1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36 
37 #include <netpfil/pf/pf.h>
38 
39 struct pfctl_anchor;
40 
/*
 * Library-side representation of a single pf rule.  This is the object
 * that pfctl_get_rule() fills in and pfctl_add_rule() reads (prototypes at
 * the bottom of this header).  The member list appears to shadow the
 * kernel's rule structure field for field; several members carry
 * kernel-only types (struct pfi_kif *, struct pfr_ktable *, counter_u64_t).
 * NOTE(review): those kernel-typed members are presumably opaque from
 * userspace and should not be dereferenced here -- confirm against the
 * implementation before relying on them.
 */
41 struct pfctl_rule {
42 	struct pf_rule_addr	 src;
43 	struct pf_rule_addr	 dst;
44 	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
45 	char			 label[PF_RULE_LABEL_SIZE];
46 	char			 ifname[IFNAMSIZ];
47 	char			 qname[PF_QNAME_SIZE];
48 	char			 pqname[PF_QNAME_SIZE];
49 	char			 tagname[PF_TAG_NAME_SIZE];
50 	char			 match_tagname[PF_TAG_NAME_SIZE];
51 
52 	char			 overload_tblname[PF_TABLE_NAME_SIZE];
53 
54 	TAILQ_ENTRY(pfctl_rule)	 entries;	/* linkage on a struct pfctl_rulequeue (see TAILQ_HEAD below) */
55 	struct pf_pool		 rpool;
56 
57 	u_int64_t		 evaluations;
58 	u_int64_t		 packets[2];	/* two counters; presumably one per direction -- confirm */
59 	u_int64_t		 bytes[2];	/* two counters; presumably one per direction -- confirm */
60 
61 	struct pfi_kif		*kif;		/* kernel-side type; NOTE(review): treat as opaque in userspace */
62 	struct pfctl_anchor	*anchor;	/* see struct pfctl_anchor below */
63 	struct pfr_ktable	*overload_tbl;	/* kernel-side type; NOTE(review): treat as opaque in userspace */
64 
65 	pf_osfp_t		 os_fingerprint;
66 
67 	int			 rtableid;
68 	u_int32_t		 timeout[PFTM_MAX];
69 	u_int32_t		 max_states;
70 	u_int32_t		 max_src_nodes;
71 	u_int32_t		 max_src_states;
72 	u_int32_t		 max_src_conn;
73 	struct {
74 		u_int32_t		limit;
75 		u_int32_t		seconds;
76 	}			 max_src_conn_rate;	/* presumably `limit' connections per `seconds' -- confirm */
77 	u_int32_t		 qid;
78 	u_int32_t		 pqid;
79 	u_int32_t		 nr;
80 	u_int32_t		 prob;
81 	uid_t			 cuid;
82 	pid_t			 cpid;
83 
84 	counter_u64_t		 states_cur;	/* kernel counter type; see u_states_cur below */
85 	counter_u64_t		 states_tot;	/* kernel counter type; see u_states_tot below */
86 	counter_u64_t		 src_nodes;	/* kernel counter type; see u_src_nodes below */
87 
88 	u_int16_t		 return_icmp;
89 	u_int16_t		 return_icmp6;
90 	u_int16_t		 max_mss;
91 	u_int16_t		 tag;
92 	u_int16_t		 match_tag;
93 	u_int16_t		 scrub_flags;
94 
95 	struct pf_rule_uid	 uid;
96 	struct pf_rule_gid	 gid;
97 
98 	u_int32_t		 rule_flag;
99 	u_int8_t		 action;
100 	u_int8_t		 direction;
101 	u_int8_t		 log;
102 	u_int8_t		 logif;
103 	u_int8_t		 quick;
104 	u_int8_t		 ifnot;
105 	u_int8_t		 match_tag_not;
106 	u_int8_t		 natpass;
107 
108 	u_int8_t		 keep_state;
109 	sa_family_t		 af;
110 	u_int8_t		 proto;
111 	u_int8_t		 type;
112 	u_int8_t		 code;
113 	u_int8_t		 flags;
114 	u_int8_t		 flagset;
115 	u_int8_t		 min_ttl;
116 	u_int8_t		 allow_opts;
117 	u_int8_t		 rt;
118 	u_int8_t		 return_ttl;
119 	u_int8_t		 tos;
120 	u_int8_t		 set_tos;
121 	u_int8_t		 anchor_relative;
122 	u_int8_t		 anchor_wildcard;
123 
124 	u_int8_t		 flush;
125 	u_int8_t		 prio;
126 	u_int8_t		 set_prio[2];
127 
128 	struct {
129 		struct pf_addr		addr;
130 		u_int16_t		port;
131 	}			divert;
132 
133 	/*
134 	 * NOTE(review): the u_* members are plain integers alongside the
135 	 * counter_u64_t fields of the same name above; they look like the
136 	 * userspace-readable copies of those counters -- confirm.
137 	 */
133 	uint64_t		 u_states_cur;
134 	uint64_t		 u_states_tot;
135 	uint64_t		 u_src_nodes;
136 };
137 
/*
 * Queue-head type for lists of struct pfctl_rule, linked through the
 * `entries' TAILQ_ENTRY member of each rule.
 */
138 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
139 
/*
 * A set of rule queues belonging to one anchor (struct pfctl_anchor embeds
 * one of these as `ruleset').  For each of the PF_RULESET_MAX rule types
 * there are two queues plus an `active' and an `inactive' view onto them,
 * each view carrying its own queue pointer, rule array, count and ticket.
 */
140 struct pfctl_ruleset {
141 	struct {
142 		struct pfctl_rulequeue	 queues[2];
143 		struct {
144 			struct pfctl_rulequeue	*ptr;		/* presumably points at one of queues[] -- confirm */
145 			struct pfctl_rule	**ptr_array;
146 			u_int32_t		 rcount;	/* presumably the number of entries in ptr_array -- confirm */
147 			u_int32_t		 ticket;
148 			int			 open;
149 		}			 active, inactive;
150 	}			 rules[PF_RULESET_MAX];
151 	struct pfctl_anchor	*anchor;	/* back-pointer to the owning anchor */
152 	u_int32_t		 tticket;
153 	int			 tables;
154 	int			 topen;
155 };
156 
/*
 * Red-black tree head types for anchors: one global tree and one per-node
 * tree (used for the `children' member of struct pfctl_anchor).  Both are
 * keyed through the RB_PROTOTYPE declarations after the struct.
 */
157 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
158 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
/*
 * A pf anchor as seen by the library.  Anchors form a tree: each one links
 * into the global tree and into its parent's `children' tree, and owns a
 * struct pfctl_ruleset.  `name' is bounded by PF_ANCHOR_NAME_SIZE and
 * `path' by MAXPATHLEN; both are fixed-size arrays, so code that fills
 * them must bound its writes accordingly.
 */
159 struct pfctl_anchor {
160 	RB_ENTRY(pfctl_anchor)	 entry_global;	/* linkage in struct pfctl_anchor_global */
161 	RB_ENTRY(pfctl_anchor)	 entry_node;	/* linkage in the parent's `children' tree */
162 	struct pfctl_anchor	*parent;
163 	struct pfctl_anchor_node children;
164 	char			 name[PF_ANCHOR_NAME_SIZE];
165 	char			 path[MAXPATHLEN];
166 	struct pfctl_ruleset	 ruleset;
167 	int			 refcnt;	/* anchor rules */
168 	int			 match;	/* XXX: used for pfctl black magic */
169 };
/*
 * Declare the tree operations for both anchor trees.  Both trees use
 * pf_anchor_compare() as their ordering function; it is declared elsewhere.
 */
170 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
171     pf_anchor_compare);
172 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
173     pf_anchor_compare);
174 
/*
 * Fetch rule number `nr' from the named anchor/ruleset into *rule.
 *
 * dev          descriptor the request is issued on (presumably the pf
 *              device opened by the caller -- confirm).
 * nr           rule index within the ruleset.
 * ticket       ticket identifying the ruleset snapshot being read.
 * anchor       NUL-terminated anchor path to look in.
 * ruleset      ruleset type selector.
 * rule         out: filled in on success.
 * anchor_call  out: receives the rule's anchor call string.  The prototype
 *              carries no length for this buffer, so the caller must supply
 *              storage large enough for the longest value the implementation
 *              can return; the required size is not expressed in this header
 *              -- confirm against the implementation.
 *
 * Returns an int; presumably 0 on success and non-zero on failure -- confirm.
 */
175 int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
176 	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
177 	    char *anchor_call);
/*
 * Add rule *r to the named anchor.
 *
 * dev          descriptor the request is issued on (see pfctl_get_rule).
 * r            rule to add; not modified.
 * anchor       NUL-terminated anchor path to add the rule to.
 * anchor_call  NUL-terminated anchor call string for the rule.
 * ticket       ticket for the ruleset transaction the rule is added under.
 * pool_ticket  ticket for the associated address pool.
 *
 * Returns an int; presumably 0 on success and non-zero on failure -- confirm.
 */
178 int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
179 	    const char *anchor, const char *anchor_call, u_int32_t ticket,
180 	    u_int32_t pool_ticket);
181 
182 #endif