xref: /freebsd/lib/libpfctl/libpfctl.h (revision 6ba2210ee039f2f12878c217bcf058e9c8b26b29)
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 
41 struct pfctl_status_counter {
42 	uint64_t	 id;
43 	uint64_t	 counter;
44 	char		*name;
45 
46 	TAILQ_ENTRY(pfctl_status_counter) entry;
47 };
48 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
49 
50 struct pfctl_status {
51 	bool		running;
52 	uint32_t	since;
53 	uint32_t	debug;
54 	uint32_t	hostid;
55 	uint64_t	states;
56 	uint64_t	src_nodes;
57 	char		ifname[IFNAMSIZ];
58 	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
59 
60 	struct pfctl_status_counters	 counters;
61 	struct pfctl_status_counters	 lcounters;
62 	struct pfctl_status_counters	 fcounters;
63 	struct pfctl_status_counters	 scounters;
64 	uint64_t	pcounters[2][2][3];
65 	uint64_t	bcounters[2][2];
66 };
67 
68 struct pfctl_pool {
69 	struct pf_palist	 list;
70 	struct pf_pooladdr	*cur;
71 	struct pf_poolhashkey	 key;
72 	struct pf_addr		 counter;
73 	struct pf_mape_portset	 mape;
74 	int			 tblidx;
75 	u_int16_t		 proxy_port[2];
76 	u_int8_t		 opts;
77 };
78 
79 struct pfctl_rule {
80 	struct pf_rule_addr	 src;
81 	struct pf_rule_addr	 dst;
82 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
83 	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
84 	char			 ifname[IFNAMSIZ];
85 	char			 qname[PF_QNAME_SIZE];
86 	char			 pqname[PF_QNAME_SIZE];
87 	char			 tagname[PF_TAG_NAME_SIZE];
88 	char			 match_tagname[PF_TAG_NAME_SIZE];
89 
90 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
91 
92 	TAILQ_ENTRY(pfctl_rule)	 entries;
93 	struct pfctl_pool	 rpool;
94 
95 	u_int64_t		 evaluations;
96 	u_int64_t		 packets[2];
97 	u_int64_t		 bytes[2];
98 
99 	struct pfi_kif		*kif;
100 	struct pfctl_anchor	*anchor;
101 	struct pfr_ktable	*overload_tbl;
102 
103 	pf_osfp_t		 os_fingerprint;
104 
105 	int			 rtableid;
106 	u_int32_t		 timeout[PFTM_MAX];
107 	u_int32_t		 max_states;
108 	u_int32_t		 max_src_nodes;
109 	u_int32_t		 max_src_states;
110 	u_int32_t		 max_src_conn;
111 	struct {
112 		u_int32_t		limit;
113 		u_int32_t		seconds;
114 	}			 max_src_conn_rate;
115 	u_int32_t		 qid;
116 	u_int32_t		 pqid;
117 	u_int16_t		 dnpipe;
118 	u_int16_t		 dnrpipe;
119 	u_int32_t		 free_flags;
120 	u_int32_t		 nr;
121 	u_int32_t		 prob;
122 	uid_t			 cuid;
123 	pid_t			 cpid;
124 
125 	uint64_t		 states_cur;
126 	uint64_t		 states_tot;
127 	uint64_t		 src_nodes;
128 
129 	u_int16_t		 return_icmp;
130 	u_int16_t		 return_icmp6;
131 	u_int16_t		 max_mss;
132 	u_int16_t		 tag;
133 	u_int16_t		 match_tag;
134 	u_int16_t		 scrub_flags;
135 
136 	struct pf_rule_uid	 uid;
137 	struct pf_rule_gid	 gid;
138 
139 	u_int32_t		 rule_flag;
140 	u_int8_t		 action;
141 	u_int8_t		 direction;
142 	u_int8_t		 log;
143 	u_int8_t		 logif;
144 	u_int8_t		 quick;
145 	u_int8_t		 ifnot;
146 	u_int8_t		 match_tag_not;
147 	u_int8_t		 natpass;
148 
149 	u_int8_t		 keep_state;
150 	sa_family_t		 af;
151 	u_int8_t		 proto;
152 	u_int8_t		 type;
153 	u_int8_t		 code;
154 	u_int8_t		 flags;
155 	u_int8_t		 flagset;
156 	u_int8_t		 min_ttl;
157 	u_int8_t		 allow_opts;
158 	u_int8_t		 rt;
159 	u_int8_t		 return_ttl;
160 	u_int8_t		 tos;
161 	u_int8_t		 set_tos;
162 	u_int8_t		 anchor_relative;
163 	u_int8_t		 anchor_wildcard;
164 
165 	u_int8_t		 flush;
166 	u_int8_t		 prio;
167 	u_int8_t		 set_prio[2];
168 
169 	struct {
170 		struct pf_addr		addr;
171 		u_int16_t		port;
172 	}			divert;
173 };
174 
175 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
176 
177 struct pfctl_ruleset {
178 	struct {
179 		struct pfctl_rulequeue	 queues[2];
180 		struct {
181 			struct pfctl_rulequeue	*ptr;
182 			struct pfctl_rule	**ptr_array;
183 			u_int32_t		 rcount;
184 			u_int32_t		 ticket;
185 			int			 open;
186 		}			 active, inactive;
187 	}			 rules[PF_RULESET_MAX];
188 	struct pfctl_anchor	*anchor;
189 	u_int32_t		 tticket;
190 	int			 tables;
191 	int			 topen;
192 };
193 
194 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
195 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
196 struct pfctl_anchor {
197 	RB_ENTRY(pfctl_anchor)	 entry_global;
198 	RB_ENTRY(pfctl_anchor)	 entry_node;
199 	struct pfctl_anchor	*parent;
200 	struct pfctl_anchor_node children;
201 	char			 name[PF_ANCHOR_NAME_SIZE];
202 	char			 path[MAXPATHLEN];
203 	struct pfctl_ruleset	 ruleset;
204 	int			 refcnt;	/* anchor rules */
205 	int			 match;	/* XXX: used for pfctl black magic */
206 };
207 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
208     pf_anchor_compare);
209 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
210     pf_anchor_compare);
211 
212 struct pfctl_state_cmp {
213 	uint64_t	id;
214 	uint32_t	creatorid;
215 	uint8_t		direction;
216 };
217 
218 struct pfctl_kill {
219 	struct pfctl_state_cmp	cmp;
220 	sa_family_t		af;
221 	int			proto;
222 	struct pf_rule_addr	src;
223 	struct pf_rule_addr	dst;
224 	struct pf_rule_addr	rt_addr;
225 	char			ifname[IFNAMSIZ];
226 	char			label[PF_RULE_LABEL_SIZE];
227 	bool			kill_match;
228 };
229 
230 struct pfctl_state_peer {
231 	uint32_t			 seqlo;
232 	uint32_t			 seqhi;
233 	uint32_t			 seqdiff;
234 	uint8_t				 state;
235 	uint8_t				 wscale;
236 };
237 
238 struct pfctl_state_key {
239 	struct pf_addr	 addr[2];
240 	uint16_t	 port[2];
241 	sa_family_t	 af;
242 	uint8_t	 	 proto;
243 };
244 
245 struct pfctl_state {
246 	TAILQ_ENTRY(pfctl_state)	entry;
247 
248 	uint64_t		 id;
249 	uint32_t		 creatorid;
250 	uint8_t		 	 direction;
251 
252 	struct pfctl_state_peer	 src;
253 	struct pfctl_state_peer	 dst;
254 
255 	uint32_t		 rule;
256 	uint32_t		 anchor;
257 	uint32_t		 nat_rule;
258 	struct pf_addr		 rt_addr;
259 	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
260 	char			 ifname[IFNAMSIZ];
261 	char			 orig_ifname[IFNAMSIZ];
262 	uint64_t		 packets[2];
263 	uint64_t		 bytes[2];
264 	uint32_t		 creation;
265 	uint32_t		 expire;
266 	uint32_t		 pfsync_time;
267 	uint8_t			 state_flags;
268 	uint32_t		 sync_flags;
269 };
270 
271 TAILQ_HEAD(pfctl_statelist, pfctl_state);
272 struct pfctl_states {
273 	struct pfctl_statelist	states;
274 	size_t 			count;
275 };
276 
277 enum pfctl_syncookies_mode {
278 	PFCTL_SYNCOOKIES_NEVER,
279 	PFCTL_SYNCOOKIES_ALWAYS,
280 	PFCTL_SYNCOOKIES_ADAPTIVE
281 };
282 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
283 
284 struct pfctl_syncookies {
285 	enum pfctl_syncookies_mode	mode;
286 	uint8_t				highwater;	/* Percent */
287 	uint8_t				lowwater;	/* Percent */
288 };
289 
290 struct pfctl_status* pfctl_get_status(int dev);
291 void	pfctl_free_status(struct pfctl_status *status);
292 
293 int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
294 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
295 	    char *anchor_call);
296 int	pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
297 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
298 	    char *anchor_call, bool clear);
299 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
300 	    const char *anchor, const char *anchor_call, u_int32_t ticket,
301 	    u_int32_t pool_ticket);
302 int	pfctl_set_keepcounters(int dev, bool keep);
303 int	pfctl_get_states(int dev, struct pfctl_states *states);
304 void	pfctl_free_states(struct pfctl_states *states);
305 int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
306 	    unsigned int *killed);
307 int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
308 	    unsigned int *killed);
309 int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
310 int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
311 
312 #endif
313