1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 struct pfctl_eth_anchor; 41 42 struct pfctl_status_counter { 43 uint64_t id; 44 uint64_t counter; 45 char *name; 46 47 TAILQ_ENTRY(pfctl_status_counter) entry; 48 }; 49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 50 51 struct pfctl_status { 52 bool running; 53 uint32_t since; 54 uint32_t debug; 55 uint32_t hostid; 56 uint64_t states; 57 uint64_t src_nodes; 58 char ifname[IFNAMSIZ]; 59 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 60 61 struct pfctl_status_counters counters; 62 struct pfctl_status_counters lcounters; 63 struct pfctl_status_counters fcounters; 64 struct pfctl_status_counters scounters; 65 uint64_t pcounters[2][2][3]; 66 uint64_t bcounters[2][2]; 67 }; 68 69 struct pfctl_eth_rules_info { 70 uint32_t nr; 71 uint32_t ticket; 72 }; 73 74 struct pfctl_eth_addr { 75 uint8_t addr[ETHER_ADDR_LEN]; 76 uint8_t mask[ETHER_ADDR_LEN]; 77 bool neg; 78 bool isset; 79 }; 80 81 struct pfctl_eth_rule { 82 uint32_t nr; 83 84 bool quick; 85 86 /* Filter */ 87 char ifname[IFNAMSIZ]; 88 uint8_t ifnot; 89 uint8_t direction; 90 uint16_t proto; 91 struct pfctl_eth_addr src, dst; 92 struct pf_rule_addr ipsrc, ipdst; 93 94 /* Stats */ 95 uint64_t evaluations; 96 uint64_t packets[2]; 97 uint64_t bytes[2]; 98 99 /* Action */ 100 char qname[PF_QNAME_SIZE]; 101 char tagname[PF_TAG_NAME_SIZE]; 102 uint16_t dnpipe; 103 uint32_t dnflags; 104 uint8_t action; 105 106 struct pfctl_eth_anchor *anchor; 107 uint8_t anchor_relative; 108 uint8_t anchor_wildcard; 109 110 TAILQ_ENTRY(pfctl_eth_rule) entries; 111 }; 112 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule); 113 114 struct pfctl_eth_ruleset { 115 struct pfctl_eth_rules rules; 116 struct pfctl_eth_anchor *anchor; 117 }; 118 119 struct pfctl_eth_anchor { 120 struct pfctl_eth_anchor *parent; 121 char name[PF_ANCHOR_NAME_SIZE]; 122 char path[MAXPATHLEN]; 123 struct pfctl_eth_ruleset ruleset; 124 int refcnt; /* anchor rules */ 125 int match; /* XXX: used for pfctl black magic */ 126 }; 127 128 struct pfctl_pool { 129 struct pf_palist list; 130 struct pf_pooladdr *cur; 131 struct pf_poolhashkey key; 132 struct pf_addr counter; 133 struct pf_mape_portset mape; 134 int tblidx; 135 uint16_t proxy_port[2]; 136 uint8_t opts; 137 }; 138 139 struct pfctl_rules_info { 140 uint32_t nr; 141 uint32_t ticket; 142 }; 143 144 struct pfctl_rule { 145 struct pf_rule_addr src; 146 struct pf_rule_addr dst; 147 union pf_rule_ptr skip[PF_SKIP_COUNT]; 148 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 149 uint32_t ridentifier; 150 char ifname[IFNAMSIZ]; 151 char qname[PF_QNAME_SIZE]; 152 char pqname[PF_QNAME_SIZE]; 153 char tagname[PF_TAG_NAME_SIZE]; 154 char match_tagname[PF_TAG_NAME_SIZE]; 155 156 char overload_tblname[PF_TABLE_NAME_SIZE]; 157 158 TAILQ_ENTRY(pfctl_rule) entries; 159 struct pfctl_pool rpool; 160 161 uint64_t evaluations; 162 uint64_t packets[2]; 163 uint64_t bytes[2]; 164 165 struct pfi_kif *kif; 166 struct pfctl_anchor *anchor; 167 struct pfr_ktable *overload_tbl; 168 169 pf_osfp_t os_fingerprint; 170 171 int rtableid; 172 uint32_t timeout[PFTM_MAX]; 173 uint32_t max_states; 174 uint32_t max_src_nodes; 175 uint32_t max_src_states; 176 uint32_t max_src_conn; 177 struct { 178 uint32_t limit; 179 uint32_t seconds; 180 } max_src_conn_rate; 181 uint32_t qid; 182 uint32_t pqid; 183 uint16_t dnpipe; 184 uint16_t dnrpipe; 185 uint32_t free_flags; 186 uint32_t nr; 187 uint32_t prob; 188 uid_t cuid; 189 pid_t cpid; 190 191 uint64_t states_cur; 192 uint64_t states_tot; 193 uint64_t src_nodes; 194 195 uint16_t return_icmp; 196 uint16_t return_icmp6; 197 uint16_t max_mss; 198 uint16_t tag; 199 uint16_t match_tag; 200 uint16_t scrub_flags; 201 202 struct pf_rule_uid uid; 203 struct pf_rule_gid gid; 204 205 uint32_t rule_flag; 206 uint8_t action; 207 uint8_t direction; 208 uint8_t log; 209 uint8_t logif; 210 uint8_t quick; 211 uint8_t ifnot; 212 uint8_t match_tag_not; 213 uint8_t natpass; 214 215 uint8_t keep_state; 216 sa_family_t af; 217 uint8_t proto; 218 uint8_t type; 219 uint8_t code; 220 uint8_t flags; 221 uint8_t flagset; 222 uint8_t min_ttl; 223 uint8_t allow_opts; 224 uint8_t rt; 225 uint8_t return_ttl; 226 uint8_t tos; 227 uint8_t set_tos; 228 uint8_t anchor_relative; 229 uint8_t anchor_wildcard; 230 231 uint8_t flush; 232 uint8_t prio; 233 uint8_t set_prio[2]; 234 235 struct { 236 struct pf_addr addr; 237 uint16_t port; 238 } divert; 239 }; 240 241 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 242 243 struct pfctl_ruleset { 244 struct { 245 struct pfctl_rulequeue queues[2]; 246 struct { 247 struct pfctl_rulequeue *ptr; 248 struct pfctl_rule **ptr_array; 249 uint32_t rcount; 250 uint32_t ticket; 251 int open; 252 } active, inactive; 253 } rules[PF_RULESET_MAX]; 254 struct pfctl_anchor *anchor; 255 uint32_t tticket; 256 int tables; 257 int topen; 258 }; 259 260 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 261 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 262 struct pfctl_anchor { 263 RB_ENTRY(pfctl_anchor) entry_global; 264 RB_ENTRY(pfctl_anchor) entry_node; 265 struct pfctl_anchor *parent; 266 struct pfctl_anchor_node children; 267 char name[PF_ANCHOR_NAME_SIZE]; 268 char path[MAXPATHLEN]; 269 struct pfctl_ruleset ruleset; 270 int refcnt; /* anchor rules */ 271 int match; /* XXX: used for pfctl black magic */ 272 }; 273 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 274 pf_anchor_compare); 275 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 276 pf_anchor_compare); 277 278 struct pfctl_state_cmp { 279 uint64_t id; 280 uint32_t creatorid; 281 uint8_t direction; 282 }; 283 284 struct pfctl_kill { 285 struct pfctl_state_cmp cmp; 286 sa_family_t af; 287 int proto; 288 struct pf_rule_addr src; 289 struct pf_rule_addr dst; 290 struct pf_rule_addr rt_addr; 291 char ifname[IFNAMSIZ]; 292 char label[PF_RULE_LABEL_SIZE]; 293 bool kill_match; 294 }; 295 296 struct pfctl_state_peer { 297 uint32_t seqlo; 298 uint32_t seqhi; 299 uint32_t seqdiff; 300 uint8_t state; 301 uint8_t wscale; 302 }; 303 304 struct pfctl_state_key { 305 struct pf_addr addr[2]; 306 uint16_t port[2]; 307 sa_family_t af; 308 uint8_t proto; 309 }; 310 311 struct pfctl_state { 312 TAILQ_ENTRY(pfctl_state) entry; 313 314 uint64_t id; 315 uint32_t creatorid; 316 uint8_t direction; 317 318 struct pfctl_state_peer src; 319 struct pfctl_state_peer dst; 320 321 uint32_t rule; 322 uint32_t anchor; 323 uint32_t nat_rule; 324 struct pf_addr rt_addr; 325 struct pfctl_state_key key[2]; /* addresses stack and wire */ 326 char ifname[IFNAMSIZ]; 327 char orig_ifname[IFNAMSIZ]; 328 uint64_t packets[2]; 329 uint64_t bytes[2]; 330 uint32_t creation; 331 uint32_t expire; 332 uint32_t pfsync_time; 333 uint8_t state_flags; 334 uint32_t sync_flags; 335 }; 336 337 TAILQ_HEAD(pfctl_statelist, pfctl_state); 338 struct pfctl_states { 339 struct pfctl_statelist states; 340 size_t count; 341 }; 342 343 enum pfctl_syncookies_mode { 344 PFCTL_SYNCOOKIES_NEVER, 345 PFCTL_SYNCOOKIES_ALWAYS, 346 PFCTL_SYNCOOKIES_ADAPTIVE 347 }; 348 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[]; 349 350 struct pfctl_syncookies { 351 enum pfctl_syncookies_mode mode; 352 uint8_t highwater; /* Percent */ 353 uint8_t lowwater; /* Percent */ 354 }; 355 356 struct pfctl_status* pfctl_get_status(int dev); 357 void pfctl_free_status(struct pfctl_status *status); 358 359 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules, 360 const char *path); 361 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket, 362 const char *path, struct pfctl_eth_rule *rule, bool clear, 363 char *anchor_call); 364 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r, 365 const char *anchor, const char *anchor_call, uint32_t ticket); 366 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules, 367 uint32_t ruleset, const char *path); 368 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket, 369 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 370 char *anchor_call); 371 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket, 372 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule, 373 char *anchor_call, bool clear); 374 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 375 const char *anchor, const char *anchor_call, uint32_t ticket, 376 uint32_t pool_ticket); 377 int pfctl_set_keepcounters(int dev, bool keep); 378 int pfctl_get_states(int dev, struct pfctl_states *states); 379 void pfctl_free_states(struct pfctl_states *states); 380 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 381 unsigned int *killed); 382 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 383 unsigned int *killed); 384 int pfctl_clear_rules(int dev, const char *anchorname); 385 int pfctl_clear_nat(int dev, const char *anchorname); 386 int pfctl_clear_eth_rules(int dev, const char *anchorname); 387 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 388 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 389 390 #endif 391