ipfw2.h revision 316274
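/*
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD: stable/11/sbin/ipfw/ipfw2.h 316274 2017-03-30 14:20:27Z ae $
 */

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line.
 */

struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe/queue/sched */
	int	do_nat; 	/* this cmd refers to a nat config */
	int	do_dynamic;	/* display dynamic rules */
	int	do_expired;	/* display expired dynamic rules */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_sort;	/* field to sort results (0 = no) */
		/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
		/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/* The single global instance of the command-line options, defined in ipfw2.c. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores a string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string.
 *
 */
struct _s_x {
	char const *s;
	int x;
};

/* NULL-terminated table mapping DSCP names to their numeric codes. */
extern struct _s_x f_ipdscp[];

/*
 * Parser tokens.  These are plain sequential enum values; their numeric
 * value is used across ipfw2.c, dummynet.c, nat.c, ipv6.c and tables.c,
 * so new tokens must be appended within their group and existing ones
 * must not be reordered.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ACCEPT,
	TOK_COUNT,
	TOK_EACTION,
	TOK_PIPE,
	TOK_LINK,
	TOK_QUEUE,
	TOK_FLOWSET,
	TOK_SCHED,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,
	TOK_CALL,
	TOK_RETURN,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_KEEPSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_DSCP,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_FLOW_MASK,
	TOK_SCHED_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_PROFILE,
	TOK_BURST,
	TOK_RED,
	TOK_GRED,
	TOK_ECN,
	TOK_DROPTAIL,
	TOK_PROTO,
#ifdef NEW_AQM
	/* AQM tokens*/
	TOK_NO_ECN,
	TOK_CODEL,
	TOK_FQ_CODEL,
	TOK_TARGET,
	TOK_INTERVAL,
	TOK_FLOWS,
	TOK_QUANTUM,

	TOK_PIE,
	TOK_FQ_PIE,
	TOK_TUPDATE,
	TOK_MAX_BURST,
	TOK_MAX_ECNTH,
	TOK_ALPHA,
	TOK_BETA,
	TOK_CAPDROP,
	TOK_NO_CAPDROP,
	TOK_ONOFF,
	TOK_DRE,
	TOK_TS,
	TOK_DERAND,
	TOK_NO_DERAND,
#endif
	/* dummynet tokens */
	TOK_WEIGHT,
	TOK_LMAX,
	TOK_PRI,
	TOK_TYPE,
	TOK_SLOTSIZE,

	TOK_IP,
	TOK_IF,
 	TOK_ALOG,
 	TOK_DENY_INC,
 	TOK_SAME_PORTS,
 	TOK_UNREG_ONLY,
 	TOK_SKIP_GLOBAL,
 	TOK_RESET_ADDR,
 	TOK_ALIAS_REV,
 	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
	TOK_LOOKUP,
	TOK_SOCKARG,
	TOK_SETDSCP,
	TOK_FLOW,
	TOK_IFLIST,
	/* Table tokens */
	TOK_CREATE,
	TOK_DESTROY,
	TOK_LIST,
	TOK_INFO,
	TOK_DETAIL,
	TOK_MODIFY,
	TOK_FLUSH,
	TOK_SWAP,
	TOK_ADD,
	TOK_DEL,
	TOK_VALTYPE,
	TOK_ALGO,
	TOK_TALIST,
	TOK_ATOMIC,
	TOK_LOCK,
	TOK_UNLOCK,
	TOK_VLIST,
	TOK_OLIST,
};

/*
 * The following macros exit with an error message if we run out of
 * arguments.  NEED() tests an arbitrary expression; NEED1() tests the
 * current argument pointer and therefore requires a local named 'av'
 * (char **) in the caller's scope.
 *
 * Both expand to a single do/while(0) statement so they can be used
 * safely as the body of an if/else, and the tested expression is
 * parenthesized so that NEED(a && b, ...) negates the whole expression.
 *
 * 'msg' is passed to errx() as its format string: callers must pass a
 * string literal.  Text that originates from user input must go through
 * a "%s" format instead, never as 'msg' itself.
 */
#define NEED(_p, msg)	do { if (!(_p)) errx(EX_USAGE, msg); } while (0)
#define NEED1(msg)	do { if (!(*av)) errx(EX_USAGE, msg); } while (0)

/*
 * Growable output buffer used by the rule/pipe printers.
 * 'buf' is owned by the struct (allocated by bp_alloc(), released by
 * bp_free()); 'ptr' advances through it as text is appended.
 */
struct buf_pr {
	char	*buf;	/* allocated buffer */
	char	*ptr;	/* current pointer */
	size_t	size;	/* total buffer size */
	size_t	avail;	/* available storage */
	size_t	needed;	/* length needed */
};

int pr_u64(struct buf_pr *bp, uint64_t *pd, int width);
int bp_alloc(struct buf_pr *b, size_t size);
void bp_free(struct buf_pr *b);
/*
 * printf-style append into 'b'.  'format' is used as the format string,
 * so callers must pass a literal format and never externally supplied text.
 */
int bprintf(struct buf_pr *b, char *format, ...);


/* memory allocation support (abort rather than return NULL on failure) */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/* string comparison functions used for historical compatibility */
int _substrcmp(const char *str1, const char *str2);
int _substrcmp2(const char *str1, const char *str2, const char *str3);
int stringnum_cmp(const char *a, const char *b);

/* utility functions */
int match_token(struct _s_x *table, const char *string);
int match_token_relaxed(struct _s_x *table, const char *string);
int get_token(struct _s_x *table, const char *string, const char *errbase);
char const *match_value(struct _s_x *p, int value);
size_t concat_tokens(char *buf, size_t bufsize, struct _s_x *table,
    char *delimiter);
int fill_flags(struct _s_x *flags, char *p, char **e, uint32_t *set,
    uint32_t *clear);
void print_flags_buffer(char *buf, size_t sz, struct _s_x *list, uint32_t set);

/* kernel interface: raw, set-style and get-style IP_FW3 socket options */
struct _ip_fw3_opheader;
int do_cmd(int optname, void *optval, uintptr_t optlen);
int do_set3(int optname, struct _ip_fw3_opheader *op3, size_t optlen);
int do_get3(int optname, struct _ip_fw3_opheader *op3, size_t *optlen);

struct in6_addr;
void n2mask(struct in6_addr *mask, int n);
int contigmask(uint8_t *p, int len);

/*
 * Forward declarations to avoid including way too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/* first-level command handlers */
void ipfw_add(char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(char *av[], int which);
void ipfw_delete(char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);
void ipfw_internal_handler(int ac, char *av[]);
int ipfw_check_object_name(const char *name);

#ifdef PF
/* altq.c */
void altq_set_enabled(int enabled);
u_int32_t altq_name_to_qid(const char *name);
void print_altq_cmd(struct buf_pr *bp, struct _ipfw_insn_altq *altqptr);
#else
#define NO_ALTQ
#endif

/* dummynet.c */
void dummynet_list(int ac, char *av[], int show_counters);
void dummynet_flush(void);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c */
void print_unreach6_code(struct buf_pr *bp, uint16_t code);
void print_ip6(struct buf_pr *bp, struct _ipfw_insn_ip6 *cmd, char const *s);
void print_flow6id(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct buf_pr *bp, struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct buf_pr *bp, struct _ipfw_insn *cmd);

struct tidx;
struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av, int cblen,
    struct tidx *tstate);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av, int cblen);
void fill_unreach6_code(u_short *codep, char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av, int cblen);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);

/* ipfw2.c */
void bp_flush(struct buf_pr *b);
void fill_table(struct _ipfw_insn *cmd, char *av, uint8_t opcode,
    struct tidx *tstate);

/* tables.c */
struct _ipfw_obj_ctlv;
int table_check_name(const char *tablename);
void ipfw_list_ta(int ac, char *av[]);
void ipfw_list_values(int ac, char *av[]);
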