ipfw2.h revision 187770
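/*
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD: head/sbin/ipfw/ipfw2.h 187770 2009-01-27 12:01:30Z luigi $
 */

#ifndef IPFW2_H
#define IPFW2_H

/*
 * Make the header self-contained: the prototypes below use size_t,
 * uintptr_t, uint8_t, uint16_t, u_short and uint, and NEED1() expands
 * to errx()/EX_USAGE at its point of use.
 */
#include <sys/types.h>
#include <stdint.h>
#include <err.h>
#include <sysexits.h>

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 */

struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe */
	int	do_nat; 	/* this cmd refers to a nat config */
	int	do_dynamic;	/* display dynamic rules */
	int	do_expired;	/* display expired dynamic rules */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_sort;	/* field to sort results (0 = no) */
		/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
		/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/* The single, process-wide option set; defined in one .c file. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores a string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 * (The tag name starts with an underscore, which C reserves at file
 * scope; it is kept unchanged because the .c files refer to it.)
 */
struct _s_x {
	char const *s;
	int x;
};

/*
 * Token values used in the _s_x tables.  Only TOK_NULL is pinned to 0;
 * every other value is the ordinal position in this list, so new tokens
 * should be appended within their group rather than reordered.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ACCEPT,
	TOK_COUNT,
	TOK_PIPE,
	TOK_QUEUE,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_KEEPSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_RED,
	TOK_GRED,
	TOK_DROPTAIL,
	TOK_PROTO,
	TOK_WEIGHT,
	TOK_IP,
	TOK_IF,
 	TOK_ALOG,
 	TOK_DENY_INC,
 	TOK_SAME_PORTS,
 	TOK_UNREG_ONLY,
 	TOK_RESET_ADDR,
 	TOK_ALIAS_REV,
 	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
};

/*
 * Abort with EX_USAGE and the given message if we run out of arguments.
 * Relies on a variable named 'ac' (the remaining argument count) being
 * in scope at the point of use.
 *
 * The message is passed through a "%s" conversion rather than as the
 * format string itself, so a literal '%' in the message can never be
 * interpreted as a conversion with no matching argument.  The
 * do { } while (0) wrapper makes the expansion a single statement, so
 * `if (x) NEED1("..."); else ...` parses correctly.
 */
#define NEED1(msg)	do {						\
	if (!ac)							\
		errx(EX_USAGE, "%s", (msg));				\
} while (0)

/* memory allocation support */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/* string comparison functions used for historical compatibility */
int _substrcmp(const char *str1, const char* str2);
int _substrcmp2(const char *str1, const char* str2, const char* str3);

/* utility functions */
int match_token(struct _s_x *table, char *string);
char const *match_value(struct _s_x *p, int value);

int do_cmd(int optname, void *optval, uintptr_t optlen);

struct in6_addr;
void n2mask(struct in6_addr *mask, int n);
int contigmask(uint8_t *p, int len);

/* forward declarations to avoid header dependency */
typedef struct _ipfw_insn ipfw_insn;
typedef struct _ipfw_insn_u32 ipfw_insn_u32;
typedef struct _ipfw_insn_ip6 ipfw_insn_ip6;
typedef struct _ipfw_insn_icmp6 ipfw_insn_icmp6;


/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/* first-level command handlers */
void ipfw_add(int ac, char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(int ac, char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(int ac, char *av[], int which);
void ipfw_delete(int ac, char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);

/* dummynet.c */
void ipfw_list_pipes(void *data, uint nbytes, int ac, char *av[]);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(uint16_t code);
void print_ip6(ipfw_insn_ip6 *cmd, char const *s);
void print_flow6id( ipfw_insn_u32 *cmd);
void print_icmp6types(ipfw_insn_u32 *cmd);
void print_ext6hdr( ipfw_insn *cmd );

ipfw_insn *add_srcip6(ipfw_insn *cmd, char *av);
ipfw_insn *add_dstip6(ipfw_insn *cmd, char *av);

void fill_flow6( ipfw_insn_u32 *cmd, char *av );
void fill_unreach6_code(u_short *codep, char *str);
void fill_icmp6types(ipfw_insn_icmp6 *cmd, char *av);
int fill_ext6hdr( ipfw_insn *cmd, char *av);

#endif /* IPFW2_H */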