4 * Copyright (C) 2012 by Darren Reed.
6 * See the IPFILTER.LICENCE file for details on licencing.
11 #include <sys/ioctl.h>
12 #include "netinet/ipl.h"
15 static const char sccsid[] = "@(#)ipf.c 1.23 6/5/96 (C) 1993-2000 Darren Reed";
16 static const char rcsid[] = "@(#)$Id$";
19 #if !defined(__SVR4) && defined(__GNUC__)
20 extern char *index __P((const char *, int));
25 extern frentry_t *frtop;
28 void ipf_frsync __P((void));
29 void zerostats __P((void));
30 int main __P((int, char *[]));
37 static void procfile __P((char *));
38 static void flushfilter __P((char *, int *));
39 static void set_state __P((u_int));
40 static void showstats __P((friostat_t *));
41 static void packetlogon __P((char *));
42 static void swapactive __P((void));
43 static int opendevice __P((char *, int));
44 static void closedevice __P((void));
45 static char *ipfname = IPL_NAME;
46 static void usage __P((void));
47 static int showversion __P((void));
48 static int get_flags __P((void));
49 static int ipf_interceptadd __P((int, ioctlfunc_t, void *));
52 static ioctlfunc_t iocfunctions[IPL_LOGSIZE] = { ioctl, ioctl, ioctl,
56 /* XXX The following was added to satisfy a rescue/rescue/ build
62 fprintf(stderr, "usage: ipf [-6AdDEInoPrRsvVyzZ] %s %s %s\n",
63 "[-l block|pass|nomatch|state|nat]", "[-cc] [-F i|o|a|s|S|u]",
64 "[-f filename] [-T <tuneopts>]");
73 int c, *filter = NULL;
78 assigndefined(getenv("IPF_PREDEFINED"));
80 while ((c = getopt(argc, argv, "46Ac:dDEf:F:Il:m:noPrRsT:vVyzZ")) != -1) {
93 opts &= ~OPT_INACTIVE;
96 if (strcmp(optarg, "c") == 0)
112 flushfilter(optarg, filter);
115 opts ^= OPT_INACTIVE;
121 filter = parseipfexpr(optarg, NULL);
124 opts ^= OPT_DONOTHING|OPT_DONTOPEN;
129 ipfname = IPAUTH_NAME;
132 opts ^= OPT_NORESOLVE;
141 if (opendevice(ipfname, 1) >= 0)
142 ipf_dotuning(fd, optarg, ioctl);
155 opts ^= OPT_ZERORULEST;
174 static int opendevice(ipfdev, check)
178 if (opts & OPT_DONOTHING)
181 if (check && checkrev(ipfname) == -1) {
182 fprintf(stderr, "User/kernel version check failed\n");
190 if ((fd = open(ipfdev, O_RDWR)) == -1)
191 if ((fd = open(ipfdev, O_RDONLY)) == -1)
192 ipferror(fd, "open device");
197 static void closedevice()
204 static int get_flags()
208 if ((opendevice(ipfname, 1) != -2) &&
209 (ioctl(fd, SIOCGETFF, &i) == -1)) {
210 ipferror(fd, "SIOCGETFF");
217 static void set_state(enable)
220 if (opendevice(ipfname, 0) != -2) {
221 if (ioctl(fd, SIOCFRENB, &enable) == -1) {
222 if (errno == EBUSY) {
224 "IP FIlter: already initialized\n");
226 ipferror(fd, "SIOCFRENB");
234 static void procfile(file)
237 (void) opendevice(ipfname, 1);
241 ipf_parsefile(fd, ipf_interceptadd, iocfunctions, file);
246 emit(-1, -1, NULL, NULL);
251 static int ipf_interceptadd(fd, ioctlfunc, ptr)
253 ioctlfunc_t ioctlfunc;
259 if (ipf_addrule(fd, ioctlfunc, ptr) != 0)
265 static void packetlogon(opt)
268 int flag, xfd, logopt, change = 0;
272 if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE)
273 printf("log flag is currently %#x\n", flag);
276 flag &= ~(FF_LOGPASS|FF_LOGNOMATCH|FF_LOGBLOCK);
278 if (strstr(opt, "pass")) {
280 if (opts & OPT_VERBOSE)
281 printf("set log flag: pass\n");
284 if (strstr(opt, "nomatch")) {
285 flag |= FF_LOGNOMATCH;
286 if (opts & OPT_VERBOSE)
287 printf("set log flag: nomatch\n");
290 if (strstr(opt, "block") || strchr(opt, 'd')) {
292 if (opts & OPT_VERBOSE)
293 printf("set log flag: block\n");
296 if (strstr(opt, "none")) {
297 if (opts & OPT_VERBOSE)
298 printf("disable all log flags\n");
303 if (opendevice(ipfname, 1) != -2 &&
304 (ioctl(fd, SIOCSETFF, &flag) != 0))
305 ipferror(fd, "ioctl(SIOCSETFF)");
308 if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
310 printf("log flags are now %#x\n", flag);
313 if (strstr(opt, "state")) {
314 if (opts & OPT_VERBOSE)
315 printf("set state log flag\n");
316 xfd = open(IPSTATE_NAME, O_RDWR);
319 if (ioctl(xfd, SIOCGETLG, &logopt))
320 ipferror(fd, "ioctl(SIOCGETLG)");
323 if (ioctl(xfd, SIOCSETLG, &logopt))
324 ipferror(xfd, "ioctl(SIOCSETLG)");
330 if (strstr(opt, "nat")) {
331 if (opts & OPT_VERBOSE)
332 printf("set nat log flag\n");
333 xfd = open(IPNAT_NAME, O_RDWR);
336 if (ioctl(xfd, SIOCGETLG, &logopt))
337 ipferror(xfd, "ioctl(SIOCGETLG)");
340 if (ioctl(xfd, SIOCSETLG, &logopt))
341 ipferror(xfd, "ioctl(SIOCSETLG)");
349 static void flushfilter(arg, filter)
357 if (!strcmp(arg, "s") || !strcmp(arg, "S") || ISDIGIT(*arg)) {
360 else if (*arg == 's')
367 if (opendevice(IPSTATE_NAME, 1) == -2)
370 if (!(opts & OPT_DONOTHING)) {
373 "IPv6 rules are no longer seperate\n");
374 } else if (filter != NULL) {
377 obj.ipfo_rev = IPFILTER_VERSION;
378 obj.ipfo_size = filter[0] * sizeof(int);
379 obj.ipfo_type = IPFOBJ_IPFEXPR;
380 obj.ipfo_ptr = filter;
381 if (ioctl(fd, SIOCMATCHFLUSH, &obj) == -1) {
382 ipferror(fd, "ioctl(SIOCMATCHFLUSH)");
385 fl = obj.ipfo_retval;
388 if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
389 ipferror(fd, "ioctl(SIOCIPFFL)");
394 if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
395 printf("remove flags %s (%d)\n", arg, rem);
397 if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
398 printf("%d state entries removed\n", fl);
402 } else if (strchr(arg, 'i') || strchr(arg, 'I'))
404 else if (strchr(arg, 'o') || strchr(arg, 'O'))
406 else if (strchr(arg, 'a') || strchr(arg, 'A'))
407 fl = FR_OUTQUE|FR_INQUE;
409 fprintf(stderr, "Incorrect flush argument: %s\n", arg);
412 if (opts & OPT_INACTIVE)
416 if (opendevice(ipfname, 1) == -2)
419 if (!(opts & OPT_DONOTHING)) {
421 if (ioctl(fd, SIOCIPFL6, &fl) == -1) {
422 ipferror(fd, "ioctl(SIOCIPFL6)");
426 if (ioctl(fd, SIOCIPFFL, &fl) == -1) {
427 ipferror(fd, "ioctl(SIOCIPFFL)");
433 if ((opts & (OPT_DONOTHING|OPT_DEBUG)) == OPT_DEBUG) {
434 printf("remove flags %s%s (%d)\n", (rem & FR_INQUE) ? "I" : "",
435 (rem & FR_OUTQUE) ? "O" : "", rem);
437 if ((opts & (OPT_DONOTHING|OPT_VERBOSE)) == OPT_VERBOSE) {
438 printf("%d filter rules removed\n", fl);
444 static void swapactive()
448 if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCSWAPA, &in) == -1)
449 ipferror(fd, "ioctl(SIOCSWAPA)");
451 printf("Set %d now inactive\n", in);
459 if (opendevice(ipfname, 1) != -2 && ioctl(fd, SIOCFRSYN, &frsyn) == -1)
460 ipferror(fd, "SIOCFRSYN");
462 printf("filter sync'd\n");
471 obj.ipfo_rev = IPFILTER_VERSION;
472 obj.ipfo_type = IPFOBJ_IPFSTAT;
473 obj.ipfo_size = sizeof(fio);
477 if (opendevice(ipfname, 1) != -2) {
478 if (ioctl(fd, SIOCFRZST, &obj) == -1) {
479 ipferror(fd, "ioctl(SIOCFRZST)");
489 * read the kernel stats for packets blocked and passed
491 static void showstats(fp)
494 printf("bad packets:\t\tin %lu\tout %lu\n",
495 fp->f_st[0].fr_bad, fp->f_st[1].fr_bad);
496 printf(" input packets:\t\tblocked %lu passed %lu nomatch %lu",
497 fp->f_st[0].fr_block, fp->f_st[0].fr_pass,
499 printf(" counted %lu\n", fp->f_st[0].fr_acct);
500 printf("output packets:\t\tblocked %lu passed %lu nomatch %lu",
501 fp->f_st[1].fr_block, fp->f_st[1].fr_pass,
503 printf(" counted %lu\n", fp->f_st[0].fr_acct);
504 printf(" input packets logged:\tblocked %lu passed %lu\n",
505 fp->f_st[0].fr_bpkl, fp->f_st[0].fr_ppkl);
506 printf("output packets logged:\tblocked %lu passed %lu\n",
507 fp->f_st[1].fr_bpkl, fp->f_st[1].fr_ppkl);
511 static int showversion()
519 bzero((caddr_t)&ipfo, sizeof(ipfo));
520 ipfo.ipfo_rev = IPFILTER_VERSION;
521 ipfo.ipfo_size = sizeof(fio);
522 ipfo.ipfo_ptr = (void *)&fio;
523 ipfo.ipfo_type = IPFOBJ_IPFSTAT;
525 printf("ipf: %s (%d)\n", IPL_VERSION, (int)sizeof(frentry_t));
527 if ((vfd = open(ipfname, O_RDONLY)) == -1) {
528 perror("open device");
532 if (ioctl(vfd, SIOCGETFS, &ipfo)) {
533 ipferror(vfd, "ioctl(SIOCGETFS)");
540 printf("Kernel: %-*.*s\n", (int)sizeof(fio.f_version),
541 (int)sizeof(fio.f_version), fio.f_version);
542 printf("Running: %s\n", (fio.f_running > 0) ? "yes" : "no");
543 printf("Log Flags: %#x = ", flags);
545 if (flags & FF_LOGPASS) {
549 if (flags & FF_LOGBLOCK) {
550 printf("%sblock", s);
553 if (flags & FF_LOGNOMATCH) {
554 printf("%snomatch", s);
557 if (flags & FF_BLOCKNONIP) {
558 printf("%snonip", s);
566 if (FR_ISPASS(fio.f_defpass))
568 else if (FR_ISBLOCK(fio.f_defpass))
571 s = "nomatch -> block";
572 printf("%s all, Logging: %savailable\n", s, fio.f_logging ? "" : "un");
573 printf("Active list: %d\n", fio.f_active);
574 printf("Feature mask: %#x\n", fio.f_features);
projects / FreeBSD / FreeBSD.git / blob