2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2001 Daniel Hartmeier
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
31 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
40 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
41 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
43 #define PF_MD5_DIGEST_LENGTH 16
44 #ifdef MD5_DIGEST_LENGTH
45 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
50 enum { PF_INOUT, PF_IN, PF_OUT };
51 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
52 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
53 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
54 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
55 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
56 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
57 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
58 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
59 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
60 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
61 enum { PF_GET_NONE, PF_GET_CLR_CNTR };
62 enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
65 * Note about PFTM_*: real indices into pf_rule.timeout[] come before
66 * PFTM_MAX, special cases afterwards. See pf_state_expires().
68 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
69 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
70 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
71 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
72 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
73 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
74 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
75 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED };
77 /* PFTM default values */
78 #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */
79 #define PFTM_TCP_OPENING_VAL 30 /* No response yet */
80 #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */
81 #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */
82 #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */
83 #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */
84 #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */
85 #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */
86 #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */
87 #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */
88 #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */
89 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */
90 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */
91 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */
92 #define PFTM_FRAG_VAL 30 /* Fragment expire */
93 #define PFTM_INTERVAL_VAL 10 /* Expire interval */
94 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */
95 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */
97 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
98 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
99 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
100 #define PF_POOL_IDMASK 0x0f
101 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
102 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
103 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
104 PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
106 #define PF_POOL_TYPEMASK 0x0f
107 #define PF_POOL_STICKYADDR 0x20
108 #define PF_WSCALE_FLAG 0x80
109 #define PF_WSCALE_MASK 0x0f
112 #define PF_LOG_ALL 0x02
113 #define PF_LOG_SOCKET_LOOKUP 0x04
115 /* Reasons code for passing/dropping a packet */
116 #define PFRES_MATCH 0 /* Explicit match of a rule */
117 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */
118 #define PFRES_FRAG 2 /* Dropping following fragment */
119 #define PFRES_SHORT 3 /* Dropping short packet */
120 #define PFRES_NORM 4 /* Dropping by normalizer */
121 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */
122 #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */
123 #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */
124 #define PFRES_IPOPTIONS 8 /* IP option */
125 #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */
126 #define PFRES_BADSTATE 10 /* State mismatch */
127 #define PFRES_STATEINS 11 /* State insertion failure */
128 #define PFRES_MAXSTATES 12 /* State limit */
129 #define PFRES_SRCLIMIT 13 /* Source node/conn limit */
130 #define PFRES_SYNPROXY 14 /* SYN proxy */
131 #define PFRES_MAPFAILED 15 /* pf_map_addr() failed */
132 #define PFRES_MAX 16 /* total+1 */
134 #define PFRES_NAMES { \
154 /* Counters for other things we want to keep track of */
155 #define LCNT_STATES 0 /* states */
156 #define LCNT_SRCSTATES 1 /* max-src-states */
157 #define LCNT_SRCNODES 2 /* max-src-nodes */
158 #define LCNT_SRCCONN 3 /* max-src-conn */
159 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */
160 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */
161 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */
162 #define LCNT_MAX 7 /* total+1 */
164 #define LCNT_NAMES { \
165 "max states per rule", \
169 "max-src-conn-rate", \
170 "overload table insertion", \
171 "overload flush states", \
175 /* state operation counters */
176 #define FCNT_STATE_SEARCH 0
177 #define FCNT_STATE_INSERT 1
178 #define FCNT_STATE_REMOVALS 2
181 /* src_node operation counters */
182 #define SCNT_SRC_NODE_SEARCH 0
183 #define SCNT_SRC_NODE_INSERT 1
184 #define SCNT_SRC_NODE_REMOVALS 2
187 #define PF_TABLE_NAME_SIZE 32
188 #define PF_QNAME_SIZE 64
193 uint64_t counters[PFRES_MAX];
194 uint64_t lcounters[LCNT_MAX];
195 uint64_t fcounters[FCNT_MAX];
196 uint64_t scounters[SCNT_MAX];
197 uint64_t pcounters[2][2][3];
198 uint64_t bcounters[2][2];
205 char ifname[IFNAMSIZ];
206 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
216 } pfa; /* 128-bit address */
219 #define addr8 pfa.addr8
220 #define addr16 pfa.addr16
221 #define addr32 pfa.addr32
224 #define PFI_AFLAG_NETWORK 0x01
225 #define PFI_AFLAG_BROADCAST 0x02
226 #define PFI_AFLAG_PEER 0x04
227 #define PFI_AFLAG_MODEMASK 0x07
228 #define PFI_AFLAG_NOALIAS 0x08
230 struct pf_addr_wrap {
236 char ifname[IFNAMSIZ];
237 char tblname[PF_TABLE_NAME_SIZE];
240 struct pfi_dynaddr *dyn;
241 struct pfr_ktable *tbl;
245 u_int8_t type; /* PF_ADDR_* */
246 u_int8_t iflags; /* PFI_AFLAG_* */
264 struct pf_rule_addr {
265 struct pf_addr_wrap addr;
272 struct pf_addr_wrap addr;
273 TAILQ_ENTRY(pf_pooladdr) entries;
274 char ifname[IFNAMSIZ];
278 TAILQ_HEAD(pf_palist, pf_pooladdr);
280 struct pf_poolhashkey {
285 } pfk; /* 128-bit hash key */
286 #define key8 pfk.key8
287 #define key16 pfk.key16
288 #define key32 pfk.key32
292 struct pf_palist list;
293 struct pf_pooladdr *cur;
294 struct pf_poolhashkey key;
295 struct pf_addr counter;
297 u_int16_t proxy_port[2];
301 /* A packed Operating System description for fingerprinting */
302 typedef u_int32_t pf_osfp_t;
303 #define PF_OSFP_ANY ((pf_osfp_t)0)
304 #define PF_OSFP_UNKNOWN ((pf_osfp_t)-1)
305 #define PF_OSFP_NOMATCH ((pf_osfp_t)-2)
307 struct pf_osfp_entry {
308 SLIST_ENTRY(pf_osfp_entry) fp_entry;
311 #define PF_OSFP_EXPANDED 0x001 /* expanded entry */
312 #define PF_OSFP_GENERIC 0x002 /* generic signature */
313 #define PF_OSFP_NODETAIL 0x004 /* no p0f details */
314 #define PF_OSFP_LEN 32
315 char fp_class_nm[PF_OSFP_LEN];
316 char fp_version_nm[PF_OSFP_LEN];
317 char fp_subtype_nm[PF_OSFP_LEN];
319 #define PF_OSFP_ENTRY_EQ(a, b) \
320 ((a)->fp_os == (b)->fp_os && \
321 memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
322 memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
323 memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
325 /* handle pf_osfp_t packing */
326 #define _FP_RESERVED_BIT 1 /* For the special negative #defines */
327 #define _FP_UNUSED_BITS 1
328 #define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */
329 #define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
330 #define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */
331 #define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
332 (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
333 ((1 << _FP_CLASS_BITS) - 1); \
334 (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
335 ((1 << _FP_VERSION_BITS) - 1);\
336 (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
338 #define PF_OSFP_PACK(osfp, class, version, subtype) do { \
339 (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
340 + _FP_SUBTYPE_BITS); \
341 (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
343 (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
346 /* the fingerprint of an OSes TCP SYN packet */
347 typedef u_int64_t pf_tcpopts_t;
348 struct pf_os_fingerprint {
349 SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
350 pf_tcpopts_t fp_tcpopts; /* packed TCP options */
351 u_int16_t fp_wsize; /* TCP window size */
352 u_int16_t fp_psize; /* ip->ip_len */
353 u_int16_t fp_mss; /* TCP MSS */
355 #define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */
356 #define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */
357 #define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */
358 #define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */
359 #define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */
360 #define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */
361 #define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */
362 #define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */
363 #define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */
364 #define PF_OSFP_MSS 0x0200 /* TCP MSS */
365 #define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */
366 #define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */
367 #define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */
368 #define PF_OSFP_TS0 0x2000 /* Zero timestamp */
369 #define PF_OSFP_INET6 0x4000 /* IPv6 */
370 u_int8_t fp_optcnt; /* TCP option count */
371 u_int8_t fp_wscale; /* TCP window scaling */
372 u_int8_t fp_ttl; /* IPv4 TTL */
373 #define PF_OSFP_MAXTTL_OFFSET 40
374 /* TCP options packing */
375 #define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */
376 #define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */
377 #define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */
378 #define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */
379 #define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */
380 #define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */
381 #define PF_OSFP_MAX_OPTS \
382 (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
383 / PF_OSFP_TCPOPT_BITS
385 SLIST_ENTRY(pf_os_fingerprint) fp_next;
388 struct pf_osfp_ioctl {
389 struct pf_osfp_entry fp_os;
390 pf_tcpopts_t fp_tcpopts; /* packed TCP options */
391 u_int16_t fp_wsize; /* TCP window size */
392 u_int16_t fp_psize; /* ip->ip_len */
393 u_int16_t fp_mss; /* TCP MSS */
395 u_int8_t fp_optcnt; /* TCP option count */
396 u_int8_t fp_wscale; /* TCP window scaling */
397 u_int8_t fp_ttl; /* IPv4 TTL */
399 int fp_getnum; /* DIOCOSFPGET number */
402 #define PF_ANCHOR_NAME_SIZE 64
405 struct pf_rule_addr src;
406 struct pf_rule_addr dst;
407 #define PF_SKIP_IFP 0
408 #define PF_SKIP_DIR 1
410 #define PF_SKIP_PROTO 3
411 #define PF_SKIP_SRC_ADDR 4
412 #define PF_SKIP_SRC_PORT 5
413 #define PF_SKIP_DST_ADDR 6
414 #define PF_SKIP_DST_PORT 7
415 #define PF_SKIP_COUNT 8
416 union pf_rule_ptr skip[PF_SKIP_COUNT];
417 #define PF_RULE_LABEL_SIZE 64
418 char label[PF_RULE_LABEL_SIZE];
419 char ifname[IFNAMSIZ];
420 char qname[PF_QNAME_SIZE];
421 char pqname[PF_QNAME_SIZE];
422 #define PF_TAG_NAME_SIZE 64
423 char tagname[PF_TAG_NAME_SIZE];
424 char match_tagname[PF_TAG_NAME_SIZE];
426 char overload_tblname[PF_TABLE_NAME_SIZE];
428 TAILQ_ENTRY(pf_rule) entries;
429 struct pf_pool rpool;
431 u_int64_t evaluations;
432 u_int64_t packets[2];
436 struct pf_anchor *anchor;
437 struct pfr_ktable *overload_tbl;
439 pf_osfp_t os_fingerprint;
442 u_int32_t timeout[PFTM_MAX];
443 u_int32_t max_states;
444 u_int32_t max_src_nodes;
445 u_int32_t max_src_states;
446 u_int32_t max_src_conn;
459 counter_u64_t states_cur;
460 counter_u64_t states_tot;
461 counter_u64_t src_nodes;
463 u_int16_t return_icmp;
464 u_int16_t return_icmp6;
468 u_int16_t scrub_flags;
470 struct pf_rule_uid uid;
471 struct pf_rule_gid gid;
480 u_int8_t match_tag_not;
483 #define PF_STATE_NORMAL 0x1
484 #define PF_STATE_MODULATE 0x2
485 #define PF_STATE_SYNPROXY 0x3
499 u_int8_t anchor_relative;
500 u_int8_t anchor_wildcard;
502 #define PF_FLUSH 0x01
503 #define PF_FLUSH_GLOBAL 0x02
505 #define PF_PRIO_ZERO 0xff /* match "prio 0" packets */
506 #define PF_PRIO_MAX 7
508 u_int8_t set_prio[2];
515 uint64_t u_states_cur;
516 uint64_t u_states_tot;
517 uint64_t u_src_nodes;
521 #define PFRULE_DROP 0x0000
522 #define PFRULE_RETURNRST 0x0001
523 #define PFRULE_FRAGMENT 0x0002
524 #define PFRULE_RETURNICMP 0x0004
525 #define PFRULE_RETURN 0x0008
526 #define PFRULE_NOSYNC 0x0010
527 #define PFRULE_SRCTRACK 0x0020 /* track source states */
528 #define PFRULE_RULESRCTRACK 0x0040 /* per rule */
529 #define PFRULE_REFS 0x0080 /* rule has references */
532 #define PFRULE_NODF 0x0100
533 #define PFRULE_RANDOMID 0x0800
534 #define PFRULE_REASSEMBLE_TCP 0x1000
535 #define PFRULE_SET_TOS 0x2000
537 /* rule flags again */
538 #define PFRULE_IFBOUND 0x00010000 /* if-bound */
539 #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */
541 #define PFSTATE_HIWAT 100000 /* default state table size */
542 #define PFSTATE_ADAPT_START 60000 /* default adaptive timeout start */
543 #define PFSTATE_ADAPT_END 120000 /* default adaptive timeout end */
546 struct pf_threshold {
548 #define PF_THRESHOLD_MULT 1000
549 #define PF_THRESHOLD_MAX 0xffffffff / PF_THRESHOLD_MULT
556 LIST_ENTRY(pf_src_node) entry;
558 struct pf_addr raddr;
559 union pf_rule_ptr rule;
562 u_int64_t packets[2];
565 struct pf_threshold conn_rate;
572 #define PFSNODE_HIWAT 10000 /* default source node table size */
574 TAILQ_HEAD(pf_rulequeue, pf_rule);
580 struct pf_rulequeue queues[2];
582 struct pf_rulequeue *ptr;
583 struct pf_rule **ptr_array;
588 } rules[PF_RULESET_MAX];
589 struct pf_anchor *anchor;
595 RB_HEAD(pf_anchor_global, pf_anchor);
596 RB_HEAD(pf_anchor_node, pf_anchor);
598 RB_ENTRY(pf_anchor) entry_global;
599 RB_ENTRY(pf_anchor) entry_node;
600 struct pf_anchor *parent;
601 struct pf_anchor_node children;
602 char name[PF_ANCHOR_NAME_SIZE];
603 char path[MAXPATHLEN];
604 struct pf_ruleset ruleset;
605 int refcnt; /* anchor rules */
606 int match; /* XXX: used for pfctl black magic */
608 RB_PROTOTYPE(pf_anchor_global, pf_anchor, entry_global, pf_anchor_compare);
609 RB_PROTOTYPE(pf_anchor_node, pf_anchor, entry_node, pf_anchor_compare);
611 /* these ruleset functions can be linked into userland programs (pfctl) */
612 int pf_get_ruleset_number(u_int8_t);
613 void pf_init_ruleset(struct pf_ruleset *);
614 int pf_anchor_setup(struct pf_rule *,
615 const struct pf_ruleset *, const char *);
616 void pf_remove_if_empty_ruleset(struct pf_ruleset *);
617 struct pf_ruleset *pf_find_ruleset(const char *);
618 struct pf_ruleset *pf_find_or_create_ruleset(const char *);
620 #endif /* _NET_PF_H_ */