1
/*-
2
 * Copyright (c) 2002-2003 Luigi Rizzo
3
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4
 * Copyright (c) 1994 Ugen J.S.Antsilevich
5
 *
6
 * Idea and grammar partially left from:
7
 * Copyright (c) 1993 Daniel Boulet
8
 *
9
 * Redistribution and use in source forms, with and without modification,
10
 * are permitted provided that this entire comment appears intact.
11
 *
12
 * Redistribution in binary form may occur without any restrictions.
13
 * Obviously, it would be nice if you gave credit where credit is due
14
 * but requiring it would be too onerous.
15
 *
16
 * This software is provided ``AS IS'' without any warranties of any kind.
17
 *
18
 * NEW command line interface for IP firewall facility
19
 */
20

21
enum cmdline_prog {
22
	cmdline_prog_ipfw,
23
	cmdline_prog_dnctl
24
};
25

26
/*
27
 * Options that can be set on the command line.
28
 * When reading commands from a file, a subset of the options can also
29
 * be applied globally by specifying them before the file name.
30
 * After that, each line can contain its own option that changes
31
 * the global value.
32
 * XXX The context is not restored after each line.
33
 */
34

35
struct cmdline_opts {
36
	/* boolean options: */
37
	int	do_value_as_ip;	/* show table value as IP */
38
	int	do_resolv;	/* try to resolve all ip to names */
39
	int	do_time;	/* Show time stamps */
40
	int	do_quiet;	/* Be quiet in add and flush */
41
	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
42
	int	do_nat; 	/* this cmd refers to a nat config */
43
	int	do_compact;	/* show rules in compact mode */
44
	int	do_force;	/* do not ask for confirmation */
45
	int	show_sets;	/* display the set each rule belongs to */
46
	int	test_only;	/* only check syntax */
47
	int	comment_only;	/* only print action and comment */
48
	int	verbose;	/* be verbose on some commands */
49
	int	debug_only;	/* output ioctl i/o on stdout */
50

51
	/* The options below can have multiple values. */
52

53
	int	do_dynamic;	/* 1 - display dynamic rules */
54
				/* 2 - display/delete only dynamic rules */
55
	int	do_sort;	/* field to sort results (0 = no) */
56
		/* valid fields are 1 and above */
57

58
	uint32_t use_set;	/* work with specified set number */
59
		/* 0 means all sets, otherwise apply to set use_set - 1 */
60

61
	enum cmdline_prog	prog;	/* Are we ipfw or dnctl? */
62
};
63

64
int is_ipfw(void);
65

66
enum {
67
	TIMESTAMP_NONE = 0,
68
	TIMESTAMP_STRING,
69
	TIMESTAMP_NUMERIC,
70
};
71

72
extern struct cmdline_opts g_co;
73

74
/*
75
 * _s_x is a structure that stores a string <-> token pairs, used in
76
 * various places in the parser. Entries are stored in arrays,
77
 * with an entry with s=NULL as terminator.
78
 * The search routines are match_token() and match_value().
79
 * Often, an element with x=0 contains an error string.
80
 *
81
 */
82
struct _s_x {
83
	char const *s;
84
	int x;
85
};
86

87
extern struct _s_x f_ipdscp[];
88

89
enum tokens {
90
	TOK_NULL=0,
91

92
	TOK_OR,
93
	TOK_NOT,
94
	TOK_STARTBRACE,
95
	TOK_ENDBRACE,
96

97
	TOK_ABORT6,
98
	TOK_ABORT,
99
	TOK_ACCEPT,
100
	TOK_COUNT,
101
	TOK_EACTION,
102
	TOK_PIPE,
103
	TOK_LINK,
104
	TOK_QUEUE,
105
	TOK_FLOWSET,
106
	TOK_SCHED,
107
	TOK_DIVERT,
108
	TOK_TEE,
109
	TOK_NETGRAPH,
110
	TOK_NGTEE,
111
	TOK_FORWARD,
112
	TOK_SKIPTO,
113
	TOK_DENY,
114
	TOK_REJECT,
115
	TOK_RESET,
116
	TOK_UNREACH,
117
	TOK_CHECKSTATE,
118
	TOK_NAT,
119
	TOK_REASS,
120
	TOK_CALL,
121
	TOK_RETURN,
122

123
	TOK_ALTQ,
124
	TOK_LOG,
125
	TOK_TAG,
126
	TOK_UNTAG,
127

128
	TOK_TAGGED,
129
	TOK_UID,
130
	TOK_GID,
131
	TOK_JAIL,
132
	TOK_IN,
133
	TOK_LIMIT,
134
	TOK_SETLIMIT,
135
	TOK_KEEPSTATE,
136
	TOK_RECORDSTATE,
137
	TOK_LAYER2,
138
	TOK_OUT,
139
	TOK_DIVERTED,
140
	TOK_DIVERTEDLOOPBACK,
141
	TOK_DIVERTEDOUTPUT,
142
	TOK_XMIT,
143
	TOK_RECV,
144
	TOK_VIA,
145
	TOK_FRAG,
146
	TOK_IPOPTS,
147
	TOK_IPLEN,
148
	TOK_IPID,
149
	TOK_IPPRECEDENCE,
150
	TOK_DSCP,
151
	TOK_IPTOS,
152
	TOK_IPTTL,
153
	TOK_IPVER,
154
	TOK_ESTAB,
155
	TOK_SETUP,
156
	TOK_TCPDATALEN,
157
	TOK_TCPFLAGS,
158
	TOK_TCPOPTS,
159
	TOK_TCPSEQ,
160
	TOK_TCPACK,
161
	TOK_TCPMSS,
162
	TOK_TCPWIN,
163
	TOK_ICMPTYPES,
164
	TOK_MAC,
165
	TOK_MACTYPE,
166
	TOK_VERREVPATH,
167
	TOK_VERSRCREACH,
168
	TOK_ANTISPOOF,
169
	TOK_IPSEC,
170
	TOK_COMMENT,
171

172
	TOK_PLR,
173
	TOK_NOERROR,
174
	TOK_BUCKETS,
175
	TOK_DSTIP,
176
	TOK_SRCIP,
177
	TOK_DSTPORT,
178
	TOK_SRCPORT,
179
	TOK_DSTMAC,
180
	TOK_SRCMAC,
181
	TOK_ALL,
182
	TOK_MASK,
183
	TOK_FLOW_MASK,
184
	TOK_SCHED_MASK,
185
	TOK_BW,
186
	TOK_DELAY,
187
	TOK_PROFILE,
188
	TOK_BURST,
189
	TOK_RED,
190
	TOK_GRED,
191
	TOK_ECN,
192
	TOK_DROPTAIL,
193
	TOK_PROTO,
194
#ifdef NEW_AQM
195
	/* AQM tokens*/
196
	TOK_NO_ECN,
197
	TOK_CODEL, 
198
	TOK_FQ_CODEL,
199
	TOK_TARGET,
200
	TOK_INTERVAL,
201
	TOK_FLOWS,
202
	TOK_QUANTUM,
203
	
204
	TOK_PIE,
205
	TOK_FQ_PIE,
206
	TOK_TUPDATE,
207
	TOK_MAX_BURST,
208
	TOK_MAX_ECNTH,
209
	TOK_ALPHA,
210
	TOK_BETA,
211
	TOK_CAPDROP,
212
	TOK_NO_CAPDROP,
213
	TOK_ONOFF,
214
	TOK_DRE,
215
	TOK_TS,
216
	TOK_DERAND,
217
	TOK_NO_DERAND,
218
#endif
219
	/* dummynet tokens */
220
	TOK_WEIGHT,
221
	TOK_LMAX,
222
	TOK_PRI,
223
	TOK_TYPE,
224
	TOK_SLOTSIZE,
225

226
	TOK_IP,
227
	TOK_IF,
228
	TOK_ALOG,
229
	TOK_DENY_INC,
230
	TOK_SAME_PORTS,
231
	TOK_UNREG_ONLY,
232
	TOK_UNREG_CGN,
233
	TOK_SKIP_GLOBAL,
234
	TOK_RESET_ADDR,
235
	TOK_ALIAS_REV,
236
	TOK_PROXY_ONLY,
237
	TOK_REDIR_ADDR,
238
	TOK_REDIR_PORT,
239
	TOK_REDIR_PROTO,
240

241
	TOK_IPV6,
242
	TOK_FLOWID,
243
	TOK_ICMP6TYPES,
244
	TOK_EXT6HDR,
245
	TOK_DSTIP6,
246
	TOK_SRCIP6,
247

248
	TOK_IPV4,
249
	TOK_UNREACH6,
250
	TOK_RESET6,
251

252
	TOK_FIB,
253
	TOK_SETFIB,
254
	TOK_LOOKUP,
255
	TOK_SOCKARG,
256
	TOK_SETDSCP,
257
	TOK_FLOW,
258
	TOK_IFLIST,
259
	/* Table tokens */
260
	TOK_CREATE,
261
	TOK_DESTROY,
262
	TOK_LIST,
263
	TOK_INFO,
264
	TOK_DETAIL,
265
	TOK_MODIFY,
266
	TOK_FLUSH,
267
	TOK_SWAP,
268
	TOK_ADD,
269
	TOK_DEL,
270
	TOK_VALTYPE,
271
	TOK_ALGO,
272
	TOK_TALIST,
273
	TOK_ATOMIC,
274
	TOK_LOCK,
275
	TOK_UNLOCK,
276
	TOK_VLIST,
277
	TOK_OLIST,
278
	TOK_MONITOR,
279
	TOK_MISSING,
280
	TOK_ORFLUSH,
281

282
	/* NAT64 tokens */
283
	TOK_NAT64STL,
284
	TOK_NAT64LSN,
285
	TOK_STATS,
286
	TOK_STATES,
287
	TOK_CONFIG,
288
	TOK_TABLE4,
289
	TOK_TABLE6,
290
	TOK_PREFIX4,
291
	TOK_PREFIX6,
292
	TOK_AGG_LEN,
293
	TOK_AGG_COUNT,
294
	TOK_MAX_PORTS,
295
	TOK_STATES_CHUNKS,
296
	TOK_JMAXLEN,
297
	TOK_PORT_RANGE,
298
	TOK_PORT_ALIAS,
299
	TOK_HOST_DEL_AGE,
300
	TOK_PG_DEL_AGE,
301
	TOK_TCP_SYN_AGE,
302
	TOK_TCP_CLOSE_AGE,
303
	TOK_TCP_EST_AGE,
304
	TOK_UDP_AGE,
305
	TOK_ICMP_AGE,
306
	TOK_LOGOFF,
307
	TOK_PRIVATE,
308
	TOK_PRIVATEOFF,
309
	TOK_SWAPCONF,
310
	TOK_SWAPCONFOFF,
311

312
	/* NAT64 CLAT tokens */
313
	TOK_NAT64CLAT,
314
	TOK_PLAT_PREFIX,
315
	TOK_CLAT_PREFIX,
316

317
	/* NPTv6 tokens */
318
	TOK_NPTV6,
319
	TOK_INTPREFIX,
320
	TOK_EXTPREFIX,
321
	TOK_PREFIXLEN,
322
	TOK_EXTIF,
323

324
	TOK_TCPSETMSS,
325

326
	TOK_MARK,
327
	TOK_SETMARK,
328

329
	TOK_SKIPACTION,
330
	TOK_UDP_EIM,
331
};
332

333
/*
334
 * the following macro returns an error message if we run out of
335
 * arguments.
336
 */
337
#define NEED(_p, msg)      {if (!_p) errx(EX_USAGE, msg);}
338
#define NEED1(msg)      {if (!(*av)) errx(EX_USAGE, msg);}
339

340
struct buf_pr {
341
	char	*buf;	/* allocated buffer */
342
	char	*ptr;	/* current pointer */
343
	size_t	size;	/* total buffer size */
344
	size_t	avail;	/* available storage */
345
	size_t	needed;	/* length needed */
346
};
347

348
int pr_u64(struct buf_pr *bp, void *pd, int width);
349
int bp_alloc(struct buf_pr *b, size_t size);
350
void bp_free(struct buf_pr *b);
351
int bprintf(struct buf_pr *b, const char *format, ...) __printflike(2, 3);
352

353

354
/* memory allocation support */
355
void *safe_calloc(size_t number, size_t size);
356
void *safe_realloc(void *ptr, size_t size);
357

358
/* string comparison functions used for historical compatibility */
359
int _substrcmp(const char *str1, const char* str2);
360
int _substrcmp2(const char *str1, const char* str2, const char* str3);
361
int stringnum_cmp(const char *a, const char *b);
362

363
/* utility functions */
364
int match_token(struct _s_x *table, const char *string);
365
int match_token_relaxed(struct _s_x *table, const char *string);
366
int get_token(struct _s_x *table, const char *string, const char *errbase);
367
char const *match_value(struct _s_x *p, int value);
368
size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
369
    const char *delimiter);
370
int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
371
    uint32_t *clear);
372
void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);
373

374
struct _ip_fw3_opheader;
375
int do_cmd(int optname, void *optval, uintptr_t optlen);
376
int do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
377
int do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);
378

379
struct in6_addr;
380
void n2mask(struct in6_addr *mask, int n);
381
int contigmask(const uint8_t *p, int len);
382

383
/*
384
 * Forward declarations to avoid include way too many headers.
385
 * C does not allow duplicated typedefs, so we use the base struct
386
 * that the typedef points to.
387
 * Should the typedefs use a different type, the compiler will
388
 * still detect the change when compiling the body of the
389
 * functions involved, so we do not lose error checking.
390
 */
391
struct _ipfw_insn;
392
struct _ipfw_insn_altq;
393
struct _ipfw_insn_u32;
394
struct _ipfw_insn_ip6;
395
struct _ipfw_insn_icmp6;
396

397
/*
398
 * The reserved set numer. This is a constant in ip_fw.h
399
 * but we store it in a variable so other files do not depend
400
 * in that header just for one constant.
401
 */
402
extern int resvd_set_number;
403

404
/* first-level command handlers */
405
void ipfw_add(char *av[]);
406
void ipfw_show_nat(int ac, char **av);
407
int ipfw_delete_nat(int i);
408
void ipfw_config_pipe(int ac, char **av);
409
void ipfw_config_nat(int ac, char **av);
410
void ipfw_sets_handler(char *av[]);
411
void ipfw_table_handler(int ac, char *av[]);
412
void ipfw_sysctl_handler(char *av[], int which);
413
void ipfw_delete(char *av[]);
414
void ipfw_flush(int force);
415
void ipfw_zero(int ac, char *av[], int optname);
416
void ipfw_list(int ac, char *av[], int show_counters);
417
void ipfw_internal_handler(int ac, char *av[]);
418
void ipfw_nat64clat_handler(int ac, char *av[]);
419
void ipfw_nat64lsn_handler(int ac, char *av[]);
420
void ipfw_nat64stl_handler(int ac, char *av[]);
421
void ipfw_nptv6_handler(int ac, char *av[]);
422
int ipfw_check_object_name(const char *name);
423
int ipfw_check_nat64prefix(const struct in6_addr *prefix, int length);
424

425
#ifdef PF
426
/* altq.c */
427
void altq_set_enabled(int enabled);
428
u_int32_t altq_name_to_qid(const char *name);
429
void print_altq_cmd(struct buf_pr *bp, const struct _ipfw_insn_altq *altqptr);
430
#else
431
#define NO_ALTQ
432
#endif
433

434
/* dummynet.c */
435
void dummynet_list(int ac, char *av[], int show_counters);
436
void dummynet_flush(void);
437
int ipfw_delete_pipe(int pipe_or_queue, int n);
438

439
/* ipv6.c */
440
void print_unreach6_code(struct buf_pr *bp, uint16_t code);
441
void print_ip6(struct buf_pr *bp, const struct _ipfw_insn_ip6 *cmd);
442
void print_flow6id(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
443
void print_icmp6types(struct buf_pr *bp, const struct _ipfw_insn_u32 *cmd);
444
void print_ext6hdr(struct buf_pr *bp, const struct _ipfw_insn *cmd);
445

446
struct tidx;
447
struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
448
    struct tidx *tstate);
449
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
450
    struct tidx *tstate);
451

452
void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
453
uint16_t get_unreach6_code(const char *str);
454
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
455
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);
456

457
/* ipfw2.c */
458
void bp_flush(struct buf_pr *b);
459
void fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
460
    struct tidx *tstate);
461

462
/* tables.c */
463
struct _ipfw_obj_ctlv;
464
struct _ipfw_obj_ntlv;
465
int table_check_name(const char *tablename);
466
void ipfw_list_ta(int ac, char *av[]);
467
void ipfw_list_values(int ac, char *av[]);
468
void table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
469
    uint8_t set, uint32_t uidx);
470

471

472