1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 struct pfctl_eth_anchor; 41 42 struct pfctl_status_counter { 43 uint64_t id; 44 uint64_t counter; 45 char *name; 46 47 TAILQ_ENTRY(pfctl_status_counter) entry; 48 }; 49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 50 51 struct pfctl_status { 52 bool running; 53 uint32_t since; 54 uint32_t debug; 55 uint32_t hostid; 56 uint64_t states; 57 uint64_t src_nodes; 58 char ifname[IFNAMSIZ]; 59 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 60 bool syncookies_active; 61 uint32_t reass; 62 63 struct pfctl_status_counters counters; 64 struct pfctl_status_counters lcounters; 65 struct pfctl_status_counters fcounters; 66 struct pfctl_status_counters scounters; 67 uint64_t pcounters[2][2][3]; 68 uint64_t bcounters[2][2]; 69 }; 70 71 struct pfctl_eth_rulesets_info { 72 uint32_t nr; 73 }; 74 75 struct pfctl_eth_rules_info { 76 uint32_t nr; 77 uint32_t ticket; 78 }; 79 80 struct pfctl_eth_addr { 81 uint8_t addr[ETHER_ADDR_LEN]; 82 uint8_t mask[ETHER_ADDR_LEN]; 83 bool neg; 84 bool isset; 85 }; 86 87 struct pfctl_eth_rule { 88 uint32_t nr; 89 90 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 91 uint32_t ridentifier; 92 93 bool quick; 94 95 /* Filter */ 96 char ifname[IFNAMSIZ]; 97 uint8_t ifnot; 98 uint8_t direction; 99 uint16_t proto; 100 struct pfctl_eth_addr src, dst; 101 struct pf_rule_addr ipsrc, ipdst; 102 char match_tagname[PF_TAG_NAME_SIZE]; 103 uint16_t match_tag; 104 bool match_tag_not; 105 106 /* Stats */ 107 uint64_t evaluations; 108 uint64_t packets[2]; 109 uint64_t bytes[2]; 110 time_t last_active_timestamp; 111 112 /* Action */ 113 char qname[PF_QNAME_SIZE]; 114 char tagname[PF_TAG_NAME_SIZE]; 115 uint16_t dnpipe; 116 uint32_t dnflags; 117 char bridge_to[IFNAMSIZ]; 118 uint8_t action; 119 120 struct pfctl_eth_anchor *anchor; 121 uint8_t anchor_relative; 122 uint8_t anchor_wildcard; 123 124 TAILQ_ENTRY(pfctl_eth_rule) entries; 125 }; 126 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 127 128 struct pfctl_eth_ruleset_info { 129 uint32_t nr; 130 char name[PF_ANCHOR_NAME_SIZE]; 131 char path[MAXPATHLEN]; 132 }; 133 134 struct pfctl_eth_ruleset { 135 struct pfctl_eth_rules rules; 136 struct pfctl_eth_anchor *anchor; 137 }; 138 139 struct pfctl_eth_anchor { 140 struct pfctl_eth_anchor *parent; 141 char name[PF_ANCHOR_NAME_SIZE]; 142 char path[MAXPATHLEN]; 143 struct pfctl_eth_ruleset ruleset; 144 int refcnt; /* anchor rules */ 145 int match; /* XXX: used for pfctl black magic */ 146 }; 147 148 struct pfctl_pool { 149 struct pf_palist list; 150 struct pf_pooladdr *cur; 151 struct pf_poolhashkey key; 152 struct pf_addr counter; 153 struct pf_mape_portset mape; 154 int tblidx; 155 uint16_t proxy_port[2]; 156 uint8_t opts; 157 }; 158 159 struct pfctl_rules_info { 160 uint32_t nr; 161 uint32_t ticket; 162 }; 163 164 struct pfctl_rule { 165 struct pf_rule_addr src; 166 struct pf_rule_addr dst; 167 union pf_rule_ptr skip[PF_SKIP_COUNT]; 168 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 169 uint32_t ridentifier; 170 char ifname[IFNAMSIZ]; 171 char qname[PF_QNAME_SIZE]; 172 char pqname[PF_QNAME_SIZE]; 173 char tagname[PF_TAG_NAME_SIZE]; 174 char match_tagname[PF_TAG_NAME_SIZE]; 175 176 char overload_tblname[PF_TABLE_NAME_SIZE]; 177 178 TAILQ_ENTRY(pfctl_rule) entries; 179 struct pfctl_pool rpool; 180 181 uint64_t evaluations; 182 uint64_t packets[2]; 183 uint64_t bytes[2]; 184 time_t last_active_timestamp; 185 186 struct pfi_kif *kif; 187 struct pfctl_anchor *anchor; 188 struct pfr_ktable *overload_tbl; 189 190 pf_osfp_t os_fingerprint; 191 192 int rtableid; 193 uint32_t timeout[PFTM_MAX]; 194 uint32_t max_states; 195 uint32_t max_src_nodes; 196 uint32_t max_src_states; 197 uint32_t max_src_conn; 198 struct { 199 uint32_t limit; 200 uint32_t seconds; 201 } max_src_conn_rate; 202 uint32_t qid; 203 uint32_t pqid; 204 uint16_t dnpipe; 205 uint16_t dnrpipe; 206 uint32_t free_flags; 207 uint32_t nr; 208 uint32_t prob; 209 uid_t cuid; 210 pid_t cpid; 211 212 uint64_t states_cur; 213 uint64_t states_tot; 214 uint64_t src_nodes; 215 216 uint16_t return_icmp; 217 uint16_t return_icmp6; 218 uint16_t max_mss; 219 uint16_t tag; 220 uint16_t match_tag; 221 uint16_t scrub_flags; 222 223 struct pf_rule_uid uid; 224 struct pf_rule_gid gid; 225 226 uint32_t rule_flag; 227 uint8_t action; 228 uint8_t direction; 229 uint8_t log; 230 uint8_t logif; 231 uint8_t quick; 232 uint8_t ifnot; 233 uint8_t match_tag_not; 234 uint8_t natpass; 235 236 uint8_t keep_state; 237 sa_family_t af; 238 uint8_t proto; 239 uint8_t type; 240 uint8_t code; 241 uint8_t flags; 242 uint8_t flagset; 243 uint8_t min_ttl; 244 uint8_t allow_opts; 245 uint8_t rt; 246 uint8_t return_ttl; 247 uint8_t tos; 248 uint8_t set_tos; 249 uint8_t anchor_relative; 250 uint8_t anchor_wildcard; 251 252 uint8_t flush; 253 uint8_t prio; 254 uint8_t set_prio[2]; 255 256 struct { 257 struct pf_addr addr; 258 uint16_t port; 259 } divert; 260 }; 261 262 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 263 264 struct pfctl_ruleset { 265 struct { 266 struct pfctl_rulequeue queues[2]; 267 struct { 268 struct pfctl_rulequeue *ptr; 269 struct pfctl_rule **ptr_array; 270 uint32_t rcount; 271 uint32_t ticket; 272 int open; 273 } active, inactive; 274 } rules[PF_RULESET_MAX]; 275 struct pfctl_anchor *anchor; 276 uint32_t tticket; 277 int tables; 278 int topen; 279 }; 280 281 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 282 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 283 struct pfctl_anchor { 284 RB_ENTRY(pfctl_anchor) entry_global; 285 RB_ENTRY(pfctl_anchor) entry_node; 286 struct pfctl_anchor *parent; 287 struct pfctl_anchor_node children; 288 char name[PF_ANCHOR_NAME_SIZE]; 289 char path[MAXPATHLEN]; 290 struct pfctl_ruleset ruleset; 291 int refcnt; /* anchor rules */ 292 int match; /* XXX: used for pfctl black magic */ 293 }; 294 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 295 pf_anchor_compare); 296 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 297 pf_anchor_compare); 298 299 struct pfctl_state_cmp { 300 uint64_t id; 301 uint32_t creatorid; 302 uint8_t direction; 303 }; 304 305 struct pfctl_kill { 306 struct pfctl_state_cmp cmp; 307 sa_family_t af; 308 int proto; 309 struct pf_rule_addr src; 310 struct pf_rule_addr dst; 311 struct pf_rule_addr rt_addr; 312 char ifname[IFNAMSIZ]; 313 char label[PF_RULE_LABEL_SIZE]; 314 bool kill_match; 315 }; 316 317 struct pfctl_state_peer { 318 uint32_t seqlo; 319 uint32_t seqhi; 320 uint32_t seqdiff; 321 uint8_t state; 322 uint8_t wscale; 323 }; 324 325 struct pfctl_state_key { 326 struct pf_addr addr[2]; 327 uint16_t port[2]; 328 sa_family_t af; 329 uint8_t proto; 330 }; 331 332 struct pfctl_state { 333 TAILQ_ENTRY(pfctl_state) entry; 334 335 uint64_t id; 336 uint32_t creatorid; 337 uint8_t direction; 338 339 struct pfctl_state_peer src; 340 struct pfctl_state_peer dst; 341 342 uint32_t rule; 343 uint32_t anchor; 344 uint32_t nat_rule; 345 struct pf_addr rt_addr; 346 struct pfctl_state_key key[2]; /* addresses stack and wire */ 347 char ifname[IFNAMSIZ]; 348 char orig_ifname[IFNAMSIZ]; 349 uint64_t packets[2]; 350 uint64_t bytes[2]; 351 uint32_t creation; 352 uint32_t expire; 353 uint32_t pfsync_time; 354 uint16_t state_flags; 355 uint32_t sync_flags; 356 }; 357 358 TAILQ_HEAD(pfctl_statelist, pfctl_state); 359 struct pfctl_states { 360 struct pfctl_statelist states; 361 size_t count; 362 }; 363 364 enum pfctl_syncookies_mode { 365 PFCTL_SYNCOOKIES_NEVER, 366 PFCTL_SYNCOOKIES_ALWAYS, 367 PFCTL_SYNCOOKIES_ADAPTIVE 368 }; 369 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 370 371 struct pfctl_syncookies { 372 enum pfctl_syncookies_mode mode; 373 uint8_t highwater; /* Percent */ 374 uint8_t lowwater; /* Percent */ 375 }; 376 377 struct pfctl_status* pfctl_get_status(int dev); 378 void pfctl_free_status(struct pfctl_status *status); 379 380 int pfctl_get_eth_rulesets_info(int dev, 381 struct pfctl_eth_rulesets_info *ri, const char *path); 382 int pfctl_get_eth_ruleset(int dev, const char *path, int nr, 383 struct pfctl_eth_ruleset_info *ri); 384 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 385 const char *path); 386 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 387 const char *path, struct pfctl_eth_rule *rule, bool clear, 388 char *anchor_call); 389 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 390 const char *anchor, const char *anchor_call, uint32_t ticket); 391 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 392 uint32_t ruleset, const char *path); 393 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 394 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 395 char *anchor_call); 396 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 397 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 398 char *anchor_call, bool clear); 399 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 400 const char *anchor, const char *anchor_call, uint32_t ticket, 401 uint32_t pool_ticket); 402 int pfctl_set_keepcounters(int dev, bool keep); 403 int pfctl_get_states(int dev, struct pfctl_states *states); 404 void pfctl_free_states(struct pfctl_states *states); 405 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 406 unsigned int *killed); 407 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 408 unsigned int *killed); 409 int pfctl_clear_rules(int dev, const char *anchorname); 410 int pfctl_clear_nat(int dev, const char *anchorname); 411 int pfctl_clear_eth_rules(int dev, const char *anchorname); 412 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 413 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 414 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 415 *addr, int size, int *nadd, int flags); 416 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 417 *addr, int size, int *ndel, int flags); 418 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 419 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, 420 int flags); 421 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 422 *addr, int *size, int flags); 423 #endif 424