2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
37 #include <netpfil/pf/pf.h>
42 struct pf_palist list;
43 struct pf_pooladdr *cur;
44 struct pf_poolhashkey key;
45 struct pf_addr counter;
47 u_int16_t proxy_port[2];
52 struct pf_rule_addr src;
53 struct pf_rule_addr dst;
54 union pf_rule_ptr skip[PF_SKIP_COUNT];
55 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
56 char ifname[IFNAMSIZ];
57 char qname[PF_QNAME_SIZE];
58 char pqname[PF_QNAME_SIZE];
59 char tagname[PF_TAG_NAME_SIZE];
60 char match_tagname[PF_TAG_NAME_SIZE];
62 char overload_tblname[PF_TABLE_NAME_SIZE];
64 TAILQ_ENTRY(pfctl_rule) entries;
65 struct pfctl_pool rpool;
67 u_int64_t evaluations;
72 struct pfctl_anchor *anchor;
73 struct pfr_ktable *overload_tbl;
75 pf_osfp_t os_fingerprint;
78 u_int32_t timeout[PFTM_MAX];
80 u_int32_t max_src_nodes;
81 u_int32_t max_src_states;
82 u_int32_t max_src_conn;
98 u_int16_t return_icmp;
99 u_int16_t return_icmp6;
103 u_int16_t scrub_flags;
105 struct pf_rule_uid uid;
106 struct pf_rule_gid gid;
115 u_int8_t match_tag_not;
131 u_int8_t anchor_relative;
132 u_int8_t anchor_wildcard;
136 u_int8_t set_prio[2];
/*
 * Tail-queue head type for lists of struct pfctl_rule; the rules are
 * linked through their `entries` field (the TAILQ_ENTRY declared above).
 */
144 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
146 struct pfctl_ruleset {
148 struct pfctl_rulequeue queues[2];
150 struct pfctl_rulequeue *ptr;
151 struct pfctl_rule **ptr_array;
156 } rules[PF_RULESET_MAX];
157 struct pfctl_anchor *anchor;
/*
 * Red-black tree head types for anchors. The global tree links anchors
 * through `entry_global`, the per-node tree (an anchor's `children`)
 * through `entry_node`; see struct pfctl_anchor and the RB_PROTOTYPE
 * declarations that follow.
 */
163 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
164 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
/*
 * One anchor in the userland view of the pf anchor hierarchy: its place in
 * the global and per-parent trees, its nested anchors, and its ruleset.
 */
165 struct pfctl_anchor {
/* Linkage into the global anchor tree (pfctl_anchor_global). */
166 RB_ENTRY(pfctl_anchor) entry_global;
/* Linkage into the enclosing anchor's `children` tree (pfctl_anchor_node). */
167 RB_ENTRY(pfctl_anchor) entry_node;
168 struct pfctl_anchor *parent; /* enclosing anchor; presumably NULL at the root — confirm */
169 struct pfctl_anchor_node children; /* tree of anchors nested below this one */
/*
 * Fixed-size, NUL-terminated name buffers: any code copying into them must
 * bound the copy to the array size and keep the terminator.
 */
170 char name[PF_ANCHOR_NAME_SIZE]; /* this anchor's own name component */
171 char path[MAXPATHLEN]; /* presumably the full path from the root anchor — confirm */
172 struct pfctl_ruleset ruleset; /* rules held directly by this anchor */
173 int refcnt; /* anchor rules */
174 int match; /* XXX: used for pfctl black magic */
176 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
178 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
181 int pfctl_get_rule(int dev, u_int32_t nr, u_int32_t ticket,
182 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
/**
 * Retrieve one rule from a ruleset, optionally clearing it (per the name;
 * the implementation is not on this page).
 *
 * @param dev          descriptor the request is issued on — presumably the
 *                     open pf device; confirm against the implementation
 * @param nr           rule number within the ruleset
 * @param ticket       ticket identifying the ruleset snapshot to read from
 *                     (how it is obtained is not shown here — confirm)
 * @param anchor       anchor path to look in
 * @param ruleset      ruleset index (presumably a PF_RULESET_* value — confirm)
 * @param rule         out: storage the fetched rule is written to
 * @param anchor_call  out: caller-supplied buffer. No size is passed, so the
 *                     required capacity must be taken from the implementation;
 *                     callers must not size it smaller than that — TODO confirm
 * @param clear        when true, presumably resets the rule's counters after
 *                     reading — TODO confirm
 * @return int status; the convention (0 on success?) is not visible on this
 *         page — confirm before relying on it
 */
184 int pfctl_get_clear_rule(int dev, u_int32_t nr, u_int32_t ticket,
185 const char *anchor, u_int32_t ruleset, struct pfctl_rule *rule,
186 char *anchor_call, bool clear);
/**
 * Submit a rule to the kernel under the given anchor (per the name; the
 * implementation is not on this page).
 *
 * @param dev          descriptor the request is issued on — presumably the
 *                     open pf device; confirm against the implementation
 * @param r            rule to add; read only, ownership stays with the caller
 * @param anchor       anchor path the rule is added to
 * @param anchor_call  anchor the rule calls into, if any (NULL/empty
 *                     semantics not visible here — confirm)
 * @param ticket       ruleset ticket for the transaction
 * @param pool_ticket  ticket for the rule's address pool
 * @return int status; the convention (0 on success?) is not visible on this
 *         page — confirm before relying on it
 */
187 int pfctl_add_rule(int dev, const struct pfctl_rule *r,
188 const char *anchor, const char *anchor_call, u_int32_t ticket,
189 u_int32_t pool_ticket);