1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 struct pfctl_eth_anchor; 41 42 struct pfctl_status_counter { 43 uint64_t id; 44 uint64_t counter; 45 char *name; 46 47 TAILQ_ENTRY(pfctl_status_counter) entry; 48 }; 49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 50 51 struct pfctl_status { 52 bool running; 53 uint32_t since; 54 uint32_t debug; 55 uint32_t hostid; 56 uint64_t states; 57 uint64_t src_nodes; 58 char ifname[IFNAMSIZ]; 59 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 60 bool syncookies_active; 61 62 struct pfctl_status_counters counters; 63 struct pfctl_status_counters lcounters; 64 struct pfctl_status_counters fcounters; 65 struct pfctl_status_counters scounters; 66 uint64_t pcounters[2][2][3]; 67 uint64_t bcounters[2][2]; 68 }; 69 70 struct pfctl_eth_rulesets_info { 71 uint32_t nr; 72 }; 73 74 struct pfctl_eth_rules_info { 75 uint32_t nr; 76 uint32_t ticket; 77 }; 78 79 struct pfctl_eth_addr { 80 uint8_t addr[ETHER_ADDR_LEN]; 81 uint8_t mask[ETHER_ADDR_LEN]; 82 bool neg; 83 bool isset; 84 }; 85 86 struct pfctl_eth_rule { 87 uint32_t nr; 88 89 bool quick; 90 91 /* Filter */ 92 char ifname[IFNAMSIZ]; 93 uint8_t ifnot; 94 uint8_t direction; 95 uint16_t proto; 96 struct pfctl_eth_addr src, dst; 97 struct pf_rule_addr ipsrc, ipdst; 98 char match_tagname[PF_TAG_NAME_SIZE]; 99 uint16_t match_tag; 100 bool match_tag_not; 101 102 /* Stats */ 103 uint64_t evaluations; 104 uint64_t packets[2]; 105 uint64_t bytes[2]; 106 time_t last_active_timestamp; 107 108 /* Action */ 109 char qname[PF_QNAME_SIZE]; 110 char tagname[PF_TAG_NAME_SIZE]; 111 uint16_t dnpipe; 112 uint32_t dnflags; 113 char bridge_to[IFNAMSIZ]; 114 uint8_t action; 115 116 struct pfctl_eth_anchor *anchor; 117 uint8_t anchor_relative; 118 uint8_t anchor_wildcard; 119 120 TAILQ_ENTRY(pfctl_eth_rule) entries; 121 }; 122 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 123 124 struct pfctl_eth_ruleset_info { 125 uint32_t nr; 126 char name[PF_ANCHOR_NAME_SIZE]; 127 char path[MAXPATHLEN]; 128 }; 129 130 struct pfctl_eth_ruleset { 131 struct pfctl_eth_rules rules; 132 struct pfctl_eth_anchor *anchor; 133 }; 134 135 struct pfctl_eth_anchor { 136 struct pfctl_eth_anchor *parent; 137 char name[PF_ANCHOR_NAME_SIZE]; 138 char path[MAXPATHLEN]; 139 struct pfctl_eth_ruleset ruleset; 140 int refcnt; /* anchor rules */ 141 int match; /* XXX: used for pfctl black magic */ 142 }; 143 144 struct pfctl_pool { 145 struct pf_palist list; 146 struct pf_pooladdr *cur; 147 struct pf_poolhashkey key; 148 struct pf_addr counter; 149 struct pf_mape_portset mape; 150 int tblidx; 151 uint16_t proxy_port[2]; 152 uint8_t opts; 153 }; 154 155 struct pfctl_rules_info { 156 uint32_t nr; 157 uint32_t ticket; 158 }; 159 160 struct pfctl_rule { 161 struct pf_rule_addr src; 162 struct pf_rule_addr dst; 163 union pf_rule_ptr skip[PF_SKIP_COUNT]; 164 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 165 uint32_t ridentifier; 166 char ifname[IFNAMSIZ]; 167 char qname[PF_QNAME_SIZE]; 168 char pqname[PF_QNAME_SIZE]; 169 char tagname[PF_TAG_NAME_SIZE]; 170 char match_tagname[PF_TAG_NAME_SIZE]; 171 172 char overload_tblname[PF_TABLE_NAME_SIZE]; 173 174 TAILQ_ENTRY(pfctl_rule) entries; 175 struct pfctl_pool rpool; 176 177 uint64_t evaluations; 178 uint64_t packets[2]; 179 uint64_t bytes[2]; 180 time_t last_active_timestamp; 181 182 struct pfi_kif *kif; 183 struct pfctl_anchor *anchor; 184 struct pfr_ktable *overload_tbl; 185 186 pf_osfp_t os_fingerprint; 187 188 int rtableid; 189 uint32_t timeout[PFTM_MAX]; 190 uint32_t max_states; 191 uint32_t max_src_nodes; 192 uint32_t max_src_states; 193 uint32_t max_src_conn; 194 struct { 195 uint32_t limit; 196 uint32_t seconds; 197 } max_src_conn_rate; 198 uint32_t qid; 199 uint32_t pqid; 200 uint16_t dnpipe; 201 uint16_t dnrpipe; 202 uint32_t free_flags; 203 uint32_t nr; 204 uint32_t prob; 205 uid_t cuid; 206 pid_t cpid; 207 208 uint64_t states_cur; 209 uint64_t states_tot; 210 uint64_t src_nodes; 211 212 uint16_t return_icmp; 213 uint16_t return_icmp6; 214 uint16_t max_mss; 215 uint16_t tag; 216 uint16_t match_tag; 217 uint16_t scrub_flags; 218 219 struct pf_rule_uid uid; 220 struct pf_rule_gid gid; 221 222 uint32_t rule_flag; 223 uint8_t action; 224 uint8_t direction; 225 uint8_t log; 226 uint8_t logif; 227 uint8_t quick; 228 uint8_t ifnot; 229 uint8_t match_tag_not; 230 uint8_t natpass; 231 232 uint8_t keep_state; 233 sa_family_t af; 234 uint8_t proto; 235 uint8_t type; 236 uint8_t code; 237 uint8_t flags; 238 uint8_t flagset; 239 uint8_t min_ttl; 240 uint8_t allow_opts; 241 uint8_t rt; 242 uint8_t return_ttl; 243 uint8_t tos; 244 uint8_t set_tos; 245 uint8_t anchor_relative; 246 uint8_t anchor_wildcard; 247 248 uint8_t flush; 249 uint8_t prio; 250 uint8_t set_prio[2]; 251 252 struct { 253 struct pf_addr addr; 254 uint16_t port; 255 } divert; 256 }; 257 258 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 259 260 struct pfctl_ruleset { 261 struct { 262 struct pfctl_rulequeue queues[2]; 263 struct { 264 struct pfctl_rulequeue *ptr; 265 struct pfctl_rule **ptr_array; 266 uint32_t rcount; 267 uint32_t ticket; 268 int open; 269 } active, inactive; 270 } rules[PF_RULESET_MAX]; 271 struct pfctl_anchor *anchor; 272 uint32_t tticket; 273 int tables; 274 int topen; 275 }; 276 277 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 278 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 279 struct pfctl_anchor { 280 RB_ENTRY(pfctl_anchor) entry_global; 281 RB_ENTRY(pfctl_anchor) entry_node; 282 struct pfctl_anchor *parent; 283 struct pfctl_anchor_node children; 284 char name[PF_ANCHOR_NAME_SIZE]; 285 char path[MAXPATHLEN]; 286 struct pfctl_ruleset ruleset; 287 int refcnt; /* anchor rules */ 288 int match; /* XXX: used for pfctl black magic */ 289 }; 290 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 291 pf_anchor_compare); 292 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 293 pf_anchor_compare); 294 295 struct pfctl_state_cmp { 296 uint64_t id; 297 uint32_t creatorid; 298 uint8_t direction; 299 }; 300 301 struct pfctl_kill { 302 struct pfctl_state_cmp cmp; 303 sa_family_t af; 304 int proto; 305 struct pf_rule_addr src; 306 struct pf_rule_addr dst; 307 struct pf_rule_addr rt_addr; 308 char ifname[IFNAMSIZ]; 309 char label[PF_RULE_LABEL_SIZE]; 310 bool kill_match; 311 }; 312 313 struct pfctl_state_peer { 314 uint32_t seqlo; 315 uint32_t seqhi; 316 uint32_t seqdiff; 317 uint8_t state; 318 uint8_t wscale; 319 }; 320 321 struct pfctl_state_key { 322 struct pf_addr addr[2]; 323 uint16_t port[2]; 324 sa_family_t af; 325 uint8_t proto; 326 }; 327 328 struct pfctl_state { 329 TAILQ_ENTRY(pfctl_state) entry; 330 331 uint64_t id; 332 uint32_t creatorid; 333 uint8_t direction; 334 335 struct pfctl_state_peer src; 336 struct pfctl_state_peer dst; 337 338 uint32_t rule; 339 uint32_t anchor; 340 uint32_t nat_rule; 341 struct pf_addr rt_addr; 342 struct pfctl_state_key key[2]; /* addresses stack and wire */ 343 char ifname[IFNAMSIZ]; 344 char orig_ifname[IFNAMSIZ]; 345 uint64_t packets[2]; 346 uint64_t bytes[2]; 347 uint32_t creation; 348 uint32_t expire; 349 uint32_t pfsync_time; 350 uint8_t state_flags; 351 uint32_t sync_flags; 352 }; 353 354 TAILQ_HEAD(pfctl_statelist, pfctl_state); 355 struct pfctl_states { 356 struct pfctl_statelist states; 357 size_t count; 358 }; 359 360 enum pfctl_syncookies_mode { 361 PFCTL_SYNCOOKIES_NEVER, 362 PFCTL_SYNCOOKIES_ALWAYS, 363 PFCTL_SYNCOOKIES_ADAPTIVE 364 }; 365 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 366 367 struct pfctl_syncookies { 368 enum pfctl_syncookies_mode mode; 369 uint8_t highwater; /* Percent */ 370 uint8_t lowwater; /* Percent */ 371 }; 372 373 struct pfctl_status* pfctl_get_status(int dev); 374 void pfctl_free_status(struct pfctl_status *status); 375 376 int pfctl_get_eth_rulesets_info(int dev, 377 struct pfctl_eth_rulesets_info *ri, const char *path); 378 int pfctl_get_eth_ruleset(int dev, const char *path, int nr, 379 struct pfctl_eth_ruleset_info *ri); 380 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 381 const char *path); 382 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 383 const char *path, struct pfctl_eth_rule *rule, bool clear, 384 char *anchor_call); 385 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 386 const char *anchor, const char *anchor_call, uint32_t ticket); 387 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 388 uint32_t ruleset, const char *path); 389 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 390 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 391 char *anchor_call); 392 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 393 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 394 char *anchor_call, bool clear); 395 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 396 const char *anchor, const char *anchor_call, uint32_t ticket, 397 uint32_t pool_ticket); 398 int pfctl_set_keepcounters(int dev, bool keep); 399 int pfctl_get_states(int dev, struct pfctl_states *states); 400 void pfctl_free_states(struct pfctl_states *states); 401 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 402 unsigned int *killed); 403 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 404 unsigned int *killed); 405 int pfctl_clear_rules(int dev, const char *anchorname); 406 int pfctl_clear_nat(int dev, const char *anchorname); 407 int pfctl_clear_eth_rules(int dev, const char *anchorname); 408 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 409 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 410 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 411 *addr, int size, int *nadd, int flags); 412 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 413 *addr, int size, int *ndel, int flags); 414 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 415 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, 416 int flags); 417 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 418 *addr, int *size, int flags); 419 #endif 420