2 * Copyright (c) 2014 Yandex LLC
3 * Copyright (c) 2014 Alexander V. Chernikov
5 * Redistribution and use in source forms, with and without modification,
6 * are permitted provided that this entire comment appears intact.
8 * Redistribution in binary form may occur without any restrictions.
9 * Obviously, it would be nice if you gave credit where credit is due
10 * but requiring it would be too onerous.
12 * This software is provided ``AS IS'' without any warranties of any kind.
14 * in-kernel ipfw tables support.
20 #include <sys/types.h>
21 #include <sys/param.h>
22 #include <sys/socket.h>
23 #include <sys/sysctl.h>
35 #include <netinet/in.h>
36 #include <netinet/ip_fw.h>
37 #include <arpa/inet.h>
42 static void table_modify_record(ipfw_obj_header *oh, int ac, char *av[],
43 int add, int quiet, int update, int atomic);
44 static int table_flush(ipfw_obj_header *oh);
45 static int table_destroy(ipfw_obj_header *oh);
46 static int table_do_create(ipfw_obj_header *oh, ipfw_xtable_info *i);
47 static int table_do_modify(ipfw_obj_header *oh, ipfw_xtable_info *i);
48 static int table_do_swap(ipfw_obj_header *oh, char *second);
49 static void table_create(ipfw_obj_header *oh, int ac, char *av[]);
50 static void table_modify(ipfw_obj_header *oh, int ac, char *av[]);
51 static void table_lookup(ipfw_obj_header *oh, int ac, char *av[]);
52 static void table_lock(ipfw_obj_header *oh, int lock);
53 static int table_swap(ipfw_obj_header *oh, char *second);
54 static int table_get_info(ipfw_obj_header *oh, ipfw_xtable_info *i);
55 static int table_show_info(ipfw_xtable_info *i, void *arg);
57 static int table_flush_one(ipfw_xtable_info *i, void *arg);
58 static int table_show_one(ipfw_xtable_info *i, void *arg);
59 static int table_do_get_list(ipfw_xtable_info *i, ipfw_obj_header **poh);
60 static void table_show_list(ipfw_obj_header *oh, int need_header);
61 static void table_show_entry(ipfw_xtable_info *i, ipfw_obj_tentry *tent);
63 static void tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent,
64 char *key, int add, uint8_t *ptype, uint32_t *pvmask, ipfw_xtable_info *xi);
65 static void tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent,
66 char *arg, uint8_t type, uint32_t vmask);
67 static void table_show_value(char *buf, size_t bufsize, ipfw_table_value *v,
68 uint32_t vmask, int print_ip);
70 typedef int (table_cb_t)(ipfw_xtable_info *i, void *arg);
71 static int tables_foreach(table_cb_t *f, void *arg, int sort);
74 #define s6_addr32 __u6_addr.__u6_addr32
77 static struct _s_x tabletypes[] = {
78 { "addr", IPFW_TABLE_ADDR },
79 { "iface", IPFW_TABLE_INTERFACE },
80 { "number", IPFW_TABLE_NUMBER },
81 { "flow", IPFW_TABLE_FLOW },
85 static struct _s_x tablevaltypes[] = {
86 { "skipto", IPFW_VTYPE_SKIPTO },
87 { "pipe", IPFW_VTYPE_PIPE },
88 { "fib", IPFW_VTYPE_FIB },
89 { "nat", IPFW_VTYPE_NAT },
90 { "dscp", IPFW_VTYPE_DSCP },
91 { "tag", IPFW_VTYPE_TAG },
92 { "divert", IPFW_VTYPE_DIVERT },
93 { "netgraph", IPFW_VTYPE_NETGRAPH },
94 { "limit", IPFW_VTYPE_LIMIT },
95 { "ipv4", IPFW_VTYPE_NH4 },
96 { "ipv6", IPFW_VTYPE_NH6 },
100 static struct _s_x tablecmds[] = {
102 { "delete", TOK_DEL },
103 { "create", TOK_CREATE },
104 { "destroy", TOK_DESTROY },
105 { "flush", TOK_FLUSH },
106 { "modify", TOK_MODIFY },
107 { "swap", TOK_SWAP },
108 { "info", TOK_INFO },
109 { "detail", TOK_DETAIL },
110 { "list", TOK_LIST },
111 { "lookup", TOK_LOOKUP },
112 { "atomic", TOK_ATOMIC },
113 { "lock", TOK_LOCK },
114 { "unlock", TOK_UNLOCK },
119 lookup_host (char *host, struct in_addr *ipaddr)
123 if (!inet_aton(host, ipaddr)) {
124 if ((he = gethostbyname(host)) == NULL)
126 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
132 * This one handles all table-related commands
133 * ipfw table NAME create ...
134 * ipfw table NAME modify ...
135 * ipfw table NAME destroy
136 * ipfw table NAME swap NAME
137 * ipfw table NAME lock
138 * ipfw table NAME unlock
139 * ipfw table NAME add addr[/masklen] [value]
140 * ipfw table NAME add [addr[/masklen] value] [addr[/masklen] value] ..
141 * ipfw table NAME delete addr[/masklen] [addr[/masklen]] ..
142 * ipfw table NAME lookup addr
143 * ipfw table {NAME | all} flush
144 * ipfw table {NAME | all} list
145 * ipfw table {NAME | all} info
146 * ipfw table {NAME | all} detail
149 ipfw_table_handler(int ac, char *av[])
152 int atomic, error, tcmd;
159 memset(&oh, 0, sizeof(oh));
162 set = co.use_set - 1;
167 NEED1("table needs name");
170 if (table_check_name(tablename) == 0) {
171 table_fill_ntlv(&oh.ntlv, *av, set, 1);
174 if (strcmp(tablename, "all") == 0)
177 errx(EX_USAGE, "table name %s is invalid", tablename);
180 NEED1("table needs command");
182 tcmd = get_token(tablecmds, *av, "table command");
183 /* Check if atomic operation was requested */
185 if (tcmd == TOK_ATOMIC) {
187 NEED1("atomic needs command");
188 tcmd = get_token(tablecmds, *av, "table command");
193 errx(EX_USAGE, "atomic is not compatible with %s", *av);
206 errx(EX_USAGE, "table name required");
212 do_add = **av == 'a';
214 table_modify_record(&oh, ac, av, do_add, co.do_quiet,
215 co.do_quiet, atomic);
219 table_create(&oh, ac, av);
223 table_modify(&oh, ac, av);
226 if (table_destroy(&oh) == 0)
229 err(EX_OSERR, "failed to destroy table %s", tablename);
230 /* ESRCH isn't fatal, warn if not quiet mode */
231 if (co.do_quiet == 0)
232 warn("failed to destroy table %s", tablename);
236 if ((error = table_flush(&oh)) == 0)
239 err(EX_OSERR, "failed to flush table %s info",
241 /* ESRCH isn't fatal, warn if not quiet mode */
242 if (co.do_quiet == 0)
243 warn("failed to flush table %s info",
246 error = tables_foreach(table_flush_one, &oh, 1);
248 err(EX_OSERR, "failed to flush tables list");
249 /* XXX: we ignore errors here */
254 NEED1("second table name required");
255 table_swap(&oh, *av);
259 table_lock(&oh, (tcmd == TOK_LOCK));
263 arg = (tcmd == TOK_DETAIL) ? (void *)1 : NULL;
265 if ((error = table_get_info(&oh, &i)) != 0)
266 err(EX_OSERR, "failed to request table info");
267 table_show_info(&i, arg);
269 error = tables_foreach(table_show_info, arg, 1);
271 err(EX_OSERR, "failed to request tables list");
277 if ((error = table_get_info(&oh, &i)) != 0)
278 err(EX_OSERR, "failed to request table info");
279 table_show_one(&i, NULL);
281 error = tables_foreach(table_show_one, NULL, 1);
283 err(EX_OSERR, "failed to request tables list");
288 table_lookup(&oh, ac, av);
294 table_fill_ntlv(ipfw_obj_ntlv *ntlv, const char *name, uint8_t set,
298 ntlv->head.type = IPFW_TLV_TBL_NAME;
299 ntlv->head.length = sizeof(ipfw_obj_ntlv);
302 strlcpy(ntlv->name, name, sizeof(ntlv->name));
306 table_fill_objheader(ipfw_obj_header *oh, ipfw_xtable_info *i)
310 table_fill_ntlv(&oh->ntlv, i->tablename, i->set, 1);
313 static struct _s_x tablenewcmds[] = {
314 { "type", TOK_TYPE },
315 { "valtype", TOK_VALTYPE },
316 { "algo", TOK_ALGO },
317 { "limit", TOK_LIMIT },
318 { "locked", TOK_LOCK },
322 static struct _s_x flowtypecmds[] = {
323 { "src-ip", IPFW_TFFLAG_SRCIP },
324 { "proto", IPFW_TFFLAG_PROTO },
325 { "src-port", IPFW_TFFLAG_SRCPORT },
326 { "dst-ip", IPFW_TFFLAG_DSTIP },
327 { "dst-port", IPFW_TFFLAG_DSTPORT },
332 table_parse_type(uint8_t ttype, char *p, uint8_t *tflags)
334 uint32_t fset, fclear;
337 /* Parse type options */
339 case IPFW_TABLE_FLOW:
341 if (fill_flags(flowtypecmds, p, &e, &fset, &fclear) != 0)
343 "unable to parse flow option %s", e);
354 table_print_type(char *tbuf, size_t size, uint8_t type, uint8_t tflags)
359 if ((tname = match_value(tabletypes, type)) == NULL)
362 l = snprintf(tbuf, size, "%s", tname);
367 case IPFW_TABLE_FLOW:
371 print_flags_buffer(tbuf, size, flowtypecmds, tflags);
380 * ipfw table NAME create [ type { addr | iface | number | flow } ]
384 table_create(ipfw_obj_header *oh, int ac, char *av[])
387 int error, tcmd, val;
388 uint32_t fset, fclear;
392 memset(&xi, 0, sizeof(xi));
395 tcmd = get_token(tablenewcmds, *av, "option");
400 NEED1("limit value required");
401 xi.limit = strtol(*av, NULL, 10);
405 NEED1("table type required");
406 /* Type may have suboptions after ':' */
407 if ((p = strchr(*av, ':')) != NULL)
409 val = match_token(tabletypes, *av);
411 concat_tokens(tbuf, sizeof(tbuf), tabletypes,
414 "Unknown tabletype: %s. Supported: %s",
419 error = table_parse_type(val, p, &xi.tflags);
422 "Unsupported suboptions: %s", p);
427 NEED1("table value type required");
429 val = fill_flags(tablevaltypes, *av, &e, &fset, &fclear);
435 concat_tokens(tbuf, sizeof(tbuf), tablevaltypes, ", ");
436 errx(EX_USAGE, "Unknown value type: %s. Supported: %s",
440 NEED1("table algorithm name required");
441 if (strlen(*av) > sizeof(xi.algoname))
442 errx(EX_USAGE, "algorithm name too long");
443 strlcpy(xi.algoname, *av, sizeof(xi.algoname));
447 xi.flags |= IPFW_TGFLAGS_LOCKED;
452 /* Set some defaults to preserve compatibility. */
453 if (xi.algoname[0] == '\0' && xi.type == 0)
454 xi.type = IPFW_TABLE_ADDR;
456 xi.vmask = IPFW_VTYPE_LEGACY;
458 if ((error = table_do_create(oh, &xi)) != 0)
459 err(EX_OSERR, "Table creation failed");
465 * Request: [ ipfw_obj_header ipfw_xtable_info ]
467 * Returns 0 on success.
470 table_do_create(ipfw_obj_header *oh, ipfw_xtable_info *i)
472 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
475 memcpy(tbuf, oh, sizeof(*oh));
476 memcpy(tbuf + sizeof(*oh), i, sizeof(*i));
477 oh = (ipfw_obj_header *)tbuf;
479 error = do_set3(IP_FW_TABLE_XCREATE, &oh->opheader, sizeof(tbuf));
485 * Modifies existing table
487 * ipfw table NAME modify [ limit number ]
490 table_modify(ipfw_obj_header *oh, int ac, char *av[])
495 memset(&xi, 0, sizeof(xi));
498 tcmd = get_token(tablenewcmds, *av, "option");
503 NEED1("limit value required");
504 xi.limit = strtol(*av, NULL, 10);
505 xi.mflags |= IPFW_TMFLAGS_LIMIT;
509 errx(EX_USAGE, "cmd is not supported for modificatiob");
513 if (table_do_modify(oh, &xi) != 0)
514 err(EX_OSERR, "Table modification failed");
518 * Modifies existing table.
520 * Request: [ ipfw_obj_header ipfw_xtable_info ]
522 * Returns 0 on success.
525 table_do_modify(ipfw_obj_header *oh, ipfw_xtable_info *i)
527 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
530 memcpy(tbuf, oh, sizeof(*oh));
531 memcpy(tbuf + sizeof(*oh), i, sizeof(*i));
532 oh = (ipfw_obj_header *)tbuf;
534 error = do_set3(IP_FW_TABLE_XMODIFY, &oh->opheader, sizeof(tbuf));
540 * Locks or unlocks given table
543 table_lock(ipfw_obj_header *oh, int lock)
547 memset(&xi, 0, sizeof(xi));
549 xi.mflags |= IPFW_TMFLAGS_LOCK;
550 xi.flags |= (lock != 0) ? IPFW_TGFLAGS_LOCKED : 0;
552 if (table_do_modify(oh, &xi) != 0)
553 err(EX_OSERR, "Table %s failed", lock != 0 ? "lock" : "unlock");
557 * Destroys given table specified by @oh->ntlv.
558 * Returns 0 on success.
561 table_destroy(ipfw_obj_header *oh)
564 if (do_set3(IP_FW_TABLE_XDESTROY, &oh->opheader, sizeof(*oh)) != 0)
571 * Flushes given table specified by @oh->ntlv.
572 * Returns 0 on success.
575 table_flush(ipfw_obj_header *oh)
578 if (do_set3(IP_FW_TABLE_XFLUSH, &oh->opheader, sizeof(*oh)) != 0)
585 table_do_swap(ipfw_obj_header *oh, char *second)
587 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_obj_ntlv)];
590 memset(tbuf, 0, sizeof(tbuf));
591 memcpy(tbuf, oh, sizeof(*oh));
592 oh = (ipfw_obj_header *)tbuf;
593 table_fill_ntlv((ipfw_obj_ntlv *)(oh + 1), second, oh->ntlv.set, 1);
595 error = do_set3(IP_FW_TABLE_XSWAP, &oh->opheader, sizeof(tbuf));
601 * Swaps given table with @second one.
604 table_swap(ipfw_obj_header *oh, char *second)
607 if (table_check_name(second) != 0)
608 errx(EX_USAGE, "table name %s is invalid", second);
610 if (table_do_swap(oh, second) == 0)
615 errx(EX_USAGE, "Unable to swap table: check types");
617 errx(EX_USAGE, "Unable to swap table: check limits");
625 * Retrieves table in given table specified by @oh->ntlv.
627 * Returns 0 on success.
630 table_get_info(ipfw_obj_header *oh, ipfw_xtable_info *i)
632 char tbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_xtable_info)];
636 memset(tbuf, 0, sizeof(tbuf));
637 memcpy(tbuf, oh, sizeof(*oh));
638 oh = (ipfw_obj_header *)tbuf;
640 if (do_get3(IP_FW_TABLE_XINFO, &oh->opheader, &sz) != 0)
643 if (sz < sizeof(tbuf))
646 *i = *(ipfw_xtable_info *)(oh + 1);
651 static struct _s_x tablealgoclass[] = {
652 { "hash", IPFW_TACLASS_HASH },
653 { "array", IPFW_TACLASS_ARRAY },
654 { "radix", IPFW_TACLASS_RADIX },
668 * Print global/per-AF table @i algorithm info.
671 table_show_tainfo(ipfw_xtable_info *i, struct ta_cldata *d,
672 const char *af, const char *taclass)
675 switch (d->taclass) {
676 case IPFW_TACLASS_HASH:
677 case IPFW_TACLASS_ARRAY:
678 printf(" %salgorithm %s info\n", af, taclass);
679 if (d->itemsize == d->itemsize6)
680 printf(" size: %u items: %u itemsize: %u\n",
681 d->size, d->count, d->itemsize);
683 printf(" size: %u items: %u "
684 "itemsize4: %u itemsize6: %u\n",
686 d->itemsize, d->itemsize6);
688 case IPFW_TACLASS_RADIX:
689 printf(" %salgorithm %s info\n", af, taclass);
690 if (d->itemsize == d->itemsize6)
691 printf(" items: %u itemsize: %u\n",
692 d->count, d->itemsize);
695 "itemsize4: %u itemsize6: %u\n",
696 d->count, d->itemsize, d->itemsize6);
699 printf(" algo class: %s\n", taclass);
704 table_print_valheader(char *buf, size_t bufsize, uint32_t vmask)
707 if (vmask == IPFW_VTYPE_LEGACY) {
708 snprintf(buf, bufsize, "legacy");
712 memset(buf, 0, bufsize);
713 print_flags_buffer(buf, bufsize, tablevaltypes, vmask);
717 * Prints table info struct @i in human-readable form.
720 table_show_info(ipfw_xtable_info *i, void *arg)
723 ipfw_ta_tinfo *tainfo;
726 char ttype[64], tvtype[64];
728 table_print_type(ttype, sizeof(ttype), i->type, i->tflags);
729 table_print_valheader(tvtype, sizeof(tvtype), i->vmask);
731 printf("--- table(%s), set(%u) ---\n", i->tablename, i->set);
732 if ((i->flags & IPFW_TGFLAGS_LOCKED) != 0)
733 printf(" kindex: %d, type: %s, locked\n", i->kidx, ttype);
735 printf(" kindex: %d, type: %s\n", i->kidx, ttype);
736 printf(" references: %u, valtype: %s\n", i->refcnt, tvtype);
737 printf(" algorithm: %s\n", i->algoname);
738 printf(" items: %u, size: %u\n", i->count, i->size);
740 printf(" limit: %u\n", i->limit);
742 /* Print algo-specific info if requested & set */
746 if ((i->ta_info.flags & IPFW_TATFLAGS_DATA) == 0)
748 tainfo = &i->ta_info;
752 if (tainfo->flags & IPFW_TATFLAGS_AFDATA)
754 if (tainfo->flags & IPFW_TATFLAGS_AFITEM)
757 memset(&d, 0, sizeof(d));
758 d.taclass = tainfo->taclass4;
759 d.size = tainfo->size4;
760 d.count = tainfo->count4;
761 d.itemsize = tainfo->itemsize4;
762 if (afdata == 0 && afitem != 0)
763 d.itemsize6 = tainfo->itemsize6;
765 d.itemsize6 = d.itemsize;
766 if ((vtype = match_value(tablealgoclass, d.taclass)) == NULL)
770 table_show_tainfo(i, &d, "", vtype);
772 table_show_tainfo(i, &d, "IPv4 ", vtype);
773 memset(&d, 0, sizeof(d));
774 d.taclass = tainfo->taclass6;
775 if ((vtype = match_value(tablealgoclass, d.taclass)) == NULL)
777 d.size = tainfo->size6;
778 d.count = tainfo->count6;
779 d.itemsize = tainfo->itemsize6;
780 d.itemsize6 = d.itemsize;
781 table_show_tainfo(i, &d, "IPv6 ", vtype);
789 * Function wrappers which can be used either
790 * as is or as foreach function parameter.
794 table_show_one(ipfw_xtable_info *i, void *arg)
799 if ((error = table_do_get_list(i, &oh)) != 0) {
800 err(EX_OSERR, "Error requesting table %s list", i->tablename);
804 table_show_list(oh, 1);
811 table_flush_one(ipfw_xtable_info *i, void *arg)
815 oh = (ipfw_obj_header *)arg;
817 table_fill_ntlv(&oh->ntlv, i->tablename, i->set, 1);
819 return (table_flush(oh));
823 table_do_modify_record(int cmd, ipfw_obj_header *oh,
824 ipfw_obj_tentry *tent, int count, int atomic)
827 ipfw_obj_tentry *tent_base;
829 char xbuf[sizeof(*oh) + sizeof(ipfw_obj_ctlv) + sizeof(*tent)];
833 sz = sizeof(*ctlv) + sizeof(*tent) * count;
835 memset(xbuf, 0, sizeof(xbuf));
838 if ((pbuf = calloc(1, sizeof(*oh) + sz)) == NULL)
842 memcpy(pbuf, oh, sizeof(*oh));
843 oh = (ipfw_obj_header *)pbuf;
844 oh->opheader.version = 1;
846 ctlv = (ipfw_obj_ctlv *)(oh + 1);
848 ctlv->head.length = sz;
850 ctlv->flags |= IPFW_CTF_ATOMIC;
853 memcpy(ctlv + 1, tent, sizeof(*tent) * count);
854 tent = (ipfw_obj_tentry *)(ctlv + 1);
855 for (i = 0; i < count; i++, tent++) {
856 tent->head.length = sizeof(ipfw_obj_tentry);
861 error = do_get3(cmd, &oh->opheader, &sz);
862 tent = (ipfw_obj_tentry *)(ctlv + 1);
863 /* Copy result back to provided buffer */
864 memcpy(tent_base, ctlv + 1, sizeof(*tent) * count);
873 table_modify_record(ipfw_obj_header *oh, int ac, char *av[], int add,
874 int quiet, int update, int atomic)
876 ipfw_obj_tentry *ptent, tent, *tent_buf;
880 int cmd, count, error, i, ignored;
881 char *texterr, *etxt, *px;
884 errx(EX_USAGE, "address required");
887 cmd = IP_FW_TABLE_XADD;
888 texterr = "Adding record failed";
890 cmd = IP_FW_TABLE_XDEL;
891 texterr = "Deleting record failed";
895 * Calculate number of entries:
896 * Assume [key val] x N for add
900 count = (add != 0) ? ac / 2 + 1 : ac;
903 /* Adding single entry with/without value */
904 memset(&tent, 0, sizeof(tent));
908 if ((tent_buf = calloc(count, sizeof(tent))) == NULL)
910 "Unable to allocate memory for all entries");
914 memset(&xi, 0, sizeof(xi));
917 tentry_fill_key(oh, ptent, *av, add, &type, &vmask, &xi);
920 * Compatibility layer: auto-create table if not exists.
922 if (xi.tablename[0] == '\0') {
925 strlcpy(xi.tablename, oh->ntlv.name,
926 sizeof(xi.tablename));
928 warnx("DEPRECATED: inserting data into "
929 "non-existent table %s. (auto-created)",
931 table_do_create(oh, &xi);
934 oh->ntlv.type = type;
937 if (add != 0 && ac > 0) {
938 tentry_fill_value(oh, ptent, *av, type, vmask);
943 ptent->head.flags |= IPFW_TF_UPDATE;
949 error = table_do_modify_record(cmd, oh, tent_buf, count, atomic);
952 * Compatibility stuff: do not yell on duplicate keys or
955 if (error == 0 || (error == EEXIST && add != 0) ||
956 (error == ENOENT && add == 0)) {
958 if (tent_buf != &tent)
964 /* Report results back */
966 for (i = 0; i < count; ptent++, i++) {
968 switch (ptent->result) {
972 case IPFW_TR_DELETED:
975 case IPFW_TR_UPDATED:
986 case IPFW_TR_NOTFOUND:
994 case IPFW_TR_IGNORED:
1003 if (error != 0 && atomic != 0 && ignored == 0)
1004 printf("%s(reverted): ", px);
1008 table_show_entry(&xi, ptent);
1011 if (tent_buf != &tent)
1016 /* Get real OS error */
1019 /* Try to provide more human-readable error */
1022 etxt = "record already exists";
1028 etxt = "table not found";
1031 etxt = "record not found";
1034 etxt = "table is locked";
1037 etxt = strerror(error);
1040 errx(EX_OSERR, "%s: %s", texterr, etxt);
1044 table_do_lookup(ipfw_obj_header *oh, char *key, ipfw_xtable_info *xi,
1045 ipfw_obj_tentry *xtent)
1047 char xbuf[sizeof(ipfw_obj_header) + sizeof(ipfw_obj_tentry)];
1048 ipfw_obj_tentry *tent;
1053 memcpy(xbuf, oh, sizeof(*oh));
1054 oh = (ipfw_obj_header *)xbuf;
1055 tent = (ipfw_obj_tentry *)(oh + 1);
1057 memset(tent, 0, sizeof(*tent));
1058 tent->head.length = sizeof(*tent);
1061 tentry_fill_key(oh, tent, key, 0, &type, &vmask, xi);
1062 oh->ntlv.type = type;
1065 if (do_get3(IP_FW_TABLE_XFIND, &oh->opheader, &sz) != 0)
1068 if (sz < sizeof(xbuf))
1077 table_lookup(ipfw_obj_header *oh, int ac, char *av[])
1079 ipfw_obj_tentry xtent;
1080 ipfw_xtable_info xi;
1085 errx(EX_USAGE, "address required");
1087 strlcpy(key, *av, sizeof(key));
1089 memset(&xi, 0, sizeof(xi));
1090 error = table_do_lookup(oh, key, &xi, &xtent);
1096 errx(EX_UNAVAILABLE, "Table %s not found", oh->ntlv.name);
1098 errx(EX_UNAVAILABLE, "Entry %s not found", *av);
1100 errx(EX_UNAVAILABLE, "Table %s algo does not support "
1101 "\"lookup\" method", oh->ntlv.name);
1103 err(EX_OSERR, "getsockopt(IP_FW_TABLE_XFIND)");
1106 table_show_entry(&xi, &xtent);
1110 tentry_fill_key_type(char *arg, ipfw_obj_tentry *tentry, uint8_t type,
1115 struct in6_addr *paddr, tmp;
1116 struct tflow_entry *tfe;
1117 uint32_t key, *pkey;
1119 struct protoent *pent;
1120 struct servent *sent;
1125 paddr = (struct in6_addr *)&tentry->k;
1128 case IPFW_TABLE_ADDR:
1129 /* Remove / if exists */
1130 if ((p = strchr(arg, '/')) != NULL) {
1135 if (inet_pton(AF_INET, arg, paddr) == 1) {
1136 if (p != NULL && mask > 32)
1137 errx(EX_DATAERR, "bad IPv4 mask width: %s",
1140 masklen = p ? mask : 32;
1142 } else if (inet_pton(AF_INET6, arg, paddr) == 1) {
1143 if (IN6_IS_ADDR_V4COMPAT(paddr))
1145 "Use IPv4 instead of v4-compatible");
1146 if (p != NULL && mask > 128)
1147 errx(EX_DATAERR, "bad IPv6 mask width: %s",
1150 masklen = p ? mask : 128;
1154 if (lookup_host(arg, (struct in_addr *)paddr) != 0)
1155 errx(EX_NOHOST, "hostname ``%s'' unknown", arg);
1158 type = IPFW_TABLE_ADDR;
1162 case IPFW_TABLE_INTERFACE:
1163 /* Assume interface name. Copy significant data only */
1164 mask = MIN(strlen(arg), IF_NAMESIZE - 1);
1165 memcpy(paddr, arg, mask);
1166 /* Set mask to exact match */
1167 masklen = 8 * IF_NAMESIZE;
1169 case IPFW_TABLE_NUMBER:
1170 /* Port or any other key */
1171 key = strtol(arg, &p, 10);
1173 errx(EX_DATAERR, "Invalid number: %s", arg);
1175 pkey = (uint32_t *)paddr;
1179 case IPFW_TABLE_FLOW:
1180 /* Assume [src-ip][,proto][,src-port][,dst-ip][,dst-port] */
1181 tfe = &tentry->k.flow;
1184 /* Handle <ipv4|ipv6> */
1185 if ((tflags & IPFW_TFFLAG_SRCIP) != 0) {
1186 if ((p = strchr(arg, ',')) != NULL)
1188 /* Determine family using temporary storage */
1189 if (inet_pton(AF_INET, arg, &tmp) == 1) {
1190 if (af != 0 && af != AF_INET)
1192 "Inconsistent address family\n");
1194 memcpy(&tfe->a.a4.sip, &tmp, 4);
1195 } else if (inet_pton(AF_INET6, arg, &tmp) == 1) {
1196 if (af != 0 && af != AF_INET6)
1198 "Inconsistent address family\n");
1200 memcpy(&tfe->a.a6.sip6, &tmp, 16);
1206 /* Handle <proto-num|proto-name> */
1207 if ((tflags & IPFW_TFFLAG_PROTO) != 0) {
1209 errx(EX_DATAERR, "invalid key: proto missing");
1210 if ((p = strchr(arg, ',')) != NULL)
1213 key = strtol(arg, &pp, 10);
1215 if ((pent = getprotobyname(arg)) == NULL)
1216 errx(EX_DATAERR, "Unknown proto: %s",
1219 key = pent->p_proto;
1223 errx(EX_DATAERR, "Bad protocol number: %u",key);
1230 /* Handle <port-num|service-name> */
1231 if ((tflags & IPFW_TFFLAG_SRCPORT) != 0) {
1233 errx(EX_DATAERR, "invalid key: src port missing");
1234 if ((p = strchr(arg, ',')) != NULL)
1237 if ((port = htons(strtol(arg, NULL, 10))) == 0) {
1238 if ((sent = getservbyname(arg, NULL)) == NULL)
1239 errx(EX_DATAERR, "Unknown service: %s",
1250 /* Handle <ipv4|ipv6>*/
1251 if ((tflags & IPFW_TFFLAG_DSTIP) != 0) {
1253 errx(EX_DATAERR, "invalid key: dst ip missing");
1254 if ((p = strchr(arg, ',')) != NULL)
1256 /* Determine family using temporary storage */
1257 if (inet_pton(AF_INET, arg, &tmp) == 1) {
1258 if (af != 0 && af != AF_INET)
1260 "Inconsistent address family");
1262 memcpy(&tfe->a.a4.dip, &tmp, 4);
1263 } else if (inet_pton(AF_INET6, arg, &tmp) == 1) {
1264 if (af != 0 && af != AF_INET6)
1266 "Inconsistent address family");
1268 memcpy(&tfe->a.a6.dip6, &tmp, 16);
1274 /* Handle <port-num|service-name> */
1275 if ((tflags & IPFW_TFFLAG_DSTPORT) != 0) {
1277 errx(EX_DATAERR, "invalid key: dst port missing");
1278 if ((p = strchr(arg, ',')) != NULL)
1281 if ((port = htons(strtol(arg, NULL, 10))) == 0) {
1282 if ((sent = getservbyname(arg, NULL)) == NULL)
1283 errx(EX_DATAERR, "Unknown service: %s",
1299 errx(EX_DATAERR, "Unsupported table type: %d", type);
1302 tentry->subtype = af;
1303 tentry->masklen = masklen;
1307 * Tries to guess table key type.
1308 * This procedure is used in legacy table auto-create
1309 * code AND in `ipfw -n` ruleset checking.
1311 * Imported from old table_fill_xentry() parse code.
1314 guess_key_type(char *key, uint8_t *ptype)
1317 struct in6_addr addr;
1320 if (ishexnumber(*key) != 0 || *key == ':') {
1321 /* Remove / if exists */
1322 if ((p = strchr(key, '/')) != NULL)
1325 if ((inet_pton(AF_INET, key, &addr) == 1) ||
1326 (inet_pton(AF_INET6, key, &addr) == 1)) {
1327 *ptype = IPFW_TABLE_CIDR;
1332 /* Port or any other key */
1333 /* Skip non-base 10 entries like 'fa1' */
1334 kv = strtol(key, &p, 10);
1336 *ptype = IPFW_TABLE_NUMBER;
1338 } else if ((p != key) && (*p == '.')) {
1340 * Warn on IPv4 address strings
1341 * which are "valid" for inet_aton() but not
1344 * Typical examples: '10.5' or '10.0.0.05'
1351 if (strchr(key, '.') == NULL) {
1352 *ptype = IPFW_TABLE_INTERFACE;
1356 if (lookup_host(key, (struct in_addr *)&addr) != 0)
1359 *ptype = IPFW_TABLE_CIDR;
1364 tentry_fill_key(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *key,
1365 int add, uint8_t *ptype, uint32_t *pvmask, ipfw_xtable_info *xi)
1367 uint8_t type, tflags;
1375 if (xi->tablename[0] == '\0')
1376 error = table_get_info(oh, xi);
1381 if (co.test_only == 0) {
1384 tflags = xi->tflags;
1388 * We're running `ipfw -n`
1389 * Compatibility layer: try to guess key type
1392 if (guess_key_type(key, &type) != 0) {
1394 errx(EX_USAGE, "Cannot guess "
1395 "key '%s' type", key);
1397 vmask = IPFW_VTYPE_LEGACY;
1401 errx(EX_OSERR, "Error requesting table %s info",
1404 errx(EX_DATAERR, "Table %s does not exist",
1407 * Table does not exist
1408 * Compatibility layer: try to guess key type before failing.
1410 if (guess_key_type(key, &type) != 0) {
1412 errx(EX_USAGE, "Table %s does not exist, cannot guess "
1413 "key '%s' type", oh->ntlv.name, key);
1416 vmask = IPFW_VTYPE_LEGACY;
1419 tentry_fill_key_type(key, tent, type, tflags);
1426 set_legacy_value(uint32_t val, ipfw_table_value *v)
1436 v->dscp = (uint8_t)val;
1441 tentry_fill_value(ipfw_obj_header *oh, ipfw_obj_tentry *tent, char *arg,
1442 uint8_t type, uint32_t vmask)
1444 struct addrinfo hints, *res;
1445 uint32_t a4, flag, val;
1446 ipfw_table_value *v;
1449 char *comma, *e, *etype, *n, *p;
1453 /* Compat layer: keep old behavior for legacy value types */
1454 if (vmask == IPFW_VTYPE_LEGACY) {
1455 /* Try to interpret as number first */
1456 val = strtoul(arg, &p, 0);
1458 set_legacy_value(val, v);
1461 if (inet_pton(AF_INET, arg, &val) == 1) {
1462 set_legacy_value(ntohl(val), v);
1466 if (lookup_host(arg, (struct in_addr *)&val) == 0) {
1467 set_legacy_value(val, v);
1470 errx(EX_OSERR, "Unable to parse value %s", arg);
1474 * Shorthands: handle single value if vmask consists
1475 * of numbers only. e.g.:
1476 * vmask = "fib,skipto" -> treat input "1" as "1,1"
1481 for (i = 1; i < (1 << 31); i *= 2) {
1482 if ((flag = (vmask & i)) == 0)
1486 if ((comma = strchr(n, ',')) != NULL)
1490 case IPFW_VTYPE_TAG:
1491 v->tag = strtol(n, &e, 10);
1495 case IPFW_VTYPE_PIPE:
1496 v->pipe = strtol(n, &e, 10);
1500 case IPFW_VTYPE_DIVERT:
1501 v->divert = strtol(n, &e, 10);
1505 case IPFW_VTYPE_SKIPTO:
1506 v->skipto = strtol(n, &e, 10);
1510 case IPFW_VTYPE_NETGRAPH:
1511 v->netgraph = strtol(n, &e, 10);
1515 case IPFW_VTYPE_FIB:
1516 v->fib = strtol(n, &e, 10);
1520 case IPFW_VTYPE_NAT:
1521 v->nat = strtol(n, &e, 10);
1525 case IPFW_VTYPE_LIMIT:
1526 v->limit = strtol(n, &e, 10);
1530 case IPFW_VTYPE_NH4:
1531 if (strchr(n, '.') != NULL &&
1532 inet_pton(AF_INET, n, &a4) == 1) {
1536 if (lookup_host(n, (struct in_addr *)&v->nh4) == 0)
1540 case IPFW_VTYPE_DSCP:
1542 if ((dval = match_token(f_ipdscp, n)) != -1) {
1546 etype = "DSCP code";
1548 v->dscp = strtol(n, &e, 10);
1549 if (v->dscp > 63 || *e != '\0')
1550 etype = "DSCP value";
1553 case IPFW_VTYPE_NH6:
1554 if (strchr(n, ':') != NULL) {
1555 memset(&hints, 0, sizeof(hints));
1556 hints.ai_family = AF_INET6;
1557 hints.ai_flags = AI_NUMERICHOST;
1558 if (getaddrinfo(n, NULL, &hints, &res) == 0) {
1559 v->nh6 = ((struct sockaddr_in6 *)
1560 res->ai_addr)->sin6_addr;
1561 v->zoneid = ((struct sockaddr_in6 *)
1562 res->ai_addr)->sin6_scope_id;
1572 errx(EX_USAGE, "Unable to parse %s as %s", n, etype);
1577 if ((n = comma) != NULL)
1582 errx(EX_USAGE, "Not enough fields inside value");
1587 * Compare table names.
1588 * Honor number comparison.
1591 tablename_cmp(const void *a, const void *b)
1593 ipfw_xtable_info *ia, *ib;
1595 ia = (ipfw_xtable_info *)a;
1596 ib = (ipfw_xtable_info *)b;
1598 return (stringnum_cmp(ia->tablename, ib->tablename));
1602 * Retrieves table list from kernel,
1603 * optionally sorts it and calls requested function for each table.
1604 * Returns 0 on success.
1607 tables_foreach(table_cb_t *f, void *arg, int sort)
1609 ipfw_obj_lheader *olh;
1610 ipfw_xtable_info *info;
1614 /* Start with reasonable default */
1615 sz = sizeof(*olh) + 16 * sizeof(ipfw_xtable_info);
1618 if ((olh = calloc(1, sz)) == NULL)
1622 if (do_get3(IP_FW_TABLES_XLIST, &olh->opheader, &sz) != 0) {
1625 if (errno != ENOMEM)
1631 qsort(olh + 1, olh->count, olh->objsize, tablename_cmp);
1633 info = (ipfw_xtable_info *)(olh + 1);
1634 for (i = 0; i < olh->count; i++) {
1635 error = f(info, arg); /* Ignore errors for now */
1636 info = (ipfw_xtable_info *)((caddr_t)info + olh->objsize);
1648 * Retrieves all entries for given table @i in
1649 * eXtended format. Allocate buffer large enough
1650 * to store result. Called needs to free it later.
1652 * Returns 0 on success.
1655 table_do_get_list(ipfw_xtable_info *i, ipfw_obj_header **poh)
1657 ipfw_obj_header *oh;
1663 for (c = 0; c < 8; c++) {
1668 if ((oh = calloc(1, sz)) == NULL)
1670 table_fill_objheader(oh, i);
1671 oh->opheader.version = 1; /* Current version */
1672 if (do_get3(IP_FW_TABLE_XLIST, &oh->opheader, &sz) == 0) {
1677 if (errno != ENOMEM)
1686 * Shows all entries from @oh in human-readable format
1689 table_show_list(ipfw_obj_header *oh, int need_header)
1691 ipfw_obj_tentry *tent;
1693 ipfw_xtable_info *i;
1695 i = (ipfw_xtable_info *)(oh + 1);
1696 tent = (ipfw_obj_tentry *)(i + 1);
1699 printf("--- table(%s), set(%u) ---\n", i->tablename, i->set);
1703 table_show_entry(i, tent);
1704 tent = (ipfw_obj_tentry *)((caddr_t)tent + tent->head.length);
1710 table_show_value(char *buf, size_t bufsize, ipfw_table_value *v,
1711 uint32_t vmask, int print_ip)
1713 char abuf[INET6_ADDRSTRLEN + IF_NAMESIZE + 2];
1714 struct sockaddr_in6 sa6;
1715 uint32_t flag, i, l;
1722 * Some shorthands for printing values:
1723 * legacy assumes all values are equal, so keep the first one.
1725 if (vmask == IPFW_VTYPE_LEGACY) {
1726 if (print_ip != 0) {
1727 flag = htonl(v->tag);
1728 inet_ntop(AF_INET, &flag, buf, sz);
1730 snprintf(buf, sz, "%u", v->tag);
1734 for (i = 1; i < (1 << 31); i *= 2) {
1735 if ((flag = (vmask & i)) == 0)
1740 case IPFW_VTYPE_TAG:
1741 l = snprintf(buf, sz, "%u,", v->tag);
1743 case IPFW_VTYPE_PIPE:
1744 l = snprintf(buf, sz, "%u,", v->pipe);
1746 case IPFW_VTYPE_DIVERT:
1747 l = snprintf(buf, sz, "%d,", v->divert);
1749 case IPFW_VTYPE_SKIPTO:
1750 l = snprintf(buf, sz, "%d,", v->skipto);
1752 case IPFW_VTYPE_NETGRAPH:
1753 l = snprintf(buf, sz, "%u,", v->netgraph);
1755 case IPFW_VTYPE_FIB:
1756 l = snprintf(buf, sz, "%u,", v->fib);
1758 case IPFW_VTYPE_NAT:
1759 l = snprintf(buf, sz, "%u,", v->nat);
1761 case IPFW_VTYPE_LIMIT:
1762 l = snprintf(buf, sz, "%u,", v->limit);
1764 case IPFW_VTYPE_NH4:
1765 a4.s_addr = htonl(v->nh4);
1766 inet_ntop(AF_INET, &a4, abuf, sizeof(abuf));
1767 l = snprintf(buf, sz, "%s,", abuf);
1769 case IPFW_VTYPE_DSCP:
1770 l = snprintf(buf, sz, "%d,", v->dscp);
1772 case IPFW_VTYPE_NH6:
1773 sa6.sin6_family = AF_INET6;
1774 sa6.sin6_len = sizeof(sa6);
1775 sa6.sin6_addr = v->nh6;
1777 sa6.sin6_scope_id = v->zoneid;
1778 if (getnameinfo((const struct sockaddr *)&sa6,
1779 sa6.sin6_len, abuf, sizeof(abuf), NULL, 0,
1780 NI_NUMERICHOST) == 0)
1781 l = snprintf(buf, sz, "%s,", abuf);
1794 table_show_entry(ipfw_xtable_info *i, ipfw_obj_tentry *tent)
1796 char *comma, tbuf[128], pval[128];
1798 struct tflow_entry *tfe;
1800 table_show_value(pval, sizeof(pval), &tent->v.value, i->vmask,
1804 case IPFW_TABLE_ADDR:
1805 /* IPv4 or IPv6 prefixes */
1806 inet_ntop(tent->subtype, &tent->k, tbuf, sizeof(tbuf));
1807 printf("%s/%u %s\n", tbuf, tent->masklen, pval);
1809 case IPFW_TABLE_INTERFACE:
1810 /* Interface names */
1811 printf("%s %s\n", tent->k.iface, pval);
1813 case IPFW_TABLE_NUMBER:
1815 printf("%u %s\n", tent->k.key, pval);
1817 case IPFW_TABLE_FLOW:
1819 tfe = &tent->k.flow;
1822 if ((i->tflags & IPFW_TFFLAG_SRCIP) != 0) {
1823 if (tfe->af == AF_INET)
1824 paddr = &tfe->a.a4.sip;
1826 paddr = &tfe->a.a6.sip6;
1828 inet_ntop(tfe->af, paddr, tbuf, sizeof(tbuf));
1829 printf("%s%s", comma, tbuf);
1833 if ((i->tflags & IPFW_TFFLAG_PROTO) != 0) {
1834 printf("%s%d", comma, tfe->proto);
1838 if ((i->tflags & IPFW_TFFLAG_SRCPORT) != 0) {
1839 printf("%s%d", comma, ntohs(tfe->sport));
1842 if ((i->tflags & IPFW_TFFLAG_DSTIP) != 0) {
1843 if (tfe->af == AF_INET)
1844 paddr = &tfe->a.a4.dip;
1846 paddr = &tfe->a.a6.dip6;
1848 inet_ntop(tfe->af, paddr, tbuf, sizeof(tbuf));
1849 printf("%s%s", comma, tbuf);
1853 if ((i->tflags & IPFW_TFFLAG_DSTPORT) != 0) {
1854 printf("%s%d", comma, ntohs(tfe->dport));
1858 printf(" %s\n", pval);
1863 table_do_get_stdlist(uint16_t opcode, ipfw_obj_lheader **polh)
1865 ipfw_obj_lheader req, *olh;
1868 memset(&req, 0, sizeof(req));
1871 if (do_get3(opcode, &req.opheader, &sz) != 0)
1872 if (errno != ENOMEM)
1876 if ((olh = calloc(1, sz)) == NULL)
1880 if (do_get3(opcode, &olh->opheader, &sz) != 0) {
1890 table_do_get_algolist(ipfw_obj_lheader **polh)
1893 return (table_do_get_stdlist(IP_FW_TABLES_ALIST, polh));
1897 table_do_get_vlist(ipfw_obj_lheader **polh)
1900 return (table_do_get_stdlist(IP_FW_TABLE_VLIST, polh));
1904 ipfw_list_ta(int ac, char *av[])
1906 ipfw_obj_lheader *olh;
1911 error = table_do_get_algolist(&olh);
1913 err(EX_OSERR, "Unable to request algorithm list");
1915 info = (ipfw_ta_info *)(olh + 1);
1916 for (i = 0; i < olh->count; i++) {
1917 if ((atype = match_value(tabletypes, info->type)) == NULL)
1919 printf("--- %s ---\n", info->algoname);
1920 printf(" type: %s\n refcount: %u\n", atype, info->refcnt);
1922 info = (ipfw_ta_info *)((caddr_t)info + olh->objsize);
1929 /* Copy of current kernel table_value structure */
1930 struct _table_value {
1931 uint32_t tag; /* O_TAG/O_TAGGED */
1932 uint32_t pipe; /* O_PIPE/O_QUEUE */
1933 uint16_t divert; /* O_DIVERT/O_TEE */
1934 uint16_t skipto; /* skipto, CALLRET */
1935 uint32_t netgraph; /* O_NETGRAPH/O_NGTEE */
1936 uint32_t fib; /* O_SETFIB */
1937 uint32_t nat; /* O_NAT */
1942 /* -- 32 bytes -- */
1943 struct in6_addr nh6;
1944 uint32_t limit; /* O_LIMIT */
1946 uint64_t refcnt; /* Number of references */
1950 compare_values(const void *_a, const void *_b)
1952 struct _table_value *a, *b;
1954 a = (struct _table_value *)_a;
1955 b = (struct _table_value *)_b;
1957 if (a->spare1 < b->spare1)
1959 else if (a->spare1 > b->spare1)
1966 ipfw_list_values(int ac, char *av[])
1968 ipfw_obj_lheader *olh;
1969 struct _table_value *v;
1974 error = table_do_get_vlist(&olh);
1976 err(EX_OSERR, "Unable to request value list");
1978 vmask = 0x7FFFFFFF; /* Similar to IPFW_VTYPE_LEGACY */
1980 table_print_valheader(buf, sizeof(buf), vmask);
1981 printf("HEADER: %s\n", buf);
1982 v = (struct _table_value *)(olh + 1);
1983 qsort(v, olh->count, olh->objsize, compare_values);
1984 for (i = 0; i < olh->count; i++) {
1985 table_show_value(buf, sizeof(buf), (ipfw_table_value *)v,
1987 printf("[%u] refs=%lu %s\n", v->spare1, (u_long)v->refcnt, buf);
1988 v = (struct _table_value *)((caddr_t)v + olh->objsize);
1995 table_check_name(const char *tablename)
1998 if (ipfw_check_object_name(tablename) != 0)
2000 /* Restrict some 'special' names */
2001 if (strcmp(tablename, "all") == 0)
projects / FreeBSD / FreeBSD.git / blob