pf.h revision 284571
1207536Smav/* 2207536Smav * Copyright (c) 2001 Daniel Hartmeier 3207536Smav * All rights reserved. 4207536Smav * 5207536Smav * Redistribution and use in source and binary forms, with or without 6207536Smav * modification, are permitted provided that the following conditions 7207536Smav * are met: 8207536Smav * 9207536Smav * - Redistributions of source code must retain the above copyright 10207536Smav * notice, this list of conditions and the following disclaimer. 11207536Smav * - Redistributions in binary form must reproduce the above 12207536Smav * copyright notice, this list of conditions and the following 13207536Smav * disclaimer in the documentation and/or other materials provided 14207536Smav * with the distribution. 15207536Smav * 16207536Smav * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17207536Smav * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18207536Smav * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19207536Smav * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20207536Smav * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21207536Smav * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22207536Smav * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23207536Smav * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24207536Smav * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25207536Smav * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26207536Smav * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27207536Smav * POSSIBILITY OF SUCH DAMAGE. 28207536Smav * 29207536Smav * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ 30207536Smav * $FreeBSD: stable/10/sys/netpfil/pf/pf.h 284571 2015-06-18 20:34:39Z kp $ 31207536Smav */ 32207536Smav 33207536Smav#ifndef _NET_PF_H_ 34207536Smav#define _NET_PF_H_ 35207536Smav 36207536Smav#define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 37207536Smav#define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 38207536Smav 39207536Smav#define PF_MD5_DIGEST_LENGTH 16 40207536Smav#ifdef MD5_DIGEST_LENGTH 41207536Smav#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH 42207536Smav#error 43207536Smav#endif 44207536Smav#endif 45207536Smav 46220097Smavenum { PF_INOUT, PF_IN, PF_OUT, PF_FWD }; 47220097Smavenum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, 48207536Smav PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; 49207536Smavenum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 50207536Smav PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 51207536Smavenum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 52207536Smav PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 53207536Smavenum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 54207536Smavenum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 55207536Smav PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 56207536Smav PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 57207536Smavenum { PF_GET_NONE, PF_GET_CLR_CNTR }; 58207536Smavenum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH }; 59207536Smav 60207536Smav/* 61207536Smav * Note about PFTM_*: real indices into pf_rule.timeout[] come before 62207536Smav * PFTM_MAX, special cases afterwards. See pf_state_expires(). 63207536Smav */ 64207536Smavenum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 65207536Smav PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 66238873Shrs PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 67207536Smav PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 68207536Smav PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 69257240Szbb PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, 70257240Szbb PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, 71207536Smav PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED, 72207536Smav PFTM_UNTIL_PACKET }; 73207536Smav 74207536Smav/* PFTM default values */ 75207536Smav#define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ 76207536Smav#define PFTM_TCP_OPENING_VAL 30 /* No response yet */ 77207536Smav#define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ 78207536Smav#define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ 79207536Smav#define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ 80207536Smav#define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ 81261410Sian#define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ 82261410Sian#define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ 83261410Sian#define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ 84220097Smav#define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ 85220097Smav#define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ 86220097Smav#define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ 87207536Smav#define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ 88207536Smav#define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ 89207536Smav#define PFTM_FRAG_VAL 30 /* Fragment expire */ 90207536Smav#define PFTM_INTERVAL_VAL 10 /* Expire interval */ 91207536Smav#define PFTM_SRC_NODE_VAL 0 /* Source tracking */ 92207536Smav#define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ 93207536Smav 94280393Smavenum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; 95207536Smavenum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 96207536Smav PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 97207536Smav#define PF_POOL_IDMASK 0x0f 98207536Smavenum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 99207536Smav PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 100207536Smavenum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 101207536Smav PF_ADDR_TABLE, PF_ADDR_URPFFAILED, 102207536Smav PF_ADDR_RANGE }; 103207536Smav#define PF_POOL_TYPEMASK 0x0f 104207536Smav#define PF_POOL_STICKYADDR 0x20 105207536Smav#define PF_WSCALE_FLAG 0x80 106207536Smav#define PF_WSCALE_MASK 0x0f 107207536Smav 108207536Smav#define PF_LOG 0x01 109207536Smav#define PF_LOG_ALL 0x02 110207536Smav#define PF_LOG_SOCKET_LOOKUP 0x04 111207536Smav 112207536Smav/* Reasons code for passing/dropping a packet */ 113207536Smav#define PFRES_MATCH 0 /* Explicit match of a rule */ 114207536Smav#define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ 115207536Smav#define PFRES_FRAG 2 /* Dropping following fragment */ 116207536Smav#define PFRES_SHORT 3 /* Dropping short packet */ 117271461Smav#define PFRES_NORM 4 /* Dropping by normalizer */ 118207536Smav#define PFRES_MEMORY 5 /* Dropped due to lacking mem */ 119207536Smav#define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ 120207536Smav#define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ 121207536Smav#define PFRES_IPOPTIONS 8 /* IP option */ 122207536Smav#define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ 123207536Smav#define PFRES_BADSTATE 10 /* State mismatch */ 124207536Smav#define PFRES_STATEINS 11 /* State insertion failure */ 125207536Smav#define PFRES_MAXSTATES 12 /* State limit */ 126207536Smav#define PFRES_SRCLIMIT 13 /* Source node/conn limit */ 127207536Smav#define PFRES_SYNPROXY 14 /* SYN proxy */ 128207536Smav#define PFRES_MAX 15 /* total+1 */ 129207536Smav 130207536Smav#define PFRES_NAMES { \ 131207536Smav "match", \ 132207536Smav "bad-offset", \ 133207536Smav "fragment", \ 134207536Smav "short", \ 135207536Smav "normalize", \ 136207536Smav "memory", \ 137207536Smav "bad-timestamp", \ 138207536Smav "congestion", \ 139207536Smav "ip-option", \ 140207536Smav "proto-cksum", \ 141207536Smav "state-mismatch", \ 142207536Smav "state-insert", \ 143207536Smav "state-limit", \ 144207536Smav "src-limit", \ 145236952Smav "synproxy", \ 146236952Smav NULL \ 147207536Smav} 148208414Smav 149208414Smav/* Counters for other things we want to keep track of */ 150207536Smav#define LCNT_STATES 0 /* states */ 151207536Smav#define LCNT_SRCSTATES 1 /* max-src-states */ 152207536Smav#define LCNT_SRCNODES 2 /* max-src-nodes */ 153207536Smav#define LCNT_SRCCONN 3 /* max-src-conn */ 154207536Smav#define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */ 155207536Smav#define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */ 156207536Smav#define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */ 157207536Smav#define LCNT_MAX 7 /* total+1 */ 158207536Smav 159207536Smav#define LCNT_NAMES { \ 160207536Smav "max states per rule", \ 161207536Smav "max-src-states", \ 162207536Smav "max-src-nodes", \ 163207536Smav "max-src-conn", \ 164207536Smav "max-src-conn-rate", \ 165207536Smav "overload table insertion", \ 166207536Smav "overload flush states", \ 167207536Smav NULL \ 168207536Smav} 169207536Smav 170207536Smav/* state operation counters */ 171207536Smav#define FCNT_STATE_SEARCH 0 172207536Smav#define FCNT_STATE_INSERT 1 173207536Smav#define FCNT_STATE_REMOVALS 2 174207536Smav#define FCNT_MAX 3 175207536Smav 176207536Smav/* src_node operation counters */ 177207536Smav#define SCNT_SRC_NODE_SEARCH 0 178207536Smav#define SCNT_SRC_NODE_INSERT 1 179207536Smav#define SCNT_SRC_NODE_REMOVALS 2 180207536Smav#define SCNT_MAX 3 181207536Smav 182207536Smav#define PF_TABLE_NAME_SIZE 32 183207536Smav#define PF_QNAME_SIZE 64 184207536Smav 185207536Smavstruct pf_status { 186207536Smav uint64_t counters[PFRES_MAX]; 187227849Shselasky uint64_t lcounters[LCNT_MAX]; 188227701Shselasky uint64_t fcounters[FCNT_MAX]; 189207536Smav uint64_t scounters[SCNT_MAX]; 190207536Smav uint64_t pcounters[2][2][3]; 191207536Smav uint64_t bcounters[2][2]; 192207536Smav uint32_t running; 193207536Smav uint32_t states; 194207536Smav uint32_t src_nodes; 195207536Smav uint32_t since; 196207536Smav uint32_t debug; 197207536Smav uint32_t hostid; 198207536Smav char ifname[IFNAMSIZ]; 199207536Smav uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 200207536Smav}; 201207536Smav 202207536Smav#endif /* _NET_PF_H_ */ 203207536Smav