sbin/ipfw/ipfw2.c

98943Sluigi/*
117328Sluigi * Copyright (c) 2002-2003 Luigi Rizzo
98943Sluigi * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
98943Sluigi * Copyright (c) 1994 Ugen J.S.Antsilevich
98943Sluigi *
98943Sluigi * Idea and grammar partially left from:
98943Sluigi * Copyright (c) 1993 Daniel Boulet
98943Sluigi *
98943Sluigi * Redistribution and use in source forms, with and without modification,
98943Sluigi * are permitted provided that this entire comment appears intact.
98943Sluigi *
98943Sluigi * Redistribution in binary form may occur without any restrictions.
98943Sluigi * Obviously, it would be nice if you gave credit where credit is due
98943Sluigi * but requiring it would be too onerous.
98943Sluigi *
98943Sluigi * This software is provided ``AS IS'' without any warranties of any kind.
98943Sluigi *
98943Sluigi * NEW command line interface for IP firewall facility
98943Sluigi *
98943Sluigi * $FreeBSD: head/sbin/ipfw/ipfw2.c 220802 2011-04-18 21:18:22Z glebius $
98943Sluigi */
98943Sluigi
187604Sluigi#include <sys/types.h>
98943Sluigi#include <sys/socket.h>
98943Sluigi#include <sys/sockio.h>
98943Sluigi#include <sys/sysctl.h>
98943Sluigi
187767Sluigi#include "ipfw2.h"
187767Sluigi
98943Sluigi#include <ctype.h>
98943Sluigi#include <err.h>
98943Sluigi#include <errno.h>
98943Sluigi#include <grp.h>
98943Sluigi#include <netdb.h>
98943Sluigi#include <pwd.h>
98943Sluigi#include <stdio.h>
98943Sluigi#include <stdlib.h>
98943Sluigi#include <string.h>
98943Sluigi#include <sysexits.h>
187983Sluigi#include <time.h>	/* ctime */
187604Sluigi#include <timeconv.h>	/* _long_to_time */
136071Sgreen#include <unistd.h>
136071Sgreen#include <fcntl.h>
98943Sluigi
169424Smaxim#include <net/ethernet.h>
187983Sluigi#include <net/if.h>		/* only IFNAMSIZ */
98943Sluigi#include <netinet/in.h>
187983Sluigi#include <netinet/in_systm.h>	/* only n_short, n_long */
98943Sluigi#include <netinet/ip.h>
98943Sluigi#include <netinet/ip_icmp.h>
98943Sluigi#include <netinet/ip_fw.h>
98943Sluigi#include <netinet/tcp.h>
98943Sluigi#include <arpa/inet.h>
98943Sluigi
187767Sluigistruct cmdline_opts co;	/* global options */
98943Sluigi
187767Sluigiint resvd_set_number = RESVD_SET;
187764Sluigi
159636Soleg#define GET_UINT_ARG(arg, min, max, tok, s_x) do {			\
204591Sluigi	if (!av[0])							\
159636Soleg		errx(EX_USAGE, "%s: missing argument", match_value(s_x, tok)); \
159636Soleg	if (_substrcmp(*av, "tablearg") == 0) {				\
159636Soleg		arg = IP_FW_TABLEARG;					\
159636Soleg		break;							\
159636Soleg	}								\
159636Soleg									\
159636Soleg	{								\
204591Sluigi	long _xval;							\
159636Soleg	char *end;							\
159636Soleg									\
204591Sluigi	_xval = strtol(*av, &end, 10);					\
159636Soleg									\
204591Sluigi	if (!isdigit(**av) || *end != '\0' || (_xval == 0 && errno == EINVAL)) \
159636Soleg		errx(EX_DATAERR, "%s: invalid argument: %s",		\
159636Soleg		    match_value(s_x, tok), *av);			\
159636Soleg									\
204591Sluigi	if (errno == ERANGE || _xval < min || _xval > max)		\
159636Soleg		errx(EX_DATAERR, "%s: argument is out of range (%u..%u): %s", \
159636Soleg		    match_value(s_x, tok), min, max, *av);		\
159636Soleg									\
204591Sluigi	if (_xval == IP_FW_TABLEARG)					\
159636Soleg		errx(EX_DATAERR, "%s: illegal argument value: %s",	\
159636Soleg		    match_value(s_x, tok), *av);			\
204591Sluigi	arg = _xval;							\
159636Soleg	}								\
158879Soleg} while (0)
158879Soleg
187762Sluigistatic void
187762SluigiPRINT_UINT_ARG(const char *str, uint32_t arg)
187762Sluigi{
187762Sluigi	if (str != NULL)
187762Sluigi		printf("%s",str);
187762Sluigi	if (arg == IP_FW_TABLEARG)
187762Sluigi		printf("tablearg");
187762Sluigi	else
187762Sluigi		printf("%u", arg);
187762Sluigi}
159636Soleg
98943Sluigistatic struct _s_x f_tcpflags[] = {
98943Sluigi	{ "syn", TH_SYN },
98943Sluigi	{ "fin", TH_FIN },
98943Sluigi	{ "ack", TH_ACK },
98943Sluigi	{ "psh", TH_PUSH },
98943Sluigi	{ "rst", TH_RST },
98943Sluigi	{ "urg", TH_URG },
98943Sluigi	{ "tcp flag", 0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x f_tcpopts[] = {
98943Sluigi	{ "mss",	IP_FW_TCPOPT_MSS },
98943Sluigi	{ "maxseg",	IP_FW_TCPOPT_MSS },
98943Sluigi	{ "window",	IP_FW_TCPOPT_WINDOW },
98943Sluigi	{ "sack",	IP_FW_TCPOPT_SACK },
98943Sluigi	{ "ts",		IP_FW_TCPOPT_TS },
98943Sluigi	{ "timestamp",	IP_FW_TCPOPT_TS },
98943Sluigi	{ "cc",		IP_FW_TCPOPT_CC },
98943Sluigi	{ "tcp option",	0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigi/*
98943Sluigi * IP options span the range 0 to 255 so we need to remap them
98943Sluigi * (though in fact only the low 5 bits are significant).
98943Sluigi */
98943Sluigistatic struct _s_x f_ipopts[] = {
98943Sluigi	{ "ssrr",	IP_FW_IPOPT_SSRR},
98943Sluigi	{ "lsrr",	IP_FW_IPOPT_LSRR},
98943Sluigi	{ "rr",		IP_FW_IPOPT_RR},
98943Sluigi	{ "ts",		IP_FW_IPOPT_TS},
98943Sluigi	{ "ip option",	0 },
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x f_iptos[] = {
98943Sluigi	{ "lowdelay",	IPTOS_LOWDELAY},
98943Sluigi	{ "throughput",	IPTOS_THROUGHPUT},
98943Sluigi	{ "reliability", IPTOS_RELIABILITY},
98943Sluigi	{ "mincost",	IPTOS_MINCOST},
172801Srpaulo	{ "congestion",	IPTOS_ECN_CE},
172801Srpaulo	{ "ecntransport", IPTOS_ECN_ECT0},
98943Sluigi	{ "ip tos option", 0},
98943Sluigi	{ NULL,	0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic struct _s_x limit_masks[] = {
98943Sluigi	{"all",		DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
98943Sluigi	{"src-addr",	DYN_SRC_ADDR},
98943Sluigi	{"src-port",	DYN_SRC_PORT},
98943Sluigi	{"dst-addr",	DYN_DST_ADDR},
98943Sluigi	{"dst-port",	DYN_DST_PORT},
98943Sluigi	{NULL,		0}
98943Sluigi};
98943Sluigi
98943Sluigi/*
98943Sluigi * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines
98943Sluigi * This is only used in this code.
98943Sluigi */
98943Sluigi#define IPPROTO_ETHERTYPE	0x1000
98943Sluigistatic struct _s_x ether_types[] = {
98943Sluigi    /*
98943Sluigi     * Note, we cannot use "-:&/" in the names because they are field
98943Sluigi     * separators in the type specifications. Also, we use s = NULL as
98943Sluigi     * end-delimiter, because a type of 0 can be legal.
98943Sluigi     */
98943Sluigi	{ "ip",		0x0800 },
98943Sluigi	{ "ipv4",	0x0800 },
98943Sluigi	{ "ipv6",	0x86dd },
98943Sluigi	{ "arp",	0x0806 },
98943Sluigi	{ "rarp",	0x8035 },
98943Sluigi	{ "vlan",	0x8100 },
98943Sluigi	{ "loop",	0x9000 },
98943Sluigi	{ "trail",	0x1000 },
98943Sluigi	{ "at",		0x809b },
98943Sluigi	{ "atalk",	0x809b },
98943Sluigi	{ "aarp",	0x80f3 },
98943Sluigi	{ "pppoe_disc",	0x8863 },
98943Sluigi	{ "pppoe_sess",	0x8864 },
98943Sluigi	{ "ipx_8022",	0x00E0 },
98943Sluigi	{ "ipx_8023",	0x0000 },
98943Sluigi	{ "ipx_ii",	0x8137 },
98943Sluigi	{ "ipx_snap",	0x8137 },
98943Sluigi	{ "ipx",	0x8137 },
98943Sluigi	{ "ns",		0x0600 },
98943Sluigi	{ NULL,		0 }
98943Sluigi};
98943Sluigi
98943Sluigi
187769Sluigistatic struct _s_x rule_actions[] = {
98943Sluigi	{ "accept",		TOK_ACCEPT },
98943Sluigi	{ "pass",		TOK_ACCEPT },
98943Sluigi	{ "allow",		TOK_ACCEPT },
98943Sluigi	{ "permit",		TOK_ACCEPT },
98943Sluigi	{ "count",		TOK_COUNT },
98943Sluigi	{ "pipe",		TOK_PIPE },
98943Sluigi	{ "queue",		TOK_QUEUE },
98943Sluigi	{ "divert",		TOK_DIVERT },
98943Sluigi	{ "tee",		TOK_TEE },
141351Sglebius	{ "netgraph",		TOK_NETGRAPH },
141351Sglebius	{ "ngtee",		TOK_NGTEE },
98943Sluigi	{ "fwd",		TOK_FORWARD },
98943Sluigi	{ "forward",		TOK_FORWARD },
98943Sluigi	{ "skipto",		TOK_SKIPTO },
98943Sluigi	{ "deny",		TOK_DENY },
98943Sluigi	{ "drop",		TOK_DENY },
98943Sluigi	{ "reject",		TOK_REJECT },
149020Sbz	{ "reset6",		TOK_RESET6 },
98943Sluigi	{ "reset",		TOK_RESET },
149020Sbz	{ "unreach6",		TOK_UNREACH6 },
99475Sluigi	{ "unreach",		TOK_UNREACH },
98943Sluigi	{ "check-state",	TOK_CHECKSTATE },
117469Sluigi	{ "//",			TOK_COMMENT },
220802Sglebius	{ "nat",		TOK_NAT },
190633Spiso	{ "reass",		TOK_REASS },
178888Sjulian	{ "setfib",		TOK_SETFIB },
117328Sluigi	{ NULL, 0 }	/* terminator */
98943Sluigi};
98943Sluigi
187769Sluigistatic struct _s_x rule_action_params[] = {
136071Sgreen	{ "altq",		TOK_ALTQ },
136071Sgreen	{ "log",		TOK_LOG },
158879Soleg	{ "tag",		TOK_TAG },
158879Soleg	{ "untag",		TOK_UNTAG },
136071Sgreen	{ NULL, 0 }	/* terminator */
136071Sgreen};
136071Sgreen
200567Sluigi/*
200567Sluigi * The 'lookup' instruction accepts one of the following arguments.
200567Sluigi * -1 is a terminator for the list.
200567Sluigi * Arguments are passed as v[1] in O_DST_LOOKUP options.
200567Sluigi */
200567Sluigistatic int lookup_key[] = {
200567Sluigi	TOK_DSTIP, TOK_SRCIP, TOK_DSTPORT, TOK_SRCPORT,
205169Sluigi	TOK_UID, TOK_JAIL, TOK_DSCP, -1 };
200567Sluigi
187769Sluigistatic struct _s_x rule_options[] = {
158879Soleg	{ "tagged",		TOK_TAGGED },
98943Sluigi	{ "uid",		TOK_UID },
98943Sluigi	{ "gid",		TOK_GID },
133600Scsjp	{ "jail",		TOK_JAIL },
98943Sluigi	{ "in",			TOK_IN },
98943Sluigi	{ "limit",		TOK_LIMIT },
98943Sluigi	{ "keep-state",		TOK_KEEPSTATE },
98943Sluigi	{ "bridged",		TOK_LAYER2 },
98943Sluigi	{ "layer2",		TOK_LAYER2 },
98943Sluigi	{ "out",		TOK_OUT },
136073Sgreen	{ "diverted",		TOK_DIVERTED },
136073Sgreen	{ "diverted-loopback",	TOK_DIVERTEDLOOPBACK },
136073Sgreen	{ "diverted-output",	TOK_DIVERTEDOUTPUT },
98943Sluigi	{ "xmit",		TOK_XMIT },
98943Sluigi	{ "recv",		TOK_RECV },
98943Sluigi	{ "via",		TOK_VIA },
98943Sluigi	{ "fragment",		TOK_FRAG },
98943Sluigi	{ "frag",		TOK_FRAG },
178888Sjulian	{ "fib",		TOK_FIB },
98943Sluigi	{ "ipoptions",		TOK_IPOPTS },
98943Sluigi	{ "ipopts",		TOK_IPOPTS },
98943Sluigi	{ "iplen",		TOK_IPLEN },
98943Sluigi	{ "ipid",		TOK_IPID },
98943Sluigi	{ "ipprecedence",	TOK_IPPRECEDENCE },
205169Sluigi	{ "dscp",		TOK_DSCP },
98943Sluigi	{ "iptos",		TOK_IPTOS },
98943Sluigi	{ "ipttl",		TOK_IPTTL },
98943Sluigi	{ "ipversion",		TOK_IPVER },
98943Sluigi	{ "ipver",		TOK_IPVER },
98943Sluigi	{ "estab",		TOK_ESTAB },
98943Sluigi	{ "established",	TOK_ESTAB },
98943Sluigi	{ "setup",		TOK_SETUP },
215179Sluigi	{ "sockarg",		TOK_SOCKARG },
136075Sgreen	{ "tcpdatalen",		TOK_TCPDATALEN },
98943Sluigi	{ "tcpflags",		TOK_TCPFLAGS },
98943Sluigi	{ "tcpflgs",		TOK_TCPFLAGS },
98943Sluigi	{ "tcpoptions",		TOK_TCPOPTS },
98943Sluigi	{ "tcpopts",		TOK_TCPOPTS },
98943Sluigi	{ "tcpseq",		TOK_TCPSEQ },
98943Sluigi	{ "tcpack",		TOK_TCPACK },
98943Sluigi	{ "tcpwin",		TOK_TCPWIN },
99909Sluigi	{ "icmptype",		TOK_ICMPTYPES },
98943Sluigi	{ "icmptypes",		TOK_ICMPTYPES },
102087Sluigi	{ "dst-ip",		TOK_DSTIP },
102087Sluigi	{ "src-ip",		TOK_SRCIP },
102087Sluigi	{ "dst-port",		TOK_DSTPORT },
102087Sluigi	{ "src-port",		TOK_SRCPORT },
102087Sluigi	{ "proto",		TOK_PROTO },
102087Sluigi	{ "MAC",		TOK_MAC },
102087Sluigi	{ "mac",		TOK_MAC },
102087Sluigi	{ "mac-type",		TOK_MACTYPE },
112250Scjc	{ "verrevpath",		TOK_VERREVPATH },
128575Sandre	{ "versrcreach",	TOK_VERSRCREACH },
133387Sandre	{ "antispoof",		TOK_ANTISPOOF },
117241Sluigi	{ "ipsec",		TOK_IPSEC },
145246Sbrooks	{ "icmp6type",		TOK_ICMP6TYPES },
145246Sbrooks	{ "icmp6types",		TOK_ICMP6TYPES },
145246Sbrooks	{ "ext6hdr",		TOK_EXT6HDR},
145246Sbrooks	{ "flow-id",		TOK_FLOWID},
145246Sbrooks	{ "ipv6",		TOK_IPV6},
145246Sbrooks	{ "ip6",		TOK_IPV6},
146894Smlaier	{ "ipv4",		TOK_IPV4},
146894Smlaier	{ "ip4",		TOK_IPV4},
145246Sbrooks	{ "dst-ipv6",		TOK_DSTIP6},
145246Sbrooks	{ "dst-ip6",		TOK_DSTIP6},
145246Sbrooks	{ "src-ipv6",		TOK_SRCIP6},
145246Sbrooks	{ "src-ip6",		TOK_SRCIP6},
200567Sluigi	{ "lookup",		TOK_LOOKUP},
117469Sluigi	{ "//",			TOK_COMMENT },
98943Sluigi
98943Sluigi	{ "not",		TOK_NOT },		/* pseudo option */
98943Sluigi	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
98943Sluigi	{ "or",			TOK_OR },		/* pseudo option */
98943Sluigi	{ "|", /* escape */	TOK_OR },		/* pseudo option */
101641Sluigi	{ "{",			TOK_STARTBRACE },	/* pseudo option */
101641Sluigi	{ "(",			TOK_STARTBRACE },	/* pseudo option */
101641Sluigi	{ "}",			TOK_ENDBRACE },		/* pseudo option */
101641Sluigi	{ ")",			TOK_ENDBRACE },		/* pseudo option */
117328Sluigi	{ NULL, 0 }	/* terminator */
98943Sluigi};
98943Sluigi
206843Sluigi/*
206843Sluigi * Helper routine to print a possibly unaligned uint64_t on
206843Sluigi * various platform. If width > 0, print the value with
206843Sluigi * the desired width, followed by a space;
206843Sluigi * otherwise, return the required width.
187787Sluigi */
206843Sluigiint
206843Sluigipr_u64(uint64_t *pd, int width)
187787Sluigi{
206843Sluigi#ifdef TCC
206843Sluigi#define U64_FMT "I64"
206843Sluigi#else
206843Sluigi#define U64_FMT "llu"
206843Sluigi#endif
206846Sluigi	uint64_t u;
206846Sluigi	unsigned long long d;
115793Sticso
206846Sluigi	bcopy (pd, &u, sizeof(u));
206846Sluigi	d = u;
206843Sluigi	return (width > 0) ?
206843Sluigi		printf("%*" U64_FMT " ", width, d) :
206843Sluigi		snprintf(NULL, 0, "%" U64_FMT, d) ;
206843Sluigi#undef U64_FMT
129389Sstefanf}
115793Sticso
187767Sluigivoid *
187716Sluigisafe_calloc(size_t number, size_t size)
187716Sluigi{
187716Sluigi	void *ret = calloc(number, size);
187716Sluigi
187716Sluigi	if (ret == NULL)
187716Sluigi		err(EX_OSERR, "calloc");
187716Sluigi	return ret;
187716Sluigi}
187716Sluigi
187767Sluigivoid *
187716Sluigisafe_realloc(void *ptr, size_t size)
187716Sluigi{
187716Sluigi	void *ret = realloc(ptr, size);
187716Sluigi
187716Sluigi	if (ret == NULL)
187716Sluigi		err(EX_OSERR, "realloc");
187716Sluigi	return ret;
187716Sluigi}
187716Sluigi
117328Sluigi/*
117328Sluigi * conditionally runs the command.
204591Sluigi * Selected options or negative -> getsockopt
117328Sluigi */
187769Sluigiint
119740Stmmdo_cmd(int optname, void *optval, uintptr_t optlen)
117328Sluigi{
117328Sluigi	static int s = -1;	/* the socket */
117328Sluigi	int i;
117577Sluigi
187764Sluigi	if (co.test_only)
117328Sluigi		return 0;
117328Sluigi
117328Sluigi	if (s == -1)
117328Sluigi		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
117328Sluigi	if (s < 0)
117328Sluigi		err(EX_UNAVAILABLE, "socket");
117328Sluigi
117328Sluigi	if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET ||
130281Sru	    optname == IP_FW_ADD || optname == IP_FW_TABLE_LIST ||
220802Sglebius	    optname == IP_FW_TABLE_GETSIZE ||
220802Sglebius	    optname == IP_FW_NAT_GET_CONFIG ||
204591Sluigi	    optname < 0 ||
204591Sluigi	    optname == IP_FW_NAT_GET_LOG) {
204591Sluigi		if (optname < 0)
204591Sluigi			optname = -optname;
117328Sluigi		i = getsockopt(s, IPPROTO_IP, optname, optval,
117328Sluigi			(socklen_t *)optlen);
204591Sluigi	} else {
117328Sluigi		i = setsockopt(s, IPPROTO_IP, optname, optval, optlen);
204591Sluigi	}
117328Sluigi	return i;
117328Sluigi}
117328Sluigi
98943Sluigi/**
98943Sluigi * match_token takes a table and a string, returns the value associated
117328Sluigi * with the string (-1 in case of failure).
98943Sluigi */
187769Sluigiint
98943Sluigimatch_token(struct _s_x *table, char *string)
98943Sluigi{
98943Sluigi	struct _s_x *pt;
117469Sluigi	uint i = strlen(string);
98943Sluigi
98943Sluigi	for (pt = table ; i && pt->s != NULL ; pt++)
98943Sluigi		if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
98943Sluigi			return pt->x;
98943Sluigi	return -1;
129389Sstefanf}
98943Sluigi
117328Sluigi/**
117328Sluigi * match_value takes a table and a value, returns the string associated
117328Sluigi * with the value (NULL in case of failure).
117328Sluigi */
187770Sluigichar const *
117469Sluigimatch_value(struct _s_x *p, int value)
98943Sluigi{
98943Sluigi	for (; p->s != NULL; p++)
98943Sluigi		if (p->x == value)
98943Sluigi			return p->s;
98943Sluigi	return NULL;
98943Sluigi}
98943Sluigi
98943Sluigi/*
140271Sbrooks * _substrcmp takes two strings and returns 1 if they do not match,
140271Sbrooks * and 0 if they match exactly or the first string is a sub-string
140271Sbrooks * of the second.  A warning is printed to stderr in the case that the
140271Sbrooks * first string is a sub-string of the second.
140271Sbrooks *
140271Sbrooks * This function will be removed in the future through the usual
140271Sbrooks * deprecation process.
140271Sbrooks */
187767Sluigiint
140271Sbrooks_substrcmp(const char *str1, const char* str2)
140271Sbrooks{
140271Sbrooks
140271Sbrooks	if (strncmp(str1, str2, strlen(str1)) != 0)
140271Sbrooks		return 1;
140271Sbrooks
140271Sbrooks	if (strlen(str1) != strlen(str2))
140271Sbrooks		warnx("DEPRECATED: '%s' matched '%s' as a sub-string",
140271Sbrooks		    str1, str2);
140271Sbrooks	return 0;
140271Sbrooks}
140271Sbrooks
140271Sbrooks/*
140271Sbrooks * _substrcmp2 takes three strings and returns 1 if the first two do not match,
140271Sbrooks * and 0 if they match exactly or the second string is a sub-string
140271Sbrooks * of the first.  A warning is printed to stderr in the case that the
140271Sbrooks * first string does not match the third.
140271Sbrooks *
140271Sbrooks * This function exists to warn about the bizzare construction
140271Sbrooks * strncmp(str, "by", 2) which is used to allow people to use a shotcut
140271Sbrooks * for "bytes".  The problem is that in addition to accepting "by",
140271Sbrooks * "byt", "byte", and "bytes", it also excepts "by_rabid_dogs" and any
140271Sbrooks * other string beginning with "by".
140271Sbrooks *
140271Sbrooks * This function will be removed in the future through the usual
140271Sbrooks * deprecation process.
140271Sbrooks */
187769Sluigiint
140271Sbrooks_substrcmp2(const char *str1, const char* str2, const char* str3)
140271Sbrooks{
140271Sbrooks
140271Sbrooks	if (strncmp(str1, str2, strlen(str2)) != 0)
140271Sbrooks		return 1;
140271Sbrooks
140271Sbrooks	if (strcmp(str1, str3) != 0)
140271Sbrooks		warnx("DEPRECATED: '%s' matched '%s'",
140271Sbrooks		    str1, str3);
140271Sbrooks	return 0;
140271Sbrooks}
140271Sbrooks
140271Sbrooks/*
98943Sluigi * prints one port, symbolic or numeric
98943Sluigi */
98943Sluigistatic void
117328Sluigiprint_port(int proto, uint16_t port)
98943Sluigi{
98943Sluigi
98943Sluigi	if (proto == IPPROTO_ETHERTYPE) {
117469Sluigi		char const *s;
98943Sluigi
187764Sluigi		if (co.do_resolv && (s = match_value(ether_types, port)) )
98943Sluigi			printf("%s", s);
98943Sluigi		else
98943Sluigi			printf("0x%04x", port);
98943Sluigi	} else {
98943Sluigi		struct servent *se = NULL;
187764Sluigi		if (co.do_resolv) {
98943Sluigi			struct protoent *pe = getprotobynumber(proto);
98943Sluigi
98943Sluigi			se = getservbyport(htons(port), pe ? pe->p_name : NULL);
98943Sluigi		}
98943Sluigi		if (se)
98943Sluigi			printf("%s", se->s_name);
98943Sluigi		else
98943Sluigi			printf("%d", port);
98943Sluigi	}
98943Sluigi}
98943Sluigi
187769Sluigistatic struct _s_x _port_name[] = {
117328Sluigi	{"dst-port",	O_IP_DSTPORT},
117328Sluigi	{"src-port",	O_IP_SRCPORT},
117328Sluigi	{"ipid",	O_IPID},
117328Sluigi	{"iplen",	O_IPLEN},
117328Sluigi	{"ipttl",	O_IPTTL},
117328Sluigi	{"mac-type",	O_MAC_TYPE},
136075Sgreen	{"tcpdatalen",	O_TCPDATALEN},
158879Soleg	{"tagged",	O_TAGGED},
117328Sluigi	{NULL,		0}
117328Sluigi};
117328Sluigi
98943Sluigi/*
117328Sluigi * Print the values in a list 16-bit items of the types above.
98943Sluigi * XXX todo: add support for mask.
98943Sluigi */
98943Sluigistatic void
102087Sluigiprint_newports(ipfw_insn_u16 *cmd, int proto, int opcode)
98943Sluigi{
117328Sluigi	uint16_t *p = cmd->ports;
98943Sluigi	int i;
117469Sluigi	char const *sep;
98943Sluigi
116690Sluigi	if (opcode != 0) {
117328Sluigi		sep = match_value(_port_name, opcode);
117328Sluigi		if (sep == NULL)
116690Sluigi			sep = "???";
116690Sluigi		printf (" %s", sep);
116690Sluigi	}
116690Sluigi	sep = " ";
98943Sluigi	for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
193702Sluigi		printf("%s", sep);
98943Sluigi		print_port(proto, p[0]);
98943Sluigi		if (p[0] != p[1]) {
98943Sluigi			printf("-");
98943Sluigi			print_port(proto, p[1]);
98943Sluigi		}
98943Sluigi		sep = ",";
98943Sluigi	}
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Like strtol, but also translates service names into port numbers
98943Sluigi * for some protocols.
98943Sluigi * In particular:
98943Sluigi *	proto == -1 disables the protocol check;
98943Sluigi *	proto == IPPROTO_ETHERTYPE looks up an internal table
98943Sluigi *	proto == <some value in /etc/protocols> matches the values there.
101628Sluigi * Returns *end == s in case the parameter is not found.
98943Sluigi */
98943Sluigistatic int
98943Sluigistrtoport(char *s, char **end, int base, int proto)
98943Sluigi{
101628Sluigi	char *p, *buf;
101628Sluigi	char *s1;
98943Sluigi	int i;
98943Sluigi
101628Sluigi	*end = s;		/* default - not found */
117577Sluigi	if (*s == '\0')
101628Sluigi		return 0;	/* not found */
106505Smaxim
98943Sluigi	if (isdigit(*s))
98943Sluigi		return strtol(s, end, base);
98943Sluigi
98943Sluigi	/*
101628Sluigi	 * find separator. '\\' escapes the next char.
98943Sluigi	 */
101628Sluigi	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
101628Sluigi		if (*s1 == '\\' && s1[1] != '\0')
101628Sluigi			s1++;
98943Sluigi
187716Sluigi	buf = safe_calloc(s1 - s + 1, 1);
101628Sluigi
101628Sluigi	/*
101628Sluigi	 * copy into a buffer skipping backslashes
101628Sluigi	 */
101628Sluigi	for (p = s, i = 0; p != s1 ; p++)
117577Sluigi		if (*p != '\\')
101628Sluigi			buf[i++] = *p;
101628Sluigi	buf[i++] = '\0';
101628Sluigi
98943Sluigi	if (proto == IPPROTO_ETHERTYPE) {
101628Sluigi		i = match_token(ether_types, buf);
101628Sluigi		free(buf);
101628Sluigi		if (i != -1) {	/* found */
98943Sluigi			*end = s1;
98943Sluigi			return i;
98943Sluigi		}
98943Sluigi	} else {
98943Sluigi		struct protoent *pe = NULL;
98943Sluigi		struct servent *se;
98943Sluigi
98943Sluigi		if (proto != 0)
98943Sluigi			pe = getprotobynumber(proto);
98943Sluigi		setservent(1);
101628Sluigi		se = getservbyname(buf, pe ? pe->p_name : NULL);
101628Sluigi		free(buf);
98943Sluigi		if (se != NULL) {
98943Sluigi			*end = s1;
98943Sluigi			return ntohs(se->s_port);
98943Sluigi		}
98943Sluigi	}
101628Sluigi	return 0;	/* not found */
98943Sluigi}
98943Sluigi
98943Sluigi/*
117328Sluigi * Fill the body of the command with the list of port ranges.
98943Sluigi */
98943Sluigistatic int
98943Sluigifill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
98943Sluigi{
117328Sluigi	uint16_t a, b, *p = cmd->ports;
98943Sluigi	int i = 0;
102087Sluigi	char *s = av;
98943Sluigi
102087Sluigi	while (*s) {
98943Sluigi		a = strtoport(av, &s, 0, proto);
159636Soleg		if (s == av) 			/* empty or invalid argument */
159636Soleg			return (0);
159636Soleg
159636Soleg		switch (*s) {
159636Soleg		case '-':			/* a range */
159636Soleg			av = s + 1;
98943Sluigi			b = strtoport(av, &s, 0, proto);
159636Soleg			/* Reject expressions like '1-abc' or '1-2-3'. */
159636Soleg			if (s == av || (*s != ',' && *s != '\0'))
159636Soleg				return (0);
98943Sluigi			p[0] = a;
98943Sluigi			p[1] = b;
159636Soleg			break;
159636Soleg		case ',':			/* comma separated list */
159636Soleg		case '\0':
98943Sluigi			p[0] = p[1] = a;
159636Soleg			break;
159636Soleg		default:
159636Soleg			warnx("port list: invalid separator <%c> in <%s>",
101978Sluigi				*s, av);
159636Soleg			return (0);
159636Soleg		}
159636Soleg
102087Sluigi		i++;
102087Sluigi		p += 2;
159636Soleg		av = s + 1;
98943Sluigi	}
98943Sluigi	if (i > 0) {
159636Soleg		if (i + 1 > F_LEN_MASK)
102087Sluigi			errx(EX_DATAERR, "too many ports/ranges\n");
159636Soleg		cmd->o.len |= i + 1;	/* leave F_NOT and F_OR untouched */
98943Sluigi	}
159636Soleg	return (i);
98943Sluigi}
98943Sluigi
98943Sluigistatic struct _s_x icmpcodes[] = {
98943Sluigi      { "net",			ICMP_UNREACH_NET },
98943Sluigi      { "host",			ICMP_UNREACH_HOST },
98943Sluigi      { "protocol",		ICMP_UNREACH_PROTOCOL },
98943Sluigi      { "port",			ICMP_UNREACH_PORT },
98943Sluigi      { "needfrag",		ICMP_UNREACH_NEEDFRAG },
98943Sluigi      { "srcfail",		ICMP_UNREACH_SRCFAIL },
98943Sluigi      { "net-unknown",		ICMP_UNREACH_NET_UNKNOWN },
98943Sluigi      { "host-unknown",		ICMP_UNREACH_HOST_UNKNOWN },
98943Sluigi      { "isolated",		ICMP_UNREACH_ISOLATED },
98943Sluigi      { "net-prohib",		ICMP_UNREACH_NET_PROHIB },
98943Sluigi      { "host-prohib",		ICMP_UNREACH_HOST_PROHIB },
98943Sluigi      { "tosnet",		ICMP_UNREACH_TOSNET },
98943Sluigi      { "toshost",		ICMP_UNREACH_TOSHOST },
98943Sluigi      { "filter-prohib",	ICMP_UNREACH_FILTER_PROHIB },
98943Sluigi      { "host-precedence",	ICMP_UNREACH_HOST_PRECEDENCE },
98943Sluigi      { "precedence-cutoff",	ICMP_UNREACH_PRECEDENCE_CUTOFF },
98943Sluigi      { NULL, 0 }
98943Sluigi};
98943Sluigi
98943Sluigistatic void
98943Sluigifill_reject_code(u_short *codep, char *str)
98943Sluigi{
98943Sluigi	int val;
98943Sluigi	char *s;
98943Sluigi
98943Sluigi	val = strtoul(str, &s, 0);
98943Sluigi	if (s == str || *s != '\0' || val >= 0x100)
98943Sluigi		val = match_token(icmpcodes, str);
102087Sluigi	if (val < 0)
98943Sluigi		errx(EX_DATAERR, "unknown ICMP unreachable code ``%s''", str);
98943Sluigi	*codep = val;
98943Sluigi	return;
98943Sluigi}
98943Sluigi
98943Sluigistatic void
117328Sluigiprint_reject_code(uint16_t code)
98943Sluigi{
117469Sluigi	char const *s = match_value(icmpcodes, code);
98943Sluigi
98943Sluigi	if (s != NULL)
99475Sluigi		printf("unreach %s", s);
98943Sluigi	else
99475Sluigi		printf("unreach %u", code);
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Returns the number of bits set (from left) in a contiguous bitmask,
98943Sluigi * or -1 if the mask is not contiguous.
98943Sluigi * XXX this needs a proper fix.
98943Sluigi * This effectively works on masks in big-endian (network) format.
98943Sluigi * when compiled on little endian architectures.
98943Sluigi *
98943Sluigi * First bit is bit 7 of the first byte -- note, for MAC addresses,
98943Sluigi * the first bit on the wire is bit 0 of the first byte.
98943Sluigi * len is the max length in bits.
98943Sluigi */
187770Sluigiint
117577Sluigicontigmask(uint8_t *p, int len)
98943Sluigi{
98943Sluigi	int i, n;
117577Sluigi
98943Sluigi	for (i=0; i<len ; i++)
98943Sluigi		if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
98943Sluigi			break;
98943Sluigi	for (n=i+1; n < len; n++)
98943Sluigi		if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
98943Sluigi			return -1; /* mask not contiguous */
98943Sluigi	return i;
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * print flags set/clear in the two bitmasks passed as parameters.
98943Sluigi * There is a specialized check for f_tcpflags.
98943Sluigi */
98943Sluigistatic void
117469Sluigiprint_flags(char const *name, ipfw_insn *cmd, struct _s_x *list)
98943Sluigi{
117469Sluigi	char const *comma = "";
98943Sluigi	int i;
117577Sluigi	uint8_t set = cmd->arg1 & 0xff;
117577Sluigi	uint8_t clear = (cmd->arg1 >> 8) & 0xff;
98943Sluigi
98943Sluigi	if (list == f_tcpflags && set == TH_SYN && clear == TH_ACK) {
98943Sluigi		printf(" setup");
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
98943Sluigi	printf(" %s ", name);
98943Sluigi	for (i=0; list[i].x != 0; i++) {
98943Sluigi		if (set & list[i].x) {
98943Sluigi			set &= ~list[i].x;
98943Sluigi			printf("%s%s", comma, list[i].s);
98943Sluigi			comma = ",";
98943Sluigi		}
98943Sluigi		if (clear & list[i].x) {
98943Sluigi			clear &= ~list[i].x;
98943Sluigi			printf("%s!%s", comma, list[i].s);
98943Sluigi			comma = ",";
98943Sluigi		}
98943Sluigi	}
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Print the ip address contained in a command.
98943Sluigi */
98943Sluigistatic void
117469Sluigiprint_ip(ipfw_insn_ip *cmd, char const *s)
98943Sluigi{
98943Sluigi	struct hostent *he = NULL;
204591Sluigi	uint32_t len = F_LEN((ipfw_insn *)cmd);
117328Sluigi	uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
98943Sluigi
200567Sluigi	if (cmd->o.opcode == O_IP_DST_LOOKUP && len > F_INSN_SIZE(ipfw_insn_u32)) {
200567Sluigi		uint32_t d = a[1];
200567Sluigi		const char *arg = "<invalid>";
200567Sluigi
200567Sluigi		if (d < sizeof(lookup_key)/sizeof(lookup_key[0]))
200567Sluigi			arg = match_value(rule_options, lookup_key[d]);
200567Sluigi		printf("%s lookup %s %d", cmd->o.len & F_NOT ? " not": "",
200567Sluigi			arg, cmd->o.arg1);
200567Sluigi		return;
200567Sluigi	}
102087Sluigi	printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
98943Sluigi
98943Sluigi	if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
98943Sluigi		printf("me");
98943Sluigi		return;
98943Sluigi	}
130281Sru	if (cmd->o.opcode == O_IP_SRC_LOOKUP ||
130281Sru	    cmd->o.opcode == O_IP_DST_LOOKUP) {
130281Sru		printf("table(%u", ((ipfw_insn *)cmd)->arg1);
130281Sru		if (len == F_INSN_SIZE(ipfw_insn_u32))
130281Sru			printf(",%u", *a);
130281Sru		printf(")");
130281Sru		return;
130281Sru	}
98943Sluigi	if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
117328Sluigi		uint32_t x, *map = (uint32_t *)&(cmd->mask);
116716Sluigi		int i, j;
98943Sluigi		char comma = '{';
98943Sluigi
98943Sluigi		x = cmd->o.arg1 - 1;
98943Sluigi		x = htonl( ~x );
98943Sluigi		cmd->addr.s_addr = htonl(cmd->addr.s_addr);
98943Sluigi		printf("%s/%d", inet_ntoa(cmd->addr),
117577Sluigi			contigmask((uint8_t *)&x, 32));
98943Sluigi		x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
98943Sluigi		x &= 0xff; /* base */
116716Sluigi		/*
116716Sluigi		 * Print bits and ranges.
116716Sluigi		 * Locate first bit set (i), then locate first bit unset (j).
116716Sluigi		 * If we have 3+ consecutive bits set, then print them as a
116716Sluigi		 * range, otherwise only print the initial bit and rescan.
116716Sluigi		 */
98943Sluigi		for (i=0; i < cmd->o.arg1; i++)
117328Sluigi			if (map[i/32] & (1<<(i & 31))) {
116716Sluigi				for (j=i+1; j < cmd->o.arg1; j++)
117328Sluigi					if (!(map[ j/32] & (1<<(j & 31))))
116716Sluigi						break;
98943Sluigi				printf("%c%d", comma, i+x);
116716Sluigi				if (j>i+2) { /* range has at least 3 elements */
116716Sluigi					printf("-%d", j-1+x);
116716Sluigi					i = j-1;
116716Sluigi				}
98943Sluigi				comma = ',';
98943Sluigi			}
98943Sluigi		printf("}");
98943Sluigi		return;
98943Sluigi	}
117328Sluigi	/*
117328Sluigi	 * len == 2 indicates a single IP, whereas lists of 1 or more
117328Sluigi	 * addr/mask pairs have len = (2n+1). We convert len to n so we
117328Sluigi	 * use that to count the number of entries.
117328Sluigi	 */
117328Sluigi    for (len = len / 2; len > 0; len--, a += 2) {
117328Sluigi	int mb =	/* mask length */
117328Sluigi	    (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
117577Sluigi		32 : contigmask((uint8_t *)&(a[1]), 32);
187764Sluigi	if (mb == 32 && co.do_resolv)
117328Sluigi		he = gethostbyaddr((char *)&(a[0]), sizeof(u_long), AF_INET);
98943Sluigi	if (he != NULL)		/* resolved to name */
98943Sluigi		printf("%s", he->h_name);
98943Sluigi	else if (mb == 0)	/* any */
98943Sluigi		printf("any");
98943Sluigi	else {		/* numeric IP followed by some kind of mask */
117328Sluigi		printf("%s", inet_ntoa( *((struct in_addr *)&a[0]) ) );
98943Sluigi		if (mb < 0)
117328Sluigi			printf(":%s", inet_ntoa( *((struct in_addr *)&a[1]) ) );
98943Sluigi		else if (mb < 32)
98943Sluigi			printf("/%d", mb);
98943Sluigi	}
117328Sluigi	if (len > 1)
117328Sluigi		printf(",");
117328Sluigi    }
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * prints a MAC address/mask pair
98943Sluigi */
98943Sluigistatic void
117577Sluigiprint_mac(uint8_t *addr, uint8_t *mask)
98943Sluigi{
98943Sluigi	int l = contigmask(mask, 48);
98943Sluigi
98943Sluigi	if (l == 0)
98943Sluigi		printf(" any");
98943Sluigi	else {
98943Sluigi		printf(" %02x:%02x:%02x:%02x:%02x:%02x",
98943Sluigi		    addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
98943Sluigi		if (l == -1)
98943Sluigi			printf("&%02x:%02x:%02x:%02x:%02x:%02x",
98943Sluigi			    mask[0], mask[1], mask[2],
98943Sluigi			    mask[3], mask[4], mask[5]);
98943Sluigi		else if (l < 48)
98943Sluigi			printf("/%d", l);
98943Sluigi	}
98943Sluigi}
98943Sluigi
99475Sluigistatic void
99475Sluigifill_icmptypes(ipfw_insn_u32 *cmd, char *av)
99475Sluigi{
117328Sluigi	uint8_t type;
98943Sluigi
99475Sluigi	cmd->d[0] = 0;
99475Sluigi	while (*av) {
99475Sluigi		if (*av == ',')
99475Sluigi			av++;
99475Sluigi
99475Sluigi		type = strtoul(av, &av, 0);
99475Sluigi
99475Sluigi		if (*av != ',' && *av != '\0')
99475Sluigi			errx(EX_DATAERR, "invalid ICMP type");
99475Sluigi
99475Sluigi		if (type > 31)
99475Sluigi			errx(EX_DATAERR, "ICMP type out of range");
99475Sluigi
99475Sluigi		cmd->d[0] |= 1 << type;
99475Sluigi	}
99475Sluigi	cmd->o.opcode = O_ICMPTYPE;
99475Sluigi	cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
99475Sluigi}
99475Sluigi
99475Sluigistatic void
99475Sluigiprint_icmptypes(ipfw_insn_u32 *cmd)
99475Sluigi{
99475Sluigi	int i;
99475Sluigi	char sep= ' ';
99475Sluigi
99475Sluigi	printf(" icmptypes");
99475Sluigi	for (i = 0; i < 32; i++) {
99475Sluigi		if ( (cmd->d[0] & (1 << (i))) == 0)
99475Sluigi			continue;
99475Sluigi		printf("%c%d", sep, i);
99475Sluigi		sep = ',';
99475Sluigi	}
99475Sluigi}
99475Sluigi
98943Sluigi/*
98943Sluigi * show_ipfw() prints the body of an ipfw rule.
98943Sluigi * Because the standard rule has at least proto src_ip dst_ip, we use
98943Sluigi * a helper function to produce these entries if not provided explicitly.
102087Sluigi * The first argument is the list of fields we have, the second is
102087Sluigi * the list of fields we want to be printed.
101978Sluigi *
102087Sluigi * Special cases if we have provided a MAC header:
102087Sluigi *   + if the rule does not contain IP addresses/ports, do not print them;
102087Sluigi *   + if the rule does not contain an IP proto, print "all" instead of "ip";
102087Sluigi *
102087Sluigi * Once we have 'have_options', IP header fields are printed as options.
98943Sluigi */
101978Sluigi#define	HAVE_PROTO	0x0001
101978Sluigi#define	HAVE_SRCIP	0x0002
101978Sluigi#define	HAVE_DSTIP	0x0004
169139Smaxim#define	HAVE_PROTO4	0x0008
169139Smaxim#define	HAVE_PROTO6	0x0010
205179Sluigi#define	HAVE_IP		0x0100
102087Sluigi#define	HAVE_OPTIONS	0x8000
98943Sluigi
98943Sluigistatic void
187477Sluigishow_prerequisites(int *flags, int want, int cmd __unused)
98943Sluigi{
187764Sluigi	if (co.comment_only)
123495Sluigi		return;
102087Sluigi	if ( (*flags & HAVE_IP) == HAVE_IP)
102087Sluigi		*flags |= HAVE_OPTIONS;
102087Sluigi
102087Sluigi	if ( !(*flags & HAVE_OPTIONS)) {
187477Sluigi		if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO)) {
146894Smlaier			if ( (*flags & HAVE_PROTO4))
146894Smlaier				printf(" ip4");
146894Smlaier			else if ( (*flags & HAVE_PROTO6))
146894Smlaier				printf(" ip6");
146894Smlaier			else
146894Smlaier				printf(" ip");
187477Sluigi		}
102087Sluigi		if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
102087Sluigi			printf(" from any");
102087Sluigi		if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
102087Sluigi			printf(" to any");
102087Sluigi	}
98943Sluigi	*flags |= want;
98943Sluigi}
98943Sluigi
98943Sluigistatic void
112189Smaximshow_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
98943Sluigi{
107291Skeramida	static int twidth = 0;
98943Sluigi	int l;
158879Soleg	ipfw_insn *cmd, *tagptr = NULL;
187477Sluigi	const char *comment = NULL;	/* ptr to comment if we have one */
98943Sluigi	int proto = 0;		/* default */
98943Sluigi	int flags = 0;	/* prerequisites */
98943Sluigi	ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
136071Sgreen	ipfw_insn_altq *altqptr = NULL; /* set if we find an O_ALTQ */
98943Sluigi	int or_block = 0;	/* we are in an or block */
117328Sluigi	uint32_t set_disable;
98943Sluigi
115793Sticso	bcopy(&rule->next_rule, &set_disable, sizeof(set_disable));
101628Sluigi
101628Sluigi	if (set_disable & (1 << rule->set)) { /* disabled */
187764Sluigi		if (!co.show_sets)
101628Sluigi			return;
101628Sluigi		else
101628Sluigi			printf("# DISABLED ");
101628Sluigi	}
98943Sluigi	printf("%05u ", rule->rulenum);
98943Sluigi
206843Sluigi	if (pcwidth > 0 || bcwidth > 0) {
206843Sluigi		pr_u64(&rule->pcnt, pcwidth);
206843Sluigi		pr_u64(&rule->bcnt, bcwidth);
206843Sluigi	}
98943Sluigi
187764Sluigi	if (co.do_time == 2)
117472Sluigi		printf("%10u ", rule->timestamp);
187764Sluigi	else if (co.do_time == 1) {
107291Skeramida		char timestr[30];
107291Skeramida		time_t t = (time_t)0;
107291Skeramida
107291Skeramida		if (twidth == 0) {
107291Skeramida			strcpy(timestr, ctime(&t));
107291Skeramida			*strchr(timestr, '\n') = '\0';
107291Skeramida			twidth = strlen(timestr);
107291Skeramida		}
98943Sluigi		if (rule->timestamp) {
107291Skeramida			t = _long_to_time(rule->timestamp);
98943Sluigi
98943Sluigi			strcpy(timestr, ctime(&t));
98943Sluigi			*strchr(timestr, '\n') = '\0';
98943Sluigi			printf("%s ", timestr);
98943Sluigi		} else {
107291Skeramida			printf("%*s", twidth, " ");
98943Sluigi		}
98943Sluigi	}
98943Sluigi
187764Sluigi	if (co.show_sets)
101628Sluigi		printf("set %d ", rule->set);
101628Sluigi
98943Sluigi	/*
107289Sluigi	 * print the optional "match probability"
107289Sluigi	 */
107289Sluigi	if (rule->cmd_len > 0) {
107289Sluigi		cmd = rule->cmd ;
107289Sluigi		if (cmd->opcode == O_PROB) {
107289Sluigi			ipfw_insn_u32 *p = (ipfw_insn_u32 *)cmd;
107289Sluigi			double d = 1.0 * p->d[0];
107289Sluigi
107289Sluigi			d = (d / 0x7fffffff);
107289Sluigi			printf("prob %f ", d);
107289Sluigi		}
107289Sluigi	}
107289Sluigi
107289Sluigi	/*
98943Sluigi	 * first print actions
98943Sluigi	 */
220802Sglebius	for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
98943Sluigi			l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
98943Sluigi		switch(cmd->opcode) {
98943Sluigi		case O_CHECK_STATE:
98943Sluigi			printf("check-state");
205179Sluigi			/* avoid printing anything else */
205179Sluigi			flags = HAVE_PROTO | HAVE_SRCIP |
205179Sluigi				HAVE_DSTIP | HAVE_IP;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_ACCEPT:
98943Sluigi			printf("allow");
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_COUNT:
98943Sluigi			printf("count");
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_DENY:
98943Sluigi			printf("deny");
98943Sluigi			break;
98943Sluigi
99475Sluigi		case O_REJECT:
99475Sluigi			if (cmd->arg1 == ICMP_REJECT_RST)
99475Sluigi				printf("reset");
99475Sluigi			else if (cmd->arg1 == ICMP_UNREACH_HOST)
99475Sluigi				printf("reject");
99475Sluigi			else
99475Sluigi				print_reject_code(cmd->arg1);
99475Sluigi			break;
99475Sluigi
149020Sbz		case O_UNREACH6:
149020Sbz			if (cmd->arg1 == ICMP6_UNREACH_RST)
149020Sbz				printf("reset6");
149020Sbz			else
149020Sbz				print_unreach6_code(cmd->arg1);
149020Sbz			break;
149020Sbz
159636Soleg		case O_SKIPTO:
159636Soleg			PRINT_UINT_ARG("skipto ", cmd->arg1);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_PIPE:
159636Soleg			PRINT_UINT_ARG("pipe ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_QUEUE:
159636Soleg			PRINT_UINT_ARG("queue ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_DIVERT:
159636Soleg			PRINT_UINT_ARG("divert ", cmd->arg1);
159636Soleg			break;
159636Soleg
98943Sluigi		case O_TEE:
159636Soleg			PRINT_UINT_ARG("tee ", cmd->arg1);
159636Soleg			break;
159636Soleg
141351Sglebius		case O_NETGRAPH:
159636Soleg			PRINT_UINT_ARG("netgraph ", cmd->arg1);
159636Soleg			break;
159636Soleg
141351Sglebius		case O_NGTEE:
159636Soleg			PRINT_UINT_ARG("ngtee ", cmd->arg1);
159636Soleg			break;
141351Sglebius
98943Sluigi		case O_FORWARD_IP:
98943Sluigi		    {
98943Sluigi			ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
98943Sluigi
161424Sjulian			if (s->sa.sin_addr.s_addr == INADDR_ANY) {
161424Sjulian				printf("fwd tablearg");
161424Sjulian			} else {
161424Sjulian				printf("fwd %s", inet_ntoa(s->sa.sin_addr));
161424Sjulian			}
98943Sluigi			if (s->sa.sin_port)
103241Sluigi				printf(",%d", s->sa.sin_port);
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_LOG: /* O_LOG is printed last */
98943Sluigi			logptr = (ipfw_insn_log *)cmd;
98943Sluigi			break;
98943Sluigi
136071Sgreen		case O_ALTQ: /* O_ALTQ is printed after O_LOG */
136071Sgreen			altqptr = (ipfw_insn_altq *)cmd;
136071Sgreen			break;
136071Sgreen
158879Soleg		case O_TAG:
158879Soleg			tagptr = cmd;
158879Soleg			break;
158879Soleg
165648Spiso		case O_NAT:
176517Spiso			PRINT_UINT_ARG("nat ", cmd->arg1);
165648Spiso 			break;
165648Spiso
178888Sjulian		case O_SETFIB:
178888Sjulian			PRINT_UINT_ARG("setfib ", cmd->arg1);
178888Sjulian 			break;
190633Spiso
190633Spiso		case O_REASS:
190633Spiso			printf("reass");
190633Spiso			break;
178888Sjulian
98943Sluigi		default:
136071Sgreen			printf("** unrecognized action %d len %d ",
98943Sluigi				cmd->opcode, cmd->len);
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (logptr) {
98943Sluigi		if (logptr->max_log > 0)
99909Sluigi			printf(" log logamount %d", logptr->max_log);
98943Sluigi		else
99909Sluigi			printf(" log");
98943Sluigi	}
204591Sluigi#ifndef NO_ALTQ
136071Sgreen	if (altqptr) {
187983Sluigi		print_altq_cmd(altqptr);
136071Sgreen	}
204591Sluigi#endif
158879Soleg	if (tagptr) {
158879Soleg		if (tagptr->len & F_NOT)
159636Soleg			PRINT_UINT_ARG(" untag ", tagptr->arg1);
158879Soleg		else
159636Soleg			PRINT_UINT_ARG(" tag ", tagptr->arg1);
158879Soleg	}
136071Sgreen
98943Sluigi	/*
102087Sluigi	 * then print the body.
98943Sluigi	 */
220802Sglebius	for (l = rule->act_ofs, cmd = rule->cmd ;
146894Smlaier			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
146894Smlaier		if ((cmd->len & F_OR) || (cmd->len & F_NOT))
146894Smlaier			continue;
146894Smlaier		if (cmd->opcode == O_IP4) {
146894Smlaier			flags |= HAVE_PROTO4;
146894Smlaier			break;
146894Smlaier		} else if (cmd->opcode == O_IP6) {
146894Smlaier			flags |= HAVE_PROTO6;
146894Smlaier			break;
146894Smlaier		}
146894Smlaier	}
102087Sluigi	if (rule->_pad & 1) {	/* empty rules before options */
187764Sluigi		if (!co.do_compact) {
146894Smlaier			show_prerequisites(&flags, HAVE_PROTO, 0);
146894Smlaier			printf(" from any to any");
146894Smlaier		}
205179Sluigi		flags |= HAVE_IP | HAVE_OPTIONS | HAVE_PROTO |
205179Sluigi			 HAVE_SRCIP | HAVE_DSTIP;
102087Sluigi	}
102087Sluigi
187764Sluigi	if (co.comment_only)
123495Sluigi		comment = "...";
123495Sluigi
220802Sglebius	for (l = rule->act_ofs, cmd = rule->cmd ;
98943Sluigi			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
99475Sluigi		/* useful alias */
99475Sluigi		ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
98943Sluigi
187764Sluigi		if (co.comment_only) {
123495Sluigi			if (cmd->opcode != O_NOP)
123495Sluigi				continue;
123495Sluigi			printf(" // %s\n", (char *)(cmd + 1));
123495Sluigi			return;
123495Sluigi		}
123495Sluigi
102087Sluigi		show_prerequisites(&flags, 0, cmd->opcode);
102087Sluigi
98943Sluigi		switch(cmd->opcode) {
117577Sluigi		case O_PROB:
107289Sluigi			break;	/* done already */
107289Sluigi
98943Sluigi		case O_PROBE_STATE:
98943Sluigi			break; /* no need to print anything here */
98943Sluigi
98943Sluigi		case O_IP_SRC:
130281Sru		case O_IP_SRC_LOOKUP:
98943Sluigi		case O_IP_SRC_MASK:
98943Sluigi		case O_IP_SRC_ME:
98943Sluigi		case O_IP_SRC_SET:
102087Sluigi			show_prerequisites(&flags, HAVE_PROTO, 0);
98943Sluigi			if (!(flags & HAVE_SRCIP))
98943Sluigi				printf(" from");
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
102087Sluigi			print_ip((ipfw_insn_ip *)cmd,
102087Sluigi				(flags & HAVE_OPTIONS) ? " src-ip" : "");
98943Sluigi			flags |= HAVE_SRCIP;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_IP_DST:
130281Sru		case O_IP_DST_LOOKUP:
98943Sluigi		case O_IP_DST_MASK:
98943Sluigi		case O_IP_DST_ME:
98943Sluigi		case O_IP_DST_SET:
102087Sluigi			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
98943Sluigi			if (!(flags & HAVE_DSTIP))
98943Sluigi				printf(" to");
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
102087Sluigi			print_ip((ipfw_insn_ip *)cmd,
102087Sluigi				(flags & HAVE_OPTIONS) ? " dst-ip" : "");
98943Sluigi			flags |= HAVE_DSTIP;
98943Sluigi			break;
98943Sluigi
145246Sbrooks		case O_IP6_SRC:
145246Sbrooks		case O_IP6_SRC_MASK:
145246Sbrooks		case O_IP6_SRC_ME:
147105Smlaier			show_prerequisites(&flags, HAVE_PROTO, 0);
145246Sbrooks			if (!(flags & HAVE_SRCIP))
145246Sbrooks				printf(" from");
145246Sbrooks			if ((cmd->len & F_OR) && !or_block)
145246Sbrooks				printf(" {");
145246Sbrooks			print_ip6((ipfw_insn_ip6 *)cmd,
145246Sbrooks			    (flags & HAVE_OPTIONS) ? " src-ip6" : "");
145246Sbrooks			flags |= HAVE_SRCIP | HAVE_PROTO;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case O_IP6_DST:
145246Sbrooks		case O_IP6_DST_MASK:
145246Sbrooks		case O_IP6_DST_ME:
145246Sbrooks			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
145246Sbrooks			if (!(flags & HAVE_DSTIP))
145246Sbrooks				printf(" to");
145246Sbrooks			if ((cmd->len & F_OR) && !or_block)
145246Sbrooks				printf(" {");
145246Sbrooks			print_ip6((ipfw_insn_ip6 *)cmd,
145246Sbrooks			    (flags & HAVE_OPTIONS) ? " dst-ip6" : "");
145246Sbrooks			flags |= HAVE_DSTIP;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case O_FLOW6ID:
145246Sbrooks		print_flow6id( (ipfw_insn_u32 *) cmd );
145246Sbrooks		flags |= HAVE_OPTIONS;
145246Sbrooks		break;
145246Sbrooks
98943Sluigi		case O_IP_DSTPORT:
205179Sluigi			show_prerequisites(&flags,
205179Sluigi				HAVE_PROTO | HAVE_SRCIP |
205179Sluigi				HAVE_DSTIP | HAVE_IP, 0);
98943Sluigi		case O_IP_SRCPORT:
205179Sluigi			show_prerequisites(&flags,
205179Sluigi				HAVE_PROTO | HAVE_SRCIP, 0);
101641Sluigi			if ((cmd->len & F_OR) && !or_block)
101641Sluigi				printf(" {");
172306Smaxim			if (cmd->len & F_NOT)
172306Smaxim				printf(" not");
102087Sluigi			print_newports((ipfw_insn_u16 *)cmd, proto,
102087Sluigi				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case O_PROTO: {
145246Sbrooks			struct protoent *pe = NULL;
98943Sluigi
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				printf(" not");
98943Sluigi			proto = cmd->arg1;
145567Sbrooks			pe = getprotobynumber(cmd->arg1);
146894Smlaier			if ((flags & (HAVE_PROTO4 | HAVE_PROTO6)) &&
146894Smlaier			    !(flags & HAVE_PROTO))
146894Smlaier				show_prerequisites(&flags,
205179Sluigi				    HAVE_PROTO | HAVE_IP | HAVE_SRCIP |
205179Sluigi				    HAVE_DSTIP | HAVE_OPTIONS, 0);
102087Sluigi			if (flags & HAVE_OPTIONS)
102087Sluigi				printf(" proto");
98943Sluigi			if (pe)
98943Sluigi				printf(" %s", pe->p_name);
98943Sluigi			else
98943Sluigi				printf(" %u", cmd->arg1);
98943Sluigi			}
98943Sluigi			flags |= HAVE_PROTO;
98943Sluigi			break;
106505Smaxim
98943Sluigi		default: /*options ... */
146894Smlaier			if (!(cmd->len & (F_OR|F_NOT)))
146894Smlaier				if (((cmd->opcode == O_IP6) &&
146894Smlaier				    (flags & HAVE_PROTO6)) ||
146894Smlaier				    ((cmd->opcode == O_IP4) &&
146894Smlaier				    (flags & HAVE_PROTO4)))
146894Smlaier					break;
205179Sluigi			show_prerequisites(&flags, HAVE_PROTO | HAVE_SRCIP |
205179Sluigi				    HAVE_DSTIP | HAVE_IP | HAVE_OPTIONS, 0);
98943Sluigi			if ((cmd->len & F_OR) && !or_block)
98943Sluigi				printf(" {");
98943Sluigi			if (cmd->len & F_NOT && cmd->opcode != O_IN)
98943Sluigi				printf(" not");
98943Sluigi			switch(cmd->opcode) {
169139Smaxim			case O_MACADDR2: {
169139Smaxim				ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
169139Smaxim
169139Smaxim				printf(" MAC");
169139Smaxim				print_mac(m->addr, m->mask);
169139Smaxim				print_mac(m->addr + 6, m->mask + 6);
169139Smaxim				}
169139Smaxim				break;
169139Smaxim
169139Smaxim			case O_MAC_TYPE:
169139Smaxim				print_newports((ipfw_insn_u16 *)cmd,
169139Smaxim						IPPROTO_ETHERTYPE, cmd->opcode);
169139Smaxim				break;
169139Smaxim
169139Smaxim
98943Sluigi			case O_FRAG:
98943Sluigi				printf(" frag");
98943Sluigi				break;
98943Sluigi
178888Sjulian			case O_FIB:
178888Sjulian				printf(" fib %u", cmd->arg1 );
178888Sjulian				break;
215179Sluigi			case O_SOCKARG:
215179Sluigi				printf(" sockarg");
215179Sluigi				break;
178888Sjulian
98943Sluigi			case O_IN:
98943Sluigi				printf(cmd->len & F_NOT ? " out" : " in");
98943Sluigi				break;
98943Sluigi
136073Sgreen			case O_DIVERTED:
136073Sgreen				switch (cmd->arg1) {
136073Sgreen				case 3:
136073Sgreen					printf(" diverted");
136073Sgreen					break;
136073Sgreen				case 1:
136073Sgreen					printf(" diverted-loopback");
136073Sgreen					break;
136073Sgreen				case 2:
136073Sgreen					printf(" diverted-output");
136073Sgreen					break;
136073Sgreen				default:
136073Sgreen					printf(" diverted-?<%u>", cmd->arg1);
136073Sgreen					break;
136073Sgreen				}
136073Sgreen				break;
136073Sgreen
98943Sluigi			case O_LAYER2:
98943Sluigi				printf(" layer2");
98943Sluigi				break;
98943Sluigi			case O_XMIT:
98943Sluigi			case O_RECV:
140423Sglebius			case O_VIA:
140423Sglebius			    {
117469Sluigi				char const *s;
98943Sluigi				ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
98943Sluigi
98943Sluigi				if (cmd->opcode == O_XMIT)
98943Sluigi					s = "xmit";
98943Sluigi				else if (cmd->opcode == O_RECV)
98943Sluigi					s = "recv";
117469Sluigi				else /* if (cmd->opcode == O_VIA) */
98943Sluigi					s = "via";
98943Sluigi				if (cmdif->name[0] == '\0')
99475Sluigi					printf(" %s %s", s,
99475Sluigi					    inet_ntoa(cmdif->p.ip));
140423Sglebius				else
140423Sglebius					printf(" %s %s", s, cmdif->name);
140423Sglebius
98943Sluigi				break;
140423Sglebius			    }
98943Sluigi			case O_IPID:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" ipid %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPID);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_IPTTL:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" ipttl %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPTTL);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_IPVER:
98943Sluigi				printf(" ipver %u", cmd->arg1 );
98943Sluigi				break;
98943Sluigi
99475Sluigi			case O_IPPRECEDENCE:
99475Sluigi				printf(" ipprecedence %u", (cmd->arg1) >> 5 );
99475Sluigi				break;
99475Sluigi
98943Sluigi			case O_IPLEN:
116690Sluigi				if (F_LEN(cmd) == 1)
116690Sluigi				    printf(" iplen %u", cmd->arg1 );
116690Sluigi				else
116690Sluigi				    print_newports((ipfw_insn_u16 *)cmd, 0,
116690Sluigi					O_IPLEN);
98943Sluigi				break;
98943Sluigi
101116Sluigi			case O_IPOPT:
98943Sluigi				print_flags("ipoptions", cmd, f_ipopts);
98943Sluigi				break;
98943Sluigi
99475Sluigi			case O_IPTOS:
99475Sluigi				print_flags("iptos", cmd, f_iptos);
99475Sluigi				break;
99475Sluigi
99475Sluigi			case O_ICMPTYPE:
99475Sluigi				print_icmptypes((ipfw_insn_u32 *)cmd);
99475Sluigi				break;
99475Sluigi
98943Sluigi			case O_ESTAB:
98943Sluigi				printf(" established");
98943Sluigi				break;
98943Sluigi
136075Sgreen			case O_TCPDATALEN:
136075Sgreen				if (F_LEN(cmd) == 1)
136075Sgreen				    printf(" tcpdatalen %u", cmd->arg1 );
136075Sgreen				else
136075Sgreen				    print_newports((ipfw_insn_u16 *)cmd, 0,
136075Sgreen					O_TCPDATALEN);
136075Sgreen				break;
136075Sgreen
98943Sluigi			case O_TCPFLAGS:
98943Sluigi				print_flags("tcpflags", cmd, f_tcpflags);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPOPTS:
98943Sluigi				print_flags("tcpoptions", cmd, f_tcpopts);
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPWIN:
98943Sluigi				printf(" tcpwin %d", ntohs(cmd->arg1));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPACK:
98943Sluigi				printf(" tcpack %d", ntohl(cmd32->d[0]));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_TCPSEQ:
98943Sluigi				printf(" tcpseq %d", ntohl(cmd32->d[0]));
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_UID:
98943Sluigi			    {
98943Sluigi				struct passwd *pwd = getpwuid(cmd32->d[0]);
98943Sluigi
98943Sluigi				if (pwd)
98943Sluigi					printf(" uid %s", pwd->pw_name);
98943Sluigi				else
98943Sluigi					printf(" uid %u", cmd32->d[0]);
98943Sluigi			    }
98943Sluigi				break;
98943Sluigi
98943Sluigi			case O_GID:
98943Sluigi			    {
98943Sluigi				struct group *grp = getgrgid(cmd32->d[0]);
98943Sluigi
98943Sluigi				if (grp)
98943Sluigi					printf(" gid %s", grp->gr_name);
98943Sluigi				else
98943Sluigi					printf(" gid %u", cmd32->d[0]);
98943Sluigi			    }
98943Sluigi				break;
98943Sluigi
133600Scsjp			case O_JAIL:
133600Scsjp				printf(" jail %d", cmd32->d[0]);
133600Scsjp				break;
133600Scsjp
112250Scjc			case O_VERREVPATH:
112250Scjc				printf(" verrevpath");
112250Scjc				break;
116919Sluigi
128575Sandre			case O_VERSRCREACH:
128575Sandre				printf(" versrcreach");
128575Sandre				break;
128575Sandre
133387Sandre			case O_ANTISPOOF:
133387Sandre				printf(" antispoof");
133387Sandre				break;
133387Sandre
117241Sluigi			case O_IPSEC:
117241Sluigi				printf(" ipsec");
117241Sluigi				break;
117241Sluigi
117469Sluigi			case O_NOP:
117626Sluigi				comment = (char *)(cmd + 1);
117469Sluigi				break;
117469Sluigi
98943Sluigi			case O_KEEP_STATE:
98943Sluigi				printf(" keep-state");
98943Sluigi				break;
98943Sluigi
159636Soleg			case O_LIMIT: {
98943Sluigi				struct _s_x *p = limit_masks;
98943Sluigi				ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
117328Sluigi				uint8_t x = c->limit_mask;
117469Sluigi				char const *comma = " ";
98943Sluigi
98943Sluigi				printf(" limit");
117577Sluigi				for (; p->x != 0 ; p++)
99909Sluigi					if ((x & p->x) == p->x) {
98943Sluigi						x &= ~p->x;
98943Sluigi						printf("%s%s", comma, p->s);
98943Sluigi						comma = ",";
98943Sluigi					}
159636Soleg				PRINT_UINT_ARG(" ", c->conn_limit);
98943Sluigi				break;
159636Soleg			}
98943Sluigi
146894Smlaier			case O_IP6:
152923Sume				printf(" ip6");
145246Sbrooks				break;
145246Sbrooks
146894Smlaier			case O_IP4:
152923Sume				printf(" ip4");
146894Smlaier				break;
146894Smlaier
145246Sbrooks			case O_ICMP6TYPE:
145246Sbrooks				print_icmp6types((ipfw_insn_u32 *)cmd);
145246Sbrooks				break;
145246Sbrooks
145246Sbrooks			case O_EXT_HDR:
145246Sbrooks				print_ext6hdr( (ipfw_insn *) cmd );
145246Sbrooks				break;
145246Sbrooks
158879Soleg			case O_TAGGED:
158879Soleg				if (F_LEN(cmd) == 1)
159636Soleg					PRINT_UINT_ARG(" tagged ", cmd->arg1);
158879Soleg				else
159636Soleg					print_newports((ipfw_insn_u16 *)cmd, 0,
159636Soleg					    O_TAGGED);
158879Soleg				break;
158879Soleg
98943Sluigi			default:
98943Sluigi				printf(" [opcode %d len %d]",
98943Sluigi				    cmd->opcode, cmd->len);
98943Sluigi			}
98943Sluigi		}
98943Sluigi		if (cmd->len & F_OR) {
98943Sluigi			printf(" or");
98943Sluigi			or_block = 1;
98943Sluigi		} else if (or_block) {
98943Sluigi			printf(" }");
98943Sluigi			or_block = 0;
98943Sluigi		}
98943Sluigi	}
205179Sluigi	show_prerequisites(&flags, HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP
220802Sglebius					      | HAVE_IP, 0);
117626Sluigi	if (comment)
117626Sluigi		printf(" // %s", comment);
98943Sluigi	printf("\n");
98943Sluigi}
98943Sluigi
98943Sluigistatic void
112189Smaximshow_dyn_ipfw(ipfw_dyn_rule *d, int pcwidth, int bcwidth)
98943Sluigi{
98943Sluigi	struct protoent *pe;
98943Sluigi	struct in_addr a;
115793Sticso	uint16_t rulenum;
159160Smlaier	char buf[INET6_ADDRSTRLEN];
98943Sluigi
187764Sluigi	if (!co.do_expired) {
98943Sluigi		if (!d->expire && !(d->dyn_type == O_LIMIT_PARENT))
98943Sluigi			return;
98943Sluigi	}
115793Sticso	bcopy(&d->rule, &rulenum, sizeof(rulenum));
117328Sluigi	printf("%05d", rulenum);
206843Sluigi	if (pcwidth > 0 || bcwidth > 0) {
206843Sluigi		printf(" ");
206843Sluigi		pr_u64(&d->pcnt, pcwidth);
206843Sluigi		pr_u64(&d->bcnt, bcwidth);
206843Sluigi		printf("(%ds)", d->expire);
206843Sluigi	}
98943Sluigi	switch (d->dyn_type) {
98943Sluigi	case O_LIMIT_PARENT:
98943Sluigi		printf(" PARENT %d", d->count);
98943Sluigi		break;
98943Sluigi	case O_LIMIT:
98943Sluigi		printf(" LIMIT");
98943Sluigi		break;
98943Sluigi	case O_KEEP_STATE: /* bidir, no mask */
106505Smaxim		printf(" STATE");
98943Sluigi		break;
98943Sluigi	}
98943Sluigi
98943Sluigi	if ((pe = getprotobynumber(d->id.proto)) != NULL)
98943Sluigi		printf(" %s", pe->p_name);
98943Sluigi	else
98943Sluigi		printf(" proto %u", d->id.proto);
98943Sluigi
159160Smlaier	if (d->id.addr_type == 4) {
159160Smlaier		a.s_addr = htonl(d->id.src_ip);
159160Smlaier		printf(" %s %d", inet_ntoa(a), d->id.src_port);
98943Sluigi
159160Smlaier		a.s_addr = htonl(d->id.dst_ip);
159160Smlaier		printf(" <-> %s %d", inet_ntoa(a), d->id.dst_port);
159160Smlaier	} else if (d->id.addr_type == 6) {
159160Smlaier		printf(" %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf,
159160Smlaier		    sizeof(buf)), d->id.src_port);
159160Smlaier		printf(" <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, buf,
159160Smlaier		    sizeof(buf)), d->id.dst_port);
159160Smlaier	} else
159160Smlaier		printf(" UNKNOWN <-> UNKNOWN\n");
159160Smlaier
98943Sluigi	printf("\n");
98943Sluigi}
98943Sluigi
101978Sluigi/*
101978Sluigi * This one handles all set-related commands
101978Sluigi * 	ipfw set { show | enable | disable }
101978Sluigi * 	ipfw set swap X Y
101978Sluigi * 	ipfw set move X to Y
101978Sluigi * 	ipfw set move rule X to Y
101978Sluigi */
187767Sluigivoid
204591Sluigiipfw_sets_handler(char *av[])
101978Sluigi{
117328Sluigi	uint32_t set_disable, masks[2];
101978Sluigi	int i, nbytes;
117328Sluigi	uint16_t rulenum;
117328Sluigi	uint8_t cmd, new_set;
101978Sluigi
101978Sluigi	av++;
101978Sluigi
204591Sluigi	if (av[0] == NULL)
101978Sluigi		errx(EX_USAGE, "set needs command");
140271Sbrooks	if (_substrcmp(*av, "show") == 0) {
204717Sluigi		void *data = NULL;
117469Sluigi		char const *msg;
204717Sluigi		int nalloc;
101978Sluigi
204717Sluigi		nalloc = nbytes = sizeof(struct ip_fw);
204717Sluigi		while (nbytes >= nalloc) {
204717Sluigi			if (data)
204717Sluigi				free(data);
204717Sluigi			nalloc = nalloc * 2 + 200;
204717Sluigi			nbytes = nalloc;
206843Sluigi			data = safe_calloc(1, nbytes);
206843Sluigi			if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0)
206843Sluigi				err(EX_OSERR, "getsockopt(IP_FW_GET)");
204717Sluigi		}
204717Sluigi
115793Sticso		bcopy(&((struct ip_fw *)data)->next_rule,
115793Sticso			&set_disable, sizeof(set_disable));
101978Sluigi
117655Sluigi		for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
117577Sluigi			if ((set_disable & (1<<i))) {
101978Sluigi				printf("%s %d", msg, i);
101978Sluigi				msg = "";
101978Sluigi			}
101978Sluigi		msg = (set_disable) ? " enable" : "enable";
117655Sluigi		for (i = 0; i < RESVD_SET; i++)
117577Sluigi			if (!(set_disable & (1<<i))) {
101978Sluigi				printf("%s %d", msg, i);
101978Sluigi				msg = "";
101978Sluigi			}
101978Sluigi		printf("\n");
140271Sbrooks	} else if (_substrcmp(*av, "swap") == 0) {
204591Sluigi		av++;
204591Sluigi		if ( av[0] == NULL || av[1] == NULL )
101978Sluigi			errx(EX_USAGE, "set swap needs 2 set numbers\n");
101978Sluigi		rulenum = atoi(av[0]);
101978Sluigi		new_set = atoi(av[1]);
117655Sluigi		if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid set number %s\n", av[0]);
117655Sluigi		if (!isdigit(*(av[1])) || new_set > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid set number %s\n", av[1]);
101978Sluigi		masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
140271Sbrooks	} else if (_substrcmp(*av, "move") == 0) {
204591Sluigi		av++;
204717Sluigi		if (av[0] && _substrcmp(*av, "rule") == 0) {
101978Sluigi			cmd = 2;
204591Sluigi			av++;
101978Sluigi		} else
101978Sluigi			cmd = 3;
204591Sluigi		if (av[0] == NULL || av[1] == NULL || av[2] == NULL ||
204591Sluigi				av[3] != NULL ||  _substrcmp(av[1], "to") != 0)
101978Sluigi			errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
101978Sluigi		rulenum = atoi(av[0]);
101978Sluigi		new_set = atoi(av[2]);
117655Sluigi		if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
182823Srik			(cmd == 2 && rulenum == IPFW_DEFAULT_RULE) )
101978Sluigi			errx(EX_DATAERR, "invalid source number %s\n", av[0]);
117655Sluigi		if (!isdigit(*(av[2])) || new_set > RESVD_SET)
101978Sluigi			errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
101978Sluigi		masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
140271Sbrooks	} else if (_substrcmp(*av, "disable") == 0 ||
140271Sbrooks		   _substrcmp(*av, "enable") == 0 ) {
140271Sbrooks		int which = _substrcmp(*av, "enable") == 0 ? 1 : 0;
101978Sluigi
204591Sluigi		av++;
101978Sluigi		masks[0] = masks[1] = 0;
101978Sluigi
204717Sluigi		while (av[0]) {
101978Sluigi			if (isdigit(**av)) {
101978Sluigi				i = atoi(*av);
117655Sluigi				if (i < 0 || i > RESVD_SET)
101978Sluigi					errx(EX_DATAERR,
101978Sluigi					    "invalid set number %d\n", i);
101978Sluigi				masks[which] |= (1<<i);
140271Sbrooks			} else if (_substrcmp(*av, "disable") == 0)
101978Sluigi				which = 0;
140271Sbrooks			else if (_substrcmp(*av, "enable") == 0)
101978Sluigi				which = 1;
101978Sluigi			else
101978Sluigi				errx(EX_DATAERR,
101978Sluigi					"invalid set command %s\n", *av);
204591Sluigi			av++;
101978Sluigi		}
101978Sluigi		if ( (masks[0] & masks[1]) != 0 )
101978Sluigi			errx(EX_DATAERR,
101978Sluigi			    "cannot enable and disable the same set\n");
101978Sluigi
117328Sluigi		i = do_cmd(IP_FW_DEL, masks, sizeof(masks));
101978Sluigi		if (i)
101978Sluigi			warn("set enable/disable: setsockopt(IP_FW_DEL)");
101978Sluigi	} else
101978Sluigi		errx(EX_USAGE, "invalid set command %s\n", *av);
101978Sluigi}
101978Sluigi
187767Sluigivoid
204591Sluigiipfw_sysctl_handler(char *av[], int which)
109126Sdillon{
109126Sdillon	av++;
109126Sdillon
204591Sluigi	if (av[0] == NULL) {
109126Sdillon		warnx("missing keyword to enable/disable\n");
140271Sbrooks	} else if (_substrcmp(*av, "firewall") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.enable", NULL, 0,
116770Sluigi		    &which, sizeof(which));
206266Sume		sysctlbyname("net.inet6.ip6.fw.enable", NULL, 0,
206266Sume		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "one_pass") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "debug") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.debug", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "verbose") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.verbose", NULL, 0,
116770Sluigi		    &which, sizeof(which));
140271Sbrooks	} else if (_substrcmp(*av, "dyn_keepalive") == 0) {
116770Sluigi		sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0,
116770Sluigi		    &which, sizeof(which));
204591Sluigi#ifndef NO_ALTQ
140271Sbrooks	} else if (_substrcmp(*av, "altq") == 0) {
136071Sgreen		altq_set_enabled(which);
204591Sluigi#endif
109126Sdillon	} else {
109126Sdillon		warnx("unrecognize enable/disable keyword: %s\n", *av);
109126Sdillon	}
109126Sdillon}
109126Sdillon
187767Sluigivoid
187767Sluigiipfw_list(int ac, char *av[], int show_counters)
98943Sluigi{
98943Sluigi	struct ip_fw *r;
98943Sluigi	ipfw_dyn_rule *dynrules, *d;
98943Sluigi
117469Sluigi#define NEXT(r)	((struct ip_fw *)((char *)r + RULESIZE(r)))
117469Sluigi	char *lim;
117469Sluigi	void *data = NULL;
112189Smaxim	int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
98943Sluigi	int exitval = EX_OK;
98943Sluigi	int lac;
98943Sluigi	char **lav;
117469Sluigi	u_long rnum, last;
98943Sluigi	char *endptr;
98943Sluigi	int seen = 0;
170923Smaxim	uint8_t set;
98943Sluigi
187764Sluigi	const int ocmd = co.do_pipe ? IP_DUMMYNET_GET : IP_FW_GET;
98943Sluigi	int nalloc = 1024;	/* start somewhere... */
98943Sluigi
135036Smaxim	last = 0;
135036Smaxim
187764Sluigi	if (co.test_only) {
117328Sluigi		fprintf(stderr, "Testing only, list disabled\n");
117328Sluigi		return;
117328Sluigi	}
204591Sluigi	if (co.do_pipe) {
204591Sluigi		dummynet_list(ac, av, show_counters);
204591Sluigi		return;
204591Sluigi	}
117328Sluigi
98943Sluigi	ac--;
98943Sluigi	av++;
98943Sluigi
98943Sluigi	/* get rules or pipes from kernel, resizing array as necessary */
98943Sluigi	nbytes = nalloc;
98943Sluigi
98943Sluigi	while (nbytes >= nalloc) {
98943Sluigi		nalloc = nalloc * 2 + 200;
98943Sluigi		nbytes = nalloc;
187716Sluigi		data = safe_realloc(data, nbytes);
119740Stmm		if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0)
98943Sluigi			err(EX_OSERR, "getsockopt(IP_%s_GET)",
187764Sluigi				co.do_pipe ? "DUMMYNET" : "FW");
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * Count static rules. They have variable size so we
98943Sluigi	 * need to scan the list to count them.
98943Sluigi	 */
117469Sluigi	for (nstat = 1, r = data, lim = (char *)data + nbytes;
182823Srik		    r->rulenum < IPFW_DEFAULT_RULE && (char *)r < lim;
117469Sluigi		    ++nstat, r = NEXT(r) )
98943Sluigi		; /* nothing */
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * Count dynamic rules. This is easier as they have
98943Sluigi	 * fixed size.
98943Sluigi	 */
117469Sluigi	r = NEXT(r);
98943Sluigi	dynrules = (ipfw_dyn_rule *)r ;
117469Sluigi	n = (char *)r - (char *)data;
98943Sluigi	ndyn = (nbytes - n) / sizeof *dynrules;
98943Sluigi
112189Smaxim	/* if showing stats, figure out column widths ahead of time */
112189Smaxim	bcwidth = pcwidth = 0;
117469Sluigi	if (show_counters) {
117469Sluigi		for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
170923Smaxim			/* skip rules from another set */
187764Sluigi			if (co.use_set && r->set != co.use_set - 1)
170923Smaxim				continue;
170923Smaxim
112189Smaxim			/* packet counter */
206843Sluigi			width = pr_u64(&r->pcnt, 0);
112189Smaxim			if (width > pcwidth)
112189Smaxim				pcwidth = width;
112189Smaxim
112189Smaxim			/* byte counter */
206843Sluigi			width = pr_u64(&r->bcnt, 0);
112189Smaxim			if (width > bcwidth)
112189Smaxim				bcwidth = width;
112189Smaxim		}
112189Smaxim	}
187764Sluigi	if (co.do_dynamic && ndyn) {
112189Smaxim		for (n = 0, d = dynrules; n < ndyn; n++, d++) {
187764Sluigi			if (co.use_set) {
170923Smaxim				/* skip rules from another set */
171989Smaxim				bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim				      &set, sizeof(uint8_t));
187764Sluigi				if (set != co.use_set - 1)
170923Smaxim					continue;
170923Smaxim			}
206843Sluigi			width = pr_u64(&d->pcnt, 0);
112189Smaxim			if (width > pcwidth)
112189Smaxim				pcwidth = width;
112189Smaxim
206843Sluigi			width = pr_u64(&d->bcnt, 0);
112189Smaxim			if (width > bcwidth)
112189Smaxim				bcwidth = width;
112189Smaxim		}
112189Smaxim	}
98943Sluigi	/* if no rule numbers were specified, list all rules */
98943Sluigi	if (ac == 0) {
170923Smaxim		for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
187764Sluigi			if (co.use_set && r->set != co.use_set - 1)
170923Smaxim				continue;
112189Smaxim			show_ipfw(r, pcwidth, bcwidth);
170923Smaxim		}
98943Sluigi
187764Sluigi		if (co.do_dynamic && ndyn) {
98943Sluigi			printf("## Dynamic rules (%d):\n", ndyn);
170923Smaxim			for (n = 0, d = dynrules; n < ndyn; n++, d++) {
187764Sluigi				if (co.use_set) {
171989Smaxim					bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim					      &set, sizeof(uint8_t));
187764Sluigi					if (set != co.use_set - 1)
170923Smaxim						continue;
170923Smaxim				}
112189Smaxim				show_dyn_ipfw(d, pcwidth, bcwidth);
98943Sluigi		}
170923Smaxim		}
98943Sluigi		goto done;
98943Sluigi	}
98943Sluigi
98943Sluigi	/* display specific rules requested on command line */
98943Sluigi
98943Sluigi	for (lac = ac, lav = av; lac != 0; lac--) {
98943Sluigi		/* convert command line rule # */
117469Sluigi		last = rnum = strtoul(*lav++, &endptr, 10);
117469Sluigi		if (*endptr == '-')
117469Sluigi			last = strtoul(endptr+1, &endptr, 10);
98943Sluigi		if (*endptr) {
98943Sluigi			exitval = EX_USAGE;
98943Sluigi			warnx("invalid rule number: %s", *(lav - 1));
98943Sluigi			continue;
98943Sluigi		}
117469Sluigi		for (n = seen = 0, r = data; n < nstat; n++, r = NEXT(r) ) {
117469Sluigi			if (r->rulenum > last)
98943Sluigi				break;
187764Sluigi			if (co.use_set && r->set != co.use_set - 1)
170923Smaxim				continue;
117469Sluigi			if (r->rulenum >= rnum && r->rulenum <= last) {
112189Smaxim				show_ipfw(r, pcwidth, bcwidth);
98943Sluigi				seen = 1;
98943Sluigi			}
98943Sluigi		}
98943Sluigi		if (!seen) {
98943Sluigi			/* give precedence to other error(s) */
98943Sluigi			if (exitval == EX_OK)
98943Sluigi				exitval = EX_UNAVAILABLE;
98943Sluigi			warnx("rule %lu does not exist", rnum);
98943Sluigi		}
98943Sluigi	}
98943Sluigi
187764Sluigi	if (co.do_dynamic && ndyn) {
98943Sluigi		printf("## Dynamic rules:\n");
98943Sluigi		for (lac = ac, lav = av; lac != 0; lac--) {
145246Sbrooks			last = rnum = strtoul(*lav++, &endptr, 10);
117469Sluigi			if (*endptr == '-')
117469Sluigi				last = strtoul(endptr+1, &endptr, 10);
98943Sluigi			if (*endptr)
98943Sluigi				/* already warned */
98943Sluigi				continue;
98943Sluigi			for (n = 0, d = dynrules; n < ndyn; n++, d++) {
115793Sticso				uint16_t rulenum;
115793Sticso
115793Sticso				bcopy(&d->rule, &rulenum, sizeof(rulenum));
115793Sticso				if (rulenum > rnum)
98943Sluigi					break;
187764Sluigi				if (co.use_set) {
171989Smaxim					bcopy((char *)&d->rule + sizeof(uint16_t),
170923Smaxim					      &set, sizeof(uint8_t));
187764Sluigi					if (set != co.use_set - 1)
170923Smaxim						continue;
170923Smaxim				}
117469Sluigi				if (r->rulenum >= rnum && r->rulenum <= last)
112189Smaxim					show_dyn_ipfw(d, pcwidth, bcwidth);
98943Sluigi			}
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	ac = 0;
98943Sluigi
98943Sluigidone:
98943Sluigi	free(data);
98943Sluigi
98943Sluigi	if (exitval != EX_OK)
98943Sluigi		exit(exitval);
117469Sluigi#undef NEXT
98943Sluigi}
98943Sluigi
98943Sluigistatic int
98943Sluigilookup_host (char *host, struct in_addr *ipaddr)
98943Sluigi{
98943Sluigi	struct hostent *he;
98943Sluigi
98943Sluigi	if (!inet_aton(host, ipaddr)) {
98943Sluigi		if ((he = gethostbyname(host)) == NULL)
98943Sluigi			return(-1);
98943Sluigi		*ipaddr = *(struct in_addr *)he->h_addr_list[0];
98943Sluigi	}
98943Sluigi	return(0);
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * fills the addr and mask fields in the instruction as appropriate from av.
98943Sluigi * Update length as appropriate.
98943Sluigi * The following formats are allowed:
98943Sluigi *	me	returns O_IP_*_ME
98943Sluigi *	1.2.3.4		single IP address
98943Sluigi *	1.2.3.4:5.6.7.8	address:mask
98943Sluigi *	1.2.3.4/24	address/mask
98943Sluigi *	1.2.3.4/26{1,6,5,4,23}	set of addresses in a subnet
117328Sluigi * We can have multiple comma-separated address/mask entries.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_ip(ipfw_insn_ip *cmd, char *av)
98943Sluigi{
117328Sluigi	int len = 0;
117328Sluigi	uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
98943Sluigi
98943Sluigi	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
98943Sluigi
140271Sbrooks	if (_substrcmp(av, "any") == 0)
98943Sluigi		return;
98943Sluigi
140271Sbrooks	if (_substrcmp(av, "me") == 0) {
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
140271Sbrooks	if (strncmp(av, "table(", 6) == 0) {
130281Sru		char *p = strchr(av + 6, ',');
130281Sru
130281Sru		if (p)
130281Sru			*p++ = '\0';
130281Sru		cmd->o.opcode = O_IP_DST_LOOKUP;
130281Sru		cmd->o.arg1 = strtoul(av + 6, NULL, 0);
130281Sru		if (p) {
130281Sru			cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
130281Sru			d[0] = strtoul(p, NULL, 0);
130281Sru		} else
130281Sru			cmd->o.len |= F_INSN_SIZE(ipfw_insn);
130281Sru		return;
130281Sru	}
130281Sru
117328Sluigi    while (av) {
117328Sluigi	/*
117328Sluigi	 * After the address we can have '/' or ':' indicating a mask,
117328Sluigi	 * ',' indicating another address follows, '{' indicating a
117328Sluigi	 * set of addresses of unspecified size.
117328Sluigi	 */
165851Smlaier	char *t = NULL, *p = strpbrk(av, "/:,{");
117328Sluigi	int masklen;
187477Sluigi	char md, nd = '\0';
117328Sluigi
98943Sluigi	if (p) {
98943Sluigi		md = *p;
98943Sluigi		*p++ = '\0';
165851Smlaier		if ((t = strpbrk(p, ",{")) != NULL) {
165851Smlaier			nd = *t;
165851Smlaier			*t = '\0';
165851Smlaier		}
117328Sluigi	} else
117328Sluigi		md = '\0';
98943Sluigi
117328Sluigi	if (lookup_host(av, (struct in_addr *)&d[0]) != 0)
98943Sluigi		errx(EX_NOHOST, "hostname ``%s'' unknown", av);
98943Sluigi	switch (md) {
98943Sluigi	case ':':
117328Sluigi		if (!inet_aton(p, (struct in_addr *)&d[1]))
98943Sluigi			errx(EX_DATAERR, "bad netmask ``%s''", p);
98943Sluigi		break;
98943Sluigi	case '/':
117328Sluigi		masklen = atoi(p);
117328Sluigi		if (masklen == 0)
117328Sluigi			d[1] = htonl(0);	/* mask */
117328Sluigi		else if (masklen > 32)
98943Sluigi			errx(EX_DATAERR, "bad width ``%s''", p);
98943Sluigi		else
117328Sluigi			d[1] = htonl(~0 << (32 - masklen));
98943Sluigi		break;
117328Sluigi	case '{':	/* no mask, assume /24 and put back the '{' */
117328Sluigi		d[1] = htonl(~0 << (32 - 24));
117328Sluigi		*(--p) = md;
117328Sluigi		break;
117328Sluigi
117328Sluigi	case ',':	/* single address plus continuation */
117328Sluigi		*(--p) = md;
117328Sluigi		/* FALLTHROUGH */
117328Sluigi	case 0:		/* initialization value */
98943Sluigi	default:
117328Sluigi		d[1] = htonl(~0);	/* force /32 */
98943Sluigi		break;
98943Sluigi	}
117328Sluigi	d[0] &= d[1];		/* mask base address with mask */
165851Smlaier	if (t)
165851Smlaier		*t = nd;
117328Sluigi	/* find next separator */
98943Sluigi	if (p)
117328Sluigi		p = strpbrk(p, ",{");
117328Sluigi	if (p && *p == '{') {
117328Sluigi		/*
117328Sluigi		 * We have a set of addresses. They are stored as follows:
117328Sluigi		 *   arg1	is the set size (powers of 2, 2..256)
117328Sluigi		 *   addr	is the base address IN HOST FORMAT
117328Sluigi		 *   mask..	is an array of arg1 bits (rounded up to
117328Sluigi		 *		the next multiple of 32) with bits set
117328Sluigi		 *		for each host in the map.
117328Sluigi		 */
117328Sluigi		uint32_t *map = (uint32_t *)&cmd->mask;
98943Sluigi		int low, high;
117577Sluigi		int i = contigmask((uint8_t *)&(d[1]), 32);
98943Sluigi
117328Sluigi		if (len > 0)
117328Sluigi			errx(EX_DATAERR, "address set cannot be in a list");
117328Sluigi		if (i < 24 || i > 31)
117328Sluigi			errx(EX_DATAERR, "invalid set with mask %d\n", i);
117328Sluigi		cmd->o.arg1 = 1<<(32-i);	/* map length		*/
117328Sluigi		d[0] = ntohl(d[0]);		/* base addr in host format */
98943Sluigi		cmd->o.opcode = O_IP_DST_SET;	/* default */
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
101117Sluigi		for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
117328Sluigi			map[i] = 0;	/* clear map */
98943Sluigi
117328Sluigi		av = p + 1;
117328Sluigi		low = d[0] & 0xff;
98943Sluigi		high = low + cmd->o.arg1 - 1;
117328Sluigi		/*
117328Sluigi		 * Here, i stores the previous value when we specify a range
117328Sluigi		 * of addresses within a mask, e.g. 45-63. i = -1 means we
117328Sluigi		 * have no previous value.
117328Sluigi		 */
116716Sluigi		i = -1;	/* previous value in a range */
98943Sluigi		while (isdigit(*av)) {
98943Sluigi			char *s;
117328Sluigi			int a = strtol(av, &s, 0);
98943Sluigi
117328Sluigi			if (s == av) { /* no parameter */
117328Sluigi			    if (*av != '}')
117328Sluigi				errx(EX_DATAERR, "set not closed\n");
117328Sluigi			    if (i != -1)
117328Sluigi				errx(EX_DATAERR, "incomplete range %d-", i);
117328Sluigi			    break;
117328Sluigi			}
117328Sluigi			if (a < low || a > high)
117328Sluigi			    errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
98943Sluigi				a, low, high);
98943Sluigi			a -= low;
116716Sluigi			if (i == -1)	/* no previous in range */
116716Sluigi			    i = a;
116716Sluigi			else {		/* check that range is valid */
116716Sluigi			    if (i > a)
116716Sluigi				errx(EX_DATAERR, "invalid range %d-%d",
116716Sluigi					i+low, a+low);
116716Sluigi			    if (*s == '-')
116716Sluigi				errx(EX_DATAERR, "double '-' in range");
116716Sluigi			}
116716Sluigi			for (; i <= a; i++)
117328Sluigi			    map[i/32] |= 1<<(i & 31);
116716Sluigi			i = -1;
116716Sluigi			if (*s == '-')
116716Sluigi			    i = a;
117328Sluigi			else if (*s == '}')
116716Sluigi			    break;
98943Sluigi			av = s+1;
98943Sluigi		}
98943Sluigi		return;
98943Sluigi	}
117328Sluigi	av = p;
117328Sluigi	if (av)			/* then *av must be a ',' */
117328Sluigi		av++;
98943Sluigi
117328Sluigi	/* Check this entry */
117328Sluigi	if (d[1] == 0) { /* "any", specified as x.x.x.x/0 */
117328Sluigi		/*
117328Sluigi		 * 'any' turns the entire list into a NOP.
117328Sluigi		 * 'not any' never matches, so it is removed from the
117328Sluigi		 * list unless it is the only item, in which case we
117328Sluigi		 * report an error.
117328Sluigi		 */
117328Sluigi		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
117328Sluigi			if (av == NULL && len == 0) /* only this entry */
117328Sluigi				errx(EX_DATAERR, "not any never matches");
117328Sluigi		}
117328Sluigi		/* else do nothing and skip this entry */
128067Smaxim		return;
117328Sluigi	}
117328Sluigi	/* A single IP can be stored in an optimized format */
204591Sluigi	if (d[1] == (uint32_t)~0 && av == NULL && len == 0) {
98943Sluigi		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
117328Sluigi		return;
117328Sluigi	}
117328Sluigi	len += 2;	/* two words... */
117328Sluigi	d += 2;
117328Sluigi    } /* end while */
162363Sjhay    if (len + 1 > F_LEN_MASK)
162363Sjhay	errx(EX_DATAERR, "address list too long");
117328Sluigi    cmd->o.len |= len+1;
98943Sluigi}
98943Sluigi
98943Sluigi
145246Sbrooks/* n2mask sets n bits of the mask */
187769Sluigivoid
145246Sbrooksn2mask(struct in6_addr *mask, int n)
145246Sbrooks{
145246Sbrooks	static int	minimask[9] =
145246Sbrooks	    { 0x00, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe, 0xff };
145246Sbrooks	u_char		*p;
145246Sbrooks
145246Sbrooks	memset(mask, 0, sizeof(struct in6_addr));
145246Sbrooks	p = (u_char *) mask;
145246Sbrooks	for (; n > 0; p++, n -= 8) {
145246Sbrooks		if (n >= 8)
145246Sbrooks			*p = 0xff;
145246Sbrooks		else
145246Sbrooks			*p = minimask[n];
145246Sbrooks	}
145246Sbrooks	return;
145246Sbrooks}
145246Sbrooks
98943Sluigi/*
98943Sluigi * helper function to process a set of flags and set bits in the
98943Sluigi * appropriate masks.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_flags(ipfw_insn *cmd, enum ipfw_opcodes opcode,
98943Sluigi	struct _s_x *flags, char *p)
98943Sluigi{
117328Sluigi	uint8_t set=0, clear=0;
98943Sluigi
98943Sluigi	while (p && *p) {
98943Sluigi		char *q;	/* points to the separator */
98943Sluigi		int val;
117328Sluigi		uint8_t *which;	/* mask we are working on */
98943Sluigi
98943Sluigi		if (*p == '!') {
98943Sluigi			p++;
98943Sluigi			which = &clear;
98943Sluigi		} else
98943Sluigi			which = &set;
98943Sluigi		q = strchr(p, ',');
98943Sluigi		if (q)
98943Sluigi			*q++ = '\0';
98943Sluigi		val = match_token(flags, p);
98943Sluigi		if (val <= 0)
98943Sluigi			errx(EX_DATAERR, "invalid flag %s", p);
117328Sluigi		*which |= (uint8_t)val;
98943Sluigi		p = q;
98943Sluigi	}
220802Sglebius	cmd->opcode = opcode;
220802Sglebius	cmd->len =  (cmd->len & (F_NOT | F_OR)) | 1;
220802Sglebius	cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
98943Sluigi}
98943Sluigi
98943Sluigi
187767Sluigivoid
204591Sluigiipfw_delete(char *av[])
98943Sluigi{
117328Sluigi	uint32_t rulenum;
98943Sluigi	int i;
98943Sluigi	int exitval = EX_OK;
101628Sluigi	int do_set = 0;
98943Sluigi
204591Sluigi	av++;
130013Scsjp	NEED1("missing rule specification");
204591Sluigi	if ( *av && _substrcmp(*av, "set") == 0) {
170923Smaxim		/* Do not allow using the following syntax:
170923Smaxim		 *	ipfw set N delete set M
170923Smaxim		 */
187764Sluigi		if (co.use_set)
170923Smaxim			errx(EX_DATAERR, "invalid syntax");
101978Sluigi		do_set = 1;	/* delete set */
204591Sluigi		av++;
101978Sluigi	}
98943Sluigi
98943Sluigi	/* Rule number */
204591Sluigi	while (*av && isdigit(**av)) {
204591Sluigi		i = atoi(*av); av++;
187764Sluigi		if (co.do_nat) {
165648Spiso			exitval = do_cmd(IP_FW_NAT_DEL, &i, sizeof i);
165648Spiso			if (exitval) {
165648Spiso				exitval = EX_UNAVAILABLE;
165648Spiso				warn("rule %u not available", i);
165648Spiso			}
187764Sluigi 		} else if (co.do_pipe) {
187769Sluigi			exitval = ipfw_delete_pipe(co.do_pipe, i);
98943Sluigi		} else {
187764Sluigi			if (co.use_set)
170923Smaxim				rulenum = (i & 0xffff) | (5 << 24) |
187764Sluigi				    ((co.use_set - 1) << 16);
170923Smaxim			else
101978Sluigi			rulenum =  (i & 0xffff) | (do_set << 24);
117328Sluigi			i = do_cmd(IP_FW_DEL, &rulenum, sizeof rulenum);
98943Sluigi			if (i) {
98943Sluigi				exitval = EX_UNAVAILABLE;
98943Sluigi				warn("rule %u: setsockopt(IP_FW_DEL)",
98943Sluigi				    rulenum);
98943Sluigi			}
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (exitval != EX_OK)
98943Sluigi		exit(exitval);
98943Sluigi}
98943Sluigi
98943Sluigi
98943Sluigi/*
98943Sluigi * fill the interface structure. We do not check the name as we can
98943Sluigi * create interfaces dynamically, so checking them at insert time
98943Sluigi * makes relatively little sense.
220802Sglebius * Interface names containing '*', '?', or '[' are assumed to be shell
121816Sbrooks * patterns which match interfaces.
98943Sluigi */
98943Sluigistatic void
98943Sluigifill_iface(ipfw_insn_if *cmd, char *arg)
98943Sluigi{
98943Sluigi	cmd->name[0] = '\0';
98943Sluigi	cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
98943Sluigi
98943Sluigi	/* Parse the interface or address */
140271Sbrooks	if (strcmp(arg, "any") == 0)
98943Sluigi		cmd->o.len = 0;		/* effectively ignore this command */
98943Sluigi	else if (!isdigit(*arg)) {
121816Sbrooks		strlcpy(cmd->name, arg, sizeof(cmd->name));
121816Sbrooks		cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
98943Sluigi	} else if (!inet_aton(arg, &cmd->p.ip))
98943Sluigi		errx(EX_DATAERR, "bad ip address ``%s''", arg);
98943Sluigi}
98943Sluigi
98943Sluigistatic void
169424Smaximget_mac_addr_mask(const char *p, uint8_t *addr, uint8_t *mask)
98943Sluigi{
204591Sluigi	int i;
204591Sluigi	size_t l;
169424Smaxim	char *ap, *ptr, *optr;
169424Smaxim	struct ether_addr *mac;
169424Smaxim	const char *macset = "0123456789abcdefABCDEF:";
98943Sluigi
169424Smaxim	if (strcmp(p, "any") == 0) {
169424Smaxim		for (i = 0; i < ETHER_ADDR_LEN; i++)
169424Smaxim			addr[i] = mask[i] = 0;
98943Sluigi		return;
169424Smaxim	}
98943Sluigi
169424Smaxim	optr = ptr = strdup(p);
169424Smaxim	if ((ap = strsep(&ptr, "&/")) != NULL && *ap != 0) {
169424Smaxim		l = strlen(ap);
169424Smaxim		if (strspn(ap, macset) != l || (mac = ether_aton(ap)) == NULL)
169424Smaxim			errx(EX_DATAERR, "Incorrect MAC address");
169424Smaxim		bcopy(mac, addr, ETHER_ADDR_LEN);
169424Smaxim	} else
169424Smaxim		errx(EX_DATAERR, "Incorrect MAC address");
169424Smaxim
169424Smaxim	if (ptr != NULL) { /* we have mask? */
169424Smaxim		if (p[ptr - optr - 1] == '/') { /* mask len */
204591Sluigi			long ml = strtol(ptr, &ap, 10);
204591Sluigi			if (*ap != 0 || ml > ETHER_ADDR_LEN * 8 || ml < 0)
169424Smaxim				errx(EX_DATAERR, "Incorrect mask length");
204591Sluigi			for (i = 0; ml > 0 && i < ETHER_ADDR_LEN; ml -= 8, i++)
204591Sluigi				mask[i] = (ml >= 8) ? 0xff: (~0) << (8 - ml);
169424Smaxim		} else { /* mask */
169424Smaxim			l = strlen(ptr);
169424Smaxim			if (strspn(ptr, macset) != l ||
169424Smaxim			    (mac = ether_aton(ptr)) == NULL)
169424Smaxim				errx(EX_DATAERR, "Incorrect mask");
169424Smaxim			bcopy(mac, mask, ETHER_ADDR_LEN);
98943Sluigi		}
169424Smaxim	} else { /* default mask: ff:ff:ff:ff:ff:ff */
169424Smaxim		for (i = 0; i < ETHER_ADDR_LEN; i++)
98943Sluigi			mask[i] = 0xff;
98943Sluigi	}
169424Smaxim	for (i = 0; i < ETHER_ADDR_LEN; i++)
98943Sluigi		addr[i] &= mask[i];
169424Smaxim
169424Smaxim	free(optr);
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * helper function, updates the pointer to cmd with the length
98943Sluigi * of the current command, and also cleans up the first word of
98943Sluigi * the new command in case it has been clobbered before.
98943Sluigi */
98943Sluigistatic ipfw_insn *
98943Sluiginext_cmd(ipfw_insn *cmd)
98943Sluigi{
98943Sluigi	cmd += F_LEN(cmd);
98943Sluigi	bzero(cmd, sizeof(*cmd));
98943Sluigi	return cmd;
98943Sluigi}
98943Sluigi
98943Sluigi/*
117469Sluigi * Takes arguments and copies them into a comment
117469Sluigi */
117469Sluigistatic void
204591Sluigifill_comment(ipfw_insn *cmd, char **av)
117469Sluigi{
117469Sluigi	int i, l;
117469Sluigi	char *p = (char *)(cmd + 1);
117577Sluigi
117469Sluigi	cmd->opcode = O_NOP;
117469Sluigi	cmd->len =  (cmd->len & (F_NOT | F_OR));
117469Sluigi
117469Sluigi	/* Compute length of comment string. */
204591Sluigi	for (i = 0, l = 0; av[i] != NULL; i++)
117469Sluigi		l += strlen(av[i]) + 1;
117469Sluigi	if (l == 0)
117469Sluigi		return;
117469Sluigi	if (l > 84)
117469Sluigi		errx(EX_DATAERR,
117469Sluigi		    "comment too long (max 80 chars)");
117469Sluigi	l = 1 + (l+3)/4;
117469Sluigi	cmd->len =  (cmd->len & (F_NOT | F_OR)) | l;
204591Sluigi	for (i = 0; av[i] != NULL; i++) {
117469Sluigi		strcpy(p, av[i]);
117469Sluigi		p += strlen(av[i]);
117469Sluigi		*p++ = ' ';
117469Sluigi	}
117469Sluigi	*(--p) = '\0';
117469Sluigi}
117577Sluigi
117469Sluigi/*
98943Sluigi * A function to fill simple commands of size 1.
98943Sluigi * Existing flags are preserved.
98943Sluigi */
98943Sluigistatic void
117328Sluigifill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
98943Sluigi{
98943Sluigi	cmd->opcode = opcode;
98943Sluigi	cmd->len =  ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
98943Sluigi	cmd->arg1 = arg;
98943Sluigi}
98943Sluigi
98943Sluigi/*
98943Sluigi * Fetch and add the MAC address and type, with masks. This generates one or
98943Sluigi * two microinstructions, and returns the pointer to the last one.
98943Sluigi */
98943Sluigistatic ipfw_insn *
204591Sluigiadd_mac(ipfw_insn *cmd, char *av[])
98943Sluigi{
102087Sluigi	ipfw_insn_mac *mac;
98943Sluigi
204591Sluigi	if ( ( av[0] == NULL ) || ( av[1] == NULL ) )
102098Sluigi		errx(EX_DATAERR, "MAC dst src");
98943Sluigi
98943Sluigi	cmd->opcode = O_MACADDR2;
98943Sluigi	cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
98943Sluigi
98943Sluigi	mac = (ipfw_insn_mac *)cmd;
101978Sluigi	get_mac_addr_mask(av[0], mac->addr, mac->mask);	/* dst */
169424Smaxim	get_mac_addr_mask(av[1], &(mac->addr[ETHER_ADDR_LEN]),
169424Smaxim	    &(mac->mask[ETHER_ADDR_LEN])); /* src */
102087Sluigi	return cmd;
102087Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
204591Sluigiadd_mactype(ipfw_insn *cmd, char *av)
102087Sluigi{
204591Sluigi	if (!av)
102087Sluigi		errx(EX_DATAERR, "missing MAC type");
102087Sluigi	if (strcmp(av, "any") != 0) { /* we have a non-null type */
102087Sluigi		fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE);
98943Sluigi		cmd->opcode = O_MAC_TYPE;
102087Sluigi		return cmd;
102087Sluigi	} else
102087Sluigi		return NULL;
102087Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
152923Sumeadd_proto0(ipfw_insn *cmd, char *av, u_char *protop)
102087Sluigi{
102087Sluigi	struct protoent *pe;
152923Sume	char *ep;
152923Sume	int proto;
102087Sluigi
156315Sume	proto = strtol(av, &ep, 10);
156315Sume	if (*ep != '\0' || proto <= 0) {
152923Sume		if ((pe = getprotobyname(av)) == NULL)
152923Sume			return NULL;
152923Sume		proto = pe->p_proto;
152923Sume	}
145246Sbrooks
152923Sume	fill_cmd(cmd, O_PROTO, 0, proto);
152923Sume	*protop = proto;
152923Sume	return cmd;
152923Sume}
152923Sume
152923Sumestatic ipfw_insn *
152923Sumeadd_proto(ipfw_insn *cmd, char *av, u_char *protop)
152923Sume{
152923Sume	u_char proto = IPPROTO_IP;
152923Sume
156315Sume	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
146894Smlaier		; /* do not set O_IP4 nor O_IP6 */
152923Sume	else if (strcmp(av, "ip4") == 0)
152923Sume		/* explicit "just IPv4" rule */
152923Sume		fill_cmd(cmd, O_IP4, 0, 0);
152923Sume	else if (strcmp(av, "ip6") == 0) {
152923Sume		/* explicit "just IPv6" rule */
152923Sume		proto = IPPROTO_IPV6;
152923Sume		fill_cmd(cmd, O_IP6, 0, 0);
152923Sume	} else
152923Sume		return add_proto0(cmd, av, protop);
152923Sume
152923Sume	*protop = proto;
152923Sume	return cmd;
152923Sume}
152923Sume
152923Sumestatic ipfw_insn *
152923Sumeadd_proto_compat(ipfw_insn *cmd, char *av, u_char *protop)
152923Sume{
152923Sume	u_char proto = IPPROTO_IP;
152923Sume
152923Sume	if (_substrcmp(av, "all") == 0 || strcmp(av, "ip") == 0)
152923Sume		; /* do not set O_IP4 nor O_IP6 */
146894Smlaier	else if (strcmp(av, "ipv4") == 0 || strcmp(av, "ip4") == 0)
146894Smlaier		/* explicit "just IPv4" rule */
146894Smlaier		fill_cmd(cmd, O_IP4, 0, 0);
146894Smlaier	else if (strcmp(av, "ipv6") == 0 || strcmp(av, "ip6") == 0) {
146894Smlaier		/* explicit "just IPv6" rule */
152923Sume		proto = IPPROTO_IPV6;
146894Smlaier		fill_cmd(cmd, O_IP6, 0, 0);
152923Sume	} else
152923Sume		return add_proto0(cmd, av, protop);
145246Sbrooks
152923Sume	*protop = proto;
98943Sluigi	return cmd;
98943Sluigi}
98943Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_srcip(ipfw_insn *cmd, char *av)
102087Sluigi{
102087Sluigi	fill_ip((ipfw_insn_ip *)cmd, av);
102087Sluigi	if (cmd->opcode == O_IP_DST_SET)			/* set */
102087Sluigi		cmd->opcode = O_IP_SRC_SET;
130281Sru	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
130281Sru		cmd->opcode = O_IP_SRC_LOOKUP;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
102087Sluigi		cmd->opcode = O_IP_SRC_ME;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
102087Sluigi		cmd->opcode = O_IP_SRC;
117328Sluigi	else							/* addr/mask */
102087Sluigi		cmd->opcode = O_IP_SRC_MASK;
102087Sluigi	return cmd;
102087Sluigi}
102087Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_dstip(ipfw_insn *cmd, char *av)
102087Sluigi{
102087Sluigi	fill_ip((ipfw_insn_ip *)cmd, av);
102087Sluigi	if (cmd->opcode == O_IP_DST_SET)			/* set */
102087Sluigi		;
130281Sru	else if (cmd->opcode == O_IP_DST_LOOKUP)		/* table */
130281Sru		;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
102087Sluigi		cmd->opcode = O_IP_DST_ME;
102087Sluigi	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
102087Sluigi		cmd->opcode = O_IP_DST;
117328Sluigi	else							/* addr/mask */
102087Sluigi		cmd->opcode = O_IP_DST_MASK;
102087Sluigi	return cmd;
102087Sluigi}
102087Sluigi
102087Sluigistatic ipfw_insn *
102087Sluigiadd_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
102087Sluigi{
204591Sluigi	/* XXX "any" is trapped before. Perhaps "to" */
140271Sbrooks	if (_substrcmp(av, "any") == 0) {
102087Sluigi		return NULL;
102087Sluigi	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
102087Sluigi		/* XXX todo: check that we have a protocol with ports */
102087Sluigi		cmd->opcode = opcode;
102087Sluigi		return cmd;
102087Sluigi	}
102087Sluigi	return NULL;
102087Sluigi}
102087Sluigi
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_src(ipfw_insn *cmd, char *av, u_char proto)
145246Sbrooks{
145246Sbrooks	struct in6_addr a;
158553Smlaier	char *host, *ch;
158553Smlaier	ipfw_insn *ret = NULL;
145246Sbrooks
158553Smlaier	if ((host = strdup(av)) == NULL)
158553Smlaier		return NULL;
158553Smlaier	if ((ch = strrchr(host, '/')) != NULL)
158553Smlaier		*ch = '\0';
158553Smlaier
145246Sbrooks	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
204591Sluigi	    inet_pton(AF_INET6, host, &a) == 1)
158553Smlaier		ret = add_srcip6(cmd, av);
145246Sbrooks	/* XXX: should check for IPv4, not !IPv6 */
161483Sdwmalone	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
204591Sluigi	    inet_pton(AF_INET6, host, &a) != 1))
158553Smlaier		ret = add_srcip(cmd, av);
161483Sdwmalone	if (ret == NULL && strcmp(av, "any") != 0)
158553Smlaier		ret = cmd;
145246Sbrooks
158553Smlaier	free(host);
158553Smlaier	return ret;
145246Sbrooks}
145246Sbrooks
145246Sbrooksstatic ipfw_insn *
145246Sbrooksadd_dst(ipfw_insn *cmd, char *av, u_char proto)
145246Sbrooks{
145246Sbrooks	struct in6_addr a;
158553Smlaier	char *host, *ch;
158553Smlaier	ipfw_insn *ret = NULL;
145246Sbrooks
158553Smlaier	if ((host = strdup(av)) == NULL)
158553Smlaier		return NULL;
158553Smlaier	if ((ch = strrchr(host, '/')) != NULL)
158553Smlaier		*ch = '\0';
158553Smlaier
145246Sbrooks	if (proto == IPPROTO_IPV6  || strcmp(av, "me6") == 0 ||
204591Sluigi	    inet_pton(AF_INET6, host, &a) == 1)
158553Smlaier		ret = add_dstip6(cmd, av);
145246Sbrooks	/* XXX: should check for IPv4, not !IPv6 */
161483Sdwmalone	if (ret == NULL && (proto == IPPROTO_IP || strcmp(av, "me") == 0 ||
204591Sluigi	    inet_pton(AF_INET6, host, &a) != 1))
158553Smlaier		ret = add_dstip(cmd, av);
161483Sdwmalone	if (ret == NULL && strcmp(av, "any") != 0)
158553Smlaier		ret = cmd;
145246Sbrooks
158553Smlaier	free(host);
158553Smlaier	return ret;
145246Sbrooks}
145246Sbrooks
98943Sluigi/*
98943Sluigi * Parse arguments and assemble the microinstructions which make up a rule.
98943Sluigi * Rules are added into the 'rulebuf' and then copied in the correct order
98943Sluigi * into the actual rule.
98943Sluigi *
136071Sgreen * The syntax for a rule starts with the action, followed by
136071Sgreen * optional action parameters, and the various match patterns.
108533Sschweikh * In the assembled microcode, the first opcode must be an O_PROBE_STATE
98943Sluigi * (generated if the rule includes a keep-state option), then the
136071Sgreen * various match patterns, log/altq actions, and the actual action.
106505Smaxim *
98943Sluigi */
187767Sluigivoid
204591Sluigiipfw_add(char *av[])
98943Sluigi{
98943Sluigi	/*
98943Sluigi	 * rules are added into the 'rulebuf' and then copied in
98943Sluigi	 * the correct order into the actual rule.
98943Sluigi	 * Some things that need to go out of order (prob, action etc.)
98943Sluigi	 * go into actbuf[].
98943Sluigi	 */
117328Sluigi	static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
98943Sluigi
117469Sluigi	ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
102087Sluigi	ipfw_insn *first_cmd;	/* first match pattern */
98943Sluigi
98943Sluigi	struct ip_fw *rule;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * various flags used to record that we entered some fields.
98943Sluigi	 */
101116Sluigi	ipfw_insn *have_state = NULL;	/* check-state or keep-state */
158879Soleg	ipfw_insn *have_log = NULL, *have_altq = NULL, *have_tag = NULL;
134475Smaxim	size_t len;
98943Sluigi
98943Sluigi	int i;
98943Sluigi
98943Sluigi	int open_par = 0;	/* open parenthesis ( */
98943Sluigi
98943Sluigi	/* proto is here because it is used to fetch ports */
98943Sluigi	u_char proto = IPPROTO_IP;	/* default protocol */
98943Sluigi
107289Sluigi	double match_prob = 1; /* match probability, default is always match */
107289Sluigi
98943Sluigi	bzero(actbuf, sizeof(actbuf));		/* actions go here */
98943Sluigi	bzero(cmdbuf, sizeof(cmdbuf));
98943Sluigi	bzero(rulebuf, sizeof(rulebuf));
98943Sluigi
98943Sluigi	rule = (struct ip_fw *)rulebuf;
98943Sluigi	cmd = (ipfw_insn *)cmdbuf;
98943Sluigi	action = (ipfw_insn *)actbuf;
98943Sluigi
204591Sluigi	av++;
98943Sluigi
98943Sluigi	/* [rule N]	-- Rule number optional */
204591Sluigi	if (av[0] && isdigit(**av)) {
98943Sluigi		rule->rulenum = atoi(*av);
98943Sluigi		av++;
98943Sluigi	}
98943Sluigi
117655Sluigi	/* [set N]	-- set number (0..RESVD_SET), optional */
205631Sluigi	if (av[0] && av[1] && _substrcmp(*av, "set") == 0) {
101628Sluigi		int set = strtoul(av[1], NULL, 10);
117655Sluigi		if (set < 0 || set > RESVD_SET)
101628Sluigi			errx(EX_DATAERR, "illegal set %s", av[1]);
101628Sluigi		rule->set = set;
204591Sluigi		av += 2;
101628Sluigi	}
101628Sluigi
98943Sluigi	/* [prob D]	-- match probability, optional */
204591Sluigi	if (av[0] && av[1] && _substrcmp(*av, "prob") == 0) {
107289Sluigi		match_prob = strtod(av[1], NULL);
98943Sluigi
107289Sluigi		if (match_prob <= 0 || match_prob > 1)
98943Sluigi			errx(EX_DATAERR, "illegal match prob. %s", av[1]);
204591Sluigi		av += 2;
98943Sluigi	}
98943Sluigi
98943Sluigi	/* action	-- mandatory */
98943Sluigi	NEED1("missing action");
98943Sluigi	i = match_token(rule_actions, *av);
204591Sluigi	av++;
98943Sluigi	action->len = 1;	/* default */
98943Sluigi	switch(i) {
98943Sluigi	case TOK_CHECKSTATE:
101116Sluigi		have_state = action;
98943Sluigi		action->opcode = O_CHECK_STATE;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_ACCEPT:
98943Sluigi		action->opcode = O_ACCEPT;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_DENY:
98943Sluigi		action->opcode = O_DENY;
99475Sluigi		action->arg1 = 0;
98943Sluigi		break;
98943Sluigi
99475Sluigi	case TOK_REJECT:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		action->arg1 = ICMP_UNREACH_HOST;
99475Sluigi		break;
99475Sluigi
99475Sluigi	case TOK_RESET:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		action->arg1 = ICMP_REJECT_RST;
99475Sluigi		break;
99475Sluigi
149020Sbz	case TOK_RESET6:
149020Sbz		action->opcode = O_UNREACH6;
149020Sbz		action->arg1 = ICMP6_UNREACH_RST;
149020Sbz		break;
149020Sbz
99475Sluigi	case TOK_UNREACH:
99475Sluigi		action->opcode = O_REJECT;
99475Sluigi		NEED1("missing reject code");
99475Sluigi		fill_reject_code(&action->arg1, *av);
204591Sluigi		av++;
99475Sluigi		break;
99475Sluigi
149020Sbz	case TOK_UNREACH6:
149020Sbz		action->opcode = O_UNREACH6;
149020Sbz		NEED1("missing unreach code");
149020Sbz		fill_unreach6_code(&action->arg1, *av);
204591Sluigi		av++;
149020Sbz		break;
149020Sbz
98943Sluigi	case TOK_COUNT:
98943Sluigi		action->opcode = O_COUNT;
98943Sluigi		break;
98943Sluigi
176517Spiso	case TOK_NAT:
176517Spiso 		action->opcode = O_NAT;
176517Spiso 		action->len = F_INSN_SIZE(ipfw_insn_nat);
176517Spiso		goto chkarg;
178888Sjulian
98943Sluigi	case TOK_QUEUE:
153374Sglebius		action->opcode = O_QUEUE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_PIPE:
153374Sglebius		action->opcode = O_PIPE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_SKIPTO:
153374Sglebius		action->opcode = O_SKIPTO;
153374Sglebius		goto chkarg;
153374Sglebius	case TOK_NETGRAPH:
153374Sglebius		action->opcode = O_NETGRAPH;
153374Sglebius		goto chkarg;
153374Sglebius	case TOK_NGTEE:
153374Sglebius		action->opcode = O_NGTEE;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_DIVERT:
153374Sglebius		action->opcode = O_DIVERT;
153374Sglebius		goto chkarg;
98943Sluigi	case TOK_TEE:
153374Sglebius		action->opcode = O_TEE;
153374Sglebiuschkarg:
204591Sluigi		if (!av[0])
153374Sglebius			errx(EX_USAGE, "missing argument for %s", *(av - 1));
153374Sglebius		if (isdigit(**av)) {
153374Sglebius			action->arg1 = strtoul(*av, NULL, 10);
153374Sglebius			if (action->arg1 <= 0 || action->arg1 >= IP_FW_TABLEARG)
153374Sglebius				errx(EX_DATAERR, "illegal argument for %s",
153374Sglebius				    *(av - 1));
187762Sluigi		} else if (_substrcmp(*av, "tablearg") == 0) {
153374Sglebius			action->arg1 = IP_FW_TABLEARG;
153374Sglebius		} else if (i == TOK_DIVERT || i == TOK_TEE) {
98943Sluigi			struct servent *s;
98943Sluigi			setservent(1);
98943Sluigi			s = getservbyname(av[0], "divert");
98943Sluigi			if (s != NULL)
98943Sluigi				action->arg1 = ntohs(s->s_port);
98943Sluigi			else
98943Sluigi				errx(EX_DATAERR, "illegal divert/tee port");
153374Sglebius		} else
153374Sglebius			errx(EX_DATAERR, "illegal argument for %s", *(av - 1));
204591Sluigi		av++;
98943Sluigi		break;
98943Sluigi
98943Sluigi	case TOK_FORWARD: {
98943Sluigi		ipfw_insn_sa *p = (ipfw_insn_sa *)action;
98943Sluigi		char *s, *end;
98943Sluigi
98943Sluigi		NEED1("missing forward address[:port]");
98943Sluigi
98943Sluigi		action->opcode = O_FORWARD_IP;
98943Sluigi		action->len = F_INSN_SIZE(ipfw_insn_sa);
98943Sluigi
188005Sluigi		/*
188005Sluigi		 * In the kernel we assume AF_INET and use only
200183Sluigi		 * sin_port and sin_addr. Remember to set sin_len as
200183Sluigi		 * the routing code seems to use it too.
188005Sluigi		 */
98943Sluigi		p->sa.sin_family = AF_INET;
200183Sluigi		p->sa.sin_len = sizeof(struct sockaddr_in);
98943Sluigi		p->sa.sin_port = 0;
98943Sluigi		/*
98943Sluigi		 * locate the address-port separator (':' or ',')
98943Sluigi		 */
98943Sluigi		s = strchr(*av, ':');
98943Sluigi		if (s == NULL)
98943Sluigi			s = strchr(*av, ',');
98943Sluigi		if (s != NULL) {
98943Sluigi			*(s++) = '\0';
98943Sluigi			i = strtoport(s, &end, 0 /* base */, 0 /* proto */);
98943Sluigi			if (s == end)
98943Sluigi				errx(EX_DATAERR,
98943Sluigi				    "illegal forwarding port ``%s''", s);
103241Sluigi			p->sa.sin_port = (u_short)i;
98943Sluigi		}
220802Sglebius		if (_substrcmp(*av, "tablearg") == 0)
161456Sjulian			p->sa.sin_addr.s_addr = INADDR_ANY;
161456Sjulian		else
161424Sjulian			lookup_host(*av, &(p->sa.sin_addr));
204591Sluigi		av++;
98943Sluigi		break;
161424Sjulian	    }
117469Sluigi	case TOK_COMMENT:
117469Sluigi		/* pretend it is a 'count' rule followed by the comment */
117469Sluigi		action->opcode = O_COUNT;
204591Sluigi		av--;		/* go back... */
117469Sluigi		break;
178888Sjulian
178888Sjulian	case TOK_SETFIB:
178888Sjulian	    {
178888Sjulian		int numfibs;
178916Sjulian		size_t intsize = sizeof(int);
178888Sjulian
178888Sjulian		action->opcode = O_SETFIB;
178888Sjulian 		NEED1("missing fib number");
220802Sglebius 		action->arg1 = strtoul(*av, NULL, 10);
178916Sjulian		if (sysctlbyname("net.fibs", &numfibs, &intsize, NULL, 0) == -1)
178888Sjulian			errx(EX_DATAERR, "fibs not suported.\n");
178888Sjulian		if (action->arg1 >= numfibs)  /* Temporary */
178888Sjulian			errx(EX_DATAERR, "fib too large.\n");
204591Sluigi 		av++;
178888Sjulian 		break;
178888Sjulian	    }
190633Spiso
190633Spiso	case TOK_REASS:
190633Spiso		action->opcode = O_REASS;
190633Spiso		break;
165648Spiso
98943Sluigi	default:
102087Sluigi		errx(EX_DATAERR, "invalid action %s\n", av[-1]);
98943Sluigi	}
98943Sluigi	action = next_cmd(action);
98943Sluigi
98943Sluigi	/*
136071Sgreen	 * [altq queuename] -- altq tag, optional
98943Sluigi	 * [log [logamount N]]	-- log, optional
98943Sluigi	 *
136071Sgreen	 * If they exist, it go first in the cmdbuf, but then it is
98943Sluigi	 * skipped in the copy section to the end of the buffer.
98943Sluigi	 */
204591Sluigi	while (av[0] != NULL && (i = match_token(rule_action_params, *av)) != -1) {
204591Sluigi		av++;
136071Sgreen		switch (i) {
136071Sgreen		case TOK_LOG:
136071Sgreen		    {
136071Sgreen			ipfw_insn_log *c = (ipfw_insn_log *)cmd;
136071Sgreen			int l;
98943Sluigi
136071Sgreen			if (have_log)
136071Sgreen				errx(EX_DATAERR,
136071Sgreen				    "log cannot be specified more than once");
136071Sgreen			have_log = (ipfw_insn *)c;
136071Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_log);
136071Sgreen			cmd->opcode = O_LOG;
204591Sluigi			if (av[0] && _substrcmp(*av, "logamount") == 0) {
204591Sluigi				av++;
136071Sgreen				NEED1("logamount requires argument");
136071Sgreen				l = atoi(*av);
136071Sgreen				if (l < 0)
136071Sgreen					errx(EX_DATAERR,
136071Sgreen					    "logamount must be positive");
136071Sgreen				c->max_log = l;
204591Sluigi				av++;
136071Sgreen			} else {
136071Sgreen				len = sizeof(c->max_log);
136071Sgreen				if (sysctlbyname("net.inet.ip.fw.verbose_limit",
136071Sgreen				    &c->max_log, &len, NULL, 0) == -1)
136071Sgreen					errx(1, "sysctlbyname(\"%s\")",
136071Sgreen					    "net.inet.ip.fw.verbose_limit");
136071Sgreen			}
136071Sgreen		    }
136071Sgreen			break;
136071Sgreen
204591Sluigi#ifndef NO_ALTQ
136071Sgreen		case TOK_ALTQ:
136071Sgreen		    {
136071Sgreen			ipfw_insn_altq *a = (ipfw_insn_altq *)cmd;
136071Sgreen
136071Sgreen			NEED1("missing altq queue name");
136071Sgreen			if (have_altq)
136071Sgreen				errx(EX_DATAERR,
136071Sgreen				    "altq cannot be specified more than once");
136071Sgreen			have_altq = (ipfw_insn *)a;
136071Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_altq);
136071Sgreen			cmd->opcode = O_ALTQ;
187983Sluigi			a->qid = altq_name_to_qid(*av);
204591Sluigi			av++;
136071Sgreen		    }
136071Sgreen			break;
204591Sluigi#endif
136071Sgreen
158879Soleg		case TOK_TAG:
159636Soleg		case TOK_UNTAG: {
159636Soleg			uint16_t tag;
159636Soleg
158879Soleg			if (have_tag)
159636Soleg				errx(EX_USAGE, "tag and untag cannot be "
159636Soleg				    "specified more than once");
193516Sluigi			GET_UINT_ARG(tag, IPFW_ARG_MIN, IPFW_ARG_MAX, i,
182823Srik			   rule_action_params);
158879Soleg			have_tag = cmd;
159636Soleg			fill_cmd(cmd, O_TAG, (i == TOK_TAG) ? 0: F_NOT, tag);
204591Sluigi			av++;
158879Soleg			break;
159636Soleg		}
158879Soleg
136071Sgreen		default:
136071Sgreen			abort();
98943Sluigi		}
98943Sluigi		cmd = next_cmd(cmd);
98943Sluigi	}
98943Sluigi
101116Sluigi	if (have_state)	/* must be a check-state, we are done */
98943Sluigi		goto done;
98943Sluigi
98943Sluigi#define OR_START(target)					\
204591Sluigi	if (av[0] && (*av[0] == '(' || *av[0] == '{')) { 	\
98943Sluigi		if (open_par)					\
98943Sluigi			errx(EX_USAGE, "nested \"(\" not allowed\n"); \
101641Sluigi		prev = NULL;					\
98943Sluigi		open_par = 1;					\
98943Sluigi		if ( (av[0])[1] == '\0') {			\
204591Sluigi			av++;					\
98943Sluigi		} else						\
98943Sluigi			(*av)++;				\
98943Sluigi	}							\
98943Sluigi	target:							\
98943Sluigi
98943Sluigi
98943Sluigi#define	CLOSE_PAR						\
98943Sluigi	if (open_par) {						\
204591Sluigi		if (av[0] && (					\
140271Sbrooks		    strcmp(*av, ")") == 0 ||			\
140271Sbrooks		    strcmp(*av, "}") == 0)) {			\
101641Sluigi			prev = NULL;				\
98943Sluigi			open_par = 0;				\
204591Sluigi			av++;					\
98943Sluigi		} else						\
98943Sluigi			errx(EX_USAGE, "missing \")\"\n");	\
98943Sluigi	}
106505Smaxim
98943Sluigi#define NOT_BLOCK						\
204591Sluigi	if (av[0] && _substrcmp(*av, "not") == 0) {		\
98943Sluigi		if (cmd->len & F_NOT)				\
98943Sluigi			errx(EX_USAGE, "double \"not\" not allowed\n"); \
98943Sluigi		cmd->len |= F_NOT;				\
204591Sluigi		av++;						\
98943Sluigi	}
98943Sluigi
98943Sluigi#define OR_BLOCK(target)					\
204591Sluigi	if (av[0] && _substrcmp(*av, "or") == 0) {		\
98943Sluigi		if (prev == NULL || open_par == 0)		\
98943Sluigi			errx(EX_DATAERR, "invalid OR block");	\
98943Sluigi		prev->len |= F_OR;				\
204591Sluigi		av++;					\
98943Sluigi		goto target;					\
98943Sluigi	}							\
98943Sluigi	CLOSE_PAR;
98943Sluigi
102087Sluigi	first_cmd = cmd;
102098Sluigi
102098Sluigi#if 0
98943Sluigi	/*
102087Sluigi	 * MAC addresses, optional.
102087Sluigi	 * If we have this, we skip the part "proto from src to dst"
102087Sluigi	 * and jump straight to the option parsing.
102087Sluigi	 */
102087Sluigi	NOT_BLOCK;
102087Sluigi	NEED1("missing protocol");
140271Sbrooks	if (_substrcmp(*av, "MAC") == 0 ||
140271Sbrooks	    _substrcmp(*av, "mac") == 0) {
204591Sluigi		av++;			/* the "MAC" keyword */
204591Sluigi		add_mac(cmd, av);	/* exits in case of errors */
102087Sluigi		cmd = next_cmd(cmd);
204591Sluigi		av += 2;		/* dst-mac and src-mac */
102087Sluigi		NOT_BLOCK;
102087Sluigi		NEED1("missing mac type");
204591Sluigi		if (add_mactype(cmd, av[0]))
102087Sluigi			cmd = next_cmd(cmd);
204591Sluigi		av++;			/* any or mac-type */
102087Sluigi		goto read_options;
102087Sluigi	}
102098Sluigi#endif
102087Sluigi
102087Sluigi	/*
98943Sluigi	 * protocol, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(get_proto);
98943Sluigi	NOT_BLOCK;
98943Sluigi	NEED1("missing protocol");
152923Sume	if (add_proto_compat(cmd, *av, &proto)) {
204591Sluigi		av++;
147105Smlaier		if (F_LEN(cmd) != 0) {
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
102098Sluigi	} else if (first_cmd != cmd) {
116438Smaxim		errx(EX_DATAERR, "invalid protocol ``%s''", *av);
102098Sluigi	} else
102098Sluigi		goto read_options;
98943Sluigi    OR_BLOCK(get_proto);
98943Sluigi
98943Sluigi	/*
102087Sluigi	 * "from", mandatory
98943Sluigi	 */
204591Sluigi	if ((av[0] == NULL) || _substrcmp(*av, "from") != 0)
98943Sluigi		errx(EX_USAGE, "missing ``from''");
204591Sluigi	av++;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * source IP, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(source_ip);
98943Sluigi	NOT_BLOCK;	/* optional "not" */
98943Sluigi	NEED1("missing source address");
145246Sbrooks	if (add_src(cmd, *av, proto)) {
204591Sluigi		av++;
102087Sluigi		if (F_LEN(cmd) != 0) {	/* ! any */
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
145246Sbrooks	} else
145246Sbrooks		errx(EX_USAGE, "bad source address %s", *av);
98943Sluigi    OR_BLOCK(source_ip);
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * source ports, optional
98943Sluigi	 */
98943Sluigi	NOT_BLOCK;	/* optional "not" */
204591Sluigi	if ( av[0] != NULL ) {
140271Sbrooks		if (_substrcmp(*av, "any") == 0 ||
102087Sluigi		    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
204591Sluigi			av++;
102087Sluigi			if (F_LEN(cmd) != 0)
102087Sluigi				cmd = next_cmd(cmd);
101641Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
102087Sluigi	 * "to", mandatory
98943Sluigi	 */
204591Sluigi	if ( (av[0] == NULL) || _substrcmp(*av, "to") != 0 )
98943Sluigi		errx(EX_USAGE, "missing ``to''");
204591Sluigi	av++;
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * destination, mandatory
98943Sluigi	 */
98943Sluigi    OR_START(dest_ip);
98943Sluigi	NOT_BLOCK;	/* optional "not" */
98943Sluigi	NEED1("missing dst address");
145246Sbrooks	if (add_dst(cmd, *av, proto)) {
204591Sluigi		av++;
102087Sluigi		if (F_LEN(cmd) != 0) {	/* ! any */
102087Sluigi			prev = cmd;
102087Sluigi			cmd = next_cmd(cmd);
102087Sluigi		}
145246Sbrooks	} else
145246Sbrooks		errx( EX_USAGE, "bad destination address %s", *av);
98943Sluigi    OR_BLOCK(dest_ip);
98943Sluigi
98943Sluigi	/*
98943Sluigi	 * dest. ports, optional
98943Sluigi	 */
98943Sluigi	NOT_BLOCK;	/* optional "not" */
204591Sluigi	if (av[0]) {
140271Sbrooks		if (_substrcmp(*av, "any") == 0 ||
102087Sluigi		    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
204591Sluigi			av++;
102087Sluigi			if (F_LEN(cmd) != 0)
102087Sluigi				cmd = next_cmd(cmd);
101641Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigiread_options:
204591Sluigi	if (av[0] && first_cmd == cmd) {
102087Sluigi		/*
102087Sluigi		 * nothing specified so far, store in the rule to ease
102087Sluigi		 * printout later.
102087Sluigi		 */
102087Sluigi		 rule->_pad = 1;
102087Sluigi	}
98943Sluigi	prev = NULL;
204591Sluigi	while ( av[0] != NULL ) {
101641Sluigi		char *s;
101641Sluigi		ipfw_insn_u32 *cmd32;	/* alias for cmd */
98943Sluigi
101641Sluigi		s = *av;
101641Sluigi		cmd32 = (ipfw_insn_u32 *)cmd;
101641Sluigi
98943Sluigi		if (*s == '!') {	/* alternate syntax for NOT */
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				errx(EX_USAGE, "double \"not\" not allowed\n");
98943Sluigi			cmd->len = F_NOT;
98943Sluigi			s++;
98943Sluigi		}
98943Sluigi		i = match_token(rule_options, s);
204591Sluigi		av++;
98943Sluigi		switch(i) {
98943Sluigi		case TOK_NOT:
98943Sluigi			if (cmd->len & F_NOT)
98943Sluigi				errx(EX_USAGE, "double \"not\" not allowed\n");
98943Sluigi			cmd->len = F_NOT;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_OR:
101641Sluigi			if (open_par == 0 || prev == NULL)
98943Sluigi				errx(EX_USAGE, "invalid \"or\" block\n");
98943Sluigi			prev->len |= F_OR;
98943Sluigi			break;
101641Sluigi
101641Sluigi		case TOK_STARTBRACE:
101641Sluigi			if (open_par)
101641Sluigi				errx(EX_USAGE, "+nested \"(\" not allowed\n");
101641Sluigi			open_par = 1;
101641Sluigi			break;
101641Sluigi
101641Sluigi		case TOK_ENDBRACE:
101641Sluigi			if (!open_par)
101641Sluigi				errx(EX_USAGE, "+missing \")\"\n");
101641Sluigi			open_par = 0;
102087Sluigi			prev = NULL;
220802Sglebius			break;
101641Sluigi
98943Sluigi		case TOK_IN:
98943Sluigi			fill_cmd(cmd, O_IN, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_OUT:
98943Sluigi			cmd->len ^= F_NOT; /* toggle F_NOT */
98943Sluigi			fill_cmd(cmd, O_IN, 0, 0);
98943Sluigi			break;
98943Sluigi
136073Sgreen		case TOK_DIVERTED:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 3);
136073Sgreen			break;
136073Sgreen
136073Sgreen		case TOK_DIVERTEDLOOPBACK:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 1);
136073Sgreen			break;
136073Sgreen
136073Sgreen		case TOK_DIVERTEDOUTPUT:
136073Sgreen			fill_cmd(cmd, O_DIVERTED, 0, 2);
136073Sgreen			break;
136073Sgreen
98943Sluigi		case TOK_FRAG:
98943Sluigi			fill_cmd(cmd, O_FRAG, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_LAYER2:
98943Sluigi			fill_cmd(cmd, O_LAYER2, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_XMIT:
98943Sluigi		case TOK_RECV:
98943Sluigi		case TOK_VIA:
98943Sluigi			NEED1("recv, xmit, via require interface name"
98943Sluigi				" or address");
98943Sluigi			fill_iface((ipfw_insn_if *)cmd, av[0]);
204591Sluigi			av++;
98943Sluigi			if (F_LEN(cmd) == 0)	/* not a valid address */
98943Sluigi				break;
98943Sluigi			if (i == TOK_XMIT)
98943Sluigi				cmd->opcode = O_XMIT;
98943Sluigi			else if (i == TOK_RECV)
98943Sluigi				cmd->opcode = O_RECV;
98943Sluigi			else if (i == TOK_VIA)
98943Sluigi				cmd->opcode = O_VIA;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_ICMPTYPES:
99475Sluigi			NEED1("icmptypes requires list of types");
99475Sluigi			fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
204591Sluigi			av++;
99475Sluigi			break;
145246Sbrooks
145246Sbrooks		case TOK_ICMP6TYPES:
145246Sbrooks			NEED1("icmptypes requires list of types");
145246Sbrooks			fill_icmp6types((ipfw_insn_icmp6 *)cmd, *av);
204591Sluigi			av++;
145246Sbrooks			break;
99475Sluigi
98943Sluigi		case TOK_IPTTL:
98943Sluigi			NEED1("ipttl requires TTL");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPTTL))
116690Sluigi				errx(EX_DATAERR, "invalid ipttl %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPID:
116690Sluigi			NEED1("ipid requires id");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPID))
116690Sluigi				errx(EX_DATAERR, "invalid ipid %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPLEN:
98943Sluigi			NEED1("iplen requires length");
116690Sluigi			if (strpbrk(*av, "-,")) {
116690Sluigi			    if (!add_ports(cmd, *av, 0, O_IPLEN))
116690Sluigi				errx(EX_DATAERR, "invalid ip len %s", *av);
116690Sluigi			} else
116690Sluigi			    fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_IPVER:
98943Sluigi			NEED1("ipver requires version");
98943Sluigi			fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_IPPRECEDENCE:
99475Sluigi			NEED1("ipprecedence requires value");
99475Sluigi			fill_cmd(cmd, O_IPPRECEDENCE, 0,
99475Sluigi			    (strtoul(*av, NULL, 0) & 7) << 5);
204591Sluigi			av++;
99475Sluigi			break;
99475Sluigi
98943Sluigi		case TOK_IPOPTS:
98943Sluigi			NEED1("missing argument for ipoptions");
101116Sluigi			fill_flags(cmd, O_IPOPT, f_ipopts, *av);
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
99475Sluigi		case TOK_IPTOS:
99475Sluigi			NEED1("missing argument for iptos");
101116Sluigi			fill_flags(cmd, O_IPTOS, f_iptos, *av);
204591Sluigi			av++;
99475Sluigi			break;
99475Sluigi
98943Sluigi		case TOK_UID:
98943Sluigi			NEED1("uid requires argument");
98943Sluigi		    {
98943Sluigi			char *end;
98943Sluigi			uid_t uid;
98943Sluigi			struct passwd *pwd;
98943Sluigi
98943Sluigi			cmd->opcode = O_UID;
98943Sluigi			uid = strtoul(*av, &end, 0);
98943Sluigi			pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
98943Sluigi			if (pwd == NULL)
98943Sluigi				errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
106504Smaxim			cmd32->d[0] = pwd->pw_uid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
204591Sluigi			av++;
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_GID:
98943Sluigi			NEED1("gid requires argument");
98943Sluigi		    {
98943Sluigi			char *end;
98943Sluigi			gid_t gid;
98943Sluigi			struct group *grp;
98943Sluigi
98943Sluigi			cmd->opcode = O_GID;
98943Sluigi			gid = strtoul(*av, &end, 0);
98943Sluigi			grp = (*end == '\0') ? getgrgid(gid) : getgrnam(*av);
98943Sluigi			if (grp == NULL)
98943Sluigi				errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
106504Smaxim			cmd32->d[0] = grp->gr_gid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
204591Sluigi			av++;
98943Sluigi		    }
98943Sluigi			break;
98943Sluigi
133600Scsjp		case TOK_JAIL:
133600Scsjp			NEED1("jail requires argument");
133600Scsjp		    {
133600Scsjp			char *end;
133600Scsjp			int jid;
133600Scsjp
133600Scsjp			cmd->opcode = O_JAIL;
133600Scsjp			jid = (int)strtol(*av, &end, 0);
133600Scsjp			if (jid < 0 || *end != '\0')
133600Scsjp				errx(EX_DATAERR, "jail requires prison ID");
135554Scsjp			cmd32->d[0] = (uint32_t)jid;
135089Scsjp			cmd->len |= F_INSN_SIZE(ipfw_insn_u32);
204591Sluigi			av++;
133600Scsjp		    }
133600Scsjp			break;
133600Scsjp
98943Sluigi		case TOK_ESTAB:
98943Sluigi			fill_cmd(cmd, O_ESTAB, 0, 0);
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_SETUP:
98943Sluigi			fill_cmd(cmd, O_TCPFLAGS, 0,
98943Sluigi				(TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
98943Sluigi			break;
98943Sluigi
136075Sgreen		case TOK_TCPDATALEN:
136075Sgreen			NEED1("tcpdatalen requires length");
136075Sgreen			if (strpbrk(*av, "-,")) {
136075Sgreen			    if (!add_ports(cmd, *av, 0, O_TCPDATALEN))
136075Sgreen				errx(EX_DATAERR, "invalid tcpdata len %s", *av);
136075Sgreen			} else
136075Sgreen			    fill_cmd(cmd, O_TCPDATALEN, 0,
136075Sgreen				    strtoul(*av, NULL, 0));
204591Sluigi			av++;
136075Sgreen			break;
136075Sgreen
98943Sluigi		case TOK_TCPOPTS:
98943Sluigi			NEED1("missing argument for tcpoptions");
98943Sluigi			fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPSEQ:
98943Sluigi		case TOK_TCPACK:
98943Sluigi			NEED1("tcpseq/tcpack requires argument");
98943Sluigi			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
98943Sluigi			cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
98943Sluigi			cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPWIN:
98943Sluigi			NEED1("tcpwin requires length");
98943Sluigi			fill_cmd(cmd, O_TCPWIN, 0,
98943Sluigi			    htons(strtoul(*av, NULL, 0)));
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_TCPFLAGS:
98943Sluigi			NEED1("missing argument for tcpflags");
98943Sluigi			cmd->opcode = O_TCPFLAGS;
98943Sluigi			fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
204591Sluigi			av++;
98943Sluigi			break;
98943Sluigi
98943Sluigi		case TOK_KEEPSTATE:
101641Sluigi			if (open_par)
101641Sluigi				errx(EX_USAGE, "keep-state cannot be part "
101641Sluigi				    "of an or block");
99909Sluigi			if (have_state)
101116Sluigi				errx(EX_USAGE, "only one of keep-state "
99909Sluigi					"and limit is allowed");
101116Sluigi			have_state = cmd;
98943Sluigi			fill_cmd(cmd, O_KEEP_STATE, 0, 0);
98943Sluigi			break;
98943Sluigi
159636Soleg		case TOK_LIMIT: {
159636Soleg			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
159636Soleg			int val;
159636Soleg
101641Sluigi			if (open_par)
159636Soleg				errx(EX_USAGE,
159636Soleg				    "limit cannot be part of an or block");
99909Sluigi			if (have_state)
168819Smaxim				errx(EX_USAGE, "only one of keep-state and "
159636Soleg				    "limit is allowed");
101116Sluigi			have_state = cmd;
98943Sluigi
98943Sluigi			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
98943Sluigi			cmd->opcode = O_LIMIT;
159636Soleg			c->limit_mask = c->conn_limit = 0;
98943Sluigi
204591Sluigi			while ( av[0] != NULL ) {
159636Soleg				if ((val = match_token(limit_masks, *av)) <= 0)
98943Sluigi					break;
98943Sluigi				c->limit_mask |= val;
204591Sluigi				av++;
98943Sluigi			}
159636Soleg
98943Sluigi			if (c->limit_mask == 0)
159636Soleg				errx(EX_USAGE, "limit: missing limit mask");
159636Soleg
193516Sluigi			GET_UINT_ARG(c->conn_limit, IPFW_ARG_MIN, IPFW_ARG_MAX,
182823Srik			    TOK_LIMIT, rule_options);
159636Soleg
204591Sluigi			av++;
98943Sluigi			break;
159636Soleg		}
98943Sluigi
102087Sluigi		case TOK_PROTO:
102087Sluigi			NEED1("missing protocol");
145246Sbrooks			if (add_proto(cmd, *av, &proto)) {
204591Sluigi				av++;
102098Sluigi			} else
116438Smaxim				errx(EX_DATAERR, "invalid protocol ``%s''",
116438Smaxim				    *av);
102087Sluigi			break;
106505Smaxim
102087Sluigi		case TOK_SRCIP:
102087Sluigi			NEED1("missing source IP");
102087Sluigi			if (add_srcip(cmd, *av)) {
204591Sluigi				av++;
102087Sluigi			}
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_DSTIP:
102087Sluigi			NEED1("missing destination IP");
102087Sluigi			if (add_dstip(cmd, *av)) {
204591Sluigi				av++;
102087Sluigi			}
102087Sluigi			break;
102087Sluigi
145246Sbrooks		case TOK_SRCIP6:
145246Sbrooks			NEED1("missing source IP6");
145246Sbrooks			if (add_srcip6(cmd, *av)) {
204591Sluigi				av++;
145246Sbrooks			}
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case TOK_DSTIP6:
145246Sbrooks			NEED1("missing destination IP6");
145246Sbrooks			if (add_dstip6(cmd, *av)) {
204591Sluigi				av++;
145246Sbrooks			}
145246Sbrooks			break;
145246Sbrooks
102087Sluigi		case TOK_SRCPORT:
102087Sluigi			NEED1("missing source port");
140271Sbrooks			if (_substrcmp(*av, "any") == 0 ||
102087Sluigi			    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
204591Sluigi				av++;
102087Sluigi			} else
102087Sluigi				errx(EX_DATAERR, "invalid source port %s", *av);
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_DSTPORT:
102087Sluigi			NEED1("missing destination port");
140271Sbrooks			if (_substrcmp(*av, "any") == 0 ||
102087Sluigi			    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
204591Sluigi				av++;
102087Sluigi			} else
102087Sluigi				errx(EX_DATAERR, "invalid destination port %s",
102087Sluigi				    *av);
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_MAC:
204591Sluigi			if (add_mac(cmd, av))
204591Sluigi				av += 2;
102087Sluigi			break;
102087Sluigi
102087Sluigi		case TOK_MACTYPE:
102087Sluigi			NEED1("missing mac type");
204591Sluigi			if (!add_mactype(cmd, *av))
116438Smaxim				errx(EX_DATAERR, "invalid mac type %s", *av);
204591Sluigi			av++;
102087Sluigi			break;
102087Sluigi
112250Scjc		case TOK_VERREVPATH:
112250Scjc			fill_cmd(cmd, O_VERREVPATH, 0, 0);
112250Scjc			break;
116919Sluigi
128575Sandre		case TOK_VERSRCREACH:
128575Sandre			fill_cmd(cmd, O_VERSRCREACH, 0, 0);
128575Sandre			break;
128575Sandre
133387Sandre		case TOK_ANTISPOOF:
133387Sandre			fill_cmd(cmd, O_ANTISPOOF, 0, 0);
133387Sandre			break;
133387Sandre
117241Sluigi		case TOK_IPSEC:
117241Sluigi			fill_cmd(cmd, O_IPSEC, 0, 0);
117241Sluigi			break;
117241Sluigi
145246Sbrooks		case TOK_IPV6:
145246Sbrooks			fill_cmd(cmd, O_IP6, 0, 0);
145246Sbrooks			break;
145246Sbrooks
146894Smlaier		case TOK_IPV4:
146894Smlaier			fill_cmd(cmd, O_IP4, 0, 0);
146894Smlaier			break;
146894Smlaier
145246Sbrooks		case TOK_EXT6HDR:
145246Sbrooks			fill_ext6hdr( cmd, *av );
204591Sluigi			av++;
145246Sbrooks			break;
145246Sbrooks
145246Sbrooks		case TOK_FLOWID:
145246Sbrooks			if (proto != IPPROTO_IPV6 )
145246Sbrooks				errx( EX_USAGE, "flow-id filter is active "
145246Sbrooks				    "only for ipv6 protocol\n");
145246Sbrooks			fill_flow6( (ipfw_insn_u32 *) cmd, *av );
204591Sluigi			av++;
145246Sbrooks			break;
145246Sbrooks
117469Sluigi		case TOK_COMMENT:
204591Sluigi			fill_comment(cmd, av);
204591Sluigi			av[0]=NULL;
117469Sluigi			break;
117469Sluigi
158879Soleg		case TOK_TAGGED:
204591Sluigi			if (av[0] && strpbrk(*av, "-,")) {
158879Soleg				if (!add_ports(cmd, *av, 0, O_TAGGED))
159636Soleg					errx(EX_DATAERR, "tagged: invalid tag"
159636Soleg					    " list: %s", *av);
158879Soleg			}
159636Soleg			else {
159636Soleg				uint16_t tag;
159636Soleg
193516Sluigi				GET_UINT_ARG(tag, IPFW_ARG_MIN, IPFW_ARG_MAX,
182823Srik				    TOK_TAGGED, rule_options);
159636Soleg				fill_cmd(cmd, O_TAGGED, 0, tag);
159636Soleg			}
204591Sluigi			av++;
158879Soleg			break;
158879Soleg
178888Sjulian		case TOK_FIB:
178888Sjulian			NEED1("fib requires fib number");
178888Sjulian			fill_cmd(cmd, O_FIB, 0, strtoul(*av, NULL, 0));
204591Sluigi			av++;
178888Sjulian			break;
215179Sluigi		case TOK_SOCKARG:
215179Sluigi			fill_cmd(cmd, O_SOCKARG, 0, 0);
215179Sluigi			break;
178888Sjulian
200567Sluigi		case TOK_LOOKUP: {
200567Sluigi			ipfw_insn_u32 *c = (ipfw_insn_u32 *)cmd;
200567Sluigi			char *p;
200567Sluigi			int j;
200567Sluigi
205169Sluigi			if (!av[0] || !av[1])
200567Sluigi				errx(EX_USAGE, "format: lookup argument tablenum");
200567Sluigi			cmd->opcode = O_IP_DST_LOOKUP;
200567Sluigi			cmd->len |= F_INSN_SIZE(ipfw_insn) + 2;
200567Sluigi			i = match_token(rule_options, *av);
200567Sluigi			for (j = 0; lookup_key[j] >= 0 ; j++) {
200567Sluigi				if (i == lookup_key[j])
200567Sluigi					break;
200567Sluigi			}
200567Sluigi			if (lookup_key[j] <= 0)
200567Sluigi				errx(EX_USAGE, "format: cannot lookup on %s", *av);
200567Sluigi			c->d[1] = j; // i converted to option
204591Sluigi			av++;
200567Sluigi			cmd->arg1 = strtoul(*av, &p, 0);
200567Sluigi			if (p && *p)
200567Sluigi				errx(EX_USAGE, "format: lookup argument tablenum");
204591Sluigi			av++;
200567Sluigi		    }
200567Sluigi			break;
200567Sluigi
98943Sluigi		default:
98943Sluigi			errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
98943Sluigi		}
98943Sluigi		if (F_LEN(cmd) > 0) {	/* prepare to advance */
98943Sluigi			prev = cmd;
98943Sluigi			cmd = next_cmd(cmd);
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigidone:
98943Sluigi	/*
98943Sluigi	 * Now copy stuff into the rule.
98943Sluigi	 * If we have a keep-state option, the first instruction
98943Sluigi	 * must be a PROBE_STATE (which is generated here).
98943Sluigi	 * If we have a LOG option, it was stored as the first command,
98943Sluigi	 * and now must be moved to the top of the action part.
98943Sluigi	 */
98943Sluigi	dst = (ipfw_insn *)rule->cmd;
98943Sluigi
98943Sluigi	/*
107289Sluigi	 * First thing to write into the command stream is the match probability.
107289Sluigi	 */
107289Sluigi	if (match_prob != 1) { /* 1 means always match */
107289Sluigi		dst->opcode = O_PROB;
107289Sluigi		dst->len = 2;
107289Sluigi		*((int32_t *)(dst+1)) = (int32_t)(match_prob * 0x7fffffff);
107289Sluigi		dst += dst->len;
107289Sluigi	}
107289Sluigi
107289Sluigi	/*
98943Sluigi	 * generate O_PROBE_STATE if necessary
98943Sluigi	 */
101116Sluigi	if (have_state && have_state->opcode != O_CHECK_STATE) {
98943Sluigi		fill_cmd(dst, O_PROBE_STATE, 0, 0);
98943Sluigi		dst = next_cmd(dst);
98943Sluigi	}
158879Soleg
158879Soleg	/* copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT, O_ALTQ, O_TAG */
98943Sluigi	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
98943Sluigi		i = F_LEN(src);
98943Sluigi
101116Sluigi		switch (src->opcode) {
101116Sluigi		case O_LOG:
101116Sluigi		case O_KEEP_STATE:
101116Sluigi		case O_LIMIT:
136071Sgreen		case O_ALTQ:
158879Soleg		case O_TAG:
101116Sluigi			break;
101116Sluigi		default:
117328Sluigi			bcopy(src, dst, i * sizeof(uint32_t));
98943Sluigi			dst += i;
98943Sluigi		}
98943Sluigi	}
98943Sluigi
98943Sluigi	/*
101116Sluigi	 * put back the have_state command as last opcode
101116Sluigi	 */
101295Sluigi	if (have_state && have_state->opcode != O_CHECK_STATE) {
101116Sluigi		i = F_LEN(have_state);
117328Sluigi		bcopy(have_state, dst, i * sizeof(uint32_t));
101116Sluigi		dst += i;
101116Sluigi	}
101116Sluigi	/*
98943Sluigi	 * start action section
98943Sluigi	 */
98943Sluigi	rule->act_ofs = dst - rule->cmd;
98943Sluigi
158879Soleg	/* put back O_LOG, O_ALTQ, O_TAG if necessary */
136071Sgreen	if (have_log) {
136071Sgreen		i = F_LEN(have_log);
136071Sgreen		bcopy(have_log, dst, i * sizeof(uint32_t));
98943Sluigi		dst += i;
98943Sluigi	}
136071Sgreen	if (have_altq) {
136071Sgreen		i = F_LEN(have_altq);
136071Sgreen		bcopy(have_altq, dst, i * sizeof(uint32_t));
136071Sgreen		dst += i;
136071Sgreen	}
158879Soleg	if (have_tag) {
158879Soleg		i = F_LEN(have_tag);
158879Soleg		bcopy(have_tag, dst, i * sizeof(uint32_t));
158879Soleg		dst += i;
158879Soleg	}
98943Sluigi	/*
98943Sluigi	 * copy all other actions
98943Sluigi	 */
98943Sluigi	for (src = (ipfw_insn *)actbuf; src != action; src += i) {
98943Sluigi		i = F_LEN(src);
117328Sluigi		bcopy(src, dst, i * sizeof(uint32_t));
98943Sluigi		dst += i;
98943Sluigi	}
98943Sluigi
117328Sluigi	rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
117469Sluigi	i = (char *)dst - (char *)rule;
119740Stmm	if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1)
98943Sluigi		err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
187764Sluigi	if (!co.do_quiet)
117469Sluigi		show_ipfw(rule, 0, 0);
98943Sluigi}
98943Sluigi
187767Sluigi/*
187767Sluigi * clear the counters or the log counters.
187767Sluigi */
187767Sluigivoid
187767Sluigiipfw_zero(int ac, char *av[], int optname /* 0 = IP_FW_ZERO, 1 = IP_FW_RESETLOG */)
98943Sluigi{
170923Smaxim	uint32_t arg, saved_arg;
98943Sluigi	int failed = EX_OK;
170923Smaxim	char const *errstr;
187767Sluigi	char const *name = optname ? "RESETLOG" : "ZERO";
98943Sluigi
187767Sluigi	optname = optname ? IP_FW_RESETLOG : IP_FW_ZERO;
187767Sluigi
98943Sluigi	av++; ac--;
98943Sluigi
98943Sluigi	if (!ac) {
98943Sluigi		/* clear all entries */
117328Sluigi		if (do_cmd(optname, NULL, 0) < 0)
117328Sluigi			err(EX_UNAVAILABLE, "setsockopt(IP_FW_%s)", name);
187764Sluigi		if (!co.do_quiet)
117328Sluigi			printf("%s.\n", optname == IP_FW_ZERO ?
117328Sluigi			    "Accounting cleared":"Logging counts reset");
98943Sluigi
98943Sluigi		return;
98943Sluigi	}
98943Sluigi
98943Sluigi	while (ac) {
98943Sluigi		/* Rule number */
98943Sluigi		if (isdigit(**av)) {
170923Smaxim			arg = strtonum(*av, 0, 0xffff, &errstr);
170923Smaxim			if (errstr)
170923Smaxim				errx(EX_DATAERR,
170923Smaxim				    "invalid rule number %s\n", *av);
170923Smaxim			saved_arg = arg;
187764Sluigi			if (co.use_set)
187764Sluigi				arg |= (1 << 24) | ((co.use_set - 1) << 16);
98943Sluigi			av++;
98943Sluigi			ac--;
170923Smaxim			if (do_cmd(optname, &arg, sizeof(arg))) {
117328Sluigi				warn("rule %u: setsockopt(IP_FW_%s)",
170923Smaxim				    saved_arg, name);
98943Sluigi				failed = EX_UNAVAILABLE;
187764Sluigi			} else if (!co.do_quiet)
170923Smaxim				printf("Entry %d %s.\n", saved_arg,
117328Sluigi				    optname == IP_FW_ZERO ?
117328Sluigi					"cleared" : "logging count reset");
98943Sluigi		} else {
98943Sluigi			errx(EX_USAGE, "invalid rule number ``%s''", *av);
98943Sluigi		}
98943Sluigi	}
98943Sluigi	if (failed != EX_OK)
98943Sluigi		exit(failed);
98943Sluigi}
98943Sluigi
187767Sluigivoid
187767Sluigiipfw_flush(int force)
98943Sluigi{
187764Sluigi	int cmd = co.do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH;
98943Sluigi
187764Sluigi	if (!force && !co.do_quiet) { /* need to ask user */
98943Sluigi		int c;
98943Sluigi
98943Sluigi		printf("Are you sure? [yn] ");
98943Sluigi		fflush(stdout);
98943Sluigi		do {
98943Sluigi			c = toupper(getc(stdin));
98943Sluigi			while (c != '\n' && getc(stdin) != '\n')
98943Sluigi				if (feof(stdin))
98943Sluigi					return; /* and do not flush */
98943Sluigi		} while (c != 'Y' && c != 'N');
98943Sluigi		printf("\n");
98943Sluigi		if (c == 'N')	/* user said no */
98943Sluigi			return;
98943Sluigi	}
204591Sluigi	if (co.do_pipe) {
204591Sluigi		dummynet_flush();
204591Sluigi		return;
204591Sluigi	}
170923Smaxim	/* `ipfw set N flush` - is the same that `ipfw delete set N` */
187764Sluigi	if (co.use_set) {
187764Sluigi		uint32_t arg = ((co.use_set - 1) & 0xffff) | (1 << 24);
170923Smaxim		if (do_cmd(IP_FW_DEL, &arg, sizeof(arg)) < 0)
170923Smaxim			err(EX_UNAVAILABLE, "setsockopt(IP_FW_DEL)");
170923Smaxim	} else if (do_cmd(cmd, NULL, 0) < 0)
98943Sluigi		err(EX_UNAVAILABLE, "setsockopt(IP_%s_FLUSH)",
187764Sluigi		    co.do_pipe ? "DUMMYNET" : "FW");
187764Sluigi	if (!co.do_quiet)
187764Sluigi		printf("Flushed all %s.\n", co.do_pipe ? "pipes" : "rules");
98943Sluigi}
98943Sluigi
117544Sluigi
183407Srikstatic void table_list(ipfw_table_entry ent, int need_header);
183228Srik
117544Sluigi/*
130281Sru * This one handles all table-related commands
130281Sru * 	ipfw table N add addr[/masklen] [value]
130281Sru * 	ipfw table N delete addr[/masklen]
183407Srik * 	ipfw table {N | all} flush
183407Srik * 	ipfw table {N | all} list
130281Sru */
187767Sluigivoid
187767Sluigiipfw_table_handler(int ac, char *av[])
130281Sru{
130281Sru	ipfw_table_entry ent;
130281Sru	int do_add;
183407Srik	int is_all;
183241Srik	size_t len;
130281Sru	char *p;
183407Srik	uint32_t a;
183241Srik	uint32_t tables_max;
130281Sru
183263Skeramida	len = sizeof(tables_max);
183241Srik	if (sysctlbyname("net.inet.ip.fw.tables_max", &tables_max, &len,
183241Srik		NULL, 0) == -1) {
183241Srik#ifdef IPFW_TABLES_MAX
183241Srik		warn("Warn: Failed to get the max tables number via sysctl. "
183241Srik		     "Using the compiled in defaults. \nThe reason was");
183241Srik		tables_max = IPFW_TABLES_MAX;
183241Srik#else
183241Srik		errx(1, "Failed sysctlbyname(\"net.inet.ip.fw.tables_max\")");
183241Srik#endif
183241Srik	}
183241Srik
130281Sru	ac--; av++;
130281Sru	if (ac && isdigit(**av)) {
130281Sru		ent.tbl = atoi(*av);
183407Srik		is_all = 0;
130281Sru		ac--; av++;
183407Srik	} else if (ac && _substrcmp(*av, "all") == 0) {
183407Srik		ent.tbl = 0;
183407Srik		is_all = 1;
183407Srik		ac--; av++;
130281Sru	} else
183407Srik		errx(EX_USAGE, "table number or 'all' keyword required");
183241Srik	if (ent.tbl >= tables_max)
183241Srik		errx(EX_USAGE, "The table number exceeds the maximum allowed "
183241Srik			"value (%d)", tables_max - 1);
130281Sru	NEED1("table needs command");
183407Srik	if (is_all && _substrcmp(*av, "list") != 0
183407Srik		   && _substrcmp(*av, "flush") != 0)
183407Srik		errx(EX_USAGE, "table number required");
183407Srik
140271Sbrooks	if (_substrcmp(*av, "add") == 0 ||
140271Sbrooks	    _substrcmp(*av, "delete") == 0) {
130281Sru		do_add = **av == 'a';
130281Sru		ac--; av++;
130281Sru		if (!ac)
130281Sru			errx(EX_USAGE, "IP address required");
130281Sru		p = strchr(*av, '/');
130281Sru		if (p) {
130281Sru			*p++ = '\0';
130281Sru			ent.masklen = atoi(p);
130281Sru			if (ent.masklen > 32)
130281Sru				errx(EX_DATAERR, "bad width ``%s''", p);
130281Sru		} else
130281Sru			ent.masklen = 32;
130281Sru		if (lookup_host(*av, (struct in_addr *)&ent.addr) != 0)
130298Sru			errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
130281Sru		ac--; av++;
161424Sjulian		if (do_add && ac) {
161424Sjulian			unsigned int tval;
161424Sjulian			/* isdigit is a bit of a hack here.. */
161424Sjulian			if (strchr(*av, (int)'.') == NULL && isdigit(**av))  {
161424Sjulian				ent.value = strtoul(*av, NULL, 0);
161424Sjulian			} else {
220802Sglebius				if (lookup_host(*av, (struct in_addr *)&tval) == 0) {
161424Sjulian					/* The value must be stored in host order	 *
161424Sjulian					 * so that the values < 65k can be distinguished */
220802Sglebius		       			ent.value = ntohl(tval);
161424Sjulian				} else {
161424Sjulian					errx(EX_NOHOST, "hostname ``%s'' unknown", *av);
161424Sjulian				}
161424Sjulian			}
161424Sjulian		} else
130281Sru			ent.value = 0;
130281Sru		if (do_cmd(do_add ? IP_FW_TABLE_ADD : IP_FW_TABLE_DEL,
157335Sjulian		    &ent, sizeof(ent)) < 0) {
155639Sjulian			/* If running silent, don't bomb out on these errors. */
187764Sluigi			if (!(co.do_quiet && (errno == (do_add ? EEXIST : ESRCH))))
155639Sjulian				err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)",
155639Sjulian				    do_add ? "ADD" : "DEL");
155639Sjulian			/* In silent mode, react to a failed add by deleting */
157332Sjulian			if (do_add) {
155639Sjulian				do_cmd(IP_FW_TABLE_DEL, &ent, sizeof(ent));
155639Sjulian				if (do_cmd(IP_FW_TABLE_ADD,
155639Sjulian				    &ent, sizeof(ent)) < 0)
155639Sjulian					err(EX_OSERR,
220802Sglebius					    "setsockopt(IP_FW_TABLE_ADD)");
157332Sjulian			}
157335Sjulian		}
140271Sbrooks	} else if (_substrcmp(*av, "flush") == 0) {
204591Sluigi		a = is_all ? tables_max : (uint32_t)(ent.tbl + 1);
183407Srik		do {
183407Srik			if (do_cmd(IP_FW_TABLE_FLUSH, &ent.tbl,
183407Srik			    sizeof(ent.tbl)) < 0)
183407Srik				err(EX_OSERR, "setsockopt(IP_FW_TABLE_FLUSH)");
183407Srik		} while (++ent.tbl < a);
140271Sbrooks	} else if (_substrcmp(*av, "list") == 0) {
204591Sluigi		a = is_all ? tables_max : (uint32_t)(ent.tbl + 1);
183407Srik		do {
183415Srik			table_list(ent, is_all);
183407Srik		} while (++ent.tbl < a);
183228Srik	} else
183228Srik		errx(EX_USAGE, "invalid table command %s", *av);
183228Srik}
183205Srik
183228Srikstatic void
183407Sriktable_list(ipfw_table_entry ent, int need_header)
183228Srik{
183228Srik	ipfw_table *tbl;
183228Srik	socklen_t l;
183228Srik	uint32_t a;
183205Srik
183228Srik	a = ent.tbl;
183228Srik	l = sizeof(a);
183228Srik	if (do_cmd(IP_FW_TABLE_GETSIZE, &a, (uintptr_t)&l) < 0)
183228Srik		err(EX_OSERR, "getsockopt(IP_FW_TABLE_GETSIZE)");
183228Srik
183228Srik	/* If a is zero we have nothing to do, the table is empty. */
183228Srik	if (a == 0)
183228Srik		return;
183228Srik
183228Srik	l = sizeof(*tbl) + a * sizeof(ipfw_table_entry);
187716Sluigi	tbl = safe_calloc(1, l);
183228Srik	tbl->tbl = ent.tbl;
183228Srik	if (do_cmd(IP_FW_TABLE_LIST, tbl, (uintptr_t)&l) < 0)
183228Srik		err(EX_OSERR, "getsockopt(IP_FW_TABLE_LIST)");
183407Srik	if (tbl->cnt && need_header)
183407Srik		printf("---table(%d)---\n", tbl->tbl);
183228Srik	for (a = 0; a < tbl->cnt; a++) {
183228Srik		unsigned int tval;
183228Srik		tval = tbl->ent[a].value;
187764Sluigi		if (co.do_value_as_ip) {
183228Srik			char tbuf[128];
183228Srik			strncpy(tbuf, inet_ntoa(*(struct in_addr *)
161456Sjulian				&tbl->ent[a].addr), 127);
183228Srik			/* inet_ntoa expects network order */
183228Srik			tval = htonl(tval);
183228Srik			printf("%s/%u %s\n", tbuf, tbl->ent[a].masklen,
183228Srik				inet_ntoa(*(struct in_addr *)&tval));
183228Srik		} else {
183228Srik			printf("%s/%u %u\n",
183228Srik				inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr),
183228Srik				tbl->ent[a].masklen, tval);
130281Sru		}
183228Srik	}
183228Srik	free(tbl);
130281Sru}