]> CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/blob - lib/libpfctl/libpfctl.h
projects / FreeBSD / FreeBSD.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
sqlite3: Vendor import of sqlite3 3.39.3
[FreeBSD/FreeBSD.git] / lib / libpfctl / libpfctl.h
1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36
37 #include <netpfil/pf/pf.h>
38
39 struct pfctl_anchor;
40 struct pfctl_eth_anchor;
41
42 struct pfctl_status_counter {
43         uint64_t         id;
44         uint64_t         counter;
45         char            *name;
46
47         TAILQ_ENTRY(pfctl_status_counter) entry;
48 };
49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
50
51 struct pfctl_status {
52         bool            running;
53         uint32_t        since;
54         uint32_t        debug;
55         uint32_t        hostid;
56         uint64_t        states;
57         uint64_t        src_nodes;
58         char            ifname[IFNAMSIZ];
59         uint8_t         pf_chksum[PF_MD5_DIGEST_LENGTH];
60
61         struct pfctl_status_counters     counters;
62         struct pfctl_status_counters     lcounters;
63         struct pfctl_status_counters     fcounters;
64         struct pfctl_status_counters     scounters;
65         uint64_t        pcounters[2][2][3];
66         uint64_t        bcounters[2][2];
67 };
68
69 struct pfctl_eth_rulesets_info {
70         uint32_t        nr;
71 };
72
73 struct pfctl_eth_rules_info {
74         uint32_t        nr;
75         uint32_t        ticket;
76 };
77
78 struct pfctl_eth_addr {
79         uint8_t addr[ETHER_ADDR_LEN];
80         uint8_t mask[ETHER_ADDR_LEN];
81         bool    neg;
82         bool    isset;
83 };
84
85 struct pfctl_eth_rule {
86         uint32_t                 nr;
87
88         bool                     quick;
89
90         /* Filter */
91         char                     ifname[IFNAMSIZ];
92         uint8_t                  ifnot;
93         uint8_t                  direction;
94         uint16_t                 proto;
95         struct pfctl_eth_addr    src, dst;
96         struct pf_rule_addr      ipsrc, ipdst;
97         char                     match_tagname[PF_TAG_NAME_SIZE];
98         uint16_t                 match_tag;
99         bool                     match_tag_not;
100
101         /* Stats */
102         uint64_t                 evaluations;
103         uint64_t                 packets[2];
104         uint64_t                 bytes[2];
105         uint32_t                 last_active_timestamp;
106
107         /* Action */
108         char                     qname[PF_QNAME_SIZE];
109         char                     tagname[PF_TAG_NAME_SIZE];
110         uint16_t                 dnpipe;
111         uint32_t                 dnflags;
112         uint8_t                  action;
113
114         struct pfctl_eth_anchor *anchor;
115         uint8_t                  anchor_relative;
116         uint8_t                  anchor_wildcard;
117
118         TAILQ_ENTRY(pfctl_eth_rule)      entries;
119 };
120 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
121
122 struct pfctl_eth_ruleset_info {
123         uint32_t        nr;
124         char            name[PF_ANCHOR_NAME_SIZE];
125         char            path[MAXPATHLEN];
126 };
127
128 struct pfctl_eth_ruleset {
129         struct pfctl_eth_rules   rules;
130         struct pfctl_eth_anchor *anchor;
131 };
132
133 struct pfctl_eth_anchor {
134         struct pfctl_eth_anchor         *parent;
135         char                             name[PF_ANCHOR_NAME_SIZE];
136         char                             path[MAXPATHLEN];
137         struct pfctl_eth_ruleset         ruleset;
138         int                              refcnt;        /* anchor rules */
139         int                              match; /* XXX: used for pfctl black magic */
140 };
141
142 struct pfctl_pool {
143         struct pf_palist         list;
144         struct pf_pooladdr      *cur;
145         struct pf_poolhashkey    key;
146         struct pf_addr           counter;
147         struct pf_mape_portset   mape;
148         int                      tblidx;
149         uint16_t                 proxy_port[2];
150         uint8_t                  opts;
151 };
152
153 struct pfctl_rules_info {
154         uint32_t        nr;
155         uint32_t        ticket;
156 };
157
158 struct pfctl_rule {
159         struct pf_rule_addr      src;
160         struct pf_rule_addr      dst;
161         union pf_rule_ptr        skip[PF_SKIP_COUNT];
162         char                     label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
163         uint32_t                 ridentifier;
164         char                     ifname[IFNAMSIZ];
165         char                     qname[PF_QNAME_SIZE];
166         char                     pqname[PF_QNAME_SIZE];
167         char                     tagname[PF_TAG_NAME_SIZE];
168         char                     match_tagname[PF_TAG_NAME_SIZE];
169
170         char                     overload_tblname[PF_TABLE_NAME_SIZE];
171
172         TAILQ_ENTRY(pfctl_rule)  entries;
173         struct pfctl_pool        rpool;
174
175         uint64_t                 evaluations;
176         uint64_t                 packets[2];
177         uint64_t                 bytes[2];
178         uint32_t                 last_active_timestamp;
179
180         struct pfi_kif          *kif;
181         struct pfctl_anchor     *anchor;
182         struct pfr_ktable       *overload_tbl;
183
184         pf_osfp_t                os_fingerprint;
185
186         int                      rtableid;
187         uint32_t                 timeout[PFTM_MAX];
188         uint32_t                 max_states;
189         uint32_t                 max_src_nodes;
190         uint32_t                 max_src_states;
191         uint32_t                 max_src_conn;
192         struct {
193                 uint32_t                limit;
194                 uint32_t                seconds;
195         }                        max_src_conn_rate;
196         uint32_t                 qid;
197         uint32_t                 pqid;
198         uint16_t                 dnpipe;
199         uint16_t                 dnrpipe;
200         uint32_t                 free_flags;
201         uint32_t                 nr;
202         uint32_t                 prob;
203         uid_t                    cuid;
204         pid_t                    cpid;
205
206         uint64_t                 states_cur;
207         uint64_t                 states_tot;
208         uint64_t                 src_nodes;
209
210         uint16_t                 return_icmp;
211         uint16_t                 return_icmp6;
212         uint16_t                 max_mss;
213         uint16_t                 tag;
214         uint16_t                 match_tag;
215         uint16_t                 scrub_flags;
216
217         struct pf_rule_uid       uid;
218         struct pf_rule_gid       gid;
219
220         uint32_t                 rule_flag;
221         uint8_t                  action;
222         uint8_t                  direction;
223         uint8_t                  log;
224         uint8_t                  logif;
225         uint8_t                  quick;
226         uint8_t                  ifnot;
227         uint8_t                  match_tag_not;
228         uint8_t                  natpass;
229
230         uint8_t                  keep_state;
231         sa_family_t              af;
232         uint8_t                  proto;
233         uint8_t                  type;
234         uint8_t                  code;
235         uint8_t                  flags;
236         uint8_t                  flagset;
237         uint8_t                  min_ttl;
238         uint8_t                  allow_opts;
239         uint8_t                  rt;
240         uint8_t                  return_ttl;
241         uint8_t                  tos;
242         uint8_t                  set_tos;
243         uint8_t                  anchor_relative;
244         uint8_t                  anchor_wildcard;
245
246         uint8_t                  flush;
247         uint8_t                  prio;
248         uint8_t                  set_prio[2];
249
250         struct {
251                 struct pf_addr          addr;
252                 uint16_t                port;
253         }                       divert;
254 };
255
256 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
257
258 struct pfctl_ruleset {
259         struct {
260                 struct pfctl_rulequeue   queues[2];
261                 struct {
262                         struct pfctl_rulequeue  *ptr;
263                         struct pfctl_rule       **ptr_array;
264                         uint32_t                 rcount;
265                         uint32_t                 ticket;
266                         int                      open;
267                 }                        active, inactive;
268         }                        rules[PF_RULESET_MAX];
269         struct pfctl_anchor     *anchor;
270         uint32_t                 tticket;
271         int                      tables;
272         int                      topen;
273 };
274
275 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
276 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
277 struct pfctl_anchor {
278         RB_ENTRY(pfctl_anchor)   entry_global;
279         RB_ENTRY(pfctl_anchor)   entry_node;
280         struct pfctl_anchor     *parent;
281         struct pfctl_anchor_node children;
282         char                     name[PF_ANCHOR_NAME_SIZE];
283         char                     path[MAXPATHLEN];
284         struct pfctl_ruleset     ruleset;
285         int                      refcnt;        /* anchor rules */
286         int                      match; /* XXX: used for pfctl black magic */
287 };
288 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
289     pf_anchor_compare);
290 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
291     pf_anchor_compare);
292
293 struct pfctl_state_cmp {
294         uint64_t        id;
295         uint32_t        creatorid;
296         uint8_t         direction;
297 };
298
299 struct pfctl_kill {
300         struct pfctl_state_cmp  cmp;
301         sa_family_t             af;
302         int                     proto;
303         struct pf_rule_addr     src;
304         struct pf_rule_addr     dst;
305         struct pf_rule_addr     rt_addr;
306         char                    ifname[IFNAMSIZ];
307         char                    label[PF_RULE_LABEL_SIZE];
308         bool                    kill_match;
309 };
310
311 struct pfctl_state_peer {
312         uint32_t                         seqlo;
313         uint32_t                         seqhi;
314         uint32_t                         seqdiff;
315         uint8_t                          state;
316         uint8_t                          wscale;
317 };
318
319 struct pfctl_state_key {
320         struct pf_addr   addr[2];
321         uint16_t         port[2];
322         sa_family_t      af;
323         uint8_t          proto;
324 };
325
326 struct pfctl_state {
327         TAILQ_ENTRY(pfctl_state)        entry;
328
329         uint64_t                 id;
330         uint32_t                 creatorid;
331         uint8_t                  direction;
332
333         struct pfctl_state_peer  src;
334         struct pfctl_state_peer  dst;
335
336         uint32_t                 rule;
337         uint32_t                 anchor;
338         uint32_t                 nat_rule;
339         struct pf_addr           rt_addr;
340         struct pfctl_state_key   key[2];        /* addresses stack and wire  */
341         char                     ifname[IFNAMSIZ];
342         char                     orig_ifname[IFNAMSIZ];
343         uint64_t                 packets[2];
344         uint64_t                 bytes[2];
345         uint32_t                 creation;
346         uint32_t                 expire;
347         uint32_t                 pfsync_time;
348         uint8_t                  state_flags;
349         uint32_t                 sync_flags;
350 };
351
352 TAILQ_HEAD(pfctl_statelist, pfctl_state);
353 struct pfctl_states {
354         struct pfctl_statelist  states;
355         size_t                  count;
356 };
357
358 enum pfctl_syncookies_mode {
359         PFCTL_SYNCOOKIES_NEVER,
360         PFCTL_SYNCOOKIES_ALWAYS,
361         PFCTL_SYNCOOKIES_ADAPTIVE
362 };
363 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
364
365 struct pfctl_syncookies {
366         enum pfctl_syncookies_mode      mode;
367         uint8_t                         highwater;      /* Percent */
368         uint8_t                         lowwater;       /* Percent */
369 };
370
371 struct pfctl_status* pfctl_get_status(int dev);
372 void    pfctl_free_status(struct pfctl_status *status);
373
374 int     pfctl_get_eth_rulesets_info(int dev,
375             struct pfctl_eth_rulesets_info *ri, const char *path);
376 int     pfctl_get_eth_ruleset(int dev, const char *path, int nr,
377             struct pfctl_eth_ruleset_info *ri);
378 int     pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
379             const char *path);
380 int     pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
381             const char *path, struct pfctl_eth_rule *rule, bool clear,
382             char *anchor_call);
383 int     pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
384             const char *anchor, const char *anchor_call, uint32_t ticket);
385 int     pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
386             uint32_t ruleset, const char *path);
387 int     pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
388             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
389             char *anchor_call);
390 int     pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
391             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
392             char *anchor_call, bool clear);
393 int     pfctl_add_rule(int dev, const struct pfctl_rule *r,
394             const char *anchor, const char *anchor_call, uint32_t ticket,
395             uint32_t pool_ticket);
396 int     pfctl_set_keepcounters(int dev, bool keep);
397 int     pfctl_get_states(int dev, struct pfctl_states *states);
398 void    pfctl_free_states(struct pfctl_states *states);
399 int     pfctl_clear_states(int dev, const struct pfctl_kill *kill,
400             unsigned int *killed);
401 int     pfctl_kill_states(int dev, const struct pfctl_kill *kill,
402             unsigned int *killed);
403 int     pfctl_clear_rules(int dev, const char *anchorname);
404 int     pfctl_clear_nat(int dev, const char *anchorname);
405 int     pfctl_clear_eth_rules(int dev, const char *anchorname);
406 int     pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
407 int     pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
408 int     pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
409             *addr, int size, int *nadd, int flags);
410 int     pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
411             *addr, int size, int *ndel, int flags);
412 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
413             *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
414             int flags);
415 int     pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
416             *addr, int *size, int flags);
417 #endif
Unnamed repository; edit this file 'description' to name the repository.