Diffstat (limited to 'sys/net/pfil.h')
-rw-r--r--sys/net/pfil.h196
1 files changed, 196 insertions, 0 deletions
diff --git a/sys/net/pfil.h b/sys/net/pfil.h
new file mode 100644
index 000000000000..af465ea492bb
--- /dev/null
+++ b/sys/net/pfil.h
@@ -0,0 +1,196 @@
+/* $NetBSD: pfil.h,v 1.22 2003/06/23 12:57:08 martin Exp $ */
+
+/*-
+ * SPDX-License-Identifier: BSD-3-Clause
+ *
+ * Copyright (c) 2019 Gleb Smirnoff <glebius@FreeBSD.org>
+ * Copyright (c) 1996 Matthew R. Green
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the author may not be used to endorse or promote products
+ * derived from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
+ * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NET_PFIL_H_
+#define _NET_PFIL_H_
+
+#include <sys/ioccom.h>
+
+enum pfil_types {
+ PFIL_TYPE_IP4,
+ PFIL_TYPE_IP6,
+ PFIL_TYPE_ETHERNET,
+};
+
+#define MAXPFILNAME 64
+
+struct pfilioc_head {
+ char pio_name[MAXPFILNAME];
+ int pio_nhooksin;
+ int pio_nhooksout;
+ enum pfil_types pio_type;
+};
+
+struct pfilioc_hook {
+ char pio_module[MAXPFILNAME];
+ char pio_ruleset[MAXPFILNAME];
+ int pio_flags;
+ enum pfil_types pio_type;
+};
+
+struct pfilioc_list {
+ u_int pio_nheads;
+ u_int pio_nhooks;
+ struct pfilioc_head *pio_heads;
+ struct pfilioc_hook *pio_hooks;
+};
+
+struct pfilioc_link {
+ char pio_name[MAXPFILNAME];
+ char pio_module[MAXPFILNAME];
+ char pio_ruleset[MAXPFILNAME];
+ int pio_flags;
+};
+
+#define PFILDEV "pfil"
+#define PFILIOC_LISTHEADS _IOWR('P', 1, struct pfilioc_list)
+#define PFILIOC_LISTHOOKS _IOWR('P', 2, struct pfilioc_list)
+#define PFILIOC_LINK _IOW('P', 3, struct pfilioc_link)
+
+#define PFIL_IN 0x00010000
+#define PFIL_OUT 0x00020000
+#define PFIL_FWD 0x00040000
+#define PFIL_DIR(f) ((f) & (PFIL_IN|PFIL_OUT))
+#define PFIL_HEADPTR 0x00100000
+#define PFIL_HOOKPTR 0x00200000
+#define PFIL_APPEND 0x00400000
+#define PFIL_UNLINK 0x00800000
+
+#ifdef _KERNEL
+struct mbuf;
+struct ifnet;
+struct inpcb;
+
+typedef enum {
+ PFIL_PASS = 0,
+ PFIL_DROPPED,
+ PFIL_CONSUMED,
+ PFIL_REALLOCED,
+} pfil_return_t;
+
+typedef pfil_return_t (*pfil_mbuf_chk_t)(struct mbuf **, struct ifnet *, int,
+ void *, struct inpcb *);
+typedef pfil_return_t (*pfil_mem_chk_t)(void *, u_int, int, struct ifnet *,
+ void *, struct mbuf **);
+
+/*
+ * A pfil head is created by a packet intercept point.
+ *
+ * A pfil hook is created by a packet filter.
+ *
+ * Hooks are chained on heads. Historically some hooking happens
+ * automatically, e.g. ipfw(4), pf(4) and ipfilter(4) would register
+ * theirselves on IPv4 and IPv6 input/output.
+ */
+
+typedef struct pfil_hook * pfil_hook_t;
+typedef struct pfil_head * pfil_head_t;
+
+/*
+ * Give us a chance to modify pfil_xxx_args structures in future.
+ */
+#define PFIL_VERSION 2
+
+/* Argument structure used by packet filters to register themselves. */
+struct pfil_hook_args {
+ int pa_version;
+ int pa_flags;
+ enum pfil_types pa_type;
+ pfil_mbuf_chk_t pa_mbuf_chk;
+ pfil_mem_chk_t pa_mem_chk;
+ void *pa_ruleset;
+ const char *pa_modname;
+ const char *pa_rulname;
+};
+
+/* Public functions for pfil hook management by packet filters. */
+pfil_hook_t pfil_add_hook(struct pfil_hook_args *);
+void pfil_remove_hook(pfil_hook_t);
+
+/* Argument structure used by ioctl() and packet filters to set filters. */
+struct pfil_link_args {
+ int pa_version;
+ int pa_flags;
+ union {
+ const char *pa_headname;
+ pfil_head_t pa_head;
+ };
+ union {
+ struct {
+ const char *pa_modname;
+ const char *pa_rulname;
+ };
+ pfil_hook_t pa_hook;
+ };
+};
+
+/* Public function to configure filter chains. Used by ioctl() and filters. */
+int pfil_link(struct pfil_link_args *);
+
+/* Argument structure used by inspection points to register themselves. */
+struct pfil_head_args {
+ int pa_version;
+ int pa_flags;
+ enum pfil_types pa_type;
+ const char *pa_headname;
+};
+
+/* Public functions for pfil head management by inspection points. */
+pfil_head_t pfil_head_register(struct pfil_head_args *);
+void pfil_head_unregister(pfil_head_t);
+
+/* Public functions to run the packet inspection by inspection points. */
+int pfil_mem_in(struct pfil_head *, void *, u_int, struct ifnet *,
+ struct mbuf **);
+int pfil_mem_out(struct pfil_head *, void *, u_int, struct ifnet *,
+ struct mbuf **);
+int pfil_mbuf_in(struct pfil_head *, struct mbuf **, struct ifnet *,
+ struct inpcb *inp);
+int pfil_mbuf_out(struct pfil_head *, struct mbuf **, struct ifnet *,
+ struct inpcb *inp);
+int pfil_mbuf_fwd(struct pfil_head *, struct mbuf **, struct ifnet *,
+ struct inpcb *);
+
+/*
+ * Minimally exposed structure to avoid function call in case of absence
+ * of any filters by protocols and macros to do the check.
+ */
+struct _pfil_head {
+ int head_nhooksin;
+ int head_nhooksout;
+};
+#define PFIL_HOOKED_IN(p) (((struct _pfil_head *)(p))->head_nhooksin > 0)
+#define PFIL_HOOKED_OUT(p) (((struct _pfil_head *)(p))->head_nhooksout > 0)
+
+#endif /* _KERNEL */
+#endif /* _NET_PFIL_H_ */
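Review bot: The userland ioctl ABI introduced by `struct pfilioc_list` pairs the counts `pio_nheads`/`pio_nhooks` with user pointers `pio_heads`/`pio_hooks` but states no in/out contract, so a reader cannot tell whether the counts are caller-supplied capacities that bound the copyout or kernel-returned sizes; a comment on the struct such as `/* pio_nheads/pio_nhooks: on entry the capacity of the user arrays, on return the number of entries available; the kernel copies out no more than the entry capacity */` (adjusted to whatever the handler actually implements) would pin that down for both sides. Likewise the `MAXPFILNAME` arrays `pio_name`/`pio_module`/`pio_ruleset` in `pfilioc_head`, `pfilioc_hook` and `pfilioc_link` do not say whether they must be NUL-terminated on entry, so the handler consuming PFILIOC_LINK should treat them as untrusted and bound comparisons with `strnlen(..., MAXPFILNAME)` or reject unterminated names; documenting that requirement here keeps the ABI and the handler in agreement. `pio_flags` of `pfilioc_link` is declared with no statement of which `PFIL_*` bits userland may set, and since `PFIL_HEADPTR`/`PFIL_HOOKPTR` select the pointer members of the kernel-only unions in `pfil_link_args`, a comment marking those two as kernel-internal would help the ioctl path mask them from user input. Finally, `PFIL_HOOKED_IN`/`PFIL_HOOKED_OUT` cast an opaque `pfil_head_t` to `struct _pfil_head *`, which presumably requires `struct pfil_head` to begin with the same two `int` members; stating that layout constraint next to the struct (and enforcing it where `struct pfil_head` is defined) would prevent a silent mismatch if the full structure is ever reordered.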