ipfw2.h revision 190633
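/*
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD: head/sbin/ipfw/ipfw2.h 190633 2009-04-01 20:23:47Z piso $
 */

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 *
 * NOTE(review): because of the XXX above, an option set on one line of a
 * rules file stays in effect for the lines that follow it.
 */

struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe */
	int	do_nat;		/* this cmd refers to a nat config */
	int	do_dynamic;	/* display dynamic rules */
	int	do_expired;	/* display expired dynamic rules */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_sort;	/* field to sort results (0 = no) */
	/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
	/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/* The shared option state; the object itself is defined elsewhere. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 * The tables carry no length, so every table handed to the search
 * routines must end with the s=NULL entry.
 */
struct _s_x {
	char const *s;
	int x;
};

/*
 * Token codes.  Only TOK_NULL has an explicit value (0); every other
 * enumerator takes the next integer in declaration order, so inserting
 * or removing an entry renumbers all the entries after it.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ACCEPT,
	TOK_COUNT,
	TOK_PIPE,
	TOK_QUEUE,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_KEEPSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,

	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_RED,
	TOK_GRED,
	TOK_DROPTAIL,
	TOK_PROTO,
	TOK_WEIGHT,
	TOK_IP,
	TOK_IF,
	TOK_ALOG,
	TOK_DENY_INC,
	TOK_SAME_PORTS,
	TOK_UNREG_ONLY,
	TOK_RESET_ADDR,
	TOK_ALIAS_REV,
	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
};

/*
 * The following macro exits with a usage error, via errx(EX_USAGE, ...),
 * if we run out of arguments.
 *
 * It reads a variable named `ac' from the scope where it is expanded,
 * and the including file must provide errx() and EX_USAGE.
 *
 * NOTE(review): msg is handed to errx() as the format string, so it must
 * be a string literal (or otherwise free of '%' conversions); never pass
 * text derived from the command line or a rules file.  The expansion is a
 * bare { } block, so `if (c) NEED1("x"); else ...' does not compile; the
 * form is left unchanged because call sites are not visible here.
 */
#define NEED1(msg)      {if (!ac) errx(EX_USAGE, msg);}

/*
 * NOTE(review): presumably reads a 64-bit value through a pointer that
 * may not be suitably aligned; confirm at the definition.
 */
unsigned long long align_uint64(const uint64_t *pll);

/*
 * memory allocation support
 *
 * NOTE(review): the safe_ prefix suggests these never return NULL to the
 * caller; confirm the failure behaviour at the definition before relying
 * on it.
 */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/* string comparison functions used for historical compatibility */
int _substrcmp(const char *str1, const char *str2);
int _substrcmp2(const char *str1, const char *str2, const char *str3);

/* utility functions: the search routines for _s_x tables */
int match_token(struct _s_x *table, char *string);
char const *match_value(struct _s_x *p, int value);

/*
 * NOTE(review): optlen is a uintptr_t rather than a size type; confirm at
 * the definition how it is interpreted before passing a computed value.
 */
int do_cmd(int optname, void *optval, uintptr_t optlen);

struct in6_addr;
void n2mask(struct in6_addr *mask, int n);
/* NOTE(review): the unit of len is not stated here; check the definition. */
int contigmask(uint8_t *p, int len);

/*
 * Forward declarations to avoid including way too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/* first-level command handlers */
void ipfw_add(int ac, char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(int ac, char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(int ac, char *av[], int which);
void ipfw_delete(int ac, char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);

/* altq.c */
void altq_set_enabled(int enabled);
u_int32_t altq_name_to_qid(const char *name);

void print_altq_cmd(struct _ipfw_insn_altq *altqptr);

/* dummynet.c */
/*
 * NOTE(review): data and nbytes travel as a pair; presumably nbytes is the
 * size of the buffer at data, so callers must keep the two in step.
 */
void ipfw_list_pipes(void *data, uint nbytes, int ac, char *av[]);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(uint16_t code);
void print_ip6(struct _ipfw_insn_ip6 *cmd, char const *s);
void print_flow6id(struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct _ipfw_insn *cmd);

struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av);
void fill_unreach6_code(u_short *codep, char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);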