2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
37 #include <netpfil/pf/pf.h>
41 struct pfctl_status_counter {
46 TAILQ_ENTRY(pfctl_status_counter) entry;
/*
 * Declares struct pfctl_status_counters, a TAILQ head whose elements are
 * struct pfctl_status_counter linked through their 'entry' field.  Used for
 * the counters/lcounters/fcounters/scounters lists in the status structure.
 */
48 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
57 char ifname[IFNAMSIZ];
58 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
60 struct pfctl_status_counters counters;
61 struct pfctl_status_counters lcounters;
62 struct pfctl_status_counters fcounters;
63 struct pfctl_status_counters scounters;
64 uint64_t pcounters[2][2][3];
65 uint64_t bcounters[2][2];
69 struct pf_palist list;
70 struct pf_pooladdr *cur;
71 struct pf_poolhashkey key;
72 struct pf_addr counter;
73 struct pf_mape_portset mape;
75 uint16_t proxy_port[2];
80 struct pf_rule_addr src;
81 struct pf_rule_addr dst;
82 union pf_rule_ptr skip[PF_SKIP_COUNT];
83 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
85 char ifname[IFNAMSIZ];
86 char qname[PF_QNAME_SIZE];
87 char pqname[PF_QNAME_SIZE];
88 char tagname[PF_TAG_NAME_SIZE];
89 char match_tagname[PF_TAG_NAME_SIZE];
91 char overload_tblname[PF_TABLE_NAME_SIZE];
93 TAILQ_ENTRY(pfctl_rule) entries;
94 struct pfctl_pool rpool;
101 struct pfctl_anchor *anchor;
102 struct pfr_ktable *overload_tbl;
104 pf_osfp_t os_fingerprint;
107 uint32_t timeout[PFTM_MAX];
109 uint32_t max_src_nodes;
110 uint32_t max_src_states;
111 uint32_t max_src_conn;
130 uint16_t return_icmp;
131 uint16_t return_icmp6;
135 uint16_t scrub_flags;
137 struct pf_rule_uid uid;
138 struct pf_rule_gid gid;
147 uint8_t match_tag_not;
163 uint8_t anchor_relative;
164 uint8_t anchor_wildcard;
/*
 * Declares struct pfctl_rulequeue, a TAILQ head of struct pfctl_rule
 * elements (linked through their 'entries' field).  The ruleset structure
 * below keeps two such queues per ruleset type.
 */
176 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
178 struct pfctl_ruleset {
180 struct pfctl_rulequeue queues[2];
182 struct pfctl_rulequeue *ptr;
183 struct pfctl_rule **ptr_array;
188 } rules[PF_RULESET_MAX];
189 struct pfctl_anchor *anchor;
/*
 * Red-black tree heads for anchors: one global tree (entry_global) and one
 * per-parent tree of children (entry_node).  The comparison functions are
 * supplied via RB_PROTOTYPE/RB_GENERATE elsewhere; not visible in this
 * excerpt.
 */
195 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
196 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
197 struct pfctl_anchor {
198 RB_ENTRY(pfctl_anchor) entry_global;
199 RB_ENTRY(pfctl_anchor) entry_node;
200 struct pfctl_anchor *parent;
201 struct pfctl_anchor_node children;
202 char name[PF_ANCHOR_NAME_SIZE];
203 char path[MAXPATHLEN];
204 struct pfctl_ruleset ruleset;
205 int refcnt; /* anchor rules */
206 int match; /* XXX: used for pfctl black magic */
208 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
210 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
213 struct pfctl_state_cmp {
220 struct pfctl_state_cmp cmp;
223 struct pf_rule_addr src;
224 struct pf_rule_addr dst;
225 struct pf_rule_addr rt_addr;
226 char ifname[IFNAMSIZ];
227 char label[PF_RULE_LABEL_SIZE];
231 struct pfctl_state_peer {
239 struct pfctl_state_key {
240 struct pf_addr addr[2];
247 TAILQ_ENTRY(pfctl_state) entry;
253 struct pfctl_state_peer src;
254 struct pfctl_state_peer dst;
259 struct pf_addr rt_addr;
260 struct pfctl_state_key key[2]; /* addresses stack and wire */
261 char ifname[IFNAMSIZ];
262 char orig_ifname[IFNAMSIZ];
267 uint32_t pfsync_time;
/*
 * Declares struct pfctl_statelist, a TAILQ head of struct pfctl_state
 * elements (linked through their 'entry' field).  Wrapped by struct
 * pfctl_states, which pfctl_get_states() fills and pfctl_free_states()
 * releases.
 */
272 TAILQ_HEAD(pfctl_statelist, pfctl_state);
273 struct pfctl_states {
274 struct pfctl_statelist states;
278 enum pfctl_syncookies_mode {
279 PFCTL_SYNCOOKIES_NEVER,
280 PFCTL_SYNCOOKIES_ALWAYS,
281 PFCTL_SYNCOOKIES_ADAPTIVE
/*
 * Printable names for enum pfctl_syncookies_mode.  Presumably indexed
 * directly by the enum value (NEVER/ALWAYS/ADAPTIVE) -- confirm against the
 * defining .c file before indexing with an unchecked value.
 */
283 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
285 struct pfctl_syncookies {
286 enum pfctl_syncookies_mode mode;
287 uint8_t highwater; /* Percent */
288 uint8_t lowwater; /* Percent */
/*
 * Read the current pf status from the pf control device open on 'dev'.
 *
 * Returns a pointer to a struct pfctl_status that the caller owns and must
 * release with pfctl_free_status().  NOTE(review): the pointer return type
 * implies NULL on failure -- confirm against the implementation, and always
 * check the result before dereferencing it.  What 'dev' must refer to (the
 * pf control device descriptor, presumably) is not visible in this header.
 */
291 struct pfctl_status* pfctl_get_status(int dev);
/*
 * Release a status object obtained from pfctl_get_status(), including the
 * counter lists hanging off it.  Behaviour for a NULL argument is not
 * visible here -- verify before relying on it.
 */
292 void pfctl_free_status(struct pfctl_status *status);
294 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
295 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
/*
 * Fetch rule number 'nr' from the ruleset identified by 'anchor', 'ruleset'
 * and the previously obtained 'ticket', copying it into *rule.  When 'clear'
 * is true the rule's counters are presumably reset as part of the fetch
 * (inferred from the name -- confirm).  'anchor_call' is an output buffer
 * whose required size is not part of the signature; NOTE(review): callers
 * should size it to the anchor path limit used elsewhere in this header
 * (MAXPATHLEN) unless the implementation documents something smaller.
 * Returns an int status; the exact convention (0 on success / errno-style
 * error) is not visible here -- check the implementation.
 */
297 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
298 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
299 char *anchor_call, bool clear);
/*
 * Install rule *r into the kernel under 'anchor' (with 'anchor_call' naming
 * any anchor the rule jumps to), using the ruleset 'ticket' and the address
 * pool 'pool_ticket' obtained earlier in the transaction.  The anchor strings
 * are copied into fixed-size kernel buffers; their length limits are not
 * enforced by this signature, so validate untrusted names before calling.
 * Returns an int status (convention not visible here -- check the caller).
 */
300 int pfctl_add_rule(int dev, const struct pfctl_rule *r,
301 const char *anchor, const char *anchor_call, uint32_t ticket,
302 uint32_t pool_ticket);
/*
 * Set whether rule counters are kept across a ruleset reload.  The exact
 * semantics of 'keep' are inferred from the name -- confirm.
 */
303 int pfctl_set_keepcounters(int dev, bool keep);
/*
 * Retrieve the current state table into *states.  The list is owned by the
 * caller afterwards and must be released with pfctl_free_states().
 */
304 int pfctl_get_states(int dev, struct pfctl_states *states);
/* Release the state list filled in by pfctl_get_states(). */
305 void pfctl_free_states(struct pfctl_states *states);
/*
 * Remove states matching *kill from the kernel state table, storing the
 * number removed in *killed.  This is destructive: it tears down live
 * connections, so callers should make sure the kill criteria are not wider
 * than intended.  Whether 'killed' may be NULL is not visible here -- pass a
 * valid pointer.
 */
306 int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
307 unsigned int *killed);
/*
 * Kill states matching *kill, storing the number killed in *killed.  How
 * this differs from pfctl_clear_states() (likely the underlying ioctl and
 * whether pfsync peers are notified) is not visible in this header -- check
 * the implementation before choosing one over the other.
 */
308 int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
309 unsigned int *killed);
/*
 * Configure SYN cookie handling from *s.  'highwater'/'lowwater' are
 * percentages of the state limit (see the struct above); no range or
 * ordering check is visible in this header, so callers should validate them
 * (0..100, lowwater below highwater) unless the kernel is known to reject
 * bad values.
 */
310 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
/* Read the current SYN cookie configuration into *s. */
311 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);