search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ipfw3: remove legacy macros
[dragonfly.git] / sys / net / ipfw3 / ip_fw3.h
bloba6699dc26709018879eaa52aa493597cba3b67e5
1 /*
2 * Copyright (c) 1993 Daniel Boulet
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
4 * Copyright (c) 2002 Luigi Rizzo, Universita` di Pisa
5 * Copyright (c) 2015 The DragonFly Project. All rights reserved.
6 *
7 * This code is derived from software contributed to The DragonFly Project
8 * by Bill Yuan <bycn82@dragonflybsd.org>
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * 1. Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * 2. Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in
18 * the documentation and/or other materials provided with the
19 * distribution.
20 * 3. Neither the name of The DragonFly Project nor the names of its
21 * contributors may be used to endorse or promote products derived
22 * from this software without specific, prior written permission.
23 *
24 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
25 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
26 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
27 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
28 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
29 * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
30 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
31 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
32 * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
33 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
34 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 * SUCH DAMAGE.
36 *
37 */
38
39 #ifndef _IP_FW3_H_
40 #define _IP_FW3_H_
41
42 #include <net/bpf.h>
43
44 #ifdef _KERNEL
45 #include <net/netisr2.h>
46
47 int ip_fw3_sockopt(struct sockopt *);
48 extern int ip_fw3_loaded;
49 #endif
50
51 #define IPFW3_LOADED (ip_fw3_loaded)
52
53 /*
54 * _IPFW2_H is from ipfw/ip_fw2.h, both cannot be included past this
55 * point but we need both the IPFW2_LOADED and IPFW3_LOADED macros
56 */
57 #ifndef _IPFW2_H
58 #define _IPFW2_H
59
60 #define RESERVED_SIZE 12
61 #define SIZE_OF_IPFWINSN 8
62 #define LEN_OF_IPFWINSN 2
63 #define IPFW_DEFAULT_RULE 65535 /* rulenum for the default rule */
64 #define IPFW_DEFAULT_SET 31 /* set number for the default rule */
65
66 /*
67 * Template for instructions.
68 *
69 * ipfw_insn is used for all instructions which require no operands,
70 * a single 16-bit value (arg1), or a couple of 8-bit values.
71 *
72 * For other instructions which require different/larger arguments
73 * we have derived structures, ipfw_insn_*.
74 *
75 * The size of the instruction (in 32-bit words) is in the low
76 * 6 bits of "len". The 2 remaining bits are used to implement
77 * NOT and OR on individual instructions. Given a type, you can
78 * compute the length to be put in "len" using F_INSN_SIZE(t)
79 *
80 * F_NOT negates the match result of the instruction.
81 *
82 * F_OR is used to build or blocks. By default, instructions
83 * are evaluated as part of a logical AND. An "or" block
84 * { X or Y or Z } contains F_OR set in all but the last
85 * instruction of the block. A match will cause the code
86 * to skip past the last instruction of the block.
87 *
88 * NOTA BENE: in a couple of places we assume that
89 * sizeof(ipfw_insn) == sizeof(uint32_t)
90 * this needs to be fixed.
91 *
92 */
93
94 #define F_NOT 0x80
95 #define F_OR 0x40
96 #define F_LEN_MASK 0x3f
97 #define F_LEN(cmd) ((cmd)->len & F_LEN_MASK)
98
99 typedef struct _ipfw_insn { /* template for instructions */
100 uint8_t opcode;
101 uint8_t len; /* numer of 32-byte words */
102 uint16_t arg1;
103
104 uint8_t module;
105 uint8_t arg3;
106 uint16_t arg2;
107 } ipfw_insn;
108
109 /*
110 * The F_INSN_SIZE(type) computes the size, in 4-byte words, of
111 * a given type.
112 */
113 #define F_INSN_SIZE(t) ((sizeof (t))/sizeof(uint32_t))
114
115 #define MTAG_IPFW 1148380143 /* IPFW-tagged cookie */
116
117 /*
118 * This is used to store an array of 16-bit entries (ports etc.)
119 */
120 typedef struct _ipfw_insn_u16 {
121 ipfw_insn o;
122 uint16_t ports[2]; /* there may be more */
123 } ipfw_insn_u16;
124
125 /*
126 * This is used to store an array of 32-bit entries
127 * (uid, single IPv4 addresses etc.)
128 */
129 typedef struct _ipfw_insn_u32 {
130 ipfw_insn o;
131 uint32_t d[1]; /* one or more */
132 } ipfw_insn_u32;
133
134 /*
135 * This is used to store IP addr-mask pairs.
136 */
137 typedef struct _ipfw_insn_ip {
138 ipfw_insn o;
139 struct in_addr addr;
140 struct in_addr mask;
141 } ipfw_insn_ip;
142
143 /*
144 * This is used to forward to a given address (ip)
145 */
146 typedef struct _ipfw_insn_sa {
147 ipfw_insn o;
148 struct sockaddr_in sa;
149 } ipfw_insn_sa;
150
151 /*
152 * This is used for MAC addr-mask pairs.
153 */
154 typedef struct _ipfw_insn_mac {
155 ipfw_insn o;
156 u_char addr[12]; /* dst[6] + src[6] */
157 u_char mask[12]; /* dst[6] + src[6] */
158 } ipfw_insn_mac;
159
160 /*
161 * This is used for interface match rules (recv xx, xmit xx)
162 */
163 typedef struct _ipfw_insn_if {
164 ipfw_insn o;
165 union {
166 struct in_addr ip;
167 int glob;
168 } p;
169 char name[IFNAMSIZ];
170 } ipfw_insn_if;
171
172 /*
173 * This is used for pipe and queue actions, which need to store
174 * a single pointer (which can have different size on different
175 * architectures.
176 */
177 typedef struct _ipfw_insn_pipe {
178 ipfw_insn o;
179 void *pipe_ptr;
180 } ipfw_insn_pipe;
181
182 /*
183 * This is used for limit rules.
184 */
185 typedef struct _ipfw_insn_limit {
186 ipfw_insn o;
187 uint8_t _pad;
188 uint8_t limit_mask; /* combination of DYN_* below */
189 #define DYN_SRC_ADDR 0x1
190 #define DYN_SRC_PORT 0x2
191 #define DYN_DST_ADDR 0x4
192 #define DYN_DST_PORT 0x8
193
194 uint16_t conn_limit;
195 } ipfw_insn_limit;
196
197 /*
198 * This is used for bpf filtering.
199 */
200 typedef struct _ipfw_insn_bpf {
201 ipfw_insn o;
202 char bf_str[128];
203 u_int bf_len;
204 struct bpf_insn bf_insn[1];
205 } ipfw_insn_bpf;
206
207 /*
208 * Here we have the structure representing an ipfw rule.
209 *
210 * It starts with a general area (with link fields and counters)
211 * followed by an array of one or more instructions, which the code
212 * accesses as an array of 32-bit values.
213 *
214 * Given a rule pointer r:
215 *
216 * r->cmd is the start of the first instruction.
217 * ACTION_PTR(r) is the start of the first action (things to do
218 * once a rule matched).
219 *
220 * When assembling instruction, remember the following:
221 *
222 * + if a rule has a "keep-state" (or "limit") option, then the
223 * first instruction (at r->cmd) MUST BE an O_PROBE_STATE
224 * + if a rule has a "log" option, then the first action
225 * (at ACTION_PTR(r)) MUST be O_LOG
226 *
227 * NOTE: we use a simple linked list of rules because we never need
228 * to delete a rule without scanning the list. We do not use
229 * queue(3) macros for portability and readability.
230 */
231
232 struct ip_fw {
233 struct ip_fw *next; /* linked list of rules */
234 struct ip_fw *next_rule; /* ptr to next [skipto] rule */
235 uint16_t act_ofs; /* offset of action in 32-bit units */
236 uint16_t cmd_len; /* # of 32-bit words in cmd */
237 uint16_t rulenum; /* rule number */
238 uint8_t set; /* rule set (0..31) */
239 uint8_t flags; /* IPFW_USR_F_ */
240
241 /* These fields are present in all rules. */
242 uint64_t pcnt; /* Packet counter */
243 uint64_t bcnt; /* Byte counter */
244 uint32_t timestamp; /* tv_sec of last match */
245
246 struct ip_fw *sibling; /* pointer to the rule in next CPU */
247
248 ipfw_insn cmd[1]; /* storage for commands */
249 };
250
251
252 #define IPFW_RULE_F_INVALID 0x1
253 #define IPFW_RULE_F_STATE 0x2
254
255 #define RULESIZE(rule) (sizeof(struct ip_fw) + (rule)->cmd_len * 4 - SIZE_OF_IPFWINSN)
256
257 /*
258 * This structure is used as a flow mask and a flow id for various
259 * parts of the code.
260 */
261 struct ipfw_flow_id {
262 uint32_t dst_ip;
263 uint32_t src_ip;
264 uint16_t dst_port;
265 uint16_t src_port;
266 uint8_t proto;
267 uint8_t flags; /* protocol-specific flags */
268 };
269
270 struct ip_fw_state {
271 struct ip_fw_state *next;
272 struct ipfw_flow_id flow_id;
273 struct ip_fw *stub;
274
275 uint64_t pcnt; /* packet match counter */
276 uint64_t bcnt; /* byte match counter */
277
278 uint16_t lifetime;
279 uint32_t timestamp;
280 uint32_t expiry;
281 };
282
283
284 /* ipfw_chk/ip_fw_chk_ptr return values */
285 #define IP_FW_PASS 0
286 #define IP_FW_DENY 1
287 #define IP_FW_DIVERT 2
288 #define IP_FW_TEE 3
289 #define IP_FW_DUMMYNET 4
290 #define IP_FW_NAT 5
291 #define IP_FW_ROUTE 6
292
293 /* ipfw_chk controller values */
294 #define IP_FW_CTL_NO 0
295 #define IP_FW_CTL_DONE 1
296 #define IP_FW_CTL_AGAIN 2
297 #define IP_FW_CTL_NEXT 3
298 #define IP_FW_CTL_NAT 4
299 #define IP_FW_CTL_LOOP 5
300 #define IP_FW_CTL_CHK_STATE 6
301
302 #define IP_FW_NOT_MATCH 0
303 #define IP_FW_MATCH 1
304
305 /*
306 * arguments for calling ipfw_chk() and dummynet_io(). We put them
307 * all into a structure because this way it is easier and more
308 * efficient to pass variables around and extend the interface.
309 */
310 struct ip_fw_args {
311 struct mbuf *m; /* the mbuf chain */
312 struct ifnet *oif; /* output interface */
313 struct ip_fw *rule; /* matching rule */
314 struct ether_header *eh; /* for bridged packets */
315
316 struct ipfw_flow_id f_id; /* grabbed from IP header */
317
318 /*
319 * Depend on the return value of ipfw_chk/ip_fw_chk_ptr
320 * 'cookie' field may save following information:
321 *
322 * IP_FW_TEE or IP_FW_DIVERT
323 * The divert port number
324 *
325 * IP_FW_DUMMYNET
326 * The pipe or queue number
327 */
328 uint32_t cookie;
329 };
330
331 #ifdef _KERNEL
332 /*
333 * Function definitions.
334 */
335 int ip_fw_sockopt(struct sockopt *);
336 int ipfw_ctl_x(struct sockopt *sopt);
337
338 /* Firewall hooks */
339 struct sockopt;
340 struct dn_flow_set;
341
342 typedef int ip_fw_chk_t(struct ip_fw_args *);
343 typedef int ip_fw_ctl_t(struct sockopt *);
344 typedef struct mbuf
345 *ip_fw_dn_io_t(struct mbuf *, int, int, struct ip_fw_args *);
346
347
348 extern ip_fw_chk_t *ip_fw_chk_ptr;
349 extern ip_fw_ctl_t *ip_fw_ctl_x_ptr;
350 extern ip_fw_dn_io_t *ip_fw_dn_io_ptr;
351
352 extern int fw3_one_pass;
353 extern int fw3_enable;
354
355
356 #define IPFW_CFGCPUID 0
357 #define IPFW_CFGPORT netisr_cpuport(IPFW_CFGCPUID)
358 #define IPFW_ASSERT_CFGPORT(msgport) \
359 KASSERT((msgport) == IPFW_CFGPORT, ("not IPFW CFGPORT"))
360
361 #define IPFW_TABLES_MAX 32
362
363 /* root of place holding all information, per-cpu */
364 struct ipfw_context {
365 struct ip_fw *ipfw_rule_chain; /* list of rules*/
366 struct ip_fw *ipfw_default_rule; /* default rule */
367 struct ipfw_state_context *state_ctx;
368 struct ipfw_table_context *table_ctx;
369 uint16_t state_hash_size;
370 uint32_t ipfw_set_disable;
371 };
372
373 /* place to hold the states */
374 struct ipfw_state_context {
375 struct ip_fw_state *state;
376 struct ip_fw_state *last;
377 int count;
378 };
379
380
381 typedef void (*filter_func)(int *cmd_ctl,int *cmd_val,struct ip_fw_args **args,
382 struct ip_fw **f,ipfw_insn *cmd,uint16_t ip_len);
383 void register_ipfw_filter_funcs(int module,int opcode,filter_func func);
384 void unregister_ipfw_filter_funcs(int module,filter_func func);
385 void register_ipfw_module(int module_id,char *module_name);
386 int unregister_ipfw_module(int module_id);
387
388 #endif
389
390 #define ACTION_PTR(rule) \
391 (ipfw_insn *)((uint32_t *)((rule)->cmd) + ((rule)->act_ofs))
392
393
394
395 struct ipfw_ioc_rule {
396 uint16_t act_ofs; /* offset of action in 32-bit units */
397 uint16_t cmd_len; /* # of 32-bit words in cmd */
398 uint16_t rulenum; /* rule number */
399 uint8_t set; /* rule set (0..31) */
400 uint8_t usr_flags; /* IPFW_USR_F_ */
401
402 /* Rule set information */
403 uint32_t set_disable; /* disabled rule sets */
404 uint32_t static_count; /* # of static rules */
405 uint32_t static_len; /* total length of static rules */
406
407 /* Statistics */
408 uint64_t pcnt; /* Packet counter */
409 uint64_t bcnt; /* Byte counter */
410 uint32_t timestamp; /* tv_sec of last match */
411
412 uint8_t reserved[RESERVED_SIZE];
413
414 ipfw_insn cmd[1]; /* storage for commands */
415 };
416
417 #define IPFW_USR_F_NORULE 0x01
418
419 #define IPFW_RULE_SIZE_MAX 255 /* unit: uint32_t */
420
421 #define IOC_RULESIZE(rule) \
422 (sizeof(struct ipfw_ioc_rule) + (rule)->cmd_len * 4 - SIZE_OF_IPFWINSN)
423
424 struct ipfw_ioc_flowid {
425 uint16_t type; /* ETHERTYPE_ */
426 uint16_t pad;
427 union {
428 struct {
429 uint32_t dst_ip;
430 uint32_t src_ip;
431 uint16_t dst_port;
432 uint16_t src_port;
433 uint8_t proto;
434 } ip;
435 uint8_t pad[64];
436 } u;
437 };
438
439 struct ipfw_ioc_state {
440 uint64_t pcnt; /* packet match counter */
441 uint64_t bcnt; /* byte match counter */
442 uint16_t lifetime;
443 uint32_t timestamp; /* alive time */
444 uint32_t expiry; /* expire time */
445
446 uint16_t rulenum;
447 uint16_t cpuid;
448 struct ipfw_flow_id flow_id; /* proto +src/dst ip/port */
449 uint8_t reserved[16];
450 };
451
452 /*
453 * Definitions for IP option names.
454 */
455 #define IP_FW_IPOPT_LSRR 0x01
456 #define IP_FW_IPOPT_SSRR 0x02
457 #define IP_FW_IPOPT_RR 0x04
458 #define IP_FW_IPOPT_TS 0x08
459
460 /*
461 * Definitions for TCP option names.
462 */
463 #define IP_FW_TCPOPT_MSS 0x01
464 #define IP_FW_TCPOPT_WINDOW 0x02
465 #define IP_FW_TCPOPT_SACK 0x04
466 #define IP_FW_TCPOPT_TS 0x08
467 #define IP_FW_TCPOPT_CC 0x10
468
469 #define ICMP_REJECT_RST 0x100 /* fake ICMP code (send a TCP RST) */
470
471 struct ipfw_module{
472 int type;
473 int id;
474 char name[20];
475 };
476
477 /*
478 * type of the keyword, it indecates the position of the keyword in the rule
479 * BEFORE ACTION FROM TO FILTER OTHER
480 */
481 #define NONE 0
482 #define BEFORE 1
483 #define ACTION 2
484 #define PROTO 3
485 #define FROM 4
486 #define TO 5
487 #define FILTER 6
488 #define AFTER 7
489
490 #define NOT_IN_USE 0
491 #define IN_USE 1
492
493
494 #define NEED1(msg) {if (ac < 1) errx(EX_USAGE, msg);}
495 #define NEED2(msg) {if (ac < 2) errx(EX_USAGE, msg);}
496 #define NEED(c, n, msg) {if (c < n) errx(EX_USAGE, msg);}
497
498 #define NEXT_ARG ac--; if(ac > 0){av++;}
499 #define NEXT_ARG1 (*ac)--; if(*ac > 0){(*av)++;}
500
501 #define MATCH_REVERSE 0
502 #define MATCH_FORWARD 1
503 #define MATCH_NONE 2
504 #define MATCH_UNKNOWN 3
505
506 #define L3HDR(T, ip) ((T *)((uint32_t *)(ip) + (ip)->ip_hl))
507
508 /* IP_FW_X header/opcodes */
509 typedef struct _ip_fw_x_header {
510 uint16_t opcode; /* Operation opcode */
511 uint16_t _pad; /* Opcode version */
512 } ip_fw_x_header;
513
514 typedef void ipfw_basic_delete_state_t(struct ip_fw *);
515 typedef void ipfw_basic_append_state_t(struct ipfw_ioc_state *);
516 typedef void ipfw_sync_send_state_t(struct ip_fw_state *, int cpu, int hash);
517
518 /* IP_FW3 opcodes */
519
520 #define IP_FW_ADD 50 /* add a firewall rule to chain */
521 #define IP_FW_DEL 51 /* delete a firewall rule from chain */
522 #define IP_FW_FLUSH 52 /* flush firewall rule chain */
523 #define IP_FW_ZERO 53 /* clear single/all firewall counter(s) */
524 #define IP_FW_GET 54 /* get entire firewall rule chain */
525 #define IP_FW_RESETLOG 55 /* reset logging counters */
526
527 #define IP_DUMMYNET_CONFIGURE 60 /* add/configure a dummynet pipe */
528 #define IP_DUMMYNET_DEL 61 /* delete a dummynet pipe from chain */
529 #define IP_DUMMYNET_FLUSH 62 /* flush dummynet */
530 #define IP_DUMMYNET_GET 64 /* get entire dummynet pipes */
531
532 #define IP_FW_MODULE 67 /* get modules names */
533
534 #define IP_FW_NAT_ADD 68 /* add/config a nat rule */
535 #define IP_FW_NAT_DEL 69 /* delete a nat rule */
536 #define IP_FW_NAT_FLUSH 70 /* get configuration of a nat rule */
537 #define IP_FW_NAT_GET 71 /* get config of a nat rule */
538 #define IP_FW_NAT_GET_RECORD 72 /* get nat record of a nat rule */
539
540 #define IP_FW_STATE_ADD 56 /* add one state */
541 #define IP_FW_STATE_DEL 57 /* delete states of one rulenum */
542 #define IP_FW_STATE_FLUSH 58 /* flush all states */
543
544 #define IP_FW_TABLE_CREATE 73 /* table_create */
545 #define IP_FW_TABLE_DELETE 74 /* table_delete */
546 #define IP_FW_TABLE_APPEND 75 /* table_append */
547 #define IP_FW_TABLE_REMOVE 76 /* table_remove */
548 #define IP_FW_TABLE_LIST 77 /* table_list */
549 #define IP_FW_TABLE_FLUSH 78 /* table_flush */
550 #define IP_FW_TABLE_SHOW 79 /* table_show */
551 #define IP_FW_TABLE_TEST 80 /* table_test */
552 #define IP_FW_TABLE_RENAME 81 /* rename a table */
553
554 /* opcodes for ipfw3sync */
555 #define IP_FW_SYNC_SHOW_CONF 82 /* show sync config */
556 #define IP_FW_SYNC_SHOW_STATUS 83 /* show edge & centre running status */
557
558 #define IP_FW_SYNC_EDGE_CONF 84 /* config sync edge */
559 #define IP_FW_SYNC_EDGE_START 85 /* start the edge */
560 #define IP_FW_SYNC_EDGE_STOP 86 /* stop the edge */
561 #define IP_FW_SYNC_EDGE_TEST 87 /* test sync edge */
562 #define IP_FW_SYNC_EDGE_CLEAR 88 /* stop and clear the edge */
563
564 #define IP_FW_SYNC_CENTRE_CONF 89 /* config sync centre */
565 #define IP_FW_SYNC_CENTRE_START 90 /* start the centre */
566 #define IP_FW_SYNC_CENTRE_STOP 91 /* stop the centre */
567 #define IP_FW_SYNC_CENTRE_TEST 92 /* test sync centre */
568 #define IP_FW_SYNC_CENTRE_CLEAR 93 /* stop and clear the centre */
569 #endif
570
571 #endif /* _IP_FW3_H_ */
DragonFly BSD