2 * SPDX-License-Identifier: BSD-2-Clause
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
11 * - Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * - Redistributions in binary form must reproduce the above
14 * copyright notice, this list of conditions and the following
15 * disclaimer in the documentation and/or other materials provided
16 * with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
32 #ifndef _PFCTL_IOCTL_H_
33 #define _PFCTL_IOCTL_H_
35 #include <netpfil/pf/pf.h>
38 struct pfctl_eth_anchor;
40 struct pfctl_status_counter {
45 TAILQ_ENTRY(pfctl_status_counter) entry;
47 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
56 char ifname[IFNAMSIZ];
57 uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];
58 bool syncookies_active;
61 struct pfctl_status_counters counters;
62 struct pfctl_status_counters lcounters;
63 struct pfctl_status_counters fcounters;
64 struct pfctl_status_counters scounters;
65 uint64_t pcounters[2][2][3];
66 uint64_t bcounters[2][2];
69 struct pfctl_eth_rulesets_info {
73 struct pfctl_eth_rules_info {
78 struct pfctl_eth_addr {
79 uint8_t addr[ETHER_ADDR_LEN];
80 uint8_t mask[ETHER_ADDR_LEN];
85 struct pfctl_eth_rule {
88 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
94 char ifname[IFNAMSIZ];
98 struct pfctl_eth_addr src, dst;
99 struct pf_rule_addr ipsrc, ipdst;
100 char match_tagname[PF_TAG_NAME_SIZE];
105 uint64_t evaluations;
108 time_t last_active_timestamp;
111 char qname[PF_QNAME_SIZE];
112 char tagname[PF_TAG_NAME_SIZE];
115 char bridge_to[IFNAMSIZ];
118 struct pfctl_eth_anchor *anchor;
119 uint8_t anchor_relative;
120 uint8_t anchor_wildcard;
122 TAILQ_ENTRY(pfctl_eth_rule) entries;
124 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
126 struct pfctl_eth_ruleset_info {
128 char name[PF_ANCHOR_NAME_SIZE];
129 char path[MAXPATHLEN];
132 struct pfctl_eth_ruleset {
133 struct pfctl_eth_rules rules;
134 struct pfctl_eth_anchor *anchor;
137 struct pfctl_eth_anchor {
138 struct pfctl_eth_anchor *parent;
139 char name[PF_ANCHOR_NAME_SIZE];
140 char path[MAXPATHLEN];
141 struct pfctl_eth_ruleset ruleset;
142 int refcnt; /* anchor rules */
143 int match; /* XXX: used for pfctl black magic */
147 struct pf_palist list;
148 struct pf_pooladdr *cur;
149 struct pf_poolhashkey key;
150 struct pf_addr counter;
151 struct pf_mape_portset mape;
153 uint16_t proxy_port[2];
157 struct pfctl_rules_info {
163 struct pf_rule_addr src;
164 struct pf_rule_addr dst;
165 union pf_rule_ptr skip[PF_SKIP_COUNT];
166 char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
167 uint32_t ridentifier;
168 char ifname[IFNAMSIZ];
169 char qname[PF_QNAME_SIZE];
170 char pqname[PF_QNAME_SIZE];
171 char tagname[PF_TAG_NAME_SIZE];
172 char match_tagname[PF_TAG_NAME_SIZE];
174 char overload_tblname[PF_TABLE_NAME_SIZE];
176 TAILQ_ENTRY(pfctl_rule) entries;
177 struct pfctl_pool rpool;
179 uint64_t evaluations;
182 time_t last_active_timestamp;
185 struct pfctl_anchor *anchor;
186 struct pfr_ktable *overload_tbl;
188 pf_osfp_t os_fingerprint;
191 uint32_t timeout[PFTM_MAX];
193 uint32_t max_src_nodes;
194 uint32_t max_src_states;
195 uint32_t max_src_conn;
214 uint16_t return_icmp;
215 uint16_t return_icmp6;
219 uint16_t scrub_flags;
221 struct pf_rule_uid uid;
222 struct pf_rule_gid gid;
231 uint8_t match_tag_not;
247 uint8_t anchor_relative;
248 uint8_t anchor_wildcard;
260 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
262 struct pfctl_ruleset {
264 struct pfctl_rulequeue queues[2];
266 struct pfctl_rulequeue *ptr;
267 struct pfctl_rule **ptr_array;
272 } rules[PF_RULESET_MAX];
273 struct pfctl_anchor *anchor;
279 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
280 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
281 struct pfctl_anchor {
282 RB_ENTRY(pfctl_anchor) entry_global;
283 RB_ENTRY(pfctl_anchor) entry_node;
284 struct pfctl_anchor *parent;
285 struct pfctl_anchor_node children;
286 char name[PF_ANCHOR_NAME_SIZE];
287 char path[MAXPATHLEN];
288 struct pfctl_ruleset ruleset;
289 int refcnt; /* anchor rules */
290 int match; /* XXX: used for pfctl black magic */
292 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
294 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
297 struct pfctl_state_cmp {
304 struct pfctl_state_cmp cmp;
307 struct pf_rule_addr src;
308 struct pf_rule_addr dst;
309 struct pf_rule_addr rt_addr;
310 char ifname[IFNAMSIZ];
311 char label[PF_RULE_LABEL_SIZE];
316 struct pfctl_state_peer {
324 struct pfctl_state_key {
325 struct pf_addr addr[2];
332 TAILQ_ENTRY(pfctl_state) entry;
338 struct pfctl_state_peer src;
339 struct pfctl_state_peer dst;
344 struct pf_addr rt_addr;
345 struct pfctl_state_key key[2]; /* addresses stack and wire */
346 char ifname[IFNAMSIZ];
347 char orig_ifname[IFNAMSIZ];
352 uint32_t pfsync_time;
353 uint16_t state_flags;
366 char rt_ifname[IFNAMSIZ];
369 TAILQ_HEAD(pfctl_statelist, pfctl_state);
370 struct pfctl_states {
371 struct pfctl_statelist states;
374 enum pfctl_syncookies_mode {
375 PFCTL_SYNCOOKIES_NEVER,
376 PFCTL_SYNCOOKIES_ALWAYS,
377 PFCTL_SYNCOOKIES_ADAPTIVE
379 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
381 struct pfctl_syncookies {
382 enum pfctl_syncookies_mode mode;
383 uint8_t highwater; /* Percent */
384 uint8_t lowwater; /* Percent */
385 uint32_t halfopen_states;
388 #define PF_DEVICE "/dev/pf"
391 struct pfctl_handle *pfctl_open(const char *pf_device);
392 void pfctl_close(struct pfctl_handle *);
394 int pfctl_startstop(struct pfctl_handle *h, int start);
395 struct pfctl_status* pfctl_get_status(int dev);
396 uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
397 uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
398 uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
399 uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
400 void pfctl_free_status(struct pfctl_status *status);
402 int pfctl_get_eth_rulesets_info(int dev,
403 struct pfctl_eth_rulesets_info *ri, const char *path);
404 int pfctl_get_eth_ruleset(int dev, const char *path, int nr,
405 struct pfctl_eth_ruleset_info *ri);
406 int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
408 int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
409 const char *path, struct pfctl_eth_rule *rule, bool clear,
411 int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
412 const char *anchor, const char *anchor_call, uint32_t ticket);
413 int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
414 uint32_t ruleset, const char *path);
415 int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
416 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
418 int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
419 const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
420 char *anchor_call, bool clear);
421 int pfctl_add_rule(int dev, const struct pfctl_rule *r,
422 const char *anchor, const char *anchor_call, uint32_t ticket,
423 uint32_t pool_ticket);
424 int pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
425 const char *anchor, const char *anchor_call, uint32_t ticket,
426 uint32_t pool_ticket);
427 int pfctl_set_keepcounters(int dev, bool keep);
428 int pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);
430 struct pfctl_state_filter {
431 char ifname[IFNAMSIZ];
437 typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
438 int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
439 int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
440 int pfctl_get_states(int dev, struct pfctl_states *states);
441 void pfctl_free_states(struct pfctl_states *states);
442 int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
443 unsigned int *killed);
444 int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
445 unsigned int *killed);
446 int pfctl_clear_rules(int dev, const char *anchorname);
447 int pfctl_clear_nat(int dev, const char *anchorname);
448 int pfctl_clear_eth_rules(int dev, const char *anchorname);
449 int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
450 int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
451 int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
452 *addr, int size, int *nadd, int flags);
453 int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
454 *addr, int size, int *ndel, int flags);
455 int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
456 *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
458 int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
459 *addr, int *size, int flags);