12e6f2099Srmind /*-
260a0ec10Srmind  * Copyright (c) 2009-2017 The NetBSD Foundation, Inc.
32e6f2099Srmind  * All rights reserved.
42e6f2099Srmind  *
50e218254Srmind  * This material is based upon work partially supported by The
60e218254Srmind  * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
70e218254Srmind  *
82e6f2099Srmind  * Redistribution and use in source and binary forms, with or without
92e6f2099Srmind  * modification, are permitted provided that the following conditions
102e6f2099Srmind  * are met:
112e6f2099Srmind  * 1. Redistributions of source code must retain the above copyright
122e6f2099Srmind  *    notice, this list of conditions and the following disclaimer.
132e6f2099Srmind  * 2. Redistributions in binary form must reproduce the above copyright
142e6f2099Srmind  *    notice, this list of conditions and the following disclaimer in the
152e6f2099Srmind  *    documentation and/or other materials provided with the distribution.
162e6f2099Srmind  *
172e6f2099Srmind  * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
182e6f2099Srmind  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
192e6f2099Srmind  * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
202e6f2099Srmind  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
212e6f2099Srmind  * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
222e6f2099Srmind  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
232e6f2099Srmind  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
242e6f2099Srmind  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
252e6f2099Srmind  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
262e6f2099Srmind  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
272e6f2099Srmind  * POSSIBILITY OF SUCH DAMAGE.
282e6f2099Srmind  */
292e6f2099Srmind 
302e6f2099Srmind #ifndef _NPFCTL_H_
312e6f2099Srmind #define _NPFCTL_H_
322e6f2099Srmind 
332e6f2099Srmind #include <stdio.h>
342e6f2099Srmind #include <stdbool.h>
35d3c56566Srmind #include <inttypes.h>
36a3b239f6Srmind #include <assert.h>
377b016567Srmind #include <util.h>
382e6f2099Srmind 
394e592132Srmind #define	NPF_BPFCOP
4007ac07d3Srmind #include <net/npf.h>
4107ac07d3Srmind 
4207ac07d3Srmind #define	_NPF_PRIVATE
4307ac07d3Srmind #include <npf.h>
442e6f2099Srmind 
45d3c56566Srmind #include "npf_var.h"
462e6f2099Srmind 
/*
 * Default paths: the NPF control device node, the configuration file the
 * parser reads, and the database file (presumably the default target of
 * npfctl_config_save() — confirm in npfctl.c).
 */
#define	NPF_DEV_PATH	"/dev/npf"
#define	NPF_CONF_PATH	"/etc/npf.conf"
#define	NPF_DB_PATH	"/var/db/npf.db"
502e6f2099Srmind 
/*
 * A network address with its prefix length, tagged by address family.
 * fam_ifindex has the same type as the out-parameter filled by
 * npfctl_parse_fam_addr_mask(); NOTE(review): presumably it ties the
 * address to an interface when non-zero — confirm how 0 is interpreted.
 */
typedef struct fam_addr_mask {
	sa_family_t	fam_family;
	npf_addr_t	fam_addr;
	npf_netmask_t	fam_mask;
	unsigned long	fam_ifindex;
} fam_addr_mask_t;
572e6f2099Srmind 
/*
 * An interface reference as produced by the parser (see npfctl_parse_ifnet()):
 * the interface name and index, an address-family restriction, and two
 * npfvar lists.  What ifna_filter and ifna_addrs hold is decided by the
 * parser, not here — confirm in npf_parse.y / npf_data.c.
 */
typedef struct ifnet_addr {
	char *		ifna_name;
	unsigned long	ifna_index;
	sa_family_t	ifna_family;
	npfvar_t *	ifna_filter;
	npfvar_t *	ifna_addrs;
} ifnet_addr_t;
655111d7eaSrmind 
/*
 * A range of TCP/UDP ports, built by npfctl_parse_port_range().  Whether
 * pr_end is inclusive is defined by its producers and by the BPF generator
 * (npfctl_bpf_ports()), not by this header.
 */
typedef struct port_range {
	in_port_t	pr_start;
	in_port_t	pr_end;
} port_range_t;
702e6f2099Srmind 
/*
 * One endpoint of a filter: a list of network addresses and a list of
 * port ranges (either may presumably be NULL for "any" — confirm).
 */
typedef struct addr_port {
	npfvar_t *	ap_netaddr;
	npfvar_t *	ap_portrange;
} addr_port_t;
757a3e0c21Srmind 
/*
 * Filter options of a rule: source ("from") and destination ("to")
 * endpoints, plus a negation flag for each.  The invert flags presumably
 * map onto MATCH_INVERT / BM_SRC_NEG / BM_DST_NEG in the BPF generator —
 * confirm in npf_bpf_comp.c.
 */
typedef struct filt_opts {
	addr_port_t	fo_from;
	addr_port_t	fo_to;
	bool		fo_finvert;
	bool		fo_tinvert;
} filt_opts_t;
822e6f2099Srmind 
/*
 * A protocol clause: the protocol number (cf. npfctl_protono()) and its
 * protocol-specific options (e.g. the TCP flags or ICMP type/code lists
 * produced by npfctl_parse_tcpflag() / npfctl_parse_icmp(), presumably).
 */
typedef struct opt_proto {
	int		op_proto;
	npfvar_t *	op_opts;
} opt_proto_t;
8707ac07d3Srmind 
/*
 * A rule group header: its name, a 32-bit attribute mask, the interface
 * it is bound to (or NULL), and whether this is the default group.
 * The attribute bit values are defined in <net/npf.h>, not here.
 */
typedef struct rule_group {
	const char *	rg_name;
	uint32_t	rg_attr;
	const char *	rg_ifname;
	bool		rg_default;
} rule_group_t;
94d3c56566Srmind 
/*
 * A call to a rule procedure (rproc) inside a "procedure" block: the
 * procedure/extension name and its list of parameters (proc_param_t items,
 * presumably — confirm in the grammar).
 */
typedef struct proc_call {
	const char *	pc_name;
	npfvar_t *	pc_opts;
} proc_call_t;
99d3c56566Srmind 
/*
 * A single "name value" parameter of a procedure call, kept as strings;
 * interpretation is left to the extension module (see npf_extmod_param()).
 */
typedef struct proc_param {
	const char *	pp_param;
	const char *	pp_value;
} proc_param_t;
104d3c56566Srmind 
/*
 * Grammar entry point selector for npfctl_parse_string(): the names
 * suggest a whole configuration, a single rule, or a single map statement.
 */
typedef enum {
	NPFCTL_PARSE_DEFAULT,
	NPFCTL_PARSE_RULE,
	NPFCTL_PARSE_MAP
} parse_entry_t;
1100e218254Srmind 
/*
 * Name prefix of the internal per-interface tables (see npfctl_ifnet_table()).
 * PREFLEN excludes the terminating NUL.  NOTE(review): user-supplied table
 * names starting with this prefix would collide with internal ones; confirm
 * that the parser rejects them.
 */
#define	NPF_IFNET_TABLE_PREF		".ifnet-"
#define	NPF_IFNET_TABLE_PREFLEN		(sizeof(NPF_IFNET_TABLE_PREF) - 1)
1133d9a792dSrmind 
/*
 * Parser entry points.  yyerror() is printf-like — __printflike(1, 2) gives
 * compile-time format checking — and never returns (__dead).  The format
 * argument must be a literal; pass parsed text only via %s.
 */
void		yyerror(const char *, ...) __printflike(1, 2) __dead;
/* Toggle BPF JIT use; what exactly the flag governs is defined in npfctl.c. */
void		npfctl_bpfjit(bool);
/* Parse a whole configuration file, or a string fragment of the given kind. */
void		npfctl_parse_file(const char *);
void		npfctl_parse_string(const char *, parse_entry_t);
1182e6f2099Srmind 
/*
 * join(buf, bufsize, argc, argv, sep): concatenate argv into the caller's
 * bounded buffer.  NOTE(review): the bool result presumably reports whether
 * everything fit — callers must check it rather than assume success; confirm
 * against the definition.
 */
bool		join(char *, size_t, int, char **, const char *);
/* True when the address is all-zero (presumably "unspecified"). */
bool		npfctl_addr_iszero(const npf_addr_t *);
121*b899bfd9Srmind 
/* Report a libnpf error descriptor to the user. */
void		npfctl_print_error(const npf_error_t *);
/*
 * Format an address/prefix as text.  NOTE(review): ownership of the
 * returned string (static vs. malloc'd, who frees) is not visible here —
 * confirm in npf_data.c before use.
 */
char *		npfctl_print_addrmask(int, const char *, const npf_addr_t *,
		    npf_netmask_t);
void		npfctl_note_interface(const char *);

/* Table lookup by name / id; the bool out-parameter of getname is presumably
 * an "is internal (ifnet) table" flag — confirm. */
nl_table_t *	npfctl_table_getbyname(nl_config_t *, const char *);
unsigned	npfctl_table_getid(const char *);
const char *	npfctl_table_getname(nl_config_t *, unsigned, bool *);

/*
 * Name/number conversions.  None of these has an error return in its
 * signature, so invalid input is presumably reported through yyerror()
 * (which does not return) — confirm before calling them outside the parser.
 */
int		npfctl_protono(const char *);
in_port_t	npfctl_portno(const char *);
uint8_t		npfctl_icmpcode(int, uint8_t, const char *);
uint8_t		npfctl_icmptype(int, const char *);

/* Grammar actions producing npfvar lists. */
npfvar_t *	npfctl_ifnet_table(const char *);
npfvar_t *	npfctl_parse_ifnet(const char *, const int);
npfvar_t *	npfctl_parse_tcpflag(const char *);
npfvar_t *	npfctl_parse_table_id(const char *);
npfvar_t * 	npfctl_parse_icmp(int, int, int);
npfvar_t *	npfctl_parse_port_range(in_port_t, in_port_t);
npfvar_t *	npfctl_parse_port_range_variable(const char *, npfvar_t *);
/* The unsigned long out-parameter matches fam_addr_mask_t.fam_ifindex. */
npfvar_t *	npfctl_parse_fam_addr_mask(const char *, const char *,
		    unsigned long *);
/*
 * Parse "addr/prefix" into *fam.  NOTE(review): the string is taken as a
 * writable char *, so it may be modified in place — pass a copy if the
 * original is still needed; confirm.
 */
bool		npfctl_parse_cidr(char *, fam_addr_mask_t *, int *);
/* Presumably the RFC 6296 (NPTv6) checksum-neutral adjustment — confirm. */
uint16_t	npfctl_npt66_calcadj(npf_netmask_t, const npf_addr_t *,
		    const npf_addr_t *);
int		npfctl_nat_ruleset_p(const char *, bool *);
1462e6f2099Srmind 
/*
 * Command handlers (fd, argc, argv).  NOTE(review): npfctl_conn_list()
 * alone returns an int status while its siblings are void — callers must
 * not ignore it.
 */
void		usage(void);
void		npfctl_rule(int, int, char **);
void		npfctl_table_replace(int, int, char **);
void		npfctl_table(int, int, char **);
int		npfctl_conn_list(int, int, char **);
152*b899bfd9Srmind 
153d3c56566Srmind /*
1548c6e21bfSrmind  * NPF extension loading.
1558c6e21bfSrmind  */
1568c6e21bfSrmind 
/* Opaque handle for a loaded extension module. */
typedef struct npf_extmod_t npf_extmod_t_unused_guard_never_defined; /* NOTE(review): placeholder? no — see below */
1628c6e21bfSrmind 
1638c6e21bfSrmind /*
 * BPF byte-code generation interface.
1654e592132Srmind  */
1664e592132Srmind 
/* Opaque BPF program builder (npfctl_bpf_create() .. npfctl_bpf_destroy()). */
typedef struct npf_bpf npf_bpf_t;

/*
 * Direction/negation flags for the u_int argument of npfctl_bpf_cidr(),
 * npfctl_bpf_ports() and npfctl_bpf_table() below (inferred from names —
 * confirm in npf_bpf_comp.c).
 */
#define	MATCH_DST	0x01
#define	MATCH_SRC	0x02
#define	MATCH_INVERT	0x04
1724e592132Srmind 
/*
 * Mark identifiers used with npfctl_bpf_bmarks().  BM_COUNT counts them,
 * so any new mark must be inserted before it.
 */
enum {
	BM_IPVER, BM_PROTO, BM_SRC_CIDR, BM_SRC_TABLE, BM_DST_CIDR,
	BM_DST_TABLE, BM_SRC_PORTS, BM_DST_PORTS, BM_TCPFL, BM_ICMP_TYPE,
	BM_ICMP_CODE, BM_SRC_NEG, BM_DST_NEG,

	BM_COUNT // total number of the marks
};
1804e592132Srmind 
/*
 * Builder lifecycle: create, emit matchers, complete into a bpf_program,
 * optionally fetch the marks (length via the size_t out-parameter), destroy.
 * NOTE(review): who owns the struct bpf_program returned by
 * npfctl_bpf_complete() is not visible here — confirm before freeing.
 */
npf_bpf_t *	npfctl_bpf_create(void);
struct bpf_program *npfctl_bpf_complete(npf_bpf_t *);
const void *	npfctl_bpf_bmarks(npf_bpf_t *, size_t *);
void		npfctl_bpf_destroy(npf_bpf_t *);

/* Bracket a group of matchers; the bool is presumably the invert flag. */
void		npfctl_bpf_group_enter(npf_bpf_t *, bool);
void		npfctl_bpf_group_exit(npf_bpf_t *);

/* Individual matchers; the u_int arguments take MATCH_* flags (see above). */
void		npfctl_bpf_ipver(npf_bpf_t *, sa_family_t);
void		npfctl_bpf_proto(npf_bpf_t *, unsigned);
void		npfctl_bpf_cidr(npf_bpf_t *, u_int, sa_family_t,
		    const npf_addr_t *, const npf_netmask_t);
void		npfctl_bpf_ports(npf_bpf_t *, u_int, in_port_t, in_port_t);
void		npfctl_bpf_tcpfl(npf_bpf_t *, uint8_t, uint8_t);
void		npfctl_bpf_icmp(npf_bpf_t *, int, int);
void		npfctl_bpf_table(npf_bpf_t *, u_int, u_int);
1974e592132Srmind 
1984e592132Srmind /*
199d3c56566Srmind  * Configuration building interface.
200d3c56566Srmind  */
201d3c56566Srmind 
/* NAT segment kinds passed to npfctl_build_natseg(). */
#define	NPFCTL_NAT_DYNAMIC	1
#define	NPFCTL_NAT_STATIC	2
204d3c56566Srmind 
/*
 * Lifecycle of the configuration under construction: init (meaning of the
 * bool is defined in npf_build.c), build, then send it over a descriptor
 * (presumably the /dev/npf fd), show it, or save it to a path.  The int
 * results of send/show/ruleset_show are status codes callers must check;
 * the void builders presumably report failures via yyerror() — confirm.
 */
void		npfctl_config_init(bool);
void		npfctl_config_build(void);
int		npfctl_config_send(int);
nl_config_t *	npfctl_config_ref(void);
int		npfctl_config_show(int);
void		npfctl_config_save(nl_config_t *, const char *);
int		npfctl_ruleset_show(int, const char *);

/* Accessors for the rule / table currently being built. */
nl_rule_t *	npfctl_rule_ref(void);
nl_table_t *	npfctl_table_ref(void);
bool		npfctl_debug_addif(const char *);

/*
 * Populate a table from a FILE stream.  Table files are external input;
 * entry validation happens in the implementation, not here — confirm that
 * malformed lines are rejected rather than silently skipped.
 */
nl_table_t *	npfctl_load_table(const char *, int, u_int, const char *, FILE *);

/* Grammar actions that append ALGs, rprocs, groups, rules, NAT segments,
 * map rulesets and tables to the configuration. */
void		npfctl_build_alg(const char *);
void		npfctl_build_rproc(const char *, npfvar_t *);
void		npfctl_build_group(const char *, int, const char *, bool);
void		npfctl_build_group_end(void);
void		npfctl_build_rule(uint32_t, const char *, sa_family_t,
		    const npfvar_t *, const filt_opts_t *,
		    const char *, const char *);
void		npfctl_build_natseg(int, int, unsigned, const char *,
		    const addr_port_t *, const addr_port_t *,
		    const npfvar_t *, const filt_opts_t *, unsigned);
void		npfctl_build_maprset(const char *, int, const char *);
void		npfctl_build_table(const char *, u_int, const char *);

/* Set a named global parameter ("set" statement). */
void		npfctl_setparam(const char *, int);
233dadc88e3Srmind 
234f75d79ebSchristos /*
 * For the systems which do not define TH_ECE and TH_CWR.
236f75d79ebSchristos  */
#ifndef	TH_ECE
#define	TH_ECE		0x40	/* ECN-Echo TCP flag bit */
#endif
#ifndef	TH_CWR
#define	TH_CWR		0x80	/* Congestion Window Reduced TCP flag bit */
#endif
243f75d79ebSchristos 
2442e6f2099Srmind #endif
245