/* $NetBSD: pfil.h,v 1.22 2003/06/23 12:57:08 martin Exp $ */ /*- * SPDX-License-Identifier: BSD-3-Clause * * Copyright (c) 2019 Gleb Smirnoff <glebius@FreeBSD.org> * Copyright (c) 1996 Matthew R. Green * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. The name of the author may not be used to endorse or promote products * derived from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef _NET_PFIL_H_ #define _NET_PFIL_H_ #include <sys/ioccom.h> enum pfil_types { PFIL_TYPE_IP4, PFIL_TYPE_IP6, PFIL_TYPE_ETHERNET, }; #define MAXPFILNAME 64 struct pfilioc_head { char pio_name[MAXPFILNAME]; int pio_nhooksin; int pio_nhooksout; enum pfil_types pio_type; }; struct pfilioc_hook { char pio_module[MAXPFILNAME]; char pio_ruleset[MAXPFILNAME]; int pio_flags; enum pfil_types pio_type; }; struct pfilioc_list { u_int pio_nheads; u_int pio_nhooks; struct pfilioc_head *pio_heads; struct pfilioc_hook *pio_hooks; }; struct pfilioc_link { char pio_name[MAXPFILNAME]; char pio_module[MAXPFILNAME]; char pio_ruleset[MAXPFILNAME]; int pio_flags; }; #define PFILDEV "pfil" #define PFILIOC_LISTHEADS _IOWR('P', 1, struct pfilioc_list) #define PFILIOC_LISTHOOKS _IOWR('P', 2, struct pfilioc_list) #define PFILIOC_LINK _IOW('P', 3, struct pfilioc_link) #define PFIL_IN 0x00010000 #define PFIL_OUT 0x00020000 #define PFIL_FWD 0x00040000 #define PFIL_DIR(f) ((f) & (PFIL_IN|PFIL_OUT)) #define PFIL_HEADPTR 0x00100000 #define PFIL_HOOKPTR 0x00200000 #define PFIL_APPEND 0x00400000 #define PFIL_UNLINK 0x00800000 #ifdef _KERNEL struct mbuf; struct ifnet; struct inpcb; typedef enum { PFIL_PASS = 0, PFIL_DROPPED, PFIL_CONSUMED, PFIL_REALLOCED, } pfil_return_t; typedef pfil_return_t (*pfil_mbuf_chk_t)(struct mbuf **, struct ifnet *, int, void *, struct inpcb *); typedef pfil_return_t (*pfil_mem_chk_t)(void *, u_int, int, struct ifnet *, void *, struct mbuf **); /* * A pfil head is created by a packet intercept point. * * A pfil hook is created by a packet filter. * * Hooks are chained on heads. Historically some hooking happens * automatically, e.g. ipfw(4), pf(4) and ipfilter(4) would register * theirselves on IPv4 and IPv6 input/output. */ typedef struct pfil_hook * pfil_hook_t; typedef struct pfil_head * pfil_head_t; /* * Give us a chance to modify pfil_xxx_args structures in future. */ #define PFIL_VERSION 2 /* Argument structure used by packet filters to register themselves. */ struct pfil_hook_args { int pa_version; int pa_flags; enum pfil_types pa_type; pfil_mbuf_chk_t pa_mbuf_chk; pfil_mem_chk_t pa_mem_chk; void *pa_ruleset; const char *pa_modname; const char *pa_rulname; }; /* Public functions for pfil hook management by packet filters. */ pfil_hook_t pfil_add_hook(struct pfil_hook_args *); void pfil_remove_hook(pfil_hook_t); /* Argument structure used by ioctl() and packet filters to set filters. */ struct pfil_link_args { int pa_version; int pa_flags; union { const char *pa_headname; pfil_head_t pa_head; }; union { struct { const char *pa_modname; const char *pa_rulname; }; pfil_hook_t pa_hook; }; }; /* Public function to configure filter chains. Used by ioctl() and filters. */ int pfil_link(struct pfil_link_args *); /* Argument structure used by inspection points to register themselves. */ struct pfil_head_args { int pa_version; int pa_flags; enum pfil_types pa_type; const char *pa_headname; }; /* Public functions for pfil head management by inspection points. */ pfil_head_t pfil_head_register(struct pfil_head_args *); void pfil_head_unregister(pfil_head_t); /* Public functions to run the packet inspection by inspection points. */ int pfil_mem_in(struct pfil_head *, void *, u_int, struct ifnet *, struct mbuf **); int pfil_mem_out(struct pfil_head *, void *, u_int, struct ifnet *, struct mbuf **); int pfil_mbuf_in(struct pfil_head *, struct mbuf **, struct ifnet *, struct inpcb *inp); int pfil_mbuf_out(struct pfil_head *, struct mbuf **, struct ifnet *, struct inpcb *inp); int pfil_mbuf_fwd(struct pfil_head *, struct mbuf **, struct ifnet *, struct inpcb *); /* * Minimally exposed structure to avoid function call in case of absence * of any filters by protocols and macros to do the check. */ struct _pfil_head { int head_nhooksin; int head_nhooksout; }; #define PFIL_HOOKED_IN(p) (((struct _pfil_head *)(p))->head_nhooksin > 0) #define PFIL_HOOKED_OUT(p) (((struct _pfil_head *)(p))->head_nhooksout > 0) #endif /* _KERNEL */ #endif /* _NET_PFIL_H_ */