/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * - Redistributions of source code must retain the above copyright
 *   notice, this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above
 *   copyright notice, this list of conditions and the following
 *   disclaimer in the documentation and/or other materials provided
 *   with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * libpfctl public interface.
 *
 * The structs in this header are the library's userland copies of pf(4)
 * objects (status, rules, anchors, states, source nodes, limiters).  The
 * prototypes come in two families: older ones taking a raw descriptor
 * ("int dev") and newer ones taking an opaque struct pfctl_handle
 * (suffixed "_h").  The int-returning wrappers appear to follow the
 * 0-on-success / non-zero-error convention; confirm against libpfctl.c
 * before relying on a specific error value.
 */

#ifndef _PFCTL_IOCTL_H_
#define _PFCTL_IOCTL_H_

/*
 * Brings in the PF_* size constants and pf_* / pfr_* types used below.
 * NOTE(review): TAILQ_*/RB_* (sys/queue.h, sys/tree.h), IFNAMSIZ
 * (net/if.h), MAXPATHLEN (sys/param.h), bool and the fixed-width integer
 * types are relied on transitively; nothing else is included directly.
 */
#include <netpfil/pf/pf.h>

/* Forward declarations; both structs are defined further down. */
struct pfctl_anchor;
struct pfctl_eth_anchor;

/*
 * One named counter from a status snapshot.  Looked up by id through the
 * pfctl_status_*counter() accessors.  name is a char pointer; it is
 * presumably allocated with the snapshot and released by
 * pfctl_free_status() — confirm against libpfctl.c.
 */
struct pfctl_status_counter {
	uint64_t id;
	uint64_t counter;
	char *name;

	TAILQ_ENTRY(pfctl_status_counter) entry;
};
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);

/*
 * Snapshot of pf's global status, filled by pfctl_get_status() /
 * pfctl_get_status_h() and released with pfctl_free_status().
 */
struct pfctl_status {
	bool running;
	uint32_t since;
	uint32_t debug;		/* debug level; see pfctl_set_debug() */
	uint32_t hostid;
	uint64_t states;	/* current state count */
	uint64_t src_nodes;	/* current source-node count */
	char ifname[IFNAMSIZ];	/* status interface; see pfctl_set_statusif() */
	uint8_t pf_chksum[PF_MD5_DIGEST_LENGTH];	/* MD5 digest, presumably of the loaded ruleset */
	bool syncookies_active;
	uint32_t reass;

	/*
	 * Named counter lists.  The first four have lookup accessors below
	 * (pfctl_status_counter/lcounter/fcounter/scounter); no accessor for
	 * ncounters is declared in this header.
	 */
	struct pfctl_status_counters counters;
	struct pfctl_status_counters lcounters;
	struct pfctl_status_counters fcounters;
	struct pfctl_status_counters scounters;
	struct pfctl_status_counters ncounters;
	uint64_t fragments;
	/* Packet/byte counters; index meaning is not fixed here — confirm the order against libpfctl.c. */
	uint64_t pcounters[2][2][2];
	uint64_t bcounters[2][2];
};

/* Count of ethernet rulesets under a path; see pfctl_get_eth_rulesets_info(). */
struct pfctl_eth_rulesets_info {
	uint32_t nr;
};

/* Rule count and ticket for an ethernet ruleset; see pfctl_get_eth_rules_info(). */
struct pfctl_eth_rules_info {
	uint32_t nr;
	uint32_t ticket;
};

/* Masked MAC address match; neg inverts, isset says whether it applies. */
struct pfctl_eth_addr {
	uint8_t addr[ETHER_ADDR_LEN];
	uint8_t mask[ETHER_ADDR_LEN];
	bool neg;
	bool isset;
};

/* Userland copy of one ethernet-layer rule. */
struct pfctl_eth_rule {
	uint32_t nr;

	char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t ridentifier;

	bool quick;

	/* Filter */
	char ifname[IFNAMSIZ];
	uint8_t ifnot;
	uint8_t direction;
	uint16_t proto;
	struct pfctl_eth_addr src, dst;
	struct pf_rule_addr ipsrc, ipdst;
	char match_tagname[PF_TAG_NAME_SIZE];
	uint16_t match_tag;
	bool match_tag_not;

	/* Stats */
	uint64_t evaluations;
	uint64_t packets[2];
	uint64_t bytes[2];
	time_t last_active_timestamp;

	/* Action */
	char qname[PF_QNAME_SIZE];
	char tagname[PF_TAG_NAME_SIZE];
	uint16_t dnpipe;
	uint32_t dnflags;
	char bridge_to[IFNAMSIZ];
	uint8_t action;

	/* Anchor this rule calls into, if any. */
	struct pfctl_eth_anchor *anchor;
	uint8_t anchor_relative;
	uint8_t anchor_wildcard;

	TAILQ_ENTRY(pfctl_eth_rule) entries;
};
TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);

/* Identity of one ethernet ruleset; see pfctl_get_eth_ruleset(). */
struct pfctl_eth_ruleset_info {
	uint32_t nr;
	char name[PF_ANCHOR_NAME_SIZE];
	char path[MAXPATHLEN];
};

struct pfctl_eth_ruleset {
	struct pfctl_eth_rules rules;
	struct pfctl_eth_anchor *anchor;
};

/* Node in the ethernet anchor tree; mirrors struct pfctl_anchor below. */
struct pfctl_eth_anchor {
	struct pfctl_eth_anchor *parent;
	char name[PF_ANCHOR_NAME_SIZE];
	char path[MAXPATHLEN];
	struct pfctl_eth_ruleset ruleset;
	int refcnt; /* anchor rules */
	int match; /* XXX: used for pfctl black magic */
};

/* One address in a rule's nat/rdr/route pool. */
struct pfctl_pooladdr {
	struct pf_addr_wrap addr;
	TAILQ_ENTRY(pfctl_pooladdr) entries;
	char ifname[IFNAMSIZ];
	sa_family_t af;
};

TAILQ_HEAD(pfctl_palist, pfctl_pooladdr);

/* Address pool attached to a rule (see the nat/rdr/route members of struct pfctl_rule). */
struct pfctl_pool {
	struct pfctl_palist list;
	struct pfctl_pooladdr *cur;
	struct pf_poolhashkey key;
	struct pf_addr counter;
	struct pf_mape_portset mape;
	int tblidx;
	uint16_t proxy_port[2];
	uint8_t opts;
};

/* Rule count and ticket for a ruleset; see pfctl_get_rules_info(). */
struct pfctl_rules_info {
	uint32_t nr;
	uint32_t ticket;
};

/* Rate threshold: limit events per seconds, plus the kernel's running count/last. */
struct pfctl_threshold {
	uint32_t limit;
	uint32_t seconds;
	uint32_t count;
	uint32_t last;
};

/*
 * Userland copy of one pf rule.  Filled by pfctl_get_rule*() and
 * consumed by pfctl_add_rule*().  Field semantics follow the kernel's
 * pf rule; only the members whose role is visible here are annotated.
 */
struct pfctl_rule {
	struct pf_rule_addr src;
	struct pf_rule_addr dst;
	union pf_rule_ptr skip[PF_SKIP_COUNT];
	char label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t ridentifier;
	char ifname[IFNAMSIZ];
	char qname[PF_QNAME_SIZE];
	char pqname[PF_QNAME_SIZE];
	char tagname[PF_TAG_NAME_SIZE];
	char match_tagname[PF_TAG_NAME_SIZE];

	char overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pfctl_rule) entries;
	struct pfctl_pool nat;
	union {
		/* Alias old and new names. */
		struct pfctl_pool rpool;
		struct pfctl_pool rdr;
	};
	struct pfctl_pool route;
	struct pfctl_threshold pktrate;

	/* Stats */
	uint64_t evaluations;
	uint64_t packets[2];
	uint64_t bytes[2];
	time_t last_active_timestamp;

	struct pfi_kif *kif;
	struct pfctl_anchor *anchor;
	struct pfr_ktable *overload_tbl;

	pf_osfp_t os_fingerprint;

	int rtableid;
	uint32_t timeout[PFTM_MAX];	/* per-timeout-type seconds; see pfctl_set_timeout() */
	uint32_t max_states;
	uint32_t max_src_nodes;
	uint32_t max_src_states;
	uint32_t max_src_conn;
	struct {
		uint32_t limit;
		uint32_t seconds;
	} max_src_conn_rate;
	uint16_t max_pkt_size;
	uint32_t qid;
	uint32_t pqid;
	uint16_t dnpipe;
	uint16_t dnrpipe;
	uint32_t free_flags;
	uint32_t nr;
	uint32_t prob;
	uid_t cuid;
	pid_t cpid;

	uint64_t states_cur;
	uint64_t states_tot;
	uint64_t src_nodes;
	uint64_t src_nodes_type[PF_SN_MAX];

	uint16_t return_icmp;
	uint16_t return_icmp6;
	uint16_t max_mss;
	uint16_t tag;
	uint16_t match_tag;
	uint16_t scrub_flags;

	struct pf_rule_uid uid;
	struct pf_rule_gid gid;
	char rcv_ifname[IFNAMSIZ];
	bool rcvifnot;
	/* State/source limiter bindings; id refers to struct pfctl_state_lim / pfctl_source_lim below. */
	struct {
		uint8_t id;
		int limiter_action;
	} statelim;
	struct {
		uint8_t id;
		int limiter_action;
	} sourcelim;

	uint32_t rule_flag;
	uint8_t action;
	uint8_t direction;
	uint8_t log;
	uint8_t logif;
	uint8_t quick;
	uint8_t ifnot;
	uint8_t match_tag_not;
	uint8_t natpass;

	uint8_t keep_state;
	sa_family_t af;
	uint8_t proto;
	uint16_t type;
	uint16_t code;
	uint8_t flags;
	uint8_t flagset;
	uint8_t min_ttl;
	uint8_t allow_opts;
	uint8_t rt;
	uint8_t return_ttl;
	uint8_t tos;
	uint8_t set_tos;
	uint8_t anchor_relative;
	uint8_t anchor_wildcard;

	uint8_t flush;
	uint8_t prio;
	uint8_t set_prio[2];
	sa_family_t naf;

	struct {
		struct pf_addr addr;
		uint16_t port;
	} divert;

	time_t exptime;
};

TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);

/*
 * Rules of one anchor, grouped per ruleset type (PF_RULESET_MAX slots).
 * Each slot holds two queues and an active/inactive descriptor pair,
 * which is how pf stages a new ruleset (inactive) before committing it.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue queues[2];
		struct {
			struct pfctl_rulequeue *ptr;
			struct pfctl_rule **ptr_array;
			uint32_t rcount;
			uint32_t ticket;
			int open;
		} active, inactive;
	} rules[PF_RULESET_MAX];
	struct pfctl_anchor *anchor;
	uint32_t tticket;
	int tables;
	int topen;
};

/* Anchor tree: a global red-black index plus per-parent child trees. */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor) entry_global;
	RB_ENTRY(pfctl_anchor) entry_node;
	struct pfctl_anchor *parent;
	struct pfctl_anchor_node children;
	char name[PF_ANCHOR_NAME_SIZE];
	char path[MAXPATHLEN];
	struct pfctl_ruleset ruleset;
	int refcnt; /* anchor rules */
	int match; /* XXX: used for pfctl black magic */
};
/* pf_anchor_compare() is the ordering function; it is not declared in this header. */
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);

/* Identity of a state (id + creator) as used for targeted kills. */
struct pfctl_state_cmp {
	uint64_t id;
	uint32_t creatorid;
	uint8_t direction;
};

/*
 * Selector for pfctl_clear_states*() / pfctl_kill_states*().  Which
 * members must match, and how kill_match and nat widen the selection, is
 * decided by the kernel; confirm against libpfctl.c / pf_ioctl.c.
 */
struct pfctl_kill {
	struct pfctl_state_cmp cmp;
	sa_family_t af;
	int proto;
	struct pf_rule_addr src;
	struct pf_rule_addr dst;
	struct pf_rule_addr rt_addr;
	char ifname[IFNAMSIZ];
	char label[PF_RULE_LABEL_SIZE];
	bool kill_match;
	bool nat;
};

/* One direction of a (TCP) state: sequence window and connection state. */
struct pfctl_state_peer {
	uint32_t seqlo;
	uint32_t seqhi;
	uint32_t seqdiff;
	uint8_t state;
	uint8_t wscale;
};

struct pfctl_state_key {
	struct pf_addr addr[2];
	uint16_t port[2];
	sa_family_t af;
	uint8_t proto;
};

/* Userland copy of one pf state entry, as delivered to pfctl_get_state_fn callbacks. */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state) entry;

	uint64_t id;
	uint32_t creatorid;
	uint8_t direction;

	struct pfctl_state_peer src;
	struct pfctl_state_peer dst;

	uint32_t rule;
	uint32_t anchor;
	uint32_t nat_rule;
	struct pf_addr rt_addr;
	struct pfctl_state_key key[2]; /* addresses stack and wire */
	char ifname[IFNAMSIZ];
	char orig_ifname[IFNAMSIZ];
	uint64_t packets[2];
	uint64_t bytes[2];
	uint32_t creation;
	uint32_t expire;
	uint32_t pfsync_time;
	uint16_t state_flags;
	uint32_t sync_flags;
	uint16_t qid;
	uint16_t pqid;
	uint16_t dnpipe;
	uint16_t dnrpipe;
	uint8_t log;
	int32_t rtableid;
	uint8_t min_ttl;
	uint8_t set_tos;
	uint16_t max_mss;
	uint8_t set_prio[2];
	uint8_t rt;
	char rt_ifname[IFNAMSIZ];
	sa_family_t rt_af;
	uint8_t src_node_flags;
};

TAILQ_HEAD(pfctl_statelist, pfctl_state);
/* Result container for pfctl_get_states(); release with pfctl_free_states(). */
struct pfctl_states {
	struct pfctl_statelist states;
};

enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
/* Printable mode names, presumably indexed by enum pfctl_syncookies_mode. */
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];

/* SYN cookie configuration; see pfctl_set_syncookies() / pfctl_get_syncookies(). */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode mode;
	uint8_t highwater; /* Percent */
	uint8_t lowwater; /* Percent */
	uint32_t halfopen_states;
};

/* Userland copy of one source-tracking node, as delivered to pfctl_get_srcnode_fn callbacks. */
struct pfctl_src_node {
	struct pf_addr addr;
	struct pf_addr raddr;
	int rule;
	uint64_t bytes[2];
	uint64_t packets[2];
	uint32_t states;
	uint32_t conn;
	sa_family_t af;
	sa_family_t raf;
	uint8_t ruletype;
	uint64_t creation;
	uint64_t expire;
	struct pfctl_threshold conn_rate;
	pf_sn_types_t type;
};

/* Default path of the pf control device; the usual argument to pfctl_open(). */
#define PF_DEVICE "/dev/pf"

/*
 * Opaque library handle.  Obtain with pfctl_open(), release with
 * pfctl_close().  The _h functions below take it; the int dev functions
 * take a raw descriptor instead.
 */
struct pfctl_handle;
/* Open the control device at pf_device (normally PF_DEVICE). Failure signalling is not fixed here — confirm whether NULL is returned. */
struct pfctl_handle *pfctl_open(const char *pf_device);
void pfctl_close(struct pfctl_handle *);
/* Descriptor behind the handle, presumably for use with the int dev functions. */
int pfctl_fd(struct pfctl_handle *);

/* Start (start != 0) or stop pf — per the parameter name; confirm the exact encoding. */
int pfctl_startstop(struct pfctl_handle *h, int start);
/*
 * Status snapshot.  The returned object is owned by the caller and must
 * be released with pfctl_free_status().  The *counter accessors look up
 * a counter by id in the corresponding list of the snapshot.
 */
struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
struct pfctl_status* pfctl_get_status(int dev);
int pfctl_clear_status(struct pfctl_handle *h);
uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
void pfctl_free_status(struct pfctl_status *status);

/*
 * Ethernet rules.  path names the ethernet anchor; nr/ticket come from
 * the matching *_info() call.  clear presumably resets the rule's
 * counters as a side effect of the read.
 *
 * NOTE(review): anchor_call is an output buffer whose size is not part of
 * the signature; size it as libpfctl.c expects (the anchor path fields in
 * this header are MAXPATHLEN) — confirm.
 */
int pfctl_get_eth_rulesets_info(int dev,
    struct pfctl_eth_rulesets_info *ri, const char *path);
int pfctl_get_eth_ruleset(int dev, const char *path, int nr,
    struct pfctl_eth_ruleset_info *ri);
int pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
    const char *path);
int pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
    const char *path, struct pfctl_eth_rule *rule, bool clear,
    char *anchor_call);
int pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
    const char *anchor, const char *anchor_call, uint32_t ticket);
/*
 * Layer-3 rules.  ruleset indexes the PF_RULESET_MAX-sized table of
 * struct pfctl_ruleset; nr/ticket come from pfctl_get_rules_info*();
 * pool_ticket presumably comes from pfctl_begin_addrs().  The same
 * unsized anchor_call caveat as above applies to the get variants.
 */
int pfctl_get_rules_info_h(struct pfctl_handle *h,
    struct pfctl_rules_info *rules, uint32_t ruleset,
    const char *path);
int pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
    uint32_t ruleset, const char *path);
int pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call);
int pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call);
int pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call, bool clear);
int pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
    char *anchor_call, bool clear);
int pfctl_add_rule(int dev, const struct pfctl_rule *r,
    const char *anchor, const char *anchor_call, uint32_t ticket,
    uint32_t pool_ticket);
int pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
    const char *anchor, const char *anchor_call, uint32_t ticket,
    uint32_t pool_ticket);
int pfctl_set_keepcounters(int dev, bool keep);
/* len is presumably in/out: capacity of creators on entry, count filled on return — confirm. */
int pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);

/* Filter for state enumeration; zeroed members presumably mean "any" — confirm. */
struct pfctl_state_filter {
	char ifname[IFNAMSIZ];
	uint16_t proto;
	sa_family_t af;
	struct pf_addr addr;
	struct pf_addr mask;
};
/*
 * State enumeration.  The callback receives each state and the caller's
 * arg; what a non-zero return from the callback does (stop? error?) is
 * not fixed here — confirm.  pfctl_get_states_iter() takes no device or
 * handle, so it presumably opens PF_DEVICE itself.  pfctl_get_states()
 * fills a list that must be released with pfctl_free_states().
 */
typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
int pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
int pfctl_get_states_h(struct pfctl_handle *h, struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
int pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
int pfctl_get_states(int dev, struct pfctl_states *states);
void pfctl_free_states(struct pfctl_states *states);
/* Remove states selected by kill; killed receives the number removed. */
int pfctl_clear_states(int dev, const struct pfctl_kill *kill,
    unsigned int *killed);
int pfctl_kill_states(int dev, const struct pfctl_kill *kill,
    unsigned int *killed);
int pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
    unsigned int *killed);
int pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
    unsigned int *killed);
/* Flush the rules / nat rules / ethernet rules of the named anchor. */
int pfctl_clear_rules(int dev, const char *anchorname);
int pfctl_clear_nat(int dev, const char *anchorname);
int pfctl_clear_eth_rules(int dev, const char *anchorname);
int pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address operations.  addr/size describe the caller's array of
 * struct pfr_addr (size is an int, matching the kernel's table ioctls);
 * nadd/ndel/nchange receive counts; flags is passed through to the ioctl.
 * For the get variants size is presumably in/out (capacity in, count
 * out) — confirm.  Note the non-_h pfctl_table_set_addrs() takes an extra
 * size2 that the _h variant does not.
 */
int pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *nadd, int flags);
int pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *nadd, int flags);
int pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl,
    struct pfr_addr *addr, int size, int *ndel, int flags);
int pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *ndel, int flags);
int pfctl_table_set_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl,
    struct pfr_addr *addr, int size, int *nadd, int *ndel,
    int *nchange, int flags);
int pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
    int flags);
int pfctl_table_get_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr *addr,
    int *size, int flags);
int pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
    *addr, int *size, int flags);
/* Set the status interface reported in struct pfctl_status.ifname. */
int pfctl_set_statusif(struct pfctl_handle *h, const char *ifname);

/* Query key for a NAT lookup: direction, protocol and the observed addresses/ports. */
struct pfctl_natlook_key {
	sa_family_t af;
	uint8_t direction;
	uint8_t proto;
	struct pf_addr saddr;
	struct pf_addr daddr;
	uint16_t sport;
	uint16_t dport;
};
/* Translated addresses/ports returned by pfctl_natlook(). */
struct pfctl_natlook {
	struct pf_addr saddr;
	struct pf_addr daddr;
	uint16_t sport;
	uint16_t dport;
};
int pfctl_natlook(struct pfctl_handle *h,
    const struct pfctl_natlook_key *k, struct pfctl_natlook *r);
int pfctl_set_debug(struct pfctl_handle *h, uint32_t level);
/* timeout selects one of the PFTM_MAX timeout slots (cf. struct pfctl_rule.timeout); value in seconds. */
int pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds);
int pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds);
/* Memory-pool limits by index; uint is the BSD alias for unsigned int. */
int pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit);
int pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit);
/*
 * Pool address staging and retrieval.  pfctl_begin_addrs() yields the
 * ticket under which pfctl_add_addr() stages addresses; the get calls
 * read the pool of rule r_num/r_action in the given anchor.  which
 * presumably selects among the rule's nat/rdr/route pools — confirm.
 */
int pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket);
int pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which);
int pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
    uint8_t r_action, const char *anchor, uint32_t *nr, int which);
int pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
    uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa,
    int which);
/* Count the rulesets under path, then fetch the nr-th one. */
int pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr);
int pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs);
/* Source-node enumeration; same callback/arg shape as the state iterator. */
typedef int (*pfctl_get_srcnode_fn)(struct pfctl_src_node*, void *);
int pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg);

/* Table management; ndel/nadd receive counts, flags is passed through to the ioctl. */
int pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter,
    int *ndel, int flags);
int pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table,
    int *nadd, int flags);
int pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table,
    int *ndel, int flags);

/* Table statistics: iterate with a callback, or zero them; pfctl_clear_addrs() empties matching tables. */
typedef int (*pfctl_get_tstats_fn)(const struct pfr_tstats *t, void *arg);
int pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
    pfctl_get_tstats_fn fn, void *arg);
int pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
    int *nzero, int flags);
int pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter,
    int *ndel, int flags);

/* Per-address statistics of a table; pfctl_test_addrs() presumably reports in nmatch how many of addr match tbl. */
int pfctl_get_astats(struct pfctl_handle *h, const struct pfr_table *tbl,
    struct pfr_astats *addr, int *size, int flags);
int pfctl_clr_astats(struct pfctl_handle *h, const struct pfr_table *tbl,
    struct pfr_addr *addr, int size, int *nzero, int flags);
int pfctl_test_addrs(struct pfctl_handle *h, const struct pfr_table *tbl,
    struct pfr_addr *addr, int size, int *nmatch, int flags);

/* Rate expressed as limit events per seconds. */
struct pfctl_limit_rate {
	unsigned int limit;
	unsigned int seconds;
};

/*
 * State limiter: caps the number of states admitted under one named
 * limiter (referenced from struct pfctl_rule.statelim by id).  The
 * trailing members are kernel-reported usage counters.
 */
struct pfctl_state_lim {
	uint32_t ticket;
	char name[PF_STATELIM_NAME_LEN];
	uint32_t id;
	unsigned int limit;

	struct pfctl_limit_rate rate;

	char description[PF_STATELIM_DESCR_LEN];

	unsigned int inuse;
	uint64_t admitted;
	uint64_t hardlimited;
	uint64_t ratelimited;
};

/* The "n" in nget is not explained here; confirm its iteration semantics against libpfctl.c. */
int pfctl_state_limiter_nget(struct pfctl_handle *h, struct pfctl_state_lim *lim);
int pfctl_state_limiter_add(struct pfctl_handle *h, struct pfctl_state_lim *lim);

/*
 * Source limiter: per-source-address state limits (referenced from
 * struct pfctl_rule.sourcelim by id).  The trailing members are
 * kernel-reported usage counters.
 */
struct pfctl_source_lim {
	uint32_t ticket;

	char name[PF_SOURCELIM_NAME_LEN];
	uint32_t id;

	/* limit on the total number of address entries */
	unsigned int entries;

	/* limit on the number of states per address entry */
	unsigned int limit;

	/* rate limit on the creation of states by an address entry */
	struct pfctl_limit_rate rate;

	/*
	 * when the number of states on an entry exceeds hwm, add
	 * the address to the specified table. when the number of
	 * states goes below lwm, remove it from the table.
	 */
	char overload_tblname[PF_TABLE_NAME_SIZE];
	unsigned int overload_hwm;
	unsigned int overload_lwm;

	/*
	 * mask addresses before they're used for entries. /64s
	 * everywhere for inet6 makes it easy to use too much memory.
	 */
	unsigned int inet_prefix;
	unsigned int inet6_prefix;

	char description[PF_SOURCELIM_DESCR_LEN];

	unsigned int nentries;
	unsigned int inuse;

	uint64_t addrallocs;
	uint64_t addrnomem;
	uint64_t admitted;
	uint64_t addrlimited;
	uint64_t hardlimited;
	uint64_t ratelimited;
};

int pfctl_source_limiter_get(struct pfctl_handle *h, struct pfctl_source_lim *lim);
int pfctl_source_limiter_nget(struct pfctl_handle *h, struct pfctl_source_lim *lim);
int pfctl_source_limiter_add(struct pfctl_handle *h, struct
pfctl_source_lim *lim); 674c72fb110SKristof Provost 675c72fb110SKristof Provost struct pfctl_source { 676c72fb110SKristof Provost sa_family_t af; 677c72fb110SKristof Provost unsigned int rdomain; 678c72fb110SKristof Provost struct pf_addr addr; 679c72fb110SKristof Provost 680c72fb110SKristof Provost unsigned int inet_prefix; 681c72fb110SKristof Provost unsigned int inet6_prefix; 682c72fb110SKristof Provost 683c72fb110SKristof Provost unsigned int limit; 684c72fb110SKristof Provost unsigned int inuse; 685c72fb110SKristof Provost uint64_t admitted; 686c72fb110SKristof Provost uint64_t hardlimited; 687c72fb110SKristof Provost uint64_t ratelimited; 688c72fb110SKristof Provost }; 689c72fb110SKristof Provost typedef int (*pfctl_get_source_fn)(struct pfctl_source *, void *); 690c72fb110SKristof Provost int pfctl_source_get(struct pfctl_handle *h, int id, 691c72fb110SKristof Provost pfctl_get_source_fn fn, void *arg); 692c72fb110SKristof Provost 693c72fb110SKristof Provost struct pfctl_source_clear { 694c72fb110SKristof Provost char name[PF_SOURCELIM_NAME_LEN]; 695c72fb110SKristof Provost uint32_t id; 696c72fb110SKristof Provost sa_family_t af; 697c72fb110SKristof Provost unsigned int rdomain; 698c72fb110SKristof Provost struct pf_addr addr; 699c72fb110SKristof Provost }; 700c72fb110SKristof Provost int pfctl_source_clear(struct pfctl_handle *h, struct pfctl_source_clear *); 701c72fb110SKristof Provost 7020d71f9f3SKristof Provost #endif 703