lib/libpfctl/libpfctl.h

   1 /*-
   2  * SPDX-License-Identifier: BSD-2-Clause
   3  *
   4  * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
   5  * All rights reserved.
   6  *
   7  * Redistribution and use in source and binary forms, with or without
   8  * modification, are permitted provided that the following conditions
   9  * are met:
  10  *
  11  *    - Redistributions of source code must retain the above copyright
  12  *      notice, this list of conditions and the following disclaimer.
  13  *    - Redistributions in binary form must reproduce the above
  14  *      copyright notice, this list of conditions and the following
  15  *      disclaimer in the documentation and/or other materials provided
  16  *      with the distribution.
  17  *
  18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
  19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
  20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
  21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
  22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
  23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
  24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
  26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
  28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
  29  * POSSIBILITY OF SUCH DAMAGE.
  30  *
  31  * $FreeBSD$
  32  */
  33
  34 #ifndef _PFCTL_IOCTL_H_
  35 #define _PFCTL_IOCTL_H_
  36
  37 #include <netpfil/pf/pf.h>
  38
  39 struct pfctl_anchor;
  40 struct pfctl_eth_anchor;
  41
  42 struct pfctl_status_counter {
  43         uint64_t         id;
  44         uint64_t         counter;
  45         char            *name;
  46
  47         TAILQ_ENTRY(pfctl_status_counter) entry;
  48 };
  49 TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
  50
  51 struct pfctl_status {
  52         bool            running;
  53         uint32_t        since;
  54         uint32_t        debug;
  55         uint32_t        hostid;
  56         uint64_t        states;
  57         uint64_t        src_nodes;
  58         char            ifname[IFNAMSIZ];
  59         uint8_t         pf_chksum[PF_MD5_DIGEST_LENGTH];
  60         bool            syncookies_active;
  61         uint32_t        reass;
  62
  63         struct pfctl_status_counters     counters;
  64         struct pfctl_status_counters     lcounters;
  65         struct pfctl_status_counters     fcounters;
  66         struct pfctl_status_counters     scounters;
  67         uint64_t        pcounters[2][2][3];
  68         uint64_t        bcounters[2][2];
  69 };
  70
  71 struct pfctl_eth_rulesets_info {
  72         uint32_t        nr;
  73 };
  74
  75 struct pfctl_eth_rules_info {
  76         uint32_t        nr;
  77         uint32_t        ticket;
  78 };
  79
  80 struct pfctl_eth_addr {
  81         uint8_t addr[ETHER_ADDR_LEN];
  82         uint8_t mask[ETHER_ADDR_LEN];
  83         bool    neg;
  84         bool    isset;
  85 };
  86
  87 struct pfctl_eth_rule {
  88         uint32_t                 nr;
  89
  90         char                    label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
  91         uint32_t                ridentifier;
  92
  93         bool                     quick;
  94
  95         /* Filter */
  96         char                     ifname[IFNAMSIZ];
  97         uint8_t                  ifnot;
  98         uint8_t                  direction;
  99         uint16_t                 proto;
 100         struct pfctl_eth_addr    src, dst;
 101         struct pf_rule_addr      ipsrc, ipdst;
 102         char                     match_tagname[PF_TAG_NAME_SIZE];
 103         uint16_t                 match_tag;
 104         bool                     match_tag_not;
 105
 106         /* Stats */
 107         uint64_t                 evaluations;
 108         uint64_t                 packets[2];
 109         uint64_t                 bytes[2];
 110         time_t                   last_active_timestamp;
 111
 112         /* Action */
 113         char                     qname[PF_QNAME_SIZE];
 114         char                     tagname[PF_TAG_NAME_SIZE];
 115         uint16_t                 dnpipe;
 116         uint32_t                 dnflags;
 117         char                     bridge_to[IFNAMSIZ];
 118         uint8_t                  action;
 119
 120         struct pfctl_eth_anchor *anchor;
 121         uint8_t                  anchor_relative;
 122         uint8_t                  anchor_wildcard;
 123
 124         TAILQ_ENTRY(pfctl_eth_rule)      entries;
 125 };
 126 TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
 127
 128 struct pfctl_eth_ruleset_info {
 129         uint32_t        nr;
 130         char            name[PF_ANCHOR_NAME_SIZE];
 131         char            path[MAXPATHLEN];
 132 };
 133
 134 struct pfctl_eth_ruleset {
 135         struct pfctl_eth_rules   rules;
 136         struct pfctl_eth_anchor *anchor;
 137 };
 138
 139 struct pfctl_eth_anchor {
 140         struct pfctl_eth_anchor         *parent;
 141         char                             name[PF_ANCHOR_NAME_SIZE];
 142         char                             path[MAXPATHLEN];
 143         struct pfctl_eth_ruleset         ruleset;
 144         int                              refcnt;        /* anchor rules */
 145         int                              match; /* XXX: used for pfctl black magic */
 146 };
 147
 148 struct pfctl_pool {
 149         struct pf_palist         list;
 150         struct pf_pooladdr      *cur;
 151         struct pf_poolhashkey    key;
 152         struct pf_addr           counter;
 153         struct pf_mape_portset   mape;
 154         int                      tblidx;
 155         uint16_t                 proxy_port[2];
 156         uint8_t                  opts;
 157 };
 158
 159 struct pfctl_rules_info {
 160         uint32_t        nr;
 161         uint32_t        ticket;
 162 };
 163
 164 struct pfctl_rule {
 165         struct pf_rule_addr      src;
 166         struct pf_rule_addr      dst;
 167         union pf_rule_ptr        skip[PF_SKIP_COUNT];
 168         char                     label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
 169         uint32_t                 ridentifier;
 170         char                     ifname[IFNAMSIZ];
 171         char                     qname[PF_QNAME_SIZE];
 172         char                     pqname[PF_QNAME_SIZE];
 173         char                     tagname[PF_TAG_NAME_SIZE];
 174         char                     match_tagname[PF_TAG_NAME_SIZE];
 175
 176         char                     overload_tblname[PF_TABLE_NAME_SIZE];
 177
 178         TAILQ_ENTRY(pfctl_rule)  entries;
 179         struct pfctl_pool        rpool;
 180
 181         uint64_t                 evaluations;
 182         uint64_t                 packets[2];
 183         uint64_t                 bytes[2];
 184         time_t                   last_active_timestamp;
 185
 186         struct pfi_kif          *kif;
 187         struct pfctl_anchor     *anchor;
 188         struct pfr_ktable       *overload_tbl;
 189
 190         pf_osfp_t                os_fingerprint;
 191
 192         int                      rtableid;
 193         uint32_t                 timeout[PFTM_MAX];
 194         uint32_t                 max_states;
 195         uint32_t                 max_src_nodes;
 196         uint32_t                 max_src_states;
 197         uint32_t                 max_src_conn;
 198         struct {
 199                 uint32_t                limit;
 200                 uint32_t                seconds;
 201         }                        max_src_conn_rate;
 202         uint32_t                 qid;
 203         uint32_t                 pqid;
 204         uint16_t                 dnpipe;
 205         uint16_t                 dnrpipe;
 206         uint32_t                 free_flags;
 207         uint32_t                 nr;
 208         uint32_t                 prob;
 209         uid_t                    cuid;
 210         pid_t                    cpid;
 211
 212         uint64_t                 states_cur;
 213         uint64_t                 states_tot;
 214         uint64_t                 src_nodes;
 215
 216         uint16_t                 return_icmp;
 217         uint16_t                 return_icmp6;
 218         uint16_t                 max_mss;
 219         uint16_t                 tag;
 220         uint16_t                 match_tag;
 221         uint16_t                 scrub_flags;
 222
 223         struct pf_rule_uid       uid;
 224         struct pf_rule_gid       gid;
 225
 226         uint32_t                 rule_flag;
 227         uint8_t                  action;
 228         uint8_t                  direction;
 229         uint8_t                  log;
 230         uint8_t                  logif;
 231         uint8_t                  quick;
 232         uint8_t                  ifnot;
 233         uint8_t                  match_tag_not;
 234         uint8_t                  natpass;
 235
 236         uint8_t                  keep_state;
 237         sa_family_t              af;
 238         uint8_t                  proto;
 239         uint8_t                  type;
 240         uint8_t                  code;
 241         uint8_t                  flags;
 242         uint8_t                  flagset;
 243         uint8_t                  min_ttl;
 244         uint8_t                  allow_opts;
 245         uint8_t                  rt;
 246         uint8_t                  return_ttl;
 247         uint8_t                  tos;
 248         uint8_t                  set_tos;
 249         uint8_t                  anchor_relative;
 250         uint8_t                  anchor_wildcard;
 251
 252         uint8_t                  flush;
 253         uint8_t                  prio;
 254         uint8_t                  set_prio[2];
 255
 256         struct {
 257                 struct pf_addr          addr;
 258                 uint16_t                port;
 259         }                       divert;
 260 };
 261
 262 TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
 263
 264 struct pfctl_ruleset {
 265         struct {
 266                 struct pfctl_rulequeue   queues[2];
 267                 struct {
 268                         struct pfctl_rulequeue  *ptr;
 269                         struct pfctl_rule       **ptr_array;
 270                         uint32_t                 rcount;
 271                         uint32_t                 ticket;
 272                         int                      open;
 273                 }                        active, inactive;
 274         }                        rules[PF_RULESET_MAX];
 275         struct pfctl_anchor     *anchor;
 276         uint32_t                 tticket;
 277         int                      tables;
 278         int                      topen;
 279 };
 280
 281 RB_HEAD(pfctl_anchor_global, pfctl_anchor);
 282 RB_HEAD(pfctl_anchor_node, pfctl_anchor);
 283 struct pfctl_anchor {
 284         RB_ENTRY(pfctl_anchor)   entry_global;
 285         RB_ENTRY(pfctl_anchor)   entry_node;
 286         struct pfctl_anchor     *parent;
 287         struct pfctl_anchor_node children;
 288         char                     name[PF_ANCHOR_NAME_SIZE];
 289         char                     path[MAXPATHLEN];
 290         struct pfctl_ruleset     ruleset;
 291         int                      refcnt;        /* anchor rules */
 292         int                      match; /* XXX: used for pfctl black magic */
 293 };
 294 RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
 295     pf_anchor_compare);
 296 RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
 297     pf_anchor_compare);
 298
 299 struct pfctl_state_cmp {
 300         uint64_t        id;
 301         uint32_t        creatorid;
 302         uint8_t         direction;
 303 };
 304
 305 struct pfctl_kill {
 306         struct pfctl_state_cmp  cmp;
 307         sa_family_t             af;
 308         int                     proto;
 309         struct pf_rule_addr     src;
 310         struct pf_rule_addr     dst;
 311         struct pf_rule_addr     rt_addr;
 312         char                    ifname[IFNAMSIZ];
 313         char                    label[PF_RULE_LABEL_SIZE];
 314         bool                    kill_match;
 315 };
 316
 317 struct pfctl_state_peer {
 318         uint32_t                         seqlo;
 319         uint32_t                         seqhi;
 320         uint32_t                         seqdiff;
 321         uint8_t                          state;
 322         uint8_t                          wscale;
 323 };
 324
 325 struct pfctl_state_key {
 326         struct pf_addr   addr[2];
 327         uint16_t         port[2];
 328         sa_family_t      af;
 329         uint8_t          proto;
 330 };
 331
 332 struct pfctl_state {
 333         TAILQ_ENTRY(pfctl_state)        entry;
 334
 335         uint64_t                 id;
 336         uint32_t                 creatorid;
 337         uint8_t                  direction;
 338
 339         struct pfctl_state_peer  src;
 340         struct pfctl_state_peer  dst;
 341
 342         uint32_t                 rule;
 343         uint32_t                 anchor;
 344         uint32_t                 nat_rule;
 345         struct pf_addr           rt_addr;
 346         struct pfctl_state_key   key[2];        /* addresses stack and wire  */
 347         char                     ifname[IFNAMSIZ];
 348         char                     orig_ifname[IFNAMSIZ];
 349         uint64_t                 packets[2];
 350         uint64_t                 bytes[2];
 351         uint32_t                 creation;
 352         uint32_t                 expire;
 353         uint32_t                 pfsync_time;
 354         uint16_t                 state_flags;
 355         uint32_t                 sync_flags;
 356         uint16_t                 qid;
 357         uint16_t                 pqid;
 358         uint16_t                 dnpipe;
 359         uint16_t                 dnrpipe;
 360         uint8_t                  log;
 361         int32_t                  rtableid;
 362         uint8_t                  min_ttl;
 363         uint8_t                  set_tos;
 364         uint16_t                 max_mss;
 365         uint8_t                  set_prio[2];
 366         uint8_t                  rt;
 367         char                     rt_ifname[IFNAMSIZ];
 368 };
 369
 370 TAILQ_HEAD(pfctl_statelist, pfctl_state);
 371 struct pfctl_states {
 372         struct pfctl_statelist  states;
 373         size_t                  count;
 374 };
 375
 376 enum pfctl_syncookies_mode {
 377         PFCTL_SYNCOOKIES_NEVER,
 378         PFCTL_SYNCOOKIES_ALWAYS,
 379         PFCTL_SYNCOOKIES_ADAPTIVE
 380 };
 381 extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
 382
 383 struct pfctl_syncookies {
 384         enum pfctl_syncookies_mode      mode;
 385         uint8_t                         highwater;      /* Percent */
 386         uint8_t                         lowwater;       /* Percent */
 387 };
 388
 389 struct pfctl_status* pfctl_get_status(int dev);
 390 void    pfctl_free_status(struct pfctl_status *status);
 391
 392 int     pfctl_get_eth_rulesets_info(int dev,
 393             struct pfctl_eth_rulesets_info *ri, const char *path);
 394 int     pfctl_get_eth_ruleset(int dev, const char *path, int nr,
 395             struct pfctl_eth_ruleset_info *ri);
 396 int     pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
 397             const char *path);
 398 int     pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
 399             const char *path, struct pfctl_eth_rule *rule, bool clear,
 400             char *anchor_call);
 401 int     pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
 402             const char *anchor, const char *anchor_call, uint32_t ticket);
 403 int     pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
 404             uint32_t ruleset, const char *path);
 405 int     pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
 406             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
 407             char *anchor_call);
 408 int     pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
 409             const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
 410             char *anchor_call, bool clear);
 411 int     pfctl_add_rule(int dev, const struct pfctl_rule *r,
 412             const char *anchor, const char *anchor_call, uint32_t ticket,
 413             uint32_t pool_ticket);
 414 int     pfctl_set_keepcounters(int dev, bool keep);
 415 int     pfctl_get_states(int dev, struct pfctl_states *states);
 416 void    pfctl_free_states(struct pfctl_states *states);
 417 int     pfctl_clear_states(int dev, const struct pfctl_kill *kill,
 418             unsigned int *killed);
 419 int     pfctl_kill_states(int dev, const struct pfctl_kill *kill,
 420             unsigned int *killed);
 421 int     pfctl_clear_rules(int dev, const char *anchorname);
 422 int     pfctl_clear_nat(int dev, const char *anchorname);
 423 int     pfctl_clear_eth_rules(int dev, const char *anchorname);
 424 int     pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
 425 int     pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
 426 int     pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 427             *addr, int size, int *nadd, int flags);
 428 int     pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 429             *addr, int size, int *ndel, int flags);
 430 int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 431             *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
 432             int flags);
 433 int     pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
 434             *addr, int *size, int flags);
 435 #endif