/*	$OpenBSD: pfctl_parser.h,v 1.119 2024/01/15 07:23:32 sashan Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * pfctl_parser.h: shared declarations for the pfctl ruleset parser,
 * optimizer, queue handling, OS fingerprint handling and printers.
 * This header only declares types, constants and prototypes; the
 * definitions live in the pfctl sources.
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/* Default path of the OS fingerprint (pf.os) file read by the
 * pfctl_*_fingerprints routines declared below. */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Command-line option bits.  Each value is a distinct single bit so
 * they can be combined in one int (presumably struct pfctl.opts).
 * Bit 0x02000 is currently unassigned.
 */
#define PF_OPT_DISABLE		0x00001
#define PF_OPT_ENABLE		0x00002
#define PF_OPT_VERBOSE		0x00004
#define PF_OPT_NOACTION		0x00008
#define PF_OPT_QUIET		0x00010
#define PF_OPT_CLRRULECTRS	0x00020
#define PF_OPT_USEDNS		0x00040
#define PF_OPT_VERBOSE2		0x00080
#define PF_OPT_DUMMYACTION	0x00100
#define PF_OPT_DEBUG		0x00200
#define PF_OPT_SHOWALL		0x00400
#define PF_OPT_OPTIMIZE		0x00800
#define PF_OPT_NODNS		0x01000
#define PF_OPT_RECURSE		0x04000
#define PF_OPT_PORTNAMES	0x08000
#define PF_OPT_IGNFAIL		0x10000
#define PF_OPT_CALLSHOW		0x20000

/* Mask covering all eight TCP header flag bits (presumably the TH_* set). */
#define PF_TH_ALL		0xFF

/* Inclusive bounds of the port range handed out for NAT proxy ports. */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Ruleset optimizer levels; see struct pfctl.optimize below. */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/* NULL-terminated table of fragment counter names, for use as an
 * array initializer. */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition */


/*
 * Parser/loader state for one pfctl run.  One instance is threaded
 * through parse_config(), the pfctl_set_*() setters, the optimizer
 * and the queue loader declared below.
 */
struct pfctl {
	int dev;			/* pf device file descriptor */
	int opts;			/* PF_OPT_* bits */
	int optimize;			/* PF_OPTIMIZE_* bits */
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/* NOTE(review): asd looks like the index into astack; whoever
	 * pushes an anchor must keep it below PFCTL_ANCHOR_STACK_DEPTH,
	 * since nothing in this header bounds it -- confirm in the
	 * parser. */
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* pending transaction */
	struct pf_anchor *anchor, *alast;
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t timeout[PFTM_MAX];
	u_int32_t limit[PF_LIMIT_MAX];
	u_int32_t debug;
	u_int32_t hostid;
	u_int32_t reassemble;
	u_int8_t syncookies;
	u_int8_t syncookieswat[2];	/* lowat, hiwat */
	char *ifname;

	/* Presumably record which of the 'set' options above were given
	 * explicitly, one flag per option (parallel arrays for the
	 * per-timeout / per-limit ones) -- verify against the setters. */
	u_int8_t timeout_set[PFTM_MAX];
	u_int8_t limit_set[PF_LIMIT_MAX];
	u_int8_t debug_set;
	u_int8_t hostid_set;
	u_int8_t ifname_set;
	u_int8_t reass_set;
	u_int8_t syncookies_set;
	u_int8_t syncookieswat_set;
};

/* Interface list node produced by the parser (singly linked via next;
 * tail lets lists be appended without a walk). */
struct node_if {
	char ifname[IFNAMSIZ];		/* fixed-size; must stay NUL-terminated */
	u_int8_t not;			/* negated ("! ifname") */
	u_int8_t dynamic;		/* antispoof */
	u_int8_t use_rdomain;
	u_int ifa_flags;
	int rdomain;
	struct node_if *next;
	struct node_if *tail;
};

/* Host/address list node produced by the parser; lists are freed with
 * freehostlist(). */
struct node_host {
	struct pf_addr_wrap addr;
	struct pf_addr bcast;
	struct pf_addr peer;
	sa_family_t af;
	u_int8_t not;			/* negated address */
	u_int32_t ifindex;	/* link-local IPv6 addrs */
	u_int16_t weight;	/* load balancing weight */
	char *ifname;
	u_int ifa_flags;
	struct node_host *next;
	struct node_host *tail;
};
/* Release every node of a node_host list. */
void freehostlist(struct node_host *);

/* OS fingerprint list node. */
struct node_os {
	char *os;
	pf_osfp_t fingerprint;
	struct node_os *next;
	struct node_os *tail;
};

/* Queue bandwidth given either as an absolute value or as a percentage. */
struct node_queue_bw {
	u_int32_t bw_absolute;
	u_int16_t bw_percent;
};

/* One HFSC service curve. */
struct node_hfsc_sc {
	struct node_queue_bw m1;	/* slope of 1st segment; bps */
	u_int d;			/* x-projection of m1; msec */
	struct node_queue_bw m2;	/* slope of 2nd segment; bps */
	u_int8_t used;
};

struct node_hfsc_opts {
	struct node_hfsc_sc realtime;
	struct node_hfsc_sc linkshare;
	struct node_hfsc_sc upperlimit;
	int flags;
};

/* Scheduler-specific queue options; qtype selects the union member. */
struct node_queue_opt {
	int qtype;
	union {
		struct priq_opts priq_opts;
		struct node_hfsc_opts hfsc_opts;
	} data;
};

SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit) entries;
	struct node_host *host;		/* inline address entry, or ... */
	char *file;			/* ... a file to load entries from */
};


/* optimizer created tables */
struct pf_opt_tbl {
	char pt_name[PF_TABLE_NAME_SIZE];	/* fixed-size table name */
	int pt_rulecount;
	int pt_generated;
	u_int32_t pt_flags;
	u_int32_t pt_refcnt;		/* reference count */
	struct node_tinithead pt_nodes;
	struct pfr_buffer *pt_buf;
};

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule por_rule;
	struct pf_opt_tbl *por_src_tbl;
	struct pf_opt_tbl *por_dst_tbl;
	u_int64_t por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/* Queue specification tree: qspecs and rootqs are defined elsewhere. */
extern TAILQ_HEAD(pf_qihead, pfctl_qsitem) qspecs, rootqs;
struct pfctl_qsitem {
	TAILQ_ENTRY(pfctl_qsitem) entries;
	struct pf_queuespec qs;
	struct pf_qihead children;
	int matches;
};

/* High/low watermark pair (used for syncookies, see
 * pfctl_set_syncookies() and print_status()). */
struct pfctl_watermarks {
	u_int32_t hi;
	u_int32_t lo;
};

void copy_satopfaddr(struct pf_addr *, struct sockaddr *);

/* Ruleset loading and optimizer entry points. */
int pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
int add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
    struct pf_rule_addr *, char *);

void pfctl_add_rule(struct pfctl *, struct pf_rule *);

/* 'set ...' option setters; those returning int report failure
 * non-zero (convention assumed from the signatures -- confirm). */
int pfctl_set_timeout(struct pfctl *, const char *, int, int);
int pfctl_set_reassembly(struct pfctl *, int, int);
int pfctl_set_syncookies(struct pfctl *, u_int8_t,
    struct pfctl_watermarks *);
int pfctl_set_optimization(struct pfctl *, const char *);
int pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int pfctl_set_logif(struct pfctl *, char *);
void pfctl_set_hostid(struct pfctl *, u_int32_t);
int pfctl_set_debug(struct pfctl *, char *);
int pfctl_set_interface_flags(struct pfctl *, char *, int, int);

int parse_config(char *, struct pfctl *);
int parse_flags(char *);
int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

int pfctl_load_queues(struct pfctl *);
int pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
struct pfctl_qsitem * pfctl_find_queue(char *, struct pf_qihead *);

/* Printers used by the "show" paths. */
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
void print_src_node(struct pf_src_node *, int);
void print_rule(struct pf_rule *, const char *, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pf_status *, struct pfctl_watermarks *, int);
void print_queuespec(struct pf_queuespec *);

int pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
    struct pfr_buffer *) == 0 ? 0 : 0,
    u_int32_t);
void pfctl_expand_label_nr(struct pf_rule *, unsigned int);

/* OS fingerprint database handling (default file: PF_OSFP_FILE). */
void pfctl_clear_fingerprints(int, int);
int pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t pfctl_get_fingerprint(const char *);
int pfctl_load_fingerprints(int, int);
/* Output buffer and its size are passed explicitly, so the result can
 * be bounded by the callee. */
char *pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void pfctl_show_fingerprints(int);

/* ICMP type/code name tables. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

int string_to_loglevel(const char *);
const char *loglevel_to_string(int);

/* Name/value pair for the timeout table below. */
struct pf_timeout {
	const char *name;
	int timeout;
};

extern const struct pf_timeout pf_timeouts[];

/* Address, netmask and interface helpers. */
void set_ipmask(struct node_host *, int);
int check_netmask(struct node_host *, sa_family_t);
int unmask(struct pf_addr *);
struct node_host *gen_dynnode(struct node_host *, sa_family_t);
void ifa_load(void);
unsigned int ifa_nametoindex(const char *);
/* NOTE(review): no buffer length is passed; the caller's buffer must
 * be large enough for an interface name (IFNAMSIZ is the size used by
 * struct node_if above) -- confirm against the implementation. */
char *ifa_indextoname(unsigned int, char *);
struct node_host *ifa_exists(const char *);
struct node_host *ifa_lookup(const char *, int);
struct node_host *host(const char *, int);

/* Table entry builders writing into a pfr_buffer. */
int append_addr(struct pfr_buffer *, char *, int, int);
int append_addr_host(struct pfr_buffer *,
    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */