1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 struct pfctl_eth_anchor; 41 42 struct pfctl_status_counter { 43 uint64_t id; 44 uint64_t counter; 45 char *name; 46 47 TAILQ_ENTRY(pfctl_status_counter) entry; 48 }; 49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 50 51 struct pfctl_status { 52 bool running; 53 uint32_t since; 54 uint32_t debug; 55 uint32_t hostid; 56 uint64_t states; 57 uint64_t src_nodes; 58 char ifname[IFNAMSIZ]; 59 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 60 61 struct pfctl_status_counters counters; 62 struct pfctl_status_counters lcounters; 63 struct pfctl_status_counters fcounters; 64 struct pfctl_status_counters scounters; 65 uint64_t pcounters[2][2][3]; 66 uint64_t bcounters[2][2]; 67 }; 68 69 struct pfctl_eth_rulesets_info { 70 uint32_t nr; 71 }; 72 73 struct pfctl_eth_rules_info { 74 uint32_t nr; 75 uint32_t ticket; 76 }; 77 78 struct pfctl_eth_addr { 79 uint8_t addr[ETHER_ADDR_LEN]; 80 uint8_t mask[ETHER_ADDR_LEN]; 81 bool neg; 82 bool isset; 83 }; 84 85 struct pfctl_eth_rule { 86 uint32_t nr; 87 88 bool quick; 89 90 /* Filter */ 91 char ifname[IFNAMSIZ]; 92 uint8_t ifnot; 93 uint8_t direction; 94 uint16_t proto; 95 struct pfctl_eth_addr src, dst; 96 struct pf_rule_addr ipsrc, ipdst; 97 char match_tagname[PF_TAG_NAME_SIZE]; 98 uint16_t match_tag; 99 bool match_tag_not; 100 101 /* Stats */ 102 uint64_t evaluations; 103 uint64_t packets[2]; 104 uint64_t bytes[2]; 105 uint32_t last_active_timestamp; 106 107 /* Action */ 108 char qname[PF_QNAME_SIZE]; 109 char tagname[PF_TAG_NAME_SIZE]; 110 uint16_t dnpipe; 111 uint32_t dnflags; 112 uint8_t action; 113 114 struct pfctl_eth_anchor *anchor; 115 uint8_t anchor_relative; 116 uint8_t anchor_wildcard; 117 118 TAILQ_ENTRY(pfctl_eth_rule) entries; 119 }; 120 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 121 122 struct pfctl_eth_ruleset_info { 123 uint32_t nr; 124 char name[PF_ANCHOR_NAME_SIZE]; 125 char path[MAXPATHLEN]; 126 }; 127 128 struct pfctl_eth_ruleset { 129 struct pfctl_eth_rules rules; 130 struct pfctl_eth_anchor *anchor; 131 }; 132 133 struct pfctl_eth_anchor { 134 struct pfctl_eth_anchor *parent; 135 char name[PF_ANCHOR_NAME_SIZE]; 136 char path[MAXPATHLEN]; 137 struct pfctl_eth_ruleset ruleset; 138 int refcnt; /* anchor rules */ 139 int match; /* XXX: used for pfctl black magic */ 140 }; 141 142 struct pfctl_pool { 143 struct pf_palist list; 144 struct pf_pooladdr *cur; 145 struct pf_poolhashkey key; 146 struct pf_addr counter; 147 struct pf_mape_portset mape; 148 int tblidx; 149 uint16_t proxy_port[2]; 150 uint8_t opts; 151 }; 152 153 struct pfctl_rules_info { 154 uint32_t nr; 155 uint32_t ticket; 156 }; 157 158 struct pfctl_rule { 159 struct pf_rule_addr src; 160 struct pf_rule_addr dst; 161 union pf_rule_ptr skip[PF_SKIP_COUNT]; 162 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 163 uint32_t ridentifier; 164 char ifname[IFNAMSIZ]; 165 char qname[PF_QNAME_SIZE]; 166 char pqname[PF_QNAME_SIZE]; 167 char tagname[PF_TAG_NAME_SIZE]; 168 char match_tagname[PF_TAG_NAME_SIZE]; 169 170 char overload_tblname[PF_TABLE_NAME_SIZE]; 171 172 TAILQ_ENTRY(pfctl_rule) entries; 173 struct pfctl_pool rpool; 174 175 uint64_t evaluations; 176 uint64_t packets[2]; 177 uint64_t bytes[2]; 178 uint32_t last_active_timestamp; 179 180 struct pfi_kif *kif; 181 struct pfctl_anchor *anchor; 182 struct pfr_ktable *overload_tbl; 183 184 pf_osfp_t os_fingerprint; 185 186 int rtableid; 187 uint32_t timeout[PFTM_MAX]; 188 uint32_t max_states; 189 uint32_t max_src_nodes; 190 uint32_t max_src_states; 191 uint32_t max_src_conn; 192 struct { 193 uint32_t limit; 194 uint32_t seconds; 195 } max_src_conn_rate; 196 uint32_t qid; 197 uint32_t pqid; 198 uint16_t dnpipe; 199 uint16_t dnrpipe; 200 uint32_t free_flags; 201 uint32_t nr; 202 uint32_t prob; 203 uid_t cuid; 204 pid_t cpid; 205 206 uint64_t states_cur; 207 uint64_t states_tot; 208 uint64_t src_nodes; 209 210 uint16_t return_icmp; 211 uint16_t return_icmp6; 212 uint16_t max_mss; 213 uint16_t tag; 214 uint16_t match_tag; 215 uint16_t scrub_flags; 216 217 struct pf_rule_uid uid; 218 struct pf_rule_gid gid; 219 220 uint32_t rule_flag; 221 uint8_t action; 222 uint8_t direction; 223 uint8_t log; 224 uint8_t logif; 225 uint8_t quick; 226 uint8_t ifnot; 227 uint8_t match_tag_not; 228 uint8_t natpass; 229 230 uint8_t keep_state; 231 sa_family_t af; 232 uint8_t proto; 233 uint8_t type; 234 uint8_t code; 235 uint8_t flags; 236 uint8_t flagset; 237 uint8_t min_ttl; 238 uint8_t allow_opts; 239 uint8_t rt; 240 uint8_t return_ttl; 241 uint8_t tos; 242 uint8_t set_tos; 243 uint8_t anchor_relative; 244 uint8_t anchor_wildcard; 245 246 uint8_t flush; 247 uint8_t prio; 248 uint8_t set_prio[2]; 249 250 struct { 251 struct pf_addr addr; 252 uint16_t port; 253 } divert; 254 }; 255 256 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 257 258 struct pfctl_ruleset { 259 struct { 260 struct pfctl_rulequeue queues[2]; 261 struct { 262 struct pfctl_rulequeue *ptr; 263 struct pfctl_rule **ptr_array; 264 uint32_t rcount; 265 uint32_t ticket; 266 int open; 267 } active, inactive; 268 } rules[PF_RULESET_MAX]; 269 struct pfctl_anchor *anchor; 270 uint32_t tticket; 271 int tables; 272 int topen; 273 }; 274 275 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 276 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 277 struct pfctl_anchor { 278 RB_ENTRY(pfctl_anchor) entry_global; 279 RB_ENTRY(pfctl_anchor) entry_node; 280 struct pfctl_anchor *parent; 281 struct pfctl_anchor_node children; 282 char name[PF_ANCHOR_NAME_SIZE]; 283 char path[MAXPATHLEN]; 284 struct pfctl_ruleset ruleset; 285 int refcnt; /* anchor rules */ 286 int match; /* XXX: used for pfctl black magic */ 287 }; 288 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 289 pf_anchor_compare); 290 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 291 pf_anchor_compare); 292 293 struct pfctl_state_cmp { 294 uint64_t id; 295 uint32_t creatorid; 296 uint8_t direction; 297 }; 298 299 struct pfctl_kill { 300 struct pfctl_state_cmp cmp; 301 sa_family_t af; 302 int proto; 303 struct pf_rule_addr src; 304 struct pf_rule_addr dst; 305 struct pf_rule_addr rt_addr; 306 char ifname[IFNAMSIZ]; 307 char label[PF_RULE_LABEL_SIZE]; 308 bool kill_match; 309 }; 310 311 struct pfctl_state_peer { 312 uint32_t seqlo; 313 uint32_t seqhi; 314 uint32_t seqdiff; 315 uint8_t state; 316 uint8_t wscale; 317 }; 318 319 struct pfctl_state_key { 320 struct pf_addr addr[2]; 321 uint16_t port[2]; 322 sa_family_t af; 323 uint8_t proto; 324 }; 325 326 struct pfctl_state { 327 TAILQ_ENTRY(pfctl_state) entry; 328 329 uint64_t id; 330 uint32_t creatorid; 331 uint8_t direction; 332 333 struct pfctl_state_peer src; 334 struct pfctl_state_peer dst; 335 336 uint32_t rule; 337 uint32_t anchor; 338 uint32_t nat_rule; 339 struct pf_addr rt_addr; 340 struct pfctl_state_key key[2]; /* addresses stack and wire */ 341 char ifname[IFNAMSIZ]; 342 char orig_ifname[IFNAMSIZ]; 343 uint64_t packets[2]; 344 uint64_t bytes[2]; 345 uint32_t creation; 346 uint32_t expire; 347 uint32_t pfsync_time; 348 uint8_t state_flags; 349 uint32_t sync_flags; 350 }; 351 352 TAILQ_HEAD(pfctl_statelist, pfctl_state); 353 struct pfctl_states { 354 struct pfctl_statelist states; 355 size_t count; 356 }; 357 358 enum pfctl_syncookies_mode { 359 PFCTL_SYNCOOKIES_NEVER, 360 PFCTL_SYNCOOKIES_ALWAYS, 361 PFCTL_SYNCOOKIES_ADAPTIVE 362 }; 363 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 364 365 struct pfctl_syncookies { 366 enum pfctl_syncookies_mode mode; 367 uint8_t highwater; /* Percent */ 368 uint8_t lowwater; /* Percent */ 369 }; 370 371 struct pfctl_status* pfctl_get_status(int dev); 372 void pfctl_free_status(struct pfctl_status *status); 373 374 int pfctl_get_eth_rulesets_info(int dev, 375 struct pfctl_eth_rulesets_info *ri, const char *path); 376 int pfctl_get_eth_ruleset(int dev, const char *path, int nr, 377 struct pfctl_eth_ruleset_info *ri); 378 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 379 const char *path); 380 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 381 const char *path, struct pfctl_eth_rule *rule, bool clear, 382 char *anchor_call); 383 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 384 const char *anchor, const char *anchor_call, uint32_t ticket); 385 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 386 uint32_t ruleset, const char *path); 387 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 388 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 389 char *anchor_call); 390 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 391 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 392 char *anchor_call, bool clear); 393 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 394 const char *anchor, const char *anchor_call, uint32_t ticket, 395 uint32_t pool_ticket); 396 int pfctl_set_keepcounters(int dev, bool keep); 397 int pfctl_get_states(int dev, struct pfctl_states *states); 398 void pfctl_free_states(struct pfctl_states *states); 399 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 400 unsigned int *killed); 401 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 402 unsigned int *killed); 403 int pfctl_clear_rules(int dev, const char *anchorname); 404 int pfctl_clear_nat(int dev, const char *anchorname); 405 int pfctl_clear_eth_rules(int dev, const char *anchorname); 406 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 407 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 408 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 409 *addr, int size, int *nadd, int flags); 410 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 411 *addr, int size, int *ndel, int flags); 412 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 413 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange, 414 int flags); 415 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr 416 *addr, int *size, int flags); 417 #endif 418