xref: /freebsd/lib/libpfctl/libpfctl.h (revision 550cb4ab85c7e514629c8bacbbb07085b81d916b) 
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 
41 struct pfctl_pool {
42 	struct pf_palist	 list;
43 	struct pf_pooladdr	*cur;
44 	struct pf_poolhashkey	 key;
45 	struct pf_addr		 counter;
46 	int			 tblidx;
47 	u_int16_t		 proxy_port[2];
48 	u_int8_t		 opts;
49 };
50 
51 struct pfctl_rule {
52 	struct pf_rule_addr	 src;
53 	struct pf_rule_addr	 dst;
54 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
55 	char			 label[PF_RULE_LABEL_SIZE];
56 	char			 ifname[IFNAMSIZ];
57 	char			 qname[PF_QNAME_SIZE];
58 	char			 pqname[PF_QNAME_SIZE];
59 	char			 tagname[PF_TAG_NAME_SIZE];
60 	char			 match_tagname[PF_TAG_NAME_SIZE];
61 
62 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
63 
64 	TAILQ_ENTRY(pfctl_rule)	 entries;
65 	struct pfctl_pool	 rpool;
66 
67 	u_int64_t		 evaluations;
68 	u_int64_t		 packets[2];
69 	u_int64_t		 bytes[2];
70 
71 	struct pfi_kif		*kif;
72 	struct pfctl_anchor	*anchor;
73 	struct pfr_ktable	*overload_tbl;
74 
75 	pf_osfp_t		 os_fingerprint;
76 
77 	int			 rtableid;
78 	u_int32_t		 timeout[PFTM_MAX];
79 	u_int32_t		 max_states;
80 	u_int32_t		 max_src_nodes;
81 	u_int32_t		 max_src_states;
82 	u_int32_t		 max_src_conn;
83 	struct {
84 		u_int32_t		limit;
85 		u_int32_t		seconds;
86 	}			 max_src_conn_rate;
87 	u_int32_t		 qid;
88 	u_int32_t		 pqid;
89 	u_int32_t		 nr;
90 	u_int32_t		 prob;
91 	uid_t			 cuid;
92 	pid_t			 cpid;
93 
94 	uint64_t		 states_cur;
95 	uint64_t		 states_tot;
96 	uint64_t		 src_nodes;
97 
98 	u_int16_t		 return_icmp;
99 	u_int16_t		 return_icmp6;
100 	u_int16_t		 max_mss;
101 	u_int16_t		 tag;
102 	u_int16_t		 match_tag;
103 	u_int16_t		 scrub_flags;
104 
105 	struct pf_rule_uid	 uid;
106 	struct pf_rule_gid	 gid;
107 
108 	u_int32_t		 rule_flag;
109 	u_int8_t		 action;
110 	u_int8_t		 direction;
111 	u_int8_t		 log;
112 	u_int8_t		 logif;
113 	u_int8_t		 quick;
114 	u_int8_t		 ifnot;
115 	u_int8_t		 match_tag_not;
116 	u_int8_t		 natpass;
117 
118 	u_int8_t		 keep_state;
119 	sa_family_t		 af;
120 	u_int8_t		 proto;
121 	u_int8_t		 type;
122 	u_int8_t		 code;
123 	u_int8_t		 flags;
124 	u_int8_t		 flagset;
125 	u_int8_t		 min_ttl;
126 	u_int8_t		 allow_opts;
127 	u_int8_t		 rt;
128 	u_int8_t		 return_ttl;
129 	u_int8_t		 tos;
130 	u_int8_t		 set_tos;
131 	u_int8_t		 anchor_relative;
132 	u_int8_t		 anchor_wildcard;
133 
134 	u_int8_t		 flush;
135 	u_int8_t		 prio;
136 	u_int8_t		 set_prio[2];
137 
138 	struct {
139 		struct pf_addr		addr;
140 		u_int16_t		port;
141 	}			divert;
142 };
143 
144 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
145 
146 struct pfctl_ruleset {
147 	struct {
148 		struct pfctl_rulequeue	 queues[2];
149 		struct {
150 			struct pfctl_rulequeue	*ptr;
151 			struct pfctl_rule	**ptr_array;
152 			u_int32_t		 rcount;
153 			u_int32_t		 ticket;
154 			int			 open;
155 		}			 active, inactive;
156 	}			 rules[PF_RULESET_MAX];
157 	struct pfctl_anchor	*anchor;
158 	u_int32_t		 tticket;
159 	int			 tables;
160 	int			 topen;
161 };
162 
163 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
164 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
165 struct pfctl_anchor {
166 	RB_ENTRY(pfctl_anchor)	 entry_global;
167 	RB_ENTRY(pfctl_anchor)	 entry_node;
168 	struct pfctl_anchor	*parent;
169 	struct pfctl_anchor_node children;
170 	char			 name[PF_ANCHOR_NAME_SIZE];
171 	char			 path[MAXPATHLEN];
172 	struct pfctl_ruleset	 ruleset;
173 	int			 refcnt;	/* anchor rules */
174 	int			 match;	/* XXX: used for pfctl black magic */
175 };
176 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
177     pf_anchor_compare);
178 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
179     pf_anchor_compare);
180 
181 int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
182 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
183 	    char *anchor_call);
184 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
185 	    const char *anchor, const char *anchor_call, u_int32_t ticket,
186 	    u_int32_t pool_ticket);
187 
188 #endif
189