/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * - Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above
 *   copyright notice, this list of conditions and the following
 *   disclaimer in the documentation and/or other materials provided
 *   with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * Public types and prototypes of libpfctl: userland structures that
 * mirror pf(4) rules, states, anchors and status, plus the calls that
 * exchange them with the pf control device (PF_DEVICE).
 *
 * Two calling conventions coexist below: older entry points take a raw
 * descriptor (`int dev`), newer ones (usually suffixed `_h`) take an
 * opaque `struct pfctl_handle *` obtained from pfctl_open().
 *
 * NOTE(review): all fixed-size `char` fields (ifname, label, qname,
 * tagname, path, ...) are sized by pf(4) constants; the library is
 * expected to treat them as NUL-terminated strings, so callers filling
 * them must terminate within the bound -- verify against libpfctl.c.
 */

#ifndef _PFCTL_IOCTL_H_
#define _PFCTL_IOCTL_H_

#include <netpfil/pf/pf.h>

/* Forward declarations; both anchor types are defined later in this file. */
struct pfctl_anchor;
struct pfctl_eth_anchor;

/*
 * One named status counter, as returned inside struct pfctl_status.
 * NOTE(review): `name` is a pointer, not an inline array, so it is
 * presumably heap-allocated and released by pfctl_free_status() -- confirm.
 */
struct pfctl_status_counter {
	uint64_t	id;
	uint64_t	counter;
	char		*name;

	TAILQ_ENTRY(pfctl_status_counter) entry;
};
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);

/*
 * Snapshot of global pf status. Obtained from pfctl_get_status() /
 * pfctl_get_status_h() and released with pfctl_free_status().
 */
struct pfctl_status {
	bool		running;
	uint32_t	since;
	uint32_t	debug;
	uint32_t	hostid;
	uint64_t	states;
	uint64_t	src_nodes;
	char		ifname[IFNAMSIZ];
	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
	bool		syncookies_active;
	uint32_t	reass;

	/*
	 * Four counter lists; the pfctl_status_{,l,f,s}counter() accessors
	 * below look up a counter by id in the corresponding list.
	 */
	struct pfctl_status_counters	 counters;
	struct pfctl_status_counters	 lcounters;
	struct pfctl_status_counters	 fcounters;
	struct pfctl_status_counters	 scounters;
	/* Index meaning follows the kernel's pf_status layout -- not visible here. */
	uint64_t	pcounters[2][2][2];
	uint64_t	bcounters[2][2];
};

/* Number of Ethernet rulesets under a path (see pfctl_get_eth_rulesets_info). */
struct pfctl_eth_rulesets_info {
	uint32_t	nr;
};

/* Rule count and ticket for one Ethernet ruleset (see pfctl_get_eth_rules_info). */
struct pfctl_eth_rules_info {
	uint32_t	nr;
	uint32_t	ticket;
};

/* MAC address/mask pair for an Ethernet rule; `neg` inverts the match. */
struct pfctl_eth_addr {
	uint8_t		addr[ETHER_ADDR_LEN];
	uint8_t		mask[ETHER_ADDR_LEN];
	bool		neg;
	bool		isset;
};

/* Userland representation of one Ethernet (layer 2) pf rule. */
struct pfctl_eth_rule {
	uint32_t		 nr;

	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		 ridentifier;

	bool			 quick;

	/* Filter */
	char			 ifname[IFNAMSIZ];
	uint8_t			 ifnot;
	uint8_t			 direction;
	uint16_t		 proto;
	struct pfctl_eth_addr	 src, dst;
	struct pf_rule_addr	 ipsrc, ipdst;
	char			 match_tagname[PF_TAG_NAME_SIZE];
	uint16_t		 match_tag;
	bool			 match_tag_not;

	/* Stats */
	uint64_t		 evaluations;
	uint64_t		 packets[2];
	uint64_t		 bytes[2];
	time_t			 last_active_timestamp;

	/* Action */
	char			 qname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	uint16_t		 dnpipe;
	uint32_t		 dnflags;
	char			 bridge_to[IFNAMSIZ];
	uint8_t			 action;

	struct pfctl_eth_anchor	*anchor;
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	TAILQ_ENTRY(pfctl_eth_rule)	entries;
};
TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);

/* Identity of one Ethernet ruleset (see pfctl_get_eth_ruleset). */
struct pfctl_eth_ruleset_info {
	uint32_t	nr;
	char		name[PF_ANCHOR_NAME_SIZE];
	char		path[MAXPATHLEN];
};

/* Ethernet rule list together with the anchor that owns it. */
struct pfctl_eth_ruleset {
	struct pfctl_eth_rules	 rules;
	struct pfctl_eth_anchor	*anchor;
};

/* Ethernet anchor: a named, path-addressed node holding one ruleset. */
struct pfctl_eth_anchor {
	struct pfctl_eth_anchor	*parent;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];
	struct pfctl_eth_ruleset ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};

/* Address pool used by the nat/rdr/route members of struct pfctl_rule. */
struct pfctl_pool {
	struct pf_palist	 list;
	struct pf_pooladdr	*cur;
	struct pf_poolhashkey	 key;
	struct pf_addr		 counter;
	struct pf_mape_portset	 mape;
	int			 tblidx;
	uint16_t		 proxy_port[2];
	uint8_t			 opts;
};

/* Rule count and ticket for one ruleset (see pfctl_get_rules_info). */
struct pfctl_rules_info {
	uint32_t	nr;
	uint32_t	ticket;
};

/*
 * Userland representation of one pf filter/translation rule.
 * Field groups follow the kernel rule; only the layout is visible here.
 */
struct pfctl_rule {
	struct pf_rule_addr	 src;
	struct pf_rule_addr	 dst;
	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		 ridentifier;
	char			 ifname[IFNAMSIZ];
	char			 qname[PF_QNAME_SIZE];
	char			 pqname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	char			 match_tagname[PF_TAG_NAME_SIZE];

	char			 overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pfctl_rule)	 entries;
	struct pfctl_pool	 nat;
	union {
		/* Alias old and new names. */
		struct pfctl_pool	 rpool;
		struct pfctl_pool	 rdr;
	};
	struct pfctl_pool	 route;

	uint64_t		 evaluations;
	uint64_t		 packets[2];
	uint64_t		 bytes[2];
	time_t			 last_active_timestamp;

	/* Kernel-side pointers; presumably opaque to userland callers -- confirm. */
	struct pfi_kif		*kif;
	struct pfctl_anchor	*anchor;
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		 os_fingerprint;

	int			 rtableid;
	uint32_t		 timeout[PFTM_MAX];
	uint32_t		 max_states;
	uint32_t		 max_src_nodes;
	uint32_t		 max_src_states;
	uint32_t		 max_src_conn;
	struct {
		uint32_t		limit;
		uint32_t		seconds;
	}			 max_src_conn_rate;
	uint32_t		 qid;
	uint32_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint32_t		 free_flags;
	uint32_t		 nr;
	uint32_t		 prob;
	/* Presumably the uid/pid of the process that created the rule -- confirm. */
	uid_t			 cuid;
	pid_t			 cpid;

	uint64_t		 states_cur;
	uint64_t		 states_tot;
	uint64_t		 src_nodes;
	uint64_t		 src_nodes_type[PF_SN_MAX];

	uint16_t		 return_icmp;
	uint16_t		 return_icmp6;
	uint16_t		 max_mss;
	uint16_t		 tag;
	uint16_t		 match_tag;
	uint16_t		 scrub_flags;

	struct pf_rule_uid	 uid;
	struct pf_rule_gid	 gid;
	char			 rcv_ifname[IFNAMSIZ];
	bool			 rcvifnot;

	uint32_t		 rule_flag;
	uint8_t			 action;
	uint8_t			 direction;
	uint8_t			 log;
	uint8_t			 logif;
	uint8_t			 quick;
	uint8_t			 ifnot;
	uint8_t			 match_tag_not;
	uint8_t			 natpass;

	uint8_t			 keep_state;
	sa_family_t		 af;
	uint8_t			 proto;
	uint8_t			 type;
	uint8_t			 code;
	uint8_t			 flags;
	uint8_t			 flagset;
	uint8_t			 min_ttl;
	uint8_t			 allow_opts;
	uint8_t			 rt;
	uint8_t			 return_ttl;
	uint8_t			 tos;
	uint8_t			 set_tos;
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	uint8_t			 flush;
	uint8_t			 prio;
	uint8_t			 set_prio[2];
	sa_family_t		 naf;

	struct {
		struct pf_addr		addr;
		uint16_t		port;
	}			 divert;
};

TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);

/*
 * Per-anchor ruleset: one active/inactive queue pair for each of the
 * PF_RULESET_MAX rule types, plus table state.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue	 queues[2];
		struct {
			struct pfctl_rulequeue	*ptr;
			struct pfctl_rule	**ptr_array;
			uint32_t		 rcount;
			uint32_t		 ticket;
			int			 open;
		}			 active, inactive;
	}			 rules[PF_RULESET_MAX];
	struct pfctl_anchor	*anchor;
	uint32_t		 tticket;
	int			 tables;
	int			 topen;
};

/* Anchors are kept in two red-black trees: a global one and a per-parent one. */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor)	 entry_global;
	RB_ENTRY(pfctl_anchor)	 entry_node;
	struct pfctl_anchor	*parent;
	struct pfctl_anchor_node children;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];
	struct pfctl_ruleset	 ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};
/* Both trees are ordered by pf_anchor_compare(), defined elsewhere. */
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);

/* Identity of a single state, used to select it for killing. */
struct pfctl_state_cmp {
	uint64_t	id;
	uint32_t	creatorid;
	uint8_t		direction;
};

/*
 * Selection criteria for pfctl_clear_states() / pfctl_kill_states().
 * NOTE(review): `proto` is an `int` here but `uint8_t` in the state and
 * rule structures; presumably only the low byte is meaningful -- confirm.
 */
struct pfctl_kill {
	struct pfctl_state_cmp	cmp;
	sa_family_t		af;
	int			proto;
	struct pf_rule_addr	src;
	struct pf_rule_addr	dst;
	struct pf_rule_addr	rt_addr;
	char			ifname[IFNAMSIZ];
	char			label[PF_RULE_LABEL_SIZE];
	bool			kill_match;
	bool			nat;
};

/* TCP sequence tracking for one side of a state. */
struct pfctl_state_peer {
	uint32_t	seqlo;
	uint32_t	seqhi;
	uint32_t	seqdiff;
	uint8_t		state;
	uint8_t		wscale;
};

/* Address/port pair that identifies one direction of a state. */
struct pfctl_state_key {
	struct pf_addr	addr[2];
	uint16_t	port[2];
	sa_family_t	af;
	uint8_t		proto;
};

/* Userland copy of one pf state entry. */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state)	entry;

	uint64_t		 id;
	uint32_t		 creatorid;
	uint8_t			 direction;

	struct pfctl_state_peer	 src;
	struct pfctl_state_peer	 dst;

	uint32_t		 rule;
	uint32_t		 anchor;
	uint32_t		 nat_rule;
	struct pf_addr		 rt_addr;
	struct pfctl_state_key	 key[2];	/* addresses stack and wire */
	char			 ifname[IFNAMSIZ];
	char			 orig_ifname[IFNAMSIZ];
	uint64_t		 packets[2];
	uint64_t		 bytes[2];
	uint32_t		 creation;
	uint32_t		 expire;
	uint32_t		 pfsync_time;
	uint16_t		 state_flags;
	uint32_t		 sync_flags;
	uint16_t		 qid;
	uint16_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint8_t			 log;
	int32_t			 rtableid;
	uint8_t			 min_ttl;
	uint8_t			 set_tos;
	uint16_t		 max_mss;
	uint8_t			 set_prio[2];
	uint8_t			 rt;
	char			 rt_ifname[IFNAMSIZ];
	uint8_t			 src_node_flags;
};

/* Result of pfctl_get_states(); released with pfctl_free_states(). */
TAILQ_HEAD(pfctl_statelist, pfctl_state);
struct pfctl_states {
	struct pfctl_statelist	states;
};

enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
/* Human-readable names, presumably indexed by enum pfctl_syncookies_mode. */
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];

/* SYN cookie configuration for pfctl_set_syncookies() / pfctl_get_syncookies(). */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode	mode;
	uint8_t				highwater;	/* Percent */
	uint8_t				lowwater;	/* Percent */
	uint32_t			halfopen_states;
};

/* Rate limit (limit events per `seconds`) with its current counter. */
struct pfctl_threshold {
	uint32_t	limit;
	uint32_t	seconds;
	uint32_t	count;
	uint32_t	last;
};

/* Userland copy of one source-tracking node (see pfctl_get_srcnodes). */
struct pfctl_src_node {
	struct pf_addr		addr;
	struct pf_addr		raddr;
	int			rule;
	uint64_t		bytes[2];
	uint64_t		packets[2];
	uint32_t		states;
	uint32_t		conn;
	sa_family_t		af;
	sa_family_t		naf;
	uint8_t			ruletype;
	uint64_t		creation;
	uint64_t		expire;
	struct pfctl_threshold	conn_rate;
	pf_sn_types_t		type;
};

/* Default path of the pf control device. */
#define PF_DEVICE "/dev/pf"

/*
 * Opaque library handle. pfctl_open() opens the given device path and
 * pfctl_close() releases the handle; pfctl_fd() exposes the underlying
 * descriptor for the older `int dev` entry points.
 * NOTE(review): the failure value of pfctl_open() is not visible here;
 * presumably NULL -- confirm before relying on it.
 */
struct pfctl_handle;
struct pfctl_handle	*pfctl_open(const char *pf_device);
void	pfctl_close(struct pfctl_handle *);
int	pfctl_fd(struct pfctl_handle *);

/* Enable (start != 0) or disable packet filtering. */
int	pfctl_startstop(struct pfctl_handle *h, int start);
/*
 * Status retrieval. The returned struct pfctl_status is owned by the
 * caller and must be released with pfctl_free_status(). The counter
 * accessors look up a counter by id in the matching list of `status`.
 */
struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
struct pfctl_status* pfctl_get_status(int dev);
int	pfctl_clear_status(struct pfctl_handle *h);
uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
void	pfctl_free_status(struct pfctl_status *status);

/* Ethernet ruleset and rule access, all keyed by anchor `path`. */
int	pfctl_get_eth_rulesets_info(int dev,
	    struct pfctl_eth_rulesets_info *ri, const char *path);
int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
	    struct pfctl_eth_ruleset_info *ri);
int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
	    const char *path);
/*
 * NOTE(review): `anchor_call` is an output buffer with no size parameter
 * (same for the pfctl_get_rule*() family below); its required capacity is
 * a library contract not visible in this header -- verify in libpfctl.c
 * before passing anything smaller than MAXPATHLEN.
 */
int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *path, struct pfctl_eth_rule *rule, bool clear,
	    char *anchor_call);
int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket);
/*
 * Layer 3 rule access. `ticket` comes from the *_rules_info calls;
 * `clear` variants presumably reset the rule's counters on read -- confirm.
 */
int	pfctl_get_rules_info_h(struct pfctl_handle *h,
	    struct pfctl_rules_info *rules, uint32_t ruleset,
	    const char *path);
int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
	    uint32_t ruleset, const char *path);
int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_set_keepcounters(int dev, bool keep);
/*
 * NOTE(review): `len` is presumably in/out -- capacity of `creators` on
 * entry, number filled on return -- confirm against the implementation.
 */
int	pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);

/* Match criteria for pfctl_get_filtered_states_iter(). */
struct pfctl_state_filter {
	char		ifname[IFNAMSIZ];
	uint16_t	proto;
	sa_family_t	af;
	struct pf_addr	addr;
	struct pf_addr	mask;
};
/*
 * State iteration: `f` is invoked once per state with `arg`.
 * NOTE(review): the meaning of a non-zero return from `f` (stop vs.
 * error) is not visible here -- confirm before relying on it.
 */
typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
int	pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
int	pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
/* Bulk state retrieval; release the result with pfctl_free_states(). */
int	pfctl_get_states(int dev, struct pfctl_states *states);
void	pfctl_free_states(struct pfctl_states *states);
/* State removal; `killed` receives the number of affected states. */
int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_clear_rules(int dev, const char *anchorname);
int	pfctl_clear_nat(int dev, const char *anchorname);
int	pfctl_clear_eth_rules(int dev, const char *anchorname);
int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address manipulation. `addr` is an array, `size` its element
 * count; the `n*` out-parameters report how many entries were affected.
 * NOTE(review): `size` is a signed int; callers should not pass
 * negative or overlarge counts -- bounds are checked by the library or
 * kernel, not visible here.
 */
int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *nadd, int flags);
int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *ndel, int flags);
int	pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
	    int flags);
int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int *size, int flags);
int	pfctl_set_statusif(struct pfctl_handle *h, const char *ifname);

/* NAT lookup: translate the 5-tuple in `k` into the addresses in `r`. */
struct pfctl_natlook_key {
	sa_family_t	af;
	uint8_t		direction;
	uint8_t		proto;
	struct pf_addr	saddr;
	struct pf_addr	daddr;
	uint16_t	sport;
	uint16_t	dport;
};
struct pfctl_natlook {
	struct pf_addr	saddr;
	struct pf_addr	daddr;
	uint16_t	sport;
	uint16_t	dport;
};
int	pfctl_natlook(struct pfctl_handle *h,
	    const struct pfctl_natlook_key *k, struct pfctl_natlook *r);
int	pfctl_set_debug(struct pfctl_handle *h, uint32_t level);
int	pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds);
int	pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds);
int	pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit);
int	pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit);
/* Pool address transactions: begin with a ticket, then add/query by ticket. */
int	pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket);
int	pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which);
int	pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
	    uint8_t r_action, const char *anchor, uint32_t *nr, int which);
int	pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
	    uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa,
	    int which);
int	pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr);
int	pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs);
/* Source node iteration: `fn` is called once per node with `arg`. */
typedef int (*pfctl_get_srcnode_fn)(struct pfctl_src_node*, void *);
int	pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg);

/* Table management; the `n*` out-parameters report affected table counts. */
int	pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter,
	    int *ndel, int flags);
int	pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table,
	    int *nadd, int flags);
int	pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table,
	    int *ndel, int flags);

#endif