xref: /freebsd/lib/libpfctl/libpfctl.h (revision 455dff72fcc260f758964d61f67dd1ba79e4889d) 
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 
41 struct pfctl_pool {
42 	struct pf_palist	 list;
43 	struct pf_pooladdr	*cur;
44 	struct pf_poolhashkey	 key;
45 	struct pf_addr		 counter;
46 	struct pf_mape_portset	 mape;
47 	int			 tblidx;
48 	u_int16_t		 proxy_port[2];
49 	u_int8_t		 opts;
50 };
51 
52 struct pfctl_rule {
53 	struct pf_rule_addr	 src;
54 	struct pf_rule_addr	 dst;
55 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
56 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
57 	char			 ifname[IFNAMSIZ];
58 	char			 qname[PF_QNAME_SIZE];
59 	char			 pqname[PF_QNAME_SIZE];
60 	char			 tagname[PF_TAG_NAME_SIZE];
61 	char			 match_tagname[PF_TAG_NAME_SIZE];
62 
63 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
64 
65 	TAILQ_ENTRY(pfctl_rule)	 entries;
66 	struct pfctl_pool	 rpool;
67 
68 	u_int64_t		 evaluations;
69 	u_int64_t		 packets[2];
70 	u_int64_t		 bytes[2];
71 
72 	struct pfi_kif		*kif;
73 	struct pfctl_anchor	*anchor;
74 	struct pfr_ktable	*overload_tbl;
75 
76 	pf_osfp_t		 os_fingerprint;
77 
78 	int			 rtableid;
79 	u_int32_t		 timeout[PFTM_MAX];
80 	u_int32_t		 max_states;
81 	u_int32_t		 max_src_nodes;
82 	u_int32_t		 max_src_states;
83 	u_int32_t		 max_src_conn;
84 	struct {
85 		u_int32_t		limit;
86 		u_int32_t		seconds;
87 	}			 max_src_conn_rate;
88 	u_int32_t		 qid;
89 	u_int32_t		 pqid;
90 	u_int32_t		 nr;
91 	u_int32_t		 prob;
92 	uid_t			 cuid;
93 	pid_t			 cpid;
94 
95 	uint64_t		 states_cur;
96 	uint64_t		 states_tot;
97 	uint64_t		 src_nodes;
98 
99 	u_int16_t		 return_icmp;
100 	u_int16_t		 return_icmp6;
101 	u_int16_t		 max_mss;
102 	u_int16_t		 tag;
103 	u_int16_t		 match_tag;
104 	u_int16_t		 scrub_flags;
105 
106 	struct pf_rule_uid	 uid;
107 	struct pf_rule_gid	 gid;
108 
109 	u_int32_t		 rule_flag;
110 	u_int8_t		 action;
111 	u_int8_t		 direction;
112 	u_int8_t		 log;
113 	u_int8_t		 logif;
114 	u_int8_t		 quick;
115 	u_int8_t		 ifnot;
116 	u_int8_t		 match_tag_not;
117 	u_int8_t		 natpass;
118 
119 	u_int8_t		 keep_state;
120 	sa_family_t		 af;
121 	u_int8_t		 proto;
122 	u_int8_t		 type;
123 	u_int8_t		 code;
124 	u_int8_t		 flags;
125 	u_int8_t		 flagset;
126 	u_int8_t		 min_ttl;
127 	u_int8_t		 allow_opts;
128 	u_int8_t		 rt;
129 	u_int8_t		 return_ttl;
130 	u_int8_t		 tos;
131 	u_int8_t		 set_tos;
132 	u_int8_t		 anchor_relative;
133 	u_int8_t		 anchor_wildcard;
134 
135 	u_int8_t		 flush;
136 	u_int8_t		 prio;
137 	u_int8_t		 set_prio[2];
138 
139 	struct {
140 		struct pf_addr		addr;
141 		u_int16_t		port;
142 	}			divert;
143 };
144 
145 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
146 
147 struct pfctl_ruleset {
148 	struct {
149 		struct pfctl_rulequeue	 queues[2];
150 		struct {
151 			struct pfctl_rulequeue	*ptr;
152 			struct pfctl_rule	**ptr_array;
153 			u_int32_t		 rcount;
154 			u_int32_t		 ticket;
155 			int			 open;
156 		}			 active, inactive;
157 	}			 rules[PF_RULESET_MAX];
158 	struct pfctl_anchor	*anchor;
159 	u_int32_t		 tticket;
160 	int			 tables;
161 	int			 topen;
162 };
163 
164 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
165 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
166 struct pfctl_anchor {
167 	RB_ENTRY(pfctl_anchor)	 entry_global;
168 	RB_ENTRY(pfctl_anchor)	 entry_node;
169 	struct pfctl_anchor	*parent;
170 	struct pfctl_anchor_node children;
171 	char			 name[PF_ANCHOR_NAME_SIZE];
172 	char			 path[MAXPATHLEN];
173 	struct pfctl_ruleset	 ruleset;
174 	int			 refcnt;	/* anchor rules */
175 	int			 match;	/* XXX: used for pfctl black magic */
176 };
177 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
178     pf_anchor_compare);
179 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
180     pf_anchor_compare);
181 
182 struct pfctl_state_cmp {
183 	uint64_t	id;
184 	uint32_t	creatorid;
185 	uint8_t		direction;
186 };
187 
188 struct pfctl_kill {
189 	struct pfctl_state_cmp	cmp;
190 	sa_family_t		af;
191 	int			proto;
192 	struct pf_rule_addr	src;
193 	struct pf_rule_addr	dst;
194 	struct pf_rule_addr	rt_addr;
195 	char			ifname[IFNAMSIZ];
196 	char			label[PF_RULE_LABEL_SIZE];
197 	bool			kill_match;
198 };
199 
200 struct pfctl_state_scrub {
201 	bool		timestamp;
202 	uint8_t		ttl;
203 	uint32_t	ts_mod;
204 };
205 
206 struct pfctl_state_peer {
207 	struct pfctl_state_scrub	*scrub;
208 	uint32_t			 seqlo;
209 	uint32_t			 seqhi;
210 	uint32_t			 seqdiff;
211 	uint16_t			 max_win;
212 	uint16_t			 mss;
213 	uint8_t				 state;
214 	uint8_t				 wscale;
215 };
216 
217 struct pfctl_state_key {
218 	struct pf_addr	 addr[2];
219 	uint16_t	 port[2];
220 	sa_family_t	 af;
221 	uint8_t	 	 proto;
222 };
223 
224 struct pfctl_state {
225 	TAILQ_ENTRY(pfctl_state)	entry;
226 
227 	uint64_t		 id;
228 	uint32_t		 creatorid;
229 	uint8_t		 	 direction;
230 
231 	struct pfctl_state_peer	 src;
232 	struct pfctl_state_peer	 dst;
233 
234 	uint32_t		 rule;
235 	uint32_t		 anchor;
236 	uint32_t		 nat_rule;
237 	struct pf_addr		 rt_addr;
238 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
239 	char			 ifname[IFNAMSIZ];
240 	char			 orig_ifname[IFNAMSIZ];
241 	uint64_t		 packets[2];
242 	uint64_t		 bytes[2];
243 	uint32_t		 creation;
244 	uint32_t		 expire;
245 	uint32_t		 pfsync_time;
246 	uint16_t		 tag;
247 	uint8_t			 log;
248 	uint8_t			 state_flags;
249 	uint8_t			 timeout;
250 	uint32_t		 sync_flags;
251 };
252 
253 TAILQ_HEAD(pfctl_statelist, pfctl_state);
254 struct pfctl_states {
255 	struct pfctl_statelist	states;
256 	size_t 			count;
257 };
258 
259 int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
260 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
261 	    char *anchor_call);
262 int	pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
263 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
264 	    char *anchor_call, bool clear);
265 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
266 	    const char *anchor, const char *anchor_call, u_int32_t ticket,
267 	    u_int32_t pool_ticket);
268 int	pfctl_set_keepcounters(int dev, bool keep);
269 int	pfctl_get_states(int dev, struct pfctl_states *states);
270 void	pfctl_free_states(struct pfctl_states *states);
271 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
272 	    unsigned int *killed);
273 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
274 	    unsigned int *killed);
275 
276 #endif
277