/*	$NetBSD: pfctl_parser.h,v 1.5 2008/06/18 09:06:26 yamt Exp $	*/
/*	$OpenBSD: pfctl_parser.h,v 1.86 2006/10/31 23:46:25 mcbride Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * pfctl_parser.h - shared declarations for the pfctl rule parser, the
 * ruleset optimizer, the ALTQ/queue evaluators and the printing/lookup
 * helpers.  Everything here is consumed by the pfctl front end; the
 * kernel-side types (struct pf_rule, struct pf_addr, PFTM_MAX, ...) come
 * from the pf headers that must be included before this file.
 */

/*
 * NOTE(review): an identifier beginning with an underscore followed by an
 * uppercase letter is reserved for the implementation by the C standard.
 * The guard is left as-is because other translation units may test it.
 */
#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/*
 * Default location of the OS fingerprint database.  The path is absolute,
 * so loading does not depend on the current working directory.
 */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Command-line / behaviour flags kept in struct pfctl.opts.  Each value is
 * a single bit so they can be OR-ed together.  0x1000 is not assigned in
 * this header; do not reuse it without checking the rest of the tree.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_MERGE		0x2000
#define PF_OPT_RECURSE		0x4000

/* Mask covering every bit of the 8-bit TCP flags field. */
#define PF_TH_ALL		0xFF

/*
 * Port range used for NAT proxy ports.  The upper bound is the largest
 * representable 16-bit port number.
 */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Optimizer modes kept in struct pfctl.optimize (bit flags). */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/* NULL-terminated table of the fragment-cache counter names. */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

struct pfr_buffer;	/* forward definition */


/*
 * Per-invocation parser state.  One instance is threaded through the
 * pfctl_* and parse_* functions declared below.
 */
struct pfctl {
	int dev;			/* presumably the open pf device fd; confirm against the code that fills this */
	int opts;			/* PF_OPT_* bit flags */
	int optimize;			/* PF_OPTIMIZE_* bit flags */
	int loadopt;
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	/*
	 * Fixed-size anchor stack.  asd presumably indexes into it; the
	 * code that pushes must keep asd below PFCTL_ANCHOR_STACK_DEPTH,
	 * nothing in this header enforces the bound.
	 */
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_pooladdr paddr;
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* pending transaction buffer (opaque here) */
	struct pf_anchor *anchor, *alast;
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t timeout[PFTM_MAX];
	u_int32_t limit[PF_LIMIT_MAX];
	u_int32_t debug;
	u_int32_t hostid;
	char *ifname;

	/*
	 * The *_set flags apparently record which of the values above were
	 * given explicitly, so unset ones can be left alone when applying.
	 */
	u_int8_t timeout_set[PFTM_MAX];
	u_int8_t limit_set[PF_LIMIT_MAX];
	u_int8_t debug_set;
	u_int8_t hostid_set;
	u_int8_t ifname_set;
};

/*
 * Interface list node.  ifname is a fixed IFNAMSIZ buffer: writers must
 * bound the copy and NUL-terminate it themselves.
 */
struct node_if {
	char ifname[IFNAMSIZ];
	u_int8_t not;			/* negation ("! ifname"), by its name */
	u_int8_t dynamic;		/* antispoof */
	u_int ifa_flags;
	struct node_if *next;
	struct node_if *tail;
};

/* Host/address list node (singly linked via next, with a tail pointer). */
struct node_host {
	struct pf_addr_wrap addr;
	struct pf_addr bcast;
	struct pf_addr peer;
	sa_family_t af;
	u_int8_t not;
	u_int32_t ifindex;		/* link-local IPv6 addrs */
	char *ifname;
	u_int ifa_flags;
	struct node_host *next;
	struct node_host *tail;
};

/* OS fingerprint list node. */
struct node_os {
	char *os;
	pf_osfp_t fingerprint;
	struct node_os *next;
	struct node_os *tail;
};

/* Queue bandwidth, given either as an absolute value or as a percentage. */
struct node_queue_bw {
	u_int32_t bw_absolute;
	u_int16_t bw_percent;
};

/* HFSC service curve: two slopes joined at the x-projection d. */
struct node_hfsc_sc {
	struct node_queue_bw m1;	/* slope of 1st segment; bps */
	u_int d;			/* x-projection of m1; msec */
	struct node_queue_bw m2;	/* slope of 2nd segment; bps */
	u_int8_t used;
};

struct node_hfsc_opts {
	struct node_hfsc_sc realtime;
	struct node_hfsc_sc linkshare;
	struct node_hfsc_sc upperlimit;
	int flags;
};

/* Scheduler-specific queue options, selected by qtype. */
struct node_queue_opt {
	int qtype;
	union {
		struct cbq_opts cbq_opts;
		struct priq_opts priq_opts;
		struct node_hfsc_opts hfsc_opts;
	} data;
};

SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit) entries;
	struct node_host *host;
	char *file;		/* an initializer may come from a file instead of a host */
};


/* optimizer created tables */
struct pf_opt_tbl {
	char pt_name[PF_TABLE_NAME_SIZE];	/* fixed buffer; bound writes to it */
	int pt_rulecount;
	int pt_generated;
	struct node_tinithead pt_nodes;
	struct pfr_buffer *pt_buf;
};
/* Name prefix for the optimizer-created tables declared above. */
#define PF_OPT_TABLE_PREFIX "__automatic_"

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule por_rule;
	struct pf_opt_tbl *por_src_tbl;
	struct pf_opt_tbl *por_dst_tbl;
	u_int64_t por_profile_count;
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/* Rule loading and optimization.  Return type int is the status code. */
int pfctl_rules(int, char *, FILE *, int, int, char *, struct pfr_buffer *);
int pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);

int pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int pfctl_add_altq(struct pfctl *, struct pf_altq *);
int pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void pfctl_clear_pool(struct pf_pool *);

/* 'set ...' option handlers; they update the corresponding struct pfctl fields. */
int pfctl_set_timeout(struct pfctl *, const char *, int, int);
int pfctl_set_optimization(struct pfctl *, const char *);
int pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int pfctl_set_logif(struct pfctl *, char *);
int pfctl_set_hostid(struct pfctl *, u_int32_t);
int pfctl_set_debug(struct pfctl *, char *);
int pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/* Parser entry points.  parse_rules reads the ruleset from the given stream. */
int parse_rules(FILE *, struct pfctl *);
int parse_flags(char *);
int pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Printing helpers; the trailing int is presumably the PF_OPT_* flag word. */
void print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void print_src_node(struct pf_src_node *, int);
void print_rule(struct pf_rule *, const char *, int);
void print_tabledef(const char *, int, int, struct node_tinithead *);
void print_status(struct pf_status *, int);

/* ALTQ / queue evaluation. */
int eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

void print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

int pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprint handling.  pfctl_lookup_fingerprint takes a caller buffer
 * and its size; the size argument is presumably the bound for the name it
 * writes back - confirm in the implementation before relying on it.
 */
void pfctl_clear_fingerprints(int, int);
int pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t pfctl_get_fingerprint(const char *);
int pfctl_load_fingerprints(int, int);
char *pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void pfctl_show_fingerprints(int);


/* Name <-> number tables for ICMP types and codes. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/*
 * Table lookups.  They return a pointer into a const table; callers should
 * expect NULL for an unknown name/number (not verifiable from this header).
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* Named timeout entry for the pf_timeouts[] table. */
struct pf_timeout {
	const char *name;
	int timeout;
};

/* Ruleset section flags (bit flags; 0x01 is not assigned here). */
#define PFCTL_FLAG_FILTER	0x02
#define PFCTL_FLAG_NAT		0x04
#define PFCTL_FLAG_OPTION	0x08
#define PFCTL_FLAG_ALTQ		0x10
#define PFCTL_FLAG_TABLE	0x20

/* Defined elsewhere; its terminator convention is not visible here. */
extern const struct pf_timeout pf_timeouts[];

/* Address / netmask helpers and interface address lookup. */
void set_ipmask(struct node_host *, u_int8_t);
int check_netmask(struct node_host *, sa_family_t);
int unmask(struct pf_addr *, sa_family_t);
void ifa_load(void);
struct node_host *ifa_exists(const char *);
struct node_host *ifa_lookup(const char *, int);
struct node_host *host(const char *);

/* Append addresses to a pfr_buffer, from a string or from a host list. */
int append_addr(struct pfr_buffer *, char *, int);
int append_addr_host(struct pfr_buffer *,
	    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */