sbin/ipfw/ipfw2.c

98943Sluigi/*
117328Sluigi * Copyright (c) 2002-2003 Luigi Rizzo
98943Sluigi * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
98943Sluigi * Copyright (c) 1994 Ugen J.S.Antsilevich
98943Sluigi *
98943Sluigi * Idea and grammar partially left from:
98943Sluigi * Copyright (c) 1993 Daniel Boulet
98943Sluigi *
98943Sluigi * Redistribution and use in source forms, with and without modification,
98943Sluigi * are permitted provided that this entire comment appears intact.
98943Sluigi *
98943Sluigi * Redistribution in binary form may occur without any restrictions.
98943Sluigi * Obviously, it would be nice if you gave credit where credit is due
98943Sluigi * but requiring it would be too onerous.
98943Sluigi *
98943Sluigi * This software is provided ``AS IS'' without any warranties of any kind.
98943Sluigi *
98943Sluigi * NEW command line interface for IP firewall facility
98943Sluigi *
98943Sluigi * $FreeBSD: head/sbin/ipfw/ipfw2.c 187716 2009-01-26 14:26:35Z luigi $
98943Sluigi */
98943Sluigi
187604Sluigi#include <sys/types.h>
98943Sluigi#include <sys/socket.h>
98943Sluigi#include <sys/sockio.h>
98943Sluigi#include <sys/sysctl.h>
98943Sluigi#include <sys/wait.h>
98943Sluigi
98943Sluigi#include <ctype.h>
98943Sluigi#include <err.h>
98943Sluigi#include <errno.h>
98943Sluigi#include <grp.h>
98943Sluigi#include <netdb.h>
98943Sluigi#include <pwd.h>
98943Sluigi#include <signal.h>
98943Sluigi#include <stdio.h>
98943Sluigi#include <stdlib.h>
98943Sluigi#include <string.h>
98943Sluigi#include <sysexits.h>
187604Sluigi#include <timeconv.h>	/* _long_to_time */
136071Sgreen#include <unistd.h>
136071Sgreen#include <fcntl.h>
98943Sluigi
175659Srwatson#define IPFW_INTERNAL	/* Access to protected structures in ip_fw.h. */
175659Srwatson
169424Smaxim#include <net/ethernet.h>
98943Sluigi#include <net/if.h>
165648Spiso#include <net/if_dl.h>
136071Sgreen#include <net/pfvar.h>
145246Sbrooks#include <net/route.h> /* def. of struct route */
98943Sluigi#include <netinet/in.h>
98943Sluigi#include <netinet/in_systm.h>
98943Sluigi#include <netinet/ip.h>
98943Sluigi#include <netinet/ip_icmp.h>
145246Sbrooks#include <netinet/icmp6.h>
98943Sluigi#include <netinet/ip_fw.h>
98943Sluigi#include <netinet/ip_dummynet.h>
98943Sluigi#include <netinet/tcp.h>
98943Sluigi#include <arpa/inet.h>
165648Spiso#include <alias.h>
98943Sluigi
117328Sluigiint
176391Sjulian		do_value_as_ip,		/* show table value as IP */
98943Sluigi		do_resolv,		/* Would try to resolve all */
98943Sluigi		do_time,		/* Show time stamps */
98943Sluigi		do_quiet,		/* Be quiet in add and flush */
98943Sluigi		do_pipe,		/* this cmd refers to a pipe */
165648Spiso	        do_nat, 		/* Nat configuration. */
98943Sluigi		do_sort,		/* field to sort results (0 = no) */
98943Sluigi		do_dynamic,		/* display dynamic rules */
98943Sluigi		do_expired,		/* display expired dynamic rules */
102098Sluigi		do_compact,		/* show rules in compact mode */
123804Smaxim		do_force,		/* do not ask for confirmation */
170923Smaxim		use_set,		/* work with specified set number */
101628Sluigi		show_sets,		/* display rule sets */
117328Sluigi		test_only,		/* only check syntax */
123495Sluigi		comment_only,		/* only print action and comment */
98943Sluigi		verbose;
98943Sluigi
98943Sluigi#define	IP_MASK_ALL	0xffffffff
130013Scsjp/*
130013Scsjp * the following macro returns an error message if we run out of
130013Scsjp * arguments.
130013Scsjp */
130013Scsjp#define NEED1(msg)      {if (!ac) errx(EX_USAGE, msg);}
98943Sluigi
159636Soleg#define GET_UINT_ARG(arg, min, max, tok, s_x) do {			\
159636Soleg	if (!ac)							\
159636Soleg		errx(EX_USAGE, "%s: missing argument", match_value(s_x, tok)); \
159636Soleg	if (_substrcmp(*av, "tablearg") == 0) {				\
159636Soleg		arg = IP_FW_TABLEARG;					\
159636Soleg		break;							\
159636Soleg	}								\
159636Soleg									\
159636Soleg	{								\
159636Soleg	long val;							\
159636Soleg	char *end;							\
159636Soleg									\
159636Soleg	val = strtol(*av, &end, 10);					\
159636Soleg									\
159636Soleg	if (!isdigit(**av) || *end != '\0' || (val == 0 && errno == EINVAL)) \
159636Soleg		errx(EX_DATAERR, "%s: invalid argument: %s",		\
159636Soleg		    match_value(s_x, tok), *av);			\
159636Soleg									\
159636Soleg	if (errno == ERANGE || val < min || val > max)			\
159636Soleg		errx(EX_DATAERR, "%s: argument is out of range (%u..%u): %s", \
159636Soleg		    match_value(s_x, tok), min, max, *av);		\
159636Soleg									\
159636Soleg	if (val == IP_FW_TABLEARG)					\
159636Soleg		errx(EX_DATAERR, "%s: illegal argument value: %s",	\
159636Soleg		    match_value(s_x, tok), *av);			\
159636Soleg	arg = val;							\
159636Soleg	}								\
158879Soleg} while (0)
158879Soleg
159636Soleg#define PRINT_UINT_ARG(str, arg) do {					\
159636Soleg	if (str != NULL)						\
159636Soleg		printf("%s",str);					\
159636Soleg	if (arg == IP_FW_TABLEARG)					\
159636Soleg		printf("tablearg");					\
159636Soleg	else								\
159636Soleg		printf("%u", (uint32_t)arg);				\
159636Soleg} while (0)
159636Soleg
98943Sluigi/*
117328Sluigi * _s_x is a structure that stores a string <-> token pairs, used in
117328Sluigi * various places in the parser. Entries are stored in arrays,
117328Sluigi * with an entry with s=NULL as terminator.
117328Sluigi * The search routines are match_token() and match_value().
117328Sluigi * Often, an element with x=0 contains an error string.
98943Sluigi *
98943Sluigi */
98943Sluigistruct _s_x {
117469Sluigi	char const *s;
98943Sluigi	int x;
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x f_tcpflags[] = {
98943Sluigi	{ "syn", TH_SYN },
98943Sluigi	{ "fin", TH_FIN },
98943Sluigi	{ "ack", TH_ACK },
98943Sluigi	{ "psh", TH_PUSH },
98943Sluigi	{ "rst", TH_RST },
98943Sluigi	{ "urg", TH_URG },
98943Sluigi	{ "tcp flag", 0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x f_tcpopts[] = {
98943Sluigi	{ "mss",	IP_FW_TCPOPT_MSS },
98943Sluigi	{ "maxseg",	IP_FW_TCPOPT_MSS },
98943Sluigi	{ "window",	IP_FW_TCPOPT_WINDOW },
98943Sluigi	{ "sack",	IP_FW_TCPOPT_SACK },
98943Sluigi	{ "ts",		IP_FW_TCPOPT_TS },
98943Sluigi	{ "timestamp",	IP_FW_TCPOPT_TS },
98943Sluigi	{ "cc",		IP_FW_TCPOPT_CC },
98943Sluigi	{ "tcp option",	0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigi/*
98943Sluigi * IP options span the range 0 to 255 so we need to remap them
98943Sluigi * (though in fact only the low 5 bits are significant).
98943Sluigi */
98943Sluigistatic struct _s_x f_ipopts[] = {
98943Sluigi	{ "ssrr",	IP_FW_IPOPT_SSRR},
98943Sluigi	{ "lsrr",	IP_FW_IPOPT_LSRR},
98943Sluigi	{ "rr",		IP_FW_IPOPT_RR},
98943Sluigi	{ "ts",		IP_FW_IPOPT_TS},
98943Sluigi	{ "ip option",	0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x f_iptos[] = {
98943Sluigi	{ "lowdelay",	IPTOS_LOWDELAY},
98943Sluigi	{ "throughput",	IPTOS_THROUGHPUT},
98943Sluigi	{ "reliability", IPTOS_RELIABILITY},
98943Sluigi	{ "mincost",	IPTOS_MINCOST},
172801Srpaulo	{ "congestion",	IPTOS_ECN_CE},
172801Srpaulo	{ "ecntransport", IPTOS_ECN_ECT0},
98943Sluigi	{ "ip tos option", 0},
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x limit_masks[] = {
98943Sluigi	{"all",		DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
98943Sluigi	{"src-addr",	DYN_SRC_ADDR},
98943Sluigi	{"src-port",	DYN_SRC_PORT},
98943Sluigi	{"dst-addr",	DYN_DST_ADDR},
98943Sluigi	{"dst-port",	DYN_DST_PORT},
98943Sluigi	{NULL,		0}
98943Sluigi};
98943Sluigi
98943Sluigi/*
98943Sluigi * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines
98943Sluigi * This is only used in this code.
98943Sluigi */
98943Sluigi#define IPPROTO_ETHERTYPE	0x1000
98943Sluigistatic struct _s_x ether_types[] = {
98943Sluigi    /*
98943Sluigi     * Note, we cannot use "-:&/" in the names because they are field
98943Sluigi     * separators in the type specifications. Also, we use s = NULL as
98943Sluigi     * end-delimiter, because a type of 0 can be legal.
98943Sluigi     */
98943Sluigi	{ "ip",		0x0800 },
98943Sluigi	{ "ipv4",	0x0800 },
98943Sluigi	{ "ipv6",	0x86dd },
98943Sluigi	{ "arp",	0x0806 },
98943Sluigi	{ "rarp",	0x8035 },
98943Sluigi	{ "vlan",	0x8100 },
98943Sluigi	{ "loop",	0x9000 },
98943Sluigi	{ "trail",	0x1000 },
98943Sluigi	{ "at",		0x809b },
98943Sluigi	{ "atalk",	0x809b },
98943Sluigi	{ "aarp",	0x80f3 },
98943Sluigi	{ "pppoe_disc",	0x8863 },
98943Sluigi	{ "pppoe_sess",	0x8864 },
98943Sluigi	{ "ipx_8022",	0x00E0 },
98943Sluigi	{ "ipx_8023",	0x0000 },
98943Sluigi	{ "ipx_ii",	0x8137 },
98943Sluigi	{ "ipx_snap",	0x8137 },
98943Sluigi	{ "ipx",	0x8137 },
98943Sluigi	{ "ns",		0x0600 },
98943Sluigi	{ NULL,		0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic void show_usage(void);
98943Sluigi
98943Sluigienum tokens {
98943Sluigi	TOK_NULL=0,
98943Sluigi
98943Sluigi	TOK_OR,
98943Sluigi	TOK_NOT,
101641Sluigi	TOK_STARTBRACE,
101641Sluigi	TOK_ENDBRACE,
98943Sluigi
98943Sluigi	TOK_ACCEPT,
98943Sluigi	TOK_COUNT,
98943Sluigi	TOK_PIPE,
98943Sluigi	TOK_QUEUE,
98943Sluigi	TOK_DIVERT,
98943Sluigi	TOK_TEE,
141351Sglebius	TOK_NETGRAPH,
141351Sglebius	TOK_NGTEE,
98943Sluigi	TOK_FORWARD,
98943Sluigi	TOK_SKIPTO,
98943Sluigi	TOK_DENY,
98943Sluigi	TOK_REJECT,
98943Sluigi	TOK_RESET,
98943Sluigi	TOK_UNREACH,
98943Sluigi	TOK_CHECKSTATE,
165648Spiso	TOK_NAT,
98943Sluigi
136071Sgreen	TOK_ALTQ,
136071Sgreen	TOK_LOG,
158879Soleg	TOK_TAG,
158879Soleg	TOK_UNTAG,
136071Sgreen
158879Soleg	TOK_TAGGED,
98943Sluigi	TOK_UID,
98943Sluigi	TOK_GID,
133600Scsjp	TOK_JAIL,
98943Sluigi	TOK_IN,
98943Sluigi	TOK_LIMIT,
98943Sluigi	TOK_KEEPSTATE,
98943Sluigi	TOK_LAYER2,
98943Sluigi	TOK_OUT,
136073Sgreen	TOK_DIVERTED,
136073Sgreen	TOK_DIVERTEDLOOPBACK,
136073Sgreen	TOK_DIVERTEDOUTPUT,
98943Sluigi	TOK_XMIT,
98943Sluigi	TOK_RECV,
98943Sluigi	TOK_VIA,
98943Sluigi	TOK_FRAG,
98943Sluigi	TOK_IPOPTS,
98943Sluigi	TOK_IPLEN,
98943Sluigi	TOK_IPID,
98943Sluigi	TOK_IPPRECEDENCE,
98943Sluigi	TOK_IPTOS,
98943Sluigi	TOK_IPTTL,
98943Sluigi	TOK_IPVER,
98943Sluigi	TOK_ESTAB,
98943Sluigi	TOK_SETUP,
136075Sgreen	TOK_TCPDATALEN,
98943Sluigi	TOK_TCPFLAGS,
98943Sluigi	TOK_TCPOPTS,
98943Sluigi	TOK_TCPSEQ,
98943Sluigi	TOK_TCPACK,
98943Sluigi	TOK_TCPWIN,
98943Sluigi	TOK_ICMPTYPES,
102087Sluigi	TOK_MAC,
102087Sluigi	TOK_MACTYPE,
112250Scjc	TOK_VERREVPATH,
128575Sandre	TOK_VERSRCREACH,
133387Sandre	TOK_ANTISPOOF,
117241Sluigi	TOK_IPSEC,
117469Sluigi	TOK_COMMENT,
98943Sluigi
98943Sluigi	TOK_PLR,
101978Sluigi	TOK_NOERROR,
98943Sluigi	TOK_BUCKETS,
98943Sluigi	TOK_DSTIP,
98943Sluigi	TOK_SRCIP,
98943Sluigi	TOK_DSTPORT,
98943Sluigi	TOK_SRCPORT,
98943Sluigi	TOK_ALL,
98943Sluigi	TOK_MASK,
98943Sluigi	TOK_BW,
98943Sluigi	TOK_DELAY,
98943Sluigi	TOK_RED,
98943Sluigi	TOK_GRED,
98943Sluigi	TOK_DROPTAIL,
98943Sluigi	TOK_PROTO,
98943Sluigi	TOK_WEIGHT,
165648Spiso	TOK_IP,
165648Spiso	TOK_IF,
165648Spiso 	TOK_ALOG,
165648Spiso 	TOK_DENY_INC,
165648Spiso 	TOK_SAME_PORTS,
165648Spiso 	TOK_UNREG_ONLY,
165648Spiso 	TOK_RESET_ADDR,
165648Spiso 	TOK_ALIAS_REV,
165648Spiso 	TOK_PROXY_ONLY,
165648Spiso	TOK_REDIR_ADDR,
165648Spiso	TOK_REDIR_PORT,
165648Spiso	TOK_REDIR_PROTO,
145246Sbrooks
145246Sbrooks	TOK_IPV6,
145246Sbrooks	TOK_FLOWID,
145246Sbrooks	TOK_ICMP6TYPES,
145246Sbrooks	TOK_EXT6HDR,
145246Sbrooks	TOK_DSTIP6,
145246Sbrooks	TOK_SRCIP6,
146894Smlaier
146894Smlaier	TOK_IPV4,
149020Sbz	TOK_UNREACH6,
149020Sbz	TOK_RESET6,
178888Sjulian
178888Sjulian	TOK_FIB,
178888Sjulian	TOK_SETFIB,
98943Sluigi};
98943Sluigi
98943Sluigistruct _s_x dummynet_params[] = {
98943Sluigi	{ "plr",		TOK_PLR },
101978Sluigi	{ "noerror",		TOK_NOERROR },
98943Sluigi	{ "buckets",		TOK_BUCKETS },
98943Sluigi	{ "dst-ip",		TOK_DSTIP },
98943Sluigi	{ "src-ip",		TOK_SRCIP },
98943Sluigi	{ "dst-port",		TOK_DSTPORT },
98943Sluigi	{ "src-port",		TOK_SRCPORT },
98943Sluigi	{ "proto",		TOK_PROTO },
98943Sluigi	{ "weight",		TOK_WEIGHT },
98943Sluigi	{ "all",		TOK_ALL },
98943Sluigi	{ "mask",		TOK_MASK },
98943Sluigi	{ "droptail",		TOK_DROPTAIL },
98943Sluigi	{ "red",		TOK_RED },
98943Sluigi	{ "gred",		TOK_GRED },
98943Sluigi	{ "bw",			TOK_BW },
98943Sluigi	{ "bandwidth",		TOK_BW },
98943Sluigi	{ "delay",		TOK_DELAY },
99475Sluigi	{ "pipe",		TOK_PIPE },
98943Sluigi	{ "queue",		TOK_QUEUE },
145246Sbrooks	{ "flow-id",		TOK_FLOWID},
145246Sbrooks	{ "dst-ipv6",		TOK_DSTIP6},
145246Sbrooks	{ "dst-ip6",		TOK_DSTIP6},
145246Sbrooks	{ "src-ipv6",		TOK_SRCIP6},
145246Sbrooks	{ "src-ip6",		TOK_SRCIP6},
98943Sluigi	{ "dummynet-params",	TOK_NULL },
117328Sluigi	{ NULL, 0 }	/* terminator */
98943Sluigi};
98943Sluigi
165648Spisostruct _s_x nat_params[] = {
165648Spiso	{ "ip",	                TOK_IP },
165648Spiso	{ "if",	                TOK_IF },
165648Spiso 	{ "log",                TOK_ALOG },
165648Spiso 	{ "deny_in",	        TOK_DENY_INC },
165648Spiso 	{ "same_ports",	        TOK_SAME_PORTS },
165648Spiso 	{ "unreg_only",	        TOK_UNREG_ONLY },
165648Spiso 	{ "reset",	        TOK_RESET_ADDR },
165648Spiso 	{ "reverse",	        TOK_ALIAS_REV },
165648Spiso 	{ "proxy_only",	        TOK_PROXY_ONLY },
165648Spiso	{ "redirect_addr",	TOK_REDIR_ADDR },
165648Spiso	{ "redirect_port",	TOK_REDIR_PORT },
165648Spiso	{ "redirect_proto",	TOK_REDIR_PROTO },
165648Spiso 	{ NULL, 0 }	/* terminator */
165648Spiso};
165648Spiso
98943Sluigistruct _s_x rule_actions[] = {
98943Sluigi	{ "accept",		TOK_ACCEPT },
98943Sluigi	{ "pass",		TOK_ACCEPT },
98943Sluigi	{ "allow",		TOK_ACCEPT },
98943Sluigi	{ "permit",		TOK_ACCEPT },
98943Sluigi	{ "count",		TOK_COUNT },
98943Sluigi	{ "pipe",		TOK_PIPE },
98943Sluigi	{ "queue",		TOK_QUEUE },
98943Sluigi	{ "divert",		TOK_DIVERT },
98943Sluigi	{ "tee",		TOK_TEE },
141351Sglebius	{ "netgraph",		TOK_NETGRAPH },
141351Sglebius	{ "ngtee",		TOK_NGTEE },
98943Sluigi	{ "fwd",		TOK_FORWARD },
98943Sluigi	{ "forward",		TOK_FORWARD },
98943Sluigi	{ "skipto",		TOK_SKIPTO },
98943Sluigi	{ "deny",		TOK_DENY },
98943Sluigi	{ "drop",		TOK_DENY },
98943Sluigi	{ "reject",		TOK_REJECT },
149020Sbz	{ "reset6",		TOK_RESET6 },
98943Sluigi	{ "reset",		TOK_RESET },
149020Sbz	{ "unreach6",		TOK_UNREACH6 },
99475Sluigi	{ "unreach",		TOK_UNREACH },
98943Sluigi	{ "check-state",	TOK_CHECKSTATE },
117469Sluigi	{ "//",			TOK_COMMENT },
165648Spiso	{ "nat",                TOK_NAT },
178888Sjulian	{ "setfib",		TOK_SETFIB },
117328Sluigi	{ NULL, 0 }	/* terminator */
98943Sluigi};
98943Sluigi
136071Sgreenstruct _s_x rule_action_params[] = {
136071Sgreen	{ "altq",		TOK_ALTQ },
136071Sgreen	{ "log",		TOK_LOG },
158879Soleg	{ "tag",		TOK_TAG },
158879Soleg	{ "untag",		TOK_UNTAG },
136071Sgreen	{ NULL, 0 }	/* terminator */
136071Sgreen};
136071Sgreen
98943Sluigistruct _s_x rule_options[] = {
158879Soleg	{ "tagged",		TOK_TAGGED },
98943Sluigi	{ "uid",		TOK_UID },
98943Sluigi	{ "gid",		TOK_GID },
133600Scsjp	{ "jail",		TOK_JAIL },
98943Sluigi	{ "in",			TOK_IN },
98943Sluigi	{ "limit",		TOK_LIMIT },
98943Sluigi	{ "keep-state",		TOK_KEEPSTATE },
98943Sluigi	{ "bridged",		TOK_LAYER2 },
98943Sluigi	{ "layer2",		TOK_LAYER2 },
98943Sluigi	{ "out",		TOK_OUT },
136073Sgreen	{ "diverted",		TOK_DIVERTED },
136073Sgreen	{ "diverted-loopback",	TOK_DIVERTEDLOOPBACK },
136073Sgreen	{ "diverted-output",	TOK_DIVERTEDOUTPUT },
98943Sluigi	{ "xmit",		TOK_XMIT },
98943Sluigi	{ "recv",		TOK_RECV },
98943Sluigi	{ "via",		TOK_VIA },
98943Sluigi	{ "fragment",		TOK_FRAG },
98943Sluigi	{ "frag",		TOK_FRAG },
178888Sjulian	{ "fib",		TOK_FIB },
98943Sluigi	{ "ipoptions",		TOK_IPOPTS },
98943Sluigi	{ "ipopts",		TOK_IPOPTS },
98943Sluigi	{ "iplen",		TOK_IPLEN },
98943Sluigi	{ "ipid",		TOK_IPID },
98943Sluigi	{ "ipprecedence",	TOK_IPPRECEDENCE },
98943Sluigi	{ "iptos",		TOK_IPTOS },
98943Sluigi	{ "ipttl",		TOK_IPTTL },
98943Sluigi	{ "ipversion",		TOK_IPVER },
98943Sluigi	{ "ipver",		TOK_IPVER },
98943Sluigi	{ "estab",		TOK_ESTAB },
98943Sluigi	{ "established",	TOK_ESTAB },
98943Sluigi	{ "setup",		TOK_SETUP },
136075Sgreen	{ "tcpdatalen",		TOK_TCPDATALEN },
98943Sluigi	{ "tcpflags",		TOK_TCPFLAGS },
98943Sluigi	{ "tcpflgs",		TOK_TCPFLAGS },
98943Sluigi	{ "tcpoptions",		TOK_TCPOPTS },
98943Sluigi	{ "tcpopts",		TOK_TCPOPTS },
98943Sluigi	{ "tcpseq",		TOK_TCPSEQ },
98943Sluigi	{ "tcpack",		TOK_TCPACK },
98943Sluigi	{ "tcpwin",		TOK_TCPWIN },
99909Sluigi	{ "icmptype",		TOK_ICMPTYPES },
98943Sluigi	{ "icmptypes",		TOK_ICMPTYPES },
102087Sluigi	{ "dst-ip",		TOK_DSTIP },
102087Sluigi	{ "src-ip",		TOK_SRCIP },
102087Sluigi	{ "dst-port",		TOK_DSTPORT },
102087Sluigi	{ "src-port",		TOK_SRCPORT },
102087Sluigi	{ "proto",		TOK_PROTO },
102087Sluigi	{ "MAC",		TOK_MAC },
102087Sluigi	{ "mac",		TOK_MAC },
102087Sluigi	{ "mac-type",		TOK_MACTYPE },
112250Scjc	{ "verrevpath",		TOK_VERREVPATH },
128575Sandre	{ "versrcreach",	TOK_VERSRCREACH },
133387Sandre	{ "antispoof",		TOK_ANTISPOOF },
117241Sluigi	{ "ipsec",		TOK_IPSEC },
145246Sbrooks	{ "icmp6type",		TOK_ICMP6TYPES },
145246Sbrooks	{ "icmp6types",		TOK_ICMP6TYPES },
145246Sbrooks	{ "ext6hdr",		TOK_EXT6HDR},
145246Sbrooks	{ "flow-id",		TOK_FLOWID},
145246Sbrooks	{ "ipv6",		TOK_IPV6},
145246Sbrooks	{ "ip6",		TOK_IPV6},
146894Smlaier	{ "ipv4",		TOK_IPV4},
146894Smlaier	{ "ip4",		TOK_IPV4},
145246Sbrooks	{ "dst-ipv6",		TOK_DSTIP6},
145246Sbrooks	{ "dst-ip6",		TOK_DSTIP6},
145246Sbrooks	{ "src-ipv6",		TOK_SRCIP6},
145246Sbrooks	{ "src-ip6",		TOK_SRCIP6},
117469Sluigi	{ "//",			TOK_COMMENT },
98943Sluigi
98943Sluigi	{ "not",		TOK_NOT },		/* pseudo option */
98943Sluigi	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
98943Sluigi	{ "or",			TOK_OR },		/* pseudo option */
98943Sluigi	{ "|", /* escape */	TOK_OR },		/* pseudo option */
101641Sluigi	{ "{",			TOK_STARTBRACE },	/* pseudo option */
101641Sluigi	{ "(",			TOK_STARTBRACE },	/* pseudo option */
101641Sluigi	{ "}",			TOK_ENDBRACE },		/* pseudo option */
101641Sluigi	{ ")",			TOK_ENDBRACE },		/* pseudo option */
117328Sluigi	{ NULL, 0 }	/* terminator */
98943Sluigi};
98943Sluigi
153374Sglebius#define	TABLEARG	"tablearg"
153374Sglebius
117328Sluigistatic __inline uint64_t
117328Sluigialign_uint64(uint64_t *pll) {
117328Sluigi	uint64_t ret;
115793Sticso
115793Sticso	bcopy (pll, &ret, sizeof(ret));
115793Sticso	return ret;
129389Sstefanf}
115793Sticso
187716Sluigistatic void *
187716Sluigisafe_calloc(size_t number, size_t size)
187716Sluigi{
187716Sluigi	void *ret = calloc(number, size);
187716Sluigi
187716Sluigi	if (ret == NULL)
187716Sluigi		err(EX_OSERR, "calloc");
187716Sluigi	return ret;
187716Sluigi}
187716Sluigi
187716Sluigistatic void *
187716Sluigisafe_realloc(void *ptr, size_t size)
187716Sluigi{
187716Sluigi	void *ret = realloc(ptr, size);
187716Sluigi
187716Sluigi	if (ret == NULL)
187716Sluigi		err(EX_OSERR, "realloc");
187716Sluigi	return ret;
187716Sluigi}
187716Sluigi
117328Sluigi/*
117328Sluigi * conditionally runs the command.
117328Sluigi */
117469Sluigistatic int
119740Stmmdo_cmd(int optname, void *optval, uintptr_t optlen)
117328Sluigi{
117328Sluigi	static int s = -1;	/* the socket */
117328Sluigi	int i;
117577Sluigi
117328Sluigi	if (test_only)
117328Sluigi		return 0;
117328Sluigi
117328Sluigi	if (s == -1)
117328Sluigi		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
117328Sluigi	if (s < 0)
117328Sluigi		err(EX_UNAVAILABLE, "socket");
117328Sluigi
117328Sluigi	if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET ||
130281Sru	    optname == IP_FW_ADD || optname == IP_FW_TABLE_LIST ||
165648Spiso	    optname == IP_FW_TABLE_GETSIZE ||
165648Spiso	    optname == IP_FW_NAT_GET_CONFIG ||
165648Spiso	    optname == IP_FW_NAT_GET_LOG)
117328Sluigi		i = getsockopt(s, IPPROTO_IP, optname, optval,
117328Sluigi			(socklen_t *)optlen);
117328Sluigi	else
117328Sluigi		i = setsockopt(s, IPPROTO_IP, optname, optval, optlen);
117328Sluigi	return i;
117328Sluigi}
117328Sluigi
98943Sluigi/**
98943Sluigi * match_token takes a table and a string, returns the value associated
117328Sluigi * with the string (-1 in case of failure).
98943Sluigi */
98943Sluigistatic int
98943Sluigimatch_token(struct _s_x *table, char *string)
98943Sluigi{
98943Sluigi	struct _s_x *pt;
117469Sluigi	uint i = strlen(string);
98943Sluigi
98943Sluigi	for (pt = table ; i && pt->s != NULL ; pt++)
98943Sluigi		if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
98943Sluigi			return pt->x;
98943Sluigi	return -1;
129389Sstefanf}
98943Sluigi
117328Sluigi/**
117328Sluigi * match_value takes a table and a value, returns the string associated
117328Sluigi * with the value (NULL in case of failure).
117328Sluigi */
117469Sluigistatic char const *
117469Sluigimatch_value(struct _s_x *p, int value)
98943Sluigi{
98943Sluigi	for (; p->s != NULL; p++)
98943Sluigi		if (p->x == value)
98943Sluigi			return p->s;
98943Sluigi	return NULL;
98943Sluigi}
98943Sluigi
98943Sluigi/*
140271Sbrooks * _substrcmp takes two strings and returns 1 if they do not match,
140271Sbrooks * and 0 if they match exactly or the first string is a sub-string
140271Sbrooks * of the second.  A warning is printed to stderr in the case that the
140271Sbrooks * first string is a sub-string of the second.
140271Sbrooks *
140271Sbrooks * This function will be removed in the future through the usual
140271Sbrooks * deprecation process.
140271Sbrooks */
140271Sbrooksstatic int
140271Sbrooks_substrcmp(const char *str1, const char* str2)
140271Sbrooks{
140271Sbrooks
140271Sbrooks	if (strncmp(str1, str2, strlen(str1)) != 0)
140271Sbrooks		return 1;
140271Sbrooks
140271Sbrooks	if (strlen(str1) != strlen(str2))
140271Sbrooks		warnx("DEPRECATED: '%s' matched '%s' as a sub-string",
140271Sbrooks		    str1, str2);
140271Sbrooks	return 0;
140271Sbrooks}
140271Sbrooks
140271Sbrooks/*
140271Sbrooks * _substrcmp2 takes three strings and returns 1 if the first two do not match,
140271Sbrooks * and 0 if they match exactly or the second string is a sub-string
140271Sbrooks * of the first.  A warning is printed to stderr in the case that the
140271Sbrooks * first string does not match the third.
140271Sbrooks *
140271Sbrooks * This function exists to warn about the bizzare construction
140271Sbrooks * strncmp(str, "by", 2) which is used to allow people to use a shotcut
140271Sbrooks * for "bytes".  The problem is that in addition to accepting "by",
140271Sbrooks * "byt", "byte", and "bytes", it also excepts "by_rabid_dogs" and any
140271Sbrooks * other string beginning with "by".
140271Sbrooks *
140271Sbrooks * This function will be removed in the future through the usual
140271Sbrooks * deprecation process.
140271Sbrooks */
140271Sbrooksstatic int
140271Sbrooks_substrcmp2(const char *str1, const char* str2, const char* str3)
140271Sbrooks{
140271Sbrooks
140271Sbrooks	if (strncmp(str1, str2, strlen(str2)) != 0)
140271Sbrooks		return 1;
140271Sbrooks
140271Sbrooks	if (strcmp(str1, str3) != 0)
140271Sbrooks		warnx("DEPRECATED: '%s' matched '%s'",
140271Sbrooks		    str1, str3);
140271Sbrooks	return 0;
140271Sbrooks}
140271Sbrooks
140271Sbrooks/*
98943Sluigi * prints one port, symbolic or numeric
98943Sluigi */
98943Sluigistatic void
117328Sluigiprint_port(int proto, uint16_t port)
98943Sluigi{
98943Sluigi
98943Sluigi	if (proto == IPPROTO_ETHERTYPE) {
117469Sluigi		char const *s;
98943Sluigi
98943Sluigi		if (do_resolv && (s = match_value(ether_types, port)) )
98943Sluigi			printf("%s", s);
98943Sluigi		else
98943Sluigi			printf("0x%04x", port);
98943Sluigi	} else {
98943Sluigi		struct servent *se = NULL;
98943Sluigi		if (do_resolv) {
98943Sluigi			struct protoent *pe = getprotobynumber(proto);
98943Sluigi
98943Sluigi			se = getservbyport(htons(port), pe ? pe->p_name : NULL);
98943Sluigi		}
98943Sluigi		if (se)
98943Sluigi			printf("%s", se->s_name);
98943Sluigi		else
98943Sluigi			printf("%d", port);
98943Sluigi	}
98943Sluigi}
98943Sluigi
117328Sluigistruct _s_x _port_name[] = {
117328Sluigi	{"dst-port",	O_IP_DSTPORT},
117328Sluigi	{"src-port",	O_IP_SRCPORT},
117328Sluigi	{"ipid",	O_IPID},
117328Sluigi	{"iplen",	O_IPLEN},
117328Sluigi	{"ipttl",	O_IPTTL},
117328Sluigi	{"mac-type",	O_MAC_TYPE},
136075Sgreen	{"tcpdatalen",	O_TCPDATALEN},
158879Soleg	{"tagged",	O_TAGGED},
117328Sluigi	{NULL,		0}
117328Sluigi};
117328Sluigi
98943Sluigi/*
117328Sluigi * Print the values in a list 16-bit items of the types above.
98943Sluigi * XXX todo: add support for mask.
98943Sluigi */
98943Sluigistatic void
102087Sluigiprint_newports(ipfw_insn_u16 *cmd, int proto, int opcode)
98943Sluigi{
117328Sluigi	uint16_t *p = cmd->ports;
98943Sluigi	int i;
117469Sluigi	char const *sep;
98943Sluigi
116690Sluigi	if (opcode != 0) {
117328Sluigi		sep = match_value(_port_name, opcode);
117328Sluigi		if (sep == NULL)
116690Sluigi			sep = "???";
116690Sluigi		printf (" %s", sep);
116690Sluigi	}
116690Sluigi	sep = " ";
98943Sluigi	for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
98943Sluigi		printf(sep);
98943Sluigi		print_port(proto, p[0]);
98943Sluigi		if (p[0] != p[1]) {
98943Sluigi			printf("-");
98943Sluigi			print_port(proto, p[1]);
98943Sluigi		}
98943Sluigi		sep = ",";
98943Sluigi	}
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Like strtol, but also translates service names into port numbers
98943Sluigi * for some protocols.
98943Sluigi * In particular:
98943Sluigi *	proto == -1 disables the protocol check;
98943Sluigi *	proto == IPPROTO_ETHERTYPE looks up an internal table
98943Sluigi *	proto == <some value in /etc/protocols> matches the values there.
101628Sluigi * Returns *end == s in case the parameter is not found.
98943Sluigi */
98943Sluigistatic int
98943Sluigistrtoport(char *s, char **end, int base, int proto)
98943Sluigi{
101628Sluigi	char *p, *buf;
101628Sluigi	char *s1;
98943Sluigi	int i;
98943Sluigi
101628Sluigi	*end = s;		/* default - not found */
117577Sluigi	if (*s == '\0')
101628Sluigi		return 0;	/* not found */
106505Smaxim
98943Sluigi	if (isdigit(*s))
98943Sluigi		return strtol(s, end, base);
98943Sluigi
98943Sluigi	/*
101628Sluigi	 * find separator. '\\' escapes the next char.
98943Sluigi	 */
101628Sluigi	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
101628Sluigi		if (*s1 == '\\' && s1[1] != '\0')
101628Sluigi			s1++;
98943Sluigi
187716Sluigi	buf = safe_calloc(s1 - s + 1, 1);
101628Sluigi
101628Sluigi	/*
101628Sluigi	 * copy into a buffer skipping backslashes
101628Sluigi	 */
101628Sluigi	for (p = s, i = 0; p != s1 ; p++)
117577Sluigi		if (*p != '\\')
101628Sluigi			buf[i++] = *p;
101628Sluigi	buf[i++] = '\0';
101628Sluigi
98943Sluigi	if (proto == IPPROTO_ETHERTYPE) {
101628Sluigi		i = match_token(ether_types, buf);
101628Sluigi		free(buf);
101628Sluigi		if (i != -1) {	/* found */
98943Sluigi			*end = s1;
98943Sluigi			return i;
98943Sluigi		}
98943Sluigi	} else {
98943Sluigi		struct protoent *pe = NULL;
98943Sluigi		struct servent *se;
98943Sluigi
98943Sluigi		if (proto != 0)
98943Sluigi			pe = getprotobynumber(proto);
98943Sluigi		setservent(1);
101628Sluigi		se = getservbyname(buf, pe ? pe->p_name : NULL);
101628Sluigi		free(buf);
98943Sluigi		if (se != NULL) {
98943Sluigi			*end = s1;
98943Sluigi			return ntohs(se->s_port);
98943Sluigi		}
98943Sluigi	}
101628Sluigi	return 0;	/* not found */
98943Sluigi}
98943Sluigi
98943Sluigi/*
136071Sgreen * Map between current altq queue id numbers and names.
136071Sgreen */
136071Sgreenstatic int altq_fetched = 0;
136071Sgreenstatic TAILQ_HEAD(, pf_altq) altq_entries =
136071Sgreen	TAILQ_HEAD_INITIALIZER(altq_entries);
136071Sgreen
136071Sgreenstatic void
136071Sgreenaltq_set_enabled(int enabled)
136071Sgreen{
136071Sgreen	int pffd;
136071Sgreen
136071Sgreen	pffd = open("/dev/pf", O_RDWR);
136071Sgreen	if (pffd == -1)
136071Sgreen		err(EX_UNAVAILABLE,
136071Sgreen		    "altq support opening pf(4) control device");
136071Sgreen	if (enabled) {
136071Sgreen		if (ioctl(pffd, DIOCSTARTALTQ) != 0 && errno != EEXIST)
136071Sgreen			err(EX_UNAVAILABLE, "enabling altq");
136071Sgreen	} else {
136071Sgreen		if (ioctl(pffd, DIOCSTOPALTQ) != 0 && errno != ENOENT)
136071Sgreen			err(EX_UNAVAILABLE, "disabling altq");
136071Sgreen	}
136071Sgreen	close(pffd);
136071Sgreen}
136071Sgreen
136071Sgreenstatic void
187477Sluigialtq_fetch(void)
136071Sgreen{
136071Sgreen	struct pfioc_altq pfioc;
136071Sgreen	struct pf_altq *altq;
187477Sluigi	int pffd;
187477Sluigi	unsigned int mnr;
136071Sgreen
136071Sgreen	if (altq_fetched)
136071Sgreen		return;
136071Sgreen	altq_fetched = 1;
136071Sgreen	pffd = open("/dev/pf", O_RDONLY);
136071Sgreen	if (pffd == -1) {
136071Sgreen		warn("altq support opening pf(4) control device");
136071Sgreen		return;
136071Sgreen	}
136071Sgreen	bzero(&pfioc, sizeof(pfioc));
136071Sgreen	if (ioctl(pffd, DIOCGETALTQS, &pfioc) != 0) {
136071Sgreen		warn("altq support getting queue list");
136071Sgreen		close(pffd);
136071Sgreen		return;
136071Sgreen	}
136071Sgreen	mnr = pfioc.nr;
136071Sgreen	for (pfioc.nr = 0; pfioc.nr < mnr; pfioc.nr++) {
136071Sgreen		if (ioctl(pffd, DIOCGETALTQ, &pfioc) != 0) {
136071Sgreen			if (errno == EBUSY)
136071Sgreen				break;
136071Sgreen			warn("altq support getting queue list");
136071Sgreen			close(pffd);
136071Sgreen			return;
136071Sgreen		}
136071Sgreen		if (pfioc.altq.qid == 0)
136071Sgreen			continue;
187716Sluigi		altq = safe_calloc(1, sizeof(*altq));
136071Sgreen		*altq = pfioc.altq;
136071Sgreen		TAILQ_INSERT_TAIL(&altq_entries, altq, entries);
136071Sgreen	}
136071Sgreen	close(pffd);
136071Sgreen}
136071Sgreen
136071Sgreenstatic u_int32_t
136071Sgreenaltq_name_to_qid(const char *name)
136071Sgreen{
136071Sgreen	struct pf_altq *altq;
136071Sgreen
136071Sgreen	altq_fetch();
136071Sgreen	TAILQ_FOREACH(altq, &altq_entries, entries)
136071Sgreen		if (strcmp(name, altq->qname) == 0)
136071Sgreen			break;
136071Sgreen	if (altq == NULL)
136071Sgreen		errx(EX_DATAERR, "altq has no queue named `%s'", name);
136071Sgreen	return altq->qid;
136071Sgreen}
136071Sgreen
136071Sgreenstatic const char *
136071Sgreenaltq_qid_to_name(u_int32_t qid)
136071Sgreen{
136071Sgreen	struct pf_altq *altq;
136071Sgreen
136071Sgreen	altq_fetch();
136071Sgreen	TAILQ_FOREACH(altq, &altq_entries, entries)
136071Sgreen		if (qid == altq->qid)
136071Sgreen			break;
136071Sgreen	if (altq == NULL)
136071Sgreen		return NULL;
136071Sgreen	return altq->qname;
136071Sgreen}
136071Sgreen
136071Sgreenstatic void
136071Sgreenfill_altq_qid(u_int32_t *qid, const char *av)
136071Sgreen{
136071Sgreen	*qid = altq_name_to_qid(av);
136071Sgreen}
136071Sgreen
136071Sgreen/*
117328Sluigi * Fill the body of the command with the list of port ranges.
98943Sluigi */
98943Sluigistatic int
98943Sluigifill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
98943Sluigi{
117328Sluigi	uint16_t a, b, *p = cmd->ports;
98943Sluigi	int i = 0;
102087Sluigi	char *s = av;
98943Sluigi
102087Sluigi	while (*s) {
98943Sluigi		a = strtoport(av, &s, 0, proto);
159636Soleg		if (s == av) 			/* empty or invalid argument */
159636Soleg			return (0);
159636Soleg
159636Soleg		switch (*s) {
159636Soleg		case '-':			/* a range */
159636Soleg			av = s + 1;
98943Sluigi			b = strtoport(av, &s, 0, proto);
159636Soleg			/* Reject expressions like '1-abc' or '1-2-3'. */
159636Soleg			if (s == av || (*s != ',' && *s != '\0'))
159636Soleg				return (0);
98943Sluigi			p[0] = a;
98943Sluigi			p[1] = b;
159636Soleg			break;
159636Soleg		case ',':			/* comma separated list */
159636Soleg		case '\0':
98943Sluigi			p[0] = p[1] = a;
159636Soleg			break;
159636Soleg		default:
159636Soleg			warnx("port list: invalid separator <%c> in <%s>",
101978Sluigi				*s, av);
159636Soleg			return (0);
159636Soleg		}
159636Soleg
102087Sluigi		i++;
102087Sluigi		p += 2;
159636Soleg		av = s + 1;
98943Sluigi	}
98943Sluigi	if (i > 0) {
159636Soleg		if (i + 1 > F_LEN_MASK)
102087Sluigi			errx(EX_DATAERR, "too many ports/ranges\n");
159636Soleg		cmd->o.len |= i + 1;	/* leave F_NOT and F_OR untouched */
98943Sluigi	}
159636Soleg	return (i);
98943Sluigi}
98943Sluigi
98943Sluigistatic struct _s_x icmpcodes[] = {
98943Sluigi      { "net",			ICMP_UNREACH_NET },
98943Sluigi      { "host",			ICMP_UNREACH_HOST },
98943Sluigi      { "protocol",		ICMP_UNREACH_PROTOCOL },
98943Sluigi      { "port",			ICMP_UNREACH_PORT },
98943Sluigi      { "needfrag",		ICMP_UNREACH_NEEDFRAG },
98943Sluigi      { "srcfail",		ICMP_UNREACH_SRCFAIL },
98943Sluigi      { "net-unknown",		ICMP_UNREACH_NET_UNKNOWN },
98943Sluigi      { "host-unknown",		ICMP_UNREACH_HOST_UNKNOWN },
98943Sluigi      { "isolated",		ICMP_UNREACH_ISOLATED },
98943Sluigi      { "net-prohib",		ICMP_UNREACH_NET_PROHIB },
98943Sluigi      { "host-prohib",		ICMP_UNREACH_HOST_PROHIB },
98943Sluigi      { "tosnet",		ICMP_UNREACH_TOSNET },
98943Sluigi      { "toshost",		ICMP_UNREACH_TOSHOST },
98943Sluigi      { "filter-prohib",	ICMP_UNREACH_FILTER_PROHIB },
98943Sluigi      { "host-precedence",	ICMP_UNREACH_HOST_PRECEDENCE },
98943Sluigi      { "precedence-cutoff",	ICMP_UNREACH_PRECEDENCE_CUTOFF },
98943Sluigi      { NULL, 0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic void
98943Sluigifill_reject_code(u_short *codep, char *str)
98943Sluigi{
98943Sluigi	int val;
98943Sluigi	char *s;
98943Sluigi
98943Sluigi	val = strtoul(str, &s, 0);
98943Sluigi	if (s == str || *s != '\0' || val >= 0x100)
98943Sluigi		val = match_token(icmpcodes, str);
102087Sluigi	if (val < 0)
98943Sluigi		errx(EX_DATAERR, "unknown ICMP unreachable code ``%s''", str);
98943Sluigi	*codep = val;
98943Sluigi	return;
98943Sluigi}
98943Sluigi
98943Sluigistatic void
117328Sluigiprint_reject_code(uint16_t code)
98943Sluigi{
117469Sluigi	char const *s = match_value(icmpcodes, code);
98943Sluigi
98943Sluigi	if (s != NULL)
99475Sluigi		printf("unreach %s", s);
98943Sluigi	else
99475Sluigi		printf("unreach %u", code);
98943Sluigi}
98943Sluigi
149020Sbzstatic struct _s_x icmp6codes[] = {
149020Sbz      { "no-route",		ICMP6_DST_UNREACH_NOROUTE },
149020Sbz      { "admin-prohib",		ICMP6_DST_UNREACH_ADMIN },
149020Sbz      { "address",		ICMP6_DST_UNREACH_ADDR },
149020Sbz      { "port",			ICMP6_DST_UNREACH_NOPORT },
149020Sbz      { NULL, 0 }
149020Sbz};
149020Sbz
149020Sbzstatic void
149020Sbzfill_unreach6_code(u_short *codep, char *str)
149020Sbz{
149020Sbz	int val;
149020Sbz	char *s;
149020Sbz
149020Sbz	val = strtoul(str, &s, 0);
149020Sbz	if (s == str || *s != '\0' || val >= 0x100)
149020Sbz		val = match_token(icmp6codes, str);
149020Sbz	if (val < 0)
149020Sbz		errx(EX_DATAERR, "unknown ICMPv6 unreachable code ``%s''", str);
149020Sbz	*codep = val;
149020Sbz	return;
149020Sbz}
149020Sbz
149020Sbzstatic void
149020Sbzprint_unreach6_code(uint16_t code)
149020Sbz{
149020Sbz	char const *s = match_value(icmp6codes, code);
149020Sbz
149020Sbz	if (s != NULL)
149020Sbz		printf("unreach6 %s", s);
149020Sbz	else
149020Sbz		printf("unreach6 %u", code);
149020Sbz}
149020Sbz
98943Sluigi/*
98943Sluigi * Returns the number of bits set (from left) in a contiguous bitmask,
98943Sluigi * or -1 if the mask is not contiguous.
98943Sluigi * XXX this needs a proper fix.
98943Sluigi * This effectively works on masks in big-endian (network) format.
98943Sluigi * when compiled on little endian architectures.
98943Sluigi *
98943Sluigi * First bit is bit 7 of the first byte -- note, for MAC addresses,
98943Sluigi * the first bit on the wire is bit 0 of the first byte.
98943Sluigi * len is the max length in bits.
98943Sluigi */
98943Sluigistatic int
117577Sluigicontigmask(uint8_t *p, int len)
98943Sluigi{
98943Sluigi	int i, n;
117577Sluigi
98943Sluigi	for (i=0; i<len ; i++)
98943Sluigi		if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
98943Sluigi			break;
98943Sluigi	for (n=i+1; n < len; n++)
98943Sluigi		if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
98943Sluigi			return -1; /* mask not contiguous */
98943Sluigi	return i;
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * print flags set/clear in the two bitmasks passed as parameters.
98943Sluigi * There is a specialized check for f_tcpflags.
98943Sluigi */
98943Sluigistatic void
117469Sluigiprint_flags(char const *name, ipfw_insn *cmd, struct _s_x *list)
98943Sluigi{
117469Sluigi	char const *comma = "";
98943Sluigi	int i;
117577Sluigi	uint8_t set = cmd->arg1 & 0xff;
117577Sluigi	uint8_t clear = (cmd->arg1 >> 8) & 0xff;
98943Sluigi
98943Sluigi	if (list == f_tcpflags && set == TH_SYN && clear == TH_ACK) {
98943Sluigi		printf(" setup");
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
98943Sluigi	printf(" %s ", name);
98943Sluigi	for (i=0; list[i].x != 0; i++) {
98943Sluigi		if (set & list[i].x) {
98943Sluigi			set &= ~list[i].x;
98943Sluigi			printf("%s%s", comma, list[i].s);
98943Sluigi			comma = ",";
98943Sluigi		}
98943Sluigi		if (clear & list[i].x) {
98943Sluigi			clear &= ~list[i].x;
98943Sluigi			printf("%s!%s", comma, list[i].s);
98943Sluigi			comma = ",";
98943Sluigi		}
98943Sluigi	}
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Print the ip address contained in a command.
98943Sluigi */
98943Sluigistatic void
117469Sluigiprint_ip(ipfw_insn_ip *cmd, char const *s)
98943Sluigi{
98943Sluigi	struct hostent *he = NULL;
117328Sluigi	int len = F_LEN((ipfw_insn *)cmd);
117328Sluigi	uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
98943Sluigi
102087Sluigi	printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
98943Sluigi
98943Sluigi	if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
98943Sluigi		printf("me");
98943Sluigi		return;
98943Sluigi	}
130281Sru	if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
130281Sru	    cmd->o.opcode == O_IP_DST_LOOKUP) {
130281Sru		printf("table(%u", ((ipfw_insn *)cmd)->arg1);
130281Sru		if (len == F_INSN_SIZE(ipfw_insn_u32))
130281Sru			printf(",%u", *a);
130281Sru		printf(")");
130281Sru		return;
130281Sru	}
98943Sluigi	if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
117328Sluigi		uint32_t x, *map = (uint32_t *)&(cmd->mask);
116716Sluigi		int i, j;
98943Sluigi		char comma = '{';
98943Sluigi
98943Sluigi		x = cmd->o.arg1 - 1;
98943Sluigi		x = htonl( ~x );
98943Sluigi		cmd->addr.s_addr = htonl(cmd->addr.s_addr);
98943Sluigi		printf("%s/%d", inet_ntoa(cmd->addr),
117577Sluigi			contigmask((uint8_t *)&x, 32));
98943Sluigi		x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
98943Sluigi		x &= 0xff; /* base */
116716Sluigi		/*
116716Sluigi		 * Print bits and ranges.
116716Sluigi		 * Locate first bit set (i), then locate first bit unset (j).
116716Sluigi		 * If we have 3+ consecutive bits set, then print them as a
116716Sluigi		 * range, otherwise only print the initial bit and rescan.
116716Sluigi		 */
98943Sluigi		for (i=0; i < cmd->o.arg1; i++)
117328Sluigi			if (map[i/32] & (1<<(i & 31))) {
116716Sluigi				for (j=i+1; j < cmd->o.arg1; j++)
117328Sluigi					if (!(map[ j/32] & (1<<(j & 31))))
116716Sluigi						break;
98943Sluigi				printf("%c%d", comma, i+x);
116716Sluigi				if (j>i+2) { /* range has at least 3 elements */
116716Sluigi					printf("-%d", j-1+x);
116716Sluigi					i = j-1;
116716Sluigi				}
98943Sluigi				comma = ',';
98943Sluigi			}
98943Sluigi		printf("}");
98943Sluigi		return;
98943Sluigi	}
117328Sluigi	/*
117328Sluigi	 * len == 2 indicates a single IP, whereas lists of 1 or more
117328Sluigi	 * addr/mask pairs have len = (2n+1). We convert len to n so we
117328Sluigi	 * use that to count the number of entries.
117328Sluigi	 */
117328Sluigi    for (len = len / 2; len > 0; len--, a += 2) {
117328Sluigi	int mb =	/* mask length */
117328Sluigi	    (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
117577Sluigi		32 : contigmask((uint8_t *)&(a[1]), 32);
98943Sluigi	if (mb == 32 && do_resolv)
117328Sluigi		he = gethostbyaddr((char *)&(a[0]), sizeof(u_long), AF_INET);
98943Sluigi	if (he != NULL)		/* resolved to name */
98943Sluigi		printf("%s", he->h_name);
98943Sluigi	else if (mb == 0)	/* any */
98943Sluigi		printf("any");
98943Sluigi	else {		/* numeric IP followed by some kind of mask */
117328Sluigi		printf("%s", inet_ntoa( *((struct in_addr *)&a[0]) ) );
98943Sluigi		if (mb < 0)
117328Sluigi			printf(":%s", inet_ntoa( *((struct in_addr *)&a[1]) ) );
98943Sluigi		else if (mb < 32)
98943Sluigi			printf("/%d", mb);
98943Sluigi	}
117328Sluigi	if (len > 1)
117328Sluigi		printf(",");
117328Sluigi    }
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * prints a MAC address/mask pair
98943Sluigi */
98943Sluigistatic void
117577Sluigiprint_mac(uint8_t *addr, uint8_t *mask)
98943Sluigi{
98943Sluigi	int l = contigmask(mask, 48);
98943Sluigi
98943Sluigi	if (l == 0)
98943Sluigi		printf(" any");
98943Sluigi	else {
98943Sluigi		printf(" %02x:%02x:%02x:%02x:%02x:%02x",
98943Sluigi		    addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
98943Sluigi		if (l == -1)
98943Sluigi			printf("&%02x:%02x:%02x:%02x:%02x:%02x",
98943Sluigi			    mask[0], mask[1], mask[2],
98943Sluigi			    mask[3], mask[4], mask[5]);
98943Sluigi		else if (l < 48)
98943Sluigi			printf("/%d", l);
98943Sluigi	}
98943Sluigi}
98943Sluigi
99475Sluigistatic void
99475Sluigifill_icmptypes(ipfw_insn_u32 *cmd, char *av)
99475Sluigi{
117328Sluigi	uint8_t type;
98943Sluigi
99475Sluigi	cmd->d[0] = 0;
99475Sluigi	while (*av) {
99475Sluigi		if (*av == ',')
99475Sluigi			av++;
99475Sluigi
99475Sluigi		type = strtoul(av, &av, 0);
99475Sluigi
99475Sluigi		if (*av != ',' && *av != '\0')
99475Sluigi			errx(EX_DATAERR, "invalid ICMP type");
99475Sluigi
99475Sluigi		if (type > 31)
99475Sluigi			errx(EX_DATAERR, "ICMP type out of range");
99475Sluigi
99475Sluigi		cmd->d[0] |= 1 << type;
99475Sluigi	}
99475Sluigi	cmd->o.opcode = O_ICMPTYPE;
99475Sluigi	cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
99475Sluigi}
99475Sluigi
99475Sluigistatic void
99475Sluigiprint_icmptypes(ipfw_insn_u32 *cmd)
99475Sluigi{
99475Sluigi	int i;
99475Sluigi	char sep= ' ';
99475Sluigi
99475Sluigi	printf(" icmptypes");
99475Sluigi	for (i = 0; i < 32; i++) {
99475Sluigi		if ( (cmd->d[0] & (1 << (i))) == 0)
99475Sluigi			continue;
99475Sluigi		printf("%c%d", sep, i);
99475Sluigi		sep = ',';
99475Sluigi	}
99475Sluigi}
99475Sluigi
145246Sbrooks/*
145246Sbrooks * Print the ip address contained in a command.
145246Sbrooks */
145246Sbrooksstatic void
145246Sbrooksprint_ip6(ipfw_insn_ip6 *cmd, char const *s)
145246Sbrooks{
145246Sbrooks       struct hostent *he = NULL;
145246Sbrooks       int len = F_LEN((ipfw_insn *) cmd) - 1;
145246Sbrooks       struct in6_addr *a = &(cmd->addr6);
145246Sbrooks       char trad[255];
145246Sbrooks
145246Sbrooks       printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
145246Sbrooks
145246Sbrooks       if (cmd->o.opcode == O_IP6_SRC_ME || cmd->o.opcode == O_IP6_DST_ME) {
145246Sbrooks               printf("me6");
145246Sbrooks               return;
145246Sbrooks       }
145246Sbrooks       if (cmd->o.opcode == O_IP6) {
152923Sume               printf(" ip6");
145246Sbrooks               return;
145246Sbrooks       }
145246Sbrooks
145246Sbrooks       /*
145246Sbrooks        * len == 4 indicates a single IP, whereas lists of 1 or more
145246Sbrooks        * addr/mask pairs have len = (2n+1). We convert len to n so we
145246Sbrooks        * use that to count the number of entries.
145246Sbrooks        */
145246Sbrooks
145246Sbrooks       for (len = len / 4; len > 0; len -= 2, a += 2) {
145246Sbrooks           int mb =        /* mask length */
145246Sbrooks               (cmd->o.opcode == O_IP6_SRC || cmd->o.opcode == O_IP6_DST) ?
145246Sbrooks               128 : contigmask((uint8_t *)&(a[1]), 128);
145246Sbrooks
145246Sbrooks           if (mb == 128 && do_resolv)
145246Sbrooks               he = gethostbyaddr((char *)a, sizeof(*a), AF_INET6);
145246Sbrooks           if (he != NULL)             /* resolved to name */
145246Sbrooks               printf("%s", he->h_name);
145246Sbrooks           else if (mb == 0)           /* any */
145246Sbrooks               printf("any");
145246Sbrooks           else {          /* numeric IP followed by some kind of mask */
145246Sbrooks               if (inet_ntop(AF_INET6,  a, trad, sizeof( trad ) ) == NULL)
145246Sbrooks                   printf("Error ntop in print_ip6\n");
145246Sbrooks               printf("%s",  trad );
145246Sbrooks               if (mb < 0)     /* XXX not really legal... */
145246Sbrooks                   printf(":%s",
145246Sbrooks                       inet_ntop(AF_INET6, &a[1], trad, sizeof(trad)));
145246Sbrooks               else if (mb < 128)
145246Sbrooks                   printf("/%d", mb);
145246Sbrooks           }
145246Sbrooks           if (len > 2)
145246Sbrooks               printf(",");
145246Sbrooks       }
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic void
145246Sbrooksfill_icmp6types(ipfw_insn_icmp6 *cmd, char *av)
145246Sbrooks{
145246Sbrooks       uint8_t type;
145246Sbrooks
162344Sjhay       bzero(cmd, sizeof(*cmd));
145246Sbrooks       while (*av) {
145246Sbrooks           if (*av == ',')
145246Sbrooks               av++;
145246Sbrooks           type = strtoul(av, &av, 0);
145246Sbrooks           if (*av != ',' && *av != '\0')
145246Sbrooks               errx(EX_DATAERR, "invalid ICMP6 type");
145246Sbrooks	   /*
145246Sbrooks	    * XXX: shouldn't this be 0xFF?  I can't see any reason why
145246Sbrooks	    * we shouldn't be able to filter all possiable values
145246Sbrooks	    * regardless of the ability of the rest of the kernel to do
145246Sbrooks	    * anything useful with them.
145246Sbrooks	    */
145246Sbrooks           if (type > ICMP6_MAXTYPE)
145246Sbrooks               errx(EX_DATAERR, "ICMP6 type out of range");
145246Sbrooks           cmd->d[type / 32] |= ( 1 << (type % 32));
145246Sbrooks       }
145246Sbrooks       cmd->o.opcode = O_ICMP6TYPE;
145246Sbrooks       cmd->o.len |= F_INSN_SIZE(ipfw_insn_icmp6);
145246Sbrooks}
145246Sbrooks
145246Sbrooks
145246Sbrooksstatic void
145246Sbrooksprint_icmp6types(ipfw_insn_u32 *cmd)
145246Sbrooks{
145246Sbrooks       int i, j;
145246Sbrooks       char sep= ' ';
145246Sbrooks
152923Sume       printf(" ip6 icmp6types");
145246Sbrooks       for (i = 0; i < 7; i++)
145246Sbrooks               for (j=0; j < 32; ++j) {
145246Sbrooks                       if ( (cmd->d[i] & (1 << (j))) == 0)
145246Sbrooks                               continue;
145246Sbrooks                       printf("%c%d", sep, (i*32 + j));
145246Sbrooks                       sep = ',';
145246Sbrooks               }
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic void
145246Sbrooksprint_flow6id( ipfw_insn_u32 *cmd)
145246Sbrooks{
145246Sbrooks       uint16_t i, limit = cmd->o.arg1;
145246Sbrooks       char sep = ',';
145246Sbrooks
145246Sbrooks       printf(" flow-id ");
145246Sbrooks       for( i=0; i < limit; ++i) {
145246Sbrooks               if (i == limit - 1)
145246Sbrooks                       sep = ' ';
145246Sbrooks               printf("%d%c", cmd->d[i], sep);
145246Sbrooks       }
145246Sbrooks}
145246Sbrooks
145246Sbrooks/* structure and define for the extension header in ipv6 */
145246Sbrooksstatic struct _s_x ext6hdrcodes[] = {
145246Sbrooks       { "frag",       EXT_FRAGMENT },
145246Sbrooks       { "hopopt",     EXT_HOPOPTS },
145246Sbrooks       { "route",      EXT_ROUTING },
149020Sbz       { "dstopt",     EXT_DSTOPTS },
145246Sbrooks       { "ah",         EXT_AH },
145246Sbrooks       { "esp",        EXT_ESP },
169245Sbz       { "rthdr0",     EXT_RTHDR0 },
169245Sbz       { "rthdr2",     EXT_RTHDR2 },
145246Sbrooks       { NULL,         0 }
145246Sbrooks};
145246Sbrooks
145246Sbrooks/* fills command for the extension header filtering */
187477Sluigistatic int
145246Sbrooksfill_ext6hdr( ipfw_insn *cmd, char *av)
145246Sbrooks{
145246Sbrooks       int tok;
145246Sbrooks       char *s = av;
145246Sbrooks
145246Sbrooks       cmd->arg1 = 0;
145246Sbrooks
145246Sbrooks       while(s) {
145246Sbrooks           av = strsep( &s, ",") ;
145246Sbrooks           tok = match_token(ext6hdrcodes, av);
145246Sbrooks           switch (tok) {
145246Sbrooks           case EXT_FRAGMENT:
145246Sbrooks               cmd->arg1 |= EXT_FRAGMENT;
145246Sbrooks               break;
145246Sbrooks
145246Sbrooks           case EXT_HOPOPTS:
145246Sbrooks               cmd->arg1 |= EXT_HOPOPTS;
145246Sbrooks               break;
145246Sbrooks
145246Sbrooks           case EXT_ROUTING:
145246Sbrooks               cmd->arg1 |= EXT_ROUTING;
145246Sbrooks               break;
145246Sbrooks
149020Sbz           case EXT_DSTOPTS:
149020Sbz               cmd->arg1 |= EXT_DSTOPTS;
149020Sbz               break;
149020Sbz
145246Sbrooks           case EXT_AH:
145246Sbrooks               cmd->arg1 |= EXT_AH;
145246Sbrooks               break;
145246Sbrooks
145246Sbrooks           case EXT_ESP:
145246Sbrooks               cmd->arg1 |= EXT_ESP;
145246Sbrooks               break;
145246Sbrooks
169245Sbz           case EXT_RTHDR0:
169245Sbz               cmd->arg1 |= EXT_RTHDR0;
169245Sbz               break;
169245Sbz
169245Sbz           case EXT_RTHDR2:
169245Sbz               cmd->arg1 |= EXT_RTHDR2;
169245Sbz               break;
169245Sbz
145246Sbrooks           default:
145246Sbrooks               errx( EX_DATAERR, "invalid option for ipv6 exten header" );
145246Sbrooks               break;
145246Sbrooks           }
145246Sbrooks       }
145246Sbrooks       if (cmd->arg1 == 0 )
145246Sbrooks           return 0;
145246Sbrooks       cmd->opcode = O_EXT_HDR;
145246Sbrooks       cmd->len |= F_INSN_SIZE( ipfw_insn );
145246Sbrooks       return 1;
145246Sbrooks}
145246Sbrooks
187477Sluigistatic void
145246Sbrooksprint_ext6hdr( ipfw_insn *cmd )
145246Sbrooks{
145246Sbrooks       char sep = ' ';
145246Sbrooks
145246Sbrooks       printf(" extension header:");
145246Sbrooks       if (cmd->arg1 & EXT_FRAGMENT ) {
145246Sbrooks           printf("%cfragmentation", sep);
145246Sbrooks           sep = ',';
145246Sbrooks       }
145246Sbrooks       if (cmd->arg1 & EXT_HOPOPTS ) {
145246Sbrooks           printf("%chop options", sep);
145246Sbrooks           sep = ',';
145246Sbrooks       }
145246Sbrooks       if (cmd->arg1 & EXT_ROUTING ) {
145246Sbrooks           printf("%crouting options", sep);
145246Sbrooks           sep = ',';
145246Sbrooks       }
169245Sbz       if (cmd->arg1 & EXT_RTHDR0 ) {
169245Sbz           printf("%crthdr0", sep);
169245Sbz           sep = ',';
169245Sbz       }
169245Sbz       if (cmd->arg1 & EXT_RTHDR2 ) {
169245Sbz           printf("%crthdr2", sep);
169245Sbz           sep = ',';
169245Sbz       }
149020Sbz       if (cmd->arg1 & EXT_DSTOPTS ) {
149020Sbz           printf("%cdestination options", sep);
149020Sbz           sep = ',';
149020Sbz       }
145246Sbrooks       if (cmd->arg1 & EXT_AH ) {
145246Sbrooks           printf("%cauthentication header", sep);
145246Sbrooks           sep = ',';
145246Sbrooks       }
145246Sbrooks       if (cmd->arg1 & EXT_ESP ) {
145246Sbrooks           printf("%cencapsulated security payload", sep);
145246Sbrooks       }
145246Sbrooks}
145246Sbrooks
98943Sluigi/*
98943Sluigi * show_ipfw() prints the body of an ipfw rule.
98943Sluigi * Because the standard rule has at least proto src_ip dst_ip, we use
98943Sluigi * a helper function to produce these entries if not provided explicitly.
102087Sluigi * The first argument is the list of fields we have, the second is
102087Sluigi * the list of fields we want to be printed.
101978Sluigi *
102087Sluigi * Special cases if we have provided a MAC header:
102087Sluigi *   + if the rule does not contain IP addresses/ports, do not print them;
102087Sluigi *   + if the rule does not contain an IP proto, print "all" instead of "ip";
102087Sluigi *
102087Sluigi * Once we have 'have_options', IP header fields are printed as options.
98943Sluigi */
101978Sluigi#define	HAVE_PROTO	0x0001
101978Sluigi#define	HAVE_SRCIP	0x0002
101978Sluigi#define	HAVE_DSTIP	0x0004
169139Smaxim#define	HAVE_PROTO4	0x0008
169139Smaxim#define	HAVE_PROTO6	0x0010
102087Sluigi#define	HAVE_OPTIONS	0x8000
98943Sluigi
101978Sluigi#define	HAVE_IP		(HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
98943Sluigistatic void
187477Sluigishow_prerequisites(int *flags, int want, int cmd __unused)
98943Sluigi{
123495Sluigi	if (comment_only)
123495Sluigi		return;
102087Sluigi	if ( (*flags & HAVE_IP) == HAVE_IP)
102087Sluigi		*flags |= HAVE_OPTIONS;
102087Sluigi
102087Sluigi	if ( !(*flags & HAVE_OPTIONS)) {
187477Sluigi		if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) {
146894Smlaier			if ( (*flags & HAVE_PROTO4))
146894Smlaier				printf(" ip4");
146894Smlaier			else if ( (*flags & HAVE_PROTO6))
146894Smlaier				printf(" ip6");
146894Smlaier			else
146894Smlaier				printf(" ip");
187477Sluigi		}
102087Sluigi		if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
102087Sluigi			printf(" from any");
102087Sluigi		if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
102087Sluigi			printf(" to any");
102087Sluigi	}
98943Sluigi	*flags |= want;
98943Sluigi}
98943Sluigi
98943Sluigistatic void
112189Smaximshow_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
98943Sluigi{
107291Skeramida	static int twidth = 0;
98943Sluigi	int l;
158879Soleg	ipfw_insn *cmd, *tagptr = NULL;
187477Sluigi	const char *comment = NULL;	/* ptr to comment if we have one */
98943Sluigi	int proto = 0;		/* default */
98943Sluigi	int flags = 0;	/* prerequisites */
98943Sluigi	ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
136071Sgreen	ipfw_insn_altq *altqptr = NULL; /* set if we find an O_ALTQ */
98943Sluigi	int or_block = 0;	/* we are in an or block */
117328Sluigi	uint32_t set_disable;
98943Sluigi
115793Sticso	bcopy(&rule->next_rule, &set_disable, sizeof(set_disable));
101628Sluigi
101628Sluigi	if (set_disable & (1 << rule->set)) { /* disabled */
101628Sluigi		if (!show_sets)
101628Sluigi			return;
101628Sluigi		else
101628Sluigi			printf("# DISABLED ");
101628Sluigi	}
98943Sluigi	printf("%05u ", rule->rulenum);
98943Sluigi
117469Sluigi	if (pcwidth>0 || bcwidth>0)
115793Sticso		printf("%*llu %*llu ", pcwidth, align_uint64(&rule->pcnt),
115793Sticso		    bcwidth, align_uint64(&rule->bcnt));
98943Sluigi
117472Sluigi	if (do_time == 2)
117472Sluigi		printf("%10u ", rule->timestamp);
117472Sluigi	else if (do_time == 1) {
107291Skeramida		char timestr[30];
107291Skeramida		time_t t = (time_t)0;
107291Skeramida
107291Skeramida		if (twidth == 0) {
107291Skeramida			strcpy(timestr, ctime(&t));
107291Skeramida			*strchr(timestr, '\n') = '\0';
107291Skeramida			twidth = strlen(timestr);
107291Skeramida		}
98943Sluigi		if (rule->timestamp) {
107291Skeramida			t = _long_to_time(rule->timestamp);
98943Sluigi
98943Sluigi			strcpy(timestr, ctime(&t));
98943Sluigi			*strchr(timestr, '\n') = '\0';
98943Sluigi			printf("%s ", timestr);
98943Sluigi		} else {
107291Skeramida			printf("%*s", twidth, " ");
98943Sluigi		}
98943Sluigi	}
98943Sluigi
101628Sluigi	if (show_sets)
101628Sluigi		printf("set %d ", rule->set);
101628Sluigi
98943Sluigi	/*
107289Sluigi	 * print the optional "match probability"
107289Sluigi	 */
107289Sluigi	if (rule->cmd_len > 0) {
107289Sluigi		cmd = rule->cmd ;
107289Sluigi		if (cmd->opcode == O_PROB) {
107289Sluigi			ipfw_insn_u32 *p = (ipfw_insn_u32 *)cmd;
107289Sluigi			double d = 1.0 * p->d[0];
107289Sluigi
107289Sluigi			d = (d / 0x7fffffff);
107289Sluigi			printf("prob %f ", d);
107289Sluigi		}
107289Sluigi	}
107289Sluigi
107289Sluigi	/*
98943Sluigi	 * first print actions
98943Sluigi	 */
98943Sluigi        for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
98943Sluigi			l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
98943Sluigi		switch(cmd->opcode) {
98943Sluigi		case O_CHECK_STATE:
98943Sluigi			printf("check-state");
102087Sluigi			flags = HAVE_IP; /* avoid printing anything else */
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_ACCEPT:
98943Sluigi			printf("allow");
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_COUNT:
98943Sluigi			printf("count");
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_DENY:
98943Sluigi			printf("deny");
98943Sluigi			break;
98943Sluigi
99475Sluigi		case O_REJECT:
99475Sluigi			if (cmd->arg1 == ICMP_REJECT_RST)
99475Sluigi				printf("reset");
99475Sluigi			else if (cmd->arg1 == ICMP_UNREACH_HOST)
99475Sluigi				printf("reject");
99475Sluigi			else
99475Sluigi				print_reject_code(cmd->arg1);
99475Sluigi			break;
99475Sluigi
149020Sbz		case O_UNREACH6:
149020Sbz			if (cmd->arg1 == ICMP6_UNREACH_RST)
149020Sbz				printf("reset6");
149020Sbz			else
149020Sbz				print_unreach6_code(cmd->arg1);
149020Sbz			break;
149020Sbz
159636Soleg		case O_SKIPTO:
159636Soleg			PRINT_UINT_ARG("skipto ", cmd->arg1);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_PIPE:
159636Soleg			PRINT_UINT_ARG("pipe ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_QUEUE:
159636Soleg			PRINT_UINT_ARG("queue ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_DIVERT:
159636Soleg			PRINT_UINT_ARG("divert ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_TEE:
159636Soleg			PRINT_UINT_ARG("tee ", cmd->arg1);
159636Soleg			break;
159636Soleg
141351Sglebius		case O_NETGRAPH:
159636Soleg			PRINT_UINT_ARG("netgraph ", cmd->arg1);
159636Soleg			break;
159636Soleg
141351Sglebius		case O_NGTEE:
159636Soleg			PRINT_UINT_ARG("ngtee ", cmd->arg1);
159636Soleg			break;
141351Sglebius
98943Sluigi		case O_FORWARD_IP:
98943Sluigi		    {
98943Sluigi			ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
98943Sluigi
161424Sjulian			if (s->sa.sin_addr.s_addr == INADDR_ANY) {
161424Sjulian				printf("fwd tablearg");
161424Sjulian			} else {
161424Sjulian				printf("fwd %s", inet_ntoa(s->sa.sin_addr));
161424Sjulian			}
98943Sluigi			if (s->sa.sin_port)
103241Sluigi				printf(",%d", s->sa.sin_port);
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_LOG: /* O_LOG is printed last */
98943Sluigi			logptr = (ipfw_insn_log *)cmd;
98943Sluigi			break;
98943Sluigi
136071Sgreen		case O_ALTQ: /* O_ALTQ is printed after O_LOG */
136071Sgreen			altqptr = (ipfw_insn_altq *)cmd;
136071Sgreen			break;
136071Sgreen
158879Soleg		case O_TAG:
158879Soleg			tagptr = cmd;
158879Soleg			break;
158879Soleg
165648Spiso		case O_NAT:
176517Spiso			PRINT_UINT_ARG("nat ", cmd->arg1);
165648Spiso 			break;
165648Spiso
178888Sjulian		case O_SETFIB:
178888Sjulian			PRINT_UINT_ARG("setfib ", cmd->arg1);
178888Sjulian 			break;
178888Sjulian
98943Sluigi		default:
136071Sgreen			printf("** unrecognized action %d len %d ",
98943Sluigi				cmd->opcode, cmd->len);
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (logptr) {
98943Sluigi		if (logptr->max_log > 0)
99909Sluigi			printf(" log logamount %d", logptr->max_log);
98943Sluigi		else
99909Sluigi			printf(" log");
98943Sluigi	}
136071Sgreen	if (altqptr) {
136071Sgreen		const char *qname;
102087Sluigi
136071Sgreen		qname = altq_qid_to_name(altqptr->qid);
136071Sgreen		if (qname == NULL)
136071Sgreen			printf(" altq ?<%u>", altqptr->qid);
136071Sgreen		else
136071Sgreen			printf(" altq %s", qname);
136071Sgreen	}
158879Soleg	if (tagptr) {
158879Soleg		if (tagptr->len & F_NOT)
159636Soleg			PRINT_UINT_ARG(" untag ", tagptr->arg1);
158879Soleg		else
159636Soleg			PRINT_UINT_ARG(" tag ", tagptr->arg1);
158879Soleg	}
136071Sgreen
98943Sluigi	/*
102087Sluigi	 * then print the body.
98943Sluigi	 */
146894Smlaier        for (l = rule->act_ofs, cmd = rule->cmd ;
146894Smlaier			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
146894Smlaier		if ((cmd->len & F_OR) || (cmd->len & F_NOT))
146894Smlaier			continue;
146894Smlaier		if (cmd->opcode == O_IP4) {
146894Smlaier			flags |= HAVE_PROTO4;
146894Smlaier			break;
146894Smlaier		} else if (cmd->opcode == O_IP6) {
146894Smlaier			flags |= HAVE_PROTO6;
146894Smlaier			break;
146894Smlaier		}
146894Smlaier	}
102087Sluigi	if (rule->_pad & 1) {	/* empty rules before options */
146894Smlaier		if (!do_compact) {
146894Smlaier			show_prerequisites(&flags, HAVE_PROTO, 0);
146894Smlaier			printf(" from any to any");
146894Smlaier		}
102087Sluigi		flags |= HAVE_IP | HAVE_OPTIONS;
102087Sluigi	}
102087Sluigi
123495Sluigi	if (comment_only)
123495Sluigi		comment = "...";
123495Sluigi
98943Sluigi        for (l = rule->act_ofs, cmd = rule->cmd ;
98943Sluigi			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
99475Sluigi		/* useful alias */
99475Sluigi		ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
98943Sluigi
123495Sluigi		if (comment_only) {
123495Sluigi			if (cmd->opcode != O_NOP)
123495Sluigi				continue;
123495Sluigi			printf(" // %s\n", (char *)(cmd + 1));
123495Sluigi			return;
123495Sluigi		}
123495Sluigi
102087Sluigi		show_prerequisites(&flags, 0, cmd->opcode);
102087Sluigi
98943Sluigi		switch(cmd->opcode) {
117577Sluigi		case O_PROB:
107289Sluigi			break;	/* done already */
107289Sluigi
98943Sluigi		case O_PROBE_STATE:
98943Sluigi			break; /* no need to print anything here */
98943Sluigi
98943Sluigi		case O_IP_SRC:
130281Sru		case O_IP_SRC_LOOKUP:
98943Sluigi		case O_IP_SRC_MASK:
98943Sluigi		case O_IP_SRC_ME:
98943Sluigi		case O_IP_SRC_SET:
102087Sluigi			show_prerequisites(&flags, HAVE_PROTO, 0);
98943Sluigi			if (!(flags & HAVE_SRCIP))
98943Sluigi				printf(" from");
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
102087Sluigi			print_ip((ipfw_insn_ip *)cmd,
102087Sluigi				(flags & HAVE_OPTIONS) ? " src-ip" : "");
98943Sluigi			flags |= HAVE_SRCIP;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_IP_DST:
130281Sru		case O_IP_DST_LOOKUP:
98943Sluigi		case O_IP_DST_MASK:
98943Sluigi		case O_IP_DST_ME:
98943Sluigi		case O_IP_DST_SET:
102087Sluigi			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
98943Sluigi			if (!(flags & HAVE_DSTIP))
98943Sluigi				printf(" to");
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
102087Sluigi			print_ip((ipfw_insn_ip *)cmd,
102087Sluigi				(flags & HAVE_OPTIONS) ? " dst-ip" : "");
98943Sluigi			flags |= HAVE_DSTIP;
98943Sluigi			break;
98943Sluigi
145246Sbrooks		case O_IP6_SRC:
145246Sbrooks		case O_IP6_SRC_MASK:
145246Sbrooks		case O_IP6_SRC_ME:
147105Smlaier			show_prerequisites(&flags, HAVE_PROTO, 0);
145246Sbrooks			if (!(flags & HAVE_SRCIP))
145246Sbrooks				printf(" from");
145246Sbrooks			if ((cmd->len & F_OR) && !or_block)
145246Sbrooks				printf(" {");
145246Sbrooks			print_ip6((ipfw_insn_ip6 *)cmd,
145246Sbrooks			    (flags & HAVE_OPTIONS) ? " src-ip6" : "");
145246Sbrooks			flags |= HAVE_SRCIP | HAVE_PROTO;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case O_IP6_DST:
145246Sbrooks		case O_IP6_DST_MASK:
145246Sbrooks		case O_IP6_DST_ME:
145246Sbrooks			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
145246Sbrooks			if (!(flags & HAVE_DSTIP))
145246Sbrooks				printf(" to");
145246Sbrooks			if ((cmd->len & F_OR) && !or_block)
145246Sbrooks				printf(" {");
145246Sbrooks			print_ip6((ipfw_insn_ip6 *)cmd,
145246Sbrooks			    (flags & HAVE_OPTIONS) ? " dst-ip6" : "");
145246Sbrooks			flags |= HAVE_DSTIP;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case O_FLOW6ID:
145246Sbrooks		print_flow6id( (ipfw_insn_u32 *) cmd );
145246Sbrooks		flags |= HAVE_OPTIONS;
145246Sbrooks		break;
145246Sbrooks
98943Sluigi		case O_IP_DSTPORT:
102087Sluigi			show_prerequisites(&flags, HAVE_IP, 0);
98943Sluigi		case O_IP_SRCPORT:
102087Sluigi			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
101641Sluigi			if ((cmd->len & F_OR) && !or_block)
101641Sluigi				printf(" {");
172306Smaxim			if (cmd->len & F_NOT)
172306Smaxim				printf(" not");
102087Sluigi			print_newports((ipfw_insn_u16 *)cmd, proto,
102087Sluigi				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_PROTO: {
145246Sbrooks			struct protoent *pe = NULL;
98943Sluigi
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				printf(" not");
98943Sluigi			proto = cmd->arg1;
145567Sbrooks			pe = getprotobynumber(cmd->arg1);
146894Smlaier			if ((flags & (HAVE_PROTO4 | HAVE_PROTO6)) &&
146894Smlaier			    !(flags & HAVE_PROTO))
146894Smlaier				show_prerequisites(&flags,
146894Smlaier				    HAVE_IP | HAVE_OPTIONS, 0);
102087Sluigi			if (flags & HAVE_OPTIONS)
102087Sluigi				printf(" proto");
98943Sluigi			if (pe)
98943Sluigi				printf(" %s", pe->p_name);
98943Sluigi			else
98943Sluigi				printf(" %u", cmd->arg1);
98943Sluigi			}
98943Sluigi			flags |= HAVE_PROTO;
98943Sluigi			break;
106505Smaxim
98943Sluigi		default: /*options ... */
146894Smlaier			if (!(cmd->len & (F_OR|F_NOT)))
146894Smlaier				if (((cmd->opcode == O_IP6) &&
146894Smlaier				    (flags & HAVE_PROTO6)) ||
146894Smlaier				    ((cmd->opcode == O_IP4) &&
146894Smlaier				    (flags & HAVE_PROTO4)))
146894Smlaier					break;
102087Sluigi			show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0);
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
98943Sluigi			if (cmd->len & F_NOT && cmd->opcode != O_IN)
98943Sluigi				printf(" not");
98943Sluigi			switch(cmd->opcode) {
169139Smaxim			case O_MACADDR2: {
169139Smaxim				ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
169139Smaxim
169139Smaxim				printf(" MAC");
169139Smaxim				print_mac(m->addr, m->mask);
169139Smaxim				print_mac(m->addr + 6, m->mask + 6);
169139Smaxim				}
169139Smaxim				break;
169139Smaxim
169139Smaxim			case O_MAC_TYPE:
169139Smaxim				print_newports((ipfw_insn_u16 *)cmd,
169139Smaxim						IPPROTO_ETHERTYPE, cmd->opcode);
169139Smaxim				break;
169139Smaxim
169139Smaxim
98943Sluigi			case O_FRAG:
98943Sluigi				printf(" frag");
98943Sluigi				break;
98943Sluigi
178888Sjulian			case O_FIB:
178888Sjulian				printf(" fib %u", cmd->arg1 );
178888Sjulian				break;
178888Sjulian
98943Sluigi			case O_IN:
98943Sluigi				printf(cmd->len & F_NOT ? " out" : " in");
98943Sluigi				break;
98943Sluigi
136073Sgreen			case O_DIVERTED:
136073Sgreen				switch (cmd->arg1) {
136073Sgreen				case 3:
136073Sgreen					printf(" diverted");
136073Sgreen					break;
136073Sgreen				case 1:
136073Sgreen					printf(" diverted-loopback");
136073Sgreen					break;
136073Sgreen				case 2:
136073Sgreen					printf(" diverted-output");
136073Sgreen					break;
136073Sgreen				default:
136073Sgreen					printf(" diverted-?<%u>", cmd->arg1);
136073Sgreen					break;
136073Sgreen				}
136073Sgreen				break;
136073Sgreen
98943Sluigi			case O_LAYER2:
98943Sluigi				printf(" layer2");
98943Sluigi				break;
98943Sluigi			case O_XMIT:
98943Sluigi			case O_RECV:
140423Sglebius			case O_VIA:
140423Sglebius			    {
117469Sluigi				char const *s;
98943Sluigi				ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
98943Sluigi
98943Sluigi				if (cmd->opcode == O_XMIT)
98943Sluigi					s = "xmit";
98943Sluigi				else if (cmd->opcode == O_RECV)
98943Sluigi					s = "recv";
117469Sluigi				else /* if (cmd->opcode == O_VIA) */
98943Sluigi					s = "via";
98943Sluigi				if (cmdif->name[0] == '\0')
99475Sluigi					printf(" %s %s", s,
99475Sluigi					    inet_ntoa(cmdif->p.ip));
140423Sglebius				else
140423Sglebius					printf(" %s %s", s, cmdif->name);
140423Sglebius
98943Sluigi				break;
140423Sglebius			    }
98943Sluigi			case O_IPID:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" ipid %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPID);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_IPTTL:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" ipttl %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPTTL);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_IPVER:
98943Sluigi				printf(" ipver %u", cmd->arg1 );
98943Sluigi				break;
98943Sluigi
99475Sluigi			case O_IPPRECEDENCE:
99475Sluigi				printf(" ipprecedence %u", (cmd->arg1) >> 5 );
99475Sluigi				break;
99475Sluigi
98943Sluigi			case O_IPLEN:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" iplen %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPLEN);
98943Sluigi				break;
98943Sluigi
101116Sluigi			case O_IPOPT:
98943Sluigi				print_flags("ipoptions", cmd, f_ipopts);
98943Sluigi				break;
98943Sluigi
99475Sluigi			case O_IPTOS:
99475Sluigi				print_flags("iptos", cmd, f_iptos);
99475Sluigi				break;
99475Sluigi
99475Sluigi			case O_ICMPTYPE:
99475Sluigi				print_icmptypes((ipfw_insn_u32 *)cmd);
99475Sluigi				break;
99475Sluigi
98943Sluigi			case O_ESTAB:
98943Sluigi				printf(" established");
98943Sluigi				break;
98943Sluigi
136075Sgreen			case O_TCPDATALEN:
136075Sgreen				if (F_LEN(cmd) == 1)
136075Sgreen				    printf(" tcpdatalen %u", cmd->arg1 );
136075Sgreen				else
136075Sgreen				    print_newports((ipfw_insn_u16 *)cmd, 0,
136075Sgreen					O_TCPDATALEN);
136075Sgreen				break;
136075Sgreen
98943Sluigi			case O_TCPFLAGS:
98943Sluigi				print_flags("tcpflags", cmd, f_tcpflags);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPOPTS:
98943Sluigi				print_flags("tcpoptions", cmd, f_tcpopts);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPWIN:
98943Sluigi				printf(" tcpwin %d", ntohs(cmd->arg1));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPACK:
98943Sluigi				printf(" tcpack %d", ntohl(cmd32->d[0]));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPSEQ:
98943Sluigi				printf(" tcpseq %d", ntohl(cmd32->d[0]));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_UID:
98943Sluigi			    {
98943Sluigi				struct passwd *pwd = getpwuid(cmd32->d[0]);
98943Sluigi
98943Sluigi				if (pwd)
98943Sluigi					printf(" uid %s", pwd->pw_name);
98943Sluigi				else
98943Sluigi					printf(" uid %u", cmd32->d[0]);
98943Sluigi			    }
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_GID:
98943Sluigi			    {
98943Sluigi				struct group *grp = getgrgid(cmd32->d[0]);
98943Sluigi
98943Sluigi				if (grp)
98943Sluigi					printf(" gid %s", grp->gr_name);
98943Sluigi				else
98943Sluigi					printf(" gid %u", cmd32->d[0]);
98943Sluigi			    }
98943Sluigi				break;
98943Sluigi
133600Scsjp			case O_JAIL:
133600Scsjp				printf(" jail %d", cmd32->d[0]);
133600Scsjp				break;
133600Scsjp
112250Scjc			case O_VERREVPATH:
112250Scjc				printf(" verrevpath");
112250Scjc				break;
116919Sluigi
128575Sandre			case O_VERSRCREACH:
128575Sandre				printf(" versrcreach");
128575Sandre				break;
128575Sandre
133387Sandre			case O_ANTISPOOF:
133387Sandre				printf(" antispoof");
133387Sandre				break;
133387Sandre
117241Sluigi			case O_IPSEC:
117241Sluigi				printf(" ipsec");
117241Sluigi				break;
117241Sluigi
117469Sluigi			case O_NOP:
117626Sluigi				comment = (char *)(cmd + 1);
117469Sluigi				break;
117469Sluigi
98943Sluigi			case O_KEEP_STATE:
98943Sluigi				printf(" keep-state");
98943Sluigi				break;
98943Sluigi
159636Soleg			case O_LIMIT: {
98943Sluigi				struct _s_x *p = limit_masks;
98943Sluigi				ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
117328Sluigi				uint8_t x = c->limit_mask;
117469Sluigi				char const *comma = " ";
98943Sluigi
98943Sluigi				printf(" limit");
117577Sluigi				for (; p->x != 0 ; p++)
99909Sluigi					if ((x & p->x) == p->x) {
98943Sluigi						x &= ~p->x;
98943Sluigi						printf("%s%s", comma, p->s);
98943Sluigi						comma = ",";
98943Sluigi					}
159636Soleg				PRINT_UINT_ARG(" ", c->conn_limit);
98943Sluigi				break;
159636Soleg			}
98943Sluigi
146894Smlaier			case O_IP6:
152923Sume				printf(" ip6");
145246Sbrooks				break;
145246Sbrooks
146894Smlaier			case O_IP4:
152923Sume				printf(" ip4");
146894Smlaier				break;
146894Smlaier
145246Sbrooks			case O_ICMP6TYPE:
145246Sbrooks				print_icmp6types((ipfw_insn_u32 *)cmd);
145246Sbrooks				break;
145246Sbrooks
145246Sbrooks			case O_EXT_HDR:
145246Sbrooks				print_ext6hdr( (ipfw_insn *) cmd );
145246Sbrooks				break;
145246Sbrooks
158879Soleg			case O_TAGGED:
158879Soleg				if (F_LEN(cmd) == 1)
159636Soleg					PRINT_UINT_ARG(" tagged ", cmd->arg1);
158879Soleg				else
159636Soleg					print_newports((ipfw_insn_u16 *)cmd, 0,
159636Soleg					    O_TAGGED);
158879Soleg				break;
158879Soleg
98943Sluigi			default:
98943Sluigi				printf(" [opcode %d len %d]",
98943Sluigi				    cmd->opcode, cmd->len);
98943Sluigi			}
98943Sluigi		}
98943Sluigi		if (cmd->len & F_OR) {
98943Sluigi			printf(" or");
98943Sluigi			or_block = 1;
98943Sluigi		} else if (or_block) {
98943Sluigi			printf(" }");
98943Sluigi			or_block = 0;
98943Sluigi		}
98943Sluigi	}
102087Sluigi	show_prerequisites(&flags, HAVE_IP, 0);
117626Sluigi	if (comment)
117626Sluigi		printf(" // %s", comment);
98943Sluigi	printf("\n");
98943Sluigi}
98943Sluigi
98943Sluigistatic void
112189Smaximshow_dyn_ipfw(ipfw_dyn_rule *d, int pcwidth, int bcwidth)
98943Sluigi{
98943Sluigi	struct protoent *pe;
98943Sluigi	struct in_addr a;
115793Sticso	uint16_t rulenum;
159160Smlaier	char buf[INET6_ADDRSTRLEN];
98943Sluigi
98943Sluigi	if (!do_expired) {
98943Sluigi		if (!d->expire && !(d->dyn_type == O_LIMIT_PARENT))
98943Sluigi			return;
98943Sluigi	}
115793Sticso	bcopy(&d->rule, &rulenum, sizeof(rulenum));
117328Sluigi	printf("%05d", rulenum);
117469Sluigi	if (pcwidth>0 || bcwidth>0)
117328Sluigi	    printf(" %*llu %*llu (%ds)", pcwidth,
117328Sluigi		align_uint64(&d->pcnt), bcwidth,
117328Sluigi		align_uint64(&d->bcnt), d->expire);
98943Sluigi	switch (d->dyn_type) {
98943Sluigi	case O_LIMIT_PARENT:
98943Sluigi		printf(" PARENT %d", d->count);
98943Sluigi		break;
98943Sluigi	case O_LIMIT:
98943Sluigi		printf(" LIMIT");
98943Sluigi		break;
98943Sluigi	case O_KEEP_STATE: /* bidir, no mask */
106505Smaxim		printf(" STATE");
98943Sluigi		break;
98943Sluigi	}
98943Sluigi
98943Sluigi	if ((pe = getprotobynumber(d->id.proto)) != NULL)
98943Sluigi		printf(" %s", pe->p_name);
98943Sluigi	else
98943Sluigi		printf(" proto %u", d->id.proto);
98943Sluigi
159160Smlaier	if (d->id.addr_type == 4) {
159160Smlaier		a.s_addr = htonl(d->id.src_ip);
159160Smlaier		printf(" %s %d", inet_ntoa(a), d->id.src_port);
98943Sluigi
159160Smlaier		a.s_addr = htonl(d->id.dst_ip);
159160Smlaier		printf(" <-> %s %d", inet_ntoa(a), d->id.dst_port);
159160Smlaier	} else if (d->id.addr_type == 6) {
159160Smlaier		printf(" %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf,
159160Smlaier		    sizeof(buf)), d->id.src_port);
159160Smlaier		printf(" <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, buf,
159160Smlaier		    sizeof(buf)), d->id.dst_port);
159160Smlaier	} else
159160Smlaier		printf(" UNKNOWN <-> UNKNOWN\n");
159160Smlaier
98943Sluigi	printf("\n");
98943Sluigi}
98943Sluigi
117469Sluigistatic int
98943Sluigisort_q(const void *pa, const void *pb)
98943Sluigi{
98943Sluigi	int rev = (do_sort < 0);
98943Sluigi	int field = rev ? -do_sort : do_sort;
98943Sluigi	long long res = 0;
98943Sluigi	const struct dn_flow_queue *a = pa;
98943Sluigi	const struct dn_flow_queue *b = pb;
98943Sluigi
98943Sluigi	switch (field) {
98943Sluigi	case 1: /* pkts */
98943Sluigi		res = a->len - b->len;
98943Sluigi		break;
98943Sluigi	case 2: /* bytes */
98943Sluigi		res = a->len_bytes - b->len_bytes;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case 3: /* tot pkts */
98943Sluigi		res = a->tot_pkts - b->tot_pkts;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case 4: /* tot bytes */
98943Sluigi		res = a->tot_bytes - b->tot_bytes;
98943Sluigi		break;
98943Sluigi	}
98943Sluigi	if (res < 0)
98943Sluigi		res = -1;
98943Sluigi	if (res > 0)
98943Sluigi		res = 1;
98943Sluigi	return (int)(rev ? res : -res);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
98943Sluigilist_queues(struct dn_flow_set *fs, struct dn_flow_queue *q)
98943Sluigi{
98943Sluigi	int l;
145246Sbrooks	int index_printed, indexes = 0;
145246Sbrooks	char buff[255];
145246Sbrooks	struct protoent *pe;
98943Sluigi
98943Sluigi	if (fs->rq_elements == 0)
98943Sluigi		return;
98943Sluigi
98943Sluigi	if (do_sort != 0)
98943Sluigi		heapsort(q, fs->rq_elements, sizeof *q, sort_q);
145246Sbrooks
145246Sbrooks	/* Print IPv4 flows */
145246Sbrooks	index_printed = 0;
98943Sluigi	for (l = 0; l < fs->rq_elements; l++) {
98943Sluigi		struct in_addr ina;
98943Sluigi
145246Sbrooks		/* XXX: Should check for IPv4 flows */
145246Sbrooks		if (IS_IP6_FLOW_ID(&(q[l].id)))
145246Sbrooks			continue;
145246Sbrooks
145246Sbrooks		if (!index_printed) {
145246Sbrooks			index_printed = 1;
145246Sbrooks			if (indexes > 0)	/* currently a no-op */
145246Sbrooks				printf("\n");
145246Sbrooks			indexes++;
145246Sbrooks			printf("    "
145246Sbrooks			    "mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
145246Sbrooks			    fs->flow_mask.proto,
145246Sbrooks			    fs->flow_mask.src_ip, fs->flow_mask.src_port,
145246Sbrooks			    fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
145246Sbrooks
145246Sbrooks			printf("BKT Prot ___Source IP/port____ "
145246Sbrooks			    "____Dest. IP/port____ "
145246Sbrooks			    "Tot_pkt/bytes Pkt/Byte Drp\n");
145246Sbrooks		}
145246Sbrooks
98943Sluigi		printf("%3d ", q[l].hash_slot);
98943Sluigi		pe = getprotobynumber(q[l].id.proto);
98943Sluigi		if (pe)
98943Sluigi			printf("%-4s ", pe->p_name);
98943Sluigi		else
98943Sluigi			printf("%4u ", q[l].id.proto);
145246Sbrooks		ina.s_addr = htonl(q[l].id.src_ip);
98943Sluigi		printf("%15s/%-5d ",
98943Sluigi		    inet_ntoa(ina), q[l].id.src_port);
98943Sluigi		ina.s_addr = htonl(q[l].id.dst_ip);
98943Sluigi		printf("%15s/%-5d ",
98943Sluigi		    inet_ntoa(ina), q[l].id.dst_port);
98943Sluigi		printf("%4qu %8qu %2u %4u %3u\n",
98943Sluigi		    q[l].tot_pkts, q[l].tot_bytes,
98943Sluigi		    q[l].len, q[l].len_bytes, q[l].drops);
98943Sluigi		if (verbose)
98943Sluigi			printf("   S %20qd  F %20qd\n",
98943Sluigi			    q[l].S, q[l].F);
98943Sluigi	}
145246Sbrooks
145246Sbrooks	/* Print IPv6 flows */
145246Sbrooks	index_printed = 0;
145246Sbrooks	for (l = 0; l < fs->rq_elements; l++) {
145246Sbrooks		if (!IS_IP6_FLOW_ID(&(q[l].id)))
145246Sbrooks			continue;
145246Sbrooks
145246Sbrooks		if (!index_printed) {
145246Sbrooks			index_printed = 1;
145246Sbrooks			if (indexes > 0)
145246Sbrooks				printf("\n");
145246Sbrooks			indexes++;
145246Sbrooks			printf("\n        mask: proto: 0x%02x, flow_id: 0x%08x,  ",
145246Sbrooks			    fs->flow_mask.proto, fs->flow_mask.flow_id6);
145246Sbrooks			inet_ntop(AF_INET6, &(fs->flow_mask.src_ip6),
145246Sbrooks			    buff, sizeof(buff));
145246Sbrooks			printf("%s/0x%04x -> ", buff, fs->flow_mask.src_port);
145246Sbrooks			inet_ntop( AF_INET6, &(fs->flow_mask.dst_ip6),
145246Sbrooks			    buff, sizeof(buff) );
145246Sbrooks			printf("%s/0x%04x\n", buff, fs->flow_mask.dst_port);
145246Sbrooks
145246Sbrooks			printf("BKT ___Prot___ _flow-id_ "
145246Sbrooks			    "______________Source IPv6/port_______________ "
145246Sbrooks			    "_______________Dest. IPv6/port_______________ "
145246Sbrooks			    "Tot_pkt/bytes Pkt/Byte Drp\n");
145246Sbrooks		}
145246Sbrooks		printf("%3d ", q[l].hash_slot);
145246Sbrooks		pe = getprotobynumber(q[l].id.proto);
145246Sbrooks		if (pe != NULL)
145246Sbrooks			printf("%9s ", pe->p_name);
145246Sbrooks		else
145246Sbrooks			printf("%9u ", q[l].id.proto);
145246Sbrooks		printf("%7d  %39s/%-5d ", q[l].id.flow_id6,
145246Sbrooks		    inet_ntop(AF_INET6, &(q[l].id.src_ip6), buff, sizeof(buff)),
145246Sbrooks		    q[l].id.src_port);
145246Sbrooks		printf(" %39s/%-5d ",
145246Sbrooks		    inet_ntop(AF_INET6, &(q[l].id.dst_ip6), buff, sizeof(buff)),
145246Sbrooks		    q[l].id.dst_port);
145246Sbrooks		printf(" %4qu %8qu %2u %4u %3u\n",
145246Sbrooks		    q[l].tot_pkts, q[l].tot_bytes,
145246Sbrooks		    q[l].len, q[l].len_bytes, q[l].drops);
145246Sbrooks		if (verbose)
145246Sbrooks			printf("   S %20qd  F %20qd\n", q[l].S, q[l].F);
145246Sbrooks	}
98943Sluigi}
98943Sluigi
98943Sluigistatic void
98943Sluigiprint_flowset_parms(struct dn_flow_set *fs, char *prefix)
98943Sluigi{
98943Sluigi	int l;
98943Sluigi	char qs[30];
98943Sluigi	char plr[30];
98943Sluigi	char red[90];	/* Display RED parameters */
98943Sluigi
98943Sluigi	l = fs->qsize;
98943Sluigi	if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
98943Sluigi		if (l >= 8192)
98943Sluigi			sprintf(qs, "%d KB", l / 1024);
98943Sluigi		else
98943Sluigi			sprintf(qs, "%d B", l);
98943Sluigi	} else
98943Sluigi		sprintf(qs, "%3d sl.", l);
98943Sluigi	if (fs->plr)
98943Sluigi		sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
98943Sluigi	else
98943Sluigi		plr[0] = '\0';
98943Sluigi	if (fs->flags_fs & DN_IS_RED)	/* RED parameters */
98943Sluigi		sprintf(red,
98943Sluigi		    "\n\t  %cRED w_q %f min_th %d max_th %d max_p %f",
98943Sluigi		    (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
98943Sluigi		    1.0 * fs->w_q / (double)(1 << SCALE_RED),
98943Sluigi		    SCALE_VAL(fs->min_th),
98943Sluigi		    SCALE_VAL(fs->max_th),
98943Sluigi		    1.0 * fs->max_p / (double)(1 << SCALE_RED));
98943Sluigi	else
98943Sluigi		sprintf(red, "droptail");
98943Sluigi
98943Sluigi	printf("%s %s%s %d queues (%d buckets) %s\n",
98943Sluigi	    prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
117469Sluigilist_pipes(void *data, uint nbytes, int ac, char *av[])
98943Sluigi{
117469Sluigi	int rulenum;
98943Sluigi	void *next = data;
98943Sluigi	struct dn_pipe *p = (struct dn_pipe *) data;
98943Sluigi	struct dn_flow_set *fs;
98943Sluigi	struct dn_flow_queue *q;
98943Sluigi	int l;
98943Sluigi
98943Sluigi	if (ac > 0)
98943Sluigi		rulenum = strtoul(*av++, NULL, 10);
98943Sluigi	else
98943Sluigi		rulenum = 0;
98943Sluigi	for (; nbytes >= sizeof *p; p = (struct dn_pipe *)next) {
98943Sluigi		double b = p->bandwidth;
98943Sluigi		char buf[30];
98943Sluigi		char prefix[80];
98943Sluigi
161001Sstefanf		if (SLIST_NEXT(p, next) != (struct dn_pipe *)DN_IS_PIPE)
98943Sluigi			break;	/* done with pipes, now queues */
98943Sluigi
98943Sluigi		/*
98943Sluigi		 * compute length, as pipe have variable size
98943Sluigi		 */
98943Sluigi		l = sizeof(*p) + p->fs.rq_elements * sizeof(*q);
117469Sluigi		next = (char *)p + l;
98943Sluigi		nbytes -= l;
98943Sluigi
134225Spjd		if ((rulenum != 0 && rulenum != p->pipe_nr) || do_pipe == 2)
98943Sluigi			continue;
98943Sluigi
98943Sluigi		/*
98943Sluigi		 * Print rate (or clocking interface)
98943Sluigi		 */
98943Sluigi		if (p->if_name[0] != '\0')
98943Sluigi			sprintf(buf, "%s", p->if_name);
98943Sluigi		else if (b == 0)
98943Sluigi			sprintf(buf, "unlimited");
98943Sluigi		else if (b >= 1000000)
98943Sluigi			sprintf(buf, "%7.3f Mbit/s", b/1000000);
98943Sluigi		else if (b >= 1000)
98943Sluigi			sprintf(buf, "%7.3f Kbit/s", b/1000);
98943Sluigi		else
98943Sluigi			sprintf(buf, "%7.3f bit/s ", b);
98943Sluigi
98943Sluigi		sprintf(prefix, "%05d: %s %4d ms ",
98943Sluigi		    p->pipe_nr, buf, p->delay);
98943Sluigi		print_flowset_parms(&(p->fs), prefix);
98943Sluigi		if (verbose)
98943Sluigi			printf("   V %20qd\n", p->V >> MY_M);
106505Smaxim
98943Sluigi		q = (struct dn_flow_queue *)(p+1);
98943Sluigi		list_queues(&(p->fs), q);
98943Sluigi	}
98943Sluigi	for (fs = next; nbytes >= sizeof *fs; fs = next) {
98943Sluigi		char prefix[80];
98943Sluigi
161001Sstefanf		if (SLIST_NEXT(fs, next) != (struct dn_flow_set *)DN_IS_QUEUE)
98943Sluigi			break;
98943Sluigi		l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
117469Sluigi		next = (char *)fs + l;
98943Sluigi		nbytes -= l;
134225Spjd
134225Spjd		if (rulenum != 0 && ((rulenum != fs->fs_nr && do_pipe == 2) ||
134225Spjd		    (rulenum != fs->parent_nr && do_pipe == 1))) {
134225Spjd			continue;
134225Spjd		}
134225Spjd
98943Sluigi		q = (struct dn_flow_queue *)(fs+1);
98943Sluigi		sprintf(prefix, "q%05d: weight %d pipe %d ",
98943Sluigi		    fs->fs_nr, fs->weight, fs->parent_nr);
98943Sluigi		print_flowset_parms(fs, prefix);
98943Sluigi		list_queues(fs, q);
98943Sluigi	}
98943Sluigi}
98943Sluigi
101978Sluigi/*
101978Sluigi * This one handles all set-related commands
101978Sluigi * 	ipfw set { show | enable | disable }
101978Sluigi * 	ipfw set swap X Y
101978Sluigi * 	ipfw set move X to Y
101978Sluigi * 	ipfw set move rule X to Y
101978Sluigi */
98943Sluigistatic void
101978Sluigisets_handler(int ac, char *av[])
101978Sluigi{
117328Sluigi	uint32_t set_disable, masks[2];
101978Sluigi	int i, nbytes;
117328Sluigi	uint16_t rulenum;
117328Sluigi	uint8_t cmd, new_set;
101978Sluigi
101978Sluigi	ac--;
101978Sluigi	av++;
101978Sluigi
101978Sluigi	if (!ac)
101978Sluigi		errx(EX_USAGE, "set needs command");
140271Sbrooks	if (_substrcmp(*av, "show") == 0) {
101978Sluigi		void *data;
117469Sluigi		char const *msg;
101978Sluigi
101978Sluigi		nbytes = sizeof(struct ip_fw);
187716Sluigi		data = safe_calloc(1, nbytes);
119740Stmm		if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0)
101978Sluigi			err(EX_OSERR, "getsockopt(IP_FW_GET)");
115793Sticso		bcopy(&((struct ip_fw *)data)->next_rule,
115793Sticso			&set_disable, sizeof(set_disable));
101978Sluigi
117655Sluigi		for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
117577Sluigi			if ((set_disable & (1<<i))) {
101978Sluigi				printf("%s %d", msg, i);
101978Sluigi				msg = "";
101978Sluigi			}
101978Sluigi		msg = (set_disable) ? " enable" : "enable";
117655Sluigi		for (i = 0; i < RESVD_SET; i++)
117577Sluigi			if (!(set_disable & (1<<i))) {
101978Sluigi				printf("%s %d", msg, i);
101978Sluigi				msg = "";
101978Sluigi			}
101978Sluigi		printf("\n");
140271Sbrooks	} else if (_substrcmp(*av, "swap") == 0) {
101978Sluigi		ac--; av++;
101978Sluigi		if (ac != 2)
101978Sluigi			errx(EX_USAGE, "set swap needs 2 set numbers\n");
101978Sluigi		rulenum = atoi(av[0]);
101978Sluigi		new_set = atoi(av[1]);
117655Sluigi		if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid set number %s\n", av[0]);
117655Sluigi		if (!isdigit(*(av[1])) || new_set > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid set number %s\n", av[1]);
101978Sluigi		masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
140271Sbrooks	} else if (_substrcmp(*av, "move") == 0) {
101978Sluigi		ac--; av++;
140271Sbrooks		if (ac && _substrcmp(*av, "rule") == 0) {
101978Sluigi			cmd = 2;
101978Sluigi			ac--; av++;
101978Sluigi		} else
101978Sluigi			cmd = 3;
140271Sbrooks		if (ac != 3 || _substrcmp(av[1], "to") != 0)
101978Sluigi			errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
101978Sluigi		rulenum = atoi(av[0]);
101978Sluigi		new_set = atoi(av[2]);
117655Sluigi		if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
182823Srik			(cmd == 2 && rulenum == IPFW_DEFAULT_RULE) )
101978Sluigi			errx(EX_DATAERR, "invalid source number %s\n", av[0]);
117655Sluigi		if (!isdigit(*(av[2])) || new_set > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
101978Sluigi		masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
140271Sbrooks	} else if (_substrcmp(*av, "disable") == 0 ||
140271Sbrooks		   _substrcmp(*av, "enable") == 0 ) {
140271Sbrooks		int which = _substrcmp(*av, "enable") == 0 ? 1 : 0;
101978Sluigi
101978Sluigi		ac--; av++;
101978Sluigi		masks[0] = masks[1] = 0;
101978Sluigi
101978Sluigi		while (ac) {
101978Sluigi			if (isdigit(**av)) {
101978Sluigi				i = atoi(*av);
117655Sluigi				if (i < 0 || i > RESVD_SET)
101978Sluigi					errx(EX_DATAERR,
101978Sluigi					    "invalid set number %d\n", i);
101978Sluigi				masks[which] |= (1<<i);
140271Sbrooks			} else if (_substrcmp(*av, "disable") == 0)
101978Sluigi				which = 0;
140271Sbrooks			else if (_substrcmp(*av, "enable") == 0)
101978Sluigi				which = 1;
101978Sluigi			else
101978Sluigi				errx(EX_DATAERR,
101978Sluigi					"invalid set command %s\n", *av);
101978Sluigi			av++; ac--;
101978Sluigi		}
101978Sluigi		if ( (masks[0] & masks[1]) != 0 )
101978Sluigi			errx(EX_DATAERR,
101978Sluigi			    "cannot enable and disable the same set\n");
101978Sluigi
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(masks));
101978Sluigi		if (i)
101978Sluigi			warn("set enable/disable: setsockopt(IP_FW_DEL)");
101978Sluigi	} else
101978Sluigi		errx(EX_USAGE, "invalid set command %s\n", *av);
101978Sluigi}
101978Sluigi
101978Sluigistatic void
109126Sdillonsysctl_handler(int ac, char *av[], int which)
109126Sdillon{
109126Sdillon	ac--;
109126Sdillon	av++;
109126Sdillon
119668Smaxim	if (ac == 0) {
109126Sdillon		warnx("missing keyword to enable/disable\n");
140271Sbrooks	} else if (_substrcmp(*av, "firewall") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.enable", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "one_pass") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "debug") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.debug", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "verbose") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.verbose", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "dyn_keepalive") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "altq") == 0) {
136071Sgreen		altq_set_enabled(which);
109126Sdillon	} else {
109126Sdillon		warnx("unrecognize enable/disable keyword: %s\n", *av);
109126Sdillon	}
109126Sdillon}
109126Sdillon
109126Sdillonstatic void
117469Sluigilist(int ac, char *av[], int show_counters)
98943Sluigi{
98943Sluigi	struct ip_fw *r;
98943Sluigi	ipfw_dyn_rule *dynrules, *d;
98943Sluigi
117469Sluigi#define NEXT(r)	((struct ip_fw *)((char *)r + RULESIZE(r)))
117469Sluigi	char *lim;
117469Sluigi	void *data = NULL;
112189Smaxim	int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
98943Sluigi	int exitval = EX_OK;
98943Sluigi	int lac;
98943Sluigi	char **lav;
117469Sluigi	u_long rnum, last;
98943Sluigi	char *endptr;
98943Sluigi	int seen = 0;
170923Smaxim	uint8_t set;
98943Sluigi
98943Sluigi	const int ocmd = do_pipe ? IP_DUMMYNET_GET : IP_FW_GET;
98943Sluigi	int nalloc = 1024;	/* start somewhere... */
98943Sluigi
135036Smaxim	last = 0;
135036Smaxim
117328Sluigi	if (test_only) {
117328Sluigi		fprintf(stderr, "Testing only, list disabled\n");
117328Sluigi		return;
117328Sluigi	}
117328Sluigi
98943Sluigi	ac--;
98943Sluigi	av++;
98943Sluigi
98943Sluigi	/* get rules or pipes from kernel, resizing array as necessary */
98943Sluigi	nbytes = nalloc;
98943Sluigi
98943Sluigi	while (nbytes >= nalloc) {
98943Sluigi		nalloc = nalloc * 2 + 200;
98943Sluigi		nbytes = nalloc;
187716Sluigi		data = safe_realloc(data, nbytes);
119740Stmm		if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0)
98943Sluigi			err(EX_OSERR, "getsockopt(IP_%s_GET)",
98943Sluigi				do_pipe ? "DUMMYNET" : "FW");
98943Sluigi	}
98943Sluigi
98943Sluigi	if (do_pipe) {
98943Sluigi		list_pipes(data, nbytes, ac, av);
98943Sluigi		goto done;
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * Count static rules. They have variable size so we
98943Sluigi	 * need to scan the list to count them.
98943Sluigi	 */
117469Sluigi	for (nstat = 1, r = data, lim = (char *)data + nbytes;
182823Srik		    r->rulenum < IPFW_DEFAULT_RULE && (char *)r < lim;
117469Sluigi		    ++nstat, r = NEXT(r) )
98943Sluigi		; /* nothing */
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * Count dynamic rules. This is easier as they have
98943Sluigi	 * fixed size.
98943Sluigi	 */
117469Sluigi	r = NEXT(r);
98943Sluigi	dynrules = (ipfw_dyn_rule *)r ;
117469Sluigi	n = (char *)r - (char *)data;
98943Sluigi	ndyn = (nbytes - n) / sizeof *dynrules;
98943Sluigi
112189Smaxim	/* if showing stats, figure out column widths ahead of time */
112189Smaxim	bcwidth = pcwidth = 0;
117469Sluigi	if (show_counters) {
117469Sluigi		for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
170923Smaxim			/* skip rules from another set */
170923Smaxim			if (use_set && r->set != use_set - 1)
170923Smaxim				continue;
170923Smaxim
112189Smaxim			/* packet counter */
115793Sticso			width = snprintf(NULL, 0, "%llu",
115793Sticso			    align_uint64(&r->pcnt));
112189Smaxim			if (width > pcwidth)
112189Smaxim				pcwidth = width;
112189Smaxim
112189Smaxim			/* byte counter */
115793Sticso			width = snprintf(NULL, 0, "%llu",
115793Sticso			    align_uint64(&r->bcnt));
112189Smaxim			if (width > bcwidth)
112189Smaxim				bcwidth = width;
112189Smaxim		}
112189Smaxim	}
112189Smaxim	if (do_dynamic && ndyn) {
112189Smaxim		for (n = 0, d = dynrules; n < ndyn; n++, d++) {
170923Smaxim			if (use_set) {
170923Smaxim				/* skip rules from another set */
171989Smaxim				bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim				      &set, sizeof(uint8_t));
170923Smaxim				if (set != use_set - 1)
170923Smaxim					continue;
170923Smaxim			}
115793Sticso			width = snprintf(NULL, 0, "%llu",
115793Sticso			    align_uint64(&d->pcnt));
112189Smaxim			if (width > pcwidth)
112189Smaxim				pcwidth = width;
112189Smaxim
115793Sticso			width = snprintf(NULL, 0, "%llu",
115793Sticso			    align_uint64(&d->bcnt));
112189Smaxim			if (width > bcwidth)
112189Smaxim				bcwidth = width;
112189Smaxim		}
112189Smaxim	}
98943Sluigi	/* if no rule numbers were specified, list all rules */
98943Sluigi	if (ac == 0) {
170923Smaxim		for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
170923Smaxim			if (use_set && r->set != use_set - 1)
170923Smaxim				continue;
112189Smaxim			show_ipfw(r, pcwidth, bcwidth);
170923Smaxim		}
98943Sluigi
98943Sluigi		if (do_dynamic && ndyn) {
98943Sluigi			printf("## Dynamic rules (%d):\n", ndyn);
170923Smaxim			for (n = 0, d = dynrules; n < ndyn; n++, d++) {
170923Smaxim				if (use_set) {
171989Smaxim					bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim					      &set, sizeof(uint8_t));
170923Smaxim					if (set != use_set - 1)
170923Smaxim						continue;
170923Smaxim				}
112189Smaxim				show_dyn_ipfw(d, pcwidth, bcwidth);
98943Sluigi		}
170923Smaxim		}
98943Sluigi		goto done;
98943Sluigi	}
98943Sluigi
98943Sluigi	/* display specific rules requested on command line */
98943Sluigi
98943Sluigi	for (lac = ac, lav = av; lac != 0; lac--) {
98943Sluigi		/* convert command line rule # */
117469Sluigi		last = rnum = strtoul(*lav++, &endptr, 10);
117469Sluigi		if (*endptr == '-')
117469Sluigi			last = strtoul(endptr+1, &endptr, 10);
98943Sluigi		if (*endptr) {
98943Sluigi			exitval = EX_USAGE;
98943Sluigi			warnx("invalid rule number: %s", *(lav - 1));
98943Sluigi			continue;
98943Sluigi		}
117469Sluigi		for (n = seen = 0, r = data; n < nstat; n++, r = NEXT(r) ) {
117469Sluigi			if (r->rulenum > last)
98943Sluigi				break;
170923Smaxim			if (use_set && r->set != use_set - 1)
170923Smaxim				continue;
117469Sluigi			if (r->rulenum >= rnum && r->rulenum <= last) {
112189Smaxim				show_ipfw(r, pcwidth, bcwidth);
98943Sluigi				seen = 1;
98943Sluigi			}
98943Sluigi		}
98943Sluigi		if (!seen) {
98943Sluigi			/* give precedence to other error(s) */
98943Sluigi			if (exitval == EX_OK)
98943Sluigi				exitval = EX_UNAVAILABLE;
98943Sluigi			warnx("rule %lu does not exist", rnum);
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	if (do_dynamic && ndyn) {
98943Sluigi		printf("## Dynamic rules:\n");
98943Sluigi		for (lac = ac, lav = av; lac != 0; lac--) {
145246Sbrooks			last = rnum = strtoul(*lav++, &endptr, 10);
117469Sluigi			if (*endptr == '-')
117469Sluigi				last = strtoul(endptr+1, &endptr, 10);
98943Sluigi			if (*endptr)
98943Sluigi				/* already warned */
98943Sluigi				continue;
98943Sluigi			for (n = 0, d = dynrules; n < ndyn; n++, d++) {
115793Sticso				uint16_t rulenum;
115793Sticso
115793Sticso				bcopy(&d->rule, &rulenum, sizeof(rulenum));
115793Sticso				if (rulenum > rnum)
98943Sluigi					break;
170923Smaxim				if (use_set) {
171989Smaxim					bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim					      &set, sizeof(uint8_t));
170923Smaxim					if (set != use_set - 1)
170923Smaxim						continue;
170923Smaxim				}
117469Sluigi				if (r->rulenum >= rnum && r->rulenum <= last)
112189Smaxim					show_dyn_ipfw(d, pcwidth, bcwidth);
98943Sluigi			}
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	ac = 0;
98943Sluigi
98943Sluigidone:
98943Sluigi	free(data);
98943Sluigi
98943Sluigi	if (exitval != EX_OK)
98943Sluigi		exit(exitval);
117469Sluigi#undef NEXT
98943Sluigi}
98943Sluigi
98943Sluigistatic void
98943Sluigishow_usage(void)
98943Sluigi{
98943Sluigi	fprintf(stderr, "usage: ipfw [options]\n"
98943Sluigi"do \"ipfw -h\" or see ipfw manpage for details\n"
98943Sluigi);
98943Sluigi	exit(EX_USAGE);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
98943Sluigihelp(void)
98943Sluigi{
117328Sluigi	fprintf(stderr,
117328Sluigi"ipfw syntax summary (but please do read the ipfw(8) manpage):\n"
123495Sluigi"ipfw [-abcdefhnNqStTv] <command> where <command> is one of:\n"
117328Sluigi"add [num] [set N] [prob x] RULE-BODY\n"
117328Sluigi"{pipe|queue} N config PIPE-BODY\n"
117328Sluigi"[pipe|queue] {zero|delete|show} [N{,N}]\n"
165648Spiso"nat N config {ip IPADDR|if IFNAME|log|deny_in|same_ports|unreg_only|reset|\n"
165648Spiso"		reverse|proxy_only|redirect_addr linkspec|\n"
165648Spiso"		redirect_port linkspec|redirect_proto linkspec}\n"
117328Sluigi"set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
170923Smaxim"set N {show|list|zero|resetlog|delete} [N{,N}] | flush\n"
130281Sru"table N {add ip[/bits] [value] | delete ip[/bits] | flush | list}\n"
183407Srik"table all {flush | list}\n"
98943Sluigi"\n"
136071Sgreen"RULE-BODY:	check-state [PARAMS] | ACTION [PARAMS] ADDR [OPTION_LIST]\n"
149020Sbz"ACTION:	check-state | allow | count | deny | unreach{,6} CODE |\n"
149020Sbz"               skipto N | {divert|tee} PORT | forward ADDR |\n"
178888Sjulian"               pipe N | queue N | nat N | setfib FIB\n"
136071Sgreen"PARAMS: 	[log [logamount LOGLIMIT]] [altq QUEUE_NAME]\n"
98943Sluigi"ADDR:		[ MAC dst src ether_type ] \n"
145246Sbrooks"		[ ip from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
145246Sbrooks"		[ ipv6|ip6 from IP6ADDR [ PORT ] to IP6ADDR [ PORTLIST ] ]\n"
130281Sru"IPADDR:	[not] { any | me | ip/bits{x,y,z} | table(t[,v]) | IPLIST }\n"
145246Sbrooks"IP6ADDR:	[not] { any | me | me6 | ip6/bits | IP6LIST }\n"
145246Sbrooks"IP6LIST:	{ ip6 | ip6/bits }[,IP6LIST]\n"
117544Sluigi"IPLIST:	{ ip | ip/bits | ip:mask }[,IPLIST]\n"
117544Sluigi"OPTION_LIST:	OPTION [OPTION_LIST]\n"
136247Sgreen"OPTION:	bridged | diverted | diverted-loopback | diverted-output |\n"
145246Sbrooks"	{dst-ip|src-ip} IPADDR | {dst-ip6|src-ip6|dst-ipv6|src-ipv6} IP6ADDR |\n"
145246Sbrooks"	{dst-port|src-port} LIST |\n"
117328Sluigi"	estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
117328Sluigi"	iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n"
117328Sluigi"	ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
178888Sjulian"	icmp6types LIST | ext6hdr LIST | flow-id N[,N] | fib FIB |\n"
117328Sluigi"	mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
117328Sluigi"	setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
136075Sgreen"	tcpdatalen LIST | verrevpath | versrcreach | antispoof\n"
98943Sluigi);
98943Sluigiexit(0);
98943Sluigi}
98943Sluigi
98943Sluigi
98943Sluigistatic int
98943Sluigilookup_host (char *host, struct in_addr *ipaddr)
98943Sluigi{
98943Sluigi	struct hostent *he;
98943Sluigi
98943Sluigi	if (!inet_aton(host, ipaddr)) {
98943Sluigi		if ((he = gethostbyname(host)) == NULL)
98943Sluigi			return(-1);
98943Sluigi		*ipaddr = *(struct in_addr *)he->h_addr_list[0];
98943Sluigi	}
98943Sluigi	return(0);
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * fills the addr and mask fields in the instruction as appropriate from av.
98943Sluigi * Update length as appropriate.
98943Sluigi * The following formats are allowed:
98943Sluigi *	me	returns O_IP_*_ME
98943Sluigi *	1.2.3.4		single IP address
98943Sluigi *	1.2.3.4:5.6.7.8	address:mask
98943Sluigi *	1.2.3.4/24	address/mask
98943Sluigi *	1.2.3.4/26{1,6,5,4,23}	set of addresses in a subnet
117328Sluigi * We can have multiple comma-separated address/mask entries.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_ip(ipfw_insn_ip *cmd, char *av)
98943Sluigi{
117328Sluigi	int len = 0;
117328Sluigi	uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
98943Sluigi
98943Sluigi	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
98943Sluigi
140271Sbrooks	if (_substrcmp(av, "any") == 0)
98943Sluigi		return;
98943Sluigi
140271Sbrooks	if (_substrcmp(av, "me") == 0) {
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
140271Sbrooks	if (strncmp(av, "table(", 6) == 0) {
130281Sru		char *p = strchr(av + 6, ',');
130281Sru
130281Sru		if (p)
130281Sru			*p++ = '\0';
130281Sru		cmd->o.opcode = O_IP_DST_LOOKUP;
130281Sru		cmd->o.arg1 = strtoul(av + 6, NULL, 0);
130281Sru		if (p) {
130281Sru			cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
130281Sru			d[0] = strtoul(p, NULL, 0);
130281Sru		} else
130281Sru			cmd->o.len |= F_INSN_SIZE(ipfw_insn);
130281Sru		return;
130281Sru	}
130281Sru
117328Sluigi    while (av) {
117328Sluigi	/*
117328Sluigi	 * After the address we can have '/' or ':' indicating a mask,
117328Sluigi	 * ',' indicating another address follows, '{' indicating a
117328Sluigi	 * set of addresses of unspecified size.
117328Sluigi	 */
165851Smlaier	char *t = NULL, *p = strpbrk(av, "/:,{");
117328Sluigi	int masklen;
187477Sluigi	char md, nd = '\0';
117328Sluigi
98943Sluigi	if (p) {
98943Sluigi		md = *p;
98943Sluigi		*p++ = '\0';
165851Smlaier		if ((t = strpbrk(p, ",{")) != NULL) {
165851Smlaier			nd = *t;
165851Smlaier			*t = '\0';
165851Smlaier		}
117328Sluigi	} else
117328Sluigi		md = '\0';
98943Sluigi
117328Sluigi	if (lookup_host(av, (struct in_addr *)&d[0]) != 0)
98943Sluigi		errx(EX_NOHOST, "hostname ``%s'' unknown", av);
98943Sluigi	switch (md) {
98943Sluigi	case ':':
117328Sluigi		if (!inet_aton(p, (struct in_addr *)&d[1]))
98943Sluigi			errx(EX_DATAERR, "bad netmask ``%s''", p);
98943Sluigi		break;
98943Sluigi	case '/':
117328Sluigi		masklen = atoi(p);
117328Sluigi		if (masklen == 0)
117328Sluigi			d[1] = htonl(0);	/* mask */
117328Sluigi		else if (masklen > 32)
98943Sluigi			errx(EX_DATAERR, "bad width ``%s''", p);
98943Sluigi		else
117328Sluigi			d[1] = htonl(~0 << (32 - masklen));
98943Sluigi		break;
117328Sluigi	case '{':	/* no mask, assume /24 and put back the '{' */
117328Sluigi		d[1] = htonl(~0 << (32 - 24));
117328Sluigi		*(--p) = md;
117328Sluigi		break;
117328Sluigi
117328Sluigi	case ',':	/* single address plus continuation */
117328Sluigi		*(--p) = md;
117328Sluigi		/* FALLTHROUGH */
117328Sluigi	case 0:		/* initialization value */
98943Sluigi	default:
117328Sluigi		d[1] = htonl(~0);	/* force /32 */
98943Sluigi		break;
98943Sluigi	}
117328Sluigi	d[0] &= d[1];		/* mask base address with mask */
165851Smlaier	if (t)
165851Smlaier		*t = nd;
117328Sluigi	/* find next separator */
98943Sluigi	if (p)
117328Sluigi		p = strpbrk(p, ",{");
117328Sluigi	if (p && *p == '{') {
117328Sluigi		/*
117328Sluigi		 * We have a set of addresses. They are stored as follows:
117328Sluigi		 *   arg1	is the set size (powers of 2, 2..256)
117328Sluigi		 *   addr	is the base address IN HOST FORMAT
117328Sluigi		 *   mask..	is an array of arg1 bits (rounded up to
117328Sluigi		 *		the next multiple of 32) with bits set
117328Sluigi		 *		for each host in the map.
117328Sluigi		 */
117328Sluigi		uint32_t *map = (uint32_t *)&cmd->mask;
98943Sluigi		int low, high;
117577Sluigi		int i = contigmask((uint8_t *)&(d[1]), 32);
98943Sluigi
117328Sluigi		if (len > 0)
117328Sluigi			errx(EX_DATAERR, "address set cannot be in a list");
117328Sluigi		if (i < 24 || i > 31)
117328Sluigi			errx(EX_DATAERR, "invalid set with mask %d\n", i);
117328Sluigi		cmd->o.arg1 = 1<<(32-i);	/* map length		*/
117328Sluigi		d[0] = ntohl(d[0]);		/* base addr in host format */
98943Sluigi		cmd->o.opcode = O_IP_DST_SET;	/* default */
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
101117Sluigi		for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
117328Sluigi			map[i] = 0;	/* clear map */
98943Sluigi
117328Sluigi		av = p + 1;
117328Sluigi		low = d[0] & 0xff;
98943Sluigi		high = low + cmd->o.arg1 - 1;
117328Sluigi		/*
117328Sluigi		 * Here, i stores the previous value when we specify a range
117328Sluigi		 * of addresses within a mask, e.g. 45-63. i = -1 means we
117328Sluigi		 * have no previous value.
117328Sluigi		 */
116716Sluigi		i = -1;	/* previous value in a range */
98943Sluigi		while (isdigit(*av)) {
98943Sluigi			char *s;
117328Sluigi			int a = strtol(av, &s, 0);
98943Sluigi
117328Sluigi			if (s == av) { /* no parameter */
117328Sluigi			    if (*av != '}')
117328Sluigi				errx(EX_DATAERR, "set not closed\n");
117328Sluigi			    if (i != -1)
117328Sluigi				errx(EX_DATAERR, "incomplete range %d-", i);
117328Sluigi			    break;
117328Sluigi			}
117328Sluigi			if (a < low || a > high)
117328Sluigi			    errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
98943Sluigi				a, low, high);
98943Sluigi			a -= low;
116716Sluigi			if (i == -1)	/* no previous in range */
116716Sluigi			    i = a;
116716Sluigi			else {		/* check that range is valid */
116716Sluigi			    if (i > a)
116716Sluigi				errx(EX_DATAERR, "invalid range %d-%d",
116716Sluigi					i+low, a+low);
116716Sluigi			    if (*s == '-')
116716Sluigi				errx(EX_DATAERR, "double '-' in range");
116716Sluigi			}
116716Sluigi			for (; i <= a; i++)
117328Sluigi			    map[i/32] |= 1<<(i & 31);
116716Sluigi			i = -1;
116716Sluigi			if (*s == '-')
116716Sluigi			    i = a;
117328Sluigi			else if (*s == '}')
116716Sluigi			    break;
98943Sluigi			av = s+1;
98943Sluigi		}
98943Sluigi		return;
98943Sluigi	}
117328Sluigi	av = p;
117328Sluigi	if (av)			/* then *av must be a ',' */
117328Sluigi		av++;
98943Sluigi
117328Sluigi	/* Check this entry */
117328Sluigi	if (d[1] == 0) { /* "any", specified as x.x.x.x/0 */
117328Sluigi		/*
117328Sluigi		 * 'any' turns the entire list into a NOP.
117328Sluigi		 * 'not any' never matches, so it is removed from the
117328Sluigi		 * list unless it is the only item, in which case we
117328Sluigi		 * report an error.
117328Sluigi		 */
117328Sluigi		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
117328Sluigi			if (av == NULL && len == 0) /* only this entry */
117328Sluigi				errx(EX_DATAERR, "not any never matches");
117328Sluigi		}
117328Sluigi		/* else do nothing and skip this entry */
128067Smaxim		return;
117328Sluigi	}
117328Sluigi	/* A single IP can be stored in an optimized format */
117328Sluigi	if (d[1] == IP_MASK_ALL && av == NULL && len == 0) {
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
117328Sluigi		return;
117328Sluigi	}
117328Sluigi	len += 2;	/* two words... */
117328Sluigi	d += 2;
117328Sluigi    } /* end while */
162363Sjhay    if (len + 1 > F_LEN_MASK)
162363Sjhay	errx(EX_DATAERR, "address list too long");
117328Sluigi    cmd->o.len |= len+1;
98943Sluigi}
98943Sluigi
98943Sluigi
145246Sbrooks/* Try to find ipv6 address by hostname */
145246Sbrooksstatic int
145246Sbrookslookup_host6 (char *host, struct in6_addr *ip6addr)
145246Sbrooks{
145246Sbrooks	struct hostent *he;
145246Sbrooks
145246Sbrooks	if (!inet_pton(AF_INET6, host, ip6addr)) {
145246Sbrooks		if ((he = gethostbyname2(host, AF_INET6)) == NULL)
145246Sbrooks			return(-1);
145246Sbrooks		memcpy(ip6addr, he->h_addr_list[0], sizeof( struct in6_addr));
145246Sbrooks	}
145246Sbrooks	return(0);
145246Sbrooks}
145246Sbrooks
145246Sbrooks
145246Sbrooks/* n2mask sets n bits of the mask */
145246Sbrooksstatic void
145246Sbrooksn2mask(struct in6_addr *mask, int n)
145246Sbrooks{
145246Sbrooks	static int	minimask[9] =
145246Sbrooks	    { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
145246Sbrooks	u_char		*p;
145246Sbrooks
145246Sbrooks	memset(mask, 0, sizeof(struct in6_addr));
145246Sbrooks	p = (u_char *) mask;
145246Sbrooks	for (; n > 0; p++, n -= 8) {
145246Sbrooks		if (n >= 8)
145246Sbrooks			*p = 0xff;
145246Sbrooks		else
145246Sbrooks			*p = minimask[n];
145246Sbrooks	}
145246Sbrooks	return;
145246Sbrooks}
145246Sbrooks
145246Sbrooks
98943Sluigi/*
145246Sbrooks * fill the addr and mask fields in the instruction as appropriate from av.
145246Sbrooks * Update length as appropriate.
145246Sbrooks * The following formats are allowed:
145246Sbrooks *     any     matches any IP6. Actually returns an empty instruction.
145246Sbrooks *     me      returns O_IP6_*_ME
145246Sbrooks *
145246Sbrooks *     03f1::234:123:0342                single IP6 addres
145246Sbrooks *     03f1::234:123:0342/24            address/mask
145246Sbrooks *     03f1::234:123:0342/24,03f1::234:123:0343/               List of address
145246Sbrooks *
145246Sbrooks * Set of address (as in ipv6) not supported because ipv6 address
145246Sbrooks * are typically random past the initial prefix.
145246Sbrooks * Return 1 on success, 0 on failure.
145246Sbrooks */
145246Sbrooksstatic int
145246Sbrooksfill_ip6(ipfw_insn_ip6 *cmd, char *av)
145246Sbrooks{
145246Sbrooks	int len = 0;
145246Sbrooks	struct in6_addr *d = &(cmd->addr6);
145246Sbrooks	/*
145246Sbrooks	 * Needed for multiple address.
145246Sbrooks	 * Note d[1] points to struct in6_add r mask6 of cmd
145246Sbrooks	 */
145246Sbrooks
145246Sbrooks       cmd->o.len &= ~F_LEN_MASK;	/* zero len */
145246Sbrooks
145246Sbrooks       if (strcmp(av, "any") == 0)
145246Sbrooks	       return (1);
145246Sbrooks
145246Sbrooks
145246Sbrooks       if (strcmp(av, "me") == 0) {	/* Set the data for "me" opt*/
145246Sbrooks	       cmd->o.len |= F_INSN_SIZE(ipfw_insn);
145246Sbrooks	       return (1);
145246Sbrooks       }
145246Sbrooks
145246Sbrooks       if (strcmp(av, "me6") == 0) {	/* Set the data for "me" opt*/
145246Sbrooks	       cmd->o.len |= F_INSN_SIZE(ipfw_insn);
145246Sbrooks	       return (1);
145246Sbrooks       }
145246Sbrooks
145246Sbrooks       av = strdup(av);
145246Sbrooks       while (av) {
145246Sbrooks		/*
145246Sbrooks		 * After the address we can have '/' indicating a mask,
145246Sbrooks		 * or ',' indicating another address follows.
145246Sbrooks		 */
145246Sbrooks
145246Sbrooks		char *p;
145246Sbrooks		int masklen;
145246Sbrooks		char md = '\0';
145246Sbrooks
145246Sbrooks		if ((p = strpbrk(av, "/,")) ) {
145246Sbrooks			md = *p;	/* save the separator */
145246Sbrooks			*p = '\0';	/* terminate address string */
145246Sbrooks			p++;		/* and skip past it */
145246Sbrooks		}
145246Sbrooks		/* now p points to NULL, mask or next entry */
145246Sbrooks
145246Sbrooks		/* lookup stores address in *d as a side effect */
145246Sbrooks		if (lookup_host6(av, d) != 0) {
145246Sbrooks			/* XXX: failed. Free memory and go */
145246Sbrooks			errx(EX_DATAERR, "bad address \"%s\"", av);
145246Sbrooks		}
145246Sbrooks		/* next, look at the mask, if any */
145246Sbrooks		masklen = (md == '/') ? atoi(p) : 128;
145246Sbrooks		if (masklen > 128 || masklen < 0)
145246Sbrooks			errx(EX_DATAERR, "bad width \"%s\''", p);
145246Sbrooks		else
145246Sbrooks			n2mask(&d[1], masklen);
145246Sbrooks
145246Sbrooks		APPLY_MASK(d, &d[1])   /* mask base address with mask */
145246Sbrooks
145246Sbrooks		/* find next separator */
145246Sbrooks
145246Sbrooks		if (md == '/') {	/* find separator past the mask */
145246Sbrooks			p = strpbrk(p, ",");
145246Sbrooks			if (p != NULL)
145246Sbrooks				p++;
145246Sbrooks		}
145246Sbrooks		av = p;
145246Sbrooks
145246Sbrooks		/* Check this entry */
145246Sbrooks		if (masklen == 0) {
145246Sbrooks			/*
145246Sbrooks			 * 'any' turns the entire list into a NOP.
145246Sbrooks			 * 'not any' never matches, so it is removed from the
145246Sbrooks			 * list unless it is the only item, in which case we
145246Sbrooks			 * report an error.
145246Sbrooks			 */
145246Sbrooks			if (cmd->o.len & F_NOT && av == NULL && len == 0)
145246Sbrooks				errx(EX_DATAERR, "not any never matches");
145246Sbrooks			continue;
145246Sbrooks		}
145246Sbrooks
145246Sbrooks		/*
145246Sbrooks		 * A single IP can be stored alone
145246Sbrooks		 */
145246Sbrooks		if (masklen == 128 && av == NULL && len == 0) {
145246Sbrooks			len = F_INSN_SIZE(struct in6_addr);
145246Sbrooks			break;
145246Sbrooks		}
145246Sbrooks
145246Sbrooks		/* Update length and pointer to arguments */
145246Sbrooks		len += F_INSN_SIZE(struct in6_addr)*2;
145246Sbrooks		d += 2;
145246Sbrooks	} /* end while */
145246Sbrooks
145246Sbrooks	/*
145246Sbrooks	 * Total length of the command, remember that 1 is the size of
145246Sbrooks	 * the base command.
145246Sbrooks	 */
162363Sjhay	if (len + 1 > F_LEN_MASK)
162363Sjhay		errx(EX_DATAERR, "address list too long");
145246Sbrooks	cmd->o.len |= len+1;
145246Sbrooks	free(av);
145246Sbrooks	return (1);
145246Sbrooks}
145246Sbrooks
145246Sbrooks/*
145246Sbrooks * fills command for ipv6 flow-id filtering
145246Sbrooks * note that the 20 bit flow number is stored in a array of u_int32_t
145246Sbrooks * it's supported lists of flow-id, so in the o.arg1 we store how many
145246Sbrooks * additional flow-id we want to filter, the basic is 1
145246Sbrooks */
187477Sluigistatic void
145246Sbrooksfill_flow6( ipfw_insn_u32 *cmd, char *av )
145246Sbrooks{
145246Sbrooks	u_int32_t type;	 /* Current flow number */
145246Sbrooks	u_int16_t nflow = 0;    /* Current flow index */
145246Sbrooks	char *s = av;
145246Sbrooks	cmd->d[0] = 0;	  /* Initializing the base number*/
145246Sbrooks
145246Sbrooks	while (s) {
145246Sbrooks		av = strsep( &s, ",") ;
145246Sbrooks		type = strtoul(av, &av, 0);
145246Sbrooks		if (*av != ',' && *av != '\0')
145246Sbrooks			errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
145246Sbrooks		if (type > 0xfffff)
145246Sbrooks			errx(EX_DATAERR, "flow number out of range %s", av);
145246Sbrooks		cmd->d[nflow] |= type;
145246Sbrooks		nflow++;
145246Sbrooks	}
145246Sbrooks	if( nflow > 0 ) {
145246Sbrooks		cmd->o.opcode = O_FLOW6ID;
145246Sbrooks		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + nflow;
145246Sbrooks		cmd->o.arg1 = nflow;
145246Sbrooks	}
145246Sbrooks	else {
145246Sbrooks		errx(EX_DATAERR, "invalid ipv6 flow number %s", av);
145246Sbrooks	}
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_srcip6(ipfw_insn *cmd, char *av)
145246Sbrooks{
145246Sbrooks
145246Sbrooks	fill_ip6((ipfw_insn_ip6 *)cmd, av);
187477Sluigi	if (F_LEN(cmd) == 0) {				/* any */
187477Sluigi	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
145246Sbrooks		cmd->opcode = O_IP6_SRC_ME;
145246Sbrooks	} else if (F_LEN(cmd) ==
145246Sbrooks	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
145246Sbrooks		/* single IP, no mask*/
145246Sbrooks		cmd->opcode = O_IP6_SRC;
145246Sbrooks	} else {					/* addr/mask opt */
145246Sbrooks		cmd->opcode = O_IP6_SRC_MASK;
145246Sbrooks	}
145246Sbrooks	return cmd;
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_dstip6(ipfw_insn *cmd, char *av)
145246Sbrooks{
145246Sbrooks
145246Sbrooks	fill_ip6((ipfw_insn_ip6 *)cmd, av);
187477Sluigi	if (F_LEN(cmd) == 0) {				/* any */
187477Sluigi	} else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn)) {	/* "me" */
145246Sbrooks		cmd->opcode = O_IP6_DST_ME;
145246Sbrooks	} else if (F_LEN(cmd) ==
145246Sbrooks	    (F_INSN_SIZE(struct in6_addr) + F_INSN_SIZE(ipfw_insn))) {
145246Sbrooks		/* single IP, no mask*/
145246Sbrooks		cmd->opcode = O_IP6_DST;
145246Sbrooks	} else {					/* addr/mask opt */
145246Sbrooks		cmd->opcode = O_IP6_DST_MASK;
145246Sbrooks	}
145246Sbrooks	return cmd;
145246Sbrooks}
145246Sbrooks
145246Sbrooks
145246Sbrooks/*
98943Sluigi * helper function to process a set of flags and set bits in the
98943Sluigi * appropriate masks.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_flags(ipfw_insn *cmd, enum ipfw_opcodes opcode,
98943Sluigi	struct _s_x *flags, char *p)
98943Sluigi{
117328Sluigi	uint8_t set=0, clear=0;
98943Sluigi
98943Sluigi	while (p && *p) {
98943Sluigi		char *q;	/* points to the separator */
98943Sluigi		int val;
117328Sluigi		uint8_t *which;	/* mask we are working on */
98943Sluigi
98943Sluigi		if (*p == '!') {
98943Sluigi			p++;
98943Sluigi			which = &clear;
98943Sluigi		} else
98943Sluigi			which = &set;
98943Sluigi		q = strchr(p, ',');
98943Sluigi		if (q)
98943Sluigi			*q++ = '\0';
98943Sluigi		val = match_token(flags, p);
98943Sluigi		if (val <= 0)
98943Sluigi			errx(EX_DATAERR, "invalid flag %s", p);
117328Sluigi		*which |= (uint8_t)val;
98943Sluigi		p = q;
98943Sluigi	}
98943Sluigi        cmd->opcode = opcode;
98943Sluigi        cmd->len =  (cmd->len & (F_NOT | F_OR)) | 1;
98943Sluigi        cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
98943Sluigi}
98943Sluigi
98943Sluigi
98943Sluigistatic void
98943Sluigidelete(int ac, char *av[])
98943Sluigi{
117328Sluigi	uint32_t rulenum;
117469Sluigi	struct dn_pipe p;
98943Sluigi	int i;
98943Sluigi	int exitval = EX_OK;
101628Sluigi	int do_set = 0;
98943Sluigi
117469Sluigi	memset(&p, 0, sizeof p);
98943Sluigi
98943Sluigi	av++; ac--;
130013Scsjp	NEED1("missing rule specification");
140271Sbrooks	if (ac > 0 && _substrcmp(*av, "set") == 0) {
170923Smaxim		/* Do not allow using the following syntax:
170923Smaxim		 *	ipfw set N delete set M
170923Smaxim		 */
170923Smaxim		if (use_set)
170923Smaxim			errx(EX_DATAERR, "invalid syntax");
101978Sluigi		do_set = 1;	/* delete set */
101628Sluigi		ac--; av++;
101978Sluigi	}
98943Sluigi
98943Sluigi	/* Rule number */
98943Sluigi	while (ac && isdigit(**av)) {
98943Sluigi		i = atoi(*av); av++; ac--;
165648Spiso		if (do_nat) {
165648Spiso			exitval = do_cmd(IP_FW_NAT_DEL, &i, sizeof i);
165648Spiso			if (exitval) {
165648Spiso				exitval = EX_UNAVAILABLE;
165648Spiso				warn("rule %u not available", i);
165648Spiso			}
165648Spiso 		} else if (do_pipe) {
98943Sluigi			if (do_pipe == 1)
117469Sluigi				p.pipe_nr = i;
98943Sluigi			else
117469Sluigi				p.fs.fs_nr = i;
117469Sluigi			i = do_cmd(IP_DUMMYNET_DEL, &p, sizeof p);
98943Sluigi			if (i) {
98943Sluigi				exitval = 1;
98943Sluigi				warn("rule %u: setsockopt(IP_DUMMYNET_DEL)",
117469Sluigi				    do_pipe == 1 ? p.pipe_nr : p.fs.fs_nr);
98943Sluigi			}
98943Sluigi		} else {
170923Smaxim			if (use_set)
170923Smaxim				rulenum = (i & 0xffff) | (5 << 24) |
170923Smaxim				    ((use_set - 1) << 16);
170923Smaxim			else
101978Sluigi			rulenum =  (i & 0xffff) | (do_set << 24);
117328Sluigi			i = do_cmd(IP_FW_DEL, &rulenum, sizeof rulenum);
98943Sluigi			if (i) {
98943Sluigi				exitval = EX_UNAVAILABLE;
98943Sluigi				warn("rule %u: setsockopt(IP_FW_DEL)",
98943Sluigi				    rulenum);
98943Sluigi			}
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (exitval != EX_OK)
98943Sluigi		exit(exitval);
98943Sluigi}
98943Sluigi
98943Sluigi
98943Sluigi/*
98943Sluigi * fill the interface structure. We do not check the name as we can
98943Sluigi * create interfaces dynamically, so checking them at insert time
98943Sluigi * makes relatively little sense.
121816Sbrooks * Interface names containing '*', '?', or '[' are assumed to be shell
121816Sbrooks * patterns which match interfaces.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_iface(ipfw_insn_if *cmd, char *arg)
98943Sluigi{
98943Sluigi	cmd->name[0] = '\0';
98943Sluigi	cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
98943Sluigi
98943Sluigi	/* Parse the interface or address */
140271Sbrooks	if (strcmp(arg, "any") == 0)
98943Sluigi		cmd->o.len = 0;		/* effectively ignore this command */
98943Sluigi	else if (!isdigit(*arg)) {
121816Sbrooks		strlcpy(cmd->name, arg, sizeof(cmd->name));
121816Sbrooks		cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
98943Sluigi	} else if (!inet_aton(arg, &cmd->p.ip))
98943Sluigi		errx(EX_DATAERR, "bad ip address ``%s''", arg);
98943Sluigi}
98943Sluigi
165648Spiso/*
165648Spiso * Search for interface with name "ifn", and fill n accordingly:
165648Spiso *
165648Spiso * n->ip        ip address of interface "ifn"
165648Spiso * n->if_name   copy of interface name "ifn"
165648Spiso */
98943Sluigistatic void
165648Spisoset_addr_dynamic(const char *ifn, struct cfg_nat *n)
165648Spiso{
165648Spiso	size_t needed;
165648Spiso	int mib[6];
165648Spiso	char *buf, *lim, *next;
165648Spiso	struct if_msghdr *ifm;
165648Spiso	struct ifa_msghdr *ifam;
165648Spiso	struct sockaddr_dl *sdl;
165648Spiso	struct sockaddr_in *sin;
165648Spiso	int ifIndex, ifMTU;
165648Spiso
165648Spiso	mib[0] = CTL_NET;
165648Spiso	mib[1] = PF_ROUTE;
165648Spiso	mib[2] = 0;
165648Spiso	mib[3] = AF_INET;
165648Spiso	mib[4] = NET_RT_IFLIST;
165648Spiso	mib[5] = 0;
165648Spiso/*
165648Spiso * Get interface data.
165648Spiso */
165648Spiso	if (sysctl(mib, 6, NULL, &needed, NULL, 0) == -1)
165648Spiso		err(1, "iflist-sysctl-estimate");
187716Sluigi	buf = safe_calloc(1, needed);
165648Spiso	if (sysctl(mib, 6, buf, &needed, NULL, 0) == -1)
165648Spiso		err(1, "iflist-sysctl-get");
165648Spiso	lim = buf + needed;
165648Spiso/*
165648Spiso * Loop through interfaces until one with
165648Spiso * given name is found. This is done to
165648Spiso * find correct interface index for routing
165648Spiso * message processing.
165648Spiso */
165648Spiso	ifIndex	= 0;
165648Spiso	next = buf;
165648Spiso	while (next < lim) {
165648Spiso		ifm = (struct if_msghdr *)next;
165648Spiso		next += ifm->ifm_msglen;
165648Spiso		if (ifm->ifm_version != RTM_VERSION) {
165648Spiso			if (verbose)
165648Spiso				warnx("routing message version %d "
165648Spiso				    "not understood", ifm->ifm_version);
165648Spiso			continue;
165648Spiso		}
165648Spiso		if (ifm->ifm_type == RTM_IFINFO) {
165648Spiso			sdl = (struct sockaddr_dl *)(ifm + 1);
165648Spiso			if (strlen(ifn) == sdl->sdl_nlen &&
165648Spiso			    strncmp(ifn, sdl->sdl_data, sdl->sdl_nlen) == 0) {
165648Spiso				ifIndex = ifm->ifm_index;
165648Spiso				ifMTU = ifm->ifm_data.ifi_mtu;
165648Spiso				break;
165648Spiso			}
165648Spiso		}
165648Spiso	}
165648Spiso	if (!ifIndex)
165648Spiso		errx(1, "unknown interface name %s", ifn);
165648Spiso/*
165648Spiso * Get interface address.
165648Spiso */
165648Spiso	sin = NULL;
165648Spiso	while (next < lim) {
165648Spiso		ifam = (struct ifa_msghdr *)next;
165648Spiso		next += ifam->ifam_msglen;
165648Spiso		if (ifam->ifam_version != RTM_VERSION) {
165648Spiso			if (verbose)
165648Spiso				warnx("routing message version %d "
165648Spiso				    "not understood", ifam->ifam_version);
165648Spiso			continue;
165648Spiso		}
165648Spiso		if (ifam->ifam_type != RTM_NEWADDR)
165648Spiso			break;
165648Spiso		if (ifam->ifam_addrs & RTA_IFA) {
165648Spiso			int i;
165648Spiso			char *cp = (char *)(ifam + 1);
165648Spiso
165648Spiso			for (i = 1; i < RTA_IFA; i <<= 1) {
165648Spiso				if (ifam->ifam_addrs & i)
165648Spiso					cp += SA_SIZE((struct sockaddr *)cp);
165648Spiso			}
165648Spiso			if (((struct sockaddr *)cp)->sa_family == AF_INET) {
165648Spiso				sin = (struct sockaddr_in *)cp;
165648Spiso				break;
165648Spiso			}
165648Spiso		}
165648Spiso	}
165648Spiso	if (sin == NULL)
165648Spiso		errx(1, "%s: cannot get interface address", ifn);
165648Spiso
165648Spiso	n->ip = sin->sin_addr;
165648Spiso	strncpy(n->if_name, ifn, IF_NAMESIZE);
165648Spiso
165648Spiso	free(buf);
165648Spiso}
165648Spiso
165648Spiso/*
165648Spiso * XXX - The following functions, macros and definitions come from natd.c:
165648Spiso * it would be better to move them outside natd.c, in a file
165648Spiso * (redirect_support.[ch]?) shared by ipfw and natd, but for now i can live
165648Spiso * with it.
165648Spiso */
165648Spiso
165648Spiso/*
165648Spiso * Definition of a port range, and macros to deal with values.
165648Spiso * FORMAT:  HI 16-bits == first port in range, 0 == all ports.
165648Spiso *          LO 16-bits == number of ports in range
165648Spiso * NOTES:   - Port values are not stored in network byte order.
165648Spiso */
165648Spiso
165648Spiso#define port_range u_long
165648Spiso
165648Spiso#define GETLOPORT(x)     ((x) >> 0x10)
165648Spiso#define GETNUMPORTS(x)   ((x) & 0x0000ffff)
165648Spiso#define GETHIPORT(x)     (GETLOPORT((x)) + GETNUMPORTS((x)))
165648Spiso
165648Spiso/* Set y to be the low-port value in port_range variable x. */
165648Spiso#define SETLOPORT(x,y)   ((x) = ((x) & 0x0000ffff) | ((y) << 0x10))
165648Spiso
165648Spiso/* Set y to be the number of ports in port_range variable x. */
165648Spiso#define SETNUMPORTS(x,y) ((x) = ((x) & 0xffff0000) | (y))
165648Spiso
165648Spisostatic void
165648SpisoStrToAddr (const char* str, struct in_addr* addr)
165648Spiso{
165648Spiso	struct hostent* hp;
165648Spiso
165648Spiso	if (inet_aton (str, addr))
165648Spiso		return;
165648Spiso
165648Spiso	hp = gethostbyname (str);
165648Spiso	if (!hp)
165648Spiso		errx (1, "unknown host %s", str);
165648Spiso
165648Spiso	memcpy (addr, hp->h_addr, sizeof (struct in_addr));
165648Spiso}
165648Spiso
165648Spisostatic int
165648SpisoStrToPortRange (const char* str, const char* proto, port_range *portRange)
165648Spiso{
165648Spiso	char*           sep;
165648Spiso	struct servent*	sp;
165648Spiso	char*		end;
165648Spiso	u_short         loPort;
165648Spiso	u_short         hiPort;
165648Spiso
165648Spiso	/* First see if this is a service, return corresponding port if so. */
165648Spiso	sp = getservbyname (str,proto);
165648Spiso	if (sp) {
165648Spiso	        SETLOPORT(*portRange, ntohs(sp->s_port));
165648Spiso		SETNUMPORTS(*portRange, 1);
165648Spiso		return 0;
165648Spiso	}
165648Spiso
165648Spiso	/* Not a service, see if it's a single port or port range. */
165648Spiso	sep = strchr (str, '-');
165648Spiso	if (sep == NULL) {
165648Spiso	        SETLOPORT(*portRange, strtol(str, &end, 10));
165648Spiso		if (end != str) {
165648Spiso		        /* Single port. */
165648Spiso		        SETNUMPORTS(*portRange, 1);
165648Spiso			return 0;
165648Spiso		}
165648Spiso
165648Spiso		/* Error in port range field. */
165648Spiso		errx (EX_DATAERR, "%s/%s: unknown service", str, proto);
165648Spiso	}
165648Spiso
165648Spiso	/* Port range, get the values and sanity check. */
165648Spiso	sscanf (str, "%hu-%hu", &loPort, &hiPort);
165648Spiso	SETLOPORT(*portRange, loPort);
165648Spiso	SETNUMPORTS(*portRange, 0);	/* Error by default */
165648Spiso	if (loPort <= hiPort)
165648Spiso	        SETNUMPORTS(*portRange, hiPort - loPort + 1);
165648Spiso
165648Spiso	if (GETNUMPORTS(*portRange) == 0)
165648Spiso	        errx (EX_DATAERR, "invalid port range %s", str);
165648Spiso
165648Spiso	return 0;
165648Spiso}
165648Spiso
165648Spisostatic int
165648SpisoStrToProto (const char* str)
165648Spiso{
165648Spiso	if (!strcmp (str, "tcp"))
165648Spiso		return IPPROTO_TCP;
165648Spiso
165648Spiso	if (!strcmp (str, "udp"))
165648Spiso		return IPPROTO_UDP;
165648Spiso
165648Spiso	errx (EX_DATAERR, "unknown protocol %s. Expected tcp or udp", str);
165648Spiso}
165648Spiso
165648Spisostatic int
165648SpisoStrToAddrAndPortRange (const char* str, struct in_addr* addr, char* proto,
165648Spiso		       port_range *portRange)
165648Spiso{
165648Spiso	char*	ptr;
165648Spiso
165648Spiso	ptr = strchr (str, ':');
165648Spiso	if (!ptr)
165648Spiso		errx (EX_DATAERR, "%s is missing port number", str);
165648Spiso
165648Spiso	*ptr = '\0';
165648Spiso	++ptr;
165648Spiso
165648Spiso	StrToAddr (str, addr);
165648Spiso	return StrToPortRange (ptr, proto, portRange);
165648Spiso}
165648Spiso
165648Spiso/* End of stuff taken from natd.c. */
165648Spiso
165648Spiso#define INC_ARGCV() do {        \
165648Spiso	(*_av)++;               \
165648Spiso	(*_ac)--;               \
165648Spiso	av = *_av;              \
165648Spiso	ac = *_ac;              \
165648Spiso} while(0)
165648Spiso
165648Spiso/*
165648Spiso * The next 3 functions add support for the addr, port and proto redirect and
165648Spiso * their logic is loosely based on SetupAddressRedirect(), SetupPortRedirect()
165648Spiso * and SetupProtoRedirect() from natd.c.
165648Spiso *
165648Spiso * Every setup_* function fills at least one redirect entry
165648Spiso * (struct cfg_redir) and zero or more server pool entry (struct cfg_spool)
165648Spiso * in buf.
165648Spiso *
165648Spiso * The format of data in buf is:
165648Spiso *
165648Spiso *
165648Spiso *     cfg_nat    cfg_redir    cfg_spool    ......  cfg_spool
165648Spiso *
165648Spiso *    -------------------------------------        ------------
165648Spiso *   |          | .....X ... |          |         |           |  .....
165648Spiso *    ------------------------------------- ...... ------------
165648Spiso *                     ^
165648Spiso *                spool_cnt       n=0       ......   n=(X-1)
165648Spiso *
165648Spiso * len points to the amount of available space in buf
165648Spiso * space counts the memory consumed by every function
165648Spiso *
165648Spiso * XXX - Every function get all the argv params so it
165648Spiso * has to check, in optional parameters, that the next
165648Spiso * args is a valid option for the redir entry and not
165648Spiso * another token. Only redir_port and redir_proto are
165648Spiso * affected by this.
165648Spiso */
165648Spiso
165648Spisostatic int
165648Spisosetup_redir_addr(char *spool_buf, int len,
165648Spiso		 int *_ac, char ***_av)
165648Spiso{
165648Spiso	char **av, *sep; /* Token separator. */
165648Spiso	/* Temporary buffer used to hold server pool ip's. */
165648Spiso	char tmp_spool_buf[NAT_BUF_LEN];
183208Srik	int ac, space, lsnat;
165648Spiso	struct cfg_redir *r;
165648Spiso	struct cfg_spool *tmp;
165648Spiso
165648Spiso	av = *_av;
165648Spiso	ac = *_ac;
165648Spiso	space = 0;
165648Spiso	lsnat = 0;
165648Spiso	if (len >= SOF_REDIR) {
165648Spiso		r = (struct cfg_redir *)spool_buf;
165648Spiso		/* Skip cfg_redir at beginning of buf. */
165648Spiso		spool_buf = &spool_buf[SOF_REDIR];
165648Spiso		space = SOF_REDIR;
165648Spiso		len -= SOF_REDIR;
165648Spiso	} else
165648Spiso		goto nospace;
165648Spiso	r->mode = REDIR_ADDR;
165648Spiso	/* Extract local address. */
165648Spiso	if (ac == 0)
165648Spiso		errx(EX_DATAERR, "redirect_addr: missing local address");
165648Spiso	sep = strchr(*av, ',');
165648Spiso	if (sep) {		/* LSNAT redirection syntax. */
165648Spiso		r->laddr.s_addr = INADDR_NONE;
165648Spiso		/* Preserve av, copy spool servers to tmp_spool_buf. */
165648Spiso		strncpy(tmp_spool_buf, *av, strlen(*av)+1);
165648Spiso		lsnat = 1;
165648Spiso	} else
165648Spiso		StrToAddr(*av, &r->laddr);
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/* Extract public address. */
165648Spiso	if (ac == 0)
165648Spiso		errx(EX_DATAERR, "redirect_addr: missing public address");
165648Spiso	StrToAddr(*av, &r->paddr);
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/* Setup LSNAT server pool. */
165648Spiso	if (sep) {
165648Spiso		sep = strtok(tmp_spool_buf, ",");
165648Spiso		while (sep != NULL) {
165648Spiso			tmp = (struct cfg_spool *)spool_buf;
165648Spiso			if (len < SOF_SPOOL)
165648Spiso				goto nospace;
165648Spiso			len -= SOF_SPOOL;
165648Spiso			space += SOF_SPOOL;
165648Spiso			StrToAddr(sep, &tmp->addr);
165648Spiso			tmp->port = ~0;
165648Spiso			r->spool_cnt++;
165648Spiso			/* Point to the next possible cfg_spool. */
165648Spiso			spool_buf = &spool_buf[SOF_SPOOL];
165648Spiso			sep = strtok(NULL, ",");
165648Spiso		}
165648Spiso	}
165648Spiso	return(space);
165648Spisonospace:
165648Spiso	errx(EX_DATAERR, "redirect_addr: buf is too small\n");
165648Spiso}
165648Spiso
165648Spisostatic int
165648Spisosetup_redir_port(char *spool_buf, int len,
165648Spiso		 int *_ac, char ***_av)
165648Spiso{
165648Spiso	char **av, *sep, *protoName;
165648Spiso	char tmp_spool_buf[NAT_BUF_LEN];
165648Spiso	int ac, space, lsnat;
165648Spiso	struct cfg_redir *r;
165648Spiso	struct cfg_spool *tmp;
165648Spiso	u_short numLocalPorts;
165648Spiso	port_range portRange;
165648Spiso
165648Spiso	av = *_av;
165648Spiso	ac = *_ac;
165648Spiso	space = 0;
165648Spiso	lsnat = 0;
165648Spiso	numLocalPorts = 0;
165648Spiso
165648Spiso	if (len >= SOF_REDIR) {
165648Spiso		r = (struct cfg_redir *)spool_buf;
165648Spiso		/* Skip cfg_redir at beginning of buf. */
165648Spiso		spool_buf = &spool_buf[SOF_REDIR];
165648Spiso		space = SOF_REDIR;
165648Spiso		len -= SOF_REDIR;
165648Spiso	} else
165648Spiso		goto nospace;
165648Spiso	r->mode = REDIR_PORT;
165648Spiso	/*
165648Spiso	 * Extract protocol.
165648Spiso	 */
165648Spiso	if (ac == 0)
165648Spiso		errx (EX_DATAERR, "redirect_port: missing protocol");
165648Spiso	r->proto = StrToProto(*av);
165648Spiso	protoName = *av;
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/*
165648Spiso	 * Extract local address.
165648Spiso	 */
165648Spiso	if (ac == 0)
165648Spiso		errx (EX_DATAERR, "redirect_port: missing local address");
165648Spiso
165648Spiso	sep = strchr(*av, ',');
165648Spiso	/* LSNAT redirection syntax. */
165648Spiso	if (sep) {
165648Spiso		r->laddr.s_addr = INADDR_NONE;
165648Spiso		r->lport = ~0;
165648Spiso		numLocalPorts = 1;
165648Spiso		/* Preserve av, copy spool servers to tmp_spool_buf. */
165648Spiso		strncpy(tmp_spool_buf, *av, strlen(*av)+1);
165648Spiso		lsnat = 1;
165648Spiso	} else {
165648Spiso		if (StrToAddrAndPortRange (*av, &r->laddr, protoName,
165648Spiso		    &portRange) != 0)
165648Spiso			errx(EX_DATAERR, "redirect_port:"
165648Spiso			    "invalid local port range");
165648Spiso
165648Spiso		r->lport = GETLOPORT(portRange);
165648Spiso		numLocalPorts = GETNUMPORTS(portRange);
165648Spiso	}
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/*
165648Spiso	 * Extract public port and optionally address.
165648Spiso	 */
165648Spiso	if (ac == 0)
165648Spiso		errx (EX_DATAERR, "redirect_port: missing public port");
165648Spiso
165648Spiso	sep = strchr (*av, ':');
165648Spiso	if (sep) {
165648Spiso	        if (StrToAddrAndPortRange (*av, &r->paddr, protoName,
165648Spiso		    &portRange) != 0)
165648Spiso		        errx(EX_DATAERR, "redirect_port:"
165648Spiso			    "invalid public port range");
165648Spiso	} else {
165648Spiso		r->paddr.s_addr = INADDR_ANY;
165648Spiso		if (StrToPortRange (*av, protoName, &portRange) != 0)
165648Spiso		        errx(EX_DATAERR, "redirect_port:"
165648Spiso			    "invalid public port range");
165648Spiso	}
165648Spiso
165648Spiso	r->pport = GETLOPORT(portRange);
165648Spiso	r->pport_cnt = GETNUMPORTS(portRange);
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/*
165648Spiso	 * Extract remote address and optionally port.
165648Spiso	 */
165648Spiso	/*
165648Spiso	 * NB: isalpha(**av) => we've to check that next parameter is really an
165648Spiso	 * option for this redirect entry, else stop here processing arg[cv].
165648Spiso	 */
165648Spiso	if (ac != 0 && !isalpha(**av)) {
165648Spiso		sep = strchr (*av, ':');
165648Spiso		if (sep) {
165648Spiso		        if (StrToAddrAndPortRange (*av, &r->raddr, protoName,
165648Spiso			    &portRange) != 0)
165648Spiso				errx(EX_DATAERR, "redirect_port:"
165648Spiso				    "invalid remote port range");
165648Spiso		} else {
165648Spiso		        SETLOPORT(portRange, 0);
165648Spiso			SETNUMPORTS(portRange, 1);
165648Spiso			StrToAddr (*av, &r->raddr);
165648Spiso		}
165648Spiso		INC_ARGCV();
165648Spiso	} else {
165648Spiso		SETLOPORT(portRange, 0);
165648Spiso		SETNUMPORTS(portRange, 1);
165648Spiso		r->raddr.s_addr = INADDR_ANY;
165648Spiso	}
165648Spiso	r->rport = GETLOPORT(portRange);
165648Spiso	r->rport_cnt = GETNUMPORTS(portRange);
165648Spiso
165648Spiso	/*
165648Spiso	 * Make sure port ranges match up, then add the redirect ports.
165648Spiso	 */
165648Spiso	if (numLocalPorts != r->pport_cnt)
165648Spiso	        errx(EX_DATAERR, "redirect_port:"
165648Spiso		    "port ranges must be equal in size");
165648Spiso
165648Spiso	/* Remote port range is allowed to be '0' which means all ports. */
165648Spiso	if (r->rport_cnt != numLocalPorts &&
165648Spiso	    (r->rport_cnt != 1 || r->rport != 0))
165648Spiso	        errx(EX_DATAERR, "redirect_port: remote port must"
165648Spiso		    "be 0 or equal to local port range in size");
165648Spiso
165648Spiso	/*
165648Spiso	 * Setup LSNAT server pool.
165648Spiso	 */
165648Spiso	if (lsnat) {
165648Spiso		sep = strtok(tmp_spool_buf, ",");
165648Spiso		while (sep != NULL) {
165648Spiso			tmp = (struct cfg_spool *)spool_buf;
165648Spiso			if (len < SOF_SPOOL)
165648Spiso				goto nospace;
165648Spiso			len -= SOF_SPOOL;
165648Spiso			space += SOF_SPOOL;
165648Spiso			if (StrToAddrAndPortRange(sep, &tmp->addr, protoName,
165648Spiso			    &portRange) != 0)
165648Spiso				errx(EX_DATAERR, "redirect_port:"
165648Spiso				    "invalid local port range");
165648Spiso			if (GETNUMPORTS(portRange) != 1)
165648Spiso				errx(EX_DATAERR, "redirect_port: local port"
165648Spiso				    "must be single in this context");
165648Spiso			tmp->port = GETLOPORT(portRange);
165648Spiso			r->spool_cnt++;
165648Spiso			/* Point to the next possible cfg_spool. */
165648Spiso			spool_buf = &spool_buf[SOF_SPOOL];
165648Spiso			sep = strtok(NULL, ",");
165648Spiso		}
165648Spiso	}
165648Spiso	return (space);
165648Spisonospace:
165648Spiso	errx(EX_DATAERR, "redirect_port: buf is too small\n");
165648Spiso}
165648Spiso
165648Spisostatic int
165648Spisosetup_redir_proto(char *spool_buf, int len,
165648Spiso		 int *_ac, char ***_av)
165648Spiso{
165648Spiso	char **av;
183208Srik	int ac, space;
165648Spiso	struct protoent *protoent;
165648Spiso	struct cfg_redir *r;
165648Spiso
165648Spiso	av = *_av;
165648Spiso	ac = *_ac;
165648Spiso	if (len >= SOF_REDIR) {
165648Spiso		r = (struct cfg_redir *)spool_buf;
165648Spiso		/* Skip cfg_redir at beginning of buf. */
165648Spiso		spool_buf = &spool_buf[SOF_REDIR];
165648Spiso		space = SOF_REDIR;
165648Spiso		len -= SOF_REDIR;
165648Spiso	} else
165648Spiso		goto nospace;
165648Spiso	r->mode = REDIR_PROTO;
165648Spiso	/*
165648Spiso	 * Extract protocol.
165648Spiso	 */
165648Spiso	if (ac == 0)
165648Spiso		errx(EX_DATAERR, "redirect_proto: missing protocol");
165648Spiso
165648Spiso	protoent = getprotobyname(*av);
165648Spiso	if (protoent == NULL)
165648Spiso		errx(EX_DATAERR, "redirect_proto: unknown protocol %s", *av);
165648Spiso	else
165648Spiso		r->proto = protoent->p_proto;
165648Spiso
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/*
165648Spiso	 * Extract local address.
165648Spiso	 */
165648Spiso	if (ac == 0)
165648Spiso		errx(EX_DATAERR, "redirect_proto: missing local address");
165648Spiso	else
165648Spiso		StrToAddr(*av, &r->laddr);
165648Spiso
165648Spiso	INC_ARGCV();
165648Spiso
165648Spiso	/*
165648Spiso	 * Extract optional public address.
165648Spiso	 */
165648Spiso	if (ac == 0) {
165648Spiso		r->paddr.s_addr = INADDR_ANY;
165648Spiso		r->raddr.s_addr = INADDR_ANY;
165648Spiso	} else {
165648Spiso		/* see above in setup_redir_port() */
165648Spiso		if (!isalpha(**av)) {
165648Spiso			StrToAddr(*av, &r->paddr);
165648Spiso			INC_ARGCV();
165648Spiso
165648Spiso			/*
165648Spiso			 * Extract optional remote address.
165648Spiso			 */
165648Spiso			/* see above in setup_redir_port() */
165648Spiso			if (ac!=0 && !isalpha(**av)) {
165648Spiso				StrToAddr(*av, &r->raddr);
165648Spiso				INC_ARGCV();
165648Spiso			}
165648Spiso		}
165648Spiso	}
165648Spiso	return (space);
165648Spisonospace:
165648Spiso	errx(EX_DATAERR, "redirect_proto: buf is too small\n");
165648Spiso}
165648Spiso
165648Spisostatic void
183890Smaximshow_nat(int ac, char **av);
183890Smaxim
183890Smaximstatic void
187477Sluigiprint_nat_config(unsigned char *buf)
187477Sluigi{
165648Spiso	struct cfg_nat *n;
165648Spiso	int i, cnt, flag, off;
165648Spiso	struct cfg_redir *t;
165648Spiso	struct cfg_spool *s;
165648Spiso	struct protoent *p;
165648Spiso
165648Spiso	n = (struct cfg_nat *)buf;
165648Spiso	flag = 1;
165648Spiso	off  = sizeof(*n);
165648Spiso	printf("ipfw nat %u config", n->id);
165648Spiso	if (strlen(n->if_name) != 0)
165648Spiso		printf(" if %s", n->if_name);
165648Spiso	else if (n->ip.s_addr != 0)
165648Spiso		printf(" ip %s", inet_ntoa(n->ip));
165648Spiso	while (n->mode != 0) {
165648Spiso		if (n->mode & PKT_ALIAS_LOG) {
165648Spiso			printf(" log");
165648Spiso			n->mode &= ~PKT_ALIAS_LOG;
165648Spiso		} else if (n->mode & PKT_ALIAS_DENY_INCOMING) {
165648Spiso			printf(" deny_in");
165648Spiso			n->mode &= ~PKT_ALIAS_DENY_INCOMING;
165648Spiso		} else if (n->mode & PKT_ALIAS_SAME_PORTS) {
165648Spiso			printf(" same_ports");
165648Spiso			n->mode &= ~PKT_ALIAS_SAME_PORTS;
165648Spiso		} else if (n->mode & PKT_ALIAS_UNREGISTERED_ONLY) {
165648Spiso			printf(" unreg_only");
165648Spiso			n->mode &= ~PKT_ALIAS_UNREGISTERED_ONLY;
165648Spiso		} else if (n->mode & PKT_ALIAS_RESET_ON_ADDR_CHANGE) {
165648Spiso			printf(" reset");
165648Spiso			n->mode &= ~PKT_ALIAS_RESET_ON_ADDR_CHANGE;
165648Spiso		} else if (n->mode & PKT_ALIAS_REVERSE) {
165648Spiso			printf(" reverse");
165648Spiso			n->mode &= ~PKT_ALIAS_REVERSE;
165648Spiso		} else if (n->mode & PKT_ALIAS_PROXY_ONLY) {
165648Spiso			printf(" proxy_only");
165648Spiso			n->mode &= ~PKT_ALIAS_PROXY_ONLY;
165648Spiso		}
165648Spiso	}
165648Spiso	/* Print all the redirect's data configuration. */
165648Spiso	for (cnt = 0; cnt < n->redir_cnt; cnt++) {
165648Spiso		t = (struct cfg_redir *)&buf[off];
165648Spiso		off += SOF_REDIR;
165648Spiso		switch (t->mode) {
165648Spiso		case REDIR_ADDR:
165648Spiso			printf(" redirect_addr");
165648Spiso			if (t->spool_cnt == 0)
165648Spiso				printf(" %s", inet_ntoa(t->laddr));
165648Spiso			else
165648Spiso				for (i = 0; i < t->spool_cnt; i++) {
165648Spiso					s = (struct cfg_spool *)&buf[off];
165648Spiso					if (i)
165648Spiso						printf(",");
165648Spiso					else
165648Spiso						printf(" ");
165648Spiso					printf("%s", inet_ntoa(s->addr));
165648Spiso					off += SOF_SPOOL;
165648Spiso				}
165648Spiso			printf(" %s", inet_ntoa(t->paddr));
165648Spiso			break;
165648Spiso		case REDIR_PORT:
165648Spiso			p = getprotobynumber(t->proto);
165648Spiso			printf(" redirect_port %s ", p->p_name);
165648Spiso			if (!t->spool_cnt) {
165648Spiso				printf("%s:%u", inet_ntoa(t->laddr), t->lport);
165648Spiso				if (t->pport_cnt > 1)
165648Spiso					printf("-%u", t->lport +
165648Spiso					    t->pport_cnt - 1);
165648Spiso			} else
165648Spiso				for (i=0; i < t->spool_cnt; i++) {
165648Spiso					s = (struct cfg_spool *)&buf[off];
165648Spiso					if (i)
165648Spiso						printf(",");
165648Spiso					printf("%s:%u", inet_ntoa(s->addr),
165648Spiso					    s->port);
165648Spiso					off += SOF_SPOOL;
165648Spiso				}
165648Spiso
165648Spiso			printf(" ");
165648Spiso			if (t->paddr.s_addr)
165648Spiso				printf("%s:", inet_ntoa(t->paddr));
165648Spiso			printf("%u", t->pport);
165648Spiso			if (!t->spool_cnt && t->pport_cnt > 1)
165648Spiso				printf("-%u", t->pport + t->pport_cnt - 1);
165648Spiso
165648Spiso			if (t->raddr.s_addr) {
165648Spiso				printf(" %s", inet_ntoa(t->raddr));
165648Spiso				if (t->rport) {
165648Spiso					printf(":%u", t->rport);
165648Spiso					if (!t->spool_cnt && t->rport_cnt > 1)
165648Spiso						printf("-%u", t->rport +
165648Spiso						    t->rport_cnt - 1);
165648Spiso				}
165648Spiso			}
165648Spiso			break;
165648Spiso		case REDIR_PROTO:
165648Spiso			p = getprotobynumber(t->proto);
165648Spiso			printf(" redirect_proto %s %s", p->p_name,
165648Spiso			    inet_ntoa(t->laddr));
165648Spiso			if (t->paddr.s_addr != 0) {
165648Spiso				printf(" %s", inet_ntoa(t->paddr));
165648Spiso				if (t->raddr.s_addr)
165648Spiso					printf(" %s", inet_ntoa(t->raddr));
165648Spiso			}
165648Spiso			break;
165648Spiso		default:
165648Spiso			errx(EX_DATAERR, "unknown redir mode");
165648Spiso			break;
165648Spiso		}
165648Spiso	}
165648Spiso	printf("\n");
165648Spiso}
165648Spiso
165648Spisostatic void
165648Spisoconfig_nat(int ac, char **av)
165648Spiso{
165648Spiso	struct cfg_nat *n;              /* Nat instance configuration. */
165648Spiso	int i, len, off, tok;
165648Spiso	char *id, buf[NAT_BUF_LEN]; 	/* Buffer for serialized data. */
165648Spiso
165648Spiso	len = NAT_BUF_LEN;
165648Spiso	/* Offset in buf: save space for n at the beginning. */
165648Spiso	off = sizeof(*n);
165648Spiso	memset(buf, 0, sizeof(buf));
165648Spiso	n = (struct cfg_nat *)buf;
165648Spiso
165648Spiso	av++; ac--;
165648Spiso	/* Nat id. */
165648Spiso	if (ac && isdigit(**av)) {
165648Spiso		id = *av;
165648Spiso		i = atoi(*av);
165648Spiso		ac--; av++;
165648Spiso		n->id = i;
165648Spiso	} else
165648Spiso		errx(EX_DATAERR, "missing nat id");
165648Spiso	if (ac == 0)
165648Spiso		errx(EX_DATAERR, "missing option");
165648Spiso
165648Spiso	while (ac > 0) {
165648Spiso		tok = match_token(nat_params, *av);
165648Spiso		ac--; av++;
165648Spiso		switch (tok) {
165648Spiso		case TOK_IP:
165648Spiso			if (ac == 0)
165648Spiso				errx(EX_DATAERR, "missing option");
165648Spiso			if (!inet_aton(av[0], &(n->ip)))
165648Spiso				errx(EX_DATAERR, "bad ip address ``%s''",
165648Spiso				    av[0]);
165648Spiso			ac--; av++;
165648Spiso			break;
165648Spiso		case TOK_IF:
175511Smaxim			if (ac == 0)
175511Smaxim				errx(EX_DATAERR, "missing option");
165648Spiso			set_addr_dynamic(av[0], n);
165648Spiso			ac--; av++;
165648Spiso			break;
165648Spiso		case TOK_ALOG:
165648Spiso			n->mode |= PKT_ALIAS_LOG;
165648Spiso			break;
165648Spiso		case TOK_DENY_INC:
165648Spiso			n->mode |= PKT_ALIAS_DENY_INCOMING;
165648Spiso			break;
165648Spiso		case TOK_SAME_PORTS:
165648Spiso			n->mode |= PKT_ALIAS_SAME_PORTS;
165648Spiso			break;
165648Spiso		case TOK_UNREG_ONLY:
165648Spiso			n->mode |= PKT_ALIAS_UNREGISTERED_ONLY;
165648Spiso			break;
165648Spiso		case TOK_RESET_ADDR:
165648Spiso			n->mode |= PKT_ALIAS_RESET_ON_ADDR_CHANGE;
165648Spiso			break;
165648Spiso		case TOK_ALIAS_REV:
165648Spiso			n->mode |= PKT_ALIAS_REVERSE;
165648Spiso			break;
165648Spiso		case TOK_PROXY_ONLY:
165648Spiso			n->mode |= PKT_ALIAS_PROXY_ONLY;
165648Spiso			break;
165648Spiso			/*
165648Spiso			 * All the setup_redir_* functions work directly in the final
165648Spiso			 * buffer, see above for details.
165648Spiso			 */
165648Spiso		case TOK_REDIR_ADDR:
165648Spiso		case TOK_REDIR_PORT:
165648Spiso		case TOK_REDIR_PROTO:
165648Spiso			switch (tok) {
165648Spiso			case TOK_REDIR_ADDR:
165648Spiso				i = setup_redir_addr(&buf[off], len, &ac, &av);
165648Spiso				break;
165648Spiso			case TOK_REDIR_PORT:
165648Spiso				i = setup_redir_port(&buf[off], len, &ac, &av);
165648Spiso				break;
165648Spiso			case TOK_REDIR_PROTO:
165648Spiso				i = setup_redir_proto(&buf[off], len, &ac, &av);
165648Spiso				break;
165648Spiso			}
165648Spiso			n->redir_cnt++;
165648Spiso			off += i;
165648Spiso			len -= i;
165648Spiso			break;
165648Spiso		default:
165648Spiso			errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]);
165648Spiso		}
165648Spiso	}
165648Spiso
165648Spiso	i = do_cmd(IP_FW_NAT_CFG, buf, off);
165648Spiso	if (i)
165648Spiso		err(1, "setsockopt(%s)", "IP_FW_NAT_CFG");
183890Smaxim
186297Spiso	if (!do_quiet) {
186297Spiso		/* After every modification, we show the resultant rule. */
186297Spiso		int _ac = 3;
186297Spiso		char *_av[] = {"show", "config", id};
186297Spiso		show_nat(_ac, _av);
186297Spiso	}
165648Spiso}
165648Spiso
165648Spisostatic void
98943Sluigiconfig_pipe(int ac, char **av)
98943Sluigi{
117469Sluigi	struct dn_pipe p;
98943Sluigi	int i;
98943Sluigi	char *end;
98943Sluigi	void *par = NULL;
98943Sluigi
117469Sluigi	memset(&p, 0, sizeof p);
98943Sluigi
98943Sluigi	av++; ac--;
98943Sluigi	/* Pipe number */
98943Sluigi	if (ac && isdigit(**av)) {
98943Sluigi		i = atoi(*av); av++; ac--;
98943Sluigi		if (do_pipe == 1)
117469Sluigi			p.pipe_nr = i;
98943Sluigi		else
117469Sluigi			p.fs.fs_nr = i;
98943Sluigi	}
99475Sluigi	while (ac > 0) {
98943Sluigi		double d;
98943Sluigi		int tok = match_token(dummynet_params, *av);
98943Sluigi		ac--; av++;
98943Sluigi
98943Sluigi		switch(tok) {
101978Sluigi		case TOK_NOERROR:
117469Sluigi			p.fs.flags_fs |= DN_NOERROR;
101978Sluigi			break;
101978Sluigi
98943Sluigi		case TOK_PLR:
98943Sluigi			NEED1("plr needs argument 0..1\n");
98943Sluigi			d = strtod(av[0], NULL);
98943Sluigi			if (d > 1)
98943Sluigi				d = 1;
98943Sluigi			else if (d < 0)
98943Sluigi				d = 0;
117469Sluigi			p.fs.plr = (int)(d*0x7fffffff);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_QUEUE:
98943Sluigi			NEED1("queue needs queue size\n");
98943Sluigi			end = NULL;
117469Sluigi			p.fs.qsize = strtoul(av[0], &end, 0);
98943Sluigi			if (*end == 'K' || *end == 'k') {
117469Sluigi				p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
117469Sluigi				p.fs.qsize *= 1024;
140271Sbrooks			} else if (*end == 'B' ||
140271Sbrooks			    _substrcmp2(end, "by", "bytes") == 0) {
117469Sluigi				p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
98943Sluigi			}
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_BUCKETS:
98943Sluigi			NEED1("buckets needs argument\n");
117469Sluigi			p.fs.rq_size = strtoul(av[0], NULL, 0);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_MASK:
98943Sluigi			NEED1("mask needs mask specifier\n");
98943Sluigi			/*
98943Sluigi			 * per-flow queue, mask is dst_ip, dst_port,
98943Sluigi			 * src_ip, src_port, proto measured in bits
98943Sluigi			 */
98943Sluigi			par = NULL;
98943Sluigi
145246Sbrooks			bzero(&p.fs.flow_mask, sizeof(p.fs.flow_mask));
98943Sluigi			end = NULL;
98943Sluigi
98943Sluigi			while (ac >= 1) {
117328Sluigi			    uint32_t *p32 = NULL;
117328Sluigi			    uint16_t *p16 = NULL;
145246Sbrooks			    uint32_t *p20 = NULL;
145246Sbrooks			    struct in6_addr *pa6 = NULL;
145246Sbrooks			    uint32_t a;
98943Sluigi
98943Sluigi			    tok = match_token(dummynet_params, *av);
98943Sluigi			    ac--; av++;
98943Sluigi			    switch(tok) {
98943Sluigi			    case TOK_ALL:
98943Sluigi				    /*
98943Sluigi				     * special case, all bits significant
98943Sluigi				     */
117469Sluigi				    p.fs.flow_mask.dst_ip = ~0;
117469Sluigi				    p.fs.flow_mask.src_ip = ~0;
117469Sluigi				    p.fs.flow_mask.dst_port = ~0;
117469Sluigi				    p.fs.flow_mask.src_port = ~0;
117469Sluigi				    p.fs.flow_mask.proto = ~0;
145246Sbrooks				    n2mask(&(p.fs.flow_mask.dst_ip6), 128);
145246Sbrooks				    n2mask(&(p.fs.flow_mask.src_ip6), 128);
145246Sbrooks				    p.fs.flow_mask.flow_id6 = ~0;
117469Sluigi				    p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
98943Sluigi				    goto end_mask;
98943Sluigi
98943Sluigi			    case TOK_DSTIP:
117469Sluigi				    p32 = &p.fs.flow_mask.dst_ip;
98943Sluigi				    break;
98943Sluigi
98943Sluigi			    case TOK_SRCIP:
117469Sluigi				    p32 = &p.fs.flow_mask.src_ip;
98943Sluigi				    break;
98943Sluigi
145246Sbrooks			    case TOK_DSTIP6:
145246Sbrooks				    pa6 = &(p.fs.flow_mask.dst_ip6);
145246Sbrooks				    break;
145246Sbrooks
145246Sbrooks			    case TOK_SRCIP6:
145246Sbrooks				    pa6 = &(p.fs.flow_mask.src_ip6);
145246Sbrooks				    break;
145246Sbrooks
145246Sbrooks			    case TOK_FLOWID:
145246Sbrooks				    p20 = &p.fs.flow_mask.flow_id6;
145246Sbrooks				    break;
145246Sbrooks
98943Sluigi			    case TOK_DSTPORT:
117469Sluigi				    p16 = &p.fs.flow_mask.dst_port;
98943Sluigi				    break;
98943Sluigi
98943Sluigi			    case TOK_SRCPORT:
117469Sluigi				    p16 = &p.fs.flow_mask.src_port;
98943Sluigi				    break;
98943Sluigi
98943Sluigi			    case TOK_PROTO:
98943Sluigi				    break;
98943Sluigi
98943Sluigi			    default:
98943Sluigi				    ac++; av--; /* backtrack */
98943Sluigi				    goto end_mask;
98943Sluigi			    }
98943Sluigi			    if (ac < 1)
98943Sluigi				    errx(EX_USAGE, "mask: value missing");
98943Sluigi			    if (*av[0] == '/') {
98943Sluigi				    a = strtoul(av[0]+1, &end, 0);
145246Sbrooks				    if (pa6 == NULL)
145246Sbrooks					    a = (a == 32) ? ~0 : (1 << a) - 1;
106505Smaxim			    } else
99909Sluigi				    a = strtoul(av[0], &end, 0);
98943Sluigi			    if (p32 != NULL)
98943Sluigi				    *p32 = a;
98943Sluigi			    else if (p16 != NULL) {
139821Sbrooks				    if (a > 0xFFFF)
98943Sluigi					    errx(EX_DATAERR,
144687Sbrooks						"port mask must be 16 bit");
117328Sluigi				    *p16 = (uint16_t)a;
145246Sbrooks			    } else if (p20 != NULL) {
145246Sbrooks				    if (a > 0xfffff)
145246Sbrooks					errx(EX_DATAERR,
145246Sbrooks					    "flow_id mask must be 20 bit");
145246Sbrooks				    *p20 = (uint32_t)a;
145246Sbrooks			    } else if (pa6 != NULL) {
187477Sluigi				    if (a > 128)
145246Sbrooks					errx(EX_DATAERR,
145246Sbrooks					    "in6addr invalid mask len");
145246Sbrooks				    else
145246Sbrooks					n2mask(pa6, a);
98943Sluigi			    } else {
139821Sbrooks				    if (a > 0xFF)
98943Sluigi					    errx(EX_DATAERR,
144687Sbrooks						"proto mask must be 8 bit");
117469Sluigi				    p.fs.flow_mask.proto = (uint8_t)a;
98943Sluigi			    }
98943Sluigi			    if (a != 0)
117469Sluigi				    p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
98943Sluigi			    ac--; av++;
98943Sluigi			} /* end while, config masks */
98943Sluigiend_mask:
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_RED:
98943Sluigi		case TOK_GRED:
98943Sluigi			NEED1("red/gred needs w_q/min_th/max_th/max_p\n");
117469Sluigi			p.fs.flags_fs |= DN_IS_RED;
98943Sluigi			if (tok == TOK_GRED)
117469Sluigi				p.fs.flags_fs |= DN_IS_GENTLE_RED;
98943Sluigi			/*
98943Sluigi			 * the format for parameters is w_q/min_th/max_th/max_p
98943Sluigi			 */
98943Sluigi			if ((end = strsep(&av[0], "/"))) {
98943Sluigi			    double w_q = strtod(end, NULL);
98943Sluigi			    if (w_q > 1 || w_q <= 0)
98943Sluigi				errx(EX_DATAERR, "0 < w_q <= 1");
117469Sluigi			    p.fs.w_q = (int) (w_q * (1 << SCALE_RED));
98943Sluigi			}
98943Sluigi			if ((end = strsep(&av[0], "/"))) {
117469Sluigi			    p.fs.min_th = strtoul(end, &end, 0);
98943Sluigi			    if (*end == 'K' || *end == 'k')
117469Sluigi				p.fs.min_th *= 1024;
98943Sluigi			}
98943Sluigi			if ((end = strsep(&av[0], "/"))) {
117469Sluigi			    p.fs.max_th = strtoul(end, &end, 0);
98943Sluigi			    if (*end == 'K' || *end == 'k')
117469Sluigi				p.fs.max_th *= 1024;
98943Sluigi			}
98943Sluigi			if ((end = strsep(&av[0], "/"))) {
98943Sluigi			    double max_p = strtod(end, NULL);
98943Sluigi			    if (max_p > 1 || max_p <= 0)
98943Sluigi				errx(EX_DATAERR, "0 < max_p <= 1");
117469Sluigi			    p.fs.max_p = (int)(max_p * (1 << SCALE_RED));
98943Sluigi			}
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_DROPTAIL:
117469Sluigi			p.fs.flags_fs &= ~(DN_IS_RED|DN_IS_GENTLE_RED);
98943Sluigi			break;
106505Smaxim
98943Sluigi		case TOK_BW:
98943Sluigi			NEED1("bw needs bandwidth or interface\n");
98943Sluigi			if (do_pipe != 1)
98943Sluigi			    errx(EX_DATAERR, "bandwidth only valid for pipes");
98943Sluigi			/*
98943Sluigi			 * set clocking interface or bandwidth value
98943Sluigi			 */
98943Sluigi			if (av[0][0] >= 'a' && av[0][0] <= 'z') {
117469Sluigi			    int l = sizeof(p.if_name)-1;
98943Sluigi			    /* interface name */
117469Sluigi			    strncpy(p.if_name, av[0], l);
117469Sluigi			    p.if_name[l] = '\0';
117469Sluigi			    p.bandwidth = 0;
98943Sluigi			} else {
117469Sluigi			    p.if_name[0] = '\0';
117469Sluigi			    p.bandwidth = strtoul(av[0], &end, 0);
98943Sluigi			    if (*end == 'K' || *end == 'k') {
98943Sluigi				end++;
117469Sluigi				p.bandwidth *= 1000;
98943Sluigi			    } else if (*end == 'M') {
98943Sluigi				end++;
117469Sluigi				p.bandwidth *= 1000000;
98943Sluigi			    }
161550Sdwmalone			    if ((*end == 'B' &&
161550Sdwmalone				  _substrcmp2(end, "Bi", "Bit/s") != 0) ||
140271Sbrooks			        _substrcmp2(end, "by", "bytes") == 0)
117469Sluigi				p.bandwidth *= 8;
117469Sluigi			    if (p.bandwidth < 0)
98943Sluigi				errx(EX_DATAERR, "bandwidth too large");
98943Sluigi			}
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_DELAY:
98943Sluigi			if (do_pipe != 1)
98943Sluigi				errx(EX_DATAERR, "delay only valid for pipes");
98943Sluigi			NEED1("delay needs argument 0..10000ms\n");
117469Sluigi			p.delay = strtoul(av[0], NULL, 0);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_WEIGHT:
98943Sluigi			if (do_pipe == 1)
98943Sluigi				errx(EX_DATAERR,"weight only valid for queues");
98943Sluigi			NEED1("weight needs argument 0..100\n");
117469Sluigi			p.fs.weight = strtoul(av[0], &end, 0);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_PIPE:
98943Sluigi			if (do_pipe == 1)
98943Sluigi				errx(EX_DATAERR,"pipe only valid for queues");
98943Sluigi			NEED1("pipe needs pipe_number\n");
117469Sluigi			p.fs.parent_nr = strtoul(av[0], &end, 0);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		default:
124924Smaxim			errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]);
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (do_pipe == 1) {
117469Sluigi		if (p.pipe_nr == 0)
98943Sluigi			errx(EX_DATAERR, "pipe_nr must be > 0");
117469Sluigi		if (p.delay > 10000)
98943Sluigi			errx(EX_DATAERR, "delay must be < 10000");
98943Sluigi	} else { /* do_pipe == 2, queue */
117469Sluigi		if (p.fs.parent_nr == 0)
98943Sluigi			errx(EX_DATAERR, "pipe must be > 0");
117469Sluigi		if (p.fs.weight >100)
98943Sluigi			errx(EX_DATAERR, "weight must be <= 100");
98943Sluigi	}
117469Sluigi	if (p.fs.flags_fs & DN_QSIZE_IS_BYTES) {
176626Sdwmalone		size_t len;
176626Sdwmalone		long limit;
176626Sdwmalone
176626Sdwmalone		len = sizeof(limit);
176626Sdwmalone		if (sysctlbyname("net.inet.ip.dummynet.pipe_byte_limit",
176626Sdwmalone			&limit, &len, NULL, 0) == -1)
176626Sdwmalone			limit = 1024*1024;
176626Sdwmalone		if (p.fs.qsize > limit)
176626Sdwmalone			errx(EX_DATAERR, "queue size must be < %ldB", limit);
98943Sluigi	} else {
176626Sdwmalone		size_t len;
176626Sdwmalone		long limit;
176626Sdwmalone
176626Sdwmalone		len = sizeof(limit);
176626Sdwmalone		if (sysctlbyname("net.inet.ip.dummynet.pipe_slot_limit",
176626Sdwmalone			&limit, &len, NULL, 0) == -1)
176626Sdwmalone			limit = 100;
176626Sdwmalone		if (p.fs.qsize > limit)
176626Sdwmalone			errx(EX_DATAERR, "2 <= queue size <= %ld", limit);
98943Sluigi	}
117469Sluigi	if (p.fs.flags_fs & DN_IS_RED) {
98943Sluigi		size_t len;
98943Sluigi		int lookup_depth, avg_pkt_size;
98943Sluigi		double s, idle, weight, w_q;
117469Sluigi		struct clockinfo ck;
98943Sluigi		int t;
98943Sluigi
117469Sluigi		if (p.fs.min_th >= p.fs.max_th)
98943Sluigi		    errx(EX_DATAERR, "min_th %d must be < than max_th %d",
117469Sluigi			p.fs.min_th, p.fs.max_th);
117469Sluigi		if (p.fs.max_th == 0)
98943Sluigi		    errx(EX_DATAERR, "max_th must be > 0");
98943Sluigi
98943Sluigi		len = sizeof(int);
98943Sluigi		if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth",
98943Sluigi			&lookup_depth, &len, NULL, 0) == -1)
98943Sluigi		    errx(1, "sysctlbyname(\"%s\")",
98943Sluigi			"net.inet.ip.dummynet.red_lookup_depth");
98943Sluigi		if (lookup_depth == 0)
98943Sluigi		    errx(EX_DATAERR, "net.inet.ip.dummynet.red_lookup_depth"
98943Sluigi			" must be greater than zero");
98943Sluigi
98943Sluigi		len = sizeof(int);
98943Sluigi		if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size",
98943Sluigi			&avg_pkt_size, &len, NULL, 0) == -1)
98943Sluigi
98943Sluigi		    errx(1, "sysctlbyname(\"%s\")",
98943Sluigi			"net.inet.ip.dummynet.red_avg_pkt_size");
98943Sluigi		if (avg_pkt_size == 0)
98943Sluigi			errx(EX_DATAERR,
98943Sluigi			    "net.inet.ip.dummynet.red_avg_pkt_size must"
98943Sluigi			    " be greater than zero");
98943Sluigi
98943Sluigi		len = sizeof(struct clockinfo);
117469Sluigi		if (sysctlbyname("kern.clockrate", &ck, &len, NULL, 0) == -1)
98943Sluigi			errx(1, "sysctlbyname(\"%s\")", "kern.clockrate");
98943Sluigi
98943Sluigi		/*
98943Sluigi		 * Ticks needed for sending a medium-sized packet.
98943Sluigi		 * Unfortunately, when we are configuring a WF2Q+ queue, we
98943Sluigi		 * do not have bandwidth information, because that is stored
98943Sluigi		 * in the parent pipe, and also we have multiple queues
98943Sluigi		 * competing for it. So we set s=0, which is not very
98943Sluigi		 * correct. But on the other hand, why do we want RED with
98943Sluigi		 * WF2Q+ ?
98943Sluigi		 */
117469Sluigi		if (p.bandwidth==0) /* this is a WF2Q+ queue */
98943Sluigi			s = 0;
98943Sluigi		else
174713Soleg			s = (double)ck.hz * avg_pkt_size * 8 / p.bandwidth;
98943Sluigi
98943Sluigi		/*
98943Sluigi		 * max idle time (in ticks) before avg queue size becomes 0.
98943Sluigi		 * NOTA:  (3/w_q) is approx the value x so that
98943Sluigi		 * (1-w_q)^x < 10^-3.
98943Sluigi		 */
117469Sluigi		w_q = ((double)p.fs.w_q) / (1 << SCALE_RED);
98943Sluigi		idle = s * 3. / w_q;
117469Sluigi		p.fs.lookup_step = (int)idle / lookup_depth;
117469Sluigi		if (!p.fs.lookup_step)
117469Sluigi			p.fs.lookup_step = 1;
98943Sluigi		weight = 1 - w_q;
174713Soleg		for (t = p.fs.lookup_step; t > 1; --t)
174713Soleg			weight *= 1 - w_q;
117469Sluigi		p.fs.lookup_weight = (int)(weight * (1 << SCALE_RED));
98943Sluigi	}
117469Sluigi	i = do_cmd(IP_DUMMYNET_CONFIGURE, &p, sizeof p);
98943Sluigi	if (i)
98943Sluigi		err(1, "setsockopt(%s)", "IP_DUMMYNET_CONFIGURE");
98943Sluigi}
98943Sluigi
98943Sluigistatic void
169424Smaximget_mac_addr_mask(const char *p, uint8_t *addr, uint8_t *mask)
98943Sluigi{
98943Sluigi	int i, l;
169424Smaxim	char *ap, *ptr, *optr;
169424Smaxim	struct ether_addr *mac;
169424Smaxim	const char *macset = "0123456789abcdefABCDEF:";
98943Sluigi
169424Smaxim	if (strcmp(p, "any") == 0) {
169424Smaxim		for (i = 0; i < ETHER_ADDR_LEN; i++)
169424Smaxim			addr[i] = mask[i] = 0;
98943Sluigi		return;
169424Smaxim	}
98943Sluigi
169424Smaxim	optr = ptr = strdup(p);
169424Smaxim	if ((ap = strsep(&ptr, "&/")) != NULL && *ap != 0) {
169424Smaxim		l = strlen(ap);
169424Smaxim		if (strspn(ap, macset) != l || (mac = ether_aton(ap)) == NULL)
169424Smaxim			errx(EX_DATAERR, "Incorrect MAC address");
169424Smaxim		bcopy(mac, addr, ETHER_ADDR_LEN);
169424Smaxim	} else
169424Smaxim		errx(EX_DATAERR, "Incorrect MAC address");
169424Smaxim
169424Smaxim	if (ptr != NULL) { /* we have mask? */
169424Smaxim		if (p[ptr - optr - 1] == '/') { /* mask len */
169424Smaxim			l = strtol(ptr, &ap, 10);
169424Smaxim			if (*ap != 0 || l > ETHER_ADDR_LEN * 8 || l < 0)
169424Smaxim				errx(EX_DATAERR, "Incorrect mask length");
169424Smaxim			for (i = 0; l > 0 && i < ETHER_ADDR_LEN; l -= 8, i++)
169424Smaxim				mask[i] = (l >= 8) ? 0xff: (~0) << (8 - l);
169424Smaxim		} else { /* mask */
169424Smaxim			l = strlen(ptr);
169424Smaxim			if (strspn(ptr, macset) != l ||
169424Smaxim			    (mac = ether_aton(ptr)) == NULL)
169424Smaxim				errx(EX_DATAERR, "Incorrect mask");
169424Smaxim			bcopy(mac, mask, ETHER_ADDR_LEN);
98943Sluigi		}
169424Smaxim	} else { /* default mask: ff:ff:ff:ff:ff:ff */
169424Smaxim		for (i = 0; i < ETHER_ADDR_LEN; i++)
98943Sluigi			mask[i] = 0xff;
98943Sluigi	}
169424Smaxim	for (i = 0; i < ETHER_ADDR_LEN; i++)
98943Sluigi		addr[i] &= mask[i];
169424Smaxim
169424Smaxim	free(optr);
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * helper function, updates the pointer to cmd with the length
98943Sluigi * of the current command, and also cleans up the first word of
98943Sluigi * the new command in case it has been clobbered before.
98943Sluigi */
98943Sluigistatic ipfw_insn *
98943Sluiginext_cmd(ipfw_insn *cmd)
98943Sluigi{
98943Sluigi	cmd += F_LEN(cmd);
98943Sluigi	bzero(cmd, sizeof(*cmd));
98943Sluigi	return cmd;
98943Sluigi}
98943Sluigi
98943Sluigi/*
117469Sluigi * Takes arguments and copies them into a comment
117469Sluigi */
117469Sluigistatic void
117469Sluigifill_comment(ipfw_insn *cmd, int ac, char **av)
117469Sluigi{
117469Sluigi	int i, l;
117469Sluigi	char *p = (char *)(cmd + 1);
117577Sluigi
117469Sluigi	cmd->opcode = O_NOP;
117469Sluigi	cmd->len =  (cmd->len & (F_NOT | F_OR));
117469Sluigi
117469Sluigi	/* Compute length of comment string. */
117469Sluigi	for (i = 0, l = 0; i < ac; i++)
117469Sluigi		l += strlen(av[i]) + 1;
117469Sluigi	if (l == 0)
117469Sluigi		return;
117469Sluigi	if (l > 84)
117469Sluigi		errx(EX_DATAERR,
117469Sluigi		    "comment too long (max 80 chars)");
117469Sluigi	l = 1 + (l+3)/4;
117469Sluigi	cmd->len =  (cmd->len & (F_NOT | F_OR)) | l;
117469Sluigi	for (i = 0; i < ac; i++) {
117469Sluigi		strcpy(p, av[i]);
117469Sluigi		p += strlen(av[i]);
117469Sluigi		*p++ = ' ';
117469Sluigi	}
117469Sluigi	*(--p) = '\0';
117469Sluigi}
117577Sluigi
117469Sluigi/*
98943Sluigi * A function to fill simple commands of size 1.
98943Sluigi * Existing flags are preserved.
98943Sluigi */
98943Sluigistatic void
117328Sluigifill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
98943Sluigi{
98943Sluigi	cmd->opcode = opcode;
98943Sluigi	cmd->len =  ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
98943Sluigi	cmd->arg1 = arg;
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Fetch and add the MAC address and type, with masks. This generates one or
98943Sluigi * two microinstructions, and returns the pointer to the last one.
98943Sluigi */
98943Sluigistatic ipfw_insn *
98943Sluigiadd_mac(ipfw_insn *cmd, int ac, char *av[])
98943Sluigi{
102087Sluigi	ipfw_insn_mac *mac;
98943Sluigi
102087Sluigi	if (ac < 2)
102098Sluigi		errx(EX_DATAERR, "MAC dst src");
98943Sluigi
98943Sluigi	cmd->opcode = O_MACADDR2;
98943Sluigi	cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
98943Sluigi
98943Sluigi	mac = (ipfw_insn_mac *)cmd;
101978Sluigi	get_mac_addr_mask(av[0], mac->addr, mac->mask);	/* dst */
169424Smaxim	get_mac_addr_mask(av[1], &(mac->addr[ETHER_ADDR_LEN]),
169424Smaxim	    &(mac->mask[ETHER_ADDR_LEN])); /* src */
102087Sluigi	return cmd;
102087Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_mactype(ipfw_insn *cmd, int ac, char *av)
102087Sluigi{
102087Sluigi	if (ac < 1)
102087Sluigi		errx(EX_DATAERR, "missing MAC type");
102087Sluigi	if (strcmp(av, "any") != 0) { /* we have a non-null type */
102087Sluigi		fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE);
98943Sluigi		cmd->opcode = O_MAC_TYPE;
102087Sluigi		return cmd;
102087Sluigi	} else
102087Sluigi		return NULL;
102087Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
152923Sumeadd_proto0(ipfw_insn *cmd, char *av, u_char *protop)
102087Sluigi{
102087Sluigi	struct protoent *pe;
152923Sume	char *ep;
152923Sume	int proto;
102087Sluigi
156315Sume	proto = strtol(av, &ep, 10);
156315Sume	if (*ep != '\0' || proto <= 0) {
152923Sume		if ((pe = getprotobyname(av)) == NULL)
152923Sume			return NULL;
152923Sume		proto = pe->p_proto;
152923Sume	}
145246Sbrooks
152923Sume	fill_cmd(cmd, O_PROTO, 0, proto);
152923Sume	*protop = proto;
152923Sume	return cmd;
152923Sume}
152923Sume
152923Sumestatic ipfw_insn *
152923Sumeadd_proto(ipfw_insn *cmd, char *av, u_char *protop)
152923Sume{
152923Sume	u_char proto = IPPROTO_IP;
152923Sume
156315Sume	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
146894Smlaier		; /* do not set O_IP4 nor O_IP6 */
152923Sume	else if (strcmp(av, "ip4") == 0)
152923Sume		/* explicit "just IPv4" rule */
152923Sume		fill_cmd(cmd, O_IP4, 0, 0);
152923Sume	else if (strcmp(av, "ip6") == 0) {
152923Sume		/* explicit "just IPv6" rule */
152923Sume		proto = IPPROTO_IPV6;
152923Sume		fill_cmd(cmd, O_IP6, 0, 0);
152923Sume	} else
152923Sume		return add_proto0(cmd, av, protop);
152923Sume
152923Sume	*protop = proto;
152923Sume	return cmd;
152923Sume}
152923Sume
152923Sumestatic ipfw_insn *
152923Sumeadd_proto_compat(ipfw_insn *cmd, char *av, u_char *protop)
152923Sume{
152923Sume	u_char proto = IPPROTO_IP;
152923Sume
152923Sume	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
152923Sume		; /* do not set O_IP4 nor O_IP6 */
146894Smlaier	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
146894Smlaier		/* explicit "just IPv4" rule */
146894Smlaier		fill_cmd(cmd, O_IP4, 0, 0);
146894Smlaier	else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
146894Smlaier		/* explicit "just IPv6" rule */
152923Sume		proto = IPPROTO_IPV6;
146894Smlaier		fill_cmd(cmd, O_IP6, 0, 0);
152923Sume	} else
152923Sume		return add_proto0(cmd, av, protop);
145246Sbrooks
152923Sume	*protop = proto;
98943Sluigi	return cmd;
98943Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_srcip(ipfw_insn *cmd, char *av)
102087Sluigi{
102087Sluigi	fill_ip((ipfw_insn_ip *)cmd, av);
102087Sluigi	if (cmd->opcode == O_IP_DST_SET)			/* set */
102087Sluigi		cmd->opcode = O_IP_SRC_SET;
130281Sru	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
130281Sru		cmd->opcode = O_IP_SRC_LOOKUP;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
102087Sluigi		cmd->opcode = O_IP_SRC_ME;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
102087Sluigi		cmd->opcode = O_IP_SRC;
117328Sluigi	else							/* addr/mask */
102087Sluigi		cmd->opcode = O_IP_SRC_MASK;
102087Sluigi	return cmd;
102087Sluigi}
102087Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_dstip(ipfw_insn *cmd, char *av)
102087Sluigi{
102087Sluigi	fill_ip((ipfw_insn_ip *)cmd, av);
102087Sluigi	if (cmd->opcode == O_IP_DST_SET)			/* set */
102087Sluigi		;
130281Sru	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
130281Sru		;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
102087Sluigi		cmd->opcode = O_IP_DST_ME;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
102087Sluigi		cmd->opcode = O_IP_DST;
117328Sluigi	else							/* addr/mask */
102087Sluigi		cmd->opcode = O_IP_DST_MASK;
102087Sluigi	return cmd;
102087Sluigi}
102087Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
102087Sluigi{
140271Sbrooks	if (_substrcmp(av, "any") == 0) {
102087Sluigi		return NULL;
102087Sluigi	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
102087Sluigi		/* XXX todo: check that we have a protocol with ports */
102087Sluigi		cmd->opcode = opcode;
102087Sluigi		return cmd;
102087Sluigi	}
102087Sluigi	return NULL;
102087Sluigi}
102087Sluigi
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_src(ipfw_insn *cmd, char *av, u_char proto)
145246Sbrooks{
145246Sbrooks	struct in6_addr a;
158553Smlaier	char *host, *ch;
158553Smlaier	ipfw_insn *ret = NULL;
145246Sbrooks
158553Smlaier	if ((host = strdup(av)) == NULL)
158553Smlaier		return NULL;
158553Smlaier	if ((ch = strrchr(host, '/')) != NULL)
158553Smlaier		*ch = '\0';
158553Smlaier
145246Sbrooks	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
158553Smlaier	    inet_pton(AF_INET6, host, &a))
158553Smlaier		ret = add_srcip6(cmd, av);
145246Sbrooks	/* XXX: should check for IPv4, not !IPv6 */
161483Sdwmalone	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
161483Sdwmalone	    !inet_pton(AF_INET6, host, &a)))
158553Smlaier		ret = add_srcip(cmd, av);
161483Sdwmalone	if (ret == NULL && strcmp(av, "any") != 0)
158553Smlaier		ret = cmd;
145246Sbrooks
158553Smlaier	free(host);
158553Smlaier	return ret;
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_dst(ipfw_insn *cmd, char *av, u_char proto)
145246Sbrooks{
145246Sbrooks	struct in6_addr a;
158553Smlaier	char *host, *ch;
158553Smlaier	ipfw_insn *ret = NULL;
145246Sbrooks
158553Smlaier	if ((host = strdup(av)) == NULL)
158553Smlaier		return NULL;
158553Smlaier	if ((ch = strrchr(host, '/')) != NULL)
158553Smlaier		*ch = '\0';
158553Smlaier
145246Sbrooks	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
158553Smlaier	    inet_pton(AF_INET6, host, &a))
158553Smlaier		ret = add_dstip6(cmd, av);
145246Sbrooks	/* XXX: should check for IPv4, not !IPv6 */
161483Sdwmalone	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
161483Sdwmalone	    !inet_pton(AF_INET6, host, &a)))
158553Smlaier		ret = add_dstip(cmd, av);
161483Sdwmalone	if (ret == NULL && strcmp(av, "any") != 0)
158553Smlaier		ret = cmd;
145246Sbrooks
158553Smlaier	free(host);
158553Smlaier	return ret;
145246Sbrooks}
145246Sbrooks
98943Sluigi/*
98943Sluigi * Parse arguments and assemble the microinstructions which make up a rule.
98943Sluigi * Rules are added into the 'rulebuf' and then copied in the correct order
98943Sluigi * into the actual rule.
98943Sluigi *
136071Sgreen * The syntax for a rule starts with the action, followed by
136071Sgreen * optional action parameters, and the various match patterns.
108533Sschweikh * In the assembled microcode, the first opcode must be an O_PROBE_STATE
98943Sluigi * (generated if the rule includes a keep-state option), then the
136071Sgreen * various match patterns, log/altq actions, and the actual action.
106505Smaxim *
98943Sluigi */
98943Sluigistatic void
98943Sluigiadd(int ac, char *av[])
98943Sluigi{
98943Sluigi	/*
98943Sluigi	 * rules are added into the 'rulebuf' and then copied in
98943Sluigi	 * the correct order into the actual rule.
98943Sluigi	 * Some things that need to go out of order (prob, action etc.)
98943Sluigi	 * go into actbuf[].
98943Sluigi	 */
117328Sluigi	static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
98943Sluigi
117469Sluigi	ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
102087Sluigi	ipfw_insn *first_cmd;	/* first match pattern */
98943Sluigi
98943Sluigi	struct ip_fw *rule;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * various flags used to record that we entered some fields.
98943Sluigi	 */
101116Sluigi	ipfw_insn *have_state = NULL;	/* check-state or keep-state */
158879Soleg	ipfw_insn *have_log = NULL, *have_altq = NULL, *have_tag = NULL;
134475Smaxim	size_t len;
98943Sluigi
98943Sluigi	int i;
98943Sluigi
98943Sluigi	int open_par = 0;	/* open parenthesis ( */
98943Sluigi
98943Sluigi	/* proto is here because it is used to fetch ports */
98943Sluigi	u_char proto = IPPROTO_IP;	/* default protocol */
98943Sluigi
107289Sluigi	double match_prob = 1; /* match probability, default is always match */
107289Sluigi
98943Sluigi	bzero(actbuf, sizeof(actbuf));		/* actions go here */
98943Sluigi	bzero(cmdbuf, sizeof(cmdbuf));
98943Sluigi	bzero(rulebuf, sizeof(rulebuf));
98943Sluigi
98943Sluigi	rule = (struct ip_fw *)rulebuf;
98943Sluigi	cmd = (ipfw_insn *)cmdbuf;
98943Sluigi	action = (ipfw_insn *)actbuf;
98943Sluigi
98943Sluigi	av++; ac--;
98943Sluigi
98943Sluigi	/* [rule N]	-- Rule number optional */
98943Sluigi	if (ac && isdigit(**av)) {
98943Sluigi		rule->rulenum = atoi(*av);
98943Sluigi		av++;
98943Sluigi		ac--;
98943Sluigi	}
98943Sluigi
117655Sluigi	/* [set N]	-- set number (0..RESVD_SET), optional */
140271Sbrooks	if (ac > 1 && _substrcmp(*av, "set") == 0) {
101628Sluigi		int set = strtoul(av[1], NULL, 10);
117655Sluigi		if (set < 0 || set > RESVD_SET)
101628Sluigi			errx(EX_DATAERR, "illegal set %s", av[1]);
101628Sluigi		rule->set = set;
101628Sluigi		av += 2; ac -= 2;
101628Sluigi	}
101628Sluigi
98943Sluigi	/* [prob D]	-- match probability, optional */
140271Sbrooks	if (ac > 1 && _substrcmp(*av, "prob") == 0) {
107289Sluigi		match_prob = strtod(av[1], NULL);
98943Sluigi
107289Sluigi		if (match_prob <= 0 || match_prob > 1)
98943Sluigi			errx(EX_DATAERR, "illegal match prob. %s", av[1]);
98943Sluigi		av += 2; ac -= 2;
98943Sluigi	}
98943Sluigi
98943Sluigi	/* action	-- mandatory */
98943Sluigi	NEED1("missing action");
98943Sluigi	i = match_token(rule_actions, *av);
98943Sluigi	ac--; av++;
98943Sluigi	action->len = 1;	/* default */
98943Sluigi	switch(i) {
98943Sluigi	case TOK_CHECKSTATE:
101116Sluigi		have_state = action;
98943Sluigi		action->opcode = O_CHECK_STATE;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_ACCEPT:
98943Sluigi		action->opcode = O_ACCEPT;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_DENY:
98943Sluigi		action->opcode = O_DENY;
99475Sluigi		action->arg1 = 0;
98943Sluigi		break;
98943Sluigi
99475Sluigi	case TOK_REJECT:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		action->arg1 = ICMP_UNREACH_HOST;
99475Sluigi		break;
99475Sluigi
99475Sluigi	case TOK_RESET:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		action->arg1 = ICMP_REJECT_RST;
99475Sluigi		break;
99475Sluigi
149020Sbz	case TOK_RESET6:
149020Sbz		action->opcode = O_UNREACH6;
149020Sbz		action->arg1 = ICMP6_UNREACH_RST;
149020Sbz		break;
149020Sbz
99475Sluigi	case TOK_UNREACH:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		NEED1("missing reject code");
99475Sluigi		fill_reject_code(&action->arg1, *av);
99475Sluigi		ac--; av++;
99475Sluigi		break;
99475Sluigi
149020Sbz	case TOK_UNREACH6:
149020Sbz		action->opcode = O_UNREACH6;
149020Sbz		NEED1("missing unreach code");
149020Sbz		fill_unreach6_code(&action->arg1, *av);
149020Sbz		ac--; av++;
149020Sbz		break;
149020Sbz
98943Sluigi	case TOK_COUNT:
98943Sluigi		action->opcode = O_COUNT;
98943Sluigi		break;
98943Sluigi
176517Spiso	case TOK_NAT:
176517Spiso 		action->opcode = O_NAT;
176517Spiso 		action->len = F_INSN_SIZE(ipfw_insn_nat);
176517Spiso		goto chkarg;
178888Sjulian
98943Sluigi	case TOK_QUEUE:
153374Sglebius		action->opcode = O_QUEUE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_PIPE:
153374Sglebius		action->opcode = O_PIPE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_SKIPTO:
153374Sglebius		action->opcode = O_SKIPTO;
153374Sglebius		goto chkarg;
153374Sglebius	case TOK_NETGRAPH:
153374Sglebius		action->opcode = O_NETGRAPH;
153374Sglebius		goto chkarg;
153374Sglebius	case TOK_NGTEE:
153374Sglebius		action->opcode = O_NGTEE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_DIVERT:
153374Sglebius		action->opcode = O_DIVERT;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_TEE:
153374Sglebius		action->opcode = O_TEE;
153374Sglebiuschkarg:
153374Sglebius		if (!ac)
153374Sglebius			errx(EX_USAGE, "missing argument for %s", *(av - 1));
153374Sglebius		if (isdigit(**av)) {
153374Sglebius			action->arg1 = strtoul(*av, NULL, 10);
153374Sglebius			if (action->arg1 <= 0 || action->arg1 >= IP_FW_TABLEARG)
153374Sglebius				errx(EX_DATAERR, "illegal argument for %s",
153374Sglebius				    *(av - 1));
153374Sglebius		} else if (_substrcmp(*av, TABLEARG) == 0) {
153374Sglebius			action->arg1 = IP_FW_TABLEARG;
153374Sglebius		} else if (i == TOK_DIVERT || i == TOK_TEE) {
98943Sluigi			struct servent *s;
98943Sluigi			setservent(1);
98943Sluigi			s = getservbyname(av[0], "divert");
98943Sluigi			if (s != NULL)
98943Sluigi				action->arg1 = ntohs(s->s_port);
98943Sluigi			else
98943Sluigi				errx(EX_DATAERR, "illegal divert/tee port");
153374Sglebius		} else
153374Sglebius			errx(EX_DATAERR, "illegal argument for %s", *(av - 1));
98943Sluigi		ac--; av++;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_FORWARD: {
98943Sluigi		ipfw_insn_sa *p = (ipfw_insn_sa *)action;
98943Sluigi		char *s, *end;
98943Sluigi
98943Sluigi		NEED1("missing forward address[:port]");
98943Sluigi
98943Sluigi		action->opcode = O_FORWARD_IP;
98943Sluigi		action->len = F_INSN_SIZE(ipfw_insn_sa);
98943Sluigi
98943Sluigi		p->sa.sin_len = sizeof(struct sockaddr_in);
98943Sluigi		p->sa.sin_family = AF_INET;
98943Sluigi		p->sa.sin_port = 0;
98943Sluigi		/*
98943Sluigi		 * locate the address-port separator (':' or ',')
98943Sluigi		 */
98943Sluigi		s = strchr(*av, ':');
98943Sluigi		if (s == NULL)
98943Sluigi			s = strchr(*av, ',');
98943Sluigi		if (s != NULL) {
98943Sluigi			*(s++) = '\0';
98943Sluigi			i = strtoport(s, &end, 0 /* base */, 0 /* proto */);
98943Sluigi			if (s == end)
98943Sluigi				errx(EX_DATAERR,
98943Sluigi				    "illegal forwarding port ``%s''", s);
103241Sluigi			p->sa.sin_port = (u_short)i;
98943Sluigi		}
161456Sjulian		if (_substrcmp(*av, "tablearg") == 0)
161456Sjulian			p->sa.sin_addr.s_addr = INADDR_ANY;
161456Sjulian		else
161424Sjulian			lookup_host(*av, &(p->sa.sin_addr));
98943Sluigi		ac--; av++;
98943Sluigi		break;
161424Sjulian	    }
117469Sluigi	case TOK_COMMENT:
117469Sluigi		/* pretend it is a 'count' rule followed by the comment */
117469Sluigi		action->opcode = O_COUNT;
117469Sluigi		ac++; av--;	/* go back... */
117469Sluigi		break;
178888Sjulian
178888Sjulian	case TOK_SETFIB:
178888Sjulian	    {
178888Sjulian		int numfibs;
178916Sjulian		size_t intsize = sizeof(int);
178888Sjulian
178888Sjulian		action->opcode = O_SETFIB;
178888Sjulian 		NEED1("missing fib number");
178888Sjulian 	        action->arg1 = strtoul(*av, NULL, 10);
178916Sjulian		if (sysctlbyname("net.fibs", &numfibs, &intsize, NULL, 0) == -1)
178888Sjulian			errx(EX_DATAERR, "fibs not suported.\n");
178888Sjulian		if (action->arg1 >= numfibs)  /* Temporary */
178888Sjulian			errx(EX_DATAERR, "fib too large.\n");
178888Sjulian 		ac--; av++;
178888Sjulian 		break;
178888Sjulian	    }
165648Spiso
98943Sluigi	default:
102087Sluigi		errx(EX_DATAERR, "invalid action %s\n", av[-1]);
98943Sluigi	}
98943Sluigi	action = next_cmd(action);
98943Sluigi
98943Sluigi	/*
136071Sgreen	 * [altq queuename] -- altq tag, optional
98943Sluigi	 * [log [logamount N]]	-- log, optional
98943Sluigi	 *
136071Sgreen	 * If they exist, it go first in the cmdbuf, but then it is
98943Sluigi	 * skipped in the copy section to the end of the buffer.
98943Sluigi	 */
136071Sgreen	while (ac != 0 && (i = match_token(rule_action_params, *av)) != -1) {
136071Sgreen		ac--; av++;
136071Sgreen		switch (i) {
136071Sgreen		case TOK_LOG:
136071Sgreen		    {
136071Sgreen			ipfw_insn_log *c = (ipfw_insn_log *)cmd;
136071Sgreen			int l;
98943Sluigi
136071Sgreen			if (have_log)
136071Sgreen				errx(EX_DATAERR,
136071Sgreen				    "log cannot be specified more than once");
136071Sgreen			have_log = (ipfw_insn *)c;
136071Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_log);
136071Sgreen			cmd->opcode = O_LOG;
140271Sbrooks			if (ac && _substrcmp(*av, "logamount") == 0) {
136071Sgreen				ac--; av++;
136071Sgreen				NEED1("logamount requires argument");
136071Sgreen				l = atoi(*av);
136071Sgreen				if (l < 0)
136071Sgreen					errx(EX_DATAERR,
136071Sgreen					    "logamount must be positive");
136071Sgreen				c->max_log = l;
136071Sgreen				ac--; av++;
136071Sgreen			} else {
136071Sgreen				len = sizeof(c->max_log);
136071Sgreen				if (sysctlbyname("net.inet.ip.fw.verbose_limit",
136071Sgreen				    &c->max_log, &len, NULL, 0) == -1)
136071Sgreen					errx(1, "sysctlbyname(\"%s\")",
136071Sgreen					    "net.inet.ip.fw.verbose_limit");
136071Sgreen			}
136071Sgreen		    }
136071Sgreen			break;
136071Sgreen
136071Sgreen		case TOK_ALTQ:
136071Sgreen		    {
136071Sgreen			ipfw_insn_altq *a = (ipfw_insn_altq *)cmd;
136071Sgreen
136071Sgreen			NEED1("missing altq queue name");
136071Sgreen			if (have_altq)
136071Sgreen				errx(EX_DATAERR,
136071Sgreen				    "altq cannot be specified more than once");
136071Sgreen			have_altq = (ipfw_insn *)a;
136071Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_altq);
136071Sgreen			cmd->opcode = O_ALTQ;
136071Sgreen			fill_altq_qid(&a->qid, *av);
98943Sluigi			ac--; av++;
136071Sgreen		    }
136071Sgreen			break;
136071Sgreen
158879Soleg		case TOK_TAG:
159636Soleg		case TOK_UNTAG: {
159636Soleg			uint16_t tag;
159636Soleg
158879Soleg			if (have_tag)
159636Soleg				errx(EX_USAGE, "tag and untag cannot be "
159636Soleg				    "specified more than once");
182823Srik			GET_UINT_ARG(tag, 1, IPFW_DEFAULT_RULE - 1, i,
182823Srik			   rule_action_params);
158879Soleg			have_tag = cmd;
159636Soleg			fill_cmd(cmd, O_TAG, (i == TOK_TAG) ? 0: F_NOT, tag);
158879Soleg			ac--; av++;
158879Soleg			break;
159636Soleg		}
158879Soleg
136071Sgreen		default:
136071Sgreen			abort();
98943Sluigi		}
98943Sluigi		cmd = next_cmd(cmd);
98943Sluigi	}
98943Sluigi
101116Sluigi	if (have_state)	/* must be a check-state, we are done */
98943Sluigi		goto done;
98943Sluigi
98943Sluigi#define OR_START(target)					\
98943Sluigi	if (ac && (*av[0] == '(' || *av[0] == '{')) {		\
98943Sluigi		if (open_par)					\
98943Sluigi			errx(EX_USAGE, "nested \"(\" not allowed\n"); \
101641Sluigi		prev = NULL;					\
98943Sluigi		open_par = 1;					\
98943Sluigi		if ( (av[0])[1] == '\0') {			\
98943Sluigi			ac--; av++;				\
98943Sluigi		} else						\
98943Sluigi			(*av)++;				\
98943Sluigi	}							\
98943Sluigi	target:							\
98943Sluigi
98943Sluigi
98943Sluigi#define	CLOSE_PAR						\
98943Sluigi	if (open_par) {						\
98943Sluigi		if (ac && (					\
140271Sbrooks		    strcmp(*av, ")") == 0 ||			\
140271Sbrooks		    strcmp(*av, "}") == 0)) {			\
101641Sluigi			prev = NULL;				\
98943Sluigi			open_par = 0;				\
98943Sluigi			ac--; av++;				\
98943Sluigi		} else						\
98943Sluigi			errx(EX_USAGE, "missing \")\"\n");	\
98943Sluigi	}
106505Smaxim
98943Sluigi#define NOT_BLOCK						\
140271Sbrooks	if (ac && _substrcmp(*av, "not") == 0) {		\
98943Sluigi		if (cmd->len & F_NOT)				\
98943Sluigi			errx(EX_USAGE, "double \"not\" not allowed\n"); \
98943Sluigi		cmd->len |= F_NOT;				\
98943Sluigi		ac--; av++;					\
98943Sluigi	}
98943Sluigi
98943Sluigi#define OR_BLOCK(target)					\
140271Sbrooks	if (ac && _substrcmp(*av, "or") == 0) {		\
98943Sluigi		if (prev == NULL || open_par == 0)		\
98943Sluigi			errx(EX_DATAERR, "invalid OR block");	\
98943Sluigi		prev->len |= F_OR;				\
98943Sluigi		ac--; av++;					\
98943Sluigi		goto target;					\
98943Sluigi	}							\
98943Sluigi	CLOSE_PAR;
98943Sluigi
102087Sluigi	first_cmd = cmd;
102098Sluigi
102098Sluigi#if 0
98943Sluigi	/*
102087Sluigi	 * MAC addresses, optional.
102087Sluigi	 * If we have this, we skip the part "proto from src to dst"
102087Sluigi	 * and jump straight to the option parsing.
102087Sluigi	 */
102087Sluigi	NOT_BLOCK;
102087Sluigi	NEED1("missing protocol");
140271Sbrooks	if (_substrcmp(*av, "MAC") == 0 ||
140271Sbrooks	    _substrcmp(*av, "mac") == 0) {
102087Sluigi		ac--; av++;	/* the "MAC" keyword */
102087Sluigi		add_mac(cmd, ac, av); /* exits in case of errors */
102087Sluigi		cmd = next_cmd(cmd);
102087Sluigi		ac -= 2; av += 2;	/* dst-mac and src-mac */
102087Sluigi		NOT_BLOCK;
102087Sluigi		NEED1("missing mac type");
102087Sluigi		if (add_mactype(cmd, ac, av[0]))
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		ac--; av++;	/* any or mac-type */
102087Sluigi		goto read_options;
102087Sluigi	}
102098Sluigi#endif
102087Sluigi
102087Sluigi	/*
98943Sluigi	 * protocol, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(get_proto);
98943Sluigi	NOT_BLOCK;
98943Sluigi	NEED1("missing protocol");
152923Sume	if (add_proto_compat(cmd, *av, &proto)) {
102087Sluigi		av++; ac--;
147105Smlaier		if (F_LEN(cmd) != 0) {
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
102098Sluigi	} else if (first_cmd != cmd) {
116438Smaxim		errx(EX_DATAERR, "invalid protocol ``%s''", *av);
102098Sluigi	} else
102098Sluigi		goto read_options;
98943Sluigi    OR_BLOCK(get_proto);
98943Sluigi
98943Sluigi	/*
102087Sluigi	 * "from", mandatory
98943Sluigi	 */
140271Sbrooks	if (!ac || _substrcmp(*av, "from") != 0)
98943Sluigi		errx(EX_USAGE, "missing ``from''");
98943Sluigi	ac--; av++;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * source IP, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(source_ip);
98943Sluigi	NOT_BLOCK;	/* optional "not" */
98943Sluigi	NEED1("missing source address");
145246Sbrooks	if (add_src(cmd, *av, proto)) {
102087Sluigi		ac--; av++;
102087Sluigi		if (F_LEN(cmd) != 0) {	/* ! any */
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
145246Sbrooks	} else
145246Sbrooks		errx(EX_USAGE, "bad source address %s", *av);
98943Sluigi    OR_BLOCK(source_ip);
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * source ports, optional
98943Sluigi	 */
98943Sluigi	NOT_BLOCK;	/* optional "not" */
101641Sluigi	if (ac) {
140271Sbrooks		if (_substrcmp(*av, "any") == 0 ||
102087Sluigi		    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
102087Sluigi			ac--; av++;
102087Sluigi			if (F_LEN(cmd) != 0)
102087Sluigi				cmd = next_cmd(cmd);
101641Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
102087Sluigi	 * "to", mandatory
98943Sluigi	 */
140271Sbrooks	if (!ac || _substrcmp(*av, "to") != 0)
98943Sluigi		errx(EX_USAGE, "missing ``to''");
98943Sluigi	av++; ac--;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * destination, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(dest_ip);
98943Sluigi	NOT_BLOCK;	/* optional "not" */
98943Sluigi	NEED1("missing dst address");
145246Sbrooks	if (add_dst(cmd, *av, proto)) {
102087Sluigi		ac--; av++;
102087Sluigi		if (F_LEN(cmd) != 0) {	/* ! any */
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
145246Sbrooks	} else
145246Sbrooks		errx( EX_USAGE, "bad destination address %s", *av);
98943Sluigi    OR_BLOCK(dest_ip);
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * dest. ports, optional
98943Sluigi	 */
98943Sluigi	NOT_BLOCK;	/* optional "not" */
101641Sluigi	if (ac) {
140271Sbrooks		if (_substrcmp(*av, "any") == 0 ||
102087Sluigi		    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
102087Sluigi			ac--; av++;
102087Sluigi			if (F_LEN(cmd) != 0)
102087Sluigi				cmd = next_cmd(cmd);
101641Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigiread_options:
102087Sluigi	if (ac && first_cmd == cmd) {
102087Sluigi		/*
102087Sluigi		 * nothing specified so far, store in the rule to ease
102087Sluigi		 * printout later.
102087Sluigi		 */
102087Sluigi		 rule->_pad = 1;
102087Sluigi	}
98943Sluigi	prev = NULL;
98943Sluigi	while (ac) {
101641Sluigi		char *s;
101641Sluigi		ipfw_insn_u32 *cmd32;	/* alias for cmd */
98943Sluigi
101641Sluigi		s = *av;
101641Sluigi		cmd32 = (ipfw_insn_u32 *)cmd;
101641Sluigi
98943Sluigi		if (*s == '!') {	/* alternate syntax for NOT */
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				errx(EX_USAGE, "double \"not\" not allowed\n");
98943Sluigi			cmd->len = F_NOT;
98943Sluigi			s++;
98943Sluigi		}
98943Sluigi		i = match_token(rule_options, s);
98943Sluigi		ac--; av++;
98943Sluigi		switch(i) {
98943Sluigi		case TOK_NOT:
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				errx(EX_USAGE, "double \"not\" not allowed\n");
98943Sluigi			cmd->len = F_NOT;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_OR:
101641Sluigi			if (open_par == 0 || prev == NULL)
98943Sluigi				errx(EX_USAGE, "invalid \"or\" block\n");
98943Sluigi			prev->len |= F_OR;
98943Sluigi			break;
101641Sluigi
101641Sluigi		case TOK_STARTBRACE:
101641Sluigi			if (open_par)
101641Sluigi				errx(EX_USAGE, "+nested \"(\" not allowed\n");
101641Sluigi			open_par = 1;
101641Sluigi			break;
101641Sluigi
101641Sluigi		case TOK_ENDBRACE:
101641Sluigi			if (!open_par)
101641Sluigi				errx(EX_USAGE, "+missing \")\"\n");
101641Sluigi			open_par = 0;
102087Sluigi			prev = NULL;
101641Sluigi        		break;
101641Sluigi
98943Sluigi		case TOK_IN:
98943Sluigi			fill_cmd(cmd, O_IN, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_OUT:
98943Sluigi			cmd->len ^= F_NOT; /* toggle F_NOT */
98943Sluigi			fill_cmd(cmd, O_IN, 0, 0);
98943Sluigi			break;
98943Sluigi
136073Sgreen		case TOK_DIVERTED:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 3);
136073Sgreen			break;
136073Sgreen
136073Sgreen		case TOK_DIVERTEDLOOPBACK:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 1);
136073Sgreen			break;
136073Sgreen
136073Sgreen		case TOK_DIVERTEDOUTPUT:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 2);
136073Sgreen			break;
136073Sgreen
98943Sluigi		case TOK_FRAG:
98943Sluigi			fill_cmd(cmd, O_FRAG, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_LAYER2:
98943Sluigi			fill_cmd(cmd, O_LAYER2, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_XMIT:
98943Sluigi		case TOK_RECV:
98943Sluigi		case TOK_VIA:
98943Sluigi			NEED1("recv, xmit, via require interface name"
98943Sluigi				" or address");
98943Sluigi			fill_iface((ipfw_insn_if *)cmd, av[0]);
98943Sluigi			ac--; av++;
98943Sluigi			if (F_LEN(cmd) == 0)	/* not a valid address */
98943Sluigi				break;
98943Sluigi			if (i == TOK_XMIT)
98943Sluigi				cmd->opcode = O_XMIT;
98943Sluigi			else if (i == TOK_RECV)
98943Sluigi				cmd->opcode = O_RECV;
98943Sluigi			else if (i == TOK_VIA)
98943Sluigi				cmd->opcode = O_VIA;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_ICMPTYPES:
99475Sluigi			NEED1("icmptypes requires list of types");
99475Sluigi			fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
99475Sluigi			av++; ac--;
99475Sluigi			break;
145246Sbrooks
145246Sbrooks		case TOK_ICMP6TYPES:
145246Sbrooks			NEED1("icmptypes requires list of types");
145246Sbrooks			fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av);
145246Sbrooks			av++; ac--;
145246Sbrooks			break;
99475Sluigi
98943Sluigi		case TOK_IPTTL:
98943Sluigi			NEED1("ipttl requires TTL");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPTTL))
116690Sluigi				errx(EX_DATAERR, "invalid ipttl %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPID:
116690Sluigi			NEED1("ipid requires id");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPID))
116690Sluigi				errx(EX_DATAERR, "invalid ipid %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPLEN:
98943Sluigi			NEED1("iplen requires length");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPLEN))
116690Sluigi				errx(EX_DATAERR, "invalid ip len %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPVER:
98943Sluigi			NEED1("ipver requires version");
98943Sluigi			fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_IPPRECEDENCE:
99475Sluigi			NEED1("ipprecedence requires value");
99475Sluigi			fill_cmd(cmd, O_IPPRECEDENCE, 0,
99475Sluigi			    (strtoul(*av, NULL, 0) & 7) << 5);
99475Sluigi			ac--; av++;
99475Sluigi			break;
99475Sluigi
98943Sluigi		case TOK_IPOPTS:
98943Sluigi			NEED1("missing argument for ipoptions");
101116Sluigi			fill_flags(cmd, O_IPOPT, f_ipopts, *av);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_IPTOS:
99475Sluigi			NEED1("missing argument for iptos");
101116Sluigi			fill_flags(cmd, O_IPTOS, f_iptos, *av);
99475Sluigi			ac--; av++;
99475Sluigi			break;
99475Sluigi
98943Sluigi		case TOK_UID:
98943Sluigi			NEED1("uid requires argument");
98943Sluigi		    {
98943Sluigi			char *end;
98943Sluigi			uid_t uid;
98943Sluigi			struct passwd *pwd;
98943Sluigi
98943Sluigi			cmd->opcode = O_UID;
98943Sluigi			uid = strtoul(*av, &end, 0);
98943Sluigi			pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
98943Sluigi			if (pwd == NULL)
98943Sluigi				errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
106504Smaxim			cmd32->d[0] = pwd->pw_uid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
98943Sluigi			ac--; av++;
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_GID:
98943Sluigi			NEED1("gid requires argument");
98943Sluigi		    {
98943Sluigi			char *end;
98943Sluigi			gid_t gid;
98943Sluigi			struct group *grp;
98943Sluigi
98943Sluigi			cmd->opcode = O_GID;
98943Sluigi			gid = strtoul(*av, &end, 0);
98943Sluigi			grp = (*end == '\0') ? getgrgid(gid) : getgrnam(*av);
98943Sluigi			if (grp == NULL)
98943Sluigi				errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
106504Smaxim			cmd32->d[0] = grp->gr_gid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
98943Sluigi			ac--; av++;
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
133600Scsjp		case TOK_JAIL:
133600Scsjp			NEED1("jail requires argument");
133600Scsjp		    {
133600Scsjp			char *end;
133600Scsjp			int jid;
133600Scsjp
133600Scsjp			cmd->opcode = O_JAIL;
133600Scsjp			jid = (int)strtol(*av, &end, 0);
133600Scsjp			if (jid < 0 || *end != '\0')
133600Scsjp				errx(EX_DATAERR, "jail requires prison ID");
135554Scsjp			cmd32->d[0] = (uint32_t)jid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
133600Scsjp			ac--; av++;
133600Scsjp		    }
133600Scsjp			break;
133600Scsjp
98943Sluigi		case TOK_ESTAB:
98943Sluigi			fill_cmd(cmd, O_ESTAB, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_SETUP:
98943Sluigi			fill_cmd(cmd, O_TCPFLAGS, 0,
98943Sluigi				(TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
98943Sluigi			break;
98943Sluigi
136075Sgreen		case TOK_TCPDATALEN:
136075Sgreen			NEED1("tcpdatalen requires length");
136075Sgreen			if (strpbrk(*av, "-,")) {
136075Sgreen			    if (!add_ports(cmd, *av, 0, O_TCPDATALEN))
136075Sgreen				errx(EX_DATAERR, "invalid tcpdata len %s", *av);
136075Sgreen			} else
136075Sgreen			    fill_cmd(cmd, O_TCPDATALEN, 0,
136075Sgreen				    strtoul(*av, NULL, 0));
136075Sgreen			ac--; av++;
136075Sgreen			break;
136075Sgreen
98943Sluigi		case TOK_TCPOPTS:
98943Sluigi			NEED1("missing argument for tcpoptions");
98943Sluigi			fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPSEQ:
98943Sluigi		case TOK_TCPACK:
98943Sluigi			NEED1("tcpseq/tcpack requires argument");
98943Sluigi			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
98943Sluigi			cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
98943Sluigi			cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPWIN:
98943Sluigi			NEED1("tcpwin requires length");
98943Sluigi			fill_cmd(cmd, O_TCPWIN, 0,
98943Sluigi			    htons(strtoul(*av, NULL, 0)));
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPFLAGS:
98943Sluigi			NEED1("missing argument for tcpflags");
98943Sluigi			cmd->opcode = O_TCPFLAGS;
98943Sluigi			fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
98943Sluigi			ac--; av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_KEEPSTATE:
101641Sluigi			if (open_par)
101641Sluigi				errx(EX_USAGE, "keep-state cannot be part "
101641Sluigi				    "of an or block");
99909Sluigi			if (have_state)
101116Sluigi				errx(EX_USAGE, "only one of keep-state "
99909Sluigi					"and limit is allowed");
101116Sluigi			have_state = cmd;
98943Sluigi			fill_cmd(cmd, O_KEEP_STATE, 0, 0);
98943Sluigi			break;
98943Sluigi
159636Soleg		case TOK_LIMIT: {
159636Soleg			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
159636Soleg			int val;
159636Soleg
101641Sluigi			if (open_par)
159636Soleg				errx(EX_USAGE,
159636Soleg				    "limit cannot be part of an or block");
99909Sluigi			if (have_state)
168819Smaxim				errx(EX_USAGE, "only one of keep-state and "
159636Soleg				    "limit is allowed");
101116Sluigi			have_state = cmd;
98943Sluigi
98943Sluigi			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
98943Sluigi			cmd->opcode = O_LIMIT;
159636Soleg			c->limit_mask = c->conn_limit = 0;
98943Sluigi
159636Soleg			while (ac > 0) {
159636Soleg				if ((val = match_token(limit_masks, *av)) <= 0)
98943Sluigi					break;
98943Sluigi				c->limit_mask |= val;
98943Sluigi				ac--; av++;
98943Sluigi			}
159636Soleg
98943Sluigi			if (c->limit_mask == 0)
159636Soleg				errx(EX_USAGE, "limit: missing limit mask");
159636Soleg
182823Srik			GET_UINT_ARG(c->conn_limit, 1, IPFW_DEFAULT_RULE - 1,
182823Srik			    TOK_LIMIT, rule_options);
159636Soleg
98943Sluigi			ac--; av++;
98943Sluigi			break;
159636Soleg		}
98943Sluigi
102087Sluigi		case TOK_PROTO:
102087Sluigi			NEED1("missing protocol");
145246Sbrooks			if (add_proto(cmd, *av, &proto)) {
102087Sluigi				ac--; av++;
102098Sluigi			} else
116438Smaxim				errx(EX_DATAERR, "invalid protocol ``%s''",
116438Smaxim				    *av);
102087Sluigi			break;
106505Smaxim
102087Sluigi		case TOK_SRCIP:
102087Sluigi			NEED1("missing source IP");
102087Sluigi			if (add_srcip(cmd, *av)) {
102087Sluigi				ac--; av++;
102087Sluigi			}
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_DSTIP:
102087Sluigi			NEED1("missing destination IP");
102087Sluigi			if (add_dstip(cmd, *av)) {
102087Sluigi				ac--; av++;
102087Sluigi			}
102087Sluigi			break;
102087Sluigi
145246Sbrooks		case TOK_SRCIP6:
145246Sbrooks			NEED1("missing source IP6");
145246Sbrooks			if (add_srcip6(cmd, *av)) {
145246Sbrooks				ac--; av++;
145246Sbrooks			}
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case TOK_DSTIP6:
145246Sbrooks			NEED1("missing destination IP6");
145246Sbrooks			if (add_dstip6(cmd, *av)) {
145246Sbrooks				ac--; av++;
145246Sbrooks			}
145246Sbrooks			break;
145246Sbrooks
102087Sluigi		case TOK_SRCPORT:
102087Sluigi			NEED1("missing source port");
140271Sbrooks			if (_substrcmp(*av, "any") == 0 ||
102087Sluigi			    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
102087Sluigi				ac--; av++;
102087Sluigi			} else
102087Sluigi				errx(EX_DATAERR, "invalid source port %s", *av);
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_DSTPORT:
102087Sluigi			NEED1("missing destination port");
140271Sbrooks			if (_substrcmp(*av, "any") == 0 ||
102087Sluigi			    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
102087Sluigi				ac--; av++;
102087Sluigi			} else
102087Sluigi				errx(EX_DATAERR, "invalid destination port %s",
102087Sluigi				    *av);
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_MAC:
102087Sluigi			if (add_mac(cmd, ac, av)) {
102087Sluigi				ac -= 2; av += 2;
102087Sluigi			}
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_MACTYPE:
102087Sluigi			NEED1("missing mac type");
102087Sluigi			if (!add_mactype(cmd, ac, *av))
116438Smaxim				errx(EX_DATAERR, "invalid mac type %s", *av);
102087Sluigi			ac--; av++;
102087Sluigi			break;
102087Sluigi
112250Scjc		case TOK_VERREVPATH:
112250Scjc			fill_cmd(cmd, O_VERREVPATH, 0, 0);
112250Scjc			break;
116919Sluigi
128575Sandre		case TOK_VERSRCREACH:
128575Sandre			fill_cmd(cmd, O_VERSRCREACH, 0, 0);
128575Sandre			break;
128575Sandre
133387Sandre		case TOK_ANTISPOOF:
133387Sandre			fill_cmd(cmd, O_ANTISPOOF, 0, 0);
133387Sandre			break;
133387Sandre
117241Sluigi		case TOK_IPSEC:
117241Sluigi			fill_cmd(cmd, O_IPSEC, 0, 0);
117241Sluigi			break;
117241Sluigi
145246Sbrooks		case TOK_IPV6:
145246Sbrooks			fill_cmd(cmd, O_IP6, 0, 0);
145246Sbrooks			break;
145246Sbrooks
146894Smlaier		case TOK_IPV4:
146894Smlaier			fill_cmd(cmd, O_IP4, 0, 0);
146894Smlaier			break;
146894Smlaier
145246Sbrooks		case TOK_EXT6HDR:
145246Sbrooks			fill_ext6hdr( cmd, *av );
145246Sbrooks			ac--; av++;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case TOK_FLOWID:
145246Sbrooks			if (proto != IPPROTO_IPV6 )
145246Sbrooks				errx( EX_USAGE, "flow-id filter is active "
145246Sbrooks				    "only for ipv6 protocol\n");
145246Sbrooks			fill_flow6( (ipfw_insn_u32 *) cmd, *av );
145246Sbrooks			ac--; av++;
145246Sbrooks			break;
145246Sbrooks
117469Sluigi		case TOK_COMMENT:
117469Sluigi			fill_comment(cmd, ac, av);
117469Sluigi			av += ac;
117469Sluigi			ac = 0;
117469Sluigi			break;
117469Sluigi
158879Soleg		case TOK_TAGGED:
159636Soleg			if (ac > 0 && strpbrk(*av, "-,")) {
158879Soleg				if (!add_ports(cmd, *av, 0, O_TAGGED))
159636Soleg					errx(EX_DATAERR, "tagged: invalid tag"
159636Soleg					    " list: %s", *av);
158879Soleg			}
159636Soleg			else {
159636Soleg				uint16_t tag;
159636Soleg
182823Srik				GET_UINT_ARG(tag, 1, IPFW_DEFAULT_RULE - 1,
182823Srik				    TOK_TAGGED, rule_options);
159636Soleg				fill_cmd(cmd, O_TAGGED, 0, tag);
159636Soleg			}
158879Soleg			ac--; av++;
158879Soleg			break;
158879Soleg
178888Sjulian		case TOK_FIB:
178888Sjulian			NEED1("fib requires fib number");
178888Sjulian			fill_cmd(cmd, O_FIB, 0, strtoul(*av, NULL, 0));
178888Sjulian			ac--; av++;
178888Sjulian			break;
178888Sjulian
98943Sluigi		default:
98943Sluigi			errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
98943Sluigi		}
98943Sluigi		if (F_LEN(cmd) > 0) {	/* prepare to advance */
98943Sluigi			prev = cmd;
98943Sluigi			cmd = next_cmd(cmd);
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigidone:
98943Sluigi	/*
98943Sluigi	 * Now copy stuff into the rule.
98943Sluigi	 * If we have a keep-state option, the first instruction
98943Sluigi	 * must be a PROBE_STATE (which is generated here).
98943Sluigi	 * If we have a LOG option, it was stored as the first command,
98943Sluigi	 * and now must be moved to the top of the action part.
98943Sluigi	 */
98943Sluigi	dst = (ipfw_insn *)rule->cmd;
98943Sluigi
98943Sluigi	/*
107289Sluigi	 * First thing to write into the command stream is the match probability.
107289Sluigi	 */
107289Sluigi	if (match_prob != 1) { /* 1 means always match */
107289Sluigi		dst->opcode = O_PROB;
107289Sluigi		dst->len = 2;
107289Sluigi		*((int32_t *)(dst+1)) = (int32_t)(match_prob * 0x7fffffff);
107289Sluigi		dst += dst->len;
107289Sluigi	}
107289Sluigi
107289Sluigi	/*
98943Sluigi	 * generate O_PROBE_STATE if necessary
98943Sluigi	 */
101116Sluigi	if (have_state && have_state->opcode != O_CHECK_STATE) {
98943Sluigi		fill_cmd(dst, O_PROBE_STATE, 0, 0);
98943Sluigi		dst = next_cmd(dst);
98943Sluigi	}
158879Soleg
158879Soleg	/* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
98943Sluigi	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
98943Sluigi		i = F_LEN(src);
98943Sluigi
101116Sluigi		switch (src->opcode) {
101116Sluigi		case O_LOG:
101116Sluigi		case O_KEEP_STATE:
101116Sluigi		case O_LIMIT:
136071Sgreen		case O_ALTQ:
158879Soleg		case O_TAG:
101116Sluigi			break;
101116Sluigi		default:
117328Sluigi			bcopy(src, dst, i * sizeof(uint32_t));
98943Sluigi			dst += i;
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
101116Sluigi	 * put back the have_state command as last opcode
101116Sluigi	 */
101295Sluigi	if (have_state && have_state->opcode != O_CHECK_STATE) {
101116Sluigi		i = F_LEN(have_state);
117328Sluigi		bcopy(have_state, dst, i * sizeof(uint32_t));
101116Sluigi		dst += i;
101116Sluigi	}
101116Sluigi	/*
98943Sluigi	 * start action section
98943Sluigi	 */
98943Sluigi	rule->act_ofs = dst - rule->cmd;
98943Sluigi
158879Soleg	/* put back O_LOG, O_ALTQ, O_TAG if necessary */
136071Sgreen	if (have_log) {
136071Sgreen		i = F_LEN(have_log);
136071Sgreen		bcopy(have_log, dst, i * sizeof(uint32_t));
98943Sluigi		dst += i;
98943Sluigi	}
136071Sgreen	if (have_altq) {
136071Sgreen		i = F_LEN(have_altq);
136071Sgreen		bcopy(have_altq, dst, i * sizeof(uint32_t));
136071Sgreen		dst += i;
136071Sgreen	}
158879Soleg	if (have_tag) {
158879Soleg		i = F_LEN(have_tag);
158879Soleg		bcopy(have_tag, dst, i * sizeof(uint32_t));
158879Soleg		dst += i;
158879Soleg	}
98943Sluigi	/*
98943Sluigi	 * copy all other actions
98943Sluigi	 */
98943Sluigi	for (src = (ipfw_insn *)actbuf; src != action; src += i) {
98943Sluigi		i = F_LEN(src);
117328Sluigi		bcopy(src, dst, i * sizeof(uint32_t));
98943Sluigi		dst += i;
98943Sluigi	}
98943Sluigi
117328Sluigi	rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
117469Sluigi	i = (char *)dst - (char *)rule;
119740Stmm	if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1)
98943Sluigi		err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
98943Sluigi	if (!do_quiet)
117469Sluigi		show_ipfw(rule, 0, 0);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
117328Sluigizero(int ac, char *av[], int optname /* IP_FW_ZERO or IP_FW_RESETLOG */)
98943Sluigi{
170923Smaxim	uint32_t arg, saved_arg;
98943Sluigi	int failed = EX_OK;
117469Sluigi	char const *name = optname == IP_FW_ZERO ?  "ZERO" : "RESETLOG";
170923Smaxim	char const *errstr;
98943Sluigi
98943Sluigi	av++; ac--;
98943Sluigi
98943Sluigi	if (!ac) {
98943Sluigi		/* clear all entries */
117328Sluigi		if (do_cmd(optname, NULL, 0) < 0)
117328Sluigi			err(EX_UNAVAILABLE, "setsockopt(IP_FW_%s)", name);
98943Sluigi		if (!do_quiet)
117328Sluigi			printf("%s.\n", optname == IP_FW_ZERO ?
117328Sluigi			    "Accounting cleared":"Logging counts reset");
98943Sluigi
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
98943Sluigi	while (ac) {
98943Sluigi		/* Rule number */
98943Sluigi		if (isdigit(**av)) {
170923Smaxim			arg = strtonum(*av, 0, 0xffff, &errstr);
170923Smaxim			if (errstr)
170923Smaxim				errx(EX_DATAERR,
170923Smaxim				    "invalid rule number %s\n", *av);
170923Smaxim			saved_arg = arg;
170923Smaxim			if (use_set)
170923Smaxim				arg |= (1 << 24) | ((use_set - 1) << 16);
98943Sluigi			av++;
98943Sluigi			ac--;
170923Smaxim			if (do_cmd(optname, &arg, sizeof(arg))) {
117328Sluigi				warn("rule %u: setsockopt(IP_FW_%s)",
170923Smaxim				    saved_arg, name);
98943Sluigi				failed = EX_UNAVAILABLE;
98943Sluigi			} else if (!do_quiet)
170923Smaxim				printf("Entry %d %s.\n", saved_arg,
117328Sluigi				    optname == IP_FW_ZERO ?
117328Sluigi					"cleared" : "logging count reset");
98943Sluigi		} else {
98943Sluigi			errx(EX_USAGE, "invalid rule number ``%s''", *av);
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (failed != EX_OK)
98943Sluigi		exit(failed);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
117544Sluigiflush(int force)
98943Sluigi{
98943Sluigi	int cmd = do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH;
98943Sluigi
117544Sluigi	if (!force && !do_quiet) { /* need to ask user */
98943Sluigi		int c;
98943Sluigi
98943Sluigi		printf("Are you sure? [yn] ");
98943Sluigi		fflush(stdout);
98943Sluigi		do {
98943Sluigi			c = toupper(getc(stdin));
98943Sluigi			while (c != '\n' && getc(stdin) != '\n')
98943Sluigi				if (feof(stdin))
98943Sluigi					return; /* and do not flush */
98943Sluigi		} while (c != 'Y' && c != 'N');
98943Sluigi		printf("\n");
98943Sluigi		if (c == 'N')	/* user said no */
98943Sluigi			return;
98943Sluigi	}
170923Smaxim	/* `ipfw set N flush` - is the same that `ipfw delete set N` */
170923Smaxim	if (use_set) {
170923Smaxim		uint32_t arg = ((use_set - 1) & 0xffff) | (1 << 24);
170923Smaxim		if (do_cmd(IP_FW_DEL, &arg, sizeof(arg)) < 0)
170923Smaxim			err(EX_UNAVAILABLE, "setsockopt(IP_FW_DEL)");
170923Smaxim	} else if (do_cmd(cmd, NULL, 0) < 0)
98943Sluigi		err(EX_UNAVAILABLE, "setsockopt(IP_%s_FLUSH)",
98943Sluigi		    do_pipe ? "DUMMYNET" : "FW");
98943Sluigi	if (!do_quiet)
98943Sluigi		printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
98943Sluigi}
98943Sluigi
117469Sluigi/*
117544Sluigi * Free a the (locally allocated) copy of command line arguments.
117469Sluigi */
117544Sluigistatic void
117544Sluigifree_args(int ac, char **av)
117544Sluigi{
117544Sluigi	int i;
117544Sluigi
117544Sluigi	for (i=0; i < ac; i++)
117544Sluigi		free(av[i]);
117544Sluigi	free(av);
117544Sluigi}
117544Sluigi
183407Srikstatic void table_list(ipfw_table_entry ent, int need_header);
183228Srik
117544Sluigi/*
130281Sru * This one handles all table-related commands
130281Sru * 	ipfw table N add addr[/masklen] [value]
130281Sru * 	ipfw table N delete addr[/masklen]
183407Srik * 	ipfw table {N | all} flush
183407Srik * 	ipfw table {N | all} list
130281Sru */
130281Srustatic void
130281Srutable_handler(int ac, char *av[])
130281Sru{
130281Sru	ipfw_table_entry ent;
130281Sru	int do_add;
183407Srik	int is_all;
183241Srik	size_t len;
130281Sru	char *p;
183407Srik	uint32_t a;
183241Srik	uint32_t tables_max;
130281Sru
183263Skeramida	len = sizeof(tables_max);
183241Srik	if (sysctlbyname("net.inet.ip.fw.tables_max", &tables_max, &len,
183241Srik		NULL, 0) == -1) {
183241Srik#ifdef IPFW_TABLES_MAX
183241Srik		warn("Warn: Failed to get the max tables number via sysctl. "
183241Srik		     "Using the compiled in defaults. \nThe reason was");
183241Srik		tables_max = IPFW_TABLES_MAX;
183241Srik#else
183241Srik		errx(1, "Failed sysctlbyname(\"net.inet.ip.fw.tables_max\")");
183241Srik#endif
183241Srik	}
183241Srik
130281Sru	ac--; av++;
130281Sru	if (ac && isdigit(**av)) {
130281Sru		ent.tbl = atoi(*av);
183407Srik		is_all = 0;
130281Sru		ac--; av++;
183407Srik	} else if (ac && _substrcmp(*av, "all") == 0) {
183407Srik		ent.tbl = 0;
183407Srik		is_all = 1;
183407Srik		ac--; av++;
130281Sru	} else
183407Srik		errx(EX_USAGE, "table number or 'all' keyword required");
183241Srik	if (ent.tbl >= tables_max)
183241Srik		errx(EX_USAGE, "The table number exceeds the maximum allowed "
183241Srik			"value (%d)", tables_max - 1);
130281Sru	NEED1("table needs command");
183407Srik	if (is_all && _substrcmp(*av, "list") != 0
183407Srik		   && _substrcmp(*av, "flush") != 0)
183407Srik		errx(EX_USAGE, "table number required");
183407Srik
140271Sbrooks	if (_substrcmp(*av, "add") == 0 ||
140271Sbrooks	    _substrcmp(*av, "delete") == 0) {
130281Sru		do_add = **av == 'a';
130281Sru		ac--; av++;
130281Sru		if (!ac)
130281Sru			errx(EX_USAGE, "IP address required");
130281Sru		p = strchr(*av, '/');
130281Sru		if (p) {
130281Sru			*p++ = '\0';
130281Sru			ent.masklen = atoi(p);
130281Sru			if (ent.masklen > 32)
130281Sru				errx(EX_DATAERR, "bad width ``%s''", p);
130281Sru		} else
130281Sru			ent.masklen = 32;
130281Sru		if (lookup_host(*av, (struct in_addr *)&ent.addr) != 0)
130298Sru			errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
130281Sru		ac--; av++;
161424Sjulian		if (do_add && ac) {
161424Sjulian			unsigned int tval;
161424Sjulian			/* isdigit is a bit of a hack here.. */
161424Sjulian			if (strchr(*av, (int)'.') == NULL && isdigit(**av))  {
161424Sjulian				ent.value = strtoul(*av, NULL, 0);
161424Sjulian			} else {
161424Sjulian		        	if (lookup_host(*av, (struct in_addr *)&tval) == 0) {
161424Sjulian					/* The value must be stored in host order	 *
161424Sjulian					 * so that the values < 65k can be distinguished */
161424Sjulian		       			ent.value = ntohl(tval);
161424Sjulian				} else {
161424Sjulian					errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
161424Sjulian				}
161424Sjulian			}
161424Sjulian		} else
130281Sru			ent.value = 0;
130281Sru		if (do_cmd(do_add ? IP_FW_TABLE_ADD : IP_FW_TABLE_DEL,
157335Sjulian		    &ent, sizeof(ent)) < 0) {
155639Sjulian			/* If running silent, don't bomb out on these errors. */
155639Sjulian			if (!(do_quiet && (errno == (do_add ? EEXIST : ESRCH))))
155639Sjulian				err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)",
155639Sjulian				    do_add ? "ADD" : "DEL");
155639Sjulian			/* In silent mode, react to a failed add by deleting */
157332Sjulian			if (do_add) {
155639Sjulian				do_cmd(IP_FW_TABLE_DEL, &ent, sizeof(ent));
155639Sjulian				if (do_cmd(IP_FW_TABLE_ADD,
155639Sjulian				    &ent, sizeof(ent)) < 0)
155639Sjulian					err(EX_OSERR,
155639Sjulian				            "setsockopt(IP_FW_TABLE_ADD)");
157332Sjulian			}
157335Sjulian		}
140271Sbrooks	} else if (_substrcmp(*av, "flush") == 0) {
183407Srik		a = is_all ? tables_max : (ent.tbl + 1);
183407Srik		do {
183407Srik			if (do_cmd(IP_FW_TABLE_FLUSH, &ent.tbl,
183407Srik			    sizeof(ent.tbl)) < 0)
183407Srik				err(EX_OSERR, "setsockopt(IP_FW_TABLE_FLUSH)");
183407Srik		} while (++ent.tbl < a);
140271Sbrooks	} else if (_substrcmp(*av, "list") == 0) {
183407Srik		a = is_all ? tables_max : (ent.tbl + 1);
183407Srik		do {
183415Srik			table_list(ent, is_all);
183407Srik		} while (++ent.tbl < a);
183228Srik	} else
183228Srik		errx(EX_USAGE, "invalid table command %s", *av);
183228Srik}
183205Srik
183228Srikstatic void
183407Sriktable_list(ipfw_table_entry ent, int need_header)
183228Srik{
183228Srik	ipfw_table *tbl;
183228Srik	socklen_t l;
183228Srik	uint32_t a;
183205Srik
183228Srik	a = ent.tbl;
183228Srik	l = sizeof(a);
183228Srik	if (do_cmd(IP_FW_TABLE_GETSIZE, &a, (uintptr_t)&l) < 0)
183228Srik		err(EX_OSERR, "getsockopt(IP_FW_TABLE_GETSIZE)");
183228Srik
183228Srik	/* If a is zero we have nothing to do, the table is empty. */
183228Srik	if (a == 0)
183228Srik		return;
183228Srik
183228Srik	l = sizeof(*tbl) + a * sizeof(ipfw_table_entry);
187716Sluigi	tbl = safe_calloc(1, l);
183228Srik	tbl->tbl = ent.tbl;
183228Srik	if (do_cmd(IP_FW_TABLE_LIST, tbl, (uintptr_t)&l) < 0)
183228Srik		err(EX_OSERR, "getsockopt(IP_FW_TABLE_LIST)");
183407Srik	if (tbl->cnt && need_header)
183407Srik		printf("---table(%d)---\n", tbl->tbl);
183228Srik	for (a = 0; a < tbl->cnt; a++) {
183228Srik		unsigned int tval;
183228Srik		tval = tbl->ent[a].value;
183228Srik		if (do_value_as_ip) {
183228Srik			char tbuf[128];
183228Srik			strncpy(tbuf, inet_ntoa(*(struct in_addr *)
161456Sjulian				&tbl->ent[a].addr), 127);
183228Srik			/* inet_ntoa expects network order */
183228Srik			tval = htonl(tval);
183228Srik			printf("%s/%u %s\n", tbuf, tbl->ent[a].masklen,
183228Srik				inet_ntoa(*(struct in_addr *)&tval));
183228Srik		} else {
183228Srik			printf("%s/%u %u\n",
183228Srik				inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr),
183228Srik				tbl->ent[a].masklen, tval);
130281Sru		}
183228Srik	}
183228Srik	free(tbl);
130281Sru}
130281Sru
165648Spisostatic void
183206Srikshow_nat(int ac, char **av)
183206Srik{
165648Spiso	struct cfg_nat *n;
165648Spiso	struct cfg_redir *e;
165648Spiso	int cmd, i, nbytes, do_cfg, do_rule, frule, lrule, nalloc, size;
176393Spiso	int nat_cnt, redir_cnt, r;
165648Spiso	uint8_t *data, *p;
183208Srik	char *endptr;
165648Spiso
165648Spiso	do_rule = 0;
165648Spiso	nalloc = 1024;
165648Spiso	size = 0;
165648Spiso	data = NULL;
176445Spiso	frule = 0;
182823Srik	lrule = IPFW_DEFAULT_RULE; /* max ipfw rule number */
165648Spiso	ac--; av++;
165648Spiso
183889Smaxim	if (test_only)
183889Smaxim		return;
183889Smaxim
165648Spiso	/* Parse parameters. */
165648Spiso	for (cmd = IP_FW_NAT_GET_LOG, do_cfg = 0; ac != 0; ac--, av++) {
165648Spiso		if (!strncmp(av[0], "config", strlen(av[0]))) {
165648Spiso			cmd = IP_FW_NAT_GET_CONFIG, do_cfg = 1;
165648Spiso			continue;
165648Spiso		}
165648Spiso		/* Convert command line rule #. */
165648Spiso		frule = lrule = strtoul(av[0], &endptr, 10);
165648Spiso		if (*endptr == '-')
165648Spiso			lrule = strtoul(endptr+1, &endptr, 10);
165648Spiso		if (lrule == 0)
165648Spiso			err(EX_USAGE, "invalid rule number: %s", av[0]);
165648Spiso		do_rule = 1;
165648Spiso	}
165648Spiso
165648Spiso	nbytes = nalloc;
165648Spiso	while (nbytes >= nalloc) {
165648Spiso		nalloc = nalloc * 2;
165648Spiso		nbytes = nalloc;
187716Sluigi		data = safe_realloc(data, nbytes);
165648Spiso		if (do_cmd(cmd, data, (uintptr_t)&nbytes) < 0)
165648Spiso			err(EX_OSERR, "getsockopt(IP_FW_GET_%s)",
165648Spiso			    (cmd == IP_FW_NAT_GET_LOG) ? "LOG" : "CONFIG");
165648Spiso	}
165648Spiso	if (nbytes == 0)
176445Spiso		exit(0);
165648Spiso	if (do_cfg) {
165648Spiso		nat_cnt = *((int *)data);
165648Spiso		for (i = sizeof(nat_cnt); nat_cnt; nat_cnt--) {
165648Spiso			n = (struct cfg_nat *)&data[i];
176445Spiso			if (frule <= n->id && lrule >= n->id)
176445Spiso				print_nat_config(&data[i]);
165648Spiso			i += sizeof(struct cfg_nat);
176393Spiso			for (redir_cnt = 0; redir_cnt < n->redir_cnt; redir_cnt++) {
176393Spiso				e = (struct cfg_redir *)&data[i];
165648Spiso				i += sizeof(struct cfg_redir) + e->spool_cnt *
165648Spiso				    sizeof(struct cfg_spool);
176393Spiso			}
165648Spiso		}
165648Spiso	} else {
165648Spiso		for (i = 0; 1; i += LIBALIAS_BUF_SIZE + sizeof(int)) {
165648Spiso			p = &data[i];
165648Spiso			if (p == data + nbytes)
165648Spiso				break;
165648Spiso			bcopy(p, &r, sizeof(int));
165648Spiso			if (do_rule) {
165648Spiso				if (!(frule <= r && lrule >= r))
165648Spiso					continue;
165648Spiso			}
165648Spiso			printf("nat %u: %s\n", r, p+sizeof(int));
165648Spiso		}
165648Spiso	}
165648Spiso}
165648Spiso
130281Sru/*
187713Sluigi * Called with the arguments, including program name because getopt
187713Sluigi * wants it to be present.
117544Sluigi * Returns 0 if successful, 1 if empty command, errx() in case of errors.
117544Sluigi */
98943Sluigistatic int
117328Sluigiipfw_main(int oldac, char **oldav)
98943Sluigi{
117469Sluigi	int ch, ac, save_ac;
170923Smaxim	const char *errstr;
117469Sluigi	char **av, **save_av;
117469Sluigi	int do_acct = 0;		/* Show packet/byte count */
117469Sluigi
117469Sluigi#define WHITESP		" \t\f\v\n\r"
187713Sluigi	if (oldac < 2)
187713Sluigi		return 1;	/* need at least one argument */
187713Sluigi	if (oldac == 2) {
117328Sluigi		/*
117328Sluigi		 * If we are called with a single string, try to split it into
117328Sluigi		 * arguments for subsequent parsing.
117328Sluigi		 * But first, remove spaces after a ',', by copying the string
117328Sluigi		 * in-place.
117328Sluigi		 */
187713Sluigi		char *arg = oldav[1];	/* The string is the first arg. */
117328Sluigi		int l = strlen(arg);
117328Sluigi		int copy = 0;		/* 1 if we need to copy, 0 otherwise */
117328Sluigi		int i, j;
117469Sluigi		for (i = j = 0; i < l; i++) {
117469Sluigi			if (arg[i] == '#')	/* comment marker */
117469Sluigi				break;
117328Sluigi			if (copy) {
117328Sluigi				arg[j++] = arg[i];
117469Sluigi				copy = !index("," WHITESP, arg[i]);
117328Sluigi			} else {
117469Sluigi				copy = !index(WHITESP, arg[i]);
117328Sluigi				if (copy)
117328Sluigi					arg[j++] = arg[i];
117328Sluigi			}
117469Sluigi		}
117328Sluigi		if (!copy && j > 0)	/* last char was a 'blank', remove it */
117328Sluigi			j--;
117328Sluigi		l = j;			/* the new argument length */
117328Sluigi		arg[j++] = '\0';
117469Sluigi		if (l == 0)		/* empty string! */
117544Sluigi			return 1;
117328Sluigi
117328Sluigi		/*
117328Sluigi		 * First, count number of arguments. Because of the previous
117469Sluigi		 * processing, this is just the number of blanks plus 1.
117328Sluigi		 */
117469Sluigi		for (i = 0, ac = 1; i < l; i++)
117469Sluigi			if (index(WHITESP, arg[i]) != NULL)
117328Sluigi				ac++;
117328Sluigi
187713Sluigi		/*
187713Sluigi		 * Allocate the argument list, including one entry for
187713Sluigi		 * the program name because getopt expects it.
187713Sluigi		 */
187716Sluigi		av = safe_calloc(ac + 1, sizeof(char *));
117328Sluigi
117328Sluigi		/*
187713Sluigi		 * Second, copy arguments from arg[] to av[]. For each one,
117328Sluigi		 * j is the initial character, i is the one past the end.
117328Sluigi		 */
187713Sluigi		for (ac = 1, i = j = 0; i < l; i++)
117469Sluigi			if (index(WHITESP, arg[i]) != NULL || i == l-1) {
117328Sluigi				if (i == l-1)
117328Sluigi					i++;
187716Sluigi				av[ac] = safe_calloc(i-j+1, 1);
117328Sluigi				bcopy(arg+j, av[ac], i-j);
117328Sluigi				ac++;
117328Sluigi				j = i + 1;
117328Sluigi			}
117328Sluigi	} else {
117328Sluigi		/*
117328Sluigi		 * If an argument ends with ',' join with the next one.
117328Sluigi		 */
117328Sluigi		int first, i, l;
117328Sluigi
187716Sluigi		av = safe_calloc(oldac, sizeof(char *));
187713Sluigi		for (first = i = ac = 1, l = 0; i < oldac; i++) {
117328Sluigi			char *arg = oldav[i];
117328Sluigi			int k = strlen(arg);
117328Sluigi
117328Sluigi			l += k;
117328Sluigi			if (arg[k-1] != ',' || i == oldac-1) {
117328Sluigi				/* Time to copy. */
187716Sluigi				av[ac] = safe_calloc(l+1, 1);
117328Sluigi				for (l=0; first <= i; first++) {
117328Sluigi					strcat(av[ac]+l, oldav[first]);
117328Sluigi					l += strlen(oldav[first]);
117328Sluigi				}
117328Sluigi				ac++;
117328Sluigi				l = 0;
117328Sluigi				first = i+1;
117328Sluigi			}
117328Sluigi		}
117328Sluigi	}
117328Sluigi
187713Sluigi	av[0] = strdup(oldav[0]);	/* copy progname from the caller */
98943Sluigi	/* Set the force flag for non-interactive processes */
123804Smaxim	if (!do_force)
123804Smaxim		do_force = !isatty(STDIN_FILENO);
98943Sluigi
117469Sluigi	/* Save arguments for final freeing of memory. */
117469Sluigi	save_ac = ac;
117469Sluigi	save_av = av;
117469Sluigi
187713Sluigi	optind = optreset = 1;	/* restart getopt() */
176391Sjulian	while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1)
98943Sluigi		switch (ch) {
98943Sluigi		case 'a':
98943Sluigi			do_acct = 1;
98943Sluigi			break;
117328Sluigi
123495Sluigi		case 'b':
123495Sluigi			comment_only = 1;
123495Sluigi			do_compact = 1;
123495Sluigi			break;
123495Sluigi
102098Sluigi		case 'c':
102098Sluigi			do_compact = 1;
102098Sluigi			break;
117328Sluigi
98943Sluigi		case 'd':
98943Sluigi			do_dynamic = 1;
98943Sluigi			break;
117328Sluigi
98943Sluigi		case 'e':
98943Sluigi			do_expired = 1;
98943Sluigi			break;
117328Sluigi
98943Sluigi		case 'f':
98943Sluigi			do_force = 1;
98943Sluigi			break;
117328Sluigi
117328Sluigi		case 'h': /* help */
117544Sluigi			free_args(save_ac, save_av);
117328Sluigi			help();
117328Sluigi			break;	/* NOTREACHED */
117328Sluigi
176391Sjulian		case 'i':
176391Sjulian			do_value_as_ip = 1;
176391Sjulian			break;
176391Sjulian
117328Sluigi		case 'n':
117328Sluigi			test_only = 1;
117328Sluigi			break;
117328Sluigi
98943Sluigi		case 'N':
98943Sluigi			do_resolv = 1;
98943Sluigi			break;
117328Sluigi
98943Sluigi		case 'q':
98943Sluigi			do_quiet = 1;
98943Sluigi			break;
117328Sluigi
117328Sluigi		case 's': /* sort */
117328Sluigi			do_sort = atoi(optarg);
117328Sluigi			break;
117328Sluigi
101628Sluigi		case 'S':
101628Sluigi			show_sets = 1;
101628Sluigi			break;
117328Sluigi
98943Sluigi		case 't':
98943Sluigi			do_time = 1;
98943Sluigi			break;
117328Sluigi
117472Sluigi		case 'T':
117472Sluigi			do_time = 2;	/* numeric timestamp */
117472Sluigi			break;
117472Sluigi
98943Sluigi		case 'v': /* verbose */
117328Sluigi			verbose = 1;
98943Sluigi			break;
117328Sluigi
98943Sluigi		default:
117544Sluigi			free_args(save_ac, save_av);
117544Sluigi			return 1;
98943Sluigi		}
98943Sluigi
98943Sluigi	ac -= optind;
98943Sluigi	av += optind;
98943Sluigi	NEED1("bad arguments, for usage summary ``ipfw''");
98943Sluigi
98943Sluigi	/*
117544Sluigi	 * An undocumented behaviour of ipfw1 was to allow rule numbers first,
117544Sluigi	 * e.g. "100 add allow ..." instead of "add 100 allow ...".
117544Sluigi	 * In case, swap first and second argument to get the normal form.
117544Sluigi	 */
117544Sluigi	if (ac > 1 && isdigit(*av[0])) {
117544Sluigi		char *p = av[0];
117544Sluigi
117544Sluigi		av[0] = av[1];
117544Sluigi		av[1] = p;
117544Sluigi	}
117544Sluigi
117544Sluigi	/*
165648Spiso	 * Optional: pipe, queue or nat.
98943Sluigi	 */
165648Spiso	do_nat = 0;
117821Smaxim	do_pipe = 0;
165648Spiso	if (!strncmp(*av, "nat", strlen(*av)))
165648Spiso 	        do_nat = 1;
165648Spiso 	else if (!strncmp(*av, "pipe", strlen(*av)))
98943Sluigi		do_pipe = 1;
140271Sbrooks	else if (_substrcmp(*av, "queue") == 0)
98943Sluigi		do_pipe = 2;
170923Smaxim	else if (!strncmp(*av, "set", strlen(*av))) {
170923Smaxim		if (ac > 1 && isdigit(av[1][0])) {
170923Smaxim			use_set = strtonum(av[1], 0, RESVD_SET, &errstr);
170923Smaxim			if (errstr)
170923Smaxim				errx(EX_DATAERR,
170923Smaxim				    "invalid set number %s\n", av[1]);
170923Smaxim			ac -= 2; av += 2; use_set++;
170923Smaxim		}
170923Smaxim	}
170923Smaxim
165648Spiso	if (do_pipe || do_nat) {
98943Sluigi		ac--;
98943Sluigi		av++;
98943Sluigi	}
98943Sluigi	NEED1("missing command");
98943Sluigi
98943Sluigi	/*
165648Spiso	 * For pipes, queues and nats we normally say 'nat|pipe NN config'
165648Spiso	 * but the code is easier to parse as 'nat|pipe config NN'
98943Sluigi	 * so we swap the two arguments.
98943Sluigi	 */
165648Spiso	if ((do_pipe || do_nat) && ac > 1 && isdigit(*av[0])) {
98943Sluigi		char *p = av[0];
117544Sluigi
98943Sluigi		av[0] = av[1];
98943Sluigi		av[1] = p;
98943Sluigi	}
117328Sluigi
170923Smaxim	int try_next = 0;
170923Smaxim	if (use_set == 0) {
170923Smaxim		if (_substrcmp(*av, "add") == 0)
170923Smaxim			add(ac, av);
170923Smaxim		else if (do_nat && _substrcmp(*av, "show") == 0)
170923Smaxim 			show_nat(ac, av);
170923Smaxim		else if (do_pipe && _substrcmp(*av, "config") == 0)
170923Smaxim			config_pipe(ac, av);
170923Smaxim		else if (do_nat && _substrcmp(*av, "config") == 0)
170923Smaxim 			config_nat(ac, av);
173080Smaxim		else if (_substrcmp(*av, "set") == 0)
173080Smaxim			sets_handler(ac, av);
173080Smaxim		else if (_substrcmp(*av, "table") == 0)
173080Smaxim			table_handler(ac, av);
173080Smaxim		else if (_substrcmp(*av, "enable") == 0)
173080Smaxim			sysctl_handler(ac, av, 1);
173080Smaxim		else if (_substrcmp(*av, "disable") == 0)
173080Smaxim			sysctl_handler(ac, av, 0);
173080Smaxim		else
173080Smaxim			try_next = 1;
170923Smaxim	}
117469Sluigi
170923Smaxim	if (use_set || try_next) {
170923Smaxim		if (_substrcmp(*av, "delete") == 0)
170923Smaxim			delete(ac, av);
170923Smaxim		else if (_substrcmp(*av, "flush") == 0)
170923Smaxim			flush(do_force);
170923Smaxim		else if (_substrcmp(*av, "zero") == 0)
170923Smaxim			zero(ac, av, IP_FW_ZERO);
170923Smaxim		else if (_substrcmp(*av, "resetlog") == 0)
170923Smaxim			zero(ac, av, IP_FW_RESETLOG);
170923Smaxim		else if (_substrcmp(*av, "print") == 0 ||
170923Smaxim		         _substrcmp(*av, "list") == 0)
170923Smaxim			list(ac, av, do_acct);
170923Smaxim		else if (_substrcmp(*av, "show") == 0)
170923Smaxim			list(ac, av, 1 /* show counters */);
170923Smaxim		else
170923Smaxim			errx(EX_USAGE, "bad command `%s'", *av);
170923Smaxim	}
170923Smaxim
117469Sluigi	/* Free memory allocated in the argument parsing. */
117544Sluigi	free_args(save_ac, save_av);
98943Sluigi	return 0;
98943Sluigi}
98943Sluigi
98943Sluigi
98943Sluigistatic void
106505Smaximipfw_readfile(int ac, char *av[])
98943Sluigi{
98943Sluigi#define MAX_ARGS	32
98943Sluigi	char	buf[BUFSIZ];
187716Sluigi	char *progname = av[0];		/* original program name */
187713Sluigi	const char *cmd = NULL;		/* preprocessor name, if any */
187713Sluigi	const char *filename = av[ac-1]; /* file to read */
117469Sluigi	int	c, lineno=0;
98943Sluigi	FILE	*f = NULL;
98943Sluigi	pid_t	preproc = 0;
98943Sluigi
123804Smaxim	while ((c = getopt(ac, av, "cfNnp:qS")) != -1) {
98943Sluigi		switch(c) {
117469Sluigi		case 'c':
117469Sluigi			do_compact = 1;
117469Sluigi			break;
117469Sluigi
123804Smaxim		case 'f':
123804Smaxim			do_force = 1;
123804Smaxim			break;
123804Smaxim
117469Sluigi		case 'N':
117469Sluigi			do_resolv = 1;
117469Sluigi			break;
117469Sluigi
117328Sluigi		case 'n':
117328Sluigi			test_only = 1;
117328Sluigi			break;
117328Sluigi
98943Sluigi		case 'p':
117469Sluigi			/*
187713Sluigi			 * ipfw -p cmd [args] filename
187713Sluigi			 *
187713Sluigi			 * We are done with getopt(). All arguments
187713Sluigi			 * except the filename go to the preprocessor,
187713Sluigi			 * so we need to do the following:
187713Sluigi			 * - check that a filename is actually present;
187713Sluigi			 * - advance av by optind-1 to skip arguments
187713Sluigi			 *   already processed;
187713Sluigi			 * - decrease ac by optind, to remove the args
187713Sluigi			 *   already processed and the final filename;
187713Sluigi			 * - set the last entry in av[] to NULL so
187713Sluigi			 *   popen() can detect the end of the array;
187713Sluigi			 * - set optind=ac to let getopt() terminate.
117469Sluigi			 */
187713Sluigi			if (optind == ac)
162773Smaxim				errx(EX_USAGE, "no filename argument");
187713Sluigi			cmd = optarg;
117469Sluigi			av[ac-1] = NULL;
187713Sluigi			av += optind - 1;
187713Sluigi			ac -= optind;
187713Sluigi			optind = ac;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case 'q':
117469Sluigi			do_quiet = 1;
98943Sluigi			break;
98943Sluigi
117469Sluigi		case 'S':
117469Sluigi			show_sets = 1;
117469Sluigi			break;
117469Sluigi
98943Sluigi		default:
98943Sluigi			errx(EX_USAGE, "bad arguments, for usage"
98943Sluigi			     " summary ``ipfw''");
98943Sluigi		}
98943Sluigi
108231Skbyanc	}
108231Skbyanc
117469Sluigi	if (cmd == NULL && ac != optind + 1) {
117469Sluigi		fprintf(stderr, "ac %d, optind %d\n", ac, optind);
117469Sluigi		errx(EX_USAGE, "extraneous filename arguments");
108231Skbyanc	}
108231Skbyanc
117469Sluigi	if ((f = fopen(filename, "r")) == NULL)
117469Sluigi		err(EX_UNAVAILABLE, "fopen: %s", filename);
98943Sluigi
117469Sluigi	if (cmd != NULL) {			/* pipe through preprocessor */
98943Sluigi		int pipedes[2];
98943Sluigi
98943Sluigi		if (pipe(pipedes) == -1)
98943Sluigi			err(EX_OSERR, "cannot create pipe");
98943Sluigi
117469Sluigi		preproc = fork();
117469Sluigi		if (preproc == -1)
98943Sluigi			err(EX_OSERR, "cannot fork");
98943Sluigi
117577Sluigi		if (preproc == 0) {
117469Sluigi			/*
117469Sluigi			 * Child, will run the preprocessor with the
117469Sluigi			 * file on stdin and the pipe on stdout.
117469Sluigi			 */
98943Sluigi			if (dup2(fileno(f), 0) == -1
98943Sluigi			    || dup2(pipedes[1], 1) == -1)
98943Sluigi				err(EX_OSERR, "dup2()");
98943Sluigi			fclose(f);
98943Sluigi			close(pipedes[1]);
98943Sluigi			close(pipedes[0]);
117469Sluigi			execvp(cmd, av);
98943Sluigi			err(EX_OSERR, "execvp(%s) failed", cmd);
117469Sluigi		} else { /* parent, will reopen f as the pipe */
98943Sluigi			fclose(f);
98943Sluigi			close(pipedes[1]);
98943Sluigi			if ((f = fdopen(pipedes[0], "r")) == NULL) {
98943Sluigi				int savederrno = errno;
98943Sluigi
98943Sluigi				(void)kill(preproc, SIGTERM);
98943Sluigi				errno = savederrno;
98943Sluigi				err(EX_OSERR, "fdopen()");
98943Sluigi			}
98943Sluigi		}
98943Sluigi	}
98943Sluigi
117469Sluigi	while (fgets(buf, BUFSIZ, f)) {		/* read commands */
117469Sluigi		char linename[10];
187713Sluigi		char *args[2];
117469Sluigi
98943Sluigi		lineno++;
98943Sluigi		sprintf(linename, "Line %d", lineno);
117328Sluigi		setprogname(linename); /* XXX */
187716Sluigi		args[0] = progname;
187713Sluigi		args[1] = buf;
187713Sluigi		ipfw_main(2, args);
98943Sluigi	}
98943Sluigi	fclose(f);
117469Sluigi	if (cmd != NULL) {
117469Sluigi		int status;
117469Sluigi
98943Sluigi		if (waitpid(preproc, &status, 0) == -1)
98943Sluigi			errx(EX_OSERR, "waitpid()");
98943Sluigi		if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
98943Sluigi			errx(EX_UNAVAILABLE,
98943Sluigi			    "preprocessor exited with status %d",
98943Sluigi			    WEXITSTATUS(status));
98943Sluigi		else if (WIFSIGNALED(status))
98943Sluigi			errx(EX_UNAVAILABLE,
98943Sluigi			    "preprocessor exited with signal %d",
98943Sluigi			    WTERMSIG(status));
98943Sluigi	}
98943Sluigi}
98943Sluigi
98943Sluigiint
98943Sluigimain(int ac, char *av[])
98943Sluigi{
98943Sluigi	/*
98943Sluigi	 * If the last argument is an absolute pathname, interpret it
98943Sluigi	 * as a file to be preprocessed.
98943Sluigi	 */
98943Sluigi
98943Sluigi	if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
98943Sluigi		ipfw_readfile(ac, av);
117544Sluigi	else {
187713Sluigi		if (ipfw_main(ac, av))
117544Sluigi			show_usage();
117544Sluigi	}
98943Sluigi	return EX_OK;
98943Sluigi}