summaryrefslogtreecommitdiff
path: root/src/openvpn/pf.h
blob: c64d21bdc4fae6e9f3bb34df9a13743194d06b75 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
/*
 *  OpenVPN -- An application to securely tunnel IP networks
 *             over a single TCP/UDP port, with support for SSL/TLS-based
 *             session authentication and key exchange,
 *             packet encryption, packet authentication, and
 *             packet compression.
 *
 *  Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License version 2
 *  as published by the Free Software Foundation.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License along
 *  with this program; if not, write to the Free Software Foundation, Inc.,
 *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

/* packet filter functions */

#if defined(ENABLE_PF) && !defined(OPENVPN_PF_H)
#define OPENVPN_PF_H

#include "list.h"
#include "mroute.h"

#define PF_MAX_LINE_LEN 256

#define PCT_SRC  1
#define PCT_DEST 2

struct context;

struct ipv4_subnet {
    bool exclude;
    in_addr_t network;
    in_addr_t netmask;
};

struct pf_subnet {
    struct pf_subnet *next;
    struct ipv4_subnet rule;
};

struct pf_subnet_set {
    bool default_allow;
    struct pf_subnet *list;
};

struct pf_cn {
    bool exclude;
    char *cn;
};

struct pf_cn_elem {
    struct pf_cn_elem *next;
    struct pf_cn rule;
};

struct pf_cn_set {
    bool default_allow;
    struct pf_cn_elem *list;
    struct hash *hash_table;
};

struct pf_set {
    bool kill;
    struct pf_subnet_set sns;
    struct pf_cn_set cns;
};

struct pf_context {
    bool enabled;
    struct pf_set *pfs;
#ifdef PLUGIN_PF
    const char *filename;
    time_t file_last_mod;
    unsigned int n_check_reload;
    struct event_timeout reload;
#endif
};

void pf_init_context(struct context *c);

void pf_destroy_context(struct pf_context *pfc);

#ifdef PLUGIN_PF
void pf_check_reload(struct context *c);

#endif

#ifdef MANAGEMENT_PF
bool pf_load_from_buffer_list(struct context *c, const struct buffer_list *config);

#endif

#ifdef ENABLE_DEBUG
void pf_context_print(const struct pf_context *pfc, const char *prefix, const int lev);

#endif

bool pf_addr_test_dowork(const struct context *src,
                         const struct mroute_addr *dest, const char *prefix);

static inline bool
pf_addr_test(const struct pf_context *src_pf, const struct context *src,
             const struct mroute_addr *dest, const char *prefix)
{
    if (src_pf->enabled)
    {
        return pf_addr_test_dowork(src, dest, prefix);
    }
    else
    {
        return true;
    }
}

/*
 * Inline functions
 */

bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type,
                const char *prefix);

static inline bool
pf_c2c_test(const struct pf_context *src_pf, const struct tls_multi *src,
            const struct pf_context *dest_pf, const struct tls_multi *dest,
            const char *prefix)
{
    return (!src_pf->enabled || pf_cn_test(src_pf->pfs, dest, PCT_DEST, prefix))
           && (!dest_pf->enabled || pf_cn_test(dest_pf->pfs, src, PCT_SRC,
                                               prefix));
}

static inline bool
pf_kill_test(const struct pf_set *pfs)
{
    return pfs->kill;
}

#endif /* if defined(ENABLE_PF) && !defined(OPENVPN_PF_H) */