xref: /freebsd/sys/netpfil/pf/pf.h (revision fcb560670601b2a4d87bb31d7531c8dcc37ee71b)
1 /*
2  * Copyright (c) 2001 Daniel Hartmeier
3  * All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  *
9  *    - Redistributions of source code must retain the above copyright
10  *      notice, this list of conditions and the following disclaimer.
11  *    - Redistributions in binary form must reproduce the above
12  *      copyright notice, this list of conditions and the following
13  *      disclaimer in the documentation and/or other materials provided
14  *      with the distribution.
15  *
16  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27  * POSSIBILITY OF SUCH DAMAGE.
28  *
29  *	$OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $
30  *	$FreeBSD$
31  */
32 
33 #ifndef	_NET_PF_H_
34 #define	_NET_PF_H_
35 
36 #define	PF_TCPS_PROXY_SRC	((TCP_NSTATES)+0)
37 #define	PF_TCPS_PROXY_DST	((TCP_NSTATES)+1)
38 
39 #define	PF_MD5_DIGEST_LENGTH	16
40 #ifdef MD5_DIGEST_LENGTH
41 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH
42 #error
43 #endif
44 #endif
45 
46 enum	{ PF_INOUT, PF_IN, PF_OUT };
47 enum	{ PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT,
48 	  PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER };
49 enum	{ PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT,
50 	  PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX };
51 enum	{ PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT,
52 	  PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG };
53 enum	{ PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY };
54 enum	{ PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL,
55 	  PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER,
56 	  PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET };
57 enum	{ PF_GET_NONE, PF_GET_CLR_CNTR };
58 enum	{ PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH };
59 
60 /*
61  * Note about PFTM_*: real indices into pf_rule.timeout[] come before
62  * PFTM_MAX, special cases afterwards. See pf_state_expires().
63  */
64 enum	{ PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED,
65 	  PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED,
66 	  PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE,
67 	  PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY,
68 	  PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE,
69 	  PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL,
70 	  PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE,
71 	  PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED };
72 
73 /* PFTM default values */
74 #define PFTM_TCP_FIRST_PACKET_VAL	120	/* First TCP packet */
75 #define PFTM_TCP_OPENING_VAL		30	/* No response yet */
76 #define PFTM_TCP_ESTABLISHED_VAL	24*60*60/* Established */
77 #define PFTM_TCP_CLOSING_VAL		15 * 60	/* Half closed */
78 #define PFTM_TCP_FIN_WAIT_VAL		45	/* Got both FINs */
79 #define PFTM_TCP_CLOSED_VAL		90	/* Got a RST */
80 #define PFTM_UDP_FIRST_PACKET_VAL	60	/* First UDP packet */
81 #define PFTM_UDP_SINGLE_VAL		30	/* Unidirectional */
82 #define PFTM_UDP_MULTIPLE_VAL		60	/* Bidirectional */
83 #define PFTM_ICMP_FIRST_PACKET_VAL	20	/* First ICMP packet */
84 #define PFTM_ICMP_ERROR_REPLY_VAL	10	/* Got error response */
85 #define PFTM_OTHER_FIRST_PACKET_VAL	60	/* First packet */
86 #define PFTM_OTHER_SINGLE_VAL		30	/* Unidirectional */
87 #define PFTM_OTHER_MULTIPLE_VAL		60	/* Bidirectional */
88 #define PFTM_FRAG_VAL			30	/* Fragment expire */
89 #define PFTM_INTERVAL_VAL		10	/* Expire interval */
90 #define PFTM_SRC_NODE_VAL		0	/* Source tracking */
91 #define PFTM_TS_DIFF_VAL		30	/* Allowed TS diff */
92 
93 enum	{ PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO };
94 enum	{ PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS,
95 	  PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX };
96 #define PF_POOL_IDMASK		0x0f
97 enum	{ PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM,
98 	  PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN };
99 enum	{ PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL,
100 	  PF_ADDR_TABLE, PF_ADDR_URPFFAILED,
101 	  PF_ADDR_RANGE };
102 #define PF_POOL_TYPEMASK	0x0f
103 #define PF_POOL_STICKYADDR	0x20
104 #define	PF_WSCALE_FLAG		0x80
105 #define	PF_WSCALE_MASK		0x0f
106 
107 #define	PF_LOG			0x01
108 #define	PF_LOG_ALL		0x02
109 #define	PF_LOG_SOCKET_LOOKUP	0x04
110 
111 /* Reasons code for passing/dropping a packet */
112 #define PFRES_MATCH	0		/* Explicit match of a rule */
113 #define PFRES_BADOFF	1		/* Bad offset for pull_hdr */
114 #define PFRES_FRAG	2		/* Dropping following fragment */
115 #define PFRES_SHORT	3		/* Dropping short packet */
116 #define PFRES_NORM	4		/* Dropping by normalizer */
117 #define PFRES_MEMORY	5		/* Dropped due to lacking mem */
118 #define PFRES_TS	6		/* Bad TCP Timestamp (RFC1323) */
119 #define PFRES_CONGEST	7		/* Congestion (of ipintrq) */
120 #define PFRES_IPOPTIONS 8		/* IP option */
121 #define PFRES_PROTCKSUM 9		/* Protocol checksum invalid */
122 #define PFRES_BADSTATE	10		/* State mismatch */
123 #define PFRES_STATEINS	11		/* State insertion failure */
124 #define PFRES_MAXSTATES	12		/* State limit */
125 #define PFRES_SRCLIMIT	13		/* Source node/conn limit */
126 #define PFRES_SYNPROXY	14		/* SYN proxy */
127 #define PFRES_MAPFAILED	15		/* pf_map_addr() failed */
128 #define PFRES_MAX	16		/* total+1 */
129 
130 #define PFRES_NAMES { \
131 	"match", \
132 	"bad-offset", \
133 	"fragment", \
134 	"short", \
135 	"normalize", \
136 	"memory", \
137 	"bad-timestamp", \
138 	"congestion", \
139 	"ip-option", \
140 	"proto-cksum", \
141 	"state-mismatch", \
142 	"state-insert", \
143 	"state-limit", \
144 	"src-limit", \
145 	"synproxy", \
146 	"map-failed", \
147 	NULL \
148 }
149 
150 /* Counters for other things we want to keep track of */
151 #define LCNT_STATES		0	/* states */
152 #define LCNT_SRCSTATES		1	/* max-src-states */
153 #define LCNT_SRCNODES		2	/* max-src-nodes */
154 #define LCNT_SRCCONN		3	/* max-src-conn */
155 #define LCNT_SRCCONNRATE	4	/* max-src-conn-rate */
156 #define LCNT_OVERLOAD_TABLE	5	/* entry added to overload table */
157 #define LCNT_OVERLOAD_FLUSH	6	/* state entries flushed */
158 #define LCNT_MAX		7	/* total+1 */
159 
160 #define LCNT_NAMES { \
161 	"max states per rule", \
162 	"max-src-states", \
163 	"max-src-nodes", \
164 	"max-src-conn", \
165 	"max-src-conn-rate", \
166 	"overload table insertion", \
167 	"overload flush states", \
168 	NULL \
169 }
170 
171 /* state operation counters */
172 #define FCNT_STATE_SEARCH	0
173 #define FCNT_STATE_INSERT	1
174 #define FCNT_STATE_REMOVALS	2
175 #define FCNT_MAX		3
176 
177 /* src_node operation counters */
178 #define SCNT_SRC_NODE_SEARCH	0
179 #define SCNT_SRC_NODE_INSERT	1
180 #define SCNT_SRC_NODE_REMOVALS	2
181 #define SCNT_MAX		3
182 
183 #define	PF_TABLE_NAME_SIZE	32
184 #define	PF_QNAME_SIZE		64
185 
186 struct pf_status {
187 	uint64_t	counters[PFRES_MAX];
188 	uint64_t	lcounters[LCNT_MAX];
189 	uint64_t	fcounters[FCNT_MAX];
190 	uint64_t	scounters[SCNT_MAX];
191 	uint64_t	pcounters[2][2][3];
192 	uint64_t	bcounters[2][2];
193 	uint32_t	running;
194 	uint32_t	states;
195 	uint32_t	src_nodes;
196 	uint32_t	since;
197 	uint32_t	debug;
198 	uint32_t	hostid;
199 	char		ifname[IFNAMSIZ];
200 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
201 };
202 
203 #endif	/* _NET_PF_H_ */
204