2 * Copyright (c) 2014 Yandex LLC
3 * Copyright (c) 2014 Alexander V. Chernikov
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
12 * This software is provided ``AS IS'' without any warranties of any kind.
14 * in-kernel ipfw tables support.
20 #include <sys/types.h>
21 #include <sys/param.h>
22 #include <sys/socket.h>
23 #include <sys/sysctl.h>
35 #include <netinet/in.h>
36 #include <netinet/ip_fw.h>
37 #include <arpa/inet.h>
41 static void table_modify_record(ipfw_obj_header *oh, int ac, char *av[],
42 int add, int quiet, int update, int atomic);
43 static int table_flush(ipfw_obj_header *oh);
44 static int table_destroy(ipfw_obj_header *oh);
45 static int table_do_create(ipfw_obj_header *oh, ipfw_xtable_info *i);
46 static int table_do_modify(ipfw_obj_header *oh, ipfw_xtable_info *i);
47 static int table_do_swap(ipfw_obj_header *oh, char *second);
48 static void table_create(ipfw_obj_header *oh, int ac, char *av[]);
49 static void table_modify(ipfw_obj_header *oh, int ac, char *av[]);
50 static void table_lookup(ipfw_obj_header *oh, int ac, char *av[]);
51 static void table_lock(ipfw_obj_header *oh, int lock);
52 static int table_swap(ipfw_obj_header *oh, char *second);
53 static int table_get_info(ipfw_obj_header *oh, ipfw_xtable_info *i);
54 static int table_show_info(ipfw_xtable_info *i, void *arg);
55 static void table_fill_ntlv(ipfw_obj_ntlv *ntlv, char *name, uint32_t set,
58 static int table_flush_one(ipfw_xtable_info *i, void *arg);
59 static int table_show_one(ipfw_xtable_info *i, void *arg);
60 static int table_do_get_list(ipfw_xtable_info *i, ipfw_obj_header **poh);
61 static void table_show_list(ipfw_obj_header *oh, int need_header);
62 static void table_show_entry(ipfw_xtable_info *i, ipfw_obj_tentry *tent);
64 static void tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent,
65 char *key, int add, uint8_t *ptype, uint32_t *pvmask, ipfw_xtable_info *xi);
66 static void tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent,
67 char *arg, uint8_t type, uint32_t vmask);
68 static void table_show_value(char *buf, size_t bufsize, ipfw_table_value *v,
69 uint32_t vmask, int print_ip);
71 typedef int (table_cb_t)(ipfw_xtable_info *i, void *arg);
72 static int tables_foreach(table_cb_t *f, void *arg, int sort);
75 #define s6_addr32 __u6_addr.__u6_addr32
78 static struct _s_x tabletypes[] = {
79 { "addr", IPFW_TABLE_ADDR },
80 { "iface", IPFW_TABLE_INTERFACE },
81 { "number", IPFW_TABLE_NUMBER },
82 { "flow", IPFW_TABLE_FLOW },
86 static struct _s_x tablevaltypes[] = {
87 { "skipto", IPFW_VTYPE_SKIPTO },
88 { "pipe", IPFW_VTYPE_PIPE },
89 { "fib", IPFW_VTYPE_FIB },
90 { "nat", IPFW_VTYPE_NAT },
91 { "dscp", IPFW_VTYPE_DSCP },
92 { "tag", IPFW_VTYPE_TAG },
93 { "divert", IPFW_VTYPE_DIVERT },
94 { "netgraph", IPFW_VTYPE_NETGRAPH },
95 { "limit", IPFW_VTYPE_LIMIT },
96 { "ipv4", IPFW_VTYPE_NH4 },
97 { "ipv6", IPFW_VTYPE_NH6 },
101 static struct _s_x tablecmds[] = {
103 { "delete", TOK_DEL },
104 { "create", TOK_CREATE },
105 { "destroy", TOK_DESTROY },
106 { "flush", TOK_FLUSH },
107 { "modify", TOK_MODIFY },
108 { "swap", TOK_SWAP },
109 { "info", TOK_INFO },
110 { "detail", TOK_DETAIL },
111 { "list", TOK_LIST },
112 { "lookup", TOK_LOOKUP },
113 { "atomic", TOK_ATOMIC },
114 { "lock", TOK_LOCK },
115 { "unlock", TOK_UNLOCK },
120 lookup_host (char *host, struct in_addr *ipaddr)
124 if (!inet_aton(host, ipaddr)) {
125 if ((he = gethostbyname(host)) == NULL)
127 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
133 get_token(struct _s_x *table, char *string, char *errbase)
137 if ((tcmd = match_token_relaxed(table, string)) < 0)
138 errx(EX_USAGE, "%s %s %s",
139 (tcmd == 0) ? "invalid" : "ambiguous", errbase, string);
145 * This one handles all table-related commands
146 * ipfw table NAME create ...
147 * ipfw table NAME modify ...
148 * ipfw table NAME destroy
149 * ipfw table NAME swap NAME
150 * ipfw table NAME lock
151 * ipfw table NAME unlock
152 * ipfw table NAME add addr[/masklen] [value]
153 * ipfw table NAME add [addr[/masklen] value] [addr[/masklen] value] ..
154 * ipfw table NAME delete addr[/masklen] [addr[/masklen]] ..
155 * ipfw table NAME lookup addr
156 * ipfw table {NAME | all} flush
157 * ipfw table {NAME | all} list
158 * ipfw table {NAME | all} info
159 * ipfw table {NAME | all} detail
162 ipfw_table_handler(int ac, char *av[])
165 int atomic, error, tcmd;
172 memset(&oh, 0, sizeof(oh));
175 set = co.use_set - 1;
180 NEED1("table needs name");
183 if (table_check_name(tablename) == 0) {
184 table_fill_ntlv(&oh.ntlv, *av, set, 1);
187 if (strcmp(tablename, "all") == 0)
190 errx(EX_USAGE, "table name %s is invalid", tablename);
193 NEED1("table needs command");
195 tcmd = get_token(tablecmds, *av, "table command");
196 /* Check if atomic operation was requested */
198 if (tcmd == TOK_ATOMIC) {
200 NEED1("atomic needs command");
201 tcmd = get_token(tablecmds, *av, "table command");
206 errx(EX_USAGE, "atomic is not compatible with %s", *av);
219 errx(EX_USAGE, "table name required");
225 do_add = **av == 'a';
227 table_modify_record(&oh, ac, av, do_add, co.do_quiet,
228 co.do_quiet, atomic);
232 table_create(&oh, ac, av);
236 table_modify(&oh, ac, av);
239 if (table_destroy(&oh) != 0)
240 err(EX_OSERR, "failed to destroy table %s", tablename);
244 if ((error = table_flush(&oh)) != 0)
245 err(EX_OSERR, "failed to flush table %s info",
248 error = tables_foreach(table_flush_one, &oh, 1);
250 err(EX_OSERR, "failed to flush tables list");
255 NEED1("second table name required");
256 table_swap(&oh, *av);
260 table_lock(&oh, (tcmd == TOK_LOCK));
264 arg = (tcmd == TOK_DETAIL) ? (void *)1 : NULL;
266 if ((error = table_get_info(&oh, &i)) != 0)
267 err(EX_OSERR, "failed to request table info");
268 table_show_info(&i, arg);
270 error = tables_foreach(table_show_info, arg, 1);
272 err(EX_OSERR, "failed to request tables list");
278 if ((error = table_get_info(&oh, &i)) != 0)
279 err(EX_OSERR, "failed to request table info");
280 table_show_one(&i, NULL);
282 error = tables_foreach(table_show_one, NULL, 1);
284 err(EX_OSERR, "failed to request tables list");
289 table_lookup(&oh, ac, av);
295 table_fill_ntlv(ipfw_obj_ntlv *ntlv, char *name, uint32_t set, uint16_t uidx)
298 ntlv->head.type = IPFW_TLV_TBL_NAME;
299 ntlv->head.length = sizeof(ipfw_obj_ntlv);
302 strlcpy(ntlv->name, name, sizeof(ntlv->name));
306 table_fill_objheader(ipfw_obj_header *oh, ipfw_xtable_info *i)
310 table_fill_ntlv(&oh->ntlv, i->tablename, i->set, 1);
313 static struct _s_x tablenewcmds[] = {
314 { "type", TOK_TYPE },
315 { "valtype", TOK_VALTYPE },
316 { "algo", TOK_ALGO },
317 { "limit", TOK_LIMIT },
318 { "locked", TOK_LOCK },
322 static struct _s_x flowtypecmds[] = {
323 { "src-ip", IPFW_TFFLAG_SRCIP },
324 { "proto", IPFW_TFFLAG_PROTO },
325 { "src-port", IPFW_TFFLAG_SRCPORT },
326 { "dst-ip", IPFW_TFFLAG_DSTIP },
327 { "dst-port", IPFW_TFFLAG_DSTPORT },
332 table_parse_type(uint8_t ttype, char *p, uint8_t *tflags)
334 uint32_t fset, fclear;
337 /* Parse type options */
339 case IPFW_TABLE_FLOW:
341 if (fill_flags(flowtypecmds, p, &e, &fset, &fclear) != 0)
343 "unable to parse flow option %s", e);
354 table_print_type(char *tbuf, size_t size, uint8_t type, uint8_t tflags)
359 if ((tname = match_value(tabletypes, type)) == NULL)
362 l = snprintf(tbuf, size, "%s", tname);
367 case IPFW_TABLE_FLOW:
371 print_flags_buffer(tbuf, size, flowtypecmds, tflags);
380 * ipfw table NAME create [ type { addr | iface | number | flow } ]
384 table_create(ipfw_obj_header *oh, int ac, char *av[])
387 int error, tcmd, val;
388 uint32_t fset, fclear;
394 memset(&xi, 0, sizeof(xi));
397 tcmd = get_token(tablenewcmds, *av, "option");
402 NEED1("limit value required");
403 xi.limit = strtol(*av, NULL, 10);
407 NEED1("table type required");
408 /* Type may have suboptions after ':' */
409 if ((p = strchr(*av, ':')) != NULL)
411 val = match_token(tabletypes, *av);
413 concat_tokens(tbuf, sizeof(tbuf), tabletypes,
416 "Unknown tabletype: %s. Supported: %s",
421 error = table_parse_type(val, p, &xi.tflags);
424 "Unsupported suboptions: %s", p);
429 NEED1("table value type required");
431 val = fill_flags(tablevaltypes, *av, &e, &fset, &fclear);
437 concat_tokens(tbuf, sizeof(tbuf), tablevaltypes, ", ");
438 errx(EX_USAGE, "Unknown value type: %s. Supported: %s",
442 NEED1("table algorithm name required");
443 if (strlen(*av) > sizeof(xi.algoname))
444 errx(EX_USAGE, "algorithm name too long");
445 strlcpy(xi.algoname, *av, sizeof(xi.algoname));
449 xi.flags |= IPFW_TGFLAGS_LOCKED;
454 /* Set some defaults to preserve compability */
455 if (xi.algoname[0] == '\0' && xi.type == 0)
456 xi.type = IPFW_TABLE_ADDR;
458 xi.vmask = IPFW_VTYPE_LEGACY;
460 if ((error = table_do_create(oh, &xi)) != 0)
461 err(EX_OSERR, "Table creation failed");
467 * Request: [ ipfw_obj_header ipfw_xtable_info ]
469 * Returns 0 on success.
472 table_do_create(ipfw_obj_header *oh, ipfw_xtable_info *i)
474 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
477 memcpy(tbuf, oh, sizeof(*oh));
478 memcpy(tbuf + sizeof(*oh), i, sizeof(*i));
479 oh = (ipfw_obj_header *)tbuf;
481 error = do_set3(IP_FW_TABLE_XCREATE, &oh->opheader, sizeof(tbuf));
487 * Modifies existing table
489 * ipfw table NAME modify [ limit number ]
492 table_modify(ipfw_obj_header *oh, int ac, char *av[])
500 memset(&xi, 0, sizeof(xi));
503 tcmd = get_token(tablenewcmds, *av, "option");
508 NEED1("limit value required");
509 xi.limit = strtol(*av, NULL, 10);
510 xi.mflags |= IPFW_TMFLAGS_LIMIT;
514 errx(EX_USAGE, "cmd is not supported for modificatiob");
518 if (table_do_modify(oh, &xi) != 0)
519 err(EX_OSERR, "Table modification failed");
523 * Modifies existing table.
525 * Request: [ ipfw_obj_header ipfw_xtable_info ]
527 * Returns 0 on success.
530 table_do_modify(ipfw_obj_header *oh, ipfw_xtable_info *i)
532 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
535 memcpy(tbuf, oh, sizeof(*oh));
536 memcpy(tbuf + sizeof(*oh), i, sizeof(*i));
537 oh = (ipfw_obj_header *)tbuf;
539 error = do_set3(IP_FW_TABLE_XMODIFY, &oh->opheader, sizeof(tbuf));
545 * Locks or unlocks given table
548 table_lock(ipfw_obj_header *oh, int lock)
552 memset(&xi, 0, sizeof(xi));
554 xi.mflags |= IPFW_TMFLAGS_LOCK;
555 xi.flags |= (lock != 0) ? IPFW_TGFLAGS_LOCKED : 0;
557 if (table_do_modify(oh, &xi) != 0)
558 err(EX_OSERR, "Table %s failed", lock != 0 ? "lock" : "unlock");
562 * Destroys given table specified by @oh->ntlv.
563 * Returns 0 on success.
566 table_destroy(ipfw_obj_header *oh)
569 if (do_set3(IP_FW_TABLE_XDESTROY, &oh->opheader, sizeof(*oh)) != 0)
576 * Flushes given table specified by @oh->ntlv.
577 * Returns 0 on success.
580 table_flush(ipfw_obj_header *oh)
583 if (do_set3(IP_FW_TABLE_XFLUSH, &oh->opheader, sizeof(*oh)) != 0)
590 table_do_swap(ipfw_obj_header *oh, char *second)
592 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ntlv)];
595 memset(tbuf, 0, sizeof(tbuf));
596 memcpy(tbuf, oh, sizeof(*oh));
597 oh = (ipfw_obj_header *)tbuf;
598 table_fill_ntlv((ipfw_obj_ntlv *)(oh + 1), second, oh->ntlv.set, 1);
600 error = do_set3(IP_FW_TABLE_XSWAP, &oh->opheader, sizeof(tbuf));
606 * Swaps given table with @second one.
609 table_swap(ipfw_obj_header *oh, char *second)
613 if (table_check_name(second) != 0)
614 errx(EX_USAGE, "table name %s is invalid", second);
616 error = table_do_swap(oh, second);
620 errx(EX_USAGE, "Unable to swap table: check types");
622 errx(EX_USAGE, "Unable to swap table: check limits");
630 * Retrieves table in given table specified by @oh->ntlv.
632 * Returns 0 on success.
635 table_get_info(ipfw_obj_header *oh, ipfw_xtable_info *i)
637 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
641 memset(tbuf, 0, sizeof(tbuf));
642 memcpy(tbuf, oh, sizeof(*oh));
643 oh = (ipfw_obj_header *)tbuf;
645 if (do_get3(IP_FW_TABLE_XINFO, &oh->opheader, &sz) != 0)
648 if (sz < sizeof(tbuf))
651 *i = *(ipfw_xtable_info *)(oh + 1);
656 static struct _s_x tablealgoclass[] = {
657 { "hash", IPFW_TACLASS_HASH },
658 { "array", IPFW_TACLASS_ARRAY },
659 { "radix", IPFW_TACLASS_RADIX },
673 * Print global/per-AF table @i algorithm info.
676 table_show_tainfo(ipfw_xtable_info *i, struct ta_cldata *d,
677 const char *af, const char *taclass)
680 switch (d->taclass) {
681 case IPFW_TACLASS_HASH:
682 case IPFW_TACLASS_ARRAY:
683 printf(" %salgorithm %s info\n", af, taclass);
684 if (d->itemsize == d->itemsize6)
685 printf(" size: %u items: %u itemsize: %u\n",
686 d->size, d->count, d->itemsize);
688 printf(" size: %u items: %u "
689 "itemsize4: %u itemsize6: %u\n",
691 d->itemsize, d->itemsize6);
693 case IPFW_TACLASS_RADIX:
694 printf(" %salgorithm %s info\n", af, taclass);
695 if (d->itemsize == d->itemsize6)
696 printf(" items: %u itemsize: %u\n",
697 d->count, d->itemsize);
700 "itemsize4: %u itemsize6: %u\n",
701 d->count, d->itemsize, d->itemsize6);
704 printf(" algo class: %s\n", taclass);
709 table_print_valheader(char *buf, size_t bufsize, uint32_t vmask)
712 if (vmask == IPFW_VTYPE_LEGACY) {
713 snprintf(buf, bufsize, "legacy");
717 print_flags_buffer(buf, bufsize, tablevaltypes, vmask);
721 * Prints table info struct @i in human-readable form.
724 table_show_info(ipfw_xtable_info *i, void *arg)
727 ipfw_ta_tinfo *tainfo;
730 char ttype[64], tvtype[64];
732 table_print_type(ttype, sizeof(ttype), i->type, i->tflags);
733 table_print_valheader(tvtype, sizeof(tvtype), i->vmask);
735 printf("--- table(%s), set(%u) ---\n", i->tablename, i->set);
736 if ((i->flags & IPFW_TGFLAGS_LOCKED) != 0)
737 printf(" kindex: %d, type: %s, locked\n", i->kidx, ttype);
739 printf(" kindex: %d, type: %s\n", i->kidx, ttype);
740 printf(" references: %u, valtype: %s\n", i->refcnt, tvtype);
741 printf(" algorithm: %s\n", i->algoname);
742 printf(" items: %u, size: %u\n", i->count, i->size);
744 printf(" limit: %u\n", i->limit);
746 /* Print algo-specific info if requested & set */
750 if ((i->ta_info.flags & IPFW_TATFLAGS_DATA) == 0)
752 tainfo = &i->ta_info;
756 if (tainfo->flags & IPFW_TATFLAGS_AFDATA)
758 if (tainfo->flags & IPFW_TATFLAGS_AFITEM)
761 memset(&d, 0, sizeof(d));
762 d.taclass = tainfo->taclass4;
763 d.size = tainfo->size4;
764 d.count = tainfo->count4;
765 d.itemsize = tainfo->itemsize4;
766 if (afdata == 0 && afitem != 0)
767 d.itemsize6 = tainfo->itemsize6;
769 d.itemsize6 = d.itemsize;
770 if ((vtype = match_value(tablealgoclass, d.taclass)) == NULL)
774 table_show_tainfo(i, &d, "", vtype);
776 table_show_tainfo(i, &d, "IPv4 ", vtype);
777 memset(&d, 0, sizeof(d));
778 d.taclass = tainfo->taclass6;
779 if ((vtype = match_value(tablealgoclass, d.taclass)) == NULL)
781 d.size = tainfo->size6;
782 d.count = tainfo->count6;
783 d.itemsize = tainfo->itemsize6;
784 d.itemsize6 = d.itemsize;
785 table_show_tainfo(i, &d, "IPv6 ", vtype);
793 * Function wrappers which can be used either
794 * as is or as foreach function parameter.
798 table_show_one(ipfw_xtable_info *i, void *arg)
803 if ((error = table_do_get_list(i, &oh)) != 0) {
804 err(EX_OSERR, "Error requesting table %s list", i->tablename);
808 table_show_list(oh, 1);
815 table_flush_one(ipfw_xtable_info *i, void *arg)
819 oh = (ipfw_obj_header *)arg;
821 table_fill_ntlv(&oh->ntlv, i->tablename, i->set, 1);
823 return (table_flush(oh));
827 table_do_modify_record(int cmd, ipfw_obj_header *oh,
828 ipfw_obj_tentry *tent, int count, int atomic)
831 ipfw_obj_tentry *tent_base;
833 char xbuf[sizeof(*oh) + sizeof(ipfw_obj_ctlv) + sizeof(*tent)];
837 sz = sizeof(*ctlv) + sizeof(*tent) * count;
839 memset(xbuf, 0, sizeof(xbuf));
842 if ((pbuf = calloc(1, sizeof(*oh) + sz)) == NULL)
846 memcpy(pbuf, oh, sizeof(*oh));
847 oh = (ipfw_obj_header *)pbuf;
848 oh->opheader.version = 1;
850 ctlv = (ipfw_obj_ctlv *)(oh + 1);
852 ctlv->head.length = sz;
854 ctlv->flags |= IPFW_CTF_ATOMIC;
857 memcpy(ctlv + 1, tent, sizeof(*tent) * count);
858 tent = (ipfw_obj_tentry *)(ctlv + 1);
859 for (i = 0; i < count; i++, tent++) {
860 tent->head.length = sizeof(ipfw_obj_tentry);
865 error = do_get3(cmd, &oh->opheader, &sz);
866 tent = (ipfw_obj_tentry *)(ctlv + 1);
867 /* Copy result back to provided buffer */
868 memcpy(tent_base, ctlv + 1, sizeof(*tent) * count);
877 table_modify_record(ipfw_obj_header *oh, int ac, char *av[], int add,
878 int quiet, int update, int atomic)
880 ipfw_obj_tentry *ptent, tent, *tent_buf;
884 int cmd, count, error, i, ignored;
885 char *texterr, *etxt, *px;
888 errx(EX_USAGE, "address required");
891 cmd = IP_FW_TABLE_XADD;
892 texterr = "Adding record failed";
894 cmd = IP_FW_TABLE_XDEL;
895 texterr = "Deleting record failed";
899 * Calculate number of entries:
900 * Assume [key val] x N for add
904 count = (add != 0) ? ac / 2 + 1 : ac;
907 /* Adding single entry with/without value */
908 memset(&tent, 0, sizeof(tent));
912 if ((tent_buf = calloc(count, sizeof(tent))) == NULL)
914 "Unable to allocate memory for all entries");
918 memset(&xi, 0, sizeof(xi));
921 tentry_fill_key(oh, ptent, *av, add, &type, &vmask, &xi);
924 * compability layer: auto-create table if not exists
926 if (xi.tablename[0] == '\0') {
929 strlcpy(xi.tablename, oh->ntlv.name,
930 sizeof(xi.tablename));
931 fprintf(stderr, "DEPRECATED: inserting data info "
932 "non-existent table %s. (auto-created)\n",
934 table_do_create(oh, &xi);
937 oh->ntlv.type = type;
940 if (add != 0 && ac > 0) {
941 tentry_fill_value(oh, ptent, *av, type, vmask);
946 ptent->head.flags |= IPFW_TF_UPDATE;
952 error = table_do_modify_record(cmd, oh, tent_buf, count, atomic);
957 * Compatibility stuff: do not yell on duplicate keys or
960 if (error == 0 || (error == EEXIST && add != 0) ||
961 (error == ENOENT && add == 0)) {
963 if (tent_buf != &tent)
969 /* Report results back */
971 for (i = 0; i < count; ptent++, i++) {
973 switch (ptent->result) {
977 case IPFW_TR_DELETED:
980 case IPFW_TR_UPDATED:
991 case IPFW_TR_NOTFOUND:
999 case IPFW_TR_IGNORED:
1008 if (error != 0 && atomic != 0 && ignored == 0)
1009 printf("%s(reverted): ", px);
1013 table_show_entry(&xi, ptent);
1016 if (tent_buf != &tent)
1021 /* Get real OS error */
1024 /* Try to provide more human-readable error */
1027 etxt = "record already exists";
1033 etxt = "table not found";
1036 etxt = "record not found";
1039 etxt = "table is locked";
1042 etxt = strerror(error);
1045 errx(EX_OSERR, "%s: %s", texterr, etxt);
1049 table_do_lookup(ipfw_obj_header *oh, char *key, ipfw_xtable_info *xi,
1050 ipfw_obj_tentry *xtent)
1052 char xbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_obj_tentry)];
1053 ipfw_obj_tentry *tent;
1058 memcpy(xbuf, oh, sizeof(*oh));
1059 oh = (ipfw_obj_header *)xbuf;
1060 tent = (ipfw_obj_tentry *)(oh + 1);
1062 memset(tent, 0, sizeof(*tent));
1063 tent->head.length = sizeof(*tent);
1066 tentry_fill_key(oh, tent, key, 0, &type, &vmask, xi);
1067 oh->ntlv.type = type;
1070 if (do_get3(IP_FW_TABLE_XFIND, &oh->opheader, &sz) != 0)
1073 if (sz < sizeof(xbuf))
1082 table_lookup(ipfw_obj_header *oh, int ac, char *av[])
1084 ipfw_obj_tentry xtent;
1085 ipfw_xtable_info xi;
1090 errx(EX_USAGE, "address required");
1092 strlcpy(key, *av, sizeof(key));
1094 memset(&xi, 0, sizeof(xi));
1095 error = table_do_lookup(oh, key, &xi, &xtent);
1101 errx(EX_UNAVAILABLE, "Table %s not found", oh->ntlv.name);
1103 errx(EX_UNAVAILABLE, "Entry %s not found", *av);
1105 errx(EX_UNAVAILABLE, "Table %s algo does not support "
1106 "\"lookup\" method", oh->ntlv.name);
1108 err(EX_OSERR, "getsockopt(IP_FW_TABLE_XFIND)");
1111 table_show_entry(&xi, &xtent);
1115 tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
1120 struct in6_addr *paddr, tmp;
1121 struct tflow_entry *tfe;
1122 uint32_t key, *pkey;
1124 struct protoent *pent;
1125 struct servent *sent;
1130 paddr = (struct in6_addr *)&tentry->k;
1133 case IPFW_TABLE_ADDR:
1134 /* Remove / if exists */
1135 if ((p = strchr(arg, '/')) != NULL) {
1140 if (inet_pton(AF_INET, arg, paddr) == 1) {
1141 if (p != NULL && mask > 32)
1142 errx(EX_DATAERR, "bad IPv4 mask width: %s",
1145 masklen = p ? mask : 32;
1147 } else if (inet_pton(AF_INET6, arg, paddr) == 1) {
1148 if (IN6_IS_ADDR_V4COMPAT(paddr))
1150 "Use IPv4 instead of v4-compatible");
1151 if (p != NULL && mask > 128)
1152 errx(EX_DATAERR, "bad IPv6 mask width: %s",
1155 masklen = p ? mask : 128;
1159 if (lookup_host(arg, (struct in_addr *)paddr) != 0)
1160 errx(EX_NOHOST, "hostname ``%s'' unknown", arg);
1163 type = IPFW_TABLE_ADDR;
1167 case IPFW_TABLE_INTERFACE:
1168 /* Assume interface name. Copy significant data only */
1169 mask = MIN(strlen(arg), IF_NAMESIZE - 1);
1170 memcpy(paddr, arg, mask);
1171 /* Set mask to exact match */
1172 masklen = 8 * IF_NAMESIZE;
1174 case IPFW_TABLE_NUMBER:
1175 /* Port or any other key */
1176 key = strtol(arg, &p, 10);
1178 errx(EX_DATAERR, "Invalid number: %s", arg);
1180 pkey = (uint32_t *)paddr;
1184 case IPFW_TABLE_FLOW:
1185 /* Assume [src-ip][,proto][,src-port][,dst-ip][,dst-port] */
1186 tfe = &tentry->k.flow;
1189 /* Handle <ipv4|ipv6> */
1190 if ((tflags & IPFW_TFFLAG_SRCIP) != 0) {
1191 if ((p = strchr(arg, ',')) != NULL)
1193 /* Determine family using temporary storage */
1194 if (inet_pton(AF_INET, arg, &tmp) == 1) {
1195 if (af != 0 && af != AF_INET)
1197 "Inconsistent address family\n");
1199 memcpy(&tfe->a.a4.sip, &tmp, 4);
1200 } else if (inet_pton(AF_INET6, arg, &tmp) == 1) {
1201 if (af != 0 && af != AF_INET6)
1203 "Inconsistent address family\n");
1205 memcpy(&tfe->a.a6.sip6, &tmp, 16);
1211 /* Handle <proto-num|proto-name> */
1212 if ((tflags & IPFW_TFFLAG_PROTO) != 0) {
1214 errx(EX_DATAERR, "invalid key: proto missing");
1215 if ((p = strchr(arg, ',')) != NULL)
1218 key = strtol(arg, &pp, 10);
1220 if ((pent = getprotobyname(arg)) == NULL)
1221 errx(EX_DATAERR, "Unknown proto: %s",
1224 key = pent->p_proto;
1228 errx(EX_DATAERR, "Bad protocol number: %u",key);
1235 /* Handle <port-num|service-name> */
1236 if ((tflags & IPFW_TFFLAG_SRCPORT) != 0) {
1238 errx(EX_DATAERR, "invalid key: src port missing");
1239 if ((p = strchr(arg, ',')) != NULL)
1242 if ((port = htons(strtol(arg, NULL, 10))) == 0) {
1243 if ((sent = getservbyname(arg, NULL)) == NULL)
1244 errx(EX_DATAERR, "Unknown service: %s",
1255 /* Handle <ipv4|ipv6>*/
1256 if ((tflags & IPFW_TFFLAG_DSTIP) != 0) {
1258 errx(EX_DATAERR, "invalid key: dst ip missing");
1259 if ((p = strchr(arg, ',')) != NULL)
1261 /* Determine family using temporary storage */
1262 if (inet_pton(AF_INET, arg, &tmp) == 1) {
1263 if (af != 0 && af != AF_INET)
1265 "Inconsistent address family");
1267 memcpy(&tfe->a.a4.dip, &tmp, 4);
1268 } else if (inet_pton(AF_INET6, arg, &tmp) == 1) {
1269 if (af != 0 && af != AF_INET6)
1271 "Inconsistent address family");
1273 memcpy(&tfe->a.a6.dip6, &tmp, 16);
1279 /* Handle <port-num|service-name> */
1280 if ((tflags & IPFW_TFFLAG_DSTPORT) != 0) {
1282 errx(EX_DATAERR, "invalid key: dst port missing");
1283 if ((p = strchr(arg, ',')) != NULL)
1286 if ((port = htons(strtol(arg, NULL, 10))) == 0) {
1287 if ((sent = getservbyname(arg, NULL)) == NULL)
1288 errx(EX_DATAERR, "Unknown service: %s",
1304 errx(EX_DATAERR, "Unsupported table type: %d", type);
1307 tentry->subtype = af;
1308 tentry->masklen = masklen;
1312 tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key,
1313 int add, uint8_t *ptype, uint32_t *pvmask, ipfw_xtable_info *xi)
1315 uint8_t type, tflags;
1324 if (xi->tablename[0] == '\0')
1325 error = table_get_info(oh, xi);
1332 tflags = xi->tflags;
1336 errx(EX_OSERR, "Error requesting table %s info",
1339 errx(EX_DATAERR, "Table %s does not exist",
1342 * Table does not exist.
1343 * Compability layer: try to interpret data as ADDR
1346 if ((del = strchr(key, '/')) != NULL)
1348 if (inet_pton(AF_INET, key, &tent->k.addr6) == 1 ||
1349 inet_pton(AF_INET6, key, &tent->k.addr6) == 1) {
1350 /* OK Prepare and send */
1351 type = IPFW_TABLE_ADDR;
1352 vmask = IPFW_VTYPE_LEGACY;
1355 errx(EX_USAGE, "Table %s does not exist, cannot guess "
1356 "key '%s' type", oh->ntlv.name, key);
1362 tentry_fill_key_type(key, tent, type, tflags);
1369 set_legacy_value(uint32_t val, ipfw_table_value *v)
1379 v->dscp = (uint8_t)val;
1384 tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *arg,
1385 uint8_t type, uint32_t vmask)
1387 uint32_t a4, flag, val, vm;
1388 ipfw_table_value *v;
1391 char *comma, *e, *etype, *n, *p;
1396 /* Compat layer: keep old behavior for legacy value types */
1397 if (vmask == IPFW_VTYPE_LEGACY) {
1398 /* Try to interpret as number first */
1399 val = strtoul(arg, &p, 0);
1401 set_legacy_value(val, v);
1404 if (inet_pton(AF_INET, arg, &val) == 1) {
1405 set_legacy_value(ntohl(val), v);
1409 if (lookup_host(arg, (struct in_addr *)&val) == 0) {
1410 set_legacy_value(val, v);
1413 errx(EX_OSERR, "Unable to parse value %s", arg);
1417 * Shorthands: handle single value if vmask consists
1418 * of numbers only. e.g.:
1419 * vmask = "fib,skipto" -> treat input "1" as "1,1"
1424 for (i = 1; i < (1 << 31); i *= 2) {
1425 if ((flag = (vmask & i)) == 0)
1429 if ((comma = strchr(n, ',')) != NULL)
1433 case IPFW_VTYPE_TAG:
1434 v->tag = strtol(n, &e, 10);
1438 case IPFW_VTYPE_PIPE:
1439 v->pipe = strtol(n, &e, 10);
1443 case IPFW_VTYPE_DIVERT:
1444 v->divert = strtol(n, &e, 10);
1448 case IPFW_VTYPE_SKIPTO:
1449 v->skipto = strtol(n, &e, 10);
1453 case IPFW_VTYPE_NETGRAPH:
1454 v->netgraph = strtol(n, &e, 10);
1458 case IPFW_VTYPE_FIB:
1459 v->fib = strtol(n, &e, 10);
1463 case IPFW_VTYPE_NAT:
1464 v->nat = strtol(n, &e, 10);
1468 case IPFW_VTYPE_LIMIT:
1469 v->limit = strtol(n, &e, 10);
1473 case IPFW_VTYPE_NH4:
1474 if (strchr(n, '.') != NULL &&
1475 inet_pton(AF_INET, n, &a4) == 1) {
1479 if (lookup_host(n, (struct in_addr *)&v->nh4) == 0)
1483 case IPFW_VTYPE_DSCP:
1485 if ((dval = match_token(f_ipdscp, n)) != -1) {
1489 etype = "DSCP code";
1491 v->dscp = strtol(n, &e, 10);
1492 if (v->dscp > 63 || *e != '\0')
1493 etype = "DSCP value";
1496 case IPFW_VTYPE_NH6:
1497 if (strchr(n, ':') != NULL &&
1498 inet_pton(AF_INET6, n, &v->nh6) == 1)
1505 errx(EX_USAGE, "Unable to parse %s as %s", n, etype);
1510 if ((n = comma) != NULL)
1515 errx(EX_USAGE, "Not enough fields inside value");
1520 * Compare table names.
1521 * Honor number comparison.
1524 tablename_cmp(const void *a, const void *b)
1526 ipfw_xtable_info *ia, *ib;
1528 ia = (ipfw_xtable_info *)a;
1529 ib = (ipfw_xtable_info *)b;
1531 return (stringnum_cmp(ia->tablename, ib->tablename));
1535 * Retrieves table list from kernel,
1536 * optionally sorts it and calls requested function for each table.
1537 * Returns 0 on success.
1540 tables_foreach(table_cb_t *f, void *arg, int sort)
1542 ipfw_obj_lheader *olh;
1543 ipfw_xtable_info *info;
1547 /* Start with reasonable default */
1548 sz = sizeof(*olh) + 16 * sizeof(ipfw_xtable_info);
1551 if ((olh = calloc(1, sz)) == NULL)
1555 if (do_get3(IP_FW_TABLES_XLIST, &olh->opheader, &sz) != 0) {
1558 if (errno != ENOMEM)
1564 qsort(olh + 1, olh->count, olh->objsize, tablename_cmp);
1566 info = (ipfw_xtable_info *)(olh + 1);
1567 for (i = 0; i < olh->count; i++) {
1568 error = f(info, arg); /* Ignore errors for now */
1569 info = (ipfw_xtable_info *)((caddr_t)info + olh->objsize);
1581 * Retrieves all entries for given table @i in
1582 * eXtended format. Allocate buffer large enough
1583 * to store result. Called needs to free it later.
1585 * Returns 0 on success.
1588 table_do_get_list(ipfw_xtable_info *i, ipfw_obj_header **poh)
1590 ipfw_obj_header *oh;
1596 for (c = 0; c < 8; c++) {
1601 if ((oh = calloc(1, sz)) == NULL)
1603 table_fill_objheader(oh, i);
1604 oh->opheader.version = 1; /* Current version */
1605 if (do_get3(IP_FW_TABLE_XLIST, &oh->opheader, &sz) == 0) {
1610 if (errno != ENOMEM)
1619 * Shows all entries from @oh in human-readable format
1622 table_show_list(ipfw_obj_header *oh, int need_header)
1624 ipfw_obj_tentry *tent;
1626 ipfw_xtable_info *i;
1628 i = (ipfw_xtable_info *)(oh + 1);
1629 tent = (ipfw_obj_tentry *)(i + 1);
1632 printf("--- table(%s), set(%u) ---\n", i->tablename, i->set);
1636 table_show_entry(i, tent);
1637 tent = (ipfw_obj_tentry *)((caddr_t)tent + tent->head.length);
1643 table_show_value(char *buf, size_t bufsize, ipfw_table_value *v,
1644 uint32_t vmask, int print_ip)
1646 uint32_t flag, i, l;
1649 char abuf[INET6_ADDRSTRLEN];
1654 * Some shorthands for printing values:
1655 * legacy assumes all values are equal, so keep the first one.
1657 if (vmask == IPFW_VTYPE_LEGACY) {
1658 if (print_ip != 0) {
1659 flag = htonl(v->tag);
1660 inet_ntop(AF_INET, &flag, buf, sz);
1662 snprintf(buf, sz, "%u", v->tag);
1666 for (i = 1; i < (1 << 31); i *= 2) {
1667 if ((flag = (vmask & i)) == 0)
1672 case IPFW_VTYPE_TAG:
1673 l = snprintf(buf, sz, "%u,", v->tag);
1675 case IPFW_VTYPE_PIPE:
1676 l = snprintf(buf, sz, "%u,", v->pipe);
1678 case IPFW_VTYPE_DIVERT:
1679 l = snprintf(buf, sz, "%d,", v->divert);
1681 case IPFW_VTYPE_SKIPTO:
1682 l = snprintf(buf, sz, "%d,", v->skipto);
1684 case IPFW_VTYPE_NETGRAPH:
1685 l = snprintf(buf, sz, "%u,", v->netgraph);
1687 case IPFW_VTYPE_FIB:
1688 l = snprintf(buf, sz, "%u,", v->fib);
1690 case IPFW_VTYPE_NAT:
1691 l = snprintf(buf, sz, "%u,", v->nat);
1693 case IPFW_VTYPE_LIMIT:
1694 l = snprintf(buf, sz, "%u,", v->limit);
1696 case IPFW_VTYPE_NH4:
1697 a4.s_addr = htonl(v->nh4);
1698 inet_ntop(AF_INET, &a4, abuf, sizeof(abuf));
1699 l = snprintf(buf, sz, "%s,", abuf);
1701 case IPFW_VTYPE_DSCP:
1702 l = snprintf(buf, sz, "%d,", v->dscp);
1704 case IPFW_VTYPE_NH6:
1705 inet_ntop(AF_INET6, &v->nh6, abuf, sizeof(abuf));
1706 l = snprintf(buf, sz, "%s,", abuf);
1719 table_show_entry(ipfw_xtable_info *i, ipfw_obj_tentry *tent)
1721 char *comma, tbuf[128], pval[128];
1723 struct tflow_entry *tfe;
1725 table_show_value(pval, sizeof(pval), &tent->v.value, i->vmask,
1729 case IPFW_TABLE_ADDR:
1730 /* IPv4 or IPv6 prefixes */
1731 inet_ntop(tent->subtype, &tent->k, tbuf, sizeof(tbuf));
1732 printf("%s/%u %s\n", tbuf, tent->masklen, pval);
1734 case IPFW_TABLE_INTERFACE:
1735 /* Interface names */
1736 printf("%s %s\n", tent->k.iface, pval);
1738 case IPFW_TABLE_NUMBER:
1740 printf("%u %s\n", tent->k.key, pval);
1742 case IPFW_TABLE_FLOW:
1744 tfe = &tent->k.flow;
1747 if ((i->tflags & IPFW_TFFLAG_SRCIP) != 0) {
1748 if (tfe->af == AF_INET)
1749 paddr = &tfe->a.a4.sip;
1751 paddr = &tfe->a.a6.sip6;
1753 inet_ntop(tfe->af, paddr, tbuf, sizeof(tbuf));
1754 printf("%s%s", comma, tbuf);
1758 if ((i->tflags & IPFW_TFFLAG_PROTO) != 0) {
1759 printf("%s%d", comma, tfe->proto);
1763 if ((i->tflags & IPFW_TFFLAG_SRCPORT) != 0) {
1764 printf("%s%d", comma, ntohs(tfe->sport));
1767 if ((i->tflags & IPFW_TFFLAG_DSTIP) != 0) {
1768 if (tfe->af == AF_INET)
1769 paddr = &tfe->a.a4.dip;
1771 paddr = &tfe->a.a6.dip6;
1773 inet_ntop(tfe->af, paddr, tbuf, sizeof(tbuf));
1774 printf("%s%s", comma, tbuf);
1778 if ((i->tflags & IPFW_TFFLAG_DSTPORT) != 0) {
1779 printf("%s%d", comma, ntohs(tfe->dport));
1783 printf(" %s\n", pval);
1788 table_do_get_stdlist(uint16_t opcode, ipfw_obj_lheader **polh)
1790 ipfw_obj_lheader req, *olh;
1793 memset(&req, 0, sizeof(req));
1796 if (do_get3(opcode, &req.opheader, &sz) != 0)
1797 if (errno != ENOMEM)
1801 if ((olh = calloc(1, sz)) == NULL)
1805 if (do_get3(opcode, &olh->opheader, &sz) != 0) {
1815 table_do_get_algolist(ipfw_obj_lheader **polh)
1818 return (table_do_get_stdlist(IP_FW_TABLES_ALIST, polh));
1822 table_do_get_vlist(ipfw_obj_lheader **polh)
1825 return (table_do_get_stdlist(IP_FW_TABLE_VLIST, polh));
1829 ipfw_list_ta(int ac, char *av[])
1831 ipfw_obj_lheader *olh;
1836 error = table_do_get_algolist(&olh);
1838 err(EX_OSERR, "Unable to request algorithm list");
1840 info = (ipfw_ta_info *)(olh + 1);
1841 for (i = 0; i < olh->count; i++) {
1842 if ((atype = match_value(tabletypes, info->type)) == NULL)
1844 printf("--- %s ---\n", info->algoname);
1845 printf(" type: %s\n refcount: %u\n", atype, info->refcnt);
1847 info = (ipfw_ta_info *)((caddr_t)info + olh->objsize);
1854 /* Copy of current kernel table_value structure */
1855 struct _table_value {
1856 uint32_t tag; /* O_TAG/O_TAGGED */
1857 uint32_t pipe; /* O_PIPE/O_QUEUE */
1858 uint16_t divert; /* O_DIVERT/O_TEE */
1859 uint16_t skipto; /* skipto, CALLRET */
1860 uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */
1861 uint32_t fib; /* O_SETFIB */
1862 uint32_t nat; /* O_NAT */
1866 /* -- 32 bytes -- */
1867 struct in6_addr nh6;
1868 uint32_t limit; /* O_LIMIT */
1870 uint64_t refcnt; /* Number of references */
1874 compare_values(const void *_a, const void *_b)
1876 struct _table_value *a, *b;
1878 a = (struct _table_value *)_a;
1879 b = (struct _table_value *)_b;
1881 if (a->spare1 < b->spare1)
1883 else if (a->spare1 > b->spare1)
1890 ipfw_list_values(int ac, char *av[])
1892 ipfw_obj_lheader *olh;
1893 struct _table_value *v;
1898 error = table_do_get_vlist(&olh);
1900 err(EX_OSERR, "Unable to request value list");
1902 vmask = 0x7FFFFFFF; /* Similar to IPFW_VTYPE_LEGACY */
1904 table_print_valheader(buf, sizeof(buf), vmask);
1905 printf("HEADER: %s\n", buf);
1906 v = (struct _table_value *)(olh + 1);
1907 qsort(v, olh->count, olh->objsize, compare_values);
1908 for (i = 0; i < olh->count; i++) {
1909 table_show_value(buf, sizeof(buf), (ipfw_table_value *)v,
1911 printf("[%u] refs=%lu %s\n", v->spare1, (u_long)v->refcnt, buf);
1912 v = (struct _table_value *)((caddr_t)v + olh->objsize);
1919 compare_ntlv(const void *_a, const void *_b)
1921 ipfw_obj_ntlv *a, *b;
1923 a = (ipfw_obj_ntlv *)_a;
1924 b = (ipfw_obj_ntlv *)_b;
1926 if (a->set < b->set)
1928 else if (a->set > b->set)
1931 if (a->idx < b->idx)
1933 else if (a->idx > b->idx)
1940 compare_kntlv(const void *k, const void *v)
1942 ipfw_obj_ntlv *ntlv;
1945 key = *((uint16_t *)k);
1946 ntlv = (ipfw_obj_ntlv *)v;
1948 if (key < ntlv->idx)
1950 else if (key > ntlv->idx)
1957 * Finds table name in @ctlv by @idx.
1958 * Uses the following facts:
1959 * 1) All TLVs are the same size
1960 * 2) Kernel implementation provides already sorted list.
1962 * Returns table name or NULL.
1965 table_search_ctlv(ipfw_obj_ctlv *ctlv, uint16_t idx)
1967 ipfw_obj_ntlv *ntlv;
1969 ntlv = bsearch(&idx, (ctlv + 1), ctlv->count, ctlv->objsize,
1973 return (ntlv->name);
1979 table_sort_ctlv(ipfw_obj_ctlv *ctlv)
1982 qsort(ctlv + 1, ctlv->count, ctlv->objsize, compare_ntlv);
1986 table_check_name(char *tablename)
1991 * Check if tablename is null-terminated and contains
1992 * valid symbols only. Valid mask is:
1993 * [a-zA-Z0-9\-_\.]{1,63}
1995 l = strlen(tablename);
1996 if (l == 0 || l >= 64)
1998 for (i = 0; i < l; i++) {
2000 if (isalpha(c) || isdigit(c) || c == '_' ||
2001 c == '-' || c == '.')
2006 /* Restrict some 'special' names */
2007 if (strcmp(tablename, "all") == 0)
projects / FreeBSD / FreeBSD.git / blob