1/*-
2 * SPDX-License-Identifier: BSD-2-Clause
3 *
4 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 *
11 *    - Redistributions of source code must retain the above copyright
12 *      notice, this list of conditions and the following disclaimer.
13 *    - Redistributions in binary form must reproduce the above
14 *      copyright notice, this list of conditions and the following
15 *      disclaimer in the documentation and/or other materials provided
16 *      with the distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29 * POSSIBILITY OF SUCH DAMAGE.
30 */
31
32#ifndef _PFCTL_IOCTL_H_
33#define _PFCTL_IOCTL_H_
34
35#include <netpfil/pf/pf.h>
36
/*
 * Forward declarations so that rules and rulesets can point at their
 * anchor before the anchor types are fully defined further down.
 */
struct pfctl_anchor;
struct pfctl_eth_anchor;
39
/*
 * One entry of a pf status counter list.  Counters are addressed by a
 * numeric id (see the pfctl_status_*counter() accessors below) and carry
 * a human-readable name.
 */
struct pfctl_status_counter {
	uint64_t	 id;		/* counter identifier used for lookup */
	uint64_t	 counter;	/* counter value */
	char		*name;		/* counter name; NOTE(review): ownership is not visible here, presumably released by pfctl_free_status() */

	TAILQ_ENTRY(pfctl_status_counter) entry;	/* linkage in struct pfctl_status_counters */
};
/* List head for status counters; struct pfctl_status embeds four of these. */
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);
48
/*
 * Snapshot of pf's global status, returned as a pointer by
 * pfctl_get_status() / pfctl_get_status_h() and released with
 * pfctl_free_status().
 */
struct pfctl_status {
	bool		running;		/* pf is enabled */
	uint32_t	since;			/* NOTE(review): presumably a timestamp; units not visible here */
	uint32_t	debug;			/* debug level; see pfctl_set_debug() */
	uint32_t	hostid;
	uint64_t	states;			/* presumably the state table entry count */
	uint64_t	src_nodes;		/* presumably the source node count */
	char		ifname[IFNAMSIZ];	/* status interface; see pfctl_set_statusif() */
	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];	/* MD5 digest; presumably of the loaded ruleset */
	bool		syncookies_active;
	uint32_t	reass;			/* NOTE(review): reassembly setting; encoding not visible here */

	/*
	 * Variable-length counter lists, one per accessor:
	 * counters -> pfctl_status_counter(), lcounters -> pfctl_status_lcounter(),
	 * fcounters -> pfctl_status_fcounter(), scounters -> pfctl_status_scounter().
	 */
	struct pfctl_status_counters	 counters;
	struct pfctl_status_counters	 lcounters;
	struct pfctl_status_counters	 fcounters;
	struct pfctl_status_counters	 scounters;
	/* Fixed-size packet/byte counters; NOTE(review): the meaning of each index is not visible here — confirm against the implementation. */
	uint64_t	pcounters[2][2][2];
	uint64_t	bcounters[2][2];
};
68
/* Out-parameter of pfctl_get_eth_rulesets_info(). */
struct pfctl_eth_rulesets_info {
	uint32_t	nr;		/* number of Ethernet rulesets reported for the queried path */
};
72
/* Out-parameter of pfctl_get_eth_rules_info(). */
struct pfctl_eth_rules_info {
	uint32_t	nr;		/* number of rules in the ruleset */
	uint32_t	ticket;		/* ticket to hand to pfctl_get_eth_rule() */
};
77
/* Ethernet address match: an addr/mask pair that may be negated. */
struct pfctl_eth_addr {
	uint8_t	addr[ETHER_ADDR_LEN];
	uint8_t	mask[ETHER_ADDR_LEN];
	bool	neg;		/* invert the match */
	bool	isset;		/* an address was specified at all */
};
84
/*
 * Userland representation of one Ethernet (layer-2) pf rule, as read by
 * pfctl_get_eth_rule() and written by pfctl_add_eth_rule().
 * All string members are fixed-size arrays; NOTE(review): whether the
 * library guarantees NUL termination is not visible here.
 */
struct pfctl_eth_rule {
	uint32_t		 nr;		/* rule number within its ruleset */

	char			label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		ridentifier;

	bool			 quick;		/* stop evaluating on match */

	/* Filter */
	char			 ifname[IFNAMSIZ];
	uint8_t			 ifnot;		/* negate the interface match */
	uint8_t			 direction;
	uint16_t		 proto;		/* presumably the Ethertype */
	struct pfctl_eth_addr	 src, dst;	/* MAC addresses */
	struct pf_rule_addr	 ipsrc, ipdst;	/* IP addresses */
	char			 match_tagname[PF_TAG_NAME_SIZE];
	uint16_t		 match_tag;
	bool			 match_tag_not;

	/* Stats */
	uint64_t		 evaluations;
	uint64_t		 packets[2];	/* indexed by direction (assumption) */
	uint64_t		 bytes[2];
	time_t			 last_active_timestamp;

	/* Action */
	char			 qname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	uint16_t		 dnpipe;	/* dummynet pipe/queue */
	uint32_t		 dnflags;
	char			 bridge_to[IFNAMSIZ];
	uint8_t			 action;

	struct pfctl_eth_anchor	*anchor;	/* anchor this rule jumps to, if any */
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	TAILQ_ENTRY(pfctl_eth_rule)	 entries;	/* linkage in struct pfctl_eth_rules */
};
/* Ordered list of Ethernet rules; embedded in struct pfctl_eth_ruleset. */
TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);
125
/* Out-parameter of pfctl_get_eth_ruleset(): identity of one Ethernet ruleset. */
struct pfctl_eth_ruleset_info {
	uint32_t	nr;
	char		name[PF_ANCHOR_NAME_SIZE];
	char		path[MAXPATHLEN];
};
131
/* An Ethernet ruleset: its rules plus a back-pointer to the owning anchor. */
struct pfctl_eth_ruleset {
	struct pfctl_eth_rules	 rules;
	struct pfctl_eth_anchor	*anchor;
};
136
/*
 * Ethernet anchor: a named ruleset with a parent link.  Unlike struct
 * pfctl_anchor it carries no RB-tree linkage or child set.
 */
struct pfctl_eth_anchor {
	struct pfctl_eth_anchor		*parent;
	char				 name[PF_ANCHOR_NAME_SIZE];
	char				 path[MAXPATHLEN];
	struct pfctl_eth_ruleset	 ruleset;
	int				 refcnt;	/* anchor rules */
	int				 match;	/* XXX: used for pfctl black magic */
};
145
/* Address pool attached to a rule (translation / route-to targets). */
struct pfctl_pool {
	struct pf_palist	 list;		/* pool addresses */
	struct pf_pooladdr	*cur;		/* current pool entry */
	struct pf_poolhashkey	 key;
	struct pf_addr		 counter;
	struct pf_mape_portset	 mape;
	int			 tblidx;
	uint16_t		 proxy_port[2];	/* port range */
	uint8_t			 opts;
};
156
/* Out-parameter of pfctl_get_rules_info() / pfctl_get_rules_info_h(). */
struct pfctl_rules_info {
	uint32_t	nr;		/* number of rules */
	uint32_t	ticket;		/* ticket to hand to pfctl_get_rule*() / pfctl_add_rule*() */
};
161
/*
 * Userland representation of one pf filter/translation rule, as read by
 * pfctl_get_rule*() and written by pfctl_add_rule*().  String members are
 * fixed-size arrays; NOTE(review): whether the library guarantees NUL
 * termination is not visible here.
 */
struct pfctl_rule {
	struct pf_rule_addr	 src;
	struct pf_rule_addr	 dst;
	union pf_rule_ptr	 skip[PF_SKIP_COUNT];	/* skip-step pointers; NOTE(review): presumably kernel-only, confirm before using in userland */
	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		 ridentifier;
	char			 ifname[IFNAMSIZ];
	char			 qname[PF_QNAME_SIZE];
	char			 pqname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	char			 match_tagname[PF_TAG_NAME_SIZE];

	char			 overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pfctl_rule)	 entries;	/* linkage in struct pfctl_rulequeue */
	struct pfctl_pool	 rpool;

	/* Stats */
	uint64_t		 evaluations;
	uint64_t		 packets[2];	/* indexed by direction (assumption) */
	uint64_t		 bytes[2];
	time_t			 last_active_timestamp;

	/* Kernel object references; NOTE(review): not resolvable from userland, treat as opaque */
	struct pfi_kif		*kif;
	struct pfctl_anchor	*anchor;	/* anchor this rule jumps to, if any */
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		 os_fingerprint;

	int			 rtableid;
	uint32_t		 timeout[PFTM_MAX];	/* per-timeout overrides, indexed by PFTM_* */
	uint32_t		 max_states;
	uint32_t		 max_src_nodes;
	uint32_t		 max_src_states;
	uint32_t		 max_src_conn;
	struct {
		uint32_t		limit;
		uint32_t		seconds;
	}			 max_src_conn_rate;	/* connection rate limit: `limit` per `seconds` */
	uint32_t		 qid;
	uint32_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint32_t		 free_flags;
	uint32_t		 nr;		/* rule number within its ruleset */
	uint32_t		 prob;		/* probability match */
	uid_t			 cuid;		/* creating user (assumption from name) */
	pid_t			 cpid;		/* creating process (assumption from name) */

	uint64_t		 states_cur;
	uint64_t		 states_tot;
	uint64_t		 src_nodes;

	uint16_t		 return_icmp;
	uint16_t		 return_icmp6;
	uint16_t		 max_mss;
	uint16_t		 tag;
	uint16_t		 match_tag;
	uint16_t		 scrub_flags;

	struct pf_rule_uid	 uid;
	struct pf_rule_gid	 gid;

	uint32_t		 rule_flag;
	uint8_t			 action;
	uint8_t			 direction;
	uint8_t			 log;
	uint8_t			 logif;
	uint8_t			 quick;
	uint8_t			 ifnot;
	uint8_t			 match_tag_not;
	uint8_t			 natpass;

	uint8_t			 keep_state;
	sa_family_t		 af;
	uint8_t			 proto;
	uint8_t			 type;		/* ICMP type (assumption) */
	uint8_t			 code;		/* ICMP code (assumption) */
	uint8_t			 flags;		/* TCP flags to match */
	uint8_t			 flagset;	/* TCP flag mask */
	uint8_t			 min_ttl;
	uint8_t			 allow_opts;
	uint8_t			 rt;		/* route-to / reply-to / dup-to selector */
	uint8_t			 return_ttl;
	uint8_t			 tos;
	uint8_t			 set_tos;
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	uint8_t			 flush;
	uint8_t			 prio;
	uint8_t			 set_prio[2];

	struct {
		struct pf_addr		addr;
		uint16_t		port;
	}			divert;		/* divert-to target */
};
259
/* Ordered list of rules; struct pfctl_ruleset keeps two per ruleset type. */
TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);
261
/*
 * A ruleset: for each ruleset type (PF_RULESET_MAX of them) an active and
 * an inactive rule queue, so that a new set can be built while the current
 * one stays in force, plus table bookkeeping and the owning anchor.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue	 queues[2];	/* backing storage for active/inactive */
		struct {
			struct pfctl_rulequeue	*ptr;		/* points into queues[] */
			struct pfctl_rule	**ptr_array;
			uint32_t		 rcount;	/* rule count */
			uint32_t		 ticket;
			int			 open;		/* transaction open flag (assumption) */
		}			 active, inactive;
	}			 rules[PF_RULESET_MAX];
	struct pfctl_anchor	*anchor;
	uint32_t		 tticket;	/* table ticket */
	int			 tables;
	int			 topen;
};
278
/* Two RB trees over anchors: one global, one per parent (children). */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
/*
 * Anchor: a named ruleset that lives both in a global RB tree and in its
 * parent's child tree.
 */
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor)	 entry_global;	/* linkage in struct pfctl_anchor_global */
	RB_ENTRY(pfctl_anchor)	 entry_node;	/* linkage in parent's children */
	struct pfctl_anchor	*parent;
	struct pfctl_anchor_node children;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];	/* full anchor path */
	struct pfctl_ruleset	 ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};
/* Tree operations; pf_anchor_compare() is declared elsewhere. */
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);
296
/*
 * Identifies a state for kill/clear operations; mirrors the id, creatorid
 * and direction members of struct pfctl_state.
 */
struct pfctl_state_cmp {
	uint64_t	id;
	uint32_t	creatorid;
	uint8_t		direction;
};
302
/*
 * Selection criteria for pfctl_kill_states*() / pfctl_clear_states*().
 * Fixed-size string members; NOTE(review): callers should NUL-terminate
 * ifname and label, the implementation's handling of unterminated input is
 * not visible here.
 */
struct pfctl_kill {
	struct pfctl_state_cmp	cmp;		/* match a specific state by id */
	sa_family_t		af;
	int			proto;
	struct pf_rule_addr	src;
	struct pf_rule_addr	dst;
	struct pf_rule_addr	rt_addr;
	char			ifname[IFNAMSIZ];
	char			label[PF_RULE_LABEL_SIZE];
	bool			kill_match;	/* also kill the matching (reverse) states */
	bool			nat;
};
315
/* One endpoint of a state: TCP sequence tracking and peer state. */
struct pfctl_state_peer {
	uint32_t			 seqlo;
	uint32_t			 seqhi;
	uint32_t			 seqdiff;	/* sequence number modulation offset (assumption) */
	uint8_t				 state;		/* per-peer connection state */
	uint8_t				 wscale;	/* window scale */
};
323
/* Address/port pair identifying one side of a state. */
struct pfctl_state_key {
	struct pf_addr	 addr[2];	/* NOTE(review): index meaning not visible here */
	uint16_t	 port[2];
	sa_family_t	 af;
	uint8_t	 	 proto;
};
330
/*
 * Userland view of one state table entry, as delivered by pfctl_get_states()
 * or to a pfctl_get_state_fn callback.
 */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state)	entry;	/* linkage in struct pfctl_statelist */

	uint64_t		 id;
	uint32_t		 creatorid;	/* id of the host that created the state (pfsync) */
	uint8_t		 	 direction;

	struct pfctl_state_peer	 src;
	struct pfctl_state_peer	 dst;

	uint32_t		 rule;		/* rule numbers, not pointers */
	uint32_t		 anchor;
	uint32_t		 nat_rule;
	struct pf_addr		 rt_addr;
	struct pfctl_state_key	 key[2];	/* addresses stack and wire  */
	char			 ifname[IFNAMSIZ];
	char			 orig_ifname[IFNAMSIZ];
	uint64_t		 packets[2];	/* indexed by direction (assumption) */
	uint64_t		 bytes[2];
	uint32_t		 creation;
	uint32_t		 expire;
	uint32_t		 pfsync_time;
	uint16_t		 state_flags;
	uint32_t		 sync_flags;
	uint16_t		 qid;
	uint16_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint8_t			 log;
	int32_t			 rtableid;
	uint8_t			 min_ttl;
	uint8_t			 set_tos;
	uint16_t		 max_mss;
	uint8_t			 set_prio[2];
	uint8_t			 rt;
	char			 rt_ifname[IFNAMSIZ];
};
368
/* Result container for pfctl_get_states(); release with pfctl_free_states(). */
TAILQ_HEAD(pfctl_statelist, pfctl_state);
struct pfctl_states {
	struct pfctl_statelist	states;
};
373
/* SYN cookie operating modes; also used to index PFCTL_SYNCOOKIES_MODE_NAMES. */
enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
/*
 * Printable names indexed by enum pfctl_syncookies_mode.  The array bound is
 * not visible here, so only index it with a valid enumerator.
 */
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];
380
/*
 * SYN cookie configuration for pfctl_set_syncookies() / pfctl_get_syncookies().
 * NOTE(review): range checking of the percentages is not visible in this
 * header; confirm the implementation rejects values above 100.
 */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode	mode;
	uint8_t				highwater;	/* Percent */
	uint8_t				lowwater;	/* Percent */
	uint32_t			halfopen_states;	/* current half-open state count */
};
387
/* Default pf control device path, suitable as the argument to pfctl_open(). */
#define	PF_DEVICE	"/dev/pf"
389
/*
 * Opaque library handle.  pfctl_open() opens the given device (normally
 * PF_DEVICE), pfctl_close() releases the handle, and pfctl_fd() exposes the
 * underlying descriptor for the *_h-less APIs that still take an int dev.
 */
struct pfctl_handle;
struct pfctl_handle	*pfctl_open(const char *pf_device);
void	pfctl_close(struct pfctl_handle *);
int	pfctl_fd(struct pfctl_handle *);
394
/*
 * Global status API.  pfctl_get_status*() return a library-allocated
 * struct pfctl_status that must be handed back to pfctl_free_status(); the
 * pfctl_status_*counter() accessors look a counter up by id in the
 * corresponding list of that status.  NOTE(review): the value returned for
 * an unknown id is not visible here.
 */
int	pfctl_startstop(struct pfctl_handle *h, int start);	/* start != 0 enables pf */
struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
struct pfctl_status* pfctl_get_status(int dev);
int	pfctl_clear_status(struct pfctl_handle *h);
uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
void	pfctl_free_status(struct pfctl_status *status);
404
/*
 * Ethernet ruleset API.  All functions return 0 on success and non-zero on
 * error (assumption from the int return; confirm against the implementation).
 * NOTE(review): pfctl_get_eth_rule() writes into anchor_call without a
 * length argument; the required capacity is fixed by the implementation
 * and is not visible here — size the buffer accordingly.
 */
int	pfctl_get_eth_rulesets_info(int dev,
	    struct pfctl_eth_rulesets_info *ri, const char *path);
int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
	    struct pfctl_eth_ruleset_info *ri);
int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
	    const char *path);
int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *path, struct pfctl_eth_rule *rule, bool clear,
	    char *anchor_call);	/* clear: reset the rule's counters after reading */
int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket);
/*
 * Rule API.  Each operation exists in an int-dev form and a *_h form taking
 * a struct pfctl_handle.  The ticket comes from pfctl_get_rules_info*();
 * the pool_ticket for pfctl_add_rule*() is obtained elsewhere.
 * NOTE(review): the pfctl_get_*rule*() functions write into anchor_call
 * without a length argument; the required capacity is fixed by the
 * implementation and not visible here — size the buffer accordingly.
 */
int	pfctl_get_rules_info_h(struct pfctl_handle *h,
	    struct pfctl_rules_info *rules, uint32_t ruleset,
	    const char *path);
int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
	    uint32_t ruleset, const char *path);
int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
/* Same as pfctl_get_rule*(), optionally clearing the rule's counters. */
int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_set_keepcounters(int dev, bool keep);
/* NOTE(review): len is presumably in/out (capacity in, count out) — confirm before relying on it. */
int	pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);
441
/* Filter for pfctl_get_filtered_states_iter(): restrict by interface, protocol, family and address/mask. */
struct pfctl_state_filter {
	char			ifname[IFNAMSIZ];
	uint16_t		proto;
	sa_family_t		af;
	struct pf_addr		addr;
	struct pf_addr		mask;
};
/*
 * Callback-style state iteration: f is invoked once per state with arg
 * passed through.  NOTE(review): the effect of a non-zero return from f
 * (stop iteration?) is not visible here — confirm against the implementation.
 */
typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
/*
 * State table API.  pfctl_get_states() fills a caller-provided container
 * that must be released with pfctl_free_states().  The kill/clear calls
 * select states via struct pfctl_kill and report the number removed in
 * *killed.
 */
int	pfctl_get_states(int dev, struct pfctl_states *states);
void	pfctl_free_states(struct pfctl_states *states);
int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
/* Flush an anchor's rules / NAT rules / Ethernet rules, and SYN cookie settings. */
int	pfctl_clear_rules(int dev, const char *anchorname);
int	pfctl_clear_nat(int dev, const char *anchorname);
int	pfctl_clear_eth_rules(int dev, const char *anchorname);
int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address API.  size counts entries in addr; nadd/ndel/nchange
 * receive the number of entries affected.  For pfctl_table_get_addrs(),
 * *size is presumably the buffer capacity on input and the count on
 * output (confirm).  NOTE(review): size is a signed int; negative values
 * are never meaningful, and whether the implementation rejects them is not
 * visible here.
 */
int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *nadd, int flags);
int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *ndel, int flags);
int     pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
	    int flags);
int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int *size, int flags);
/* Set the status interface reported in struct pfctl_status::ifname. */
int	pfctl_set_statusif(struct pfctl_handle *h, const char *ifname);
477
/* Lookup key for pfctl_natlook(): the connection tuple to translate. */
struct pfctl_natlook_key {
	sa_family_t af;
	uint8_t direction;
	uint8_t proto;
	struct pf_addr saddr;
	struct pf_addr daddr;
	uint16_t sport;
	uint16_t dport;
};
/* Result of pfctl_natlook(): the translated address/port pair. */
struct pfctl_natlook {
	struct pf_addr saddr;
	struct pf_addr daddr;
	uint16_t sport;
	uint16_t dport;
};
/* Query the NAT mapping for k into r; pfctl_set_debug() sets the pf debug level. */
int	pfctl_natlook(struct pfctl_handle *h,
	    const struct pfctl_natlook_key *k, struct pfctl_natlook *r);
int	pfctl_set_debug(struct pfctl_handle *h, uint32_t level);
496
497#endif
498