Changeset View
Standalone View
sys/netpfil/pf/pf.h
| Show First 20 Lines • Show All 107 Lines • ▼ Show 20 Lines | |||||
| #define PF_POOL_TYPEMASK 0x0f | #define PF_POOL_TYPEMASK 0x0f | ||||
| #define PF_POOL_STICKYADDR 0x20 | #define PF_POOL_STICKYADDR 0x20 | ||||
| #define PF_WSCALE_FLAG 0x80 | #define PF_WSCALE_FLAG 0x80 | ||||
| #define PF_WSCALE_MASK 0x0f | #define PF_WSCALE_MASK 0x0f | ||||
| #define PF_LOG 0x01 | #define PF_LOG 0x01 | ||||
| #define PF_LOG_ALL 0x02 | #define PF_LOG_ALL 0x02 | ||||
| #define PF_LOG_SOCKET_LOOKUP 0x04 | #define PF_LOG_SOCKET_LOOKUP 0x04 | ||||
| #define PF_LOG_FORCE 0x08 | |||||
| /* Reasons code for passing/dropping a packet */ | /* Reasons code for passing/dropping a packet */ | ||||
| #define PFRES_MATCH 0 /* Explicit match of a rule */ | #define PFRES_MATCH 0 /* Explicit match of a rule */ | ||||
| #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ | #define PFRES_BADOFF 1 /* Bad offset for pull_hdr */ | ||||
| #define PFRES_FRAG 2 /* Dropping following fragment */ | #define PFRES_FRAG 2 /* Dropping following fragment */ | ||||
| #define PFRES_SHORT 3 /* Dropping short packet */ | #define PFRES_SHORT 3 /* Dropping short packet */ | ||||
| #define PFRES_NORM 4 /* Dropping by normalizer */ | #define PFRES_NORM 4 /* Dropping by normalizer */ | ||||
| #define PFRES_MEMORY 5 /* Dropped due to lacking mem */ | #define PFRES_MEMORY 5 /* Dropped due to lacking mem */ | ||||
| ▲ Show 20 Lines • Show All 135 Lines • ▼ Show 20 Lines | struct pf_status { | ||||
| uint32_t src_nodes; | uint32_t src_nodes; | ||||
| uint32_t since; | uint32_t since; | ||||
| uint32_t debug; | uint32_t debug; | ||||
| uint32_t hostid; | uint32_t hostid; | ||||
| char ifname[IFNAMSIZ]; | char ifname[IFNAMSIZ]; | ||||
| uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; | uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; | ||||
| }; | }; | ||||
| #define PF_REASS_ENABLED 0x01 | |||||
| #define PF_REASS_NODF 0x02 | |||||
| struct pf_addr { | struct pf_addr { | ||||
| union { | union { | ||||
| struct in_addr v4; | struct in_addr v4; | ||||
| struct in6_addr v6; | struct in6_addr v6; | ||||
| u_int8_t addr8[16]; | u_int8_t addr8[16]; | ||||
| u_int16_t addr16[8]; | u_int16_t addr16[8]; | ||||
| u_int32_t addr32[4]; | u_int32_t addr32[4]; | ||||
| } pfa; /* 128-bit address */ | } pfa; /* 128-bit address */ | ||||
| ▲ Show 20 Lines • Show All 316 Lines • ▼ Show 20 Lines | |||||
| #define PFRULE_NOSYNC 0x0010 | #define PFRULE_NOSYNC 0x0010 | ||||
| #define PFRULE_SRCTRACK 0x0020 /* track source states */ | #define PFRULE_SRCTRACK 0x0020 /* track source states */ | ||||
| #define PFRULE_RULESRCTRACK 0x0040 /* per rule */ | #define PFRULE_RULESRCTRACK 0x0040 /* per rule */ | ||||
| #ifdef _KERNEL | #ifdef _KERNEL | ||||
| #define PFRULE_REFS 0x0080 /* rule has references */ | #define PFRULE_REFS 0x0080 /* rule has references */ | ||||
| #endif | #endif | ||||
| /* scrub flags */ | /* old-style scrub flags */ | ||||
| #define PFRULE_DN_IS_PIPE 0x0040 | |||||
| #define PFRULE_DN_IS_QUEUE 0x0080 | |||||
| #define PFRULE_NODF 0x0100 | #define PFRULE_NODF 0x0100 | ||||
| #define PFRULE_FRAGMENT_NOREASS 0x0200 | #define PFRULE_FRAGMENT_NOREASS 0x0200 | ||||
| #define PFRULE_RANDOMID 0x0800 | #define PFRULE_RANDOMID 0x0800 | ||||
| #define PFRULE_REASSEMBLE_TCP 0x1000 | #define PFRULE_REASSEMBLE_TCP 0x1000 | ||||
| #define PFRULE_SET_TOS 0x2000 | #define PFRULE_SET_TOS 0x2000 | ||||
| /* struct pf_state.state_flags */ | |||||
| #define PFSTATE_ALLOWOPTS 0x0001 | |||||
| #define PFSTATE_SLOPPY 0x0002 | |||||
| /* was PFSTATE_PFLOW 0x0004 */ | |||||
| #define PFSTATE_NOSYNC 0x0008 | |||||
| #define PFSTATE_ACK 0x0010 | |||||
| #define PFSTATE_NODF 0x0020 | |||||
| #define PFSTATE_SETTOS 0x0040 | |||||
vegeta_tuxpowered.net: This conflicts with PFRULE_DN_IS_PIPE which is also assigned to `pf_rule_actions->flags`. | |||||
Done Inline Actions@kp I think the simplest way to address this conflict (as I'd rather keep PFSTATE_.* flags with the same values as OpenBSD does) is to provide pf_rule_actions->dnflags and set it in pf_rule_to_actions(). This is is what I have uploaded now. However it makes me raise a question why are there are now 2 separate variables for those flags (pfctl_rule/pf_krule->free_flags and pfctl_eth_rule/pf_keth_rule->dnflags). And there still is the 32-bit pfctl_rule/pf_krule->rule_flags which could store those flags just fine if they are moved to higher bits. vegeta_tuxpowered.net: @kp I think the simplest way to address this conflict (as I'd rather keep `PFSTATE_.*` flags… | |||||
Not Done Inline ActionsIt's 'dnflags' for ethernet rules, 'free_flags' for layer-3 rules. We can't move the flags, because that'll break ABI compatibility with userspace. kp: It's 'dnflags' for ethernet rules, 'free_flags' for layer-3 rules.
We can't move the flags… | |||||
Done Inline ActionsPlease find the updated patch where DN flags follow the existing mechanism of translating PFRULE_.* flags on rules into PFSTATE_.* flags on states. With flags translated onto pf_kstate->state_flags (s->state_flags |= pd->act.flags in pf_create_state()) in we can hope to be able to make those flags work properly with pfsync too one day. That is out of scope of this review and I'll submit a proposal for pfsync separately soon-ish but let's already have code preparing us for that opportunity. vegeta_tuxpowered.net: Please find the updated patch where DN flags follow the existing mechanism of translating… | |||||
Done Inline ActionsSounds like a good plan. I expect to land this (and the tests) late next week or early the week after, once I'm back from AsiaBSDCon. kp: Sounds like a good plan.
I expect to land this (and the tests) late next week or early the… | |||||
| #define PFSTATE_RANDOMID 0x0080 | |||||
| #define PFSTATE_SCRUB_TCP 0x0100 | |||||
| #define PFSTATE_SETPRIO 0x0200 | |||||
| /* was PFSTATE_INP_UNLINKED 0x0400 */ | |||||
| #define PFSTATE_SCRUBMASK (PFSTATE_NODF|PFSTATE_RANDOMID|PFSTATE_SCRUB_TCP) | |||||
| #define PFSTATE_SETMASK (PFSTATE_SETTOS|PFSTATE_SETPRIO) | |||||
| /* rule flags again */ | /* rule flags again */ | ||||
| #define PFRULE_IFBOUND 0x00010000 /* if-bound */ | #define PFRULE_IFBOUND 0x00010000 /* if-bound */ | ||||
| #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ | #define PFRULE_STATESLOPPY 0x00020000 /* sloppy state tracking */ | ||||
| #define PFSTATE_HIWAT 100000 /* default state table size */ | #define PFSTATE_HIWAT 100000 /* default state table size */ | ||||
| #define PFSTATE_ADAPT_START 60000 /* default adaptive timeout start */ | #define PFSTATE_ADAPT_START 60000 /* default adaptive timeout start */ | ||||
| #define PFSTATE_ADAPT_END 120000 /* default adaptive timeout end */ | #define PFSTATE_ADAPT_END 120000 /* default adaptive timeout end */ | ||||
| ▲ Show 20 Lines • Show All 70 Lines • Show Last 20 Lines | |||||
This conflicts with PFRULE_DN_IS_PIPE which is also assigned to pf_rule_actions->flags.