1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #ifndef _PFCTL_IOCTL_H_ 35 #define _PFCTL_IOCTL_H_ 36 37 #include <netpfil/pf/pf.h> 38 39 struct pfctl_anchor; 40 41 struct pfctl_status_counter { 42 uint64_t id; 43 uint64_t counter; 44 char *name; 45 46 TAILQ_ENTRY(pfctl_status_counter) entry; 47 }; 48 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter); 49 50 struct pfctl_status { 51 bool running; 52 uint32_t since; 53 uint32_t debug; 54 uint32_t hostid; 55 uint64_t states; 56 uint64_t src_nodes; 57 char ifname[IFNAMSIZ]; 58 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH]; 59 60 struct pfctl_status_counters counters; 61 struct pfctl_status_counters lcounters; 62 struct pfctl_status_counters fcounters; 63 struct pfctl_status_counters scounters; 64 uint64_t pcounters[2][2][3]; 65 uint64_t bcounters[2][2]; 66 }; 67 68 struct pfctl_pool { 69 struct pf_palist list; 70 struct pf_pooladdr *cur; 71 struct pf_poolhashkey key; 72 struct pf_addr counter; 73 struct pf_mape_portset mape; 74 int tblidx; 75 u_int16_t proxy_port[2]; 76 u_int8_t opts; 77 }; 78 79 struct pfctl_rule { 80 struct pf_rule_addr src; 81 struct pf_rule_addr dst; 82 union pf_rule_ptr skip[PF_SKIP_COUNT]; 83 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE]; 84 char ifname[IFNAMSIZ]; 85 char qname[PF_QNAME_SIZE]; 86 char pqname[PF_QNAME_SIZE]; 87 char tagname[PF_TAG_NAME_SIZE]; 88 char match_tagname[PF_TAG_NAME_SIZE]; 89 90 char overload_tblname[PF_TABLE_NAME_SIZE]; 91 92 TAILQ_ENTRY(pfctl_rule) entries; 93 struct pfctl_pool rpool; 94 95 u_int64_t evaluations; 96 u_int64_t packets[2]; 97 u_int64_t bytes[2]; 98 99 struct pfi_kif *kif; 100 struct pfctl_anchor *anchor; 101 struct pfr_ktable *overload_tbl; 102 103 pf_osfp_t os_fingerprint; 104 105 int rtableid; 106 u_int32_t timeout[PFTM_MAX]; 107 u_int32_t max_states; 108 u_int32_t max_src_nodes; 109 u_int32_t max_src_states; 110 u_int32_t max_src_conn; 111 struct { 112 u_int32_t limit; 113 u_int32_t seconds; 114 } max_src_conn_rate; 115 u_int32_t qid; 116 u_int32_t pqid; 117 u_int32_t nr; 118 u_int32_t prob; 119 uid_t cuid; 120 pid_t cpid; 121 122 uint64_t states_cur; 123 uint64_t states_tot; 124 uint64_t src_nodes; 125 126 u_int16_t return_icmp; 127 u_int16_t return_icmp6; 128 u_int16_t max_mss; 129 u_int16_t tag; 130 u_int16_t match_tag; 131 u_int16_t scrub_flags; 132 133 struct pf_rule_uid uid; 134 struct pf_rule_gid gid; 135 136 u_int32_t rule_flag; 137 u_int8_t action; 138 u_int8_t direction; 139 u_int8_t log; 140 u_int8_t logif; 141 u_int8_t quick; 142 u_int8_t ifnot; 143 u_int8_t match_tag_not; 144 u_int8_t natpass; 145 146 u_int8_t keep_state; 147 sa_family_t af; 148 u_int8_t proto; 149 u_int8_t type; 150 u_int8_t code; 151 u_int8_t flags; 152 u_int8_t flagset; 153 u_int8_t min_ttl; 154 u_int8_t allow_opts; 155 u_int8_t rt; 156 u_int8_t return_ttl; 157 u_int8_t tos; 158 u_int8_t set_tos; 159 u_int8_t anchor_relative; 160 u_int8_t anchor_wildcard; 161 162 u_int8_t flush; 163 u_int8_t prio; 164 u_int8_t set_prio[2]; 165 166 struct { 167 struct pf_addr addr; 168 u_int16_t port; 169 } divert; 170 }; 171 172 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule); 173 174 struct pfctl_ruleset { 175 struct { 176 struct pfctl_rulequeue queues[2]; 177 struct { 178 struct pfctl_rulequeue *ptr; 179 struct pfctl_rule **ptr_array; 180 u_int32_t rcount; 181 u_int32_t ticket; 182 int open; 183 } active, inactive; 184 } rules[PF_RULESET_MAX]; 185 struct pfctl_anchor *anchor; 186 u_int32_t tticket; 187 int tables; 188 int topen; 189 }; 190 191 RB_HEAD(pfctl_anchor_global, pfctl_anchor); 192 RB_HEAD(pfctl_anchor_node, pfctl_anchor); 193 struct pfctl_anchor { 194 RB_ENTRY(pfctl_anchor) entry_global; 195 RB_ENTRY(pfctl_anchor) entry_node; 196 struct pfctl_anchor *parent; 197 struct pfctl_anchor_node children; 198 char name[PF_ANCHOR_NAME_SIZE]; 199 char path[MAXPATHLEN]; 200 struct pfctl_ruleset ruleset; 201 int refcnt; /* anchor rules */ 202 int match; /* XXX: used for pfctl black magic */ 203 }; 204 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global, 205 pf_anchor_compare); 206 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node, 207 pf_anchor_compare); 208 209 struct pfctl_state_cmp { 210 uint64_t id; 211 uint32_t creatorid; 212 uint8_t direction; 213 }; 214 215 struct pfctl_kill { 216 struct pfctl_state_cmp cmp; 217 sa_family_t af; 218 int proto; 219 struct pf_rule_addr src; 220 struct pf_rule_addr dst; 221 struct pf_rule_addr rt_addr; 222 char ifname[IFNAMSIZ]; 223 char label[PF_RULE_LABEL_SIZE]; 224 bool kill_match; 225 }; 226 227 struct pfctl_state_peer { 228 uint32_t seqlo; 229 uint32_t seqhi; 230 uint32_t seqdiff; 231 uint8_t state; 232 uint8_t wscale; 233 }; 234 235 struct pfctl_state_key { 236 struct pf_addr addr[2]; 237 uint16_t port[2]; 238 sa_family_t af; 239 uint8_t proto; 240 }; 241 242 struct pfctl_state { 243 TAILQ_ENTRY(pfctl_state) entry; 244 245 uint64_t id; 246 uint32_t creatorid; 247 uint8_t direction; 248 249 struct pfctl_state_peer src; 250 struct pfctl_state_peer dst; 251 252 uint32_t rule; 253 uint32_t anchor; 254 uint32_t nat_rule; 255 struct pf_addr rt_addr; 256 struct pfctl_state_key key[2]; /* addresses stack and wire */ 257 char ifname[IFNAMSIZ]; 258 char orig_ifname[IFNAMSIZ]; 259 uint64_t packets[2]; 260 uint64_t bytes[2]; 261 uint32_t creation; 262 uint32_t expire; 263 uint32_t pfsync_time; 264 uint8_t state_flags; 265 uint32_t sync_flags; 266 }; 267 268 TAILQ_HEAD(pfctl_statelist, pfctl_state); 269 struct pfctl_states { 270 struct pfctl_statelist states; 271 size_t count; 272 }; 273 274 enum pfctl_syncookies_mode { 275 PFCTL_SYNCOOKIES_NEVER, 276 PFCTL_SYNCOOKIES_ALWAYS 277 }; 278 279 struct pfctl_syncookies { 280 enum pfctl_syncookies_mode mode; 281 }; 282 283 struct pfctl_status* pfctl_get_status(int dev); 284 void pfctl_free_status(struct pfctl_status *status); 285 286 int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket, 287 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, 288 char *anchor_call); 289 int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket, 290 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule, 291 char *anchor_call, bool clear); 292 int pfctl_add_rule(int dev, const struct pfctl_rule *r, 293 const char *anchor, const char *anchor_call, u_int32_t ticket, 294 u_int32_t pool_ticket); 295 int pfctl_set_keepcounters(int dev, bool keep); 296 int pfctl_get_states(int dev, struct pfctl_states *states); 297 void pfctl_free_states(struct pfctl_states *states); 298 int pfctl_clear_states(int dev, const struct pfctl_kill *kill, 299 unsigned int *killed); 300 int pfctl_kill_states(int dev, const struct pfctl_kill *kill, 301 unsigned int *killed); 302 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s); 303 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s); 304 305 #endif 306