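/*-
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD$
 */

#ifndef IPFW2_H
#define IPFW2_H

/* Which front-end binary this invocation is running as (see g_co.prog). */
enum cmdline_prog {
	cmdline_prog_ipfw,
	cmdline_prog_dnctl
};

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 */
struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
	int	do_nat; 	/* this cmd refers to a nat config */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */
	int	debug_only;	/* output ioctl i/o on stdout */

	/* The options below can have multiple values. */

	int	do_dynamic;	/* 1 - display dynamic rules */
				/* 2 - display/delete only dynamic rules */
	int	do_sort;	/* field to sort results (0 = no) */
				/* valid fields are 1 and above */

	uint32_t use_set;	/* work with specified set number */
				/* 0 means all sets, otherwise apply to set use_set - 1 */

	enum cmdline_prog prog;	/* Are we ipfw or dnctl? */
};

/*
 * Non-zero when the program is running as ipfw rather than dnctl.
 * NOTE(review): presumably derived from g_co.prog — confirm in ipfw2.c.
 */
int is_ipfw(void);

/*
 * Time stamp display modes.
 * NOTE(review): looks like the values stored in cmdline_opts.do_time —
 * confirm against the callers.
 */
enum {
	TIMESTAMP_NONE = 0,
	TIMESTAMP_STRING,
	TIMESTAMP_NUMERIC,
};

/* Global command-line option state, shared by every translation unit. */
extern struct cmdline_opts g_co;

/*
 * _s_x is a structure that stores string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 * NOTE: the leading-underscore tag (like _substrcmp below) is a
 * reserved-identifier spelling kept for historical compatibility.
 */
struct _s_x {
	char const *s;
	int x;
};

/* Name table for IP DSCP code points; defined elsewhere (ipfw2.c, presumably). */
extern struct _s_x f_ipdscp[];

/*
 * Parser tokens.  These are the x values stored in the _s_x tables;
 * TOK_NULL (0) is the "no match / error entry" value described above.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ABORT6,
	TOK_ABORT,
	TOK_ACCEPT,
	TOK_COUNT,
	TOK_EACTION,
	TOK_PIPE,
	TOK_LINK,
	TOK_QUEUE,
	TOK_FLOWSET,
	TOK_SCHED,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,
	TOK_CALL,
	TOK_RETURN,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_SETLIMIT,
	TOK_KEEPSTATE,
	TOK_RECORDSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_DSCP,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPMSS,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_DSTMAC,
	TOK_SRCMAC,
	TOK_ALL,
	TOK_MASK,
	TOK_FLOW_MASK,
	TOK_SCHED_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_PROFILE,
	TOK_BURST,
	TOK_RED,
	TOK_GRED,
	TOK_ECN,
	TOK_DROPTAIL,
	TOK_PROTO,
#ifdef NEW_AQM
	/* AQM tokens */
	TOK_NO_ECN,
	TOK_CODEL,
	TOK_FQ_CODEL,
	TOK_TARGET,
	TOK_INTERVAL,
	TOK_FLOWS,
	TOK_QUANTUM,

	TOK_PIE,
	TOK_FQ_PIE,
	TOK_TUPDATE,
	TOK_MAX_BURST,
	TOK_MAX_ECNTH,
	TOK_ALPHA,
	TOK_BETA,
	TOK_CAPDROP,
	TOK_NO_CAPDROP,
	TOK_ONOFF,
	TOK_DRE,
	TOK_TS,
	TOK_DERAND,
	TOK_NO_DERAND,
#endif
	/* dummynet tokens */
	TOK_WEIGHT,
	TOK_LMAX,
	TOK_PRI,
	TOK_TYPE,
	TOK_SLOTSIZE,

	TOK_IP,
	TOK_IF,
	TOK_ALOG,
	TOK_DENY_INC,
	TOK_SAME_PORTS,
	TOK_UNREG_ONLY,
	TOK_UNREG_CGN,
	TOK_SKIP_GLOBAL,
	TOK_RESET_ADDR,
	TOK_ALIAS_REV,
	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
	TOK_LOOKUP,
	TOK_SOCKARG,
	TOK_SETDSCP,
	TOK_FLOW,
	TOK_IFLIST,
	/* Table tokens */
	TOK_CREATE,
	TOK_DESTROY,
	TOK_LIST,
	TOK_INFO,
	TOK_DETAIL,
	TOK_MODIFY,
	TOK_FLUSH,
	TOK_SWAP,
	TOK_ADD,
	TOK_DEL,
	TOK_VALTYPE,
	TOK_ALGO,
	TOK_TALIST,
	TOK_ATOMIC,
	TOK_LOCK,
	TOK_UNLOCK,
	TOK_VLIST,
	TOK_OLIST,
	TOK_MISSING,
	TOK_ORFLUSH,

	/* NAT64 tokens */
	TOK_NAT64STL,
	TOK_NAT64LSN,
	TOK_STATS,
	TOK_STATES,
	TOK_CONFIG,
	TOK_TABLE4,
	TOK_TABLE6,
	TOK_PREFIX4,
	TOK_PREFIX6,
	TOK_AGG_LEN,
	TOK_AGG_COUNT,
	TOK_MAX_PORTS,
	TOK_STATES_CHUNKS,
	TOK_JMAXLEN,
	TOK_PORT_RANGE,
	TOK_PORT_ALIAS,
	TOK_HOST_DEL_AGE,
	TOK_PG_DEL_AGE,
	TOK_TCP_SYN_AGE,
	TOK_TCP_CLOSE_AGE,
	TOK_TCP_EST_AGE,
	TOK_UDP_AGE,
	TOK_ICMP_AGE,
	TOK_LOGOFF,
	TOK_PRIVATE,
	TOK_PRIVATEOFF,

	/* NAT64 CLAT tokens */
	TOK_NAT64CLAT,
	TOK_PLAT_PREFIX,
	TOK_CLAT_PREFIX,

	/* NPTv6 tokens */
	TOK_NPTV6,
	TOK_INTPREFIX,
	TOK_EXTPREFIX,
	TOK_PREFIXLEN,
	TOK_EXTIF,

	TOK_TCPSETMSS,

	TOK_MARK,
	TOK_SETMARK,

	TOK_SKIPACTION,
};

/*
 * The following macros abort with a usage error if we run out of
 * arguments.  NEED() tests an arbitrary pointer/expression, NEED1()
 * tests the current argument *av and therefore requires a variable
 * named `av` (a NULL-terminated argument vector) in the caller's scope.
 *
 * `msg` is handed to errx() as its format string, so callers must pass
 * a string literal — never text derived from user input.
 * The macro argument is parenthesized so that expressions such as
 * `a && b` are negated as a whole, and the do/while(0) wrapper makes
 * each macro a single statement that is safe in if/else bodies.
 */
#define NEED(_p, msg)	do { if (!(_p)) errx(EX_USAGE, msg); } while (0)
#define NEED1(msg)	do { if (!(*av)) errx(EX_USAGE, msg); } while (0)

/*
 * Growable output buffer used by bprintf() and the print_* helpers
 * below.  Ownership of `buf` lies with bp_alloc()/bp_free().
 */
struct buf_pr {
	char	*buf;	/* allocated buffer */
	char	*ptr;	/* current pointer */
	size_t	size;	/* total buffer size */
	size_t	avail;	/* available storage */
	size_t	needed;	/* length needed */
};

/*
 * Compiler hint so that bprintf() callers get -Wformat checking of the
 * format string against its arguments; expands to nothing elsewhere.
 */
#if defined(__GNUC__) || defined(__clang__)
#define IPFW_PRINTFLIKE(fmtarg, firstvararg) \
	__attribute__((__format__(__printf__, fmtarg, firstvararg)))
#else
#define IPFW_PRINTFLIKE(fmtarg, firstvararg)
#endif

/*
 * Buffer printing support.  Return conventions are those of the
 * definitions in ipfw2.c (not visible here).
 */
int pr_u64(struct buf_pr *bp, void *pd, int width);
int bp_alloc(struct buf_pr *b, size_t size);
void bp_free(struct buf_pr *b);
int bprintf(struct buf_pr *b, const char *format, ...) IPFW_PRINTFLIKE(2, 3);


/*
 * memory allocation support
 * NOTE(review): the safe_ prefix suggests these exit on allocation
 * failure instead of returning NULL — confirm in ipfw2.c before
 * relying on a NULL check.
 */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/*
 * string comparison functions used for historical compatibility
 * (the leading-underscore names are reserved spellings in C; they are
 * kept because existing callers depend on them).
 */
int _substrcmp(const char *str1, const char* str2);
int _substrcmp2(const char *str1, const char* str2, const char* str3);
int stringnum_cmp(const char *a, const char *b);

/*
 * utility functions
 *
 * match_token()/match_token_relaxed()/get_token() look `string` up in a
 * NULL-terminated _s_x table and return its token value; get_token()
 * additionally takes `errbase`, presumably used to build the error
 * message on a failed lookup.  match_value() is the reverse mapping.
 * concat_tokens() writes the table's strings, separated by `delimiter`,
 * into buf[bufsize].  fill_flags() parses the flag list at `p` against
 * `flags` into the `set`/`clear` masks (`*e` receives the parse end,
 * presumably); print_flags_buffer() renders the bits of `set` named in
 * `list` into buf[sz].
 */
int match_token(struct _s_x *table, const char *string);
int match_token_relaxed(struct _s_x *table, const char *string);
int get_token(struct _s_x *table, const char *string, const char *errbase);
char const *match_value(struct _s_x *p, int value);
size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
    const char *delimiter);
int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
    uint32_t *clear);
void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);

/*
 * Kernel interface.  do_set3()/do_get3() carry an opaque IP_FW3 op
 * header; do_get3() updates *optlen with the size returned.
 * NOTE(review): exact socket-option semantics live in ipfw2.c — confirm.
 */
struct _ip_fw3_opheader;
int do_cmd(int optname, void *optval, uintptr_t optlen);
int do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
int do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);

/*
 * n2mask() builds an IPv6 mask with `n` leading one bits;
 * contigmask() examines `len` bits of `p` for a contiguous run of ones
 * (the value returned for a non-contiguous mask is defined in ipfw2.c).
 */
struct in6_addr;
void n2mask(struct in6_addr *mask, int n);
int contigmask(const uint8_t *p, int len);

/*
 * Forward declarations to avoid including far too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/*
 * first-level command handlers
 *
 * NOTE(review): argument conventions vary — some handlers take an
 * (ac, av) pair, others only av.  The av-only handlers rely on a
 * NULL-terminated vector (cf. NEED1 above); confirm before passing a
 * vector built by hand.
 */
void ipfw_add(char *av[]);
void ipfw_show_nat(int ac, char **av);
int ipfw_delete_nat(int i);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(char *av[], int which);
void ipfw_delete(char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);
void ipfw_internal_handler(int ac, char *av[]);
void ipfw_nat64clat_handler(int ac, char *av[]);
void ipfw_nat64lsn_handler(int ac, char *av[]);
void ipfw_nat64stl_handler(int ac, char *av[]);
void ipfw_nptv6_handler(int ac, char *av[]);
/* Validate an object/table name supplied on the command line. */
int ipfw_check_object_name(const char *name);
/* Validate a NAT64 prefix of the given length. */
int ipfw_check_nat64prefix(const struct in6_addr *prefix, int length);

#ifdef PF
/* altq.c */
void altq_set_enabled(int enabled);
/* NOTE(review): u_int32_t is the BSD spelling; the rest of this header uses uint32_t. */
u_int32_t altq_name_to_qid(const char *name);
void print_altq_cmd(struct buf_pr *bp, const struct _ipfw_insn_altq *altqptr);
#else
#define NO_ALTQ
#endif

/* dummynet.c */
void dummynet_list(int ac, char *av[], int show_counters);
void dummynet_flush(void);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(struct buf_pr *bp, uint16_t code);
void print_ip6(struct buf_pr *bp, const struct _ipfw_insn_ip6 *cmd);
void print_flow6id(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct buf_pr *bp, const struct _ipfw_insn *cmd);

/*
 * Instruction builders.  `cblen` is presumably the remaining space in
 * the instruction buffer and `tstate` the table-index state used to
 * resolve table references — confirm in ipfw2.c/ipv6.c.
 */
struct tidx;
struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
uint16_t get_unreach6_code(const char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);

/* ipfw2.c */
void bp_flush(struct buf_pr *b);
void fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
    struct tidx *tstate);

/* tables.c */
struct _ipfw_obj_ctlv;
struct _ipfw_obj_ntlv;
int table_check_name(const char *tablename);
void ipfw_list_ta(int ac, char *av[]);
void ipfw_list_values(int ac, char *av[]);
void table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
    uint8_t set, uint16_t uidx);

#endif /* IPFW2_H */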