/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * - Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above
 *   copyright notice, this list of conditions and the following
 *   disclaimer in the documentation and/or other materials provided
 *   with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * $FreeBSD$
 */

/*
 * Userspace declarations for pf rules, rulesets and anchors, plus the
 * two rule ioctl wrappers declared at the bottom of this header.
 * Only the type definitions and prototypes live here; the functions
 * themselves are implemented elsewhere.
 */

#ifndef _PFCTL_IOCTL_H_
#define _PFCTL_IOCTL_H_

#include <netpfil/pf/pf.h>

/* Forward declaration: pfctl_rule and pfctl_ruleset point at anchors
 * before the full struct is defined further down. */
struct pfctl_anchor;

/*
 * One pf rule as seen by userspace tooling.
 *
 * Field order and types are part of the interface between this header
 * and the code that fills/consumes these structs; do not reorder or
 * resize members without updating every user.
 *
 * All char[] members are fixed-size buffers sized by the PF_* / IFNAMSIZ
 * constants from pf.h; whoever copies into them must bound the copy and
 * guarantee NUL termination.
 */
struct pfctl_rule {
	struct pf_rule_addr	src;
	struct pf_rule_addr	dst;
	union pf_rule_ptr	skip[PF_SKIP_COUNT];
	char			label[PF_RULE_LABEL_SIZE];
	char			ifname[IFNAMSIZ];
	char			qname[PF_QNAME_SIZE];
	char			pqname[PF_QNAME_SIZE];
	char			tagname[PF_TAG_NAME_SIZE];
	char			match_tagname[PF_TAG_NAME_SIZE];

	char			overload_tblname[PF_TABLE_NAME_SIZE];

	/* Linkage into a pfctl_rulequeue (TAILQ_HEAD declared below). */
	TAILQ_ENTRY(pfctl_rule)	entries;
	struct pf_pool		rpool;

	/* Per-rule statistics; packets/bytes are indexed [0]/[1]
	 * (NOTE(review): presumably in/out — confirm against the users). */
	u_int64_t		evaluations;
	u_int64_t		packets[2];
	u_int64_t		bytes[2];

	/* Pointers to kernel-side objects. NOTE(review): these look like
	 * opaque placeholders in userspace; confirm whether anything here
	 * ever dereferences them. */
	struct pfi_kif		*kif;
	struct pfctl_anchor	*anchor;
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		os_fingerprint;

	int			rtableid;
	u_int32_t		timeout[PFTM_MAX];
	u_int32_t		max_states;
	u_int32_t		max_src_nodes;
	u_int32_t		max_src_states;
	u_int32_t		max_src_conn;
	/* Source-connection rate limit: `limit` connections per `seconds`. */
	struct {
		u_int32_t		limit;
		u_int32_t		seconds;
	}			max_src_conn_rate;
	u_int32_t		qid;
	u_int32_t		pqid;
	u_int32_t		nr;
	u_int32_t		prob;
	/* Credentials recorded for the rule (creator uid/pid). */
	uid_t			cuid;
	pid_t			cpid;

	/* Kernel counter handles; the plain uint64_t u_* members at the end
	 * of the struct carry the same names with a u_ prefix. */
	counter_u64_t		states_cur;
	counter_u64_t		states_tot;
	counter_u64_t		src_nodes;

	u_int16_t		return_icmp;
	u_int16_t		return_icmp6;
	u_int16_t		max_mss;
	u_int16_t		tag;
	u_int16_t		match_tag;
	u_int16_t		scrub_flags;

	struct pf_rule_uid	uid;
	struct pf_rule_gid	gid;

	u_int32_t		rule_flag;
	u_int8_t		action;
	u_int8_t		direction;
	u_int8_t		log;
	u_int8_t		logif;
	u_int8_t		quick;
	u_int8_t		ifnot;
	u_int8_t		match_tag_not;
	u_int8_t		natpass;

	u_int8_t		keep_state;
	sa_family_t		af;
	u_int8_t		proto;
	u_int8_t		type;
	u_int8_t		code;
	u_int8_t		flags;
	u_int8_t		flagset;
	u_int8_t		min_ttl;
	u_int8_t		allow_opts;
	u_int8_t		rt;
	u_int8_t		return_ttl;
	u_int8_t		tos;
	u_int8_t		set_tos;
	u_int8_t		anchor_relative;
	u_int8_t		anchor_wildcard;

	u_int8_t		flush;
	u_int8_t		prio;
	u_int8_t		set_prio[2];

	/* Divert target address and port. */
	struct {
		struct pf_addr		addr;
		u_int16_t		port;
	}			divert;

	/* Plain-integer counterparts of the counter_u64_t members above
	 * (NOTE(review): presumably the values exported to userspace — confirm). */
	uint64_t		u_states_cur;
	uint64_t		u_states_tot;
	uint64_t		u_src_nodes;
};

/* Doubly-linked queue of pfctl_rule, threaded through rule->entries. */
TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);

/*
 * A set of rule queues belonging to one anchor. For each ruleset type
 * (PF_RULESET_MAX of them) there are two queues and an active/inactive
 * pair of descriptors that select one queue each, with a ticket and an
 * open flag used while a transaction is in progress.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue	queues[2];
		struct {
			struct pfctl_rulequeue	*ptr;
			struct pfctl_rule	**ptr_array;
			u_int32_t		rcount;	/* rule count */
			u_int32_t		ticket;
			int			open;
		}			active, inactive;
	}			rules[PF_RULESET_MAX];
	struct pfctl_anchor	*anchor;	/* owning anchor */
	u_int32_t		tticket;	/* table ticket */
	int			tables;
	int			topen;
};

/* Red-black tree heads: one global tree over all anchors, one per-anchor
 * tree over its children. Both are ordered by pf_anchor_compare. */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);

/*
 * An anchor: a named node in the anchor hierarchy carrying its own
 * ruleset. `name` is the leaf name, `path` the full path; both are
 * fixed-size buffers and must be bounded when written.
 */
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor)	entry_global;
	RB_ENTRY(pfctl_anchor)	entry_node;
	struct pfctl_anchor	*parent;
	struct pfctl_anchor_node children;
	char			name[PF_ANCHOR_NAME_SIZE];
	char			path[MAXPATHLEN];
	struct pfctl_ruleset	ruleset;
	int			refcnt;	/* anchor rules */
	int			match;	/* XXX: used for pfctl black magic */
};
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);

/*
 * Fetch rule number `nr` from ruleset `ruleset` under `anchor`, using
 * transaction `ticket`, into *rule. `anchor_call` receives the anchor
 * called by the rule, if any.
 *
 * NOTE(review): the prototype carries no length for `anchor_call`; the
 * implementation must document the buffer size it assumes and callers
 * must provide at least that — confirm against the definition.
 * `dev` is presumably an open pf device descriptor; return is int with
 * 0 on success assumed, not shown here — confirm.
 */
int	pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
	    const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
/*
 * Add rule *r under `anchor` (calling `anchor_call`) using transaction
 * `ticket` and pool ticket `pool_ticket`. `r` is read-only here.
 * Same caveats on `dev` and the return value as pfctl_get_rule.
 */
int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, u_int32_t ticket,
	    u_int32_t pool_ticket);

#endif