/*-
 * Copyright (c) 2009-2025 The NetBSD Foundation, Inc.
 * All rights reserved.
 *
 * This material is based upon work partially supported by The
 * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public NPF interfaces.
 *
 * This header is shared between the kernel (or the standalone build)
 * and userland.  Everything outside the _KERNEL/_NPF_STANDALONE section
 * below is part of the ioctl(2) ABI: structure layouts, flag bits and
 * enum ordering must not be changed without bumping NPF_VERSION.
 */

#ifndef _NPF_NET_H_
#define _NPF_NET_H_

#include <sys/param.h>
#include <sys/types.h>

/*
 * Interface version of this header.  It is the value exchanged through
 * IOC_NPF_VERSION (see below); presumably the userland side compares it
 * against its own copy before issuing any other ioctl -- the comparison
 * itself is not in this header.
 */
#define	NPF_VERSION		22

#if defined(_NPF_STANDALONE)
#include "npf_stand.h"
#else
#include <sys/ioctl.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <net/if_ether.h>
#endif

/* Opaque NPF instance handle. */
struct npf;
typedef struct npf npf_t;

/*
 * Storage of address (both for IPv4 and IPv6) and netmask.
 *
 * Always 16 bytes wide; an IPv4 address occupies only the first four
 * (the in-use length travels separately, e.g. npc_alen / alen below).
 * The three views alias the same bytes, so word16/word32 access is
 * in network byte order.
 */
typedef union {
	uint8_t		word8[16];
	uint16_t	word16[8];
	uint32_t	word32[4];
} npf_addr_t;

/*
 * use a single type for both user id and group id
 *
 * id[] holds one or two identifiers and op the comparison to apply;
 * op is presumably one of the NPF_OP_* values declared at the end of
 * this header, with the range operators using both id entries --
 * confirm against the rule code that consumes rid_t.
 */
struct r_id {
	uint32_t	id[2];
	uint8_t		op;
};

typedef struct r_id rid_t;

/* Prefix length in bits (0..NPF_MAX_NETMASK) or NPF_NO_NETMASK. */
typedef uint8_t npf_netmask_t;

#define	NPF_MAX_NETMASK		(128)
/*
 * NPF_NO_NETMASK is 255 given the uint8_t type.  Any value between
 * NPF_MAX_NETMASK and NPF_NO_NETMASK (exclusive) is not meaningful;
 * code consuming a user-supplied npf_netmask_t (e.g. from
 * npf_ioctl_ent_t) is expected to reject such values -- that check
 * is not part of this header.
 */
#define	NPF_NO_NETMASK		((npf_netmask_t)~0)

/* BPF coprocessor. */
#if defined(NPF_BPFCOP)
/* Coprocessor function numbers. */
#define	NPF_COP_L3		0
#define	NPF_COP_TABLE		1

/* Indices into the BPF memory words filled in by the coprocessor. */
#define	BPF_MW_IPVER		0
#define	BPF_MW_L4OFF		1
#define	BPF_MW_L4PROTO		2
#endif
/* The number of words used. */
#define	NPF_BPF_NWORDS		3

/*
 * In-kernel declarations and definitions.
 */

#if defined(_KERNEL) || defined(_NPF_STANDALONE)

/* Final packet decision values. */
#define	NPF_DECISION_BLOCK	0
#define	NPF_DECISION_PASS	1

/*
 * Declare an NPF extension module.  `req' must be a string literal
 * (it is concatenated with "npf,"); when it is the empty literal
 * (sizeof(req) - 1 == 0) the module depends on "npf" alone.
 */
#define	NPF_EXT_MODULE(name, req)	\
    MODULE(MODULE_CLASS_MISC, name, (sizeof(req) - 1) ? ("npf," req) : "npf")

#include <net/if.h>
#include <netinet/ip.h>
#include <netinet/ip6.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <netinet/icmp6.h>

/*
 * Network buffer interface.
 *
 * nbuf_t wraps an mbuf chain together with a cursor (see nbuf_offset /
 * nbuf_advance).  The nbuf_ensure_* routines return a data pointer, or
 * presumably NULL when the requested length cannot be made contiguous
 * or writable; callers should check for NULL before dereferencing.
 */

/* Flag for nbuf_flag_p() / nbuf_unset_flag(). */
#define	NBUF_DATAREF_RESET	0x01

struct mbuf;
struct nbuf;
typedef struct nbuf nbuf_t;

void		nbuf_init(npf_t *, nbuf_t *, struct mbuf *, const ifnet_t *);
void		nbuf_reset(nbuf_t *);
struct mbuf *	nbuf_head_mbuf(nbuf_t *);

bool		nbuf_flag_p(const nbuf_t *, int);
void		nbuf_unset_flag(nbuf_t *, int);

void *		nbuf_dataptr(nbuf_t *);
size_t		nbuf_offset(const nbuf_t *);
void *		nbuf_advance(nbuf_t *, size_t, size_t);

void *		nbuf_ensure_contig(nbuf_t *, size_t);
void *		nbuf_ensure_writable(nbuf_t *, size_t);

bool		nbuf_cksum_barrier(nbuf_t *, int);
int		nbuf_add_tag(nbuf_t *, uint32_t);
int		npf_mbuf_add_tag(nbuf_t *, struct mbuf *, uint32_t);
int		nbuf_find_tag(nbuf_t *, uint32_t *);

/*
 * Packet information cache.
 *
 * The NPC_* values are bits of npf_cache_t::npc_info; test them with
 * npf_iscached() below.
 */

#define	NPC_IP4		0x01	/* Indicates IPv4 header. */
#define	NPC_IP6		0x02	/* Indicates IPv6 header. */
#define	NPC_IPFRAG	0x04	/* IPv4/IPv6 fragment. */
#define	NPC_LAYER4	0x08	/* Layer 4 has been fetched. */

#define	NPC_TCP		0x10	/* TCP header. */
#define	NPC_UDP		0x20	/* UDP header. */
#define	NPC_ICMP	0x40	/* ICMP header. */
#define	NPC_ICMP_ID	0x80	/* ICMP with query ID. */

#define	NPC_ALG_EXEC	0x100	/* ALG execution. */

#define	NPC_FMTERR	0x200	/* Format error. */
#define	NPC_LAYER2	0x400	/* ether header */

/* Either IP family; npf_iscached(npc, NPC_IP46) is true for v4 or v6. */
#define	NPC_IP46	(NPC_IP4|NPC_IP6)

struct npf_connkey;

/*
 * Per-packet cache of parsed header positions.  Filled in by the
 * packet inspection code; the pointers refer into the nbuf's data and
 * are only meaningful while the corresponding NPC_* bit is set in
 * npc_info.
 */
typedef struct {
	/* NPF context, information flags and the nbuf. */
	npf_t *		npc_ctx;
	uint32_t	npc_info;
	nbuf_t *	npc_nbuf;

	/*
	 * Layer 2 header copy (valid when NPC_LAYER2 is set).
	 * NOTE(review): ether_type is a uint8_t and so cannot hold a raw
	 * 16-bit EtherType; presumably an NPF-internal classification --
	 * confirm against the layer 2 parsing code.
	 */
	struct ether_header ether;
	uint8_t ether_type;

	/*
	 * Pointers to the IP source and destination addresses,
	 * and the address length (4 for IPv4 or 16 for IPv6).
	 * Index with NPF_SRC / NPF_DST.
	 */
	npf_addr_t *	npc_ips[2];
	uint8_t		npc_alen;

	/* IP header length and L4 protocol. */
	uint32_t	npc_hlen;
	uint16_t	npc_proto;

	/* IPv4, IPv6. */
	union {
		struct ip *		v4;
		struct ip6_hdr *	v6;
	} npc_ip;

	/* TCP, UDP, ICMP or other protocols. */
	union {
		struct tcphdr *		tcp;
		struct udphdr *		udp;
		struct icmp *		icmp;
		struct icmp6_hdr *	icmp6;
		void *			hdr;
	} npc_l4;

	/*
	 * Override the connection key, if not NULL.  This affects the
	 * behaviour of npf_conn_lookup() and npf_conn_establish().
	 * Note: npc_ckey is of npf_connkey_t type.
	 */
	const void *	npc_ckey;
} npf_cache_t;

/*
 * npf_iscached: test whether ANY of the NPC_* bits in `inf' is set in
 * the cache's npc_info.  Note the any-bit semantics: passing a mask
 * such as NPC_IP46 returns true when either family has been cached,
 * not only when both bits are set.
 *
 * The cache must have been initialised with an nbuf first; the
 * KASSERT fires if npc_nbuf is still NULL.
 */
static inline bool
npf_iscached(const npf_cache_t *npc, const int inf)
{
	KASSERT(npc->npc_nbuf != NULL);
	return __predict_true((npc->npc_info & inf) != 0);
}

/*
 * Misc.
 */

bool		npf_autounload_p(void);

#endif	/* _KERNEL || _NPF_STANDALONE */

/* Indices into address/port pairs (e.g. npf_cache_t::npc_ips). */
#define	NPF_SRC		0
#define	NPF_DST		1

/* Rule attributes. */
#define	NPF_RULE_PASS		0x00000001
#define	NPF_RULE_GROUP		0x00000002
#define	NPF_RULE_FINAL		0x00000004
#define	NPF_RULE_STATEFUL	0x00000008
#define	NPF_RULE_RETRST		0x00000010
#define	NPF_RULE_RETICMP	0x00000020
#define	NPF_RULE_DYNAMIC	0x00000040
#define	NPF_RULE_GSTATEFUL	0x00000080
#define	NPF_RULE_LAYER_3	0x00000100
#define	NPF_RULE_LAYER_2	0x00000200

#define	NPF_DYNAMIC_GROUP	(NPF_RULE_GROUP | NPF_RULE_DYNAMIC)

/* Direction bits; NPF_RULE_DIMASK extracts them. */
#define	NPF_RULE_IN		0x10000000
#define	NPF_RULE_OUT		0x20000000
#define	NPF_RULE_DIMASK		(NPF_RULE_IN | NPF_RULE_OUT)
#define	NPF_RULE_FORW		0x40000000

/*
 * Private range of rule attributes (not public and should not be set).
 * These bits are kernel-internal state; rule attributes arriving from
 * userland are expected to be rejected or cleared if they carry any of
 * them -- the check lives in the rule loading code, not here.
 */
#define	NPF_RULE_PRIVMASK	0x0f000000

/* Maximum lengths, in bytes, of a rule name and of a rule key. */
#define	NPF_RULE_MAXNAMELEN	64
#define	NPF_RULE_MAXKEYLEN	32

/* Priority values. */
/* Sentinels meaning "before all" / "after all" rather than real priorities. */
#define	NPF_PRI_FIRST		(-2)
#define	NPF_PRI_LAST		(-1)

/* Types of code. */
#define	NPF_CODE_BPF		1

/* Address translation types and flags. */
#define	NPF_NATIN		1
#define	NPF_NATOUT		2

#define	NPF_NAT_PORTS		0x01
#define	NPF_NAT_PORTMAP		0x02
#define	NPF_NAT_STATIC		0x04

/* Kernel-internal NAT flag bits; same caveat as NPF_RULE_PRIVMASK. */
#define	NPF_NAT_PRIVMASK	0x0f000000

/* NAT address selection algorithms. */
#define	NPF_ALGO_NONE		0
#define	NPF_ALGO_NETMAP		1
#define	NPF_ALGO_IPHASH		2
#define	NPF_ALGO_RR		3
#define	NPF_ALGO_NPT66		4

/* Table types. */
#define	NPF_TABLE_IPSET		1
#define	NPF_TABLE_LPM		2
#define	NPF_TABLE_CONST		3
#define	NPF_TABLE_IFADDR	4

#define	NPF_TABLE_MAXNAMELEN	32

/*
 * Flags passed via nbuf tags.
 */
#define	NPF_NTAG_PASS		0x0001

/*
 * Rule commands (non-ioctl).
 */

#define	NPF_CMD_RULE_ADD	1
#define	NPF_CMD_RULE_INSERT	2
#define	NPF_CMD_RULE_REMOVE	3
#define	NPF_CMD_RULE_REMKEY	4
#define	NPF_CMD_RULE_LIST	5
#define	NPF_CMD_RULE_FLUSH	6

/*
 * NPF ioctl(2): table commands and structures.
 *
 * Note that the NPF_CMD_TABLE_* numbers overlap the NPF_CMD_RULE_*
 * numbers above; they are distinct namespaces selected by the ioctl.
 */

#define	NPF_CMD_TABLE_LOOKUP	1
#define	NPF_CMD_TABLE_ADD	2
#define	NPF_CMD_TABLE_REMOVE	3
#define	NPF_CMD_TABLE_LIST	4
#define	NPF_CMD_TABLE_FLUSH	5

/*
 * A single table entry as passed from userland.  `alen' is the number
 * of address bytes in use and is presumably expected to be 4 or 16
 * (cf. npc_alen); `mask' is a prefix length or NPF_NO_NETMASK.  Both
 * are untrusted on entry to the kernel and need validating there.
 */
typedef struct npf_ioctl_ent {
	int		alen;
	npf_addr_t	addr;
	npf_netmask_t	mask;
} npf_ioctl_ent_t;

/*
 * A userland buffer description (NPF_CMD_TABLE_LIST).  `buf' is a user
 * pointer and `len' a user-supplied size: the ioctl handler must bound
 * `len' before copying in either direction.  That check is not in this
 * header.
 */
typedef struct npf_ioctl_buf {
	void *		buf;
	size_t		len;
} npf_ioctl_buf_t;

/*
 * Argument of IOC_NPF_TABLE.  `nct_name' is a user pointer to a
 * NUL-terminated table name (presumably limited to
 * NPF_TABLE_MAXNAMELEN); which member of nct_data is valid depends on
 * nct_cmd.
 */
typedef struct npf_ioctl_table {
	int		nct_cmd;
	const char *	nct_name;
	union {
		npf_ioctl_ent_t	ent;
		npf_ioctl_buf_t	buf;
	} nct_data;
} npf_ioctl_table_t;

/*
 * IOCTL operations.
 *
 * nvlist_ref_t is not declared in this header; it comes from one of
 * the headers included above.  Number 106 is not assigned here.
 * IOC_NPF_STATS takes a bare user pointer; the kernel presumably
 * copies NPF_STATS_SIZE bytes to it, so the caller must supply a
 * buffer of at least that size.
 */

#define	IOC_NPF_VERSION		_IOR('N', 100, int)
#define	IOC_NPF_SWITCH		_IOW('N', 101, int)
#define	IOC_NPF_LOAD		_IOWR('N', 102, nvlist_ref_t)
#define	IOC_NPF_TABLE		_IOW('N', 103, struct npf_ioctl_table)
#define	IOC_NPF_STATS		_IOW('N', 104, void *)
#define	IOC_NPF_SAVE		_IOR('N', 105, nvlist_ref_t)
#define	IOC_NPF_RULE		_IOWR('N', 107, nvlist_ref_t)
#define	IOC_NPF_CONN_LOOKUP	_IOWR('N', 108, nvlist_ref_t)
#define	IOC_NPF_TABLE_REPLACE	_IOWR('N', 109, nvlist_ref_t)

/*
 * NPF error report.
 *
 * error_msg and source_file are plain char pointers; who allocates and
 * frees them is not defined by this header -- check the producer
 * before assuming ownership.
 */

typedef struct {
	int64_t		id;
	char *		error_msg;
	char *		source_file;
	unsigned	source_line;
} npf_error_t;

/*
 * Statistics counters.
 *
 * Each value indexes an array of uint64_t counters of NPF_STATS_SIZE
 * bytes.  The ordering is ABI: new counters go before NPF_STATS_COUNT
 * (which must remain last), and adding one changes NPF_STATS_SIZE and
 * therefore the IOC_NPF_STATS contract.
 */

typedef enum {
	/* Packets passed. */
	NPF_STAT_PASS_DEFAULT,
	NPF_STAT_PASS_RULESET,
	NPF_STAT_PASS_CONN,
	NPF_ETHER_STAT_PASS,
	/* Packets blocked. */
	NPF_STAT_BLOCK_DEFAULT,
	NPF_STAT_BLOCK_RULESET,
	NPF_ETHER_STAT_BLOCK,
	/* Connection and NAT entries. */
	NPF_STAT_CONN_CREATE,
	NPF_STAT_CONN_DESTROY,
	NPF_STAT_NAT_CREATE,
	NPF_STAT_NAT_DESTROY,
	/* Invalid state cases. */
	NPF_STAT_INVALID_STATE,
	NPF_STAT_INVALID_STATE_TCP1,
	NPF_STAT_INVALID_STATE_TCP2,
	NPF_STAT_INVALID_STATE_TCP3,
	/* Raced packets. */
	NPF_STAT_RACE_CONN,
	NPF_STAT_RACE_NAT,
	/* Fragments. */
	NPF_STAT_FRAGMENTS,
	NPF_STAT_REASSEMBLY,
	NPF_STAT_REASSFAIL,
	/* Other errors. */
	NPF_STAT_ERROR,
	/* nbuf non-contiguous cases. */
	NPF_STAT_NBUF_NONCONTIG,
	NPF_STAT_NBUF_CONTIG_FAIL,
	/* Count (last). */
	NPF_STATS_COUNT
} npf_stats_t;

/* Size in bytes of the counter array handed to IOC_NPF_STATS. */
#define	NPF_STATS_SIZE		(sizeof(uint64_t) * NPF_STATS_COUNT)

/*
 * unary and binary operators
 *
 * Used as the `op' of rid_t (and possibly elsewhere).  XRG/IRG
 * presumably denote exclusive/inclusive ranges taking two operands --
 * confirm against the comparison code.
 */
enum {
	NPF_OP_NONE,
	NPF_OP_EQ,
	NPF_OP_NE,
	NPF_OP_LE,
	NPF_OP_LT,
	NPF_OP_GE,
	NPF_OP_GT,
	NPF_OP_XRG,
	NPF_OP_IRG
};

#endif	/* _NPF_NET_H_ */