xref: /freebsd/lib/libpfctl/libpfctl.h (revision 22cf89c938886d14f5796fc49f9f020c23ea8eaf) 
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  */
31 
32 #ifndef _PFCTL_IOCTL_H_
33 #define _PFCTL_IOCTL_H_
34 
35 #include <netpfil/pf/pf.h>
36 
37 struct pfctl_anchor;
38 struct pfctl_eth_anchor;
39 
40 struct pfctl_status_counter {
41 	uint64_t	 id;
42 	uint64_t	 counter;
43 	char		*name;
44 
45 	TAILQ_ENTRY(pfctl_status_counter) entry;
46 };
47 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
48 
49 struct pfctl_status {
50 	bool		running;
51 	uint32_t	since;
52 	uint32_t	debug;
53 	uint32_t	hostid;
54 	uint64_t	states;
55 	uint64_t	src_nodes;
56 	char		ifname[IFNAMSIZ];
57 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
58 	bool		syncookies_active;
59 	uint32_t	reass;
60 
61 	struct pfctl_status_counters	 counters;
62 	struct pfctl_status_counters	 lcounters;
63 	struct pfctl_status_counters	 fcounters;
64 	struct pfctl_status_counters	 scounters;
65 	uint64_t	pcounters[2][2][3];
66 	uint64_t	bcounters[2][2];
67 };
68 
69 struct pfctl_eth_rulesets_info {
70 	uint32_t	nr;
71 };
72 
73 struct pfctl_eth_rules_info {
74 	uint32_t	nr;
75 	uint32_t	ticket;
76 };
77 
78 struct pfctl_eth_addr {
79 	uint8_t	addr[ETHER_ADDR_LEN];
80 	uint8_t	mask[ETHER_ADDR_LEN];
81 	bool	neg;
82 	bool	isset;
83 };
84 
85 struct pfctl_eth_rule {
86 	uint32_t		 nr;
87 
88 	char			label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
89 	uint32_t		ridentifier;
90 
91 	bool			 quick;
92 
93 	/* Filter */
94 	char			 ifname[IFNAMSIZ];
95 	uint8_t			 ifnot;
96 	uint8_t			 direction;
97 	uint16_t		 proto;
98 	struct pfctl_eth_addr	 src, dst;
99 	struct pf_rule_addr	 ipsrc, ipdst;
100 	char			 match_tagname[PF_TAG_NAME_SIZE];
101 	uint16_t		 match_tag;
102 	bool			 match_tag_not;
103 
104 	/* Stats */
105 	uint64_t		 evaluations;
106 	uint64_t		 packets[2];
107 	uint64_t		 bytes[2];
108 	time_t			 last_active_timestamp;
109 
110 	/* Action */
111 	char			 qname[PF_QNAME_SIZE];
112 	char			 tagname[PF_TAG_NAME_SIZE];
113 	uint16_t		 dnpipe;
114 	uint32_t		 dnflags;
115 	char			 bridge_to[IFNAMSIZ];
116 	uint8_t			 action;
117 
118 	struct pfctl_eth_anchor	*anchor;
119 	uint8_t			 anchor_relative;
120 	uint8_t			 anchor_wildcard;
121 
122 	TAILQ_ENTRY(pfctl_eth_rule)	 entries;
123 };
124 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
125 
126 struct pfctl_eth_ruleset_info {
127 	uint32_t	nr;
128 	char		name[PF_ANCHOR_NAME_SIZE];
129 	char		path[MAXPATHLEN];
130 };
131 
132 struct pfctl_eth_ruleset {
133 	struct pfctl_eth_rules	 rules;
134 	struct pfctl_eth_anchor	*anchor;
135 };
136 
137 struct pfctl_eth_anchor {
138 	struct pfctl_eth_anchor		*parent;
139 	char				 name[PF_ANCHOR_NAME_SIZE];
140 	char				 path[MAXPATHLEN];
141 	struct pfctl_eth_ruleset	 ruleset;
142 	int				 refcnt;	/* anchor rules */
143 	int				 match;	/* XXX: used for pfctl black magic */
144 };
145 
146 struct pfctl_pool {
147 	struct pf_palist	 list;
148 	struct pf_pooladdr	*cur;
149 	struct pf_poolhashkey	 key;
150 	struct pf_addr		 counter;
151 	struct pf_mape_portset	 mape;
152 	int			 tblidx;
153 	uint16_t		 proxy_port[2];
154 	uint8_t			 opts;
155 };
156 
157 struct pfctl_rules_info {
158 	uint32_t	nr;
159 	uint32_t	ticket;
160 };
161 
162 struct pfctl_rule {
163 	struct pf_rule_addr	 src;
164 	struct pf_rule_addr	 dst;
165 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
166 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
167 	uint32_t		 ridentifier;
168 	char			 ifname[IFNAMSIZ];
169 	char			 qname[PF_QNAME_SIZE];
170 	char			 pqname[PF_QNAME_SIZE];
171 	char			 tagname[PF_TAG_NAME_SIZE];
172 	char			 match_tagname[PF_TAG_NAME_SIZE];
173 
174 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
175 
176 	TAILQ_ENTRY(pfctl_rule)	 entries;
177 	struct pfctl_pool	 rpool;
178 
179 	uint64_t		 evaluations;
180 	uint64_t		 packets[2];
181 	uint64_t		 bytes[2];
182 	time_t			 last_active_timestamp;
183 
184 	struct pfi_kif		*kif;
185 	struct pfctl_anchor	*anchor;
186 	struct pfr_ktable	*overload_tbl;
187 
188 	pf_osfp_t		 os_fingerprint;
189 
190 	int			 rtableid;
191 	uint32_t		 timeout[PFTM_MAX];
192 	uint32_t		 max_states;
193 	uint32_t		 max_src_nodes;
194 	uint32_t		 max_src_states;
195 	uint32_t		 max_src_conn;
196 	struct {
197 		uint32_t		limit;
198 		uint32_t		seconds;
199 	}			 max_src_conn_rate;
200 	uint32_t		 qid;
201 	uint32_t		 pqid;
202 	uint16_t		 dnpipe;
203 	uint16_t		 dnrpipe;
204 	uint32_t		 free_flags;
205 	uint32_t		 nr;
206 	uint32_t		 prob;
207 	uid_t			 cuid;
208 	pid_t			 cpid;
209 
210 	uint64_t		 states_cur;
211 	uint64_t		 states_tot;
212 	uint64_t		 src_nodes;
213 
214 	uint16_t		 return_icmp;
215 	uint16_t		 return_icmp6;
216 	uint16_t		 max_mss;
217 	uint16_t		 tag;
218 	uint16_t		 match_tag;
219 	uint16_t		 scrub_flags;
220 
221 	struct pf_rule_uid	 uid;
222 	struct pf_rule_gid	 gid;
223 
224 	uint32_t		 rule_flag;
225 	uint8_t			 action;
226 	uint8_t			 direction;
227 	uint8_t			 log;
228 	uint8_t			 logif;
229 	uint8_t			 quick;
230 	uint8_t			 ifnot;
231 	uint8_t			 match_tag_not;
232 	uint8_t			 natpass;
233 
234 	uint8_t			 keep_state;
235 	sa_family_t		 af;
236 	uint8_t			 proto;
237 	uint8_t			 type;
238 	uint8_t			 code;
239 	uint8_t			 flags;
240 	uint8_t			 flagset;
241 	uint8_t			 min_ttl;
242 	uint8_t			 allow_opts;
243 	uint8_t			 rt;
244 	uint8_t			 return_ttl;
245 	uint8_t			 tos;
246 	uint8_t			 set_tos;
247 	uint8_t			 anchor_relative;
248 	uint8_t			 anchor_wildcard;
249 
250 	uint8_t			 flush;
251 	uint8_t			 prio;
252 	uint8_t			 set_prio[2];
253 
254 	struct {
255 		struct pf_addr		addr;
256 		uint16_t		port;
257 	}			divert;
258 };
259 
260 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
261 
262 struct pfctl_ruleset {
263 	struct {
264 		struct pfctl_rulequeue	 queues[2];
265 		struct {
266 			struct pfctl_rulequeue	*ptr;
267 			struct pfctl_rule	**ptr_array;
268 			uint32_t		 rcount;
269 			uint32_t		 ticket;
270 			int			 open;
271 		}			 active, inactive;
272 	}			 rules[PF_RULESET_MAX];
273 	struct pfctl_anchor	*anchor;
274 	uint32_t		 tticket;
275 	int			 tables;
276 	int			 topen;
277 };
278 
279 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
280 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
281 struct pfctl_anchor {
282 	RB_ENTRY(pfctl_anchor)	 entry_global;
283 	RB_ENTRY(pfctl_anchor)	 entry_node;
284 	struct pfctl_anchor	*parent;
285 	struct pfctl_anchor_node children;
286 	char			 name[PF_ANCHOR_NAME_SIZE];
287 	char			 path[MAXPATHLEN];
288 	struct pfctl_ruleset	 ruleset;
289 	int			 refcnt;	/* anchor rules */
290 	int			 match;	/* XXX: used for pfctl black magic */
291 };
292 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
293     pf_anchor_compare);
294 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
295     pf_anchor_compare);
296 
297 struct pfctl_state_cmp {
298 	uint64_t	id;
299 	uint32_t	creatorid;
300 	uint8_t		direction;
301 };
302 
303 struct pfctl_kill {
304 	struct pfctl_state_cmp	cmp;
305 	sa_family_t		af;
306 	int			proto;
307 	struct pf_rule_addr	src;
308 	struct pf_rule_addr	dst;
309 	struct pf_rule_addr	rt_addr;
310 	char			ifname[IFNAMSIZ];
311 	char			label[PF_RULE_LABEL_SIZE];
312 	bool			kill_match;
313 };
314 
315 struct pfctl_state_peer {
316 	uint32_t			 seqlo;
317 	uint32_t			 seqhi;
318 	uint32_t			 seqdiff;
319 	uint8_t				 state;
320 	uint8_t				 wscale;
321 };
322 
323 struct pfctl_state_key {
324 	struct pf_addr	 addr[2];
325 	uint16_t	 port[2];
326 	sa_family_t	 af;
327 	uint8_t	 	 proto;
328 };
329 
330 struct pfctl_state {
331 	TAILQ_ENTRY(pfctl_state)	entry;
332 
333 	uint64_t		 id;
334 	uint32_t		 creatorid;
335 	uint8_t		 	 direction;
336 
337 	struct pfctl_state_peer	 src;
338 	struct pfctl_state_peer	 dst;
339 
340 	uint32_t		 rule;
341 	uint32_t		 anchor;
342 	uint32_t		 nat_rule;
343 	struct pf_addr		 rt_addr;
344 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
345 	char			 ifname[IFNAMSIZ];
346 	char			 orig_ifname[IFNAMSIZ];
347 	uint64_t		 packets[2];
348 	uint64_t		 bytes[2];
349 	uint32_t		 creation;
350 	uint32_t		 expire;
351 	uint32_t		 pfsync_time;
352 	uint16_t		 state_flags;
353 	uint32_t		 sync_flags;
354 	uint16_t		 qid;
355 	uint16_t		 pqid;
356 	uint16_t		 dnpipe;
357 	uint16_t		 dnrpipe;
358 	uint8_t			 log;
359 	int32_t			 rtableid;
360 	uint8_t			 min_ttl;
361 	uint8_t			 set_tos;
362 	uint16_t		 max_mss;
363 	uint8_t			 set_prio[2];
364 	uint8_t			 rt;
365 	char			 rt_ifname[IFNAMSIZ];
366 };
367 
368 TAILQ_HEAD(pfctl_statelist, pfctl_state);
369 struct pfctl_states {
370 	struct pfctl_statelist	states;
371 	size_t 			count;
372 };
373 
374 enum pfctl_syncookies_mode {
375 	PFCTL_SYNCOOKIES_NEVER,
376 	PFCTL_SYNCOOKIES_ALWAYS,
377 	PFCTL_SYNCOOKIES_ADAPTIVE
378 };
379 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
380 
381 struct pfctl_syncookies {
382 	enum pfctl_syncookies_mode	mode;
383 	uint8_t				highwater;	/* Percent */
384 	uint8_t				lowwater;	/* Percent */
385 };
386 
387 struct pfctl_status* pfctl_get_status(int dev);
388 uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
389 uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
390 uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
391 void	pfctl_free_status(struct pfctl_status *status);
392 
393 int	pfctl_get_eth_rulesets_info(int dev,
394 	    struct pfctl_eth_rulesets_info *ri, const char *path);
395 int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
396 	    struct pfctl_eth_ruleset_info *ri);
397 int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
398 	    const char *path);
399 int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
400 	    const char *path, struct pfctl_eth_rule *rule, bool clear,
401 	    char *anchor_call);
402 int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
403 	    const char *anchor, const char *anchor_call, uint32_t ticket);
404 int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
405 	    uint32_t ruleset, const char *path);
406 int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
407 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
408 	    char *anchor_call);
409 int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
410 	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
411 	    char *anchor_call, bool clear);
412 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
413 	    const char *anchor, const char *anchor_call, uint32_t ticket,
414 	    uint32_t pool_ticket);
415 int	pfctl_set_keepcounters(int dev, bool keep);
416 int	pfctl_get_states(int dev, struct pfctl_states *states);
417 void	pfctl_free_states(struct pfctl_states *states);
418 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
419 	    unsigned int *killed);
420 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
421 	    unsigned int *killed);
422 int	pfctl_clear_rules(int dev, const char *anchorname);
423 int	pfctl_clear_nat(int dev, const char *anchorname);
424 int	pfctl_clear_eth_rules(int dev, const char *anchorname);
425 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
426 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
427 int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
428 	    *addr, int size, int *nadd, int flags);
429 int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
430 	    *addr, int size, int *ndel, int flags);
431 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
432 	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
433 	    int flags);
434 int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
435 	    *addr, int *size, int flags);
436 #endif
437