xref: /freebsd/lib/libpfctl/libpfctl.h (revision 13ec1e3155c7e9bf037b12af186351b7fa9b9450)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 
41 struct pfctl_status_counter {
42 	uint64_t	 id;
43 	uint64_t	 counter;
44 	char		*name;
45 
46 	TAILQ_ENTRY(pfctl_status_counter) entry;
47 };
48 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
49 
50 struct pfctl_status {
51 	bool		running;
52 	uint32_t	since;
53 	uint32_t	debug;
54 	uint32_t	hostid;
55 	uint64_t	states;
56 	uint64_t	src_nodes;
57 	char		ifname[IFNAMSIZ];
58 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
59 
60 	struct pfctl_status_counters	 counters;
61 	struct pfctl_status_counters	 lcounters;
62 	struct pfctl_status_counters	 fcounters;
63 	struct pfctl_status_counters	 scounters;
64 	uint64_t	pcounters[2][2][3];
65 	uint64_t	bcounters[2][2];
66 };
67 
68 struct pfctl_pool {
69 	struct pf_palist	 list;
70 	struct pf_pooladdr	*cur;
71 	struct pf_poolhashkey	 key;
72 	struct pf_addr		 counter;
73 	struct pf_mape_portset	 mape;
74 	int			 tblidx;
75 	uint16_t		 proxy_port[2];
76 	uint8_t			 opts;
77 };
78 
79 struct pfctl_rule {
80 	struct pf_rule_addr	 src;
81 	struct pf_rule_addr	 dst;
82 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
83 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
84 	uint32_t		 ridentifier;
85 	char			 ifname[IFNAMSIZ];
86 	char			 qname[PF_QNAME_SIZE];
87 	char			 pqname[PF_QNAME_SIZE];
88 	char			 tagname[PF_TAG_NAME_SIZE];
89 	char			 match_tagname[PF_TAG_NAME_SIZE];
90 
91 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
92 
93 	TAILQ_ENTRY(pfctl_rule)	 entries;
94 	struct pfctl_pool	 rpool;
95 
96 	uint64_t		 evaluations;
97 	uint64_t		 packets[2];
98 	uint64_t		 bytes[2];
99 
100 	struct pfi_kif		*kif;
101 	struct pfctl_anchor	*anchor;
102 	struct pfr_ktable	*overload_tbl;
103 
104 	pf_osfp_t		 os_fingerprint;
105 
106 	int			 rtableid;
107 	uint32_t		 timeout[PFTM_MAX];
108 	uint32_t		 max_states;
109 	uint32_t		 max_src_nodes;
110 	uint32_t		 max_src_states;
111 	uint32_t		 max_src_conn;
112 	struct {
113 		uint32_t		limit;
114 		uint32_t		seconds;
115 	}			 max_src_conn_rate;
116 	uint32_t		 qid;
117 	uint32_t		 pqid;
118 	uint16_t		 dnpipe;
119 	uint16_t		 dnrpipe;
120 	uint32_t		 free_flags;
121 	uint32_t		 nr;
122 	uint32_t		 prob;
123 	uid_t			 cuid;
124 	pid_t			 cpid;
125 
126 	uint64_t		 states_cur;
127 	uint64_t		 states_tot;
128 	uint64_t		 src_nodes;
129 
130 	uint16_t		 return_icmp;
131 	uint16_t		 return_icmp6;
132 	uint16_t		 max_mss;
133 	uint16_t		 tag;
134 	uint16_t		 match_tag;
135 	uint16_t		 scrub_flags;
136 
137 	struct pf_rule_uid	 uid;
138 	struct pf_rule_gid	 gid;
139 
140 	uint32_t		 rule_flag;
141 	uint8_t			 action;
142 	uint8_t			 direction;
143 	uint8_t			 log;
144 	uint8_t			 logif;
145 	uint8_t			 quick;
146 	uint8_t			 ifnot;
147 	uint8_t			 match_tag_not;
148 	uint8_t			 natpass;
149 
150 	uint8_t			 keep_state;
151 	sa_family_t		 af;
152 	uint8_t			 proto;
153 	uint8_t			 type;
154 	uint8_t			 code;
155 	uint8_t			 flags;
156 	uint8_t			 flagset;
157 	uint8_t			 min_ttl;
158 	uint8_t			 allow_opts;
159 	uint8_t			 rt;
160 	uint8_t			 return_ttl;
161 	uint8_t			 tos;
162 	uint8_t			 set_tos;
163 	uint8_t			 anchor_relative;
164 	uint8_t			 anchor_wildcard;
165 
166 	uint8_t			 flush;
167 	uint8_t			 prio;
168 	uint8_t			 set_prio[2];
169 
170 	struct {
171 		struct pf_addr		addr;
172 		uint16_t		port;
173 	}			divert;
174 };
175 
176 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
177 
178 struct pfctl_ruleset {
179 	struct {
180 		struct pfctl_rulequeue	 queues[2];
181 		struct {
182 			struct pfctl_rulequeue	*ptr;
183 			struct pfctl_rule	**ptr_array;
184 			uint32_t		 rcount;
185 			uint32_t		 ticket;
186 			int			 open;
187 		}			 active, inactive;
188 	}			 rules[PF_RULESET_MAX];
189 	struct pfctl_anchor	*anchor;
190 	uint32_t		 tticket;
191 	int			 tables;
192 	int			 topen;
193 };
194 
195 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
196 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
197 struct pfctl_anchor {
198 	RB_ENTRY(pfctl_anchor)	 entry_global;
199 	RB_ENTRY(pfctl_anchor)	 entry_node;
200 	struct pfctl_anchor	*parent;
201 	struct pfctl_anchor_node children;
202 	char			 name[PF_ANCHOR_NAME_SIZE];
203 	char			 path[MAXPATHLEN];
204 	struct pfctl_ruleset	 ruleset;
205 	int			 refcnt;	/* anchor rules */
206 	int			 match;	/* XXX: used for pfctl black magic */
207 };
208 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
209     pf_anchor_compare);
210 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
211     pf_anchor_compare);
212 
213 struct pfctl_state_cmp {
214 	uint64_t	id;
215 	uint32_t	creatorid;
216 	uint8_t		direction;
217 };
218 
219 struct pfctl_kill {
220 	struct pfctl_state_cmp	cmp;
221 	sa_family_t		af;
222 	int			proto;
223 	struct pf_rule_addr	src;
224 	struct pf_rule_addr	dst;
225 	struct pf_rule_addr	rt_addr;
226 	char			ifname[IFNAMSIZ];
227 	char			label[PF_RULE_LABEL_SIZE];
228 	bool			kill_match;
229 };
230 
231 struct pfctl_state_peer {
232 	uint32_t			 seqlo;
233 	uint32_t			 seqhi;
234 	uint32_t			 seqdiff;
235 	uint8_t				 state;
236 	uint8_t				 wscale;
237 };
238 
239 struct pfctl_state_key {
240 	struct pf_addr	 addr[2];
241 	uint16_t	 port[2];
242 	sa_family_t	 af;
243 	uint8_t	 	 proto;
244 };
245 
246 struct pfctl_state {
247 	TAILQ_ENTRY(pfctl_state)	entry;
248 
249 	uint64_t		 id;
250 	uint32_t		 creatorid;
251 	uint8_t		 	 direction;
252 
253 	struct pfctl_state_peer	 src;
254 	struct pfctl_state_peer	 dst;
255 
256 	uint32_t		 rule;
257 	uint32_t		 anchor;
258 	uint32_t		 nat_rule;
259 	struct pf_addr		 rt_addr;
260 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
261 	char			 ifname[IFNAMSIZ];
262 	char			 orig_ifname[IFNAMSIZ];
263 	uint64_t		 packets[2];
264 	uint64_t		 bytes[2];
265 	uint32_t		 creation;
266 	uint32_t		 expire;
267 	uint32_t		 pfsync_time;
268 	uint8_t			 state_flags;
269 	uint32_t		 sync_flags;
270 };
271 
272 TAILQ_HEAD(pfctl_statelist, pfctl_state);
273 struct pfctl_states {
274 	struct pfctl_statelist	states;
275 	size_t 			count;
276 };
277 
278 enum pfctl_syncookies_mode {
279 	PFCTL_SYNCOOKIES_NEVER,
280 	PFCTL_SYNCOOKIES_ALWAYS,
281 	PFCTL_SYNCOOKIES_ADAPTIVE
282 };
283 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
284 
285 struct pfctl_syncookies {
286 	enum pfctl_syncookies_mode	mode;
287 	uint8_t				highwater;	/* Percent */
288 	uint8_t				lowwater;	/* Percent */
289 };
290 
291 struct pfctl_status* pfctl_get_status(int dev);
292 void	pfctl_free_status(struct pfctl_status *status);
293 
294 int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
295 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
296 	    char *anchor_call);
297 int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
298 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
299 	    char *anchor_call, bool clear);
300 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
301 	    const char *anchor, const char *anchor_call, uint32_t ticket,
302 	    uint32_t pool_ticket);
303 int	pfctl_set_keepcounters(int dev, bool keep);
304 int	pfctl_get_states(int dev, struct pfctl_states *states);
305 void	pfctl_free_states(struct pfctl_states *states);
306 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
307 	    unsigned int *killed);
308 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
309 	    unsigned int *killed);
310 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
311 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
312 
313 #endif
314