xref: /freebsd/lib/libpfctl/libpfctl.h (revision 058ac3e8063366dafa634d9107642e12b038bf09)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 struct pfctl_eth_anchor;
41 
42 struct pfctl_status_counter {
43 	uint64_t	 id;
44 	uint64_t	 counter;
45 	char		*name;
46 
47 	TAILQ_ENTRY(pfctl_status_counter) entry;
48 };
49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
50 
51 struct pfctl_status {
52 	bool		running;
53 	uint32_t	since;
54 	uint32_t	debug;
55 	uint32_t	hostid;
56 	uint64_t	states;
57 	uint64_t	src_nodes;
58 	char		ifname[IFNAMSIZ];
59 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
60 	bool		syncookies_active;
61 
62 	struct pfctl_status_counters	 counters;
63 	struct pfctl_status_counters	 lcounters;
64 	struct pfctl_status_counters	 fcounters;
65 	struct pfctl_status_counters	 scounters;
66 	uint64_t	pcounters[2][2][3];
67 	uint64_t	bcounters[2][2];
68 };
69 
70 struct pfctl_eth_rulesets_info {
71 	uint32_t	nr;
72 };
73 
74 struct pfctl_eth_rules_info {
75 	uint32_t	nr;
76 	uint32_t	ticket;
77 };
78 
79 struct pfctl_eth_addr {
80 	uint8_t	addr[ETHER_ADDR_LEN];
81 	uint8_t	mask[ETHER_ADDR_LEN];
82 	bool	neg;
83 	bool	isset;
84 };
85 
86 struct pfctl_eth_rule {
87 	uint32_t		 nr;
88 
89 	bool			 quick;
90 
91 	/* Filter */
92 	char			 ifname[IFNAMSIZ];
93 	uint8_t			 ifnot;
94 	uint8_t			 direction;
95 	uint16_t		 proto;
96 	struct pfctl_eth_addr	 src, dst;
97 	struct pf_rule_addr	 ipsrc, ipdst;
98 	char			 match_tagname[PF_TAG_NAME_SIZE];
99 	uint16_t		 match_tag;
100 	bool			 match_tag_not;
101 
102 	/* Stats */
103 	uint64_t		 evaluations;
104 	uint64_t		 packets[2];
105 	uint64_t		 bytes[2];
106 	time_t			 last_active_timestamp;
107 
108 	/* Action */
109 	char			 qname[PF_QNAME_SIZE];
110 	char			 tagname[PF_TAG_NAME_SIZE];
111 	uint16_t		 dnpipe;
112 	uint32_t		 dnflags;
113 	char			 bridge_to[IFNAMSIZ];
114 	uint8_t			 action;
115 
116 	struct pfctl_eth_anchor	*anchor;
117 	uint8_t			 anchor_relative;
118 	uint8_t			 anchor_wildcard;
119 
120 	TAILQ_ENTRY(pfctl_eth_rule)	 entries;
121 };
122 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
123 
124 struct pfctl_eth_ruleset_info {
125 	uint32_t	nr;
126 	char		name[PF_ANCHOR_NAME_SIZE];
127 	char		path[MAXPATHLEN];
128 };
129 
130 struct pfctl_eth_ruleset {
131 	struct pfctl_eth_rules	 rules;
132 	struct pfctl_eth_anchor	*anchor;
133 };
134 
135 struct pfctl_eth_anchor {
136 	struct pfctl_eth_anchor		*parent;
137 	char				 name[PF_ANCHOR_NAME_SIZE];
138 	char				 path[MAXPATHLEN];
139 	struct pfctl_eth_ruleset	 ruleset;
140 	int				 refcnt;	/* anchor rules */
141 	int				 match;	/* XXX: used for pfctl black magic */
142 };
143 
144 struct pfctl_pool {
145 	struct pf_palist	 list;
146 	struct pf_pooladdr	*cur;
147 	struct pf_poolhashkey	 key;
148 	struct pf_addr		 counter;
149 	struct pf_mape_portset	 mape;
150 	int			 tblidx;
151 	uint16_t		 proxy_port[2];
152 	uint8_t			 opts;
153 };
154 
155 struct pfctl_rules_info {
156 	uint32_t	nr;
157 	uint32_t	ticket;
158 };
159 
160 struct pfctl_rule {
161 	struct pf_rule_addr	 src;
162 	struct pf_rule_addr	 dst;
163 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
164 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
165 	uint32_t		 ridentifier;
166 	char			 ifname[IFNAMSIZ];
167 	char			 qname[PF_QNAME_SIZE];
168 	char			 pqname[PF_QNAME_SIZE];
169 	char			 tagname[PF_TAG_NAME_SIZE];
170 	char			 match_tagname[PF_TAG_NAME_SIZE];
171 
172 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
173 
174 	TAILQ_ENTRY(pfctl_rule)	 entries;
175 	struct pfctl_pool	 rpool;
176 
177 	uint64_t		 evaluations;
178 	uint64_t		 packets[2];
179 	uint64_t		 bytes[2];
180 	time_t			 last_active_timestamp;
181 
182 	struct pfi_kif		*kif;
183 	struct pfctl_anchor	*anchor;
184 	struct pfr_ktable	*overload_tbl;
185 
186 	pf_osfp_t		 os_fingerprint;
187 
188 	int			 rtableid;
189 	uint32_t		 timeout[PFTM_MAX];
190 	uint32_t		 max_states;
191 	uint32_t		 max_src_nodes;
192 	uint32_t		 max_src_states;
193 	uint32_t		 max_src_conn;
194 	struct {
195 		uint32_t		limit;
196 		uint32_t		seconds;
197 	}			 max_src_conn_rate;
198 	uint32_t		 qid;
199 	uint32_t		 pqid;
200 	uint16_t		 dnpipe;
201 	uint16_t		 dnrpipe;
202 	uint32_t		 free_flags;
203 	uint32_t		 nr;
204 	uint32_t		 prob;
205 	uid_t			 cuid;
206 	pid_t			 cpid;
207 
208 	uint64_t		 states_cur;
209 	uint64_t		 states_tot;
210 	uint64_t		 src_nodes;
211 
212 	uint16_t		 return_icmp;
213 	uint16_t		 return_icmp6;
214 	uint16_t		 max_mss;
215 	uint16_t		 tag;
216 	uint16_t		 match_tag;
217 	uint16_t		 scrub_flags;
218 
219 	struct pf_rule_uid	 uid;
220 	struct pf_rule_gid	 gid;
221 
222 	uint32_t		 rule_flag;
223 	uint8_t			 action;
224 	uint8_t			 direction;
225 	uint8_t			 log;
226 	uint8_t			 logif;
227 	uint8_t			 quick;
228 	uint8_t			 ifnot;
229 	uint8_t			 match_tag_not;
230 	uint8_t			 natpass;
231 
232 	uint8_t			 keep_state;
233 	sa_family_t		 af;
234 	uint8_t			 proto;
235 	uint8_t			 type;
236 	uint8_t			 code;
237 	uint8_t			 flags;
238 	uint8_t			 flagset;
239 	uint8_t			 min_ttl;
240 	uint8_t			 allow_opts;
241 	uint8_t			 rt;
242 	uint8_t			 return_ttl;
243 	uint8_t			 tos;
244 	uint8_t			 set_tos;
245 	uint8_t			 anchor_relative;
246 	uint8_t			 anchor_wildcard;
247 
248 	uint8_t			 flush;
249 	uint8_t			 prio;
250 	uint8_t			 set_prio[2];
251 
252 	struct {
253 		struct pf_addr		addr;
254 		uint16_t		port;
255 	}			divert;
256 };
257 
258 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
259 
260 struct pfctl_ruleset {
261 	struct {
262 		struct pfctl_rulequeue	 queues[2];
263 		struct {
264 			struct pfctl_rulequeue	*ptr;
265 			struct pfctl_rule	**ptr_array;
266 			uint32_t		 rcount;
267 			uint32_t		 ticket;
268 			int			 open;
269 		}			 active, inactive;
270 	}			 rules[PF_RULESET_MAX];
271 	struct pfctl_anchor	*anchor;
272 	uint32_t		 tticket;
273 	int			 tables;
274 	int			 topen;
275 };
276 
277 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
278 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
279 struct pfctl_anchor {
280 	RB_ENTRY(pfctl_anchor)	 entry_global;
281 	RB_ENTRY(pfctl_anchor)	 entry_node;
282 	struct pfctl_anchor	*parent;
283 	struct pfctl_anchor_node children;
284 	char			 name[PF_ANCHOR_NAME_SIZE];
285 	char			 path[MAXPATHLEN];
286 	struct pfctl_ruleset	 ruleset;
287 	int			 refcnt;	/* anchor rules */
288 	int			 match;	/* XXX: used for pfctl black magic */
289 };
290 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
291     pf_anchor_compare);
292 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
293     pf_anchor_compare);
294 
295 struct pfctl_state_cmp {
296 	uint64_t	id;
297 	uint32_t	creatorid;
298 	uint8_t		direction;
299 };
300 
301 struct pfctl_kill {
302 	struct pfctl_state_cmp	cmp;
303 	sa_family_t		af;
304 	int			proto;
305 	struct pf_rule_addr	src;
306 	struct pf_rule_addr	dst;
307 	struct pf_rule_addr	rt_addr;
308 	char			ifname[IFNAMSIZ];
309 	char			label[PF_RULE_LABEL_SIZE];
310 	bool			kill_match;
311 };
312 
313 struct pfctl_state_peer {
314 	uint32_t			 seqlo;
315 	uint32_t			 seqhi;
316 	uint32_t			 seqdiff;
317 	uint8_t				 state;
318 	uint8_t				 wscale;
319 };
320 
321 struct pfctl_state_key {
322 	struct pf_addr	 addr[2];
323 	uint16_t	 port[2];
324 	sa_family_t	 af;
325 	uint8_t	 	 proto;
326 };
327 
328 struct pfctl_state {
329 	TAILQ_ENTRY(pfctl_state)	entry;
330 
331 	uint64_t		 id;
332 	uint32_t		 creatorid;
333 	uint8_t		 	 direction;
334 
335 	struct pfctl_state_peer	 src;
336 	struct pfctl_state_peer	 dst;
337 
338 	uint32_t		 rule;
339 	uint32_t		 anchor;
340 	uint32_t		 nat_rule;
341 	struct pf_addr		 rt_addr;
342 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
343 	char			 ifname[IFNAMSIZ];
344 	char			 orig_ifname[IFNAMSIZ];
345 	uint64_t		 packets[2];
346 	uint64_t		 bytes[2];
347 	uint32_t		 creation;
348 	uint32_t		 expire;
349 	uint32_t		 pfsync_time;
350 	uint8_t			 state_flags;
351 	uint32_t		 sync_flags;
352 };
353 
354 TAILQ_HEAD(pfctl_statelist, pfctl_state);
355 struct pfctl_states {
356 	struct pfctl_statelist	states;
357 	size_t 			count;
358 };
359 
360 enum pfctl_syncookies_mode {
361 	PFCTL_SYNCOOKIES_NEVER,
362 	PFCTL_SYNCOOKIES_ALWAYS,
363 	PFCTL_SYNCOOKIES_ADAPTIVE
364 };
365 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
366 
367 struct pfctl_syncookies {
368 	enum pfctl_syncookies_mode	mode;
369 	uint8_t				highwater;	/* Percent */
370 	uint8_t				lowwater;	/* Percent */
371 };
372 
373 struct pfctl_status* pfctl_get_status(int dev);
374 void	pfctl_free_status(struct pfctl_status *status);
375 
376 int	pfctl_get_eth_rulesets_info(int dev,
377 	    struct pfctl_eth_rulesets_info *ri, const char *path);
378 int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
379 	    struct pfctl_eth_ruleset_info *ri);
380 int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
381 	    const char *path);
382 int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
383 	    const char *path, struct pfctl_eth_rule *rule, bool clear,
384 	    char *anchor_call);
385 int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
386 	    const char *anchor, const char *anchor_call, uint32_t ticket);
387 int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
388 	    uint32_t ruleset, const char *path);
389 int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
390 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
391 	    char *anchor_call);
392 int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
393 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
394 	    char *anchor_call, bool clear);
395 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
396 	    const char *anchor, const char *anchor_call, uint32_t ticket,
397 	    uint32_t pool_ticket);
398 int	pfctl_set_keepcounters(int dev, bool keep);
399 int	pfctl_get_states(int dev, struct pfctl_states *states);
400 void	pfctl_free_states(struct pfctl_states *states);
401 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
402 	    unsigned int *killed);
403 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
404 	    unsigned int *killed);
405 int	pfctl_clear_rules(int dev, const char *anchorname);
406 int	pfctl_clear_nat(int dev, const char *anchorname);
407 int	pfctl_clear_eth_rules(int dev, const char *anchorname);
408 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
409 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
410 int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
411 	    *addr, int size, int *nadd, int flags);
412 int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
413 	    *addr, int size, int *ndel, int flags);
414 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
415 	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
416 	    int flags);
417 int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
418 	    *addr, int *size, int flags);
419 #endif
420