sbin/ipfw/ipfw2.h

187767Sluigi/*
187767Sluigi * Copyright (c) 2002-2003 Luigi Rizzo
187767Sluigi * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
187767Sluigi * Copyright (c) 1994 Ugen J.S.Antsilevich
187767Sluigi *
187767Sluigi * Idea and grammar partially left from:
187767Sluigi * Copyright (c) 1993 Daniel Boulet
187767Sluigi *
187767Sluigi * Redistribution and use in source forms, with and without modification,
187767Sluigi * are permitted provided that this entire comment appears intact.
187767Sluigi *
187767Sluigi * Redistribution in binary form may occur without any restrictions.
187767Sluigi * Obviously, it would be nice if you gave credit where credit is due
187767Sluigi * but requiring it would be too onerous.
187767Sluigi *
187767Sluigi * This software is provided ``AS IS'' without any warranties of any kind.
187767Sluigi *
187767Sluigi * NEW command line interface for IP firewall facility
187767Sluigi *
187767Sluigi * $FreeBSD: stable/11/sbin/ipfw/ipfw2.h 359695 2020-04-07 16:29:11Z eugen $
187767Sluigi */
187767Sluigi
187767Sluigi/*
187767Sluigi * Options that can be set on the command line.
187767Sluigi * When reading commands from a file, a subset of the options can also
187767Sluigi * be applied globally by specifying them before the file name.
187767Sluigi * After that, each line can contain its own option that changes
187767Sluigi * the global value.
187767Sluigi * XXX The context is not restored after each line.
187767Sluigi */
187767Sluigi
187767Sluigistruct cmdline_opts {
187767Sluigi	/* boolean options: */
187767Sluigi	int	do_value_as_ip;	/* show table value as IP */
187767Sluigi	int	do_resolv;	/* try to resolve all ip to names */
187767Sluigi	int	do_time;	/* Show time stamps */
187767Sluigi	int	do_quiet;	/* Be quiet in add and flush */
204591Sluigi	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
187767Sluigi	int	do_nat; 	/* this cmd refers to a nat config */
187767Sluigi	int	do_compact;	/* show rules in compact mode */
187767Sluigi	int	do_force;	/* do not ask for confirmation */
187767Sluigi	int	show_sets;	/* display the set each rule belongs to */
187767Sluigi	int	test_only;	/* only check syntax */
187767Sluigi	int	comment_only;	/* only print action and comment */
187767Sluigi	int	verbose;	/* be verbose on some commands */
187767Sluigi
187767Sluigi	/* The options below can have multiple values. */
187767Sluigi
346205Sae	int	do_dynamic;	/* 1 - display dynamic rules */
346205Sae				/* 2 - display/delete only dynamic rules */
187767Sluigi	int	do_sort;	/* field to sort results (0 = no) */
187767Sluigi		/* valid fields are 1 and above */
187767Sluigi
187767Sluigi	int	use_set;	/* work with specified set number */
187767Sluigi		/* 0 means all sets, otherwise apply to set use_set - 1 */
187767Sluigi
187767Sluigi};
187767Sluigi
332400Saeenum {
332400Sae	TIMESTAMP_NONE = 0,
332400Sae	TIMESTAMP_STRING,
332400Sae	TIMESTAMP_NUMERIC,
332400Sae};
332400Sae
187767Sluigiextern struct cmdline_opts co;
187767Sluigi
187767Sluigi/*
187767Sluigi * _s_x is a structure that stores a string <-> token pairs, used in
187767Sluigi * various places in the parser. Entries are stored in arrays,
187767Sluigi * with an entry with s=NULL as terminator.
187767Sluigi * The search routines are match_token() and match_value().
187767Sluigi * Often, an element with x=0 contains an error string.
187767Sluigi *
187767Sluigi */
187767Sluigistruct _s_x {
187767Sluigi	char const *s;
187767Sluigi	int x;
187767Sluigi};
187767Sluigi
270424Smelifaroextern struct _s_x f_ipdscp[];
270424Smelifaro
187769Sluigienum tokens {
187769Sluigi	TOK_NULL=0,
187769Sluigi
187769Sluigi	TOK_OR,
187769Sluigi	TOK_NOT,
187769Sluigi	TOK_STARTBRACE,
187769Sluigi	TOK_ENDBRACE,
187769Sluigi
332229Stuexen	TOK_ABORT6,
332229Stuexen	TOK_ABORT,
187769Sluigi	TOK_ACCEPT,
187769Sluigi	TOK_COUNT,
298016Sae	TOK_EACTION,
187769Sluigi	TOK_PIPE,
204591Sluigi	TOK_LINK,
187769Sluigi	TOK_QUEUE,
204591Sluigi	TOK_FLOWSET,
204591Sluigi	TOK_SCHED,
187769Sluigi	TOK_DIVERT,
187769Sluigi	TOK_TEE,
187769Sluigi	TOK_NETGRAPH,
187769Sluigi	TOK_NGTEE,
187769Sluigi	TOK_FORWARD,
187769Sluigi	TOK_SKIPTO,
187769Sluigi	TOK_DENY,
187769Sluigi	TOK_REJECT,
187769Sluigi	TOK_RESET,
187769Sluigi	TOK_UNREACH,
187769Sluigi	TOK_CHECKSTATE,
187769Sluigi	TOK_NAT,
190633Spiso	TOK_REASS,
223666Sae	TOK_CALL,
223666Sae	TOK_RETURN,
187769Sluigi
187769Sluigi	TOK_ALTQ,
187769Sluigi	TOK_LOG,
187769Sluigi	TOK_TAG,
187769Sluigi	TOK_UNTAG,
187769Sluigi
187769Sluigi	TOK_TAGGED,
187769Sluigi	TOK_UID,
187769Sluigi	TOK_GID,
187769Sluigi	TOK_JAIL,
187769Sluigi	TOK_IN,
187769Sluigi	TOK_LIMIT,
337461Sae	TOK_SETLIMIT,
187769Sluigi	TOK_KEEPSTATE,
337461Sae	TOK_RECORDSTATE,
187769Sluigi	TOK_LAYER2,
187769Sluigi	TOK_OUT,
187769Sluigi	TOK_DIVERTED,
187769Sluigi	TOK_DIVERTEDLOOPBACK,
187769Sluigi	TOK_DIVERTEDOUTPUT,
187769Sluigi	TOK_XMIT,
187769Sluigi	TOK_RECV,
187769Sluigi	TOK_VIA,
187769Sluigi	TOK_FRAG,
187769Sluigi	TOK_IPOPTS,
187769Sluigi	TOK_IPLEN,
187769Sluigi	TOK_IPID,
187769Sluigi	TOK_IPPRECEDENCE,
205169Sluigi	TOK_DSCP,
187769Sluigi	TOK_IPTOS,
187769Sluigi	TOK_IPTTL,
187769Sluigi	TOK_IPVER,
187769Sluigi	TOK_ESTAB,
187769Sluigi	TOK_SETUP,
187769Sluigi	TOK_TCPDATALEN,
187769Sluigi	TOK_TCPFLAGS,
187769Sluigi	TOK_TCPOPTS,
187769Sluigi	TOK_TCPSEQ,
187769Sluigi	TOK_TCPACK,
349573Sae	TOK_TCPMSS,
187769Sluigi	TOK_TCPWIN,
187769Sluigi	TOK_ICMPTYPES,
187769Sluigi	TOK_MAC,
187769Sluigi	TOK_MACTYPE,
187769Sluigi	TOK_VERREVPATH,
187769Sluigi	TOK_VERSRCREACH,
187769Sluigi	TOK_ANTISPOOF,
187769Sluigi	TOK_IPSEC,
187769Sluigi	TOK_COMMENT,
187769Sluigi
187769Sluigi	TOK_PLR,
187769Sluigi	TOK_NOERROR,
187769Sluigi	TOK_BUCKETS,
187769Sluigi	TOK_DSTIP,
187769Sluigi	TOK_SRCIP,
187769Sluigi	TOK_DSTPORT,
187769Sluigi	TOK_SRCPORT,
187769Sluigi	TOK_ALL,
187769Sluigi	TOK_MASK,
204591Sluigi	TOK_FLOW_MASK,
204591Sluigi	TOK_SCHED_MASK,
187769Sluigi	TOK_BW,
187769Sluigi	TOK_DELAY,
204591Sluigi	TOK_PROFILE,
194930Soleg	TOK_BURST,
187769Sluigi	TOK_RED,
187769Sluigi	TOK_GRED,
266941Shiren	TOK_ECN,
187769Sluigi	TOK_DROPTAIL,
187769Sluigi	TOK_PROTO,
300779Struckman#ifdef NEW_AQM
300779Struckman	/* AQM tokens*/
300779Struckman	TOK_NO_ECN,
300779Struckman	TOK_CODEL,
300779Struckman	TOK_FQ_CODEL,
300779Struckman	TOK_TARGET,
300779Struckman	TOK_INTERVAL,
300779Struckman	TOK_FLOWS,
300779Struckman	TOK_QUANTUM,
300779Struckman
300779Struckman	TOK_PIE,
300779Struckman	TOK_FQ_PIE,
300779Struckman	TOK_TUPDATE,
300779Struckman	TOK_MAX_BURST,
300779Struckman	TOK_MAX_ECNTH,
300779Struckman	TOK_ALPHA,
300779Struckman	TOK_BETA,
300779Struckman	TOK_CAPDROP,
300779Struckman	TOK_NO_CAPDROP,
300779Struckman	TOK_ONOFF,
300779Struckman	TOK_DRE,
300779Struckman	TOK_TS,
300779Struckman	TOK_DERAND,
300779Struckman	TOK_NO_DERAND,
300779Struckman#endif
204591Sluigi	/* dummynet tokens */
187769Sluigi	TOK_WEIGHT,
204591Sluigi	TOK_LMAX,
204591Sluigi	TOK_PRI,
204591Sluigi	TOK_TYPE,
204591Sluigi	TOK_SLOTSIZE,
204591Sluigi
187769Sluigi	TOK_IP,
187769Sluigi	TOK_IF,
332210Stuexen	TOK_ALOG,
332210Stuexen	TOK_DENY_INC,
332210Stuexen	TOK_SAME_PORTS,
332210Stuexen	TOK_UNREG_ONLY,
359695Seugen	TOK_UNREG_CGN,
223080Sae	TOK_SKIP_GLOBAL,
332210Stuexen	TOK_RESET_ADDR,
332210Stuexen	TOK_ALIAS_REV,
332210Stuexen	TOK_PROXY_ONLY,
187769Sluigi	TOK_REDIR_ADDR,
187769Sluigi	TOK_REDIR_PORT,
220804Sglebius	TOK_REDIR_PROTO,
187769Sluigi
187769Sluigi	TOK_IPV6,
187769Sluigi	TOK_FLOWID,
187769Sluigi	TOK_ICMP6TYPES,
187769Sluigi	TOK_EXT6HDR,
187769Sluigi	TOK_DSTIP6,
187769Sluigi	TOK_SRCIP6,
187769Sluigi
187769Sluigi	TOK_IPV4,
187769Sluigi	TOK_UNREACH6,
187769Sluigi	TOK_RESET6,
187769Sluigi
187769Sluigi	TOK_FIB,
187769Sluigi	TOK_SETFIB,
200567Sluigi	TOK_LOOKUP,
215179Sluigi	TOK_SOCKARG,
248552Smelifaro	TOK_SETDSCP,
272840Smelifaro	TOK_FLOW,
272840Smelifaro	TOK_IFLIST,
272840Smelifaro	/* Table tokens */
272840Smelifaro	TOK_CREATE,
272840Smelifaro	TOK_DESTROY,
272840Smelifaro	TOK_LIST,
272840Smelifaro	TOK_INFO,
272840Smelifaro	TOK_DETAIL,
272840Smelifaro	TOK_MODIFY,
272840Smelifaro	TOK_FLUSH,
272840Smelifaro	TOK_SWAP,
272840Smelifaro	TOK_ADD,
272840Smelifaro	TOK_DEL,
272840Smelifaro	TOK_VALTYPE,
272840Smelifaro	TOK_ALGO,
272840Smelifaro	TOK_TALIST,
272840Smelifaro	TOK_ATOMIC,
272840Smelifaro	TOK_LOCK,
272840Smelifaro	TOK_UNLOCK,
272840Smelifaro	TOK_VLIST,
290330Sae	TOK_OLIST,
349575Sae	TOK_MISSING,
349575Sae	TOK_ORFLUSH,
316446Sae
316446Sae	/* NAT64 tokens */
316446Sae	TOK_NAT64STL,
316446Sae	TOK_NAT64LSN,
316444Sae	TOK_STATS,
316446Sae	TOK_STATES,
316446Sae	TOK_CONFIG,
316446Sae	TOK_TABLE4,
316446Sae	TOK_TABLE6,
316446Sae	TOK_PREFIX4,
316446Sae	TOK_PREFIX6,
316446Sae	TOK_AGG_LEN,
316446Sae	TOK_AGG_COUNT,
316446Sae	TOK_MAX_PORTS,
316446Sae	TOK_JMAXLEN,
316446Sae	TOK_PORT_RANGE,
316446Sae	TOK_HOST_DEL_AGE,
316446Sae	TOK_PG_DEL_AGE,
316446Sae	TOK_TCP_SYN_AGE,
316446Sae	TOK_TCP_CLOSE_AGE,
316446Sae	TOK_TCP_EST_AGE,
316446Sae	TOK_UDP_AGE,
316446Sae	TOK_ICMP_AGE,
316446Sae	TOK_LOGOFF,
346210Sae	TOK_PRIVATE,
346210Sae	TOK_PRIVATEOFF,
316444Sae
346212Sae	/* NAT64 CLAT tokens */
346212Sae	TOK_NAT64CLAT,
346212Sae	TOK_PLAT_PREFIX,
346212Sae	TOK_CLAT_PREFIX,
346212Sae
316444Sae	/* NPTv6 tokens */
316444Sae	TOK_NPTV6,
316444Sae	TOK_INTPREFIX,
316444Sae	TOK_EXTPREFIX,
316444Sae	TOK_PREFIXLEN,
317045Sae
317045Sae	TOK_TCPSETMSS,
337461Sae
337461Sae	TOK_SKIPACTION,
187769Sluigi};
272840Smelifaro
187767Sluigi/*
187767Sluigi * the following macro returns an error message if we run out of
187767Sluigi * arguments.
187767Sluigi */
204591Sluigi#define NEED(_p, msg)      {if (!_p) errx(EX_USAGE, msg);}
204591Sluigi#define NEED1(msg)      {if (!(*av)) errx(EX_USAGE, msg);}
187767Sluigi
270424Smelifarostruct buf_pr {
270424Smelifaro	char	*buf;	/* allocated buffer */
270424Smelifaro	char	*ptr;	/* current pointer */
270424Smelifaro	size_t	size;	/* total buffer size */
270424Smelifaro	size_t	avail;	/* available storage */
270424Smelifaro	size_t	needed;	/* length needed */
270424Smelifaro};
187787Sluigi
270424Smelifaroint pr_u64(struct buf_pr *bp, uint64_t *pd, int width);
270424Smelifaroint bp_alloc(struct buf_pr *b, size_t size);
270424Smelifarovoid bp_free(struct buf_pr *b);
270424Smelifaroint bprintf(struct buf_pr *b, char *format, ...);
270424Smelifaro
270424Smelifaro
187767Sluigi/* memory allocation support */
187767Sluigivoid *safe_calloc(size_t number, size_t size);
187767Sluigivoid *safe_realloc(void *ptr, size_t size);
187767Sluigi
187770Sluigi/* string comparison functions used for historical compatibility */
187767Sluigiint _substrcmp(const char *str1, const char* str2);
187769Sluigiint _substrcmp2(const char *str1, const char* str2, const char* str3);
272840Smelifaroint stringnum_cmp(const char *a, const char *b);
187767Sluigi
187770Sluigi/* utility functions */
298016Saeint match_token(struct _s_x *table, const char *string);
298016Saeint match_token_relaxed(struct _s_x *table, const char *string);
298016Saeint get_token(struct _s_x *table, const char *string, const char *errbase);
187770Sluigichar const *match_value(struct _s_x *p, int value);
272840Smelifarosize_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
272840Smelifaro    char *delimiter);
272840Smelifaroint fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
272840Smelifaro    uint32_t *clear);
272840Smelifarovoid print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);
187770Sluigi
272840Smelifarostruct _ip_fw3_opheader;
187769Sluigiint do_cmd(int optname, void *optval, uintptr_t optlen);
316274Saeint do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
272840Smelifaroint do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);
187769Sluigi
187769Sluigistruct in6_addr;
187769Sluigivoid n2mask(struct in6_addr *mask, int n);
187770Sluigiint contigmask(uint8_t *p, int len);
187769Sluigi
187819Sluigi/*
187819Sluigi * Forward declarations to avoid include way too many headers.
187819Sluigi * C does not allow duplicated typedefs, so we use the base struct
187819Sluigi * that the typedef points to.
187819Sluigi * Should the typedefs use a different type, the compiler will
187819Sluigi * still detect the change when compiling the body of the
187819Sluigi * functions involved, so we do not lose error checking.
187819Sluigi */
187819Sluigistruct _ipfw_insn;
187983Sluigistruct _ipfw_insn_altq;
187819Sluigistruct _ipfw_insn_u32;
187819Sluigistruct _ipfw_insn_ip6;
187819Sluigistruct _ipfw_insn_icmp6;
187769Sluigi
187767Sluigi/*
187767Sluigi * The reserved set numer. This is a constant in ip_fw.h
187767Sluigi * but we store it in a variable so other files do not depend
187767Sluigi * in that header just for one constant.
187767Sluigi */
187767Sluigiextern int resvd_set_number;
187767Sluigi
187770Sluigi/* first-level command handlers */
204591Sluigivoid ipfw_add(char *av[]);
187767Sluigivoid ipfw_show_nat(int ac, char **av);
359649Saeint ipfw_delete_nat(int i);
187767Sluigivoid ipfw_config_pipe(int ac, char **av);
187767Sluigivoid ipfw_config_nat(int ac, char **av);
204591Sluigivoid ipfw_sets_handler(char *av[]);
187767Sluigivoid ipfw_table_handler(int ac, char *av[]);
204591Sluigivoid ipfw_sysctl_handler(char *av[], int which);
204591Sluigivoid ipfw_delete(char *av[]);
187767Sluigivoid ipfw_flush(int force);
187767Sluigivoid ipfw_zero(int ac, char *av[], int optname);
187767Sluigivoid ipfw_list(int ac, char *av[], int show_counters);
272840Smelifarovoid ipfw_internal_handler(int ac, char *av[]);
346212Saevoid ipfw_nat64clat_handler(int ac, char *av[]);
316446Saevoid ipfw_nat64lsn_handler(int ac, char *av[]);
316446Saevoid ipfw_nat64stl_handler(int ac, char *av[]);
316444Saevoid ipfw_nptv6_handler(int ac, char *av[]);
298016Saeint ipfw_check_object_name(const char *name);
334836Saeint ipfw_check_nat64prefix(const struct in6_addr *prefix, int length);
187767Sluigi
261797Sglebius#ifdef PF
187983Sluigi/* altq.c */
187983Sluigivoid altq_set_enabled(int enabled);
187983Sluigiu_int32_t altq_name_to_qid(const char *name);
270424Smelifarovoid print_altq_cmd(struct buf_pr *bp, struct _ipfw_insn_altq *altqptr);
261797Sglebius#else
261797Sglebius#define NO_ALTQ
261797Sglebius#endif
187983Sluigi
187770Sluigi/* dummynet.c */
204591Sluigivoid dummynet_list(int ac, char *av[], int show_counters);
204591Sluigivoid dummynet_flush(void);
187769Sluigiint ipfw_delete_pipe(int pipe_or_queue, int n);
187769Sluigi
187770Sluigi/* ipv6.c */
297981Saevoid print_unreach6_code(struct buf_pr *bp, uint16_t code);
332763Saevoid print_ip6(struct buf_pr *bp, struct _ipfw_insn_ip6 *cmd);
270424Smelifarovoid print_flow6id(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
270424Smelifarovoid print_icmp6types(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
270424Smelifarovoid print_ext6hdr(struct buf_pr *bp, struct _ipfw_insn *cmd );
187770Sluigi
308970Saestruct tidx;
308970Saestruct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
308970Sae    struct tidx *tstate);
308970Saestruct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
308970Sae    struct tidx *tstate);
187770Sluigi
247712Smelifarovoid fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
187770Sluigivoid fill_unreach6_code(u_short *codep, char *str);
247712Smelifarovoid fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
187819Sluigiint fill_ext6hdr(struct _ipfw_insn *cmd, char *av);
272840Smelifaro
302979Sae/* ipfw2.c */
302979Saevoid bp_flush(struct buf_pr *b);
308970Saevoid fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
308970Sae    struct tidx *tstate);
302979Sae
272840Smelifaro/* tables.c */
272840Smelifarostruct _ipfw_obj_ctlv;
316446Saestruct _ipfw_obj_ntlv;
298016Saeint table_check_name(const char *tablename);
272840Smelifarovoid ipfw_list_ta(int ac, char *av[]);
272840Smelifarovoid ipfw_list_values(int ac, char *av[]);
316446Saevoid table_fill_ntlv(struct _ipfw_obj_ntlv *ntlv, const char *name,
316446Sae    uint8_t set, uint16_t uidx);
272840Smelifaro