Author: glebius
Date: Sat Oct 26 18:59:58 2013
New Revision: 257186
URL: http://svnweb.freebsd.org/changeset/base/257186

Log:
  Start splitting pfvar.h into internal and external parts.
  
  - Provide pf_altq.h that has only stuff needed for ALTQ.
  - Start pf.h, that would have all constant values and
    eventually non-kernel structures.
  - Build ALTQ w/o pfvar.h, include if_var.h, that before
    came via pollution.
  - Build tcpdump w/o pfvar.h.
  
  Sponsored by: Netflix
  Sponsored by: Nginx, Inc.

Added:
  head/sys/net/pf.h
     - copied, changed from r257177, head/sys/net/pfvar.h
  head/sys/net/pf_altq.h
     - copied, changed from r257177, head/sys/net/pfvar.h
Modified:
  head/contrib/libpcap/grammar.y
  head/sys/contrib/altq/altq/altq_cbq.c
  head/sys/contrib/altq/altq/altq_cdnr.c
  head/sys/contrib/altq/altq/altq_hfsc.c
  head/sys/contrib/altq/altq/altq_priq.c
  head/sys/contrib/altq/altq/altq_red.c
  head/sys/contrib/altq/altq/altq_rio.c
  head/sys/contrib/altq/altq/altq_rmclass.c
  head/sys/contrib/altq/altq/altq_subr.c
  head/sys/net/pfvar.h

Modified: head/contrib/libpcap/grammar.y
==============================================================================
--- head/contrib/libpcap/grammar.y      Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/contrib/libpcap/grammar.y      Sat Oct 26 18:59:58 2013        
(r257186)
@@ -56,7 +56,7 @@ struct rtentry;
 #include "gencode.h"
 #ifdef HAVE_NET_PFVAR_H
 #include <net/if.h>
-#include <net/pfvar.h>
+#include <net/pf.h>
 #include <net/if_pflog.h>
 #endif
 #include "ieee80211.h"
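Review bot: The feature test and the header it guards no longer agree: `#ifdef HAVE_NET_PFVAR_H` records that `<net/pfvar.h>` was found, but the block now includes `<net/pf.h>`. Both headers exist in this tree after the commit, so the build works here, but the macro no longer says anything about the header actually used. This file lives under contrib and presumably tracks upstream libpcap, so the local divergence is easy to lose on the next vendor import. A comment above the include such as `/* FreeBSD: pf constants now live in net/pf.h, not net/pfvar.h */` would record it.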

Modified: head/sys/contrib/altq/altq/altq_cbq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cbq.c       Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_cbq.c       Sat Oct 26 18:59:58 2013        
(r257186)
@@ -54,9 +54,12 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_cbq.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_cdnr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_cdnr.c      Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_cdnr.c      Sat Oct 26 18:59:58 2013        
(r257186)
@@ -55,6 +55,7 @@
 #include <netinet/ip6.h>
 #endif
 
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_hfsc.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_hfsc.c      Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_hfsc.c      Sat Oct 26 18:59:58 2013        
(r257186)
@@ -66,9 +66,12 @@
 #endif /* ALTQ3_COMPAT */
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_hfsc.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_priq.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_priq.c      Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_priq.c      Sat Oct 26 18:59:58 2013        
(r257186)
@@ -51,9 +51,12 @@
 #include <sys/queue.h>
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <netinet/in.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Modified: head/sys/contrib/altq/altq/altq_red.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_red.c       Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_red.c       Sat Oct 26 18:59:58 2013        
(r257186)
@@ -86,6 +86,7 @@
 #endif /* ALTQ3_COMPAT */
 
 #include <net/if.h>
+#include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -94,7 +95,9 @@
 #include <netinet/ip6.h>
 #endif
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
+#include <net/pf_mtag.h>
 #include <altq/altq.h>
 #include <altq/altq_red.h>
 #ifdef ALTQ3_COMPAT

Modified: head/sys/contrib/altq/altq/altq_rio.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rio.c       Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_rio.c       Sat Oct 26 18:59:58 2013        
(r257186)
@@ -81,6 +81,7 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -89,7 +90,8 @@
 #include <netinet/ip6.h>
 #endif
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_cdnr.h>
 #include <altq/altq_red.h>

Modified: head/sys/contrib/altq/altq/altq_rmclass.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_rmclass.c   Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_rmclass.c   Sat Oct 26 18:59:58 2013        
(r257186)
@@ -59,12 +59,14 @@
 #endif
 
 #include <net/if.h>
+#include <net/if_var.h>
 #ifdef ALTQ3_COMPAT
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
 #endif
 
+#include <altq/if_altq.h>
 #include <altq/altq.h>
 #include <altq/altq_rmclass.h>
 #include <altq/altq_rmclass_debug.h>

Modified: head/sys/contrib/altq/altq/altq_subr.c
==============================================================================
--- head/sys/contrib/altq/altq/altq_subr.c      Sat Oct 26 18:47:10 2013        
(r257185)
+++ head/sys/contrib/altq/altq/altq_subr.c      Sat Oct 26 18:59:58 2013        
(r257186)
@@ -49,6 +49,7 @@
 #include <sys/queue.h>
 
 #include <net/if.h>
+#include <net/if_var.h>
 #include <net/if_dl.h>
 #include <net/if_types.h>
 #ifdef __FreeBSD__
@@ -64,7 +65,8 @@
 #include <netinet/tcp.h>
 #include <netinet/udp.h>
 
-#include <net/pfvar.h>
+#include <net/pf.h>
+#include <net/pf_altq.h>
 #include <altq/altq.h>
 #ifdef ALTQ3_COMPAT
 #include <altq/altq_conf.h>

Copied and modified: head/sys/net/pf.h (from r257177, head/sys/net/pfvar.h)
==============================================================================
--- head/sys/net/pfvar.h        Sat Oct 26 18:03:36 2013        (r257177, copy 
source)
+++ head/sys/net/pf.h   Sat Oct 26 18:59:58 2013        (r257186)
@@ -30,18 +30,8 @@
  *     $FreeBSD$
  */
 
-#ifndef _NET_PFVAR_H_
-#define _NET_PFVAR_H_
-
-#include <sys/param.h>
-#include <sys/queue.h>
-#include <sys/refcount.h>
-#include <sys/tree.h>
-
-#include <net/radix.h>
-#include <netinet/in.h>
-
-#include <net/pf_mtag.h>
+#ifndef        _NET_PF_H_
+#define        _NET_PFAR_H_
 
 #define        PF_TCPS_PROXY_SRC       ((TCP_NSTATES)+0)
 #define        PF_TCPS_PROXY_DST       ((TCP_NSTATES)+1)
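Review bot: The include guard of the new pf.h does not match itself: `#ifndef _NET_PF_H_` is followed by `#define _NET_PFAR_H_`, so `_NET_PF_H_` is never defined and a second inclusion is not suppressed. The next hunk's context line shows an unnamed `enum { PF_ADDR_ADDRMASK, ...` in this header, which would be redefined if pf.h is reached twice in one translation unit, for example directly and through another header. The second line should read `#define _NET_PF_H_`. Separately, this hunk removes every `#include` while the retained `PF_TCPS_PROXY_SRC` still expands to `TCP_NSTATES`, so consumers presumably have to bring in the TCP state definitions themselves before using it; a one-line comment stating that requirement would help.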
@@ -119,1082 +109,6 @@ enum     { PF_ADDR_ADDRMASK, PF_ADDR_NOROUTE
 #define        PF_LOG_ALL              0x02
 #define        PF_LOG_SOCKET_LOOKUP    0x04
 
-struct pf_addr {
-       union {
-               struct in_addr          v4;
-               struct in6_addr         v6;
-               u_int8_t                addr8[16];
-               u_int16_t               addr16[8];
-               u_int32_t               addr32[4];
-       } pfa;              /* 128-bit address */
-#define v4     pfa.v4
-#define v6     pfa.v6
-#define addr8  pfa.addr8
-#define addr16 pfa.addr16
-#define addr32 pfa.addr32
-};
-
-#define        PF_TABLE_NAME_SIZE       32
-
-#define PFI_AFLAG_NETWORK      0x01
-#define PFI_AFLAG_BROADCAST    0x02
-#define PFI_AFLAG_PEER         0x04
-#define PFI_AFLAG_MODEMASK     0x07
-#define PFI_AFLAG_NOALIAS      0x08
-
-struct pf_addr_wrap {
-       union {
-               struct {
-                       struct pf_addr           addr;
-                       struct pf_addr           mask;
-               }                        a;
-               char                     ifname[IFNAMSIZ];
-               char                     tblname[PF_TABLE_NAME_SIZE];
-       }                        v;
-       union {
-               struct pfi_dynaddr      *dyn;
-               struct pfr_ktable       *tbl;
-               int                      dyncnt;
-               int                      tblcnt;
-       }                        p;
-       u_int8_t                 type;          /* PF_ADDR_* */
-       u_int8_t                 iflags;        /* PFI_AFLAG_* */
-};
-
-#ifdef _KERNEL
-
-struct pfi_dynaddr {
-       TAILQ_ENTRY(pfi_dynaddr)         entry;
-       struct pf_addr                   pfid_addr4;
-       struct pf_addr                   pfid_mask4;
-       struct pf_addr                   pfid_addr6;
-       struct pf_addr                   pfid_mask6;
-       struct pfr_ktable               *pfid_kt;
-       struct pfi_kif                  *pfid_kif;
-       int                              pfid_net;      /* mask or 128 */
-       int                              pfid_acnt4;    /* address count IPv4 */
-       int                              pfid_acnt6;    /* address count IPv6 */
-       sa_family_t                      pfid_af;       /* rule af */
-       u_int8_t                         pfid_iflags;   /* PFI_AFLAG_* */
-};
-
-/*
- * Address manipulation macros
- */
-#define        HTONL(x)        (x) = htonl((__uint32_t)(x))
-#define        HTONS(x)        (x) = htons((__uint16_t)(x))
-#define        NTOHL(x)        (x) = ntohl((__uint32_t)(x))
-#define        NTOHS(x)        (x) = ntohs((__uint16_t)(x))
-
-#define        PF_NAME         "pf"
-
-#define        PF_HASHROW_ASSERT(h)    mtx_assert(&(h)->lock, MA_OWNED)
-#define        PF_HASHROW_LOCK(h)      mtx_lock(&(h)->lock)
-#define        PF_HASHROW_UNLOCK(h)    mtx_unlock(&(h)->lock)
-
-#define        PF_STATE_LOCK(s)                                                
\
-       do {                                                            \
-               struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)];     \
-               PF_HASHROW_LOCK(_ih);                                   \
-       } while (0)
-
-#define        PF_STATE_UNLOCK(s)                                              
\
-       do {                                                            \
-               struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH((s))];   \
-               PF_HASHROW_UNLOCK(_ih);                                 \
-       } while (0)
-
-#ifdef INVARIANTS
-#define        PF_STATE_LOCK_ASSERT(s)                                         
\
-       do {                                                            \
-               struct pf_idhash *_ih = &V_pf_idhash[PF_IDHASH(s)];     \
-               PF_HASHROW_ASSERT(_ih);                                 \
-       } while (0)
-#else /* !INVARIANTS */
-#define        PF_STATE_LOCK_ASSERT(s)         do {} while (0)
-#endif /* INVARIANTS */
-
-extern struct mtx pf_unlnkdrules_mtx;
-#define        PF_UNLNKDRULES_LOCK()   mtx_lock(&pf_unlnkdrules_mtx)
-#define        PF_UNLNKDRULES_UNLOCK() mtx_unlock(&pf_unlnkdrules_mtx)
-
-extern struct rwlock pf_rules_lock;
-#define        PF_RULES_RLOCK()        rw_rlock(&pf_rules_lock)
-#define        PF_RULES_RUNLOCK()      rw_runlock(&pf_rules_lock)
-#define        PF_RULES_WLOCK()        rw_wlock(&pf_rules_lock)
-#define        PF_RULES_WUNLOCK()      rw_wunlock(&pf_rules_lock)
-#define        PF_RULES_ASSERT()       rw_assert(&pf_rules_lock, RA_LOCKED)
-#define        PF_RULES_RASSERT()      rw_assert(&pf_rules_lock, RA_RLOCKED)
-#define        PF_RULES_WASSERT()      rw_assert(&pf_rules_lock, RA_WLOCKED)
-
-#define        PF_MODVER       1
-#define        PFLOG_MODVER    1
-#define        PFSYNC_MODVER   1
-
-#define        PFLOG_MINVER    1
-#define        PFLOG_PREFVER   PFLOG_MODVER
-#define        PFLOG_MAXVER    1
-#define        PFSYNC_MINVER   1
-#define        PFSYNC_PREFVER  PFSYNC_MODVER
-#define        PFSYNC_MAXVER   1
-
-#ifdef INET
-#ifndef INET6
-#define        PF_INET_ONLY
-#endif /* ! INET6 */
-#endif /* INET */
-
-#ifdef INET6
-#ifndef INET
-#define        PF_INET6_ONLY
-#endif /* ! INET */
-#endif /* INET6 */
-
-#ifdef INET
-#ifdef INET6
-#define        PF_INET_INET6
-#endif /* INET6 */
-#endif /* INET */
-
-#else
-
-#define        PF_INET_INET6
-
-#endif /* _KERNEL */
-
-/* Both IPv4 and IPv6 */
-#ifdef PF_INET_INET6
-
-#define PF_AEQ(a, b, c) \
-       ((c == AF_INET && (a)->addr32[0] == (b)->addr32[0]) || \
-       ((a)->addr32[3] == (b)->addr32[3] && \
-       (a)->addr32[2] == (b)->addr32[2] && \
-       (a)->addr32[1] == (b)->addr32[1] && \
-       (a)->addr32[0] == (b)->addr32[0])) \
-
-#define PF_ANEQ(a, b, c) \
-       ((c == AF_INET && (a)->addr32[0] != (b)->addr32[0]) || \
-       ((a)->addr32[3] != (b)->addr32[3] || \
-       (a)->addr32[2] != (b)->addr32[2] || \
-       (a)->addr32[1] != (b)->addr32[1] || \
-       (a)->addr32[0] != (b)->addr32[0])) \
-
-#define PF_AZERO(a, c) \
-       ((c == AF_INET && !(a)->addr32[0]) || \
-       (!(a)->addr32[0] && !(a)->addr32[1] && \
-       !(a)->addr32[2] && !(a)->addr32[3] )) \
-
-#define PF_MATCHA(n, a, m, b, f) \
-       pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-       pf_addrcpy(a, b, f)
-
-#define PF_AINC(a, f) \
-       pf_addr_inc(a, f)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-       pf_poolmask(a, b, c, d, f)
-
-#else
-
-/* Just IPv6 */
-
-#ifdef PF_INET6_ONLY
-
-#define PF_AEQ(a, b, c) \
-       ((a)->addr32[3] == (b)->addr32[3] && \
-       (a)->addr32[2] == (b)->addr32[2] && \
-       (a)->addr32[1] == (b)->addr32[1] && \
-       (a)->addr32[0] == (b)->addr32[0]) \
-
-#define PF_ANEQ(a, b, c) \
-       ((a)->addr32[3] != (b)->addr32[3] || \
-       (a)->addr32[2] != (b)->addr32[2] || \
-       (a)->addr32[1] != (b)->addr32[1] || \
-       (a)->addr32[0] != (b)->addr32[0]) \
-
-#define PF_AZERO(a, c) \
-       (!(a)->addr32[0] && \
-       !(a)->addr32[1] && \
-       !(a)->addr32[2] && \
-       !(a)->addr32[3] ) \
-
-#define PF_MATCHA(n, a, m, b, f) \
-       pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-       pf_addrcpy(a, b, f)
-
-#define PF_AINC(a, f) \
-       pf_addr_inc(a, f)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-       pf_poolmask(a, b, c, d, f)
-
-#else
-
-/* Just IPv4 */
-#ifdef PF_INET_ONLY
-
-#define PF_AEQ(a, b, c) \
-       ((a)->addr32[0] == (b)->addr32[0])
-
-#define PF_ANEQ(a, b, c) \
-       ((a)->addr32[0] != (b)->addr32[0])
-
-#define PF_AZERO(a, c) \
-       (!(a)->addr32[0])
-
-#define PF_MATCHA(n, a, m, b, f) \
-       pf_match_addr(n, a, m, b, f)
-
-#define PF_ACPY(a, b, f) \
-       (a)->v4.s_addr = (b)->v4.s_addr
-
-#define PF_AINC(a, f) \
-       do { \
-               (a)->addr32[0] = htonl(ntohl((a)->addr32[0]) + 1); \
-       } while (0)
-
-#define PF_POOLMASK(a, b, c, d, f) \
-       do { \
-               (a)->addr32[0] = ((b)->addr32[0] & (c)->addr32[0]) | \
-               (((c)->addr32[0] ^ 0xffffffff ) & (d)->addr32[0]); \
-       } while (0)
-
-#endif /* PF_INET_ONLY */
-#endif /* PF_INET6_ONLY */
-#endif /* PF_INET_INET6 */
-
-/*
- * XXX callers not FIB-aware in our version of pf yet.
- * OpenBSD fixed it later it seems, 2010/05/07 13:33:16 claudio.
- */
-#define        PF_MISMATCHAW(aw, x, af, neg, ifp, rtid)                        
\
-       (                                                               \
-               (((aw)->type == PF_ADDR_NOROUTE &&                      \
-                   pf_routable((x), (af), NULL, (rtid))) ||            \
-               (((aw)->type == PF_ADDR_URPFFAILED && (ifp) != NULL &&  \
-                   pf_routable((x), (af), (ifp), (rtid))) ||           \
-               ((aw)->type == PF_ADDR_TABLE &&                         \
-                   !pfr_match_addr((aw)->p.tbl, (x), (af))) ||         \
-               ((aw)->type == PF_ADDR_DYNIFTL &&                       \
-                   !pfi_match_addr((aw)->p.dyn, (x), (af))) ||         \
-               ((aw)->type == PF_ADDR_RANGE &&                         \
-                   !pf_match_addr_range(&(aw)->v.a.addr,               \
-                   &(aw)->v.a.mask, (x), (af))) ||                     \
-               ((aw)->type == PF_ADDR_ADDRMASK &&                      \
-                   !PF_AZERO(&(aw)->v.a.mask, (af)) &&                 \
-                   !PF_MATCHA(0, &(aw)->v.a.addr,                      \
-                   &(aw)->v.a.mask, (x), (af))))) !=                   \
-               (neg)                                                   \
-       )
-
-
-struct pf_rule_uid {
-       uid_t            uid[2];
-       u_int8_t         op;
-};
-
-struct pf_rule_gid {
-       uid_t            gid[2];
-       u_int8_t         op;
-};
-
-struct pf_rule_addr {
-       struct pf_addr_wrap      addr;
-       u_int16_t                port[2];
-       u_int8_t                 neg;
-       u_int8_t                 port_op;
-};
-
-struct pf_pooladdr {
-       struct pf_addr_wrap              addr;
-       TAILQ_ENTRY(pf_pooladdr)         entries;
-       char                             ifname[IFNAMSIZ];
-       struct pfi_kif                  *kif;
-};
-
-TAILQ_HEAD(pf_palist, pf_pooladdr);
-
-struct pf_poolhashkey {
-       union {
-               u_int8_t                key8[16];
-               u_int16_t               key16[8];
-               u_int32_t               key32[4];
-       } pfk;              /* 128-bit hash key */
-#define key8   pfk.key8
-#define key16  pfk.key16
-#define key32  pfk.key32
-};
-
-struct pf_pool {
-       struct pf_palist         list;
-       struct pf_pooladdr      *cur;
-       struct pf_poolhashkey    key;
-       struct pf_addr           counter;
-       int                      tblidx;
-       u_int16_t                proxy_port[2];
-       u_int8_t                 opts;
-};
-
-
-/* A packed Operating System description for fingerprinting */
-typedef u_int32_t pf_osfp_t;
-#define PF_OSFP_ANY    ((pf_osfp_t)0)
-#define PF_OSFP_UNKNOWN        ((pf_osfp_t)-1)
-#define PF_OSFP_NOMATCH        ((pf_osfp_t)-2)
-
-struct pf_osfp_entry {
-       SLIST_ENTRY(pf_osfp_entry) fp_entry;
-       pf_osfp_t               fp_os;
-       int                     fp_enflags;
-#define PF_OSFP_EXPANDED       0x001           /* expanded entry */
-#define PF_OSFP_GENERIC                0x002           /* generic signature */
-#define PF_OSFP_NODETAIL       0x004           /* no p0f details */
-#define PF_OSFP_LEN    32
-       char                    fp_class_nm[PF_OSFP_LEN];
-       char                    fp_version_nm[PF_OSFP_LEN];
-       char                    fp_subtype_nm[PF_OSFP_LEN];
-};
-#define PF_OSFP_ENTRY_EQ(a, b) \
-    ((a)->fp_os == (b)->fp_os && \
-    memcmp((a)->fp_class_nm, (b)->fp_class_nm, PF_OSFP_LEN) == 0 && \
-    memcmp((a)->fp_version_nm, (b)->fp_version_nm, PF_OSFP_LEN) == 0 && \
-    memcmp((a)->fp_subtype_nm, (b)->fp_subtype_nm, PF_OSFP_LEN) == 0)
-
-/* handle pf_osfp_t packing */
-#define _FP_RESERVED_BIT       1  /* For the special negative #defines */
-#define _FP_UNUSED_BITS                1
-#define _FP_CLASS_BITS         10 /* OS Class (Windows, Linux) */
-#define _FP_VERSION_BITS       10 /* OS version (95, 98, NT, 2.4.54, 3.2) */
-#define _FP_SUBTYPE_BITS       10 /* patch level (NT SP4, SP3, ECN patch) */
-#define PF_OSFP_UNPACK(osfp, class, version, subtype) do { \
-       (class) = ((osfp) >> (_FP_VERSION_BITS+_FP_SUBTYPE_BITS)) & \
-           ((1 << _FP_CLASS_BITS) - 1); \
-       (version) = ((osfp) >> _FP_SUBTYPE_BITS) & \
-           ((1 << _FP_VERSION_BITS) - 1);\
-       (subtype) = (osfp) & ((1 << _FP_SUBTYPE_BITS) - 1); \
-} while(0)
-#define PF_OSFP_PACK(osfp, class, version, subtype) do { \
-       (osfp) = ((class) & ((1 << _FP_CLASS_BITS) - 1)) << (_FP_VERSION_BITS \
-           + _FP_SUBTYPE_BITS); \
-       (osfp) |= ((version) & ((1 << _FP_VERSION_BITS) - 1)) << \
-           _FP_SUBTYPE_BITS; \
-       (osfp) |= (subtype) & ((1 << _FP_SUBTYPE_BITS) - 1); \
-} while(0)
-
-/* the fingerprint of an OSes TCP SYN packet */
-typedef u_int64_t      pf_tcpopts_t;
-struct pf_os_fingerprint {
-       SLIST_HEAD(pf_osfp_enlist, pf_osfp_entry) fp_oses; /* list of matches */
-       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
-       u_int16_t               fp_wsize;       /* TCP window size */
-       u_int16_t               fp_psize;       /* ip->ip_len */
-       u_int16_t               fp_mss;         /* TCP MSS */
-       u_int16_t               fp_flags;
-#define PF_OSFP_WSIZE_MOD      0x0001          /* Window modulus */
-#define PF_OSFP_WSIZE_DC       0x0002          /* Window don't care */
-#define PF_OSFP_WSIZE_MSS      0x0004          /* Window multiple of MSS */
-#define PF_OSFP_WSIZE_MTU      0x0008          /* Window multiple of MTU */
-#define PF_OSFP_PSIZE_MOD      0x0010          /* packet size modulus */
-#define PF_OSFP_PSIZE_DC       0x0020          /* packet size don't care */
-#define PF_OSFP_WSCALE         0x0040          /* TCP window scaling */
-#define PF_OSFP_WSCALE_MOD     0x0080          /* TCP window scale modulus */
-#define PF_OSFP_WSCALE_DC      0x0100          /* TCP window scale dont-care */
-#define PF_OSFP_MSS            0x0200          /* TCP MSS */
-#define PF_OSFP_MSS_MOD                0x0400          /* TCP MSS modulus */
-#define PF_OSFP_MSS_DC         0x0800          /* TCP MSS dont-care */
-#define PF_OSFP_DF             0x1000          /* IPv4 don't fragment bit */
-#define PF_OSFP_TS0            0x2000          /* Zero timestamp */
-#define PF_OSFP_INET6          0x4000          /* IPv6 */
-       u_int8_t                fp_optcnt;      /* TCP option count */
-       u_int8_t                fp_wscale;      /* TCP window scaling */
-       u_int8_t                fp_ttl;         /* IPv4 TTL */
-#define PF_OSFP_MAXTTL_OFFSET  40
-/* TCP options packing */
-#define PF_OSFP_TCPOPT_NOP     0x0             /* TCP NOP option */
-#define PF_OSFP_TCPOPT_WSCALE  0x1             /* TCP window scaling option */
-#define PF_OSFP_TCPOPT_MSS     0x2             /* TCP max segment size opt */
-#define PF_OSFP_TCPOPT_SACK    0x3             /* TCP SACK OK option */
-#define PF_OSFP_TCPOPT_TS      0x4             /* TCP timestamp option */
-#define PF_OSFP_TCPOPT_BITS    3               /* bits used by each option */
-#define PF_OSFP_MAX_OPTS \
-    (sizeof(((struct pf_os_fingerprint *)0)->fp_tcpopts) * 8) \
-    / PF_OSFP_TCPOPT_BITS
-
-       SLIST_ENTRY(pf_os_fingerprint)  fp_next;
-};
-
-struct pf_osfp_ioctl {
-       struct pf_osfp_entry    fp_os;
-       pf_tcpopts_t            fp_tcpopts;     /* packed TCP options */
-       u_int16_t               fp_wsize;       /* TCP window size */
-       u_int16_t               fp_psize;       /* ip->ip_len */
-       u_int16_t               fp_mss;         /* TCP MSS */
-       u_int16_t               fp_flags;
-       u_int8_t                fp_optcnt;      /* TCP option count */
-       u_int8_t                fp_wscale;      /* TCP window scaling */
-       u_int8_t                fp_ttl;         /* IPv4 TTL */
-
-       int                     fp_getnum;      /* DIOCOSFPGET number */
-};
-
-
-union pf_rule_ptr {
-       struct pf_rule          *ptr;
-       u_int32_t                nr;
-};
-
-#define        PF_ANCHOR_NAME_SIZE      64
-
-struct pf_rule {
-       struct pf_rule_addr      src;
-       struct pf_rule_addr      dst;
-#define PF_SKIP_IFP            0
-#define PF_SKIP_DIR            1
-#define PF_SKIP_AF             2
-#define PF_SKIP_PROTO          3
-#define PF_SKIP_SRC_ADDR       4
-#define PF_SKIP_SRC_PORT       5
-#define PF_SKIP_DST_ADDR       6
-#define PF_SKIP_DST_PORT       7
-#define PF_SKIP_COUNT          8
-       union pf_rule_ptr        skip[PF_SKIP_COUNT];
-#define PF_RULE_LABEL_SIZE      64
-       char                     label[PF_RULE_LABEL_SIZE];
-#define PF_QNAME_SIZE           64
-       char                     ifname[IFNAMSIZ];
-       char                     qname[PF_QNAME_SIZE];
-       char                     pqname[PF_QNAME_SIZE];
-#define        PF_TAG_NAME_SIZE         64
-       char                     tagname[PF_TAG_NAME_SIZE];
-       char                     match_tagname[PF_TAG_NAME_SIZE];
-
-       char                     overload_tblname[PF_TABLE_NAME_SIZE];
-
-       TAILQ_ENTRY(pf_rule)     entries;
-       struct pf_pool           rpool;
-
-       u_int64_t                evaluations;
-       u_int64_t                packets[2];
-       u_int64_t                bytes[2];
-
-       struct pfi_kif          *kif;
-       struct pf_anchor        *anchor;
-       struct pfr_ktable       *overload_tbl;
-
-       pf_osfp_t                os_fingerprint;
-
-       int                      rtableid;
-       u_int32_t                timeout[PFTM_MAX];
-       u_int32_t                states_cur;
-       u_int32_t                states_tot;
-       u_int32_t                max_states;
-       u_int32_t                src_nodes;
-       u_int32_t                max_src_nodes;
-       u_int32_t                max_src_states;
-       u_int32_t                spare1;                        /* netgraph */
-       u_int32_t                max_src_conn;
-       struct {
-               u_int32_t               limit;
-               u_int32_t               seconds;
-       }                        max_src_conn_rate;
-       u_int32_t                qid;
-       u_int32_t                pqid;
-       u_int32_t                rt_listid;
-       u_int32_t                nr;
-       u_int32_t                prob;
-       uid_t                    cuid;
-       pid_t                    cpid;
-
-       u_int16_t                return_icmp;
-       u_int16_t                return_icmp6;
-       u_int16_t                max_mss;
-       u_int16_t                tag;
-       u_int16_t                match_tag;
-       u_int16_t                spare2;                        /* netgraph */
-
-       struct pf_rule_uid       uid;
-       struct pf_rule_gid       gid;
-
-       u_int32_t                rule_flag;
-       u_int8_t                 action;
-       u_int8_t                 direction;
-       u_int8_t                 log;
-       u_int8_t                 logif;
-       u_int8_t                 quick;
-       u_int8_t                 ifnot;
-       u_int8_t                 match_tag_not;
-       u_int8_t                 natpass;
-
-#define PF_STATE_NORMAL                0x1
-#define PF_STATE_MODULATE      0x2
-#define PF_STATE_SYNPROXY      0x3
-       u_int8_t                 keep_state;
-       sa_family_t              af;
-       u_int8_t                 proto;
-       u_int8_t                 type;
-       u_int8_t                 code;
-       u_int8_t                 flags;
-       u_int8_t                 flagset;
-       u_int8_t                 min_ttl;
-       u_int8_t                 allow_opts;
-       u_int8_t                 rt;
-       u_int8_t                 return_ttl;
-       u_int8_t                 tos;
-       u_int8_t                 set_tos;
-       u_int8_t                 anchor_relative;
-       u_int8_t                 anchor_wildcard;
-
-#define PF_FLUSH               0x01
-#define PF_FLUSH_GLOBAL                0x02
-       u_int8_t                 flush;
-
-       struct {
-               struct pf_addr          addr;
-               u_int16_t               port;
-       }                       divert;
-};
-
-/* rule flags */
-#define        PFRULE_DROP             0x0000
-#define        PFRULE_RETURNRST        0x0001
-#define        PFRULE_FRAGMENT         0x0002
-#define        PFRULE_RETURNICMP       0x0004
-#define        PFRULE_RETURN           0x0008
-#define        PFRULE_NOSYNC           0x0010
-#define PFRULE_SRCTRACK                0x0020  /* track source states */
-#define PFRULE_RULESRCTRACK    0x0040  /* per rule */
-#define        PFRULE_REFS             0x0080  /* rule has references */
-
-/* scrub flags */
-#define        PFRULE_NODF             0x0100
-#define        PFRULE_FRAGCROP         0x0200  /* non-buffering frag cache */
-#define        PFRULE_FRAGDROP         0x0400  /* drop funny fragments */
-#define PFRULE_RANDOMID                0x0800
-#define PFRULE_REASSEMBLE_TCP  0x1000
-#define PFRULE_SET_TOS         0x2000
-
-/* rule flags again */
-#define PFRULE_IFBOUND         0x00010000      /* if-bound */
-#define PFRULE_STATESLOPPY     0x00020000      /* sloppy state tracking */
-
-#define PFSTATE_HIWAT          10000   /* default state table size */
-#define PFSTATE_ADAPT_START    6000    /* default adaptive timeout start */
-#define PFSTATE_ADAPT_END      12000   /* default adaptive timeout end */
-
-
-struct pf_threshold {
-       u_int32_t       limit;
-#define        PF_THRESHOLD_MULT       1000
-#define PF_THRESHOLD_MAX       0xffffffff / PF_THRESHOLD_MULT
-       u_int32_t       seconds;
-       u_int32_t       count;
-       u_int32_t       last;
-};
-
-struct pf_src_node {
-       LIST_ENTRY(pf_src_node) entry;
-       struct pf_addr   addr;
-       struct pf_addr   raddr;
-       union pf_rule_ptr rule;
-       struct pfi_kif  *kif;
-       u_int64_t        bytes[2];
-       u_int64_t        packets[2];
-       u_int32_t        states;
-       u_int32_t        conn;
-       struct pf_threshold     conn_rate;
-       u_int32_t        creation;
-       u_int32_t        expire;
-       sa_family_t      af;
-       u_int8_t         ruletype;
-};
-
-#define PFSNODE_HIWAT          10000   /* default source node table size */
-
-struct pf_state_scrub {
-       struct timeval  pfss_last;      /* time received last packet    */
-       u_int32_t       pfss_tsecr;     /* last echoed timestamp        */
-       u_int32_t       pfss_tsval;     /* largest timestamp            */
-       u_int32_t       pfss_tsval0;    /* original timestamp           */
-       u_int16_t       pfss_flags;
-#define PFSS_TIMESTAMP 0x0001          /* modulate timestamp           */
-#define PFSS_PAWS      0x0010          /* stricter PAWS checks         */
-#define PFSS_PAWS_IDLED        0x0020          /* was idle too long.  no PAWS  
*/
-#define PFSS_DATA_TS   0x0040          /* timestamp on data packets    */
-#define PFSS_DATA_NOTS 0x0080          /* no timestamp on data packets */
-       u_int8_t        pfss_ttl;       /* stashed TTL                  */
-       u_int8_t        pad;
-       u_int32_t       pfss_ts_mod;    /* timestamp modulation         */
-};
-
-struct pf_state_host {
-       struct pf_addr  addr;
-       u_int16_t       port;
-       u_int16_t       pad;
-};
-
-struct pf_state_peer {
-       struct pf_state_scrub   *scrub; /* state is scrubbed            */
-       u_int32_t       seqlo;          /* Max sequence number sent     */
-       u_int32_t       seqhi;          /* Max the other end ACKd + win */
-       u_int32_t       seqdiff;        /* Sequence number modulator    */
-       u_int16_t       max_win;        /* largest window (pre scaling) */
-       u_int16_t       mss;            /* Maximum segment size option  */
-       u_int8_t        state;          /* active state level           */
-       u_int8_t        wscale;         /* window scaling factor        */
-       u_int8_t        tcp_est;        /* Did we reach TCPS_ESTABLISHED */
-       u_int8_t        pad[1];
-};
-
-/* Keep synced with struct pf_state_key. */
-struct pf_state_key_cmp {
-       struct pf_addr   addr[2];
-       u_int16_t        port[2];
-       sa_family_t      af;
-       u_int8_t         proto;
-       u_int8_t         pad[2];
-};
-
-struct pf_state_key {
-       struct pf_addr   addr[2];
-       u_int16_t        port[2];
-       sa_family_t      af;
-       u_int8_t         proto;
-       u_int8_t         pad[2];
-
-       LIST_ENTRY(pf_state_key) entry;
-       TAILQ_HEAD(, pf_state)   states[2];
-};
-
-/* Keep synced with struct pf_state. */
-struct pf_state_cmp {
-       u_int64_t                id;
-       u_int32_t                creatorid;
-       u_int8_t                 direction;
-       u_int8_t                 pad[3];
-};
-
-struct pf_state {
-       u_int64_t                id;
-       u_int32_t                creatorid;
-       u_int8_t                 direction;
-       u_int8_t                 pad[3];
-
-       u_int                    refs;
-       TAILQ_ENTRY(pf_state)    sync_list;
-       TAILQ_ENTRY(pf_state)    key_list[2];
-       LIST_ENTRY(pf_state)     entry;
-       struct pf_state_peer     src;
-       struct pf_state_peer     dst;
-       union pf_rule_ptr        rule;
-       union pf_rule_ptr        anchor;
-       union pf_rule_ptr        nat_rule;
-       struct pf_addr           rt_addr;
-       struct pf_state_key     *key[2];        /* addresses stack and wire  */
-       struct pfi_kif          *kif;
-       struct pfi_kif          *rt_kif;
-       struct pf_src_node      *src_node;
-       struct pf_src_node      *nat_src_node;
-       u_int64_t                packets[2];
-       u_int64_t                bytes[2];
-       u_int32_t                creation;
-       u_int32_t                expire;
-       u_int32_t                pfsync_time;
-       u_int16_t                tag;
-       u_int8_t                 log;
-       u_int8_t                 state_flags;
-#define        PFSTATE_ALLOWOPTS       0x01
-#define        PFSTATE_SLOPPY          0x02
-/*  was        PFSTATE_PFLOW           0x04 */
-#define        PFSTATE_NOSYNC          0x08
-#define        PFSTATE_ACK             0x10
-       u_int8_t                 timeout;
-       u_int8_t                 sync_state; /* PFSYNC_S_x */
-
-       /* XXX */
-       u_int8_t                 sync_updates;
-       u_int8_t                _tail[3];
-};
-
-/*
- * Unified state structures for pulling states out of the kernel
- * used by pfsync(4) and the pf(4) ioctl.
- */
-struct pfsync_state_scrub {
-       u_int16_t       pfss_flags;
-       u_int8_t        pfss_ttl;       /* stashed TTL          */
-#define PFSYNC_SCRUB_FLAG_VALID                0x01
-       u_int8_t        scrub_flag;
-       u_int32_t       pfss_ts_mod;    /* timestamp modulation */
-} __packed;
-
-struct pfsync_state_peer {
-       struct pfsync_state_scrub scrub;        /* state is scrubbed    */
-       u_int32_t       seqlo;          /* Max sequence number sent     */
-       u_int32_t       seqhi;          /* Max the other end ACKd + win */
-       u_int32_t       seqdiff;        /* Sequence number modulator    */
-       u_int16_t       max_win;        /* largest window (pre scaling) */
-       u_int16_t       mss;            /* Maximum segment size option  */
-       u_int8_t        state;          /* active state level           */
-       u_int8_t        wscale;         /* window scaling factor        */
-       u_int8_t        pad[6];
-} __packed;
-
-struct pfsync_state_key {
-       struct pf_addr   addr[2];
-       u_int16_t        port[2];
-};
-
-struct pfsync_state {
-       u_int64_t        id;
-       char             ifname[IFNAMSIZ];
-       struct pfsync_state_key key[2];
-       struct pfsync_state_peer src;
-       struct pfsync_state_peer dst;
-       struct pf_addr   rt_addr;
-       u_int32_t        rule;
-       u_int32_t        anchor;
-       u_int32_t        nat_rule;
-       u_int32_t        creation;
-       u_int32_t        expire;
-       u_int32_t        packets[2][2];
-       u_int32_t        bytes[2][2];
-       u_int32_t        creatorid;
-       sa_family_t      af;
-       u_int8_t         proto;
-       u_int8_t         direction;
-       u_int8_t         __spare[2];
-       u_int8_t         log;
-       u_int8_t         state_flags;
-       u_int8_t         timeout;
-       u_int8_t         sync_flags;
-       u_int8_t         updates;
-} __packed;
-
-#ifdef _KERNEL
-/* pfsync */
-typedef int            pfsync_state_import_t(struct pfsync_state *, u_int8_t);
-typedef        void            pfsync_insert_state_t(struct pf_state *);
-typedef        void            pfsync_update_state_t(struct pf_state *);
-typedef        void            pfsync_delete_state_t(struct pf_state *);
-typedef void           pfsync_clear_states_t(u_int32_t, const char *);
-typedef int            pfsync_defer_t(struct pf_state *, struct mbuf *);
-
-extern pfsync_state_import_t   *pfsync_state_import_ptr;
-extern pfsync_insert_state_t   *pfsync_insert_state_ptr;
-extern pfsync_update_state_t   *pfsync_update_state_ptr;
-extern pfsync_delete_state_t   *pfsync_delete_state_ptr;
-extern pfsync_clear_states_t   *pfsync_clear_states_ptr;
-extern pfsync_defer_t          *pfsync_defer_ptr;
-
-void                   pfsync_state_export(struct pfsync_state *,
-                           struct pf_state *);
-
-/* pflog */
-struct pf_ruleset;
-struct pf_pdesc;
-typedef int pflog_packet_t(struct pfi_kif *, struct mbuf *, sa_family_t,
-    u_int8_t, u_int8_t, struct pf_rule *, struct pf_rule *,
-    struct pf_ruleset *, struct pf_pdesc *, int);
-extern pflog_packet_t          *pflog_packet_ptr;
-
-#define        V_pf_end_threads        VNET(pf_end_threads)
-#endif /* _KERNEL */
-
-#define        PFSYNC_FLAG_SRCNODE     0x04
-#define        PFSYNC_FLAG_NATSRCNODE  0x08
-
-/* for copies to/from network byte order */
-/* ioctl interface also uses network byte order */
-#define pf_state_peer_hton(s,d) do {           \
-       (d)->seqlo = htonl((s)->seqlo);         \
-       (d)->seqhi = htonl((s)->seqhi);         \
-       (d)->seqdiff = htonl((s)->seqdiff);     \
-       (d)->max_win = htons((s)->max_win);     \
-       (d)->mss = htons((s)->mss);             \
-       (d)->state = (s)->state;                \
-       (d)->wscale = (s)->wscale;              \
-       if ((s)->scrub) {                                               \
-               (d)->scrub.pfss_flags =                                 \
-                   htons((s)->scrub->pfss_flags & PFSS_TIMESTAMP);     \
-               (d)->scrub.pfss_ttl = (s)->scrub->pfss_ttl;             \
-               (d)->scrub.pfss_ts_mod = htonl((s)->scrub->pfss_ts_mod);\
-               (d)->scrub.scrub_flag = PFSYNC_SCRUB_FLAG_VALID;        \
-       }                                                               \
-} while (0)
-
-#define pf_state_peer_ntoh(s,d) do {           \
-       (d)->seqlo = ntohl((s)->seqlo);         \
-       (d)->seqhi = ntohl((s)->seqhi);         \
-       (d)->seqdiff = ntohl((s)->seqdiff);     \
-       (d)->max_win = ntohs((s)->max_win);     \
-       (d)->mss = ntohs((s)->mss);             \
-       (d)->state = (s)->state;                \
-       (d)->wscale = (s)->wscale;              \
-       if ((s)->scrub.scrub_flag == PFSYNC_SCRUB_FLAG_VALID &&         \
-           (d)->scrub != NULL) {                                       \
-               (d)->scrub->pfss_flags =                                \
-                   ntohs((s)->scrub.pfss_flags) & PFSS_TIMESTAMP;      \
-               (d)->scrub->pfss_ttl = (s)->scrub.pfss_ttl;             \
-               (d)->scrub->pfss_ts_mod = ntohl((s)->scrub.pfss_ts_mod);\
-       }                                                               \
-} while (0)
-
-#define pf_state_counter_hton(s,d) do {                                \
-       d[0] = htonl((s>>32)&0xffffffff);                       \

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***