2 * Copyright (C) 1993-1998 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 #if !defined(__SVR4) && !defined(__svr4__)
12 #include <sys/byteorder.h>
14 #include <sys/param.h>
16 #include <sys/socket.h>
17 #include <netinet/in.h>
18 #include <netinet/in_systm.h>
19 #include <netinet/ip.h>
20 #include <netinet/tcp.h>
22 #if __FreeBSD_version >= 300000
23 # include <net/if_var.h>
32 #include <arpa/nameser.h>
33 #include <arpa/inet.h>
37 #include "ip_compat.h"
43 static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
44 static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.1 1999/09/11 05:32:10 darrenr Exp $";
47 extern struct ipopt_names ionames[], secclass[];
50 int portnum __P((char *, u_short *, int));
51 u_char tcp_flags __P((char *, u_char *, int));
52 int addicmp __P((char ***, struct frentry *, int));
53 int extras __P((char ***, struct frentry *, int));
59 int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, u_char *,
61 int ports __P((char ***, u_short *, u_char *, u_short *, int));
62 int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
63 int to_interface __P((frdest_t *, char *, int));
64 void print_toif __P((char *, frdest_t *));
65 void optprint __P((u_short *, u_long, u_long));
66 int countbits __P((u_32_t));
67 char *portname __P((int, int));
68 int ratoi __P((char *, int *, int, int));
72 char flagset[] = "FSRPAU";
73 u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG };
75 static char thishost[MAXHOSTNAMELEN];
80 gethostname(thishost, sizeof(thishost));
81 thishost[sizeof(thishost) - 1] = '\0';
87 * parse a line read from the input filter rule file
89 struct frentry *parse(line, linenum)
93 static struct frentry fil;
94 struct protoent *p = NULL;
95 char *cps[31], **cpp, *endptr;
99 while (*line && isspace(*line))
104 bzero((char *)&fil, sizeof(fil));
105 fil.fr_mip.fi_v = 0xf;
107 fil.fr_loglevel = 0xffff;
110 * break line up into max of 20 segments
112 if (opts & OPT_DEBUG)
113 fprintf(stderr, "parse [%s]\n", line);
114 for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
115 cps[++i] = strtok(NULL, " \b\t\r\n");
119 fprintf(stderr, "%d: not enough segments in line\n", linenum);
125 fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
128 if (!strcasecmp("block", *cpp)) {
129 fil.fr_flags |= FR_BLOCK;
130 if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19))
131 fil.fr_flags |= FR_FAKEICMP;
132 else if (!strncasecmp(*(cpp+1), "return-icmp", 11))
133 fil.fr_flags |= FR_RETICMP;
134 if (fil.fr_flags & FR_RETICMP) {
136 if (*(*cpp + 11) == '(') {
137 i = icmpcode(*cpp + 12);
140 "%d: unrecognised icmp code %s\n",
146 } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
147 fil.fr_flags |= FR_RETRST;
150 } else if (!strcasecmp("count", *cpp)) {
151 fil.fr_flags |= FR_ACCOUNT;
152 } else if (!strcasecmp("pass", *cpp)) {
153 fil.fr_flags |= FR_PASS;
154 } else if (!strcasecmp("auth", *cpp)) {
155 fil.fr_flags |= FR_AUTH;
156 } else if (!strcasecmp("preauth", *cpp)) {
157 fil.fr_flags |= FR_PREAUTH;
158 } else if (!strcasecmp("skip", *cpp)) {
160 if (ratoi(*cpp, &i, 0, USHRT_MAX))
163 fprintf(stderr, "%d: integer must follow skip\n",
167 } else if (!strcasecmp("log", *cpp)) {
168 fil.fr_flags |= FR_LOG;
169 if (!strcasecmp(*(cpp+1), "body")) {
170 fil.fr_flags |= FR_LOGBODY;
173 if (!strcasecmp(*(cpp+1), "first")) {
174 fil.fr_flags |= FR_LOGFIRST;
176 if (!strcasecmp(*(cpp+1), "level")) {
183 s = index(*cpp, '.');
186 fac = fac_findname(*cpp);
188 fprintf(stderr, "%d: %s %s\n", linenum,
189 "Unknown facility", *cpp);
192 pri = pri_findname(s);
194 fprintf(stderr, "%d: %s %s\n", linenum,
195 "Unknown priority", s);
199 pri = pri_findname(*cpp);
201 fprintf(stderr, "%d: %s %s\n", linenum,
202 "Unknown priority", *cpp);
206 fil.fr_loglevel = fac|pri;
211 * Doesn't start with one of the action words
213 fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
218 if (!strcasecmp("in", *cpp))
219 fil.fr_flags |= FR_INQUE;
220 else if (!strcasecmp("out", *cpp)) {
221 fil.fr_flags |= FR_OUTQUE;
222 if (fil.fr_flags & FR_RETICMP) {
224 "%d: Can only use return-icmp with 'in'\n",
227 } else if (fil.fr_flags & FR_RETRST) {
229 "%d: Can only use return-rst with 'in'\n",
234 fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n",
241 if (!strcasecmp("log", *cpp)) {
243 if (fil.fr_flags & FR_PASS)
244 fil.fr_flags |= FR_LOGP;
245 else if (fil.fr_flags & FR_BLOCK)
246 fil.fr_flags |= FR_LOGB;
247 if (!strcasecmp(*cpp, "body")) {
248 fil.fr_flags |= FR_LOGBODY;
251 if (!strcasecmp(*cpp, "first")) {
252 fil.fr_flags |= FR_LOGFIRST;
255 if (!strcasecmp(*cpp, "or-block")) {
256 if (!(fil.fr_flags & FR_PASS)) {
258 "%d: or-block must be used with pass\n",
262 fil.fr_flags |= FR_LOGORBLOCK;
267 if (!strcasecmp("quick", *cpp)) {
269 fil.fr_flags |= FR_QUICK;
272 *fil.fr_ifname = '\0';
273 if (*cpp && !strcasecmp(*cpp, "on")) {
275 fprintf(stderr, "%d: interface name missing\n",
279 (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
280 fil.fr_ifname[IFNAMSIZ-1] = '\0';
283 if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
285 "%d: %s can only be used with TCP\n",
286 linenum, "return-rst");
293 if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
295 if (to_interface(&fil.fr_dif, *cpp, linenum))
299 if (!strcasecmp(*cpp, "to") && *(cpp + 1)) {
301 if (to_interface(&fil.fr_tif, *cpp, linenum))
304 } else if (!strcasecmp(*cpp, "fastroute")) {
305 if (!(fil.fr_flags & FR_INQUE)) {
307 "can only use %s with 'in'\n",
311 fil.fr_flags |= FR_FASTROUTE;
316 if (*cpp && !strcasecmp(*cpp, "tos")) {
318 fprintf(stderr, "%d: tos missing value\n", linenum);
321 fil.fr_tos = strtol(*cpp, NULL, 0);
322 fil.fr_mip.fi_tos = 0xff;
326 if (*cpp && !strcasecmp(*cpp, "ttl")) {
328 fprintf(stderr, "%d: ttl missing hopcount value\n",
332 if (ratoi(*cpp, &i, 0, 255))
335 fprintf(stderr, "%d: invalid ttl (%s)\n",
339 fil.fr_mip.fi_ttl = 0xff;
344 * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
347 if (*cpp && !strcasecmp(*cpp, "proto")) {
349 fprintf(stderr, "%d: protocol name missing\n", linenum);
353 if (!strcasecmp(proto, "tcp/udp")) {
354 fil.fr_ip.fi_fl |= FI_TCPUDP;
355 fil.fr_mip.fi_fl |= FI_TCPUDP;
357 if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
359 "%d: unknown protocol (%s)\n",
364 fil.fr_proto = p->p_proto;
365 else if (isdigit(*proto)) {
366 i = (int)strtol(proto, &endptr, 0);
367 if (*endptr != '\0' || i < 0 || i > 255) {
369 "%d: unknown protocol (%s)\n",
375 fil.fr_mip.fi_p = 0xff;
378 if ((fil.fr_proto != IPPROTO_TCP) &&
379 ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
380 fprintf(stderr, "%d: %s can only be used with TCP\n",
381 linenum, "return-rst");
386 * get the from host and bit mask to use against packets
390 fprintf(stderr, "%d: missing source specification\n", linenum);
393 if (!strcasecmp(*cpp, "all")) {
398 if (strcasecmp(*cpp, "from")) {
399 fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
404 fprintf(stderr, "%d: missing host after from\n",
410 fil.fr_flags |= FR_NOTSRCIP;
413 if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
414 (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
415 &fil.fr_stop, linenum)) {
420 fprintf(stderr, "%d: missing to fields\n", linenum);
425 * do the same for the to field (destination host)
427 if (strcasecmp(*cpp, "to")) {
428 fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
433 fprintf(stderr, "%d: missing host after to\n", linenum);
438 fil.fr_flags |= FR_NOTDSTIP;
441 if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
442 (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
443 &fil.fr_dtop, linenum)) {
450 * check some sanity, make sure we don't have icmp checks with tcp
451 * or udp or visa versa.
453 if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
454 fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
455 fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
458 if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
459 fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
467 if (*cpp && !strcasecmp(*cpp, "flags")) {
469 fprintf(stderr, "%d: no flags present\n", linenum);
472 fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
479 if (*cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and")))
480 if (extras(&cpp, &fil, linenum))
484 * icmp types for use with the icmp protocol
486 if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
487 if (fil.fr_proto != IPPROTO_ICMP) {
489 "%d: icmp with wrong protocol (%d)\n",
490 linenum, fil.fr_proto);
493 if (addicmp(&cpp, &fil, linenum))
495 fil.fr_icmp = htons(fil.fr_icmp);
496 fil.fr_icmpm = htons(fil.fr_icmpm);
502 while (*cpp && !strcasecmp(*cpp, "keep"))
503 if (addkeep(&cpp, &fil, linenum))
507 * head of a new group ?
509 if (*cpp && !strcasecmp(*cpp, "head")) {
511 fprintf(stderr, "%d: head without group #\n", linenum);
514 if (ratoi(*cpp, &i, 0, USHRT_MAX))
517 fprintf(stderr, "%d: invalid group (%s)\n",
525 * head of a new group ?
527 if (*cpp && !strcasecmp(*cpp, "group")) {
529 fprintf(stderr, "%d: group without group #\n",
533 if (ratoi(*cpp, &i, 0, USHRT_MAX))
536 fprintf(stderr, "%d: invalid group (%s)\n",
547 fprintf(stderr, "%d: unknown words at end: [", linenum);
549 fprintf(stderr, "%s ", *cpp);
550 fprintf(stderr, "]\n");
557 if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
558 fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
561 if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
562 (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
564 fil.fr_ip.fi_fl |= FI_TCPUDP;
565 fil.fr_mip.fi_fl |= FI_TCPUDP;
568 "%d: port comparisons for non-TCP/UDP\n",
574 if ((fil.fr_flags & FR_KEEPFRAG) &&
575 (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
577 "%d: must use 'with frags' with 'keep frags'\n",
586 int to_interface(fdp, to, linenum)
598 fdp->fd_ip.s_addr = hostnum(s, &r, linenum);
602 (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
603 fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
608 void print_toif(tag, fdp)
612 printf("%s %s%s", tag, fdp->fd_ifname,
613 (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
614 if (fdp->fd_ip.s_addr)
615 printf(":%s", inet_ntoa(fdp->fd_ip));
621 * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
622 * found in the line segments, there is an error processing this information,
623 * or there is an error processing ports information.
625 int hostmask(seg, sa, msk, pp, cp, tp, linenum)
633 int bits = -1, resolved;
634 struct in_addr maskaddr;
637 * is it possibly hostname/num ?
639 if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) {
641 if (index(s, '.') || index(s, 'x')) {
642 /* possibly of the form xxx.xxx.xxx.xxx
644 if (inet_aton(s, &maskaddr) == 0) {
645 fprintf(stderr, "%d: bad mask (%s)\n",
649 *msk = maskaddr.s_addr;
652 * set x most significant bits
654 bits = (int)strtol(s, &endptr, 0);
655 if (*endptr != '\0' || bits > 32 || bits < 0) {
656 fprintf(stderr, "%d: bad mask (/%s)\n",
663 *msk = htonl(0xffffffff << (32 - bits));
665 *sa = hostnum(**seg, &resolved, linenum) & *msk;
666 if (resolved == -1) {
667 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
671 return ports(seg, pp, cp, tp, linenum);
675 * look for extra segments if "mask" found in right spot
677 if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
678 *sa = hostnum(**seg, &resolved, linenum);
679 if (resolved == -1) {
680 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
685 if (inet_aton(**seg, &maskaddr) == 0) {
686 fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
689 *msk = maskaddr.s_addr;
692 return ports(seg, pp, cp, tp, linenum);
696 *sa = hostnum(**seg, &resolved, linenum);
697 if (resolved == -1) {
698 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
702 *msk = (*sa ? inet_addr("255.255.255.255") : 0L);
704 return ports(seg, pp, cp, tp, linenum);
706 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
711 * returns an ip address as a long var as a result of either a DNS lookup or
712 * straight inet_addr() call
714 u_32_t hostnum(host, resolved, linenum)
724 if (!strcasecmp("any", host))
726 if (isdigit(*host) && inet_aton(host, &ip))
729 if (!strcasecmp("<thishost>", host))
732 if (!(hp = gethostbyname(host))) {
733 if (!(np = getnetbyname(host))) {
735 fprintf(stderr, "%d: can't resolve hostname: %s\n",
739 return htonl(np->n_net);
741 return *(u_32_t *)hp->h_addr;
745 * check for possible presence of the port fields in the line
747 int ports(seg, pp, cp, tp, linenum)
755 if (!*seg || !**seg || !***seg)
757 if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
759 if (isdigit(***seg) && *(*seg + 2)) {
760 if (portnum(**seg, pp, linenum) == 0)
763 if (!strcmp(**seg, "<>"))
765 else if (!strcmp(**seg, "><"))
769 "%d: unknown range operator (%s)\n",
775 fprintf(stderr, "%d: missing 2nd port value\n",
779 if (portnum(**seg, tp, linenum) == 0)
781 } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
783 else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
785 else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
787 else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
789 else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
791 else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
794 fprintf(stderr, "%d: unknown comparator (%s)\n",
798 if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
800 if (portnum(**seg, pp, linenum) == 0)
810 * find the port number given by the name, either from getservbyname() or
811 * straight atoi(). Return 1 on success, 0 on failure
813 int portnum(name, port, linenum)
818 struct servent *sp, *sp2;
821 if (isdigit(*name)) {
822 if (ratoi(name, &i, 0, USHRT_MAX)) {
826 fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
829 if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
830 sp = getservbyname(name, proto);
832 *port = ntohs(sp->s_port);
835 fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
838 sp = getservbyname(name, "tcp");
841 sp2 = getservbyname(name, "udp");
843 fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
847 if (p1 != sp2->s_port) {
848 fprintf(stderr, "%d: %s %d/tcp is a different port to ",
850 fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
858 u_char tcp_flags(flgs, mask, linenum)
863 u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
866 for (s = flgs; *s; s++) {
867 if (*s == '/' && fp == &tcpf) {
871 if (!(t = index(flagset, *s))) {
872 fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
875 *fp |= flags[t - flagset];
885 * deal with extra bits on end of the line
887 int extras(cp, fr, linenum)
904 while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
905 !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) ||
906 !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) ||
907 !strncasecmp(**cp, "short", 5))) {
908 if (***cp == 'n' || ***cp == 'N') {
912 } else if (***cp == 'i' || ***cp == 'I') {
914 fr->fr_ip.fi_fl |= FI_OPTIONS;
915 fr->fr_mip.fi_fl |= FI_OPTIONS;
917 } else if (***cp == 'f' || ***cp == 'F') {
919 fr->fr_ip.fi_fl |= FI_FRAG;
920 fr->fr_mip.fi_fl |= FI_FRAG;
922 } else if (***cp == 'o' || ***cp == 'O') {
925 "%d: opt missing arguements\n",
930 if (!(opts = optname(cp, &secmsk, linenum)))
933 } else if (***cp == 's' || ***cp == 'S') {
936 "%d: short cannot be used with TCP flags\n",
942 fr->fr_ip.fi_fl |= FI_SHORT;
943 fr->fr_mip.fi_fl |= FI_SHORT;
948 if (!notopt || !opts)
949 fr->fr_mip.fi_fl |= oflags;
952 fr->fr_mip.fi_optmsk |= opts;
954 fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
957 fr->fr_mip.fi_optmsk |= opts;
959 fr->fr_mip.fi_secmsk |= secmsk;
962 fr->fr_ip.fi_fl &= (~oflags & 0xf);
963 fr->fr_ip.fi_optmsk &= ~opts;
964 fr->fr_ip.fi_secmsk &= ~secmsk;
966 fr->fr_ip.fi_fl |= oflags;
967 fr->fr_ip.fi_optmsk |= opts;
968 fr->fr_ip.fi_secmsk |= secmsk;
981 u_32_t optname(cp, sp, linenum)
986 struct ipopt_names *io, *so;
992 for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
993 for (io = ionames; io->on_name; io++)
994 if (!strcasecmp(s, io->on_name)) {
999 fprintf(stderr, "%d: unknown IP option name %s\n",
1003 if (!strcasecmp(s, "sec-class"))
1007 if (sec && !*(*cp + 1)) {
1008 fprintf(stderr, "%d: missing security level after sec-class\n",
1015 for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
1016 for (so = secclass; so->on_name; so++)
1017 if (!strcasecmp(s, so->on_name)) {
1023 "%d: no such security level: %s\n",
1036 void optprint(u_short *sec, u_long optmsk, u_long optbits)
1038 void optprint(sec, optmsk, optbits)
1040 u_long optmsk, optbits;
1043 u_short secmsk = sec[0], secbits = sec[1];
1044 struct ipopt_names *io, *so;
1049 for (io = ionames; io->on_name; io++)
1050 if ((io->on_bit & optmsk) &&
1051 ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
1052 if ((io->on_value != IPOPT_SECURITY) ||
1053 (!secmsk && !secbits)) {
1054 printf("%s%s", s, io->on_name);
1055 if (io->on_value == IPOPT_SECURITY)
1063 if (secmsk & secbits) {
1064 printf("%ssec-class", s);
1066 for (so = secclass; so->on_name; so++)
1067 if ((secmsk & so->on_bit) &&
1068 ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
1069 printf("%s%s", s, so->on_name);
1074 if ((optmsk && (optmsk != optbits)) ||
1075 (secmsk && (secmsk != secbits))) {
1078 if (optmsk != optbits) {
1079 for (io = ionames; io->on_name; io++)
1080 if ((io->on_bit & optmsk) &&
1081 ((io->on_bit & optmsk) !=
1082 (io->on_bit & optbits))) {
1083 if ((io->on_value != IPOPT_SECURITY) ||
1084 (!secmsk && !secbits)) {
1085 printf("%s%s", s, io->on_name);
1095 if (secmsk != secbits) {
1096 printf("%ssec-class", s);
1098 for (so = secclass; so->on_name; so++)
1099 if ((so->on_bit & secmsk) &&
1100 ((so->on_bit & secmsk) !=
1101 (so->on_bit & secbits))) {
1102 printf("%s%s", s, so->on_name);
1109 char *icmptypes[] = {
1110 "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
1111 "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
1112 "routersol", "timex", "paramprob", "timest", "timestrep",
1113 "inforeq", "inforep", "maskreq", "maskrep", "END"
1117 * set the icmp field to the correct type if "icmp" word is found
1119 int addicmp(cp, fp, linenum)
1130 if (!fp->fr_proto) /* to catch lusers */
1131 fp->fr_proto = IPPROTO_ICMP;
1132 if (isdigit(***cp)) {
1133 if (!ratoi(**cp, &i, 0, 255)) {
1135 "%d: Invalid icmp-type (%s) specified\n",
1140 for (t = icmptypes, i = 0; ; t++, i++) {
1143 if (!strcasecmp("END", *t)) {
1147 if (!strcasecmp(*t, **cp))
1152 "%d: Invalid icmp-type (%s) specified\n",
1157 fp->fr_icmp = (u_short)(i << 8);
1158 fp->fr_icmpm = (u_short)0xff00;
1163 if (**cp && strcasecmp("code", **cp))
1166 if (isdigit(***cp)) {
1167 if (!ratoi(**cp, &i, 0, 255)) {
1169 "%d: Invalid icmp code (%s) specified\n",
1173 fp->fr_icmp |= (u_short)i;
1174 fp->fr_icmpm = (u_short)0xffff;
1178 fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
1184 #define MAX_ICMPCODE 12
1186 char *icmpcodes[] = {
1187 "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
1188 "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
1189 "net-tos", "host-tos", NULL };
1191 * Return the number for the associated ICMP unreachable code.
1199 if (!(s = strrchr(str, ')')))
1202 if (isdigit(*str)) {
1203 if (!ratoi(str, &i, 0, 255))
1209 for (i = 0; icmpcodes[i]; i++)
1210 if (!strncasecmp(str, icmpcodes[i], MIN(len,
1211 strlen(icmpcodes[i])) ))
1218 * set the icmp field to the correct type if "icmp" word is found
1220 int addkeep(cp, fp, linenum)
1225 if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
1226 fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
1227 fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
1233 if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
1234 fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
1239 if (***cp == 's' || ***cp == 'S')
1240 fp->fr_flags |= FR_KEEPSTATE;
1241 else if (***cp == 'f' || ***cp == 'F')
1242 fp->fr_flags |= FR_KEEPFRAG;
1249 * count consecutive 1's in bit mask. If the mask generated by counting
1250 * consecutive 1's is different to that passed, return -1, else return #
1259 ip = ipn = ntohl(ip);
1260 for (i = 32; i; i--, ipn *= 2)
1261 if (ipn & 0x80000000)
1266 for (i = 32, j = cnt; i; i--, j--) {
1277 char *portname(pr, port)
1280 static char buf[32];
1281 struct protoent *p = NULL;
1282 struct servent *sv = NULL, *sv1 = NULL;
1285 if ((sv = getservbyport(htons(port), "tcp"))) {
1286 strncpy(buf, sv->s_name, sizeof(buf)-1);
1287 buf[sizeof(buf)-1] = '\0';
1288 sv1 = getservbyport(htons(port), "udp");
1289 sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
1294 } else if (pr && (p = getprotobynumber(pr))) {
1295 if ((sv = getservbyport(htons(port), p->p_name))) {
1296 strncpy(buf, sv->s_name, sizeof(buf)-1);
1297 buf[sizeof(buf)-1] = '\0';
1302 (void) sprintf(buf, "%d", port);
1308 * print the filter structure in a useful way
1313 static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
1321 if (fp->fr_flags & FR_PASS)
1323 else if (fp->fr_flags & FR_BLOCK) {
1325 if (fp->fr_flags & FR_RETICMP) {
1326 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
1327 printf(" return-icmp-as-dest");
1328 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
1329 printf(" return-icmp");
1331 if (fp->fr_icode <= MAX_ICMPCODE)
1333 icmpcodes[(int)fp->fr_icode]);
1335 printf("(%d)", fp->fr_icode);
1337 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
1338 printf(" return-rst");
1339 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
1341 if (fp->fr_flags & FR_LOGBODY)
1343 if (fp->fr_flags & FR_LOGFIRST)
1345 } else if (fp->fr_flags & FR_ACCOUNT)
1347 else if (fp->fr_flags & FR_AUTH)
1349 else if (fp->fr_flags & FR_PREAUTH)
1351 else if (fp->fr_skip)
1352 printf("skip %hu", fp->fr_skip);
1354 if (fp->fr_flags & FR_OUTQUE)
1359 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
1360 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
1362 if (fp->fr_flags & FR_LOGBODY)
1364 if (fp->fr_flags & FR_LOGFIRST)
1366 if (fp->fr_flags & FR_LOGORBLOCK)
1367 printf("or-block ");
1368 if (fp->fr_loglevel != 0xffff) {
1369 if (fp->fr_loglevel & LOG_FACMASK) {
1370 s = fac_toname(fp->fr_loglevel);
1375 u = pri_toname(fp->fr_loglevel);
1379 printf("%s.%s ", s, u);
1385 if (fp->fr_flags & FR_QUICK)
1388 if (*fp->fr_ifname) {
1389 printf("on %s%s ", fp->fr_ifname,
1390 (fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
1391 if (*fp->fr_dif.fd_ifname)
1392 print_toif("dup-to", &fp->fr_dif);
1393 if (*fp->fr_tif.fd_ifname)
1394 print_toif("to", &fp->fr_tif);
1395 if (fp->fr_flags & FR_FASTROUTE)
1396 printf("fastroute ");
1399 if (fp->fr_mip.fi_tos)
1400 printf("tos %#x ", fp->fr_tos);
1401 if (fp->fr_mip.fi_ttl)
1402 printf("ttl %d ", fp->fr_ttl);
1403 if (fp->fr_ip.fi_fl & FI_TCPUDP) {
1404 printf("proto tcp/udp ");
1406 } else if ((pr = fp->fr_mip.fi_p)) {
1407 if ((p = getprotobynumber(fp->fr_proto)))
1408 printf("proto %s ", p->p_name);
1410 printf("proto %d ", fp->fr_proto);
1413 printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
1414 if (!fp->fr_src.s_addr && !fp->fr_smsk.s_addr)
1417 printf("%s", inet_ntoa(fp->fr_src));
1418 if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
1419 printf("/%s ", inet_ntoa(fp->fr_smsk));
1421 printf("/%d ", ones);
1424 if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE)
1425 printf("port %d %s %d ", fp->fr_sport,
1426 pcmp1[fp->fr_scmp], fp->fr_stop);
1428 printf("port %s %s ", pcmp1[fp->fr_scmp],
1429 portname(pr, fp->fr_sport));
1432 printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
1433 if (!fp->fr_dst.s_addr && !fp->fr_dmsk.s_addr)
1436 printf("%s", inet_ntoa(fp->fr_dst));
1437 if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
1438 printf("/%s", inet_ntoa(fp->fr_dmsk));
1440 printf("/%d", ones);
1443 if (fp->fr_dcmp == FR_INRANGE || fp->fr_dcmp == FR_OUTRANGE)
1444 printf(" port %d %s %d", fp->fr_dport,
1445 pcmp1[fp->fr_dcmp], fp->fr_dtop);
1447 printf(" port %s %s", pcmp1[fp->fr_dcmp],
1448 portname(pr, fp->fr_dport));
1450 if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
1451 (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
1452 fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
1453 fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
1455 if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
1456 fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
1457 sec[0] = fp->fr_mip.fi_secmsk;
1458 sec[1] = fp->fr_ip.fi_secmsk;
1460 fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
1461 } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
1462 if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
1466 if (fp->fr_mip.fi_fl & FI_SHORT) {
1467 if (!(fp->fr_ip.fi_fl & FI_SHORT))
1471 if (fp->fr_mip.fi_fl & FI_FRAG) {
1472 if (!(fp->fr_ip.fi_fl & FI_FRAG))
1477 if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
1478 int type = fp->fr_icmp, code;
1480 type = ntohs(fp->fr_icmp);
1483 if (type < (sizeof(icmptypes) / sizeof(char *)) &&
1485 printf(" icmp-type %s", icmptypes[type]);
1487 printf(" icmp-type %d", type);
1489 printf(" code %d", code);
1491 if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
1493 for (s = flagset, t = flags; *s; s++, t++)
1494 if (fp->fr_tcpf & *t)
1498 for (s = flagset, t = flags; *s; s++, t++)
1499 if (fp->fr_tcpfm & *t)
1504 if (fp->fr_flags & FR_KEEPSTATE)
1505 printf(" keep state");
1506 if (fp->fr_flags & FR_KEEPFRAG)
1507 printf(" keep frags");
1509 printf(" head %d", fp->fr_grhead);
1511 printf(" group %d", fp->fr_group);
1512 (void)putchar('\n');
1518 int i = sizeof(*fp), j = 0;
1521 for (s = (u_char *)fp; i; i--, s++) {
1523 printf("%02x ", *s);
1530 (void)fflush(stdout);
1534 int ratoi(ps, pi, min, max)
1541 i = (int)strtol(ps, &pe, 0);
1542 if (*pe != '\0' || i < min || i > max)