ipfw2.h revision 205169
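/*
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD: head/sbin/ipfw/ipfw2.h 205169 2010-03-15 15:43:35Z luigi $
 */

#ifndef IPFW2_H
#define IPFW2_H

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 */
struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
	int	do_nat; 	/* this cmd refers to a nat config */
	int	do_dynamic;	/* display dynamic rules */
	int	do_expired;	/* display expired dynamic rules */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_sort;	/* field to sort results (0 = no) */
		/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
		/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/* The single, program-wide instance of the command line options. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores a string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 */
struct _s_x {
	char const *s;
	int x;
};

/*
 * Token identifiers returned by the parser; TOK_NULL is the
 * "no match" value, all other tokens are sequential from 1.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ACCEPT,
	TOK_COUNT,
	TOK_PIPE,
	TOK_LINK,
	TOK_QUEUE,
	TOK_FLOWSET,
	TOK_SCHED,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_KEEPSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_DSCP,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_FLOW_MASK,
	TOK_SCHED_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_PROFILE,
	TOK_BURST,
	TOK_RED,
	TOK_GRED,
	TOK_DROPTAIL,
	TOK_PROTO,
	/* dummynet tokens */
	TOK_WEIGHT,
	TOK_LMAX,
	TOK_PRI,
	TOK_TYPE,
	TOK_SLOTSIZE,

	TOK_IP,
	TOK_IF,
 	TOK_ALOG,
 	TOK_DENY_INC,
 	TOK_SAME_PORTS,
 	TOK_UNREG_ONLY,
 	TOK_RESET_ADDR,
 	TOK_ALIAS_REV,
 	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
	TOK_LOOKUP,
};

/*
 * The following macros exit with a usage error if we run out of
 * arguments.
 *
 * 'msg' is handed to errx() as its *format string*, so it must be a
 * string literal without conversion specifiers; never pass user- or
 * rule-file-derived text here.  NEED1() additionally reads the
 * caller's local 'av' (the current argument vector position).
 * Both expand to a single statement so they can be used as the body
 * of an if/else without braces.
 */
#define NEED(_p, msg)	do { if (!(_p)) errx(EX_USAGE, msg); } while (0)
#define NEED1(msg)	do { if (!(*av)) errx(EX_USAGE, msg); } while (0)

/* Read a 64-bit counter through a pointer whose alignment is not trusted. */
unsigned long long align_uint64(const uint64_t *pll);

/*
 * Memory allocation support.
 * NOTE(review): the "safe_" prefix suggests the wrappers never return
 * NULL (they presumably exit on failure) -- confirm against the definitions
 * before relying on it.
 */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/*
 * String comparison functions used for historical compatibility.
 * (The leading-underscore names fall in the identifier space reserved
 * for the implementation; they are kept for source compatibility.)
 */
int _substrcmp(const char *str1, const char* str2);
int _substrcmp2(const char *str1, const char* str2, const char* str3);

/*
 * Utility functions.
 * match_token() looks 'string' up in a NULL-terminated struct _s_x table
 * and returns the associated token; match_value() does the reverse lookup
 * and returns the string for 'value'.
 */
int match_token(struct _s_x *table, char *string);
char const *match_value(struct _s_x *p, int value);

/* Issue a socket option request for the firewall; optlen is passed through as-is. */
int do_cmd(int optname, void *optval, uintptr_t optlen);

struct in6_addr;
/* Build an IPv6 netmask with the 'n' high bits set. */
void n2mask(struct in6_addr *mask, int n);
/* Return the length of the contiguous prefix of 'p' (len bits), or -1 if not contiguous -- TODO confirm. */
int contigmask(uint8_t *p, int len);

/*
 * Forward declarations to avoid include way too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * in that header just for one constant.
 */
extern int resvd_set_number;

/* first-level command handlers */
void ipfw_add(char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(char *av[], int which);
void ipfw_delete(char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);

/* altq.c */
void altq_set_enabled(int enabled);
u_int32_t altq_name_to_qid(const char *name);

void print_altq_cmd(struct _ipfw_insn_altq *altqptr);

/* dummynet.c */
void dummynet_list(int ac, char *av[], int show_counters);
void dummynet_flush(void);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(uint16_t code);
void print_ip6(struct _ipfw_insn_ip6 *cmd, char const *s);
void print_flow6id(struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct _ipfw_insn *cmd);

struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av);
void fill_unreach6_code(u_short *codep, char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);

#endif /* IPFW2_H */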