/*	$OpenBSD: pfctl_parser.h,v 1.97 2011/07/27 00:26:10 mcbride Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/*
 * pfctl parser / ruleset-loader interface.
 *
 * This header includes nothing itself.  It relies on the including file
 * having already pulled in the pf and networking headers that define
 * PFTM_MAX, PF_LIMIT_MAX, PF_SKIP_COUNT, PF_TABLE_NAME_SIZE, IFNAMSIZ,
 * struct pf_addr / pf_addr_wrap / pf_rule / pf_pool / pf_altq, pf_osfp_t,
 * the ALTQ *_opts structs and the <sys/queue.h> list macros.
 */

/*
 * Default OS fingerprint database.  Presumably the path handed to
 * pfctl_file_fingerprints() (declared below) - verify against the caller.
 */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Option bits, presumably OR'ed into struct pfctl.opts.  Each is a
 * distinct bit so they combine.  0x1000 and 0x2000 are not defined in
 * this header; check the rest of pfctl before reusing those values.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200
#define PF_OPT_SHOWALL		0x0400
#define PF_OPT_OPTIMIZE		0x0800
#define PF_OPT_RECURSE		0x4000

/* All eight flag bits set; presumably the TCP flag mask used with parse_flags(). */
#define PF_TH_ALL		0xFF

/*
 * Port range used for NAT proxy ports.  Presumably the default when a
 * nat rule does not name a port range; the kernel side is not visible here.
 */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/* Rule optimizer modes; presumably stored in struct pfctl.optimize. */
#define PF_OPTIMIZE_BASIC	0x0001
#define PF_OPTIMIZE_PROFILE	0x0002

/*
 * Initializer for a NULL-terminated array of counter names (presumably
 * pf's "fcounters").  The trailing NULL is the sentinel - keep it last.
 */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

/* Opaque in this header: only pointers to it appear below. */
struct pfr_buffer;	/* forward definition */


/*
 * Per-invocation parser/loader state.  One instance is threaded through
 * parse_config() and the pfctl_add_*() / pfctl_set_*() calls declared
 * below.
 */
struct pfctl {
	int dev;			/* pf device descriptor (presumably /dev/pf) */
	int opts;			/* PF_OPT_* bits, presumably */
	int optimize;			/* PF_OPTIMIZE_* bits, presumably */
	int asd;			/* anchor stack depth */
	int bn;				/* brace number */
	int brace;
	int tdirty;			/* kernel dirty */
	/*
	 * Nesting limit for anchors.  asd is the index into astack[], and
	 * nothing in this header enforces the bound: the parser's anchor
	 * push path must reject a ruleset nested deeper than this before
	 * writing astack[asd] (verify in parse.y).  A ruleset is parsed
	 * input, so the check is the cheap guard against a stack overrun.
	 */
#define PFCTL_ANCHOR_STACK_DEPTH 64
	struct pf_anchor *astack[PFCTL_ANCHOR_STACK_DEPTH];
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	struct pfr_buffer *trans;	/* pending transaction buffer, presumably */
	struct pf_anchor *anchor, *alast;
	const char *ruleset;

	/* 'set foo' options */
	u_int32_t	 timeout[PFTM_MAX];
	u_int32_t	 limit[PF_LIMIT_MAX];
	u_int32_t	 debug;
	u_int32_t	 hostid;
	u_int32_t	 reassemble;
	char		*ifname;

	/*
	 * "Explicitly given" flags, one per option above (one per array
	 * entry for timeout/limit), presumably so that untouched defaults
	 * are not pushed to the kernel.
	 */
	u_int8_t	 timeout_set[PFTM_MAX];
	u_int8_t	 limit_set[PF_LIMIT_MAX];
	u_int8_t	 debug_set;
	u_int8_t	 hostid_set;
	u_int8_t	 ifname_set;
	u_int8_t	 reass_set;
};

/* One interface operand from the ruleset, as a node of a singly linked list. */
struct node_if {
	/* Fixed-size: copies into it must be bounded and NUL-terminated (strlcpy). */
	char			 ifname[IFNAMSIZ];
	u_int8_t		 not;		/* negated match ("!"), presumably */
	u_int8_t		 dynamic; /* antispoof */
	u_int8_t		 use_rdomain;	/* presumably: rdomain below is meaningful only when set */
	u_int			 ifa_flags;
	int			 rdomain;	/* routing domain */
	struct node_if		*next;
	struct node_if		*tail;		/* last node, for O(1) append; presumably only valid on the head */
};

/*
 * One resolved host/address operand, as a node of a singly linked list.
 * Lists are built by host() / ifa_lookup() and released by freehostlist()
 * (all declared in this header).
 */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;		/* broadcast address, presumably for interface-derived entries */
	struct pf_addr		 peer;		/* point-to-point peer, presumably */
	sa_family_t		 af;		/* address family of addr */
	u_int8_t		 not;		/* negated match ("!"), presumably */
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	u_int16_t		 weight;	/* load balancing weight */
	char			*ifname;	/* heap string? ownership not visible here - verify against freehostlist() */
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;		/* last node, for O(1) append; presumably only valid on the head */
};
/* Release an entire node_host chain (presumably walks ->next from the head). */
void	freehostlist(struct node_host *);

/* One "os" operand: the textual name and its looked-up fingerprint id. */
struct node_os {
	char			*os;		/* OS name as written in the ruleset */
	pf_osfp_t		 fingerprint;	/* presumably from pfctl_get_fingerprint(os) */
	struct node_os		*next;
	struct node_os		*tail;		/* last node, for O(1) append; presumably only valid on the head */
};

/*
 * Queue bandwidth as written in the ruleset: either an absolute value or
 * a percentage.  Which one is meaningful is presumably decided by the
 * parser (non-zero field); verify before relying on it.
 */
struct node_queue_bw {
	u_int32_t	bw_absolute;	/* bits per second, presumably */
	u_int16_t	bw_percent;	/* percent of the parent queue, presumably */
};

/* One HFSC service curve: two linear segments joined at d. */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;	/* non-zero once this curve has been specified, presumably */
};

/* The three HFSC curves a queue may carry, plus scheduler flags. */
struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;		/* HFSC flag bits; values not visible in this header */
};

/*
 * Scheduler-specific queue options.  qtype is the discriminator for the
 * union (presumably an ALTQT_* value): check it before reading data.*,
 * since the other members are then garbage.
 */
struct node_queue_opt {
	int			 qtype;
	union {
		struct cbq_opts		cbq_opts;
		struct priq_opts	priq_opts;
		struct node_hfsc_opts	hfsc_opts;
	}			 data;
};

/*
 * Table initializer entries: each node supplies either an inline host
 * list or a file to read addresses from (presumably exactly one of the
 * two is non-NULL - verify in the parser).
 */
SIMPLEQ_HEAD(node_tinithead, node_tinit);
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host		*host;
	char				*file;		/* path from the ruleset; opened by the table code, not here */
};


/* optimizer created tables */
struct pf_opt_tbl {
	/* Fixed-size: generated names (PF_OPT_TABLE_PREFIX + suffix) must fit; use bounded copies. */
	char			 pt_name[PF_TABLE_NAME_SIZE];
	int			 pt_rulecount;	/* number of rules folded into this table, presumably */
	int			 pt_generated;	/* non-zero once the table has been emitted, presumably */
	u_int32_t		 pt_flags;
	struct node_tinithead	 pt_nodes;	/* addresses collected into the table */
	struct pfr_buffer	*pt_buf;
};
/* Name prefix for optimizer-generated tables (counts against PF_TABLE_NAME_SIZE). */
#define PF_OPT_TABLE_PREFIX	"__automatic_"

/* optimizer pf_rule container */
struct pf_opt_rule {
	struct pf_rule		 por_rule;	/* the rule itself, embedded by value */
	struct pf_opt_tbl	*por_src_tbl;	/* table replacing the source address list, if any */
	struct pf_opt_tbl	*por_dst_tbl;	/* table replacing the destination address list, if any */
	u_int64_t		 por_profile_count;	/* hit count used by PF_OPTIMIZE_PROFILE, presumably */
	TAILQ_ENTRY(pf_opt_rule) por_entry;
	/* One list linkage per skip step, so a rule can sit on several skip lists at once. */
	TAILQ_ENTRY(pf_opt_rule) por_skip_entry[PF_SKIP_COUNT];
};

TAILQ_HEAD(pf_opt_queue, pf_opt_rule);

/*
 * Ruleset loading and the rule optimizer.  All return an int status;
 * parameter meanings are not recoverable from this header - read the
 * definitions before calling.  add_opt_table() takes the table pointer by
 * reference, presumably so it can allocate the table on first use.
 */
int	pfctl_rules(int, char *, int, int, char *, struct pfr_buffer *);
int	pfctl_optimize_ruleset(struct pfctl *, struct pf_ruleset *);
int     pf_opt_create_table(struct pfctl *, struct pf_opt_tbl *);
int     add_opt_table(struct pfctl *, struct pf_opt_tbl **, sa_family_t,
            struct pf_rule_addr *, char *);

/*
 * Append parsed objects to the pending ruleset held in struct pfctl.
 * pfctl_move_pool() transfers a pool between two pf_pool structs and
 * pfctl_clear_pool() releases one; the direction of the move is not
 * visible here - check the definition.
 */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *, const char *);
int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t, int);
void	pfctl_move_pool(struct pf_pool *, struct pf_pool *);
void	pfctl_clear_pool(struct pf_pool *);

/*
 * Handlers for the "set ..." statements.  They record the value (and the
 * matching *_set flag, presumably) in struct pfctl rather than talking to
 * the kernel directly.  All return an int status.
 */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_reassembly(struct pfctl *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);
int	pfctl_set_hostid(struct pfctl *, u_int32_t);
int	pfctl_set_debug(struct pfctl *, char *);
int	pfctl_set_interface_flags(struct pfctl *, char *, int, int);

/*
 * Parser entry points.  parse_config() parses a ruleset (the char * is
 * presumably the file name) into the given struct pfctl.  parse_flags()
 * turns a TCP flag string into a bit mask (compare PF_TH_ALL); its error
 * convention is not visible here.
 */
int	parse_config(char *, struct pfctl *);
int	parse_flags(char *);
int	pfctl_load_anchors(int, struct pfctl *, struct pfr_buffer *);

/* Pretty-printers for kernel objects (used by "pfctl -s ..." output, presumably). */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int, int);
void	print_src_node(struct pf_src_node *, int);
void	print_rule(struct pf_rule *, const char *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *, int);

/*
 * Validate and fill in an ALTQ root/child queue from the parsed bandwidth
 * and scheduler options.  Return an int status.
 */
int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

/* Pretty-printers for ALTQ definitions; the pf_altq is read-only here. */
void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

/* Define a table (name, flags, initial contents) in the pending transaction; returns an int status. */
int	pfctl_define_table(char *, int, int, const char *, struct pfr_buffer *,
	    u_int32_t);

/*
 * OS fingerprint database handling.  pfctl_file_fingerprints() takes a
 * path (presumably PF_OSFP_FILE by default).  pfctl_lookup_fingerprint()
 * writes into a caller-supplied buffer whose capacity is the size_t
 * argument - pass the real buffer size, not a guess.
 */
void		 pfctl_clear_fingerprints(int, int);
int		 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t	 pfctl_get_fingerprint(const char *);
int		 pfctl_load_fingerprints(int, int);
char		*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void		 pfctl_show_fingerprints(int);


/* Name/number pair for an ICMP type (lookup table entry). */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

/* Name for an ICMP code, qualified by the type it belongs to. */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/*
 * ICMP type/code table lookups.  The trailing u_int8_t is presumably the
 * address family (ICMP vs ICMPv6 tables).  Results point into static
 * tables; callers must handle a NULL "not found" result (presumed
 * convention - verify).  Note geticmpcodebyname() takes the type as
 * u_long while its sibling uses u_int8_t.
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/* syslog-style log level <-> name conversions; the "unknown" return values are not visible here. */
int			  string_to_loglevel(const char *);
const char		 *loglevel_to_string(int);

/* Maps a "set timeout" keyword to its PFTM_* index. */
struct pf_timeout {
	const char	*name;
	int		 timeout;	/* PFTM_* index, presumably */
};

/* Timeout keyword table; presumably terminated by an entry with a NULL name - verify before iterating. */
extern const struct pf_timeout pf_timeouts[];

/*
 * Address and interface helpers.  ifa_load() caches the system's
 * interface addresses; ifa_exists() / ifa_lookup() query that cache.
 * host() resolves a host string into a node_host list - it may consult
 * DNS (compare PF_OPT_USEDNS), so treat its latency and failure modes
 * accordingly.  check_netmask() and unmask() return an int status/value.
 */
void			 set_ipmask(struct node_host *, u_int8_t);
int			 check_netmask(struct node_host *, sa_family_t);
int			 unmask(struct pf_addr *, sa_family_t);
void			 ifa_load(void);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, int);
struct node_host	*host(const char *);

/*
 * Append a textual address spec, or an already-resolved node_host list,
 * to a pfr_buffer of table entries.  Both return an int status.
 */
int			 append_addr(struct pfr_buffer *, char *, int);
int			 append_addr_host(struct pfr_buffer *,
			    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */