/*	$OpenBSD: pfctl_parser.h,v 1.103 2014/08/23 00:11:03 pelikan Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * pfctl_parser.h -- declarations shared between the pfctl translation
 * units: command-line option bits, the per-invocation pfctl state, the
 * parse-tree node types produced while reading a ruleset, the optimizer's
 * rule/table containers, and the prototypes of the helpers that load,
 * optimize and print rulesets, tables, queues and OS fingerprints.
 *
 * Nothing in this header is self-contained: it relies on the pf kernel
 * headers (struct pf_rule, struct pf_addr, PFTM_MAX, ...) and on
 * <sys/queue.h> having been included first.
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/* Default OS fingerprint database consumed by the pfctl_*_fingerprint* helpers. */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Command-line option bits (presumably OR'ed into struct pfctl.opts).
 * Note the gap between PF_OPT_OPTIMIZE (0x0800) and PF_OPT_RECURSE
 * (0x4000): 0x1000 and 0x2000 are not assigned in this header, so do
 * not assume the set is contiguous when adding a flag.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040	/* presumably: resolve names via DNS -- confirm */
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_RECURSE		0x4000
#define PF_OPT_PORTNAMES	0x8000

/* Mask covering every TCP flag bit (presumably mirrors TH_* in <netinet/tcp.h> -- confirm). */
#define PF_TH_ALL		0xFF

/* Inclusive port range used when a NAT/proxy port has to be picked (presumably the default). */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Values for struct pfctl.optimize, selecting the optimizer strategy. */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/* NULL-terminated table of counter names, in the order the counters are reported. */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition */


/*
 * Per-invocation pfctl state, threaded through the parser, the optimizer
 * and the load/print helpers below.
 */
struct pfctl {
	int dev;		/* presumably the open pf device descriptor -- confirm */
	int opts;		/* PF_OPT_* bits */
	int optimize;		/* PF_OPTIMIZE_* value */
	int asd;		/* anchor stack depth */
	int bn;			/* brace number */
	int brace;
	int tdirty;		/* kernel dirty */
	/*
	 * asd indexes astack.  This header does not bound it: whatever
	 * pushes an anchor must check asd < PFCTL_ANCHOR_STACK_DEPTH before
	 * writing, or nested anchors overrun the array -- confirm in the
	 * parser.
	 */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* presumably the pending transaction -- confirm */
	struct pf_anchor *anchor, *alast;	/* current anchor and the last one seen (assumed) */
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t timeout[PFTM_MAX];
	u_int32_t limit[PF_LIMIT_MAX];
	u_int32_t debug;
	u_int32_t hostid;
	u_int32_t reassemble;
	char *ifname;		/* ownership not documented here -- see pfctl_set_logif */

	/*
	 * The *_set flags record which of the 'set' options above were
	 * actually given (one flag per option / per timeout and limit slot),
	 * so that unset ones are presumably left at the kernel default.
	 */
	u_int8_t timeout_set[PFTM_MAX];
	u_int8_t limit_set[PF_LIMIT_MAX];
	u_int8_t debug_set;
	u_int8_t hostid_set;
	u_int8_t ifname_set;
	u_int8_t reass_set;
};

/*
 * Interface parse-tree node.  Nodes form a singly linked list through
 * next; tail is a convenience pointer to the list's last element.
 */
struct node_if {
	char ifname[IFNAMSIZ];	/* fixed size: writers must bound and NUL-terminate */
	u_int8_t not;		/* negated ("! ifname") */
	u_int8_t dynamic;	/* antispoof */
	u_int8_t use_rdomain;	/* rdomain below is meaningful only if set */
	u_int ifa_flags;
	int rdomain;
	struct node_if *next;
	struct node_if *tail;
};

/*
 * Host/address parse-tree node (list structure as for struct node_if).
 */
struct node_host {
	struct pf_addr_wrap addr;
	struct pf_addr bcast;
	struct pf_addr peer;
	sa_family_t af;
	u_int8_t not;		/* negated */
	u_int32_t ifindex;	/* link-local IPv6 addrs */
	u_int16_t weight;	/* load balancing weight */
	char *ifname;		/* heap or static? not stated here -- see freehostlist */
	u_int ifa_flags;
	struct node_host *next;
	struct node_host *tail;
};
/* Releases a node_host list; presumably walks next from the given head. */
void	freehostlist(struct node_host *);

/* OS-fingerprint parse-tree node: a textual OS name and its resolved fingerprint. */
struct node_os {
	char *os;
	pf_osfp_t fingerprint;
	struct node_os *next;
	struct node_os *tail;
};

/* Bandwidth specification: an absolute value (bps, per the hfsc comments) or a percentage. */
struct node_queue_bw {
	u_int32_t bw_absolute;
	u_int16_t bw_percent;
};

/* One HFSC service curve. */
struct node_hfsc_sc {
	struct node_queue_bw m1;	/* slope of 1st segment; bps */
	u_int d;			/* x-projection of m1; msec */
	struct node_queue_bw m2;	/* slope of 2nd segment; bps */
	u_int8_t used;			/* nonzero once the curve was specified (assumed) */
};

/* The three HFSC service curves plus scheduler flags. */
struct node_hfsc_opts {
	struct node_hfsc_sc realtime;
	struct node_hfsc_sc linkshare;
	struct node_hfsc_sc upperlimit;
	int flags;
};

/* Scheduler-specific queue options; qtype selects which union member is valid. */
struct node_queue_opt {
	int qtype;
	union {
		struct cbq_opts cbq_opts;
		struct priq_opts priq_opts;
		struct node_hfsc_opts hfsc_opts;
	} data;
};

/*
 * Table initializer list: each entry supplies either an inline host list
 * or a file to read addresses from (presumably exactly one of the two).
 */
SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit) entries;
	struct node_host *host;
	char *file;
};


/* optimizer created tables */
struct pf_opt_tbl {
	char pt_name[PF_TABLE_NAME_SIZE];	/* fixed size: bound the copy and NUL-terminate */
	int pt_rulecount;
	int pt_generated;
	u_int32_t pt_flags;
	struct node_tinithead pt_nodes;
	struct pfr_buffer *pt_buf;
};
/* Name prefix of the tables the optimizer generates. */
#define PF_OPT_TABLE_PREFIX	"__automatic_"

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule por_rule;
	struct pf_opt_tbl *por_src_tbl;
	struct pf_opt_tbl *por_dst_tbl;
	u_int64_t por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/*
 * Queue specifications form a tree: every pfctl_qsitem carries its own
 * children list.  qspecs and rootqs are the global heads, defined
 * elsewhere.
 */
extern TAILQ_HEAD(pf_qihead, pfctl_qsitem) qspecs, rootqs;
struct pfctl_qsitem {
	TAILQ_ENTRY(pfctl_qsitem) entries;
	struct pf_queuespec qs;
	struct pf_qihead children;
	int matches;
};


/* Ruleset loading and optimization. */
int	pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int	pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
int	add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
	    struct pf_rule_addr *, char *);

/* Rule and address-pool construction. */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t, int);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/*
 * 'set' option handlers.  The char * arguments are not const; whether a
 * handler keeps the pointer (struct pfctl.ifname is a plain char *) or
 * only reads it is not visible here -- confirm before passing a
 * temporary buffer.
 */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_reassembly(struct pfctl *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
void	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/* Entry points of the ruleset parser (input is the operator's configuration text). */
int	parse_config(char *, struct pfctl *);
int	parse_flags(char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Queue handling; pfctl_find_queue searches the given pf_qihead tree by name. */
int	pfctl_load_queues(struct pfctl *);
int	pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
struct pfctl_qsitem *	pfctl_find_queue(char *, struct pf_qihead *);

/* Pretty-printers used by the show/verbose paths. */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, int);
void	print_queuespec(struct pf_queuespec *);

int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprint database handling (see PF_OSFP_FILE).
 * pfctl_lookup_fingerprint writes the textual name into the caller's
 * buffer; the size_t argument is that buffer's size.
 */
void	pfctl_clear_fingerprints(int, int);
int	pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t
	pfctl_get_fingerprint(const char *);
int	pfctl_load_fingerprints(int, int);
char	*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void	pfctl_show_fingerprints(int);

/* ICMP type name/number table entry. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

/* ICMP code name/number table entry, scoped to its type. */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/* Lookups into the ICMP tables; return NULL when nothing matches (assumed -- confirm). */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* Conversions between syslog-style log level names and their numeric values. */
int			 string_to_loglevel(const char *);
const char		*loglevel_to_string(int);

/* Timeout name -> PFTM_* index mapping; pf_timeouts is defined elsewhere. */
struct pf_timeout {
	const char *name;
	int timeout;
};

extern const struct pf_timeout pf_timeouts[];

/*
 * Address and interface helpers.
 * ifa_indextoname takes no buffer size: the buffer is presumably
 * expected to hold IFNAMSIZ bytes (cf. if_indextoname(3)) -- confirm
 * against the implementation before passing anything smaller.
 */
void			 set_ipmask(struct node_host *, u_int8_t);
int			 check_netmask(struct node_host *, sa_family_t);
int			 unmask(struct pf_addr *, sa_family_t);
void			 ifa_load(void);
unsigned int		 ifa_nametoindex(const char *);
char			*ifa_indextoname(unsigned int, char *);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
struct node_host	*host(const char *);

/* Append parsed addresses (from a string, or from a node_host list) to a pfr_buffer. */
int			 append_addr(struct pfr_buffer *, char *, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */