1 /*- 2 * Copyright (c) 2002-2009 Luigi Rizzo, Universita` di Pisa 3 * 4 * Redistribution and use in source and binary forms, with or without 5 * modification, are permitted provided that the following conditions 6 * are met: 7 * 1. Redistributions of source code must retain the above copyright 8 * notice, this list of conditions and the following disclaimer. 9 * 2. Redistributions in binary form must reproduce the above copyright 10 * notice, this list of conditions and the following disclaimer in the 11 * documentation and/or other materials provided with the distribution. 12 * 13 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 14 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 15 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 16 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 17 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 18 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 19 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 20 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 21 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 22 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 23 * SUCH DAMAGE. 24 * 25 * $FreeBSD$ 26 */ 27 28 #ifndef _IPFW2_H 29 #define _IPFW2_H 30 31 /* 32 * The default rule number. By the design of ip_fw, the default rule 33 * is the last one, so its number can also serve as the highest number 34 * allowed for a rule. The ip_fw code relies on both meanings of this 35 * constant. 36 */ 37 #define IPFW_DEFAULT_RULE 65535 38 39 #define RESVD_SET 31 /*set for default and persistent rules*/ 40 #define IPFW_MAX_SETS 32 /* Number of sets supported by ipfw*/ 41 42 /* 43 * Default number of ipfw tables. 44 */ 45 #define IPFW_TABLES_MAX 65535 46 #define IPFW_TABLES_DEFAULT 128 47 48 /* 49 * Most commands (queue, pipe, tag, untag, limit...) can have a 16-bit 50 * argument between 1 and 65534. The value 0 (IP_FW_TARG) is used 51 * to represent 'tablearg' value, e.g. indicate the use of a 'tablearg' 52 * result of the most recent table() lookup. 53 * Note that 16bit is only a historical limit, resulting from 54 * the use of a 16-bit fields for that value. In reality, we can have 55 * 2^32 pipes, queues, tag values and so on. 56 */ 57 #define IPFW_ARG_MIN 1 58 #define IPFW_ARG_MAX 65534 59 #define IP_FW_TABLEARG 65535 /* Compat value for old clients */ 60 #define IP_FW_TARG 0 /* Current tablearg value */ 61 62 /* 63 * Number of entries in the call stack of the call/return commands. 64 * Call stack currently is an uint16_t array with rule numbers. 65 */ 66 #define IPFW_CALLSTACK_SIZE 16 67 68 /* IP_FW3 header/opcodes */ 69 typedef struct _ip_fw3_opheader { 70 uint16_t opcode; /* Operation opcode */ 71 uint16_t version; /* Opcode version */ 72 uint16_t reserved[2]; /* Align to 64-bit boundary */ 73 } ip_fw3_opheader; 74 75 /* IP_FW3 opcodes */ 76 #define IP_FW_TABLE_XADD 86 /* add entry */ 77 #define IP_FW_TABLE_XDEL 87 /* delete entry */ 78 #define IP_FW_TABLE_XGETSIZE 88 /* get table size (deprecated) */ 79 #define IP_FW_TABLE_XLIST 89 /* list table contents */ 80 #define IP_FW_TABLE_XDESTROY 90 /* destroy table */ 81 #define IP_FW_TABLES_XLIST 92 /* list all tables */ 82 #define IP_FW_TABLE_XINFO 93 /* request info for one table */ 83 #define IP_FW_TABLE_XFLUSH 94 /* flush table data */ 84 #define IP_FW_TABLE_XCREATE 95 /* create new table */ 85 #define IP_FW_TABLE_XMODIFY 96 /* modify existing table */ 86 #define IP_FW_XGET 97 /* Retrieve configuration */ 87 #define IP_FW_XADD 98 /* add rule */ 88 #define IP_FW_XDEL 99 /* del rule */ 89 #define IP_FW_XMOVE 100 /* move rules to different set */ 90 #define IP_FW_XZERO 101 /* clear accounting */ 91 #define IP_FW_XRESETLOG 102 /* zero rules logs */ 92 #define IP_FW_SET_SWAP 103 /* Swap between 2 sets */ 93 #define IP_FW_SET_MOVE 104 /* Move one set to another one */ 94 #define IP_FW_SET_ENABLE 105 /* Enable/disable sets */ 95 #define IP_FW_TABLE_XFIND 106 /* finds an entry */ 96 #define IP_FW_XIFLIST 107 /* list tracked interfaces */ 97 #define IP_FW_TABLES_ALIST 108 /* list table algorithms */ 98 #define IP_FW_TABLE_XSWAP 109 /* swap two tables */ 99 #define IP_FW_TABLE_VLIST 110 /* dump table value hash */ 100 101 #define IP_FW_NAT44_XCONFIG 111 /* Create/modify NAT44 instance */ 102 #define IP_FW_NAT44_DESTROY 112 /* Destroys NAT44 instance */ 103 #define IP_FW_NAT44_XGETCONFIG 113 /* Get NAT44 instance config */ 104 #define IP_FW_NAT44_LIST_NAT 114 /* List all NAT44 instances */ 105 #define IP_FW_NAT44_XGETLOG 115 /* Get log from NAT44 instance */ 106 107 #define IP_FW_DUMP_SOPTCODES 116 /* Dump available sopts/versions */ 108 109 /* 110 * The kernel representation of ipfw rules is made of a list of 111 * 'instructions' (for all practical purposes equivalent to BPF 112 * instructions), which specify which fields of the packet 113 * (or its metadata) should be analysed. 114 * 115 * Each instruction is stored in a structure which begins with 116 * "ipfw_insn", and can contain extra fields depending on the 117 * instruction type (listed below). 118 * Note that the code is written so that individual instructions 119 * have a size which is a multiple of 32 bits. This means that, if 120 * such structures contain pointers or other 64-bit entities, 121 * (there is just one instance now) they may end up unaligned on 122 * 64-bit architectures, so the must be handled with care. 123 * 124 * "enum ipfw_opcodes" are the opcodes supported. We can have up 125 * to 256 different opcodes. When adding new opcodes, they should 126 * be appended to the end of the opcode list before O_LAST_OPCODE, 127 * this will prevent the ABI from being broken, otherwise users 128 * will have to recompile ipfw(8) when they update the kernel. 129 */ 130 131 enum ipfw_opcodes { /* arguments (4 byte each) */ 132 O_NOP, 133 134 O_IP_SRC, /* u32 = IP */ 135 O_IP_SRC_MASK, /* ip = IP/mask */ 136 O_IP_SRC_ME, /* none */ 137 O_IP_SRC_SET, /* u32=base, arg1=len, bitmap */ 138 139 O_IP_DST, /* u32 = IP */ 140 O_IP_DST_MASK, /* ip = IP/mask */ 141 O_IP_DST_ME, /* none */ 142 O_IP_DST_SET, /* u32=base, arg1=len, bitmap */ 143 144 O_IP_SRCPORT, /* (n)port list:mask 4 byte ea */ 145 O_IP_DSTPORT, /* (n)port list:mask 4 byte ea */ 146 O_PROTO, /* arg1=protocol */ 147 148 O_MACADDR2, /* 2 mac addr:mask */ 149 O_MAC_TYPE, /* same as srcport */ 150 151 O_LAYER2, /* none */ 152 O_IN, /* none */ 153 O_FRAG, /* none */ 154 155 O_RECV, /* none */ 156 O_XMIT, /* none */ 157 O_VIA, /* none */ 158 159 O_IPOPT, /* arg1 = 2*u8 bitmap */ 160 O_IPLEN, /* arg1 = len */ 161 O_IPID, /* arg1 = id */ 162 163 O_IPTOS, /* arg1 = id */ 164 O_IPPRECEDENCE, /* arg1 = precedence << 5 */ 165 O_IPTTL, /* arg1 = TTL */ 166 167 O_IPVER, /* arg1 = version */ 168 O_UID, /* u32 = id */ 169 O_GID, /* u32 = id */ 170 O_ESTAB, /* none (tcp established) */ 171 O_TCPFLAGS, /* arg1 = 2*u8 bitmap */ 172 O_TCPWIN, /* arg1 = desired win */ 173 O_TCPSEQ, /* u32 = desired seq. */ 174 O_TCPACK, /* u32 = desired seq. */ 175 O_ICMPTYPE, /* u32 = icmp bitmap */ 176 O_TCPOPTS, /* arg1 = 2*u8 bitmap */ 177 178 O_VERREVPATH, /* none */ 179 O_VERSRCREACH, /* none */ 180 181 O_PROBE_STATE, /* none */ 182 O_KEEP_STATE, /* none */ 183 O_LIMIT, /* ipfw_insn_limit */ 184 O_LIMIT_PARENT, /* dyn_type, not an opcode. */ 185 186 /* 187 * These are really 'actions'. 188 */ 189 190 O_LOG, /* ipfw_insn_log */ 191 O_PROB, /* u32 = match probability */ 192 193 O_CHECK_STATE, /* none */ 194 O_ACCEPT, /* none */ 195 O_DENY, /* none */ 196 O_REJECT, /* arg1=icmp arg (same as deny) */ 197 O_COUNT, /* none */ 198 O_SKIPTO, /* arg1=next rule number */ 199 O_PIPE, /* arg1=pipe number */ 200 O_QUEUE, /* arg1=queue number */ 201 O_DIVERT, /* arg1=port number */ 202 O_TEE, /* arg1=port number */ 203 O_FORWARD_IP, /* fwd sockaddr */ 204 O_FORWARD_MAC, /* fwd mac */ 205 O_NAT, /* nope */ 206 O_REASS, /* none */ 207 208 /* 209 * More opcodes. 210 */ 211 O_IPSEC, /* has ipsec history */ 212 O_IP_SRC_LOOKUP, /* arg1=table number, u32=value */ 213 O_IP_DST_LOOKUP, /* arg1=table number, u32=value */ 214 O_ANTISPOOF, /* none */ 215 O_JAIL, /* u32 = id */ 216 O_ALTQ, /* u32 = altq classif. qid */ 217 O_DIVERTED, /* arg1=bitmap (1:loop, 2:out) */ 218 O_TCPDATALEN, /* arg1 = tcp data len */ 219 O_IP6_SRC, /* address without mask */ 220 O_IP6_SRC_ME, /* my addresses */ 221 O_IP6_SRC_MASK, /* address with the mask */ 222 O_IP6_DST, 223 O_IP6_DST_ME, 224 O_IP6_DST_MASK, 225 O_FLOW6ID, /* for flow id tag in the ipv6 pkt */ 226 O_ICMP6TYPE, /* icmp6 packet type filtering */ 227 O_EXT_HDR, /* filtering for ipv6 extension header */ 228 O_IP6, 229 230 /* 231 * actions for ng_ipfw 232 */ 233 O_NETGRAPH, /* send to ng_ipfw */ 234 O_NGTEE, /* copy to ng_ipfw */ 235 236 O_IP4, 237 238 O_UNREACH6, /* arg1=icmpv6 code arg (deny) */ 239 240 O_TAG, /* arg1=tag number */ 241 O_TAGGED, /* arg1=tag number */ 242 243 O_SETFIB, /* arg1=FIB number */ 244 O_FIB, /* arg1=FIB desired fib number */ 245 246 O_SOCKARG, /* socket argument */ 247 248 O_CALLRETURN, /* arg1=called rule number */ 249 250 O_FORWARD_IP6, /* fwd sockaddr_in6 */ 251 252 O_DSCP, /* 2 u32 = DSCP mask */ 253 O_SETDSCP, /* arg1=DSCP value */ 254 O_IP_FLOW_LOOKUP, /* arg1=table number, u32=value */ 255 256 O_LAST_OPCODE /* not an opcode! */ 257 }; 258 259 260 /* 261 * The extension header are filtered only for presence using a bit 262 * vector with a flag for each header. 263 */ 264 #define EXT_FRAGMENT 0x1 265 #define EXT_HOPOPTS 0x2 266 #define EXT_ROUTING 0x4 267 #define EXT_AH 0x8 268 #define EXT_ESP 0x10 269 #define EXT_DSTOPTS 0x20 270 #define EXT_RTHDR0 0x40 271 #define EXT_RTHDR2 0x80 272 273 /* 274 * Template for instructions. 275 * 276 * ipfw_insn is used for all instructions which require no operands, 277 * a single 16-bit value (arg1), or a couple of 8-bit values. 278 * 279 * For other instructions which require different/larger arguments 280 * we have derived structures, ipfw_insn_*. 281 * 282 * The size of the instruction (in 32-bit words) is in the low 283 * 6 bits of "len". The 2 remaining bits are used to implement 284 * NOT and OR on individual instructions. Given a type, you can 285 * compute the length to be put in "len" using F_INSN_SIZE(t) 286 * 287 * F_NOT negates the match result of the instruction. 288 * 289 * F_OR is used to build or blocks. By default, instructions 290 * are evaluated as part of a logical AND. An "or" block 291 * { X or Y or Z } contains F_OR set in all but the last 292 * instruction of the block. A match will cause the code 293 * to skip past the last instruction of the block. 294 * 295 * NOTA BENE: in a couple of places we assume that 296 * sizeof(ipfw_insn) == sizeof(u_int32_t) 297 * this needs to be fixed. 298 * 299 */ 300 typedef struct _ipfw_insn { /* template for instructions */ 301 u_int8_t opcode; 302 u_int8_t len; /* number of 32-bit words */ 303 #define F_NOT 0x80 304 #define F_OR 0x40 305 #define F_LEN_MASK 0x3f 306 #define F_LEN(cmd) ((cmd)->len & F_LEN_MASK) 307 308 u_int16_t arg1; 309 } ipfw_insn; 310 311 /* 312 * The F_INSN_SIZE(type) computes the size, in 4-byte words, of 313 * a given type. 314 */ 315 #define F_INSN_SIZE(t) ((sizeof (t))/sizeof(u_int32_t)) 316 317 /* 318 * This is used to store an array of 16-bit entries (ports etc.) 319 */ 320 typedef struct _ipfw_insn_u16 { 321 ipfw_insn o; 322 u_int16_t ports[2]; /* there may be more */ 323 } ipfw_insn_u16; 324 325 /* 326 * This is used to store an array of 32-bit entries 327 * (uid, single IPv4 addresses etc.) 328 */ 329 typedef struct _ipfw_insn_u32 { 330 ipfw_insn o; 331 u_int32_t d[1]; /* one or more */ 332 } ipfw_insn_u32; 333 334 /* 335 * This is used to store IP addr-mask pairs. 336 */ 337 typedef struct _ipfw_insn_ip { 338 ipfw_insn o; 339 struct in_addr addr; 340 struct in_addr mask; 341 } ipfw_insn_ip; 342 343 /* 344 * This is used to forward to a given address (ip). 345 */ 346 typedef struct _ipfw_insn_sa { 347 ipfw_insn o; 348 struct sockaddr_in sa; 349 } ipfw_insn_sa; 350 351 /* 352 * This is used to forward to a given address (ipv6). 353 */ 354 typedef struct _ipfw_insn_sa6 { 355 ipfw_insn o; 356 struct sockaddr_in6 sa; 357 } ipfw_insn_sa6; 358 359 /* 360 * This is used for MAC addr-mask pairs. 361 */ 362 typedef struct _ipfw_insn_mac { 363 ipfw_insn o; 364 u_char addr[12]; /* dst[6] + src[6] */ 365 u_char mask[12]; /* dst[6] + src[6] */ 366 } ipfw_insn_mac; 367 368 /* 369 * This is used for interface match rules (recv xx, xmit xx). 370 */ 371 typedef struct _ipfw_insn_if { 372 ipfw_insn o; 373 union { 374 struct in_addr ip; 375 int glob; 376 uint16_t kidx; 377 } p; 378 char name[IFNAMSIZ]; 379 } ipfw_insn_if; 380 381 /* 382 * This is used for storing an altq queue id number. 383 */ 384 typedef struct _ipfw_insn_altq { 385 ipfw_insn o; 386 u_int32_t qid; 387 } ipfw_insn_altq; 388 389 /* 390 * This is used for limit rules. 391 */ 392 typedef struct _ipfw_insn_limit { 393 ipfw_insn o; 394 u_int8_t _pad; 395 u_int8_t limit_mask; /* combination of DYN_* below */ 396 #define DYN_SRC_ADDR 0x1 397 #define DYN_SRC_PORT 0x2 398 #define DYN_DST_ADDR 0x4 399 #define DYN_DST_PORT 0x8 400 401 u_int16_t conn_limit; 402 } ipfw_insn_limit; 403 404 /* 405 * This is used for log instructions. 406 */ 407 typedef struct _ipfw_insn_log { 408 ipfw_insn o; 409 u_int32_t max_log; /* how many do we log -- 0 = all */ 410 u_int32_t log_left; /* how many left to log */ 411 } ipfw_insn_log; 412 413 /* Legacy NAT structures, compat only */ 414 #ifndef _KERNEL 415 /* 416 * Data structures required by both ipfw(8) and ipfw(4) but not part of the 417 * management API are protected by IPFW_INTERNAL. 418 */ 419 #ifdef IPFW_INTERNAL 420 /* Server pool support (LSNAT). */ 421 struct cfg_spool { 422 LIST_ENTRY(cfg_spool) _next; /* chain of spool instances */ 423 struct in_addr addr; 424 u_short port; 425 }; 426 #endif 427 428 /* Redirect modes id. */ 429 #define REDIR_ADDR 0x01 430 #define REDIR_PORT 0x02 431 #define REDIR_PROTO 0x04 432 433 #ifdef IPFW_INTERNAL 434 /* Nat redirect configuration. */ 435 struct cfg_redir { 436 LIST_ENTRY(cfg_redir) _next; /* chain of redir instances */ 437 u_int16_t mode; /* type of redirect mode */ 438 struct in_addr laddr; /* local ip address */ 439 struct in_addr paddr; /* public ip address */ 440 struct in_addr raddr; /* remote ip address */ 441 u_short lport; /* local port */ 442 u_short pport; /* public port */ 443 u_short rport; /* remote port */ 444 u_short pport_cnt; /* number of public ports */ 445 u_short rport_cnt; /* number of remote ports */ 446 int proto; /* protocol: tcp/udp */ 447 struct alias_link **alink; 448 /* num of entry in spool chain */ 449 u_int16_t spool_cnt; 450 /* chain of spool instances */ 451 LIST_HEAD(spool_chain, cfg_spool) spool_chain; 452 }; 453 #endif 454 455 #ifdef IPFW_INTERNAL 456 /* Nat configuration data struct. */ 457 struct cfg_nat { 458 /* chain of nat instances */ 459 LIST_ENTRY(cfg_nat) _next; 460 int id; /* nat id */ 461 struct in_addr ip; /* nat ip address */ 462 char if_name[IF_NAMESIZE]; /* interface name */ 463 int mode; /* aliasing mode */ 464 struct libalias *lib; /* libalias instance */ 465 /* number of entry in spool chain */ 466 int redir_cnt; 467 /* chain of redir instances */ 468 LIST_HEAD(redir_chain, cfg_redir) redir_chain; 469 }; 470 #endif 471 472 #define SOF_NAT sizeof(struct cfg_nat) 473 #define SOF_REDIR sizeof(struct cfg_redir) 474 #define SOF_SPOOL sizeof(struct cfg_spool) 475 476 #endif /* ifndef _KERNEL */ 477 478 479 struct nat44_cfg_spool { 480 struct in_addr addr; 481 uint16_t port; 482 uint16_t spare; 483 }; 484 #define NAT44_REDIR_ADDR 0x01 485 #define NAT44_REDIR_PORT 0x02 486 #define NAT44_REDIR_PROTO 0x04 487 488 /* Nat redirect configuration. */ 489 struct nat44_cfg_redir { 490 struct in_addr laddr; /* local ip address */ 491 struct in_addr paddr; /* public ip address */ 492 struct in_addr raddr; /* remote ip address */ 493 uint16_t lport; /* local port */ 494 uint16_t pport; /* public port */ 495 uint16_t rport; /* remote port */ 496 uint16_t pport_cnt; /* number of public ports */ 497 uint16_t rport_cnt; /* number of remote ports */ 498 uint16_t mode; /* type of redirect mode */ 499 uint16_t spool_cnt; /* num of entry in spool chain */ 500 uint16_t spare; 501 uint32_t proto; /* protocol: tcp/udp */ 502 }; 503 504 /* Nat configuration data struct. */ 505 struct nat44_cfg_nat { 506 char name[64]; /* nat name */ 507 char if_name[64]; /* interface name */ 508 uint32_t size; /* structure size incl. redirs */ 509 struct in_addr ip; /* nat IPv4 address */ 510 uint32_t mode; /* aliasing mode */ 511 uint32_t redir_cnt; /* number of entry in spool chain */ 512 }; 513 514 /* Nat command. */ 515 typedef struct _ipfw_insn_nat { 516 ipfw_insn o; 517 struct cfg_nat *nat; 518 } ipfw_insn_nat; 519 520 /* Apply ipv6 mask on ipv6 addr */ 521 #define APPLY_MASK(addr,mask) \ 522 (addr)->__u6_addr.__u6_addr32[0] &= (mask)->__u6_addr.__u6_addr32[0]; \ 523 (addr)->__u6_addr.__u6_addr32[1] &= (mask)->__u6_addr.__u6_addr32[1]; \ 524 (addr)->__u6_addr.__u6_addr32[2] &= (mask)->__u6_addr.__u6_addr32[2]; \ 525 (addr)->__u6_addr.__u6_addr32[3] &= (mask)->__u6_addr.__u6_addr32[3]; 526 527 /* Structure for ipv6 */ 528 typedef struct _ipfw_insn_ip6 { 529 ipfw_insn o; 530 struct in6_addr addr6; 531 struct in6_addr mask6; 532 } ipfw_insn_ip6; 533 534 /* Used to support icmp6 types */ 535 typedef struct _ipfw_insn_icmp6 { 536 ipfw_insn o; 537 uint32_t d[7]; /* XXX This number si related to the netinet/icmp6.h 538 * define ICMP6_MAXTYPE 539 * as follows: n = ICMP6_MAXTYPE/32 + 1 540 * Actually is 203 541 */ 542 } ipfw_insn_icmp6; 543 544 /* 545 * Here we have the structure representing an ipfw rule. 546 * 547 * Layout: 548 * struct ip_fw_rule 549 * [ counter block, size = rule->cntr_len ] 550 * [ one or more instructions, size = rule->cmd_len * 4 ] 551 * 552 * It starts with a general area (with link fields). 553 * Counter block may be next (if rule->cntr_len > 0), 554 * followed by an array of one or more instructions, which the code 555 * accesses as an array of 32-bit values. rule->cmd_len represents 556 * the total instructions legth in u32 worrd, while act_ofs represents 557 * rule action offset in u32 words. 558 * 559 * When assembling instruction, remember the following: 560 * 561 * + if a rule has a "keep-state" (or "limit") option, then the 562 * first instruction (at r->cmd) MUST BE an O_PROBE_STATE 563 * + if a rule has a "log" option, then the first action 564 * (at ACTION_PTR(r)) MUST be O_LOG 565 * + if a rule has an "altq" option, it comes after "log" 566 * + if a rule has an O_TAG option, it comes after "log" and "altq" 567 * 568 * 569 * All structures (excluding instructions) are u64-aligned. 570 * Please keep this. 571 */ 572 573 struct ip_fw_rule { 574 uint16_t act_ofs; /* offset of action in 32-bit units */ 575 uint16_t cmd_len; /* # of 32-bit words in cmd */ 576 uint16_t spare; 577 uint8_t set; /* rule set (0..31) */ 578 uint8_t flags; /* rule flags */ 579 uint32_t rulenum; /* rule number */ 580 uint32_t id; /* rule id */ 581 582 ipfw_insn cmd[1]; /* storage for commands */ 583 }; 584 #define IPFW_RULE_NOOPT 0x01 /* Has no options in body */ 585 586 /* Unaligned version */ 587 588 /* Base ipfw rule counter block. */ 589 struct ip_fw_bcounter { 590 uint16_t size; /* Size of counter block, bytes */ 591 uint8_t flags; /* flags for given block */ 592 uint8_t spare; 593 uint32_t timestamp; /* tv_sec of last match */ 594 uint64_t pcnt; /* Packet counter */ 595 uint64_t bcnt; /* Byte counter */ 596 }; 597 598 599 #ifndef _KERNEL 600 /* 601 * Legacy rule format 602 */ 603 struct ip_fw { 604 struct ip_fw *x_next; /* linked list of rules */ 605 struct ip_fw *next_rule; /* ptr to next [skipto] rule */ 606 /* 'next_rule' is used to pass up 'set_disable' status */ 607 608 uint16_t act_ofs; /* offset of action in 32-bit units */ 609 uint16_t cmd_len; /* # of 32-bit words in cmd */ 610 uint16_t rulenum; /* rule number */ 611 uint8_t set; /* rule set (0..31) */ 612 uint8_t _pad; /* padding */ 613 uint32_t id; /* rule id */ 614 615 /* These fields are present in all rules. */ 616 uint64_t pcnt; /* Packet counter */ 617 uint64_t bcnt; /* Byte counter */ 618 uint32_t timestamp; /* tv_sec of last match */ 619 620 ipfw_insn cmd[1]; /* storage for commands */ 621 }; 622 #endif 623 624 #define ACTION_PTR(rule) \ 625 (ipfw_insn *)( (u_int32_t *)((rule)->cmd) + ((rule)->act_ofs) ) 626 627 #define RULESIZE(rule) (sizeof(*(rule)) + (rule)->cmd_len * 4 - 4) 628 629 630 #if 1 // should be moved to in.h 631 /* 632 * This structure is used as a flow mask and a flow id for various 633 * parts of the code. 634 * addr_type is used in userland and kernel to mark the address type. 635 * fib is used in the kernel to record the fib in use. 636 * _flags is used in the kernel to store tcp flags for dynamic rules. 637 */ 638 struct ipfw_flow_id { 639 uint32_t dst_ip; 640 uint32_t src_ip; 641 uint16_t dst_port; 642 uint16_t src_port; 643 uint8_t fib; 644 uint8_t proto; 645 uint8_t _flags; /* protocol-specific flags */ 646 uint8_t addr_type; /* 4=ip4, 6=ip6, 1=ether ? */ 647 struct in6_addr dst_ip6; 648 struct in6_addr src_ip6; 649 uint32_t flow_id6; 650 uint32_t extra; /* queue/pipe or frag_id */ 651 }; 652 #endif 653 654 #define IS_IP6_FLOW_ID(id) ((id)->addr_type == 6) 655 656 /* 657 * Dynamic ipfw rule. 658 */ 659 typedef struct _ipfw_dyn_rule ipfw_dyn_rule; 660 661 struct _ipfw_dyn_rule { 662 ipfw_dyn_rule *next; /* linked list of rules. */ 663 struct ip_fw *rule; /* pointer to rule */ 664 /* 'rule' is used to pass up the rule number (from the parent) */ 665 666 ipfw_dyn_rule *parent; /* pointer to parent rule */ 667 u_int64_t pcnt; /* packet match counter */ 668 u_int64_t bcnt; /* byte match counter */ 669 struct ipfw_flow_id id; /* (masked) flow id */ 670 u_int32_t expire; /* expire time */ 671 u_int32_t bucket; /* which bucket in hash table */ 672 u_int32_t state; /* state of this rule (typically a 673 * combination of TCP flags) 674 */ 675 u_int32_t ack_fwd; /* most recent ACKs in forward */ 676 u_int32_t ack_rev; /* and reverse directions (used */ 677 /* to generate keepalives) */ 678 u_int16_t dyn_type; /* rule type */ 679 u_int16_t count; /* refcount */ 680 }; 681 682 /* 683 * Definitions for IP option names. 684 */ 685 #define IP_FW_IPOPT_LSRR 0x01 686 #define IP_FW_IPOPT_SSRR 0x02 687 #define IP_FW_IPOPT_RR 0x04 688 #define IP_FW_IPOPT_TS 0x08 689 690 /* 691 * Definitions for TCP option names. 692 */ 693 #define IP_FW_TCPOPT_MSS 0x01 694 #define IP_FW_TCPOPT_WINDOW 0x02 695 #define IP_FW_TCPOPT_SACK 0x04 696 #define IP_FW_TCPOPT_TS 0x08 697 #define IP_FW_TCPOPT_CC 0x10 698 699 #define ICMP_REJECT_RST 0x100 /* fake ICMP code (send a TCP RST) */ 700 #define ICMP6_UNREACH_RST 0x100 /* fake ICMPv6 code (send a TCP RST) */ 701 702 /* 703 * These are used for lookup tables. 704 */ 705 706 #define IPFW_TABLE_ADDR 1 /* Table for holding IPv4/IPv6 prefixes */ 707 #define IPFW_TABLE_INTERFACE 2 /* Table for holding interface names */ 708 #define IPFW_TABLE_NUMBER 3 /* Table for holding ports/uid/gid/etc */ 709 #define IPFW_TABLE_FLOW 4 /* Table for holding flow data */ 710 #define IPFW_TABLE_MAXTYPE 4 /* Maximum valid number */ 711 712 #define IPFW_TABLE_CIDR IPFW_TABLE_ADDR /* compat */ 713 714 /* Value types */ 715 #define IPFW_VTYPE_LEGACY 0xFFFFFFFF /* All data is filled in */ 716 #define IPFW_VTYPE_SKIPTO 0x00000001 /* skipto/call/callreturn */ 717 #define IPFW_VTYPE_PIPE 0x00000002 /* pipe/queue */ 718 #define IPFW_VTYPE_FIB 0x00000004 /* setfib */ 719 #define IPFW_VTYPE_NAT 0x00000008 /* nat */ 720 #define IPFW_VTYPE_DSCP 0x00000010 /* dscp */ 721 #define IPFW_VTYPE_TAG 0x00000020 /* tag/untag */ 722 #define IPFW_VTYPE_DIVERT 0x00000040 /* divert/tee */ 723 #define IPFW_VTYPE_NETGRAPH 0x00000080 /* netgraph/ngtee */ 724 #define IPFW_VTYPE_LIMIT 0x00000100 /* IPv6 nexthop */ 725 #define IPFW_VTYPE_NH4 0x00000200 /* IPv4 nexthop */ 726 #define IPFW_VTYPE_NH6 0x00000400 /* IPv6 nexthop */ 727 728 typedef struct _ipfw_table_entry { 729 in_addr_t addr; /* network address */ 730 u_int32_t value; /* value */ 731 u_int16_t tbl; /* table number */ 732 u_int8_t masklen; /* mask length */ 733 } ipfw_table_entry; 734 735 typedef struct _ipfw_table_xentry { 736 uint16_t len; /* Total entry length */ 737 uint8_t type; /* entry type */ 738 uint8_t masklen; /* mask length */ 739 uint16_t tbl; /* table number */ 740 uint16_t flags; /* record flags */ 741 uint32_t value; /* value */ 742 union { 743 /* Longest field needs to be aligned by 4-byte boundary */ 744 struct in6_addr addr6; /* IPv6 address */ 745 char iface[IF_NAMESIZE]; /* interface name */ 746 } k; 747 } ipfw_table_xentry; 748 #define IPFW_TCF_INET 0x01 /* CIDR flags: IPv4 record */ 749 750 typedef struct _ipfw_table { 751 u_int32_t size; /* size of entries in bytes */ 752 u_int32_t cnt; /* # of entries */ 753 u_int16_t tbl; /* table number */ 754 ipfw_table_entry ent[0]; /* entries */ 755 } ipfw_table; 756 757 typedef struct _ipfw_xtable { 758 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 759 uint32_t size; /* size of entries in bytes */ 760 uint32_t cnt; /* # of entries */ 761 uint16_t tbl; /* table number */ 762 uint8_t type; /* table type */ 763 ipfw_table_xentry xent[0]; /* entries */ 764 } ipfw_xtable; 765 766 typedef struct _ipfw_obj_tlv { 767 uint16_t type; /* TLV type */ 768 uint16_t flags; /* TLV-specific flags */ 769 uint32_t length; /* Total length, aligned to u64 */ 770 } ipfw_obj_tlv; 771 #define IPFW_TLV_TBL_NAME 1 772 #define IPFW_TLV_TBLNAME_LIST 2 773 #define IPFW_TLV_RULE_LIST 3 774 #define IPFW_TLV_DYNSTATE_LIST 4 775 #define IPFW_TLV_TBL_ENT 5 776 #define IPFW_TLV_DYN_ENT 6 777 #define IPFW_TLV_RULE_ENT 7 778 #define IPFW_TLV_TBLENT_LIST 8 779 #define IPFW_TLV_RANGE 9 780 781 /* Object name TLV */ 782 typedef struct _ipfw_obj_ntlv { 783 ipfw_obj_tlv head; /* TLV header */ 784 uint16_t idx; /* Name index */ 785 uint8_t spare; /* unused */ 786 uint8_t type; /* object type, if applicable */ 787 uint32_t set; /* set, if applicable */ 788 char name[64]; /* Null-terminated name */ 789 } ipfw_obj_ntlv; 790 791 /* IPv4/IPv6 L4 flow description */ 792 struct tflow_entry { 793 uint8_t af; 794 uint8_t proto; 795 uint16_t spare; 796 uint16_t sport; 797 uint16_t dport; 798 union { 799 struct { 800 struct in_addr sip; 801 struct in_addr dip; 802 } a4; 803 struct { 804 struct in6_addr sip6; 805 struct in6_addr dip6; 806 } a6; 807 } a; 808 }; 809 810 typedef struct _ipfw_table_value { 811 uint32_t tag; /* O_TAG/O_TAGGED */ 812 uint32_t pipe; /* O_PIPE/O_QUEUE */ 813 uint16_t divert; /* O_DIVERT/O_TEE */ 814 uint16_t skipto; /* skipto, CALLRET */ 815 uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */ 816 uint32_t fib; /* O_SETFIB */ 817 uint32_t nat; /* O_NAT */ 818 uint32_t nh4; 819 uint8_t dscp; 820 uint8_t spare0[3]; 821 struct in6_addr nh6; 822 uint32_t limit; /* O_LIMIT */ 823 uint32_t spare1; 824 uint64_t reserved; 825 } ipfw_table_value; 826 827 /* Table entry TLV */ 828 typedef struct _ipfw_obj_tentry { 829 ipfw_obj_tlv head; /* TLV header */ 830 uint8_t subtype; /* subtype (IPv4,IPv6) */ 831 uint8_t masklen; /* mask length */ 832 uint8_t result; /* request result */ 833 uint8_t spare0; 834 uint16_t idx; /* Table name index */ 835 uint16_t spare1; 836 union { 837 /* Longest field needs to be aligned by 8-byte boundary */ 838 struct in_addr addr; /* IPv4 address */ 839 uint32_t key; /* uid/gid/port */ 840 struct in6_addr addr6; /* IPv6 address */ 841 char iface[IF_NAMESIZE]; /* interface name */ 842 struct tflow_entry flow; 843 } k; 844 union { 845 ipfw_table_value value; /* value data */ 846 uint32_t kidx; /* value kernel index */ 847 } v; 848 } ipfw_obj_tentry; 849 #define IPFW_TF_UPDATE 0x01 /* Update record if exists */ 850 /* Container TLV */ 851 #define IPFW_CTF_ATOMIC 0x01 /* Perform atomic operation */ 852 /* Operation results */ 853 #define IPFW_TR_IGNORED 0 /* Entry was ignored (rollback) */ 854 #define IPFW_TR_ADDED 1 /* Entry was succesfully added */ 855 #define IPFW_TR_UPDATED 2 /* Entry was succesfully updated*/ 856 #define IPFW_TR_DELETED 3 /* Entry was succesfully deleted*/ 857 #define IPFW_TR_LIMIT 4 /* Entry was ignored (limit) */ 858 #define IPFW_TR_NOTFOUND 5 /* Entry was not found */ 859 #define IPFW_TR_EXISTS 6 /* Entry already exists */ 860 #define IPFW_TR_ERROR 7 /* Request has failed (unknown) */ 861 862 typedef struct _ipfw_obj_dyntlv { 863 ipfw_obj_tlv head; 864 ipfw_dyn_rule state; 865 } ipfw_obj_dyntlv; 866 #define IPFW_DF_LAST 0x01 /* Last state in chain */ 867 868 /* Containter TLVs */ 869 typedef struct _ipfw_obj_ctlv { 870 ipfw_obj_tlv head; /* TLV header */ 871 uint32_t count; /* Number of sub-TLVs */ 872 uint16_t objsize; /* Single object size */ 873 uint8_t version; /* TLV version */ 874 uint8_t flags; /* TLV-specific flags */ 875 } ipfw_obj_ctlv; 876 877 /* Range TLV */ 878 typedef struct _ipfw_range_tlv { 879 ipfw_obj_tlv head; /* TLV header */ 880 uint32_t flags; /* Range flags */ 881 uint16_t start_rule; /* Range start */ 882 uint16_t end_rule; /* Range end */ 883 uint32_t set; /* Range set to match */ 884 uint32_t new_set; /* New set to move/swap to */ 885 } ipfw_range_tlv; 886 #define IPFW_RCFLAG_RANGE 0x01 /* rule range is set */ 887 #define IPFW_RCFLAG_ALL 0x02 /* match ALL rules */ 888 #define IPFW_RCFLAG_SET 0x04 /* match rules in given set */ 889 /* User-settable flags */ 890 #define IPFW_RCFLAG_USER (IPFW_RCFLAG_RANGE | IPFW_RCFLAG_ALL | \ 891 IPFW_RCFLAG_SET) 892 /* Internally used flags */ 893 #define IPFW_RCFLAG_DEFAULT 0x0100 /* Do not skip defaul rule */ 894 895 typedef struct _ipfw_ta_tinfo { 896 uint32_t flags; /* Format flags */ 897 uint32_t spare; 898 uint8_t taclass4; /* algorithm class */ 899 uint8_t spare4; 900 uint16_t itemsize4; /* item size in runtime */ 901 uint32_t size4; /* runtime structure size */ 902 uint32_t count4; /* number of items in runtime */ 903 uint8_t taclass6; /* algorithm class */ 904 uint8_t spare6; 905 uint16_t itemsize6; /* item size in runtime */ 906 uint32_t size6; /* runtime structure size */ 907 uint32_t count6; /* number of items in runtime */ 908 } ipfw_ta_tinfo; 909 #define IPFW_TACLASS_HASH 1 /* algo is based on hash */ 910 #define IPFW_TACLASS_ARRAY 2 /* algo is based on array */ 911 #define IPFW_TACLASS_RADIX 3 /* algo is based on radix tree */ 912 913 #define IPFW_TATFLAGS_DATA 0x0001 /* Has data filled in */ 914 #define IPFW_TATFLAGS_AFDATA 0x0002 /* Separate data per AF */ 915 #define IPFW_TATFLAGS_AFITEM 0x0004 /* diff. items per AF */ 916 917 typedef struct _ipfw_xtable_info { 918 uint8_t type; /* table type (addr,iface,..) */ 919 uint8_t tflags; /* type flags */ 920 uint16_t mflags; /* modification flags */ 921 uint16_t flags; /* generic table flags */ 922 uint16_t spare[3]; 923 uint32_t vmask; /* bitmask with value types */ 924 uint32_t set; /* set table is in */ 925 uint32_t kidx; /* kernel index */ 926 uint32_t refcnt; /* number of references */ 927 uint32_t count; /* Number of records */ 928 uint32_t size; /* Total size of records(export)*/ 929 uint32_t limit; /* Max number of records */ 930 char tablename[64]; /* table name */ 931 char algoname[64]; /* algorithm name */ 932 ipfw_ta_tinfo ta_info; /* additional algo stats */ 933 } ipfw_xtable_info; 934 /* Generic table flags */ 935 #define IPFW_TGFLAGS_LOCKED 0x01 /* Tables is locked from changes*/ 936 /* Table type-specific flags */ 937 #define IPFW_TFFLAG_SRCIP 0x01 938 #define IPFW_TFFLAG_DSTIP 0x02 939 #define IPFW_TFFLAG_SRCPORT 0x04 940 #define IPFW_TFFLAG_DSTPORT 0x08 941 #define IPFW_TFFLAG_PROTO 0x10 942 /* Table modification flags */ 943 #define IPFW_TMFLAGS_LIMIT 0x0002 /* Change limit value */ 944 #define IPFW_TMFLAGS_LOCK 0x0004 /* Change table lock state */ 945 946 typedef struct _ipfw_iface_info { 947 char ifname[64]; /* interface name */ 948 uint32_t ifindex; /* interface index */ 949 uint32_t flags; /* flags */ 950 uint32_t refcnt; /* number of references */ 951 uint32_t gencnt; /* number of changes */ 952 uint64_t spare; 953 } ipfw_iface_info; 954 #define IPFW_IFFLAG_RESOLVED 0x01 /* Interface exists */ 955 956 typedef struct _ipfw_ta_info { 957 char algoname[64]; /* algorithm name */ 958 uint32_t type; /* lookup type */ 959 uint32_t flags; 960 uint32_t refcnt; 961 uint32_t spare0; 962 uint64_t spare1; 963 } ipfw_ta_info; 964 965 #define IPFW_OBJTYPE_TABLE 1 966 typedef struct _ipfw_obj_header { 967 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 968 uint32_t spare; 969 uint16_t idx; /* object name index */ 970 uint8_t objtype; /* object type */ 971 uint8_t objsubtype; /* object subtype */ 972 ipfw_obj_ntlv ntlv; /* object name tlv */ 973 } ipfw_obj_header; 974 975 typedef struct _ipfw_obj_lheader { 976 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 977 uint32_t set_mask; /* disabled set mask */ 978 uint32_t count; /* Total objects count */ 979 uint32_t size; /* Total size (incl. header) */ 980 uint32_t objsize; /* Size of one object */ 981 } ipfw_obj_lheader; 982 983 #define IPFW_CFG_GET_STATIC 0x01 984 #define IPFW_CFG_GET_STATES 0x02 985 #define IPFW_CFG_GET_COUNTERS 0x04 986 typedef struct _ipfw_cfg_lheader { 987 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 988 uint32_t set_mask; /* enabled set mask */ 989 uint32_t spare; 990 uint32_t flags; /* Request flags */ 991 uint32_t size; /* neded buffer size */ 992 uint32_t start_rule; 993 uint32_t end_rule; 994 } ipfw_cfg_lheader; 995 996 typedef struct _ipfw_range_header { 997 ip_fw3_opheader opheader; /* IP_FW3 opcode */ 998 ipfw_range_tlv range; 999 } ipfw_range_header; 1000 1001 typedef struct _ipfw_sopt_info { 1002 uint16_t opcode; 1003 uint8_t version; 1004 uint8_t dir; 1005 uint8_t spare; 1006 uint64_t refcnt; 1007 } ipfw_sopt_info; 1008 1009 #endif /* _IPFW2_H */ 1010