ipfw2.h revision 316274 
1/*
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 *
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
8 *
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
11 *
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
15 *
16 * This software is provided ``AS IS'' without any warranties of any kind.
17 *
18 * NEW command line interface for IP firewall facility
19 *
20 * $FreeBSD: stable/11/sbin/ipfw/ipfw2.h 316274 2017-03-30 14:20:27Z ae $
21 */
22
23/*
24 * Options that can be set on the command line.
25 * When reading commands from a file, a subset of the options can also
26 * be applied globally by specifying them before the file name.
27 * After that, each line can contain its own option that changes
28 * the global value.
29 * XXX The context is not restored after each line.
30 */
31
32struct cmdline_opts {
33	/* boolean options: */
34	int	do_value_as_ip;	/* show table value as IP */
35	int	do_resolv;	/* try to resolve all ip to names */
36	int	do_time;	/* Show time stamps */
37	int	do_quiet;	/* Be quiet in add and flush */
38	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
39	int	do_nat; 	/* this cmd refers to a nat config */
40	int	do_dynamic;	/* display dynamic rules */
41	int	do_expired;	/* display expired dynamic rules */
42	int	do_compact;	/* show rules in compact mode */
43	int	do_force;	/* do not ask for confirmation */
44	int	show_sets;	/* display the set each rule belongs to */
45	int	test_only;	/* only check syntax */
46	int	comment_only;	/* only print action and comment */
47	int	verbose;	/* be verbose on some commands */
48
49	/* The options below can have multiple values. */
50
51	int	do_sort;	/* field to sort results (0 = no) */
52		/* valid fields are 1 and above */
53
54	int	use_set;	/* work with specified set number */
55		/* 0 means all sets, otherwise apply to set use_set - 1 */
56
57};
58
59extern struct cmdline_opts co;
60
61/*
62 * _s_x is a structure that stores a string <-> token pairs, used in
63 * various places in the parser. Entries are stored in arrays,
64 * with an entry with s=NULL as terminator.
65 * The search routines are match_token() and match_value().
66 * Often, an element with x=0 contains an error string.
67 *
68 */
69struct _s_x {
70	char const *s;
71	int x;
72};
73
74extern struct _s_x f_ipdscp[];
75
76enum tokens {
77	TOK_NULL=0,
78
79	TOK_OR,
80	TOK_NOT,
81	TOK_STARTBRACE,
82	TOK_ENDBRACE,
83
84	TOK_ACCEPT,
85	TOK_COUNT,
86	TOK_EACTION,
87	TOK_PIPE,
88	TOK_LINK,
89	TOK_QUEUE,
90	TOK_FLOWSET,
91	TOK_SCHED,
92	TOK_DIVERT,
93	TOK_TEE,
94	TOK_NETGRAPH,
95	TOK_NGTEE,
96	TOK_FORWARD,
97	TOK_SKIPTO,
98	TOK_DENY,
99	TOK_REJECT,
100	TOK_RESET,
101	TOK_UNREACH,
102	TOK_CHECKSTATE,
103	TOK_NAT,
104	TOK_REASS,
105	TOK_CALL,
106	TOK_RETURN,
107
108	TOK_ALTQ,
109	TOK_LOG,
110	TOK_TAG,
111	TOK_UNTAG,
112
113	TOK_TAGGED,
114	TOK_UID,
115	TOK_GID,
116	TOK_JAIL,
117	TOK_IN,
118	TOK_LIMIT,
119	TOK_KEEPSTATE,
120	TOK_LAYER2,
121	TOK_OUT,
122	TOK_DIVERTED,
123	TOK_DIVERTEDLOOPBACK,
124	TOK_DIVERTEDOUTPUT,
125	TOK_XMIT,
126	TOK_RECV,
127	TOK_VIA,
128	TOK_FRAG,
129	TOK_IPOPTS,
130	TOK_IPLEN,
131	TOK_IPID,
132	TOK_IPPRECEDENCE,
133	TOK_DSCP,
134	TOK_IPTOS,
135	TOK_IPTTL,
136	TOK_IPVER,
137	TOK_ESTAB,
138	TOK_SETUP,
139	TOK_TCPDATALEN,
140	TOK_TCPFLAGS,
141	TOK_TCPOPTS,
142	TOK_TCPSEQ,
143	TOK_TCPACK,
144	TOK_TCPWIN,
145	TOK_ICMPTYPES,
146	TOK_MAC,
147	TOK_MACTYPE,
148	TOK_VERREVPATH,
149	TOK_VERSRCREACH,
150	TOK_ANTISPOOF,
151	TOK_IPSEC,
152	TOK_COMMENT,
153
154	TOK_PLR,
155	TOK_NOERROR,
156	TOK_BUCKETS,
157	TOK_DSTIP,
158	TOK_SRCIP,
159	TOK_DSTPORT,
160	TOK_SRCPORT,
161	TOK_ALL,
162	TOK_MASK,
163	TOK_FLOW_MASK,
164	TOK_SCHED_MASK,
165	TOK_BW,
166	TOK_DELAY,
167	TOK_PROFILE,
168	TOK_BURST,
169	TOK_RED,
170	TOK_GRED,
171	TOK_ECN,
172	TOK_DROPTAIL,
173	TOK_PROTO,
174#ifdef NEW_AQM
175	/* AQM tokens*/
176	TOK_NO_ECN,
177	TOK_CODEL,
178	TOK_FQ_CODEL,
179	TOK_TARGET,
180	TOK_INTERVAL,
181	TOK_FLOWS,
182	TOK_QUANTUM,
183
184	TOK_PIE,
185	TOK_FQ_PIE,
186	TOK_TUPDATE,
187	TOK_MAX_BURST,
188	TOK_MAX_ECNTH,
189	TOK_ALPHA,
190	TOK_BETA,
191	TOK_CAPDROP,
192	TOK_NO_CAPDROP,
193	TOK_ONOFF,
194	TOK_DRE,
195	TOK_TS,
196	TOK_DERAND,
197	TOK_NO_DERAND,
198#endif
199	/* dummynet tokens */
200	TOK_WEIGHT,
201	TOK_LMAX,
202	TOK_PRI,
203	TOK_TYPE,
204	TOK_SLOTSIZE,
205
206	TOK_IP,
207	TOK_IF,
208 	TOK_ALOG,
209 	TOK_DENY_INC,
210 	TOK_SAME_PORTS,
211 	TOK_UNREG_ONLY,
212	TOK_SKIP_GLOBAL,
213 	TOK_RESET_ADDR,
214 	TOK_ALIAS_REV,
215 	TOK_PROXY_ONLY,
216	TOK_REDIR_ADDR,
217	TOK_REDIR_PORT,
218	TOK_REDIR_PROTO,
219
220	TOK_IPV6,
221	TOK_FLOWID,
222	TOK_ICMP6TYPES,
223	TOK_EXT6HDR,
224	TOK_DSTIP6,
225	TOK_SRCIP6,
226
227	TOK_IPV4,
228	TOK_UNREACH6,
229	TOK_RESET6,
230
231	TOK_FIB,
232	TOK_SETFIB,
233	TOK_LOOKUP,
234	TOK_SOCKARG,
235	TOK_SETDSCP,
236	TOK_FLOW,
237	TOK_IFLIST,
238	/* Table tokens */
239	TOK_CREATE,
240	TOK_DESTROY,
241	TOK_LIST,
242	TOK_INFO,
243	TOK_DETAIL,
244	TOK_MODIFY,
245	TOK_FLUSH,
246	TOK_SWAP,
247	TOK_ADD,
248	TOK_DEL,
249	TOK_VALTYPE,
250	TOK_ALGO,
251	TOK_TALIST,
252	TOK_ATOMIC,
253	TOK_LOCK,
254	TOK_UNLOCK,
255	TOK_VLIST,
256	TOK_OLIST,
257};
258
259/*
260 * the following macro returns an error message if we run out of
261 * arguments.
262 */
263#define NEED(_p, msg)      {if (!_p) errx(EX_USAGE, msg);}
264#define NEED1(msg)      {if (!(*av)) errx(EX_USAGE, msg);}
265
266struct buf_pr {
267	char	*buf;	/* allocated buffer */
268	char	*ptr;	/* current pointer */
269	size_t	size;	/* total buffer size */
270	size_t	avail;	/* available storage */
271	size_t	needed;	/* length needed */
272};
273
274int pr_u64(struct buf_pr *bp, uint64_t *pd, int width);
275int bp_alloc(struct buf_pr *b, size_t size);
276void bp_free(struct buf_pr *b);
277int bprintf(struct buf_pr *b, char *format, ...);
278
279
280/* memory allocation support */
281void *safe_calloc(size_t number, size_t size);
282void *safe_realloc(void *ptr, size_t size);
283
284/* string comparison functions used for historical compatibility */
285int _substrcmp(const char *str1, const char* str2);
286int _substrcmp2(const char *str1, const char* str2, const char* str3);
287int stringnum_cmp(const char *a, const char *b);
288
289/* utility functions */
290int match_token(struct _s_x *table, const char *string);
291int match_token_relaxed(struct _s_x *table, const char *string);
292int get_token(struct _s_x *table, const char *string, const char *errbase);
293char const *match_value(struct _s_x *p, int value);
294size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
295    char *delimiter);
296int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
297    uint32_t *clear);
298void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);
299
300struct _ip_fw3_opheader;
301int do_cmd(int optname, void *optval, uintptr_t optlen);
302int do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
303int do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);
304
305struct in6_addr;
306void n2mask(struct in6_addr *mask, int n);
307int contigmask(uint8_t *p, int len);
308
309/*
310 * Forward declarations to avoid include way too many headers.
311 * C does not allow duplicated typedefs, so we use the base struct
312 * that the typedef points to.
313 * Should the typedefs use a different type, the compiler will
314 * still detect the change when compiling the body of the
315 * functions involved, so we do not lose error checking.
316 */
317struct _ipfw_insn;
318struct _ipfw_insn_altq;
319struct _ipfw_insn_u32;
320struct _ipfw_insn_ip6;
321struct _ipfw_insn_icmp6;
322
323/*
324 * The reserved set numer. This is a constant in ip_fw.h
325 * but we store it in a variable so other files do not depend
326 * in that header just for one constant.
327 */
328extern int resvd_set_number;
329
330/* first-level command handlers */
331void ipfw_add(char *av[]);
332void ipfw_show_nat(int ac, char **av);
333void ipfw_config_pipe(int ac, char **av);
334void ipfw_config_nat(int ac, char **av);
335void ipfw_sets_handler(char *av[]);
336void ipfw_table_handler(int ac, char *av[]);
337void ipfw_sysctl_handler(char *av[], int which);
338void ipfw_delete(char *av[]);
339void ipfw_flush(int force);
340void ipfw_zero(int ac, char *av[], int optname);
341void ipfw_list(int ac, char *av[], int show_counters);
342void ipfw_internal_handler(int ac, char *av[]);
343int ipfw_check_object_name(const char *name);
344
345#ifdef PF
346/* altq.c */
347void altq_set_enabled(int enabled);
348u_int32_t altq_name_to_qid(const char *name);
349void print_altq_cmd(struct buf_pr *bp, struct _ipfw_insn_altq *altqptr);
350#else
351#define NO_ALTQ
352#endif
353
354/* dummynet.c */
355void dummynet_list(int ac, char *av[], int show_counters);
356void dummynet_flush(void);
357int ipfw_delete_pipe(int pipe_or_queue, int n);
358
359/* ipv6.c */
360void print_unreach6_code(struct buf_pr *bp, uint16_t code);
361void print_ip6(struct buf_pr *bp, struct _ipfw_insn_ip6 *cmd, char const *s);
362void print_flow6id(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
363void print_icmp6types(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
364void print_ext6hdr(struct buf_pr *bp, struct _ipfw_insn *cmd );
365
366struct tidx;
367struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
368    struct tidx *tstate);
369struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
370    struct tidx *tstate);
371
372void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
373void fill_unreach6_code(u_short *codep, char *str);
374void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
375int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);
376
377/* ipfw2.c */
378void bp_flush(struct buf_pr *b);
379void fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
380    struct tidx *tstate);
381
382/* tables.c */
383struct _ipfw_obj_ctlv;
384int table_check_name(const char *tablename);
385void ipfw_list_ta(int ac, char *av[]);
386void ipfw_list_values(int ac, char *av[]);
387
388