netpfil/pf/pf.h

126258Smlaier/*
126258Smlaier * Copyright (c) 2001 Daniel Hartmeier
126258Smlaier * All rights reserved.
126258Smlaier *
126258Smlaier * Redistribution and use in source and binary forms, with or without
126258Smlaier * modification, are permitted provided that the following conditions
126258Smlaier * are met:
126258Smlaier *
126258Smlaier *    - Redistributions of source code must retain the above copyright
126258Smlaier *      notice, this list of conditions and the following disclaimer.
126258Smlaier *    - Redistributions in binary form must reproduce the above
126258Smlaier *      copyright notice, this list of conditions and the following
126258Smlaier *      disclaimer in the documentation and/or other materials provided
126258Smlaier *      with the distribution.
126258Smlaier *
126258Smlaier * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
126258Smlaier * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
126258Smlaier * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
126258Smlaier * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
126258Smlaier * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
126258Smlaier * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
126258Smlaier * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
126258Smlaier * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
126258Smlaier * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
126258Smlaier * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
126258Smlaier * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
126258Smlaier * POSSIBILITY OF SUCH DAMAGE.
126258Smlaier *
240644Sglebius *	$OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
240640Sglebius *	$FreeBSD$
126258Smlaier */
126258Smlaier
257186Sglebius#ifndef	_NET_PF_H_
263086Sglebius#define	_NET_PF_H_
126258Smlaier
126258Smlaier#define	PF_TCPS_PROXY_SRC	((TCP_NSTATES)+0)
126258Smlaier#define	PF_TCPS_PROXY_DST	((TCP_NSTATES)+1)
126258Smlaier
171168Smlaier#define	PF_MD5_DIGEST_LENGTH	16
171168Smlaier#ifdef MD5_DIGEST_LENGTH
171168Smlaier#if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
171168Smlaier#error
171168Smlaier#endif
171168Smlaier#endif
171168Smlaier
126258Smlaierenum	{ PF_INOUT, PF_IN, PF_OUT };
145836Smlaierenum	{ PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
223637Sbz	  PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
126258Smlaierenum	{ PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
126258Smlaier	  PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
126258Smlaierenum	{ PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
126258Smlaier	  PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
126258Smlaierenum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
126258Smlaierenum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
126258Smlaier	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
126258Smlaier	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
171168Smlaierenum	{ PF_GET_NONE, PF_GET_CLR_CNTR };
223637Sbzenum	{ PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
171168Smlaier
126258Smlaier/*
126258Smlaier * Note about PFTM_*: real indices into pf_rule.timeout[] come before
126258Smlaier * PFTM_MAX, special cases afterwards. See pf_state_expires().
126258Smlaier */
126258Smlaierenum	{ PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
126258Smlaier	  PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
126258Smlaier	  PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
126258Smlaier	  PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
126258Smlaier	  PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
126258Smlaier	  PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
130613Smlaier	  PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
171168Smlaier	  PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
171168Smlaier	  PFTM_UNTIL_PACKET };
145836Smlaier
145836Smlaier/* PFTM default values */
145836Smlaier#define PFTM_TCP_FIRST_PACKET_VAL	120	/* First TCP packet */
145836Smlaier#define PFTM_TCP_OPENING_VAL		30	/* No response yet */
145836Smlaier#define PFTM_TCP_ESTABLISHED_VAL	24*60*60/* Established */
145836Smlaier#define PFTM_TCP_CLOSING_VAL		15 * 60	/* Half closed */
145836Smlaier#define PFTM_TCP_FIN_WAIT_VAL		45	/* Got both FINs */
145836Smlaier#define PFTM_TCP_CLOSED_VAL		90	/* Got a RST */
145836Smlaier#define PFTM_UDP_FIRST_PACKET_VAL	60	/* First UDP packet */
145836Smlaier#define PFTM_UDP_SINGLE_VAL		30	/* Unidirectional */
145836Smlaier#define PFTM_UDP_MULTIPLE_VAL		60	/* Bidirectional */
145836Smlaier#define PFTM_ICMP_FIRST_PACKET_VAL	20	/* First ICMP packet */
145836Smlaier#define PFTM_ICMP_ERROR_REPLY_VAL	10	/* Got error response */
145836Smlaier#define PFTM_OTHER_FIRST_PACKET_VAL	60	/* First packet */
145836Smlaier#define PFTM_OTHER_SINGLE_VAL		30	/* Unidirectional */
145836Smlaier#define PFTM_OTHER_MULTIPLE_VAL		60	/* Bidirectional */
145836Smlaier#define PFTM_FRAG_VAL			30	/* Fragment expire */
145836Smlaier#define PFTM_INTERVAL_VAL		10	/* Expire interval */
145836Smlaier#define PFTM_SRC_NODE_VAL		0	/* Source tracking */
145836Smlaier#define PFTM_TS_DIFF_VAL		30	/* Allowed TS diff */
145836Smlaier
126258Smlaierenum	{ PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
171168Smlaierenum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
240233Sglebius	  PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
126258Smlaier#define PF_POOL_IDMASK		0x0f
126258Smlaierenum	{ PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
126258Smlaier	  PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
126258Smlaierenum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
240233Sglebius	  PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
223637Sbz	  PF_ADDR_RANGE };
126258Smlaier#define PF_POOL_TYPEMASK	0x0f
130613Smlaier#define PF_POOL_STICKYADDR	0x20
126258Smlaier#define	PF_WSCALE_FLAG		0x80
126258Smlaier#define	PF_WSCALE_MASK		0x0f
126258Smlaier
171168Smlaier#define	PF_LOG			0x01
171168Smlaier#define	PF_LOG_ALL		0x02
171168Smlaier#define	PF_LOG_SOCKET_LOOKUP	0x04
171168Smlaier
126258Smlaier/* Reasons code for passing/dropping a packet */
126258Smlaier#define PFRES_MATCH	0		/* Explicit match of a rule */
126258Smlaier#define PFRES_BADOFF	1		/* Bad offset for pull_hdr */
126258Smlaier#define PFRES_FRAG	2		/* Dropping following fragment */
126258Smlaier#define PFRES_SHORT	3		/* Dropping short packet */
126258Smlaier#define PFRES_NORM	4		/* Dropping by normalizer */
126258Smlaier#define PFRES_MEMORY	5		/* Dropped due to lacking mem */
145836Smlaier#define PFRES_TS	6		/* Bad TCP Timestamp (RFC1323) */
145836Smlaier#define PFRES_CONGEST	7		/* Congestion (of ipintrq) */
145836Smlaier#define PFRES_IPOPTIONS 8		/* IP option */
145836Smlaier#define PFRES_PROTCKSUM 9		/* Protocol checksum invalid */
145836Smlaier#define PFRES_BADSTATE	10		/* State mismatch */
145836Smlaier#define PFRES_STATEINS	11		/* State insertion failure */
145836Smlaier#define PFRES_MAXSTATES	12		/* State limit */
145836Smlaier#define PFRES_SRCLIMIT	13		/* Source node/conn limit */
145836Smlaier#define PFRES_SYNPROXY	14		/* SYN proxy */
270925Sglebius#define PFRES_MAX	15		/* total+1 */
126258Smlaier
126258Smlaier#define PFRES_NAMES { \
126258Smlaier	"match", \
126258Smlaier	"bad-offset", \
126258Smlaier	"fragment", \
126258Smlaier	"short", \
126258Smlaier	"normalize", \
126258Smlaier	"memory", \
145836Smlaier	"bad-timestamp", \
145836Smlaier	"congestion", \
145836Smlaier	"ip-option", \
145836Smlaier	"proto-cksum", \
145836Smlaier	"state-mismatch", \
145836Smlaier	"state-insert", \
145836Smlaier	"state-limit", \
145836Smlaier	"src-limit", \
145836Smlaier	"synproxy", \
126258Smlaier	NULL \
126258Smlaier}
126258Smlaier
270574Sglebius/* Counters for other things we want to keep track of */
270574Sglebius#define LCNT_STATES		0	/* states */
270574Sglebius#define LCNT_SRCSTATES		1	/* max-src-states */
270574Sglebius#define LCNT_SRCNODES		2	/* max-src-nodes */
270574Sglebius#define LCNT_SRCCONN		3	/* max-src-conn */
270574Sglebius#define LCNT_SRCCONNRATE	4	/* max-src-conn-rate */
270574Sglebius#define LCNT_OVERLOAD_TABLE	5	/* entry added to overload table */
270574Sglebius#define LCNT_OVERLOAD_FLUSH	6	/* state entries flushed */
270574Sglebius#define LCNT_MAX		7	/* total+1 */
270574Sglebius
270574Sglebius#define LCNT_NAMES { \
270574Sglebius	"max states per rule", \
270574Sglebius	"max-src-states", \
270574Sglebius	"max-src-nodes", \
270574Sglebius	"max-src-conn", \
270574Sglebius	"max-src-conn-rate", \
270574Sglebius	"overload table insertion", \
270574Sglebius	"overload flush states", \
270574Sglebius	NULL \
270574Sglebius}
270574Sglebius
270574Sglebius/* state operation counters */
270574Sglebius#define FCNT_STATE_SEARCH	0
270574Sglebius#define FCNT_STATE_INSERT	1
270574Sglebius#define FCNT_STATE_REMOVALS	2
270574Sglebius#define FCNT_MAX		3
270574Sglebius
270574Sglebius/* src_node operation counters */
270574Sglebius#define SCNT_SRC_NODE_SEARCH	0
270574Sglebius#define SCNT_SRC_NODE_INSERT	1
270574Sglebius#define SCNT_SRC_NODE_REMOVALS	2
270574Sglebius#define SCNT_MAX		3
270574Sglebius
257186Sglebius#define	PF_TABLE_NAME_SIZE	32
257186Sglebius#define	PF_QNAME_SIZE		64
145836Smlaier
270574Sglebiusstruct pf_status {
270574Sglebius	uint64_t	counters[PFRES_MAX];
270574Sglebius	uint64_t	lcounters[LCNT_MAX];
270574Sglebius	uint64_t	fcounters[FCNT_MAX];
270574Sglebius	uint64_t	scounters[SCNT_MAX];
270574Sglebius	uint64_t	pcounters[2][2][3];
270574Sglebius	uint64_t	bcounters[2][2];
270574Sglebius	uint32_t	running;
270574Sglebius	uint32_t	states;
270574Sglebius	uint32_t	src_nodes;
270574Sglebius	uint32_t	since;
270574Sglebius	uint32_t	debug;
270574Sglebius	uint32_t	hostid;
270574Sglebius	char		ifname[IFNAMSIZ];
270574Sglebius	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
270574Sglebius};
270574Sglebius
257186Sglebius#endif	/* _NET_PF_H_ */