pfctl_parser.h revision 126353
/*	$OpenBSD: pfctl_parser.h,v 1.67 2003/08/21 19:12:09 frantzen Exp $ */

/*
 * Copyright (c) 2001 Daniel Hartmeier
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *    - Redistributions of source code must retain the above copyright
 *      notice, this list of conditions and the following disclaimer.
 *    - Redistributions in binary form must reproduce the above
 *      copyright notice, this list of conditions and the following
 *      disclaimer in the documentation and/or other materials provided
 *      with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 */

/*
 * pfctl_parser.h -- declarations shared between the pfctl ruleset parser
 * (parse_rules()) and the code that hands the parsed objects to the pf
 * device through the pfioc_* structures referenced below.
 *
 * This header only declares.  Return-value conventions, ownership of the
 * pointer members and the meaning of unnamed int parameters are not
 * visible here; where a comment below relies on such a thing it is marked
 * as an assumption to be confirmed against the defining .c file.
 */

#ifndef _PFCTL_PARSER_H_
#define _PFCTL_PARSER_H_

/*
 * Passive OS fingerprint database.  pfctl_file_fingerprints() below takes
 * an explicit path; pfctl_load_fingerprints() takes none and presumably
 * falls back to this default.
 * NOTE(review): whoever can write this file decides which "os" operands a
 * rule matches, so it must stay root-owned and not writable by others --
 * confirm how the loader opens it.
 */
#define PF_OSFP_FILE		"/etc/pf.os"

/*
 * Option bits OR'd into struct pfctl.opts.  Each is a distinct power of
 * two so any combination fits one int.  What each bit changes is only
 * visible in the .c files; the names are the guide here.
 */
#define PF_OPT_DISABLE		0x0001
#define PF_OPT_ENABLE		0x0002
#define PF_OPT_VERBOSE		0x0004
#define PF_OPT_NOACTION		0x0008
#define PF_OPT_QUIET		0x0010
#define PF_OPT_CLRRULECTRS	0x0020
#define PF_OPT_USEDNS		0x0040
#define PF_OPT_VERBOSE2		0x0080
#define PF_OPT_DUMMYACTION	0x0100
#define PF_OPT_DEBUG		0x0200

/*
 * Every bit of an 8-bit TCP flags byte set.  Presumably the mask used
 * when a rule names flags without an explicit "/mask" -- TODO confirm
 * against parse_flags().
 */
#define PF_TH_ALL		0xFF

/*
 * Inclusive bounds of the port range used for NAT proxy ports (presumably
 * the default when a rule does not give one).  Both fit a u_int16_t.
 * Nothing below checks LOW <= HIGH; keep them that way when editing.
 */
#define PF_NAT_PROXY_PORT_LOW	50001
#define PF_NAT_PROXY_PORT_HIGH	65535

/*
 * NULL-terminated table of filter-counter names, for initialising a
 * const char *[].  The position of a name is its counter index, so the
 * order presumably has to match the kernel's counter numbering -- keep
 * the two in sync when adding a counter.
 */
#define FCNT_NAMES { \
	"searches", \
	"inserts", \
	"removals", \
	NULL \
}

/*
 * Loader state threaded through the pfctl_* helpers below.
 *
 * dev       descriptor the pfioc_* structures are sent to (presumably the
 *           open pf device)
 * opts      PF_OPT_* bits
 * loadopt   presumably PFCTL_FLAG_* bits selecting what to load -- confirm
 * tticket   table ticket
 * tdirty    kernel dirty
 * rule_nr   rule number (running count, by its name -- confirm)
 * paddr     pool address being built
 * prule     one pending rule buffer per ruleset, indexed by ruleset type
 *           and bounded by PF_RULESET_MAX; index with a checked value only
 * paltq     pending altq buffer
 * pqueue    pending queue buffer
 * anchor    anchor name the rules go into
 * ruleset   ruleset name the rules go into
 *
 * NOTE(review): the pointer members are allocated elsewhere; this header
 * does not say who frees them -- confirm ownership in the defining file.
 */
struct pfctl {
	int dev;
	int opts;
	int loadopt;
	u_int32_t tticket;		/* table ticket */
	int tdirty;			/* kernel dirty */
	u_int32_t rule_nr;
	struct pfioc_pooladdr paddr;
	struct pfioc_rule *prule[PF_RULESET_MAX];
	struct pfioc_altq *paltq;
	struct pfioc_queue *pqueue;
	const char *anchor;
	const char *ruleset;
};

/*
 * What ifa_lookup() expands an interface name to: the interface's host
 * addresses, its attached networks, or its broadcast addresses.  The
 * names are the only hint; confirm against ifa_lookup().
 */
enum pfctl_iflookup_mode {
	PFCTL_IFLOOKUP_HOST,
	PFCTL_IFLOOKUP_NET,
	PFCTL_IFLOOKUP_BCAST
};

/*
 * One interface in a rule's interface list.
 *
 * ifname     fixed-size buffer.  Whoever fills it must use a bounded,
 *            NUL-terminating copy (strlcpy) and reject a name that would
 *            be truncated instead of silently shortening it: a truncated
 *            name can match a different interface than the one the rule
 *            author wrote.
 * not        negation flag (presumably the rule's "!" prefix)
 * ifa_flags  interface address flags, presumably carried over from the
 *            ifa_*() helpers below
 * next/tail  singly linked list; tail presumably references the last
 *            element so appends are O(1)
 */
struct node_if {
	char			 ifname[IFNAMSIZ];
	u_int8_t		 not;
	u_int			 ifa_flags;
	struct node_if		*next;
	struct node_if		*tail;
};

/*
 * One host/address in a rule's address list.
 *
 * addr       address with mask/range (pf_addr_wrap)
 * bcast      broadcast address; presumably filled by PFCTL_IFLOOKUP_BCAST
 *            lookups -- the enum above is the only hint
 * af         address family of addr
 * not        negation flag
 * ifindex    link-local IPv6 addrs (the scope of a link-local address)
 * ifname     unlike node_if this is a pointer, not an array: the string
 *            lives elsewhere -- TODO confirm whether it is strdup'd and
 *            freed together with the node
 * ifa_flags, next, tail  as in struct node_if
 */
struct node_host {
	struct pf_addr_wrap	 addr;
	struct pf_addr		 bcast;
	sa_family_t		 af;
	u_int8_t		 not;
	u_int32_t		 ifindex;	/* link-local IPv6 addrs */
	char			*ifname;
	u_int			 ifa_flags;
	struct node_host	*next;
	struct node_host	*tail;
};

/*
 * One "os" operand: the name as written in the ruleset and the
 * fingerprint it resolved to (cf. pfctl_get_fingerprint()).  os is a
 * pointer; its ownership is not shown here.
 */
struct node_os {
	char			*os;
	pf_osfp_t		 fingerprint;
	struct node_os		*next;
	struct node_os		*tail;
};

/*
 * Bandwidth as written in a queue definition: either an absolute value
 * (bps, per the node_hfsc_sc comments) or a percentage of the parent.
 * Nothing here bounds bw_percent to 0..100; the evaluators (eval_pf*())
 * presumably do -- verify.
 */
struct node_queue_bw {
	u_int32_t	bw_absolute;
	u_int16_t	bw_percent;
};

/*
 * HFSC service curve: m1 applies for the first d milliseconds, m2
 * afterwards.  used is presumably non-zero when the curve was given in
 * the ruleset (the name is the only hint).
 */
struct node_hfsc_sc {
	struct node_queue_bw	m1;	/* slope of 1st segment; bps */
	u_int			d;	/* x-projection of m1; msec */
	struct node_queue_bw	m2;	/* slope of 2nd segment; bps */
	u_int8_t		used;
};

/*
 * HFSC per-queue options: the three service curves plus option flags.
 */
struct node_hfsc_opts {
	struct node_hfsc_sc	realtime;
	struct node_hfsc_sc	linkshare;
	struct node_hfsc_sc	upperlimit;
	int			flags;
};

/*
 * Scheduler-specific queue options.  qtype is the discriminator that
 * says which union member is valid: always switch on qtype before
 * touching data -- reading the wrong member is a type confusion that the
 * compiler cannot catch.
 */
struct node_queue_opt {
	int			 qtype;
	union {
		struct cbq_opts		cbq_opts;
		struct priq_opts	priq_opts;
		struct node_hfsc_opts	hfsc_opts;
	}			 data;
};

/* List head type for the initializers of one table. */
SIMPLEQ_HEAD(node_tinithead, node_tinit);

/*
 * Table initializer: a table's initial contents come either from an
 * in-line host list or from a file named in the ruleset.  One node_tinit
 * carries one or the other (presumably exclusive -- confirm).
 * NOTE(review): file is a path taken from the ruleset text and pfctl
 * typically runs as root, so who may write that file is part of the
 * ruleset's trust boundary.
 */
struct node_tinit {	/* table initializer */
	SIMPLEQ_ENTRY(node_tinit)	 entries;
	struct node_host		*host;
	char				*file;
};

struct pfr_buffer;	/* forward definition */

/*
 * Top-level entry: parse a ruleset and load it.  The parameters are
 * unnamed; from struct pfctl the ints are presumably the pf device and
 * PF_OPT_* bits and the strings a file name, anchor and ruleset --
 * confirm the order against the definition before calling.
 */
int	pfctl_rules(int, char *, int, char *, char *);

/*
 * Hand one parsed object to the loader.  The int results presumably
 * follow the usual 0 = ok / non-zero = error convention -- confirm.
 */
int	pfctl_add_rule(struct pfctl *, struct pf_rule *);
int	pfctl_add_altq(struct pfctl *, struct pf_altq *);
int	pfctl_add_pool(struct pfctl *, struct pf_pool *, sa_family_t);
void	pfctl_clear_pool(struct pf_pool *);

/*
 * Handlers for the global "set ..." options, named after what they set.
 * pfctl_set_logif() takes a non-const string; whether it modifies it is
 * not visible here (TODO(review): make it const char * if it does not).
 */
int	pfctl_set_timeout(struct pfctl *, const char *, int, int);
int	pfctl_set_optimization(struct pfctl *, const char *);
int	pfctl_set_limit(struct pfctl *, const char *, unsigned int);
int	pfctl_set_logif(struct pfctl *, char *);

/*
 * parse_rules(): run the parser over the stream using the given loader
 * state.  parse_flags(): TCP flags string -> bitmask (presumably; cf.
 * PF_TH_ALL) -- a failure value is not visible here, check the definition
 * before treating the result as a mask.
 */
int	parse_rules(FILE *, struct pfctl *);
int	parse_flags(char *);
int	pfctl_load_anchors(int, int);

/* Pretty-printers for loaded rules, pools, tables and status. */
void	print_pool(struct pf_pool *, u_int16_t, u_int16_t, sa_family_t, int);
void	print_rule(struct pf_rule *, int);
void	print_tabledef(const char *, int, int, struct node_tinithead *);
void	print_status(struct pf_status *);

/*
 * Turn the parsed bandwidth / scheduler options into the pf_altq that is
 * loaded; presumably where bw_percent and the HFSC curves are validated.
 */
int	eval_pfaltq(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);
int	eval_pfqueue(struct pfctl *, struct pf_altq *, struct node_queue_bw *,
	    struct node_queue_opt *);

/* Pretty-printers for altq and queue definitions. */
void	 print_altq(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    struct node_queue_opt *);
void	 print_queue(const struct pf_altq *, unsigned, struct node_queue_bw *,
	    int, struct node_queue_opt *);

/*
 * Define a table from a parsed initializer buffer.  The int parameters
 * are unnamed (presumably device and flags); confirm against the
 * definition.
 */
int	pfctl_define_table(char *, int, int, const char *, const char *,
	    struct pfr_buffer *, u_int32_t);

/*
 * OS fingerprint database handling.  pfctl_lookup_fingerprint() writes
 * the name into the caller-supplied buffer whose length is the size_t
 * argument (pass sizeof buf) and presumably returns that buffer.
 * pfctl_get_fingerprint() maps a name to a pf_osfp_t; the value it
 * returns for an unknown name is not visible here.
 */
void	 pfctl_clear_fingerprints(int, int);
int	 pfctl_file_fingerprints(int, int, const char *);
pf_osfp_t
	 pfctl_get_fingerprint(const char *);
int	 pfctl_load_fingerprints(int, int);
char	*pfctl_lookup_fingerprint(pf_osfp_t, char *, size_t);
void	 pfctl_show_fingerprints(int);


/* ICMP type name table entry. */
struct icmptypeent {
	const char *name;
	u_int8_t type;
};

/* ICMP code name table entry; code is scoped by type. */
struct icmpcodeent {
	const char *name;
	u_int8_t type;
	u_int8_t code;
};

/*
 * ICMP type/code lookups by number and by name.  The trailing u_int8_t
 * is presumably the address family (ICMP vs ICMPv6) -- confirm.  Note the
 * inconsistency: geticmpcodebyname() takes the type as u_long while the
 * *bynumber() variants take u_int8_t; a caller passing a value above 255
 * relies on the implementation to range-check it.
 */
const struct icmptypeent *geticmptypebynumber(u_int8_t, u_int8_t);
const struct icmptypeent *geticmptypebyname(char *, u_int8_t);
const struct icmpcodeent *geticmpcodebynumber(u_int8_t, u_int8_t, u_int8_t);
const struct icmpcodeent *geticmpcodebyname(u_long, char *, u_int8_t);

/*
 * Name/value pairs for "set timeout".  pf_timeouts[] is defined in a .c
 * file and is presumably terminated by an entry with name == NULL --
 * confirm before iterating over it.
 */
struct pf_timeout {
	const char	*name;
	int		 timeout;
};

/*
 * Which ruleset sections a load touches (filter, nat, options, altq,
 * tables); bit 0x01 is not used.  Presumably what struct pfctl.loadopt
 * and the flag ints of pfctl_rules()/pfctl_define_table() carry.
 */
#define PFCTL_FLAG_FILTER	0x02
#define PFCTL_FLAG_NAT		0x04
#define PFCTL_FLAG_OPTION	0x08
#define PFCTL_FLAG_ALTQ		0x10
#define PFCTL_FLAG_TABLE	0x20

extern const struct pf_timeout pf_timeouts[];

/*
 * Address and interface helpers.  set_ipmask() applies a prefix length to
 * a node_host and check_netmask() validates one for a family; the
 * u_int8_t prefix must be bounded by the family's width (32/128),
 * presumably in check_netmask() -- verify.  host() turns the text of an
 * address operand into a node_host list; since PF_OPT_USEDNS exists that
 * text may be a hostname, so a loaded ruleset can depend on the DNS
 * answers seen at load time (hedge: confirm in host()).
 */
void	 set_ipmask(struct node_host *, u_int8_t);
int	 check_netmask(struct node_host *, sa_family_t);
void	 ifa_load(void);
struct node_host	*ifa_exists(const char *);
struct node_host	*ifa_lookup(const char *, enum pfctl_iflookup_mode);
struct node_host	*host(const char *);

/*
 * Append an address -- from text, or from an existing node_host list --
 * to a table buffer.  The trailing ints are flags whose meaning is not
 * visible here.
 */
int	append_addr(struct pfr_buffer *, char *, int);
int	append_addr_host(struct pfr_buffer *,
	    struct node_host *, int, int);

#endif /* _PFCTL_PARSER_H_ */