2 * Copyright (C) 1993-1998 by Darren Reed.
4 * Redistribution and use in source and binary forms are permitted
5 * provided that this notice is preserved and due credit is given
6 * to the original author and the contributors.
9 #if !defined(__SVR4) && !defined(__svr4__)
12 #include <sys/byteorder.h>
14 #include <sys/param.h>
16 #include <sys/socket.h>
17 #include <netinet/in.h>
18 #include <netinet/in_systm.h>
19 #include <netinet/ip.h>
20 #include <netinet/tcp.h>
22 #if __FreeBSD_version >= 300000
23 # include <net/if_var.h>
32 #include <arpa/nameser.h>
33 #include <arpa/inet.h>
37 #include "ip_compat.h"
43 static const char sccsid[] = "@(#)parse.c 1.44 6/5/96 (C) 1993-1996 Darren Reed";
44 static const char rcsid[] = "@(#)$Id: parse.c,v 2.1.2.5 1999/12/28 06:06:58 darrenr Exp $";
47 extern struct ipopt_names ionames[], secclass[];
50 int portnum __P((char *, u_short *, int));
51 u_char tcp_flags __P((char *, u_char *, int));
52 int addicmp __P((char ***, struct frentry *, int));
53 int extras __P((char ***, struct frentry *, int));
59 int hostmask __P((char ***, u_32_t *, u_32_t *, u_short *, u_char *,
61 int ports __P((char ***, u_short *, u_char *, u_short *, int));
62 int icmpcode __P((char *)), addkeep __P((char ***, struct frentry *, int));
63 int to_interface __P((frdest_t *, char *, int));
64 void print_toif __P((char *, frdest_t *));
65 void optprint __P((u_short *, u_long, u_long));
66 int countbits __P((u_32_t));
67 char *portname __P((int, int));
68 int ratoi __P((char *, int *, int, int));
72 char flagset[] = "FSRPAU";
73 u_char flags[] = { TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG };
75 static char thishost[MAXHOSTNAMELEN];
80 gethostname(thishost, sizeof(thishost));
81 thishost[sizeof(thishost) - 1] = '\0';
87 * parse a line read from the input filter rule file
89 struct frentry *parse(line, linenum)
93 static struct frentry fil;
94 struct protoent *p = NULL;
95 char *cps[31], **cpp, *endptr;
99 while (*line && isspace(*line))
104 bzero((char *)&fil, sizeof(fil));
105 fil.fr_mip.fi_v = 0xf;
107 fil.fr_loglevel = 0xffff;
110 * break line up into max of 20 segments
112 if (opts & OPT_DEBUG)
113 fprintf(stderr, "parse [%s]\n", line);
114 for (i = 0, *cps = strtok(line, " \b\t\r\n"); cps[i] && i < 30; cnt++)
115 cps[++i] = strtok(NULL, " \b\t\r\n");
119 fprintf(stderr, "%d: not enough segments in line\n", linenum);
125 fil.fr_hits = (U_QUAD_T)atoi(*cpp++ + 1) + 1;
128 if (!strcasecmp("block", *cpp)) {
129 fil.fr_flags |= FR_BLOCK;
130 if (!strncasecmp(*(cpp+1), "return-icmp-as-dest", 19))
131 fil.fr_flags |= FR_FAKEICMP;
132 else if (!strncasecmp(*(cpp+1), "return-icmp", 11))
133 fil.fr_flags |= FR_RETICMP;
134 if (fil.fr_flags & FR_RETICMP) {
137 if ((strlen(*cpp) > i) && (*(*cpp + i) != '('))
139 if (*(*cpp + i) == '(') {
141 j = icmpcode(*cpp + i);
144 "%d: unrecognised icmp code %s\n",
150 } else if (!strncasecmp(*(cpp+1), "return-rst", 10)) {
151 fil.fr_flags |= FR_RETRST;
154 } else if (!strcasecmp("count", *cpp)) {
155 fil.fr_flags |= FR_ACCOUNT;
156 } else if (!strcasecmp("pass", *cpp)) {
157 fil.fr_flags |= FR_PASS;
158 } else if (!strcasecmp("auth", *cpp)) {
159 fil.fr_flags |= FR_AUTH;
160 } else if (!strcasecmp("preauth", *cpp)) {
161 fil.fr_flags |= FR_PREAUTH;
162 } else if (!strcasecmp("skip", *cpp)) {
164 if (ratoi(*cpp, &i, 0, USHRT_MAX))
167 fprintf(stderr, "%d: integer must follow skip\n",
171 } else if (!strcasecmp("log", *cpp)) {
172 fil.fr_flags |= FR_LOG;
173 if (!strcasecmp(*(cpp+1), "body")) {
174 fil.fr_flags |= FR_LOGBODY;
177 if (!strcasecmp(*(cpp+1), "first")) {
178 fil.fr_flags |= FR_LOGFIRST;
180 if (!strcasecmp(*(cpp+1), "level")) {
187 s = index(*cpp, '.');
190 fac = fac_findname(*cpp);
192 fprintf(stderr, "%d: %s %s\n", linenum,
193 "Unknown facility", *cpp);
196 pri = pri_findname(s);
198 fprintf(stderr, "%d: %s %s\n", linenum,
199 "Unknown priority", s);
203 pri = pri_findname(*cpp);
205 fprintf(stderr, "%d: %s %s\n", linenum,
206 "Unknown priority", *cpp);
210 fil.fr_loglevel = fac|pri;
215 * Doesn't start with one of the action words
217 fprintf(stderr, "%d: unknown keyword (%s)\n", linenum, *cpp);
222 if (!strcasecmp("in", *cpp))
223 fil.fr_flags |= FR_INQUE;
224 else if (!strcasecmp("out", *cpp)) {
225 fil.fr_flags |= FR_OUTQUE;
226 if (fil.fr_flags & FR_RETICMP) {
228 "%d: Can only use return-icmp with 'in'\n",
231 } else if (fil.fr_flags & FR_RETRST) {
233 "%d: Can only use return-rst with 'in'\n",
238 fprintf(stderr, "%d: missing 'in'/'out' keyword (%s)\n",
245 if (!strcasecmp("log", *cpp)) {
247 fprintf(stderr, "%d: missing source specification\n",
251 if (fil.fr_flags & FR_PASS)
252 fil.fr_flags |= FR_LOGP;
253 else if (fil.fr_flags & FR_BLOCK)
254 fil.fr_flags |= FR_LOGB;
255 if (!strcasecmp(*cpp, "body")) {
256 fil.fr_flags |= FR_LOGBODY;
259 if (!strcasecmp(*cpp, "first")) {
260 fil.fr_flags |= FR_LOGFIRST;
263 if (!strcasecmp(*cpp, "or-block")) {
264 if (!(fil.fr_flags & FR_PASS)) {
266 "%d: or-block must be used with pass\n",
270 fil.fr_flags |= FR_LOGORBLOCK;
273 if (!strcasecmp(*cpp, "level")) {
280 s = index(*cpp, '.');
283 fac = fac_findname(*cpp);
285 fprintf(stderr, "%d: %s %s\n", linenum,
286 "Unknown facility", *cpp);
289 pri = pri_findname(s);
291 fprintf(stderr, "%d: %s %s\n", linenum,
292 "Unknown priority", s);
296 pri = pri_findname(*cpp);
298 fprintf(stderr, "%d: %s %s\n", linenum,
299 "Unknown priority", *cpp);
303 fil.fr_loglevel = fac|pri;
308 if (!strcasecmp("quick", *cpp)) {
310 fil.fr_flags |= FR_QUICK;
313 *fil.fr_ifname = '\0';
314 if (*cpp && !strcasecmp(*cpp, "on")) {
316 fprintf(stderr, "%d: interface name missing\n",
320 (void)strncpy(fil.fr_ifname, *cpp, IFNAMSIZ-1);
321 fil.fr_ifname[IFNAMSIZ-1] = '\0';
324 if ((fil.fr_flags & FR_RETMASK) == FR_RETRST) {
326 "%d: %s can only be used with TCP\n",
327 linenum, "return-rst");
334 if (!strcasecmp(*cpp, "dup-to") && *(cpp + 1)) {
336 if (to_interface(&fil.fr_dif, *cpp, linenum))
340 if (!strcasecmp(*cpp, "to") && *(cpp + 1)) {
342 if (to_interface(&fil.fr_tif, *cpp, linenum))
345 } else if (!strcasecmp(*cpp, "fastroute")) {
346 if (!(fil.fr_flags & FR_INQUE)) {
348 "can only use %s with 'in'\n",
352 fil.fr_flags |= FR_FASTROUTE;
357 if (*cpp && !strcasecmp(*cpp, "tos")) {
359 fprintf(stderr, "%d: tos missing value\n", linenum);
362 fil.fr_tos = strtol(*cpp, NULL, 0);
363 fil.fr_mip.fi_tos = 0xff;
367 if (*cpp && !strcasecmp(*cpp, "ttl")) {
369 fprintf(stderr, "%d: ttl missing hopcount value\n",
373 if (ratoi(*cpp, &i, 0, 255))
376 fprintf(stderr, "%d: invalid ttl (%s)\n",
380 fil.fr_mip.fi_ttl = 0xff;
385 * check for "proto <protoname>" only decode udp/tcp/icmp as protoname
388 if (*cpp && !strcasecmp(*cpp, "proto")) {
390 fprintf(stderr, "%d: protocol name missing\n", linenum);
394 if (!strcasecmp(proto, "tcp/udp")) {
395 fil.fr_ip.fi_fl |= FI_TCPUDP;
396 fil.fr_mip.fi_fl |= FI_TCPUDP;
398 if (!(p = getprotobyname(proto)) && !isdigit(*proto)) {
400 "%d: unknown protocol (%s)\n",
405 fil.fr_proto = p->p_proto;
406 else if (isdigit(*proto)) {
407 i = (int)strtol(proto, &endptr, 0);
408 if (*endptr != '\0' || i < 0 || i > 255) {
410 "%d: unknown protocol (%s)\n",
416 fil.fr_mip.fi_p = 0xff;
419 if ((fil.fr_proto != IPPROTO_TCP) &&
420 ((fil.fr_flags & FR_RETMASK) == FR_RETRST)) {
421 fprintf(stderr, "%d: %s can only be used with TCP\n",
422 linenum, "return-rst");
427 * get the from host and bit mask to use against packets
431 fprintf(stderr, "%d: missing source specification\n", linenum);
434 if (!strcasecmp(*cpp, "all")) {
439 if (strcasecmp(*cpp, "from")) {
440 fprintf(stderr, "%d: unexpected keyword (%s) - from\n",
445 fprintf(stderr, "%d: missing host after from\n",
451 fil.fr_flags |= FR_NOTSRCIP;
454 if (hostmask(&cpp, (u_32_t *)&fil.fr_src,
455 (u_32_t *)&fil.fr_smsk, &fil.fr_sport, &ch,
456 &fil.fr_stop, linenum)) {
461 fprintf(stderr, "%d: missing to fields\n", linenum);
466 * do the same for the to field (destination host)
468 if (strcasecmp(*cpp, "to")) {
469 fprintf(stderr, "%d: unexpected keyword (%s) - to\n",
474 fprintf(stderr, "%d: missing host after to\n", linenum);
479 fil.fr_flags |= FR_NOTDSTIP;
482 if (hostmask(&cpp, (u_32_t *)&fil.fr_dst,
483 (u_32_t *)&fil.fr_dmsk, &fil.fr_dport, &ch,
484 &fil.fr_dtop, linenum)) {
491 * check some sanity, make sure we don't have icmp checks with tcp
492 * or udp or visa versa.
494 if (fil.fr_proto && (fil.fr_dcmp || fil.fr_scmp) &&
495 fil.fr_proto != IPPROTO_TCP && fil.fr_proto != IPPROTO_UDP) {
496 fprintf(stderr, "%d: port operation on non tcp/udp\n", linenum);
499 if (fil.fr_icmp && fil.fr_proto != IPPROTO_ICMP) {
500 fprintf(stderr, "%d: icmp comparisons on wrong protocol\n",
508 if (*cpp && !strcasecmp(*cpp, "flags")) {
510 fprintf(stderr, "%d: no flags present\n", linenum);
513 fil.fr_tcpf = tcp_flags(*cpp, &fil.fr_tcpfm, linenum);
520 if (*cpp && (!strcasecmp(*cpp, "with") || !strcasecmp(*cpp, "and")))
521 if (extras(&cpp, &fil, linenum))
525 * icmp types for use with the icmp protocol
527 if (*cpp && !strcasecmp(*cpp, "icmp-type")) {
528 if (fil.fr_proto != IPPROTO_ICMP) {
530 "%d: icmp with wrong protocol (%d)\n",
531 linenum, fil.fr_proto);
534 if (addicmp(&cpp, &fil, linenum))
536 fil.fr_icmp = htons(fil.fr_icmp);
537 fil.fr_icmpm = htons(fil.fr_icmpm);
543 while (*cpp && !strcasecmp(*cpp, "keep"))
544 if (addkeep(&cpp, &fil, linenum))
548 * head of a new group ?
550 if (*cpp && !strcasecmp(*cpp, "head")) {
552 fprintf(stderr, "%d: head without group #\n", linenum);
555 if (ratoi(*cpp, &i, 0, USHRT_MAX))
558 fprintf(stderr, "%d: invalid group (%s)\n",
566 * head of a new group ?
568 if (*cpp && !strcasecmp(*cpp, "group")) {
570 fprintf(stderr, "%d: group without group #\n",
574 if (ratoi(*cpp, &i, 0, USHRT_MAX))
577 fprintf(stderr, "%d: invalid group (%s)\n",
588 fprintf(stderr, "%d: unknown words at end: [", linenum);
590 fprintf(stderr, "%s ", *cpp);
591 fprintf(stderr, "]\n");
598 if ((fil.fr_tcpf || fil.fr_tcpfm) && fil.fr_proto != IPPROTO_TCP) {
599 fprintf(stderr, "%d: TCP protocol not specified\n", linenum);
602 if (!(fil.fr_ip.fi_fl & FI_TCPUDP) && (fil.fr_proto != IPPROTO_TCP) &&
603 (fil.fr_proto != IPPROTO_UDP) && (fil.fr_dcmp || fil.fr_scmp)) {
605 fil.fr_ip.fi_fl |= FI_TCPUDP;
606 fil.fr_mip.fi_fl |= FI_TCPUDP;
609 "%d: port comparisons for non-TCP/UDP\n",
615 if ((fil.fr_flags & FR_KEEPFRAG) &&
616 (!(fil.fr_ip.fi_fl & FI_FRAG) || !(fil.fr_ip.fi_fl & FI_FRAG))) {
618 "%d: must use 'with frags' with 'keep frags'\n",
627 int to_interface(fdp, to, linenum)
639 fdp->fd_ip.s_addr = hostnum(s, &r, linenum);
643 (void) strncpy(fdp->fd_ifname, to, sizeof(fdp->fd_ifname) - 1);
644 fdp->fd_ifname[sizeof(fdp->fd_ifname) - 1] = '\0';
649 void print_toif(tag, fdp)
653 printf("%s %s%s", tag, fdp->fd_ifname,
654 (fdp->fd_ifp || (long)fdp->fd_ifp == -1) ? "" : "(!)");
655 if (fdp->fd_ip.s_addr)
656 printf(":%s", inet_ntoa(fdp->fd_ip));
662 * returns -1 if neither "hostmask/num" or "hostmask mask addr" are
663 * found in the line segments, there is an error processing this information,
664 * or there is an error processing ports information.
666 int hostmask(seg, sa, msk, pp, cp, tp, linenum)
674 int bits = -1, resolved;
675 struct in_addr maskaddr;
678 * is it possibly hostname/num ?
680 if ((s = index(**seg, '/')) || (s = index(**seg, ':'))) {
682 if (index(s, '.') || index(s, 'x')) {
683 /* possibly of the form xxx.xxx.xxx.xxx
685 if (inet_aton(s, &maskaddr) == 0) {
686 fprintf(stderr, "%d: bad mask (%s)\n",
690 *msk = maskaddr.s_addr;
693 * set x most significant bits
695 bits = (int)strtol(s, &endptr, 0);
696 if (*endptr != '\0' || bits > 32 || bits < 0) {
697 fprintf(stderr, "%d: bad mask (/%s)\n",
704 *msk = htonl(0xffffffff << (32 - bits));
706 *sa = hostnum(**seg, &resolved, linenum) & *msk;
707 if (resolved == -1) {
708 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
712 return ports(seg, pp, cp, tp, linenum);
716 * look for extra segments if "mask" found in right spot
718 if (*(*seg+1) && *(*seg+2) && !strcasecmp(*(*seg+1), "mask")) {
719 *sa = hostnum(**seg, &resolved, linenum);
720 if (resolved == -1) {
721 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
726 if (inet_aton(**seg, &maskaddr) == 0) {
727 fprintf(stderr, "%d: bad mask (%s)\n", linenum, **seg);
730 *msk = maskaddr.s_addr;
733 return ports(seg, pp, cp, tp, linenum);
737 *sa = hostnum(**seg, &resolved, linenum);
738 if (resolved == -1) {
739 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
743 *msk = (*sa ? inet_addr("255.255.255.255") : 0L);
745 return ports(seg, pp, cp, tp, linenum);
747 fprintf(stderr, "%d: bad host (%s)\n", linenum, **seg);
752 * returns an ip address as a long var as a result of either a DNS lookup or
753 * straight inet_addr() call
755 u_32_t hostnum(host, resolved, linenum)
765 if (!strcasecmp("any", host))
767 if (isdigit(*host) && inet_aton(host, &ip))
770 if (!strcasecmp("<thishost>", host))
773 if (!(hp = gethostbyname(host))) {
774 if (!(np = getnetbyname(host))) {
776 fprintf(stderr, "%d: can't resolve hostname: %s\n",
780 return htonl(np->n_net);
782 return *(u_32_t *)hp->h_addr;
786 * check for possible presence of the port fields in the line
788 int ports(seg, pp, cp, tp, linenum)
796 if (!*seg || !**seg || !***seg)
798 if (!strcasecmp(**seg, "port") && *(*seg + 1) && *(*seg + 2)) {
800 if (isdigit(***seg) && *(*seg + 2)) {
801 if (portnum(**seg, pp, linenum) == 0)
804 if (!strcmp(**seg, "<>"))
806 else if (!strcmp(**seg, "><"))
810 "%d: unknown range operator (%s)\n",
816 fprintf(stderr, "%d: missing 2nd port value\n",
820 if (portnum(**seg, tp, linenum) == 0)
822 } else if (!strcmp(**seg, "=") || !strcasecmp(**seg, "eq"))
824 else if (!strcmp(**seg, "!=") || !strcasecmp(**seg, "ne"))
826 else if (!strcmp(**seg, "<") || !strcasecmp(**seg, "lt"))
828 else if (!strcmp(**seg, ">") || !strcasecmp(**seg, "gt"))
830 else if (!strcmp(**seg, "<=") || !strcasecmp(**seg, "le"))
832 else if (!strcmp(**seg, ">=") || !strcasecmp(**seg, "ge"))
835 fprintf(stderr, "%d: unknown comparator (%s)\n",
839 if (comp != FR_OUTRANGE && comp != FR_INRANGE) {
841 if (portnum(**seg, pp, linenum) == 0)
851 * find the port number given by the name, either from getservbyname() or
852 * straight atoi(). Return 1 on success, 0 on failure
854 int portnum(name, port, linenum)
859 struct servent *sp, *sp2;
862 if (isdigit(*name)) {
863 if (ratoi(name, &i, 0, USHRT_MAX)) {
867 fprintf(stderr, "%d: unknown port \"%s\"\n", linenum, name);
870 if (proto != NULL && strcasecmp(proto, "tcp/udp") != 0) {
871 sp = getservbyname(name, proto);
873 *port = ntohs(sp->s_port);
876 fprintf(stderr, "%d: unknown service \"%s\".\n", linenum, name);
879 sp = getservbyname(name, "tcp");
882 sp2 = getservbyname(name, "udp");
884 fprintf(stderr, "%d: unknown tcp/udp service \"%s\".\n",
888 if (p1 != sp2->s_port) {
889 fprintf(stderr, "%d: %s %d/tcp is a different port to ",
891 fprintf(stderr, "%d: %s %d/udp\n", linenum, name, sp->s_port);
899 u_char tcp_flags(flgs, mask, linenum)
904 u_char tcpf = 0, tcpfm = 0, *fp = &tcpf;
907 for (s = flgs; *s; s++) {
908 if (*s == '/' && fp == &tcpf) {
912 if (!(t = index(flagset, *s))) {
913 fprintf(stderr, "%d: unknown flag (%c)\n", linenum, *s);
916 *fp |= flags[t - flagset];
926 * deal with extra bits on end of the line
928 int extras(cp, fr, linenum)
945 while (**cp && (!strncasecmp(**cp, "ipopt", 5) ||
946 !strncasecmp(**cp, "not", 3) || !strncasecmp(**cp, "opt", 4) ||
947 !strncasecmp(**cp, "frag", 3) || !strncasecmp(**cp, "no", 2) ||
948 !strncasecmp(**cp, "short", 5))) {
949 if (***cp == 'n' || ***cp == 'N') {
953 } else if (***cp == 'i' || ***cp == 'I') {
955 fr->fr_ip.fi_fl |= FI_OPTIONS;
956 fr->fr_mip.fi_fl |= FI_OPTIONS;
958 } else if (***cp == 'f' || ***cp == 'F') {
960 fr->fr_ip.fi_fl |= FI_FRAG;
961 fr->fr_mip.fi_fl |= FI_FRAG;
963 } else if (***cp == 'o' || ***cp == 'O') {
966 "%d: opt missing arguements\n",
971 if (!(opts = optname(cp, &secmsk, linenum)))
974 } else if (***cp == 's' || ***cp == 'S') {
977 "%d: short cannot be used with TCP flags\n",
983 fr->fr_ip.fi_fl |= FI_SHORT;
984 fr->fr_mip.fi_fl |= FI_SHORT;
989 if (!notopt || !opts)
990 fr->fr_mip.fi_fl |= oflags;
993 fr->fr_mip.fi_optmsk |= opts;
995 fr->fr_mip.fi_optmsk |= (opts & ~0x0100);
998 fr->fr_mip.fi_optmsk |= opts;
1000 fr->fr_mip.fi_secmsk |= secmsk;
1003 fr->fr_ip.fi_fl &= (~oflags & 0xf);
1004 fr->fr_ip.fi_optmsk &= ~opts;
1005 fr->fr_ip.fi_secmsk &= ~secmsk;
1007 fr->fr_ip.fi_fl |= oflags;
1008 fr->fr_ip.fi_optmsk |= opts;
1009 fr->fr_ip.fi_secmsk |= secmsk;
1022 u_32_t optname(cp, sp, linenum)
1027 struct ipopt_names *io, *so;
1033 for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
1034 for (io = ionames; io->on_name; io++)
1035 if (!strcasecmp(s, io->on_name)) {
1040 fprintf(stderr, "%d: unknown IP option name %s\n",
1044 if (!strcasecmp(s, "sec-class"))
1048 if (sec && !*(*cp + 1)) {
1049 fprintf(stderr, "%d: missing security level after sec-class\n",
1056 for (s = strtok(**cp, ","); s; s = strtok(NULL, ",")) {
1057 for (so = secclass; so->on_name; so++)
1058 if (!strcasecmp(s, so->on_name)) {
1064 "%d: no such security level: %s\n",
1077 void optprint(u_short *sec, u_long optmsk, u_long optbits)
1079 void optprint(sec, optmsk, optbits)
1081 u_long optmsk, optbits;
1084 u_short secmsk = sec[0], secbits = sec[1];
1085 struct ipopt_names *io, *so;
1090 for (io = ionames; io->on_name; io++)
1091 if ((io->on_bit & optmsk) &&
1092 ((io->on_bit & optmsk) == (io->on_bit & optbits))) {
1093 if ((io->on_value != IPOPT_SECURITY) ||
1094 (!secmsk && !secbits)) {
1095 printf("%s%s", s, io->on_name);
1096 if (io->on_value == IPOPT_SECURITY)
1104 if (secmsk & secbits) {
1105 printf("%ssec-class", s);
1107 for (so = secclass; so->on_name; so++)
1108 if ((secmsk & so->on_bit) &&
1109 ((so->on_bit & secmsk) == (so->on_bit & secbits))) {
1110 printf("%s%s", s, so->on_name);
1115 if ((optmsk && (optmsk != optbits)) ||
1116 (secmsk && (secmsk != secbits))) {
1119 if (optmsk != optbits) {
1120 for (io = ionames; io->on_name; io++)
1121 if ((io->on_bit & optmsk) &&
1122 ((io->on_bit & optmsk) !=
1123 (io->on_bit & optbits))) {
1124 if ((io->on_value != IPOPT_SECURITY) ||
1125 (!secmsk && !secbits)) {
1126 printf("%s%s", s, io->on_name);
1136 if (secmsk != secbits) {
1137 printf("%ssec-class", s);
1139 for (so = secclass; so->on_name; so++)
1140 if ((so->on_bit & secmsk) &&
1141 ((so->on_bit & secmsk) !=
1142 (so->on_bit & secbits))) {
1143 printf("%s%s", s, so->on_name);
1150 char *icmptypes[] = {
1151 "echorep", (char *)NULL, (char *)NULL, "unreach", "squench",
1152 "redir", (char *)NULL, (char *)NULL, "echo", "routerad",
1153 "routersol", "timex", "paramprob", "timest", "timestrep",
1154 "inforeq", "inforep", "maskreq", "maskrep", "END"
1158 * set the icmp field to the correct type if "icmp" word is found
1160 int addicmp(cp, fp, linenum)
1171 if (!fp->fr_proto) /* to catch lusers */
1172 fp->fr_proto = IPPROTO_ICMP;
1173 if (isdigit(***cp)) {
1174 if (!ratoi(**cp, &i, 0, 255)) {
1176 "%d: Invalid icmp-type (%s) specified\n",
1181 for (t = icmptypes, i = 0; ; t++, i++) {
1184 if (!strcasecmp("END", *t)) {
1188 if (!strcasecmp(*t, **cp))
1193 "%d: Invalid icmp-type (%s) specified\n",
1198 fp->fr_icmp = (u_short)(i << 8);
1199 fp->fr_icmpm = (u_short)0xff00;
1204 if (**cp && strcasecmp("code", **cp))
1207 if (isdigit(***cp)) {
1208 if (!ratoi(**cp, &i, 0, 255)) {
1210 "%d: Invalid icmp code (%s) specified\n",
1214 fp->fr_icmp |= (u_short)i;
1215 fp->fr_icmpm = (u_short)0xffff;
1219 fprintf(stderr, "%d: Invalid icmp code (%s) specified\n",
1225 #define MAX_ICMPCODE 12
1227 char *icmpcodes[] = {
1228 "net-unr", "host-unr", "proto-unr", "port-unr", "needfrag", "srcfail",
1229 "net-unk", "host-unk", "isolate", "net-prohib", "host-prohib",
1230 "net-tos", "host-tos", NULL };
1232 * Return the number for the associated ICMP unreachable code.
1240 if (!(s = strrchr(str, ')')))
1243 if (isdigit(*str)) {
1244 if (!ratoi(str, &i, 0, 255))
1250 for (i = 0; icmpcodes[i]; i++)
1251 if (!strncasecmp(str, icmpcodes[i], MIN(len,
1252 strlen(icmpcodes[i])) ))
1259 * set the icmp field to the correct type if "icmp" word is found
1261 int addkeep(cp, fp, linenum)
1266 if (fp->fr_proto != IPPROTO_TCP && fp->fr_proto != IPPROTO_UDP &&
1267 fp->fr_proto != IPPROTO_ICMP && !(fp->fr_ip.fi_fl & FI_TCPUDP)) {
1268 fprintf(stderr, "%d: Can only use keep with UDP/ICMP/TCP\n",
1274 if (**cp && strcasecmp(**cp, "state") && strcasecmp(**cp, "frags")) {
1275 fprintf(stderr, "%d: Unrecognised state keyword \"%s\"\n",
1280 if (***cp == 's' || ***cp == 'S')
1281 fp->fr_flags |= FR_KEEPSTATE;
1282 else if (***cp == 'f' || ***cp == 'F')
1283 fp->fr_flags |= FR_KEEPFRAG;
1290 * count consecutive 1's in bit mask. If the mask generated by counting
1291 * consecutive 1's is different to that passed, return -1, else return #
1300 ip = ipn = ntohl(ip);
1301 for (i = 32; i; i--, ipn *= 2)
1302 if (ipn & 0x80000000)
1307 for (i = 32, j = cnt; i; i--, j--) {
1318 char *portname(pr, port)
1321 static char buf[32];
1322 struct protoent *p = NULL;
1323 struct servent *sv = NULL, *sv1 = NULL;
1326 if ((sv = getservbyport(htons(port), "tcp"))) {
1327 strncpy(buf, sv->s_name, sizeof(buf)-1);
1328 buf[sizeof(buf)-1] = '\0';
1329 sv1 = getservbyport(htons(port), "udp");
1330 sv = strncasecmp(buf, sv->s_name, strlen(buf)) ?
1335 } else if (pr && (p = getprotobynumber(pr))) {
1336 if ((sv = getservbyport(htons(port), p->p_name))) {
1337 strncpy(buf, sv->s_name, sizeof(buf)-1);
1338 buf[sizeof(buf)-1] = '\0';
1343 (void) sprintf(buf, "%d", port);
1349 * print the filter structure in a useful way
1354 static char *pcmp1[] = { "*", "=", "!=", "<", ">", "<=", ">=",
1362 if (fp->fr_flags & FR_PASS)
1364 else if (fp->fr_flags & FR_BLOCK) {
1366 if (fp->fr_flags & FR_RETICMP) {
1367 if ((fp->fr_flags & FR_RETMASK) == FR_FAKEICMP)
1368 printf(" return-icmp-as-dest");
1369 else if ((fp->fr_flags & FR_RETMASK) == FR_RETICMP)
1370 printf(" return-icmp");
1372 if (fp->fr_icode <= MAX_ICMPCODE)
1374 icmpcodes[(int)fp->fr_icode]);
1376 printf("(%d)", fp->fr_icode);
1378 } else if ((fp->fr_flags & FR_RETMASK) == FR_RETRST)
1379 printf(" return-rst");
1380 } else if ((fp->fr_flags & FR_LOGMASK) == FR_LOG) {
1382 if (fp->fr_flags & FR_LOGBODY)
1384 if (fp->fr_flags & FR_LOGFIRST)
1386 } else if (fp->fr_flags & FR_ACCOUNT)
1388 else if (fp->fr_flags & FR_AUTH)
1390 else if (fp->fr_flags & FR_PREAUTH)
1392 else if (fp->fr_skip)
1393 printf("skip %hu", fp->fr_skip);
1395 if (fp->fr_flags & FR_OUTQUE)
1400 if (((fp->fr_flags & FR_LOGB) == FR_LOGB) ||
1401 ((fp->fr_flags & FR_LOGP) == FR_LOGP)) {
1403 if (fp->fr_flags & FR_LOGBODY)
1405 if (fp->fr_flags & FR_LOGFIRST)
1407 if (fp->fr_flags & FR_LOGORBLOCK)
1408 printf("or-block ");
1409 if (fp->fr_loglevel != 0xffff) {
1410 if (fp->fr_loglevel & LOG_FACMASK) {
1411 s = fac_toname(fp->fr_loglevel);
1416 u = pri_toname(fp->fr_loglevel);
1420 printf("level %s.%s ", s, u);
1422 printf("level %s ", u);
1426 if (fp->fr_flags & FR_QUICK)
1429 if (*fp->fr_ifname) {
1430 printf("on %s%s ", fp->fr_ifname,
1431 (fp->fr_ifa || (long)fp->fr_ifa == -1) ? "" : "(!)");
1432 if (*fp->fr_dif.fd_ifname)
1433 print_toif("dup-to", &fp->fr_dif);
1434 if (*fp->fr_tif.fd_ifname)
1435 print_toif("to", &fp->fr_tif);
1436 if (fp->fr_flags & FR_FASTROUTE)
1437 printf("fastroute ");
1440 if (fp->fr_mip.fi_tos)
1441 printf("tos %#x ", fp->fr_tos);
1442 if (fp->fr_mip.fi_ttl)
1443 printf("ttl %d ", fp->fr_ttl);
1444 if (fp->fr_ip.fi_fl & FI_TCPUDP) {
1445 printf("proto tcp/udp ");
1447 } else if ((pr = fp->fr_mip.fi_p)) {
1448 if ((p = getprotobynumber(fp->fr_proto)))
1449 printf("proto %s ", p->p_name);
1451 printf("proto %d ", fp->fr_proto);
1454 printf("from %s", fp->fr_flags & FR_NOTSRCIP ? "!" : "");
1455 if (!fp->fr_src.s_addr && !fp->fr_smsk.s_addr)
1458 printf("%s", inet_ntoa(fp->fr_src));
1459 if ((ones = countbits(fp->fr_smsk.s_addr)) == -1)
1460 printf("/%s ", inet_ntoa(fp->fr_smsk));
1462 printf("/%d ", ones);
1465 if (fp->fr_scmp == FR_INRANGE || fp->fr_scmp == FR_OUTRANGE)
1466 printf("port %d %s %d ", fp->fr_sport,
1467 pcmp1[fp->fr_scmp], fp->fr_stop);
1469 printf("port %s %s ", pcmp1[fp->fr_scmp],
1470 portname(pr, fp->fr_sport));
1473 printf("to %s", fp->fr_flags & FR_NOTDSTIP ? "!" : "");
1474 if (!fp->fr_dst.s_addr && !fp->fr_dmsk.s_addr)
1477 printf("%s", inet_ntoa(fp->fr_dst));
1478 if ((ones = countbits(fp->fr_dmsk.s_addr)) == -1)
1479 printf("/%s", inet_ntoa(fp->fr_dmsk));
1481 printf("/%d", ones);
1484 if (fp->fr_dcmp == FR_INRANGE || fp->fr_dcmp == FR_OUTRANGE)
1485 printf(" port %d %s %d", fp->fr_dport,
1486 pcmp1[fp->fr_dcmp], fp->fr_dtop);
1488 printf(" port %s %s", pcmp1[fp->fr_dcmp],
1489 portname(pr, fp->fr_dport));
1491 if ((fp->fr_ip.fi_fl & ~FI_TCPUDP) ||
1492 (fp->fr_mip.fi_fl & ~FI_TCPUDP) ||
1493 fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
1494 fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
1496 if (fp->fr_ip.fi_optmsk || fp->fr_mip.fi_optmsk ||
1497 fp->fr_ip.fi_secmsk || fp->fr_mip.fi_secmsk) {
1498 sec[0] = fp->fr_mip.fi_secmsk;
1499 sec[1] = fp->fr_ip.fi_secmsk;
1501 fp->fr_mip.fi_optmsk, fp->fr_ip.fi_optmsk);
1502 } else if (fp->fr_mip.fi_fl & FI_OPTIONS) {
1503 if (!(fp->fr_ip.fi_fl & FI_OPTIONS))
1507 if (fp->fr_mip.fi_fl & FI_SHORT) {
1508 if (!(fp->fr_ip.fi_fl & FI_SHORT))
1512 if (fp->fr_mip.fi_fl & FI_FRAG) {
1513 if (!(fp->fr_ip.fi_fl & FI_FRAG))
1518 if (fp->fr_proto == IPPROTO_ICMP && fp->fr_icmpm) {
1519 int type = fp->fr_icmp, code;
1521 type = ntohs(fp->fr_icmp);
1524 if (type < (sizeof(icmptypes) / sizeof(char *)) &&
1526 printf(" icmp-type %s", icmptypes[type]);
1528 printf(" icmp-type %d", type);
1530 printf(" code %d", code);
1532 if (fp->fr_proto == IPPROTO_TCP && (fp->fr_tcpf || fp->fr_tcpfm)) {
1534 for (s = flagset, t = flags; *s; s++, t++)
1535 if (fp->fr_tcpf & *t)
1539 for (s = flagset, t = flags; *s; s++, t++)
1540 if (fp->fr_tcpfm & *t)
1545 if (fp->fr_flags & FR_KEEPSTATE)
1546 printf(" keep state");
1547 if (fp->fr_flags & FR_KEEPFRAG)
1548 printf(" keep frags");
1550 printf(" head %d", fp->fr_grhead);
1552 printf(" group %d", fp->fr_group);
1553 (void)putchar('\n');
1559 int i = sizeof(*fp), j = 0;
1562 for (s = (u_char *)fp; i; i--, s++) {
1564 printf("%02x ", *s);
1571 (void)fflush(stdout);
1575 int ratoi(ps, pi, min, max)
1582 i = (int)strtol(ps, &pe, 0);
1583 if (*pe != '\0' || i < min || i > max)