2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
16 * This software is provided ``AS IS'' without any warranties of any kind.
18 * NEW command line interface for IP firewall facility
23 #include <sys/param.h>
25 #include <sys/socket.h>
26 #include <sys/sockio.h>
27 #include <sys/sysctl.h>
30 #include <sys/queue.h>
44 #include <timeconv.h> /* XXX do we need this ? */
51 #include <net/pfvar.h>
52 #include <net/route.h> /* def. of struct route */
53 #include <netinet/in.h>
54 #include <netinet/in_systm.h>
55 #include <netinet/ip.h>
56 #include <netinet/ip_icmp.h>
57 #include <netinet/icmp6.h>
58 #include <netinet/ip_fw.h>
59 #include <netinet/ip_dummynet.h>
60 #include <netinet/tcp.h>
61 #include <arpa/inet.h>
64 do_resolv, /* Would try to resolve all */
65 do_time, /* Show time stamps */
66 do_quiet, /* Be quiet in add and flush */
67 do_pipe, /* this cmd refers to a pipe */
68 do_sort, /* field to sort results (0 = no) */
69 do_dynamic, /* display dynamic rules */
70 do_expired, /* display expired dynamic rules */
71 do_compact, /* show rules in compact mode */
72 do_force, /* do not ask for confirmation */
73 show_sets, /* display rule sets */
74 test_only, /* only check syntax */
75 comment_only, /* only print action and comment */
78 #define IP_MASK_ALL 0xffffffff
80 * the following macro returns an error message if we run out of
83 #define NEED1(msg) {if (!ac) errx(EX_USAGE, msg);}
85 #define GET_UINT_ARG(arg, min, max, tok, s_x) do { \
87 errx(EX_USAGE, "%s: missing argument", match_value(s_x, tok)); \
88 if (_substrcmp(*av, "tablearg") == 0) { \
89 arg = IP_FW_TABLEARG; \
97 val = strtol(*av, &end, 10); \
99 if (!isdigit(**av) || *end != '\0' || (val == 0 && errno == EINVAL)) \
100 errx(EX_DATAERR, "%s: invalid argument: %s", \
101 match_value(s_x, tok), *av); \
103 if (errno == ERANGE || val < min || val > max) \
104 errx(EX_DATAERR, "%s: argument is out of range (%u..%u): %s", \
105 match_value(s_x, tok), min, max, *av); \
107 if (val == IP_FW_TABLEARG) \
108 errx(EX_DATAERR, "%s: illegal argument value: %s", \
109 match_value(s_x, tok), *av); \
114 #define PRINT_UINT_ARG(str, arg) do { \
117 if (arg == IP_FW_TABLEARG) \
118 printf("tablearg"); \
120 printf("%u", (uint32_t)arg); \
124 * _s_x is a structure that stores a string <-> token pairs, used in
125 * various places in the parser. Entries are stored in arrays,
126 * with an entry with s=NULL as terminator.
127 * The search routines are match_token() and match_value().
128 * Often, an element with x=0 contains an error string.
136 static struct _s_x f_tcpflags[] = {
147 static struct _s_x f_tcpopts[] = {
148 { "mss", IP_FW_TCPOPT_MSS },
149 { "maxseg", IP_FW_TCPOPT_MSS },
150 { "window", IP_FW_TCPOPT_WINDOW },
151 { "sack", IP_FW_TCPOPT_SACK },
152 { "ts", IP_FW_TCPOPT_TS },
153 { "timestamp", IP_FW_TCPOPT_TS },
154 { "cc", IP_FW_TCPOPT_CC },
160 * IP options span the range 0 to 255 so we need to remap them
161 * (though in fact only the low 5 bits are significant).
163 static struct _s_x f_ipopts[] = {
164 { "ssrr", IP_FW_IPOPT_SSRR},
165 { "lsrr", IP_FW_IPOPT_LSRR},
166 { "rr", IP_FW_IPOPT_RR},
167 { "ts", IP_FW_IPOPT_TS},
172 static struct _s_x f_iptos[] = {
173 { "lowdelay", IPTOS_LOWDELAY},
174 { "throughput", IPTOS_THROUGHPUT},
175 { "reliability", IPTOS_RELIABILITY},
176 { "mincost", IPTOS_MINCOST},
177 { "congestion", IPTOS_CE},
178 { "ecntransport", IPTOS_ECT},
179 { "ip tos option", 0},
183 static struct _s_x limit_masks[] = {
184 {"all", DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
185 {"src-addr", DYN_SRC_ADDR},
186 {"src-port", DYN_SRC_PORT},
187 {"dst-addr", DYN_DST_ADDR},
188 {"dst-port", DYN_DST_PORT},
193 * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines
194 * This is only used in this code.
196 #define IPPROTO_ETHERTYPE 0x1000
197 static struct _s_x ether_types[] = {
199 * Note, we cannot use "-:&/" in the names because they are field
200 * separators in the type specifications. Also, we use s = NULL as
201 * end-delimiter, because a type of 0 can be legal.
214 { "pppoe_disc", 0x8863 },
215 { "pppoe_sess", 0x8864 },
216 { "ipx_8022", 0x00E0 },
217 { "ipx_8023", 0x0000 },
218 { "ipx_ii", 0x8137 },
219 { "ipx_snap", 0x8137 },
225 static void show_usage(void);
266 TOK_DIVERTEDLOOPBACK,
325 struct _s_x dummynet_params[] = {
327 { "noerror", TOK_NOERROR },
328 { "buckets", TOK_BUCKETS },
329 { "dst-ip", TOK_DSTIP },
330 { "src-ip", TOK_SRCIP },
331 { "dst-port", TOK_DSTPORT },
332 { "src-port", TOK_SRCPORT },
333 { "proto", TOK_PROTO },
334 { "weight", TOK_WEIGHT },
336 { "mask", TOK_MASK },
337 { "droptail", TOK_DROPTAIL },
339 { "gred", TOK_GRED },
341 { "bandwidth", TOK_BW },
342 { "delay", TOK_DELAY },
343 { "pipe", TOK_PIPE },
344 { "queue", TOK_QUEUE },
345 { "flow-id", TOK_FLOWID},
346 { "dst-ipv6", TOK_DSTIP6},
347 { "dst-ip6", TOK_DSTIP6},
348 { "src-ipv6", TOK_SRCIP6},
349 { "src-ip6", TOK_SRCIP6},
350 { "dummynet-params", TOK_NULL },
351 { NULL, 0 } /* terminator */
354 struct _s_x rule_actions[] = {
355 { "accept", TOK_ACCEPT },
356 { "pass", TOK_ACCEPT },
357 { "allow", TOK_ACCEPT },
358 { "permit", TOK_ACCEPT },
359 { "count", TOK_COUNT },
360 { "pipe", TOK_PIPE },
361 { "queue", TOK_QUEUE },
362 { "divert", TOK_DIVERT },
364 { "netgraph", TOK_NETGRAPH },
365 { "ngtee", TOK_NGTEE },
366 { "fwd", TOK_FORWARD },
367 { "forward", TOK_FORWARD },
368 { "skipto", TOK_SKIPTO },
369 { "deny", TOK_DENY },
370 { "drop", TOK_DENY },
371 { "reject", TOK_REJECT },
372 { "reset6", TOK_RESET6 },
373 { "reset", TOK_RESET },
374 { "unreach6", TOK_UNREACH6 },
375 { "unreach", TOK_UNREACH },
376 { "check-state", TOK_CHECKSTATE },
377 { "//", TOK_COMMENT },
378 { NULL, 0 } /* terminator */
381 struct _s_x rule_action_params[] = {
382 { "altq", TOK_ALTQ },
385 { "untag", TOK_UNTAG },
386 { NULL, 0 } /* terminator */
389 struct _s_x rule_options[] = {
390 { "tagged", TOK_TAGGED },
393 { "jail", TOK_JAIL },
395 { "limit", TOK_LIMIT },
396 { "keep-state", TOK_KEEPSTATE },
397 { "bridged", TOK_LAYER2 },
398 { "layer2", TOK_LAYER2 },
400 { "diverted", TOK_DIVERTED },
401 { "diverted-loopback", TOK_DIVERTEDLOOPBACK },
402 { "diverted-output", TOK_DIVERTEDOUTPUT },
403 { "xmit", TOK_XMIT },
404 { "recv", TOK_RECV },
406 { "fragment", TOK_FRAG },
407 { "frag", TOK_FRAG },
408 { "ipoptions", TOK_IPOPTS },
409 { "ipopts", TOK_IPOPTS },
410 { "iplen", TOK_IPLEN },
411 { "ipid", TOK_IPID },
412 { "ipprecedence", TOK_IPPRECEDENCE },
413 { "iptos", TOK_IPTOS },
414 { "ipttl", TOK_IPTTL },
415 { "ipversion", TOK_IPVER },
416 { "ipver", TOK_IPVER },
417 { "estab", TOK_ESTAB },
418 { "established", TOK_ESTAB },
419 { "setup", TOK_SETUP },
420 { "tcpdatalen", TOK_TCPDATALEN },
421 { "tcpflags", TOK_TCPFLAGS },
422 { "tcpflgs", TOK_TCPFLAGS },
423 { "tcpoptions", TOK_TCPOPTS },
424 { "tcpopts", TOK_TCPOPTS },
425 { "tcpseq", TOK_TCPSEQ },
426 { "tcpack", TOK_TCPACK },
427 { "tcpwin", TOK_TCPWIN },
428 { "icmptype", TOK_ICMPTYPES },
429 { "icmptypes", TOK_ICMPTYPES },
430 { "dst-ip", TOK_DSTIP },
431 { "src-ip", TOK_SRCIP },
432 { "dst-port", TOK_DSTPORT },
433 { "src-port", TOK_SRCPORT },
434 { "proto", TOK_PROTO },
437 { "mac-type", TOK_MACTYPE },
438 { "verrevpath", TOK_VERREVPATH },
439 { "versrcreach", TOK_VERSRCREACH },
440 { "antispoof", TOK_ANTISPOOF },
441 { "ipsec", TOK_IPSEC },
442 { "icmp6type", TOK_ICMP6TYPES },
443 { "icmp6types", TOK_ICMP6TYPES },
444 { "ext6hdr", TOK_EXT6HDR},
445 { "flow-id", TOK_FLOWID},
450 { "dst-ipv6", TOK_DSTIP6},
451 { "dst-ip6", TOK_DSTIP6},
452 { "src-ipv6", TOK_SRCIP6},
453 { "src-ip6", TOK_SRCIP6},
454 { "//", TOK_COMMENT },
456 { "not", TOK_NOT }, /* pseudo option */
457 { "!", /* escape ? */ TOK_NOT }, /* pseudo option */
458 { "or", TOK_OR }, /* pseudo option */
459 { "|", /* escape */ TOK_OR }, /* pseudo option */
460 { "{", TOK_STARTBRACE }, /* pseudo option */
461 { "(", TOK_STARTBRACE }, /* pseudo option */
462 { "}", TOK_ENDBRACE }, /* pseudo option */
463 { ")", TOK_ENDBRACE }, /* pseudo option */
464 { NULL, 0 } /* terminator */
467 #define TABLEARG "tablearg"
469 static __inline uint64_t
470 align_uint64(uint64_t *pll) {
473 bcopy (pll, &ret, sizeof(ret));
478 * conditionally runs the command.
481 do_cmd(int optname, void *optval, uintptr_t optlen)
483 static int s = -1; /* the socket */
490 s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
492 err(EX_UNAVAILABLE, "socket");
494 if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET ||
495 optname == IP_FW_ADD || optname == IP_FW_TABLE_LIST ||
496 optname == IP_FW_TABLE_GETSIZE)
497 i = getsockopt(s, IPPROTO_IP, optname, optval,
498 (socklen_t *)optlen);
500 i = setsockopt(s, IPPROTO_IP, optname, optval, optlen);
505 * match_token takes a table and a string, returns the value associated
506 * with the string (-1 in case of failure).
509 match_token(struct _s_x *table, char *string)
512 uint i = strlen(string);
514 for (pt = table ; i && pt->s != NULL ; pt++)
515 if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
521 * match_value takes a table and a value, returns the string associated
522 * with the value (NULL in case of failure).
525 match_value(struct _s_x *p, int value)
527 for (; p->s != NULL; p++)
534 * _substrcmp takes two strings and returns 1 if they do not match,
535 * and 0 if they match exactly or the first string is a sub-string
536 * of the second. A warning is printed to stderr in the case that the
537 * first string is a sub-string of the second.
539 * This function will be removed in the future through the usual
540 * deprecation process.
543 _substrcmp(const char *str1, const char* str2)
546 if (strncmp(str1, str2, strlen(str1)) != 0)
549 if (strlen(str1) != strlen(str2))
550 warnx("DEPRECATED: '%s' matched '%s' as a sub-string",
556 * _substrcmp2 takes three strings and returns 1 if the first two do not match,
557 * and 0 if they match exactly or the second string is a sub-string
558 * of the first. A warning is printed to stderr in the case that the
559 * first string does not match the third.
561 * This function exists to warn about the bizzare construction
562 * strncmp(str, "by", 2) which is used to allow people to use a shotcut
563 * for "bytes". The problem is that in addition to accepting "by",
564 * "byt", "byte", and "bytes", it also excepts "by_rabid_dogs" and any
565 * other string beginning with "by".
567 * This function will be removed in the future through the usual
568 * deprecation process.
571 _substrcmp2(const char *str1, const char* str2, const char* str3)
574 if (strncmp(str1, str2, strlen(str2)) != 0)
577 if (strcmp(str1, str3) != 0)
578 warnx("DEPRECATED: '%s' matched '%s'",
584 * prints one port, symbolic or numeric
587 print_port(int proto, uint16_t port)
590 if (proto == IPPROTO_ETHERTYPE) {
593 if (do_resolv && (s = match_value(ether_types, port)) )
596 printf("0x%04x", port);
598 struct servent *se = NULL;
600 struct protoent *pe = getprotobynumber(proto);
602 se = getservbyport(htons(port), pe ? pe->p_name : NULL);
605 printf("%s", se->s_name);
611 struct _s_x _port_name[] = {
612 {"dst-port", O_IP_DSTPORT},
613 {"src-port", O_IP_SRCPORT},
617 {"mac-type", O_MAC_TYPE},
618 {"tcpdatalen", O_TCPDATALEN},
619 {"tagged", O_TAGGED},
624 * Print the values in a list 16-bit items of the types above.
625 * XXX todo: add support for mask.
628 print_newports(ipfw_insn_u16 *cmd, int proto, int opcode)
630 uint16_t *p = cmd->ports;
634 if (cmd->o.len & F_NOT)
637 sep = match_value(_port_name, opcode);
643 for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
645 print_port(proto, p[0]);
648 print_port(proto, p[1]);
655 * Like strtol, but also translates service names into port numbers
656 * for some protocols.
658 * proto == -1 disables the protocol check;
659 * proto == IPPROTO_ETHERTYPE looks up an internal table
660 * proto == <some value in /etc/protocols> matches the values there.
661 * Returns *end == s in case the parameter is not found.
664 strtoport(char *s, char **end, int base, int proto)
670 *end = s; /* default - not found */
672 return 0; /* not found */
675 return strtol(s, end, base);
678 * find separator. '\\' escapes the next char.
680 for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
681 if (*s1 == '\\' && s1[1] != '\0')
684 buf = malloc(s1 - s + 1);
689 * copy into a buffer skipping backslashes
691 for (p = s, i = 0; p != s1 ; p++)
696 if (proto == IPPROTO_ETHERTYPE) {
697 i = match_token(ether_types, buf);
699 if (i != -1) { /* found */
704 struct protoent *pe = NULL;
708 pe = getprotobynumber(proto);
710 se = getservbyname(buf, pe ? pe->p_name : NULL);
714 return ntohs(se->s_port);
717 return 0; /* not found */
721 * Map between current altq queue id numbers and names.
723 static int altq_fetched = 0;
724 static TAILQ_HEAD(, pf_altq) altq_entries =
725 TAILQ_HEAD_INITIALIZER(altq_entries);
728 altq_set_enabled(int enabled)
732 pffd = open("/dev/pf", O_RDWR);
735 "altq support opening pf(4) control device");
737 if (ioctl(pffd, DIOCSTARTALTQ) != 0 && errno != EEXIST)
738 err(EX_UNAVAILABLE, "enabling altq");
740 if (ioctl(pffd, DIOCSTOPALTQ) != 0 && errno != ENOENT)
741 err(EX_UNAVAILABLE, "disabling altq");
749 struct pfioc_altq pfioc;
750 struct pf_altq *altq;
756 pffd = open("/dev/pf", O_RDONLY);
758 warn("altq support opening pf(4) control device");
761 bzero(&pfioc, sizeof(pfioc));
762 if (ioctl(pffd, DIOCGETALTQS, &pfioc) != 0) {
763 warn("altq support getting queue list");
768 for (pfioc.nr = 0; pfioc.nr < mnr; pfioc.nr++) {
769 if (ioctl(pffd, DIOCGETALTQ, &pfioc) != 0) {
772 warn("altq support getting queue list");
776 if (pfioc.altq.qid == 0)
778 altq = malloc(sizeof(*altq));
780 err(EX_OSERR, "malloc");
782 TAILQ_INSERT_TAIL(&altq_entries, altq, entries);
788 altq_name_to_qid(const char *name)
790 struct pf_altq *altq;
793 TAILQ_FOREACH(altq, &altq_entries, entries)
794 if (strcmp(name, altq->qname) == 0)
797 errx(EX_DATAERR, "altq has no queue named `%s'", name);
802 altq_qid_to_name(u_int32_t qid)
804 struct pf_altq *altq;
807 TAILQ_FOREACH(altq, &altq_entries, entries)
808 if (qid == altq->qid)
816 fill_altq_qid(u_int32_t *qid, const char *av)
818 *qid = altq_name_to_qid(av);
822 * Fill the body of the command with the list of port ranges.
825 fill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
827 uint16_t a, b, *p = cmd->ports;
832 a = strtoport(av, &s, 0, proto);
833 if (s == av) /* empty or invalid argument */
837 case '-': /* a range */
839 b = strtoport(av, &s, 0, proto);
840 /* Reject expressions like '1-abc' or '1-2-3'. */
841 if (s == av || (*s != ',' && *s != '\0'))
846 case ',': /* comma separated list */
851 warnx("port list: invalid separator <%c> in <%s>",
861 if (i + 1 > F_LEN_MASK)
862 errx(EX_DATAERR, "too many ports/ranges\n");
863 cmd->o.len |= i + 1; /* leave F_NOT and F_OR untouched */
868 static struct _s_x icmpcodes[] = {
869 { "net", ICMP_UNREACH_NET },
870 { "host", ICMP_UNREACH_HOST },
871 { "protocol", ICMP_UNREACH_PROTOCOL },
872 { "port", ICMP_UNREACH_PORT },
873 { "needfrag", ICMP_UNREACH_NEEDFRAG },
874 { "srcfail", ICMP_UNREACH_SRCFAIL },
875 { "net-unknown", ICMP_UNREACH_NET_UNKNOWN },
876 { "host-unknown", ICMP_UNREACH_HOST_UNKNOWN },
877 { "isolated", ICMP_UNREACH_ISOLATED },
878 { "net-prohib", ICMP_UNREACH_NET_PROHIB },
879 { "host-prohib", ICMP_UNREACH_HOST_PROHIB },
880 { "tosnet", ICMP_UNREACH_TOSNET },
881 { "toshost", ICMP_UNREACH_TOSHOST },
882 { "filter-prohib", ICMP_UNREACH_FILTER_PROHIB },
883 { "host-precedence", ICMP_UNREACH_HOST_PRECEDENCE },
884 { "precedence-cutoff", ICMP_UNREACH_PRECEDENCE_CUTOFF },
889 fill_reject_code(u_short *codep, char *str)
894 val = strtoul(str, &s, 0);
895 if (s == str || *s != '\0' || val >= 0x100)
896 val = match_token(icmpcodes, str);
898 errx(EX_DATAERR, "unknown ICMP unreachable code ``%s''", str);
904 print_reject_code(uint16_t code)
906 char const *s = match_value(icmpcodes, code);
909 printf("unreach %s", s);
911 printf("unreach %u", code);
914 static struct _s_x icmp6codes[] = {
915 { "no-route", ICMP6_DST_UNREACH_NOROUTE },
916 { "admin-prohib", ICMP6_DST_UNREACH_ADMIN },
917 { "address", ICMP6_DST_UNREACH_ADDR },
918 { "port", ICMP6_DST_UNREACH_NOPORT },
923 fill_unreach6_code(u_short *codep, char *str)
928 val = strtoul(str, &s, 0);
929 if (s == str || *s != '\0' || val >= 0x100)
930 val = match_token(icmp6codes, str);
932 errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
938 print_unreach6_code(uint16_t code)
940 char const *s = match_value(icmp6codes, code);
943 printf("unreach6 %s", s);
945 printf("unreach6 %u", code);
949 * Returns the number of bits set (from left) in a contiguous bitmask,
950 * or -1 if the mask is not contiguous.
951 * XXX this needs a proper fix.
952 * This effectively works on masks in big-endian (network) format.
953 * when compiled on little endian architectures.
955 * First bit is bit 7 of the first byte -- note, for MAC addresses,
956 * the first bit on the wire is bit 0 of the first byte.
957 * len is the max length in bits.
960 contigmask(uint8_t *p, int len)
964 for (i=0; i<len ; i++)
965 if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
967 for (n=i+1; n < len; n++)
968 if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
969 return -1; /* mask not contiguous */
974 * print flags set/clear in the two bitmasks passed as parameters.
975 * There is a specialized check for f_tcpflags.
978 print_flags(char const *name, ipfw_insn *cmd, struct _s_x *list)
980 char const *comma = "";
982 uint8_t set = cmd->arg1 & 0xff;
983 uint8_t clear = (cmd->arg1 >> 8) & 0xff;
985 if (list == f_tcpflags && set == TH_SYN && clear == TH_ACK) {
990 printf(" %s ", name);
991 for (i=0; list[i].x != 0; i++) {
992 if (set & list[i].x) {
994 printf("%s%s", comma, list[i].s);
997 if (clear & list[i].x) {
999 printf("%s!%s", comma, list[i].s);
1006 * Print the ip address contained in a command.
1009 print_ip(ipfw_insn_ip *cmd, char const *s)
1011 struct hostent *he = NULL;
1012 int len = F_LEN((ipfw_insn *)cmd);
1013 uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
1015 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
1017 if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
1021 if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
1022 cmd->o.opcode == O_IP_DST_LOOKUP) {
1023 printf("table(%u", ((ipfw_insn *)cmd)->arg1);
1024 if (len == F_INSN_SIZE(ipfw_insn_u32))
1029 if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
1030 uint32_t x, *map = (uint32_t *)&(cmd->mask);
1034 x = cmd->o.arg1 - 1;
1036 cmd->addr.s_addr = htonl(cmd->addr.s_addr);
1037 printf("%s/%d", inet_ntoa(cmd->addr),
1038 contigmask((uint8_t *)&x, 32));
1039 x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
1040 x &= 0xff; /* base */
1042 * Print bits and ranges.
1043 * Locate first bit set (i), then locate first bit unset (j).
1044 * If we have 3+ consecutive bits set, then print them as a
1045 * range, otherwise only print the initial bit and rescan.
1047 for (i=0; i < cmd->o.arg1; i++)
1048 if (map[i/32] & (1<<(i & 31))) {
1049 for (j=i+1; j < cmd->o.arg1; j++)
1050 if (!(map[ j/32] & (1<<(j & 31))))
1052 printf("%c%d", comma, i+x);
1053 if (j>i+2) { /* range has at least 3 elements */
1054 printf("-%d", j-1+x);
1063 * len == 2 indicates a single IP, whereas lists of 1 or more
1064 * addr/mask pairs have len = (2n+1). We convert len to n so we
1065 * use that to count the number of entries.
1067 for (len = len / 2; len > 0; len--, a += 2) {
1068 int mb = /* mask length */
1069 (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
1070 32 : contigmask((uint8_t *)&(a[1]), 32);
1071 if (mb == 32 && do_resolv)
1072 he = gethostbyaddr((char *)&(a[0]), sizeof(u_long), AF_INET);
1073 if (he != NULL) /* resolved to name */
1074 printf("%s", he->h_name);
1075 else if (mb == 0) /* any */
1077 else { /* numeric IP followed by some kind of mask */
1078 printf("%s", inet_ntoa( *((struct in_addr *)&a[0]) ) );
1080 printf(":%s", inet_ntoa( *((struct in_addr *)&a[1]) ) );
1090 * prints a MAC address/mask pair
1093 print_mac(uint8_t *addr, uint8_t *mask)
1095 int l = contigmask(mask, 48);
1100 printf(" %02x:%02x:%02x:%02x:%02x:%02x",
1101 addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
1103 printf("&%02x:%02x:%02x:%02x:%02x:%02x",
1104 mask[0], mask[1], mask[2],
1105 mask[3], mask[4], mask[5]);
1112 fill_icmptypes(ipfw_insn_u32 *cmd, char *av)
1121 type = strtoul(av, &av, 0);
1123 if (*av != ',' && *av != '\0')
1124 errx(EX_DATAERR, "invalid ICMP type");
1127 errx(EX_DATAERR, "ICMP type out of range");
1129 cmd->d[0] |= 1 << type;
1131 cmd->o.opcode = O_ICMPTYPE;
1132 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
1136 print_icmptypes(ipfw_insn_u32 *cmd)
1141 printf(" icmptypes");
1142 for (i = 0; i < 32; i++) {
1143 if ( (cmd->d[0] & (1 << (i))) == 0)
1145 printf("%c%d", sep, i);
1151 * Print the ip address contained in a command.
1154 print_ip6(ipfw_insn_ip6 *cmd, char const *s)
1156 struct hostent *he = NULL;
1157 int len = F_LEN((ipfw_insn *) cmd) - 1;
1158 struct in6_addr *a = &(cmd->addr6);
1161 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
1163 if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
1167 if (cmd->o.opcode == O_IP6) {
1173 * len == 4 indicates a single IP, whereas lists of 1 or more
1174 * addr/mask pairs have len = (2n+1). We convert len to n so we
1175 * use that to count the number of entries.
1178 for (len = len / 4; len > 0; len -= 2, a += 2) {
1179 int mb = /* mask length */
1180 (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ?
1181 128 : contigmask((uint8_t *)&(a[1]), 128);
1183 if (mb == 128 && do_resolv)
1184 he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
1185 if (he != NULL) /* resolved to name */
1186 printf("%s", he->h_name);
1187 else if (mb == 0) /* any */
1189 else { /* numeric IP followed by some kind of mask */
1190 if (inet_ntop(AF_INET6, a, trad, sizeof( trad ) ) == NULL)
1191 printf("Error ntop in print_ip6\n");
1192 printf("%s", trad );
1193 if (mb < 0) /* XXX not really legal... */
1195 inet_ntop(AF_INET6, &a[1], trad, sizeof(trad)));
1205 fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av)
1213 type = strtoul(av, &av, 0);
1214 if (*av != ',' && *av != '\0')
1215 errx(EX_DATAERR, "invalid ICMP6 type");
1217 * XXX: shouldn't this be 0xFF? I can't see any reason why
1218 * we shouldn't be able to filter all possiable values
1219 * regardless of the ability of the rest of the kernel to do
1220 * anything useful with them.
1222 if (type > ICMP6_MAXTYPE)
1223 errx(EX_DATAERR, "ICMP6 type out of range");
1224 cmd->d[type / 32] |= ( 1 << (type % 32));
1226 cmd->o.opcode = O_ICMP6TYPE;
1227 cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
1232 print_icmp6types(ipfw_insn_u32 *cmd)
1237 printf(" ip6 icmp6types");
1238 for (i = 0; i < 7; i++)
1239 for (j=0; j < 32; ++j) {
1240 if ( (cmd->d[i] & (1 << (j))) == 0)
1242 printf("%c%d", sep, (i*32 + j));
1248 print_flow6id( ipfw_insn_u32 *cmd)
1250 uint16_t i, limit = cmd->o.arg1;
1253 printf(" flow-id ");
1254 for( i=0; i < limit; ++i) {
1257 printf("%d%c", cmd->d[i], sep);
1261 /* structure and define for the extension header in ipv6 */
1262 static struct _s_x ext6hdrcodes[] = {
1263 { "frag", EXT_FRAGMENT },
1264 { "hopopt", EXT_HOPOPTS },
1265 { "route", EXT_ROUTING },
1266 { "dstopt", EXT_DSTOPTS },
1272 /* fills command for the extension header filtering */
1274 fill_ext6hdr( ipfw_insn *cmd, char *av)
1282 av = strsep( &s, ",") ;
1283 tok = match_token(ext6hdrcodes, av);
1286 cmd->arg1 |= EXT_FRAGMENT;
1290 cmd->arg1 |= EXT_HOPOPTS;
1294 cmd->arg1 |= EXT_ROUTING;
1298 cmd->arg1 |= EXT_DSTOPTS;
1302 cmd->arg1 |= EXT_AH;
1306 cmd->arg1 |= EXT_ESP;
1310 errx( EX_DATAERR, "invalid option for ipv6 exten header" );
1314 if (cmd->arg1 == 0 )
1316 cmd->opcode = O_EXT_HDR;
1317 cmd->len |= F_INSN_SIZE( ipfw_insn );
1322 print_ext6hdr( ipfw_insn *cmd )
1326 printf(" extension header:");
1327 if (cmd->arg1 & EXT_FRAGMENT ) {
1328 printf("%cfragmentation", sep);
1331 if (cmd->arg1 & EXT_HOPOPTS ) {
1332 printf("%chop options", sep);
1335 if (cmd->arg1 & EXT_ROUTING ) {
1336 printf("%crouting options", sep);
1339 if (cmd->arg1 & EXT_DSTOPTS ) {
1340 printf("%cdestination options", sep);
1343 if (cmd->arg1 & EXT_AH ) {
1344 printf("%cauthentication header", sep);
1347 if (cmd->arg1 & EXT_ESP ) {
1348 printf("%cencapsulated security payload", sep);
1353 * show_ipfw() prints the body of an ipfw rule.
1354 * Because the standard rule has at least proto src_ip dst_ip, we use
1355 * a helper function to produce these entries if not provided explicitly.
1356 * The first argument is the list of fields we have, the second is
1357 * the list of fields we want to be printed.
1359 * Special cases if we have provided a MAC header:
1360 * + if the rule does not contain IP addresses/ports, do not print them;
1361 * + if the rule does not contain an IP proto, print "all" instead of "ip";
1363 * Once we have 'have_options', IP header fields are printed as options.
1365 #define HAVE_PROTO 0x0001
1366 #define HAVE_SRCIP 0x0002
1367 #define HAVE_DSTIP 0x0004
1368 #define HAVE_MAC 0x0008
1369 #define HAVE_MACTYPE 0x0010
1370 #define HAVE_PROTO4 0x0040
1371 #define HAVE_PROTO6 0x0080
1372 #define HAVE_OPTIONS 0x8000
1374 #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
1376 show_prerequisites(int *flags, int want, int cmd)
1380 if ( (*flags & HAVE_IP) == HAVE_IP)
1381 *flags |= HAVE_OPTIONS;
1383 if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC &&
1384 cmd != O_MAC_TYPE) {
1386 * mac-type was optimized out by the compiler,
1390 *flags |= HAVE_MACTYPE | HAVE_OPTIONS;
1393 if ( !(*flags & HAVE_OPTIONS)) {
1394 if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
1395 if ( (*flags & HAVE_PROTO4))
1397 else if ( (*flags & HAVE_PROTO6))
1402 if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
1403 printf(" from any");
1404 if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
1411 show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
1413 static int twidth = 0;
1415 ipfw_insn *cmd, *tagptr = NULL;
1416 char *comment = NULL; /* ptr to comment if we have one */
1417 int proto = 0; /* default */
1418 int flags = 0; /* prerequisites */
1419 ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
1420 ipfw_insn_altq *altqptr = NULL; /* set if we find an O_ALTQ */
1421 int or_block = 0; /* we are in an or block */
1422 uint32_t set_disable;
1424 bcopy(&rule->next_rule, &set_disable, sizeof(set_disable));
1426 if (set_disable & (1 << rule->set)) { /* disabled */
1430 printf("# DISABLED ");
1432 printf("%05u ", rule->rulenum);
1434 if (pcwidth>0 || bcwidth>0)
1435 printf("%*llu %*llu ", pcwidth, align_uint64(&rule->pcnt),
1436 bcwidth, align_uint64(&rule->bcnt));
1439 printf("%10u ", rule->timestamp);
1440 else if (do_time == 1) {
1442 time_t t = (time_t)0;
1445 strcpy(timestr, ctime(&t));
1446 *strchr(timestr, '\n') = '\0';
1447 twidth = strlen(timestr);
1449 if (rule->timestamp) {
1450 t = _long_to_time(rule->timestamp);
1452 strcpy(timestr, ctime(&t));
1453 *strchr(timestr, '\n') = '\0';
1454 printf("%s ", timestr);
1456 printf("%*s", twidth, " ");
1461 printf("set %d ", rule->set);
1464 * print the optional "match probability"
1466 if (rule->cmd_len > 0) {
1468 if (cmd->opcode == O_PROB) {
1469 ipfw_insn_u32 *p = (ipfw_insn_u32 *)cmd;
1470 double d = 1.0 * p->d[0];
1472 d = (d / 0x7fffffff);
1473 printf("prob %f ", d);
1478 * first print actions
1480 for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
1481 l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
1482 switch(cmd->opcode) {
1484 printf("check-state");
1485 flags = HAVE_IP; /* avoid printing anything else */
1501 if (cmd->arg1 == ICMP_REJECT_RST)
1503 else if (cmd->arg1 == ICMP_UNREACH_HOST)
1506 print_reject_code(cmd->arg1);
1510 if (cmd->arg1 == ICMP6_UNREACH_RST)
1513 print_unreach6_code(cmd->arg1);
1517 PRINT_UINT_ARG("skipto ", cmd->arg1);
1521 PRINT_UINT_ARG("pipe ", cmd->arg1);
1525 PRINT_UINT_ARG("queue ", cmd->arg1);
1529 PRINT_UINT_ARG("divert ", cmd->arg1);
1533 PRINT_UINT_ARG("tee ", cmd->arg1);
1537 PRINT_UINT_ARG("netgraph ", cmd->arg1);
1541 PRINT_UINT_ARG("ngtee ", cmd->arg1);
1546 ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
1548 if (s->sa.sin_addr.s_addr == INADDR_ANY) {
1549 printf("fwd tablearg");
1551 printf("fwd %s", inet_ntoa(s->sa.sin_addr));
1554 printf(",%d", s->sa.sin_port);
1558 case O_LOG: /* O_LOG is printed last */
1559 logptr = (ipfw_insn_log *)cmd;
1562 case O_ALTQ: /* O_ALTQ is printed after O_LOG */
1563 altqptr = (ipfw_insn_altq *)cmd;
1571 printf("** unrecognized action %d len %d ",
1572 cmd->opcode, cmd->len);
1576 if (logptr->max_log > 0)
1577 printf(" log logamount %d", logptr->max_log);
1584 qname = altq_qid_to_name(altqptr->qid);
1586 printf(" altq ?<%u>", altqptr->qid);
1588 printf(" altq %s", qname);
1591 if (tagptr->len & F_NOT)
1592 PRINT_UINT_ARG(" untag ", tagptr->arg1);
1594 PRINT_UINT_ARG(" tag ", tagptr->arg1);
1598 * then print the body.
1600 for (l = rule->act_ofs, cmd = rule->cmd ;
1601 l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
1602 if ((cmd->len & F_OR) || (cmd->len & F_NOT))
1604 if (cmd->opcode == O_IP4) {
1605 flags |= HAVE_PROTO4;
1607 } else if (cmd->opcode == O_IP6) {
1608 flags |= HAVE_PROTO6;
1612 if (rule->_pad & 1) { /* empty rules before options */
1614 show_prerequisites(&flags, HAVE_PROTO, 0);
1615 printf(" from any to any");
1617 flags |= HAVE_IP | HAVE_OPTIONS;
1623 for (l = rule->act_ofs, cmd = rule->cmd ;
1624 l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
1626 ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
1629 if (cmd->opcode != O_NOP)
1631 printf(" // %s\n", (char *)(cmd + 1));
1635 show_prerequisites(&flags, 0, cmd->opcode);
1637 switch(cmd->opcode) {
1639 break; /* done already */
1642 break; /* no need to print anything here */
1645 ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
1647 if ((cmd->len & F_OR) && !or_block)
1649 if (cmd->len & F_NOT)
1653 print_mac(m->addr, m->mask);
1654 print_mac(m->addr + 6, m->mask + 6);
1659 if ((cmd->len & F_OR) && !or_block)
1661 print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE,
1662 (flags & HAVE_OPTIONS) ? cmd->opcode : 0);
1663 flags |= HAVE_MAC | HAVE_MACTYPE | HAVE_OPTIONS;
1667 case O_IP_SRC_LOOKUP:
1671 show_prerequisites(&flags, HAVE_PROTO, 0);
1672 if (!(flags & HAVE_SRCIP))
1674 if ((cmd->len & F_OR) && !or_block)
1676 print_ip((ipfw_insn_ip *)cmd,
1677 (flags & HAVE_OPTIONS) ? " src-ip" : "");
1678 flags |= HAVE_SRCIP;
1682 case O_IP_DST_LOOKUP:
1686 show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
1687 if (!(flags & HAVE_DSTIP))
1689 if ((cmd->len & F_OR) && !or_block)
1691 print_ip((ipfw_insn_ip *)cmd,
1692 (flags & HAVE_OPTIONS) ? " dst-ip" : "");
1693 flags |= HAVE_DSTIP;
1697 case O_IP6_SRC_MASK:
1699 show_prerequisites(&flags, HAVE_PROTO, 0);
1700 if (!(flags & HAVE_SRCIP))
1702 if ((cmd->len & F_OR) && !or_block)
1704 print_ip6((ipfw_insn_ip6 *)cmd,
1705 (flags & HAVE_OPTIONS) ? " src-ip6" : "");
1706 flags |= HAVE_SRCIP | HAVE_PROTO;
1710 case O_IP6_DST_MASK:
1712 show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
1713 if (!(flags & HAVE_DSTIP))
1715 if ((cmd->len & F_OR) && !or_block)
1717 print_ip6((ipfw_insn_ip6 *)cmd,
1718 (flags & HAVE_OPTIONS) ? " dst-ip6" : "");
1719 flags |= HAVE_DSTIP;
1723 print_flow6id( (ipfw_insn_u32 *) cmd );
1724 flags |= HAVE_OPTIONS;
1728 show_prerequisites(&flags, HAVE_IP, 0);
1730 show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
1731 if ((cmd->len & F_OR) && !or_block)
1733 print_newports((ipfw_insn_u16 *)cmd, proto,
1734 (flags & HAVE_OPTIONS) ? cmd->opcode : 0);
1738 struct protoent *pe = NULL;
1740 if ((cmd->len & F_OR) && !or_block)
1742 if (cmd->len & F_NOT)
1745 pe = getprotobynumber(cmd->arg1);
1746 if ((flags & (HAVE_PROTO4 | HAVE_PROTO6)) &&
1747 !(flags & HAVE_PROTO))
1748 show_prerequisites(&flags,
1749 HAVE_IP | HAVE_OPTIONS, 0);
1750 if (flags & HAVE_OPTIONS)
1753 printf(" %s", pe->p_name);
1755 printf(" %u", cmd->arg1);
1757 flags |= HAVE_PROTO;
1760 default: /*options ... */
1761 if (!(cmd->len & (F_OR|F_NOT)))
1762 if (((cmd->opcode == O_IP6) &&
1763 (flags & HAVE_PROTO6)) ||
1764 ((cmd->opcode == O_IP4) &&
1765 (flags & HAVE_PROTO4)))
1767 show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0);
1768 if ((cmd->len & F_OR) && !or_block)
1770 if (cmd->len & F_NOT && cmd->opcode != O_IN)
1772 switch(cmd->opcode) {
1778 printf(cmd->len & F_NOT ? " out" : " in");
1782 switch (cmd->arg1) {
1784 printf(" diverted");
1787 printf(" diverted-loopback");
1790 printf(" diverted-output");
1793 printf(" diverted-?<%u>", cmd->arg1);
1806 ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
1808 if (cmd->opcode == O_XMIT)
1810 else if (cmd->opcode == O_RECV)
1812 else /* if (cmd->opcode == O_VIA) */
1814 if (cmdif->name[0] == '\0')
1816 inet_ntoa(cmdif->p.ip));
1818 printf(" %s %s", s, cmdif->name);
1823 if (F_LEN(cmd) == 1)
1824 printf(" ipid %u", cmd->arg1 );
1826 print_newports((ipfw_insn_u16 *)cmd, 0,
1831 if (F_LEN(cmd) == 1)
1832 printf(" ipttl %u", cmd->arg1 );
1834 print_newports((ipfw_insn_u16 *)cmd, 0,
1839 printf(" ipver %u", cmd->arg1 );
1842 case O_IPPRECEDENCE:
1843 printf(" ipprecedence %u", (cmd->arg1) >> 5 );
1847 if (F_LEN(cmd) == 1)
1848 printf(" iplen %u", cmd->arg1 );
1850 print_newports((ipfw_insn_u16 *)cmd, 0,
1855 print_flags("ipoptions", cmd, f_ipopts);
1859 print_flags("iptos", cmd, f_iptos);
1863 print_icmptypes((ipfw_insn_u32 *)cmd);
1867 printf(" established");
1871 if (F_LEN(cmd) == 1)
1872 printf(" tcpdatalen %u", cmd->arg1 );
1874 print_newports((ipfw_insn_u16 *)cmd, 0,
1879 print_flags("tcpflags", cmd, f_tcpflags);
1883 print_flags("tcpoptions", cmd, f_tcpopts);
1887 printf(" tcpwin %d", ntohs(cmd->arg1));
1891 printf(" tcpack %d", ntohl(cmd32->d[0]));
1895 printf(" tcpseq %d", ntohl(cmd32->d[0]));
1900 struct passwd *pwd = getpwuid(cmd32->d[0]);
1903 printf(" uid %s", pwd->pw_name);
1905 printf(" uid %u", cmd32->d[0]);
1911 struct group *grp = getgrgid(cmd32->d[0]);
1914 printf(" gid %s", grp->gr_name);
1916 printf(" gid %u", cmd32->d[0]);
1921 printf(" jail %d", cmd32->d[0]);
1925 printf(" verrevpath");
1929 printf(" versrcreach");
1933 printf(" antispoof");
1941 comment = (char *)(cmd + 1);
1945 printf(" keep-state");
1949 struct _s_x *p = limit_masks;
1950 ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
1951 uint8_t x = c->limit_mask;
1952 char const *comma = " ";
1955 for (; p->x != 0 ; p++)
1956 if ((x & p->x) == p->x) {
1958 printf("%s%s", comma, p->s);
1961 PRINT_UINT_ARG(" ", c->conn_limit);
1974 print_icmp6types((ipfw_insn_u32 *)cmd);
1978 print_ext6hdr( (ipfw_insn *) cmd );
1982 if (F_LEN(cmd) == 1)
1983 PRINT_UINT_ARG(" tagged ", cmd->arg1);
1985 print_newports((ipfw_insn_u16 *)cmd, 0,
1990 printf(" [opcode %d len %d]",
1991 cmd->opcode, cmd->len);
1994 if (cmd->len & F_OR) {
1997 } else if (or_block) {
2002 show_prerequisites(&flags, HAVE_IP, 0);
2004 printf(" // %s", comment);
2009 show_dyn_ipfw(ipfw_dyn_rule *d, int pcwidth, int bcwidth)
2011 struct protoent *pe;
2014 char buf[INET6_ADDRSTRLEN];
2017 if (!d->expire && !(d->dyn_type == O_LIMIT_PARENT))
2020 bcopy(&d->rule, &rulenum, sizeof(rulenum));
2021 printf("%05d", rulenum);
2022 if (pcwidth>0 || bcwidth>0)
2023 printf(" %*llu %*llu (%ds)", pcwidth,
2024 align_uint64(&d->pcnt), bcwidth,
2025 align_uint64(&d->bcnt), d->expire);
2026 switch (d->dyn_type) {
2027 case O_LIMIT_PARENT:
2028 printf(" PARENT %d", d->count);
2033 case O_KEEP_STATE: /* bidir, no mask */
2038 if ((pe = getprotobynumber(d->id.proto)) != NULL)
2039 printf(" %s", pe->p_name);
2041 printf(" proto %u", d->id.proto);
2043 if (d->id.addr_type == 4) {
2044 a.s_addr = htonl(d->id.src_ip);
2045 printf(" %s %d", inet_ntoa(a), d->id.src_port);
2047 a.s_addr = htonl(d->id.dst_ip);
2048 printf(" <-> %s %d", inet_ntoa(a), d->id.dst_port);
2049 } else if (d->id.addr_type == 6) {
2050 printf(" %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf,
2051 sizeof(buf)), d->id.src_port);
2052 printf(" <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, buf,
2053 sizeof(buf)), d->id.dst_port);
2055 printf(" UNKNOWN <-> UNKNOWN\n");
2061 sort_q(const void *pa, const void *pb)
2063 int rev = (do_sort < 0);
2064 int field = rev ? -do_sort : do_sort;
2066 const struct dn_flow_queue *a = pa;
2067 const struct dn_flow_queue *b = pb;
2071 res = a->len - b->len;
2074 res = a->len_bytes - b->len_bytes;
2077 case 3: /* tot pkts */
2078 res = a->tot_pkts - b->tot_pkts;
2081 case 4: /* tot bytes */
2082 res = a->tot_bytes - b->tot_bytes;
2089 return (int)(rev ? res : -res);
2093 list_queues(struct dn_flow_set *fs, struct dn_flow_queue *q)
2096 int index_printed, indexes = 0;
2098 struct protoent *pe;
2100 if (fs->rq_elements == 0)
2104 heapsort(q, fs->rq_elements, sizeof *q, sort_q);
2106 /* Print IPv4 flows */
2108 for (l = 0; l < fs->rq_elements; l++) {
2111 /* XXX: Should check for IPv4 flows */
2112 if (IS_IP6_FLOW_ID(&(q[l].id)))
2115 if (!index_printed) {
2117 if (indexes > 0) /* currently a no-op */
2121 "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
2122 fs->flow_mask.proto,
2123 fs->flow_mask.src_ip, fs->flow_mask.src_port,
2124 fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
2126 printf("BKT Prot ___Source IP/port____ "
2127 "____Dest. IP/port____ "
2128 "Tot_pkt/bytes Pkt/Byte Drp\n");
2131 printf("%3d ", q[l].hash_slot);
2132 pe = getprotobynumber(q[l].id.proto);
2134 printf("%-4s ", pe->p_name);
2136 printf("%4u ", q[l].id.proto);
2137 ina.s_addr = htonl(q[l].id.src_ip);
2138 printf("%15s/%-5d ",
2139 inet_ntoa(ina), q[l].id.src_port);
2140 ina.s_addr = htonl(q[l].id.dst_ip);
2141 printf("%15s/%-5d ",
2142 inet_ntoa(ina), q[l].id.dst_port);
2143 printf("%4qu %8qu %2u %4u %3u\n",
2144 q[l].tot_pkts, q[l].tot_bytes,
2145 q[l].len, q[l].len_bytes, q[l].drops);
2147 printf(" S %20qd F %20qd\n",
2151 /* Print IPv6 flows */
2153 for (l = 0; l < fs->rq_elements; l++) {
2154 if (!IS_IP6_FLOW_ID(&(q[l].id)))
2157 if (!index_printed) {
2162 printf("\n mask: proto: 0x%02x, flow_id: 0x%08x, ",
2163 fs->flow_mask.proto, fs->flow_mask.flow_id6);
2164 inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
2165 buff, sizeof(buff));
2166 printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port);
2167 inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6),
2168 buff, sizeof(buff) );
2169 printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port);
2171 printf("BKT ___Prot___ _flow-id_ "
2172 "______________Source IPv6/port_______________ "
2173 "_______________Dest. IPv6/port_______________ "
2174 "Tot_pkt/bytes Pkt/Byte Drp\n");
2176 printf("%3d ", q[l].hash_slot);
2177 pe = getprotobynumber(q[l].id.proto);
2179 printf("%9s ", pe->p_name);
2181 printf("%9u ", q[l].id.proto);
2182 printf("%7d %39s/%-5d ", q[l].id.flow_id6,
2183 inet_ntop(AF_INET6, &(q[l].id.src_ip6), buff, sizeof(buff)),
2185 printf(" %39s/%-5d ",
2186 inet_ntop(AF_INET6, &(q[l].id.dst_ip6), buff, sizeof(buff)),
2188 printf(" %4qu %8qu %2u %4u %3u\n",
2189 q[l].tot_pkts, q[l].tot_bytes,
2190 q[l].len, q[l].len_bytes, q[l].drops);
2192 printf(" S %20qd F %20qd\n", q[l].S, q[l].F);
2197 print_flowset_parms(struct dn_flow_set *fs, char *prefix)
2202 char red[90]; /* Display RED parameters */
2205 if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
2207 sprintf(qs, "%d KB", l / 1024);
2209 sprintf(qs, "%d B", l);
2211 sprintf(qs, "%3d sl.", l);
2213 sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
2216 if (fs->flags_fs & DN_IS_RED) /* RED parameters */
2218 "\n\t %cRED w_q %f min_th %d max_th %d max_p %f",
2219 (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
2220 1.0 * fs->w_q / (double)(1 << SCALE_RED),
2221 SCALE_VAL(fs->min_th),
2222 SCALE_VAL(fs->max_th),
2223 1.0 * fs->max_p / (double)(1 << SCALE_RED));
2225 sprintf(red, "droptail");
2227 printf("%s %s%s %d queues (%d buckets) %s\n",
2228 prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
2232 list_pipes(void *data, uint nbytes, int ac, char *av[])
2236 struct dn_pipe *p = (struct dn_pipe *) data;
2237 struct dn_flow_set *fs;
2238 struct dn_flow_queue *q;
2242 rulenum = strtoul(*av++, NULL, 10);
2245 for (; nbytes >= sizeof *p; p = (struct dn_pipe *)next) {
2246 double b = p->bandwidth;
2250 if (SLIST_NEXT(p, next) != (struct dn_pipe *)DN_IS_PIPE)
2251 break; /* done with pipes, now queues */
2254 * compute length, as pipe have variable size
2256 l = sizeof(*p) + p->fs.rq_elements * sizeof(*q);
2257 next = (char *)p + l;
2260 if ((rulenum != 0 && rulenum != p->pipe_nr) || do_pipe == 2)
2264 * Print rate (or clocking interface)
2266 if (p->if_name[0] != '\0')
2267 sprintf(buf, "%s", p->if_name);
2269 sprintf(buf, "unlimited");
2270 else if (b >= 1000000)
2271 sprintf(buf, "%7.3f Mbit/s", b/1000000);
2273 sprintf(buf, "%7.3f Kbit/s", b/1000);
2275 sprintf(buf, "%7.3f bit/s ", b);
2277 sprintf(prefix, "%05d: %s %4d ms ",
2278 p->pipe_nr, buf, p->delay);
2279 print_flowset_parms(&(p->fs), prefix);
2281 printf(" V %20qd\n", p->V >> MY_M);
2283 q = (struct dn_flow_queue *)(p+1);
2284 list_queues(&(p->fs), q);
2286 for (fs = next; nbytes >= sizeof *fs; fs = next) {
2289 if (SLIST_NEXT(fs, next) != (struct dn_flow_set *)DN_IS_QUEUE)
2291 l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
2292 next = (char *)fs + l;
2295 if (rulenum != 0 && ((rulenum != fs->fs_nr && do_pipe == 2) ||
2296 (rulenum != fs->parent_nr && do_pipe == 1))) {
2300 q = (struct dn_flow_queue *)(fs+1);
2301 sprintf(prefix, "q%05d: weight %d pipe %d ",
2302 fs->fs_nr, fs->weight, fs->parent_nr);
2303 print_flowset_parms(fs, prefix);
2309 * This one handles all set-related commands
2310 * ipfw set { show | enable | disable }
2312 * ipfw set move X to Y
2313 * ipfw set move rule X to Y
2316 sets_handler(int ac, char *av[])
2318 uint32_t set_disable, masks[2];
2321 uint8_t cmd, new_set;
2327 errx(EX_USAGE, "set needs command");
2328 if (_substrcmp(*av, "show") == 0) {
2332 nbytes = sizeof(struct ip_fw);
2333 if ((data = calloc(1, nbytes)) == NULL)
2334 err(EX_OSERR, "calloc");
2335 if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0)
2336 err(EX_OSERR, "getsockopt(IP_FW_GET)");
2337 bcopy(&((struct ip_fw *)data)->next_rule,
2338 &set_disable, sizeof(set_disable));
2340 for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
2341 if ((set_disable & (1<<i))) {
2342 printf("%s %d", msg, i);
2345 msg = (set_disable) ? " enable" : "enable";
2346 for (i = 0; i < RESVD_SET; i++)
2347 if (!(set_disable & (1<<i))) {
2348 printf("%s %d", msg, i);
2352 } else if (_substrcmp(*av, "swap") == 0) {
2355 errx(EX_USAGE, "set swap needs 2 set numbers\n");
2356 rulenum = atoi(av[0]);
2357 new_set = atoi(av[1]);
2358 if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
2359 errx(EX_DATAERR, "invalid set number %s\n", av[0]);
2360 if (!isdigit(*(av[1])) || new_set > RESVD_SET)
2361 errx(EX_DATAERR, "invalid set number %s\n", av[1]);
2362 masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
2363 i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
2364 } else if (_substrcmp(*av, "move") == 0) {
2366 if (ac && _substrcmp(*av, "rule") == 0) {
2371 if (ac != 3 || _substrcmp(av[1], "to") != 0)
2372 errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
2373 rulenum = atoi(av[0]);
2374 new_set = atoi(av[2]);
2375 if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
2376 (cmd == 2 && rulenum == 65535) )
2377 errx(EX_DATAERR, "invalid source number %s\n", av[0]);
2378 if (!isdigit(*(av[2])) || new_set > RESVD_SET)
2379 errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
2380 masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
2381 i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
2382 } else if (_substrcmp(*av, "disable") == 0 ||
2383 _substrcmp(*av, "enable") == 0 ) {
2384 int which = _substrcmp(*av, "enable") == 0 ? 1 : 0;
2387 masks[0] = masks[1] = 0;
2390 if (isdigit(**av)) {
2392 if (i < 0 || i > RESVD_SET)
2394 "invalid set number %d\n", i);
2395 masks[which] |= (1<<i);
2396 } else if (_substrcmp(*av, "disable") == 0)
2398 else if (_substrcmp(*av, "enable") == 0)
2402 "invalid set command %s\n", *av);
2405 if ( (masks[0] & masks[1]) != 0 )
2407 "cannot enable and disable the same set\n");
2409 i = do_cmd(IP_FW_DEL, masks, sizeof(masks));
2411 warn("set enable/disable: setsockopt(IP_FW_DEL)");
2413 errx(EX_USAGE, "invalid set command %s\n", *av);
2417 sysctl_handler(int ac, char *av[], int which)
2423 warnx("missing keyword to enable/disable\n");
2424 } else if (_substrcmp(*av, "firewall") == 0) {
2425 sysctlbyname("net.inet.ip.fw.enable", NULL, 0,
2426 &which, sizeof(which));
2427 } else if (_substrcmp(*av, "one_pass") == 0) {
2428 sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0,
2429 &which, sizeof(which));
2430 } else if (_substrcmp(*av, "debug") == 0) {
2431 sysctlbyname("net.inet.ip.fw.debug", NULL, 0,
2432 &which, sizeof(which));
2433 } else if (_substrcmp(*av, "verbose") == 0) {
2434 sysctlbyname("net.inet.ip.fw.verbose", NULL, 0,
2435 &which, sizeof(which));
2436 } else if (_substrcmp(*av, "dyn_keepalive") == 0) {
2437 sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0,
2438 &which, sizeof(which));
2439 } else if (_substrcmp(*av, "altq") == 0) {
2440 altq_set_enabled(which);
2442 warnx("unrecognize enable/disable keyword: %s\n", *av);
2447 list(int ac, char *av[], int show_counters)
2450 ipfw_dyn_rule *dynrules, *d;
2452 #define NEXT(r) ((struct ip_fw *)((char *)r + RULESIZE(r)))
2455 int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
2456 int exitval = EX_OK;
2463 const int ocmd = do_pipe ? IP_DUMMYNET_GET : IP_FW_GET;
2464 int nalloc = 1024; /* start somewhere... */
2469 fprintf(stderr, "Testing only, list disabled\n");
2476 /* get rules or pipes from kernel, resizing array as necessary */
2479 while (nbytes >= nalloc) {
2480 nalloc = nalloc * 2 + 200;
2482 if ((data = realloc(data, nbytes)) == NULL)
2483 err(EX_OSERR, "realloc");
2484 if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0)
2485 err(EX_OSERR, "getsockopt(IP_%s_GET)",
2486 do_pipe ? "DUMMYNET" : "FW");
2490 list_pipes(data, nbytes, ac, av);
2495 * Count static rules. They have variable size so we
2496 * need to scan the list to count them.
2498 for (nstat = 1, r = data, lim = (char *)data + nbytes;
2499 r->rulenum < 65535 && (char *)r < lim;
2500 ++nstat, r = NEXT(r) )
2504 * Count dynamic rules. This is easier as they have
2508 dynrules = (ipfw_dyn_rule *)r ;
2509 n = (char *)r - (char *)data;
2510 ndyn = (nbytes - n) / sizeof *dynrules;
2512 /* if showing stats, figure out column widths ahead of time */
2513 bcwidth = pcwidth = 0;
2514 if (show_counters) {
2515 for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
2516 /* packet counter */
2517 width = snprintf(NULL, 0, "%llu",
2518 align_uint64(&r->pcnt));
2519 if (width > pcwidth)
2523 width = snprintf(NULL, 0, "%llu",
2524 align_uint64(&r->bcnt));
2525 if (width > bcwidth)
2529 if (do_dynamic && ndyn) {
2530 for (n = 0, d = dynrules; n < ndyn; n++, d++) {
2531 width = snprintf(NULL, 0, "%llu",
2532 align_uint64(&d->pcnt));
2533 if (width > pcwidth)
2536 width = snprintf(NULL, 0, "%llu",
2537 align_uint64(&d->bcnt));
2538 if (width > bcwidth)
2542 /* if no rule numbers were specified, list all rules */
2544 for (n = 0, r = data; n < nstat; n++, r = NEXT(r) )
2545 show_ipfw(r, pcwidth, bcwidth);
2547 if (do_dynamic && ndyn) {
2548 printf("## Dynamic rules (%d):\n", ndyn);
2549 for (n = 0, d = dynrules; n < ndyn; n++, d++)
2550 show_dyn_ipfw(d, pcwidth, bcwidth);
2555 /* display specific rules requested on command line */
2557 for (lac = ac, lav = av; lac != 0; lac--) {
2558 /* convert command line rule # */
2559 last = rnum = strtoul(*lav++, &endptr, 10);
2561 last = strtoul(endptr+1, &endptr, 10);
2564 warnx("invalid rule number: %s", *(lav - 1));
2567 for (n = seen = 0, r = data; n < nstat; n++, r = NEXT(r) ) {
2568 if (r->rulenum > last)
2570 if (r->rulenum >= rnum && r->rulenum <= last) {
2571 show_ipfw(r, pcwidth, bcwidth);
2576 /* give precedence to other error(s) */
2577 if (exitval == EX_OK)
2578 exitval = EX_UNAVAILABLE;
2579 warnx("rule %lu does not exist", rnum);
2583 if (do_dynamic && ndyn) {
2584 printf("## Dynamic rules:\n");
2585 for (lac = ac, lav = av; lac != 0; lac--) {
2586 last = rnum = strtoul(*lav++, &endptr, 10);
2588 last = strtoul(endptr+1, &endptr, 10);
2590 /* already warned */
2592 for (n = 0, d = dynrules; n < ndyn; n++, d++) {
2595 bcopy(&d->rule, &rulenum, sizeof(rulenum));
2598 if (r->rulenum >= rnum && r->rulenum <= last)
2599 show_dyn_ipfw(d, pcwidth, bcwidth);
2609 if (exitval != EX_OK)
2617 fprintf(stderr, "usage: ipfw [options]\n"
2618 "do \"ipfw -h\" or see ipfw manpage for details\n"
2627 "ipfw syntax summary (but please do read the ipfw(8) manpage):\n"
2628 "ipfw [-abcdefhnNqStTv] <command> where <command> is one of:\n"
2629 "add [num] [set N] [prob x] RULE-BODY\n"
2630 "{pipe|queue} N config PIPE-BODY\n"
2631 "[pipe|queue] {zero|delete|show} [N{,N}]\n"
2632 "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
2633 "table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
2635 "RULE-BODY: check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
2636 "ACTION: check-state | allow | count | deny | unreach{,6} CODE |\n"
2637 " skipto N | {divert|tee} PORT | forward ADDR |\n"
2638 " pipe N | queue N\n"
2639 "PARAMS: [log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
2640 "ADDR: [ MAC dst src ether_type ] \n"
2641 " [ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
2642 " [ ipv6|ip6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]\n"
2643 "IPADDR: [not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }\n"
2644 "IP6ADDR: [not] { any | me | me6 | ip6/bits | IP6LIST }\n"
2645 "IP6LIST: { ip6 | ip6/bits }[,IP6LIST]\n"
2646 "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n"
2647 "OPTION_LIST: OPTION [OPTION_LIST]\n"
2648 "OPTION: bridged | diverted | diverted-loopback | diverted-output |\n"
2649 " {dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n"
2650 " {dst-port|src-port} LIST |\n"
2651 " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
2652 " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n"
2653 " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
2654 " icmp6types LIST | ext6hdr LIST | flow-id N[,N] |\n"
2655 " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
2656 " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
2657 " tcpdatalen LIST | verrevpath | versrcreach | antispoof\n"
2664 lookup_host (char *host, struct in_addr *ipaddr)
2668 if (!inet_aton(host, ipaddr)) {
2669 if ((he = gethostbyname(host)) == NULL)
2671 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
2677 * fills the addr and mask fields in the instruction as appropriate from av.
2678 * Update length as appropriate.
2679 * The following formats are allowed:
2680 * me returns O_IP_*_ME
2681 * 1.2.3.4 single IP address
2682 * 1.2.3.4:5.6.7.8 address:mask
2683 * 1.2.3.4/24 address/mask
2684 * 1.2.3.4/26{1,6,5,4,23} set of addresses in a subnet
2685 * We can have multiple comma-separated address/mask entries.
2688 fill_ip(ipfw_insn_ip *cmd, char *av)
2691 uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
2693 cmd->o.len &= ~F_LEN_MASK; /* zero len */
2695 if (_substrcmp(av, "any") == 0)
2698 if (_substrcmp(av, "me") == 0) {
2699 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
2703 if (strncmp(av, "table(", 6) == 0) {
2704 char *p = strchr(av + 6, ',');
2708 cmd->o.opcode = O_IP_DST_LOOKUP;
2709 cmd->o.arg1 = strtoul(av + 6, NULL, 0);
2711 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
2712 d[0] = strtoul(p, NULL, 0);
2714 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
2720 * After the address we can have '/' or ':' indicating a mask,
2721 * ',' indicating another address follows, '{' indicating a
2722 * set of addresses of unspecified size.
2724 char *p = strpbrk(av, "/:,{");
2734 if (lookup_host(av, (struct in_addr *)&d[0]) != 0)
2735 errx(EX_NOHOST, "hostname ``%s'' unknown", av);
2738 if (!inet_aton(p, (struct in_addr *)&d[1]))
2739 errx(EX_DATAERR, "bad netmask ``%s''", p);
2744 d[1] = htonl(0); /* mask */
2745 else if (masklen > 32)
2746 errx(EX_DATAERR, "bad width ``%s''", p);
2748 d[1] = htonl(~0 << (32 - masklen));
2750 case '{': /* no mask, assume /24 and put back the '{' */
2751 d[1] = htonl(~0 << (32 - 24));
2755 case ',': /* single address plus continuation */
2758 case 0: /* initialization value */
2760 d[1] = htonl(~0); /* force /32 */
2763 d[0] &= d[1]; /* mask base address with mask */
2764 /* find next separator */
2766 p = strpbrk(p, ",{");
2767 if (p && *p == '{') {
2769 * We have a set of addresses. They are stored as follows:
2770 * arg1 is the set size (powers of 2, 2..256)
2771 * addr is the base address IN HOST FORMAT
2772 * mask.. is an array of arg1 bits (rounded up to
2773 * the next multiple of 32) with bits set
2774 * for each host in the map.
2776 uint32_t *map = (uint32_t *)&cmd->mask;
2778 int i = contigmask((uint8_t *)&(d[1]), 32);
2781 errx(EX_DATAERR, "address set cannot be in a list");
2782 if (i < 24 || i > 31)
2783 errx(EX_DATAERR, "invalid set with mask %d\n", i);
2784 cmd->o.arg1 = 1<<(32-i); /* map length */
2785 d[0] = ntohl(d[0]); /* base addr in host format */
2786 cmd->o.opcode = O_IP_DST_SET; /* default */
2787 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
2788 for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
2789 map[i] = 0; /* clear map */
2793 high = low + cmd->o.arg1 - 1;
2795 * Here, i stores the previous value when we specify a range
2796 * of addresses within a mask, e.g. 45-63. i = -1 means we
2797 * have no previous value.
2799 i = -1; /* previous value in a range */
2800 while (isdigit(*av)) {
2802 int a = strtol(av, &s, 0);
2804 if (s == av) { /* no parameter */
2806 errx(EX_DATAERR, "set not closed\n");
2808 errx(EX_DATAERR, "incomplete range %d-", i);
2811 if (a < low || a > high)
2812 errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
2815 if (i == -1) /* no previous in range */
2817 else { /* check that range is valid */
2819 errx(EX_DATAERR, "invalid range %d-%d",
2822 errx(EX_DATAERR, "double '-' in range");
2825 map[i/32] |= 1<<(i & 31);
2836 if (av) /* then *av must be a ',' */
2839 /* Check this entry */
2840 if (d[1] == 0) { /* "any", specified as x.x.x.x/0 */
2842 * 'any' turns the entire list into a NOP.
2843 * 'not any' never matches, so it is removed from the
2844 * list unless it is the only item, in which case we
2847 if (cmd->o.len & F_NOT) { /* "not any" never matches */
2848 if (av == NULL && len == 0) /* only this entry */
2849 errx(EX_DATAERR, "not any never matches");
2851 /* else do nothing and skip this entry */
2854 /* A single IP can be stored in an optimized format */
2855 if (d[1] == IP_MASK_ALL && av == NULL && len == 0) {
2856 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
2859 len += 2; /* two words... */
2862 cmd->o.len |= len+1;
2866 /* Try to find ipv6 address by hostname */
2868 lookup_host6 (char *host, struct in6_addr *ip6addr)
2872 if (!inet_pton(AF_INET6, host, ip6addr)) {
2873 if ((he = gethostbyname2(host, AF_INET6)) == NULL)
2875 memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
2881 /* n2mask sets n bits of the mask */
2883 n2mask(struct in6_addr *mask, int n)
2885 static int minimask[9] =
2886 { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
2889 memset(mask, 0, sizeof(struct in6_addr));
2890 p = (u_char *) mask;
2891 for (; n > 0; p++, n -= 8) {
2902 * fill the addr and mask fields in the instruction as appropriate from av.
2903 * Update length as appropriate.
2904 * The following formats are allowed:
2905 * any matches any IP6. Actually returns an empty instruction.
2906 * me returns O_IP6_*_ME
2908 * 03f1::234:123:0342 single IP6 addres
2909 * 03f1::234:123:0342/24 address/mask
2910 * 03f1::234:123:0342/24,03f1::234:123:0343/ List of address
2912 * Set of address (as in ipv6) not supported because ipv6 address
2913 * are typically random past the initial prefix.
2914 * Return 1 on success, 0 on failure.
2917 fill_ip6(ipfw_insn_ip6 *cmd, char *av)
2920 struct in6_addr *d = &(cmd->addr6);
2922 * Needed for multiple address.
2923 * Note d[1] points to struct in6_add r mask6 of cmd
2926 cmd->o.len &= ~F_LEN_MASK; /* zero len */
2928 if (strcmp(av, "any") == 0)
2932 if (strcmp(av, "me") == 0) { /* Set the data for "me" opt*/
2933 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
2937 if (strcmp(av, "me6") == 0) { /* Set the data for "me" opt*/
2938 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
2945 * After the address we can have '/' indicating a mask,
2946 * or ',' indicating another address follows.
2953 if ((p = strpbrk(av, "/,")) ) {
2954 md = *p; /* save the separator */
2955 *p = '\0'; /* terminate address string */
2956 p++; /* and skip past it */
2958 /* now p points to NULL, mask or next entry */
2960 /* lookup stores address in *d as a side effect */
2961 if (lookup_host6(av, d) != 0) {
2962 /* XXX: failed. Free memory and go */
2963 errx(EX_DATAERR, "bad address \"%s\"", av);
2965 /* next, look at the mask, if any */
2966 masklen = (md == '/') ? atoi(p) : 128;
2967 if (masklen > 128 || masklen < 0)
2968 errx(EX_DATAERR, "bad width \"%s\''", p);
2970 n2mask(&d[1], masklen);
2972 APPLY_MASK(d, &d[1]) /* mask base address with mask */
2974 /* find next separator */
2976 if (md == '/') { /* find separator past the mask */
2977 p = strpbrk(p, ",");
2983 /* Check this entry */
2986 * 'any' turns the entire list into a NOP.
2987 * 'not any' never matches, so it is removed from the
2988 * list unless it is the only item, in which case we
2991 if (cmd->o.len & F_NOT && av == NULL && len == 0)
2992 errx(EX_DATAERR, "not any never matches");
2997 * A single IP can be stored alone
2999 if (masklen == 128 && av == NULL && len == 0) {
3000 len = F_INSN_SIZE(struct in6_addr);
3004 /* Update length and pointer to arguments */
3005 len += F_INSN_SIZE(struct in6_addr)*2;
3010 * Total length of the command, remember that 1 is the size of
3013 cmd->o.len |= len+1;
3019 * fills command for ipv6 flow-id filtering
3020 * note that the 20 bit flow number is stored in a array of u_int32_t
3021 * it's supported lists of flow-id, so in the o.arg1 we store how many
3022 * additional flow-id we want to filter, the basic is 1
3025 fill_flow6( ipfw_insn_u32 *cmd, char *av )
3027 u_int32_t type; /* Current flow number */
3028 u_int16_t nflow = 0; /* Current flow index */
3030 cmd->d[0] = 0; /* Initializing the base number*/
3033 av = strsep( &s, ",") ;
3034 type = strtoul(av, &av, 0);
3035 if (*av != ',' && *av != '\0')
3036 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
3038 errx(EX_DATAERR, "flow number out of range %s", av);
3039 cmd->d[nflow] |= type;
3043 cmd->o.opcode = O_FLOW6ID;
3044 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
3045 cmd->o.arg1 = nflow;
3048 errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
3053 add_srcip6(ipfw_insn *cmd, char *av)
3056 fill_ip6((ipfw_insn_ip6 *)cmd, av);
3057 if (F_LEN(cmd) == 0) /* any */
3059 if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
3060 cmd->opcode = O_IP6_SRC_ME;
3061 } else if (F_LEN(cmd) ==
3062 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
3063 /* single IP, no mask*/
3064 cmd->opcode = O_IP6_SRC;
3065 } else { /* addr/mask opt */
3066 cmd->opcode = O_IP6_SRC_MASK;
3072 add_dstip6(ipfw_insn *cmd, char *av)
3075 fill_ip6((ipfw_insn_ip6 *)cmd, av);
3076 if (F_LEN(cmd) == 0) /* any */
3078 if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) { /* "me" */
3079 cmd->opcode = O_IP6_DST_ME;
3080 } else if (F_LEN(cmd) ==
3081 (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
3082 /* single IP, no mask*/
3083 cmd->opcode = O_IP6_DST;
3084 } else { /* addr/mask opt */
3085 cmd->opcode = O_IP6_DST_MASK;
3092 * helper function to process a set of flags and set bits in the
3093 * appropriate masks.
3096 fill_flags(ipfw_insn *cmd, enum ipfw_opcodes opcode,
3097 struct _s_x *flags, char *p)
3099 uint8_t set=0, clear=0;
3102 char *q; /* points to the separator */
3104 uint8_t *which; /* mask we are working on */
3114 val = match_token(flags, p);
3116 errx(EX_DATAERR, "invalid flag %s", p);
3117 *which |= (uint8_t)val;
3120 cmd->opcode = opcode;
3121 cmd->len = (cmd->len & (F_NOT | F_OR)) | 1;
3122 cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
3127 delete(int ac, char *av[])
3132 int exitval = EX_OK;
3135 memset(&p, 0, sizeof p);
3138 NEED1("missing rule specification");
3139 if (ac > 0 && _substrcmp(*av, "set") == 0) {
3140 do_set = 1; /* delete set */
3145 while (ac && isdigit(**av)) {
3146 i = atoi(*av); av++; ac--;
3152 i = do_cmd(IP_DUMMYNET_DEL, &p, sizeof p);
3155 warn("rule %u: setsockopt(IP_DUMMYNET_DEL)",
3156 do_pipe == 1 ? p.pipe_nr : p.fs.fs_nr);
3159 rulenum = (i & 0xffff) | (do_set << 24);
3160 i = do_cmd(IP_FW_DEL, &rulenum, sizeof rulenum);
3162 exitval = EX_UNAVAILABLE;
3163 warn("rule %u: setsockopt(IP_FW_DEL)",
3168 if (exitval != EX_OK)
3174 * fill the interface structure. We do not check the name as we can
3175 * create interfaces dynamically, so checking them at insert time
3176 * makes relatively little sense.
3177 * Interface names containing '*', '?', or '[' are assumed to be shell
3178 * patterns which match interfaces.
3181 fill_iface(ipfw_insn_if *cmd, char *arg)
3183 cmd->name[0] = '\0';
3184 cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
3186 /* Parse the interface or address */
3187 if (strcmp(arg, "any") == 0)
3188 cmd->o.len = 0; /* effectively ignore this command */
3189 else if (!isdigit(*arg)) {
3190 strlcpy(cmd->name, arg, sizeof(cmd->name));
3191 cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
3192 } else if (!inet_aton(arg, &cmd->p.ip))
3193 errx(EX_DATAERR, "bad ip address ``%s''", arg);
3197 config_pipe(int ac, char **av)
3204 memset(&p, 0, sizeof p);
3208 if (ac && isdigit(**av)) {
3209 i = atoi(*av); av++; ac--;
3217 int tok = match_token(dummynet_params, *av);
3222 p.fs.flags_fs |= DN_NOERROR;
3226 NEED1("plr needs argument 0..1\n");
3227 d = strtod(av[0], NULL);
3232 p.fs.plr = (int)(d*0x7fffffff);
3237 NEED1("queue needs queue size\n");
3239 p.fs.qsize = strtoul(av[0], &end, 0);
3240 if (*end == 'K' || *end == 'k') {
3241 p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
3243 } else if (*end == 'B' ||
3244 _substrcmp2(end, "by", "bytes") == 0) {
3245 p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
3251 NEED1("buckets needs argument\n");
3252 p.fs.rq_size = strtoul(av[0], NULL, 0);
3257 NEED1("mask needs mask specifier\n");
3259 * per-flow queue, mask is dst_ip, dst_port,
3260 * src_ip, src_port, proto measured in bits
3264 bzero(&p.fs.flow_mask, sizeof(p.fs.flow_mask));
3268 uint32_t *p32 = NULL;
3269 uint16_t *p16 = NULL;
3270 uint32_t *p20 = NULL;
3271 struct in6_addr *pa6 = NULL;
3274 tok = match_token(dummynet_params, *av);
3279 * special case, all bits significant
3281 p.fs.flow_mask.dst_ip = ~0;
3282 p.fs.flow_mask.src_ip = ~0;
3283 p.fs.flow_mask.dst_port = ~0;
3284 p.fs.flow_mask.src_port = ~0;
3285 p.fs.flow_mask.proto = ~0;
3286 n2mask(&(p.fs.flow_mask.dst_ip6), 128);
3287 n2mask(&(p.fs.flow_mask.src_ip6), 128);
3288 p.fs.flow_mask.flow_id6 = ~0;
3289 p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
3293 p32 = &p.fs.flow_mask.dst_ip;
3297 p32 = &p.fs.flow_mask.src_ip;
3301 pa6 = &(p.fs.flow_mask.dst_ip6);
3305 pa6 = &(p.fs.flow_mask.src_ip6);
3309 p20 = &p.fs.flow_mask.flow_id6;
3313 p16 = &p.fs.flow_mask.dst_port;
3317 p16 = &p.fs.flow_mask.src_port;
3324 ac++; av--; /* backtrack */
3328 errx(EX_USAGE, "mask: value missing");
3329 if (*av[0] == '/') {
3330 a = strtoul(av[0]+1, &end, 0);
3332 a = (a == 32) ? ~0 : (1 << a) - 1;
3334 a = strtoul(av[0], &end, 0);
3337 else if (p16 != NULL) {
3340 "port mask must be 16 bit");
3342 } else if (p20 != NULL) {
3345 "flow_id mask must be 20 bit");
3347 } else if (pa6 != NULL) {
3348 if (a < 0 || a > 128)
3350 "in6addr invalid mask len");
3356 "proto mask must be 8 bit");
3357 p.fs.flow_mask.proto = (uint8_t)a;
3360 p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
3362 } /* end while, config masks */
3368 NEED1("red/gred needs w_q/min_th/max_th/max_p\n");
3369 p.fs.flags_fs |= DN_IS_RED;
3370 if (tok == TOK_GRED)
3371 p.fs.flags_fs |= DN_IS_GENTLE_RED;
3373 * the format for parameters is w_q/min_th/max_th/max_p
3375 if ((end = strsep(&av[0], "/"))) {
3376 double w_q = strtod(end, NULL);
3377 if (w_q > 1 || w_q <= 0)
3378 errx(EX_DATAERR, "0 < w_q <= 1");
3379 p.fs.w_q = (int) (w_q * (1 << SCALE_RED));
3381 if ((end = strsep(&av[0], "/"))) {
3382 p.fs.min_th = strtoul(end, &end, 0);
3383 if (*end == 'K' || *end == 'k')
3384 p.fs.min_th *= 1024;
3386 if ((end = strsep(&av[0], "/"))) {
3387 p.fs.max_th = strtoul(end, &end, 0);
3388 if (*end == 'K' || *end == 'k')
3389 p.fs.max_th *= 1024;
3391 if ((end = strsep(&av[0], "/"))) {
3392 double max_p = strtod(end, NULL);
3393 if (max_p > 1 || max_p <= 0)
3394 errx(EX_DATAERR, "0 < max_p <= 1");
3395 p.fs.max_p = (int)(max_p * (1 << SCALE_RED));
3401 p.fs.flags_fs &= ~(DN_IS_RED|DN_IS_GENTLE_RED);
3405 NEED1("bw needs bandwidth or interface\n");
3407 errx(EX_DATAERR, "bandwidth only valid for pipes");
3409 * set clocking interface or bandwidth value
3411 if (av[0][0] >= 'a' && av[0][0] <= 'z') {
3412 int l = sizeof(p.if_name)-1;
3413 /* interface name */
3414 strncpy(p.if_name, av[0], l);
3415 p.if_name[l] = '\0';
3418 p.if_name[0] = '\0';
3419 p.bandwidth = strtoul(av[0], &end, 0);
3420 if (*end == 'K' || *end == 'k') {
3422 p.bandwidth *= 1000;
3423 } else if (*end == 'M') {
3425 p.bandwidth *= 1000000;
3428 _substrcmp2(end, "Bi", "Bit/s") != 0) ||
3429 _substrcmp2(end, "by", "bytes") == 0)
3431 if (p.bandwidth < 0)
3432 errx(EX_DATAERR, "bandwidth too large");
3439 errx(EX_DATAERR, "delay only valid for pipes");
3440 NEED1("delay needs argument 0..10000ms\n");
3441 p.delay = strtoul(av[0], NULL, 0);
3447 errx(EX_DATAERR,"weight only valid for queues");
3448 NEED1("weight needs argument 0..100\n");
3449 p.fs.weight = strtoul(av[0], &end, 0);
3455 errx(EX_DATAERR,"pipe only valid for queues");
3456 NEED1("pipe needs pipe_number\n");
3457 p.fs.parent_nr = strtoul(av[0], &end, 0);
3462 errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]);
3467 errx(EX_DATAERR, "pipe_nr must be > 0");
3468 if (p.delay > 10000)
3469 errx(EX_DATAERR, "delay must be < 10000");
3470 } else { /* do_pipe == 2, queue */
3471 if (p.fs.parent_nr == 0)
3472 errx(EX_DATAERR, "pipe must be > 0");
3473 if (p.fs.weight >100)
3474 errx(EX_DATAERR, "weight must be <= 100");
3476 if (p.fs.flags_fs & DN_QSIZE_IS_BYTES) {
3477 if (p.fs.qsize > 1024*1024)
3478 errx(EX_DATAERR, "queue size must be < 1MB");
3480 if (p.fs.qsize > 100)
3481 errx(EX_DATAERR, "2 <= queue size <= 100");
3483 if (p.fs.flags_fs & DN_IS_RED) {
3485 int lookup_depth, avg_pkt_size;
3486 double s, idle, weight, w_q;
3487 struct clockinfo ck;
3490 if (p.fs.min_th >= p.fs.max_th)
3491 errx(EX_DATAERR, "min_th %d must be < than max_th %d",
3492 p.fs.min_th, p.fs.max_th);
3493 if (p.fs.max_th == 0)
3494 errx(EX_DATAERR, "max_th must be > 0");
3497 if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth",
3498 &lookup_depth, &len, NULL, 0) == -1)
3500 errx(1, "sysctlbyname(\"%s\")",
3501 "net.inet.ip.dummynet.red_lookup_depth");
3502 if (lookup_depth == 0)
3503 errx(EX_DATAERR, "net.inet.ip.dummynet.red_lookup_depth"
3504 " must be greater than zero");
3507 if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size",
3508 &avg_pkt_size, &len, NULL, 0) == -1)
3510 errx(1, "sysctlbyname(\"%s\")",
3511 "net.inet.ip.dummynet.red_avg_pkt_size");
3512 if (avg_pkt_size == 0)
3514 "net.inet.ip.dummynet.red_avg_pkt_size must"
3515 " be greater than zero");
3517 len = sizeof(struct clockinfo);
3518 if (sysctlbyname("kern.clockrate", &ck, &len, NULL, 0) == -1)
3519 errx(1, "sysctlbyname(\"%s\")", "kern.clockrate");
3522 * Ticks needed for sending a medium-sized packet.
3523 * Unfortunately, when we are configuring a WF2Q+ queue, we
3524 * do not have bandwidth information, because that is stored
3525 * in the parent pipe, and also we have multiple queues
3526 * competing for it. So we set s=0, which is not very
3527 * correct. But on the other hand, why do we want RED with
3530 if (p.bandwidth==0) /* this is a WF2Q+ queue */
3533 s = ck.hz * avg_pkt_size * 8 / p.bandwidth;
3536 * max idle time (in ticks) before avg queue size becomes 0.
3537 * NOTA: (3/w_q) is approx the value x so that
3538 * (1-w_q)^x < 10^-3.
3540 w_q = ((double)p.fs.w_q) / (1 << SCALE_RED);
3541 idle = s * 3. / w_q;
3542 p.fs.lookup_step = (int)idle / lookup_depth;
3543 if (!p.fs.lookup_step)
3544 p.fs.lookup_step = 1;
3546 for (t = p.fs.lookup_step; t > 0; --t)
3548 p.fs.lookup_weight = (int)(weight * (1 << SCALE_RED));
3550 i = do_cmd(IP_DUMMYNET_CONFIGURE, &p, sizeof p);
3552 err(1, "setsockopt(%s)", "IP_DUMMYNET_CONFIGURE");
3556 get_mac_addr_mask(char *p, uint8_t *addr, uint8_t *mask)
3561 addr[i] = mask[i] = 0;
3562 if (strcmp(p, "any") == 0)
3565 for (i=0; *p && i<6;i++, p++) {
3566 addr[i] = strtol(p, &p, 16);
3567 if (*p != ':') /* we start with the mask */
3570 if (*p == '/') { /* mask len */
3571 l = strtol(p+1, &p, 0);
3572 for (i=0; l>0; l -=8, i++)
3573 mask[i] = (l >=8) ? 0xff : (~0) << (8-l);
3574 } else if (*p == '&') { /* mask */
3575 for (i=0, p++; *p && i<6;i++, p++) {
3576 mask[i] = strtol(p, &p, 16);
3580 } else if (*p == '\0') {
3589 * helper function, updates the pointer to cmd with the length
3590 * of the current command, and also cleans up the first word of
3591 * the new command in case it has been clobbered before.
3594 next_cmd(ipfw_insn *cmd)
3597 bzero(cmd, sizeof(*cmd));
3602 * Takes arguments and copies them into a comment
3605 fill_comment(ipfw_insn *cmd, int ac, char **av)
3608 char *p = (char *)(cmd + 1);
3610 cmd->opcode = O_NOP;
3611 cmd->len = (cmd->len & (F_NOT | F_OR));
3613 /* Compute length of comment string. */
3614 for (i = 0, l = 0; i < ac; i++)
3615 l += strlen(av[i]) + 1;
3620 "comment too long (max 80 chars)");
3622 cmd->len = (cmd->len & (F_NOT | F_OR)) | l;
3623 for (i = 0; i < ac; i++) {
3632 * A function to fill simple commands of size 1.
3633 * Existing flags are preserved.
3636 fill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
3638 cmd->opcode = opcode;
3639 cmd->len = ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
3644 * Fetch and add the MAC address and type, with masks. This generates one or
3645 * two microinstructions, and returns the pointer to the last one.
3648 add_mac(ipfw_insn *cmd, int ac, char *av[])
3653 errx(EX_DATAERR, "MAC dst src");
3655 cmd->opcode = O_MACADDR2;
3656 cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
3658 mac = (ipfw_insn_mac *)cmd;
3659 get_mac_addr_mask(av[0], mac->addr, mac->mask); /* dst */
3660 get_mac_addr_mask(av[1], &(mac->addr[6]), &(mac->mask[6])); /* src */
3665 add_mactype(ipfw_insn *cmd, int ac, char *av)
3668 errx(EX_DATAERR, "missing MAC type");
3669 if (strcmp(av, "any") != 0) { /* we have a non-null type */
3670 fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE);
3671 cmd->opcode = O_MAC_TYPE;
3678 add_proto0(ipfw_insn *cmd, char *av, u_char *protop)
3680 struct protoent *pe;
3684 proto = strtol(av, &ep, 10);
3685 if (*ep != '\0' || proto <= 0) {
3686 if ((pe = getprotobyname(av)) == NULL)
3688 proto = pe->p_proto;
3691 fill_cmd(cmd, O_PROTO, 0, proto);
3697 add_proto(ipfw_insn *cmd, char *av, u_char *protop)
3699 u_char proto = IPPROTO_IP;
3701 if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
3702 ; /* do not set O_IP4 nor O_IP6 */
3703 else if (strcmp(av, "ip4") == 0)
3704 /* explicit "just IPv4" rule */
3705 fill_cmd(cmd, O_IP4, 0, 0);
3706 else if (strcmp(av, "ip6") == 0) {
3707 /* explicit "just IPv6" rule */
3708 proto = IPPROTO_IPV6;
3709 fill_cmd(cmd, O_IP6, 0, 0);
3711 return add_proto0(cmd, av, protop);
3718 add_proto_compat(ipfw_insn *cmd, char *av, u_char *protop)
3720 u_char proto = IPPROTO_IP;
3722 if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
3723 ; /* do not set O_IP4 nor O_IP6 */
3724 else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
3725 /* explicit "just IPv4" rule */
3726 fill_cmd(cmd, O_IP4, 0, 0);
3727 else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
3728 /* explicit "just IPv6" rule */
3729 proto = IPPROTO_IPV6;
3730 fill_cmd(cmd, O_IP6, 0, 0);
3732 return add_proto0(cmd, av, protop);
3739 add_srcip(ipfw_insn *cmd, char *av)
3741 fill_ip((ipfw_insn_ip *)cmd, av);
3742 if (cmd->opcode == O_IP_DST_SET) /* set */
3743 cmd->opcode = O_IP_SRC_SET;
3744 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
3745 cmd->opcode = O_IP_SRC_LOOKUP;
3746 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
3747 cmd->opcode = O_IP_SRC_ME;
3748 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
3749 cmd->opcode = O_IP_SRC;
3750 else /* addr/mask */
3751 cmd->opcode = O_IP_SRC_MASK;
3756 add_dstip(ipfw_insn *cmd, char *av)
3758 fill_ip((ipfw_insn_ip *)cmd, av);
3759 if (cmd->opcode == O_IP_DST_SET) /* set */
3761 else if (cmd->opcode == O_IP_DST_LOOKUP) /* table */
3763 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
3764 cmd->opcode = O_IP_DST_ME;
3765 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
3766 cmd->opcode = O_IP_DST;
3767 else /* addr/mask */
3768 cmd->opcode = O_IP_DST_MASK;
3773 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
3775 if (_substrcmp(av, "any") == 0) {
3777 } else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
3778 /* XXX todo: check that we have a protocol with ports */
3779 cmd->opcode = opcode;
3786 add_src(ipfw_insn *cmd, char *av, u_char proto)
3790 ipfw_insn *ret = NULL;
3792 if ((host = strdup(av)) == NULL)
3794 if ((ch = strrchr(host, '/')) != NULL)
3797 if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
3798 inet_pton(AF_INET6, host, &a))
3799 ret = add_srcip6(cmd, av);
3800 /* XXX: should check for IPv4, not !IPv6 */
3801 if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
3802 !inet_pton(AF_INET6, host, &a)))
3803 ret = add_srcip(cmd, av);
3804 if (ret == NULL && strcmp(av, "any") != 0)
3812 add_dst(ipfw_insn *cmd, char *av, u_char proto)
3816 ipfw_insn *ret = NULL;
3818 if ((host = strdup(av)) == NULL)
3820 if ((ch = strrchr(host, '/')) != NULL)
3823 if (proto == IPPROTO_IPV6 || strcmp(av, "me6") == 0 ||
3824 inet_pton(AF_INET6, host, &a))
3825 ret = add_dstip6(cmd, av);
3826 /* XXX: should check for IPv4, not !IPv6 */
3827 if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
3828 !inet_pton(AF_INET6, host, &a)))
3829 ret = add_dstip(cmd, av);
3830 if (ret == NULL && strcmp(av, "any") != 0)
3838 * Parse arguments and assemble the microinstructions which make up a rule.
3839 * Rules are added into the 'rulebuf' and then copied in the correct order
3840 * into the actual rule.
3842 * The syntax for a rule starts with the action, followed by
3843 * optional action parameters, and the various match patterns.
3844 * In the assembled microcode, the first opcode must be an O_PROBE_STATE
3845 * (generated if the rule includes a keep-state option), then the
3846 * various match patterns, log/altq actions, and the actual action.
3850 add(int ac, char *av[])
3853 * rules are added into the 'rulebuf' and then copied in
3854 * the correct order into the actual rule.
3855 * Some things that need to go out of order (prob, action etc.)
3858 static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
3860 ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
3861 ipfw_insn *first_cmd; /* first match pattern */
3866 * various flags used to record that we entered some fields.
3868 ipfw_insn *have_state = NULL; /* check-state or keep-state */
3869 ipfw_insn *have_log = NULL, *have_altq = NULL, *have_tag = NULL;
3874 int open_par = 0; /* open parenthesis ( */
3876 /* proto is here because it is used to fetch ports */
3877 u_char proto = IPPROTO_IP; /* default protocol */
3879 double match_prob = 1; /* match probability, default is always match */
3881 bzero(actbuf, sizeof(actbuf)); /* actions go here */
3882 bzero(cmdbuf, sizeof(cmdbuf));
3883 bzero(rulebuf, sizeof(rulebuf));
3885 rule = (struct ip_fw *)rulebuf;
3886 cmd = (ipfw_insn *)cmdbuf;
3887 action = (ipfw_insn *)actbuf;
3891 /* [rule N] -- Rule number optional */
3892 if (ac && isdigit(**av)) {
3893 rule->rulenum = atoi(*av);
3898 /* [set N] -- set number (0..RESVD_SET), optional */
3899 if (ac > 1 && _substrcmp(*av, "set") == 0) {
3900 int set = strtoul(av[1], NULL, 10);
3901 if (set < 0 || set > RESVD_SET)
3902 errx(EX_DATAERR, "illegal set %s", av[1]);
3907 /* [prob D] -- match probability, optional */
3908 if (ac > 1 && _substrcmp(*av, "prob") == 0) {
3909 match_prob = strtod(av[1], NULL);
3911 if (match_prob <= 0 || match_prob > 1)
3912 errx(EX_DATAERR, "illegal match prob. %s", av[1]);
3916 /* action -- mandatory */
3917 NEED1("missing action");
3918 i = match_token(rule_actions, *av);
3920 action->len = 1; /* default */
3922 case TOK_CHECKSTATE:
3923 have_state = action;
3924 action->opcode = O_CHECK_STATE;
3928 action->opcode = O_ACCEPT;
3932 action->opcode = O_DENY;
3937 action->opcode = O_REJECT;
3938 action->arg1 = ICMP_UNREACH_HOST;
3942 action->opcode = O_REJECT;
3943 action->arg1 = ICMP_REJECT_RST;
3947 action->opcode = O_UNREACH6;
3948 action->arg1 = ICMP6_UNREACH_RST;
3952 action->opcode = O_REJECT;
3953 NEED1("missing reject code");
3954 fill_reject_code(&action->arg1, *av);
3959 action->opcode = O_UNREACH6;
3960 NEED1("missing unreach code");
3961 fill_unreach6_code(&action->arg1, *av);
3966 action->opcode = O_COUNT;
3970 action->opcode = O_QUEUE;
3973 action->opcode = O_PIPE;
3976 action->opcode = O_SKIPTO;
3979 action->opcode = O_NETGRAPH;
3982 action->opcode = O_NGTEE;
3985 action->opcode = O_DIVERT;
3988 action->opcode = O_TEE;
3991 errx(EX_USAGE, "missing argument for %s", *(av - 1));
3992 if (isdigit(**av)) {
3993 action->arg1 = strtoul(*av, NULL, 10);
3994 if (action->arg1 <= 0 || action->arg1 >= IP_FW_TABLEARG)
3995 errx(EX_DATAERR, "illegal argument for %s",
3997 } else if (_substrcmp(*av, TABLEARG) == 0) {
3998 action->arg1 = IP_FW_TABLEARG;
3999 } else if (i == TOK_DIVERT || i == TOK_TEE) {
4002 s = getservbyname(av[0], "divert");
4004 action->arg1 = ntohs(s->s_port);
4006 errx(EX_DATAERR, "illegal divert/tee port");
4008 errx(EX_DATAERR, "illegal argument for %s", *(av - 1));
4013 ipfw_insn_sa *p = (ipfw_insn_sa *)action;
4016 NEED1("missing forward address[:port]");
4018 action->opcode = O_FORWARD_IP;
4019 action->len = F_INSN_SIZE(ipfw_insn_sa);
4021 p->sa.sin_len = sizeof(struct sockaddr_in);
4022 p->sa.sin_family = AF_INET;
4025 * locate the address-port separator (':' or ',')
4027 s = strchr(*av, ':');
4029 s = strchr(*av, ',');
4032 i = strtoport(s, &end, 0 /* base */, 0 /* proto */);
4035 "illegal forwarding port ``%s''", s);
4036 p->sa.sin_port = (u_short)i;
4038 if (_substrcmp(*av, "tablearg") == 0)
4039 p->sa.sin_addr.s_addr = INADDR_ANY;
4041 lookup_host(*av, &(p->sa.sin_addr));
4046 /* pretend it is a 'count' rule followed by the comment */
4047 action->opcode = O_COUNT;
4048 ac++; av--; /* go back... */
4052 errx(EX_DATAERR, "invalid action %s\n", av[-1]);
4054 action = next_cmd(action);
4057 * [altq queuename] -- altq tag, optional
4058 * [log [logamount N]] -- log, optional
4060 * If they exist, it go first in the cmdbuf, but then it is
4061 * skipped in the copy section to the end of the buffer.
4063 while (ac != 0 && (i = match_token(rule_action_params, *av)) != -1) {
4068 ipfw_insn_log *c = (ipfw_insn_log *)cmd;
4073 "log cannot be specified more than once");
4074 have_log = (ipfw_insn *)c;
4075 cmd->len = F_INSN_SIZE(ipfw_insn_log);
4076 cmd->opcode = O_LOG;
4077 if (ac && _substrcmp(*av, "logamount") == 0) {
4079 NEED1("logamount requires argument");
4083 "logamount must be positive");
4087 len = sizeof(c->max_log);
4088 if (sysctlbyname("net.inet.ip.fw.verbose_limit",
4089 &c->max_log, &len, NULL, 0) == -1)
4090 errx(1, "sysctlbyname(\"%s\")",
4091 "net.inet.ip.fw.verbose_limit");
4098 ipfw_insn_altq *a = (ipfw_insn_altq *)cmd;
4100 NEED1("missing altq queue name");
4103 "altq cannot be specified more than once");
4104 have_altq = (ipfw_insn *)a;
4105 cmd->len = F_INSN_SIZE(ipfw_insn_altq);
4106 cmd->opcode = O_ALTQ;
4107 fill_altq_qid(&a->qid, *av);
4117 errx(EX_USAGE, "tag and untag cannot be "
4118 "specified more than once");
4119 GET_UINT_ARG(tag, 1, 65534, i, rule_action_params);
4121 fill_cmd(cmd, O_TAG, (i == TOK_TAG) ? 0: F_NOT, tag);
4129 cmd = next_cmd(cmd);
4132 if (have_state) /* must be a check-state, we are done */
4135 #define OR_START(target) \
4136 if (ac && (*av[0] == '(' || *av[0] == '{')) { \
4138 errx(EX_USAGE, "nested \"(\" not allowed\n"); \
4141 if ( (av[0])[1] == '\0') { \
4152 strcmp(*av, ")") == 0 || \
4153 strcmp(*av, "}") == 0)) { \
4158 errx(EX_USAGE, "missing \")\"\n"); \
4162 if (ac && _substrcmp(*av, "not") == 0) { \
4163 if (cmd->len & F_NOT) \
4164 errx(EX_USAGE, "double \"not\" not allowed\n"); \
4165 cmd->len |= F_NOT; \
4169 #define OR_BLOCK(target) \
4170 if (ac && _substrcmp(*av, "or") == 0) { \
4171 if (prev == NULL || open_par == 0) \
4172 errx(EX_DATAERR, "invalid OR block"); \
4173 prev->len |= F_OR; \
4183 * MAC addresses, optional.
4184 * If we have this, we skip the part "proto from src to dst"
4185 * and jump straight to the option parsing.
4188 NEED1("missing protocol");
4189 if (_substrcmp(*av, "MAC") == 0 ||
4190 _substrcmp(*av, "mac") == 0) {
4191 ac--; av++; /* the "MAC" keyword */
4192 add_mac(cmd, ac, av); /* exits in case of errors */
4193 cmd = next_cmd(cmd);
4194 ac -= 2; av += 2; /* dst-mac and src-mac */
4196 NEED1("missing mac type");
4197 if (add_mactype(cmd, ac, av[0]))
4198 cmd = next_cmd(cmd);
4199 ac--; av++; /* any or mac-type */
4205 * protocol, mandatory
4207 OR_START(get_proto);
4209 NEED1("missing protocol");
4210 if (add_proto_compat(cmd, *av, &proto)) {
4212 if (F_LEN(cmd) != 0) {
4214 cmd = next_cmd(cmd);
4216 } else if (first_cmd != cmd) {
4217 errx(EX_DATAERR, "invalid protocol ``%s''", *av);
4220 OR_BLOCK(get_proto);
4225 if (!ac || _substrcmp(*av, "from") != 0)
4226 errx(EX_USAGE, "missing ``from''");
4230 * source IP, mandatory
4232 OR_START(source_ip);
4233 NOT_BLOCK; /* optional "not" */
4234 NEED1("missing source address");
4235 if (add_src(cmd, *av, proto)) {
4237 if (F_LEN(cmd) != 0) { /* ! any */
4239 cmd = next_cmd(cmd);
4242 errx(EX_USAGE, "bad source address %s", *av);
4243 OR_BLOCK(source_ip);
4246 * source ports, optional
4248 NOT_BLOCK; /* optional "not" */
4250 if (_substrcmp(*av, "any") == 0 ||
4251 add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
4253 if (F_LEN(cmd) != 0)
4254 cmd = next_cmd(cmd);
4261 if (!ac || _substrcmp(*av, "to") != 0)
4262 errx(EX_USAGE, "missing ``to''");
4266 * destination, mandatory
4269 NOT_BLOCK; /* optional "not" */
4270 NEED1("missing dst address");
4271 if (add_dst(cmd, *av, proto)) {
4273 if (F_LEN(cmd) != 0) { /* ! any */
4275 cmd = next_cmd(cmd);
4278 errx( EX_USAGE, "bad destination address %s", *av);
4282 * dest. ports, optional
4284 NOT_BLOCK; /* optional "not" */
4286 if (_substrcmp(*av, "any") == 0 ||
4287 add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
4289 if (F_LEN(cmd) != 0)
4290 cmd = next_cmd(cmd);
4295 if (ac && first_cmd == cmd) {
4297 * nothing specified so far, store in the rule to ease
4305 ipfw_insn_u32 *cmd32; /* alias for cmd */
4308 cmd32 = (ipfw_insn_u32 *)cmd;
4310 if (*s == '!') { /* alternate syntax for NOT */
4311 if (cmd->len & F_NOT)
4312 errx(EX_USAGE, "double \"not\" not allowed\n");
4316 i = match_token(rule_options, s);
4320 if (cmd->len & F_NOT)
4321 errx(EX_USAGE, "double \"not\" not allowed\n");
4326 if (open_par == 0 || prev == NULL)
4327 errx(EX_USAGE, "invalid \"or\" block\n");
4331 case TOK_STARTBRACE:
4333 errx(EX_USAGE, "+nested \"(\" not allowed\n");
4339 errx(EX_USAGE, "+missing \")\"\n");
4345 fill_cmd(cmd, O_IN, 0, 0);
4349 cmd->len ^= F_NOT; /* toggle F_NOT */
4350 fill_cmd(cmd, O_IN, 0, 0);
4354 fill_cmd(cmd, O_DIVERTED, 0, 3);
4357 case TOK_DIVERTEDLOOPBACK:
4358 fill_cmd(cmd, O_DIVERTED, 0, 1);
4361 case TOK_DIVERTEDOUTPUT:
4362 fill_cmd(cmd, O_DIVERTED, 0, 2);
4366 fill_cmd(cmd, O_FRAG, 0, 0);
4370 fill_cmd(cmd, O_LAYER2, 0, 0);
4376 NEED1("recv, xmit, via require interface name"
4378 fill_iface((ipfw_insn_if *)cmd, av[0]);
4380 if (F_LEN(cmd) == 0) /* not a valid address */
4383 cmd->opcode = O_XMIT;
4384 else if (i == TOK_RECV)
4385 cmd->opcode = O_RECV;
4386 else if (i == TOK_VIA)
4387 cmd->opcode = O_VIA;
4391 NEED1("icmptypes requires list of types");
4392 fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
4396 case TOK_ICMP6TYPES:
4397 NEED1("icmptypes requires list of types");
4398 fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av);
4403 NEED1("ipttl requires TTL");
4404 if (strpbrk(*av, "-,")) {
4405 if (!add_ports(cmd, *av, 0, O_IPTTL))
4406 errx(EX_DATAERR, "invalid ipttl %s", *av);
4408 fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
4413 NEED1("ipid requires id");
4414 if (strpbrk(*av, "-,")) {
4415 if (!add_ports(cmd, *av, 0, O_IPID))
4416 errx(EX_DATAERR, "invalid ipid %s", *av);
4418 fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
4423 NEED1("iplen requires length");
4424 if (strpbrk(*av, "-,")) {
4425 if (!add_ports(cmd, *av, 0, O_IPLEN))
4426 errx(EX_DATAERR, "invalid ip len %s", *av);
4428 fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
4433 NEED1("ipver requires version");
4434 fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
4438 case TOK_IPPRECEDENCE:
4439 NEED1("ipprecedence requires value");
4440 fill_cmd(cmd, O_IPPRECEDENCE, 0,
4441 (strtoul(*av, NULL, 0) & 7) << 5);
4446 NEED1("missing argument for ipoptions");
4447 fill_flags(cmd, O_IPOPT, f_ipopts, *av);
4452 NEED1("missing argument for iptos");
4453 fill_flags(cmd, O_IPTOS, f_iptos, *av);
4458 NEED1("uid requires argument");
4464 cmd->opcode = O_UID;
4465 uid = strtoul(*av, &end, 0);
4466 pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
4468 errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
4469 cmd32->d[0] = pwd->pw_uid;
4470 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4476 NEED1("gid requires argument");
4482 cmd->opcode = O_GID;
4483 gid = strtoul(*av, &end, 0);
4484 grp = (*end == '\0') ? getgrgid(gid) : getgrnam(*av);
4486 errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
4487 cmd32->d[0] = grp->gr_gid;
4488 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4494 NEED1("jail requires argument");
4499 cmd->opcode = O_JAIL;
4500 jid = (int)strtol(*av, &end, 0);
4501 if (jid < 0 || *end != '\0')
4502 errx(EX_DATAERR, "jail requires prison ID");
4503 cmd32->d[0] = (uint32_t)jid;
4504 cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
4510 fill_cmd(cmd, O_ESTAB, 0, 0);
4514 fill_cmd(cmd, O_TCPFLAGS, 0,
4515 (TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
4518 case TOK_TCPDATALEN:
4519 NEED1("tcpdatalen requires length");
4520 if (strpbrk(*av, "-,")) {
4521 if (!add_ports(cmd, *av, 0, O_TCPDATALEN))
4522 errx(EX_DATAERR, "invalid tcpdata len %s", *av);
4524 fill_cmd(cmd, O_TCPDATALEN, 0,
4525 strtoul(*av, NULL, 0));
4530 NEED1("missing argument for tcpoptions");
4531 fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
4537 NEED1("tcpseq/tcpack requires argument");
4538 cmd->len = F_INSN_SIZE(ipfw_insn_u32);
4539 cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
4540 cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
4545 NEED1("tcpwin requires length");
4546 fill_cmd(cmd, O_TCPWIN, 0,
4547 htons(strtoul(*av, NULL, 0)));
4552 NEED1("missing argument for tcpflags");
4553 cmd->opcode = O_TCPFLAGS;
4554 fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
4560 errx(EX_USAGE, "keep-state cannot be part "
4563 errx(EX_USAGE, "only one of keep-state "
4564 "and limit is allowed");
4566 fill_cmd(cmd, O_KEEP_STATE, 0, 0);
4570 ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
4575 "limit cannot be part of an or block");
4577 errx(EX_USAGE, "only one of keep-state and"
4578 "limit is allowed");
4581 cmd->len = F_INSN_SIZE(ipfw_insn_limit);
4582 cmd->opcode = O_LIMIT;
4583 c->limit_mask = c->conn_limit = 0;
4586 if ((val = match_token(limit_masks, *av)) <= 0)
4588 c->limit_mask |= val;
4592 if (c->limit_mask == 0)
4593 errx(EX_USAGE, "limit: missing limit mask");
4595 GET_UINT_ARG(c->conn_limit, 1, 65534, TOK_LIMIT,
4603 NEED1("missing protocol");
4604 if (add_proto(cmd, *av, &proto)) {
4607 errx(EX_DATAERR, "invalid protocol ``%s''",
4612 NEED1("missing source IP");
4613 if (add_srcip(cmd, *av)) {
4619 NEED1("missing destination IP");
4620 if (add_dstip(cmd, *av)) {
4626 NEED1("missing source IP6");
4627 if (add_srcip6(cmd, *av)) {
4633 NEED1("missing destination IP6");
4634 if (add_dstip6(cmd, *av)) {
4640 NEED1("missing source port");
4641 if (_substrcmp(*av, "any") == 0 ||
4642 add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
4645 errx(EX_DATAERR, "invalid source port %s", *av);
4649 NEED1("missing destination port");
4650 if (_substrcmp(*av, "any") == 0 ||
4651 add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
4654 errx(EX_DATAERR, "invalid destination port %s",
4659 if (add_mac(cmd, ac, av)) {
4665 NEED1("missing mac type");
4666 if (!add_mactype(cmd, ac, *av))
4667 errx(EX_DATAERR, "invalid mac type %s", *av);
4671 case TOK_VERREVPATH:
4672 fill_cmd(cmd, O_VERREVPATH, 0, 0);
4675 case TOK_VERSRCREACH:
4676 fill_cmd(cmd, O_VERSRCREACH, 0, 0);
4680 fill_cmd(cmd, O_ANTISPOOF, 0, 0);
4684 fill_cmd(cmd, O_IPSEC, 0, 0);
4688 fill_cmd(cmd, O_IP6, 0, 0);
4692 fill_cmd(cmd, O_IP4, 0, 0);
4696 fill_ext6hdr( cmd, *av );
4701 if (proto != IPPROTO_IPV6 )
4702 errx( EX_USAGE, "flow-id filter is active "
4703 "only for ipv6 protocol\n");
4704 fill_flow6( (ipfw_insn_u32 *) cmd, *av );
4709 fill_comment(cmd, ac, av);
4715 if (ac > 0 && strpbrk(*av, "-,")) {
4716 if (!add_ports(cmd, *av, 0, O_TAGGED))
4717 errx(EX_DATAERR, "tagged: invalid tag"
4723 GET_UINT_ARG(tag, 1, 65534, TOK_TAGGED,
4725 fill_cmd(cmd, O_TAGGED, 0, tag);
4731 errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
4733 if (F_LEN(cmd) > 0) { /* prepare to advance */
4735 cmd = next_cmd(cmd);
4741 * Now copy stuff into the rule.
4742 * If we have a keep-state option, the first instruction
4743 * must be a PROBE_STATE (which is generated here).
4744 * If we have a LOG option, it was stored as the first command,
4745 * and now must be moved to the top of the action part.
4747 dst = (ipfw_insn *)rule->cmd;
4750 * First thing to write into the command stream is the match probability.
4752 if (match_prob != 1) { /* 1 means always match */
4753 dst->opcode = O_PROB;
4755 *((int32_t *)(dst+1)) = (int32_t)(match_prob * 0x7fffffff);
4760 * generate O_PROBE_STATE if necessary
4762 if (have_state && have_state->opcode != O_CHECK_STATE) {
4763 fill_cmd(dst, O_PROBE_STATE, 0, 0);
4764 dst = next_cmd(dst);
4767 /* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
4768 for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
4771 switch (src->opcode) {
4779 bcopy(src, dst, i * sizeof(uint32_t));
4785 * put back the have_state command as last opcode
4787 if (have_state && have_state->opcode != O_CHECK_STATE) {
4788 i = F_LEN(have_state);
4789 bcopy(have_state, dst, i * sizeof(uint32_t));
4793 * start action section
4795 rule->act_ofs = dst - rule->cmd;
4797 /* put back O_LOG, O_ALTQ, O_TAG if necessary */
4799 i = F_LEN(have_log);
4800 bcopy(have_log, dst, i * sizeof(uint32_t));
4804 i = F_LEN(have_altq);
4805 bcopy(have_altq, dst, i * sizeof(uint32_t));
4809 i = F_LEN(have_tag);
4810 bcopy(have_tag, dst, i * sizeof(uint32_t));
4814 * copy all other actions
4816 for (src = (ipfw_insn *)actbuf; src != action; src += i) {
4818 bcopy(src, dst, i * sizeof(uint32_t));
4822 rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
4823 i = (char *)dst - (char *)rule;
4824 if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1)
4825 err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
4827 show_ipfw(rule, 0, 0);
4831 zero(int ac, char *av[], int optname /* IP_FW_ZERO or IP_FW_RESETLOG */)
4835 char const *name = optname == IP_FW_ZERO ? "ZERO" : "RESETLOG";
4840 /* clear all entries */
4841 if (do_cmd(optname, NULL, 0) < 0)
4842 err(EX_UNAVAILABLE, "setsockopt(IP_FW_%s)", name);
4844 printf("%s.\n", optname == IP_FW_ZERO ?
4845 "Accounting cleared":"Logging counts reset");
4852 if (isdigit(**av)) {
4853 rulenum = atoi(*av);
4856 if (do_cmd(optname, &rulenum, sizeof rulenum)) {
4857 warn("rule %u: setsockopt(IP_FW_%s)",
4859 failed = EX_UNAVAILABLE;
4860 } else if (!do_quiet)
4861 printf("Entry %d %s.\n", rulenum,
4862 optname == IP_FW_ZERO ?
4863 "cleared" : "logging count reset");
4865 errx(EX_USAGE, "invalid rule number ``%s''", *av);
4868 if (failed != EX_OK)
4875 int cmd = do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH;
4877 if (!force && !do_quiet) { /* need to ask user */
4880 printf("Are you sure? [yn] ");
4883 c = toupper(getc(stdin));
4884 while (c != '\n' && getc(stdin) != '\n')
4886 return; /* and do not flush */
4887 } while (c != 'Y' && c != 'N');
4889 if (c == 'N') /* user said no */
4892 if (do_cmd(cmd, NULL, 0) < 0)
4893 err(EX_UNAVAILABLE, "setsockopt(IP_%s_FLUSH)",
4894 do_pipe ? "DUMMYNET" : "FW");
4896 printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
4900 * Free a the (locally allocated) copy of command line arguments.
4903 free_args(int ac, char **av)
4907 for (i=0; i < ac; i++)
4913 * This one handles all table-related commands
4914 * ipfw table N add addr[/masklen] [value]
4915 * ipfw table N delete addr[/masklen]
4916 * ipfw table N flush
4920 table_handler(int ac, char *av[])
4922 ipfw_table_entry ent;
4930 if (ac && isdigit(**av)) {
4931 ent.tbl = atoi(*av);
4934 errx(EX_USAGE, "table number required");
4935 NEED1("table needs command");
4936 if (_substrcmp(*av, "add") == 0 ||
4937 _substrcmp(*av, "delete") == 0) {
4938 do_add = **av == 'a';
4941 errx(EX_USAGE, "IP address required");
4942 p = strchr(*av, '/');
4945 ent.masklen = atoi(p);
4946 if (ent.masklen > 32)
4947 errx(EX_DATAERR, "bad width ``%s''", p);
4950 if (lookup_host(*av, (struct in_addr *)&ent.addr) != 0)
4951 errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
4955 /* isdigit is a bit of a hack here.. */
4956 if (strchr(*av, (int)'.') == NULL && isdigit(**av)) {
4957 ent.value = strtoul(*av, NULL, 0);
4959 if (lookup_host(*av, (struct in_addr *)&tval) == 0) {
4960 /* The value must be stored in host order *
4961 * so that the values < 65k can be distinguished */
4962 ent.value = ntohl(tval);
4964 errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
4969 if (do_cmd(do_add ? IP_FW_TABLE_ADD : IP_FW_TABLE_DEL,
4970 &ent, sizeof(ent)) < 0) {
4971 /* If running silent, don't bomb out on these errors. */
4972 if (!(do_quiet && (errno == (do_add ? EEXIST : ESRCH))))
4973 err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)",
4974 do_add ? "ADD" : "DEL");
4975 /* In silent mode, react to a failed add by deleting */
4977 do_cmd(IP_FW_TABLE_DEL, &ent, sizeof(ent));
4978 if (do_cmd(IP_FW_TABLE_ADD,
4979 &ent, sizeof(ent)) < 0)
4981 "setsockopt(IP_FW_TABLE_ADD)");
4984 } else if (_substrcmp(*av, "flush") == 0) {
4985 if (do_cmd(IP_FW_TABLE_FLUSH, &ent.tbl, sizeof(ent.tbl)) < 0)
4986 err(EX_OSERR, "setsockopt(IP_FW_TABLE_FLUSH)");
4987 } else if (_substrcmp(*av, "list") == 0) {
4990 if (do_cmd(IP_FW_TABLE_GETSIZE, &a, (uintptr_t)&l) < 0)
4991 err(EX_OSERR, "getsockopt(IP_FW_TABLE_GETSIZE)");
4992 l = sizeof(*tbl) + a * sizeof(ipfw_table_entry);
4995 err(EX_OSERR, "malloc");
4997 if (do_cmd(IP_FW_TABLE_LIST, tbl, (uintptr_t)&l) < 0)
4998 err(EX_OSERR, "getsockopt(IP_FW_TABLE_LIST)");
4999 for (a = 0; a < tbl->cnt; a++) {
5000 /* Heuristic to print it the right way */
5001 /* values < 64k are printed as numbers */
5003 tval = tbl->ent[a].value;
5004 if (tval > 0xffff) {
5006 strncpy(tbuf, inet_ntoa(*(struct in_addr *)
5007 &tbl->ent[a].addr), 127);
5008 /* inet_ntoa expects host order */
5010 printf("%s/%u %s\n", tbuf, tbl->ent[a].masklen,
5011 inet_ntoa(*(struct in_addr *)&tval));
5013 printf("%s/%u %u\n",
5014 inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr),
5015 tbl->ent[a].masklen, tbl->ent[a].value);
5019 errx(EX_USAGE, "invalid table command %s", *av);
5023 * Called with the arguments (excluding program name).
5024 * Returns 0 if successful, 1 if empty command, errx() in case of errors.
5027 ipfw_main(int oldac, char **oldav)
5029 int ch, ac, save_ac;
5030 char **av, **save_av;
5031 int do_acct = 0; /* Show packet/byte count */
5033 #define WHITESP " \t\f\v\n\r"
5036 else if (oldac == 1) {
5038 * If we are called with a single string, try to split it into
5039 * arguments for subsequent parsing.
5040 * But first, remove spaces after a ',', by copying the string
5043 char *arg = oldav[0]; /* The string... */
5044 int l = strlen(arg);
5045 int copy = 0; /* 1 if we need to copy, 0 otherwise */
5047 for (i = j = 0; i < l; i++) {
5048 if (arg[i] == '#') /* comment marker */
5052 copy = !index("," WHITESP, arg[i]);
5054 copy = !index(WHITESP, arg[i]);
5059 if (!copy && j > 0) /* last char was a 'blank', remove it */
5061 l = j; /* the new argument length */
5063 if (l == 0) /* empty string! */
5067 * First, count number of arguments. Because of the previous
5068 * processing, this is just the number of blanks plus 1.
5070 for (i = 0, ac = 1; i < l; i++)
5071 if (index(WHITESP, arg[i]) != NULL)
5074 av = calloc(ac, sizeof(char *));
5077 * Second, copy arguments from cmd[] to av[]. For each one,
5078 * j is the initial character, i is the one past the end.
5080 for (ac = 0, i = j = 0; i < l; i++)
5081 if (index(WHITESP, arg[i]) != NULL || i == l-1) {
5084 av[ac] = calloc(i-j+1, 1);
5085 bcopy(arg+j, av[ac], i-j);
5091 * If an argument ends with ',' join with the next one.
5095 av = calloc(oldac, sizeof(char *));
5096 for (first = i = ac = 0, l = 0; i < oldac; i++) {
5097 char *arg = oldav[i];
5098 int k = strlen(arg);
5101 if (arg[k-1] != ',' || i == oldac-1) {
5103 av[ac] = calloc(l+1, 1);
5104 for (l=0; first <= i; first++) {
5105 strcat(av[ac]+l, oldav[first]);
5106 l += strlen(oldav[first]);
5115 /* Set the force flag for non-interactive processes */
5117 do_force = !isatty(STDIN_FILENO);
5119 /* Save arguments for final freeing of memory. */
5123 optind = optreset = 0;
5124 while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
5151 case 'h': /* help */
5152 free_args(save_ac, save_av);
5154 break; /* NOTREACHED */
5168 case 's': /* sort */
5169 do_sort = atoi(optarg);
5181 do_time = 2; /* numeric timestamp */
5184 case 'v': /* verbose */
5189 free_args(save_ac, save_av);
5195 NEED1("bad arguments, for usage summary ``ipfw''");
5198 * An undocumented behaviour of ipfw1 was to allow rule numbers first,
5199 * e.g. "100 add allow ..." instead of "add 100 allow ...".
5200 * In case, swap first and second argument to get the normal form.
5202 if (ac > 1 && isdigit(*av[0])) {
5210 * optional: pipe or queue
5213 if (_substrcmp(*av, "pipe") == 0)
5215 else if (_substrcmp(*av, "queue") == 0)
5221 NEED1("missing command");
5224 * For pipes and queues we normally say 'pipe NN config'
5225 * but the code is easier to parse as 'pipe config NN'
5226 * so we swap the two arguments.
5228 if (do_pipe > 0 && ac > 1 && isdigit(*av[0])) {
5235 if (_substrcmp(*av, "add") == 0)
5237 else if (do_pipe && _substrcmp(*av, "config") == 0)
5238 config_pipe(ac, av);
5239 else if (_substrcmp(*av, "delete") == 0)
5241 else if (_substrcmp(*av, "flush") == 0)
5243 else if (_substrcmp(*av, "zero") == 0)
5244 zero(ac, av, IP_FW_ZERO);
5245 else if (_substrcmp(*av, "resetlog") == 0)
5246 zero(ac, av, IP_FW_RESETLOG);
5247 else if (_substrcmp(*av, "print") == 0 ||
5248 _substrcmp(*av, "list") == 0)
5249 list(ac, av, do_acct);
5250 else if (_substrcmp(*av, "set") == 0)
5251 sets_handler(ac, av);
5252 else if (_substrcmp(*av, "table") == 0)
5253 table_handler(ac, av);
5254 else if (_substrcmp(*av, "enable") == 0)
5255 sysctl_handler(ac, av, 1);
5256 else if (_substrcmp(*av, "disable") == 0)
5257 sysctl_handler(ac, av, 0);
5258 else if (_substrcmp(*av, "show") == 0)
5259 list(ac, av, 1 /* show counters */);
5261 errx(EX_USAGE, "bad command `%s'", *av);
5263 /* Free memory allocated in the argument parsing. */
5264 free_args(save_ac, save_av);
5270 ipfw_readfile(int ac, char *av[])
5274 char *cmd = NULL, *filename = av[ac-1];
5279 filename = av[ac-1];
5281 while ((c = getopt(ac, av, "cfNnp:qS")) != -1) {
5302 * Skip previous args and delete last one, so we
5303 * pass all but the last argument to the preprocessor
5309 fprintf(stderr, "command is %s\n", av[0]);
5321 errx(EX_USAGE, "bad arguments, for usage"
5322 " summary ``ipfw''");
5329 if (cmd == NULL && ac != optind + 1) {
5330 fprintf(stderr, "ac %d, optind %d\n", ac, optind);
5331 errx(EX_USAGE, "extraneous filename arguments");
5334 if ((f = fopen(filename, "r")) == NULL)
5335 err(EX_UNAVAILABLE, "fopen: %s", filename);
5337 if (cmd != NULL) { /* pipe through preprocessor */
5340 if (pipe(pipedes) == -1)
5341 err(EX_OSERR, "cannot create pipe");
5345 err(EX_OSERR, "cannot fork");
5349 * Child, will run the preprocessor with the
5350 * file on stdin and the pipe on stdout.
5352 if (dup2(fileno(f), 0) == -1
5353 || dup2(pipedes[1], 1) == -1)
5354 err(EX_OSERR, "dup2()");
5359 err(EX_OSERR, "execvp(%s) failed", cmd);
5360 } else { /* parent, will reopen f as the pipe */
5363 if ((f = fdopen(pipedes[0], "r")) == NULL) {
5364 int savederrno = errno;
5366 (void)kill(preproc, SIGTERM);
5368 err(EX_OSERR, "fdopen()");
5373 while (fgets(buf, BUFSIZ, f)) { /* read commands */
5378 sprintf(linename, "Line %d", lineno);
5379 setprogname(linename); /* XXX */
5387 if (waitpid(preproc, &status, 0) == -1)
5388 errx(EX_OSERR, "waitpid()");
5389 if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
5390 errx(EX_UNAVAILABLE,
5391 "preprocessor exited with status %d",
5392 WEXITSTATUS(status));
5393 else if (WIFSIGNALED(status))
5394 errx(EX_UNAVAILABLE,
5395 "preprocessor exited with signal %d",
5401 main(int ac, char *av[])
5404 * If the last argument is an absolute pathname, interpret it
5405 * as a file to be preprocessed.
5408 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
5409 ipfw_readfile(ac, av);
5411 if (ipfw_main(ac-1, av+1))