/*-
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD$
 */

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 *
 * A single global instance, `co`, is declared below and shared by all
 * translation units of the tool.
 */

struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
	int	do_nat;		/* this cmd refers to a nat config */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_dynamic;	/* 1 - display dynamic rules */
				/* 2 - display/delete only dynamic rules */
	int	do_sort;	/* field to sort results (0 = no) */
				/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
				/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/*
 * Time stamp display modes.
 * NOTE(review): presumably the values stored in cmdline_opts.do_time
 * ("Show time stamps" above) -- confirm against the option parser.
 */
enum {
	TIMESTAMP_NONE = 0,
	TIMESTAMP_STRING,
	TIMESTAMP_NUMERIC,
};

/* The one global option block; defined in exactly one .c file. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores a string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 * Every table passed to the lookup helpers below MUST end with the
 * s=NULL terminator; the helpers have no other way to find the end.
 */
struct _s_x {
	char const *s;	/* keyword, or NULL for the terminating entry */
	int x;		/* token value associated with s (see enum tokens) */
};

/* Keyword table for DSCP names (terminated by an s=NULL entry). */
extern struct _s_x f_ipdscp[];

/*
 * Token values produced by the keyword tables.
 * The numeric values are implicit and depend on declaration order, so
 * new tokens should be appended within their group rather than inserted
 * before existing ones if any value is ever persisted or compared
 * numerically.  Note that the NEW_AQM block below shifts every value
 * that follows it depending on the build configuration.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ABORT6,
	TOK_ABORT,
	TOK_ACCEPT,
	TOK_COUNT,
	TOK_EACTION,
	TOK_PIPE,
	TOK_LINK,
	TOK_QUEUE,
	TOK_FLOWSET,
	TOK_SCHED,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,
	TOK_CALL,
	TOK_RETURN,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_SETLIMIT,
	TOK_KEEPSTATE,
	TOK_RECORDSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_DSCP,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_FLOW_MASK,
	TOK_SCHED_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_PROFILE,
	TOK_BURST,
	TOK_RED,
	TOK_GRED,
	TOK_ECN,
	TOK_DROPTAIL,
	TOK_PROTO,
#ifdef NEW_AQM
	/* AQM tokens */
	TOK_NO_ECN,
	TOK_CODEL,
	TOK_FQ_CODEL,
	TOK_TARGET,
	TOK_INTERVAL,
	TOK_FLOWS,
	TOK_QUANTUM,

	TOK_PIE,
	TOK_FQ_PIE,
	TOK_TUPDATE,
	TOK_MAX_BURST,
	TOK_MAX_ECNTH,
	TOK_ALPHA,
	TOK_BETA,
	TOK_CAPDROP,
	TOK_NO_CAPDROP,
	TOK_ONOFF,
	TOK_DRE,
	TOK_TS,
	TOK_DERAND,
	TOK_NO_DERAND,
#endif
	/* dummynet tokens */
	TOK_WEIGHT,
	TOK_LMAX,
	TOK_PRI,
	TOK_TYPE,
	TOK_SLOTSIZE,

	TOK_IP,
	TOK_IF,
	TOK_ALOG,
	TOK_DENY_INC,
	TOK_SAME_PORTS,
	TOK_UNREG_ONLY,
	TOK_SKIP_GLOBAL,
	TOK_RESET_ADDR,
	TOK_ALIAS_REV,
	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
	TOK_LOOKUP,
	TOK_SOCKARG,
	TOK_SETDSCP,
	TOK_FLOW,
	TOK_IFLIST,
	/* Table tokens */
	TOK_CREATE,
	TOK_DESTROY,
	TOK_LIST,
	TOK_INFO,
	TOK_DETAIL,
	TOK_MODIFY,
	TOK_FLUSH,
	TOK_SWAP,
	TOK_ADD,
	TOK_DEL,
	TOK_VALTYPE,
	TOK_ALGO,
	TOK_TALIST,
	TOK_ATOMIC,
	TOK_LOCK,
	TOK_UNLOCK,
	TOK_VLIST,
	TOK_OLIST,

	/* NAT64 tokens */
	TOK_NAT64STL,
	TOK_NAT64LSN,
	TOK_STATS,
	TOK_STATES,
	TOK_CONFIG,
	TOK_TABLE4,
	TOK_TABLE6,
	TOK_PREFIX4,
	TOK_PREFIX6,
	TOK_AGG_LEN,
	TOK_AGG_COUNT,
	TOK_MAX_PORTS,
	TOK_STATES_CHUNKS,
	TOK_JMAXLEN,
	TOK_PORT_RANGE,
	TOK_HOST_DEL_AGE,
	TOK_PG_DEL_AGE,
	TOK_TCP_SYN_AGE,
	TOK_TCP_CLOSE_AGE,
	TOK_TCP_EST_AGE,
	TOK_UDP_AGE,
	TOK_ICMP_AGE,
	TOK_LOGOFF,
	TOK_PRIVATE,
	TOK_PRIVATEOFF,

	/* NAT64 CLAT tokens */
	TOK_NAT64CLAT,
	TOK_PLAT_PREFIX,
	TOK_CLAT_PREFIX,

	/* NPTv6 tokens */
	TOK_NPTV6,
	TOK_INTPREFIX,
	TOK_EXTPREFIX,
	TOK_PREFIXLEN,
	TOK_EXTIF,

	TOK_TCPSETMSS,

	TOK_SKIPACTION,
};

/*
 * The following macros return an error message if we run out of
 * arguments.
 *
 * NOTE(review): `msg` is handed to errx() as the *format* string, so it
 * must be a string literal (never text derived from the command line);
 * a '%' in it would be interpreted as a conversion specification.
 * The test argument `_p` is not parenthesised, so `!_p` only applies to
 * the first operand of an expression such as `a == b`.
 * The `{ ... }` body is not wrapped in do { } while (0): a call written
 * `NEED(...);` leaves an empty statement after the block, which breaks
 * `if (c) NEED(...); else ...`.
 * NEED1() additionally requires a variable named `av` in the caller's
 * scope.
 */
#define NEED(_p, msg)      {if (!_p) errx(EX_USAGE, msg);}
#define NEED1(msg)      {if (!(*av)) errx(EX_USAGE, msg);}

/*
 * Growable output buffer used by the print routines.
 * Ownership: bp_alloc() sets up the storage and bp_free() releases it;
 * the pointer/size bookkeeping is private to the helpers below.
 */
struct buf_pr {
	char	*buf;	/* allocated buffer */
	char	*ptr;	/* current pointer */
	size_t	size;	/* total buffer size */
	size_t	avail;	/* available storage */
	size_t	needed;	/* length needed */
};

int pr_u64(struct buf_pr *bp, uint64_t *pd, int width);
int bp_alloc(struct buf_pr *b, size_t size);
void bp_free(struct buf_pr *b);
/*
 * printf-style formatting into a buf_pr.  `format` is not const and the
 * prototype carries no format attribute, so callers should always pass
 * a literal format string.
 */
int bprintf(struct buf_pr *b, char *format, ...);


/*
 * memory allocation support
 * NOTE(review): the "safe_" prefix suggests these abort on allocation
 * failure instead of returning NULL -- confirm against the definitions
 * before relying on it.
 */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/*
 * string comparison functions used for historical compatibility
 * NOTE: file-scope identifiers beginning with an underscore are reserved
 * by the C standard (C11 7.1.3); these names predate that concern.
 */
int _substrcmp(const char *str1, const char* str2);
int _substrcmp2(const char *str1, const char* str2, const char* str3);
int stringnum_cmp(const char *a, const char *b);

/*
 * utility functions
 * All table arguments are NULL-terminated `struct _s_x` arrays (see
 * above).  concat_tokens() and print_flags_buffer() take an explicit
 * buffer size and must honour it when writing into `buf`.
 */
int match_token(struct _s_x *table, const char *string);
int match_token_relaxed(struct _s_x *table, const char *string);
int get_token(struct _s_x *table, const char *string, const char *errbase);
char const *match_value(struct _s_x *p, int value);
size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
    char *delimiter);
int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
    uint32_t *clear);
void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);

/*
 * Kernel interface wrappers.
 * NOTE(review): do_cmd() types its length as uintptr_t while do_set3()
 * and do_get3() use size_t -- confirm against the definitions whether
 * the difference is intentional.
 */
struct _ip_fw3_opheader;
int do_cmd(int optname, void *optval, uintptr_t optlen);
int do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
int do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);

struct in6_addr;
/* Build an IPv6 netmask of prefix length n into *mask. */
void n2mask(struct in6_addr *mask, int n);
/* Length of the contiguous leading 1-bits in the len-bit mask at p. */
int contigmask(uint8_t *p, int len);

/*
 * Forward declarations to avoid including way too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/*
 * first-level command handlers
 * Handlers taking `char *av[]` alone expect a NULL-terminated argument
 * vector; those taking `int ac` receive the count explicitly.
 */
void ipfw_add(char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(char *av[], int which);
void ipfw_delete(char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);
void ipfw_internal_handler(int ac, char *av[]);
void ipfw_nat64clat_handler(int ac, char *av[]);
void ipfw_nat64lsn_handler(int ac, char *av[]);
void ipfw_nat64stl_handler(int ac, char *av[]);
void ipfw_nptv6_handler(int ac, char *av[]);
/* Input validation for user-supplied object names and NAT64 prefixes. */
int ipfw_check_object_name(const char *name);
int ipfw_check_nat64prefix(const struct in6_addr *prefix, int length);

#ifdef PF
/* altq.c */
void altq_set_enabled(int enabled);
u_int32_t altq_name_to_qid(const char *name);
void print_altq_cmd(struct buf_pr *bp, struct _ipfw_insn_altq *altqptr);
#else
/* Without PF there is no ALTQ support; consumers test for this macro. */
#define NO_ALTQ
#endif

/* dummynet.c */
void dummynet_list(int ac, char *av[], int show_counters);
void dummynet_flush(void);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(struct buf_pr *bp, uint16_t code);
void print_ip6(struct buf_pr *bp, struct _ipfw_insn_ip6 *cmd);
void print_flow6id(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct buf_pr *bp, struct _ipfw_insn *cmd );

struct tidx;
/*
 * Instruction builders: `cblen` is the remaining space in the rule
 * buffer and must be checked by the implementation before emitting
 * into `cmd`.
 */
struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
void fill_unreach6_code(u_short *codep, char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);

/* ipfw2.c */
void bp_flush(struct buf_pr *b);
void fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
    struct tidx *tstate);

/* tables.c */
struct _ipfw_obj_ctlv;
struct _ipfw_obj_ntlv;
int table_check_name(const char *tablename);
void ipfw_list_ta(int ac, char *av[]);
void ipfw_list_values(int ac, char *av[]);
void table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
    uint8_t set, uint16_t uidx);