1 /* 2 * Copyright (c) 2001 Daniel Hartmeier 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 9 * - Redistributions of source code must retain the above copyright 10 * notice, this list of conditions and the following disclaimer. 11 * - Redistributions in binary form must reproduce the above 12 * copyright notice, this list of conditions and the following 13 * disclaimer in the documentation and/or other materials provided 14 * with the distribution. 15 * 16 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 * POSSIBILITY OF SUCH DAMAGE. 28 * 29 * $OpenBSD: pfvar.h,v 1.282 2009/01/29 15:12:28 pyr Exp $ 30 * $FreeBSD$ 31 */ 32 33 #ifndef _NET_PF_H_ 34 #define _NET_PF_H_ 35 36 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0) 37 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1) 38 39 #define PF_MD5_DIGEST_LENGTH 16 40 #ifdef MD5_DIGEST_LENGTH 41 #if PF_MD5_DIGEST_LENGTH != MD5_DIGEST_LENGTH 42 #error 43 #endif 44 #endif 45 46 enum { PF_INOUT, PF_IN, PF_OUT }; 47 enum { PF_PASS, PF_DROP, PF_SCRUB, PF_NOSCRUB, PF_NAT, PF_NONAT, 48 PF_BINAT, PF_NOBINAT, PF_RDR, PF_NORDR, PF_SYNPROXY_DROP, PF_DEFER }; 49 enum { PF_RULESET_SCRUB, PF_RULESET_FILTER, PF_RULESET_NAT, 50 PF_RULESET_BINAT, PF_RULESET_RDR, PF_RULESET_MAX }; 51 enum { PF_OP_NONE, PF_OP_IRG, PF_OP_EQ, PF_OP_NE, PF_OP_LT, 52 PF_OP_LE, PF_OP_GT, PF_OP_GE, PF_OP_XRG, PF_OP_RRG }; 53 enum { PF_DEBUG_NONE, PF_DEBUG_URGENT, PF_DEBUG_MISC, PF_DEBUG_NOISY }; 54 enum { PF_CHANGE_NONE, PF_CHANGE_ADD_HEAD, PF_CHANGE_ADD_TAIL, 55 PF_CHANGE_ADD_BEFORE, PF_CHANGE_ADD_AFTER, 56 PF_CHANGE_REMOVE, PF_CHANGE_GET_TICKET }; 57 enum { PF_GET_NONE, PF_GET_CLR_CNTR }; 58 enum { PF_SK_WIRE, PF_SK_STACK, PF_SK_BOTH }; 59 60 /* 61 * Note about PFTM_*: real indices into pf_rule.timeout[] come before 62 * PFTM_MAX, special cases afterwards. See pf_state_expires(). 63 */ 64 enum { PFTM_TCP_FIRST_PACKET, PFTM_TCP_OPENING, PFTM_TCP_ESTABLISHED, 65 PFTM_TCP_CLOSING, PFTM_TCP_FIN_WAIT, PFTM_TCP_CLOSED, 66 PFTM_UDP_FIRST_PACKET, PFTM_UDP_SINGLE, PFTM_UDP_MULTIPLE, 67 PFTM_ICMP_FIRST_PACKET, PFTM_ICMP_ERROR_REPLY, 68 PFTM_OTHER_FIRST_PACKET, PFTM_OTHER_SINGLE, 69 PFTM_OTHER_MULTIPLE, PFTM_FRAG, PFTM_INTERVAL, 70 PFTM_ADAPTIVE_START, PFTM_ADAPTIVE_END, PFTM_SRC_NODE, 71 PFTM_TS_DIFF, PFTM_MAX, PFTM_PURGE, PFTM_UNLINKED }; 72 73 /* PFTM default values */ 74 #define PFTM_TCP_FIRST_PACKET_VAL 120 /* First TCP packet */ 75 #define PFTM_TCP_OPENING_VAL 30 /* No response yet */ 76 #define PFTM_TCP_ESTABLISHED_VAL 24*60*60/* Established */ 77 #define PFTM_TCP_CLOSING_VAL 15 * 60 /* Half closed */ 78 #define PFTM_TCP_FIN_WAIT_VAL 45 /* Got both FINs */ 79 #define PFTM_TCP_CLOSED_VAL 90 /* Got a RST */ 80 #define PFTM_UDP_FIRST_PACKET_VAL 60 /* First UDP packet */ 81 #define PFTM_UDP_SINGLE_VAL 30 /* Unidirectional */ 82 #define PFTM_UDP_MULTIPLE_VAL 60 /* Bidirectional */ 83 #define PFTM_ICMP_FIRST_PACKET_VAL 20 /* First ICMP packet */ 84 #define PFTM_ICMP_ERROR_REPLY_VAL 10 /* Got error response */ 85 #define PFTM_OTHER_FIRST_PACKET_VAL 60 /* First packet */ 86 #define PFTM_OTHER_SINGLE_VAL 30 /* Unidirectional */ 87 #define PFTM_OTHER_MULTIPLE_VAL 60 /* Bidirectional */ 88 #define PFTM_FRAG_VAL 30 /* Fragment expire */ 89 #define PFTM_INTERVAL_VAL 10 /* Expire interval */ 90 #define PFTM_SRC_NODE_VAL 0 /* Source tracking */ 91 #define PFTM_TS_DIFF_VAL 30 /* Allowed TS diff */ 92 93 enum { PF_NOPFROUTE, PF_FASTROUTE, PF_ROUTETO, PF_DUPTO, PF_REPLYTO }; 94 enum { PF_LIMIT_STATES, PF_LIMIT_SRC_NODES, PF_LIMIT_FRAGS, 95 PF_LIMIT_TABLE_ENTRIES, PF_LIMIT_MAX }; 96 #define PF_POOL_IDMASK 0x0f 97 enum { PF_POOL_NONE, PF_POOL_BITMASK, PF_POOL_RANDOM, 98 PF_POOL_SRCHASH, PF_POOL_ROUNDROBIN }; 99 enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE, PF_ADDR_DYNIFTL, 100 PF_ADDR_TABLE, PF_ADDR_URPFFAILED, 101 PF_ADDR_RANGE }; 102 #define PF_POOL_TYPEMASK 0x0f 103 #define PF_POOL_STICKYADDR 0x20 104 #define PF_WSCALE_FLAG 0x80 105 #define PF_WSCALE_MASK 0x0f 106 107 #define PF_LOG 0x01 108 #define PF_LOG_ALL 0x02 109 #define PF_LOG_SOCKET_LOOKUP 0x04 110 111 /* Reasons code for passing/dropping a packet */ 112 #define PFRES_MATCH 0 /* Explicit match of a rule */ 113 #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ 114 #define PFRES_FRAG 2 /* Dropping following fragment */ 115 #define PFRES_SHORT 3 /* Dropping short packet */ 116 #define PFRES_NORM 4 /* Dropping by normalizer */ 117 #define PFRES_MEMORY 5 /* Dropped due to lacking mem */ 118 #define PFRES_TS 6 /* Bad TCP Timestamp (RFC1323) */ 119 #define PFRES_CONGEST 7 /* Congestion (of ipintrq) */ 120 #define PFRES_IPOPTIONS 8 /* IP option */ 121 #define PFRES_PROTCKSUM 9 /* Protocol checksum invalid */ 122 #define PFRES_BADSTATE 10 /* State mismatch */ 123 #define PFRES_STATEINS 11 /* State insertion failure */ 124 #define PFRES_MAXSTATES 12 /* State limit */ 125 #define PFRES_SRCLIMIT 13 /* Source node/conn limit */ 126 #define PFRES_SYNPROXY 14 /* SYN proxy */ 127 #define PFRES_MAPFAILED 15 /* pf_map_addr() failed */ 128 #define PFRES_MAX 16 /* total+1 */ 129 130 #define PFRES_NAMES { \ 131 "match", \ 132 "bad-offset", \ 133 "fragment", \ 134 "short", \ 135 "normalize", \ 136 "memory", \ 137 "bad-timestamp", \ 138 "congestion", \ 139 "ip-option", \ 140 "proto-cksum", \ 141 "state-mismatch", \ 142 "state-insert", \ 143 "state-limit", \ 144 "src-limit", \ 145 "synproxy", \ 146 "map-failed", \ 147 NULL \ 148 } 149 150 /* Counters for other things we want to keep track of */ 151 #define LCNT_STATES 0 /* states */ 152 #define LCNT_SRCSTATES 1 /* max-src-states */ 153 #define LCNT_SRCNODES 2 /* max-src-nodes */ 154 #define LCNT_SRCCONN 3 /* max-src-conn */ 155 #define LCNT_SRCCONNRATE 4 /* max-src-conn-rate */ 156 #define LCNT_OVERLOAD_TABLE 5 /* entry added to overload table */ 157 #define LCNT_OVERLOAD_FLUSH 6 /* state entries flushed */ 158 #define LCNT_MAX 7 /* total+1 */ 159 160 #define LCNT_NAMES { \ 161 "max states per rule", \ 162 "max-src-states", \ 163 "max-src-nodes", \ 164 "max-src-conn", \ 165 "max-src-conn-rate", \ 166 "overload table insertion", \ 167 "overload flush states", \ 168 NULL \ 169 } 170 171 /* state operation counters */ 172 #define FCNT_STATE_SEARCH 0 173 #define FCNT_STATE_INSERT 1 174 #define FCNT_STATE_REMOVALS 2 175 #define FCNT_MAX 3 176 177 /* src_node operation counters */ 178 #define SCNT_SRC_NODE_SEARCH 0 179 #define SCNT_SRC_NODE_INSERT 1 180 #define SCNT_SRC_NODE_REMOVALS 2 181 #define SCNT_MAX 3 182 183 #define PF_TABLE_NAME_SIZE 32 184 #define PF_QNAME_SIZE 64 185 186 struct pf_status { 187 uint64_t counters[PFRES_MAX]; 188 uint64_t lcounters[LCNT_MAX]; 189 uint64_t fcounters[FCNT_MAX]; 190 uint64_t scounters[SCNT_MAX]; 191 uint64_t pcounters[2][2][3]; 192 uint64_t bcounters[2][2]; 193 uint32_t running; 194 uint32_t states; 195 uint32_t src_nodes; 196 uint32_t since; 197 uint32_t debug; 198 uint32_t hostid; 199 char ifname[IFNAMSIZ]; 200 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 201 }; 202 203 #endif /* _NET_PF_H_ */ 204