1 /*        $OpenBSD: pfctl_parser.h,v 1.87 2007/10/13 16:35:18 deraadt Exp $ */
2 
3 /*
4  * Copyright (c) 2001 Daniel Hartmeier
5  * All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  *
11  *    - Redistributions of source code must retain the above copyright
12  *      notice, this list of conditions and the following disclaimer.
13  *    - Redistributions in binary form must reproduce the above
14  *      copyright notice, this list of conditions and the following
15  *      disclaimer in the documentation and/or other materials provided
16  *      with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
23  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
24  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
25  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
26  * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
28  * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
29  * POSSIBILITY OF SUCH DAMAGE.
30  *
31  */
32 
#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/* Default path of the OS fingerprint database (see the pfctl_*_fingerprints() prototypes below). */
#define PF_OSFP_FILE			"/etc/pf.os"

/*
 * Command-line option bits (presumably kept in struct pfctl.opts).
 * Each value is a distinct power of two so they can be OR'ed into one
 * mask.  0x1000 is unassigned here; a new option must take a bit that
 * is not already used rather than reusing one of these.
 */
#define PF_OPT_DISABLE			0x0001
#define PF_OPT_ENABLE			0x0002
#define PF_OPT_VERBOSE			0x0004
#define PF_OPT_NOACTION			0x0008
#define PF_OPT_QUIET			0x0010
#define PF_OPT_CLRRULECTRS		0x0020
#define PF_OPT_USEDNS			0x0040
#define PF_OPT_VERBOSE2			0x0080
#define PF_OPT_DUMMYACTION		0x0100
#define PF_OPT_DEBUG			0x0200
#define PF_OPT_SHOWALL			0x0400
#define PF_OPT_OPTIMIZE			0x0800
#define PF_OPT_MERGE			0x2000
#define PF_OPT_RECURSE			0x4000

/* Mask covering all eight bits of a TCP flags byte (cf. parse_flags() below). */
#define PF_TH_ALL			0xFF

/*
 * Port range used for NAT proxy ports (presumably).  The range is
 * inclusive; HIGH is the largest value a 16-bit port can hold.
 */
#define PF_NAT_PROXY_PORT_LOW		50001
#define PF_NAT_PROXY_PORT_HIGH		65535

/* Ruleset optimizer levels -- not to be confused with the PF_OPT_OPTIMIZE option bit above. */
#define PF_OPTIMIZE_BASIC		0x0001
#define PF_OPTIMIZE_PROFILE		0x0002

/*
 * NULL-terminated table of counter names.  The order is significant:
 * it is presumably indexed by the kernel's FCNT_* counter numbers, so
 * confirm against those definitions before reordering or extending it.
 */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition; the full type is declared elsewhere */
69 
70 
/*
 * Per-invocation pfctl state.  A pointer to this is threaded through the
 * parser and the rule/anchor/queue loaders declared later in this header.
 */
struct pfctl {
	int dev;			/* presumably the open pf device descriptor -- confirm against the ioctl() callers */
	int opts;			/* presumably a PF_OPT_* bit mask */
	int optimize;			/* presumably a PF_OPTIMIZE_* level */
	int loadopt;
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/*
	 * Anchor stack, indexed by asd.  Any push must verify
	 * asd < PFCTL_ANCHOR_STACK_DEPTH before storing: the nesting depth
	 * is presumably driven by the anchors found in the parsed input,
	 * so an unchecked push would write past the array.
	 */
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_pooladdr paddr;
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;
	struct pf_anchor *anchor, *alast;
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t	timeout[PFTM_MAX];
	u_int32_t	limit[PF_LIMIT_MAX];
	u_int32_t	debug;
	u_int32_t	hostid;
	char		*ifname;

	/*
	 * Parallel "explicitly set" markers for the options above
	 * (timeout_set[i] pairs with timeout[i], limit_set[i] with
	 * limit[i], and so on).  Who writes them is not visible here;
	 * see the pfctl_set_*() prototypes below.
	 */
	u_int8_t	timeout_set[PFTM_MAX];
	u_int8_t	limit_set[PF_LIMIT_MAX];
	u_int8_t	debug_set;
	u_int8_t	hostid_set;
	u_int8_t	ifname_set;
};
102 
/* One interface specification from a rule; nodes are singly linked through next. */
struct node_if {
	char			 ifname[IFNAMSIZ];	/* fixed-size: writers must use a bounded copy and keep it NUL-terminated */
	u_int8_t		 not;			/* presumably the negation ("!") flag */
	u_int8_t		 dynamic;		/* antispoof */
	u_int			 ifa_flags;
	struct node_if		*next;
	struct node_if		*tail;			/* presumably the last node of the list, kept for appends */
};
111 
/* One host/address entry from a rule; nodes are singly linked through next. */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;
	struct pf_addr		 peer;
	sa_family_t		 af;
	u_int8_t		 not;		/* presumably the negation ("!") flag */
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	char			*ifname;	/* ownership not stated here -- check the allocator (host()/ifa_lookup()) before freeing */
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;		/* presumably the last node of the list, kept for appends */
};
124 
/* One OS-fingerprint match entry; nodes are singly linked through next. */
struct node_os {
	char			*os;		/* OS name as written in the rule; ownership not stated here */
	pf_osfp_t		 fingerprint;	/* resolved fingerprint, cf. pfctl_get_fingerprint() below */
	struct node_os		*next;
	struct node_os		*tail;		/* presumably the last node of the list, kept for appends */
};
131 
/*
 * Queue bandwidth as parsed: an absolute value or a percentage.
 * Presumably only one of the two is meaningful at a time -- confirm
 * in eval_pfqueue()/eval_pfaltq().
 */
struct node_queue_bw {
	u_int32_t bw_absolute;
	u_int16_t bw_percent;
};
136 
/* HFSC service curve: two linear segments with a break point at d. */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;	/* nonzero once the curve has been specified -- presumably */
};
143 
/* The three HFSC service curves a queue may carry, plus scheduler flags. */
struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;
};
150 
/* FAIRQ service curve; same two-segment layout as struct node_hfsc_sc. */
struct node_fairq_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;	/* nonzero once the curve has been specified -- presumably */
};
157 
/* FAIRQ queue parameters: link-share curve, hog bandwidth and bucket count. */
struct node_fairq_opts {
	struct node_fairq_sc	linkshare;
	struct node_queue_bw	hogs_bw;
	u_int			nbuckets;
	int			flags;
};
164 
/*
 * Scheduler-specific queue options.  qtype presumably selects which
 * member of data is valid; readers must switch on qtype before touching
 * data, as the union gives no other indication.
 */
struct node_queue_opt {
	int			 qtype;
	union {
		struct cbq_opts		cbq_opts;
		struct priq_opts	priq_opts;
		struct node_hfsc_opts	hfsc_opts;
		struct node_fairq_opts	fairq_opts;
	}			 data;
};
174 
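/* XXX should be in machine/limits.h */
#include <limits.h>
/*
 * Only supply UID_MAX/GID_MAX when the system headers do not.  An
 * unconditional #define is a redefinition error (or a silently
 * different value) on platforms whose <limits.h> already defines them.
 */
#ifndef UID_MAX
#define UID_MAX	UINT_MAX
#endif
#ifndef GID_MAX
#define GID_MAX	UINT_MAX
#endif

/*
 * XXX
 * This is absolutely not the correct location to define this.
 * Should we use a separate header file?
 * NOTE: This is also defined in sys/bus/usb/usb_port.h
 * perhaps place in sys/queue.h?
 *
 * OpenBSD's SIMPLEQ_* singly-linked tail-queue API expressed through the
 * equivalent STAILQ_* macros.  This header does not include
 * <sys/queue.h> itself, so the including file must do so first.
 */
#define	SIMPLEQ_HEAD			STAILQ_HEAD
#define	SIMPLEQ_HEAD_INITIALIZER	STAILQ_HEAD_INITIALIZER
#define	SIMPLEQ_ENTRY			STAILQ_ENTRY
#define	SIMPLEQ_FIRST			STAILQ_FIRST
#define	SIMPLEQ_END(head)		NULL	/* list terminator; head is unused */
#define	SIMPLEQ_EMPTY			STAILQ_EMPTY
#define	SIMPLEQ_NEXT			STAILQ_NEXT
/*
 * Spelled out via the SIMPLEQ_* macros above: walks from SIMPLEQ_FIRST()
 * until SIMPLEQ_NEXT() yields SIMPLEQ_END(), i.e. NULL.  Like any
 * STAILQ walk it is unsafe to remove `var` from inside the loop body.
 */
#define	SIMPLEQ_FOREACH(var, head, field)		\
	for ((var) = SIMPLEQ_FIRST(head);		\
	    (var) != SIMPLEQ_END(head);			\
	    (var) = SIMPLEQ_NEXT(var, field))
#define	SIMPLEQ_INIT			STAILQ_INIT
#define	SIMPLEQ_INSERT_HEAD		STAILQ_INSERT_HEAD
#define	SIMPLEQ_INSERT_TAIL		STAILQ_INSERT_TAIL
#define	SIMPLEQ_INSERT_AFTER		STAILQ_INSERT_AFTER
#define	SIMPLEQ_REMOVE_HEAD		STAILQ_REMOVE_HEAD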
204 
/* Head type for a list of struct node_tinit, linked through entries. */
SIMPLEQ_HEAD(node_tinithead, node_tinit);
/*
 * Table initializer: one entry is either an inline host or a file to
 * load addresses from.  Which of host/file is set for a given entry is
 * not visible here -- presumably exactly one is non-NULL; confirm in
 * pfctl_define_table()/print_tabledef().
 */
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host		*host;
	char				*file;	/* path string; ownership not stated here */
};
211 
212 
213 /* optimizer created tables */
/* A table created by the ruleset optimizer. */
struct pf_opt_tbl {
	char			 pt_name[PF_TABLE_NAME_SIZE];	/* fixed-size: bound writes and keep NUL-terminated */
	int			 pt_rulecount;
	int			 pt_generated;
	struct node_tinithead	 pt_nodes;
	struct pfr_buffer	*pt_buf;
};
/* Name prefix given to optimizer-generated tables; a name is pt_name-sized, so the suffix must fit in PF_TABLE_NAME_SIZE minus this prefix. */
#define PF_OPT_TABLE_PREFIX	"__automatic_"
222 
223 /* optimizer pf_rule container */
/*
 * Optimizer wrapper around one pf_rule.  A rule sits on the main queue
 * via por_entry and on up to PF_SKIP_COUNT skip-step lists via
 * por_skip_entry[]; the source/destination table pointers are set when
 * the optimizer folds addresses into a table (presumably -- see
 * pfctl_optimize_ruleset()).
 */
struct pf_opt_rule {
	struct pf_rule		 por_rule;
	struct pf_opt_tbl	*por_src_tbl;
	struct pf_opt_tbl	*por_dst_tbl;
	u_int64_t		 por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};
232 
/* Head type for a list of struct pf_opt_rule, linked through por_entry. */
TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/*
 * Ruleset loading and optimization.  Both return an int status; the
 * argument meanings of pfctl_rules() are not recoverable from the
 * declaration alone -- consult its definition before calling.
 */
int	pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);

/* Adding parsed objects to the in-progress ruleset held in struct pfctl. */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/*
 * 'set ...' option handlers.  They presumably record into the
 * timeout/limit/debug/hostid/ifname members of struct pfctl and raise
 * the matching *_set marker -- verify against the definitions.
 */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
int	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/* Parser entry points. parse_flags() turns a TCP flag string into a bit mask (cf. PF_TH_ALL). */
int	parse_config(char *, struct pfctl *);
int	parse_flags(const char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Human-readable printers; the trailing int is presumably a PF_OPT_* verbosity mask. */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, int);

/* Turn parsed queue options into a pf_altq; return an int status. */
int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

/* Define (or update) a table from a node_tinithead worth of initializers. */
int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprint database handling (default file: PF_OSFP_FILE).
 * pfctl_lookup_fingerprint() takes a caller-supplied buffer and its
 * size; presumably it formats the name into that buffer and returns it.
 */
void		 pfctl_clear_fingerprints(int, int);
int		 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t	 pfctl_get_fingerprint(const char *);
int		 pfctl_load_fingerprints(int, int);
char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void		 pfctl_show_fingerprints(int);
281 
282 
/* Name <-> number mapping for one ICMP type. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};
287 
/* Name <-> number mapping for one ICMP code, qualified by its type. */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};
293 
/*
 * ICMP type/code table lookups.  Each returns a pointer into a constant
 * table; the return value for an unknown name or number is not visible
 * here (presumably NULL), so callers should check before dereferencing.
 * The trailing u_int8_t is presumably the address family.
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);
298 
/* One recognised 'set timeout' keyword and the timeout it selects. */
struct pf_timeout {
	const char	*name;
	int		 timeout;
};
303 
/*
 * Ruleset-section bits, distinct powers of two so they can be OR'ed
 * together (0x01 is unassigned here).  These are a separate namespace
 * from the PF_OPT_* option bits.
 */
#define PFCTL_FLAG_FILTER	0x02
#define PFCTL_FLAG_NAT		0x04
#define PFCTL_FLAG_OPTION	0x08
#define PFCTL_FLAG_ALTQ		0x10
#define PFCTL_FLAG_TABLE	0x20

/*
 * Table of recognised timeout names.  Its terminator convention is fixed
 * by the definition, not here -- check it before iterating.
 */
extern const struct pf_timeout pf_timeouts[];
311 
/* Address-mask helpers: set_ipmask() applies a prefix length; check_netmask() returns an int status. */
void			 set_ipmask(struct node_host *, u_int8_t);
int			 check_netmask(struct node_host *, sa_family_t);

/*
 * Interface-address table.  ifa_load() populates it; ifa_exists() and
 * ifa_lookup() query it by name; host() resolves a host spec into a
 * node_host list.  Ownership of the returned lists is not stated here --
 * presumably the caller frees them; confirm in the definitions.
 */
void			 ifa_load(void);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
struct node_host	*host(const char *);

/* Append addresses to a pfr_buffer, from a text spec or from a node_host list. */
int			 append_addr(struct pfr_buffer *, char *, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */