Date: Sat, 26 Oct 2013 18:59:58 +0000 (UTC) From: Gleb Smirnoff <glebius@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r257186 - in head: contrib/libpcap sys/contrib/altq/altq sys/net Message-ID: <201310261859.r9QIxw57090334@svn.freebsd.org>
Author: glebius
Date: Sat Oct 26 18:59:58 2013
New Revision: 257186
URL: http://svnweb.freebsd.org/changeset/base/257186

Log:
Start splitting pfvar.h into internal and external parts.
- Provide pf_altq.h that has only stuff needed for ALTQ.
- Start pf.h, that would have all constant values and eventually non-kernel structures.
- Build ALTQ w/o pfvar.h, include if_var.h, that before came via pollution.
- Build tcpdump w/o pfvar.h.
Sponsored by: Netflix
Sponsored by: Nginx, Inc.

Added:
head/sys/net/pf.h - copied, changed from r257177, head/sys/net/pfvar.h
head/sys/net/pf_altq.h - copied, changed from r257177, head/sys/net/pfvar.h
Modified:
head/contrib/libpcap/grammar.y
head/sys/contrib/altq/altq/altq_cbq.c
head/sys/contrib/altq/altq/altq_cdnr.c
head/sys/contrib/altq/altq/altq_hfsc.c
head/sys/contrib/altq/altq/altq_priq.c
head/sys/contrib/altq/altq/altq_red.c
head/sys/contrib/altq/altq/altq_rio.c
head/sys/contrib/altq/altq/altq_rmclass.c
head/sys/contrib/altq/altq/altq_subr.c
head/sys/net/pfvar.h

Modified: head/contrib/libpcap/grammar.y
==============================================================================
--- head/contrib/libpcap/grammar.y Sat Oct 26 18:47:10 2013 (r257185)
+++ head/contrib/libpcap/grammar.y Sat Oct 26 18:59:58 2013 (r257186)
@@ -56,7 +56,7 @@ struct rtentry;
 #include "gencode.h"
 #ifdef HAVE_NET_PFVAR_H
 #include <net/if.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
 #include <net/if_pflog.h>
 #endif
 #include "ieee80211.h"

Modified: head/sys/contrib/altq/altq/altq_cbq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cbq.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_cbq.c Sat Oct 26 18:59:58 2013 (r257186)
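Review bot: The grammar.y hunk now includes `<net/pf.h>` but leaves it under `#ifdef HAVE_NET_PFVAR_H`, a feature macro whose name suggests the configure probe tests for net/pfvar.h, not for the new header; on a host where pfvar.h exists but pf.h does not (any tree older than this revision, or another pf port) the build would fail at this line. Either gate the block on a probe for net/pf.h or keep a fallback branch such as `#include <net/pfvar.h>` under an `#else` until the new header is present everywhere this libpcap is built. The preprocessor block is fully inside the hunk, but the configure check that defines HAVE_NET_PFVAR_H is not visible here, so this is inferred from the macro name.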
@@ -54,9 +54,12 @@
 #endif
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_cbq.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_cdnr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cdnr.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_cdnr.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -55,6 +55,7 @@
 #include <netinet/ip6.h>
 #endif
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_hfsc.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_hfsc.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_hfsc.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -66,9 +66,12 @@
 #endif /* ALTQ3_COMPAT */
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_hfsc.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_priq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_priq.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_priq.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -51,9 +51,12 @@
 #include <sys/queue.h>
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_red.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_red.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_red.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -86,6 +86,7 @@
 #endif /* ALTQ3_COMPAT */
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -94,7 +95,9 @@
 #include <netinet/ip6.h>
 #endif
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_red.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_rio.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rio.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_rio.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -81,6 +81,7 @@
 #endif
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -89,7 +90,8 @@
 #include <netinet/ip6.h>
 #endif
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_cdnr.h>
 #include <altq/altq_red.h>

Modified: head/sys/contrib/altq/altq/altq_rmclass.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rmclass.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_rmclass.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -59,12 +59,14 @@
 #endif
 #include <net/if.h>
+#include <net/if_var.h>
 #ifdef ALTQ3_COMPAT
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #endif
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_rmclass.h>
 #include <altq/altq_rmclass_debug.h>

Modified: head/sys/contrib/altq/altq/altq_subr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_subr.c Sat Oct 26 18:47:10 2013 (r257185)
+++ head/sys/contrib/altq/altq/altq_subr.c Sat Oct 26 18:59:58 2013 (r257186)
@@ -49,6 +49,7 @@
 #include <sys/queue.h>
 #include <net/if.h>
+#include <net/if_var.h>
 #include <net/if_dl.h>
 #include <net/if_types.h>
 #ifdef __FreeBSD__
@@ -64,7 +65,8 @@
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Copied and modified: head/sys/net/pf.h (from r257177, head/sys/net/pfvar.h)
==============================================================================
--- head/sys/net/pfvar.h Sat Oct 26 18:03:36 2013 (r257177, copy source)
+++ head/sys/net/pf.h Sat Oct 26 18:59:58 2013 (r257186)
@@ -30,18 +30,8 @@
  * $FreeBSD$
  */
-#ifndef _NET_PFVAR_H_
-#define _NET_PFVAR_H_
-
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/refcount.h>
-#include <sys/tree.h>
-
-#include <net/radix.h>
-#include <netinet/in.h>
-
-#include <net/pf_mtag.h>
+#ifndef _NET_PF_H_
+#define _NET_PFAR_H_
 #define PF_TCPS_PROXY_SRC ((TCP_NSTATES)+0)
 #define PF_TCPS_PROXY_DST ((TCP_NSTATES)+1)
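Review bot: The new include guard in pf.h does not guard: `#ifndef _NET_PF_H_` is paired with `#define _NET_PFAR_H_`, so `_NET_PF_H_` is never defined and any translation unit that reaches <net/pf.h> twice (directly, or through pf_altq.h and pfvar.h once they include it) sees every definition in the header a second time. The define line should read `#define _NET_PF_H_`; the matching `#endif` at the bottom of the header is outside this hunk, so its trailing comment may need the same rename. The hunk also drops every `#include` the copied pfvar.h had, leaving pf.h to rely on its includers for TCP_NSTATES and the types used further down; that works for macro definitions that are only expanded at use sites, but a one-line comment at the top of the header naming what the includer is expected to provide would save the next reader a build failure.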
@@ -119,1082 +109,6 @@ enum { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE #define PF_LOG_ALL 0x02 #define PF_LOG_SOCKET_LOOKUP 0x04 -struct pf_addr { - union { - struct in_addr v4; - struct in6_addr v6; - u_int8_t addr8[16]; - u_int16_t addr16[8]; - u_int32_t addr32[4]; - } pfa; /* 128-bit address */ -#define v4 pfa.v4 -#define v6 pfa.v6 -#define addr8 pfa.addr8 -#define addr16 pfa.addr16 -#define addr32 pfa.addr32 -}; - -#define PF_TABLE_NAME_SIZE 32 - -#define PFI_AFLAG_NETWORK 0x01 -#define PFI_AFLAG_BROADCAST 0x02 -#define PFI_AFLAG_PEER 0x04 -#define PFI_AFLAG_MODEMASK 0x07 -#define PFI_AFLAG_NOALIAS 0x08 - -struct pf_addr_wrap { - union { - struct { - struct pf_addr addr; - struct pf_addr mask; - } a; - char ifname[IFNAMSIZ]; - char tblname[PF_TABLE_NAME_SIZE]; - } v; - union { - struct pfi_dynaddr *dyn; - struct pfr_ktable *tbl; - int dyncnt; - int tblcnt; - } p; - u_int8_t type; /* PF_ADDR_* */ - u_int8_t iflags; /* PFI_AFLAG_* */ -}; - -#ifdef _KERNEL - -struct pfi_dynaddr { - TAILQ_ENTRY(pfi_dynaddr) entry; - struct pf_addr pfid_addr4; - struct pf_addr pfid_mask4; - struct pf_addr pfid_addr6; - struct pf_addr pfid_mask6; - struct pfr_ktable *pfid_kt; - struct pfi_kif *pfid_kif; - int pfid_net; /* mask or 128 */ - int pfid_acnt4; /* address count IPv4 */ - int pfid_acnt6; /* address count IPv6 */ - sa_family_t pfid_af; /* rule af */ - u_int8_t pfid_iflags; /* PFI_AFLAG_* */ -}; - -/* - * Address manipulation macros - */ -#define HTONL(x) (x) = htonl((__uint32_t)(x)) -#define HTONS(x) (x) = htons((__uint16_t)(x)) -#define NTOHL(x) (x) = ntohl((__uint32_t)(x)) -#define NTOHS(x) (x) = ntohs((__uint16_t)(x)) - -#define PF_NAME "pf" - -#define PF_HASHROW_ASSERT(h) mtx_assert(&(h)->lock, MA_OWNED) -#define PF_HASHROW_LOCK(h) mtx_lock(&(h)->lock) -#define PF_HASHROW_UNLOCK(h) mtx_unlock(&(h)->lock) - -#define PF_STATE_LOCK(s) \ - do { \ - struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)]; \ - PF_HASHROW_LOCK(_ih); \ - } while (0) - -#define PF_STATE_UNLOCK(s) \ - do { \ - 
struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH((s))]; \ - PF_HASHROW_UNLOCK(_ih); \ - } while (0) - -#ifdef INVARIANTS -#define PF_STATE_LOCK_ASSERT(s) \ - do { \ - struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)]; \ - PF_HASHROW_ASSERT(_ih); \ - } while (0) -#else /* !INVARIANTS */ -#define PF_STATE_LOCK_ASSERT(s) do {} while (0) -#endif /* INVARIANTS */ - -extern struct mtx pf_unlnkdrules_mtx; -#define PF_UNLNKDRULES_LOCK() mtx_lock(&pf_unlnkdrules_mtx) -#define PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx) - -extern struct rwlock pf_rules_lock; -#define PF_RULES_RLOCK() rw_rlock(&pf_rules_lock) -#define PF_RULES_RUNLOCK() rw_runlock(&pf_rules_lock) -#define PF_RULES_WLOCK() rw_wlock(&pf_rules_lock) -#define PF_RULES_WUNLOCK() rw_wunlock(&pf_rules_lock) -#define PF_RULES_ASSERT() rw_assert(&pf_rules_lock, RA_LOCKED) -#define PF_RULES_RASSERT() rw_assert(&pf_rules_lock, RA_RLOCKED) -#define PF_RULES_WASSERT() rw_assert(&pf_rules_lock, RA_WLOCKED) - -#define PF_MODVER 1 -#define PFLOG_MODVER 1 -#define PFSYNC_MODVER 1 - -#define PFLOG_MINVER 1 -#define PFLOG_PREFVER PFLOG_MODVER -#define PFLOG_MAXVER 1 -#define PFSYNC_MINVER 1 -#define PFSYNC_PREFVER PFSYNC_MODVER -#define PFSYNC_MAXVER 1 - -#ifdef INET -#ifndef INET6 -#define PF_INET_ONLY -#endif /* ! INET6 */ -#endif /* INET */ - -#ifdef INET6 -#ifndef INET -#define PF_INET6_ONLY -#endif /* ! 
INET */ -#endif /* INET6 */ - -#ifdef INET -#ifdef INET6 -#define PF_INET_INET6 -#endif /* INET6 */ -#endif /* INET */ - -#else - -#define PF_INET_INET6 - -#endif /* _KERNEL */ - -/* Both IPv4 and IPv6 */ -#ifdef PF_INET_INET6 - -#define PF_AEQ(a, b, c) \ - ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \ - ((a)->addr32[3] == (b)->addr32[3] && \ - (a)->addr32[2] == (b)->addr32[2] && \ - (a)->addr32[1] == (b)->addr32[1] && \ - (a)->addr32[0] == (b)->addr32[0])) \ - -#define PF_ANEQ(a, b, c) \ - ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \ - ((a)->addr32[3] != (b)->addr32[3] || \ - (a)->addr32[2] != (b)->addr32[2] || \ - (a)->addr32[1] != (b)->addr32[1] || \ - (a)->addr32[0] != (b)->addr32[0])) \ - -#define PF_AZERO(a, c) \ - ((c == AF_INET && !(a)->addr32[0]) || \ - (!(a)->addr32[0] && !(a)->addr32[1] && \ - !(a)->addr32[2] && !(a)->addr32[3] )) \ - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - pf_addrcpy(a, b, f) - -#define PF_AINC(a, f) \ - pf_addr_inc(a, f) - -#define PF_POOLMASK(a, b, c, d, f) \ - pf_poolmask(a, b, c, d, f) - -#else - -/* Just IPv6 */ - -#ifdef PF_INET6_ONLY - -#define PF_AEQ(a, b, c) \ - ((a)->addr32[3] == (b)->addr32[3] && \ - (a)->addr32[2] == (b)->addr32[2] && \ - (a)->addr32[1] == (b)->addr32[1] && \ - (a)->addr32[0] == (b)->addr32[0]) \ - -#define PF_ANEQ(a, b, c) \ - ((a)->addr32[3] != (b)->addr32[3] || \ - (a)->addr32[2] != (b)->addr32[2] || \ - (a)->addr32[1] != (b)->addr32[1] || \ - (a)->addr32[0] != (b)->addr32[0]) \ - -#define PF_AZERO(a, c) \ - (!(a)->addr32[0] && \ - !(a)->addr32[1] && \ - !(a)->addr32[2] && \ - !(a)->addr32[3] ) \ - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - pf_addrcpy(a, b, f) - -#define PF_AINC(a, f) \ - pf_addr_inc(a, f) - -#define PF_POOLMASK(a, b, c, d, f) \ - pf_poolmask(a, b, c, d, f) - -#else - -/* Just IPv4 */ -#ifdef PF_INET_ONLY - -#define PF_AEQ(a, b, c) \ - ((a)->addr32[0] 
== (b)->addr32[0]) - -#define PF_ANEQ(a, b, c) \ - ((a)->addr32[0] != (b)->addr32[0]) - -#define PF_AZERO(a, c) \ - (!(a)->addr32[0]) - -#define PF_MATCHA(n, a, m, b, f) \ - pf_match_addr(n, a, m, b, f) - -#define PF_ACPY(a, b, f) \ - (a)->v4.s_addr = (b)->v4.s_addr - -#define PF_AINC(a, f) \ - do { \ - (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \ - } while (0) - -#define PF_POOLMASK(a, b, c, d, f) \ - do { \ - (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \ - (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \ - } while (0) - -#endif /* PF_INET_ONLY */ -#endif /* PF_INET6_ONLY */ -#endif /* PF_INET_INET6 */ - -/* - * XXX callers not FIB-aware in our version of pf yet. - * OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio. - */ -#define PF_MISMATCHAW(aw, x, af, neg, ifp, rtid) \ - ( \ - (((aw)->type == PF_ADDR_NOROUTE && \ - pf_routable((x), (af), NULL, (rtid))) || \ - (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL && \ - pf_routable((x), (af), (ifp), (rtid))) || \ - ((aw)->type == PF_ADDR_TABLE && \ - !pfr_match_addr((aw)->p.tbl, (x), (af))) || \ - ((aw)->type == PF_ADDR_DYNIFTL && \ - !pfi_match_addr((aw)->p.dyn, (x), (af))) || \ - ((aw)->type == PF_ADDR_RANGE && \ - !pf_match_addr_range(&(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))) || \ - ((aw)->type == PF_ADDR_ADDRMASK && \ - !PF_AZERO(&(aw)->v.a.mask, (af)) && \ - !PF_MATCHA(0, &(aw)->v.a.addr, \ - &(aw)->v.a.mask, (x), (af))))) != \ - (neg) \ - ) - - -struct pf_rule_uid { - uid_t uid[2]; - u_int8_t op; -}; - -struct pf_rule_gid { - uid_t gid[2]; - u_int8_t op; -}; - -struct pf_rule_addr { - struct pf_addr_wrap addr; - u_int16_t port[2]; - u_int8_t neg; - u_int8_t port_op; -}; - -struct pf_pooladdr { - struct pf_addr_wrap addr; - TAILQ_ENTRY(pf_pooladdr) entries; - char ifname[IFNAMSIZ]; - struct pfi_kif *kif; -}; - -TAILQ_HEAD(pf_palist, pf_pooladdr); - -struct pf_poolhashkey { - union { - u_int8_t key8[16]; - u_int16_t key16[8]; - u_int32_t key32[4]; - } pfk; /* 128-bit 
hash key */ -#define key8 pfk.key8 -#define key16 pfk.key16 -#define key32 pfk.key32 -}; - -struct pf_pool { - struct pf_palist list; - struct pf_pooladdr *cur; - struct pf_poolhashkey key; - struct pf_addr counter; - int tblidx; - u_int16_t proxy_port[2]; - u_int8_t opts; -}; - - -/* A packed Operating System description for fingerprinting */ -typedef u_int32_t pf_osfp_t; -#define PF_OSFP_ANY ((pf_osfp_t)0) -#define PF_OSFP_UNKNOWN ((pf_osfp_t)-1) -#define PF_OSFP_NOMATCH ((pf_osfp_t)-2) - -struct pf_osfp_entry { - SLIST_ENTRY(pf_osfp_entry) fp_entry; - pf_osfp_t fp_os; - int fp_enflags; -#define PF_OSFP_EXPANDED 0x001 /* expanded entry */ -#define PF_OSFP_GENERIC 0x002 /* generic signature */ -#define PF_OSFP_NODETAIL 0x004 /* no p0f details */ -#define PF_OSFP_LEN 32 - char fp_class_nm[PF_OSFP_LEN]; - char fp_version_nm[PF_OSFP_LEN]; - char fp_subtype_nm[PF_OSFP_LEN]; -}; -#define PF_OSFP_ENTRY_EQ(a, b) \ - ((a)->fp_os == (b)->fp_os && \ - memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \ - memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \ - memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0) - -/* handle pf_osfp_t packing */ -#define _FP_RESERVED_BIT 1 /* For the special negative #defines */ -#define _FP_UNUSED_BITS 1 -#define _FP_CLASS_BITS 10 /* OS Class (Windows, Linux) */ -#define _FP_VERSION_BITS 10 /* OS version (95, 98, NT, 2.4.54, 3.2) */ -#define _FP_SUBTYPE_BITS 10 /* patch level (NT SP4, SP3, ECN patch) */ -#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \ - (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \ - ((1 << _FP_CLASS_BITS) - 1); \ - (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \ - ((1 << _FP_VERSION_BITS) - 1);\ - (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \ -} while(0) -#define PF_OSFP_PACK(osfp, class, version, subtype) do { \ - (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \ - + _FP_SUBTYPE_BITS); \ - (osfp) |= ((version) & ((1 << 
_FP_VERSION_BITS) - 1)) << \ - _FP_SUBTYPE_BITS; \ - (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \ -} while(0) - -/* the fingerprint of an OSes TCP SYN packet */ -typedef u_int64_t pf_tcpopts_t; -struct pf_os_fingerprint { - SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */ - pf_tcpopts_t fp_tcpopts; /* packed TCP options */ - u_int16_t fp_wsize; /* TCP window size */ - u_int16_t fp_psize; /* ip->ip_len */ - u_int16_t fp_mss; /* TCP MSS */ - u_int16_t fp_flags; -#define PF_OSFP_WSIZE_MOD 0x0001 /* Window modulus */ -#define PF_OSFP_WSIZE_DC 0x0002 /* Window don't care */ -#define PF_OSFP_WSIZE_MSS 0x0004 /* Window multiple of MSS */ -#define PF_OSFP_WSIZE_MTU 0x0008 /* Window multiple of MTU */ -#define PF_OSFP_PSIZE_MOD 0x0010 /* packet size modulus */ -#define PF_OSFP_PSIZE_DC 0x0020 /* packet size don't care */ -#define PF_OSFP_WSCALE 0x0040 /* TCP window scaling */ -#define PF_OSFP_WSCALE_MOD 0x0080 /* TCP window scale modulus */ -#define PF_OSFP_WSCALE_DC 0x0100 /* TCP window scale dont-care */ -#define PF_OSFP_MSS 0x0200 /* TCP MSS */ -#define PF_OSFP_MSS_MOD 0x0400 /* TCP MSS modulus */ -#define PF_OSFP_MSS_DC 0x0800 /* TCP MSS dont-care */ -#define PF_OSFP_DF 0x1000 /* IPv4 don't fragment bit */ -#define PF_OSFP_TS0 0x2000 /* Zero timestamp */ -#define PF_OSFP_INET6 0x4000 /* IPv6 */ - u_int8_t fp_optcnt; /* TCP option count */ - u_int8_t fp_wscale; /* TCP window scaling */ - u_int8_t fp_ttl; /* IPv4 TTL */ -#define PF_OSFP_MAXTTL_OFFSET 40 -/* TCP options packing */ -#define PF_OSFP_TCPOPT_NOP 0x0 /* TCP NOP option */ -#define PF_OSFP_TCPOPT_WSCALE 0x1 /* TCP window scaling option */ -#define PF_OSFP_TCPOPT_MSS 0x2 /* TCP max segment size opt */ -#define PF_OSFP_TCPOPT_SACK 0x3 /* TCP SACK OK option */ -#define PF_OSFP_TCPOPT_TS 0x4 /* TCP timestamp option */ -#define PF_OSFP_TCPOPT_BITS 3 /* bits used by each option */ -#define PF_OSFP_MAX_OPTS \ - (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \ - / 
PF_OSFP_TCPOPT_BITS - - SLIST_ENTRY(pf_os_fingerprint) fp_next; -}; - -struct pf_osfp_ioctl { - struct pf_osfp_entry fp_os; - pf_tcpopts_t fp_tcpopts; /* packed TCP options */ - u_int16_t fp_wsize; /* TCP window size */ - u_int16_t fp_psize; /* ip->ip_len */ - u_int16_t fp_mss; /* TCP MSS */ - u_int16_t fp_flags; - u_int8_t fp_optcnt; /* TCP option count */ - u_int8_t fp_wscale; /* TCP window scaling */ - u_int8_t fp_ttl; /* IPv4 TTL */ - - int fp_getnum; /* DIOCOSFPGET number */ -}; - - -union pf_rule_ptr { - struct pf_rule *ptr; - u_int32_t nr; -}; - -#define PF_ANCHOR_NAME_SIZE 64 - -struct pf_rule { - struct pf_rule_addr src; - struct pf_rule_addr dst; -#define PF_SKIP_IFP 0 -#define PF_SKIP_DIR 1 -#define PF_SKIP_AF 2 -#define PF_SKIP_PROTO 3 -#define PF_SKIP_SRC_ADDR 4 -#define PF_SKIP_SRC_PORT 5 -#define PF_SKIP_DST_ADDR 6 -#define PF_SKIP_DST_PORT 7 -#define PF_SKIP_COUNT 8 - union pf_rule_ptr skip[PF_SKIP_COUNT]; -#define PF_RULE_LABEL_SIZE 64 - char label[PF_RULE_LABEL_SIZE]; -#define PF_QNAME_SIZE 64 - char ifname[IFNAMSIZ]; - char qname[PF_QNAME_SIZE]; - char pqname[PF_QNAME_SIZE]; -#define PF_TAG_NAME_SIZE 64 - char tagname[PF_TAG_NAME_SIZE]; - char match_tagname[PF_TAG_NAME_SIZE]; - - char overload_tblname[PF_TABLE_NAME_SIZE]; - - TAILQ_ENTRY(pf_rule) entries; - struct pf_pool rpool; - - u_int64_t evaluations; - u_int64_t packets[2]; - u_int64_t bytes[2]; - - struct pfi_kif *kif; - struct pf_anchor *anchor; - struct pfr_ktable *overload_tbl; - - pf_osfp_t os_fingerprint; - - int rtableid; - u_int32_t timeout[PFTM_MAX]; - u_int32_t states_cur; - u_int32_t states_tot; - u_int32_t max_states; - u_int32_t src_nodes; - u_int32_t max_src_nodes; - u_int32_t max_src_states; - u_int32_t spare1; /* netgraph */ - u_int32_t max_src_conn; - struct { - u_int32_t limit; - u_int32_t seconds; - } max_src_conn_rate; - u_int32_t qid; - u_int32_t pqid; - u_int32_t rt_listid; - u_int32_t nr; - u_int32_t prob; - uid_t cuid; - pid_t cpid; - - u_int16_t return_icmp; - 
u_int16_t return_icmp6; - u_int16_t max_mss; - u_int16_t tag; - u_int16_t match_tag; - u_int16_t spare2; /* netgraph */ - - struct pf_rule_uid uid; - struct pf_rule_gid gid; - - u_int32_t rule_flag; - u_int8_t action; - u_int8_t direction; - u_int8_t log; - u_int8_t logif; - u_int8_t quick; - u_int8_t ifnot; - u_int8_t match_tag_not; - u_int8_t natpass; - -#define PF_STATE_NORMAL 0x1 -#define PF_STATE_MODULATE 0x2 -#define PF_STATE_SYNPROXY 0x3 - u_int8_t keep_state; - sa_family_t af; - u_int8_t proto; - u_int8_t type; - u_int8_t code; - u_int8_t flags; - u_int8_t flagset; - u_int8_t min_ttl; - u_int8_t allow_opts; - u_int8_t rt; - u_int8_t return_ttl; - u_int8_t tos; - u_int8_t set_tos; - u_int8_t anchor_relative; - u_int8_t anchor_wildcard; - -#define PF_FLUSH 0x01 -#define PF_FLUSH_GLOBAL 0x02 - u_int8_t flush; - - struct { - struct pf_addr addr; - u_int16_t port; - } divert; -}; - -/* rule flags */ -#define PFRULE_DROP 0x0000 -#define PFRULE_RETURNRST 0x0001 -#define PFRULE_FRAGMENT 0x0002 -#define PFRULE_RETURNICMP 0x0004 -#define PFRULE_RETURN 0x0008 -#define PFRULE_NOSYNC 0x0010 -#define PFRULE_SRCTRACK 0x0020 /* track source states */ -#define PFRULE_RULESRCTRACK 0x0040 /* per rule */ -#define PFRULE_REFS 0x0080 /* rule has references */ - -/* scrub flags */ -#define PFRULE_NODF 0x0100 -#define PFRULE_FRAGCROP 0x0200 /* non-buffering frag cache */ -#define PFRULE_FRAGDROP 0x0400 /* drop funny fragments */ -#define PFRULE_RANDOMID 0x0800 -#define PFRULE_REASSEMBLE_TCP 0x1000 -#define PFRULE_SET_TOS 0x2000 - -/* rule flags again */ -#define PFRULE_IFBOUND 0x00010000 /* if-bound */ -#define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ - -#define PFSTATE_HIWAT 10000 /* default state table size */ -#define PFSTATE_ADAPT_START 6000 /* default adaptive timeout start */ -#define PFSTATE_ADAPT_END 12000 /* default adaptive timeout end */ - - -struct pf_threshold { - u_int32_t limit; -#define PF_THRESHOLD_MULT 1000 -#define PF_THRESHOLD_MAX 0xffffffff / 
PF_THRESHOLD_MULT - u_int32_t seconds; - u_int32_t count; - u_int32_t last; -}; - -struct pf_src_node { - LIST_ENTRY(pf_src_node) entry; - struct pf_addr addr; - struct pf_addr raddr; - union pf_rule_ptr rule; - struct pfi_kif *kif; - u_int64_t bytes[2]; - u_int64_t packets[2]; - u_int32_t states; - u_int32_t conn; - struct pf_threshold conn_rate; - u_int32_t creation; - u_int32_t expire; - sa_family_t af; - u_int8_t ruletype; -}; - -#define PFSNODE_HIWAT 10000 /* default source node table size */ - -struct pf_state_scrub { - struct timeval pfss_last; /* time received last packet */ - u_int32_t pfss_tsecr; /* last echoed timestamp */ - u_int32_t pfss_tsval; /* largest timestamp */ - u_int32_t pfss_tsval0; /* original timestamp */ - u_int16_t pfss_flags; -#define PFSS_TIMESTAMP 0x0001 /* modulate timestamp */ -#define PFSS_PAWS 0x0010 /* stricter PAWS checks */ -#define PFSS_PAWS_IDLED 0x0020 /* was idle too long. no PAWS */ -#define PFSS_DATA_TS 0x0040 /* timestamp on data packets */ -#define PFSS_DATA_NOTS 0x0080 /* no timestamp on data packets */ - u_int8_t pfss_ttl; /* stashed TTL */ - u_int8_t pad; - u_int32_t pfss_ts_mod; /* timestamp modulation */ -}; - -struct pf_state_host { - struct pf_addr addr; - u_int16_t port; - u_int16_t pad; -}; - -struct pf_state_peer { - struct pf_state_scrub *scrub; /* state is scrubbed */ - u_int32_t seqlo; /* Max sequence number sent */ - u_int32_t seqhi; /* Max the other end ACKd + win */ - u_int32_t seqdiff; /* Sequence number modulator */ - u_int16_t max_win; /* largest window (pre scaling) */ - u_int16_t mss; /* Maximum segment size option */ - u_int8_t state; /* active state level */ - u_int8_t wscale; /* window scaling factor */ - u_int8_t tcp_est; /* Did we reach TCPS_ESTABLISHED */ - u_int8_t pad[1]; -}; - -/* Keep synced with struct pf_state_key. 
*/ -struct pf_state_key_cmp { - struct pf_addr addr[2]; - u_int16_t port[2]; - sa_family_t af; - u_int8_t proto; - u_int8_t pad[2]; -}; - -struct pf_state_key { - struct pf_addr addr[2]; - u_int16_t port[2]; - sa_family_t af; - u_int8_t proto; - u_int8_t pad[2]; - - LIST_ENTRY(pf_state_key) entry; - TAILQ_HEAD(, pf_state) states[2]; -}; - -/* Keep synced with struct pf_state. */ -struct pf_state_cmp { - u_int64_t id; - u_int32_t creatorid; - u_int8_t direction; - u_int8_t pad[3]; -}; - -struct pf_state { - u_int64_t id; - u_int32_t creatorid; - u_int8_t direction; - u_int8_t pad[3]; - - u_int refs; - TAILQ_ENTRY(pf_state) sync_list; - TAILQ_ENTRY(pf_state) key_list[2]; - LIST_ENTRY(pf_state) entry; - struct pf_state_peer src; - struct pf_state_peer dst; - union pf_rule_ptr rule; - union pf_rule_ptr anchor; - union pf_rule_ptr nat_rule; - struct pf_addr rt_addr; - struct pf_state_key *key[2]; /* addresses stack and wire */ - struct pfi_kif *kif; - struct pfi_kif *rt_kif; - struct pf_src_node *src_node; - struct pf_src_node *nat_src_node; - u_int64_t packets[2]; - u_int64_t bytes[2]; - u_int32_t creation; - u_int32_t expire; - u_int32_t pfsync_time; - u_int16_t tag; - u_int8_t log; - u_int8_t state_flags; -#define PFSTATE_ALLOWOPTS 0x01 -#define PFSTATE_SLOPPY 0x02 -/* was PFSTATE_PFLOW 0x04 */ -#define PFSTATE_NOSYNC 0x08 -#define PFSTATE_ACK 0x10 - u_int8_t timeout; - u_int8_t sync_state; /* PFSYNC_S_x */ - - /* XXX */ - u_int8_t sync_updates; - u_int8_t _tail[3]; -}; - -/* - * Unified state structures for pulling states out of the kernel - * used by pfsync(4) and the pf(4) ioctl. 
- */ -struct pfsync_state_scrub { - u_int16_t pfss_flags; - u_int8_t pfss_ttl; /* stashed TTL */ -#define PFSYNC_SCRUB_FLAG_VALID 0x01 - u_int8_t scrub_flag; - u_int32_t pfss_ts_mod; /* timestamp modulation */ -} __packed; - -struct pfsync_state_peer { - struct pfsync_state_scrub scrub; /* state is scrubbed */ - u_int32_t seqlo; /* Max sequence number sent */ - u_int32_t seqhi; /* Max the other end ACKd + win */ - u_int32_t seqdiff; /* Sequence number modulator */ - u_int16_t max_win; /* largest window (pre scaling) */ - u_int16_t mss; /* Maximum segment size option */ - u_int8_t state; /* active state level */ - u_int8_t wscale; /* window scaling factor */ - u_int8_t pad[6]; -} __packed; - -struct pfsync_state_key { - struct pf_addr addr[2]; - u_int16_t port[2]; -}; - -struct pfsync_state { - u_int64_t id; - char ifname[IFNAMSIZ]; - struct pfsync_state_key key[2]; - struct pfsync_state_peer src; - struct pfsync_state_peer dst; - struct pf_addr rt_addr; - u_int32_t rule; - u_int32_t anchor; - u_int32_t nat_rule; - u_int32_t creation; - u_int32_t expire; - u_int32_t packets[2][2]; - u_int32_t bytes[2][2]; - u_int32_t creatorid; - sa_family_t af; - u_int8_t proto; - u_int8_t direction; - u_int8_t __spare[2]; - u_int8_t log; - u_int8_t state_flags; - u_int8_t timeout; - u_int8_t sync_flags; - u_int8_t updates; -} __packed; - -#ifdef _KERNEL -/* pfsync */ -typedef int pfsync_state_import_t(struct pfsync_state *, u_int8_t); -typedef void pfsync_insert_state_t(struct pf_state *); -typedef void pfsync_update_state_t(struct pf_state *); -typedef void pfsync_delete_state_t(struct pf_state *); -typedef void pfsync_clear_states_t(u_int32_t, const char *); -typedef int pfsync_defer_t(struct pf_state *, struct mbuf *); - -extern pfsync_state_import_t *pfsync_state_import_ptr; -extern pfsync_insert_state_t *pfsync_insert_state_ptr; -extern pfsync_update_state_t *pfsync_update_state_ptr; -extern pfsync_delete_state_t *pfsync_delete_state_ptr; -extern pfsync_clear_states_t 
*pfsync_clear_states_ptr; -extern pfsync_defer_t *pfsync_defer_ptr; - -void pfsync_state_export(struct pfsync_state *, - struct pf_state *); - -/* pflog */ -struct pf_ruleset; -struct pf_pdesc; -typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t, - u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *, - struct pf_ruleset *, struct pf_pdesc *, int); -extern pflog_packet_t *pflog_packet_ptr; - -#define V_pf_end_threads VNET(pf_end_threads) -#endif /* _KERNEL */ - -#define PFSYNC_FLAG_SRCNODE 0x04 -#define PFSYNC_FLAG_NATSRCNODE 0x08 - -/* for copies to/from network byte order */ -/* ioctl interface also uses network byte order */ -#define pf_state_peer_hton(s,d) do { \ - (d)->seqlo = htonl((s)->seqlo); \ - (d)->seqhi = htonl((s)->seqhi); \ - (d)->seqdiff = htonl((s)->seqdiff); \ - (d)->max_win = htons((s)->max_win); \ - (d)->mss = htons((s)->mss); \ - (d)->state = (s)->state; \ - (d)->wscale = (s)->wscale; \ - if ((s)->scrub) { \ - (d)->scrub.pfss_flags = \ - htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP); \ - (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl; \ - (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\ - (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID; \ - } \ -} while (0) - -#define pf_state_peer_ntoh(s,d) do { \ - (d)->seqlo = ntohl((s)->seqlo); \ - (d)->seqhi = ntohl((s)->seqhi); \ - (d)->seqdiff = ntohl((s)->seqdiff); \ - (d)->max_win = ntohs((s)->max_win); \ - (d)->mss = ntohs((s)->mss); \ - (d)->state = (s)->state; \ - (d)->wscale = (s)->wscale; \ - if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID && \ - (d)->scrub != NULL) { \ - (d)->scrub->pfss_flags = \ - ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP; \ - (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl; \ - (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\ - } \ -} while (0) - -#define pf_state_counter_hton(s,d) do { \ - d[0] = htonl((s>>32)&0xffffffff); \ *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***