xref: /freebsd/lib/libpfctl/libpfctl.h (revision 41fd03c08f67fc9c891f4fb0ebf912658f30f212)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 #ifndef _PFCTL_IOCTL_H_
33 #define _PFCTL_IOCTL_H_
34 
35 #include <netpfil/pf/pf.h>
36 
37 struct pfctl_anchor;
38 struct pfctl_eth_anchor;
39 
/*
 * One named counter in a pfctl_status counter list. The TAILQ head type for
 * those lists is declared directly after the struct.
 * NOTE(review): name is a bare pointer, so its storage lives outside this
 * struct; presumably it is released by pfctl_free_status() -- confirm in
 * libpfctl.c before freeing or aliasing it.
 */
40 struct pfctl_status_counter {
41 	uint64_t	 id;
42 	uint64_t	 counter;
43 	char		*name;
44 
45 	TAILQ_ENTRY(pfctl_status_counter) entry;
46 };
47 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
48 
/*
 * pf status snapshot, returned by pfctl_get_status()/pfctl_get_status_h() and
 * released with pfctl_free_status() (all declared later in this header).
 * The four counter lists are read through pfctl_status_counter(),
 * pfctl_status_lcounter(), pfctl_status_fcounter() and
 * pfctl_status_scounter().
 */
49 struct pfctl_status {
50 	bool		running;
51 	uint32_t	since;
52 	uint32_t	debug;
53 	uint32_t	hostid;
54 	uint64_t	states;
55 	uint64_t	src_nodes;
	/* Fixed-size buffer: do not assume NUL termination without checking. */
56 	char		ifname[IFNAMSIZ];
	/*
	 * MD5-sized digest (PF_MD5_DIGEST_LENGTH).
	 * NOTE(review): MD5 is not collision resistant; treat this as a
	 * change-detection checksum, not as an integrity guarantee -- confirm
	 * what it covers against the kernel side.
	 */
57 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
58 	bool		syncookies_active;
59 	uint32_t	reass;
60 
61 	struct pfctl_status_counters	 counters;
62 	struct pfctl_status_counters	 lcounters;
63 	struct pfctl_status_counters	 fcounters;
64 	struct pfctl_status_counters	 scounters;
	/* NOTE(review): index meaning of these arrays is not shown here -- confirm against pf.h. */
65 	uint64_t	pcounters[2][2][2];
66 	uint64_t	bcounters[2][2];
67 };
68 
/*
 * Output of pfctl_get_eth_rulesets_info().
 * NOTE(review): nr is presumably the number of Ethernet rulesets under the
 * queried path -- confirm in libpfctl.c.
 */
69 struct pfctl_eth_rulesets_info {
70 	uint32_t	nr;
71 };
72 
/*
 * Output of pfctl_get_eth_rules_info().
 * NOTE(review): nr/ticket are presumably the rule count and the ticket that
 * pfctl_get_eth_rule() expects back -- confirm in libpfctl.c.
 */
73 struct pfctl_eth_rules_info {
74 	uint32_t	nr;
75 	uint32_t	ticket;
76 };
77 
/*
 * Ethernet address match used for the src/dst members of pfctl_eth_rule:
 * an ETHER_ADDR_LEN-byte address and mask plus two flags.
 * NOTE(review): neg presumably inverts the match and isset presumably marks
 * the address as configured -- confirm, since a wrong default here changes
 * which frames a rule matches.
 */
78 struct pfctl_eth_addr {
79 	uint8_t	addr[ETHER_ADDR_LEN];
80 	uint8_t	mask[ETHER_ADDR_LEN];
81 	bool	neg;
82 	bool	isset;
83 };
84 
/*
 * Userland representation of one Ethernet-layer pf rule, as passed to
 * pfctl_add_eth_rule() and filled in by pfctl_get_eth_rule().
 * Members are grouped into filter criteria, statistics and action; rules are
 * linked into a pfctl_eth_rules TAILQ through entries.
 * All name members are fixed-size char arrays: bound every copy into them by
 * the array size and keep them NUL terminated.
 */
85 struct pfctl_eth_rule {
86 	uint32_t		 nr;
87 
88 	char			label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
89 	uint32_t		ridentifier;
90 
91 	bool			 quick;
92 
93 	/* Filter */
94 	char			 ifname[IFNAMSIZ];
95 	uint8_t			 ifnot;
96 	uint8_t			 direction;
97 	uint16_t		 proto;
98 	struct pfctl_eth_addr	 src, dst;
99 	struct pf_rule_addr	 ipsrc, ipdst;
100 	char			 match_tagname[PF_TAG_NAME_SIZE];
101 	uint16_t		 match_tag;
102 	bool			 match_tag_not;
103 
104 	/* Stats */
105 	uint64_t		 evaluations;
	/* NOTE(review): the two slots are presumably per direction -- confirm. */
106 	uint64_t		 packets[2];
107 	uint64_t		 bytes[2];
108 	time_t			 last_active_timestamp;
109 
110 	/* Action */
111 	char			 qname[PF_QNAME_SIZE];
112 	char			 tagname[PF_TAG_NAME_SIZE];
113 	uint16_t		 dnpipe;
114 	uint32_t		 dnflags;
115 	char			 bridge_to[IFNAMSIZ];
116 	uint8_t			 action;
117 
	/* NOTE(review): ownership of the anchor pointer is not visible in this header -- confirm. */
118 	struct pfctl_eth_anchor	*anchor;
119 	uint8_t			 anchor_relative;
120 	uint8_t			 anchor_wildcard;
121 
122 	TAILQ_ENTRY(pfctl_eth_rule)	 entries;
123 };
124 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
125 
/*
 * Output of pfctl_get_eth_ruleset(): a number plus the ruleset's name and
 * path in fixed-size buffers (PF_ANCHOR_NAME_SIZE and MAXPATHLEN bytes).
 */
126 struct pfctl_eth_ruleset_info {
127 	uint32_t	nr;
128 	char		name[PF_ANCHOR_NAME_SIZE];
129 	char		path[MAXPATHLEN];
130 };
131 
/*
 * An Ethernet ruleset: the list of rules and a pointer to the anchor it is
 * associated with. It is embedded by value in pfctl_eth_anchor.
 */
132 struct pfctl_eth_ruleset {
133 	struct pfctl_eth_rules	 rules;
134 	struct pfctl_eth_anchor	*anchor;
135 };
136 
/*
 * Ethernet anchor node: parent link, name and path in fixed-size buffers,
 * and the ruleset it contains (embedded by value).
 * NOTE(review): refcnt is a plain int with no locking visible in this
 * header; presumably single-threaded use is assumed -- confirm.
 */
137 struct pfctl_eth_anchor {
138 	struct pfctl_eth_anchor		*parent;
139 	char				 name[PF_ANCHOR_NAME_SIZE];
140 	char				 path[MAXPATHLEN];
141 	struct pfctl_eth_ruleset	 ruleset;
142 	int				 refcnt;	/* anchor rules */
143 	int				 match;	/* XXX: used for pfctl black magic */
144 };
145 
/*
 * Address pool attached to a rule; pfctl_rule embeds it as nat, rpool/rdr
 * and route.
 * NOTE(review): cur points into an address list whose ownership is not shown
 * here, and key is a pf_poolhashkey whose generation is not visible in this
 * header -- confirm both in the implementation.
 */
146 struct pfctl_pool {
147 	struct pf_palist	 list;
148 	struct pf_pooladdr	*cur;
149 	struct pf_poolhashkey	 key;
150 	struct pf_addr		 counter;
151 	struct pf_mape_portset	 mape;
152 	int			 tblidx;
153 	uint16_t		 proxy_port[2];
154 	uint8_t			 opts;
155 };
156 
/*
 * Output of pfctl_get_rules_info()/pfctl_get_rules_info_h().
 * NOTE(review): nr/ticket are presumably the rule count and the ticket that
 * the pfctl_get_rule*() calls expect back -- confirm in libpfctl.c.
 */
157 struct pfctl_rules_info {
158 	uint32_t	nr;
159 	uint32_t	ticket;
160 };
161 
/*
 * Rate threshold state; used as pfctl_rule.pktrate and
 * pfctl_src_node.conn_rate.
 * NOTE(review): limit/seconds look like the configured rate and count/last
 * like running state -- confirm units and semantics against pf.h.
 */
162 struct pfctl_threshold {
163 	uint32_t		limit;
164 	uint32_t		seconds;
165 	uint32_t		count;
166 	uint32_t		last;
167 };
168 
/*
 * Userland representation of one pf rule, as passed to pfctl_add_rule*() and
 * filled in by pfctl_get_rule*()/pfctl_get_clear_rule*().
 * Rules are linked into a pfctl_rulequeue TAILQ through entries.
 *
 * All name members (label, ifname, qname, pqname, tagname, match_tagname,
 * overload_tblname, rcv_ifname) are fixed-size char arrays: bound every copy
 * into them by the array size and keep them NUL terminated.
 *
 * NOTE(review): zero-initialise the whole struct before filling it in; many
 * members are match criteria or limits and how unset values are interpreted
 * is decided outside this header.
 */
169 struct pfctl_rule {
170 	struct pf_rule_addr	 src;
171 	struct pf_rule_addr	 dst;
172 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
173 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
174 	uint32_t		 ridentifier;
175 	char			 ifname[IFNAMSIZ];
176 	char			 qname[PF_QNAME_SIZE];
177 	char			 pqname[PF_QNAME_SIZE];
178 	char			 tagname[PF_TAG_NAME_SIZE];
179 	char			 match_tagname[PF_TAG_NAME_SIZE];
180 
181 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
182 
183 	TAILQ_ENTRY(pfctl_rule)	 entries;
184 	struct pfctl_pool	 nat;
185 	union {
186 		/* Alias old and new names. */
187 		struct pfctl_pool	 rpool;
188 		struct pfctl_pool	 rdr;
189 	};
190 	struct pfctl_pool	 route;
191 	struct pfctl_threshold	 pktrate;
192 
193 	uint64_t		 evaluations;
	/* NOTE(review): the two slots are presumably per direction -- confirm. */
194 	uint64_t		 packets[2];
195 	uint64_t		 bytes[2];
196 	time_t			 last_active_timestamp;
197 
	/*
	 * NOTE(review): kif and overload_tbl are pointers to types this header
	 * does not define; whether they are ever valid to dereference in a
	 * userland copy is not visible here -- confirm before use.
	 */
198 	struct pfi_kif		*kif;
199 	struct pfctl_anchor	*anchor;
200 	struct pfr_ktable	*overload_tbl;
201 
202 	pf_osfp_t		 os_fingerprint;
203 
204 	int			 rtableid;
205 	uint32_t		 timeout[PFTM_MAX];
206 	uint32_t		 max_states;
207 	uint32_t		 max_src_nodes;
208 	uint32_t		 max_src_states;
209 	uint32_t		 max_src_conn;
210 	struct {
211 		uint32_t		limit;
212 		uint32_t		seconds;
213 	}			 max_src_conn_rate;
214 	uint16_t		 max_pkt_size;
215 	uint32_t		 qid;
216 	uint32_t		 pqid;
217 	uint16_t		 dnpipe;
218 	uint16_t		 dnrpipe;
219 	uint32_t		 free_flags;
220 	uint32_t		 nr;
221 	uint32_t		 prob;
222 	uid_t			 cuid;
223 	pid_t			 cpid;
224 
225 	uint64_t		 states_cur;
226 	uint64_t		 states_tot;
227 	uint64_t		 src_nodes;
228 	uint64_t		 src_nodes_type[PF_SN_MAX];
229 
230 	uint16_t		 return_icmp;
231 	uint16_t		 return_icmp6;
232 	uint16_t		 max_mss;
233 	uint16_t		 tag;
234 	uint16_t		 match_tag;
235 	uint16_t		 scrub_flags;
236 
237 	struct pf_rule_uid	 uid;
238 	struct pf_rule_gid	 gid;
239 	char			 rcv_ifname[IFNAMSIZ];
240 	bool			 rcvifnot;
241 
242 	uint32_t		 rule_flag;
243 	uint8_t			 action;
244 	uint8_t			 direction;
245 	uint8_t			 log;
246 	uint8_t			 logif;
247 	uint8_t			 quick;
248 	uint8_t			 ifnot;
249 	uint8_t			 match_tag_not;
250 	uint8_t			 natpass;
251 
252 	uint8_t			 keep_state;
253 	sa_family_t		 af;
254 	uint8_t			 proto;
255 	uint8_t			 type;
256 	uint8_t			 code;
257 	uint8_t			 flags;
258 	uint8_t			 flagset;
259 	uint8_t			 min_ttl;
260 	uint8_t			 allow_opts;
261 	uint8_t			 rt;
262 	uint8_t			 return_ttl;
263 	uint8_t			 tos;
264 	uint8_t			 set_tos;
265 	uint8_t			 anchor_relative;
266 	uint8_t			 anchor_wildcard;
267 
268 	uint8_t			 flush;
269 	uint8_t			 prio;
270 	uint8_t			 set_prio[2];
271 	sa_family_t		 naf;
272 
273 	struct {
274 		struct pf_addr		addr;
275 		uint16_t		port;
276 	}			divert;
277 };
278 
/*
 * Rule queue head type and the ruleset that holds the queues.
 * Each of the PF_RULESET_MAX entries carries two queues and an
 * active/inactive pair of descriptors (queue pointer, pointer array, rule
 * count, ticket, open flag).
 * NOTE(review): the active/inactive split presumably mirrors pf's
 * transactional ruleset load -- confirm against the kernel definitions.
 */
279 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
280 
281 struct pfctl_ruleset {
282 	struct {
283 		struct pfctl_rulequeue	 queues[2];
284 		struct {
285 			struct pfctl_rulequeue	*ptr;
286 			struct pfctl_rule	**ptr_array;
287 			uint32_t		 rcount;
288 			uint32_t		 ticket;
289 			int			 open;
290 		}			 active, inactive;
291 	}			 rules[PF_RULESET_MAX];
292 	struct pfctl_anchor	*anchor;
293 	uint32_t		 tticket;
294 	int			 tables;
295 	int			 topen;
296 };
297 
/*
 * Anchor node and its two red-black tree types. Each anchor carries an
 * RB_ENTRY for the global tree (entry_global) and one for its parent's
 * children tree (entry_node); both trees are prototyped with
 * pf_anchor_compare as the comparison function.
 * name and path are fixed-size buffers (PF_ANCHOR_NAME_SIZE, MAXPATHLEN):
 * bound copies by the array size and keep them NUL terminated, since they
 * are the keys callers pass around as anchor names.
 */
298 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
299 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
300 struct pfctl_anchor {
301 	RB_ENTRY(pfctl_anchor)	 entry_global;
302 	RB_ENTRY(pfctl_anchor)	 entry_node;
303 	struct pfctl_anchor	*parent;
304 	struct pfctl_anchor_node children;
305 	char			 name[PF_ANCHOR_NAME_SIZE];
306 	char			 path[MAXPATHLEN];
307 	struct pfctl_ruleset	 ruleset;
308 	int			 refcnt;	/* anchor rules */
309 	int			 match;	/* XXX: used for pfctl black magic */
310 };
311 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
312     pf_anchor_compare);
313 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
314     pf_anchor_compare);
315 
/*
 * Identifies a state by id, creator id and direction; embedded in
 * pfctl_kill as cmp.
 */
316 struct pfctl_state_cmp {
317 	uint64_t	id;
318 	uint32_t	creatorid;
319 	uint8_t		direction;
320 };
321 
/*
 * Selection criteria passed to pfctl_clear_states*() and
 * pfctl_kill_states*().
 * NOTE(review): these calls remove firewall state, so zero-initialise the
 * struct before setting fields; otherwise unset criteria carry whatever was
 * on the stack. How an all-zero criterion matches (presumably "any") is
 * decided in libpfctl.c and the kernel -- confirm before relying on it.
 */
322 struct pfctl_kill {
323 	struct pfctl_state_cmp	cmp;
324 	sa_family_t		af;
325 	int			proto;
326 	struct pf_rule_addr	src;
327 	struct pf_rule_addr	dst;
328 	struct pf_rule_addr	rt_addr;
329 	char			ifname[IFNAMSIZ];
330 	char			label[PF_RULE_LABEL_SIZE];
331 	bool			kill_match;
332 	bool			nat;
333 };
334 
/*
 * Per-endpoint part of a state; pfctl_state holds one for src and one for
 * dst.
 * NOTE(review): seqlo/seqhi/seqdiff and wscale are presumably TCP sequence
 * tracking values -- confirm against pf.h.
 */
335 struct pfctl_state_peer {
336 	uint32_t			 seqlo;
337 	uint32_t			 seqhi;
338 	uint32_t			 seqdiff;
339 	uint8_t				 state;
340 	uint8_t				 wscale;
341 };
342 
/*
 * Address/port pair for both ends of a connection plus address family and
 * protocol; pfctl_state holds two of these (key[2]).
 * NOTE(review): byte order of port[] is not stated in this header --
 * confirm before printing or comparing.
 */
343 struct pfctl_state_key {
344 	struct pf_addr	 addr[2];
345 	uint16_t	 port[2];
346 	sa_family_t	 af;
347 	uint8_t	 	 proto;
348 };
349 
/*
 * Userland representation of one pf state entry, linked into a
 * pfctl_statelist through entry and handed to pfctl_get_state_fn callbacks.
 * The interface-name members are fixed-size IFNAMSIZ buffers: do not assume
 * NUL termination without checking.
 * NOTE(review): creation/expire/pfsync_time are 32-bit; units and epoch are
 * not stated in this header -- confirm before doing arithmetic on them.
 */
350 struct pfctl_state {
351 	TAILQ_ENTRY(pfctl_state)	entry;
352 
353 	uint64_t		 id;
354 	uint32_t		 creatorid;
355 	uint8_t		 	 direction;
356 
357 	struct pfctl_state_peer	 src;
358 	struct pfctl_state_peer	 dst;
359 
360 	uint32_t		 rule;
361 	uint32_t		 anchor;
362 	uint32_t		 nat_rule;
363 	struct pf_addr		 rt_addr;
364 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
365 	char			 ifname[IFNAMSIZ];
366 	char			 orig_ifname[IFNAMSIZ];
367 	uint64_t		 packets[2];
368 	uint64_t		 bytes[2];
369 	uint32_t		 creation;
370 	uint32_t		 expire;
371 	uint32_t		 pfsync_time;
372 	uint16_t		 state_flags;
373 	uint32_t		 sync_flags;
374 	uint16_t		 qid;
375 	uint16_t		 pqid;
376 	uint16_t		 dnpipe;
377 	uint16_t		 dnrpipe;
378 	uint8_t			 log;
379 	int32_t			 rtableid;
380 	uint8_t			 min_ttl;
381 	uint8_t			 set_tos;
382 	uint16_t		 max_mss;
383 	uint8_t			 set_prio[2];
384 	uint8_t			 rt;
385 	char			 rt_ifname[IFNAMSIZ];
386 	uint8_t			 src_node_flags;
387 };
388 
/*
 * List head type for pfctl_state entries and the container filled by
 * pfctl_get_states(); release it with pfctl_free_states().
 */
389 TAILQ_HEAD(pfctl_statelist, pfctl_state);
390 struct pfctl_states {
391 	struct pfctl_statelist	states;
392 };
393 
/*
 * Syncookie operating modes; the enumerators take the implicit values 0, 1
 * and 2 in declaration order.
 * NOTE(review): PFCTL_SYNCOOKIES_MODE_NAMES is declared without a size and
 * is presumably indexed by this enum -- range-check a mode value that came
 * from outside before using it as an index.
 */
394 enum pfctl_syncookies_mode {
395 	PFCTL_SYNCOOKIES_NEVER,
396 	PFCTL_SYNCOOKIES_ALWAYS,
397 	PFCTL_SYNCOOKIES_ADAPTIVE
398 };
399 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
400 
/*
 * Syncookie configuration exchanged through pfctl_set_syncookies() and
 * pfctl_get_syncookies().
 * NOTE(review): highwater/lowwater are percentages stored in uint8_t, so the
 * type admits values above 100 and lowwater > highwater; where that is
 * rejected is not visible in this header -- confirm, and validate at the
 * caller if it is not.
 */
401 struct pfctl_syncookies {
402 	enum pfctl_syncookies_mode	mode;
403 	uint8_t				highwater;	/* Percent */
404 	uint8_t				lowwater;	/* Percent */
405 	uint32_t			halfopen_states;
406 };
407 
/*
 * Userland representation of one source-tracking node, handed to
 * pfctl_get_srcnode_fn callbacks by pfctl_get_srcnodes().
 * NOTE(review): rule is a signed int while rule numbers elsewhere in this
 * header are uint32_t; presumably a negative value means "no rule" --
 * confirm before using it as an index.
 */
408 struct pfctl_src_node {
409 	struct pf_addr		addr;
410 	struct pf_addr		raddr;
411 	int			rule;
412 	uint64_t		bytes[2];
413 	uint64_t		packets[2];
414 	uint32_t		states;
415 	uint32_t		conn;
416 	sa_family_t		af;
417 	sa_family_t		naf;
418 	uint8_t			ruletype;
419 	uint64_t		creation;
420 	uint64_t		expire;
421 	struct pfctl_threshold	conn_rate;
422 	pf_sn_types_t		type;
423 };
424 
/*
 * Path of the pf control device and the opaque handle API built on it.
 * struct pfctl_handle is only forward-declared, so callers cannot inspect
 * it; pfctl_fd() exposes the underlying descriptor for the int dev variants
 * of the calls below.
 * NOTE(review): the failure return of pfctl_open() (presumably NULL) is not
 * stated here -- confirm and check it. Access to the pf device is
 * presumably restricted to privileged users; keep the handle only as long
 * as needed and release it with pfctl_close().
 */
425 #define	PF_DEVICE	"/dev/pf"
426 
427 struct pfctl_handle;
428 struct pfctl_handle	*pfctl_open(const char *pf_device);
429 void	pfctl_close(struct pfctl_handle *);
430 int	pfctl_fd(struct pfctl_handle *);
431 
/*
 * Enable/disable pf and read or reset its status.
 * pfctl_get_status_h()/pfctl_get_status() return a pointer to a
 * pfctl_status that must be released with pfctl_free_status().
 * NOTE(review): presumably NULL is returned on failure -- confirm and check
 * before passing the result to the pfctl_status_*counter() accessors.
 * NOTE(review): pfctl_startstop() toggles packet filtering as a whole
 * (start != 0 presumably enables); callers should treat it as a privileged,
 * auditable action.
 */
432 int	pfctl_startstop(struct pfctl_handle *h, int start);
433 struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
434 struct pfctl_status* pfctl_get_status(int dev);
435 int	pfctl_clear_status(struct pfctl_handle *h);
436 uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
437 uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
438 uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
439 uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
440 void	pfctl_free_status(struct pfctl_status *status);
441 
/*
 * Ethernet- and IP-layer rule retrieval and insertion.
 * Several calls exist in two forms: one taking a raw descriptor (int dev)
 * and an _h form taking a struct pfctl_handle *.
 *
 * NOTE(review): anchor_call on pfctl_get_eth_rule() and the
 * pfctl_get_*rule*() calls is a writable char * with no length argument, so
 * the required buffer size is fixed by the implementation (presumably
 * MAXPATHLEN, matching the path[] members above) -- confirm in libpfctl.c
 * before passing a smaller buffer.
 * NOTE(review): the clear flag on pfctl_get_eth_rule() and
 * pfctl_get_clear_rule*() presumably resets the rule's counters while
 * reading them -- confirm, since that makes the call a write.
 * NOTE(review): for pfctl_get_creatorids(), len presumably carries the
 * capacity of creators on input and the count on output -- confirm.
 */
442 int	pfctl_get_eth_rulesets_info(int dev,
443 	    struct pfctl_eth_rulesets_info *ri, const char *path);
444 int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
445 	    struct pfctl_eth_ruleset_info *ri);
446 int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
447 	    const char *path);
448 int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
449 	    const char *path, struct pfctl_eth_rule *rule, bool clear,
450 	    char *anchor_call);
451 int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
452 	    const char *anchor, const char *anchor_call, uint32_t ticket);
453 int	pfctl_get_rules_info_h(struct pfctl_handle *h,
454 	    struct pfctl_rules_info *rules, uint32_t ruleset,
455 	    const char *path);
456 int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
457 	    uint32_t ruleset, const char *path);
458 int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
459 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
460 	    char *anchor_call);
461 int	pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
462 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
463 	    char *anchor_call);
464 int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
465 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
466 	    char *anchor_call, bool clear);
467 int	pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
468 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
469 	    char *anchor_call, bool clear);
470 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
471 	    const char *anchor, const char *anchor_call, uint32_t ticket,
472 	    uint32_t pool_ticket);
473 int	pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
474 	    const char *anchor, const char *anchor_call, uint32_t ticket,
475 	    uint32_t pool_ticket);
476 int	pfctl_set_keepcounters(int dev, bool keep);
477 int	pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);
478 
/*
 * Filter passed to pfctl_get_filtered_states_iter(): interface name,
 * protocol, address family and an address/mask pair.
 * NOTE(review): zero-initialise before setting fields; how unset members
 * match (presumably "any") is decided in the implementation -- confirm.
 */
479 struct pfctl_state_filter {
480 	char			ifname[IFNAMSIZ];
481 	uint16_t		proto;
482 	sa_family_t		af;
483 	struct pf_addr		addr;
484 	struct pf_addr		mask;
485 };
/*
 * State table access, bulk clears, syncookie settings and table address
 * management.
 *
 * The *_iter calls take a pfctl_get_state_fn callback plus an opaque arg and
 * no descriptor or handle.
 * NOTE(review): whether the pfctl_state handed to the callback stays valid
 * after it returns, and what a non-zero callback return does, is not
 * visible here -- copy what you need inside the callback and confirm.
 *
 * NOTE(review): pfctl_clear_states*(), pfctl_kill_states*(),
 * pfctl_clear_rules(), pfctl_clear_nat() and pfctl_clear_eth_rules() are
 * destructive; *killed presumably receives the number of states removed.
 *
 * NOTE(review): the pfctl_table_*_addrs() calls take the element count of
 * addr as a signed int (size, or *size for pfctl_table_get_addrs()); reject
 * negative or oversized counts at the caller so the count always matches
 * the buffer actually allocated.
 */
486 typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
487 int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
488 int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
489 int	pfctl_get_states(int dev, struct pfctl_states *states);
490 void	pfctl_free_states(struct pfctl_states *states);
491 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
492 	    unsigned int *killed);
493 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
494 	    unsigned int *killed);
495 int	pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
496 	    unsigned int *killed);
497 int	pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
498 	    unsigned int *killed);
499 int	pfctl_clear_rules(int dev, const char *anchorname);
500 int	pfctl_clear_nat(int dev, const char *anchorname);
501 int	pfctl_clear_eth_rules(int dev, const char *anchorname);
502 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
503 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
504 int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
505 	    *addr, int size, int *nadd, int flags);
506 int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
507 	    *addr, int size, int *ndel, int flags);
508 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
509 	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
510 	    int flags);
511 int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
512 	    *addr, int *size, int flags);
513 int	pfctl_set_statusif(struct pfctl_handle *h, const char *ifname);
514 
/*
 * Input key and result for pfctl_natlook(): the key names a connection by
 * address family, direction, protocol and source/destination address and
 * port; the result carries a source/destination address and port pair.
 * NOTE(review): byte order of sport/dport is not stated in this header --
 * confirm before filling the key or interpreting the result.
 */
515 struct pfctl_natlook_key {
516 	sa_family_t af;
517 	uint8_t direction;
518 	uint8_t proto;
519 	struct pf_addr saddr;
520 	struct pf_addr daddr;
521 	uint16_t sport;
522 	uint16_t dport;
523 };
524 struct pfctl_natlook {
525 	struct pf_addr saddr;
526 	struct pf_addr daddr;
527 	uint16_t sport;
528 	uint16_t dport;
529 };
/*
 * Handle-based calls: NAT lookup, debug level, timeouts, limits, pool
 * addresses, ruleset enumeration and source-node iteration.
 * NOTE(review): timeout and index are plain integers chosen by the caller;
 * valid ranges (presumably below PFTM_MAX for timeouts) are not enforced by
 * these signatures -- confirm where they are checked.
 * NOTE(review): ticket on pfctl_get_addrs()/pfctl_get_addr() presumably has
 * to come from a matching earlier call -- confirm the pairing in
 * libpfctl.c.
 * NOTE(review): whether the pfctl_src_node passed to a
 * pfctl_get_srcnode_fn callback stays valid after it returns is not
 * visible here -- copy what you need inside the callback.
 */
530 int	pfctl_natlook(struct pfctl_handle *h,
531 	    const struct pfctl_natlook_key *k, struct pfctl_natlook *r);
532 int	pfctl_set_debug(struct pfctl_handle *h, uint32_t level);
533 int	pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds);
534 int	pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds);
535 int	pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit);
536 int	pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit);
537 int	pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket);
538 int	pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which);
539 int	pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
540 	    uint8_t r_action, const char *anchor, uint32_t *nr, int which);
541 int	pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
542 	    uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa,
543 	    int which);
544 int	pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr);
545 int	pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs);
546 typedef int (*pfctl_get_srcnode_fn)(struct pfctl_src_node*, void *);
547 int	pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg);
548 
/*
 * Table creation and removal through a handle. Each call takes a pfr_table
 * and an int out-parameter (ndel or nadd) plus flags.
 * NOTE(review): pfctl_clear_tables() takes a filter rather than a single
 * table; how broadly an empty filter matches is not visible here -- confirm
 * before calling it with a zeroed pfr_table.
 */
549 int	pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter,
550 	    int *ndel, int flags);
551 int	pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table,
552 	    int *nadd, int flags);
553 int	pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table,
554 	    int *ndel, int flags);
555 
/*
 * Table statistics and bulk clears selected by a const pfr_table filter.
 * pfctl_get_tstats() calls fn with a const pfr_tstats * and the caller's
 * arg.
 * NOTE(review): pfctl_clear_tstats() and pfctl_clear_addrs() modify kernel
 * state for every table the filter selects; *nzero / *ndel presumably
 * report how many entries were affected -- confirm.
 */
556 typedef int (*pfctl_get_tstats_fn)(const struct pfr_tstats *t, void *arg);
557 int	pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
558 	    pfctl_get_tstats_fn fn, void *arg);
559 int	pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
560 	    int *nzero, int flags);
561 int	pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter,
562 	    int *ndel, int flags);
563 
564 #endif
565