Page MenuHomeFreeBSD
Differential D38025 Diff 119138 sys/net/pfvar.h

Changeset View

Standalone View

View Options

sys/net/pfvar.h

Show First 20 LinesShow All 304 Lines▼ Show 20 Lines do { \
critical_exit(); \ critical_exit(); \
} while (0) } while (0)
#define pf_timestamp_pcpu_zone (sizeof(time_t) == 4 ? pcpu_zone_4 : pcpu_zone_8) #define pf_timestamp_pcpu_zone (sizeof(time_t) == 4 ? pcpu_zone_4 : pcpu_zone_8)
_Static_assert(sizeof(time_t) == 4 || sizeof(time_t) == 8, "unexpected time_t size"); _Static_assert(sizeof(time_t) == 4 || sizeof(time_t) == 8, "unexpected time_t size");
SYSCTL_DECL(_net_pf); SYSCTL_DECL(_net_pf);
MALLOC_DECLARE(M_PFHASH); MALLOC_DECLARE(M_PFHASH);
MALLOC_DECLARE(M_PF_RULE_ITEM);
SDT_PROVIDER_DECLARE(pf); SDT_PROVIDER_DECLARE(pf);
struct pfi_dynaddr { struct pfi_dynaddr {
TAILQ_ENTRY(pfi_dynaddr) entry; TAILQ_ENTRY(pfi_dynaddr) entry;
struct pf_addr pfid_addr4; struct pf_addr pfid_addr4;
struct pf_addr pfid_mask4; struct pf_addr pfid_mask4;
struct pf_addr pfid_addr6; struct pf_addr pfid_addr6;
▲ Show 20 LinesShow All 267 Lines▼ Show 20 Linesstruct pf_kpool {
struct pf_addr counter; struct pf_addr counter;
struct pf_mape_portset mape; struct pf_mape_portset mape;
int tblidx; int tblidx;
u_int16_t proxy_port[2]; u_int16_t proxy_port[2];
u_int8_t opts; u_int8_t opts;
}; };
struct pf_rule_actions { struct pf_rule_actions {
int rtableid;
uint16_t qid; uint16_t qid;
uint16_t pqid; uint16_t pqid;
uint16_t max_mss;
uint8_t log;
uint8_t set_tos;
uint8_t min_ttl;
uint16_t dnpipe; uint16_t dnpipe;
uint16_t dnrpipe; /* Reverse direction pipe */ uint16_t dnrpipe; /* Reverse direction pipe */
uint32_t flags; uint32_t flags;
uint32_t dnflags;
}; };
union pf_keth_rule_ptr { union pf_keth_rule_ptr {
struct pf_keth_rule *ptr; struct pf_keth_rule *ptr;
uint32_t nr; uint32_t nr;
}; };
struct pf_keth_rule_addr { struct pf_keth_rule_addr {
▲ Show 20 LinesShow All 197 Lines▼ Show 20 Linesstruct pf_krule {
RB_ENTRY(pf_krule) entry_global; RB_ENTRY(pf_krule) entry_global;
#ifdef PF_WANT_32_TO_64_COUNTER #ifdef PF_WANT_32_TO_64_COUNTER
LIST_ENTRY(pf_krule) allrulelist; LIST_ENTRY(pf_krule) allrulelist;
bool allrulelinked; bool allrulelinked;
#endif #endif
}; };
struct pf_krule_item {
SLIST_ENTRY(pf_krule_item) entry;
struct pf_krule *r;
};
SLIST_HEAD(pf_krule_slist, pf_krule_item);
struct pf_ksrc_node { struct pf_ksrc_node {
LIST_ENTRY(pf_ksrc_node) entry; LIST_ENTRY(pf_ksrc_node) entry;
struct pf_addr addr; struct pf_addr addr;
struct pf_addr raddr; struct pf_addr raddr;
struct pf_krule_slist match_rules;
union pf_krule_ptr rule; union pf_krule_ptr rule;
struct pfi_kkif *kif; struct pfi_kkif *kif;
counter_u64_t bytes[2]; counter_u64_t bytes[2];
counter_u64_t packets[2]; counter_u64_t packets[2];
u_int32_t states; u_int32_t states;
u_int32_t conn; u_int32_t conn;
struct pf_threshold conn_rate; struct pf_threshold conn_rate;
u_int32_t creation; u_int32_t creation;
▲ Show 20 LinesShow All 61 Lines▼ Show 20 Lines
/* Keep synced with struct pf_kstate. */ /* Keep synced with struct pf_kstate. */
struct pf_state_cmp { struct pf_state_cmp {
u_int64_t id; u_int64_t id;
u_int32_t creatorid; u_int32_t creatorid;
u_int8_t direction; u_int8_t direction;
u_int8_t pad[3]; u_int8_t pad[3];
}; };
#define PFSTATE_ALLOWOPTS 0x01
#define PFSTATE_SLOPPY 0x02
/* was PFSTATE_PFLOW 0x04 */
#define PFSTATE_NOSYNC 0x08
#define PFSTATE_ACK 0x10
#define PFRULE_DN_IS_PIPE 0x40
#define PFRULE_DN_IS_QUEUE 0x80
#define PFSTATE_SETPRIO 0x0200
#define PFSTATE_SETMASK (PFSTATE_SETPRIO)
struct pf_state_scrub_export { struct pf_state_scrub_export {
uint16_t pfss_flags; uint16_t pfss_flags;
uint8_t pfss_ttl; /* stashed TTL */ uint8_t pfss_ttl; /* stashed TTL */
#define PF_SCRUB_FLAG_VALID 0x01 #define PF_SCRUB_FLAG_VALID 0x01
uint8_t scrub_flag; uint8_t scrub_flag;
uint32_t pfss_ts_mod; /* timestamp modulation */ uint32_t pfss_ts_mod; /* timestamp modulation */
}; };
Show All 34 Lines#define PF_STATE_VERSION 20210706
uint64_t packets[2]; uint64_t packets[2];
uint64_t bytes[2]; uint64_t bytes[2];
uint32_t creatorid; uint32_t creatorid;
uint32_t spare1; uint32_t spare1;
sa_family_t af; sa_family_t af;
uint8_t proto; uint8_t proto;
uint8_t direction; uint8_t direction;
uint8_t log; uint8_t log;
uint8_t state_flags; uint8_t state_flags_compat;
uint8_t timeout; uint8_t timeout;
uint8_t sync_flags; uint8_t sync_flags;
uint8_t updates; uint8_t updates;
uint16_t state_flags;
uint8_t spare[112]; uint8_t spare[110];
}; };
_Static_assert(sizeof(struct pf_state_export) == 384, "size incorrect"); _Static_assert(sizeof(struct pf_state_export) == 384, "size incorrect");
#ifdef _KERNEL #ifdef _KERNEL
struct pf_kstate { struct pf_kstate {
/* /*
* Area shared with pf_state_cmp * Area shared with pf_state_cmp
*/ */
u_int64_t id; u_int64_t id;
u_int32_t creatorid; u_int32_t creatorid;
u_int8_t direction; u_int8_t direction;
u_int8_t pad[3]; u_int8_t pad[3];
/* /*
* end of the area * end of the area
*/ */
u_int8_t state_flags; u_int16_t state_flags;
vegeta_tuxpowered.netAuthorUnsubmitted
Done
Inline Actions

At this moment pfync and pfctl are not yet fixed to handle the 16-bit flags. I'll update them later.

vegeta_tuxpowered.net: At this moment pfync and pfctl are not yet fixed to handle the 16-bit flags. I'll update them…
kpUnsubmitted
Not Done
Inline Actions

We're going to have to be very careful about pfsync compatibility then.

kp: We're going to have to be very careful about pfsync compatibility then.
vegeta_tuxpowered.netAuthorUnsubmitted
Done
Inline Actions

I've done it the same way as OpenBSD did during transition. There are 2 spare bytes, I've added a new struct member there. In sending and receiving both the the old 8-bit and the new 16-bit struct members are used.

vegeta_tuxpowered.net: I've done it the same way as OpenBSD did during transition. There are 2 spare bytes, I've added…
u_int8_t timeout; u_int8_t timeout;
u_int8_t sync_state; /* PFSYNC_S_x */ u_int8_t sync_state; /* PFSYNC_S_x */
u_int8_t sync_updates; /* XXX */ u_int8_t sync_updates; /* XXX */
u_int refs; u_int refs;
struct mtx *lock; struct mtx *lock;
TAILQ_ENTRY(pf_kstate) sync_list; TAILQ_ENTRY(pf_kstate) sync_list;
TAILQ_ENTRY(pf_kstate) key_list[2]; TAILQ_ENTRY(pf_kstate) key_list[2];
LIST_ENTRY(pf_kstate) entry; LIST_ENTRY(pf_kstate) entry;
struct pf_state_peer src; struct pf_state_peer src;
struct pf_state_peer dst; struct pf_state_peer dst;
struct pf_krule_slist match_rules;
union pf_krule_ptr rule; union pf_krule_ptr rule;
union pf_krule_ptr anchor; union pf_krule_ptr anchor;
union pf_krule_ptr nat_rule; union pf_krule_ptr nat_rule;
struct pf_addr rt_addr; struct pf_addr rt_addr;
struct pf_state_key *key[2]; /* addresses stack and wire */ struct pf_state_key *key[2]; /* addresses stack and wire */
struct pfi_kkif *kif; struct pfi_kkif *kif;
struct pfi_kkif *orig_kif; /* The real kif, even if we're a floating state (i.e. if == V_pfi_all). */ struct pfi_kkif *orig_kif; /* The real kif, even if we're a floating state (i.e. if == V_pfi_all). */
struct pfi_kkif *rt_kif; struct pfi_kkif *rt_kif;
struct pf_ksrc_node *src_node; struct pf_ksrc_node *src_node;
struct pf_ksrc_node *nat_src_node; struct pf_ksrc_node *nat_src_node;
u_int64_t packets[2]; u_int64_t packets[2];
u_int64_t bytes[2]; u_int64_t bytes[2];
u_int32_t creation; u_int32_t creation;
u_int32_t expire; u_int32_t expire;
u_int32_t pfsync_time; u_int32_t pfsync_time;
u_int16_t qid; u_int16_t qid;
u_int16_t pqid; u_int16_t pqid;
u_int16_t dnpipe; u_int16_t dnpipe;
u_int16_t dnrpipe; u_int16_t dnrpipe;
u_int16_t tag; u_int16_t tag;
u_int8_t log; u_int8_t log;
int rtableid;
u_int8_t min_ttl;
u_int8_t set_tos;
u_int16_t max_mss;
}; };
/* /*
* Size <= fits 13 objects per page on LP64. Try to not grow the struct beyond that. * Size <= fits 12 objects per page on LP64. Try to not grow the struct beyond that.
*/ */
_Static_assert(sizeof(struct pf_kstate) <= 312, "pf_kstate size crosses 312 bytes"); _Static_assert(sizeof(struct pf_kstate) <= 336, "pf_kstate size crosses 336 bytes");
vegeta_tuxpowered.netAuthorUnsubmitted
Not Done
Inline Actions

@kp I'm unsure if I did the math correctly here. Now I've updated it to 336B, because its dividable by 64b/8B and 340B * 12 = 4032, so it fits within a page. Is this proper?

vegeta_tuxpowered.net: @kp I'm unsure if I did the math correctly here. Now I've updated it to 336B, because its…
kpUnsubmitted
Not Done
Inline Actions

That should be okay, yes. The intent behind this (I believe, I didn't write this) is to keep struct pf_kstate compact for performance reasons. It's almost inevitable that we're going to keep growing it with new features though.

kp: That should be okay, yes. The intent behind this (I believe, I didn't write this) is to keep…
#endif #endif
/* /*
* Unified state structures for pulling states out of the kernel * Unified state structures for pulling states out of the kernel
* used by pfsync(4) and the pf(4) ioctl. * used by pfsync(4) and the pf(4) ioctl.
*/ */
struct pfsync_state_scrub { struct pfsync_state_scrub {
u_int16_t pfss_flags; u_int16_t pfss_flags;
Show All 33 Linesstruct pfsync_state {
u_int32_t creation; u_int32_t creation;
u_int32_t expire; u_int32_t expire;
u_int32_t packets[2][2]; u_int32_t packets[2][2];
u_int32_t bytes[2][2]; u_int32_t bytes[2][2];
u_int32_t creatorid; u_int32_t creatorid;
sa_family_t af; sa_family_t af;
u_int8_t proto; u_int8_t proto;
u_int8_t direction; u_int8_t direction;
u_int8_t __spare[2]; u_int16_t state_flags;
u_int8_t log; u_int8_t log;
u_int8_t state_flags; u_int8_t state_flags_compat;
u_int8_t timeout; u_int8_t timeout;
u_int8_t sync_flags; u_int8_t sync_flags;
u_int8_t updates; u_int8_t updates;
} __packed; } __packed;
#ifdef _KERNEL #ifdef _KERNEL
/* pfsync */ /* pfsync */
typedef int pfsync_state_import_t(struct pfsync_state *, int); typedef int pfsync_state_import_t(struct pfsync_state *, int);
▲ Show 20 LinesShow All 465 Lines▼ Show 20 Linesstruct pf_kstatus {
uint32_t hostid; uint32_t hostid;
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
bool keep_counters; bool keep_counters;
enum pf_syncookies_mode syncookies_mode; enum pf_syncookies_mode syncookies_mode;
bool syncookies_active; bool syncookies_active;
uint64_t syncookies_inflight[2]; uint64_t syncookies_inflight[2];
uint32_t states_halfopen; uint32_t states_halfopen;
uint32_t reass;
}; };
#endif #endif
struct pf_divert { struct pf_divert {
union { union {
struct in_addr ipv4; struct in_addr ipv4;
struct in6_addr ipv6; struct in6_addr ipv6;
} addr; } addr;
▲ Show 20 LinesShow All 336 Lines▼ Show 20 Lines
#define DIOCSETSYNCOOKIES _IOWR('D', 95, struct pfioc_nv) #define DIOCSETSYNCOOKIES _IOWR('D', 95, struct pfioc_nv)
#define DIOCKEEPCOUNTERS _IOWR('D', 96, struct pfioc_nv) #define DIOCKEEPCOUNTERS _IOWR('D', 96, struct pfioc_nv)
#define DIOCKEEPCOUNTERS_FREEBSD13 _IOWR('D', 92, struct pfioc_nv) #define DIOCKEEPCOUNTERS_FREEBSD13 _IOWR('D', 92, struct pfioc_nv)
#define DIOCADDETHRULE _IOWR('D', 97, struct pfioc_nv) #define DIOCADDETHRULE _IOWR('D', 97, struct pfioc_nv)
#define DIOCGETETHRULE _IOWR('D', 98, struct pfioc_nv) #define DIOCGETETHRULE _IOWR('D', 98, struct pfioc_nv)
#define DIOCGETETHRULES _IOWR('D', 99, struct pfioc_nv) #define DIOCGETETHRULES _IOWR('D', 99, struct pfioc_nv)
#define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv) #define DIOCGETETHRULESETS _IOWR('D', 100, struct pfioc_nv)
#define DIOCGETETHRULESET _IOWR('D', 101, struct pfioc_nv) #define DIOCGETETHRULESET _IOWR('D', 101, struct pfioc_nv)
#define DIOCSETREASS _IOWR('D', 102, u_int32_t)
struct pf_ifspeed_v0 { struct pf_ifspeed_v0 {
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
u_int32_t baudrate; u_int32_t baudrate;
}; };
struct pf_ifspeed_v1 { struct pf_ifspeed_v1 {
char ifname[IFNAMSIZ]; char ifname[IFNAMSIZ];
▲ Show 20 LinesShow All 336 Lines▼ Show 20 Linesint pf_addr_cmp(struct pf_addr *, struct pf_addr *,
sa_family_t); sa_family_t);
u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, sa_family_t); u_int16_t pf_get_mss(struct mbuf *, int, u_int16_t, sa_family_t);
u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t); u_int8_t pf_get_wscale(struct mbuf *, int, u_int16_t, sa_family_t);
struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t, struct mbuf *pf_build_tcp(const struct pf_krule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *, const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int16_t, u_int16_t, u_int32_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
u_int16_t); u_int16_t, int);
void pf_send_tcp(const struct pf_krule *, sa_family_t, void pf_send_tcp(const struct pf_krule *, sa_family_t,
const struct pf_addr *, const struct pf_addr *, const struct pf_addr *, const struct pf_addr *,
u_int16_t, u_int16_t, u_int32_t, u_int32_t, u_int16_t, u_int16_t, u_int32_t, u_int32_t,
u_int8_t, u_int16_t, u_int16_t, u_int8_t, int, u_int8_t, u_int16_t, u_int16_t, u_int8_t, int,
u_int16_t); u_int16_t, int);
void pf_syncookies_init(void); void pf_syncookies_init(void);
void pf_syncookies_cleanup(void); void pf_syncookies_cleanup(void);
int pf_get_syncookies(struct pfioc_nv *); int pf_get_syncookies(struct pfioc_nv *);
int pf_set_syncookies(struct pfioc_nv *); int pf_set_syncookies(struct pfioc_nv *);
int pf_synflood_check(struct pf_pdesc *); int pf_synflood_check(struct pf_pdesc *);
void pf_syncookie_send(struct mbuf *m, int off, void pf_syncookie_send(struct mbuf *m, int off,
struct pf_pdesc *); struct pf_pdesc *);
▲ Show 20 LinesShow All 96 Lines▼ Show 20 Linesstruct pf_krule *pf_get_translation(struct pf_pdesc *, struct mbuf *,
int, int, struct pfi_kkif *, struct pf_ksrc_node **, int, int, struct pfi_kkif *, struct pf_ksrc_node **,
struct pf_state_key **, struct pf_state_key **, struct pf_state_key **, struct pf_state_key **,
struct pf_addr *, struct pf_addr *, struct pf_addr *, struct pf_addr *,
uint16_t, uint16_t, struct pf_kanchor_stackframe *); uint16_t, uint16_t, struct pf_kanchor_stackframe *);
struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *, struct pf_state_key *pf_state_key_setup(struct pf_pdesc *, struct pf_addr *,
struct pf_addr *, u_int16_t, u_int16_t); struct pf_addr *, u_int16_t, u_int16_t);
struct pf_state_key *pf_state_key_clone(struct pf_state_key *); struct pf_state_key *pf_state_key_clone(struct pf_state_key *);
int pf_normalize_mss(struct mbuf *m, int off,
struct pf_pdesc *pd, u_int16_t maxmss);
u_int16_t pf_rule_to_scrub_flags(u_int32_t);
#ifdef INET
void pf_scrub_ip(struct mbuf **, uint32_t, uint8_t, uint8_t);
#endif /* INET */
#ifdef INET6
void pf_scrub_ip6(struct mbuf **, uint32_t, uint8_t, uint8_t);
#endif /* INET6 */
struct pfi_kkif *pf_kkif_create(int); struct pfi_kkif *pf_kkif_create(int);
void pf_kkif_free(struct pfi_kkif *); void pf_kkif_free(struct pfi_kkif *);
void pf_kkif_zero(struct pfi_kkif *); void pf_kkif_zero(struct pfi_kkif *);
#endif /* _KERNEL */ #endif /* _KERNEL */
#endif /* _NET_PFVAR_H_ */ #endif /* _NET_PFVAR_H_ */