]> git.saurik.com Git - apple/network_cmds.git/blob - ipfw.tproj/ipfw2.c
projects / apple / network_cmds.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
network_cmds-245.1.3.tar.gz
[apple/network_cmds.git] / ipfw.tproj / ipfw2.c
1 /*
2 * Copyright (c) 2002 Apple Computer, Inc. All rights reserved.
3 *
4 * @APPLE_LICENSE_HEADER_START@
5 *
6 * This file contains Original Code and/or Modifications of Original Code
7 * as defined in and that are subject to the Apple Public Source License
8 * Version 2.0 (the 'License'). You may not use this file except in
9 * compliance with the License. Please obtain a copy of the License at
10 * http://www.opensource.apple.com/apsl/ and read it before using this
11 * file.
12 *
13 * The Original Code and all software distributed under the License are
14 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
15 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
16 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
17 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
18 * Please see the License for the specific language governing rights and
19 * limitations under the License.
20 *
21 * @APPLE_LICENSE_HEADER_END@
22 */
23 /*
24 * Copyright (c) 2002-2003 Luigi Rizzo
25 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
26 * Copyright (c) 1994 Ugen J.S.Antsilevich
27 *
28 * Idea and grammar partially left from:
29 * Copyright (c) 1993 Daniel Boulet
30 *
31 * Redistribution and use in source forms, with and without modification,
32 * are permitted provided that this entire comment appears intact.
33 *
34 * Redistribution in binary form may occur without any restrictions.
35 * Obviously, it would be nice if you gave credit where credit is due
36 * but requiring it would be too onerous.
37 *
38 * This software is provided ``AS IS'' without any warranties of any kind.
39 *
40 * NEW command line interface for IP firewall facility
41 *
42 * $FreeBSD: /repoman/r/ncvs/src/sbin/ipfw/ipfw2.c,v 1.4.2.18 2003/09/15 10:27:03 luigi Exp $
43 */
44
45 #include <sys/param.h>
46 #include <sys/mbuf.h>
47 #include <sys/socket.h>
48 #include <sys/sockio.h>
49 #include <sys/sysctl.h>
50 #include <sys/time.h>
51 #include <sys/wait.h>
52
53 #include <ctype.h>
54 #include <err.h>
55 #include <errno.h>
56 #include <grp.h>
57 #include <limits.h>
58 #include <netdb.h>
59 #include <pwd.h>
60 #include <signal.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <stdarg.h>
64 #include <string.h>
65 #include <unistd.h>
66 #include <sysexits.h>
67
68 #include <net/if.h>
69 #include <netinet/in.h>
70 #include <netinet/in_systm.h>
71 #include <netinet/ip.h>
72 #include <netinet/ip_icmp.h>
73 #define IPFW2
74 #include <netinet/ip_fw.h>
75 #undef IPFW2
76 #include <net/route.h> /* def. of struct route */
77 #include <netinet/ip_dummynet.h>
78 #include <netinet/tcp.h>
79 #include <arpa/inet.h>
80
81 int
82 do_resolv, /* Would try to resolve all */
83 do_time, /* Show time stamps */
84 do_quiet, /* Be quiet in add and flush */
85 do_pipe, /* this cmd refers to a pipe */
86 do_sort, /* field to sort results (0 = no) */
87 do_dynamic, /* display dynamic rules */
88 do_expired, /* display expired dynamic rules */
89 do_compact, /* show rules in compact mode */
90 show_sets, /* display rule sets */
91 test_only, /* only check syntax */
92 verbose;
93
94 #define IP_MASK_ALL 0xffffffff
95
96 /*
97 * _s_x is a structure that stores a string <-> token pairs, used in
98 * various places in the parser. Entries are stored in arrays,
99 * with an entry with s=NULL as terminator.
100 * The search routines are match_token() and match_value().
101 * Often, an element with x=0 contains an error string.
102 *
103 */
104 struct _s_x {
105 char const *s;
106 int x;
107 };
108
109 static struct _s_x f_tcpflags[] = {
110 { "syn", TH_SYN },
111 { "fin", TH_FIN },
112 { "ack", TH_ACK },
113 { "psh", TH_PUSH },
114 { "rst", TH_RST },
115 { "urg", TH_URG },
116 { "tcp flag", 0 },
117 { NULL, 0 }
118 };
119
120 static struct _s_x f_tcpopts[] = {
121 { "mss", IP_FW_TCPOPT_MSS },
122 { "maxseg", IP_FW_TCPOPT_MSS },
123 { "window", IP_FW_TCPOPT_WINDOW },
124 { "sack", IP_FW_TCPOPT_SACK },
125 { "ts", IP_FW_TCPOPT_TS },
126 { "timestamp", IP_FW_TCPOPT_TS },
127 { "cc", IP_FW_TCPOPT_CC },
128 { "tcp option", 0 },
129 { NULL, 0 }
130 };
131
132 /*
133 * IP options span the range 0 to 255 so we need to remap them
134 * (though in fact only the low 5 bits are significant).
135 */
136 static struct _s_x f_ipopts[] = {
137 { "ssrr", IP_FW_IPOPT_SSRR},
138 { "lsrr", IP_FW_IPOPT_LSRR},
139 { "rr", IP_FW_IPOPT_RR},
140 { "ts", IP_FW_IPOPT_TS},
141 { "ip option", 0 },
142 { NULL, 0 }
143 };
144
145 static struct _s_x f_iptos[] = {
146 { "lowdelay", IPTOS_LOWDELAY},
147 { "throughput", IPTOS_THROUGHPUT},
148 { "reliability", IPTOS_RELIABILITY},
149 { "mincost", IPTOS_MINCOST},
150 { "congestion", IPTOS_CE},
151 { "ecntransport", IPTOS_ECT},
152 { "ip tos option", 0},
153 { NULL, 0 }
154 };
155
156 static struct _s_x limit_masks[] = {
157 {"all", DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
158 {"src-addr", DYN_SRC_ADDR},
159 {"src-port", DYN_SRC_PORT},
160 {"dst-addr", DYN_DST_ADDR},
161 {"dst-port", DYN_DST_PORT},
162 {NULL, 0}
163 };
164
165 /*
166 * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines
167 * This is only used in this code.
168 */
169 #define IPPROTO_ETHERTYPE 0x1000
170 static struct _s_x ether_types[] = {
171 /*
172 * Note, we cannot use "-:&/" in the names because they are field
173 * separators in the type specifications. Also, we use s = NULL as
174 * end-delimiter, because a type of 0 can be legal.
175 */
176 { "ip", 0x0800 },
177 { "ipv4", 0x0800 },
178 { "ipv6", 0x86dd },
179 { "arp", 0x0806 },
180 { "rarp", 0x8035 },
181 { "vlan", 0x8100 },
182 { "loop", 0x9000 },
183 { "trail", 0x1000 },
184 { "at", 0x809b },
185 { "atalk", 0x809b },
186 { "aarp", 0x80f3 },
187 { "pppoe_disc", 0x8863 },
188 { "pppoe_sess", 0x8864 },
189 { "ipx_8022", 0x00E0 },
190 { "ipx_8023", 0x0000 },
191 { "ipx_ii", 0x8137 },
192 { "ipx_snap", 0x8137 },
193 { "ipx", 0x8137 },
194 { "ns", 0x0600 },
195 { NULL, 0 }
196 };
197
198 static struct _s_x exception_types[] = {
199 { "to", 1},
200 { "dst", 2},
201 { "in", 3},
202 { "out", 4},
203 { "xmit", 5},
204 { "recv", 6},
205 { "via", 7},
206 { "src", 8},
207 { NULL, 0}
208 };
209
210 static void show_usage(void);
211
212 enum tokens {
213 TOK_NULL=0,
214
215 TOK_OR,
216 TOK_NOT,
217 TOK_STARTBRACE,
218 TOK_ENDBRACE,
219
220 TOK_ACCEPT,
221 TOK_COUNT,
222 TOK_PIPE,
223 TOK_QUEUE,
224 TOK_DIVERT,
225 TOK_TEE,
226 TOK_FORWARD,
227 TOK_SKIPTO,
228 TOK_DENY,
229 TOK_REJECT,
230 TOK_RESET,
231 TOK_UNREACH,
232 TOK_CHECKSTATE,
233
234 TOK_UID,
235 TOK_GID,
236 TOK_IN,
237 TOK_LIMIT,
238 TOK_KEEPSTATE,
239 TOK_LAYER2,
240 TOK_OUT,
241 TOK_XMIT,
242 TOK_RECV,
243 TOK_VIA,
244 TOK_FRAG,
245 TOK_IPOPTS,
246 TOK_IPLEN,
247 TOK_IPID,
248 TOK_IPPRECEDENCE,
249 TOK_IPTOS,
250 TOK_IPTTL,
251 TOK_IPVER,
252 TOK_ESTAB,
253 TOK_SETUP,
254 TOK_TCPFLAGS,
255 TOK_TCPOPTS,
256 TOK_TCPSEQ,
257 TOK_TCPACK,
258 TOK_TCPWIN,
259 TOK_ICMPTYPES,
260 TOK_MAC,
261 TOK_MACTYPE,
262 TOK_VERREVPATH,
263 TOK_IPSEC,
264 TOK_COMMENT,
265
266 TOK_PLR,
267 TOK_NOERROR,
268 TOK_BUCKETS,
269 TOK_DSTIP,
270 TOK_SRCIP,
271 TOK_DSTPORT,
272 TOK_SRCPORT,
273 TOK_ALL,
274 TOK_MASK,
275 TOK_BW,
276 TOK_DELAY,
277 TOK_RED,
278 TOK_GRED,
279 TOK_DROPTAIL,
280 TOK_PROTO,
281 TOK_WEIGHT,
282 };
283
284 struct _s_x dummynet_params[] = {
285 { "plr", TOK_PLR },
286 { "noerror", TOK_NOERROR },
287 { "buckets", TOK_BUCKETS },
288 { "dst-ip", TOK_DSTIP },
289 { "src-ip", TOK_SRCIP },
290 { "dst-port", TOK_DSTPORT },
291 { "src-port", TOK_SRCPORT },
292 { "proto", TOK_PROTO },
293 { "weight", TOK_WEIGHT },
294 { "all", TOK_ALL },
295 { "mask", TOK_MASK },
296 { "droptail", TOK_DROPTAIL },
297 { "red", TOK_RED },
298 { "gred", TOK_GRED },
299 { "bw", TOK_BW },
300 { "bandwidth", TOK_BW },
301 { "delay", TOK_DELAY },
302 { "pipe", TOK_PIPE },
303 { "queue", TOK_QUEUE },
304 { "dummynet-params", TOK_NULL },
305 { NULL, 0 } /* terminator */
306 };
307
308 struct _s_x rule_actions[] = {
309 { "accept", TOK_ACCEPT },
310 { "pass", TOK_ACCEPT },
311 { "allow", TOK_ACCEPT },
312 { "permit", TOK_ACCEPT },
313 { "count", TOK_COUNT },
314 { "pipe", TOK_PIPE },
315 { "queue", TOK_QUEUE },
316 { "divert", TOK_DIVERT },
317 { "tee", TOK_TEE },
318 { "fwd", TOK_FORWARD },
319 { "forward", TOK_FORWARD },
320 { "skipto", TOK_SKIPTO },
321 { "deny", TOK_DENY },
322 { "drop", TOK_DENY },
323 { "reject", TOK_REJECT },
324 { "reset", TOK_RESET },
325 { "unreach", TOK_UNREACH },
326 { "check-state", TOK_CHECKSTATE },
327 { "//", TOK_COMMENT },
328 { NULL, 0 } /* terminator */
329 };
330
331 struct _s_x rule_options[] = {
332 { "uid", TOK_UID },
333 { "gid", TOK_GID },
334 { "in", TOK_IN },
335 { "limit", TOK_LIMIT },
336 { "keep-state", TOK_KEEPSTATE },
337 { "bridged", TOK_LAYER2 },
338 { "layer2", TOK_LAYER2 },
339 { "out", TOK_OUT },
340 { "xmit", TOK_XMIT },
341 { "recv", TOK_RECV },
342 { "via", TOK_VIA },
343 { "fragment", TOK_FRAG },
344 { "frag", TOK_FRAG },
345 { "ipoptions", TOK_IPOPTS },
346 { "ipopts", TOK_IPOPTS },
347 { "iplen", TOK_IPLEN },
348 { "ipid", TOK_IPID },
349 { "ipprecedence", TOK_IPPRECEDENCE },
350 { "iptos", TOK_IPTOS },
351 { "ipttl", TOK_IPTTL },
352 { "ipversion", TOK_IPVER },
353 { "ipver", TOK_IPVER },
354 { "estab", TOK_ESTAB },
355 { "established", TOK_ESTAB },
356 { "setup", TOK_SETUP },
357 { "tcpflags", TOK_TCPFLAGS },
358 { "tcpflgs", TOK_TCPFLAGS },
359 { "tcpoptions", TOK_TCPOPTS },
360 { "tcpopts", TOK_TCPOPTS },
361 { "tcpseq", TOK_TCPSEQ },
362 { "tcpack", TOK_TCPACK },
363 { "tcpwin", TOK_TCPWIN },
364 { "icmptype", TOK_ICMPTYPES },
365 { "icmptypes", TOK_ICMPTYPES },
366 { "dst-ip", TOK_DSTIP },
367 { "src-ip", TOK_SRCIP },
368 { "dst-port", TOK_DSTPORT },
369 { "src-port", TOK_SRCPORT },
370 { "proto", TOK_PROTO },
371 { "MAC", TOK_MAC },
372 { "mac", TOK_MAC },
373 { "mac-type", TOK_MACTYPE },
374 { "verrevpath", TOK_VERREVPATH },
375 { "ipsec", TOK_IPSEC },
376 { "//", TOK_COMMENT },
377
378 { "not", TOK_NOT }, /* pseudo option */
379 { "!", /* escape ? */ TOK_NOT }, /* pseudo option */
380 { "or", TOK_OR }, /* pseudo option */
381 { "|", /* escape */ TOK_OR }, /* pseudo option */
382 { "{", TOK_STARTBRACE }, /* pseudo option */
383 { "(", TOK_STARTBRACE }, /* pseudo option */
384 { "}", TOK_ENDBRACE }, /* pseudo option */
385 { ")", TOK_ENDBRACE }, /* pseudo option */
386 { NULL, 0 } /* terminator */
387 };
388
389 static __inline uint64_t
390 align_uint64(uint64_t *pll) {
391 uint64_t ret;
392
393 bcopy (pll, &ret, sizeof(ret));
394 return ret;
395 };
396
397 /*
398 * conditionally runs the command.
399 */
400 static int
401 do_cmd(int optname, void *optval, uintptr_t optlen)
402 {
403 static int s = -1; /* the socket */
404 int i;
405
406 if (test_only)
407 return 0;
408
409 if (s == -1)
410 s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
411 if (s < 0)
412 err(EX_UNAVAILABLE, "socket");
413
414 switch (optname) {
415 case IP_FW_GET:
416 case IP_FW_FLUSH:
417 case IP_FW_ADD:
418 case IP_FW_DEL:
419 case IP_FW_ZERO:
420 case IP_FW_RESETLOG:
421 ((struct ip_fw *)optval)->version = IP_FW_CURRENT_API_VERSION;
422 default:
423 break;
424 }
425
426 if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET ||
427 optname == IP_FW_ADD)
428 i = getsockopt(s, IPPROTO_IP, optname, optval,
429 (socklen_t *)optlen);
430 else
431 i = setsockopt(s, IPPROTO_IP, optname, optval, optlen);
432 return i;
433 }
434
435 /**
436 * match_token takes a table and a string, returns the value associated
437 * with the string (-1 in case of failure).
438 */
439 static int
440 match_token(struct _s_x *table, char *string)
441 {
442 struct _s_x *pt;
443 uint i = strlen(string);
444
445 for (pt = table ; i && pt->s != NULL ; pt++)
446 if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
447 return pt->x;
448 return -1;
449 };
450
451 /**
452 * match_value takes a table and a value, returns the string associated
453 * with the value (NULL in case of failure).
454 */
455 static char const *
456 match_value(struct _s_x *p, int value)
457 {
458 for (; p->s != NULL; p++)
459 if (p->x == value)
460 return p->s;
461 return NULL;
462 }
463
464 /*
465 * prints one port, symbolic or numeric
466 */
467 static void
468 print_port(int proto, uint16_t port)
469 {
470
471 if (proto == IPPROTO_ETHERTYPE) {
472 char const *s;
473
474 if (do_resolv && (s = match_value(ether_types, port)) )
475 printf("%s", s);
476 else
477 printf("0x%04x", port);
478 } else {
479 struct servent *se = NULL;
480 if (do_resolv) {
481 struct protoent *pe = getprotobynumber(proto);
482
483 se = getservbyport(htons(port), pe ? pe->p_name : NULL);
484 }
485 if (se)
486 printf("%s", se->s_name);
487 else
488 printf("%d", port);
489 }
490 }
491
492 struct _s_x _port_name[] = {
493 {"dst-port", O_IP_DSTPORT},
494 {"src-port", O_IP_SRCPORT},
495 {"ipid", O_IPID},
496 {"iplen", O_IPLEN},
497 {"ipttl", O_IPTTL},
498 {"mac-type", O_MAC_TYPE},
499 {NULL, 0}
500 };
501
502 /*
503 * Print the values in a list 16-bit items of the types above.
504 * XXX todo: add support for mask.
505 */
506 static void
507 print_newports(ipfw_insn_u16 *cmd, int proto, int opcode)
508 {
509 uint16_t *p = cmd->ports;
510 int i;
511 char const *sep;
512
513 if (cmd->o.len & F_NOT)
514 printf(" not");
515 if (opcode != 0) {
516 sep = match_value(_port_name, opcode);
517 if (sep == NULL)
518 sep = "???";
519 printf (" %s", sep);
520 }
521 sep = " ";
522 for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
523 printf(sep);
524 print_port(proto, p[0]);
525 if (p[0] != p[1]) {
526 printf("-");
527 print_port(proto, p[1]);
528 }
529 sep = ",";
530 }
531 }
532
533 /*
534 * Like strtol, but also translates service names into port numbers
535 * for some protocols.
536 * In particular:
537 * proto == -1 disables the protocol check;
538 * proto == IPPROTO_ETHERTYPE looks up an internal table
539 * proto == <some value in /etc/protocols> matches the values there.
540 * Returns *end == s in case the parameter is not found.
541 */
542 static int
543 strtoport(char *s, char **end, int base, int proto)
544 {
545 char *p, *buf;
546 char *s1;
547 int i;
548
549 *end = s; /* default - not found */
550 if (*s == '\0')
551 return 0; /* not found */
552
553 if (isdigit(*s))
554 return strtol(s, end, base);
555
556 /*
557 * find separator. '\\' escapes the next char.
558 */
559 for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
560 if (*s1 == '\\' && s1[1] != '\0')
561 s1++;
562
563 buf = malloc(s1 - s + 1);
564 if (buf == NULL)
565 return 0;
566
567 /*
568 * copy into a buffer skipping backslashes
569 */
570 for (p = s, i = 0; p != s1 ; p++)
571 if (*p != '\\')
572 buf[i++] = *p;
573 buf[i++] = '\0';
574
575 if ( match_token( exception_types, buf) != -1 ){
576 free(buf);
577 return 0;
578 }
579
580 if (proto == IPPROTO_ETHERTYPE) {
581 i = match_token(ether_types, buf);
582 free(buf);
583 if (i != -1) { /* found */
584 *end = s1;
585 return i;
586 }
587 } else {
588 struct protoent *pe = NULL;
589 struct servent *se;
590
591 if (proto != 0)
592 pe = getprotobynumber(proto);
593 setservent(1);
594 se = getservbyname(buf, pe ? pe->p_name : NULL);
595 free(buf);
596 if (se != NULL) {
597 *end = s1;
598 return ntohs(se->s_port);
599 }
600 }
601 return 0; /* not found */
602 }
603
604 /*
605 * Fill the body of the command with the list of port ranges.
606 */
607 static int
608 fill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
609 {
610 uint16_t a, b, *p = cmd->ports;
611 int i = 0;
612 char *s = av;
613
614 while (*s) {
615 a = strtoport(av, &s, 0, proto);
616 if (s == av) /* no parameter */
617 break;
618 if (*s == '-') { /* a range */
619 av = s+1;
620 b = strtoport(av, &s, 0, proto);
621 if (s == av) /* no parameter */
622 break;
623 p[0] = a;
624 p[1] = b;
625 } else if (*s == ',' || *s == '\0' )
626 p[0] = p[1] = a;
627 else /* invalid separator */
628 errx(EX_DATAERR, "invalid separator <%c> in <%s>\n",
629 *s, av);
630 i++;
631 p += 2;
632 av = s+1;
633 }
634 if (i > 0) {
635 if (i+1 > F_LEN_MASK)
636 errx(EX_DATAERR, "too many ports/ranges\n");
637 cmd->o.len |= i+1; /* leave F_NOT and F_OR untouched */
638 }
639 return i;
640 }
641
642 static struct _s_x icmpcodes[] = {
643 { "net", ICMP_UNREACH_NET },
644 { "host", ICMP_UNREACH_HOST },
645 { "protocol", ICMP_UNREACH_PROTOCOL },
646 { "port", ICMP_UNREACH_PORT },
647 { "needfrag", ICMP_UNREACH_NEEDFRAG },
648 { "srcfail", ICMP_UNREACH_SRCFAIL },
649 { "net-unknown", ICMP_UNREACH_NET_UNKNOWN },
650 { "host-unknown", ICMP_UNREACH_HOST_UNKNOWN },
651 { "isolated", ICMP_UNREACH_ISOLATED },
652 { "net-prohib", ICMP_UNREACH_NET_PROHIB },
653 { "host-prohib", ICMP_UNREACH_HOST_PROHIB },
654 { "tosnet", ICMP_UNREACH_TOSNET },
655 { "toshost", ICMP_UNREACH_TOSHOST },
656 { "filter-prohib", ICMP_UNREACH_FILTER_PROHIB },
657 { "host-precedence", ICMP_UNREACH_HOST_PRECEDENCE },
658 { "precedence-cutoff", ICMP_UNREACH_PRECEDENCE_CUTOFF },
659 { NULL, 0 }
660 };
661
662 static void
663 fill_reject_code(u_short *codep, char *str)
664 {
665 int val;
666 char *s;
667
668 val = strtoul(str, &s, 0);
669 if (s == str || *s != '\0' || val >= 0x100)
670 val = match_token(icmpcodes, str);
671 if (val < 0)
672 errx(EX_DATAERR, "unknown ICMP unreachable code ``%s''", str);
673 *codep = val;
674 return;
675 }
676
677 static void
678 print_reject_code(uint16_t code)
679 {
680 char const *s = match_value(icmpcodes, code);
681
682 if (s != NULL)
683 printf("unreach %s", s);
684 else
685 printf("unreach %u", code);
686 }
687
688 /*
689 * Returns the number of bits set (from left) in a contiguous bitmask,
690 * or -1 if the mask is not contiguous.
691 * XXX this needs a proper fix.
692 * This effectively works on masks in big-endian (network) format.
693 * when compiled on little endian architectures.
694 *
695 * First bit is bit 7 of the first byte -- note, for MAC addresses,
696 * the first bit on the wire is bit 0 of the first byte.
697 * len is the max length in bits.
698 */
699 static int
700 contigmask(uint8_t *p, int len)
701 {
702 int i, n;
703
704 for (i=0; i<len ; i++)
705 if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
706 break;
707 for (n=i+1; n < len; n++)
708 if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
709 return -1; /* mask not contiguous */
710 return i;
711 }
712
713 /*
714 * print flags set/clear in the two bitmasks passed as parameters.
715 * There is a specialized check for f_tcpflags.
716 */
717 static void
718 print_flags(char const *name, ipfw_insn *cmd, struct _s_x *list)
719 {
720 char const *comma = "";
721 int i;
722 uint8_t set = cmd->arg1 & 0xff;
723 uint8_t clear = (cmd->arg1 >> 8) & 0xff;
724
725 if (list == f_tcpflags && set == TH_SYN && clear == TH_ACK) {
726 printf(" setup");
727 return;
728 }
729
730 printf(" %s ", name);
731 for (i=0; list[i].x != 0; i++) {
732 if (set & list[i].x) {
733 set &= ~list[i].x;
734 printf("%s%s", comma, list[i].s);
735 comma = ",";
736 }
737 if (clear & list[i].x) {
738 clear &= ~list[i].x;
739 printf("%s!%s", comma, list[i].s);
740 comma = ",";
741 }
742 }
743 }
744
745 /*
746 * Print the ip address contained in a command.
747 */
748 static void
749 print_ip(ipfw_insn_ip *cmd, char const *s)
750 {
751 struct hostent *he = NULL;
752 int len = F_LEN((ipfw_insn *)cmd);
753 uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
754
755 printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
756
757 if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
758 printf("me");
759 return;
760 }
761 if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
762 uint32_t x, *map = (uint32_t *)&(cmd->mask);
763 int i, j;
764 char comma = '{';
765
766 x = cmd->o.arg1 - 1;
767 x = htonl( ~x );
768 cmd->addr.s_addr = htonl(cmd->addr.s_addr);
769 printf("%s/%d", inet_ntoa(cmd->addr),
770 contigmask((uint8_t *)&x, 32));
771 x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
772 x &= 0xff; /* base */
773 /*
774 * Print bits and ranges.
775 * Locate first bit set (i), then locate first bit unset (j).
776 * If we have 3+ consecutive bits set, then print them as a
777 * range, otherwise only print the initial bit and rescan.
778 */
779 for (i=0; i < cmd->o.arg1; i++)
780 if (map[i/32] & (1<<(i & 31))) {
781 for (j=i+1; j < cmd->o.arg1; j++)
782 if (!(map[ j/32] & (1<<(j & 31))))
783 break;
784 printf("%c%d", comma, i+x);
785 if (j>i+2) { /* range has at least 3 elements */
786 printf("-%d", j-1+x);
787 i = j-1;
788 }
789 comma = ',';
790 }
791 printf("}");
792 return;
793 }
794 /*
795 * len == 2 indicates a single IP, whereas lists of 1 or more
796 * addr/mask pairs have len = (2n+1). We convert len to n so we
797 * use that to count the number of entries.
798 */
799 for (len = len / 2; len > 0; len--, a += 2) {
800 int mb = /* mask length */
801 (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
802 32 : contigmask((uint8_t *)&(a[1]), 32);
803 if (mb == 32 && do_resolv)
804 he = gethostbyaddr((char *)&(a[0]), sizeof(u_long), AF_INET);
805 if (he != NULL) /* resolved to name */
806 printf("%s", he->h_name);
807 else if (mb == 0) /* any */
808 printf("any");
809 else { /* numeric IP followed by some kind of mask */
810 printf("%s", inet_ntoa( *((struct in_addr *)&a[0]) ) );
811 if (mb < 0)
812 printf(":%s", inet_ntoa( *((struct in_addr *)&a[1]) ) );
813 else if (mb < 32)
814 printf("/%d", mb);
815 }
816 if (len > 1)
817 printf(",");
818 }
819 }
820
821 /*
822 * prints a MAC address/mask pair
823 */
824 static void
825 print_mac(uint8_t *addr, uint8_t *mask)
826 {
827 int l = contigmask(mask, 48);
828
829 if (l == 0)
830 printf(" any");
831 else {
832 printf(" %02x:%02x:%02x:%02x:%02x:%02x",
833 addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
834 if (l == -1)
835 printf("&%02x:%02x:%02x:%02x:%02x:%02x",
836 mask[0], mask[1], mask[2],
837 mask[3], mask[4], mask[5]);
838 else if (l < 48)
839 printf("/%d", l);
840 }
841 }
842
843 static void
844 fill_icmptypes(ipfw_insn_u32 *cmd, char *av)
845 {
846 uint8_t type;
847
848 cmd->d[0] = 0;
849 while (*av) {
850 if (*av == ',')
851 av++;
852
853 type = strtoul(av, &av, 0);
854
855 if (*av != ',' && *av != '\0')
856 errx(EX_DATAERR, "invalid ICMP type");
857
858 if (type > 31)
859 errx(EX_DATAERR, "ICMP type out of range");
860
861 cmd->d[0] |= 1 << type;
862 }
863 cmd->o.opcode = O_ICMPTYPE;
864 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
865 }
866
867 static void
868 print_icmptypes(ipfw_insn_u32 *cmd)
869 {
870 int i;
871 char sep= ' ';
872
873 printf(" icmptypes");
874 for (i = 0; i < 32; i++) {
875 if ( (cmd->d[0] & (1 << (i))) == 0)
876 continue;
877 printf("%c%d", sep, i);
878 sep = ',';
879 }
880 }
881
882 /*
883 * show_ipfw() prints the body of an ipfw rule.
884 * Because the standard rule has at least proto src_ip dst_ip, we use
885 * a helper function to produce these entries if not provided explicitly.
886 * The first argument is the list of fields we have, the second is
887 * the list of fields we want to be printed.
888 *
889 * Special cases if we have provided a MAC header:
890 * + if the rule does not contain IP addresses/ports, do not print them;
891 * + if the rule does not contain an IP proto, print "all" instead of "ip";
892 *
893 * Once we have 'have_options', IP header fields are printed as options.
894 */
895 #define HAVE_PROTO 0x0001
896 #define HAVE_SRCIP 0x0002
897 #define HAVE_DSTIP 0x0004
898 #define HAVE_MAC 0x0008
899 #define HAVE_MACTYPE 0x0010
900 #define HAVE_OPTIONS 0x8000
901
902 #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
903 static void
904 show_prerequisites(int *flags, int want, int cmd)
905 {
906 if ( (*flags & HAVE_IP) == HAVE_IP)
907 *flags |= HAVE_OPTIONS;
908
909 if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC &&
910 cmd != O_MAC_TYPE) {
911 /*
912 * mac-type was optimized out by the compiler,
913 * restore it
914 */
915 printf(" any");
916 *flags |= HAVE_MACTYPE | HAVE_OPTIONS;
917 return;
918 }
919 if ( !(*flags & HAVE_OPTIONS)) {
920 if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
921 printf(" ip");
922 if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
923 printf(" from any");
924 if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
925 printf(" to any");
926 }
927 *flags |= want;
928 }
929
930 static void
931 show_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
932 {
933 static int twidth = 0;
934 int l;
935 ipfw_insn *cmd;
936 char *comment = NULL; /* ptr to comment if we have one */
937 int proto = 0; /* default */
938 int flags = 0; /* prerequisites */
939 ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
940 int or_block = 0; /* we are in an or block */
941 uint32_t set_disable;
942
943 bcopy(&rule->next_rule, &set_disable, sizeof(set_disable));
944
945 if (set_disable & (1 << rule->set)) { /* disabled */
946 if (!show_sets)
947 return;
948 else
949 printf("# DISABLED ");
950 }
951 printf("%05u ", rule->rulenum);
952
953 if (pcwidth>0 || bcwidth>0)
954 printf("%*llu %*llu ", pcwidth, align_uint64(&rule->pcnt),
955 bcwidth, align_uint64(&rule->bcnt));
956
957 if (do_time == 2)
958 printf("%10u ", rule->timestamp);
959 else if (do_time == 1) {
960 char timestr[30];
961 time_t t = (time_t)0;
962
963 if (twidth == 0) {
964 strcpy(timestr, ctime(&t));
965 *strchr(timestr, '\n') = '\0';
966 twidth = strlen(timestr);
967 }
968 if (rule->timestamp) {
969 #if _FreeBSD_version < 500000 /* XXX check */
970 #define _long_to_time(x) (time_t)(x)
971 #endif
972 t = _long_to_time(rule->timestamp);
973
974 strcpy(timestr, ctime(&t));
975 *strchr(timestr, '\n') = '\0';
976 printf("%s ", timestr);
977 } else {
978 printf("%*s", twidth, " ");
979 }
980 }
981
982 if (show_sets)
983 printf("set %d ", rule->set);
984
985 /*
986 * print the optional "match probability"
987 */
988 if (rule->cmd_len > 0) {
989 cmd = rule->cmd ;
990 if (cmd->opcode == O_PROB) {
991 ipfw_insn_u32 *p = (ipfw_insn_u32 *)cmd;
992 double d = 1.0 * p->d[0];
993
994 d = (d / 0x7fffffff);
995 printf("prob %f ", d);
996 }
997 }
998
999 /*
1000 * first print actions
1001 */
1002 for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
1003 l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
1004 switch(cmd->opcode) {
1005 case O_CHECK_STATE:
1006 printf("check-state");
1007 flags = HAVE_IP; /* avoid printing anything else */
1008 break;
1009
1010 case O_ACCEPT:
1011 printf("allow");
1012 break;
1013
1014 case O_COUNT:
1015 printf("count");
1016 break;
1017
1018 case O_DENY:
1019 printf("deny");
1020 break;
1021
1022 case O_REJECT:
1023 if (cmd->arg1 == ICMP_REJECT_RST)
1024 printf("reset");
1025 else if (cmd->arg1 == ICMP_UNREACH_HOST)
1026 printf("reject");
1027 else
1028 print_reject_code(cmd->arg1);
1029 break;
1030
1031 case O_SKIPTO:
1032 printf("skipto %u", cmd->arg1);
1033 break;
1034
1035 case O_PIPE:
1036 printf("pipe %u", cmd->arg1);
1037 break;
1038
1039 case O_QUEUE:
1040 printf("queue %u", cmd->arg1);
1041 break;
1042
1043 case O_DIVERT:
1044 printf("divert %u", cmd->arg1);
1045 break;
1046
1047 case O_TEE:
1048 printf("tee %u", cmd->arg1);
1049 break;
1050
1051 case O_FORWARD_IP:
1052 {
1053 ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
1054
1055 printf("fwd %s", inet_ntoa(s->sa.sin_addr));
1056 if (s->sa.sin_port)
1057 printf(",%d", s->sa.sin_port);
1058 }
1059 break;
1060
1061 case O_LOG: /* O_LOG is printed last */
1062 logptr = (ipfw_insn_log *)cmd;
1063 break;
1064
1065 default:
1066 printf("** unrecognized action %d len %d",
1067 cmd->opcode, cmd->len);
1068 }
1069 }
1070 if (logptr) {
1071 if (logptr->max_log > 0)
1072 printf(" log logamount %d", logptr->max_log);
1073 else
1074 printf(" log");
1075 }
1076
1077 /*
1078 * then print the body.
1079 */
1080 if (rule->_pad & 1) { /* empty rules before options */
1081 if (!do_compact)
1082 printf(" ip from any to any");
1083 flags |= HAVE_IP | HAVE_OPTIONS;
1084 }
1085
1086 for (l = rule->act_ofs, cmd = rule->cmd ;
1087 l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
1088 /* useful alias */
1089 ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
1090
1091 show_prerequisites(&flags, 0, cmd->opcode);
1092
1093 switch(cmd->opcode) {
1094 case O_PROB:
1095 break; /* done already */
1096
1097 case O_PROBE_STATE:
1098 break; /* no need to print anything here */
1099
1100 case O_MACADDR2: {
1101 ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
1102
1103 if ((cmd->len & F_OR) && !or_block)
1104 printf(" {");
1105 if (cmd->len & F_NOT)
1106 printf(" not");
1107 printf(" MAC");
1108 flags |= HAVE_MAC;
1109 print_mac(m->addr, m->mask);
1110 print_mac(m->addr + 6, m->mask + 6);
1111 }
1112 break;
1113
1114 case O_MAC_TYPE:
1115 if ((cmd->len & F_OR) && !or_block)
1116 printf(" {");
1117 print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE,
1118 (flags & HAVE_OPTIONS) ? cmd->opcode : 0);
1119 flags |= HAVE_MAC | HAVE_MACTYPE | HAVE_OPTIONS;
1120 break;
1121
1122 case O_IP_SRC:
1123 case O_IP_SRC_MASK:
1124 case O_IP_SRC_ME:
1125 case O_IP_SRC_SET:
1126 show_prerequisites(&flags, HAVE_PROTO, 0);
1127 if (!(flags & HAVE_SRCIP))
1128 printf(" from");
1129 if ((cmd->len & F_OR) && !or_block)
1130 printf(" {");
1131 print_ip((ipfw_insn_ip *)cmd,
1132 (flags & HAVE_OPTIONS) ? " src-ip" : "");
1133 flags |= HAVE_SRCIP;
1134 break;
1135
1136 case O_IP_DST:
1137 case O_IP_DST_MASK:
1138 case O_IP_DST_ME:
1139 case O_IP_DST_SET:
1140 show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
1141 if (!(flags & HAVE_DSTIP))
1142 printf(" to");
1143 if ((cmd->len & F_OR) && !or_block)
1144 printf(" {");
1145 print_ip((ipfw_insn_ip *)cmd,
1146 (flags & HAVE_OPTIONS) ? " dst-ip" : "");
1147 flags |= HAVE_DSTIP;
1148 break;
1149
1150 case O_IP_DSTPORT:
1151 show_prerequisites(&flags, HAVE_IP, 0);
1152 case O_IP_SRCPORT:
1153 show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
1154 if ((cmd->len & F_OR) && !or_block)
1155 printf(" {");
1156 print_newports((ipfw_insn_u16 *)cmd, proto,
1157 (flags & HAVE_OPTIONS) ? cmd->opcode : 0);
1158 break;
1159
1160 case O_PROTO: {
1161 struct protoent *pe;
1162
1163 if ((cmd->len & F_OR) && !or_block)
1164 printf(" {");
1165 if (cmd->len & F_NOT)
1166 printf(" not");
1167 proto = cmd->arg1;
1168 pe = getprotobynumber(cmd->arg1);
1169 if (flags & HAVE_OPTIONS)
1170 printf(" proto");
1171 if (pe)
1172 printf(" %s", pe->p_name);
1173 else
1174 printf(" %u", cmd->arg1);
1175 }
1176 flags |= HAVE_PROTO;
1177 break;
1178
1179 default: /*options ... */
1180 show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0);
1181 if ((cmd->len & F_OR) && !or_block)
1182 printf(" {");
1183 if (cmd->len & F_NOT && cmd->opcode != O_IN)
1184 printf(" not");
1185 switch(cmd->opcode) {
1186 case O_FRAG:
1187 printf(" frag");
1188 break;
1189
1190 case O_IN:
1191 printf(cmd->len & F_NOT ? " out" : " in");
1192 break;
1193
1194 case O_LAYER2:
1195 printf(" layer2");
1196 break;
1197 case O_XMIT:
1198 case O_RECV:
1199 case O_VIA: {
1200 char const *s;
1201 ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
1202
1203 if (cmd->opcode == O_XMIT)
1204 s = "xmit";
1205 else if (cmd->opcode == O_RECV)
1206 s = "recv";
1207 else /* if (cmd->opcode == O_VIA) */
1208 s = "via";
1209 if (cmdif->name[0] == '\0')
1210 printf(" %s %s", s,
1211 inet_ntoa(cmdif->p.ip));
1212 else if (cmdif->p.unit == -1)
1213 printf(" %s %s*", s, cmdif->name);
1214 else
1215 printf(" %s %s%d", s, cmdif->name,
1216 cmdif->p.unit);
1217 }
1218 break;
1219
1220 case O_IPID:
1221 if (F_LEN(cmd) == 1)
1222 printf(" ipid %u", cmd->arg1 );
1223 else
1224 print_newports((ipfw_insn_u16 *)cmd, 0,
1225 O_IPID);
1226 break;
1227
1228 case O_IPTTL:
1229 if (F_LEN(cmd) == 1)
1230 printf(" ipttl %u", cmd->arg1 );
1231 else
1232 print_newports((ipfw_insn_u16 *)cmd, 0,
1233 O_IPTTL);
1234 break;
1235
1236 case O_IPVER:
1237 printf(" ipver %u", cmd->arg1 );
1238 break;
1239
1240 case O_IPPRECEDENCE:
1241 printf(" ipprecedence %u", (cmd->arg1) >> 5 );
1242 break;
1243
1244 case O_IPLEN:
1245 if (F_LEN(cmd) == 1)
1246 printf(" iplen %u", cmd->arg1 );
1247 else
1248 print_newports((ipfw_insn_u16 *)cmd, 0,
1249 O_IPLEN);
1250 break;
1251
1252 case O_IPOPT:
1253 print_flags("ipoptions", cmd, f_ipopts);
1254 break;
1255
1256 case O_IPTOS:
1257 print_flags("iptos", cmd, f_iptos);
1258 break;
1259
1260 case O_ICMPTYPE:
1261 print_icmptypes((ipfw_insn_u32 *)cmd);
1262 break;
1263
1264 case O_ESTAB:
1265 printf(" established");
1266 break;
1267
1268 case O_TCPFLAGS:
1269 print_flags("tcpflags", cmd, f_tcpflags);
1270 break;
1271
1272 case O_TCPOPTS:
1273 print_flags("tcpoptions", cmd, f_tcpopts);
1274 break;
1275
1276 case O_TCPWIN:
1277 printf(" tcpwin %d", ntohs(cmd->arg1));
1278 break;
1279
1280 case O_TCPACK:
1281 printf(" tcpack %ld", ntohl(cmd32->d[0]));
1282 break;
1283
1284 case O_TCPSEQ:
1285 printf(" tcpseq %ld", ntohl(cmd32->d[0]));
1286 break;
1287
1288 case O_UID:
1289 {
1290 struct passwd *pwd = getpwuid(cmd32->d[0]);
1291
1292 if (pwd)
1293 printf(" uid %s", pwd->pw_name);
1294 else
1295 printf(" uid %u", cmd32->d[0]);
1296 }
1297 break;
1298
1299 case O_GID:
1300 {
1301 struct group *grp = getgrgid(cmd32->d[0]);
1302
1303 if (grp)
1304 printf(" gid %s", grp->gr_name);
1305 else
1306 printf(" gid %u", cmd32->d[0]);
1307 }
1308 break;
1309
1310 case O_VERREVPATH:
1311 printf(" verrevpath");
1312 break;
1313
1314 case O_IPSEC:
1315 printf(" ipsec");
1316 break;
1317
1318 case O_NOP:
1319 comment = (char *)(cmd + 1);
1320 break;
1321
1322 case O_KEEP_STATE:
1323 printf(" keep-state");
1324 break;
1325
1326 case O_LIMIT:
1327 {
1328 struct _s_x *p = limit_masks;
1329 ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
1330 uint8_t x = c->limit_mask;
1331 char const *comma = " ";
1332
1333 printf(" limit");
1334 for (; p->x != 0 ; p++)
1335 if ((x & p->x) == p->x) {
1336 x &= ~p->x;
1337 printf("%s%s", comma, p->s);
1338 comma = ",";
1339 }
1340 printf(" %d", c->conn_limit);
1341 }
1342 break;
1343
1344 default:
1345 printf(" [opcode %d len %d]",
1346 cmd->opcode, cmd->len);
1347 }
1348 }
1349 if (cmd->len & F_OR) {
1350 printf(" or");
1351 or_block = 1;
1352 } else if (or_block) {
1353 printf(" }");
1354 or_block = 0;
1355 }
1356 }
1357 show_prerequisites(&flags, HAVE_IP, 0);
1358 if (comment)
1359 printf(" // %s", comment);
1360 printf("\n");
1361 }
1362
1363 static void
1364 show_dyn_ipfw(ipfw_dyn_rule *d, int pcwidth, int bcwidth)
1365 {
1366 struct protoent *pe;
1367 struct in_addr a;
1368 uint16_t rulenum;
1369
1370 if (!do_expired) {
1371 if (!d->expire && !(d->dyn_type == O_LIMIT_PARENT))
1372 return;
1373 }
1374 bcopy(&d->rule, &rulenum, sizeof(rulenum));
1375 printf("%05d", rulenum);
1376 if (pcwidth>0 || bcwidth>0)
1377 printf(" %*llu %*llu (%ds)", pcwidth,
1378 align_uint64(&d->pcnt), bcwidth,
1379 align_uint64(&d->bcnt), d->expire);
1380 switch (d->dyn_type) {
1381 case O_LIMIT_PARENT:
1382 printf(" PARENT %d", d->count);
1383 break;
1384 case O_LIMIT:
1385 printf(" LIMIT");
1386 break;
1387 case O_KEEP_STATE: /* bidir, no mask */
1388 printf(" STATE");
1389 break;
1390 }
1391
1392 if ((pe = getprotobynumber(d->id.proto)) != NULL)
1393 printf(" %s", pe->p_name);
1394 else
1395 printf(" proto %u", d->id.proto);
1396
1397 a.s_addr = htonl(d->id.src_ip);
1398 printf(" %s %d", inet_ntoa(a), d->id.src_port);
1399
1400 a.s_addr = htonl(d->id.dst_ip);
1401 printf(" <-> %s %d", inet_ntoa(a), d->id.dst_port);
1402 printf("\n");
1403 }
1404
1405 static int
1406 sort_q(const void *pa, const void *pb)
1407 {
1408 int rev = (do_sort < 0);
1409 int field = rev ? -do_sort : do_sort;
1410 long long res = 0;
1411 const struct dn_flow_queue *a = pa;
1412 const struct dn_flow_queue *b = pb;
1413
1414 switch (field) {
1415 case 1: /* pkts */
1416 res = a->len - b->len;
1417 break;
1418 case 2: /* bytes */
1419 res = a->len_bytes - b->len_bytes;
1420 break;
1421
1422 case 3: /* tot pkts */
1423 res = a->tot_pkts - b->tot_pkts;
1424 break;
1425
1426 case 4: /* tot bytes */
1427 res = a->tot_bytes - b->tot_bytes;
1428 break;
1429 }
1430 if (res < 0)
1431 res = -1;
1432 if (res > 0)
1433 res = 1;
1434 return (int)(rev ? res : -res);
1435 }
1436
1437 static void
1438 list_queues(struct dn_flow_set *fs, struct dn_flow_queue *q)
1439 {
1440 int l;
1441
1442 printf(" mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
1443 fs->flow_mask.proto,
1444 fs->flow_mask.src_ip, fs->flow_mask.src_port,
1445 fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
1446 if (fs->rq_elements == 0)
1447 return;
1448
1449 printf("BKT Prot ___Source IP/port____ "
1450 "____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n");
1451 if (do_sort != 0)
1452 heapsort(q, fs->rq_elements, sizeof *q, sort_q);
1453 for (l = 0; l < fs->rq_elements; l++) {
1454 struct in_addr ina;
1455 struct protoent *pe;
1456
1457 ina.s_addr = htonl(q[l].id.src_ip);
1458 printf("%3d ", q[l].hash_slot);
1459 pe = getprotobynumber(q[l].id.proto);
1460 if (pe)
1461 printf("%-4s ", pe->p_name);
1462 else
1463 printf("%4u ", q[l].id.proto);
1464 printf("%15s/%-5d ",
1465 inet_ntoa(ina), q[l].id.src_port);
1466 ina.s_addr = htonl(q[l].id.dst_ip);
1467 printf("%15s/%-5d ",
1468 inet_ntoa(ina), q[l].id.dst_port);
1469 printf("%4qu %8qu %2u %4u %3u\n",
1470 q[l].tot_pkts, q[l].tot_bytes,
1471 q[l].len, q[l].len_bytes, q[l].drops);
1472 if (verbose)
1473 printf(" S %20qd F %20qd\n",
1474 q[l].S, q[l].F);
1475 }
1476 }
1477
1478 static void
1479 print_flowset_parms(struct dn_flow_set *fs, char *prefix)
1480 {
1481 int l;
1482 char qs[30];
1483 char plr[30];
1484 char red[90]; /* Display RED parameters */
1485
1486 l = fs->qsize;
1487 if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
1488 if (l >= 8192)
1489 sprintf(qs, "%d KB", l / 1024);
1490 else
1491 sprintf(qs, "%d B", l);
1492 } else
1493 sprintf(qs, "%3d sl.", l);
1494 if (fs->plr)
1495 sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
1496 else
1497 plr[0] = '\0';
1498 if (fs->flags_fs & DN_IS_RED) /* RED parameters */
1499 sprintf(red,
1500 "\n\t %cRED w_q %f min_th %d max_th %d max_p %f",
1501 (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
1502 1.0 * fs->w_q / (double)(1 << SCALE_RED),
1503 SCALE_VAL(fs->min_th),
1504 SCALE_VAL(fs->max_th),
1505 1.0 * fs->max_p / (double)(1 << SCALE_RED));
1506 else
1507 sprintf(red, "droptail");
1508
1509 printf("%s %s%s %d queues (%d buckets) %s\n",
1510 prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
1511 }
1512
1513 static void
1514 list_pipes(void *data, uint nbytes, int ac, char *av[])
1515 {
1516 int rulenum;
1517 void *next = data;
1518 struct dn_pipe *p = (struct dn_pipe *) data;
1519 struct dn_flow_set *fs;
1520 struct dn_flow_queue *q;
1521 int l;
1522
1523 if (ac > 0)
1524 rulenum = strtoul(*av++, NULL, 10);
1525 else
1526 rulenum = 0;
1527 for (; nbytes >= sizeof *p; p = (struct dn_pipe *)next) {
1528 double b = p->bandwidth;
1529 char buf[30];
1530 char prefix[80];
1531
1532 if (p->next != (struct dn_pipe *)DN_IS_PIPE)
1533 break; /* done with pipes, now queues */
1534
1535 /*
1536 * compute length, as pipe have variable size
1537 */
1538 l = sizeof(*p) + p->fs.rq_elements * sizeof(*q);
1539 next = (char *)p + l;
1540 nbytes -= l;
1541
1542 if (rulenum != 0 && rulenum != p->pipe_nr)
1543 continue;
1544
1545 /*
1546 * Print rate (or clocking interface)
1547 */
1548 if (p->if_name[0] != '\0')
1549 sprintf(buf, "%s", p->if_name);
1550 else if (b == 0)
1551 sprintf(buf, "unlimited");
1552 else if (b >= 1000000)
1553 sprintf(buf, "%7.3f Mbit/s", b/1000000);
1554 else if (b >= 1000)
1555 sprintf(buf, "%7.3f Kbit/s", b/1000);
1556 else
1557 sprintf(buf, "%7.3f bit/s ", b);
1558
1559 sprintf(prefix, "%05d: %s %4d ms ",
1560 p->pipe_nr, buf, p->delay);
1561 print_flowset_parms(&(p->fs), prefix);
1562 if (verbose)
1563 printf(" V %20qd\n", p->V >> MY_M);
1564
1565 q = (struct dn_flow_queue *)(p+1);
1566 list_queues(&(p->fs), q);
1567 }
1568 for (fs = next; nbytes >= sizeof *fs; fs = next) {
1569 char prefix[80];
1570
1571 if (fs->next != (struct dn_flow_set *)DN_IS_QUEUE)
1572 break;
1573 l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
1574 next = (char *)fs + l;
1575 nbytes -= l;
1576 q = (struct dn_flow_queue *)(fs+1);
1577 sprintf(prefix, "q%05d: weight %d pipe %d ",
1578 fs->fs_nr, fs->weight, fs->parent_nr);
1579 print_flowset_parms(fs, prefix);
1580 list_queues(fs, q);
1581 }
1582 }
1583
1584 /*
1585 * This one handles all set-related commands
1586 * ipfw set { show | enable | disable }
1587 * ipfw set swap X Y
1588 * ipfw set move X to Y
1589 * ipfw set move rule X to Y
1590 */
1591 static void
1592 sets_handler(int ac, char *av[])
1593 {
1594 uint32_t set_disable, masks[2];
1595 int i, nbytes;
1596 uint16_t rulenum;
1597 uint8_t cmd, new_set;
1598
1599 ac--;
1600 av++;
1601
1602 if (!ac)
1603 errx(EX_USAGE, "set needs command");
1604 if (!strncmp(*av, "show", strlen(*av)) ) {
1605 void *data;
1606 char const *msg;
1607
1608 nbytes = sizeof(struct ip_fw);
1609 if ((data = calloc(1, nbytes)) == NULL)
1610 err(EX_OSERR, "calloc");
1611
1612 if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0)
1613 err(EX_OSERR, "getsockopt(IP_FW_GET)");
1614 bcopy(&((struct ip_fw *)data)->next_rule,
1615 &set_disable, sizeof(set_disable));
1616
1617 for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
1618 if ((set_disable & (1<<i))) {
1619 printf("%s %d", msg, i);
1620 msg = "";
1621 }
1622 msg = (set_disable) ? " enable" : "enable";
1623 for (i = 0; i < RESVD_SET; i++)
1624 if (!(set_disable & (1<<i))) {
1625 printf("%s %d", msg, i);
1626 msg = "";
1627 }
1628 printf("\n");
1629 } else if (!strncmp(*av, "swap", strlen(*av))) {
1630 struct ip_fw rule;
1631 ac--; av++;
1632 if (ac != 2)
1633 errx(EX_USAGE, "set swap needs 2 set numbers\n");
1634 rulenum = atoi(av[0]);
1635 new_set = atoi(av[1]);
1636 if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
1637 errx(EX_DATAERR, "invalid set number %s\n", av[0]);
1638 if (!isdigit(*(av[1])) || new_set > RESVD_SET)
1639 errx(EX_DATAERR, "invalid set number %s\n", av[1]);
1640 masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
1641
1642 bzero(&rule, sizeof(rule));
1643 rule.set_masks[0] = masks[0];
1644
1645 i = do_cmd(IP_FW_DEL, &rule, sizeof(rule));
1646 } else if (!strncmp(*av, "move", strlen(*av))) {
1647 struct ip_fw rule;
1648 ac--; av++;
1649 if (ac && !strncmp(*av, "rule", strlen(*av))) {
1650 cmd = 2;
1651 ac--; av++;
1652 } else
1653 cmd = 3;
1654 if (ac != 3 || strncmp(av[1], "to", strlen(*av)))
1655 errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
1656 rulenum = atoi(av[0]);
1657 new_set = atoi(av[2]);
1658 if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
1659 (cmd == 2 && rulenum == 65535) )
1660 errx(EX_DATAERR, "invalid source number %s\n", av[0]);
1661 if (!isdigit(*(av[2])) || new_set > RESVD_SET)
1662 errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
1663 masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
1664
1665 bzero(&rule, sizeof(rule));
1666 rule.set_masks[0] = masks[0];
1667
1668 i = do_cmd(IP_FW_DEL, &rule, sizeof(rule));
1669 } else if (!strncmp(*av, "disable", strlen(*av)) ||
1670 !strncmp(*av, "enable", strlen(*av)) ) {
1671 int which = !strncmp(*av, "enable", strlen(*av)) ? 1 : 0;
1672 struct ip_fw rule;
1673
1674 ac--; av++;
1675 masks[0] = masks[1] = 0;
1676
1677 while (ac) {
1678 if (isdigit(**av)) {
1679 i = atoi(*av);
1680 if (i < 0 || i > RESVD_SET)
1681 errx(EX_DATAERR,
1682 "invalid set number %d\n", i);
1683 masks[which] |= (1<<i);
1684 } else if (!strncmp(*av, "disable", strlen(*av)))
1685 which = 0;
1686 else if (!strncmp(*av, "enable", strlen(*av)))
1687 which = 1;
1688 else
1689 errx(EX_DATAERR,
1690 "invalid set command %s\n", *av);
1691 av++; ac--;
1692 }
1693 if ( (masks[0] & masks[1]) != 0 )
1694 errx(EX_DATAERR,
1695 "cannot enable and disable the same set\n");
1696
1697 bzero(&rule, sizeof(rule));
1698 rule.set_masks[0] = masks[0];
1699 rule.set_masks[1] = masks[1];
1700
1701 i = do_cmd(IP_FW_DEL, &rule, sizeof(rule));
1702 if (i)
1703 warn("set enable/disable: setsockopt(IP_FW_DEL)");
1704 } else
1705 errx(EX_USAGE, "invalid set command %s\n", *av);
1706 }
1707
1708 static void
1709 sysctl_handler(int ac, char *av[], int which)
1710 {
1711 ac--;
1712 av++;
1713
1714 if (ac == 0) {
1715 warnx("missing keyword to enable/disable\n");
1716 } else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
1717 sysctlbyname("net.inet.ip.fw.enable", NULL, 0,
1718 &which, sizeof(which));
1719 } else if (strncmp(*av, "one_pass", strlen(*av)) == 0) {
1720 sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0,
1721 &which, sizeof(which));
1722 } else if (strncmp(*av, "debug", strlen(*av)) == 0) {
1723 sysctlbyname("net.inet.ip.fw.debug", NULL, 0,
1724 &which, sizeof(which));
1725 } else if (strncmp(*av, "verbose", strlen(*av)) == 0) {
1726 sysctlbyname("net.inet.ip.fw.verbose", NULL, 0,
1727 &which, sizeof(which));
1728 } else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) {
1729 sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0,
1730 &which, sizeof(which));
1731 } else {
1732 warnx("unrecognize enable/disable keyword: %s\n", *av);
1733 }
1734 }
1735
1736 static void
1737 list(int ac, char *av[], int show_counters)
1738 {
1739 struct ip_fw *r;
1740 ipfw_dyn_rule *dynrules, *d;
1741
1742 #define NEXT(r) ((struct ip_fw *)((char *)r + RULESIZE(r)))
1743 char *lim;
1744 void *data = NULL;
1745 int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
1746 int exitval = EX_OK;
1747 int lac;
1748 char **lav;
1749 u_long rnum, last;
1750 char *endptr;
1751 int seen = 0;
1752
1753 const int ocmd = do_pipe ? IP_DUMMYNET_GET : IP_FW_GET;
1754 int nalloc = 1024; /* start somewhere... */
1755
1756 if (test_only) {
1757 fprintf(stderr, "Testing only, list disabled\n");
1758 return;
1759 }
1760
1761 ac--;
1762 av++;
1763
1764 /* get rules or pipes from kernel, resizing array as necessary */
1765 nbytes = nalloc;
1766
1767 while (nbytes >= nalloc) {
1768 nalloc = nalloc * 2 + 200;
1769 nbytes = nalloc;
1770 if ((data = realloc(data, nbytes)) == NULL)
1771 err(EX_OSERR, "realloc");
1772
1773 if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0)
1774 err(EX_OSERR, "getsockopt(IP_%s_GET)",
1775 do_pipe ? "DUMMYNET" : "FW");
1776 }
1777
1778 if (do_pipe) {
1779 list_pipes(data, nbytes, ac, av);
1780 goto done;
1781 }
1782
1783 /*
1784 * Count static rules. They have variable size so we
1785 * need to scan the list to count them.
1786 */
1787 for (nstat = 1, r = data, lim = (char *)data + nbytes;
1788 r->rulenum < 65535 && (char *)r < lim;
1789 ++nstat, r = NEXT(r) )
1790 ; /* nothing */
1791
1792 /*
1793 * Count dynamic rules. This is easier as they have
1794 * fixed size.
1795 */
1796 r = NEXT(r);
1797 dynrules = (ipfw_dyn_rule *)r ;
1798 n = (char *)r - (char *)data;
1799 ndyn = (nbytes - n) / sizeof *dynrules;
1800
1801 /* if showing stats, figure out column widths ahead of time */
1802 bcwidth = pcwidth = 0;
1803 if (show_counters) {
1804 for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
1805 /* packet counter */
1806 width = snprintf(NULL, 0, "%llu",
1807 align_uint64(&r->pcnt));
1808 if (width > pcwidth)
1809 pcwidth = width;
1810
1811 /* byte counter */
1812 width = snprintf(NULL, 0, "%llu",
1813 align_uint64(&r->bcnt));
1814 if (width > bcwidth)
1815 bcwidth = width;
1816 }
1817 }
1818 if (do_dynamic && ndyn) {
1819 for (n = 0, d = dynrules; n < ndyn; n++, d++) {
1820 width = snprintf(NULL, 0, "%llu",
1821 align_uint64(&d->pcnt));
1822 if (width > pcwidth)
1823 pcwidth = width;
1824
1825 width = snprintf(NULL, 0, "%llu",
1826 align_uint64(&d->bcnt));
1827 if (width > bcwidth)
1828 bcwidth = width;
1829 }
1830 }
1831 /* if no rule numbers were specified, list all rules */
1832 if (ac == 0) {
1833 for (n = 0, r = data; n < nstat; n++, r = NEXT(r) )
1834 show_ipfw(r, pcwidth, bcwidth);
1835
1836 if (do_dynamic && ndyn) {
1837 printf("## Dynamic rules (%d):\n", ndyn);
1838 for (n = 0, d = dynrules; n < ndyn; n++, d++)
1839 show_dyn_ipfw(d, pcwidth, bcwidth);
1840 }
1841 goto done;
1842 }
1843
1844 /* display specific rules requested on command line */
1845
1846 for (lac = ac, lav = av; lac != 0; lac--) {
1847 /* convert command line rule # */
1848 last = rnum = strtoul(*lav++, &endptr, 10);
1849 if (*endptr == '-')
1850 last = strtoul(endptr+1, &endptr, 10);
1851 if (*endptr) {
1852 exitval = EX_USAGE;
1853 warnx("invalid rule number: %s", *(lav - 1));
1854 continue;
1855 }
1856 for (n = seen = 0, r = data; n < nstat; n++, r = NEXT(r) ) {
1857 if (r->rulenum > last)
1858 break;
1859 if (r->rulenum >= rnum && r->rulenum <= last) {
1860 show_ipfw(r, pcwidth, bcwidth);
1861 seen = 1;
1862 }
1863 }
1864 if (!seen) {
1865 /* give precedence to other error(s) */
1866 if (exitval == EX_OK)
1867 exitval = EX_UNAVAILABLE;
1868 warnx("rule %lu does not exist", rnum);
1869 }
1870 }
1871
1872 if (do_dynamic && ndyn) {
1873 printf("## Dynamic rules:\n");
1874 for (lac = ac, lav = av; lac != 0; lac--) {
1875 rnum = strtoul(*lav++, &endptr, 10);
1876 if (*endptr == '-')
1877 last = strtoul(endptr+1, &endptr, 10);
1878 if (*endptr)
1879 /* already warned */
1880 continue;
1881 for (n = 0, d = dynrules; n < ndyn; n++, d++) {
1882 uint16_t rulenum;
1883
1884 bcopy(&d->rule, &rulenum, sizeof(rulenum));
1885 if (rulenum > rnum)
1886 break;
1887 if (r->rulenum >= rnum && r->rulenum <= last)
1888 show_dyn_ipfw(d, pcwidth, bcwidth);
1889 }
1890 }
1891 }
1892
1893 ac = 0;
1894
1895 done:
1896 free(data);
1897
1898 if (exitval != EX_OK)
1899 exit(exitval);
1900 #undef NEXT
1901 }
1902
1903 static void
1904 show_usage(void)
1905 {
1906 fprintf(stderr, "usage: ipfw [options]\n"
1907 "do \"ipfw -h\" or see ipfw manpage for details\n"
1908 );
1909 exit(EX_USAGE);
1910 }
1911
1912 static void
1913 help(void)
1914 {
1915 fprintf(stderr,
1916 "ipfw syntax summary (but please do read the ipfw(8) manpage):\n"
1917 "ipfw [-acdeftTnNpqS] <command> where <command> is one of:\n"
1918 "add [num] [set N] [prob x] RULE-BODY\n"
1919 "{pipe|queue} N config PIPE-BODY\n"
1920 "[pipe|queue] {zero|delete|show} [N{,N}]\n"
1921 "set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
1922 "\n"
1923 "RULE-BODY: check-state [LOG] | ACTION [LOG] ADDR [OPTION_LIST]\n"
1924 "ACTION: check-state | allow | count | deny | reject | skipto N |\n"
1925 " {divert|tee} PORT | forward ADDR | pipe N | queue N\n"
1926 "ADDR: [ MAC dst src ether_type ] \n"
1927 " [ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
1928 "IPADDR: [not] { any | me | ip/bits{x,y,z} | IPLIST }\n"
1929 "IPLIST: { ip | ip/bits | ip:mask }[,IPLIST]\n"
1930 "OPTION_LIST: OPTION [OPTION_LIST]\n"
1931 "OPTION: bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |\n"
1932 " estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
1933 " iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n"
1934 " ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
1935 " mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
1936 " setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
1937 " verrevpath\n"
1938 );
1939 exit(0);
1940 }
1941
1942
1943 static int
1944 lookup_host (char *host, struct in_addr *ipaddr)
1945 {
1946 struct hostent *he;
1947
1948 if (!inet_aton(host, ipaddr)) {
1949 if ((he = gethostbyname(host)) == NULL)
1950 return(-1);
1951 *ipaddr = *(struct in_addr *)he->h_addr_list[0];
1952 }
1953 return(0);
1954 }
1955
1956 /*
1957 * fills the addr and mask fields in the instruction as appropriate from av.
1958 * Update length as appropriate.
1959 * The following formats are allowed:
1960 * any matches any IP. Actually returns an empty instruction.
1961 * me returns O_IP_*_ME
1962 * 1.2.3.4 single IP address
1963 * 1.2.3.4:5.6.7.8 address:mask
1964 * 1.2.3.4/24 address/mask
1965 * 1.2.3.4/26{1,6,5,4,23} set of addresses in a subnet
1966 * We can have multiple comma-separated address/mask entries.
1967 */
1968 static void
1969 fill_ip(ipfw_insn_ip *cmd, char *av)
1970 {
1971 int len = 0;
1972 uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
1973
1974 cmd->o.len &= ~F_LEN_MASK; /* zero len */
1975
1976 if (!strncmp(av, "any", strlen(av)))
1977 return;
1978
1979 if (!strncmp(av, "me", strlen(av))) {
1980 cmd->o.len |= F_INSN_SIZE(ipfw_insn);
1981 return;
1982 }
1983
1984 while (av) {
1985 /*
1986 * After the address we can have '/' or ':' indicating a mask,
1987 * ',' indicating another address follows, '{' indicating a
1988 * set of addresses of unspecified size.
1989 */
1990 char *p = strpbrk(av, "/:,{");
1991 int masklen;
1992 char md;
1993
1994 if (p) {
1995 md = *p;
1996 *p++ = '\0';
1997 } else
1998 md = '\0';
1999
2000 if (lookup_host(av, (struct in_addr *)&d[0]) != 0)
2001 errx(EX_NOHOST, "hostname ``%s'' unknown", av);
2002 switch (md) {
2003 case ':':
2004 if (!inet_aton(p, (struct in_addr *)&d[1]))
2005 errx(EX_DATAERR, "bad netmask ``%s''", p);
2006 break;
2007 case '/':
2008 masklen = atoi(p);
2009 if (masklen == 0)
2010 d[1] = htonl(0); /* mask */
2011 else if (masklen > 32)
2012 errx(EX_DATAERR, "bad width ``%s''", p);
2013 else
2014 d[1] = htonl(~0 << (32 - masklen));
2015 break;
2016 case '{': /* no mask, assume /24 and put back the '{' */
2017 d[1] = htonl(~0 << (32 - 24));
2018 *(--p) = md;
2019 break;
2020
2021 case ',': /* single address plus continuation */
2022 *(--p) = md;
2023 /* FALLTHROUGH */
2024 case 0: /* initialization value */
2025 default:
2026 d[1] = htonl(~0); /* force /32 */
2027 break;
2028 }
2029 d[0] &= d[1]; /* mask base address with mask */
2030 /* find next separator */
2031 if (p)
2032 p = strpbrk(p, ",{");
2033 if (p && *p == '{') {
2034 /*
2035 * We have a set of addresses. They are stored as follows:
2036 * arg1 is the set size (powers of 2, 2..256)
2037 * addr is the base address IN HOST FORMAT
2038 * mask.. is an array of arg1 bits (rounded up to
2039 * the next multiple of 32) with bits set
2040 * for each host in the map.
2041 */
2042 uint32_t *map = (uint32_t *)&cmd->mask;
2043 int low, high;
2044 int i = contigmask((uint8_t *)&(d[1]), 32);
2045
2046 if (len > 0)
2047 errx(EX_DATAERR, "address set cannot be in a list");
2048 if (i < 24 || i > 31)
2049 errx(EX_DATAERR, "invalid set with mask %d\n", i);
2050 cmd->o.arg1 = 1<<(32-i); /* map length */
2051 d[0] = ntohl(d[0]); /* base addr in host format */
2052 cmd->o.opcode = O_IP_DST_SET; /* default */
2053 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
2054 for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
2055 map[i] = 0; /* clear map */
2056
2057 av = p + 1;
2058 low = d[0] & 0xff;
2059 high = low + cmd->o.arg1 - 1;
2060 /*
2061 * Here, i stores the previous value when we specify a range
2062 * of addresses within a mask, e.g. 45-63. i = -1 means we
2063 * have no previous value.
2064 */
2065 i = -1; /* previous value in a range */
2066 while (isdigit(*av)) {
2067 char *s;
2068 int a = strtol(av, &s, 0);
2069
2070 if (s == av) { /* no parameter */
2071 if (*av != '}')
2072 errx(EX_DATAERR, "set not closed\n");
2073 if (i != -1)
2074 errx(EX_DATAERR, "incomplete range %d-", i);
2075 break;
2076 }
2077 if (a < low || a > high)
2078 errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
2079 a, low, high);
2080 a -= low;
2081 if (i == -1) /* no previous in range */
2082 i = a;
2083 else { /* check that range is valid */
2084 if (i > a)
2085 errx(EX_DATAERR, "invalid range %d-%d",
2086 i+low, a+low);
2087 if (*s == '-')
2088 errx(EX_DATAERR, "double '-' in range");
2089 }
2090 for (; i <= a; i++)
2091 map[i/32] |= 1<<(i & 31);
2092 i = -1;
2093 if (*s == '-')
2094 i = a;
2095 else if (*s == '}')
2096 break;
2097 av = s+1;
2098 }
2099 return;
2100 }
2101 av = p;
2102 if (av) /* then *av must be a ',' */
2103 av++;
2104
2105 /* Check this entry */
2106 if (d[1] == 0) { /* "any", specified as x.x.x.x/0 */
2107 /*
2108 * 'any' turns the entire list into a NOP.
2109 * 'not any' never matches, so it is removed from the
2110 * list unless it is the only item, in which case we
2111 * report an error.
2112 */
2113 if (cmd->o.len & F_NOT) { /* "not any" never matches */
2114 if (av == NULL && len == 0) /* only this entry */
2115 errx(EX_DATAERR, "not any never matches");
2116 }
2117 /* else do nothing and return */
2118 return;
2119 }
2120 /* A single IP can be stored in an optimized format */
2121 if (d[1] == IP_MASK_ALL && av == NULL && len == 0) {
2122 cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
2123 return;
2124 }
2125 len += 2; /* two words... */
2126 d += 2;
2127 } /* end while */
2128 cmd->o.len |= len+1;
2129 }
2130
2131
2132 /*
2133 * helper function to process a set of flags and set bits in the
2134 * appropriate masks.
2135 */
2136 static void
2137 fill_flags(ipfw_insn *cmd, enum ipfw_opcodes opcode,
2138 struct _s_x *flags, char *p)
2139 {
2140 uint8_t set=0, clear=0;
2141
2142 while (p && *p) {
2143 char *q; /* points to the separator */
2144 int val;
2145 uint8_t *which; /* mask we are working on */
2146
2147 if (*p == '!') {
2148 p++;
2149 which = &clear;
2150 } else
2151 which = &set;
2152 q = strchr(p, ',');
2153 if (q)
2154 *q++ = '\0';
2155 val = match_token(flags, p);
2156 if (val <= 0)
2157 errx(EX_DATAERR, "invalid flag %s", p);
2158 *which |= (uint8_t)val;
2159 p = q;
2160 }
2161 cmd->opcode = opcode;
2162 cmd->len = (cmd->len & (F_NOT | F_OR)) | 1;
2163 cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
2164 }
2165
2166
2167 static void
2168 delete(int ac, char *av[])
2169 {
2170 struct ip_fw rule;
2171 struct dn_pipe p;
2172 int i;
2173 int exitval = EX_OK;
2174 int do_set = 0;
2175
2176 memset(&p, 0, sizeof p);
2177
2178 av++; ac--;
2179 if (ac > 0 && !strncmp(*av, "set", strlen(*av))) {
2180 do_set = 1; /* delete set */
2181 ac--; av++;
2182 }
2183
2184 /* Rule number */
2185 while (ac && isdigit(**av)) {
2186 i = atoi(*av); av++; ac--;
2187 if (do_pipe) {
2188 if (do_pipe == 1)
2189 p.pipe_nr = i;
2190 else
2191 p.fs.fs_nr = i;
2192 i = do_cmd(IP_DUMMYNET_DEL, &p, sizeof p);
2193 if (i) {
2194 exitval = 1;
2195 warn("rule %u: setsockopt(IP_DUMMYNET_DEL)",
2196 do_pipe == 1 ? p.pipe_nr : p.fs.fs_nr);
2197 }
2198 } else {
2199 bzero(&rule, sizeof(rule));
2200 if (do_set) {
2201 rule.set_masks[0] = (i & 0xffff) | (do_set << 24);
2202 }
2203 else {
2204 rule.rulenum = i;
2205 }
2206 i = do_cmd(IP_FW_DEL, &rule, sizeof(rule));
2207 if (i) {
2208 exitval = EX_UNAVAILABLE;
2209 warn("rule %u: setsockopt(IP_FW_DEL)",
2210 rule.rulenum);
2211 }
2212 }
2213 }
2214 if (exitval != EX_OK)
2215 exit(exitval);
2216 }
2217
2218
2219 /*
2220 * fill the interface structure. We do not check the name as we can
2221 * create interfaces dynamically, so checking them at insert time
2222 * makes relatively little sense.
2223 * A '*' following the name means any unit.
2224 */
2225 static void
2226 fill_iface(ipfw_insn_if *cmd, char *arg)
2227 {
2228 cmd->name[0] = '\0';
2229 cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
2230
2231 /* Parse the interface or address */
2232 if (!strcmp(arg, "any"))
2233 cmd->o.len = 0; /* effectively ignore this command */
2234 else if (!isdigit(*arg)) {
2235 char *q;
2236
2237 strncpy(cmd->name, arg, sizeof(cmd->name));
2238 cmd->name[sizeof(cmd->name) - 1] = '\0';
2239 /* find first digit or wildcard */
2240 for (q = cmd->name; *q && !isdigit(*q) && *q != '*'; q++)
2241 continue;
2242 cmd->p.unit = (*q == '*') ? -1 : atoi(q);
2243 *q = '\0';
2244 } else if (!inet_aton(arg, &cmd->p.ip))
2245 errx(EX_DATAERR, "bad ip address ``%s''", arg);
2246 }
2247
2248 /*
2249 * the following macro returns an error message if we run out of
2250 * arguments.
2251 */
2252 #define NEED1(msg) {if (!ac) errx(EX_USAGE, msg);}
2253
2254 static void
2255 config_pipe(int ac, char **av)
2256 {
2257 struct dn_pipe p;
2258 int i;
2259 char *end;
2260 uint32_t a;
2261 void *par = NULL;
2262
2263 memset(&p, 0, sizeof p);
2264
2265 av++; ac--;
2266 /* Pipe number */
2267 if (ac && isdigit(**av)) {
2268 i = atoi(*av); av++; ac--;
2269 if (do_pipe == 1)
2270 p.pipe_nr = i;
2271 else
2272 p.fs.fs_nr = i;
2273 }
2274 while (ac > 0) {
2275 double d;
2276 int tok = match_token(dummynet_params, *av);
2277 ac--; av++;
2278
2279 switch(tok) {
2280 case TOK_NOERROR:
2281 p.fs.flags_fs |= DN_NOERROR;
2282 break;
2283
2284 case TOK_PLR:
2285 NEED1("plr needs argument 0..1\n");
2286 d = strtod(av[0], NULL);
2287 if (d > 1)
2288 d = 1;
2289 else if (d < 0)
2290 d = 0;
2291 p.fs.plr = (int)(d*0x7fffffff);
2292 ac--; av++;
2293 break;
2294
2295 case TOK_QUEUE:
2296 NEED1("queue needs queue size\n");
2297 end = NULL;
2298 p.fs.qsize = strtoul(av[0], &end, 0);
2299 if (*end == 'K' || *end == 'k') {
2300 p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
2301 p.fs.qsize *= 1024;
2302 } else if (*end == 'B' || !strncmp(end, "by", 2)) {
2303 p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
2304 }
2305 ac--; av++;
2306 break;
2307
2308 case TOK_BUCKETS:
2309 NEED1("buckets needs argument\n");
2310 p.fs.rq_size = strtoul(av[0], NULL, 0);
2311 ac--; av++;
2312 break;
2313
2314 case TOK_MASK:
2315 NEED1("mask needs mask specifier\n");
2316 /*
2317 * per-flow queue, mask is dst_ip, dst_port,
2318 * src_ip, src_port, proto measured in bits
2319 */
2320 par = NULL;
2321
2322 p.fs.flow_mask.dst_ip = 0;
2323 p.fs.flow_mask.src_ip = 0;
2324 p.fs.flow_mask.dst_port = 0;
2325 p.fs.flow_mask.src_port = 0;
2326 p.fs.flow_mask.proto = 0;
2327 end = NULL;
2328
2329 while (ac >= 1) {
2330 uint32_t *p32 = NULL;
2331 uint16_t *p16 = NULL;
2332
2333 tok = match_token(dummynet_params, *av);
2334 ac--; av++;
2335 switch(tok) {
2336 case TOK_ALL:
2337 /*
2338 * special case, all bits significant
2339 */
2340 p.fs.flow_mask.dst_ip = ~0;
2341 p.fs.flow_mask.src_ip = ~0;
2342 p.fs.flow_mask.dst_port = ~0;
2343 p.fs.flow_mask.src_port = ~0;
2344 p.fs.flow_mask.proto = ~0;
2345 p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
2346 goto end_mask;
2347
2348 case TOK_DSTIP:
2349 p32 = &p.fs.flow_mask.dst_ip;
2350 break;
2351
2352 case TOK_SRCIP:
2353 p32 = &p.fs.flow_mask.src_ip;
2354 break;
2355
2356 case TOK_DSTPORT:
2357 p16 = &p.fs.flow_mask.dst_port;
2358 break;
2359
2360 case TOK_SRCPORT:
2361 p16 = &p.fs.flow_mask.src_port;
2362 break;
2363
2364 case TOK_PROTO:
2365 break;
2366
2367 default:
2368 ac++; av--; /* backtrack */
2369 goto end_mask;
2370 }
2371 if (ac < 1)
2372 errx(EX_USAGE, "mask: value missing");
2373 if (*av[0] == '/') {
2374 a = strtoul(av[0]+1, &end, 0);
2375 a = (a == 32) ? ~0 : (1 << a) - 1;
2376 } else
2377 a = strtoul(av[0], &end, 0);
2378 if (p32 != NULL)
2379 *p32 = a;
2380 else if (p16 != NULL) {
2381 if (a > 65535)
2382 errx(EX_DATAERR,
2383 "mask: must be 16 bit");
2384 *p16 = (uint16_t)a;
2385 } else {
2386 if (a > 255)
2387 errx(EX_DATAERR,
2388 "mask: must be 8 bit");
2389 p.fs.flow_mask.proto = (uint8_t)a;
2390 }
2391 if (a != 0)
2392 p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
2393 ac--; av++;
2394 } /* end while, config masks */
2395 end_mask:
2396 break;
2397
2398 case TOK_RED:
2399 case TOK_GRED:
2400 NEED1("red/gred needs w_q/min_th/max_th/max_p\n");
2401 p.fs.flags_fs |= DN_IS_RED;
2402 if (tok == TOK_GRED)
2403 p.fs.flags_fs |= DN_IS_GENTLE_RED;
2404 /*
2405 * the format for parameters is w_q/min_th/max_th/max_p
2406 */
2407 if ((end = strsep(&av[0], "/"))) {
2408 double w_q = strtod(end, NULL);
2409 if (w_q > 1 || w_q <= 0)
2410 errx(EX_DATAERR, "0 < w_q <= 1");
2411 p.fs.w_q = (int) (w_q * (1 << SCALE_RED));
2412 }
2413 if ((end = strsep(&av[0], "/"))) {
2414 p.fs.min_th = strtoul(end, &end, 0);
2415 if (*end == 'K' || *end == 'k')
2416 p.fs.min_th *= 1024;
2417 }
2418 if ((end = strsep(&av[0], "/"))) {
2419 p.fs.max_th = strtoul(end, &end, 0);
2420 if (*end == 'K' || *end == 'k')
2421 p.fs.max_th *= 1024;
2422 }
2423 if ((end = strsep(&av[0], "/"))) {
2424 double max_p = strtod(end, NULL);
2425 if (max_p > 1 || max_p <= 0)
2426 errx(EX_DATAERR, "0 < max_p <= 1");
2427 p.fs.max_p = (int)(max_p * (1 << SCALE_RED));
2428 }
2429 ac--; av++;
2430 break;
2431
2432 case TOK_DROPTAIL:
2433 p.fs.flags_fs &= ~(DN_IS_RED|DN_IS_GENTLE_RED);
2434 break;
2435
2436 case TOK_BW:
2437 NEED1("bw needs bandwidth or interface\n");
2438 if (do_pipe != 1)
2439 errx(EX_DATAERR, "bandwidth only valid for pipes");
2440 /*
2441 * set clocking interface or bandwidth value
2442 */
2443 if (av[0][0] >= 'a' && av[0][0] <= 'z') {
2444 int l = sizeof(p.if_name)-1;
2445 /* interface name */
2446 strncpy(p.if_name, av[0], l);
2447 p.if_name[l] = '\0';
2448 p.bandwidth = 0;
2449 } else {
2450 p.if_name[0] = '\0';
2451 p.bandwidth = strtoul(av[0], &end, 0);
2452 if (*end == 'K' || *end == 'k') {
2453 end++;
2454 p.bandwidth *= 1000;
2455 } else if (*end == 'M') {
2456 end++;
2457 p.bandwidth *= 1000000;
2458 }
2459 if (*end == 'B' || !strncmp(end, "by", 2))
2460 p.bandwidth *= 8;
2461 if (p.bandwidth < 0)
2462 errx(EX_DATAERR, "bandwidth too large");
2463 }
2464 ac--; av++;
2465 break;
2466
2467 case TOK_DELAY:
2468 if (do_pipe != 1)
2469 errx(EX_DATAERR, "delay only valid for pipes");
2470 NEED1("delay needs argument 0..10000ms\n");
2471 p.delay = strtoul(av[0], NULL, 0);
2472 ac--; av++;
2473 break;
2474
2475 case TOK_WEIGHT:
2476 if (do_pipe == 1)
2477 errx(EX_DATAERR,"weight only valid for queues");
2478 NEED1("weight needs argument 0..100\n");
2479 p.fs.weight = strtoul(av[0], &end, 0);
2480 ac--; av++;
2481 break;
2482
2483 case TOK_PIPE:
2484 if (do_pipe == 1)
2485 errx(EX_DATAERR,"pipe only valid for queues");
2486 NEED1("pipe needs pipe_number\n");
2487 p.fs.parent_nr = strtoul(av[0], &end, 0);
2488 ac--; av++;
2489 break;
2490
2491 default:
2492 errx(EX_DATAERR, "unrecognised option ``%s''", *av);
2493 }
2494 }
2495 if (do_pipe == 1) {
2496 if (p.pipe_nr == 0)
2497 errx(EX_DATAERR, "pipe_nr must be > 0");
2498 if (p.delay > 10000)
2499 errx(EX_DATAERR, "delay must be < 10000");
2500 } else { /* do_pipe == 2, queue */
2501 if (p.fs.parent_nr == 0)
2502 errx(EX_DATAERR, "pipe must be > 0");
2503 if (p.fs.weight >100)
2504 errx(EX_DATAERR, "weight must be <= 100");
2505 }
2506 if (p.fs.flags_fs & DN_QSIZE_IS_BYTES) {
2507 if (p.fs.qsize > 1024*1024)
2508 errx(EX_DATAERR, "queue size must be < 1MB");
2509 } else {
2510 if (p.fs.qsize > 100)
2511 errx(EX_DATAERR, "2 <= queue size <= 100");
2512 }
2513 if (p.fs.flags_fs & DN_IS_RED) {
2514 size_t len;
2515 int lookup_depth, avg_pkt_size;
2516 double s, idle, weight, w_q;
2517 struct clockinfo ck;
2518 int t;
2519
2520 if (p.fs.min_th >= p.fs.max_th)
2521 errx(EX_DATAERR, "min_th %d must be < than max_th %d",
2522 p.fs.min_th, p.fs.max_th);
2523 if (p.fs.max_th == 0)
2524 errx(EX_DATAERR, "max_th must be > 0");
2525
2526 len = sizeof(int);
2527 if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth",
2528 &lookup_depth, &len, NULL, 0) == -1)
2529
2530 errx(1, "sysctlbyname(\"%s\")",
2531 "net.inet.ip.dummynet.red_lookup_depth");
2532 if (lookup_depth == 0)
2533 errx(EX_DATAERR, "net.inet.ip.dummynet.red_lookup_depth"
2534 " must be greater than zero");
2535
2536 len = sizeof(int);
2537 if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size",
2538 &avg_pkt_size, &len, NULL, 0) == -1)
2539
2540 errx(1, "sysctlbyname(\"%s\")",
2541 "net.inet.ip.dummynet.red_avg_pkt_size");
2542 if (avg_pkt_size == 0)
2543 errx(EX_DATAERR,
2544 "net.inet.ip.dummynet.red_avg_pkt_size must"
2545 " be greater than zero");
2546
2547 len = sizeof(struct clockinfo);
2548 if (sysctlbyname("kern.clockrate", &ck, &len, NULL, 0) == -1)
2549 errx(1, "sysctlbyname(\"%s\")", "kern.clockrate");
2550
2551 /*
2552 * Ticks needed for sending a medium-sized packet.
2553 * Unfortunately, when we are configuring a WF2Q+ queue, we
2554 * do not have bandwidth information, because that is stored
2555 * in the parent pipe, and also we have multiple queues
2556 * competing for it. So we set s=0, which is not very
2557 * correct. But on the other hand, why do we want RED with
2558 * WF2Q+ ?
2559 */
2560 if (p.bandwidth==0) /* this is a WF2Q+ queue */
2561 s = 0;
2562 else
2563 s = ck.hz * avg_pkt_size * 8 / p.bandwidth;
2564
2565 /*
2566 * max idle time (in ticks) before avg queue size becomes 0.
2567 * NOTA: (3/w_q) is approx the value x so that
2568 * (1-w_q)^x < 10^-3.
2569 */
2570 w_q = ((double)p.fs.w_q) / (1 << SCALE_RED);
2571 idle = s * 3. / w_q;
2572 p.fs.lookup_step = (int)idle / lookup_depth;
2573 if (!p.fs.lookup_step)
2574 p.fs.lookup_step = 1;
2575 weight = 1 - w_q;
2576 for (t = p.fs.lookup_step; t > 0; --t)
2577 weight *= weight;
2578 p.fs.lookup_weight = (int)(weight * (1 << SCALE_RED));
2579 }
2580 i = do_cmd(IP_DUMMYNET_CONFIGURE, &p, sizeof p);
2581 if (i)
2582 err(1, "setsockopt(%s)", "IP_DUMMYNET_CONFIGURE");
2583 }
2584
2585 static void
2586 get_mac_addr_mask(char *p, uint8_t *addr, uint8_t *mask)
2587 {
2588 int i, l;
2589
2590 for (i=0; i<6; i++)
2591 addr[i] = mask[i] = 0;
2592 if (!strcmp(p, "any"))
2593 return;
2594
2595 for (i=0; *p && i<6;i++, p++) {
2596 addr[i] = strtol(p, &p, 16);
2597 if (*p != ':') /* we start with the mask */
2598 break;
2599 }
2600 if (*p == '/') { /* mask len */
2601 l = strtol(p+1, &p, 0);
2602 for (i=0; l>0; l -=8, i++)
2603 mask[i] = (l >=8) ? 0xff : (~0) << (8-l);
2604 } else if (*p == '&') { /* mask */
2605 for (i=0, p++; *p && i<6;i++, p++) {
2606 mask[i] = strtol(p, &p, 16);
2607 if (*p != ':')
2608 break;
2609 }
2610 } else if (*p == '\0') {
2611 for (i=0; i<6; i++)
2612 mask[i] = 0xff;
2613 }
2614 for (i=0; i<6; i++)
2615 addr[i] &= mask[i];
2616 }
2617
2618 /*
2619 * helper function, updates the pointer to cmd with the length
2620 * of the current command, and also cleans up the first word of
2621 * the new command in case it has been clobbered before.
2622 */
2623 static ipfw_insn *
2624 next_cmd(ipfw_insn *cmd)
2625 {
2626 cmd += F_LEN(cmd);
2627 bzero(cmd, sizeof(*cmd));
2628 return cmd;
2629 }
2630
2631 /*
2632 * Takes arguments and copies them into a comment
2633 */
2634 static void
2635 fill_comment(ipfw_insn *cmd, int ac, char **av)
2636 {
2637 int i, l;
2638 char *p = (char *)(cmd + 1);
2639
2640 cmd->opcode = O_NOP;
2641 cmd->len = (cmd->len & (F_NOT | F_OR));
2642
2643 /* Compute length of comment string. */
2644 for (i = 0, l = 0; i < ac; i++)
2645 l += strlen(av[i]) + 1;
2646 if (l == 0)
2647 return;
2648 if (l > 84)
2649 errx(EX_DATAERR,
2650 "comment too long (max 80 chars)");
2651 l = 1 + (l+3)/4;
2652 cmd->len = (cmd->len & (F_NOT | F_OR)) | l;
2653 for (i = 0; i < ac; i++) {
2654 strcpy(p, av[i]);
2655 p += strlen(av[i]);
2656 *p++ = ' ';
2657 }
2658 *(--p) = '\0';
2659 }
2660
2661 /*
2662 * A function to fill simple commands of size 1.
2663 * Existing flags are preserved.
2664 */
2665 static void
2666 fill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
2667 {
2668 cmd->opcode = opcode;
2669 cmd->len = ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
2670 cmd->arg1 = arg;
2671 }
2672
2673 /*
2674 * Fetch and add the MAC address and type, with masks. This generates one or
2675 * two microinstructions, and returns the pointer to the last one.
2676 */
2677 static ipfw_insn *
2678 add_mac(ipfw_insn *cmd, int ac, char *av[])
2679 {
2680 ipfw_insn_mac *mac;
2681
2682 if (ac < 2)
2683 errx(EX_DATAERR, "MAC dst src");
2684
2685 cmd->opcode = O_MACADDR2;
2686 cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
2687
2688 mac = (ipfw_insn_mac *)cmd;
2689 get_mac_addr_mask(av[0], mac->addr, mac->mask); /* dst */
2690 get_mac_addr_mask(av[1], &(mac->addr[6]), &(mac->mask[6])); /* src */
2691 return cmd;
2692 }
2693
2694 static ipfw_insn *
2695 add_mactype(ipfw_insn *cmd, int ac, char *av)
2696 {
2697 if (ac < 1)
2698 errx(EX_DATAERR, "missing MAC type");
2699 if (strcmp(av, "any") != 0) { /* we have a non-null type */
2700 fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE);
2701 cmd->opcode = O_MAC_TYPE;
2702 return cmd;
2703 } else
2704 return NULL;
2705 }
2706
2707 static ipfw_insn *
2708 add_proto(ipfw_insn *cmd, char *av)
2709 {
2710 struct protoent *pe;
2711 u_char proto = 0;
2712
2713 if (!strncmp(av, "all", strlen(av)))
2714 ; /* same as "ip" */
2715 else if ((proto = atoi(av)) > 0)
2716 ; /* all done! */
2717 else if ((pe = getprotobyname(av)) != NULL)
2718 proto = pe->p_proto;
2719 else
2720 return NULL;
2721 if (proto != IPPROTO_IP)
2722 fill_cmd(cmd, O_PROTO, 0, proto);
2723 return cmd;
2724 }
2725
2726 static ipfw_insn *
2727 add_srcip(ipfw_insn *cmd, char *av)
2728 {
2729 fill_ip((ipfw_insn_ip *)cmd, av);
2730 if (cmd->opcode == O_IP_DST_SET) /* set */
2731 cmd->opcode = O_IP_SRC_SET;
2732 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
2733 cmd->opcode = O_IP_SRC_ME;
2734 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
2735 cmd->opcode = O_IP_SRC;
2736 else /* addr/mask */
2737 cmd->opcode = O_IP_SRC_MASK;
2738 return cmd;
2739 }
2740
2741 static ipfw_insn *
2742 add_dstip(ipfw_insn *cmd, char *av)
2743 {
2744 fill_ip((ipfw_insn_ip *)cmd, av);
2745 if (cmd->opcode == O_IP_DST_SET) /* set */
2746 ;
2747 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) /* me */
2748 cmd->opcode = O_IP_DST_ME;
2749 else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32)) /* one IP */
2750 cmd->opcode = O_IP_DST;
2751 else /* addr/mask */
2752 cmd->opcode = O_IP_DST_MASK;
2753 return cmd;
2754 }
2755
2756 static ipfw_insn *
2757 add_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
2758 {
2759 if (!strncmp(av, "any", strlen(av))) {
2760 return NULL;
2761 } else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
2762 /* XXX todo: check that we have a protocol with ports */
2763 cmd->opcode = opcode;
2764 return cmd;
2765 }
2766 return NULL;
2767 }
2768
2769 /*
2770 * Parse arguments and assemble the microinstructions which make up a rule.
2771 * Rules are added into the 'rulebuf' and then copied in the correct order
2772 * into the actual rule.
2773 *
2774 * The syntax for a rule starts with the action, followed by an
2775 * optional log action, and the various match patterns.
2776 * In the assembled microcode, the first opcode must be an O_PROBE_STATE
2777 * (generated if the rule includes a keep-state option), then the
2778 * various match patterns, the "log" action, and the actual action.
2779 *
2780 */
2781 static void
2782 add(int ac, char *av[])
2783 {
2784 /*
2785 * rules are added into the 'rulebuf' and then copied in
2786 * the correct order into the actual rule.
2787 * Some things that need to go out of order (prob, action etc.)
2788 * go into actbuf[].
2789 */
2790 static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
2791
2792 ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
2793 ipfw_insn *first_cmd; /* first match pattern */
2794
2795 struct ip_fw *rule;
2796
2797 /*
2798 * various flags used to record that we entered some fields.
2799 */
2800 ipfw_insn *have_state = NULL; /* check-state or keep-state */
2801
2802 int i;
2803
2804 int open_par = 0; /* open parenthesis ( */
2805
2806 /* proto is here because it is used to fetch ports */
2807 u_char proto = IPPROTO_IP; /* default protocol */
2808
2809 double match_prob = 1; /* match probability, default is always match */
2810
2811 bzero(actbuf, sizeof(actbuf)); /* actions go here */
2812 bzero(cmdbuf, sizeof(cmdbuf));
2813 bzero(rulebuf, sizeof(rulebuf));
2814
2815 rule = (struct ip_fw *)rulebuf;
2816 cmd = (ipfw_insn *)cmdbuf;
2817 action = (ipfw_insn *)actbuf;
2818
2819 av++; ac--;
2820
2821 /* [rule N] -- Rule number optional */
2822 if (ac && isdigit(**av)) {
2823 rule->rulenum = atoi(*av);
2824 av++;
2825 ac--;
2826 }
2827
2828 /* [set N] -- set number (0..RESVD_SET), optional */
2829 if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
2830 int set = strtoul(av[1], NULL, 10);
2831 if (set < 0 || set > RESVD_SET)
2832 errx(EX_DATAERR, "illegal set %s", av[1]);
2833 rule->set = set;
2834 av += 2; ac -= 2;
2835 }
2836
2837 /* [prob D] -- match probability, optional */
2838 if (ac > 1 && !strncmp(*av, "prob", strlen(*av))) {
2839 match_prob = strtod(av[1], NULL);
2840
2841 if (match_prob <= 0 || match_prob > 1)
2842 errx(EX_DATAERR, "illegal match prob. %s", av[1]);
2843 av += 2; ac -= 2;
2844 }
2845
2846 /* action -- mandatory */
2847 NEED1("missing action");
2848 i = match_token(rule_actions, *av);
2849 ac--; av++;
2850 action->len = 1; /* default */
2851 switch(i) {
2852 case TOK_CHECKSTATE:
2853 have_state = action;
2854 action->opcode = O_CHECK_STATE;
2855 break;
2856
2857 case TOK_ACCEPT:
2858 action->opcode = O_ACCEPT;
2859 break;
2860
2861 case TOK_DENY:
2862 action->opcode = O_DENY;
2863 action->arg1 = 0;
2864 break;
2865
2866 case TOK_REJECT:
2867 action->opcode = O_REJECT;
2868 action->arg1 = ICMP_UNREACH_HOST;
2869 break;
2870
2871 case TOK_RESET:
2872 action->opcode = O_REJECT;
2873 action->arg1 = ICMP_REJECT_RST;
2874 break;
2875
2876 case TOK_UNREACH:
2877 action->opcode = O_REJECT;
2878 NEED1("missing reject code");
2879 fill_reject_code(&action->arg1, *av);
2880 ac--; av++;
2881 break;
2882
2883 case TOK_COUNT:
2884 action->opcode = O_COUNT;
2885 break;
2886
2887 case TOK_QUEUE:
2888 case TOK_PIPE:
2889 action->len = F_INSN_SIZE(ipfw_insn_pipe);
2890 case TOK_SKIPTO:
2891 if (i == TOK_QUEUE)
2892 action->opcode = O_QUEUE;
2893 else if (i == TOK_PIPE)
2894 action->opcode = O_PIPE;
2895 else if (i == TOK_SKIPTO)
2896 action->opcode = O_SKIPTO;
2897 NEED1("missing skipto/pipe/queue number");
2898 action->arg1 = strtoul(*av, NULL, 10);
2899 av++; ac--;
2900 break;
2901
2902 case TOK_DIVERT:
2903 case TOK_TEE:
2904 action->opcode = (i == TOK_DIVERT) ? O_DIVERT : O_TEE;
2905 NEED1("missing divert/tee port");
2906 action->arg1 = strtoul(*av, NULL, 0);
2907 if (action->arg1 == 0) {
2908 struct servent *s;
2909 setservent(1);
2910 s = getservbyname(av[0], "divert");
2911 if (s != NULL)
2912 action->arg1 = ntohs(s->s_port);
2913 else
2914 errx(EX_DATAERR, "illegal divert/tee port");
2915 }
2916 ac--; av++;
2917 break;
2918
2919 case TOK_FORWARD: {
2920 ipfw_insn_sa *p = (ipfw_insn_sa *)action;
2921 char *s, *end;
2922
2923 NEED1("missing forward address[:port]");
2924
2925 action->opcode = O_FORWARD_IP;
2926 action->len = F_INSN_SIZE(ipfw_insn_sa);
2927
2928 p->sa.sin_len = sizeof(struct sockaddr_in);
2929 p->sa.sin_family = AF_INET;
2930 p->sa.sin_port = 0;
2931 /*
2932 * locate the address-port separator (':' or ',')
2933 */
2934 s = strchr(*av, ':');
2935 if (s == NULL)
2936 s = strchr(*av, ',');
2937 if (s != NULL) {
2938 *(s++) = '\0';
2939 i = strtoport(s, &end, 0 /* base */, 0 /* proto */);
2940 if (s == end)
2941 errx(EX_DATAERR,
2942 "illegal forwarding port ``%s''", s);
2943 p->sa.sin_port = (u_short)i;
2944 }
2945 lookup_host(*av, &(p->sa.sin_addr));
2946 }
2947 ac--; av++;
2948 break;
2949
2950 case TOK_COMMENT:
2951 /* pretend it is a 'count' rule followed by the comment */
2952 action->opcode = O_COUNT;
2953 ac++; av--; /* go back... */
2954 break;
2955
2956 default:
2957 errx(EX_DATAERR, "invalid action %s\n", av[-1]);
2958 }
2959 action = next_cmd(action);
2960
2961 /*
2962 * [log [logamount N]] -- log, optional
2963 *
2964 * If exists, it goes first in the cmdbuf, but then it is
2965 * skipped in the copy section to the end of the buffer.
2966 */
2967 if (ac && !strncmp(*av, "log", strlen(*av))) {
2968 ipfw_insn_log *c = (ipfw_insn_log *)cmd;
2969 int l;
2970
2971 cmd->len = F_INSN_SIZE(ipfw_insn_log);
2972 cmd->opcode = O_LOG;
2973 av++; ac--;
2974 if (ac && !strncmp(*av, "logamount", strlen(*av))) {
2975 ac--; av++;
2976 NEED1("logamount requires argument");
2977 l = atoi(*av);
2978 if (l < 0)
2979 errx(EX_DATAERR, "logamount must be positive");
2980 c->max_log = l;
2981 ac--; av++;
2982 }
2983 cmd = next_cmd(cmd);
2984 }
2985
2986 if (have_state) /* must be a check-state, we are done */
2987 goto done;
2988
2989 #define OR_START(target) \
2990 if (ac && (*av[0] == '(' || *av[0] == '{')) { \
2991 if (open_par) \
2992 errx(EX_USAGE, "nested \"(\" not allowed\n"); \
2993 prev = NULL; \
2994 open_par = 1; \
2995 if ( (av[0])[1] == '\0') { \
2996 ac--; av++; \
2997 } else \
2998 (*av)++; \
2999 } \
3000 target: \
3001
3002
3003 #define CLOSE_PAR \
3004 if (open_par) { \
3005 if (ac && ( \
3006 !strncmp(*av, ")", strlen(*av)) || \
3007 !strncmp(*av, "}", strlen(*av)) )) { \
3008 prev = NULL; \
3009 open_par = 0; \
3010 ac--; av++; \
3011 } else \
3012 errx(EX_USAGE, "missing \")\"\n"); \
3013 }
3014
3015 #define NOT_BLOCK \
3016 if (ac && !strncmp(*av, "not", strlen(*av))) { \
3017 if (cmd->len & F_NOT) \
3018 errx(EX_USAGE, "double \"not\" not allowed\n"); \
3019 cmd->len |= F_NOT; \
3020 ac--; av++; \
3021 }
3022
3023 #define OR_BLOCK(target) \
3024 if (ac && !strncmp(*av, "or", strlen(*av))) { \
3025 if (prev == NULL || open_par == 0) \
3026 errx(EX_DATAERR, "invalid OR block"); \
3027 prev->len |= F_OR; \
3028 ac--; av++; \
3029 goto target; \
3030 } \
3031 CLOSE_PAR;
3032
3033 first_cmd = cmd;
3034
3035 #if 0
3036 /*
3037 * MAC addresses, optional.
3038 * If we have this, we skip the part "proto from src to dst"
3039 * and jump straight to the option parsing.
3040 */
3041 NOT_BLOCK;
3042 NEED1("missing protocol");
3043 if (!strncmp(*av, "MAC", strlen(*av)) ||
3044 !strncmp(*av, "mac", strlen(*av))) {
3045 ac--; av++; /* the "MAC" keyword */
3046 add_mac(cmd, ac, av); /* exits in case of errors */
3047 cmd = next_cmd(cmd);
3048 ac -= 2; av += 2; /* dst-mac and src-mac */
3049 NOT_BLOCK;
3050 NEED1("missing mac type");
3051 if (add_mactype(cmd, ac, av[0]))
3052 cmd = next_cmd(cmd);
3053 ac--; av++; /* any or mac-type */
3054 goto read_options;
3055 }
3056 #endif
3057
3058 /*
3059 * protocol, mandatory
3060 */
3061 OR_START(get_proto);
3062 NOT_BLOCK;
3063 NEED1("missing protocol");
3064 if (add_proto(cmd, *av)) {
3065 av++; ac--;
3066 if (F_LEN(cmd) == 0) /* plain IP */
3067 proto = 0;
3068 else {
3069 proto = cmd->arg1;
3070 prev = cmd;
3071 cmd = next_cmd(cmd);
3072 }
3073 } else if (first_cmd != cmd) {
3074 errx(EX_DATAERR, "invalid protocol ``%s''", *av);
3075 } else
3076 goto read_options;
3077 OR_BLOCK(get_proto);
3078
3079 /*
3080 * "from", mandatory
3081 */
3082 if (!ac || strncmp(*av, "from", strlen(*av)))
3083 errx(EX_USAGE, "missing ``from''");
3084 ac--; av++;
3085
3086 /*
3087 * source IP, mandatory
3088 */
3089 OR_START(source_ip);
3090 NOT_BLOCK; /* optional "not" */
3091 NEED1("missing source address");
3092 if (add_srcip(cmd, *av)) {
3093 ac--; av++;
3094 if (F_LEN(cmd) != 0) { /* ! any */
3095 prev = cmd;
3096 cmd = next_cmd(cmd);
3097 }
3098 }
3099 OR_BLOCK(source_ip);
3100
3101 /*
3102 * source ports, optional
3103 */
3104 NOT_BLOCK; /* optional "not" */
3105 if (ac) {
3106 if (!strncmp(*av, "any", strlen(*av)) ||
3107 add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
3108 ac--; av++;
3109 if (F_LEN(cmd) != 0)
3110 cmd = next_cmd(cmd);
3111 }
3112 }
3113
3114 /*
3115 * "to", mandatory
3116 */
3117 if (!ac || strncmp(*av, "to", strlen(*av)))
3118 errx(EX_USAGE, "missing ``to''");
3119 av++; ac--;
3120
3121 /*
3122 * destination, mandatory
3123 */
3124 OR_START(dest_ip);
3125 NOT_BLOCK; /* optional "not" */
3126 NEED1("missing dst address");
3127 if (add_dstip(cmd, *av)) {
3128 ac--; av++;
3129 if (F_LEN(cmd) != 0) { /* ! any */
3130 prev = cmd;
3131 cmd = next_cmd(cmd);
3132 }
3133 }
3134 OR_BLOCK(dest_ip);
3135
3136 /*
3137 * dest. ports, optional
3138 */
3139 NOT_BLOCK; /* optional "not" */
3140 if (ac) {
3141 if (!strncmp(*av, "any", strlen(*av)) ||
3142 add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
3143 ac--; av++;
3144 if (F_LEN(cmd) != 0)
3145 cmd = next_cmd(cmd);
3146 }
3147 }
3148
3149 read_options:
3150 if (ac && first_cmd == cmd) {
3151 /*
3152 * nothing specified so far, store in the rule to ease
3153 * printout later.
3154 */
3155 rule->_pad = 1;
3156 }
3157 prev = NULL;
3158 while (ac) {
3159 char *s;
3160 ipfw_insn_u32 *cmd32; /* alias for cmd */
3161
3162 s = *av;
3163 cmd32 = (ipfw_insn_u32 *)cmd;
3164
3165 if (*s == '!') { /* alternate syntax for NOT */
3166 if (cmd->len & F_NOT)
3167 errx(EX_USAGE, "double \"not\" not allowed\n");
3168 cmd->len = F_NOT;
3169 s++;
3170 }
3171 i = match_token(rule_options, s);
3172 ac--; av++;
3173 switch(i) {
3174 case TOK_NOT:
3175 if (cmd->len & F_NOT)
3176 errx(EX_USAGE, "double \"not\" not allowed\n");
3177 cmd->len = F_NOT;
3178 break;
3179
3180 case TOK_OR:
3181 if (open_par == 0 || prev == NULL)
3182 errx(EX_USAGE, "invalid \"or\" block\n");
3183 prev->len |= F_OR;
3184 break;
3185
3186 case TOK_STARTBRACE:
3187 if (open_par)
3188 errx(EX_USAGE, "+nested \"(\" not allowed\n");
3189 open_par = 1;
3190 break;
3191
3192 case TOK_ENDBRACE:
3193 if (!open_par)
3194 errx(EX_USAGE, "+missing \")\"\n");
3195 open_par = 0;
3196 prev = NULL;
3197 break;
3198
3199 case TOK_IN:
3200 fill_cmd(cmd, O_IN, 0, 0);
3201 break;
3202
3203 case TOK_OUT:
3204 cmd->len ^= F_NOT; /* toggle F_NOT */
3205 fill_cmd(cmd, O_IN, 0, 0);
3206 break;
3207
3208 case TOK_FRAG:
3209 fill_cmd(cmd, O_FRAG, 0, 0);
3210 break;
3211
3212 case TOK_LAYER2:
3213 fill_cmd(cmd, O_LAYER2, 0, 0);
3214 break;
3215
3216 case TOK_XMIT:
3217 case TOK_RECV:
3218 case TOK_VIA:
3219 NEED1("recv, xmit, via require interface name"
3220 " or address");
3221 fill_iface((ipfw_insn_if *)cmd, av[0]);
3222 ac--; av++;
3223 if (F_LEN(cmd) == 0) /* not a valid address */
3224 break;
3225 if (i == TOK_XMIT)
3226 cmd->opcode = O_XMIT;
3227 else if (i == TOK_RECV)
3228 cmd->opcode = O_RECV;
3229 else if (i == TOK_VIA)
3230 cmd->opcode = O_VIA;
3231 break;
3232
3233 case TOK_ICMPTYPES:
3234 NEED1("icmptypes requires list of types");
3235 fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
3236 av++; ac--;
3237 break;
3238
3239 case TOK_IPTTL:
3240 NEED1("ipttl requires TTL");
3241 if (strpbrk(*av, "-,")) {
3242 if (!add_ports(cmd, *av, 0, O_IPTTL))
3243 errx(EX_DATAERR, "invalid ipttl %s", *av);
3244 } else
3245 fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
3246 ac--; av++;
3247 break;
3248
3249 case TOK_IPID:
3250 NEED1("ipid requires id");
3251 if (strpbrk(*av, "-,")) {
3252 if (!add_ports(cmd, *av, 0, O_IPID))
3253 errx(EX_DATAERR, "invalid ipid %s", *av);
3254 } else
3255 fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
3256 ac--; av++;
3257 break;
3258
3259 case TOK_IPLEN:
3260 NEED1("iplen requires length");
3261 if (strpbrk(*av, "-,")) {
3262 if (!add_ports(cmd, *av, 0, O_IPLEN))
3263 errx(EX_DATAERR, "invalid ip len %s", *av);
3264 } else
3265 fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
3266 ac--; av++;
3267 break;
3268
3269 case TOK_IPVER:
3270 NEED1("ipver requires version");
3271 fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
3272 ac--; av++;
3273 break;
3274
3275 case TOK_IPPRECEDENCE:
3276 NEED1("ipprecedence requires value");
3277 fill_cmd(cmd, O_IPPRECEDENCE, 0,
3278 (strtoul(*av, NULL, 0) & 7) << 5);
3279 ac--; av++;
3280 break;
3281
3282 case TOK_IPOPTS:
3283 NEED1("missing argument for ipoptions");
3284 fill_flags(cmd, O_IPOPT, f_ipopts, *av);
3285 ac--; av++;
3286 break;
3287
3288 case TOK_IPTOS:
3289 NEED1("missing argument for iptos");
3290 fill_flags(cmd, O_IPTOS, f_iptos, *av);
3291 ac--; av++;
3292 break;
3293
3294 case TOK_UID:
3295 NEED1("uid requires argument");
3296 {
3297 char *end;
3298 uid_t uid;
3299 struct passwd *pwd;
3300
3301 cmd->opcode = O_UID;
3302 uid = strtoul(*av, &end, 0);
3303 pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
3304 if (pwd == NULL)
3305 errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
3306 cmd32->d[0] = pwd->pw_uid;
3307 cmd->len = F_INSN_SIZE(ipfw_insn_u32);
3308 ac--; av++;
3309 }
3310 break;
3311
3312 case TOK_GID:
3313 NEED1("gid requires argument");
3314 {
3315 char *end;
3316 gid_t gid;
3317 struct group *grp;
3318
3319 cmd->opcode = O_GID;
3320 gid = strtoul(*av, &end, 0);
3321 grp = (*end == '\0') ? getgrgid(gid) : getgrnam(*av);
3322 if (grp == NULL)
3323 errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
3324 cmd32->d[0] = grp->gr_gid;
3325 cmd->len = F_INSN_SIZE(ipfw_insn_u32);
3326 ac--; av++;
3327 }
3328 break;
3329
3330 case TOK_ESTAB:
3331 fill_cmd(cmd, O_ESTAB, 0, 0);
3332 break;
3333
3334 case TOK_SETUP:
3335 fill_cmd(cmd, O_TCPFLAGS, 0,
3336 (TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
3337 break;
3338
3339 case TOK_TCPOPTS:
3340 NEED1("missing argument for tcpoptions");
3341 fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
3342 ac--; av++;
3343 break;
3344
3345 case TOK_TCPSEQ:
3346 case TOK_TCPACK:
3347 NEED1("tcpseq/tcpack requires argument");
3348 cmd->len = F_INSN_SIZE(ipfw_insn_u32);
3349 cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
3350 cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
3351 ac--; av++;
3352 break;
3353
3354 case TOK_TCPWIN:
3355 NEED1("tcpwin requires length");
3356 fill_cmd(cmd, O_TCPWIN, 0,
3357 htons(strtoul(*av, NULL, 0)));
3358 ac--; av++;
3359 break;
3360
3361 case TOK_TCPFLAGS:
3362 NEED1("missing argument for tcpflags");
3363 cmd->opcode = O_TCPFLAGS;
3364 fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
3365 ac--; av++;
3366 break;
3367
3368 case TOK_KEEPSTATE:
3369 if (open_par)
3370 errx(EX_USAGE, "keep-state cannot be part "
3371 "of an or block");
3372 if (have_state)
3373 errx(EX_USAGE, "only one of keep-state "
3374 "and limit is allowed");
3375 have_state = cmd;
3376 fill_cmd(cmd, O_KEEP_STATE, 0, 0);
3377 break;
3378
3379 case TOK_LIMIT:
3380 if (open_par)
3381 errx(EX_USAGE, "limit cannot be part "
3382 "of an or block");
3383 if (have_state)
3384 errx(EX_USAGE, "only one of keep-state "
3385 "and limit is allowed");
3386 NEED1("limit needs mask and # of connections");
3387 have_state = cmd;
3388 {
3389 ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
3390
3391 cmd->len = F_INSN_SIZE(ipfw_insn_limit);
3392 cmd->opcode = O_LIMIT;
3393 c->limit_mask = 0;
3394 c->conn_limit = 0;
3395 for (; ac >1 ;) {
3396 int val;
3397
3398 val = match_token(limit_masks, *av);
3399 if (val <= 0)
3400 break;
3401 c->limit_mask |= val;
3402 ac--; av++;
3403 }
3404 c->conn_limit = atoi(*av);
3405 if (c->conn_limit == 0)
3406 errx(EX_USAGE, "limit: limit must be >0");
3407 if (c->limit_mask == 0)
3408 errx(EX_USAGE, "missing limit mask");
3409 ac--; av++;
3410 }
3411 break;
3412
3413 case TOK_PROTO:
3414 NEED1("missing protocol");
3415 if (add_proto(cmd, *av)) {
3416 proto = cmd->arg1;
3417 ac--; av++;
3418 } else
3419 errx(EX_DATAERR, "invalid protocol ``%s''",
3420 *av);
3421 break;
3422
3423 case TOK_SRCIP:
3424 NEED1("missing source IP");
3425 if (add_srcip(cmd, *av)) {
3426 ac--; av++;
3427 }
3428 break;
3429
3430 case TOK_DSTIP:
3431 NEED1("missing destination IP");
3432 if (add_dstip(cmd, *av)) {
3433 ac--; av++;
3434 }
3435 break;
3436
3437 case TOK_SRCPORT:
3438 NEED1("missing source port");
3439 if (!strncmp(*av, "any", strlen(*av)) ||
3440 add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
3441 ac--; av++;
3442 } else
3443 errx(EX_DATAERR, "invalid source port %s", *av);
3444 break;
3445
3446 case TOK_DSTPORT:
3447 NEED1("missing destination port");
3448 if (!strncmp(*av, "any", strlen(*av)) ||
3449 add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
3450 ac--; av++;
3451 } else
3452 errx(EX_DATAERR, "invalid destination port %s",
3453 *av);
3454 break;
3455
3456 case TOK_MAC:
3457 if (ac < 2)
3458 errx(EX_USAGE, "MAC dst-mac src-mac");
3459 if (add_mac(cmd, ac, av)) {
3460 ac -= 2; av += 2;
3461 }
3462 break;
3463
3464 case TOK_MACTYPE:
3465 NEED1("missing mac type");
3466 if (!add_mactype(cmd, ac, *av))
3467 errx(EX_DATAERR, "invalid mac type %s", *av);
3468 ac--; av++;
3469 break;
3470
3471 case TOK_VERREVPATH:
3472 fill_cmd(cmd, O_VERREVPATH, 0, 0);
3473 break;
3474
3475 case TOK_IPSEC:
3476 fill_cmd(cmd, O_IPSEC, 0, 0);
3477 break;
3478
3479 case TOK_COMMENT:
3480 fill_comment(cmd, ac, av);
3481 av += ac;
3482 ac = 0;
3483 break;
3484
3485 default:
3486 errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
3487 }
3488 if (F_LEN(cmd) > 0) { /* prepare to advance */
3489 prev = cmd;
3490 cmd = next_cmd(cmd);
3491 }
3492 }
3493
3494 done:
3495 /*
3496 * Now copy stuff into the rule.
3497 * If we have a keep-state option, the first instruction
3498 * must be a PROBE_STATE (which is generated here).
3499 * If we have a LOG option, it was stored as the first command,
3500 * and now must be moved to the top of the action part.
3501 */
3502 dst = (ipfw_insn *)rule->cmd;
3503
3504 /*
3505 * First thing to write into the command stream is the match probability.
3506 */
3507 if (match_prob != 1) { /* 1 means always match */
3508 dst->opcode = O_PROB;
3509 dst->len = 2;
3510 *((int32_t *)(dst+1)) = (int32_t)(match_prob * 0x7fffffff);
3511 dst += dst->len;
3512 }
3513
3514 /*
3515 * generate O_PROBE_STATE if necessary
3516 */
3517 if (have_state && have_state->opcode != O_CHECK_STATE) {
3518 fill_cmd(dst, O_PROBE_STATE, 0, 0);
3519 dst = next_cmd(dst);
3520 }
3521 /*
3522 * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT
3523 */
3524 for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
3525 i = F_LEN(src);
3526
3527 switch (src->opcode) {
3528 case O_LOG:
3529 case O_KEEP_STATE:
3530 case O_LIMIT:
3531 break;
3532 default:
3533 bcopy(src, dst, i * sizeof(uint32_t));
3534 dst += i;
3535 }
3536 }
3537
3538 /*
3539 * put back the have_state command as last opcode
3540 */
3541 if (have_state && have_state->opcode != O_CHECK_STATE) {
3542 i = F_LEN(have_state);
3543 bcopy(have_state, dst, i * sizeof(uint32_t));
3544 dst += i;
3545 }
3546 /*
3547 * start action section
3548 */
3549 rule->act_ofs = dst - rule->cmd;
3550
3551 /*
3552 * put back O_LOG if necessary
3553 */
3554 src = (ipfw_insn *)cmdbuf;
3555 if (src->opcode == O_LOG) {
3556 i = F_LEN(src);
3557 bcopy(src, dst, i * sizeof(uint32_t));
3558 dst += i;
3559 }
3560 /*
3561 * copy all other actions
3562 */
3563 for (src = (ipfw_insn *)actbuf; src != action; src += i) {
3564 i = F_LEN(src);
3565 bcopy(src, dst, i * sizeof(uint32_t));
3566 dst += i;
3567 }
3568
3569 rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
3570 i = (char *)dst - (char *)rule;
3571
3572 if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1)
3573 err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
3574 if (!do_quiet)
3575 show_ipfw(rule, 0, 0);
3576 }
3577
3578 static void
3579 zero(int ac, char *av[], int optname /* IP_FW_ZERO or IP_FW_RESETLOG */)
3580 {
3581 struct ip_fw rule;
3582 int rulenum;
3583 int failed = EX_OK;
3584 char const *name = optname == IP_FW_ZERO ? "ZERO" : "RESETLOG";
3585
3586 av++; ac--;
3587 bzero(&rule, sizeof(rule));
3588
3589 if (!ac) {
3590 /* clear all entries - send empty rule */
3591 if (do_cmd(optname, &rule, sizeof(rule)) < 0)
3592 err(EX_UNAVAILABLE, "setsockopt(IP_FW_%s)", name);
3593 if (!do_quiet)
3594 printf("%s.\n", optname == IP_FW_ZERO ?
3595 "Accounting cleared":"Logging counts reset");
3596
3597 return;
3598 }
3599
3600 while (ac) {
3601 /* Rule number */
3602 if (isdigit(**av)) {
3603 rulenum = atoi(*av);
3604 av++;
3605 ac--;
3606 rule.rulenum = rulenum;
3607 if (do_cmd(optname, &rule, sizeof(rule))) {
3608 warn("rule %u: setsockopt(IP_FW_%s)",
3609 rulenum, name);
3610 failed = EX_UNAVAILABLE;
3611 } else if (!do_quiet)
3612 printf("Entry %d %s.\n", rulenum,
3613 optname == IP_FW_ZERO ?
3614 "cleared" : "logging count reset");
3615 } else {
3616 errx(EX_USAGE, "invalid rule number ``%s''", *av);
3617 }
3618 }
3619 if (failed != EX_OK)
3620 exit(failed);
3621 }
3622
3623 static void
3624 flush(int force)
3625 {
3626 int cmd = do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH;
3627 struct ip_fw rule;
3628
3629 if (!force && !do_quiet) { /* need to ask user */
3630 int c;
3631
3632 printf("Are you sure? [yn] ");
3633 fflush(stdout);
3634 do {
3635 c = toupper(getc(stdin));
3636 while (c != '\n' && getc(stdin) != '\n')
3637 if (feof(stdin))
3638 return; /* and do not flush */
3639 } while (c != 'Y' && c != 'N');
3640 printf("\n");
3641 if (c == 'N') /* user said no */
3642 return;
3643 }
3644
3645 if (cmd == IP_FW_FLUSH) {
3646 /* send empty rule */
3647 bzero(&rule, sizeof(rule));
3648 if (do_cmd(cmd, &rule, sizeof(rule)) < 0)
3649 err(EX_UNAVAILABLE, "setsockopt(IP_FW_FLUSH)");
3650 }
3651 else {
3652 if (do_cmd(cmd, NULL, 0) < 0)
3653 err(EX_UNAVAILABLE, "setsockopt(IP_DUMMYNET_FLUSH)");
3654 }
3655 if (!do_quiet)
3656 printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
3657 }
3658
3659 /*
3660 * Free a the (locally allocated) copy of command line arguments.
3661 */
3662 static void
3663 free_args(int ac, char **av)
3664 {
3665 int i;
3666
3667 for (i=0; i < ac; i++)
3668 free(av[i]);
3669 free(av);
3670 }
3671
3672 /*
3673 * Called with the arguments (excluding program name).
3674 * Returns 0 if successful, 1 if empty command, errx() in case of errors.
3675 */
3676 static int
3677 ipfw_main(int oldac, char **oldav)
3678 {
3679 int ch, ac, save_ac;
3680 char **av, **save_av;
3681 int do_acct = 0; /* Show packet/byte count */
3682 int do_force = 0; /* Don't ask for confirmation */
3683
3684 #define WHITESP " \t\f\v\n\r"
3685 if (oldac == 0)
3686 return 1;
3687 else if (oldac == 1) {
3688 /*
3689 * If we are called with a single string, try to split it into
3690 * arguments for subsequent parsing.
3691 * But first, remove spaces after a ',', by copying the string
3692 * in-place.
3693 */
3694 char *arg = oldav[0]; /* The string... */
3695 int l = strlen(arg);
3696 int copy = 0; /* 1 if we need to copy, 0 otherwise */
3697 int i, j;
3698 for (i = j = 0; i < l; i++) {
3699 if (arg[i] == '#') /* comment marker */
3700 break;
3701 if (copy) {
3702 arg[j++] = arg[i];
3703 copy = !index("," WHITESP, arg[i]);
3704 } else {
3705 copy = !index(WHITESP, arg[i]);
3706 if (copy)
3707 arg[j++] = arg[i];
3708 }
3709 }
3710 if (!copy && j > 0) /* last char was a 'blank', remove it */
3711 j--;
3712 l = j; /* the new argument length */
3713 arg[j++] = '\0';
3714 if (l == 0) /* empty string! */
3715 return 1;
3716
3717 /*
3718 * First, count number of arguments. Because of the previous
3719 * processing, this is just the number of blanks plus 1.
3720 */
3721 for (i = 0, ac = 1; i < l; i++)
3722 if (index(WHITESP, arg[i]) != NULL)
3723 ac++;
3724
3725 av = calloc(ac, sizeof(char *));
3726
3727 /*
3728 * Second, copy arguments from cmd[] to av[]. For each one,
3729 * j is the initial character, i is the one past the end.
3730 */
3731 for (ac = 0, i = j = 0; i < l; i++)
3732 if (index(WHITESP, arg[i]) != NULL || i == l-1) {
3733 if (i == l-1)
3734 i++;
3735 av[ac] = calloc(i-j+1, 1);
3736 bcopy(arg+j, av[ac], i-j);
3737 ac++;
3738 j = i + 1;
3739 }
3740 } else {
3741 /*
3742 * If an argument ends with ',' join with the next one.
3743 */
3744 int first, i, l;
3745
3746 av = calloc(oldac, sizeof(char *));
3747 for (first = i = ac = 0, l = 0; i < oldac; i++) {
3748 char *arg = oldav[i];
3749 int k = strlen(arg);
3750
3751 l += k;
3752 if (arg[k-1] != ',' || i == oldac-1) {
3753 /* Time to copy. */
3754 av[ac] = calloc(l+1, 1);
3755 for (l=0; first <= i; first++) {
3756 strcat(av[ac]+l, oldav[first]);
3757 l += strlen(oldav[first]);
3758 }
3759 ac++;
3760 l = 0;
3761 first = i+1;
3762 }
3763 }
3764 }
3765
3766 /* Set the force flag for non-interactive processes */
3767 do_force = !isatty(STDIN_FILENO);
3768
3769 /* Save arguments for final freeing of memory. */
3770 save_ac = ac;
3771 save_av = av;
3772
3773 optind = optreset = 0;
3774 while ((ch = getopt(ac, av, "acdefhnNqs:STtv")) != -1)
3775 switch (ch) {
3776 case 'a':
3777 do_acct = 1;
3778 break;
3779
3780 case 'c':
3781 do_compact = 1;
3782 break;
3783
3784 case 'd':
3785 do_dynamic = 1;
3786 break;
3787
3788 case 'e':
3789 do_expired = 1;
3790 break;
3791
3792 case 'f':
3793 do_force = 1;
3794 break;
3795
3796 case 'h': /* help */
3797 free_args(save_ac, save_av);
3798 help();
3799 break; /* NOTREACHED */
3800
3801 case 'n':
3802 test_only = 1;
3803 break;
3804
3805 case 'N':
3806 do_resolv = 1;
3807 break;
3808
3809 case 'q':
3810 do_quiet = 1;
3811 break;
3812
3813 case 's': /* sort */
3814 do_sort = atoi(optarg);
3815 break;
3816
3817 case 'S':
3818 show_sets = 1;
3819 break;
3820
3821 case 't':
3822 do_time = 1;
3823 break;
3824
3825 case 'T':
3826 do_time = 2; /* numeric timestamp */
3827 break;
3828
3829 case 'v': /* verbose */
3830 verbose = 1;
3831 break;
3832
3833 default:
3834 free_args(save_ac, save_av);
3835 return 1;
3836 }
3837
3838 ac -= optind;
3839 av += optind;
3840 NEED1("bad arguments, for usage summary ``ipfw''");
3841
3842 /*
3843 * An undocumented behaviour of ipfw1 was to allow rule numbers first,
3844 * e.g. "100 add allow ..." instead of "add 100 allow ...".
3845 * In case, swap first and second argument to get the normal form.
3846 */
3847 if (ac > 1 && isdigit(*av[0])) {
3848 char *p = av[0];
3849
3850 av[0] = av[1];
3851 av[1] = p;
3852 }
3853
3854 /*
3855 * optional: pipe or queue
3856 */
3857 do_pipe = 0;
3858 if (!strncmp(*av, "pipe", strlen(*av)))
3859 do_pipe = 1;
3860 else if (!strncmp(*av, "queue", strlen(*av)))
3861 do_pipe = 2;
3862 if (do_pipe) {
3863 ac--;
3864 av++;
3865 }
3866 NEED1("missing command");
3867
3868 /*
3869 * For pipes and queues we normally say 'pipe NN config'
3870 * but the code is easier to parse as 'pipe config NN'
3871 * so we swap the two arguments.
3872 */
3873 if (do_pipe > 0 && ac > 1 && isdigit(*av[0])) {
3874 char *p = av[0];
3875
3876 av[0] = av[1];
3877 av[1] = p;
3878 }
3879
3880 if (!strncmp(*av, "add", strlen(*av)))
3881 add(ac, av);
3882 else if (do_pipe && !strncmp(*av, "config", strlen(*av)))
3883 config_pipe(ac, av);
3884 else if (!strncmp(*av, "delete", strlen(*av)))
3885 delete(ac, av);
3886 else if (!strncmp(*av, "flush", strlen(*av)))
3887 flush(do_force);
3888 else if (!strncmp(*av, "zero", strlen(*av)))
3889 zero(ac, av, IP_FW_ZERO);
3890 else if (!strncmp(*av, "resetlog", strlen(*av)))
3891 zero(ac, av, IP_FW_RESETLOG);
3892 else if (!strncmp(*av, "print", strlen(*av)) ||
3893 !strncmp(*av, "list", strlen(*av)))
3894 list(ac, av, do_acct);
3895 else if (!strncmp(*av, "set", strlen(*av)))
3896 sets_handler(ac, av);
3897 else if (!strncmp(*av, "enable", strlen(*av)))
3898 sysctl_handler(ac, av, 1);
3899 else if (!strncmp(*av, "disable", strlen(*av)))
3900 sysctl_handler(ac, av, 0);
3901 else if (!strncmp(*av, "show", strlen(*av)))
3902 list(ac, av, 1 /* show counters */);
3903 else
3904 errx(EX_USAGE, "bad command `%s'", *av);
3905
3906 /* Free memory allocated in the argument parsing. */
3907 free_args(save_ac, save_av);
3908 return 0;
3909 }
3910
3911
3912 static void
3913 ipfw_readfile(int ac, char *av[])
3914 {
3915 #define MAX_ARGS 32
3916 char buf[BUFSIZ];
3917 char *cmd = NULL, *filename = av[ac-1];
3918 int c, lineno=0;
3919 FILE *f = NULL;
3920 pid_t preproc = 0;
3921
3922 filename = av[ac-1];
3923
3924 while ((c = getopt(ac, av, "cNnp:qS")) != -1) {
3925 switch(c) {
3926 case 'c':
3927 do_compact = 1;
3928 break;
3929
3930 case 'N':
3931 do_resolv = 1;
3932 break;
3933
3934 case 'n':
3935 test_only = 1;
3936 break;
3937
3938 case 'p':
3939 cmd = optarg;
3940 /*
3941 * Skip previous args and delete last one, so we
3942 * pass all but the last argument to the preprocessor
3943 * via av[optind-1]
3944 */
3945 av += optind - 1;
3946 ac -= optind - 1;
3947 av[ac-1] = NULL;
3948 fprintf(stderr, "command is %s\n", av[0]);
3949 break;
3950
3951 case 'q':
3952 do_quiet = 1;
3953 break;
3954
3955 case 'S':
3956 show_sets = 1;
3957 break;
3958
3959 default:
3960 errx(EX_USAGE, "bad arguments, for usage"
3961 " summary ``ipfw''");
3962 }
3963
3964 if (cmd != NULL)
3965 break;
3966 }
3967
3968 if (cmd == NULL && ac != optind + 1) {
3969 fprintf(stderr, "ac %d, optind %d\n", ac, optind);
3970 errx(EX_USAGE, "extraneous filename arguments");
3971 }
3972
3973 if ((f = fopen(filename, "r")) == NULL)
3974 err(EX_UNAVAILABLE, "fopen: %s", filename);
3975
3976 if (cmd != NULL) { /* pipe through preprocessor */
3977 int pipedes[2];
3978
3979 if (pipe(pipedes) == -1)
3980 err(EX_OSERR, "cannot create pipe");
3981
3982 preproc = fork();
3983 if (preproc == -1)
3984 err(EX_OSERR, "cannot fork");
3985
3986 if (preproc == 0) {
3987 /*
3988 * Child, will run the preprocessor with the
3989 * file on stdin and the pipe on stdout.
3990 */
3991 if (dup2(fileno(f), 0) == -1
3992 || dup2(pipedes[1], 1) == -1)
3993 err(EX_OSERR, "dup2()");
3994 fclose(f);
3995 close(pipedes[1]);
3996 close(pipedes[0]);
3997 execvp(cmd, av);
3998 err(EX_OSERR, "execvp(%s) failed", cmd);
3999 } else { /* parent, will reopen f as the pipe */
4000 fclose(f);
4001 close(pipedes[1]);
4002 if ((f = fdopen(pipedes[0], "r")) == NULL) {
4003 int savederrno = errno;
4004
4005 (void)kill(preproc, SIGTERM);
4006 errno = savederrno;
4007 err(EX_OSERR, "fdopen()");
4008 }
4009 }
4010 }
4011
4012 while (fgets(buf, BUFSIZ, f)) { /* read commands */
4013 char linename[10];
4014 char *args[1];
4015
4016 lineno++;
4017 sprintf(linename, "Line %d", lineno);
4018 setprogname(linename); /* XXX */
4019 args[0] = buf;
4020 ipfw_main(1, args);
4021 }
4022 fclose(f);
4023 if (cmd != NULL) {
4024 int status;
4025
4026 if (waitpid(preproc, &status, 0) == -1)
4027 errx(EX_OSERR, "waitpid()");
4028 if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
4029 errx(EX_UNAVAILABLE,
4030 "preprocessor exited with status %d",
4031 WEXITSTATUS(status));
4032 else if (WIFSIGNALED(status))
4033 errx(EX_UNAVAILABLE,
4034 "preprocessor exited with signal %d",
4035 WTERMSIG(status));
4036 }
4037 }
4038
4039 int
4040 main(int ac, char *av[])
4041 {
4042 /*
4043 * If the last argument is an absolute pathname, interpret it
4044 * as a file to be preprocessed.
4045 */
4046
4047 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
4048 ipfw_readfile(ac, av);
4049 else {
4050 if (ipfw_main(ac-1, av+1))
4051 show_usage();
4052 }
4053 return EX_OK;
4054 }
mirror of network_cmds