2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
40 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
41 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
43 #define PF_MD5_DIGEST_LENGTH 16
44 #ifdef MD5_DIGEST_LENGTH
45 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
50 enum { PF_INOUT, PF_IN, PF_OUT };
51 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
52 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
53 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
54 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
55 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
56 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
57 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
58 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
59 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
60 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
61 enum { PF_GET_NONE, PF_GET_CLR_CNTR };
62 enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
65 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
66 * PFTM_MAX, special cases afterwards. See pf_state_expires().
68 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
69 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
70 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
71 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
72 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
73 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
74 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
75 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED };
77 /* PFTM default values */
78 #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
79 #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
80 #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
81 #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
82 #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
83 #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
84 #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
85 #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
86 #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
87 #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
88 #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
89 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
90 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
91 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
92 #define PFTM_FRAG_VAL 30 /* Fragment expire */
93 #define PFTM_INTERVAL_VAL 10 /* Expire interval */
94 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
95 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
97 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
98 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
99 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
100 #define PF_POOL_IDMASK 0x0f
101 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
102 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
103 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
104 PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
106 #define PF_POOL_TYPEMASK 0x0f
107 #define PF_POOL_STICKYADDR 0x20
108 #define PF_WSCALE_FLAG 0x80
109 #define PF_WSCALE_MASK 0x0f
112 #define PF_LOG_ALL 0x02
113 #define PF_LOG_SOCKET_LOOKUP 0x04
115 /* Reasons code for passing/dropping a packet */
116 #define PFRES_MATCH 0 /* Explicit match of a rule */
117 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
118 #define PFRES_FRAG 2 /* Dropping following fragment */
119 #define PFRES_SHORT 3 /* Dropping short packet */
120 #define PFRES_NORM 4 /* Dropping by normalizer */
121 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */
122 #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
123 #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
124 #define PFRES_IPOPTIONS 8 /* IP option */
125 #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
126 #define PFRES_BADSTATE 10 /* State mismatch */
127 #define PFRES_STATEINS 11 /* State insertion failure */
128 #define PFRES_MAXSTATES 12 /* State limit */
129 #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
130 #define PFRES_SYNPROXY 14 /* SYN proxy */
131 #define PFRES_MAPFAILED 15 /* pf_map_addr() failed */
132 #define PFRES_MAX 16 /* total+1 */
134 #define PFRES_NAMES { \
154 /* Counters for other things we want to keep track of */
155 #define LCNT_STATES 0 /* states */
156 #define LCNT_SRCSTATES 1 /* max-src-states */
157 #define LCNT_SRCNODES 2 /* max-src-nodes */
158 #define LCNT_SRCCONN 3 /* max-src-conn */
159 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
160 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
161 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
162 #define LCNT_MAX 7 /* total+1 */
164 #define LCNT_NAMES { \
165 "max states per rule", \
169 "max-src-conn-rate", \
170 "overload table insertion", \
171 "overload flush states", \
175 /* state operation counters */
176 #define FCNT_STATE_SEARCH 0
177 #define FCNT_STATE_INSERT 1
178 #define FCNT_STATE_REMOVALS 2
181 /* src_node operation counters */
182 #define SCNT_SRC_NODE_SEARCH 0
183 #define SCNT_SRC_NODE_INSERT 1
184 #define SCNT_SRC_NODE_REMOVALS 2
187 #define PF_TABLE_NAME_SIZE 32
188 #define PF_QNAME_SIZE 64
192 size_t len; /* The length of the nvlist data. */
193 size_t size; /* The total size of the data buffer. */
198 /* keep synced with pfi_kif, used in RB_FIND */
200 char pfik_name[IFNAMSIZ];
204 char pfik_name[IFNAMSIZ];
206 RB_ENTRY(pfi_kif) _pfik_tree;
207 LIST_ENTRY(pfi_kif) _pfik_list;
209 #define pfik_tree _pfik_glue._pfik_tree
210 #define pfik_list _pfik_glue._pfik_list
211 u_int64_t pfik_packets[2][2][2];
212 u_int64_t pfik_bytes[2][2][2];
213 u_int32_t pfik_tzero;
215 struct ifnet *pfik_ifp;
216 struct ifg_group *pfik_group;
218 TAILQ_HEAD(, pfi_dynaddr) pfik_dynaddrs;
222 uint64_t counters[PFRES_MAX];
223 uint64_t lcounters[LCNT_MAX];
224 uint64_t fcounters[FCNT_MAX];
225 uint64_t scounters[SCNT_MAX];
226 uint64_t pcounters[2][2][3];
227 uint64_t bcounters[2][2];
234 char ifname[IFNAMSIZ];
235 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
245 } pfa; /* 128-bit address */
248 #define addr8 pfa.addr8
249 #define addr16 pfa.addr16
250 #define addr32 pfa.addr32
253 #define PFI_AFLAG_NETWORK 0x01
254 #define PFI_AFLAG_BROADCAST 0x02
255 #define PFI_AFLAG_PEER 0x04
256 #define PFI_AFLAG_MODEMASK 0x07
257 #define PFI_AFLAG_NOALIAS 0x08
259 struct pf_addr_wrap {
265 char ifname[IFNAMSIZ];
266 char tblname[PF_TABLE_NAME_SIZE];
269 struct pfi_dynaddr *dyn;
270 struct pfr_ktable *tbl;
274 u_int8_t type; /* PF_ADDR_* */
275 u_int8_t iflags; /* PFI_AFLAG_* */
293 struct pf_rule_addr {
294 struct pf_addr_wrap addr;
301 struct pf_addr_wrap addr;
302 TAILQ_ENTRY(pf_pooladdr) entries;
303 char ifname[IFNAMSIZ];
307 TAILQ_HEAD(pf_palist, pf_pooladdr);
309 struct pf_poolhashkey {
314 } pfk; /* 128-bit hash key */
315 #define key8 pfk.key8
316 #define key16 pfk.key16
317 #define key32 pfk.key32
320 struct pf_mape_portset {
327 struct pf_palist list;
328 struct pf_pooladdr *cur;
329 struct pf_poolhashkey key;
330 struct pf_addr counter;
332 u_int16_t proxy_port[2];
336 /* A packed Operating System description for fingerprinting */
337 typedef u_int32_t pf_osfp_t;
338 #define PF_OSFP_ANY ((pf_osfp_t)0)
339 #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
340 #define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
342 struct pf_osfp_entry {
343 SLIST_ENTRY(pf_osfp_entry) fp_entry;
346 #define PF_OSFP_EXPANDED 0x001 /* expanded entry */
347 #define PF_OSFP_GENERIC 0x002 /* generic signature */
348 #define PF_OSFP_NODETAIL 0x004 /* no p0f details */
349 #define PF_OSFP_LEN 32
350 char fp_class_nm[PF_OSFP_LEN];
351 char fp_version_nm[PF_OSFP_LEN];
352 char fp_subtype_nm[PF_OSFP_LEN];
354 #define PF_OSFP_ENTRY_EQ(a, b) \
355 ((a)->fp_os == (b)->fp_os && \
356 memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
357 memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
358 memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
360 /* handle pf_osfp_t packing */
361 #define _FP_RESERVED_BIT 1 /* For the special negative #defines */
362 #define _FP_UNUSED_BITS 1
363 #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */
364 #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
365 #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */
366 #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
367 (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
368 ((1 << _FP_CLASS_BITS) - 1); \
369 (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
370 ((1 << _FP_VERSION_BITS) - 1);\
371 (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
373 #define PF_OSFP_PACK(osfp, class, version, subtype) do { \
374 (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
375 + _FP_SUBTYPE_BITS); \
376 (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
378 (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
381 /* the fingerprint of an OSes TCP SYN packet */
382 typedef u_int64_t pf_tcpopts_t;
383 struct pf_os_fingerprint {
384 SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
385 pf_tcpopts_t fp_tcpopts; /* packed TCP options */
386 u_int16_t fp_wsize; /* TCP window size */
387 u_int16_t fp_psize; /* ip->ip_len */
388 u_int16_t fp_mss; /* TCP MSS */
390 #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */
391 #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */
392 #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */
393 #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */
394 #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */
395 #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */
396 #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */
397 #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */
398 #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */
399 #define PF_OSFP_MSS 0x0200 /* TCP MSS */
400 #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */
401 #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */
402 #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */
403 #define PF_OSFP_TS0 0x2000 /* Zero timestamp */
404 #define PF_OSFP_INET6 0x4000 /* IPv6 */
405 u_int8_t fp_optcnt; /* TCP option count */
406 u_int8_t fp_wscale; /* TCP window scaling */
407 u_int8_t fp_ttl; /* IPv4 TTL */
408 #define PF_OSFP_MAXTTL_OFFSET 40
409 /* TCP options packing */
410 #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */
411 #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */
412 #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */
413 #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */
414 #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */
415 #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */
416 #define PF_OSFP_MAX_OPTS \
417 (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
418 / PF_OSFP_TCPOPT_BITS
420 SLIST_ENTRY(pf_os_fingerprint) fp_next;
423 struct pf_osfp_ioctl {
424 struct pf_osfp_entry fp_os;
425 pf_tcpopts_t fp_tcpopts; /* packed TCP options */
426 u_int16_t fp_wsize; /* TCP window size */
427 u_int16_t fp_psize; /* ip->ip_len */
428 u_int16_t fp_mss; /* TCP MSS */
430 u_int8_t fp_optcnt; /* TCP option count */
431 u_int8_t fp_wscale; /* TCP window scaling */
432 u_int8_t fp_ttl; /* IPv4 TTL */
434 int fp_getnum; /* DIOCOSFPGET number */
437 #define PF_ANCHOR_NAME_SIZE 64
440 struct pf_rule_addr src;
441 struct pf_rule_addr dst;
442 #define PF_SKIP_IFP 0
443 #define PF_SKIP_DIR 1
445 #define PF_SKIP_PROTO 3
446 #define PF_SKIP_SRC_ADDR 4
447 #define PF_SKIP_SRC_PORT 5
448 #define PF_SKIP_DST_ADDR 6
449 #define PF_SKIP_DST_PORT 7
450 #define PF_SKIP_COUNT 8
451 union pf_rule_ptr skip[PF_SKIP_COUNT];
452 #define PF_RULE_LABEL_SIZE 64
453 #define PF_RULE_MAX_LABEL_COUNT 5
454 char label[PF_RULE_LABEL_SIZE];
455 char ifname[IFNAMSIZ];
456 char qname[PF_QNAME_SIZE];
457 char pqname[PF_QNAME_SIZE];
458 #define PF_TAG_NAME_SIZE 64
459 char tagname[PF_TAG_NAME_SIZE];
460 char match_tagname[PF_TAG_NAME_SIZE];
462 char overload_tblname[PF_TABLE_NAME_SIZE];
464 TAILQ_ENTRY(pf_rule) entries;
465 struct pf_pool rpool;
467 u_int64_t evaluations;
468 u_int64_t packets[2];
472 struct pf_anchor *anchor;
473 struct pfr_ktable *overload_tbl;
475 pf_osfp_t os_fingerprint;
478 u_int32_t timeout[PFTM_MAX];
479 u_int32_t max_states;
480 u_int32_t max_src_nodes;
481 u_int32_t max_src_states;
482 u_int32_t max_src_conn;
495 counter_u64_t states_cur;
496 counter_u64_t states_tot;
497 counter_u64_t src_nodes;
499 u_int16_t return_icmp;
500 u_int16_t return_icmp6;
504 u_int16_t scrub_flags;
506 struct pf_rule_uid uid;
507 struct pf_rule_gid gid;
516 u_int8_t match_tag_not;
519 #define PF_STATE_NORMAL 0x1
520 #define PF_STATE_MODULATE 0x2
521 #define PF_STATE_SYNPROXY 0x3
535 u_int8_t anchor_relative;
536 u_int8_t anchor_wildcard;
538 #define PF_FLUSH 0x01
539 #define PF_FLUSH_GLOBAL 0x02
541 #define PF_PRIO_ZERO 0xff /* match "prio 0" packets */
542 #define PF_PRIO_MAX 7
544 u_int8_t set_prio[2];
551 uint64_t u_states_cur;
552 uint64_t u_states_tot;
553 uint64_t u_src_nodes;
557 #define PFRULE_DROP 0x0000
558 #define PFRULE_RETURNRST 0x0001
559 #define PFRULE_FRAGMENT 0x0002
560 #define PFRULE_RETURNICMP 0x0004
561 #define PFRULE_RETURN 0x0008
562 #define PFRULE_NOSYNC 0x0010
563 #define PFRULE_SRCTRACK 0x0020 /* track source states */
564 #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
565 #define PFRULE_REFS 0x0080 /* rule has references */
568 #define PFRULE_NODF 0x0100
569 #define PFRULE_RANDOMID 0x0800
570 #define PFRULE_REASSEMBLE_TCP 0x1000
571 #define PFRULE_SET_TOS 0x2000
573 /* rule flags again */
574 #define PFRULE_IFBOUND 0x00010000 /* if-bound */
575 #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */
577 #define PFSTATE_HIWAT 100000 /* default state table size */
578 #define PFSTATE_ADAPT_START 60000 /* default adaptive timeout start */
579 #define PFSTATE_ADAPT_END 120000 /* default adaptive timeout end */
582 struct pf_threshold {
584 #define PF_THRESHOLD_MULT 1000
585 #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
592 LIST_ENTRY(pf_src_node) entry;
594 struct pf_addr raddr;
595 union pf_rule_ptr rule;
598 u_int64_t packets[2];
601 struct pf_threshold conn_rate;
608 #define PFSNODE_HIWAT 10000 /* default source node table size */
610 TAILQ_HEAD(pf_rulequeue, pf_rule);
616 struct pf_rulequeue queues[2];
618 struct pf_rulequeue *ptr;
619 struct pf_rule **ptr_array;
624 } rules[PF_RULESET_MAX];
625 struct pf_anchor *anchor;
631 RB_HEAD(pf_anchor_global, pf_anchor);
632 RB_HEAD(pf_anchor_node, pf_anchor);
634 RB_ENTRY(pf_anchor) entry_global;
635 RB_ENTRY(pf_anchor) entry_node;
636 struct pf_anchor *parent;
637 struct pf_anchor_node children;
638 char name[PF_ANCHOR_NAME_SIZE];
639 char path[MAXPATHLEN];
640 struct pf_ruleset ruleset;
641 int refcnt; /* anchor rules */
642 int match; /* XXX: used for pfctl black magic */
644 RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
645 RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
647 int pf_get_ruleset_number(u_int8_t);
649 #endif /* _NET_PF_H_ */