lib/libpfctl/libpfctl.h

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause
   3  *
   4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  *    - Redistributions of source code must retain the above copyright
  12  *      notice, this list of conditions and the following disclaimer.
  13  *    - Redistributions in binary form must reproduce the above
  14  *      copyright notice, this list of conditions and the following
  15  *      disclaimer in the documentation and/or other materials provided
  16  *      with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
  28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  */
  31
  32 #ifndef _PFCTL_IOCTL_H_
  33 #define _PFCTL_IOCTL_H_
  34
  35 #include <netpfil/pf/pf.h>
  36
  37 struct pfctl_anchor;
  38 struct pfctl_eth_anchor;
  39
  40 struct pfctl_status_counter {
  41         uint64_t         id;
  42         uint64_t         counter;
  43         char            *name;
  44
  45         TAILQ_ENTRY(pfctl_status_counter) entry;
  46 };
  47 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
  48
  49 struct pfctl_status {
  50         bool            running;
  51         uint32_t        since;
  52         uint32_t        debug;
  53         uint32_t        hostid;
  54         uint64_t        states;
  55         uint64_t        src_nodes;
  56         char            ifname[IFNAMSIZ];
  57         uint8_t         pf_chksum[PF_MD5_DIGEST_LENGTH];
  58         bool            syncookies_active;
  59         uint32_t        reass;
  60
  61         struct pfctl_status_counters     counters;
  62         struct pfctl_status_counters     lcounters;
  63         struct pfctl_status_counters     fcounters;
  64         struct pfctl_status_counters     scounters;
  65         uint64_t        pcounters[2][2][3];
  66         uint64_t        bcounters[2][2];
  67 };
  68
  69 struct pfctl_eth_rulesets_info {
  70         uint32_t        nr;
  71 };
  72
  73 struct pfctl_eth_rules_info {
  74         uint32_t        nr;
  75         uint32_t        ticket;
  76 };
  77
  78 struct pfctl_eth_addr {
  79         uint8_t addr[ETHER_ADDR_LEN];
  80         uint8_t mask[ETHER_ADDR_LEN];
  81         bool    neg;
  82         bool    isset;
  83 };
  84
  85 struct pfctl_eth_rule {
  86         uint32_t                 nr;
  87
  88         char                    label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
  89         uint32_t                ridentifier;
  90
  91         bool                     quick;
  92
  93         /* Filter */
  94         char                     ifname[IFNAMSIZ];
  95         uint8_t                  ifnot;
  96         uint8_t                  direction;
  97         uint16_t                 proto;
  98         struct pfctl_eth_addr    src, dst;
  99         struct pf_rule_addr      ipsrc, ipdst;
 100         char                     match_tagname[PF_TAG_NAME_SIZE];
 101         uint16_t                 match_tag;
 102         bool                     match_tag_not;
 103
 104         /* Stats */
 105         uint64_t                 evaluations;
 106         uint64_t                 packets[2];
 107         uint64_t                 bytes[2];
 108         time_t                   last_active_timestamp;
 109
 110         /* Action */
 111         char                     qname[PF_QNAME_SIZE];
 112         char                     tagname[PF_TAG_NAME_SIZE];
 113         uint16_t                 dnpipe;
 114         uint32_t                 dnflags;
 115         char                     bridge_to[IFNAMSIZ];
 116         uint8_t                  action;
 117
 118         struct pfctl_eth_anchor *anchor;
 119         uint8_t                  anchor_relative;
 120         uint8_t                  anchor_wildcard;
 121
 122         TAILQ_ENTRY(pfctl_eth_rule)      entries;
 123 };
 124 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
 125
 126 struct pfctl_eth_ruleset_info {
 127         uint32_t        nr;
 128         char            name[PF_ANCHOR_NAME_SIZE];
 129         char            path[MAXPATHLEN];
 130 };
 131
 132 struct pfctl_eth_ruleset {
 133         struct pfctl_eth_rules   rules;
 134         struct pfctl_eth_anchor *anchor;
 135 };
 136
 137 struct pfctl_eth_anchor {
 138         struct pfctl_eth_anchor         *parent;
 139         char                             name[PF_ANCHOR_NAME_SIZE];
 140         char                             path[MAXPATHLEN];
 141         struct pfctl_eth_ruleset         ruleset;
 142         int                              refcnt;        /* anchor rules */
 143         int                              match; /* XXX: used for pfctl black magic */
 144 };
 145
 146 struct pfctl_pool {
 147         struct pf_palist         list;
 148         struct pf_pooladdr      *cur;
 149         struct pf_poolhashkey    key;
 150         struct pf_addr           counter;
 151         struct pf_mape_portset   mape;
 152         int                      tblidx;
 153         uint16_t                 proxy_port[2];
 154         uint8_t                  opts;
 155 };
 156
 157 struct pfctl_rules_info {
 158         uint32_t        nr;
 159         uint32_t        ticket;
 160 };
 161
 162 struct pfctl_rule {
 163         struct pf_rule_addr      src;
 164         struct pf_rule_addr      dst;
 165         union pf_rule_ptr        skip[PF_SKIP_COUNT];
 166         char                     label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
 167         uint32_t                 ridentifier;
 168         char                     ifname[IFNAMSIZ];
 169         char                     qname[PF_QNAME_SIZE];
 170         char                     pqname[PF_QNAME_SIZE];
 171         char                     tagname[PF_TAG_NAME_SIZE];
 172         char                     match_tagname[PF_TAG_NAME_SIZE];
 173
 174         char                     overload_tblname[PF_TABLE_NAME_SIZE];
 175
 176         TAILQ_ENTRY(pfctl_rule)  entries;
 177         struct pfctl_pool        rpool;
 178
 179         uint64_t                 evaluations;
 180         uint64_t                 packets[2];
 181         uint64_t                 bytes[2];
 182         time_t                   last_active_timestamp;
 183
 184         struct pfi_kif          *kif;
 185         struct pfctl_anchor     *anchor;
 186         struct pfr_ktable       *overload_tbl;
 187
 188         pf_osfp_t                os_fingerprint;
 189
 190         int                      rtableid;
 191         uint32_t                 timeout[PFTM_MAX];
 192         uint32_t                 max_states;
 193         uint32_t                 max_src_nodes;
 194         uint32_t                 max_src_states;
 195         uint32_t                 max_src_conn;
 196         struct {
 197                 uint32_t                limit;
 198                 uint32_t                seconds;
 199         }                        max_src_conn_rate;
 200         uint32_t                 qid;
 201         uint32_t                 pqid;
 202         uint16_t                 dnpipe;
 203         uint16_t                 dnrpipe;
 204         uint32_t                 free_flags;
 205         uint32_t                 nr;
 206         uint32_t                 prob;
 207         uid_t                    cuid;
 208         pid_t                    cpid;
 209
 210         uint64_t                 states_cur;
 211         uint64_t                 states_tot;
 212         uint64_t                 src_nodes;
 213
 214         uint16_t                 return_icmp;
 215         uint16_t                 return_icmp6;
 216         uint16_t                 max_mss;
 217         uint16_t                 tag;
 218         uint16_t                 match_tag;
 219         uint16_t                 scrub_flags;
 220
 221         struct pf_rule_uid       uid;
 222         struct pf_rule_gid       gid;
 223
 224         uint32_t                 rule_flag;
 225         uint8_t                  action;
 226         uint8_t                  direction;
 227         uint8_t                  log;
 228         uint8_t                  logif;
 229         uint8_t                  quick;
 230         uint8_t                  ifnot;
 231         uint8_t                  match_tag_not;
 232         uint8_t                  natpass;
 233
 234         uint8_t                  keep_state;
 235         sa_family_t              af;
 236         uint8_t                  proto;
 237         uint8_t                  type;
 238         uint8_t                  code;
 239         uint8_t                  flags;
 240         uint8_t                  flagset;
 241         uint8_t                  min_ttl;
 242         uint8_t                  allow_opts;
 243         uint8_t                  rt;
 244         uint8_t                  return_ttl;
 245         uint8_t                  tos;
 246         uint8_t                  set_tos;
 247         uint8_t                  anchor_relative;
 248         uint8_t                  anchor_wildcard;
 249
 250         uint8_t                  flush;
 251         uint8_t                  prio;
 252         uint8_t                  set_prio[2];
 253
 254         struct {
 255                 struct pf_addr          addr;
 256                 uint16_t                port;
 257         }                       divert;
 258 };
 259
 260 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
 261
 262 struct pfctl_ruleset {
 263         struct {
 264                 struct pfctl_rulequeue   queues[2];
 265                 struct {
 266                         struct pfctl_rulequeue  *ptr;
 267                         struct pfctl_rule       **ptr_array;
 268                         uint32_t                 rcount;
 269                         uint32_t                 ticket;
 270                         int                      open;
 271                 }                        active, inactive;
 272         }                        rules[PF_RULESET_MAX];
 273         struct pfctl_anchor     *anchor;
 274         uint32_t                 tticket;
 275         int                      tables;
 276         int                      topen;
 277 };
 278
 279 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
 280 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
 281 struct pfctl_anchor {
 282         RB_ENTRY(pfctl_anchor)   entry_global;
 283         RB_ENTRY(pfctl_anchor)   entry_node;
 284         struct pfctl_anchor     *parent;
 285         struct pfctl_anchor_node children;
 286         char                     name[PF_ANCHOR_NAME_SIZE];
 287         char                     path[MAXPATHLEN];
 288         struct pfctl_ruleset     ruleset;
 289         int                      refcnt;        /* anchor rules */
 290         int                      match; /* XXX: used for pfctl black magic */
 291 };
 292 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
 293     pf_anchor_compare);
 294 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
 295     pf_anchor_compare);
 296
 297 struct pfctl_state_cmp {
 298         uint64_t        id;
 299         uint32_t        creatorid;
 300         uint8_t         direction;
 301 };
 302
 303 struct pfctl_kill {
 304         struct pfctl_state_cmp  cmp;
 305         sa_family_t             af;
 306         int                     proto;
 307         struct pf_rule_addr     src;
 308         struct pf_rule_addr     dst;
 309         struct pf_rule_addr     rt_addr;
 310         char                    ifname[IFNAMSIZ];
 311         char                    label[PF_RULE_LABEL_SIZE];
 312         bool                    kill_match;
 313         bool                    nat;
 314 };
 315
 316 struct pfctl_state_peer {
 317         uint32_t                         seqlo;
 318         uint32_t                         seqhi;
 319         uint32_t                         seqdiff;
 320         uint8_t                          state;
 321         uint8_t                          wscale;
 322 };
 323
 324 struct pfctl_state_key {
 325         struct pf_addr   addr[2];
 326         uint16_t         port[2];
 327         sa_family_t      af;
 328         uint8_t          proto;
 329 };
 330
 331 struct pfctl_state {
 332         TAILQ_ENTRY(pfctl_state)        entry;
 333
 334         uint64_t                 id;
 335         uint32_t                 creatorid;
 336         uint8_t                  direction;
 337
 338         struct pfctl_state_peer  src;
 339         struct pfctl_state_peer  dst;
 340
 341         uint32_t                 rule;
 342         uint32_t                 anchor;
 343         uint32_t                 nat_rule;
 344         struct pf_addr           rt_addr;
 345         struct pfctl_state_key   key[2];        /* addresses stack and wire  */
 346         char                     ifname[IFNAMSIZ];
 347         char                     orig_ifname[IFNAMSIZ];
 348         uint64_t                 packets[2];
 349         uint64_t                 bytes[2];
 350         uint32_t                 creation;
 351         uint32_t                 expire;
 352         uint32_t                 pfsync_time;
 353         uint16_t                 state_flags;
 354         uint32_t                 sync_flags;
 355         uint16_t                 qid;
 356         uint16_t                 pqid;
 357         uint16_t                 dnpipe;
 358         uint16_t                 dnrpipe;
 359         uint8_t                  log;
 360         int32_t                  rtableid;
 361         uint8_t                  min_ttl;
 362         uint8_t                  set_tos;
 363         uint16_t                 max_mss;
 364         uint8_t                  set_prio[2];
 365         uint8_t                  rt;
 366         char                     rt_ifname[IFNAMSIZ];
 367 };
 368
 369 TAILQ_HEAD(pfctl_statelist, pfctl_state);
 370 struct pfctl_states {
 371         struct pfctl_statelist  states;
 372 };
 373
 374 enum pfctl_syncookies_mode {
 375         PFCTL_SYNCOOKIES_NEVER,
 376         PFCTL_SYNCOOKIES_ALWAYS,
 377         PFCTL_SYNCOOKIES_ADAPTIVE
 378 };
 379 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
 380
 381 struct pfctl_syncookies {
 382         enum pfctl_syncookies_mode      mode;
 383         uint8_t                         highwater;      /* Percent */
 384         uint8_t                         lowwater;       /* Percent */
 385         uint32_t                        halfopen_states;
 386 };
 387
 388 #define PF_DEVICE       "/dev/pf"
 389
 390 struct pfctl_handle;
 391 struct pfctl_handle     *pfctl_open(const char *pf_device);
 392 void    pfctl_close(struct pfctl_handle *);
 393
 394 int     pfctl_startstop(struct pfctl_handle *h, int start);
 395 struct pfctl_status* pfctl_get_status(int dev);
 396 uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
 397 uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
 398 uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
 399 uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
 400 void    pfctl_free_status(struct pfctl_status *status);
 401
 402 int     pfctl_get_eth_rulesets_info(int dev,
 403             struct pfctl_eth_rulesets_info *ri, const char *path);
 404 int     pfctl_get_eth_ruleset(int dev, const char *path, int nr,
 405             struct pfctl_eth_ruleset_info *ri);
 406 int     pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
 407             const char *path);
 408 int     pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
 409             const char *path, struct pfctl_eth_rule *rule, bool clear,
 410             char *anchor_call);
 411 int     pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
 412             const char *anchor, const char *anchor_call, uint32_t ticket);
 413 int     pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
 414             uint32_t ruleset, const char *path);
 415 int     pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
 416             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
 417             char *anchor_call);
 418 int     pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
 419             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
 420             char *anchor_call, bool clear);
 421 int     pfctl_add_rule(int dev, const struct pfctl_rule *r,
 422             const char *anchor, const char *anchor_call, uint32_t ticket,
 423             uint32_t pool_ticket);
 424 int     pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
 425             const char *anchor, const char *anchor_call, uint32_t ticket,
 426             uint32_t pool_ticket);
 427 int     pfctl_set_keepcounters(int dev, bool keep);
 428 int     pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);
 429
 430 struct pfctl_state_filter {
 431         char                    ifname[IFNAMSIZ];
 432         uint16_t                proto;
 433         sa_family_t             af;
 434         struct pf_addr          addr;
 435         struct pf_addr          mask;
 436 };
 437 typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
 438 int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
 439 int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
 440 int     pfctl_get_states(int dev, struct pfctl_states *states);
 441 void    pfctl_free_states(struct pfctl_states *states);
 442 int     pfctl_clear_states(int dev, const struct pfctl_kill *kill,
 443             unsigned int *killed);
 444 int     pfctl_kill_states(int dev, const struct pfctl_kill *kill,
 445             unsigned int *killed);
 446 int     pfctl_clear_rules(int dev, const char *anchorname);
 447 int     pfctl_clear_nat(int dev, const char *anchorname);
 448 int     pfctl_clear_eth_rules(int dev, const char *anchorname);
 449 int     pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
 450 int     pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
 451 int     pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 452             *addr, int size, int *nadd, int flags);
 453 int     pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 454             *addr, int size, int *ndel, int flags);
 455 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 456             *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
 457             int flags);
 458 int     pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 459             *addr, int *size, int flags);
 460 #endif