OpenVPN
pf.h
Go to the documentation of this file.
1 /*
2  * OpenVPN -- An application to securely tunnel IP networks
3  * over a single TCP/UDP port, with support for SSL/TLS-based
4  * session authentication and key exchange,
5  * packet encryption, packet authentication, and
6  * packet compression.
7  *
8  * Copyright (C) 2002-2018 OpenVPN Inc <sales@openvpn.net>
9  *
10  * This program is free software; you can redistribute it and/or modify
11  * it under the terms of the GNU General Public License version 2
12  * as published by the Free Software Foundation.
13  *
14  * This program is distributed in the hope that it will be useful,
15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17  * GNU General Public License for more details.
18  *
19  * You should have received a copy of the GNU General Public License along
20  * with this program; if not, write to the Free Software Foundation, Inc.,
21  * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
22  */
23 
24 /* packet filter functions */
25 
26 #if defined(ENABLE_PF) && !defined(OPENVPN_PF_H)
27 #define OPENVPN_PF_H
28 
29 #include "list.h"
30 #include "mroute.h"
31 
32 #define PF_MAX_LINE_LEN 256
33 
34 #define PCT_SRC 1
35 #define PCT_DEST 2
36 
37 struct context;
38 
39 struct ipv4_subnet {
40  bool exclude;
41  in_addr_t network;
42  in_addr_t netmask;
43 };
44 
45 struct pf_subnet {
46  struct pf_subnet *next;
47  struct ipv4_subnet rule;
48 };
49 
50 struct pf_subnet_set {
51  bool default_allow;
52  struct pf_subnet *list;
53 };
54 
55 struct pf_cn {
56  bool exclude;
57  char *cn;
58 };
59 
60 struct pf_cn_elem {
61  struct pf_cn_elem *next;
62  struct pf_cn rule;
63 };
64 
65 struct pf_cn_set {
66  bool default_allow;
67  struct pf_cn_elem *list;
68  struct hash *hash_table;
69 };
70 
71 struct pf_set {
72  bool kill;
73  struct pf_subnet_set sns;
74  struct pf_cn_set cns;
75 };
76 
77 struct pf_context {
78  bool enabled;
79  struct pf_set *pfs;
80 #ifdef PLUGIN_PF
81  const char *filename;
82  time_t file_last_mod;
83  unsigned int n_check_reload;
84  struct event_timeout reload;
85 #endif
86 };
87 
88 void pf_init_context(struct context *c);
89 
90 void pf_destroy_context(struct pf_context *pfc);
91 
92 #ifdef PLUGIN_PF
93 void pf_check_reload(struct context *c);
94 
95 #endif
96 
97 #ifdef MANAGEMENT_PF
98 bool pf_load_from_buffer_list(struct context *c, const struct buffer_list *config);
99 
100 #endif
101 
102 #ifdef ENABLE_DEBUG
103 void pf_context_print(const struct pf_context *pfc, const char *prefix, const int lev);
104 
105 #endif
106 
107 bool pf_addr_test_dowork(const struct context *src,
108  const struct mroute_addr *dest, const char *prefix);
109 
110 static inline bool
111 pf_addr_test(const struct pf_context *src_pf, const struct context *src,
112  const struct mroute_addr *dest, const char *prefix)
113 {
114  if (src_pf->enabled)
115  {
116  return pf_addr_test_dowork(src, dest, prefix);
117  }
118  else
119  {
120  return true;
121  }
122 }
123 
124 /*
125  * Inline functions
126  */
127 
128 bool pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type,
129  const char *prefix);
130 
131 static inline bool
132 pf_c2c_test(const struct pf_context *src_pf, const struct tls_multi *src,
133  const struct pf_context *dest_pf, const struct tls_multi *dest,
134  const char *prefix)
135 {
136  return (!src_pf->enabled || pf_cn_test(src_pf->pfs, dest, PCT_DEST, prefix))
137  && (!dest_pf->enabled || pf_cn_test(dest_pf->pfs, src, PCT_SRC,
138  prefix));
139 }
140 
141 static inline bool
142 pf_kill_test(const struct pf_set *pfs)
143 {
144  return pfs->kill;
145 }
146 
147 #endif /* if defined(ENABLE_PF) && !defined(OPENVPN_PF_H) */
Contains all state information for one tunnel.
Definition: openvpn.h:500
Security parameter state for a single VPN tunnel.
Definition: ssl_common.h:503
#define in_addr_t
Definition: config-msvc.h:104
char * dest
Definition: compat-lz4.h:431
Definition: list.h:60