1 /*-
2  * SPDX-License-Identifier: BSD-2-Clause
3  *
4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33
34 #ifndef _PFCTL_IOCTL_H_
35 #define _PFCTL_IOCTL_H_
36
37 #include <netpfil/pf/pf.h>
38
/* Forward declaration; the full definition follows further down in this header. */
struct pfctl_anchor;
40
/*
 * One named counter carried inside struct pfctl_status.
 * NOTE(review): 'name' is a pointer rather than an inline array, so it is
 * presumably heap-allocated when the status is fetched and released by
 * pfctl_free_status() — confirm against libpfctl.c before freeing it yourself.
 */
struct pfctl_status_counter {
        uint64_t         id;            /* numeric counter id */
        uint64_t         counter;       /* current counter value */
        char            *name;          /* counter name (see ownership note above) */

        TAILQ_ENTRY(pfctl_status_counter) entry; /* list linkage */
};
/* List of struct pfctl_status_counter, linked through their 'entry' member. */
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
49
/*
 * Snapshot of pf status as returned by pfctl_get_status().
 * The four counter lists and their counter names are owned by this object;
 * release the whole snapshot with pfctl_free_status() rather than freeing
 * members individually.
 */
struct pfctl_status {
        bool            running;        /* pf is enabled */
        uint32_t        since;
        uint32_t        debug;
        uint32_t        hostid;
        uint64_t        states;
        uint64_t        src_nodes;
        char            ifname[IFNAMSIZ];       /* fixed size; presumably NUL-terminated — verify before printing */
        uint8_t         pf_chksum[PF_MD5_DIGEST_LENGTH];        /* raw digest bytes, not a string */

        struct pfctl_status_counters     counters;
        struct pfctl_status_counters     lcounters;
        struct pfctl_status_counters     fcounters;
        struct pfctl_status_counters     scounters;
        /* Index meaning of the dimensions below is not defined in this header; see pf.h. */
        uint64_t        pcounters[2][2][3];
        uint64_t        bcounters[2][2];
};
67
/*
 * Userland view of a rule's address pool (the 'rpool' member of struct pfctl_rule).
 * NOTE(review): 'cur' points into 'list'; its validity after the rule is
 * copied or freed is not guaranteed by this header — confirm in libpfctl.c.
 */
struct pfctl_pool {
        struct pf_palist         list;          /* pool address list */
        struct pf_pooladdr      *cur;           /* current entry in 'list' (see note above) */
        struct pf_poolhashkey    key;
        struct pf_addr           counter;
        struct pf_mape_portset   mape;
        int                      tblidx;
        uint16_t                 proxy_port[2];
        uint8_t                  opts;
};
78
/*
 * Output of pfctl_get_rules_info(): the number of rules in a ruleset and the
 * ticket that subsequent pfctl_get_rule() calls must present for that ruleset.
 */
struct pfctl_rules_info {
        uint32_t        nr;             /* rule count */
        uint32_t        ticket;         /* ruleset ticket */
};
83
/*
 * Userland representation of a single pf rule, filled by pfctl_get_rule() and
 * consumed by pfctl_add_rule().
 *
 * The fixed-size char arrays below (label, ifname, qname, ...) carry no
 * separate length field; anything that fills them directly must bound the
 * copy to the array size and keep a terminating NUL (prefer snprintf/strlcpy
 * over strcpy). The kif/anchor/overload_tbl pointers are declared with pf's
 * own struct types; NOTE(review): whether libpfctl populates them in userland
 * or they merely mirror the kernel layout is not visible here — confirm
 * before dereferencing.
 */
struct pfctl_rule {
        struct pf_rule_addr      src;
        struct pf_rule_addr      dst;
        union pf_rule_ptr        skip[PF_SKIP_COUNT];
        char                     label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
        uint32_t                 ridentifier;
        char                     ifname[IFNAMSIZ];
        char                     qname[PF_QNAME_SIZE];
        char                     pqname[PF_QNAME_SIZE];
        char                     tagname[PF_TAG_NAME_SIZE];
        char                     match_tagname[PF_TAG_NAME_SIZE];

        char                     overload_tblname[PF_TABLE_NAME_SIZE];

        TAILQ_ENTRY(pfctl_rule)  entries;       /* linkage in a struct pfctl_rulequeue */
        struct pfctl_pool        rpool;         /* address pool (contains a pointer into itself) */

        /* Counters; index meaning of the [2] dimensions is defined in pf.h, not here. */
        uint64_t                 evaluations;
        uint64_t                 packets[2];
        uint64_t                 bytes[2];

        struct pfi_kif          *kif;           /* see header note */
        struct pfctl_anchor     *anchor;        /* see header note */
        struct pfr_ktable       *overload_tbl;  /* see header note */

        pf_osfp_t                os_fingerprint;

        int                      rtableid;
        uint32_t                 timeout[PFTM_MAX];
        uint32_t                 max_states;
        uint32_t                 max_src_nodes;
        uint32_t                 max_src_states;
        uint32_t                 max_src_conn;
        struct {
                uint32_t                limit;
                uint32_t                seconds;
        }                        max_src_conn_rate;
        uint32_t                 qid;
        uint32_t                 pqid;
        uint32_t                 nr;            /* rule number within its ruleset */
        uint32_t                 prob;
        uid_t                    cuid;
        pid_t                    cpid;

        uint64_t                 states_cur;
        uint64_t                 states_tot;
        uint64_t                 src_nodes;

        uint16_t                 return_icmp;
        uint16_t                 return_icmp6;
        uint16_t                 max_mss;
        uint16_t                 tag;
        uint16_t                 match_tag;
        uint16_t                 scrub_flags;

        struct pf_rule_uid       uid;
        struct pf_rule_gid       gid;

        uint32_t                 rule_flag;
        uint8_t                  action;
        uint8_t                  direction;
        uint8_t                  log;
        uint8_t                  logif;
        uint8_t                  quick;
        uint8_t                  ifnot;
        uint8_t                  match_tag_not;
        uint8_t                  natpass;

        uint8_t                  keep_state;
        sa_family_t              af;
        uint8_t                  proto;
        uint8_t                  type;
        uint8_t                  code;
        uint8_t                  flags;
        uint8_t                  flagset;
        uint8_t                  min_ttl;
        uint8_t                  allow_opts;
        uint8_t                  rt;
        uint8_t                  return_ttl;
        uint8_t                  tos;
        uint8_t                  set_tos;
        uint8_t                  anchor_relative;
        uint8_t                  anchor_wildcard;

        uint8_t                  flush;
        uint8_t                  prio;
        uint8_t                  set_prio[2];

        struct {
                struct pf_addr          addr;
                uint16_t                port;
        }                       divert;
};
177
/* List of struct pfctl_rule, linked through their 'entries' member. */
TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
179
/*
 * A set of rule queues, one pair (active/inactive) per ruleset type in
 * PF_RULESET_MAX. The 'ptr' members point at one of the two 'queues' entries;
 * NOTE(review): 'ptr_array' is a separately allocated array of rule pointers
 * whose length is presumably 'rcount' — confirm in the code that fills it.
 */
struct pfctl_ruleset {
        struct {
                struct pfctl_rulequeue   queues[2];
                struct {
                        struct pfctl_rulequeue  *ptr;           /* points into 'queues' */
                        struct pfctl_rule       **ptr_array;    /* see note above */
                        uint32_t                 rcount;
                        uint32_t                 ticket;
                        int                      open;
                }                        active, inactive;
        }                        rules[PF_RULESET_MAX];
        struct pfctl_anchor     *anchor;        /* owning anchor */
        uint32_t                 tticket;
        int                      tables;
        int                      topen;
};
196
/* Red-black tree heads for anchors: one global tree and one per-anchor children tree. */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
/*
 * An anchor: a named, possibly nested, container for a ruleset. Anchors are
 * kept both in a global tree (entry_global) and in their parent's children
 * tree (entry_node). 'name' and 'path' are fixed-size and carry no length;
 * code writing to them must bound the copy and keep the terminating NUL.
 */
struct pfctl_anchor {
        RB_ENTRY(pfctl_anchor)   entry_global;  /* linkage in pfctl_anchor_global */
        RB_ENTRY(pfctl_anchor)   entry_node;    /* linkage in parent's 'children' */
        struct pfctl_anchor     *parent;        /* NULL presumably means top level — verify */
        struct pfctl_anchor_node children;
        char                     name[PF_ANCHOR_NAME_SIZE];
        char                     path[MAXPATHLEN];
        struct pfctl_ruleset     ruleset;
        int                      refcnt;        /* anchor rules */
        int                      match; /* XXX: used for pfctl black magic */
};
/*
 * Tree operation prototypes. Both trees are ordered by pf_anchor_compare(),
 * which is not declared in this header and must be provided by the library.
 */
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);
214
/*
 * Identity of a single state: the same three fields head struct pfctl_state,
 * so a state can be matched by (id, creatorid, direction) without the rest.
 */
struct pfctl_state_cmp {
        uint64_t        id;
        uint32_t        creatorid;
        uint8_t         direction;
};
220
/*
 * Selector passed to pfctl_clear_states() and pfctl_kill_states(): states
 * matching the given criteria are removed. 'ifname' and 'label' are fixed-size
 * and must be NUL-terminated by the caller before the struct is handed over.
 */
struct pfctl_kill {
        struct pfctl_state_cmp  cmp;            /* match a specific state by identity */
        sa_family_t             af;
        int                     proto;
        struct pf_rule_addr     src;
        struct pf_rule_addr     dst;
        struct pf_rule_addr     rt_addr;
        char                    ifname[IFNAMSIZ];
        char                    label[PF_RULE_LABEL_SIZE];
        bool                    kill_match;
};
232
/* Per-endpoint tracking data of a state (used for both 'src' and 'dst'). */
struct pfctl_state_peer {
        uint32_t                         seqlo;
        uint32_t                         seqhi;
        uint32_t                         seqdiff;
        uint8_t                          state;
        uint8_t                          wscale;
};
240
/* Address/port pair plus family and protocol identifying one side of a state. */
struct pfctl_state_key {
        struct pf_addr   addr[2];
        uint16_t         port[2];
        sa_family_t      af;
        uint8_t          proto;
};
247
/*
 * Userland copy of one pf state entry, as listed by pfctl_get_states().
 * The leading (id, creatorid, direction) fields mirror struct pfctl_state_cmp.
 * Entries are owned by the enclosing struct pfctl_states; free them through
 * pfctl_free_states(), not individually.
 */
struct pfctl_state {
        TAILQ_ENTRY(pfctl_state)        entry;  /* linkage in struct pfctl_statelist */

        uint64_t                 id;
        uint32_t                 creatorid;
        uint8_t                  direction;

        struct pfctl_state_peer  src;
        struct pfctl_state_peer  dst;

        uint32_t                 rule;
        uint32_t                 anchor;
        uint32_t                 nat_rule;
        struct pf_addr           rt_addr;
        struct pfctl_state_key   key[2];        /* addresses stack and wire  */
        char                     ifname[IFNAMSIZ];
        char                     orig_ifname[IFNAMSIZ];
        uint64_t                 packets[2];    /* index meaning defined in pf.h, not here */
        uint64_t                 bytes[2];
        uint32_t                 creation;
        uint32_t                 expire;
        uint32_t                 pfsync_time;
        uint8_t                  state_flags;
        uint32_t                 sync_flags;
};
273
/* List of struct pfctl_state, linked through their 'entry' member. */
TAILQ_HEAD(pfctl_statelist, pfctl_state);
/*
 * Result of pfctl_get_states(): the state list and its length.
 * Release with pfctl_free_states().
 */
struct pfctl_states {
        struct pfctl_statelist  states;
        size_t                  count;          /* number of entries in 'states' */
};
279
/* SYN cookie operating modes; values start at 0 in declaration order. */
enum pfctl_syncookies_mode {
        PFCTL_SYNCOOKIES_NEVER,
        PFCTL_SYNCOOKIES_ALWAYS,
        PFCTL_SYNCOOKIES_ADAPTIVE
};
/*
 * Printable names, presumably indexed by enum pfctl_syncookies_mode.
 * The array length is not declared here; bounds-check the index against the
 * enum before using it, since it may originate from user input.
 */
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
286
/*
 * SYN cookie configuration exchanged with pfctl_set_syncookies() and
 * pfctl_get_syncookies(). Watermarks are percentages (0-100 presumably);
 * the header does not enforce the range, so validate before passing in.
 */
struct pfctl_syncookies {
        enum pfctl_syncookies_mode      mode;
        uint8_t                         highwater;      /* Percent */
        uint8_t                         lowwater;       /* Percent */
};
292
/*
 * Fetch a pf status snapshot from the pf device 'dev'.
 * Returns a heap-allocated struct pfctl_status, or NULL presumably on
 * failure (check the implementation for errno semantics). The result,
 * including its counter lists, must be released with pfctl_free_status().
 */
struct pfctl_status* pfctl_get_status(int dev);
void    pfctl_free_status(struct pfctl_status *status);
295
/*
 * Rule retrieval and insertion.
 *
 * pfctl_get_rules_info() fills 'rules' (count and ticket) for the ruleset
 * type 'ruleset' under anchor 'path'. pfctl_get_rule() then fetches rule
 * number 'nr' using that 'ticket'; pfctl_get_clear_rule() is the same call
 * with the option to reset the rule's counters ('clear').
 *
 * 'anchor_call' is an output buffer with no size parameter: the caller must
 * provide a buffer as large as the implementation writes (NOTE(review): check
 * libpfctl.c for the exact bound before sizing it smaller than MAXPATHLEN).
 *
 * pfctl_add_rule() installs rule 'r' under 'anchor' with the given rule and
 * pool tickets. All functions return int; the success/error convention is
 * not documented here — presumably 0 on success, non-zero otherwise.
 */
int     pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
            uint32_t ruleset, const char *path);
int     pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
            const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
            char *anchor_call);
int     pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
            const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
            char *anchor_call, bool clear);
int     pfctl_add_rule(int dev, const struct pfctl_rule *r,
            const char *anchor, const char *anchor_call, uint32_t ticket,
            uint32_t pool_ticket);
/*
 * State handling.
 *
 * pfctl_get_states() fills 'states' with the current state list; release it
 * with pfctl_free_states(). pfctl_clear_states() and pfctl_kill_states()
 * remove states matching 'kill' and, if 'killed' is non-NULL presumably,
 * report how many were removed — confirm NULL handling in libpfctl.c.
 * pfctl_set_keepcounters() toggles whether rule counters are preserved.
 */
int     pfctl_set_keepcounters(int dev, bool keep);
int     pfctl_get_states(int dev, struct pfctl_states *states);
void    pfctl_free_states(struct pfctl_states *states);
int     pfctl_clear_states(int dev, const struct pfctl_kill *kill,
            unsigned int *killed);
int     pfctl_kill_states(int dev, const struct pfctl_kill *kill,
            unsigned int *killed);
/*
 * Clear all filter (pfctl_clear_rules) or NAT (pfctl_clear_nat) rules under
 * 'anchorname', and get/set the SYN cookie configuration. Return value
 * convention is not documented here; presumably 0 on success.
 */
int     pfctl_clear_rules(int dev, const char *anchorname);
int     pfctl_clear_nat(int dev, const char *anchorname);
int     pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int     pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address manipulation.
 *
 * 'addr' points at an array of struct pfr_addr and 'size' is its length;
 * NOTE(review): 'size' is a signed int with no declared unit — presumably an
 * element count, not a byte count — so callers must not pass negative or
 * unchecked user-supplied values. The n* output pointers receive how many
 * entries were added/deleted/changed. For pfctl_table_get_addrs(), 'size' is
 * passed by pointer and presumably carries the buffer capacity in and the
 * number of entries out; verify against the implementation before relying
 * on that contract.
 */
int     pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
            *addr, int size, int *nadd, int flags);
int     pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
            *addr, int size, int *ndel, int flags);
int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
            *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
            int flags);
int     pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
            *addr, int *size, int flags);
327 #endif