#ifndef LOCAL_PACKETBL_H
# define LOCAL_PACKETBL_H
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <resolv.h>
#include <netdb.h>
#include <ctype.h>
#include <syslog.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#include <time.h>
#include <errno.h>
#include <linux/netfilter.h>
#include <libconfig.h>
#include <libnetfilter_queue.h>
# ifdef HAVE_CONFIG_H
# include "config.h"
# endif
# ifdef USE_SOCKSTAT
/* Default path of the statistics UNIX-domain socket (USE_SOCKSTAT builds;
 * see pbl_init_sockstat()). NOTE(review): /tmp is a shared, world-writable
 * directory, so any local user can pre-create or replace this name before
 * the daemon binds it; a directory only the daemon can write to is the
 * safer default — confirm how pbl_init_sockstat() creates and unlinks it. */
# ifndef SOCKSTAT_PATH
# define SOCKSTAT_PATH "/tmp/.packetbl.sock"
# endif
# endif
#ifdef USE_SOCKSTAT
#include <sys/socket.h>
#include <sys/un.h>
#include <pthread.h>
#endif
#ifdef HAVE_FIREDNS
#include <firedns.h>
#endif
/* Size in bytes of the shared scratch buffer msgbuf (declared below).
 * May be overridden at build time. */
#ifndef BUFFERSIZE
#define BUFFERSIZE 65536
#endif
#ifdef USE_CACHE
/* Build-time defaults for the verdict cache (used to seed packet_cache_len
 * and packet_cache_ttl below): number of cache slots, and entry lifetime —
 * presumably in seconds, given that expiry is tracked in a time_t; confirm
 * at the lookup code. */
# ifndef USE_CACHE_DEF_LEN
# define USE_CACHE_DEF_LEN 8192
# endif
# ifndef USE_CACHE_DEF_TTL
# define USE_CACHE_DEF_TTL 3600
# endif
#endif
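/* TCP flag bits of the header flags byte. <netinet/tcp.h> (included above)
 * may already provide these names on BSD-flavoured libcs; an identical
 * redefinition is legal C, but any textual difference in the replacement
 * list is a constraint violation, so each one is guarded. */
#ifndef TH_FIN
# define TH_FIN 0x01
#endif
#ifndef TH_SYN
# define TH_SYN 0x02
#endif
#ifndef TH_RST
# define TH_RST 0x04
#endif
#ifndef TH_PUSH
# define TH_PUSH 0x08
#endif
#ifndef TH_ACK
# define TH_ACK 0x10
#endif
#ifndef TH_URG
# define TH_URG 0x20
#endif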
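/* Thin aliases over the libnetfilter_queue API so call sites read as
 * packetbl operations. PBL_ID_T is the packet-id type handed to
 * nfq_set_verdict(); libnetfilter_queue spells it u_int32_t, which on glibc
 * is the same typedef as the standard uint32_t used here (u_int32_t is a
 * BSD extension that is not declared under strict -std=c11). PBL_ERRSTR is
 * currently the empty string. */
# define SET_VERDICT nfq_set_verdict
# define PBL_HANDLE nfq_q_handle
# define PBL_SET_MODE nfq_set_mode
# define PBL_COPY_PACKET NFQNL_COPY_PACKET
# define PBL_ID_T uint32_t
# define PBL_ERRSTR ""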
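/* Print message y (a string) on its own line when conf.debug is at least
 * level x. Wrapped in do/while(0) so it behaves as a single statement: the
 * bare `if` of the original let a following `else` bind to the macro's own
 * `if`. The message is passed as a "%s" argument instead of being used as
 * the format string, so a '%' inside the text is printed literally rather
 * than read as a conversion directive with no argument. */
#define DEBUG(x, y) do { if (conf.debug >= (x)) { printf("%s\n", (y)); } } while (0)
/* Non-zero when x lies outside the 0..255 range of a dotted-quad octet.
 * Fully parenthesized: the unparenthesized original let a trailing
 * operator at the use site (e.g. `== 0`) bind to the 255 instead of to the
 * whole test. */
#define INVALID_OCTET(x) ((x) < 0 || (x) > 255)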
/* Per-packet summary filled in by get_packet_info() and consumed by the
 * list and DNSBL checks. */
struct packet_info {
uint8_t b1; /* address octets in wire order, b1 first — presumably the source address; confirm in get_packet_info() */
uint8_t b2;
uint8_t b3;
uint8_t b4;
unsigned int s_port; /* source port (byte order not stated here — confirm) */
unsigned int d_port; /* destination port */
int flags; /* TCP flags byte, presumably tested against the TH_* masks above — confirm */
};
/* A parsed CIDR block, produced by parse_cidr(). */
struct cidr {
uint32_t ip; /* network address as a 32-bit integer */
uint32_t network; /* prefix length, presumed from the derived mask below — confirm in parse_cidr() */
uint32_t processed; /* network, but as a bitmask */
};
/* One node of a singly linked list of configured hosts/networks/DNSBLs.
 * `string` is the configured text; `ip` and `cidr` hold parsed forms of it
 * (cidr via parse_cidr()). Which member is meaningful for a given list, and
 * who owns and frees `string`, is not stated in this header — confirm in
 * parse_config(). */
struct config_entry {
char *string;
struct config_entry *next;
struct packet_info ip;
struct cidr cidr;
};
/* Shared scratch buffer for message/packet text. NOTE(review): this is a
 * definition (neither `static` nor `extern`) in a header, so every .c that
 * includes it defines its own copy and linking two of them fails with a
 * duplicate symbol (or silently merges as a common symbol on toolchains
 * that still default to -fcommon). Acceptable only while exactly one
 * translation unit includes this header. */
char msgbuf[BUFFERSIZE];
/* Runtime configuration, filled by parse_config() and parse_arguments().
 * The `conf` instance below carries the built-in defaults; being `static`
 * in a header, each including .c gets its own copy. */
struct config {
int allow_non25; /* presumably: also inspect traffic not bound for port 25 — confirm */
int allow_nonsyn; /* presumably: also inspect non-SYN segments — confirm */
int default_accept; /* verdict when no list matches (1 = accept) */
int dryrun; /* evaluate but do not enforce verdicts (presumed from the name) */
int log_facility; /* syslog facility, one of the LOG_* values in facenum */
int queueno; /* netfilter queue number to bind */
int quiet;
int debug; /* verbosity threshold read by the DEBUG() macro */
struct config_entry *blacklistbl; /* DNS blocklists, checked by check_packet_dnsbl() */
struct config_entry *whitelistbl;
struct config_entry *blacklist; /* literal/CIDR lists, checked by check_packet_list() */
struct config_entry *whitelist;
};
/* Defaults: accept by default, daemon facility, queue 1, everything else
 * off and all lists empty. Designated so each value names its field. */
static struct config conf = {
.allow_non25 = 0,
.allow_nonsyn = 0,
.default_accept = 1,
.dryrun = 0,
.log_facility = LOG_DAEMON,
.queueno = 1,
.quiet = 0,
.debug = 0,
.blacklistbl = NULL,
.whitelistbl = NULL,
.blacklist = NULL,
.whitelist = NULL,
};
/* Running counters, one per decision path. `statistics` below starts at
 * zero; `static` in a header means each including .c has its own copy. */
struct pbl_stat_info {
uint32_t cacheaccept; /* verdicts answered from the cache: accept */
uint32_t cachereject; /* verdicts answered from the cache: reject */
uint32_t whitelistblhits; /* matches on whitelist DNSBLs */
uint32_t blacklistblhits; /* matches on blacklist DNSBLs */
uint32_t whitelisthits; /* matches on the literal/CIDR whitelist */
uint32_t blacklisthits; /* matches on the literal/CIDR blacklist */
uint32_t fallthroughhits; /* packets no list matched (default verdict) */
uint32_t totalpackets; /* everything seen */
};
/* All-zero initializer: every counter, including any added later, starts at 0. */
static struct pbl_stat_info statistics = { 0 };
#ifdef USE_CACHE
/* One slot of the verdict cache. */
struct packet_cache_t {
uint32_t ipaddr; /* cached address as a 32-bit integer */
time_t expires; /* time after which the slot is stale (presumed absolute — confirm at the lookup) */
int action; /* the verdict that was cached */
};
/* NOTE(review): these three are definitions, not `extern` declarations, in
 * a header; each including .c gets its own copy and linking two such units
 * produces duplicate symbols. Fine only while one .c includes this file. */
struct packet_cache_t *packet_cache = NULL; /* allocated elsewhere; packet_cache_len slots */
uint32_t packet_cache_len = USE_CACHE_DEF_LEN;
/* NOTE(review): 16-bit TTL — a configured value above 65535 would wrap
 * silently when stored here; confirm that parse_config() range-checks it. */
uint16_t packet_cache_ttl = USE_CACHE_DEF_TTL;
#endif
/* Head of a cached host list (purpose not stated here — confirm at its
 * uses). NOTE(review): a definition in a header, so it is duplicated in
 * every .c that includes this file; see the same caveat on msgbuf. */
struct config_entry *hostlistcache = NULL;
/* Prototypes for functions defined in the packetbl source file. The
 * `static` ones are only meaningful if that file is the single including
 * translation unit. */

/* Fill *ip from the raw packet bytes at payload; the int result's meaning
 * is not stated here — confirm at the definition. NOTE(review): no length
 * is passed, so the parser cannot bound its reads by the actual packet
 * size; it can only rely on the copy size requested from the queue
 * (PBL_COPY_PACKET). Confirm the definition validates the IP header length
 * and protocol before indexing into payload. */
int get_packet_info(char *payload, struct packet_info *ip);
/* Test *ip against a literal/CIDR list (conf.whitelist / conf.blacklist). */
int check_packet_list(const struct packet_info *ip, struct config_entry *list);
/* Test *ip against a list of DNS blocklists (conf.whitelistbl / conf.blacklistbl). */
int check_packet_dnsbl(const struct packet_info *ip, struct config_entry *list);
/* Parse ce->string as a CIDR specification into ce->cidr (presumed from
 * the layout of struct config_entry — confirm). */
int parse_cidr(struct config_entry *ce);
/* int validate_blacklist(char *); */
/* Load the configuration file into conf (presumed from the name). */
void parse_config(void);
/* Apply command-line options to conf. */
void parse_arguments(int argc, char **argv);
/* Set up the statistics socket (USE_SOCKSTAT builds; see SOCKSTAT_PATH). */
void pbl_init_sockstat(void);
/* Render *ip as text; since nothing is returned, the result is presumably
 * left in msgbuf — confirm. */
static void get_ip_string(const struct packet_info *ip);
/* Issue `verdict` for packet `id` on queue handle h (via SET_VERDICT). */
static void pbl_set_verdict(struct PBL_HANDLE *h, PBL_ID_T id,
unsigned int verdict);
/* libnetfilter_queue per-packet callback (nfq_callback signature); data is
 * the opaque pointer registered with the queue. */
static int pbl_callback(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
struct nfq_data *nfa, void *data);
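/* Maps a syslog facility name (as written in the configuration) to its
 * LOG_* constant. `string` points at string literals, so it must never be
 * written through even though it is not declared const. */
typedef struct facility {
char *string;
int num;
} facility;
/* Name/facility table, terminated by an entry whose string is NULL. The
 * sentinel is written as a full brace-enclosed element: the original bare
 * `NULL` relied on brace elision (a -Wmissing-braces diagnostic) and left
 * `num` only implicitly zero. */
static struct facility facenum[] = {
{"auth", LOG_AUTH},
{"authpriv", LOG_AUTHPRIV},
{"cron", LOG_CRON},
{"daemon", LOG_DAEMON},
{"kern", LOG_KERN},
{"lpr", LOG_LPR},
{"mail", LOG_MAIL},
{"news", LOG_NEWS},
{"syslog", LOG_SYSLOG},
{"user", LOG_USER},
{"uucp", LOG_UUCP},
{"local0", LOG_LOCAL0},
{"local1", LOG_LOCAL1},
{"local2", LOG_LOCAL2},
{"local3", LOG_LOCAL3},
{"local4", LOG_LOCAL4},
{"local5", LOG_LOCAL5},
{"local6", LOG_LOCAL6},
{"local7", LOG_LOCAL7},
{NULL, 0}
};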
#endif