/* $OpenBSD: pfctl_parser.h,v 1.113 2019/01/29 10:58:31 kn Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Shared declarations for the pfctl(8) ruleset parser and loader:
 * option bits, the parser state (struct pfctl), the node_* types that
 * the grammar builds, the optimizer containers and the prototypes of
 * the routines that operate on them.
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/* OS fingerprint database read by the pfctl_*_fingerprints() routines below. */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Option bits; presumably OR'd together into struct pfctl.opts.
 * 0x2000 is currently unassigned.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_NODNS		0x1000
#define PF_OPT_RECURSE		0x4000
#define PF_OPT_PORTNAMES	0x8000

/* All TCP flag bits set (8-bit mask). */
#define PF_TH_ALL		0xFF

/* Port range handed out for NAT proxy ports (inclusive). */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Ruleset optimizer levels; presumably stored in struct pfctl.optimize. */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/* NULL-terminated table of state-table counter names (fcnt index order). */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition */


/*
 * Parser/loader state.  A pointer to this is the first argument of most
 * of the pfctl_*() routines declared below.
 */
struct pfctl {
	int dev;			/* pf device descriptor; presumably /dev/pf -- confirm */
	int opts;			/* PF_OPT_* bits (presumably) */
	int optimize;			/* PF_OPTIMIZE_* level (presumably) */
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/*
	 * Fixed-size anchor stack indexed by asd.  The parser must keep
	 * asd below PFCTL_ANCHOR_STACK_DEPTH before pushing; nested
	 * anchors beyond that bound have to be rejected, not written.
	 * NOTE(review): the bound check lives in the parser -- verify it.
	 */
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* transaction buffer; pfr_buffer is opaque here */
	struct pf_anchor *anchor, *alast;	/* current anchor and, presumably, the last one pushed */
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t	 timeout[PFTM_MAX];
	u_int32_t	 limit[PF_LIMIT_MAX];
	u_int32_t	 debug;
	u_int32_t	 hostid;
	u_int32_t	 reassemble;
	u_int8_t	 syncookies;
	u_int8_t	 syncookieswat[2];	/* lowat, hiwat */
	char		*ifname;

	/*
	 * One flag per 'set' option above; presumably non-zero once that
	 * option has been given explicitly so the loader knows which
	 * values to push to the kernel -- confirm in the set handlers.
	 */
	u_int8_t	 timeout_set[PFTM_MAX];
	u_int8_t	 limit_set[PF_LIMIT_MAX];
	u_int8_t	 debug_set;
	u_int8_t	 hostid_set;
	u_int8_t	 ifname_set;
	u_int8_t	 reass_set;
	u_int8_t	 syncookies_set;
	u_int8_t	 syncookieswat_set;
};

/*
 * Interface list node.  Nodes are chained through next; tail is a tail
 * pointer (presumably only meaningful on the head node).
 */
struct node_if {
	char			 ifname[IFNAMSIZ];	/* fixed buffer: copies must stay within IFNAMSIZ incl. NUL */
	u_int8_t		 not;			/* negation flag */
	u_int8_t		 dynamic;		/* antispoof */
	u_int8_t		 use_rdomain;		/* rdomain below is valid */
	u_int			 ifa_flags;
	int			 rdomain;
	struct node_if		*next;
	struct node_if		*tail;
};

/*
 * Host/address list node.  Same next/tail chaining as struct node_if.
 * ifname is a plain pointer, so its storage is owned elsewhere
 * (presumably heap-allocated; see freehostlist()).
 */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;
	struct pf_addr		 peer;
	sa_family_t		 af;
	u_int8_t		 not;			/* negation flag */
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	u_int16_t		 weight;	/* load balancing weight */
	char			*ifname;
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;
};
/* Frees a node_host list; NOTE(review): confirm whether it also frees node->ifname. */
void	freehostlist(struct node_host *);

/* OS fingerprint list node (name plus resolved pf_osfp_t). */
struct node_os {
	char			*os;
	pf_osfp_t		 fingerprint;
	struct node_os		*next;
	struct node_os		*tail;
};

/* Queue bandwidth: either an absolute value or a percentage. */
struct node_queue_bw {
	u_int32_t	bw_absolute;
	u_int16_t	bw_percent;
};

/* HFSC service curve (two-segment). */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;
};

/* The three HFSC service curves of a queue plus option flags. */
struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;
};

/* Scheduler-specific queue options, selected by qtype. */
struct node_queue_opt {
	int			 qtype;
	union {
		struct priq_opts	 priq_opts;
		struct node_hfsc_opts	 hfsc_opts;
	}			 data;
};

SIMPLEQ_HEAD(node_tinithead, node_tinit);
/* Table initializer: addresses from a host list and/or from a file. */
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host		*host;
	char				*file;
};


/* optimizer created tables */
/*
 * Table synthesised by the ruleset optimizer.  pt_name is a fixed
 * PF_TABLE_NAME_SIZE buffer; generated names carry PF_OPT_TABLE_PREFIX
 * (defined below), so they stay distinguishable from user tables.
 */
struct pf_opt_tbl {
	char			 pt_name[PF_TABLE_NAME_SIZE];
	int			 pt_rulecount;
	int			 pt_generated;
	u_int32_t		 pt_flags;
	u_int32_t		 pt_refcnt;
	struct node_tinithead	 pt_nodes;
	struct pfr_buffer	*pt_buf;
};
#define PF_OPT_TABLE_PREFIX	"__automatic_"

/* optimizer pf_rule container */
/*
 * Wraps a pf_rule while the optimizer works on it.  por_skip_entry has
 * one list link per skip step (PF_SKIP_COUNT of them).
 */
struct pf_opt_rule {
	struct pf_rule		 por_rule;
	struct pf_opt_tbl	*por_src_tbl;
	struct pf_opt_tbl	*por_dst_tbl;
	u_int64_t		 por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/* Queue specification tree: qspecs / rootqs are the global heads. */
extern TAILQ_HEAD(pf_qihead, pfctl_qsitem) qspecs, rootqs;
struct pfctl_qsitem {
	TAILQ_ENTRY(pfctl_qsitem)	 entries;
	struct pf_queuespec		 qs;
	struct pf_qihead		 children;
	int				 matches;
};

/* hi/lo watermark pair (used by pfctl_set_syncookies() and print_status()). */
struct pfctl_watermarks {
	u_int32_t	hi;
	u_int32_t	lo;
};

/*
 * sockaddr -> pf_addr conversion.  No length is passed, so it presumably
 * dispatches on sa_family; callers should only hand it AF_INET/AF_INET6
 * sockaddrs -- confirm in the implementation.
 */
void	copy_satopfaddr(struct pf_addr *, struct sockaddr *);

/* Ruleset loading and optimization. */
int	pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int	pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
int	add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
	    struct pf_rule_addr *, char *);

/* Rule and pool construction. */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t, int);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/* 'set ...' option handlers; non-void ones return an int status. */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_reassembly(struct pfctl *, int, int);
int	pfctl_set_syncookies(struct pfctl *, u_int8_t,
	    struct pfctl_watermarks *);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
void	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/* Config file parsing entry points. */
int	parse_config(char *, struct pfctl *);
/* Parses a TCP flags string; presumably yields a mask within PF_TH_ALL -- confirm. */
int	parse_flags(char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Queue handling. */
int	pfctl_load_queues(struct pfctl *);
int	pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
struct pfctl_qsitem *	pfctl_find_queue(char *, struct pf_qihead *);

/* Printing routines; the trailing int arguments are presumably PF_OPT_* bits. */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, struct pfctl_watermarks *, int);
void	print_queuespec(struct pf_queuespec *);

int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprinting.  pfctl_lookup_fingerprint() writes into the caller's
 * char * buffer; the size_t is presumably that buffer's capacity, so
 * callers must pass the real size rather than a guess -- confirm.
 */
void		 pfctl_clear_fingerprints(int, int);
int		 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t	 pfctl_get_fingerprint(const char *);
int		 pfctl_load_fingerprints(int, int);
char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void		 pfctl_show_fingerprints(int);

/* ICMP type name table entry. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

/* ICMP code name table entry (code is qualified by type). */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/*
 * ICMP table lookups.  Return pointers into static tables (const), or
 * presumably NULL when nothing matches; the trailing u_int8_t is
 * presumably the address family -- confirm.
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* Log level name <-> number conversion. */
int			 string_to_loglevel(const char *);
const char		*loglevel_to_string(int);

/* Timeout name table entry; pf_timeouts[] is defined elsewhere. */
struct pf_timeout {
	const char	*name;
	int		 timeout;
};

extern const struct pf_timeout pf_timeouts[];

/* Address mask helpers. */
void			 set_ipmask(struct node_host *, int);
int			 check_netmask(struct node_host *, sa_family_t);
int			 unmask(struct pf_addr *);
struct node_host	*gen_dynnode(struct node_host *, sa_family_t);

/*
 * Interface address cache and lookups.  ifa_indextoname() takes an
 * unsized output buffer; NOTE(review): presumably it must hold IFNAMSIZ
 * bytes, as with if_indextoname(3) -- confirm before passing anything
 * smaller.
 */
void			 ifa_load(void);
unsigned int		 ifa_nametoindex(const char *);
char			*ifa_indextoname(unsigned int, char *);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
/* Resolves a host spec into a node_host list (may trigger DNS unless PF_OPT_NODNS -- presumably). */
struct node_host	*host(const char *, int);

/* Appends addresses to a pfr_buffer (table contents). */
int			 append_addr(struct pfr_buffer *, char *, int, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */