2 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
3 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 * Idea and grammar partially left from:
6 * Copyright (c) 1993 Daniel Boulet
8 * Redistribution and use in source forms, with and without modification,
9 * are permitted provided that this entire comment appears intact.
11 * Redistribution in binary form may occur without any restrictions.
12 * Obviously, it would be nice if you gave credit where credit is due
13 * but requiring it would be too onerous.
15 * This software is provided ``AS IS'' without any warranties of any kind.
17 * NEW command line interface for IP firewall facility
19 * $Id: ipfw.c,v 1.61 1998/11/23 10:54:28 joerg Exp $
23 #include <sys/types.h>
24 #include <sys/queue.h>
25 #include <sys/socket.h>
26 #include <sys/sockio.h>
45 #include <netinet/in.h>
46 #include <netinet/in_systm.h>
47 #include <netinet/ip_var.h>
48 #include <netinet/ip.h>
49 #include <netinet/ip_icmp.h>
50 #include <netinet/ip_fw.h>
51 #include <netinet/tcp.h>
52 #include <arpa/inet.h>
56 int s; /* main RAW socket */
57 int do_resolv=0; /* Would try to resolv all */
58 int do_acct=0; /* Show packet/byte count */
59 int do_time=0; /* Show time stamps */
60 int do_quiet=0; /* Be quiet in add and flush */
61 int do_force=0; /* Don't ask for confirmation */
68 static struct icmpcode icmpcodes[] = {
69 { ICMP_UNREACH_NET, "net" },
70 { ICMP_UNREACH_HOST, "host" },
71 { ICMP_UNREACH_PROTOCOL, "protocol" },
72 { ICMP_UNREACH_PORT, "port" },
73 { ICMP_UNREACH_NEEDFRAG, "needfrag" },
74 { ICMP_UNREACH_SRCFAIL, "srcfail" },
75 { ICMP_UNREACH_NET_UNKNOWN, "net-unknown" },
76 { ICMP_UNREACH_HOST_UNKNOWN, "host-unknown" },
77 { ICMP_UNREACH_ISOLATED, "isolated" },
78 { ICMP_UNREACH_NET_PROHIB, "net-prohib" },
79 { ICMP_UNREACH_HOST_PROHIB, "host-prohib" },
80 { ICMP_UNREACH_TOSNET, "tosnet" },
81 { ICMP_UNREACH_TOSHOST, "toshost" },
82 { ICMP_UNREACH_FILTER_PROHIB, "filter-prohib" },
83 { ICMP_UNREACH_HOST_PRECEDENCE, "host-precedence" },
84 { ICMP_UNREACH_PRECEDENCE_CUTOFF, "precedence-cutoff" },
88 static void show_usage(const char *fmt, ...);
91 mask_bits(struct in_addr m_ad)
93 int h_fnd=0,h_num=0,i;
96 mask=ntohl(m_ad.s_addr);
97 for (i=0;i<sizeof(u_long)*CHAR_BIT;i++) {
111 print_port(prot, port, comma)
118 const char *protocol;
122 pe = getprotobynumber(prot);
124 protocol = pe->p_name;
128 se = getservbyport(htons(port), protocol);
130 printf("%s%s", comma, se->s_name);
135 printf("%s%d",comma,port);
139 print_iface(char *key, union ip_fw_if *un, int byname)
141 char ifnb[FW_IFNLEN+1];
144 strncpy(ifnb, un->fu_via_if.name, FW_IFNLEN);
145 ifnb[FW_IFNLEN]='\0';
146 if (un->fu_via_if.unit == -1)
147 printf(" %s %s*", key, ifnb);
149 printf(" %s %s%d", key, ifnb, un->fu_via_if.unit);
150 } else if (un->fu_via_ip.s_addr != 0) {
151 printf(" %s %s", key, inet_ntoa(un->fu_via_ip));
153 printf(" %s any", key);
157 print_reject_code(int code)
161 for (ic = icmpcodes; ic->str; ic++)
162 if (ic->code == code) {
163 printf("%s", ic->str);
170 show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
177 int nsp = IP_FW_GETNSRCP(chain);
178 int ndp = IP_FW_GETNDSTP(chain);
181 setservent(1/*stayopen*/);
183 printf("%05u ", chain->fw_number);
186 printf("%*qu %*qu ",pcwidth,chain->fw_pcnt,bcwidth,chain->fw_bcnt);
190 if (chain->timestamp)
194 strcpy(timestr, ctime((time_t *)&chain->timestamp));
195 *strchr(timestr, '\n') = '\0';
196 printf("%s ", timestr);
202 switch (chain->fw_flg & IP_FW_F_COMMAND)
214 printf("divert %u", chain->fw_divert_port);
217 printf("tee %u", chain->fw_divert_port);
220 printf("skipto %u", chain->fw_skipto_rule);
223 if (chain->fw_reject_code == IP_FW_REJECT_RST)
227 print_reject_code(chain->fw_reject_code);
231 printf("fwd %s", inet_ntoa(chain->fw_fwd_ip.sin_addr));
232 if(chain->fw_fwd_ip.sin_port)
233 printf(",%d", chain->fw_fwd_ip.sin_port);
236 errx(EX_OSERR, "impossible");
239 if (chain->fw_flg & IP_FW_F_PRN)
242 pe = getprotobynumber(chain->fw_prot);
244 printf(" %s", pe->p_name);
246 printf(" %u", chain->fw_prot);
248 printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
250 adrt=ntohl(chain->fw_smsk.s_addr);
251 if (adrt==ULONG_MAX && do_resolv) {
252 adrt=(chain->fw_src.s_addr);
253 he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
255 printf(inet_ntoa(chain->fw_src));
257 printf("%s",he->h_name);
259 if (adrt!=ULONG_MAX) {
260 mb=mask_bits(chain->fw_smsk);
265 printf(inet_ntoa(chain->fw_src));
268 printf(inet_ntoa(chain->fw_src));
270 printf(inet_ntoa(chain->fw_smsk));
274 printf(inet_ntoa(chain->fw_src));
277 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
279 for (i = 0; i < nsp; i++) {
280 print_port(chain->fw_prot, chain->fw_uar.fw_pts[i], comma);
281 if (i==0 && (chain->fw_flg & IP_FW_F_SRNG))
288 printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
290 adrt=ntohl(chain->fw_dmsk.s_addr);
291 if (adrt==ULONG_MAX && do_resolv) {
292 adrt=(chain->fw_dst.s_addr);
293 he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
295 printf(inet_ntoa(chain->fw_dst));
297 printf("%s",he->h_name);
299 if (adrt!=ULONG_MAX) {
300 mb=mask_bits(chain->fw_dmsk);
305 printf(inet_ntoa(chain->fw_dst));
308 printf(inet_ntoa(chain->fw_dst));
310 printf(inet_ntoa(chain->fw_dmsk));
314 printf(inet_ntoa(chain->fw_dst));
317 if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
319 for (i = 0; i < ndp; i++) {
320 print_port(chain->fw_prot, chain->fw_uar.fw_pts[nsp+i], comma);
321 if (i==0 && (chain->fw_flg & IP_FW_F_DRNG))
329 if ((chain->fw_flg & IP_FW_F_IN) && !(chain->fw_flg & IP_FW_F_OUT))
331 if (!(chain->fw_flg & IP_FW_F_IN) && (chain->fw_flg & IP_FW_F_OUT))
334 /* Handle hack for "via" backwards compatibility */
335 if ((chain->fw_flg & IF_FW_F_VIAHACK) == IF_FW_F_VIAHACK) {
337 &chain->fw_in_if, chain->fw_flg & IP_FW_F_IIFNAME);
339 /* Receive interface specified */
340 if (chain->fw_flg & IP_FW_F_IIFACE)
341 print_iface("recv", &chain->fw_in_if,
342 chain->fw_flg & IP_FW_F_IIFNAME);
343 /* Transmit interface specified */
344 if (chain->fw_flg & IP_FW_F_OIFACE)
345 print_iface("xmit", &chain->fw_out_if,
346 chain->fw_flg & IP_FW_F_OIFNAME);
349 if (chain->fw_flg & IP_FW_F_FRAG)
352 if (chain->fw_ipopt || chain->fw_ipnopt) {
353 int _opt_printed = 0;
354 #define PRINTOPT(x) {if (_opt_printed) printf(",");\
355 printf(x); _opt_printed = 1;}
358 if (chain->fw_ipopt & IP_FW_IPOPT_SSRR) PRINTOPT("ssrr");
359 if (chain->fw_ipnopt & IP_FW_IPOPT_SSRR) PRINTOPT("!ssrr");
360 if (chain->fw_ipopt & IP_FW_IPOPT_LSRR) PRINTOPT("lsrr");
361 if (chain->fw_ipnopt & IP_FW_IPOPT_LSRR) PRINTOPT("!lsrr");
362 if (chain->fw_ipopt & IP_FW_IPOPT_RR) PRINTOPT("rr");
363 if (chain->fw_ipnopt & IP_FW_IPOPT_RR) PRINTOPT("!rr");
364 if (chain->fw_ipopt & IP_FW_IPOPT_TS) PRINTOPT("ts");
365 if (chain->fw_ipnopt & IP_FW_IPOPT_TS) PRINTOPT("!ts");
368 if (chain->fw_tcpf & IP_FW_TCPF_ESTAB)
369 printf(" established");
370 else if (chain->fw_tcpf == IP_FW_TCPF_SYN &&
371 chain->fw_tcpnf == IP_FW_TCPF_ACK)
373 else if (chain->fw_tcpf || chain->fw_tcpnf) {
374 int _flg_printed = 0;
375 #define PRINTFLG(x) {if (_flg_printed) printf(",");\
376 printf(x); _flg_printed = 1;}
379 if (chain->fw_tcpf & IP_FW_TCPF_FIN) PRINTFLG("fin");
380 if (chain->fw_tcpnf & IP_FW_TCPF_FIN) PRINTFLG("!fin");
381 if (chain->fw_tcpf & IP_FW_TCPF_SYN) PRINTFLG("syn");
382 if (chain->fw_tcpnf & IP_FW_TCPF_SYN) PRINTFLG("!syn");
383 if (chain->fw_tcpf & IP_FW_TCPF_RST) PRINTFLG("rst");
384 if (chain->fw_tcpnf & IP_FW_TCPF_RST) PRINTFLG("!rst");
385 if (chain->fw_tcpf & IP_FW_TCPF_PSH) PRINTFLG("psh");
386 if (chain->fw_tcpnf & IP_FW_TCPF_PSH) PRINTFLG("!psh");
387 if (chain->fw_tcpf & IP_FW_TCPF_ACK) PRINTFLG("ack");
388 if (chain->fw_tcpnf & IP_FW_TCPF_ACK) PRINTFLG("!ack");
389 if (chain->fw_tcpf & IP_FW_TCPF_URG) PRINTFLG("urg");
390 if (chain->fw_tcpnf & IP_FW_TCPF_URG) PRINTFLG("!urg");
392 if (chain->fw_flg & IP_FW_F_ICMPBIT) {
398 for (type_index = 0; type_index < IP_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8; ++type_index)
399 if (chain->fw_uar.fw_icmptypes[type_index / (sizeof(unsigned) * 8)] &
400 (1U << (type_index % (sizeof(unsigned) * 8)))) {
401 printf("%c%d", first == 1 ? ' ' : ',', type_index);
416 struct ip_fw rules[1024];
418 unsigned long rulenum;
422 /* extract rules from kernel */
423 memset(rules,0,sizeof rules);
424 bytes = sizeof rules;
425 i = getsockopt(s, IPPROTO_IP, IP_FW_GET, rules, &bytes);
427 err(2,"getsockopt(IP_FW_GET)");
429 /* find the maximum packet/byte counter widths */
430 for (r=rules, l = bytes; l >= sizeof rules[0];
431 r++, l-=sizeof rules[0]) {
436 width = sprintf(temp, "%qu", r->fw_pcnt);
441 width = sprintf(temp, "%qu", r->fw_bcnt);
446 /* display all rules */
447 for (r = rules, l = bytes; l >= sizeof rules[0];
448 r++, l-=sizeof rules[0])
449 show_ipfw(r, pcwidth, bcwidth);
452 /* display specific rules requested on command line */
459 /* convert command line rule # */
460 rulenum = strtoul(*av++, &endptr, 10);
463 warn("invalid rule number: %s", *(av - 1));
467 for (r = rules, l = bytes;
468 l >= sizeof rules[0] && r->fw_number <= rulenum;
469 r++, l-=sizeof rules[0])
470 if (rulenum == r->fw_number) {
471 show_ipfw(r, pcwidth, bcwidth);
475 /* give precedence to other error(s) */
476 if (exitval == EX_OK)
477 exitval = EX_UNAVAILABLE;
478 warnx("rule %lu does not exist", rulenum);
481 if (exitval != EX_OK)
487 show_usage(const char *fmt, ...)
494 vsnprintf(buf, sizeof(buf), fmt, args);
496 warnx("error: %s", buf);
498 fprintf(stderr, "usage: ipfw [options]\n"
500 " add [number] rule\n"
501 " delete number ...\n"
502 " list [number ...]\n"
503 " show [number ...]\n"
504 " zero [number ...]\n"
505 " rule: action proto src dst extras...\n"
507 " {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
508 " reset|count|skipto num|divert port|tee port|fwd ip} [log]\n"
509 " proto: {ip|tcp|udp|icmp|<number>}\n"
510 " src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
511 " dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
513 " fragment (may not be used with ports or tcpflags)\n"
516 " {xmit|recv|via} {iface|ip|any}\n"
517 " {established|setup}\n"
518 " tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
519 " ipoptions [!]{ssrr|lsrr|rr|ts},...\n"
520 " icmptypes {type[,type]}...\n");
526 lookup_host (host, ipaddr)
528 struct in_addr *ipaddr;
530 struct hostent *he = gethostbyname(host);
535 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
541 fill_ip(ipno, mask, acp, avp)
542 struct in_addr *ipno, *mask;
550 if (ac && !strncmp(*av,"any",strlen(*av))) {
551 ipno->s_addr = mask->s_addr = 0; av++; ac--;
553 p = strchr(*av, '/');
555 p = strchr(*av, ':');
561 if (lookup_host(*av, ipno) != 0)
562 show_usage("hostname ``%s'' unknown", *av);
565 if (!inet_aton(p,mask))
566 show_usage("bad netmask ``%s''", p);
571 } else if (atoi(p) > 32) {
572 show_usage("bad width ``%s''", p);
575 htonl(~0 << (32 - atoi(p)));
579 mask->s_addr = htonl(~0);
582 ipno->s_addr &= mask->s_addr;
591 fill_reject_code(u_short *codep, char *str)
597 val = strtoul(str, &s, 0);
598 if (s != str && *s == '\0' && val < 0x100) {
602 for (ic = icmpcodes; ic->str; ic++)
603 if (!strcasecmp(str, ic->str)) {
607 show_usage("unknown ICMP unreachable code ``%s''", str);
611 add_port(cnt, ptr, off, port)
612 u_short *cnt, *ptr, off, port;
614 if (off + *cnt >= IP_FW_MAX_PORTS)
615 errx(EX_USAGE, "too many ports (max is %d)", IP_FW_MAX_PORTS);
616 ptr[off+*cnt] = port;
621 lookup_port(const char *arg, int test, int nodash)
627 snprintf(buf, sizeof(buf), "%s", arg);
628 buf[strcspn(arg, nodash ? "-," : ",")] = 0;
629 val = (int) strtoul(buf, &earg, 0);
630 if (!*buf || *earg) {
632 if ((s = getservbyname(buf, NULL))) {
633 val = htons(s->s_port);
636 errx(EX_DATAERR, "unknown port ``%s''", arg);
641 if (val < 0 || val > 0xffff) {
643 errx(EX_DATAERR, "port ``%s'' out of range", arg);
652 fill_port(cnt, ptr, off, arg)
653 u_short *cnt, *ptr, off;
657 int initial_range = 0;
659 s = arg + strcspn(arg, "-,"); /* first port name can't have a dash */
662 if (strchr(arg, ','))
663 errx(EX_USAGE, "port range must be first in list");
664 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0x0000);
669 add_port(cnt, ptr, off, *arg ? lookup_port(arg, 0, 0) : 0xffff);
673 while (arg != NULL) {
677 add_port(cnt, ptr, off, lookup_port(arg, 0, 0));
680 return initial_range;
684 fill_tcpflag(set, reset, vp)
696 { "syn", IP_FW_TCPF_SYN },
697 { "fin", IP_FW_TCPF_FIN },
698 { "ack", IP_FW_TCPF_ACK },
699 { "psh", IP_FW_TCPF_PSH },
700 { "rst", IP_FW_TCPF_RST },
701 { "urg", IP_FW_TCPF_URG }
714 for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
715 if (!strncmp(p, flags[i].name, strlen(p))) {
716 *d |= flags[i].value;
719 if (i == sizeof(flags) / sizeof(flags[0]))
720 show_usage("invalid tcp flag ``%s''", p);
726 fill_ipopt(u_char *set, u_char *reset, char **vp)
741 if (!strncmp(p,"ssrr",strlen(p))) *d |= IP_FW_IPOPT_SSRR;
742 if (!strncmp(p,"lsrr",strlen(p))) *d |= IP_FW_IPOPT_LSRR;
743 if (!strncmp(p,"rr",strlen(p))) *d |= IP_FW_IPOPT_RR;
744 if (!strncmp(p,"ts",strlen(p))) *d |= IP_FW_IPOPT_TS;
750 fill_icmptypes(types, vp, fw_flg)
759 unsigned long icmptype;
764 icmptype = strtoul(c, &c, 0);
766 if ( *c != ',' && *c != '\0' )
767 show_usage("invalid ICMP type");
769 if (icmptype >= IP_FW_ICMPTYPES_DIM * sizeof(unsigned) * 8)
770 show_usage("ICMP type out of range");
772 types[icmptype / (sizeof(unsigned) * 8)] |=
773 1 << (icmptype % (sizeof(unsigned) * 8));
774 *fw_flg |= IP_FW_F_ICMPBIT;
787 memset(&rule, 0, sizeof rule);
792 while (ac && isdigit(**av)) {
793 rule.fw_number = atoi(*av); av++; ac--;
794 i = setsockopt(s, IPPROTO_IP, IP_FW_DEL, &rule, sizeof rule);
796 exitval = EX_UNAVAILABLE;
797 warn("rule %u: setsockopt(%s)", rule.fw_number, "IP_FW_DEL");
800 if (exitval != EX_OK)
805 verify_interface(union ip_fw_if *ifu)
810 * If a unit was specified, check for that exact interface.
811 * If a wildcard was specified, check for unit 0.
813 snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d",
815 ifu->fu_via_if.unit == -1 ? 0 : ifu->fu_via_if.unit);
817 if (ioctl(s, SIOCGIFFLAGS, &ifr) < 0)
818 warnx("warning: interface ``%s'' does not exist", ifr.ifr_name);
822 fill_iface(char *which, union ip_fw_if *ifu, int *byname, int ac, char *arg)
825 show_usage("missing argument for ``%s''", which);
827 /* Parse the interface or address */
828 if (!strcmp(arg, "any")) {
829 ifu->fu_via_ip.s_addr = 0;
831 } else if (!isdigit(*arg)) {
835 strncpy(ifu->fu_via_if.name, arg, sizeof(ifu->fu_via_if.name));
836 ifu->fu_via_if.name[sizeof(ifu->fu_via_if.name) - 1] = '\0';
837 for (q = ifu->fu_via_if.name;
838 *q && !isdigit(*q) && *q != '*'; q++)
840 ifu->fu_via_if.unit = (*q == '*') ? -1 : atoi(q);
842 verify_interface(ifu);
843 } else if (!inet_aton(arg, &ifu->fu_via_ip)) {
844 show_usage("bad ip address ``%s''", arg);
858 int saw_xmrc = 0, saw_via = 0;
860 memset(&rule, 0, sizeof rule);
865 if (ac && isdigit(**av)) {
866 rule.fw_number = atoi(*av); av++; ac--;
871 show_usage("missing action");
872 if (!strncmp(*av,"accept",strlen(*av))
873 || !strncmp(*av,"pass",strlen(*av))
874 || !strncmp(*av,"allow",strlen(*av))
875 || !strncmp(*av,"permit",strlen(*av))) {
876 rule.fw_flg |= IP_FW_F_ACCEPT; av++; ac--;
877 } else if (!strncmp(*av,"count",strlen(*av))) {
878 rule.fw_flg |= IP_FW_F_COUNT; av++; ac--;
879 } else if (!strncmp(*av,"divert",strlen(*av))) {
880 rule.fw_flg |= IP_FW_F_DIVERT; av++; ac--;
882 show_usage("missing %s port", "divert");
883 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
884 if (rule.fw_divert_port == 0) {
887 s = getservbyname(av[-1], "divert");
889 rule.fw_divert_port = ntohs(s->s_port);
891 show_usage("illegal %s port", "divert");
893 } else if (!strncmp(*av,"tee",strlen(*av))) {
894 rule.fw_flg |= IP_FW_F_TEE; av++; ac--;
896 show_usage("missing %s port", "tee divert");
897 rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
898 if (rule.fw_divert_port == 0) {
901 s = getservbyname(av[-1], "divert");
903 rule.fw_divert_port = ntohs(s->s_port);
905 show_usage("illegal %s port", "tee divert");
907 #ifndef IPFW_TEE_IS_FINALLY_IMPLEMENTED
908 err(EX_USAGE, "the ``tee'' action is not implemented");
910 } else if (!strncmp(*av,"fwd",strlen(*av)) ||
911 !strncmp(*av,"forward",strlen(*av))) {
912 struct in_addr dummyip;
914 rule.fw_flg |= IP_FW_F_FWD; av++; ac--;
916 show_usage("missing forwarding IP address");
917 rule.fw_fwd_ip.sin_len = sizeof(struct sockaddr_in);
918 rule.fw_fwd_ip.sin_family = AF_INET;
919 rule.fw_fwd_ip.sin_port = 0;
920 pp = strchr(*av, ':');
922 pp = strchr(*av, ',');
926 rule.fw_fwd_ip.sin_port = lookup_port(pp, 1, 1);
927 if(rule.fw_fwd_ip.sin_port == (unsigned int)-1)
928 show_usage("illegal forwarding port");
930 fill_ip(&(rule.fw_fwd_ip.sin_addr), &dummyip, &ac, &av);
931 if (rule.fw_fwd_ip.sin_addr.s_addr == 0)
932 show_usage("illegal forwarding IP address");
934 } else if (!strncmp(*av,"skipto",strlen(*av))) {
935 rule.fw_flg |= IP_FW_F_SKIPTO; av++; ac--;
937 show_usage("missing skipto rule number");
938 rule.fw_skipto_rule = strtoul(*av, NULL, 0); av++; ac--;
939 } else if ((!strncmp(*av,"deny",strlen(*av))
940 || !strncmp(*av,"drop",strlen(*av)))) {
941 rule.fw_flg |= IP_FW_F_DENY; av++; ac--;
942 } else if (!strncmp(*av,"reject",strlen(*av))) {
943 rule.fw_flg |= IP_FW_F_REJECT; av++; ac--;
944 rule.fw_reject_code = ICMP_UNREACH_HOST;
945 } else if (!strncmp(*av,"reset",strlen(*av))) {
946 rule.fw_flg |= IP_FW_F_REJECT; av++; ac--;
947 rule.fw_reject_code = IP_FW_REJECT_RST; /* check TCP later */
948 } else if (!strncmp(*av,"unreach",strlen(*av))) {
949 rule.fw_flg |= IP_FW_F_REJECT; av++; ac--;
950 fill_reject_code(&rule.fw_reject_code, *av); av++; ac--;
952 show_usage("invalid action ``%s''", *av);
956 if (ac && !strncmp(*av,"log",strlen(*av))) {
957 rule.fw_flg |= IP_FW_F_PRN; av++; ac--;
962 show_usage("missing protocol");
963 if ((proto = atoi(*av)) > 0) {
964 rule.fw_prot = proto; av++; ac--;
965 } else if (!strncmp(*av,"all",strlen(*av))) {
966 rule.fw_prot = IPPROTO_IP; av++; ac--;
967 } else if ((pe = getprotobyname(*av)) != NULL) {
968 rule.fw_prot = pe->p_proto; av++; ac--;
970 show_usage("invalid protocol ``%s''", *av);
973 if (rule.fw_prot != IPPROTO_TCP
974 && (rule.fw_flg & IP_FW_F_COMMAND) == IP_FW_F_REJECT
975 && rule.fw_reject_code == IP_FW_REJECT_RST)
976 show_usage("``reset'' is only valid for tcp packets");
979 if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
981 show_usage("missing ``from''");
983 if (ac && !strncmp(*av,"not",strlen(*av))) {
984 rule.fw_flg |= IP_FW_F_INVSRC;
988 show_usage("missing arguments");
990 fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
992 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
995 if (fill_port(&nports, rule.fw_uar.fw_pts, 0, *av))
996 rule.fw_flg |= IP_FW_F_SRNG;
997 IP_FW_SETNSRCP(&rule, nports);
1002 if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; }
1004 show_usage("missing ``to''");
1006 if (ac && !strncmp(*av,"not",strlen(*av))) {
1007 rule.fw_flg |= IP_FW_F_INVDST;
1011 show_usage("missing arguments");
1013 fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
1015 if (ac && (isdigit(**av) || lookup_port(*av, 1, 1) >= 0)) {
1018 if (fill_port(&nports,
1019 rule.fw_uar.fw_pts, IP_FW_GETNSRCP(&rule), *av))
1020 rule.fw_flg |= IP_FW_F_DRNG;
1021 IP_FW_SETNDSTP(&rule, nports);
1025 if ((rule.fw_prot != IPPROTO_TCP) && (rule.fw_prot != IPPROTO_UDP)
1026 && (IP_FW_GETNSRCP(&rule) || IP_FW_GETNDSTP(&rule))) {
1027 show_usage("only TCP and UDP protocols are valid"
1028 " with port specifications");
1032 if (!strncmp(*av,"in",strlen(*av))) {
1033 rule.fw_flg |= IP_FW_F_IN;
1034 av++; ac--; continue;
1036 if (!strncmp(*av,"out",strlen(*av))) {
1037 rule.fw_flg |= IP_FW_F_OUT;
1038 av++; ac--; continue;
1040 if (ac && !strncmp(*av,"xmit",strlen(*av))) {
1046 show_usage("``via'' is incompatible"
1047 " with ``xmit'' and ``recv''");
1051 fill_iface("xmit", &ifu, &byname, ac, *av);
1052 rule.fw_out_if = ifu;
1053 rule.fw_flg |= IP_FW_F_OIFACE;
1055 rule.fw_flg |= IP_FW_F_OIFNAME;
1056 av++; ac--; continue;
1058 if (ac && !strncmp(*av,"recv",strlen(*av))) {
1066 fill_iface("recv", &ifu, &byname, ac, *av);
1067 rule.fw_in_if = ifu;
1068 rule.fw_flg |= IP_FW_F_IIFACE;
1070 rule.fw_flg |= IP_FW_F_IIFNAME;
1071 av++; ac--; continue;
1073 if (ac && !strncmp(*av,"via",strlen(*av))) {
1081 fill_iface("via", &ifu, &byname, ac, *av);
1082 rule.fw_out_if = rule.fw_in_if = ifu;
1085 (IP_FW_F_IIFNAME | IP_FW_F_OIFNAME);
1086 av++; ac--; continue;
1088 if (!strncmp(*av,"fragment",strlen(*av))) {
1089 rule.fw_flg |= IP_FW_F_FRAG;
1090 av++; ac--; continue;
1092 if (!strncmp(*av,"ipoptions",strlen(*av))) {
1095 show_usage("missing argument"
1096 " for ``ipoptions''");
1097 fill_ipopt(&rule.fw_ipopt, &rule.fw_ipnopt, av);
1098 av++; ac--; continue;
1100 if (rule.fw_prot == IPPROTO_TCP) {
1101 if (!strncmp(*av,"established",strlen(*av))) {
1102 rule.fw_tcpf |= IP_FW_TCPF_ESTAB;
1103 av++; ac--; continue;
1105 if (!strncmp(*av,"setup",strlen(*av))) {
1106 rule.fw_tcpf |= IP_FW_TCPF_SYN;
1107 rule.fw_tcpnf |= IP_FW_TCPF_ACK;
1108 av++; ac--; continue;
1110 if (!strncmp(*av,"tcpflags",strlen(*av))) {
1113 show_usage("missing argument"
1114 " for ``tcpflags''");
1115 fill_tcpflag(&rule.fw_tcpf, &rule.fw_tcpnf, av);
1116 av++; ac--; continue;
1119 if (rule.fw_prot == IPPROTO_ICMP) {
1120 if (!strncmp(*av,"icmptypes",strlen(*av))) {
1123 show_usage("missing argument"
1124 " for ``icmptypes''");
1125 fill_icmptypes(rule.fw_uar.fw_icmptypes,
1127 av++; ac--; continue;
1130 show_usage("unknown argument ``%s''", *av);
1133 /* No direction specified -> do both directions */
1134 if (!(rule.fw_flg & (IP_FW_F_OUT|IP_FW_F_IN)))
1135 rule.fw_flg |= (IP_FW_F_OUT|IP_FW_F_IN);
1137 /* Sanity check interface check, but handle "via" case separately */
1139 if (rule.fw_flg & IP_FW_F_IN)
1140 rule.fw_flg |= IP_FW_F_IIFACE;
1141 if (rule.fw_flg & IP_FW_F_OUT)
1142 rule.fw_flg |= IP_FW_F_OIFACE;
1143 } else if ((rule.fw_flg & IP_FW_F_OIFACE) && (rule.fw_flg & IP_FW_F_IN))
1144 show_usage("can't check xmit interface of incoming packets");
1146 /* frag may not be used in conjunction with ports or TCP flags */
1147 if (rule.fw_flg & IP_FW_F_FRAG) {
1148 if (rule.fw_tcpf || rule.fw_tcpnf)
1149 show_usage("can't mix 'frag' and tcpflags");
1152 show_usage("can't mix 'frag' and port specifications");
1156 show_ipfw(&rule, 10, 10);
1157 i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
1159 err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_ADD");
1170 /* clear all entries */
1171 if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0)
1172 err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_ZERO");
1174 printf("Accounting cleared.\n");
1179 memset(&rule, 0, sizeof rule);
1182 if (isdigit(**av)) {
1183 rule.fw_number = atoi(*av); av++; ac--;
1184 if (setsockopt(s, IPPROTO_IP,
1185 IP_FW_ZERO, &rule, sizeof rule)) {
1186 warn("rule %u: setsockopt(%s)", rule.fw_number,
1188 failed = EX_UNAVAILABLE;
1191 printf("Entry %d cleared\n",
1194 show_usage("invalid rule number ``%s''", *av);
1196 if (failed != EX_OK)
1208 extern int optreset; /* XXX should be declared in <unistd.h> */
1214 /* Set the force flag for non-interactive processes */
1215 do_force = !isatty(STDIN_FILENO);
1217 optind = optreset = 1;
1218 while ((ch = getopt(ac, av, "afqtN")) != -1)
1240 if (*(av+=optind)==NULL) {
1241 show_usage("Bad arguments");
1244 if (!strncmp(*av, "add", strlen(*av))) {
1246 } else if (!strncmp(*av, "delete", strlen(*av))) {
1248 } else if (!strncmp(*av, "flush", strlen(*av))) {
1251 if ( do_force || do_quiet )
1257 printf("Are you sure? [yn] ");
1260 c = toupper(getc(stdin));
1261 while (c != '\n' && getc(stdin) != '\n')
1264 } while (c != 'Y' && c != 'N');
1270 if (setsockopt(s,IPPROTO_IP,IP_FW_FLUSH,NULL,0) < 0)
1271 err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_FLUSH");
1273 printf("Flushed all rules.\n");
1275 } else if (!strncmp(*av, "zero", strlen(*av))) {
1277 } else if (!strncmp(*av, "print", strlen(*av))) {
1279 } else if (!strncmp(*av, "list", strlen(*av))) {
1281 } else if (!strncmp(*av, "show", strlen(*av))) {
1285 show_usage("Bad arguments");
1296 #define WHITESP " \t\f\v\n\r"
1298 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1300 int i, c, qflag, pflag, status;
1304 s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
1306 err(EX_UNAVAILABLE, "socket");
1310 if (ac > 1 && access(av[ac - 1], R_OK) == 0) {
1311 qflag = pflag = i = 0;
1314 while ((c = getopt(ac, av, "D:U:p:q")) != -1)
1318 errx(EX_USAGE, "-D requires -p");
1319 if (i > MAX_ARGS - 2)
1321 "too many -D or -U options");
1328 errx(EX_USAGE, "-U requires -p");
1329 if (i > MAX_ARGS - 2)
1331 "too many -D or -U options");
1354 show_usage("extraneous filename arguments");
1356 if ((f = fopen(av[0], "r")) == NULL)
1357 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1360 /* pipe through preprocessor (cpp or m4) */
1365 if (pipe(pipedes) == -1)
1366 err(EX_OSERR, "cannot create pipe");
1368 switch((preproc = fork())) {
1370 err(EX_OSERR, "cannot fork");
1374 if (dup2(fileno(f), 0) == -1 ||
1375 dup2(pipedes[1], 1) == -1)
1376 err(EX_OSERR, "dup2()");
1381 err(EX_OSERR, "execvp(%s) failed", cmd);
1387 if ((f = fdopen(pipedes[0], "r")) == NULL) {
1388 int savederrno = errno;
1390 (void)kill(preproc, SIGTERM);
1392 err(EX_OSERR, "fdopen()");
1397 while (fgets(buf, BUFSIZ, f)) {
1399 sprintf(linename, "Line %d", lineno);
1404 if ((p = strchr(buf, '#')) != NULL)
1407 if (qflag) args[i++]="-q";
1408 for (a = strtok(buf, WHITESP);
1409 a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
1411 if (i == (qflag? 2: 1))
1414 errx(EX_USAGE, "%s: too many arguments", linename);
1421 if (waitpid(preproc, &status, 0) != -1) {
1422 if (WIFEXITED(status)) {
1423 if (WEXITSTATUS(status) != EX_OK)
1424 errx(EX_UNAVAILABLE,
1425 "preprocessor exited with status %d",
1426 WEXITSTATUS(status));
1427 } else if (WIFSIGNALED(status)) {
1428 errx(EX_UNAVAILABLE,
1429 "preprocessor exited with signal %d",