xref: /freebsd/sys/net/pfil.h (revision 71625ec9ad2a9bc8c09784fbd23b759830e0ee5f)

/*	$NetBSD: pfil.h,v 1.22 2003/06/23 12:57:08 martin Exp $	*/

/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 2019 Gleb Smirnoff <glebius@FreeBSD.org>
 * Copyright (c) 1996 Matthew R. Green
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _NET_PFIL_H_
#define _NET_PFIL_H_

#include <sys/ioccom.h>

enum pfil_types {
	PFIL_TYPE_IP4,
	PFIL_TYPE_IP6,
	PFIL_TYPE_ETHERNET,
};

#define	MAXPFILNAME	64

struct pfilioc_head {
	char		pio_name[MAXPFILNAME];
	int		pio_nhooksin;
	int		pio_nhooksout;
	enum pfil_types	pio_type;
};

struct pfilioc_hook {
	char		pio_module[MAXPFILNAME];
	char		pio_ruleset[MAXPFILNAME];
	int		pio_flags;
	enum pfil_types pio_type;
};

struct pfilioc_list {
	u_int			 pio_nheads;
	u_int			 pio_nhooks;
	struct pfilioc_head	*pio_heads;
	struct pfilioc_hook	*pio_hooks;
};

struct pfilioc_link {
	char		pio_name[MAXPFILNAME];
	char		pio_module[MAXPFILNAME];
	char		pio_ruleset[MAXPFILNAME];
	int		pio_flags;
};

#define	PFILDEV			"pfil"
#define	PFILIOC_LISTHEADS	_IOWR('P', 1, struct pfilioc_list)
#define	PFILIOC_LISTHOOKS	_IOWR('P', 2, struct pfilioc_list)
#define	PFILIOC_LINK		_IOW('P', 3, struct pfilioc_link)

#define	PFIL_IN		0x00010000
#define	PFIL_OUT	0x00020000
#define	PFIL_FWD	0x00040000
#define	PFIL_DIR(f)	((f) & (PFIL_IN|PFIL_OUT))
#define	PFIL_HEADPTR	0x00100000
#define	PFIL_HOOKPTR	0x00200000
#define	PFIL_APPEND	0x00400000
#define	PFIL_UNLINK	0x00800000

#ifdef _KERNEL
struct mbuf;
struct ifnet;
struct inpcb;

typedef enum {
	PFIL_PASS = 0,
	PFIL_DROPPED,
	PFIL_CONSUMED,
	PFIL_REALLOCED,
} pfil_return_t;

typedef	pfil_return_t	(*pfil_mbuf_chk_t)(struct mbuf **, struct ifnet *, int,
			    void *, struct inpcb *);
typedef pfil_return_t	(*pfil_mem_chk_t)(void *, u_int, int, struct ifnet *,
			    void *, struct mbuf **);

/*
 * A pfil head is created by a packet intercept point.
 *
 * A pfil hook is created by a packet filter.
 *
 * Hooks are chained on heads.  Historically some hooking happens
 * automatically, e.g. ipfw(4), pf(4) and ipfilter(4) would register
 * theirselves on IPv4 and IPv6 input/output.
 */

typedef struct pfil_hook *	pfil_hook_t;
typedef struct pfil_head *	pfil_head_t;

/*
 * Give us a chance to modify pfil_xxx_args structures in future.
 */
#define	PFIL_VERSION	2

/* Argument structure used by packet filters to register themselves. */
struct pfil_hook_args {
	int		 pa_version;
	int		 pa_flags;
	enum pfil_types	 pa_type;
	pfil_mbuf_chk_t	 pa_mbuf_chk;
	pfil_mem_chk_t	 pa_mem_chk;
	void		*pa_ruleset;
	const char	*pa_modname;
	const char	*pa_rulname;
};

/* Public functions for pfil hook management by packet filters. */
pfil_hook_t	pfil_add_hook(struct pfil_hook_args *);
void		pfil_remove_hook(pfil_hook_t);

/* Argument structure used by ioctl() and packet filters to set filters. */
struct pfil_link_args {
	int		pa_version;
	int		pa_flags;
	union {
		const char	*pa_headname;
		pfil_head_t	 pa_head;
	};
	union {
		struct {
			const char	*pa_modname;
			const char	*pa_rulname;
		};
		pfil_hook_t	 pa_hook;
	};
};

/* Public function to configure filter chains.  Used by ioctl() and filters. */
int	pfil_link(struct pfil_link_args *);

/* Argument structure used by inspection points to register themselves. */
struct pfil_head_args {
	int		 pa_version;
	int		 pa_flags;
	enum pfil_types	 pa_type;
	const char	*pa_headname;
};

/* Public functions for pfil head management by inspection points. */
pfil_head_t	pfil_head_register(struct pfil_head_args *);
void		pfil_head_unregister(pfil_head_t);

/* Public functions to run the packet inspection by inspection points. */
int	pfil_mem_in(struct pfil_head *, void *, u_int, struct ifnet *,
    struct mbuf **);
int	pfil_mem_out(struct pfil_head *, void *, u_int, struct ifnet *,
    struct mbuf **);
int	pfil_mbuf_in(struct pfil_head *, struct mbuf **, struct ifnet *,
    struct inpcb *inp);
int	pfil_mbuf_out(struct pfil_head *, struct mbuf **, struct ifnet *,
    struct inpcb *inp);
int	pfil_mbuf_fwd(struct pfil_head *, struct mbuf **, struct ifnet *,
    struct inpcb *);

/*
 * Minimally exposed structure to avoid function call in case of absence
 * of any filters by protocols and macros to do the check.
 */
struct _pfil_head {
	int	head_nhooksin;
	int	head_nhooksout;
};
#define	PFIL_HOOKED_IN(p) (((struct _pfil_head *)(p))->head_nhooksin > 0)
#define	PFIL_HOOKED_OUT(p) (((struct _pfil_head *)(p))->head_nhooksout > 0)

#endif /* _KERNEL */
#endif /* _NET_PFIL_H_ */