1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
/*
 * Forward declarations: the rule and ruleset structs below carry pointers
 * to their anchor, and both anchor structs are defined further down in
 * this header.
 */
struct pfctl_anchor;
struct pfctl_eth_anchor;
41 
/*
 * One named counter from the pf status report.  Counters are kept on
 * TAILQ lists (struct pfctl_status_counters) inside struct pfctl_status.
 */
struct pfctl_status_counter {
	uint64_t	 id;		/* numeric identifier of this counter */
	uint64_t	 counter;	/* counter value */
	char		*name;		/* human-readable name; ownership is not
					 * visible here -- presumably allocated
					 * by the library and released by
					 * pfctl_free_status(), confirm */

	TAILQ_ENTRY(pfctl_status_counter) entry;	/* list linkage */
};
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
50 
/*
 * Snapshot of pf's global status as returned by pfctl_get_status().
 * The counter lists are populated by the library; release the whole
 * object with pfctl_free_status() rather than freeing members by hand.
 */
struct pfctl_status {
	bool		running;	/* pf is enabled */
	uint32_t	since;		/* presumably the time pf was last
					 * enabled -- confirm */
	uint32_t	debug;		/* debug level */
	uint32_t	hostid;
	uint64_t	states;		/* presumably the current state count */
	uint64_t	src_nodes;	/* presumably the current source-node count */
	char		ifname[IFNAMSIZ];	/* fixed-size buffer; keep
						 * NUL-terminated */
	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];	/* MD5 digest;
						 * presumably the ruleset
						 * checksum -- confirm */

	struct pfctl_status_counters	 counters;
	struct pfctl_status_counters	 lcounters;
	struct pfctl_status_counters	 fcounters;
	struct pfctl_status_counters	 scounters;
	uint64_t	pcounters[2][2][3];	/* packet counters; index meaning
						 * not visible here, presumably
						 * [af][dir][action] -- confirm */
	uint64_t	bcounters[2][2];	/* byte counters; presumably
						 * [af][dir] -- confirm */
};
68 
/*
 * Summary of an Ethernet ruleset, filled in by pfctl_get_eth_rules_info().
 * The ticket is passed back to pfctl_get_eth_rule() when fetching rules.
 */
struct pfctl_eth_rules_info {
	uint32_t	nr;		/* presumably the number of rules in
					 * the ruleset */
	uint32_t	ticket;		/* ruleset ticket for follow-up queries */
};
73 
/*
 * Ethernet (MAC) address match used by struct pfctl_eth_rule.
 */
struct pfctl_eth_addr {
	uint8_t	addr[ETHER_ADDR_LEN];	/* address to match */
	uint8_t	mask[ETHER_ADDR_LEN];	/* mask applied to addr (presumably) */
	bool	neg;			/* presumably negates the match */
	bool	isset;			/* presumably true when an address was
					 * given at all -- confirm */
};
80 
/*
 * Userland view of one Ethernet-layer pf rule.  Filled in by
 * pfctl_get_eth_rule() and consumed by pfctl_add_eth_rule().
 */
struct pfctl_eth_rule {
	uint32_t		 nr;		/* rule number within its ruleset */

	bool			 quick;		/* stop evaluation on match */

	/* Filter */
	char			 ifname[IFNAMSIZ];	/* fixed-size buffer; keep
						 * NUL-terminated */
	uint8_t			 ifnot;		/* presumably negates the
						 * interface match */
	uint8_t			 direction;
	uint16_t		 proto;		/* Ethernet protocol / ethertype
						 * (presumably) */
	struct pfctl_eth_addr	 src, dst;

	/* Stats */
	uint64_t		 evaluations;
	uint64_t		 packets[2];	/* index meaning not visible here,
						 * presumably per direction */
	uint64_t		 bytes[2];	/* as for packets */

	/* Action */
	char			 qname[PF_QNAME_SIZE];		/* queue name */
	char			 tagname[PF_TAG_NAME_SIZE];	/* tag name */
	uint16_t		 dnpipe;	/* dummynet pipe (presumably) */
	uint32_t		 dnflags;
	uint8_t			 action;

	struct pfctl_eth_anchor	*anchor;	/* owning anchor, may be NULL
						 * -- confirm */
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	TAILQ_ENTRY(pfctl_eth_rule)	 entries;	/* list linkage */
};
TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
112 
/*
 * A list of Ethernet rules together with the anchor that owns it.
 */
struct pfctl_eth_ruleset {
	struct pfctl_eth_rules	 rules;		/* TAILQ of pfctl_eth_rule */
	struct pfctl_eth_anchor	*anchor;	/* owning anchor */
};
117 
/*
 * Anchor (named sub-ruleset) for Ethernet rules.  Unlike struct
 * pfctl_anchor below it is not kept in a tree; only the parent link is
 * visible here.
 */
struct pfctl_eth_anchor {
	struct pfctl_eth_anchor		*parent;
	char				 name[PF_ANCHOR_NAME_SIZE];	/* fixed-size,
								 * keep NUL-terminated */
	char				 path[MAXPATHLEN];	/* full anchor path
								 * (presumably) */
	struct pfctl_eth_ruleset	 ruleset;
	int				 refcnt;	/* anchor rules */
	int				 match;	/* XXX: used for pfctl black magic */
};
126 
/*
 * Address pool attached to a rule (struct pfctl_rule.rpool).  The member
 * names mirror pf's kernel pool; their semantics are not visible in this
 * header -- see pf(4) and the libpfctl implementation.
 */
struct pfctl_pool {
	struct pf_palist	 list;		/* pool address list */
	struct pf_pooladdr	*cur;		/* current pool entry
						 * (presumably) */
	struct pf_poolhashkey	 key;
	struct pf_addr		 counter;
	struct pf_mape_portset	 mape;
	int			 tblidx;
	uint16_t		 proxy_port[2];	/* presumably a port range */
	uint8_t			 opts;
};
137 
/*
 * Userland view of one pf filter/NAT rule.  Filled in by pfctl_get_rule()
 * / pfctl_get_clear_rule() and consumed by pfctl_add_rule().
 *
 * All char arrays are fixed-size buffers and must stay NUL-terminated
 * before being handed to the library.
 */
struct pfctl_rule {
	struct pf_rule_addr	 src;
	struct pf_rule_addr	 dst;
	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];	/* up to
						 * PF_RULE_MAX_LABEL_COUNT labels */
	uint32_t		 ridentifier;
	char			 ifname[IFNAMSIZ];
	char			 qname[PF_QNAME_SIZE];
	char			 pqname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	char			 match_tagname[PF_TAG_NAME_SIZE];

	char			 overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pfctl_rule)	 entries;	/* list linkage (pfctl_rulequeue) */
	struct pfctl_pool	 rpool;		/* NAT/rdr address pool */

	uint64_t		 evaluations;
	uint64_t		 packets[2];	/* index meaning not visible here,
						 * presumably per direction */
	uint64_t		 bytes[2];	/* as for packets */

	/*
	 * NOTE(review): pfi_kif and pfr_ktable are kernel-side types; whether
	 * these pointers carry anything meaningful in userland is not visible
	 * here -- do not dereference without checking the implementation.
	 */
	struct pfi_kif		*kif;
	struct pfctl_anchor	*anchor;	/* owning anchor, may be NULL
						 * -- confirm */
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		 os_fingerprint;

	int			 rtableid;
	uint32_t		 timeout[PFTM_MAX];	/* per-timeout-type values */
	uint32_t		 max_states;
	uint32_t		 max_src_nodes;
	uint32_t		 max_src_states;
	uint32_t		 max_src_conn;
	struct {
		uint32_t		limit;		/* connections ... */
		uint32_t		seconds;	/* ... per this many seconds
						 * (presumably) */
	}			 max_src_conn_rate;
	uint32_t		 qid;
	uint32_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint32_t		 free_flags;
	uint32_t		 nr;		/* rule number within its ruleset */
	uint32_t		 prob;		/* match probability (presumably) */
	uid_t			 cuid;		/* presumably creator uid */
	pid_t			 cpid;		/* presumably creator pid */

	uint64_t		 states_cur;
	uint64_t		 states_tot;
	uint64_t		 src_nodes;

	uint16_t		 return_icmp;
	uint16_t		 return_icmp6;
	uint16_t		 max_mss;
	uint16_t		 tag;
	uint16_t		 match_tag;
	uint16_t		 scrub_flags;

	struct pf_rule_uid	 uid;
	struct pf_rule_gid	 gid;

	uint32_t		 rule_flag;
	uint8_t			 action;
	uint8_t			 direction;
	uint8_t			 log;
	uint8_t			 logif;
	uint8_t			 quick;
	uint8_t			 ifnot;
	uint8_t			 match_tag_not;
	uint8_t			 natpass;

	uint8_t			 keep_state;
	sa_family_t		 af;
	uint8_t			 proto;
	uint8_t			 type;
	uint8_t			 code;
	uint8_t			 flags;
	uint8_t			 flagset;
	uint8_t			 min_ttl;
	uint8_t			 allow_opts;
	uint8_t			 rt;
	uint8_t			 return_ttl;
	uint8_t			 tos;
	uint8_t			 set_tos;
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	uint8_t			 flush;
	uint8_t			 prio;
	uint8_t			 set_prio[2];

	struct {
		struct pf_addr		addr;
		uint16_t		port;
	}			divert;		/* divert target */
};

/* List head for rule queues; element linkage is pfctl_rule.entries. */
TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
236 
/*
 * Per-anchor collection of rule queues, one slot per ruleset type
 * (PF_RULESET_MAX).  Each slot keeps two queues plus an active and an
 * inactive view onto them; how ptr/ptr_array are swapped is not visible
 * here -- confirm against the implementation.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue	 queues[2];
		struct {
			struct pfctl_rulequeue	*ptr;		/* points at one of queues[] */
			struct pfctl_rule	**ptr_array;	/* indexed view (presumably) */
			uint32_t		 rcount;	/* rule count */
			uint32_t		 ticket;	/* ruleset ticket */
			int			 open;		/* transaction open flag */
		}			 active, inactive;
	}			 rules[PF_RULESET_MAX];
	struct pfctl_anchor	*anchor;	/* owning anchor */
	uint32_t		 tticket;	/* table ticket (presumably) */
	int			 tables;
	int			 topen;
};
253 
/*
 * Anchor (named sub-ruleset) for regular rules.  Every anchor sits in two
 * red-black trees: the global tree (entry_global) and its parent's
 * children tree (entry_node); both are ordered by pf_anchor_compare().
 */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor)	 entry_global;	/* pfctl_anchor_global linkage */
	RB_ENTRY(pfctl_anchor)	 entry_node;	/* parent->children linkage */
	struct pfctl_anchor	*parent;	/* NULL at the root (presumably) */
	struct pfctl_anchor_node children;
	char			 name[PF_ANCHOR_NAME_SIZE];	/* fixed-size,
							 * keep NUL-terminated */
	char			 path[MAXPATHLEN];	/* full anchor path
							 * (presumably) */
	struct pfctl_ruleset	 ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);
271 
/*
 * Identifies a single state for kill/clear requests (struct pfctl_kill).
 * The three members correspond to the same-named fields of struct
 * pfctl_state.
 */
struct pfctl_state_cmp {
	uint64_t	id;
	uint32_t	creatorid;
	uint8_t		direction;
};
277 
/*
 * Selection criteria for pfctl_clear_states() and pfctl_kill_states().
 * Which members must be set, and how unset members are treated, is not
 * visible here -- confirm against the implementation before relying on
 * a partially filled struct.
 */
struct pfctl_kill {
	struct pfctl_state_cmp	cmp;		/* exact state match */
	sa_family_t		af;
	int			proto;
	struct pf_rule_addr	src;
	struct pf_rule_addr	dst;
	struct pf_rule_addr	rt_addr;
	char			ifname[IFNAMSIZ];		/* fixed-size, keep
							 * NUL-terminated */
	char			label[PF_RULE_LABEL_SIZE];	/* fixed-size, keep
							 * NUL-terminated */
	bool			kill_match;	/* presumably also kills the
						 * matching reverse states --
						 * confirm */
};
289 
/*
 * Per-endpoint tracking data of a state (struct pfctl_state.src/dst).
 * The seq* members are presumably TCP sequence-tracking values -- confirm.
 */
struct pfctl_state_peer {
	uint32_t			 seqlo;
	uint32_t			 seqhi;
	uint32_t			 seqdiff;
	uint8_t				 state;		/* endpoint state */
	uint8_t				 wscale;	/* window scale */
};
297 
/*
 * Address/port pair that keys a state.  Which index holds which endpoint
 * is not visible here -- confirm before interpreting addr[]/port[].
 */
struct pfctl_state_key {
	struct pf_addr	 addr[2];
	uint16_t	 port[2];
	sa_family_t	 af;
	uint8_t	 	 proto;
};
304 
/*
 * Userland view of one pf state entry, as listed by pfctl_get_states().
 * Entries live on a pfctl_statelist and are released together with the
 * list by pfctl_free_states().
 */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state)	entry;	/* list linkage */

	/* These three fields match struct pfctl_state_cmp. */
	uint64_t		 id;
	uint32_t		 creatorid;
	uint8_t		 	 direction;

	struct pfctl_state_peer	 src;
	struct pfctl_state_peer	 dst;

	uint32_t		 rule;		/* rule number (presumably) */
	uint32_t		 anchor;
	uint32_t		 nat_rule;
	struct pf_addr		 rt_addr;
	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
	char			 ifname[IFNAMSIZ];
	char			 orig_ifname[IFNAMSIZ];
	uint64_t		 packets[2];	/* index meaning not visible here,
						 * presumably per direction */
	uint64_t		 bytes[2];	/* as for packets */
	uint32_t		 creation;	/* presumably creation time -- confirm units */
	uint32_t		 expire;	/* presumably expiry time -- confirm units */
	uint32_t		 pfsync_time;
	uint8_t			 state_flags;
	uint32_t		 sync_flags;
};
330 
TAILQ_HEAD(pfctl_statelist, pfctl_state);
/*
 * Result container for pfctl_get_states(); release with pfctl_free_states().
 */
struct pfctl_states {
	struct pfctl_statelist	states;	/* TAILQ of pfctl_state */
	size_t 			count;	/* number of entries on the list */
};
336 
/*
 * SYN cookie operating modes.  PFCTL_SYNCOOKIES_MODE_NAMES is a name table
 * indexed by this enum; its length is not visible here, so bounds-check an
 * index before using it as a subscript.
 */
enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
343 
/*
 * SYN cookie configuration, exchanged via pfctl_get_syncookies() and
 * pfctl_set_syncookies().  The water marks presumably apply only in
 * adaptive mode -- confirm.
 */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode	mode;
	uint8_t				highwater;	/* Percent */
	uint8_t				lowwater;	/* Percent */
};
349 
/*
 * Fetch pf's global status from the pf device `dev` (an open file
 * descriptor).  The returned object is owned by the caller and must be
 * released with pfctl_free_status().  NOTE(review): the failure value is
 * not visible here; a NULL return is the natural reading -- confirm.
 */
struct pfctl_status* pfctl_get_status(int dev);
void	pfctl_free_status(struct pfctl_status *status);
352 
/*
 * Ethernet ruleset access.  All functions take the pf device descriptor
 * `dev` and return an int status; the exact convention (0 on success,
 * errno on failure) is not visible here -- confirm against the
 * implementation.
 *
 * pfctl_get_eth_rules_info() fills in *rules (count and ticket) for the
 * anchor at `path`.
 *
 * pfctl_get_eth_rule() fetches rule `nr` under `ticket`, and presumably
 * resets its counters when `clear` is set.  NOTE(review): `anchor_call`
 * is an output buffer whose size is not part of the interface; size it
 * as the implementation expects (likely MAXPATHLEN, confirm).
 *
 * pfctl_add_eth_rule() adds `r` to `anchor` under `ticket`.
 */
int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
	    const char *path);
int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *path, struct pfctl_eth_rule *rule, bool clear,
	    char *anchor_call);
int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket);
/*
 * Regular ruleset access.  `ruleset` selects the ruleset type (index into
 * pfctl_ruleset.rules[]); `ticket` is the ruleset ticket.  The int return
 * convention is not visible here -- confirm against the implementation.
 *
 * pfctl_get_clear_rule() is pfctl_get_rule() plus a `clear` flag, which
 * presumably resets the rule's counters after reading.  NOTE(review):
 * `anchor_call` is an output buffer whose size is not part of the
 * interface; size it as the implementation expects (likely MAXPATHLEN,
 * confirm).
 *
 * pfctl_add_rule() adds `r` to `anchor` under `ticket`; `pool_ticket`
 * covers the rule's address pool.
 *
 * pfctl_set_keepcounters() toggles whether counters survive a ruleset
 * reload (presumably -- confirm).
 */
int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_set_keepcounters(int dev, bool keep);
/*
 * State table access.
 *
 * pfctl_get_states() fills *states with the current state list; the
 * entries are released with pfctl_free_states().
 *
 * pfctl_clear_states() and pfctl_kill_states() remove states matching
 * `kill` and store the number removed in *killed.  The difference between
 * the two is not visible here -- see the implementation.  The int return
 * convention is likewise not visible -- confirm.
 */
int	pfctl_get_states(int dev, struct pfctl_states *states);
void	pfctl_free_states(struct pfctl_states *states);
int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
/*
 * Write / read the SYN cookie configuration (struct pfctl_syncookies).
 * The int return convention is not visible here -- confirm.
 */
int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
378 
379 #endif