Logo Search packages:      
Sourcecode: netams version File versions  Download package


***   Authentication, authorization, accounting + firewalling package
***   Copyright 1998-2002 Anton Vinokurov <anton@netams.com>
***   Copyright 2002-2008 NeTAMS Development Team
***   This code is GPL v3
***   For latest version and more info, visit this project web page
***   located at http://www.netams.com
/* $Id: policy.h,v 1.99 2008-02-23 08:35:02 anton Exp $ */

#include "flow.h"

extern time_t fw_check_changed;

#define IS_FW_CHECK_CHANGED(since) (fw_check_changed>=since)
#define FW_CHECK_CHANGED(now) { fw_check_changed=now; }
#define POLICY_TYPES_NUM      3

//number here should be in sync with char policy_type_name[][] defined in policy.c
enum policy_type { POLICY_NONE=0, POLICY_ACCT=1, POLICY_FW=2 }; 

#ifndef PC_MAX_PORTS
#define PC_MAX_PORTS    10

#ifndef PC_MAX_IFS
#define PC_MAX_IFS      10

#ifndef PC_MAX_ADDRS
#define PC_MAX_ADDRS    10

#define PC_MAX_POLICIES 10

#ifndef PC_MAX_ASES
#define PC_MAX_ASES     10

#ifndef     PC_MAX_DSES
#define     PC_MAX_DSES 10

#ifndef PC_MAX_VLANS
#define PC_MAX_VLANS    10

typedef u_char policy_target_type;

#define PT_UNKNOWN            0
#define PT_IP_TRAFFIC         0x01
#define PT_NETFLOW_TRAFFIC    0x02
#define PT_LIBPCAP_TRAFFIC    0x04
#define PT_RAW                0x08
#define PT_LAYER7       0x10
#define PT_LOGIN_LOG          0x20
#define PT_POLICY       0x40
#define PT_NETGRAPH           0x80

typedef u_short policy_check_type;

#define PC_UNKNOWN            0
#define PC_IP_PROTO           0x0001
#define PC_UNIT               0x0002
#define PC_FILE               0x0004
#define PC_IP_TOS       0x0008
#define PC_IP_PORTS           0x0010
#define PC_IFINDEX            0x0020
#define PC_IP_ADDR            0x0040
#define PC_TIME               0x0080
#define PC_DAYOFWEEK          0x0100
#define PC_AS_NUMBER          0x0200
#define PC_DS_NUMBER          0x0400
#define PC_VLAN_NUMBER        0x0800
#define PC_FLOW_DIRECTION     0x1000

typedef u_char policy_logic_type;

#define PL_OR                 0
#define PL_AND          0x01

template <int max_items>
struct policy_target_array {
        u_char  num;
        u_short value[max_items];
        u_short max[max_items];
        match mf[max_items];

      u_char SetPolicy(char **tgt);
      void GetPolicy(struct cli_def *cli);
      bool CheckPolicy(u_short src, u_short dst);

typedef struct policy_target {
      policy_target_type      target_type;
      policy_check_type check_type;

#define PROTO_ANY 0xff
      u_short proto;                      // as in /etc/protocols

      //this is when or dst or src in
      u_char num_addrs;
      struct in_addr addr[PC_MAX_ADDRS];        /* Source and destination IP addr */
      struct in_addr addr_mask[PC_MAX_ADDRS];         /* Mask for src and dest IP addr */
      policy_target_array<PC_MAX_PORTS> ports;
      u_char ip_tos;

      oid   unit_id;    
      char  *unit_name;
      NetUnit *unit;

      PrefixFile *file;
      policy_target_array<PC_MAX_IFS> ifs;

      int t_begin, t_end; /* seconds from midnight */

      u_char day_allowed[7];  //day_of_week allowed, 0 is monday, 6 is sunday (but here in america weeks starts at sunday :)
      int day_d1, day_d2;     /* begin and end of interval */
      policy_target_array<PC_MAX_ASES> ases;

      //policy_type==PT_POLICY and check_type=UNKNOWN
      u_char num_policies;
      policy_logic_type logic; //0==or; 1=and
      u_char inversion[PC_MAX_POLICIES];
      Policy *list[PC_MAX_POLICIES];

    u_char  num_dses;
    u_char dses[PC_MAX_DSES];
      u_char num_vlans;
      u_short vlans[PC_MAX_VLANS];

      u_char direction; //Flow direction: 0 - ingress flow, 1 - egress flow

} policy_target;
class Policy: public Object {
            char *name;
            policy_target target; // ip, mail, squid, login, etc...
            u_char hidden; // do not show it in HTML output (useful for layer7)
            BWinfo *bwi;
            void setName(char *n);
            u_char setTarget(struct cli_def *cli, char **tgt, u_char *i, u_char no_flag=0);
            void getTarget(struct cli_def *cli);
            u_char Check(Flow *list, match mf);

class PolicyList: public List {

            ~PolicyList() {};
            void DeleteUnitFromTarget(NetUnit *u);
            Policy *getPolicy(char *name);
            void ShowConfig(struct cli_def *cli, u_char flags);
            friend int cShowPolicy(Connection *conn);

int cPolicy(struct cli_def *cli, char **param, int argc, u_char no_flag);
Policy* aParsePolicy(char *param[], u_char *pos, oid *pid=NULL);

typedef struct pstat {
      unsigned long long in;
      unsigned long long out;
      time_t from;
      } pstat;

extern const char pstat_prefix[5];
typedef u_char policy_flag;

#define POLICY_FLAG_NONE      0x00
#define POLICY_FLAG_BRK       0x01
#define POLICY_FLAG_INV       0x02

typedef struct policy_data {
      u_char flags;
      Policy *policy;
      time_t timestamp; 
      time_t to; // last time policy_data matched, thats why we don't need time_t to in pstat
      unsigned long long check;
      unsigned long long match;
      pstat flow;
      pstat h,d,w,m;
      policy_data *next;
      policy_flag policy_flags;  //  POLICY_FLAG_*
} policy_data;

class PdList {
            policy_data *root;
            pthread_rwlock_t rwlock;
            u_char num_policies;

            policy_data *Add(Policy *p, u_char flags=0, u_char place=0);
            u_char Delete(Policy *p);
            void List(struct cli_def *cli);
            void ListForCfg(struct cli_def *cli, u_char flags);
            void SetForUnit(policy_type pt, NetUnit *u, struct cli_def *cli=NULL);
            policy_data *Get(Policy *p);
            time_t LastUsed();
            void ClearLastUsed();
            u_char IsNetCheckBroken(NetUnit *u);

void PolicyDataUpdate(match mf, policy_data *p, Flow *list);
void PolicyAdd(NetUnit *u, u_char *i, policy_type p, struct cli_def *cli, char *param[], u_char no_flag);
typedef u_char SysPolicy;

#define SP_NONE               0x00
#define SP_DENY               0x01
#define SP_DENY_MONEY         0x02
#define SP_DENY_BLOCK         0x04
#define SP_DENY_QUOTA         0x08
#define SP_DENY_AUTH          0x10
#define SP_DENY_LOGIN         0x20
#define SP_DENY_MAC                 0x40

void SetSysPolicy(struct cli_def *cli, NetUnit *u, char *p);
void GetSysPolicy(struct cli_def *cli, SysPolicy p, oid perm);

Generated by  Doxygen 1.6.0   Back to index