1 /*- 2 * SPDX-License-Identifier: BSD-2-Clause 3 * 4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate) 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 11 * - Redistributions of source code must retain the above copyright 12 * notice, this list of conditions and the following disclaimer. 13 * - Redistributions in binary form must reproduce the above 14 * copyright notice, this list of conditions and the following 15 * disclaimer in the documentation and/or other materials provided 16 * with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 29 * POSSIBILITY OF SUCH DAMAGE. 
*/

#ifndef _PFCTL_IOCTL_H_
#define _PFCTL_IOCTL_H_

#include <netpfil/pf/pf.h>

/*
 * Userland view of pf(4) objects as handled by libpfctl.  The structures
 * below are what the pfctl_*() functions declared at the end of this
 * header fill in or consume.  Every fixed-size char array in them holds a
 * NUL-terminated string and nothing records a separate length, so code
 * that fills one from configuration input must bound the copy to the
 * member's size (strlcpy/snprintf), never strcpy.
 */

/*
 * Forward declaration: pfctl_rule and pfctl_ruleset point at anchors
 * before struct pfctl_anchor itself is defined further down.
 */
struct pfctl_anchor;

/*
 * One named status counter.  Counters live in the TAILQs hanging off
 * struct pfctl_status and are looked up by id through
 * pfctl_status_counter() and its l/f/s variants.
 */
struct pfctl_status_counter {
	uint64_t id;		/* lookup key for pfctl_status_*counter() */
	uint64_t counter;	/* current value */
	char *name;		/* human-readable name; presumably allocated by
				 * pfctl_get_status() and released by
				 * pfctl_free_status() -- confirm in libpfctl */

	TAILQ_ENTRY(pfctl_status_counter) entry;	/* list linkage */
};
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);

/*
 * Global pf status as returned by pfctl_get_status().  Must be released
 * with pfctl_free_status(), which also takes care of the counter lists.
 */
struct pfctl_status {
	bool running;			/* is pf enabled */
	uint32_t since;			/* timestamp of the last status change;
					 * epoch/units not defined in this header */
	uint32_t debug;			/* debug level */
	uint32_t hostid;
	uint64_t states;		/* number of state entries */
	uint64_t src_nodes;		/* number of source-tracking nodes */
	char ifname[IFNAMSIZ];		/* interface name, NUL-terminated
					 * (presumably the log interface) */
	uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];	/* MD5 digest, presumably
							 * of the loaded ruleset */
	bool syncookies_active;

	/*
	 * Counter lists, searched by id with pfctl_status_counter(),
	 * pfctl_status_lcounter(), pfctl_status_fcounter() and
	 * pfctl_status_scounter() respectively.
	 */
	struct pfctl_status_counters counters;
	struct pfctl_status_counters lcounters;
	struct pfctl_status_counters fcounters;
	struct pfctl_status_counters scounters;
	/*
	 * Packet and byte counters.  The meaning of each index is not
	 * defined here; NOTE(review): presumably [af][dir][action] and
	 * [af][dir] as in the kernel -- confirm before indexing.
	 */
	uint64_t pcounters[2][2][2];
	uint64_t bcounters[2][2];
};

/*
 * Address pool attached to a rule (pfctl_rule.rpool).  The member types
 * come from <netpfil/pf/pf.h>.
 */
struct pfctl_pool {
	struct pf_palist list;		/* pool addresses */
	struct pf_pooladdr *cur;	/* current position in the list */
	struct pf_poolhashkey key;
	struct pf_addr counter;
	struct pf_mape_portset mape;
	int tblidx;
	uint16_t proxy_port[2];		/* port range, [0]..[1] */
	uint8_t opts;			/* PF_POOL_* option bits */
};

/*
 * Result of pfctl_get_rules_info(): the rule count of a ruleset (nr, by
 * name) and the ticket that is subsequently handed to pfctl_get_rule().
 */
struct pfctl_rules_info {
	uint32_t nr;
	uint32_t ticket;
};

/*
 * One pf rule as seen from userland.  Filled by pfctl_get_rule() /
 * pfctl_get_clear_rule() and consumed by pfctl_add_rule().
 *
 * NOTE(review): whether the kernel ABI depends on this exact layout is
 * not visible here; if libpfctl ever copies this struct wholesale rather
 * than field by field, member order and types must stay in sync with
 * the kernel side.
 */
struct pfctl_rule {
	struct pf_rule_addr src;	/* source address/port match */
	struct pf_rule_addr dst;	/* destination address/port match */
	union pf_rule_ptr skip[PF_SKIP_COUNT];	/* skip-step pointers */
	char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];	/* labels,
						 * each NUL-terminated */
	uint32_t ridentifier;
	char ifname[IFNAMSIZ];		/* "on <ifname>" */
	char qname[PF_QNAME_SIZE];	/* queue name */
	char pqname[PF_QNAME_SIZE];	/* priority queue name */
	char tagname[PF_TAG_NAME_SIZE];		/* tag to set */
	char match_tagname[PF_TAG_NAME_SIZE];	/* tag to match */

	char overload_tblname[PF_TABLE_NAME_SIZE];	/* overload table name */

	TAILQ_ENTRY(pfctl_rule) entries;	/* ruleset queue linkage */
	struct pfctl_pool rpool;		/* address pool for this rule */

	uint64_t evaluations;		/* times the rule was evaluated */
	uint64_t packets[2];		/* per-direction packet counters */
	uint64_t bytes[2];		/* per-direction byte counters */

	/*
	 * kif and overload_tbl are kernel-side types; NOTE(review): they
	 * are presumably not dereferenced from userland -- confirm.
	 */
	struct pfi_kif *kif;
	struct pfctl_anchor *anchor;		/* anchor this rule belongs to */
	struct pfr_ktable *overload_tbl;

	pf_osfp_t os_fingerprint;	/* OS fingerprint to match */

	int rtableid;			/* routing table, -1 presumably = none */
	uint32_t timeout[PFTM_MAX];	/* per-timeout overrides */
	uint32_t max_states;
	uint32_t max_src_nodes;
	uint32_t max_src_states;
	uint32_t max_src_conn;
	struct {
		uint32_t limit;		/* connections ... */
		uint32_t seconds;	/* ... per this many seconds */
	} max_src_conn_rate;
	uint32_t qid;			/* queue id */
	uint32_t pqid;			/* priority queue id */
	uint32_t nr;			/* rule number within its ruleset */
	uint32_t prob;			/* probability match (0 = disabled) */
	uid_t cuid;			/* uid/pid of the creator, by name */
	pid_t cpid;

	uint64_t states_cur;		/* current states created by the rule */
	uint64_t states_tot;		/* total states ever created */
	uint64_t src_nodes;		/* source nodes created */

	uint16_t return_icmp;		/* ICMP type/code for "return-icmp" */
	uint16_t return_icmp6;
	uint16_t max_mss;
	uint16_t tag;			/* numeric form of tagname */
	uint16_t match_tag;		/* numeric form of match_tagname */
	uint16_t scrub_flags;

	struct pf_rule_uid uid;		/* "user" match */
	struct pf_rule_gid gid;		/* "group" match */

	uint32_t rule_flag;		/* PFRULE_* flags */
	uint8_t action;			/* PF_PASS, PF_DROP, ... */
	uint8_t direction;		/* PF_IN / PF_OUT */
	uint8_t log;			/* log options */
	uint8_t logif;			/* pflog interface index */
	uint8_t quick;
	uint8_t ifnot;			/* "on ! <ifname>" */
	uint8_t match_tag_not;		/* "! tagged" */
	uint8_t natpass;

	uint8_t keep_state;		/* state-keeping mode */
	sa_family_t af;			/* address family, 0 = any */
	uint8_t proto;			/* IP protocol, 0 = any */
	uint8_t type;			/* ICMP type */
	uint8_t code;			/* ICMP code */
	uint8_t flags;			/* TCP flags to match ... */
	uint8_t flagset;		/* ... out of this set */
	uint8_t min_ttl;
	uint8_t allow_opts;
	uint8_t rt;			/* route-to / reply-to / dup-to selector */
	uint8_t return_ttl;
	uint8_t tos;
	uint8_t set_tos;
	uint8_t anchor_relative;	/* anchor call is relative */
	uint8_t anchor_wildcard;	/* anchor call ends in "*" */

	uint8_t flush;
	uint8_t prio;			/* priority to match */
	uint8_t set_prio[2];		/* priority to set (normal, low-delay) */

	struct {
		struct pf_addr addr;	/* divert-to target */
		uint16_t port;
	} divert;
};

TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);

/*
 * A ruleset: for each ruleset type (PF_RULESET_MAX of them) an active and
 * an inactive queue of rules, plus the ticket/open bookkeeping used when
 * loading.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue queues[2];	/* backing storage for
							 * active/inactive ptr */
		struct {
			struct pfctl_rulequeue *ptr;	/* one of queues[] */
			struct pfctl_rule **ptr_array;	/* rules as an array */
			uint32_t rcount;		/* number of rules */
			uint32_t ticket;		/* transaction ticket */
			int open;			/* transaction open */
		} active, inactive;
	} rules[PF_RULESET_MAX];
	struct pfctl_anchor *anchor;	/* owning anchor */
	uint32_t tticket;		/* table ticket */
	int tables;			/* number of tables */
	int topen;			/* table transaction open */
};

RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
/*
 * An anchor: a named node in the anchor tree carrying its own ruleset.
 * Anchors are kept both in a global tree (entry_global) and in their
 * parent's children tree (entry_node).
 */
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor) entry_global;	/* global tree linkage */
	RB_ENTRY(pfctl_anchor) entry_node;	/* parent's children linkage */
	struct pfctl_anchor *parent;		/* NULL presumably = root */
	struct pfctl_anchor_node children;	/* sub-anchors */
	char name[PF_ANCHOR_NAME_SIZE];		/* last path component */
	char path[MAXPATHLEN];			/* full anchor path */
	struct pfctl_ruleset ruleset;		/* rules of this anchor */
	int refcnt; /* anchor rules */
	int match; /* XXX: used for pfctl black magic */
};
/*
 * Red-black tree operation prototypes for the two anchor trees.  The
 * comparator pf_anchor_compare is not declared in this header.
 */
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);

/* Identity of a single state, as used by pfctl_kill.cmp. */
struct pfctl_state_cmp {
	uint64_t id;		/* state id */
	uint32_t creatorid;	/* id of the creating host (pfsync) */
	uint8_t direction;	/* PF_IN / PF_OUT */
};

/*
 * Selector for pfctl_clear_states() and pfctl_kill_states(): which
 * states to act on.  Which members are honoured by which call is decided
 * in the implementation, not here.
 */
struct pfctl_kill {
	struct pfctl_state_cmp cmp;	/* exact state identity */
	sa_family_t af;			/* address family, 0 presumably = any */
	int proto;			/* IP protocol */
	struct pf_rule_addr src;	/* source match */
	struct pf_rule_addr dst;	/* destination match */
	struct pf_rule_addr rt_addr;	/* route-to address match */
	char ifname[IFNAMSIZ];		/* interface name, NUL-terminated */
	char label[PF_RULE_LABEL_SIZE];	/* rule label, NUL-terminated */
	bool kill_match;		/* also kill the matching reverse states */
};

/* TCP sequence tracking for one side of a state. */
struct pfctl_state_peer {
	uint32_t seqlo;		/* lowest acceptable sequence number */
	uint32_t seqhi;		/* highest acceptable sequence number */
	uint32_t seqdiff;	/* sequence modulation offset */
	uint8_t state;		/* TCP state (TCPS_*) */
	uint8_t wscale;		/* window scale factor */
};

/* Address/port pair identifying one side of a state. */
struct pfctl_state_key {
	struct pf_addr addr[2];	/* [0], [1]: the two endpoints */
	uint16_t port[2];
	sa_family_t af;		/* address family of addr[] */
	uint8_t proto;		/* IP protocol */
};

/*
 * One state entry, as listed by pfctl_get_states().  Entries are linked
 * into pfctl_states.states and released by pfctl_free_states().
 */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state) entry;	/* list linkage */

	uint64_t id;			/* state id */
	uint32_t creatorid;		/* creating host id (pfsync) */
	uint8_t direction;		/* PF_IN / PF_OUT */

	struct pfctl_state_peer src;	/* sequence tracking, source side */
	struct pfctl_state_peer dst;	/* sequence tracking, destination side */

	uint32_t rule;			/* number of the matching rule */
	uint32_t anchor;		/* number of the anchor rule */
	uint32_t nat_rule;		/* number of the nat rule */
	struct pf_addr rt_addr;		/* route-to address */
	struct pfctl_state_key key[2]; /* addresses stack and wire */
	char ifname[IFNAMSIZ];		/* interface, NUL-terminated */
	char orig_ifname[IFNAMSIZ];	/* original interface, NUL-terminated */
	uint64_t packets[2];		/* per-direction packet counters */
	uint64_t bytes[2];		/* per-direction byte counters */
	uint32_t creation;		/* creation time */
	uint32_t expire;		/* expiry time */
	uint32_t pfsync_time;		/* last pfsync update */
	uint8_t state_flags;		/* PFSTATE_* flags */
	uint32_t sync_flags;		/* pfsync flags */
};

TAILQ_HEAD(pfctl_statelist, pfctl_state);
/* Result container for pfctl_get_states(); release with pfctl_free_states(). */
struct pfctl_states {
	struct pfctl_statelist states;
};

/* SYN cookie operating modes; indexes PFCTL_SYNCOOKIES_MODE_NAMES. */
enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
/*
 * Printable names for enum pfctl_syncookies_mode, defined elsewhere.  The
 * declaration carries no length: only ever index it with a value of the
 * enum above (three entries), never with a raw integer from user input.
 */
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];

/* SYN cookie configuration for pfctl_set_syncookies()/pfctl_get_syncookies(). */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode mode;
	uint8_t highwater; /* Percent */
	uint8_t lowwater; /* Percent */
	uint32_t halfopen_states;	/* current number of half-open states */
};

/*
 * libpfctl API.  In every call `dev' is the descriptor the pf ioctls are
 * issued on (presumably an open /dev/pf).  The int-returning functions
 * return 0 on success and a non-zero error on failure; whether that is an
 * errno value or something else is not visible in this header -- check the
 * implementation before interpreting it.
 */

/* Fetch the global status.  Returns NULL on failure, otherwise an object
 * that must be released with pfctl_free_status(). */
struct pfctl_status* pfctl_get_status(int dev);
/* Look up a counter by id in status->counters / lcounters / fcounters /
 * scounters.  What is returned for an unknown id is decided by the
 * implementation, not here. */
uint64_t
pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
/* Release a status returned by pfctl_get_status(), counter lists included. */
void pfctl_free_status(struct pfctl_status *status);

/* Query rule count and ticket for the ruleset of type `ruleset' under
 * anchor `path'; results land in *rules. */
int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
    uint32_t ruleset, const char *path);
/*
 * Fetch rule number `nr' of the given anchor/ruleset using the ticket from
 * pfctl_get_rules_info().  `anchor_call' is a caller-supplied output
 * buffer for the called anchor path; its required capacity is not
 * expressed by the prototype.  NOTE(review): likely MAXPATHLEN, matching
 * pfctl_anchor.path -- confirm against libpfctl before sizing it smaller.
 */
int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call);
/* As pfctl_get_rule(); with `clear' set, the rule's counters are reset as
 * part of the fetch.  Same anchor_call sizing caveat applies. */
int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call, bool clear);
/* Add rule `r' to `anchor' (calling `anchor_call') within the transaction
 * identified by `ticket' / `pool_ticket'. */
int pfctl_add_rule(int dev, const struct pfctl_rule *r,
    const char *anchor, const char *anchor_call, uint32_t ticket,
    uint32_t pool_ticket);
/* Toggle preservation of rule counters across ruleset reloads. */
int pfctl_set_keepcounters(int dev, bool keep);
/* List all states into *states; release with pfctl_free_states(). */
int pfctl_get_states(int dev, struct pfctl_states *states);
void pfctl_free_states(struct pfctl_states *states);
/* Remove states selected by *kill; the number affected is stored in
 * *killed.  The two calls differ in which selector fields they honour
 * (decided in the implementation). */
int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
    unsigned int *killed);
int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
    unsigned int *killed);
/* Flush the filter rules / nat rules of the named anchor. */
int pfctl_clear_rules(int dev, const char *anchorname);
int pfctl_clear_nat(int dev, const char *anchorname);
/* Set / read the SYN cookie configuration. */
int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address manipulation.  `addr' points at `size' entries; `size' is
 * a signed int, so callers must ensure it is non-negative and matches the
 * actual array length -- the library cannot check that.  *nadd/*ndel/
 * *nchange receive the number of entries added/deleted/changed; `flags'
 * are PFR_FLAG_* values from pf.h.
 */
int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *nadd, int flags);
int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *ndel, int flags);
/* Replace the table contents with addr[0..size); *size2 is an additional
 * output whose meaning is defined by the implementation. */
int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
    int flags);
/* Read table contents into addr[]; *size is the capacity on input.  What
 * it holds on output (entries written, or entries available when the
 * buffer was too small) is decided by the implementation -- check it
 * before trusting the array beyond the input capacity. */
int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int *size, int flags);
#endif