/*	$OpenBSD: pfctl_parser.h,v 1.85 2006/10/31 14:17:45 mcbride Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * pfctl_parser.h - shared declarations for the pfctl(8) rule parser,
 * rule/queue/table loaders, optimizer and printers.
 *
 * Everything here is declaration only; the behaviour of each function is
 * defined in its own translation unit and is not documented beyond what
 * the prototypes show.  Several types used below (struct pf_rule,
 * struct pf_addr, PFTM_MAX, PF_LIMIT_MAX, PF_SKIP_COUNT, IFNAMSIZ,
 * pf_osfp_t, ...) come from kernel/system headers that the including
 * file must provide first.
 */

/*
 * NOTE(review): the include-guard name starts with an underscore followed
 * by an uppercase letter, which the C standard reserves for the
 * implementation.  Kept as-is because it matches the surrounding tree's
 * convention.
 */
#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/*
 * Default path of the passive OS fingerprint database.  Presumably read by
 * pfctl_load_fingerprints()/pfctl_file_fingerprints() below - confirm in
 * the defining translation unit.  As a fixed system path it is trusted
 * configuration input, not user data.
 */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Command-line option bits.  Each is a distinct single bit, so they are
 * meant to be or'd together; presumably stored in struct pfctl.opts
 * (field name matches, not verified here).  Note that 0x1000 is not
 * defined in this header - do not reuse it without checking the rest of
 * the tree.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_MERGE		0x2000

/* Mask covering every TCP header flag bit (all eight bits set). */
#define PF_TH_ALL		0xFF

/*
 * Inclusive port range used for NAT proxy ports; spans 50001..65535, i.e.
 * the high end of the 16-bit port space.
 */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/*
 * Optimizer mode bits; presumably stored in struct pfctl.optimize and
 * selected via pfctl_set_optimization()/PF_OPT_OPTIMIZE - confirm in the
 * defining translation unit.
 */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/*
 * NULL-terminated initializer for a table of filter counter names.  The
 * order is significant to whoever indexes it; not checked here.
 */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition; only used through pointers here */


/*
 * Per-invocation parser/loader state.  A single instance is threaded
 * through the pfctl_*(), parse_*() and eval_*() functions below.
 */
struct pfctl {
	int dev;			/* presumably the /dev/pf descriptor - confirm */
	int opts;			/* presumably PF_OPT_* bits - confirm */
	int optimize;			/* presumably PF_OPTIMIZE_* bits - confirm */
	int loadopt;
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/*
	 * Fixed-size anchor stack indexed by asd.  NOTE(review): every push
	 * must refuse a depth of PFCTL_ANCHOR_STACK_DEPTH or more before
	 * writing astack[]; that bounds check lives in the parser, not in
	 * this header - verify it is present.
	 */
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_pooladdr paddr;
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* transaction buffer; ownership not visible here */
	struct pf_anchor *anchor, *alast;
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t	 timeout[PFTM_MAX];
	u_int32_t	 limit[PF_LIMIT_MAX];
	u_int32_t	 debug;
	u_int32_t	 hostid;
	char		*ifname;	/* pointer, not an inline buffer; who frees it is not visible here */

	/* per-option "was set" flags, parallel to the arrays/fields above */
	u_int8_t	 timeout_set[PFTM_MAX];
	u_int8_t	 limit_set[PF_LIMIT_MAX];
	u_int8_t	 debug_set;
	u_int8_t	 hostid_set;
	u_int8_t	 ifname_set;
};

/*
 * Linked list node for an interface name (with optional negation).
 * Singly linked via next; tail is a per-list cursor.
 */
struct node_if {
	/*
	 * Inline, fixed-size name buffer: writers must bound copies to
	 * IFNAMSIZ and keep the NUL terminator (e.g. strlcpy/snprintf),
	 * never strcpy.
	 */
	char			 ifname[IFNAMSIZ];
	u_int8_t		 not;
	u_int8_t		 dynamic; /* antispoof */
	u_int			 ifa_flags;
	struct node_if		*next;
	struct node_if		*tail;
};

/*
 * Linked list node for a host/address (with broadcast and peer addresses,
 * address family and optional negation).
 */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;
	struct pf_addr		 peer;
	sa_family_t		 af;
	u_int8_t		 not;
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	char			*ifname;	/* pointer (unlike node_if.ifname); ownership not visible here */
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;
};

/* Linked list node for an OS fingerprint ("os" keyword). */
struct node_os {
	char			*os;
	pf_osfp_t		 fingerprint;
	struct node_os		*next;
	struct node_os		*tail;
};

/* Queue bandwidth: an absolute value and/or a percentage. */
struct node_queue_bw {
	u_int32_t	bw_absolute;
	u_int16_t	bw_percent;
};

/* One HFSC service curve: two slopes joined at projection d. */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;
};

/* The three HFSC service curves plus scheduler flags. */
struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;
};

/*
 * Scheduler-specific queue options.  qtype selects which union member is
 * valid; readers must not touch the other members.
 */
struct node_queue_opt {
	int			 qtype;
	union {
		struct cbq_opts		 cbq_opts;
		struct priq_opts	 priq_opts;
		struct node_hfsc_opts	 hfsc_opts;
	}			 data;
};

/* queue(3)-style singly linked list of table initializers. */
SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host	*host;	/* inline address list, or ... */
	char			*file;	/* ... a file to load addresses from */
};


/* optimizer created tables */
struct pf_opt_tbl {
	char			 pt_name[PF_TABLE_NAME_SIZE];	/* fixed buffer; bound all writes */
	int			 pt_rulecount;
	int			 pt_generated;
	struct node_tinithead	 pt_nodes;
	struct pfr_buffer	*pt_buf;
};
/* Name prefix for tables the optimizer generates itself. */
#define PF_OPT_TABLE_PREFIX	"__automatic_"

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule		 por_rule;
	struct pf_opt_tbl	*por_src_tbl;
	struct pf_opt_tbl	*por_dst_tbl;
	u_int64_t		 por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/*
 * Rule loading and optimization.  Parameter meanings are not recoverable
 * from this header; see the defining translation units.  Return values
 * are int status codes throughout.
 */
int	pfctl_rules(int, char *, FILE *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);

/* Adding parsed rules, ALTQ entries and address pools to the pfctl state. */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/*
 * 'set ...' option handlers; presumably fill the corresponding fields and
 * *_set flags of struct pfctl - confirm.  Note that pfctl_set_logif() and
 * pfctl_set_debug() take a non-const char *, so callers must not pass
 * string literals or otherwise read-only storage.
 */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
int	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/* Parser entry points: a rule file stream, a TCP flags string, anchors. */
int	parse_rules(FILE *, struct pfctl *);
int	parse_flags(char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Printers for loaded objects (the trailing int is presumably opts/verbosity - confirm). */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, int);

/* ALTQ / queue evaluation against the parsed bandwidth and options. */
int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

/* Table definition ("table <name> ...") into a pfr_buffer. */
int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprint database handling.  pfctl_lookup_fingerprint() takes a
 * caller-supplied buffer and its size (presumably the output buffer
 * length - confirm), so lookups are bounded by the caller's size argument.
 */
void		 pfctl_clear_fingerprints(int, int);
int		 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t	 pfctl_get_fingerprint(const char *);
int		 pfctl_load_fingerprints(int, int);
char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void		 pfctl_show_fingerprints(int);


/* ICMP type name <-> number table entry. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

/* ICMP code name <-> (type, code) table entry. */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/*
 * ICMP lookups; return pointers into static tables (const), presumably
 * NULL when not found - confirm in the defining translation unit.  The
 * by-name variants take a non-const char * despite being lookups.
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* Timeout keyword -> PFTM_* id table entry. */
struct pf_timeout {
	const char	*name;
	int		 timeout;
};

/* Rule-section bits (filter, nat, option, altq, table); single bits, or'able. */
#define PFCTL_FLAG_FILTER	0x02
#define PFCTL_FLAG_NAT		0x04
#define PFCTL_FLAG_OPTION	0x08
#define PFCTL_FLAG_ALTQ		0x10
#define PFCTL_FLAG_TABLE	0x20

/* Terminated table of timeout keywords; terminator convention not visible here. */
extern const struct pf_timeout pf_timeouts[];

/*
 * Address/netmask helpers and interface address enumeration.  ifa_exists(),
 * ifa_lookup() and host() return node_host lists; whether the caller owns
 * and must free them is not visible here - confirm before use.
 */
void			 set_ipmask(struct node_host *, u_int8_t);
int			 check_netmask(struct node_host *, sa_family_t);
int			 unmask(struct pf_addr *, sa_family_t);
void			 ifa_load(void);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
struct node_host	*host(const char *);

/* Append addresses (from a string or a node_host list) to a pfr_buffer. */
int			 append_addr(struct pfr_buffer *, char *, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */