/* $FreeBSD$ */
/* $NetBSD: pfil.h,v 1.22 2003/06/23 12:57:08 martin Exp $ */

/*-
 * SPDX-License-Identifier: BSD-3-Clause
 *
 * Copyright (c) 2019 Gleb Smirnoff <glebius@FreeBSD.org>
 * Copyright (c) 1996 Matthew R. Green
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _NET_PFIL_H_
#define _NET_PFIL_H_

#include <sys/ioccom.h>

/* Kind of traffic a pfil head or hook is declared for. */
enum pfil_types {
	PFIL_TYPE_IP4,
	PFIL_TYPE_IP6,
	PFIL_TYPE_ETHERNET,
};

/* Size in bytes of every fixed name buffer in the ioctl structures below. */
#define	MAXPFILNAME	64

/*
 * ioctl argument structures.
 *
 * All names are fixed char[MAXPFILNAME] arrays.  Nothing in this header
 * guarantees that a buffer filled in by the caller contains a NUL byte, so
 * code consuming these structures should bound every string operation by
 * MAXPFILNAME (or verify termination) before treating a name as a C string.
 */

/* Description of one head: its name, per-direction hook counts and type. */
struct pfilioc_head {
	char		pio_name[MAXPFILNAME];
	int		pio_nhooksin;
	int		pio_nhooksout;
	enum pfil_types	pio_type;
};

/* Description of one hook: module and ruleset names, flags and type. */
struct pfilioc_hook {
	char		pio_module[MAXPFILNAME];
	char		pio_ruleset[MAXPFILNAME];
	int		pio_flags;
	enum pfil_types	pio_type;
};

/*
 * Argument of PFILIOC_LISTHEADS and PFILIOC_LISTHOOKS (both _IOWR): two
 * element counts and two array pointers.
 *
 * NOTE(review): presumably the counts are the array capacities on entry and
 * the number of entries on return, and the pointers refer to caller memory;
 * the handler is not part of this file.  Confirm that it bounds every copy
 * by the caller-supplied count and that count * sizeof(element) cannot
 * overflow.
 */
struct pfilioc_list {
	u_int			 pio_nheads;
	u_int			 pio_nhooks;
	struct pfilioc_head	*pio_heads;
	struct pfilioc_hook	*pio_hooks;
};

/*
 * Argument of PFILIOC_LINK (_IOW): head name, module name, ruleset name and
 * a flag word.
 *
 * NOTE(review): pio_flags comes from the ioctl caller.  The handler should
 * accept only the bits it expects; in particular, confirm that it never
 * honours PFIL_HEADPTR or PFIL_HOOKPTR from this structure, since the
 * structure carries names, not pointers.
 */
struct pfilioc_link {
	char		pio_name[MAXPFILNAME];
	char		pio_module[MAXPFILNAME];
	char		pio_ruleset[MAXPFILNAME];
	int		pio_flags;
};

/* Device name and ioctl request codes (group 'P', numbers 1-3). */
#define	PFILDEV			"pfil"
#define	PFILIOC_LISTHEADS	_IOWR('P', 1, struct pfilioc_list)
#define	PFILIOC_LISTHOOKS	_IOWR('P', 2, struct pfilioc_list)
#define	PFILIOC_LINK		_IOW('P', 3, struct pfilioc_link)

/*
 * Flag word layout, as defined by the masks below: the low 16 bits
 * (PFIL_LENMASK) hold a length, the bits above are individual flags.
 * PFIL_DIR() keeps only PFIL_IN and PFIL_OUT; PFIL_FWD is not part of the
 * direction mask.
 *
 * NOTE(review): PFIL_MEMPTR presumably says that a pfil_packet_t carries
 * 'mem' rather than 'm', and PFIL_HEADPTR / PFIL_HOOKPTR presumably select
 * the pointer members of the unions in struct pfil_link_args -- confirm
 * against the implementation.
 */
#define	PFIL_IN		0x00010000
#define	PFIL_OUT	0x00020000
#define	PFIL_FWD	0x00040000
#define	PFIL_DIR(f)	((f) & (PFIL_IN|PFIL_OUT))
#define	PFIL_MEMPTR	0x00080000
#define	PFIL_HEADPTR	0x00100000
#define	PFIL_HOOKPTR	0x00200000
#define	PFIL_APPEND	0x00400000
#define	PFIL_UNLINK	0x00800000
#define	PFIL_LENMASK	0x0000ffff
#define	PFIL_LENGTH(f)	((f) & PFIL_LENMASK)

#ifdef _KERNEL
struct mbuf;
struct ifnet;
struct inpcb;

/*
 * Packet argument handed to hooks: either a pointer to an mbuf pointer or a
 * pointer to raw memory.  The transparent-union attribute lets a caller pass
 * either member type directly.  The union does not record which member is
 * valid, so a hook has to learn that from elsewhere before dereferencing.
 */
typedef union {
	struct mbuf	**m;
	void		*mem;
} pfil_packet_t __attribute__((__transparent_union__));

/*
 * Verdict returned by a hook.
 *
 * NOTE(review): the names suggest that after PFIL_DROPPED or PFIL_CONSUMED
 * the caller no longer owns the packet, and that PFIL_REALLOCED means the
 * packet now lives in different storage -- confirm the ownership rules in
 * the implementation before touching the packet after a non-PASS result.
 */
typedef enum {
	PFIL_PASS = 0,
	PFIL_DROPPED,
	PFIL_CONSUMED,
	PFIL_REALLOCED,
} pfil_return_t;

/*
 * Hook function signature.
 * NOTE(review): the int is presumably the flag word and the void * the
 * hook's pa_ruleset -- confirm.
 */
typedef	pfil_return_t	(*pfil_func_t)(pfil_packet_t, struct ifnet *, int,
			    void *, struct inpcb *);
/*
 * A pfil head is created by a packet intercept point.
 *
 * A pfil hook is created by a packet filter.
 *
 * Hooks are chained on heads.  Historically some hooking happens
 * automatically, e.g. ipfw(4), pf(4) and ipfilter(4) would register
 * themselves on IPv4 and IPv6 input/output.
 */

/* Opaque handles; the structures themselves are not defined in this file. */
typedef struct pfil_hook *	pfil_hook_t;
typedef struct pfil_head *	pfil_head_t;

/*
 * Give us a chance to modify pfil_xxx_args structures in future.
 * NOTE(review): each *_args structure starts with pa_version, presumably
 * compared with this value by the callee -- confirm.
 */
#define	PFIL_VERSION	1

/* Argument structure used by packet filters to register themselves. */
struct pfil_hook_args {
	int		 pa_version;
	int		 pa_flags;
	enum pfil_types	 pa_type;
	pfil_func_t	 pa_func;
	void		*pa_ruleset;
	const char	*pa_modname;
	const char	*pa_rulname;
};

/* Public functions for pfil hook management by packet filters. */
pfil_hook_t	pfil_add_hook(struct pfil_hook_args *);
void		pfil_remove_hook(pfil_hook_t);

/*
 * Argument structure used by ioctl() and packet filters to set filters.
 *
 * Two anonymous unions overlay a name with a handle: pa_headname with
 * pa_head, and the (pa_modname, pa_rulname) pair with pa_hook.  The
 * structure has no member of its own that says which interpretation is
 * valid, so a value written as a name and read as a handle would be used as
 * a kernel pointer.
 * NOTE(review): the selector is presumably PFIL_HEADPTR / PFIL_HOOKPTR in
 * pa_flags; confirm that callers building this structure from ioctl input
 * never pass those bits through.
 */
struct pfil_link_args {
	int		pa_version;
	int		pa_flags;
	union {
		const char	*pa_headname;
		pfil_head_t	 pa_head;
	};
	union {
		struct {
			const char	*pa_modname;
			const char	*pa_rulname;
		};
		pfil_hook_t	 pa_hook;
	};
};

/* Public function to configure filter chains.  Used by ioctl() and filters. */
int	pfil_link(struct pfil_link_args *);

/* Argument structure used by inspection points to register themselves. */
struct pfil_head_args {
	int		 pa_version;
	int		 pa_flags;
	enum pfil_types	 pa_type;
	const char	*pa_headname;
};

/* Public functions for pfil head management by inspection points. */
pfil_head_t	pfil_head_register(struct pfil_head_args *);
void		pfil_head_unregister(pfil_head_t);

/* Public functions to run the packet inspection by inspection points. */
int	pfil_run_hooks(struct pfil_head *, pfil_packet_t, struct ifnet *, int,
	    struct inpcb *inp);
/*
 * Minimally exposed structure to avoid function call in case of absence
 * of any filters by protocols and macros to do the check.
 *
 * The macros cast their argument to struct _pfil_head * and read one
 * counter with a plain load.
 * NOTE(review): this is only valid if the full struct pfil_head, defined
 * elsewhere, begins with these two ints in this order -- confirm, ideally
 * with a compile-time assertion next to the real definition.
 */
struct _pfil_head {
	int	head_nhooksin;
	int	head_nhooksout;
};
#define	PFIL_HOOKED_IN(p) (((struct _pfil_head *)(p))->head_nhooksin > 0)
#define	PFIL_HOOKED_OUT(p) (((struct _pfil_head *)(p))->head_nhooksout > 0)

#endif /* _KERNEL */
#endif /* _NET_PFIL_H_ */