1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 struct pfctl_eth_anchor; 41 42 struct pfctl_status_counter { 43 uint64_t id; 44 uint64_t counter; 45 char *name; 46 47 TAILQ_ENTRY(pfctl_status_counter) entry; 48 }; 49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 50 51 struct pfctl_status { 52 bool running; 53 uint32_t since; 54 uint32_t debug; 55 uint32_t hostid; 56 uint64_t states; 57 uint64_t src_nodes; 58 char ifname[IFNAMSIZ]; 59 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 60 61 struct pfctl_status_counters counters; 62 struct pfctl_status_counters lcounters; 63 struct pfctl_status_counters fcounters; 64 struct pfctl_status_counters scounters; 65 uint64_t pcounters[2][2][3]; 66 uint64_t bcounters[2][2]; 67 }; 68 69 struct pfctl_eth_rulesets_info { 70 uint32_t nr; 71 }; 72 73 struct pfctl_eth_rules_info { 74 uint32_t nr; 75 uint32_t ticket; 76 }; 77 78 struct pfctl_eth_addr { 79 uint8_t addr[ETHER_ADDR_LEN]; 80 uint8_t mask[ETHER_ADDR_LEN]; 81 bool neg; 82 bool isset; 83 }; 84 85 struct pfctl_eth_rule { 86 uint32_t nr; 87 88 bool quick; 89 90 /* Filter */ 91 char ifname[IFNAMSIZ]; 92 uint8_t ifnot; 93 uint8_t direction; 94 uint16_t proto; 95 struct pfctl_eth_addr src, dst; 96 struct pf_rule_addr ipsrc, ipdst; 97 98 /* Stats */ 99 uint64_t evaluations; 100 uint64_t packets[2]; 101 uint64_t bytes[2]; 102 uint32_t last_active_timestamp; 103 104 /* Action */ 105 char qname[PF_QNAME_SIZE]; 106 char tagname[PF_TAG_NAME_SIZE]; 107 uint16_t dnpipe; 108 uint32_t dnflags; 109 uint8_t action; 110 111 struct pfctl_eth_anchor *anchor; 112 uint8_t anchor_relative; 113 uint8_t anchor_wildcard; 114 115 TAILQ_ENTRY(pfctl_eth_rule) entries; 116 }; 117 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 118 119 struct pfctl_eth_ruleset_info { 120 uint32_t nr; 121 char name[PF_ANCHOR_NAME_SIZE]; 122 char path[MAXPATHLEN]; 123 }; 124 125 struct pfctl_eth_ruleset { 126 struct pfctl_eth_rules rules; 127 struct pfctl_eth_anchor *anchor; 128 }; 129 130 struct pfctl_eth_anchor { 131 struct pfctl_eth_anchor *parent; 132 char name[PF_ANCHOR_NAME_SIZE]; 133 char path[MAXPATHLEN]; 134 struct pfctl_eth_ruleset ruleset; 135 int refcnt; /* anchor rules */ 136 int match; /* XXX: used for pfctl black magic */ 137 }; 138 139 struct pfctl_pool { 140 struct pf_palist list; 141 struct pf_pooladdr *cur; 142 struct pf_poolhashkey key; 143 struct pf_addr counter; 144 struct pf_mape_portset mape; 145 int tblidx; 146 uint16_t proxy_port[2]; 147 uint8_t opts; 148 }; 149 150 struct pfctl_rules_info { 151 uint32_t nr; 152 uint32_t ticket; 153 }; 154 155 struct pfctl_rule { 156 struct pf_rule_addr src; 157 struct pf_rule_addr dst; 158 union pf_rule_ptr skip[PF_SKIP_COUNT]; 159 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 160 uint32_t ridentifier; 161 char ifname[IFNAMSIZ]; 162 char qname[PF_QNAME_SIZE]; 163 char pqname[PF_QNAME_SIZE]; 164 char tagname[PF_TAG_NAME_SIZE]; 165 char match_tagname[PF_TAG_NAME_SIZE]; 166 167 char overload_tblname[PF_TABLE_NAME_SIZE]; 168 169 TAILQ_ENTRY(pfctl_rule) entries; 170 struct pfctl_pool rpool; 171 172 uint64_t evaluations; 173 uint64_t packets[2]; 174 uint64_t bytes[2]; 175 uint32_t last_active_timestamp; 176 177 struct pfi_kif *kif; 178 struct pfctl_anchor *anchor; 179 struct pfr_ktable *overload_tbl; 180 181 pf_osfp_t os_fingerprint; 182 183 int rtableid; 184 uint32_t timeout[PFTM_MAX]; 185 uint32_t max_states; 186 uint32_t max_src_nodes; 187 uint32_t max_src_states; 188 uint32_t max_src_conn; 189 struct { 190 uint32_t limit; 191 uint32_t seconds; 192 } max_src_conn_rate; 193 uint32_t qid; 194 uint32_t pqid; 195 uint16_t dnpipe; 196 uint16_t dnrpipe; 197 uint32_t free_flags; 198 uint32_t nr; 199 uint32_t prob; 200 uid_t cuid; 201 pid_t cpid; 202 203 uint64_t states_cur; 204 uint64_t states_tot; 205 uint64_t src_nodes; 206 207 uint16_t return_icmp; 208 uint16_t return_icmp6; 209 uint16_t max_mss; 210 uint16_t tag; 211 uint16_t match_tag; 212 uint16_t scrub_flags; 213 214 struct pf_rule_uid uid; 215 struct pf_rule_gid gid; 216 217 uint32_t rule_flag; 218 uint8_t action; 219 uint8_t direction; 220 uint8_t log; 221 uint8_t logif; 222 uint8_t quick; 223 uint8_t ifnot; 224 uint8_t match_tag_not; 225 uint8_t natpass; 226 227 uint8_t keep_state; 228 sa_family_t af; 229 uint8_t proto; 230 uint8_t type; 231 uint8_t code; 232 uint8_t flags; 233 uint8_t flagset; 234 uint8_t min_ttl; 235 uint8_t allow_opts; 236 uint8_t rt; 237 uint8_t return_ttl; 238 uint8_t tos; 239 uint8_t set_tos; 240 uint8_t anchor_relative; 241 uint8_t anchor_wildcard; 242 243 uint8_t flush; 244 uint8_t prio; 245 uint8_t set_prio[2]; 246 247 struct { 248 struct pf_addr addr; 249 uint16_t port; 250 } divert; 251 }; 252 253 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 254 255 struct pfctl_ruleset { 256 struct { 257 struct pfctl_rulequeue queues[2]; 258 struct { 259 struct pfctl_rulequeue *ptr; 260 struct pfctl_rule **ptr_array; 261 uint32_t rcount; 262 uint32_t ticket; 263 int open; 264 } active, inactive; 265 } rules[PF_RULESET_MAX]; 266 struct pfctl_anchor *anchor; 267 uint32_t tticket; 268 int tables; 269 int topen; 270 }; 271 272 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 273 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 274 struct pfctl_anchor { 275 RB_ENTRY(pfctl_anchor) entry_global; 276 RB_ENTRY(pfctl_anchor) entry_node; 277 struct pfctl_anchor *parent; 278 struct pfctl_anchor_node children; 279 char name[PF_ANCHOR_NAME_SIZE]; 280 char path[MAXPATHLEN]; 281 struct pfctl_ruleset ruleset; 282 int refcnt; /* anchor rules */ 283 int match; /* XXX: used for pfctl black magic */ 284 }; 285 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 286 pf_anchor_compare); 287 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 288 pf_anchor_compare); 289 290 struct pfctl_state_cmp { 291 uint64_t id; 292 uint32_t creatorid; 293 uint8_t direction; 294 }; 295 296 struct pfctl_kill { 297 struct pfctl_state_cmp cmp; 298 sa_family_t af; 299 int proto; 300 struct pf_rule_addr src; 301 struct pf_rule_addr dst; 302 struct pf_rule_addr rt_addr; 303 char ifname[IFNAMSIZ]; 304 char label[PF_RULE_LABEL_SIZE]; 305 bool kill_match; 306 }; 307 308 struct pfctl_state_peer { 309 uint32_t seqlo; 310 uint32_t seqhi; 311 uint32_t seqdiff; 312 uint8_t state; 313 uint8_t wscale; 314 }; 315 316 struct pfctl_state_key { 317 struct pf_addr addr[2]; 318 uint16_t port[2]; 319 sa_family_t af; 320 uint8_t proto; 321 }; 322 323 struct pfctl_state { 324 TAILQ_ENTRY(pfctl_state) entry; 325 326 uint64_t id; 327 uint32_t creatorid; 328 uint8_t direction; 329 330 struct pfctl_state_peer src; 331 struct pfctl_state_peer dst; 332 333 uint32_t rule; 334 uint32_t anchor; 335 uint32_t nat_rule; 336 struct pf_addr rt_addr; 337 struct pfctl_state_key key[2]; /* addresses stack and wire */ 338 char ifname[IFNAMSIZ]; 339 char orig_ifname[IFNAMSIZ]; 340 uint64_t packets[2]; 341 uint64_t bytes[2]; 342 uint32_t creation; 343 uint32_t expire; 344 uint32_t pfsync_time; 345 uint8_t state_flags; 346 uint32_t sync_flags; 347 }; 348 349 TAILQ_HEAD(pfctl_statelist, pfctl_state); 350 struct pfctl_states { 351 struct pfctl_statelist states; 352 size_t count; 353 }; 354 355 enum pfctl_syncookies_mode { 356 PFCTL_SYNCOOKIES_NEVER, 357 PFCTL_SYNCOOKIES_ALWAYS, 358 PFCTL_SYNCOOKIES_ADAPTIVE 359 }; 360 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 361 362 struct pfctl_syncookies { 363 enum pfctl_syncookies_mode mode; 364 uint8_t highwater; /* Percent */ 365 uint8_t lowwater; /* Percent */ 366 }; 367 368 struct pfctl_status* pfctl_get_status(int dev); 369 void pfctl_free_status(struct pfctl_status *status); 370 371 int pfctl_get_eth_rulesets_info(int dev, 372 struct pfctl_eth_rulesets_info *ri, const char *path); 373 int pfctl_get_eth_ruleset(int dev, const char *path, int nr, 374 struct pfctl_eth_ruleset_info *ri); 375 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 376 const char *path); 377 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 378 const char *path, struct pfctl_eth_rule *rule, bool clear, 379 char *anchor_call); 380 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 381 const char *anchor, const char *anchor_call, uint32_t ticket); 382 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 383 uint32_t ruleset, const char *path); 384 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 385 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 386 char *anchor_call); 387 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 388 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 389 char *anchor_call, bool clear); 390 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 391 const char *anchor, const char *anchor_call, uint32_t ticket, 392 uint32_t pool_ticket); 393 int pfctl_set_keepcounters(int dev, bool keep); 394 int pfctl_get_states(int dev, struct pfctl_states *states); 395 void pfctl_free_states(struct pfctl_states *states); 396 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 397 unsigned int *killed); 398 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 399 unsigned int *killed); 400 int pfctl_clear_rules(int dev, const char *anchorname); 401 int pfctl_clear_nat(int dev, const char *anchorname); 402 int pfctl_clear_eth_rules(int dev, const char *anchorname); 403 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 404 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 405 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 406 *addr, int size, int *nadd, int flags); 407 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 408 *addr, int size, int *ndel, int flags); 409 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 410 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, 411 int flags); 412 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 413 *addr, int *size, int flags); 414 #endif 415