1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 41 struct pfctl_pool { 42 struct pf_palist list; 43 struct pf_pooladdr *cur; 44 struct pf_poolhashkey key; 45 struct pf_addr counter; 46 struct pf_mape_portset mape; 47 int tblidx; 48 u_int16_t proxy_port[2]; 49 u_int8_t opts; 50 }; 51 52 struct pfctl_rule { 53 struct pf_rule_addr src; 54 struct pf_rule_addr dst; 55 union pf_rule_ptr skip[PF_SKIP_COUNT]; 56 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 57 char ifname[IFNAMSIZ]; 58 char qname[PF_QNAME_SIZE]; 59 char pqname[PF_QNAME_SIZE]; 60 char tagname[PF_TAG_NAME_SIZE]; 61 char match_tagname[PF_TAG_NAME_SIZE]; 62 63 char overload_tblname[PF_TABLE_NAME_SIZE]; 64 65 TAILQ_ENTRY(pfctl_rule) entries; 66 struct pfctl_pool rpool; 67 68 u_int64_t evaluations; 69 u_int64_t packets[2]; 70 u_int64_t bytes[2]; 71 72 struct pfi_kif *kif; 73 struct pfctl_anchor *anchor; 74 struct pfr_ktable *overload_tbl; 75 76 pf_osfp_t os_fingerprint; 77 78 int rtableid; 79 u_int32_t timeout[PFTM_MAX]; 80 u_int32_t max_states; 81 u_int32_t max_src_nodes; 82 u_int32_t max_src_states; 83 u_int32_t max_src_conn; 84 struct { 85 u_int32_t limit; 86 u_int32_t seconds; 87 } max_src_conn_rate; 88 u_int32_t qid; 89 u_int32_t pqid; 90 u_int32_t nr; 91 u_int32_t prob; 92 uid_t cuid; 93 pid_t cpid; 94 95 uint64_t states_cur; 96 uint64_t states_tot; 97 uint64_t src_nodes; 98 99 u_int16_t return_icmp; 100 u_int16_t return_icmp6; 101 u_int16_t max_mss; 102 u_int16_t tag; 103 u_int16_t match_tag; 104 u_int16_t scrub_flags; 105 106 struct pf_rule_uid uid; 107 struct pf_rule_gid gid; 108 109 u_int32_t rule_flag; 110 u_int8_t action; 111 u_int8_t direction; 112 u_int8_t log; 113 u_int8_t logif; 114 u_int8_t quick; 115 u_int8_t ifnot; 116 u_int8_t match_tag_not; 117 u_int8_t natpass; 118 119 u_int8_t keep_state; 120 sa_family_t af; 121 u_int8_t proto; 122 u_int8_t type; 123 u_int8_t code; 124 u_int8_t flags; 125 u_int8_t flagset; 126 u_int8_t min_ttl; 127 u_int8_t allow_opts; 128 u_int8_t rt; 129 u_int8_t return_ttl; 130 u_int8_t tos; 131 u_int8_t set_tos; 132 u_int8_t anchor_relative; 133 u_int8_t anchor_wildcard; 134 135 u_int8_t flush; 136 u_int8_t prio; 137 u_int8_t set_prio[2]; 138 139 struct { 140 struct pf_addr addr; 141 u_int16_t port; 142 } divert; 143 }; 144 145 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 146 147 struct pfctl_ruleset { 148 struct { 149 struct pfctl_rulequeue queues[2]; 150 struct { 151 struct pfctl_rulequeue *ptr; 152 struct pfctl_rule **ptr_array; 153 u_int32_t rcount; 154 u_int32_t ticket; 155 int open; 156 } active, inactive; 157 } rules[PF_RULESET_MAX]; 158 struct pfctl_anchor *anchor; 159 u_int32_t tticket; 160 int tables; 161 int topen; 162 }; 163 164 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 165 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 166 struct pfctl_anchor { 167 RB_ENTRY(pfctl_anchor) entry_global; 168 RB_ENTRY(pfctl_anchor) entry_node; 169 struct pfctl_anchor *parent; 170 struct pfctl_anchor_node children; 171 char name[PF_ANCHOR_NAME_SIZE]; 172 char path[MAXPATHLEN]; 173 struct pfctl_ruleset ruleset; 174 int refcnt; /* anchor rules */ 175 int match; /* XXX: used for pfctl black magic */ 176 }; 177 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 178 pf_anchor_compare); 179 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 180 pf_anchor_compare); 181 182 struct pfctl_state_cmp { 183 uint64_t id; 184 uint32_t creatorid; 185 uint8_t direction; 186 }; 187 188 struct pfctl_kill { 189 struct pfctl_state_cmp cmp; 190 sa_family_t af; 191 int proto; 192 struct pf_rule_addr src; 193 struct pf_rule_addr dst; 194 struct pf_rule_addr rt_addr; 195 char ifname[IFNAMSIZ]; 196 char label[PF_RULE_LABEL_SIZE]; 197 bool kill_match; 198 }; 199 200 struct pfctl_state_peer { 201 uint32_t seqlo; 202 uint32_t seqhi; 203 uint32_t seqdiff; 204 uint8_t state; 205 uint8_t wscale; 206 }; 207 208 struct pfctl_state_key { 209 struct pf_addr addr[2]; 210 uint16_t port[2]; 211 sa_family_t af; 212 uint8_t proto; 213 }; 214 215 struct pfctl_state { 216 TAILQ_ENTRY(pfctl_state) entry; 217 218 uint64_t id; 219 uint32_t creatorid; 220 uint8_t direction; 221 222 struct pfctl_state_peer src; 223 struct pfctl_state_peer dst; 224 225 uint32_t rule; 226 uint32_t anchor; 227 uint32_t nat_rule; 228 struct pf_addr rt_addr; 229 struct pfctl_state_key key[2]; /* addresses stack and wire */ 230 char ifname[IFNAMSIZ]; 231 char orig_ifname[IFNAMSIZ]; 232 uint64_t packets[2]; 233 uint64_t bytes[2]; 234 uint32_t creation; 235 uint32_t expire; 236 uint32_t pfsync_time; 237 uint8_t state_flags; 238 uint32_t sync_flags; 239 }; 240 241 TAILQ_HEAD(pfctl_statelist, pfctl_state); 242 struct pfctl_states { 243 struct pfctl_statelist states; 244 size_t count; 245 }; 246 247 enum pfctl_syncookies_mode { 248 PFCTL_SYNCOOKIES_NEVER, 249 PFCTL_SYNCOOKIES_ALWAYS 250 }; 251 252 struct pfctl_syncookies { 253 enum pfctl_syncookies_mode mode; 254 }; 255 256 int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, 257 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, 258 char *anchor_call); 259 int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket, 260 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, 261 char *anchor_call, bool clear); 262 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 263 const char *anchor, const char *anchor_call, u_int32_t ticket, 264 u_int32_t pool_ticket); 265 int pfctl_set_keepcounters(int dev, bool keep); 266 int pfctl_get_states(int dev, struct pfctl_states *states); 267 void pfctl_free_states(struct pfctl_states *states); 268 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 269 unsigned int *killed); 270 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 271 unsigned int *killed); 272 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 273 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 274 275 #endif 276