/*-
 * SPDX-License-Identifier: BSD-2-Clause
 *
 * Copyright (c) 2021 Rubicon Communications, LLC (Netgate)
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * - Redistributions of source code must retain the above copyright
 * notice, this list of conditions and the following disclaimer.
 * - Redistributions in binary form must reproduce the above
 * copyright notice, this list of conditions and the following
 * disclaimer in the documentation and/or other materials provided
 * with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 */

#ifndef _PFCTL_IOCTL_H_
#define _PFCTL_IOCTL_H_

#include <netpfil/pf/pf.h>

/*
 * Userland view of pf(4) objects and the libpfctl entry points that carry
 * them across the pf device boundary.  Anchors are forward-declared because
 * rules and rulesets point at them before the full definitions below.
 */
struct pfctl_anchor;
struct pfctl_eth_anchor;

/*
 * One named 64-bit counter from a status snapshot.  `name` is a pointer,
 * not an inline array; NOTE(review): presumably allocated by the library
 * and released together with the snapshot by pfctl_free_status() -- confirm
 * in libpfctl.c before holding on to it.
 */
struct pfctl_status_counter {
	uint64_t	 id;
	uint64_t	 counter;
	char		*name;

	TAILQ_ENTRY(pfctl_status_counter) entry;
};
TAILQ_HEAD(pfctl_status_counters, pfctl_status_counter);

/*
 * Global pf status as returned by pfctl_get_status()/pfctl_get_status_h().
 * The five counter lists are TAILQs of struct pfctl_status_counter; read
 * them through the pfctl_status_*counter() helpers and release the whole
 * snapshot with pfctl_free_status().
 */
struct pfctl_status {
	bool		running;
	uint32_t	since;
	uint32_t	debug;
	uint32_t	hostid;
	uint64_t	states;
	uint64_t	src_nodes;
	char		ifname[IFNAMSIZ];
	/*
	 * NOTE(review): presumably the MD5 digest of the loaded ruleset
	 * (PF_MD5_DIGEST_LENGTH bytes), useful to detect ruleset changes
	 * between snapshots; it is not an integrity control -- confirm.
	 */
	uint8_t		pf_chksum[PF_MD5_DIGEST_LENGTH];
	bool		syncookies_active;
	uint32_t	reass;

	struct pfctl_status_counters	 counters;
	struct pfctl_status_counters	 lcounters;
	struct pfctl_status_counters	 fcounters;
	struct pfctl_status_counters	 scounters;
	struct pfctl_status_counters	 ncounters;
	uint64_t	fragments;
	/*
	 * NOTE(review): the meaning of each index (presumably address
	 * family / direction / action) is not stated here -- confirm
	 * against libpfctl.c before reporting these.
	 */
	uint64_t	pcounters[2][2][2];
	uint64_t	bcounters[2][2];
};

/* Number of Ethernet rulesets (anchors) below a path. */
struct pfctl_eth_rulesets_info {
	uint32_t	nr;
};

/* Rule count plus the ticket that later get/add calls must echo back. */
struct pfctl_eth_rules_info {
	uint32_t	nr;
	uint32_t	ticket;
};

/* Ethernet address match: addr/mask pair, optional negation, set flag. */
struct pfctl_eth_addr {
	uint8_t		addr[ETHER_ADDR_LEN];
	uint8_t		mask[ETHER_ADDR_LEN];
	bool		neg;
	bool		isset;
};

/*
 * One Ethernet-layer rule.  All string members are fixed-size arrays;
 * anything a caller writes into them must stay NUL-terminated within the
 * array, as nothing here carries a separate length.
 */
struct pfctl_eth_rule {
	uint32_t		nr;

	char			label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		ridentifier;

	bool			quick;

	/* Filter */
	char			ifname[IFNAMSIZ];
	uint8_t			ifnot;
	uint8_t			direction;
	uint16_t		proto;
	struct pfctl_eth_addr	src, dst;
	struct pf_rule_addr	ipsrc, ipdst;
	char			match_tagname[PF_TAG_NAME_SIZE];
	uint16_t		match_tag;
	bool			match_tag_not;

	/* Stats */
	uint64_t		evaluations;
	uint64_t		packets[2];
	uint64_t		bytes[2];
	time_t			last_active_timestamp;

	/* Action */
	char			qname[PF_QNAME_SIZE];
	char			tagname[PF_TAG_NAME_SIZE];
	uint16_t		dnpipe;
	uint32_t		dnflags;
	char			bridge_to[IFNAMSIZ];
	uint8_t			action;

	struct pfctl_eth_anchor	*anchor;
	uint8_t			anchor_relative;
	uint8_t			anchor_wildcard;

	TAILQ_ENTRY(pfctl_eth_rule)	entries;
};
TAILQ_HEAD(pfctl_eth_rules, pfctl_eth_rule);

/* Identity of one Ethernet ruleset: index, anchor name and full path. */
struct pfctl_eth_ruleset_info {
	uint32_t	nr;
	char		name[PF_ANCHOR_NAME_SIZE];
	char		path[MAXPATHLEN];
};

struct pfctl_eth_ruleset {
	struct pfctl_eth_rules	 rules;
	struct pfctl_eth_anchor	*anchor;
};

/* Ethernet anchor: a named ruleset in the anchor tree, linked to its parent. */
struct pfctl_eth_anchor {
	struct pfctl_eth_anchor	*parent;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];
	struct pfctl_eth_ruleset ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};

/* One address (or interface) in a translation/route pool. */
struct pfctl_pooladdr {
	struct pf_addr_wrap		 addr;
	TAILQ_ENTRY(pfctl_pooladdr)	 entries;
	char				 ifname[IFNAMSIZ];
	sa_family_t			 af;
};

TAILQ_HEAD(pfctl_palist, pfctl_pooladdr);

/*
 * Address pool used by nat/rdr/route-to.  `cur` is a cursor into `list`;
 * NOTE(review): ownership of the list entries (who frees them) is not
 * expressed here -- confirm in libpfctl.c.
 */
struct pfctl_pool {
	struct pfctl_palist	 list;
	struct pfctl_pooladdr	*cur;
	struct pf_poolhashkey	 key;
	struct pf_addr		 counter;
	struct pf_mape_portset	 mape;
	int			 tblidx;
	uint16_t		 proxy_port[2];
	uint8_t			 opts;
};

/* Rule count plus the ticket that later get/add calls must echo back. */
struct pfctl_rules_info {
	uint32_t	nr;
	uint32_t	ticket;
};

/* Rate threshold: `limit` events per `seconds`, with running count/last. */
struct pfctl_threshold {
	uint32_t	limit;
	uint32_t	seconds;
	uint32_t	count;
	uint32_t	last;
};

/*
 * One filter rule.  As with struct pfctl_eth_rule, every string member is a
 * fixed-size array with no separate length, so writers must keep them
 * NUL-terminated within the array.
 */
struct pfctl_rule {
	struct pf_rule_addr	 src;
	struct pf_rule_addr	 dst;
	union pf_rule_ptr	 skip[PF_SKIP_COUNT];
	char			 label[PF_RULE_MAX_LABEL_COUNT][PF_RULE_LABEL_SIZE];
	uint32_t		 ridentifier;
	char			 ifname[IFNAMSIZ];
	char			 qname[PF_QNAME_SIZE];
	char			 pqname[PF_QNAME_SIZE];
	char			 tagname[PF_TAG_NAME_SIZE];
	char			 match_tagname[PF_TAG_NAME_SIZE];

	char			 overload_tblname[PF_TABLE_NAME_SIZE];

	TAILQ_ENTRY(pfctl_rule)	 entries;
	struct pfctl_pool	 nat;
	union {
		/* Alias old and new names. */
		struct pfctl_pool	 rpool;
		struct pfctl_pool	 rdr;
	};
	struct pfctl_pool	 route;
	struct pfctl_threshold	 pktrate;

	uint64_t		 evaluations;
	uint64_t		 packets[2];
	uint64_t		 bytes[2];
	time_t			 last_active_timestamp;

	/*
	 * NOTE(review): pfi_kif and pfr_ktable are kernel-side types;
	 * presumably these pointers are carried for layout parity only and
	 * are never dereferenced in userland -- confirm.
	 */
	struct pfi_kif		*kif;
	struct pfctl_anchor	*anchor;
	struct pfr_ktable	*overload_tbl;

	pf_osfp_t		 os_fingerprint;

	int			 rtableid;
	uint32_t		 timeout[PFTM_MAX];
	uint32_t		 max_states;
	uint32_t		 max_src_nodes;
	uint32_t		 max_src_states;
	uint32_t		 max_src_conn;
	struct {
		uint32_t		limit;
		uint32_t		seconds;
	}			 max_src_conn_rate;
	uint16_t		 max_pkt_size;
	uint32_t		 qid;
	uint32_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint32_t		 free_flags;
	uint32_t		 nr;
	uint32_t		 prob;
	uid_t			 cuid;
	pid_t			 cpid;

	uint64_t		 states_cur;
	uint64_t		 states_tot;
	uint64_t		 src_nodes;
	uint64_t		 src_nodes_type[PF_SN_MAX];

	uint16_t		 return_icmp;
	uint16_t		 return_icmp6;
	uint16_t		 max_mss;
	uint16_t		 tag;
	uint16_t		 match_tag;
	uint16_t		 scrub_flags;

	struct pf_rule_uid	 uid;
	struct pf_rule_gid	 gid;
	char			 rcv_ifname[IFNAMSIZ];
	bool			 rcvifnot;

	uint32_t		 rule_flag;
	uint8_t			 action;
	uint8_t			 direction;
	uint8_t			 log;
	uint8_t			 logif;
	uint8_t			 quick;
	uint8_t			 ifnot;
	uint8_t			 match_tag_not;
	uint8_t			 natpass;

	uint8_t			 keep_state;
	sa_family_t		 af;
	uint8_t			 proto;
	uint16_t		 type;
	uint16_t		 code;
	uint8_t			 flags;
	uint8_t			 flagset;
	uint8_t			 min_ttl;
	uint8_t			 allow_opts;
	uint8_t			 rt;
	uint8_t			 return_ttl;
	uint8_t			 tos;
	uint8_t			 set_tos;
	uint8_t			 anchor_relative;
	uint8_t			 anchor_wildcard;

	uint8_t			 flush;
	uint8_t			 prio;
	uint8_t			 set_prio[2];
	sa_family_t		 naf;

	struct {
		struct pf_addr		addr;
		uint16_t		port;
	}			 divert;

	time_t			 exptime;
};

TAILQ_HEAD(pfctl_rulequeue, pfctl_rule);

/*
 * Ruleset: per rule type, an active and an inactive queue.  `ticket`
 * values are handed out by the kernel and must be echoed back on the
 * get/add calls below, which is how a load is tied to one transaction.
 */
struct pfctl_ruleset {
	struct {
		struct pfctl_rulequeue	 queues[2];
		struct {
			struct pfctl_rulequeue	*ptr;
			struct pfctl_rule	**ptr_array;
			uint32_t		 rcount;
			uint32_t		 ticket;
			int			 open;
		}			 active, inactive;
	}			 rules[PF_RULESET_MAX];
	struct pfctl_anchor	*anchor;
	uint32_t		 tticket;
	int			 tables;
	int			 topen;
};

/* Anchor tree: one global RB tree plus per-anchor child trees. */
RB_HEAD(pfctl_anchor_global, pfctl_anchor);
RB_HEAD(pfctl_anchor_node, pfctl_anchor);
struct pfctl_anchor {
	RB_ENTRY(pfctl_anchor)	 entry_global;
	RB_ENTRY(pfctl_anchor)	 entry_node;
	struct pfctl_anchor	*parent;
	struct pfctl_anchor_node children;
	char			 name[PF_ANCHOR_NAME_SIZE];
	char			 path[MAXPATHLEN];
	struct pfctl_ruleset	 ruleset;
	int			 refcnt;	/* anchor rules */
	int			 match;	/* XXX: used for pfctl black magic */
};
RB_PROTOTYPE(pfctl_anchor_global, pfctl_anchor, entry_global,
    pf_anchor_compare);
RB_PROTOTYPE(pfctl_anchor_node, pfctl_anchor, entry_node,
    pf_anchor_compare);

/* State identity used to select states for clear/kill. */
struct pfctl_state_cmp {
	uint64_t	id;
	uint32_t	creatorid;
	uint8_t		direction;
};

/*
 * Selector for pfctl_clear_states*() and pfctl_kill_states*().  The number
 * of states matched is reported through the functions' `killed` argument.
 */
struct pfctl_kill {
	struct pfctl_state_cmp	cmp;
	sa_family_t		af;
	int			proto;
	struct pf_rule_addr	src;
	struct pf_rule_addr	dst;
	struct pf_rule_addr	rt_addr;
	char			ifname[IFNAMSIZ];
	char			label[PF_RULE_LABEL_SIZE];
	bool			kill_match;
	bool			nat;
};

/* TCP sequence-tracking view of one side of a state. */
struct pfctl_state_peer {
	uint32_t	seqlo;
	uint32_t	seqhi;
	uint32_t	seqdiff;
	uint8_t		state;
	uint8_t		wscale;
};

/* Address/port pair keying a state; index meaning is per pfctl_state.key. */
struct pfctl_state_key {
	struct pf_addr	 addr[2];
	uint16_t	 port[2];
	sa_family_t	 af;
	uint8_t		 proto;
};

/* One state-table entry as exported to userland. */
struct pfctl_state {
	TAILQ_ENTRY(pfctl_state)	entry;

	uint64_t		 id;
	uint32_t		 creatorid;
	uint8_t			 direction;

	struct pfctl_state_peer	 src;
	struct pfctl_state_peer	 dst;

	uint32_t		 rule;
	uint32_t		 anchor;
	uint32_t		 nat_rule;
	struct pf_addr		 rt_addr;
	struct pfctl_state_key	 key[2];	/* addresses stack and wire */
	char			 ifname[IFNAMSIZ];
	char			 orig_ifname[IFNAMSIZ];
	uint64_t		 packets[2];
	uint64_t		 bytes[2];
	uint32_t		 creation;
	uint32_t		 expire;
	uint32_t		 pfsync_time;
	uint16_t		 state_flags;
	uint32_t		 sync_flags;
	uint16_t		 qid;
	uint16_t		 pqid;
	uint16_t		 dnpipe;
	uint16_t		 dnrpipe;
	uint8_t			 log;
	int32_t			 rtableid;
	uint8_t			 min_ttl;
	uint8_t			 set_tos;
	uint16_t		 max_mss;
	uint8_t			 set_prio[2];
	uint8_t			 rt;
	char			 rt_ifname[IFNAMSIZ];
	sa_family_t		 rt_af;
	uint8_t			 src_node_flags;
};

/* Whole-table dump filled by pfctl_get_states(); free with pfctl_free_states(). */
TAILQ_HEAD(pfctl_statelist, pfctl_state);
struct pfctl_states {
	struct pfctl_statelist	states;
};

/* Index into PFCTL_SYNCOOKIES_MODE_NAMES[] for the matching display name. */
enum pfctl_syncookies_mode {
	PFCTL_SYNCOOKIES_NEVER,
	PFCTL_SYNCOOKIES_ALWAYS,
	PFCTL_SYNCOOKIES_ADAPTIVE
};
extern const char* PFCTL_SYNCOOKIES_MODE_NAMES[];

/* SYN cookie configuration; water marks are percentages of the state limit. */
struct pfctl_syncookies {
	enum pfctl_syncookies_mode	mode;
	uint8_t		highwater;	/* Percent */
	uint8_t		lowwater;	/* Percent */
	uint32_t	halfopen_states;
};

/* One source-tracking node as exported to userland. */
struct pfctl_src_node {
	struct pf_addr		addr;
	struct pf_addr		raddr;
	int			rule;
	uint64_t		bytes[2];
	uint64_t		packets[2];
	uint32_t		states;
	uint32_t		conn;
	sa_family_t		af;
	sa_family_t		raf;
	uint8_t			ruletype;
	uint64_t		creation;
	uint64_t		expire;
	struct pfctl_threshold	conn_rate;
	pf_sn_types_t		type;
};

/*
 * Default pf device node.  What a process may do through it is decided by
 * the node's permissions; NOTE(review): on FreeBSD the node is root-only
 * by default -- confirm for the deployment rather than assuming.
 */
#define PF_DEVICE "/dev/pf"

/*
 * Opaque connection to the pf device.  Most entry points exist in two
 * forms: an older one taking a raw descriptor (`int dev`) and a `_h` one
 * taking the handle.  Unless noted, an int return of 0 means success and
 * non-zero means failure; NOTE(review): whether the non-zero value is an
 * errno or -1 is not stated here -- confirm in libpfctl.c.
 *
 * pfctl_fd() exposes the handle's descriptor; NOTE(review): presumably the
 * handle still owns it, so callers should not close() it themselves.
 */
struct pfctl_handle;
struct pfctl_handle	*pfctl_open(const char *pf_device);
void	pfctl_close(struct pfctl_handle *);
int	pfctl_fd(struct pfctl_handle *);

/* Enable (start != 0) or disable packet filtering. */
int	pfctl_startstop(struct pfctl_handle *h, int start);
/* Status snapshot: caller owns the result and must pfctl_free_status() it. */
struct pfctl_status* pfctl_get_status_h(struct pfctl_handle *h);
struct pfctl_status* pfctl_get_status(int dev);
int	pfctl_clear_status(struct pfctl_handle *h);
/* Look up counter `id` in the corresponding list of a status snapshot. */
uint64_t pfctl_status_counter(struct pfctl_status *status, int id);
uint64_t pfctl_status_lcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_fcounter(struct pfctl_status *status, int id);
uint64_t pfctl_status_scounter(struct pfctl_status *status, int id);
void	pfctl_free_status(struct pfctl_status *status);

/*
 * Ethernet rules.  `ticket` comes from pfctl_get_eth_rules_info().
 * `anchor_call` on the get call is an output buffer whose capacity is not
 * part of the signature; NOTE(review): presumably MAXPATHLEN, the size this
 * header uses for anchor paths -- confirm in libpfctl.c before passing
 * anything smaller.
 */
int	pfctl_get_eth_rulesets_info(int dev,
	    struct pfctl_eth_rulesets_info *ri, const char *path);
int	pfctl_get_eth_ruleset(int dev, const char *path, int nr,
	    struct pfctl_eth_ruleset_info *ri);
int	pfctl_get_eth_rules_info(int dev, struct pfctl_eth_rules_info *rules,
	    const char *path);
int	pfctl_get_eth_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *path, struct pfctl_eth_rule *rule, bool clear,
	    char *anchor_call);
int	pfctl_add_eth_rule(int dev, const struct pfctl_eth_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket);
/*
 * Filter rules.  `ticket` comes from pfctl_get_rules_info*(),
 * `pool_ticket` from pfctl_begin_addrs().  The `_clear_` variants take an
 * extra `clear` flag that resets the rule's counters on read.  The
 * `anchor_call` output buffer has the same unstated capacity as above.
 */
int	pfctl_get_rules_info_h(struct pfctl_handle *h,
	    struct pfctl_rules_info *rules, uint32_t ruleset,
	    const char *path);
int	pfctl_get_rules_info(int dev, struct pfctl_rules_info *rules,
	    uint32_t ruleset, const char *path);
int	pfctl_get_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call);
int	pfctl_get_clear_rule(int dev, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_get_clear_rule_h(struct pfctl_handle *h, uint32_t nr, uint32_t ticket,
	    const char *anchor, uint32_t ruleset, struct pfctl_rule *rule,
	    char *anchor_call, bool clear);
int	pfctl_add_rule(int dev, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_add_rule_h(struct pfctl_handle *h, const struct pfctl_rule *r,
	    const char *anchor, const char *anchor_call, uint32_t ticket,
	    uint32_t pool_ticket);
int	pfctl_set_keepcounters(int dev, bool keep);
/*
 * Fill `creators` with known pfsync creator ids.  NOTE(review): `len` is
 * presumably in/out -- capacity on entry, entries written on return --
 * confirm before sizing the array.
 */
int	pfctl_get_creatorids(struct pfctl_handle *h, uint32_t *creators, size_t *len);

/* Optional filter for state iteration: interface, proto, af and addr/mask. */
struct pfctl_state_filter {
	char		ifname[IFNAMSIZ];
	uint16_t	proto;
	sa_family_t	af;
	struct pf_addr	addr;
	struct pf_addr	mask;
};
/*
 * State iteration callback.  NOTE(review): the state pointer is presumably
 * valid only for the duration of the call (copy what you keep), and a
 * non-zero return presumably ends the walk and is propagated -- confirm in
 * libpfctl.c.
 */
typedef int (*pfctl_get_state_fn)(struct pfctl_state *, void *);
int	pfctl_get_states_iter(pfctl_get_state_fn f, void *arg);
int	pfctl_get_states_h(struct pfctl_handle *h, struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
int	pfctl_get_filtered_states_iter(struct pfctl_state_filter *filter, pfctl_get_state_fn f, void *arg);
/* Bulk dump; `states` is caller-owned storage, released via pfctl_free_states(). */
int	pfctl_get_states(int dev, struct pfctl_states *states);
void	pfctl_free_states(struct pfctl_states *states);
/* Remove states matching `kill`; `killed` receives the number removed. */
int	pfctl_clear_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states(int dev, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_clear_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_kill_states_h(struct pfctl_handle *h, const struct pfctl_kill *kill,
	    unsigned int *killed);
int	pfctl_clear_rules(int dev, const char *anchorname);
int	pfctl_clear_nat(int dev, const char *anchorname);
int	pfctl_clear_eth_rules(int dev, const char *anchorname);
int	pfctl_set_syncookies(int dev, const struct pfctl_syncookies *s);
int	pfctl_get_syncookies(int dev, struct pfctl_syncookies *s);
/*
 * Table address manipulation.  `addr` points at `size` entries (a signed
 * count; pass only what the array really holds).  `nadd`/`ndel`/`nchange`
 * receive the number of entries affected.  On the get calls `size` is a
 * pointer; NOTE(review): presumably capacity in, entries returned out --
 * confirm in libpfctl.c.  `flags` is passed through to the kernel.
 */
int	pfctl_table_add_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *nadd, int flags);
int	pfctl_table_add_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *nadd, int flags);
int	pfctl_table_del_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl,
	    struct pfr_addr *addr, int size, int *ndel, int flags);
int	pfctl_table_del_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *ndel, int flags);
int	pfctl_table_set_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl,
	    struct pfr_addr *addr, int size, int *nadd, int *ndel,
	    int *nchange, int flags);
int	pfctl_table_set_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int size, int *size2, int *nadd, int *ndel, int *nchange,
	    int flags);
int	pfctl_table_get_addrs_h(struct pfctl_handle *h, struct pfr_table *tbl, struct pfr_addr *addr,
	    int *size, int flags);
int	pfctl_table_get_addrs(int dev, struct pfr_table *tbl, struct pfr_addr
	    *addr, int *size, int flags);
int	pfctl_set_statusif(struct pfctl_handle *h, const char *ifname);

/* Lookup key for a NAT translation: af, direction, proto and both endpoints. */
struct pfctl_natlook_key {
	sa_family_t	af;
	uint8_t		direction;
	uint8_t		proto;
	struct pf_addr	saddr;
	struct pf_addr	daddr;
	uint16_t	sport;
	uint16_t	dport;
};
/* Translated endpoints returned by pfctl_natlook(). */
struct pfctl_natlook {
	struct pf_addr	saddr;
	struct pf_addr	daddr;
	uint16_t	sport;
	uint16_t	dport;
};
int	pfctl_natlook(struct pfctl_handle *h,
	    const struct pfctl_natlook_key *k, struct pfctl_natlook *r);
int	pfctl_set_debug(struct pfctl_handle *h, uint32_t level);
/* `timeout` selects a PFTM_* entry; `seconds` is its value. */
int	pfctl_set_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t seconds);
int	pfctl_get_timeout(struct pfctl_handle *h, uint32_t timeout, uint32_t *seconds);
/* `uint` here is the BSD <sys/types.h> alias, not a standard C type. */
int	pfctl_set_limit(struct pfctl_handle *h, const int index, const uint limit);
int	pfctl_get_limit(struct pfctl_handle *h, const int index, uint *limit);
/*
 * Pool address transaction: pfctl_begin_addrs() returns the ticket that
 * pfctl_add_rule*() takes as `pool_ticket`.  `which` selects the pool
 * (nat/rdr/route); NOTE(review): the accepted values are not declared in
 * this header -- confirm against libpfctl.c.
 */
int	pfctl_begin_addrs(struct pfctl_handle *h, uint32_t *ticket);
int	pfctl_add_addr(struct pfctl_handle *h, const struct pfioc_pooladdr *pa, int which);
int	pfctl_get_addrs(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
	    uint8_t r_action, const char *anchor, uint32_t *nr, int which);
int	pfctl_get_addr(struct pfctl_handle *h, uint32_t ticket, uint32_t r_num,
	    uint8_t r_action, const char *anchor, uint32_t nr, struct pfioc_pooladdr *pa,
	    int which);
int	pfctl_get_rulesets(struct pfctl_handle *h, const char *path, uint32_t *nr);
int	pfctl_get_ruleset(struct pfctl_handle *h, const char *path, uint32_t nr, struct pfioc_ruleset *rs);
/* Source-node iteration; same callback caveats as pfctl_get_state_fn. */
typedef int (*pfctl_get_srcnode_fn)(struct pfctl_src_node*, void *);
int	pfctl_get_srcnodes(struct pfctl_handle *h, pfctl_get_srcnode_fn fn, void *arg);

/* Table lifecycle; `nadd`/`ndel` receive the number of tables affected. */
int	pfctl_clear_tables(struct pfctl_handle *h, struct pfr_table *filter,
	    int *ndel, int flags);
int	pfctl_add_table(struct pfctl_handle *h, struct pfr_table *table,
	    int *nadd, int flags);
int	pfctl_del_table(struct pfctl_handle *h, struct pfr_table *table,
	    int *ndel, int flags);

/* Table statistics; `t` is const and, presumably, call-scoped (copy it). */
typedef int (*pfctl_get_tstats_fn)(const struct pfr_tstats *t, void *arg);
int	pfctl_get_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
	    pfctl_get_tstats_fn fn, void *arg);
int	pfctl_clear_tstats(struct pfctl_handle *h, const struct pfr_table *filter,
	    int *nzero, int flags);
int	pfctl_clear_addrs(struct pfctl_handle *h, const struct pfr_table *filter,
	    int *ndel, int flags);

/* Per-address statistics; `size` follows the table_get/set conventions above. */
int	pfctl_get_astats(struct pfctl_handle *h, const struct pfr_table *tbl,
	    struct pfr_astats *addr, int *size, int flags);
int	pfctl_clr_astats(struct pfctl_handle *h, const struct pfr_table *tbl,
	    struct pfr_addr *addr, int size, int *nzero, int flags);

#endif