/*	$OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * Shared declarations for pfctl: command-line option bits, the node
 * types the rule parser builds, the optimizer's rule/table containers,
 * and the prototypes of the parse, load and print helpers.
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/* Path of the OS fingerprint database (presumably the default for the
 * pfctl_*_fingerprints() helpers below -- confirm in pfctl.c). */
#define PF_OSFP_FILE	"/etc/pf.os"

/*
 * PF_OPT_* are single-bit flags meant to be OR'ed together.
 * NOTE(review): 0x1000 is not assigned here; struct pfctl.opts appears to
 * be the holder of these bits -- confirm against pfctl.c.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_MERGE		0x2000
#define PF_OPT_RECURSE		0x4000

#define PF_TH_ALL		0xFF

/* Inclusive port range [50001, 65535] used for NAT proxy ports. */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Optimizer levels; see struct pfctl.optimize and PF_OPT_OPTIMIZE. */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/* NULL-terminated table of counter names; the NULL sentinel ends iteration. */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition */


/*
 * State carried through one pfctl run (device handle, option bits, the
 * anchor stack the parser maintains, and values collected from 'set'
 * statements).
 */
struct pfctl {
	int dev;		/* pf device file descriptor */
	int opts;		/* PF_OPT_* bits */
	int optimize;		/* PF_OPTIMIZE_* level */
	int loadopt;
	int asd;		/* anchor stack depth */
	int bn;			/* brace number */
	int brace;
	int tdirty;		/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/*
	 * astack is indexed by asd.  Anything that pushes an anchor must
	 * check asd < PFCTL_ANCHOR_STACK_DEPTH before storing; the check is
	 * not enforced by this header.  NOTE(review): confirm the push site
	 * in the parser performs it.
	 */
	struct pf_anchor	*astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_pooladdr	 paddr;
	struct pfioc_altq	*paltq;
	struct pfioc_queue	*pqueue;
	struct pfr_buffer	*trans;
	struct pf_anchor	*anchor, *alast;
	const char		*ruleset;

	/* 'set foo' options */
	u_int32_t		 timeout[PFTM_MAX];
	u_int32_t		 limit[PF_LIMIT_MAX];
	u_int32_t		 debug;
	u_int32_t		 hostid;
	char			*ifname;

	/*
	 * NOTE(review): the *_set bytes appear to record which of the values
	 * above were explicitly given, one flag per value (per-index for the
	 * arrays) -- confirm against the pfctl_set_*() implementations.
	 */
	u_int8_t		 timeout_set[PFTM_MAX];
	u_int8_t		 limit_set[PF_LIMIT_MAX];
	u_int8_t		 debug_set;
	u_int8_t		 hostid_set;
	u_int8_t		 ifname_set;
};

/* Interface list node produced by the parser. */
struct node_if {
	/* Fixed-size buffer: whoever fills it must bound the copy and
	 * NUL-terminate within IFNAMSIZ. */
	char			 ifname[IFNAMSIZ];
	u_int8_t		 not;		/* negated match (presumably '!') */
	u_int8_t		 dynamic;	/* antispoof */
	u_int			 ifa_flags;
	struct node_if		*next;
	struct node_if		*tail;		/* presumably last node, for appends */
};

/* Host/address list node produced by the parser. */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;
	struct pf_addr		 peer;
	sa_family_t		 af;
	u_int8_t		 not;		/* negated match (presumably '!') */
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	char			*ifname;
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;		/* presumably last node, for appends */
};

/* OS fingerprint list node. */
struct node_os {
	char			*os;
	pf_osfp_t		 fingerprint;
	struct node_os		*next;
	struct node_os		*tail;
};

/* Bandwidth given either as an absolute value or as a percentage;
 * NOTE(review): which field is authoritative is decided by the users of
 * this struct, not here. */
struct node_queue_bw {
	u_int32_t	bw_absolute;
	u_int16_t	bw_percent;
};

/* One HFSC service curve. */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;
};

struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;
};

/* Scheduler-specific queue options; qtype selects the union member. */
struct node_queue_opt {
	int			 qtype;
	union {
		struct cbq_opts		 cbq_opts;
		struct priq_opts	 priq_opts;
		struct node_hfsc_opts	 hfsc_opts;
	}			 data;
};

SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host		*host;
	char				*file;
};


/* optimizer created tables */
struct pf_opt_tbl {
	char			 pt_name[PF_TABLE_NAME_SIZE];	/* fixed-size, must stay NUL-terminated */
	int			 pt_rulecount;
	int			 pt_generated;
	struct node_tinithead	 pt_nodes;
	struct pfr_buffer	*pt_buf;
};
/* Name prefix for tables the optimizer creates itself. */
#define PF_OPT_TABLE_PREFIX	"__automatic_"

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule		 por_rule;
	struct pf_opt_tbl	*por_src_tbl;
	struct pf_opt_tbl	*por_dst_tbl;
	u_int64_t		 por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/*
 * Prototypes.  Return conventions are defined in the implementing .c
 * files.  NOTE(review): several of these take `char *` where `const char *`
 * would better state intent; changing them here requires matching changes
 * to the definitions, so they are left as declared.
 */

/* ruleset loading and optimization */
int	pfctl_rules(int, char *, FILE *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);

int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/* 'set ...' option handlers; record into the struct pfctl fields above */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
int	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

int	parse_rules(FILE *, struct pfctl *);
int	parse_flags(char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* printers */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, int);

/* ALTQ evaluation and printing */
int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/* OS fingerprinting; see PF_OSFP_FILE */
void		 pfctl_clear_fingerprints(int, int);
int		 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t	 pfctl_get_fingerprint(const char *);
int		 pfctl_load_fingerprints(int, int);
/* NOTE(review): the char * / size_t pair presumably is a caller-supplied
 * output buffer and its capacity -- confirm in pfctl_osfp.c. */
char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void		 pfctl_show_fingerprints(int);


/* ICMP type/code name tables and lookups */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* Name/value pair for the pf_timeouts[] table. */
struct pf_timeout {
	const char	*name;
	int		 timeout;
};

/* Section bits; NOTE(review): 0x01 is not defined here. */
#define PFCTL_FLAG_FILTER	0x02
#define PFCTL_FLAG_NAT		0x04
#define PFCTL_FLAG_OPTION	0x08
#define PFCTL_FLAG_ALTQ		0x10
#define PFCTL_FLAG_TABLE	0x20

extern const struct pf_timeout pf_timeouts[];

/* address/netmask and interface helpers */
void			 set_ipmask(struct node_host *, u_int8_t);
int			 check_netmask(struct node_host *, sa_family_t);
int			 unmask(struct pf_addr *, sa_family_t);
void			 ifa_load(void);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
struct node_host	*host(const char *);

int			 append_addr(struct pfr_buffer *, char *, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */