,10 +685,8 @@ struct pf_state_peer {
TAILQ_HEAD(pf_state_queue, pf_state);
-/* keep synced with struct pf_state, used in RB_FIND */
-struct pf_state_cmp {
- u_int64_t id;
- u_int32_t creatorid;
+/* keep synced with struct pf_state_key, used in RB_FIND */
+struct pf_state_key_cmp {
struct pf_state_host lan;
struct pf_state_host gwy;
struct pf_state_host ext;
@@ -698,9 +696,9 @@ struct pf_state_cmp {
u_int8_t pad;
};
-struct pf_state {
- u_int64_t id;
- u_int32_t creatorid;
+TAILQ_HEAD(pf_statelist, pf_state);
+
+struct pf_state_key {
struct pf_state_host lan;
struct pf_state_host gwy;
struct pf_state_host ext;
@@ -708,39 +706,161 @@ struct pf_state {
u_int8_t proto;
u_int8_t direction;
u_int8_t pad;
- u_int8_t log;
- u_int8_t allow_opts;
- u_int8_t timeout;
- u_int8_t sync_flags;
+
+ RB_ENTRY(pf_state_key) entry_lan_ext;
+ RB_ENTRY(pf_state_key) entry_ext_gwy;
+ struct pf_statelist states;
+ u_short refcnt; /* same size as if_index */
+};
+
+
+/* keep synced with struct pf_state, used in RB_FIND */
+struct pf_state_cmp {
+ u_int64_t id;
+ u_int32_t creatorid;
+ u_int32_t pad;
+};
+
+struct pf_state {
+ u_int64_t id;
+ u_int32_t creatorid;
+ u_int32_t pad;
+
+ TAILQ_ENTRY(pf_state) entry_list;
+ TAILQ_ENTRY(pf_state) next;
+ RB_ENTRY(pf_state) entry_id;
+ struct pf_state_peer src;
+ struct pf_state_peer dst;
+ union pf_rule_ptr rule;
+ union pf_rule_ptr anchor;
+ union pf_rule_ptr nat_rule;
+ struct pf_addr rt_addr;
+ struct pf_state_key *state_key;
+ struct pfi_kif *kif;
+ struct pfi_kif *rt_kif;
+ struct pf_src_node *src_node;
+ struct pf_src_node *nat_src_node;
+ u_int64_t packets[2];
+ u_int64_t bytes[2];
+ u_int32_t creation;
+ u_int32_t expire;
+ u_int32_t pfsync_time;
+ u_int16_t tag;
+ u_int8_t log;
+ u_int8_t allow_opts;
+ u_int8_t timeout;
+ u_int8_t sync_flags;
#define PFSTATE_NOSYNC 0x01
#define PFSTATE_FROMSYNC 0x02
#define PFSTATE_STALE 0x04
- union {
- struct {
- RB_ENTRY(pf_state) entry_lan_ext;
- RB_ENTRY(pf_state) entry_ext_gwy;
- RB_ENTRY(pf_state) entry_id;
- TAILQ_ENTRY(pf_state) entry_list;
- struct pfi_kif *kif;
- } s;
- char ifname[IFNAMSIZ];
- } u;
- struct pf_state_peer src;
- struct pf_state_peer dst;
- union pf_rule_ptr rule;
- union pf_rule_ptr anchor;
- union pf_rule_ptr nat_rule;
+};
+
+/*
+ * Unified state structures for pulling states out of the kernel
+ * used by pfsync(4) and the pf(4) ioctl.
+ */
+struct pfsync_state_scrub {
+ u_int16_t pfss_flags;
+ u_int8_t pfss_ttl; /* stashed TTL */
+#define PFSYNC_SCRUB_FLAG_VALID 0x01
+ u_int8_t scrub_flag;
+ u_int32_t pfss_ts_mod; /* timestamp modulation */
+} __packed;
+
+struct pfsync_state_host {
+ struct pf_addr addr;
+ u_int16_t port;
+ u_int16_t pad[3];
+} __packed;
+
+struct pfsync_state_peer {
+ struct pfsync_state_scrub scrub; /* state is scrubbed */
+ u_int32_t seqlo; /* Max sequence number sent */
+ u_int32_t seqhi; /* Max the other end ACKd + win */
+ u_int32_t seqdiff; /* Sequence number modulator */
+ u_int16_t max_win; /* largest window (pre scaling) */
+ u_int16_t mss; /* Maximum segment size option */
+ u_int8_t state; /* active state level */
+ u_int8_t wscale; /* window scaling factor */
+ u_int8_t pad[6];
+} __packed;
+
+struct pfsync_state {
+ u_int32_t id[2];
+ char ifname[IFNAMSIZ];
+ struct pfsync_state_host lan;
+ struct pfsync_state_host gwy;
+ struct pfsync_state_host ext;
+ struct pfsync_state_peer src;
+ struct pfsync_state_peer dst;
struct pf_addr rt_addr;
- struct pfi_kif *rt_kif;
- struct pf_src_node *src_node;
- struct pf_src_node *nat_src_node;
- u_int64_t packets[2];
- u_int64_t bytes[2];
+ u_int32_t rule;
+ u_int32_t anchor;
+ u_int32_t nat_rule;
u_int32_t creation;
u_int32_t expire;
- u_int32_t pfsync_time;
- u_int16_t tag;
-};
+ u_int32_t packets[2][2];
+ u_int32_t bytes[2][2];
+ u_int32_t creatorid;
+ sa_family_t af;
+ u_int8_t proto;
+ u_int8_t direction;
+ u_int8_t log;
+ u_int8_t allow_opts;
+ u_int8_t timeout;
+ u_int8_t sync_flags;
+ u_int8_t updates;
+} __packed;
+
+#define PFSYNC_FLAG_COMPRESS 0x01
+#define PFSYNC_FLAG_STALE 0x02
+#define PFSYNC_FLAG_SRCNODE 0x04
+#define PFSYNC_FLAG_NATSRCNODE 0x08
+
+/* for copies to/from userland via pf_ioctl() */
+#define pf_state_peer_to_pfsync(s,d) do { \
+ (d)->seqlo = (s)->seqlo; \
+ (d)->seqhi = (s)->seqhi; \
+ (d)->seqdiff = (s)->seqdiff; \
+ (d)->max_win = (s)->max_win; \
+ (d)->mss = (s)->mss; \
+ (d)->state = (s)->state; \
+ (d)->wscale = (s)->wscale; \
+ if ((s)->scrub) { \
+ (d)->scrub.pfss_flags = \
+ (s)->scrub->pfss_flags & PFSS_TIMESTAMP; \
+ (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \
+ (d)->scrub.pfss_ts_mod = (s)->scrub->pfss_ts_mod; \
+ (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \
+ } \
+} while (0)
+
+#define pf_state_peer_from_pfsync(s,d) do { \
+ (d)->seqlo = (s)->seqlo; \
+ (d)->seqhi = (s)->seqhi; \
+ (d)->seqdiff = (s)->seqdiff; \
+ (d)->max_win = (s)->max_win; \
+ (d)->mss = ntohs((s)->mss); \
+ (d)->state = (s)->state; \
+ (d)->wscale = (s)->wscale; \
+ if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \
+ (d)->scrub != NULL) { \
+ (d)->scrub->pfss_flags = \
+ ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \
+ (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \
+ (d)->scrub->pfss_ts_mod = (s)->scrub.pfss_ts_mod; \
+ } \
+} while (0)
+
+#define pf_state_counter_to_pfsync(s,d) do { \
+ d[0] = (s>>32)&0xffffffff; \
+ d[1] = s&0xffffffff; \
+} while (0)
+
+#define pf_state_counter_from_pfsync(s) \
+ (((u_int64_t)(s[0])<<32) | (u_int64_t)(s[1]))
+
+
TAILQ_HEAD(pf_rulequeue, pf_rule);
@@ -883,17 +1003,20 @@ struct pfr_ktable {
#define pfrkt_nomatch pfrkt_ts.pfrts_nomatch
#define pfrkt_tzero pfrkt_ts.pfrts_tzero
-RB_HEAD(pf_state_tree_lan_ext, pf_state);
-RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state,
- u.s.entry_lan_ext, pf_state_compare_lan_ext);
+RB_HEAD(pf_state_tree_lan_ext, pf_state_key);
+RB_PROTOTYPE(pf_state_tree_lan_ext, pf_state_key,
+ entry_lan_ext, pf_state_compare_lan_ext);
-RB_HEAD(pf_state_tree_ext_gwy, pf_state);
-RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state,
- u.s.entry_ext_gwy, pf_state_compare_ext_gwy);
+RB_HEAD(pf_state_tree_ext_gwy, pf_state_key);
+RB_PROTOTYPE(pf_state_tree_ext_gwy, pf_state_key,
+ entry_ext_gwy, pf_state_compare_ext_gwy);
-TAILQ_HEAD(pfi_statehead, pfi_kif);
RB_HEAD(pfi_ifhead, pfi_kif);
+/* state tables */
+extern struct pf_state_tree_lan_ext pf_statetbl_lan_ext;
+extern struct pf_state_tree_ext_gwy pf_statetbl_ext_gwy;
+
/* keep synced with pfi_kif, used in RB_FIND */
struct pfi_kif_cmp {
char pfik_name[IFNAMSIZ];
@@ -906,9 +1029,6 @@ struct pfi_kif {
u_int64_t pfik_bytes[2][2][2];
u_int32_t pfik_tzero;
int pfik_flags;
- struct pf_state_tree_lan_ext pfik_lan_ext;
- struct pf_state_tree_ext_gwy pfik_ext_gwy;
- TAILQ_ENTRY(pfi_kif) pfik_w_states;
void *pfik_ah_cookie;
struct ifnet *pfik_ifp;
struct ifg_group *pfik_group;
@@ -949,7 +1069,6 @@ struct pf_pdesc {
struct pf_addr *dst;
struct ether_header
*eh;
- struct pf_mtag *pf_mtag;
u_int16_t *ip_sum;
u_int32_t p_len; /* total length of payload */
u_int16_t flags; /* Let SCRUB trigger behavior in
@@ -1153,20 +1272,6 @@ struct pf_altq {
u_int32_t qid; /* return value */
};
-#define PF_TAG_GENERATED 0x01
-#define PF_TAG_FRAGCACHE 0x02
-#define PF_TAG_TRANSLATE_LOCALHOST 0x04
-
-struct pf_mtag {
- void *hdr; /* saved hdr pos in mbuf, for ECN */
- u_int rtableid; /* alternate routing table id */
- u_int32_t qid; /* queue id */
- u_int16_t tag; /* tag id */
- u_int8_t flags;
- u_int8_t routed;
- sa_family_t af; /* for ECN */
-};
-
struct pf_tag {
u_int16_t tag; /* tag id */
};
@@ -1228,8 +1333,8 @@ struct pfioc_natlook {
};
struct pfioc_state {
- u_int32_t nr;
- struct pf_state state;
+ u_int32_t nr;
+ void *state;
};
struct pfioc_src_node_kill {
@@ -1251,8 +1356,8 @@ struct pfioc_state_kill {
struct pfioc_states {
int ps_len;
union {
- caddr_t psu_buf;
- struct pf_state *psu_states;
+ caddr_t psu_buf;
+ struct pfsync_state *psu_states;
} ps_u;
#define ps_buf ps_u.psu_buf
#define ps_states ps_u.psu_states
@@ -1459,7 +1564,8 @@ extern void pf_tbladdr_remove(struct pf_addr_wrap *);
extern void pf_tbladdr_copyout(struct pf_addr_wrap *);
extern void pf_calc_skip_steps(struct pf_rulequeue *);
extern struct pool pf_src_tree_pl, pf_rule_pl;
-extern struct pool pf_state_pl, pf_altq_pl, pf_pooladdr_pl;
+extern struct pool pf_state_pl, pf_state_key_pl, pf_altq_pl,
+ pf_pooladdr_pl;
extern struct pool pf_state_scrub_pl;
extern void pf_purge_thread(void *);
extern void pf_purge_expired_src_nodes(int);
@@ -1473,8 +1579,8 @@ extern int pf_insert_src_node(struct pf_src_node **,
sa_family_t);
void pf_src_tree_remove_state(struct pf_state *);
extern struct pf_state *pf_find_state_byid(struct pf_state_cmp *);
-extern struct pf_state *pf_find_state_all(struct pf_state_cmp *key,
- u_int8_t tree, int *more);
+extern struct pf_state *pf_find_state_all(struct pf_state_key_cmp *,
+ u_int8_t, int *);
extern void pf_print_state(struct pf_state *);
extern void pf_print_flags(u_int8_t);
extern u_int16_t pf_cksum_fixup(u_int16_t, u_int16_t, u_int16_t,
@@ -1530,6 +1636,8 @@ void pf_purge_expired_fragments(void);
int pf_routable(struct pf_addr *addr, sa_family_t af, struct pfi_kif *);
int pf_rtlabel_match(struct pf_addr *, sa_family_t, struct pf_addr_wrap *);
int pf_socket_lookup(int, struct pf_pdesc *);
+struct pf_state_key *
+ pf_alloc_state_key(struct pf_state *);
void pfr_initialize(void);
int pfr_match_addr(struct pfr_ktable *, struct pf_addr *, sa_family_t);
void pfr_update_stats(struct pfr_ktable *, struct pf_addr *, sa_family_t,
@@ -1567,7 +1675,6 @@ int pfr_ina_commit(struct pfr_table *, u_int32_t, int *, int *, int);
int pfr_ina_define(struct pfr_table *, struct pfr_addr *, int, int *,
int *, u_int32_t, int);
-extern struct pfi_statehead pfi_statehead;
extern struct pfi_kif *pfi_all;
void pfi_initialize(void);
@@ -1595,12 +1702,10 @@ u_int16_t pf_tagname2tag(char *);
void pf_tag2tagname(u_int16_t, char *);
void pf_tag_ref(u_int16_t);
void pf_tag_unref(u_int16_t);
-int pf_tag_packet(struct mbuf *, struct pf_mtag *, int, int);
+int pf_tag_packet(struct mbuf *, int, int);
u_int32_t pf_qname2qid(char *);
void pf_qid2qname(u_int32_t, char *);
void pf_qid_unref(u_int32_t);
-struct pf_mtag *pf_find_mtag(struct mbuf *);
-struct pf_mtag *pf_get_mtag(struct mbuf *);
extern struct pf_status pf_status;
extern struct pool pf_frent_pl, pf_frag_pl;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-25 04:56:42 +0000