sbin/pfctl/pfctl_parser.h

*42a2f8b7Sdlg/*	$OpenBSD: pfctl_parser.h,v 1.121 2024/11/12 04:14:51 dlg Exp $ */
14a9b182Skjell
14a9b182Skjell/*
fd3c3a0cSderaadt * Copyright (c) 2001 Daniel Hartmeier
f8d11d7cShenning * Copyright (c) 2002 - 2013 Henning Brauer <henning@openbsd.org>
14a9b182Skjell * All rights reserved.
14a9b182Skjell *
14a9b182Skjell * Redistribution and use in source and binary forms, with or without
14a9b182Skjell * modification, are permitted provided that the following conditions
14a9b182Skjell * are met:
14a9b182Skjell *
14a9b182Skjell *    - Redistributions of source code must retain the above copyright
14a9b182Skjell *      notice, this list of conditions and the following disclaimer.
14a9b182Skjell *    - Redistributions in binary form must reproduce the above
14a9b182Skjell *      copyright notice, this list of conditions and the following
14a9b182Skjell *      disclaimer in the documentation and/or other materials provided
14a9b182Skjell *      with the distribution.
14a9b182Skjell *
14a9b182Skjell * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14a9b182Skjell * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
14a9b182Skjell * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14a9b182Skjell * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
5974bd37Sdhartmei * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
14a9b182Skjell * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
14a9b182Skjell * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
14a9b182Skjell * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
14a9b182Skjell * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
14a9b182Skjell * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
14a9b182Skjell * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
14a9b182Skjell * POSSIBILITY OF SUCH DAMAGE.
14a9b182Skjell *
14a9b182Skjell */
14a9b182Skjell
a6d3c168Sdhartmei#ifndef _PFCTL_PARSER_H_
a6d3c168Sdhartmei#define _PFCTL_PARSER_H_
14a9b182Skjell
64b4b616Sfrantzen#define PF_OSFP_FILE		"/etc/pf.os"
64b4b616Sfrantzen
ae711728Ssashan#define PF_OPT_DISABLE		0x00001
ae711728Ssashan#define PF_OPT_ENABLE		0x00002
ae711728Ssashan#define PF_OPT_VERBOSE		0x00004
ae711728Ssashan#define PF_OPT_NOACTION		0x00008
ae711728Ssashan#define PF_OPT_QUIET		0x00010
ae711728Ssashan#define PF_OPT_CLRRULECTRS	0x00020
ae711728Ssashan#define PF_OPT_USEDNS		0x00040
ae711728Ssashan#define PF_OPT_VERBOSE2		0x00080
ae711728Ssashan#define PF_OPT_DUMMYACTION	0x00100
ae711728Ssashan#define PF_OPT_DEBUG		0x00200
ae711728Ssashan#define PF_OPT_SHOWALL		0x00400
ae711728Ssashan#define PF_OPT_OPTIMIZE		0x00800
ae711728Ssashan#define PF_OPT_NODNS		0x01000
ae711728Ssashan#define PF_OPT_RECURSE		0x04000
ae711728Ssashan#define PF_OPT_PORTNAMES	0x08000
ae711728Ssashan#define PF_OPT_IGNFAIL		0x10000
3898e353Ssashan#define PF_OPT_CALLSHOW		0x20000
533ca421Smarkus
bc795af0Shugh#define PF_TH_ALL		0xFF
bc795af0Shugh
e4b04189Sdhartmei#define PF_NAT_PROXY_PORT_LOW	50001
e4b04189Sdhartmei#define PF_NAT_PROXY_PORT_HIGH	65535
e4b04189Sdhartmei
ac877e75Smcbride#define PF_OPTIMIZE_BASIC	0x0001
ac877e75Smcbride#define PF_OPTIMIZE_PROFILE	0x0002
ac877e75Smcbride
c474e331Shenning#define FCNT_NAMES { \
c474e331Shenning	"searches", \
c474e331Shenning	"inserts", \
c474e331Shenning	"removals", \
c474e331Shenning	NULL \
c474e331Shenning}
c474e331Shenning
ab648bf6Sfrantzenstruct pfr_buffer;	/* forward definition */
ab648bf6Sfrantzen
ab648bf6Sfrantzen
ff352a37Smarkusstruct pfctl {
ff352a37Smarkus	int dev;
ff352a37Smarkus	int opts;
ac877e75Smcbride	int optimize;
305ca21dSmcbride	int asd;			/* anchor stack depth */
305ca21dSmcbride	int bn;				/* brace number */
305ca21dSmcbride	int brace;
1cc45128Scedric	int tdirty;			/* kernel dirty */
305ca21dSmcbride#define PFCTL_ANCHOR_STACK_DEPTH 64
305ca21dSmcbride	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
78e1d2a6Shenning	struct pfioc_queue *pqueue;
79cc0068Scedric	struct pfr_buffer *trans;
305ca21dSmcbride	struct pf_anchor *anchor, *alast;
30269bc3Ssashan	struct pfr_ktablehead pfr_ktlast;
3e963a2eScedric	const char *ruleset;
b6ba38e2Smcbride
b6ba38e2Smcbride	/* 'set foo' options */
b6ba38e2Smcbride	u_int32_t	 timeout[PFTM_MAX];
b6ba38e2Smcbride	u_int32_t	 limit[PF_LIMIT_MAX];
b6ba38e2Smcbride	u_int32_t	 debug;
b6ba38e2Smcbride	u_int32_t	 hostid;
e9953237Shenning	u_int32_t	 reassemble;
6dce935dShenning	u_int8_t	 syncookies;
4ee64aa9Shenning	u_int8_t	 syncookieswat[2];	/* lowat, hiwat */
b6ba38e2Smcbride	char		*ifname;
b6ba38e2Smcbride
b6ba38e2Smcbride	u_int8_t	 timeout_set[PFTM_MAX];
b6ba38e2Smcbride	u_int8_t	 limit_set[PF_LIMIT_MAX];
b6ba38e2Smcbride	u_int8_t	 debug_set;
b6ba38e2Smcbride	u_int8_t	 hostid_set;
b6ba38e2Smcbride	u_int8_t	 ifname_set;
e9953237Shenning	u_int8_t	 reass_set;
6dce935dShenning	u_int8_t	 syncookies_set;
4ee64aa9Shenning	u_int8_t	 syncookieswat_set;
ff352a37Smarkus};
ff352a37Smarkus
94e9410bShenningstruct node_if {
94e9410bShenning	char			 ifname[IFNAMSIZ];
94e9410bShenning	u_int8_t		 not;
941498dbScedric	u_int8_t		 dynamic; /* antispoof */
9e70289eSclaudio	u_int8_t		 use_rdomain;
94e9410bShenning	u_int			 ifa_flags;
9e70289eSclaudio	int			 rdomain;
94e9410bShenning	struct node_if		*next;
94e9410bShenning	struct node_if		*tail;
94e9410bShenning};
94e9410bShenning
94e9410bShenningstruct node_host {
94e9410bShenning	struct pf_addr_wrap	 addr;
94e9410bShenning	struct pf_addr		 bcast;
ec359bd5Scedric	struct pf_addr		 peer;
94e9410bShenning	sa_family_t		 af;
94e9410bShenning	u_int8_t		 not;
94e9410bShenning	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
cbdc262eSmcbride	u_int16_t		 weight;	/* load balancing weight */
94e9410bShenning	char			*ifname;
94e9410bShenning	u_int			 ifa_flags;
94e9410bShenning	struct node_host	*next;
94e9410bShenning	struct node_host	*tail;
94e9410bShenning};
e3b4bc25Sderaadtvoid	freehostlist(struct node_host *);
94e9410bShenning
64b4b616Sfrantzenstruct node_os {
64b4b616Sfrantzen	char			*os;
64b4b616Sfrantzen	pf_osfp_t		 fingerprint;
64b4b616Sfrantzen	struct node_os		*next;
64b4b616Sfrantzen	struct node_os		*tail;
64b4b616Sfrantzen};
64b4b616Sfrantzen
26025fd6Shenningstruct node_queue_bw {
*42a2f8b7Sdlg	u_int64_t	bw_absolute;
26025fd6Shenning	u_int16_t	bw_percent;
26025fd6Shenning};
26025fd6Shenning
26025fd6Shenningstruct node_hfsc_sc {
26025fd6Shenning	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
26025fd6Shenning	u_int			d;	/* x-projection of m1; msec */
26025fd6Shenning	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
26025fd6Shenning	u_int8_t		used;
26025fd6Shenning};
26025fd6Shenning
26025fd6Shenningstruct node_hfsc_opts {
26025fd6Shenning	struct node_hfsc_sc	realtime;
26025fd6Shenning	struct node_hfsc_sc	linkshare;
26025fd6Shenning	struct node_hfsc_sc	upperlimit;
26025fd6Shenning	int			flags;
26025fd6Shenning};
26025fd6Shenning
643bebe0Shenningstruct node_queue_opt {
643bebe0Shenning	int			 qtype;
643bebe0Shenning	union {
643bebe0Shenning		struct priq_opts	priq_opts;
26025fd6Shenning		struct node_hfsc_opts	hfsc_opts;
643bebe0Shenning	}			 data;
643bebe0Shenning};
643bebe0Shenning
5b6c447dScedricSIMPLEQ_HEAD(node_tinithead, node_tinit);
5b6c447dScedricstruct node_tinit {	/* table initializer */
5b6c447dScedric	SIMPLEQ_ENTRY(node_tinit)	 entries;
5b6c447dScedric	struct node_host		*host;
5b6c447dScedric	char				*file;
5b6c447dScedric};
5b6c447dScedric
ab648bf6Sfrantzen
ab648bf6Sfrantzen/* optimizer created tables */
ab648bf6Sfrantzenstruct pf_opt_tbl {
ab648bf6Sfrantzen	char			 pt_name[PF_TABLE_NAME_SIZE];
ab648bf6Sfrantzen	int			 pt_rulecount;
ab648bf6Sfrantzen	int			 pt_generated;
bcb11948Szinke	u_int32_t		 pt_flags;
43d70b83Ssashan	u_int32_t		 pt_refcnt;
ab648bf6Sfrantzen	struct node_tinithead	 pt_nodes;
ab648bf6Sfrantzen	struct pfr_buffer	*pt_buf;
ab648bf6Sfrantzen};
ab648bf6Sfrantzen
ab648bf6Sfrantzen/* optimizer pf_rule container */
ab648bf6Sfrantzenstruct pf_opt_rule {
ab648bf6Sfrantzen	struct pf_rule		 por_rule;
ab648bf6Sfrantzen	struct pf_opt_tbl	*por_src_tbl;
ab648bf6Sfrantzen	struct pf_opt_tbl	*por_dst_tbl;
ab648bf6Sfrantzen	u_int64_t		 por_profile_count;
ab648bf6Sfrantzen	TAILQ_ENTRY(pf_opt_rule) por_entry;
ab648bf6Sfrantzen	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
ab648bf6Sfrantzen};
ab648bf6Sfrantzen
305ca21dSmcbrideTAILQ_HEAD(pf_opt_queue, pf_opt_rule);
5b6c447dScedric
b2e3e909Spelikanextern TAILQ_HEAD(pf_qihead, pfctl_qsitem) qspecs, rootqs;
b2e3e909Spelikanstruct pfctl_qsitem {
b2e3e909Spelikan	TAILQ_ENTRY(pfctl_qsitem)	 entries;
b2e3e909Spelikan	struct pf_queuespec		 qs;
b2e3e909Spelikan	struct pf_qihead		 children;
b2e3e909Spelikan	int				 matches;
b2e3e909Spelikan};
b2e3e909Spelikan
6af76811Shenningstruct pfctl_watermarks {
6af76811Shenning	u_int32_t	hi;
6af76811Shenning	u_int32_t	lo;
6af76811Shenning};
b2e3e909Spelikan
30269bc3Ssashanstruct pfr_uktable;
30269bc3Ssashan
0ff82421Sknvoid		 copy_satopfaddr(struct pf_addr *, struct sockaddr *);
0ff82421Skn
20741916Sderaadtint	pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
305ca21dSmcbrideint	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
36754172Smcbrideint     pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
36754172Smcbrideint     add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
36754172Smcbride            struct pf_rule_addr *, char *);
4ad19872Shenning
6da84b37Sknvoid	pfctl_add_rule(struct pfctl *, struct pf_rule *);
ff352a37Smarkus
7829bedfShenningint	pfctl_set_timeout(struct pfctl *, const char *, int, int);
e9953237Shenningint	pfctl_set_reassembly(struct pfctl *, int, int);
4ee64aa9Shenningint	pfctl_set_syncookies(struct pfctl *, u_int8_t,
4ee64aa9Shenning	    struct pfctl_watermarks *);
41d03d6aShenningint	pfctl_set_optimization(struct pfctl *, const char *);
41d03d6aShenningint	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
41d03d6aShenningint	pfctl_set_logif(struct pfctl *, char *);
9ac6101fSmcbridevoid	pfctl_set_hostid(struct pfctl *, u_int32_t);
50141adaShenningint	pfctl_set_debug(struct pfctl *, char *);
1a41552dSdhartmeiint	pfctl_set_interface_flags(struct pfctl *, char *, int, int);
41d03d6aShenning
20741916Sderaadtint	parse_config(char *, struct pfctl *);
ff352a37Smarkusint	parse_flags(char *);
30269bc3Ssashanint	pfctl_load_anchors(int, struct pfctl *);
ff352a37Smarkus
f8d11d7cShenningint	pfctl_load_queues(struct pfctl *);
f8d11d7cShenningint	pfctl_add_queue(struct pfctl *, struct pf_queuespec *);
b2e3e909Spelikanstruct pfctl_qsitem *	pfctl_find_queue(char *, struct pf_qihead *);
f8d11d7cShenning
36754172Smcbridevoid	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
fd777407Smcbridevoid	print_src_node(struct pf_src_node *, int);
d9ad7941Sdhartmeivoid	print_rule(struct pf_rule *, const char *, int);
5b6c447dScedricvoid	print_tabledef(const char *, int, int, struct node_tinithead *);
6af76811Shenningvoid	print_status(struct pf_status *, struct pfctl_watermarks *, int);
f8d11d7cShenningvoid	print_queuespec(struct pf_queuespec *);
14a9b182Skjell
d9ad7941Sdhartmeiint	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
30269bc3Ssashan	    u_int32_t, struct pfr_uktable *);
6edf764cSsashanvoid	pfctl_expand_label_nr(struct pf_rule *, unsigned int);
c06aa877Scedric
64b4b616Sfrantzenvoid		 pfctl_clear_fingerprints(int, int);
64b4b616Sfrantzenint		 pfctl_file_fingerprints(int, int, const char *);
64b4b616Sfrantzenpf_osfp_t	 pfctl_get_fingerprint(const char *);
64b4b616Sfrantzenint		 pfctl_load_fingerprints(int, int);
64b4b616Sfrantzenchar		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
64b4b616Sfrantzenvoid		 pfctl_show_fingerprints(int);
64b4b616Sfrantzen
ff352a37Smarkusstruct icmptypeent {
132c30ccShenning	const char *name;
ff352a37Smarkus	u_int8_t type;
ff352a37Smarkus};
ff352a37Smarkus
ff352a37Smarkusstruct icmpcodeent {
132c30ccShenning	const char *name;
ff352a37Smarkus	u_int8_t type;
ff352a37Smarkus	u_int8_t code;
ff352a37Smarkus};
ff352a37Smarkus
7d27d81aSdhartmeiconst struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
7d27d81aSdhartmeiconst struct icmptypeent *geticmptypebyname(char *, u_int8_t);
7d27d81aSdhartmeiconst struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
7d27d81aSdhartmeiconst struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);
ff352a37Smarkus
a2fdc13dSmcbrideint			  string_to_loglevel(const char *);
a2fdc13dSmcbrideconst char		 *loglevel_to_string(int);
a2fdc13dSmcbride
cc5f0329Sdhartmeistruct pf_timeout {
cc5f0329Sdhartmei	const char	*name;
cc5f0329Sdhartmei	int		 timeout;
cc5f0329Sdhartmei};
cc5f0329Sdhartmei
cc5f0329Sdhartmeiextern const struct pf_timeout pf_timeouts[];
cc5f0329Sdhartmei
c04427ddSknvoid			 set_ipmask(struct node_host *, int);
52f4a4a4Shenningint			 check_netmask(struct node_host *, sa_family_t);
f0bb6ca5Sknint			 unmask(struct pf_addr *);
c64927a6Smikebstruct node_host	*gen_dynnode(struct node_host *, sa_family_t);
94e9410bShenningvoid			 ifa_load(void);
918dda86Smikebunsigned int		 ifa_nametoindex(const char *);
918dda86Smikebchar			*ifa_indextoname(unsigned int, char *);
6c3582faShenningstruct node_host	*ifa_exists(const char *);
ec359bd5Scedricstruct node_host	*ifa_lookup(const char *, int);
7c8726d4Sbennostruct node_host	*host(const char *, int);
94e9410bShenning
7c8726d4Sbennoint			 append_addr(struct pfr_buffer *, char *, int, int);
5b6c447dScedricint			 append_addr_host(struct pfr_buffer *,
5b6c447dScedric			    struct node_host *, int, int);
30269bc3Ssashanint			 pfr_ktable_compare(struct pfr_ktable *,
30269bc3Ssashan			    struct pfr_ktable *);
30269bc3SsashanRB_PROTOTYPE(pfr_ktablehead, pfr_ktable, pfrkt_tree, pfr_ktable_compare);
42e05679Scedric
a6d3c168Sdhartmei#endif /* _PFCTL_PARSER_H_ */