1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 */ 31 32 #ifndef _PFCTL_IOCTL_H_ 33 #define _PFCTL_IOCTL_H_ 34 35 #include <netpfil/pf/pf.h> 36 37 struct pfctl_anchor; 38 struct pfctl_eth_anchor; 39 40 struct pfctl_status_counter { 41 uint64_t id; 42 uint64_t counter; 43 char *name; 44 45 TAILQ_ENTRY(pfctl_status_counter) entry; 46 }; 47 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 48 49 struct pfctl_status { 50 bool running; 51 uint32_t since; 52 uint32_t debug; 53 uint32_t hostid; 54 uint64_t states; 55 uint64_t src_nodes; 56 char ifname[IFNAMSIZ]; 57 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 58 bool syncookies_active; 59 uint32_t reass; 60 61 struct pfctl_status_counters counters; 62 struct pfctl_status_counters lcounters; 63 struct pfctl_status_counters fcounters; 64 struct pfctl_status_counters scounters; 65 uint64_t pcounters[2][2][2]; 66 uint64_t bcounters[2][2]; 67 }; 68 69 struct pfctl_eth_rulesets_info { 70 uint32_t nr; 71 }; 72 73 struct pfctl_eth_rules_info { 74 uint32_t nr; 75 uint32_t ticket; 76 }; 77 78 struct pfctl_eth_addr { 79 uint8_t addr[ETHER_ADDR_LEN]; 80 uint8_t mask[ETHER_ADDR_LEN]; 81 bool neg; 82 bool isset; 83 }; 84 85 struct pfctl_eth_rule { 86 uint32_t nr; 87 88 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 89 uint32_t ridentifier; 90 91 bool quick; 92 93 /* Filter */ 94 char ifname[IFNAMSIZ]; 95 uint8_t ifnot; 96 uint8_t direction; 97 uint16_t proto; 98 struct pfctl_eth_addr src, dst; 99 struct pf_rule_addr ipsrc, ipdst; 100 char match_tagname[PF_TAG_NAME_SIZE]; 101 uint16_t match_tag; 102 bool match_tag_not; 103 104 /* Stats */ 105 uint64_t evaluations; 106 uint64_t packets[2]; 107 uint64_t bytes[2]; 108 time_t last_active_timestamp; 109 110 /* Action */ 111 char qname[PF_QNAME_SIZE]; 112 char tagname[PF_TAG_NAME_SIZE]; 113 uint16_t dnpipe; 114 uint32_t dnflags; 115 char bridge_to[IFNAMSIZ]; 116 uint8_t action; 117 118 struct pfctl_eth_anchor *anchor; 119 uint8_t anchor_relative; 120 uint8_t anchor_wildcard; 121 122 TAILQ_ENTRY(pfctl_eth_rule) entries; 123 }; 124 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 125 126 struct pfctl_eth_ruleset_info { 127 uint32_t nr; 128 char name[PF_ANCHOR_NAME_SIZE]; 129 char path[MAXPATHLEN]; 130 }; 131 132 struct pfctl_eth_ruleset { 133 struct pfctl_eth_rules rules; 134 struct pfctl_eth_anchor *anchor; 135 }; 136 137 struct pfctl_eth_anchor { 138 struct pfctl_eth_anchor *parent; 139 char name[PF_ANCHOR_NAME_SIZE]; 140 char path[MAXPATHLEN]; 141 struct pfctl_eth_ruleset ruleset; 142 int refcnt; /* anchor rules */ 143 int match; /* XXX: used for pfctl black magic */ 144 }; 145 146 struct pfctl_pooladdr { 147 struct pf_addr_wrap addr; 148 TAILQ_ENTRY(pfctl_pooladdr) entries; 149 char ifname[IFNAMSIZ]; 150 sa_family_t af; 151 }; 152 153 TAILQ_HEAD(pfctl_palist, pfctl_pooladdr); 154 155 struct pfctl_pool { 156 struct pfctl_palist list; 157 struct pfctl_pooladdr *cur; 158 struct pf_poolhashkey key; 159 struct pf_addr counter; 160 struct pf_mape_portset mape; 161 int tblidx; 162 uint16_t proxy_port[2]; 163 uint8_t opts; 164 }; 165 166 struct pfctl_rules_info { 167 uint32_t nr; 168 uint32_t ticket; 169 }; 170 171 struct pfctl_threshold { 172 uint32_t limit; 173 uint32_t seconds; 174 uint32_t count; 175 uint32_t last; 176 }; 177 178 struct pfctl_rule { 179 struct pf_rule_addr src; 180 struct pf_rule_addr dst; 181 union pf_rule_ptr skip[PF_SKIP_COUNT]; 182 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 183 uint32_t ridentifier; 184 char ifname[IFNAMSIZ]; 185 char qname[PF_QNAME_SIZE]; 186 char pqname[PF_QNAME_SIZE]; 187 char tagname[PF_TAG_NAME_SIZE]; 188 char match_tagname[PF_TAG_NAME_SIZE]; 189 190 char overload_tblname[PF_TABLE_NAME_SIZE]; 191 192 TAILQ_ENTRY(pfctl_rule) entries; 193 struct pfctl_pool nat; 194 union { 195 /* Alias old and new names. */ 196 struct pfctl_pool rpool; 197 struct pfctl_pool rdr; 198 }; 199 struct pfctl_pool route; 200 struct pfctl_threshold pktrate; 201 202 uint64_t evaluations; 203 uint64_t packets[2]; 204 uint64_t bytes[2]; 205 time_t last_active_timestamp; 206 207 struct pfi_kif *kif; 208 struct pfctl_anchor *anchor; 209 struct pfr_ktable *overload_tbl; 210 211 pf_osfp_t os_fingerprint; 212 213 int rtableid; 214 uint32_t timeout[PFTM_MAX]; 215 uint32_t max_states; 216 uint32_t max_src_nodes; 217 uint32_t max_src_states; 218 uint32_t max_src_conn; 219 struct { 220 uint32_t limit; 221 uint32_t seconds; 222 } max_src_conn_rate; 223 uint16_t max_pkt_size; 224 uint32_t qid; 225 uint32_t pqid; 226 uint16_t dnpipe; 227 uint16_t dnrpipe; 228 uint32_t free_flags; 229 uint32_t nr; 230 uint32_t prob; 231 uid_t cuid; 232 pid_t cpid; 233 234 uint64_t states_cur; 235 uint64_t states_tot; 236 uint64_t src_nodes; 237 uint64_t src_nodes_type[PF_SN_MAX]; 238 239 uint16_t return_icmp; 240 uint16_t return_icmp6; 241 uint16_t max_mss; 242 uint16_t tag; 243 uint16_t match_tag; 244 uint16_t scrub_flags; 245 246 struct pf_rule_uid uid; 247 struct pf_rule_gid gid; 248 char rcv_ifname[IFNAMSIZ]; 249 bool rcvifnot; 250 251 uint32_t rule_flag; 252 uint8_t action; 253 uint8_t direction; 254 uint8_t log; 255 uint8_t logif; 256 uint8_t quick; 257 uint8_t ifnot; 258 uint8_t match_tag_not; 259 uint8_t natpass; 260 261 uint8_t keep_state; 262 sa_family_t af; 263 uint8_t proto; 264 uint8_t type; 265 uint8_t code; 266 uint8_t flags; 267 uint8_t flagset; 268 uint8_t min_ttl; 269 uint8_t allow_opts; 270 uint8_t rt; 271 uint8_t return_ttl; 272 uint8_t tos; 273 uint8_t set_tos; 274 uint8_t anchor_relative; 275 uint8_t anchor_wildcard; 276 277 uint8_t flush; 278 uint8_t prio; 279 uint8_t set_prio[2]; 280 sa_family_t naf; 281 282 struct { 283 struct pf_addr addr; 284 uint16_t port; 285 } divert; 286 }; 287 288 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 289 290 struct pfctl_ruleset { 291 struct { 292 struct pfctl_rulequeue queues[2]; 293 struct { 294 struct pfctl_rulequeue *ptr; 295 struct pfctl_rule **ptr_array; 296 uint32_t rcount; 297 uint32_t ticket; 298 int open; 299 } active, inactive; 300 } rules[PF_RULESET_MAX]; 301 struct pfctl_anchor *anchor; 302 uint32_t tticket; 303 int tables; 304 int topen; 305 }; 306 307 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 308 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 309 struct pfctl_anchor { 310 RB_ENTRY(pfctl_anchor) entry_global; 311 RB_ENTRY(pfctl_anchor) entry_node; 312 struct pfctl_anchor *parent; 313 struct pfctl_anchor_node children; 314 char name[PF_ANCHOR_NAME_SIZE]; 315 char path[MAXPATHLEN]; 316 struct pfctl_ruleset ruleset; 317 int refcnt; /* anchor rules */ 318 int match; /* XXX: used for pfctl black magic */ 319 }; 320 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 321 pf_anchor_compare); 322 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 323 pf_anchor_compare); 324 325 struct pfctl_state_cmp { 326 uint64_t id; 327 uint32_t creatorid; 328 uint8_t direction; 329 }; 330 331 struct pfctl_kill { 332 struct pfctl_state_cmp cmp; 333 sa_family_t af; 334 int proto; 335 struct pf_rule_addr src; 336 struct pf_rule_addr dst; 337 struct pf_rule_addr rt_addr; 338 char ifname[IFNAMSIZ]; 339 char label[PF_RULE_LABEL_SIZE]; 340 bool kill_match; 341 bool nat; 342 }; 343 344 struct pfctl_state_peer { 345 uint32_t seqlo; 346 uint32_t seqhi; 347 uint32_t seqdiff; 348 uint8_t state; 349 uint8_t wscale; 350 }; 351 352 struct pfctl_state_key { 353 struct pf_addr addr[2]; 354 uint16_t port[2]; 355 sa_family_t af; 356 uint8_t proto; 357 }; 358 359 struct pfctl_state { 360 TAILQ_ENTRY(pfctl_state) entry; 361 362 uint64_t id; 363 uint32_t creatorid; 364 uint8_t direction; 365 366 struct pfctl_state_peer src; 367 struct pfctl_state_peer dst; 368 369 uint32_t rule; 370 uint32_t anchor; 371 uint32_t nat_rule; 372 struct pf_addr rt_addr; 373 struct pfctl_state_key key[2]; /* addresses stack and wire */ 374 char ifname[IFNAMSIZ]; 375 char orig_ifname[IFNAMSIZ]; 376 uint64_t packets[2]; 377 uint64_t bytes[2]; 378 uint32_t creation; 379 uint32_t expire; 380 uint32_t pfsync_time; 381 uint16_t state_flags; 382 uint32_t sync_flags; 383 uint16_t qid; 384 uint16_t pqid; 385 uint16_t dnpipe; 386 uint16_t dnrpipe; 387 uint8_t log; 388 int32_t rtableid; 389 uint8_t min_ttl; 390 uint8_t set_tos; 391 uint16_t max_mss; 392 uint8_t set_prio[2]; 393 uint8_t rt; 394 char rt_ifname[IFNAMSIZ]; 395 sa_family_t rt_af; 396 uint8_t src_node_flags; 397 }; 398 399 TAILQ_HEAD(pfctl_statelist, pfctl_state); 400 struct pfctl_states { 401 struct pfctl_statelist states; 402 }; 403 404 enum pfctl_syncookies_mode { 405 PFCTL_SYNCOOKIES_NEVER, 406 PFCTL_SYNCOOKIES_ALWAYS, 407 PFCTL_SYNCOOKIES_ADAPTIVE 408 }; 409 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 410 411 struct pfctl_syncookies { 412 enum pfctl_syncookies_mode mode; 413 uint8_t highwater; /* Percent */ 414 uint8_t lowwater; /* Percent */ 415 uint32_t halfopen_states; 416 }; 417 418 struct pfctl_src_node { 419 struct pf_addr addr; 420 struct pf_addr raddr; 421 int rule; 422 uint64_t bytes[2]; 423 uint64_t packets[2]; 424 uint32_t states; 425 uint32_t conn; 426 sa_family_t af; 427 sa_family_t raf; 428 uint8_t ruletype; 429 uint64_t creation; 430 uint64_t expire; 431 struct pfctl_threshold conn_rate; 432 pf_sn_types_t type; 433 }; 434 435 #define PF_DEVICE "/dev/pf" 436 437 struct pfctl_handle; 438 struct pfctl_handle *pfctl_open(const char *pf_device); 439 void pfctl_close(struct pfctl_handle *); 440 int pfctl_fd(struct pfctl_handle *); 441 442 int pfctl_startstop(struct pfctl_handle *h, int start); 443 struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h); 444 struct pfctl_status* pfctl_get_status(int dev); 445 int pfctl_clear_status(struct pfctl_handle *h); 446 uint64_t pfctl_status_counter(struct pfctl_status *status, int id); 447 uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id); 448 uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id); 449 uint64_t pfctl_status_scounter(struct pfctl_status *status, int id); 450 void pfctl_free_status(struct pfctl_status *status); 451 452 int pfctl_get_eth_rulesets_info(int dev, 453 struct pfctl_eth_rulesets_info *ri, const char *path); 454 int pfctl_get_eth_ruleset(int dev, const char *path, int nr, 455 struct pfctl_eth_ruleset_info *ri); 456 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 457 const char *path); 458 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 459 const char *path, struct pfctl_eth_rule *rule, bool clear, 460 char *anchor_call); 461 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 462 const char *anchor, const char *anchor_call, uint32_t ticket); 463 int pfctl_get_rules_info_h(struct pfctl_handle *h, 464 struct pfctl_rules_info *rules, uint32_t ruleset, 465 const char *path); 466 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 467 uint32_t ruleset, const char *path); 468 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 469 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 470 char *anchor_call); 471 int pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, 472 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 473 char *anchor_call); 474 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 475 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 476 char *anchor_call, bool clear); 477 int pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket, 478 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 479 char *anchor_call, bool clear); 480 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 481 const char *anchor, const char *anchor_call, uint32_t ticket, 482 uint32_t pool_ticket); 483 int pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r, 484 const char *anchor, const char *anchor_call, uint32_t ticket, 485 uint32_t pool_ticket); 486 int pfctl_set_keepcounters(int dev, bool keep); 487 int pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len); 488 489 struct pfctl_state_filter { 490 char ifname[IFNAMSIZ]; 491 uint16_t proto; 492 sa_family_t af; 493 struct pf_addr addr; 494 struct pf_addr mask; 495 }; 496 typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *); 497 int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg); 498 int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg); 499 int pfctl_get_states(int dev, struct pfctl_states *states); 500 void pfctl_free_states(struct pfctl_states *states); 501 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 502 unsigned int *killed); 503 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 504 unsigned int *killed); 505 int pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 506 unsigned int *killed); 507 int pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill, 508 unsigned int *killed); 509 int pfctl_clear_rules(int dev, const char *anchorname); 510 int pfctl_clear_nat(int dev, const char *anchorname); 511 int pfctl_clear_eth_rules(int dev, const char *anchorname); 512 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 513 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 514 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 515 *addr, int size, int *nadd, int flags); 516 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 517 *addr, int size, int *ndel, int flags); 518 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 519 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, 520 int flags); 521 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 522 *addr, int *size, int flags); 523 int pfctl_set_statusif(struct pfctl_handle *h, const char *ifname); 524 525 struct pfctl_natlook_key { 526 sa_family_t af; 527 uint8_t direction; 528 uint8_t proto; 529 struct pf_addr saddr; 530 struct pf_addr daddr; 531 uint16_t sport; 532 uint16_t dport; 533 }; 534 struct pfctl_natlook { 535 struct pf_addr saddr; 536 struct pf_addr daddr; 537 uint16_t sport; 538 uint16_t dport; 539 }; 540 int pfctl_natlook(struct pfctl_handle *h, 541 const struct pfctl_natlook_key *k, struct pfctl_natlook *r); 542 int pfctl_set_debug(struct pfctl_handle *h, uint32_t level); 543 int pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds); 544 int pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds); 545 int pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit); 546 int pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit); 547 int pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket); 548 int pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which); 549 int pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 550 uint8_t r_action, const char *anchor, uint32_t *nr, int which); 551 int pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num, 552 uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa, 553 int which); 554 int pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr); 555 int pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs); 556 typedef int (*pfctl_get_srcnode_fn)(struct pfctl_src_node*, void *); 557 int pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg); 558 559 int pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter, 560 int *ndel, int flags); 561 int pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table, 562 int *nadd, int flags); 563 int pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table, 564 int *ndel, int flags); 565 566 typedef int (*pfctl_get_tstats_fn)(const struct pfr_tstats *t, void *arg); 567 int pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 568 pfctl_get_tstats_fn fn, void *arg); 569 int pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter, 570 int *nzero, int flags); 571 int pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter, 572 int *ndel, int flags); 573 574 #endif 575