2 * Copyright (c) 2001 Daniel Hartmeier
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * - Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
11 * - Redistributions in binary form must reproduce the above
12 * copyright notice, this list of conditions and the following
13 * disclaimer in the documentation and/or other materials provided
14 * with the distribution.
16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27 * POSSIBILITY OF SUCH DAMAGE.
29 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
36 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
37 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
39 #define PF_MD5_DIGEST_LENGTH 16
40 #ifdef MD5_DIGEST_LENGTH
41 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
46 enum { PF_INOUT, PF_IN, PF_OUT, PF_FWD };
47 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
48 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
49 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
50 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
51 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
52 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
53 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
54 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
55 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
56 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
57 enum { PF_GET_NONE, PF_GET_CLR_CNTR };
58 enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
61 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
62 * PFTM_MAX, special cases afterwards. See pf_state_expires().
64 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
65 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
66 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
67 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
68 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
69 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
70 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
71 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED,
74 /* PFTM default values */
75 #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
76 #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
77 #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
78 #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
79 #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
80 #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
81 #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
82 #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
83 #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
84 #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
85 #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
86 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
87 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
88 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
89 #define PFTM_FRAG_VAL 30 /* Fragment expire */
90 #define PFTM_INTERVAL_VAL 10 /* Expire interval */
91 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
92 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
94 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
95 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
96 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
97 #define PF_POOL_IDMASK 0x0f
98 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
99 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
100 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
101 PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
103 #define PF_POOL_TYPEMASK 0x0f
104 #define PF_POOL_STICKYADDR 0x20
105 #define PF_WSCALE_FLAG 0x80
106 #define PF_WSCALE_MASK 0x0f
109 #define PF_LOG_ALL 0x02
110 #define PF_LOG_SOCKET_LOOKUP 0x04
112 /* Reasons code for passing/dropping a packet */
113 #define PFRES_MATCH 0 /* Explicit match of a rule */
114 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
115 #define PFRES_FRAG 2 /* Dropping following fragment */
116 #define PFRES_SHORT 3 /* Dropping short packet */
117 #define PFRES_NORM 4 /* Dropping by normalizer */
118 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */
119 #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
120 #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
121 #define PFRES_IPOPTIONS 8 /* IP option */
122 #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
123 #define PFRES_BADSTATE 10 /* State mismatch */
124 #define PFRES_STATEINS 11 /* State insertion failure */
125 #define PFRES_MAXSTATES 12 /* State limit */
126 #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
127 #define PFRES_SYNPROXY 14 /* SYN proxy */
128 #define PFRES_MAX 15 /* total+1 */
130 #define PFRES_NAMES { \
149 /* Counters for other things we want to keep track of */
150 #define LCNT_STATES 0 /* states */
151 #define LCNT_SRCSTATES 1 /* max-src-states */
152 #define LCNT_SRCNODES 2 /* max-src-nodes */
153 #define LCNT_SRCCONN 3 /* max-src-conn */
154 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
155 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
156 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
157 #define LCNT_MAX 7 /* total+1 */
159 #define LCNT_NAMES { \
160 "max states per rule", \
164 "max-src-conn-rate", \
165 "overload table insertion", \
166 "overload flush states", \
170 /* state operation counters */
171 #define FCNT_STATE_SEARCH 0
172 #define FCNT_STATE_INSERT 1
173 #define FCNT_STATE_REMOVALS 2
176 /* src_node operation counters */
177 #define SCNT_SRC_NODE_SEARCH 0
178 #define SCNT_SRC_NODE_INSERT 1
179 #define SCNT_SRC_NODE_REMOVALS 2
182 #define PF_TABLE_NAME_SIZE 32
183 #define PF_QNAME_SIZE 64
186 uint64_t counters[PFRES_MAX];
187 uint64_t lcounters[LCNT_MAX];
188 uint64_t fcounters[FCNT_MAX];
189 uint64_t scounters[SCNT_MAX];
190 uint64_t pcounters[2][2][3];
191 uint64_t bcounters[2][2];
198 char ifname[IFNAMSIZ];
199 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
202 #endif /* _NET_PF_H_ */