sbin/ipfw/ipfw2.c

226046Sdes/*
224638Sbrooks * Copyright (c) 2002-2003 Luigi Rizzo
57429Smarkm * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
57429Smarkm * Copyright (c) 1994 Ugen J.S.Antsilevich
57429Smarkm *
57429Smarkm * Idea and grammar partially left from:
57429Smarkm * Copyright (c) 1993 Daniel Boulet
57429Smarkm *
57429Smarkm * Redistribution and use in source forms, with and without modification,
60573Skris * are permitted provided that this entire comment appears intact.
65668Skris *
65668Skris * Redistribution in binary form may occur without any restrictions.
65668Skris * Obviously, it would be nice if you gave credit where credit is due
65668Skris * but requiring it would be too onerous.
65668Skris *
65668Skris * This software is provided ``AS IS'' without any warranties of any kind.
60573Skris *
92559Sdes * NEW command line interface for IP firewall facility
65668Skris *
65668Skris * $FreeBSD: head/sbin/ipfw/ipfw2.c 129058 2004-05-09 01:53:31Z csjp $
65668Skris */
65668Skris
65668Skris#include <sys/param.h>
65668Skris#include <sys/mbuf.h>
65668Skris#include <sys/socket.h>
65668Skris#include <sys/sockio.h>
65668Skris#include <sys/sysctl.h>
65668Skris#include <sys/time.h>
65668Skris#include <sys/wait.h>
65668Skris
65668Skris#include <ctype.h>
65668Skris#include <err.h>
65668Skris#include <errno.h>
65668Skris#include <grp.h>
65668Skris#include <limits.h>
65668Skris#include <netdb.h>
65668Skris#include <pwd.h>
65668Skris#include <signal.h>
65668Skris#include <stdio.h>
65668Skris#include <stdlib.h>
57429Smarkm#include <stdarg.h>
57429Smarkm#include <string.h>
57429Smarkm#include <timeconv.h>	/* XXX do we need this ? */
57429Smarkm#include <unistd.h>
162856Sdes#include <sysexits.h>
162856Sdes
162856Sdes#include <net/if.h>
162856Sdes#include <netinet/in.h>
162856Sdes#include <netinet/in_systm.h>
162856Sdes#include <netinet/ip.h>
162856Sdes#include <netinet/ip_icmp.h>
162856Sdes#include <netinet/ip_fw.h>
162856Sdes#include <netinet/ip_dummynet.h>
162856Sdes#include <netinet/tcp.h>
162856Sdes#include <arpa/inet.h>
162856Sdes
204917Sdesint
162856Sdes		do_resolv,		/* Would try to resolve all */
162856Sdes		do_time,		/* Show time stamps */
162856Sdes		do_quiet,		/* Be quiet in add and flush */
162856Sdes		do_pipe,		/* this cmd refers to a pipe */
162856Sdes		do_sort,		/* field to sort results (0 = no) */
162856Sdes		do_dynamic,		/* display dynamic rules */
162856Sdes		do_expired,		/* display expired dynamic rules */
162856Sdes		do_compact,		/* show rules in compact mode */
181111Sdes		do_force,		/* do not ask for confirmation */
162856Sdes		show_sets,		/* display rule sets */
57429Smarkm		test_only,		/* only check syntax */
76262Sgreen		comment_only,		/* only print action and comment */
76262Sgreen		verbose;
57429Smarkm
76262Sgreen#define	IP_MASK_ALL	0xffffffff
76262Sgreen
162856Sdes/*
57429Smarkm * _s_x is a structure that stores a string <-> token pairs, used in
57429Smarkm * various places in the parser. Entries are stored in arrays,
76262Sgreen * with an entry with s=NULL as terminator.
65668Skris * The search routines are match_token() and match_value().
65668Skris * Often, an element with x=0 contains an error string.
92559Sdes *
65668Skris */
92559Sdesstruct _s_x {
57429Smarkm	char const *s;
57429Smarkm	int x;
57429Smarkm};
57429Smarkm
57429Smarkmstatic struct _s_x f_tcpflags[] = {
92559Sdes	{ "syn", TH_SYN },
57429Smarkm	{ "fin", TH_FIN },
57429Smarkm	{ "ack", TH_ACK },
57429Smarkm	{ "psh", TH_PUSH },
92559Sdes	{ "rst", TH_RST },
57429Smarkm	{ "urg", TH_URG },
137019Sdes	{ "tcp flag", 0 },
57429Smarkm	{ NULL,	0 }
57429Smarkm};
57429Smarkm
92559Sdesstatic struct _s_x f_tcpopts[] = {
57429Smarkm	{ "mss",	IP_FW_TCPOPT_MSS },
76262Sgreen	{ "maxseg",	IP_FW_TCPOPT_MSS },
57429Smarkm	{ "window",	IP_FW_TCPOPT_WINDOW },
57429Smarkm	{ "sack",	IP_FW_TCPOPT_SACK },
92559Sdes	{ "ts",		IP_FW_TCPOPT_TS },
57429Smarkm	{ "timestamp",	IP_FW_TCPOPT_TS },
57429Smarkm	{ "cc",		IP_FW_TCPOPT_CC },
57429Smarkm	{ "tcp option",	0 },
57429Smarkm	{ NULL,	0 }
57429Smarkm};
57429Smarkm
57429Smarkm/*
57429Smarkm * IP options span the range 0 to 255 so we need to remap them
60573Skris * (though in fact only the low 5 bits are significant).
60573Skris */
60573Skrisstatic struct _s_x f_ipopts[] = {
57429Smarkm	{ "ssrr",	IP_FW_IPOPT_SSRR},
57429Smarkm	{ "lsrr",	IP_FW_IPOPT_LSRR},
162856Sdes	{ "rr",		IP_FW_IPOPT_RR},
215116Sdes	{ "ts",		IP_FW_IPOPT_TS},
92559Sdes	{ "ip option",	0 },
162856Sdes	{ NULL,	0 }
215116Sdes};
162856Sdes
162856Sdesstatic struct _s_x f_iptos[] = {
57429Smarkm	{ "lowdelay",	IPTOS_LOWDELAY},
162856Sdes	{ "throughput",	IPTOS_THROUGHPUT},
162856Sdes	{ "reliability", IPTOS_RELIABILITY},
162856Sdes	{ "mincost",	IPTOS_MINCOST},
162856Sdes	{ "congestion",	IPTOS_CE},
57429Smarkm	{ "ecntransport", IPTOS_ECT},
57429Smarkm	{ "ip tos option", 0},
57429Smarkm	{ NULL,	0 }
57429Smarkm};
57429Smarkm
57429Smarkmstatic struct _s_x limit_masks[] = {
57429Smarkm	{"all",		DYN_SRC_ADDR|DYN_SRC_PORT|DYN_DST_ADDR|DYN_DST_PORT},
57429Smarkm	{"src-addr",	DYN_SRC_ADDR},
92559Sdes	{"src-port",	DYN_SRC_PORT},
92559Sdes	{"dst-addr",	DYN_DST_ADDR},
92559Sdes	{"dst-port",	DYN_DST_PORT},
92559Sdes	{NULL,		0}
92559Sdes};
149753Sdes
149753Sdes/*
149753Sdes * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines
92559Sdes * This is only used in this code.
92559Sdes */
92559Sdes#define IPPROTO_ETHERTYPE	0x1000
92559Sdesstatic struct _s_x ether_types[] = {
92559Sdes    /*
92559Sdes     * Note, we cannot use "-:&/" in the names because they are field
92559Sdes     * separators in the type specifications. Also, we use s = NULL as
92559Sdes     * end-delimiter, because a type of 0 can be legal.
92559Sdes     */
92559Sdes	{ "ip",		0x0800 },
92559Sdes	{ "ipv4",	0x0800 },
162856Sdes	{ "ipv6",	0x86dd },
92559Sdes	{ "arp",	0x0806 },
92559Sdes	{ "rarp",	0x8035 },
92559Sdes	{ "vlan",	0x8100 },
92559Sdes	{ "loop",	0x9000 },
92559Sdes	{ "trail",	0x1000 },
92559Sdes	{ "at",		0x809b },
92559Sdes	{ "atalk",	0x809b },
76262Sgreen	{ "aarp",	0x80f3 },
98941Sdes	{ "pppoe_disc",	0x8863 },
76262Sgreen	{ "pppoe_sess",	0x8864 },
92559Sdes	{ "ipx_8022",	0x00E0 },
92559Sdes	{ "ipx_8023",	0x0000 },
76262Sgreen	{ "ipx_ii",	0x8137 },
181111Sdes	{ "ipx_snap",	0x8137 },
181111Sdes	{ "ipx",	0x8137 },
181111Sdes	{ "ns",		0x0600 },
181111Sdes	{ NULL,		0 }
224638Sbrooks};
224638Sbrooks
224638Sbrooksstatic void show_usage(void);
224638Sbrooks
224638Sbrooksenum tokens {
92559Sdes	TOK_NULL=0,
57429Smarkm
60573Skris	TOK_OR,
157019Sdes	TOK_NOT,
60573Skris	TOK_STARTBRACE,
60573Skris	TOK_ENDBRACE,
92559Sdes
137019Sdes	TOK_ACCEPT,
157019Sdes	TOK_COUNT,
60573Skris	TOK_PIPE,
60573Skris	TOK_QUEUE,
92559Sdes	TOK_DIVERT,
92559Sdes	TOK_TEE,
157019Sdes	TOK_FORWARD,
60573Skris	TOK_SKIPTO,
60573Skris	TOK_DENY,
60573Skris	TOK_REJECT,
60573Skris	TOK_RESET,
60573Skris	TOK_UNREACH,
57429Smarkm	TOK_CHECKSTATE,
157019Sdes
157019Sdes	TOK_UID,
157019Sdes	TOK_GID,
157019Sdes	TOK_IN,
157019Sdes	TOK_LIMIT,
157019Sdes	TOK_KEEPSTATE,
157019Sdes	TOK_LAYER2,
157019Sdes	TOK_OUT,
157019Sdes	TOK_XMIT,
157019Sdes	TOK_RECV,
157019Sdes	TOK_VIA,
162856Sdes	TOK_FRAG,
157019Sdes	TOK_IPOPTS,
157019Sdes	TOK_IPLEN,
157019Sdes	TOK_IPID,
157019Sdes	TOK_IPPRECEDENCE,
157019Sdes	TOK_IPTOS,
157019Sdes	TOK_IPTTL,
157019Sdes	TOK_IPVER,
157019Sdes	TOK_ESTAB,
157019Sdes	TOK_SETUP,
157019Sdes	TOK_TCPFLAGS,
157019Sdes	TOK_TCPOPTS,
157019Sdes	TOK_TCPSEQ,
157019Sdes	TOK_TCPACK,
157019Sdes	TOK_TCPWIN,
157019Sdes	TOK_ICMPTYPES,
60573Skris	TOK_MAC,
60573Skris	TOK_MACTYPE,
60573Skris	TOK_VERREVPATH,
92559Sdes	TOK_VERSRCREACH,
69587Sgreen	TOK_IPSEC,
181111Sdes	TOK_COMMENT,
60573Skris
60573Skris	TOK_PLR,
76262Sgreen	TOK_NOERROR,
76262Sgreen	TOK_BUCKETS,
76262Sgreen	TOK_DSTIP,
76262Sgreen	TOK_SRCIP,
204917Sdes	TOK_DSTPORT,
204917Sdes	TOK_SRCPORT,
204917Sdes	TOK_ALL,
204917Sdes	TOK_MASK,
204917Sdes	TOK_BW,
204917Sdes	TOK_DELAY,
60573Skris	TOK_RED,
60573Skris	TOK_GRED,
60573Skris	TOK_DROPTAIL,
60573Skris	TOK_PROTO,
60573Skris	TOK_WEIGHT,
60573Skris};
69587Sgreen
181111Sdesstruct _s_x dummynet_params[] = {
124207Sdes	{ "plr",		TOK_PLR },
181111Sdes	{ "noerror",		TOK_NOERROR },
74500Sgreen	{ "buckets",		TOK_BUCKETS },
69587Sgreen	{ "dst-ip",		TOK_DSTIP },
69587Sgreen	{ "src-ip",		TOK_SRCIP },
69587Sgreen	{ "dst-port",		TOK_DSTPORT },
69587Sgreen	{ "src-port",		TOK_SRCPORT },
69587Sgreen	{ "proto",		TOK_PROTO },
69587Sgreen	{ "weight",		TOK_WEIGHT },
69587Sgreen	{ "all",		TOK_ALL },
69587Sgreen	{ "mask",		TOK_MASK },
69587Sgreen	{ "droptail",		TOK_DROPTAIL },
60573Skris	{ "red",		TOK_RED },
60573Skris	{ "gred",		TOK_GRED },
60573Skris	{ "bw",			TOK_BW },
57429Smarkm	{ "bandwidth",		TOK_BW },
57429Smarkm	{ "delay",		TOK_DELAY },
57429Smarkm	{ "pipe",		TOK_PIPE },
92559Sdes	{ "queue",		TOK_QUEUE },
60573Skris	{ "dummynet-params",	TOK_NULL },
99063Sdes	{ NULL, 0 }	/* terminator */
57429Smarkm};
137019Sdes
137019Sdesstruct _s_x rule_actions[] = {
57429Smarkm	{ "accept",		TOK_ACCEPT },
57429Smarkm	{ "pass",		TOK_ACCEPT },
57429Smarkm	{ "allow",		TOK_ACCEPT },
57429Smarkm	{ "permit",		TOK_ACCEPT },
57429Smarkm	{ "count",		TOK_COUNT },
162856Sdes	{ "pipe",		TOK_PIPE },
57429Smarkm	{ "queue",		TOK_QUEUE },
92559Sdes	{ "divert",		TOK_DIVERT },
57429Smarkm	{ "tee",		TOK_TEE },
57429Smarkm	{ "fwd",		TOK_FORWARD },
57429Smarkm	{ "forward",		TOK_FORWARD },
92559Sdes	{ "skipto",		TOK_SKIPTO },
57429Smarkm	{ "deny",		TOK_DENY },
137019Sdes	{ "drop",		TOK_DENY },
57429Smarkm	{ "reject",		TOK_REJECT },
57429Smarkm	{ "reset",		TOK_RESET },
137019Sdes	{ "unreach",		TOK_UNREACH },
57429Smarkm	{ "check-state",	TOK_CHECKSTATE },
57429Smarkm	{ "//",			TOK_COMMENT },
99063Sdes	{ NULL, 0 }	/* terminator */
99063Sdes};
99063Sdes
162856Sdesstruct _s_x rule_options[] = {
162856Sdes	{ "uid",		TOK_UID },
120489Sjoe	{ "gid",		TOK_GID },
69587Sgreen	{ "in",			TOK_IN },
57429Smarkm	{ "limit",		TOK_LIMIT },
92559Sdes	{ "keep-state",		TOK_KEEPSTATE },
57429Smarkm	{ "bridged",		TOK_LAYER2 },
92559Sdes	{ "layer2",		TOK_LAYER2 },
162856Sdes	{ "out",		TOK_OUT },
57429Smarkm	{ "xmit",		TOK_XMIT },
57429Smarkm	{ "recv",		TOK_RECV },
60573Skris	{ "via",		TOK_VIA },
192595Sdes	{ "fragment",		TOK_FRAG },
92559Sdes	{ "frag",		TOK_FRAG },
92559Sdes	{ "ipoptions",		TOK_IPOPTS },
92559Sdes	{ "ipopts",		TOK_IPOPTS },
181111Sdes	{ "iplen",		TOK_IPLEN },
57429Smarkm	{ "ipid",		TOK_IPID },
57429Smarkm	{ "ipprecedence",	TOK_IPPRECEDENCE },
60573Skris	{ "iptos",		TOK_IPTOS },
224638Sbrooks	{ "ipttl",		TOK_IPTTL },
60573Skris	{ "ipversion",		TOK_IPVER },
60573Skris	{ "ipver",		TOK_IPVER },
60573Skris	{ "estab",		TOK_ESTAB },
60573Skris	{ "established",	TOK_ESTAB },
57429Smarkm	{ "setup",		TOK_SETUP },
124207Sdes	{ "tcpflags",		TOK_TCPFLAGS },
60573Skris	{ "tcpflgs",		TOK_TCPFLAGS },
60573Skris	{ "tcpoptions",		TOK_TCPOPTS },
92559Sdes	{ "tcpopts",		TOK_TCPOPTS },
92559Sdes	{ "tcpseq",		TOK_TCPSEQ },
92559Sdes	{ "tcpack",		TOK_TCPACK },
157019Sdes	{ "tcpwin",		TOK_TCPWIN },
181111Sdes	{ "icmptype",		TOK_ICMPTYPES },
181111Sdes	{ "icmptypes",		TOK_ICMPTYPES },
65668Skris	{ "dst-ip",		TOK_DSTIP },
157019Sdes	{ "src-ip",		TOK_SRCIP },
181111Sdes	{ "dst-port",		TOK_DSTPORT },
181111Sdes	{ "src-port",		TOK_SRCPORT },
204917Sdes	{ "proto",		TOK_PROTO },
204917Sdes	{ "MAC",		TOK_MAC },
204917Sdes	{ "mac",		TOK_MAC },
215116Sdes	{ "mac-type",		TOK_MACTYPE },
204917Sdes	{ "verrevpath",		TOK_VERREVPATH },
181111Sdes	{ "versrcreach",	TOK_VERSRCREACH },
57429Smarkm	{ "ipsec",		TOK_IPSEC },
92559Sdes	{ "//",			TOK_COMMENT },
57429Smarkm
92559Sdes	{ "not",		TOK_NOT },		/* pseudo option */
92559Sdes	{ "!", /* escape ? */	TOK_NOT },		/* pseudo option */
92559Sdes	{ "or",			TOK_OR },		/* pseudo option */
92559Sdes	{ "|", /* escape */	TOK_OR },		/* pseudo option */
137019Sdes	{ "{",			TOK_STARTBRACE },	/* pseudo option */
137019Sdes	{ "(",			TOK_STARTBRACE },	/* pseudo option */
92559Sdes	{ "}",			TOK_ENDBRACE },		/* pseudo option */
92559Sdes	{ ")",			TOK_ENDBRACE },		/* pseudo option */
92559Sdes	{ NULL, 0 }	/* terminator */
92559Sdes};
92559Sdes
92559Sdesstatic __inline uint64_t
92559Sdesalign_uint64(uint64_t *pll) {
92559Sdes	uint64_t ret;
92559Sdes
92559Sdes	bcopy (pll, &ret, sizeof(ret));
92559Sdes	return ret;
92559Sdes};
92559Sdes
60573Skris/*
92559Sdes * conditionally runs the command.
60573Skris */
92559Sdesstatic int
92559Sdesdo_cmd(int optname, void *optval, uintptr_t optlen)
92559Sdes{
92559Sdes	static int s = -1;	/* the socket */
92559Sdes	int i;
92559Sdes
92559Sdes	if (test_only)
92559Sdes		return 0;
92559Sdes
60573Skris	if (s == -1)
57429Smarkm		s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
60573Skris	if (s < 0)
92559Sdes		err(EX_UNAVAILABLE, "socket");
60573Skris
57429Smarkm	if (optname == IP_FW_GET || optname == IP_DUMMYNET_GET ||
92559Sdes	    optname == IP_FW_ADD)
92559Sdes		i = getsockopt(s, IPPROTO_IP, optname, optval,
92559Sdes			(socklen_t *)optlen);
92559Sdes	else
60573Skris		i = setsockopt(s, IPPROTO_IP, optname, optval, optlen);
57429Smarkm	return i;
60573Skris}
60573Skris
92559Sdes/**
60573Skris * match_token takes a table and a string, returns the value associated
92559Sdes * with the string (-1 in case of failure).
137019Sdes */
181111Sdesstatic int
76262Sgreenmatch_token(struct _s_x *table, char *string)
92559Sdes{
92559Sdes	struct _s_x *pt;
92559Sdes	uint i = strlen(string);
137019Sdes
92559Sdes	for (pt = table ; i && pt->s != NULL ; pt++)
92559Sdes		if (strlen(pt->s) == i && !bcmp(string, pt->s, i))
92559Sdes			return pt->x;
124207Sdes	return -1;
76262Sgreen};
76262Sgreen
60573Skris/**
60573Skris * match_value takes a table and a value, returns the string associated
60573Skris * with the value (NULL in case of failure).
60573Skris */
60573Skrisstatic char const *
60573Skrismatch_value(struct _s_x *p, int value)
60573Skris{
60573Skris	for (; p->s != NULL; p++)
60573Skris		if (p->x == value)
60573Skris			return p->s;
192595Sdes	return NULL;
192595Sdes}
192595Sdes
192595Sdes/*
181111Sdes * prints one port, symbolic or numeric
181111Sdes */
181111Sdesstatic void
181111Sdesprint_port(int proto, uint16_t port)
181111Sdes{
181111Sdes
181111Sdes	if (proto == IPPROTO_ETHERTYPE) {
181111Sdes		char const *s;
181111Sdes
92559Sdes		if (do_resolv && (s = match_value(ether_types, port)) )
92559Sdes			printf("%s", s);
57429Smarkm		else
57429Smarkm			printf("0x%04x", port);
92559Sdes	} else {
92559Sdes		struct servent *se = NULL;
92559Sdes		if (do_resolv) {
137019Sdes			struct protoent *pe = getprotobynumber(proto);
92559Sdes
92559Sdes			se = getservbyport(htons(port), pe ? pe->p_name : NULL);
92559Sdes		}
92559Sdes		if (se)
92559Sdes			printf("%s", se->s_name);
92559Sdes		else
57429Smarkm			printf("%d", port);
92559Sdes	}
92559Sdes}
92559Sdes
92559Sdesstruct _s_x _port_name[] = {
92559Sdes	{"dst-port",	O_IP_DSTPORT},
92559Sdes	{"src-port",	O_IP_SRCPORT},
137019Sdes	{"ipid",	O_IPID},
92559Sdes	{"iplen",	O_IPLEN},
92559Sdes	{"ipttl",	O_IPTTL},
92559Sdes	{"mac-type",	O_MAC_TYPE},
92559Sdes	{NULL,		0}
92559Sdes};
92559Sdes
92559Sdes/*
92559Sdes * Print the values in a list 16-bit items of the types above.
92559Sdes * XXX todo: add support for mask.
92559Sdes */
92559Sdesstatic void
92559Sdesprint_newports(ipfw_insn_u16 *cmd, int proto, int opcode)
137019Sdes{
92559Sdes	uint16_t *p = cmd->ports;
92559Sdes	int i;
92559Sdes	char const *sep;
92559Sdes
92559Sdes	if (cmd->o.len & F_NOT)
92559Sdes		printf(" not");
92559Sdes	if (opcode != 0) {
92559Sdes		sep = match_value(_port_name, opcode);
92559Sdes		if (sep == NULL)
92559Sdes			sep = "???";
92559Sdes		printf (" %s", sep);
92559Sdes	}
92559Sdes	sep = " ";
92559Sdes	for (i = F_LEN((ipfw_insn *)cmd) - 1; i > 0; i--, p += 2) {
92559Sdes		printf(sep);
92559Sdes		print_port(proto, p[0]);
92559Sdes		if (p[0] != p[1]) {
92559Sdes			printf("-");
92559Sdes			print_port(proto, p[1]);
92559Sdes		}
92559Sdes		sep = ",";
92559Sdes	}
92559Sdes}
92559Sdes
92559Sdes/*
92559Sdes * Like strtol, but also translates service names into port numbers
92559Sdes * for some protocols.
92559Sdes * In particular:
92559Sdes *	proto == -1 disables the protocol check;
92559Sdes *	proto == IPPROTO_ETHERTYPE looks up an internal table
92559Sdes *	proto == <some value in /etc/protocols> matches the values there.
92559Sdes * Returns *end == s in case the parameter is not found.
92559Sdes */
92559Sdesstatic int
113911Sdesstrtoport(char *s, char **end, int base, int proto)
92559Sdes{
92559Sdes	char *p, *buf;
92559Sdes	char *s1;
92559Sdes	int i;
92559Sdes
124207Sdes	*end = s;		/* default - not found */
92559Sdes	if (*s == '\0')
92559Sdes		return 0;	/* not found */
92559Sdes
92559Sdes	if (isdigit(*s))
92559Sdes		return strtol(s, end, base);
92559Sdes
92559Sdes	/*
92559Sdes	 * find separator. '\\' escapes the next char.
92559Sdes	 */
92559Sdes	for (s1 = s; *s1 && (isalnum(*s1) || *s1 == '\\') ; s1++)
92559Sdes		if (*s1 == '\\' && s1[1] != '\0')
92559Sdes			s1++;
92559Sdes
137019Sdes	buf = malloc(s1 - s + 1);
92559Sdes	if (buf == NULL)
92559Sdes		return 0;
92559Sdes
92559Sdes	/*
92559Sdes	 * copy into a buffer skipping backslashes
92559Sdes	 */
92559Sdes	for (p = s, i = 0; p != s1 ; p++)
92559Sdes		if (*p != '\\')
92559Sdes			buf[i++] = *p;
92559Sdes	buf[i++] = '\0';
204917Sdes
92559Sdes	if (proto == IPPROTO_ETHERTYPE) {
92559Sdes		i = match_token(ether_types, buf);
92559Sdes		free(buf);
92559Sdes		if (i != -1) {	/* found */
92559Sdes			*end = s1;
92559Sdes			return i;
92559Sdes		}
92559Sdes	} else {
92559Sdes		struct protoent *pe = NULL;
92559Sdes		struct servent *se;
92559Sdes
92559Sdes		if (proto != 0)
92559Sdes			pe = getprotobynumber(proto);
204917Sdes		setservent(1);
92559Sdes		se = getservbyname(buf, pe ? pe->p_name : NULL);
92559Sdes		free(buf);
92559Sdes		if (se != NULL) {
92559Sdes			*end = s1;
92559Sdes			return ntohs(se->s_port);
92559Sdes		}
92559Sdes	}
92559Sdes	return 0;	/* not found */
92559Sdes}
92559Sdes
92559Sdes/*
92559Sdes * Fill the body of the command with the list of port ranges.
92559Sdes */
92559Sdesstatic int
92559Sdesfill_newports(ipfw_insn_u16 *cmd, char *av, int proto)
92559Sdes{
92559Sdes	uint16_t a, b, *p = cmd->ports;
92559Sdes	int i = 0;
137019Sdes	char *s = av;
92559Sdes
92559Sdes	while (*s) {
92559Sdes		a = strtoport(av, &s, 0, proto);
92559Sdes		if (s == av) /* no parameter */
137019Sdes			break;
92559Sdes		if (*s == '-') { /* a range */
92559Sdes			av = s+1;
92559Sdes			b = strtoport(av, &s, 0, proto);
92559Sdes			if (s == av) /* no parameter */
92559Sdes				break;
92559Sdes			p[0] = a;
92559Sdes			p[1] = b;
204917Sdes		} else if (*s == ',' || *s == '\0' )
204917Sdes			p[0] = p[1] = a;
92559Sdes		else 	/* invalid separator */
92559Sdes			errx(EX_DATAERR, "invalid separator <%c> in <%s>\n",
92559Sdes				*s, av);
92559Sdes		i++;
92559Sdes		p += 2;
92559Sdes		av = s+1;
92559Sdes	}
92559Sdes	if (i > 0) {
92559Sdes		if (i+1 > F_LEN_MASK)
92559Sdes			errx(EX_DATAERR, "too many ports/ranges\n");
92559Sdes		cmd->o.len |= i+1; /* leave F_NOT and F_OR untouched */
92559Sdes	}
92559Sdes	return i;
92559Sdes}
92559Sdes
92559Sdesstatic struct _s_x icmpcodes[] = {
92559Sdes      { "net",			ICMP_UNREACH_NET },
92559Sdes      { "host",			ICMP_UNREACH_HOST },
92559Sdes      { "protocol",		ICMP_UNREACH_PROTOCOL },
92559Sdes      { "port",			ICMP_UNREACH_PORT },
92559Sdes      { "needfrag",		ICMP_UNREACH_NEEDFRAG },
92559Sdes      { "srcfail",		ICMP_UNREACH_SRCFAIL },
92559Sdes      { "net-unknown",		ICMP_UNREACH_NET_UNKNOWN },
92559Sdes      { "host-unknown",		ICMP_UNREACH_HOST_UNKNOWN },
92559Sdes      { "isolated",		ICMP_UNREACH_ISOLATED },
92559Sdes      { "net-prohib",		ICMP_UNREACH_NET_PROHIB },
92559Sdes      { "host-prohib",		ICMP_UNREACH_HOST_PROHIB },
92559Sdes      { "tosnet",		ICMP_UNREACH_TOSNET },
92559Sdes      { "toshost",		ICMP_UNREACH_TOSHOST },
92559Sdes      { "filter-prohib",	ICMP_UNREACH_FILTER_PROHIB },
92559Sdes      { "host-precedence",	ICMP_UNREACH_HOST_PRECEDENCE },
92559Sdes      { "precedence-cutoff",	ICMP_UNREACH_PRECEDENCE_CUTOFF },
92559Sdes      { NULL, 0 }
92559Sdes};
137019Sdes
92559Sdesstatic void
92559Sdesfill_reject_code(u_short *codep, char *str)
92559Sdes{
92559Sdes	int val;
92559Sdes	char *s;
92559Sdes
92559Sdes	val = strtoul(str, &s, 0);
92559Sdes	if (s == str || *s != '\0' || val >= 0x100)
92559Sdes		val = match_token(icmpcodes, str);
92559Sdes	if (val < 0)
92559Sdes		errx(EX_DATAERR, "unknown ICMP unreachable code ``%s''", str);
92559Sdes	*codep = val;
92559Sdes	return;
92559Sdes}
92559Sdes
204917Sdesstatic void
204917Sdesprint_reject_code(uint16_t code)
92559Sdes{
92559Sdes	char const *s = match_value(icmpcodes, code);
92559Sdes
92559Sdes	if (s != NULL)
92559Sdes		printf("unreach %s", s);
92559Sdes	else
92559Sdes		printf("unreach %u", code);
92559Sdes}
92559Sdes
137019Sdes/*
204917Sdes * Returns the number of bits set (from left) in a contiguous bitmask,
92559Sdes * or -1 if the mask is not contiguous.
92559Sdes * XXX this needs a proper fix.
92559Sdes * This effectively works on masks in big-endian (network) format.
92559Sdes * when compiled on little endian architectures.
204917Sdes *
92559Sdes * First bit is bit 7 of the first byte -- note, for MAC addresses,
92559Sdes * the first bit on the wire is bit 0 of the first byte.
92559Sdes * len is the max length in bits.
92559Sdes */
92559Sdesstatic int
92559Sdescontigmask(uint8_t *p, int len)
92559Sdes{
92559Sdes	int i, n;
92559Sdes
92559Sdes	for (i=0; i<len ; i++)
92559Sdes		if ( (p[i/8] & (1 << (7 - (i%8)))) == 0) /* first bit unset */
92559Sdes			break;
92559Sdes	for (n=i+1; n < len; n++)
92559Sdes		if ( (p[n/8] & (1 << (7 - (n%8)))) != 0)
92559Sdes			return -1; /* mask not contiguous */
92559Sdes	return i;
92559Sdes}
106130Sdes
92559Sdes/*
124207Sdes * print flags set/clear in the two bitmasks passed as parameters.
92559Sdes * There is a specialized check for f_tcpflags.
92559Sdes */
113911Sdesstatic void
92559Sdesprint_flags(char const *name, ipfw_insn *cmd, struct _s_x *list)
92559Sdes{
92559Sdes	char const *comma = "";
92559Sdes	int i;
92559Sdes	uint8_t set = cmd->arg1 & 0xff;
92559Sdes	uint8_t clear = (cmd->arg1 >> 8) & 0xff;
92559Sdes
92559Sdes	if (list == f_tcpflags && set == TH_SYN && clear == TH_ACK) {
92559Sdes		printf(" setup");
113911Sdes		return;
92559Sdes	}
113911Sdes
106130Sdes	printf(" %s ", name);
92559Sdes	for (i=0; list[i].x != 0; i++) {
124207Sdes		if (set & list[i].x) {
92559Sdes			set &= ~list[i].x;
92559Sdes			printf("%s%s", comma, list[i].s);
137019Sdes			comma = ",";
92559Sdes		}
92559Sdes		if (clear & list[i].x) {
92559Sdes			clear &= ~list[i].x;
92559Sdes			printf("%s!%s", comma, list[i].s);
92559Sdes			comma = ",";
162856Sdes		}
92559Sdes	}
181111Sdes}
181111Sdes
92559Sdes/*
181111Sdes * Print the ip address contained in a command.
181111Sdes */
181111Sdesstatic void
181111Sdesprint_ip(ipfw_insn_ip *cmd, char const *s)
181111Sdes{
181111Sdes	struct hostent *he = NULL;
181111Sdes	int len = F_LEN((ipfw_insn *)cmd);
181111Sdes	uint32_t *a = ((ipfw_insn_u32 *)cmd)->d;
181111Sdes
181111Sdes	printf("%s%s ", cmd->o.len & F_NOT ? " not": "", s);
181111Sdes
181111Sdes	if (cmd->o.opcode == O_IP_SRC_ME || cmd->o.opcode == O_IP_DST_ME) {
181111Sdes		printf("me");
181111Sdes		return;
215116Sdes	}
181111Sdes	if (cmd->o.opcode == O_IP_SRC_SET || cmd->o.opcode == O_IP_DST_SET) {
92559Sdes		uint32_t x, *map = (uint32_t *)&(cmd->mask);
106130Sdes		int i, j;
92559Sdes		char comma = '{';
192595Sdes
92559Sdes		x = cmd->o.arg1 - 1;
92559Sdes		x = htonl( ~x );
181111Sdes		cmd->addr.s_addr = htonl(cmd->addr.s_addr);
181111Sdes		printf("%s/%d", inet_ntoa(cmd->addr),
92559Sdes			contigmask((uint8_t *)&x, 32));
162856Sdes		x = cmd->addr.s_addr = htonl(cmd->addr.s_addr);
92559Sdes		x &= 0xff; /* base */
157019Sdes		/*
92559Sdes		 * Print bits and ranges.
157019Sdes		 * Locate first bit set (i), then locate first bit unset (j).
106130Sdes		 * If we have 3+ consecutive bits set, then print them as a
92559Sdes		 * range, otherwise only print the initial bit and rescan.
124207Sdes		 */
92559Sdes		for (i=0; i < cmd->o.arg1; i++)
92559Sdes			if (map[i/32] & (1<<(i & 31))) {
92559Sdes				for (j=i+1; j < cmd->o.arg1; j++)
157019Sdes					if (!(map[ j/32] & (1<<(j & 31))))
92559Sdes						break;
162856Sdes				printf("%c%d", comma, i+x);
92559Sdes				if (j>i+2) { /* range has at least 3 elements */
92559Sdes					printf("-%d", j-1+x);
92559Sdes					i = j-1;
157019Sdes				}
106130Sdes				comma = ',';
92559Sdes			}
124207Sdes		printf("}");
92559Sdes		return;
92559Sdes	}
92559Sdes	/*
157019Sdes	 * len == 2 indicates a single IP, whereas lists of 1 or more
92559Sdes	 * addr/mask pairs have len = (2n+1). We convert len to n so we
162856Sdes	 * use that to count the number of entries.
92559Sdes	 */
157019Sdes    for (len = len / 2; len > 0; len--, a += 2) {
181111Sdes	int mb =	/* mask length */
92559Sdes	    (cmd->o.opcode == O_IP_SRC || cmd->o.opcode == O_IP_DST) ?
92559Sdes		32 : contigmask((uint8_t *)&(a[1]), 32);
106130Sdes	if (mb == 32 && do_resolv)
92559Sdes		he = gethostbyaddr((char *)&(a[0]), sizeof(u_long), AF_INET);
124207Sdes	if (he != NULL)		/* resolved to name */
92559Sdes		printf("%s", he->h_name);
92559Sdes	else if (mb == 0)	/* any */
157019Sdes		printf("any");
157019Sdes	else {		/* numeric IP followed by some kind of mask */
181111Sdes		printf("%s", inet_ntoa( *((struct in_addr *)&a[0]) ) );
181111Sdes		if (mb < 0)
92559Sdes			printf(":%s", inet_ntoa( *((struct in_addr *)&a[1]) ) );
92559Sdes		else if (mb < 32)
92559Sdes			printf("/%d", mb);
92559Sdes	}
181111Sdes	if (len > 1)
92559Sdes		printf(",");
92559Sdes    }
106130Sdes}
92559Sdes
92559Sdes/*
181111Sdes * prints a MAC address/mask pair
92559Sdes */
92559Sdesstatic void
92559Sdesprint_mac(uint8_t *addr, uint8_t *mask)
92559Sdes{
92559Sdes	int l = contigmask(mask, 48);
92559Sdes
92559Sdes	if (l == 0)
92559Sdes		printf(" any");
92559Sdes	else {
60573Skris		printf(" %02x:%02x:%02x:%02x:%02x:%02x",
60573Skris		    addr[0], addr[1], addr[2], addr[3], addr[4], addr[5]);
57429Smarkm		if (l == -1)
60573Skris			printf("&%02x:%02x:%02x:%02x:%02x:%02x",
60573Skris			    mask[0], mask[1], mask[2],
60573Skris			    mask[3], mask[4], mask[5]);
60573Skris		else if (l < 48)
162856Sdes			printf("/%d", l);
60573Skris	}
60573Skris}
57429Smarkm
162856Sdesstatic void
92559Sdesfill_icmptypes(ipfw_insn_u32 *cmd, char *av)
162856Sdes{
57429Smarkm	uint8_t type;
60573Skris
60573Skris	cmd->d[0] = 0;
60573Skris	while (*av) {
162856Sdes		if (*av == ',')
92559Sdes			av++;
162856Sdes
76262Sgreen		type = strtoul(av, &av, 0);
76262Sgreen
76262Sgreen		if (*av != ',' && *av != '\0')
76262Sgreen			errx(EX_DATAERR, "invalid ICMP type");
76262Sgreen
92559Sdes		if (type > 31)
162856Sdes			errx(EX_DATAERR, "ICMP type out of range");
60573Skris
60573Skris		cmd->d[0] |= 1 << type;
60573Skris	}
60573Skris	cmd->o.opcode = O_ICMPTYPE;
60573Skris	cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
60573Skris}
60573Skris
224638Sbrooksstatic void
224638Sbrooksprint_icmptypes(ipfw_insn_u32 *cmd)
224638Sbrooks{
224638Sbrooks	int i;
224638Sbrooks	char sep= ' ';
224638Sbrooks
224638Sbrooks	printf(" icmptypes");
224638Sbrooks	for (i = 0; i < 32; i++) {
224638Sbrooks		if ( (cmd->d[0] & (1 << (i))) == 0)
224638Sbrooks			continue;
224638Sbrooks		printf("%c%d", sep, i);
224638Sbrooks		sep = ',';
224638Sbrooks	}
224638Sbrooks}
224638Sbrooks
224638Sbrooks/*
224638Sbrooks * show_ipfw() prints the body of an ipfw rule.
224638Sbrooks * Because the standard rule has at least proto src_ip dst_ip, we use
224638Sbrooks * a helper function to produce these entries if not provided explicitly.
224638Sbrooks * The first argument is the list of fields we have, the second is
224638Sbrooks * the list of fields we want to be printed.
224638Sbrooks *
224638Sbrooks * Special cases if we have provided a MAC header:
224638Sbrooks *   + if the rule does not contain IP addresses/ports, do not print them;
224638Sbrooks *   + if the rule does not contain an IP proto, print "all" instead of "ip";
224638Sbrooks *
224638Sbrooks * Once we have 'have_options', IP header fields are printed as options.
224638Sbrooks */
92559Sdes#define	HAVE_PROTO	0x0001
162856Sdes#define	HAVE_SRCIP	0x0002
60573Skris#define	HAVE_DSTIP	0x0004
224638Sbrooks#define	HAVE_MAC	0x0008
60573Skris#define	HAVE_MACTYPE	0x0010
224638Sbrooks#define	HAVE_OPTIONS	0x8000
224638Sbrooks
224638Sbrooks#define	HAVE_IP		(HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP)
224638Sbrooksstatic void
224638Sbrooksshow_prerequisites(int *flags, int want, int cmd)
224638Sbrooks{
224638Sbrooks	if (comment_only)
60573Skris		return;
92559Sdes	if ( (*flags & HAVE_IP) == HAVE_IP)
162856Sdes		*flags |= HAVE_OPTIONS;
162856Sdes
60573Skris	if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) == HAVE_MAC &&
60573Skris	     cmd != O_MAC_TYPE) {
60573Skris		/*
60573Skris		 * mac-type was optimized out by the compiler,
60573Skris		 * restore it
60573Skris		 */
98684Sdes		printf(" any");
149753Sdes		*flags |= HAVE_MACTYPE | HAVE_OPTIONS;
149753Sdes		return;
98684Sdes	}
98684Sdes	if ( !(*flags & HAVE_OPTIONS)) {
60573Skris		if ( !(*flags & HAVE_PROTO) && (want & HAVE_PROTO))
60573Skris			printf(" ip");
60573Skris		if ( !(*flags & HAVE_SRCIP) && (want & HAVE_SRCIP))
181111Sdes			printf(" from any");
181111Sdes		if ( !(*flags & HAVE_DSTIP) && (want & HAVE_DSTIP))
60573Skris			printf(" to any");
60573Skris	}
60573Skris	*flags |= want;
215116Sdes}
215116Sdes
215116Sdesstatic void
60573Skrisshow_ipfw(struct ip_fw *rule, int pcwidth, int bcwidth)
60573Skris{
60573Skris	static int twidth = 0;
137019Sdes	int l;
60573Skris	ipfw_insn *cmd;
60573Skris	char *comment = NULL;	/* ptr to comment if we have one */
162856Sdes	int proto = 0;		/* default */
92559Sdes	int flags = 0;	/* prerequisites */
162856Sdes	ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
60573Skris	int or_block = 0;	/* we are in an or block */
60573Skris	uint32_t set_disable;
60573Skris
60573Skris	bcopy(&rule->next_rule, &set_disable, sizeof(set_disable));
60573Skris
60573Skris	if (set_disable & (1 << rule->set)) { /* disabled */
124207Sdes		if (!show_sets)
60573Skris			return;
60573Skris		else
60573Skris			printf("# DISABLED ");
162856Sdes	}
92559Sdes	printf("%05u ", rule->rulenum);
162856Sdes
60573Skris	if (pcwidth>0 || bcwidth>0)
60573Skris		printf("%*llu %*llu ", pcwidth, align_uint64(&rule->pcnt),
92559Sdes		    bcwidth, align_uint64(&rule->bcnt));
60573Skris
60573Skris	if (do_time == 2)
60573Skris		printf("%10u ", rule->timestamp);
60573Skris	else if (do_time == 1) {
60573Skris		char timestr[30];
60573Skris		time_t t = (time_t)0;
60573Skris
60573Skris		if (twidth == 0) {
60573Skris			strcpy(timestr, ctime(&t));
60573Skris			*strchr(timestr, '\n') = '\0';
60573Skris			twidth = strlen(timestr);
92559Sdes		}
60573Skris		if (rule->timestamp) {
92559Sdes#if _FreeBSD_version < 500000 /* XXX check */
92559Sdes#define	_long_to_time(x)	(time_t)(x)
60573Skris#endif
76262Sgreen			t = _long_to_time(rule->timestamp);
76262Sgreen
57429Smarkm			strcpy(timestr, ctime(&t));
60573Skris			*strchr(timestr, '\n') = '\0';
92559Sdes			printf("%s ", timestr);
60573Skris		} else {
57429Smarkm			printf("%*s", twidth, " ");
60573Skris		}
92559Sdes	}
60573Skris
60573Skris	if (show_sets)
60573Skris		printf("set %d ", rule->set);
60573Skris
60573Skris	/*
60573Skris	 * print the optional "match probability"
60573Skris	 */
124207Sdes	if (rule->cmd_len > 0) {
92559Sdes		cmd = rule->cmd ;
60573Skris		if (cmd->opcode == O_PROB) {
60573Skris			ipfw_insn_u32 *p = (ipfw_insn_u32 *)cmd;
57429Smarkm			double d = 1.0 * p->d[0];
60573Skris
92559Sdes			d = (d / 0x7fffffff);
60573Skris			printf("prob %f ", d);
60573Skris		}
57429Smarkm	}
60573Skris
60573Skris	/*
60573Skris	 * first print actions
124207Sdes	 */
60573Skris        for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
60573Skris			l > 0 ; l -= F_LEN(cmd), cmd += F_LEN(cmd)) {
60573Skris		switch(cmd->opcode) {
60573Skris		case O_CHECK_STATE:
215116Sdes			printf("check-state");
60573Skris			flags = HAVE_IP; /* avoid printing anything else */
124207Sdes			break;
60573Skris
60573Skris		case O_ACCEPT:
60573Skris			printf("allow");
60573Skris			break;
60573Skris
60573Skris		case O_COUNT:
60573Skris			printf("count");
60573Skris			break;
60573Skris
60573Skris		case O_DENY:
60573Skris			printf("deny");
60573Skris			break;
60573Skris
60573Skris		case O_REJECT:
60573Skris			if (cmd->arg1 == ICMP_REJECT_RST)
60573Skris				printf("reset");
60573Skris			else if (cmd->arg1 == ICMP_UNREACH_HOST)
57429Smarkm				printf("reject");
92559Sdes			else
162856Sdes				print_reject_code(cmd->arg1);
60573Skris			break;
92559Sdes
106130Sdes		case O_SKIPTO:
60573Skris			printf("skipto %u", cmd->arg1);
60573Skris			break;
60573Skris
60573Skris		case O_PIPE:
60573Skris			printf("pipe %u", cmd->arg1);
60573Skris			break;
60573Skris
60573Skris		case O_QUEUE:
60573Skris			printf("queue %u", cmd->arg1);
124207Sdes			break;
60573Skris
60573Skris		case O_DIVERT:
92559Sdes			printf("divert %u", cmd->arg1);
60573Skris			break;
60573Skris
60573Skris		case O_TEE:
60573Skris			printf("tee %u", cmd->arg1);
60573Skris			break;
60573Skris
60573Skris		case O_FORWARD_IP:
57429Smarkm		    {
92559Sdes			ipfw_insn_sa *s = (ipfw_insn_sa *)cmd;
162856Sdes
60573Skris			printf("fwd %s", inet_ntoa(s->sa.sin_addr));
92559Sdes			if (s->sa.sin_port)
92559Sdes				printf(",%d", s->sa.sin_port);
92559Sdes		    }
92559Sdes			break;
60573Skris
60573Skris		case O_LOG: /* O_LOG is printed last */
92559Sdes			logptr = (ipfw_insn_log *)cmd;
92559Sdes			break;
124207Sdes
124207Sdes		default:
92559Sdes			printf("** unrecognized action %d len %d",
92559Sdes				cmd->opcode, cmd->len);
92559Sdes		}
92559Sdes	}
92559Sdes	if (logptr) {
60573Skris		if (logptr->max_log > 0)
92559Sdes			printf(" log logamount %d", logptr->max_log);
60573Skris		else
92559Sdes			printf(" log");
124207Sdes	}
60573Skris
60573Skris	/*
57429Smarkm	 * then print the body.
204917Sdes	 */
204917Sdes	if (rule->_pad & 1) {	/* empty rules before options */
204917Sdes		if (!do_compact)
215116Sdes			printf(" ip from any to any");
204917Sdes		flags |= HAVE_IP | HAVE_OPTIONS;
204917Sdes	}
204917Sdes
204917Sdes	if (comment_only)
204917Sdes		comment = "...";
204917Sdes
204917Sdes        for (l = rule->act_ofs, cmd = rule->cmd ;
204917Sdes			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
204917Sdes		/* useful alias */
204917Sdes		ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
204917Sdes
204917Sdes		if (comment_only) {
204917Sdes			if (cmd->opcode != O_NOP)
204917Sdes				continue;
204917Sdes			printf(" // %s\n", (char *)(cmd + 1));
204917Sdes			return;
204917Sdes		}
204917Sdes
76262Sgreen		show_prerequisites(&flags, 0, cmd->opcode);
162856Sdes
92559Sdes		switch(cmd->opcode) {
162856Sdes		case O_PROB:
76262Sgreen			break;	/* done already */
106130Sdes
192595Sdes		case O_PROBE_STATE:
92559Sdes			break; /* no need to print anything here */
76262Sgreen
76262Sgreen		case O_MACADDR2: {
76262Sgreen			ipfw_insn_mac *m = (ipfw_insn_mac *)cmd;
76262Sgreen
76262Sgreen			if ((cmd->len & F_OR) && !or_block)
76262Sgreen				printf(" {");
76262Sgreen			if (cmd->len & F_NOT)
76262Sgreen				printf(" not");
76262Sgreen			printf(" MAC");
76262Sgreen			flags |= HAVE_MAC;
76262Sgreen			print_mac(m->addr, m->mask);
76262Sgreen			print_mac(m->addr + 6, m->mask + 6);
76262Sgreen			}
76262Sgreen			break;
192595Sdes
192595Sdes		case O_MAC_TYPE:
192595Sdes			if ((cmd->len & F_OR) && !or_block)
192595Sdes				printf(" {");
192595Sdes			print_newports((ipfw_insn_u16 *)cmd, IPPROTO_ETHERTYPE,
192595Sdes				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
192595Sdes			flags |= HAVE_MAC | HAVE_MACTYPE | HAVE_OPTIONS;
192595Sdes			break;
192595Sdes
76262Sgreen		case O_IP_SRC:
76262Sgreen		case O_IP_SRC_MASK:
192595Sdes		case O_IP_SRC_ME:
192595Sdes		case O_IP_SRC_SET:
192595Sdes			show_prerequisites(&flags, HAVE_PROTO, 0);
76262Sgreen			if (!(flags & HAVE_SRCIP))
76262Sgreen				printf(" from");
76262Sgreen			if ((cmd->len & F_OR) && !or_block)
76262Sgreen				printf(" {");
76262Sgreen			print_ip((ipfw_insn_ip *)cmd,
76262Sgreen				(flags & HAVE_OPTIONS) ? " src-ip" : "");
76262Sgreen			flags |= HAVE_SRCIP;
76262Sgreen			break;
192595Sdes
76262Sgreen		case O_IP_DST:
76262Sgreen		case O_IP_DST_MASK:
76262Sgreen		case O_IP_DST_ME:
76262Sgreen		case O_IP_DST_SET:
76262Sgreen			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
76262Sgreen			if (!(flags & HAVE_DSTIP))
76262Sgreen				printf(" to");
76262Sgreen			if ((cmd->len & F_OR) && !or_block)
76262Sgreen				printf(" {");
192595Sdes			print_ip((ipfw_insn_ip *)cmd,
76262Sgreen				(flags & HAVE_OPTIONS) ? " dst-ip" : "");
76262Sgreen			flags |= HAVE_DSTIP;
76262Sgreen			break;
76262Sgreen
76262Sgreen		case O_IP_DSTPORT:
76262Sgreen			show_prerequisites(&flags, HAVE_IP, 0);
192595Sdes		case O_IP_SRCPORT:
192595Sdes			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
192595Sdes			if ((cmd->len & F_OR) && !or_block)
192595Sdes				printf(" {");
192595Sdes			print_newports((ipfw_insn_u16 *)cmd, proto,
192595Sdes				(flags & HAVE_OPTIONS) ? cmd->opcode : 0);
192595Sdes			break;
192595Sdes
192595Sdes		case O_PROTO: {
192595Sdes			struct protoent *pe;
192595Sdes
192595Sdes			if ((cmd->len & F_OR) && !or_block)
192595Sdes				printf(" {");
192595Sdes			if (cmd->len & F_NOT)
192595Sdes				printf(" not");
192595Sdes			proto = cmd->arg1;
192595Sdes			pe = getprotobynumber(cmd->arg1);
192595Sdes			if (flags & HAVE_OPTIONS)
192595Sdes				printf(" proto");
192595Sdes			if (pe)
192595Sdes				printf(" %s", pe->p_name);
192595Sdes			else
192595Sdes				printf(" %u", cmd->arg1);
192595Sdes			}
192595Sdes			flags |= HAVE_PROTO;
76262Sgreen			break;
92559Sdes
124207Sdes		default: /*options ... */
192595Sdes			show_prerequisites(&flags, HAVE_IP | HAVE_OPTIONS, 0);
76262Sgreen			if ((cmd->len & F_OR) && !or_block)
76262Sgreen				printf(" {");
192595Sdes			if (cmd->len & F_NOT && cmd->opcode != O_IN)
192595Sdes				printf(" not");
76262Sgreen			switch(cmd->opcode) {
76262Sgreen			case O_FRAG:
76262Sgreen				printf(" frag");
76262Sgreen				break;
76262Sgreen
76262Sgreen			case O_IN:
162856Sdes				printf(cmd->len & F_NOT ? " out" : " in");
76262Sgreen				break;
76262Sgreen
76262Sgreen			case O_LAYER2:
124207Sdes				printf(" layer2");
124207Sdes				break;
124207Sdes			case O_XMIT:
124207Sdes			case O_RECV:
124207Sdes			case O_VIA: {
124207Sdes				char const *s;
124207Sdes				ipfw_insn_if *cmdif = (ipfw_insn_if *)cmd;
124207Sdes
124207Sdes				if (cmd->opcode == O_XMIT)
162856Sdes					s = "xmit";
124207Sdes				else if (cmd->opcode == O_RECV)
162856Sdes					s = "recv";
124207Sdes				else /* if (cmd->opcode == O_VIA) */
124207Sdes					s = "via";
124207Sdes				if (cmdif->name[0] == '\0')
124207Sdes					printf(" %s %s", s,
124207Sdes					    inet_ntoa(cmdif->p.ip));
124207Sdes				printf(" %s %s", s, cmdif->name);
124207Sdes				}
124207Sdes				break;
192595Sdes
162856Sdes			case O_IPID:
124207Sdes				if (F_LEN(cmd) == 1)
124207Sdes				    printf(" ipid %u", cmd->arg1 );
124207Sdes				else
124207Sdes				    print_newports((ipfw_insn_u16 *)cmd, 0,
124207Sdes					O_IPID);
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPTTL:
126273Sdes				if (F_LEN(cmd) == 1)
124207Sdes				    printf(" ipttl %u", cmd->arg1 );
124207Sdes				else
124207Sdes				    print_newports((ipfw_insn_u16 *)cmd, 0,
124207Sdes					O_IPTTL);
124207Sdes				break;
181111Sdes
162856Sdes			case O_IPVER:
124207Sdes				printf(" ipver %u", cmd->arg1 );
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPPRECEDENCE:
124207Sdes				printf(" ipprecedence %u", (cmd->arg1) >> 5 );
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPLEN:
124207Sdes				if (F_LEN(cmd) == 1)
124207Sdes				    printf(" iplen %u", cmd->arg1 );
124207Sdes				else
124207Sdes				    print_newports((ipfw_insn_u16 *)cmd, 0,
124207Sdes					O_IPLEN);
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPOPT:
124207Sdes				print_flags("ipoptions", cmd, f_ipopts);
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPTOS:
162856Sdes				print_flags("iptos", cmd, f_iptos);
124207Sdes				break;
124207Sdes
124207Sdes			case O_ICMPTYPE:
124207Sdes				print_icmptypes((ipfw_insn_u32 *)cmd);
124207Sdes				break;
124207Sdes
147005Sdes			case O_ESTAB:
124207Sdes				printf(" established");
124207Sdes				break;
124207Sdes
124207Sdes			case O_TCPFLAGS:
124207Sdes				print_flags("tcpflags", cmd, f_tcpflags);
124207Sdes				break;
124207Sdes
124207Sdes			case O_TCPOPTS:
124207Sdes				print_flags("tcpoptions", cmd, f_tcpopts);
124207Sdes				break;
124207Sdes
124207Sdes			case O_TCPWIN:
124207Sdes				printf(" tcpwin %d", ntohs(cmd->arg1));
124207Sdes				break;
124207Sdes
124207Sdes			case O_TCPACK:
162856Sdes				printf(" tcpack %d", ntohl(cmd32->d[0]));
162856Sdes				break;
162856Sdes
162856Sdes			case O_TCPSEQ:
124207Sdes				printf(" tcpseq %d", ntohl(cmd32->d[0]));
124207Sdes				break;
124207Sdes
124207Sdes			case O_UID:
124207Sdes			    {
124207Sdes				struct passwd *pwd = getpwuid(cmd32->d[0]);
124207Sdes
192595Sdes				if (pwd)
192595Sdes					printf(" uid %s", pwd->pw_name);
192595Sdes				else
192595Sdes					printf(" uid %u", cmd32->d[0]);
192595Sdes			    }
192595Sdes				break;
192595Sdes
192595Sdes			case O_GID:
192595Sdes			    {
192595Sdes				struct group *grp = getgrgid(cmd32->d[0]);
192595Sdes
192595Sdes				if (grp)
192595Sdes					printf(" gid %s", grp->gr_name);
192595Sdes				else
192595Sdes					printf(" gid %u", cmd32->d[0]);
192595Sdes			    }
124207Sdes				break;
126273Sdes
124207Sdes			case O_VERREVPATH:
124207Sdes				printf(" verrevpath");
124207Sdes				break;
124207Sdes
124207Sdes			case O_VERSRCREACH:
124207Sdes				printf(" versrcreach");
124207Sdes				break;
124207Sdes
124207Sdes			case O_IPSEC:
124207Sdes				printf(" ipsec");
162856Sdes				break;
162856Sdes
162856Sdes			case O_NOP:
124207Sdes				comment = (char *)(cmd + 1);
124207Sdes				break;
124207Sdes
204917Sdes			case O_KEEP_STATE:
204917Sdes				printf(" keep-state");
204917Sdes				break;
204917Sdes
204917Sdes			case O_LIMIT:
204917Sdes			    {
204917Sdes				struct _s_x *p = limit_masks;
204917Sdes				ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
204917Sdes				uint8_t x = c->limit_mask;
204917Sdes				char const *comma = " ";
204917Sdes
204917Sdes				printf(" limit");
204917Sdes				for (; p->x != 0 ; p++)
204917Sdes					if ((x & p->x) == p->x) {
204917Sdes						x &= ~p->x;
204917Sdes						printf("%s%s", comma, p->s);
204917Sdes						comma = ",";
204917Sdes					}
204917Sdes				printf(" %d", c->conn_limit);
204917Sdes			    }
204917Sdes				break;
204917Sdes
204917Sdes			default:
204917Sdes				printf(" [opcode %d len %d]",
76262Sgreen				    cmd->opcode, cmd->len);
92559Sdes			}
162856Sdes		}
76262Sgreen		if (cmd->len & F_OR) {
76262Sgreen			printf(" or");
149753Sdes			or_block = 1;
149753Sdes		} else if (or_block) {
76262Sgreen			printf(" }");
76262Sgreen			or_block = 0;
76262Sgreen		}
76262Sgreen	}
76262Sgreen	show_prerequisites(&flags, HAVE_IP, 0);
124207Sdes	if (comment)
76262Sgreen		printf(" // %s", comment);
76262Sgreen	printf("\n");
76262Sgreen}
76262Sgreen
76262Sgreenstatic void
76262Sgreenshow_dyn_ipfw(ipfw_dyn_rule *d, int pcwidth, int bcwidth)
76262Sgreen{
76262Sgreen	struct protoent *pe;
76262Sgreen	struct in_addr a;
76262Sgreen	uint16_t rulenum;
124207Sdes
124207Sdes	if (!do_expired) {
124207Sdes		if (!d->expire && !(d->dyn_type == O_LIMIT_PARENT))
76262Sgreen			return;
76262Sgreen	}
76262Sgreen	bcopy(&d->rule, &rulenum, sizeof(rulenum));
76262Sgreen	printf("%05d", rulenum);
76262Sgreen	if (pcwidth>0 || bcwidth>0)
92559Sdes	    printf(" %*llu %*llu (%ds)", pcwidth,
76262Sgreen		align_uint64(&d->pcnt), bcwidth,
76262Sgreen		align_uint64(&d->bcnt), d->expire);
76262Sgreen	switch (d->dyn_type) {
76262Sgreen	case O_LIMIT_PARENT:
76262Sgreen		printf(" PARENT %d", d->count);
76262Sgreen		break;
76262Sgreen	case O_LIMIT:
76262Sgreen		printf(" LIMIT");
76262Sgreen		break;
76262Sgreen	case O_KEEP_STATE: /* bidir, no mask */
76262Sgreen		printf(" STATE");
60573Skris		break;
162856Sdes	}
92559Sdes
162856Sdes	if ((pe = getprotobynumber(d->id.proto)) != NULL)
60573Skris		printf(" %s", pe->p_name);
92559Sdes	else
181111Sdes		printf(" proto %u", d->id.proto);
92559Sdes
60573Skris	a.s_addr = htonl(d->id.src_ip);
76262Sgreen	printf(" %s %d", inet_ntoa(a), d->id.src_port);
60573Skris
57429Smarkm	a.s_addr = htonl(d->id.dst_ip);
60573Skris	printf(" <-> %s %d", inet_ntoa(a), d->id.dst_port);
60573Skris	printf("\n");
60573Skris}
181111Sdes
92559Sdesstatic int
124207Sdessort_q(const void *pa, const void *pb)
92559Sdes{
92559Sdes	int rev = (do_sort < 0);
92559Sdes	int field = rev ? -do_sort : do_sort;
60573Skris	long long res = 0;
60573Skris	const struct dn_flow_queue *a = pa;
60573Skris	const struct dn_flow_queue *b = pb;
60573Skris
92559Sdes	switch (field) {
76262Sgreen	case 1: /* pkts */
60573Skris		res = a->len - b->len;
60573Skris		break;
76262Sgreen	case 2: /* bytes */
57429Smarkm		res = a->len_bytes - b->len_bytes;
92559Sdes		break;
60573Skris
124207Sdes	case 3: /* tot pkts */
60573Skris		res = a->tot_pkts - b->tot_pkts;
60573Skris		break;
60573Skris
92559Sdes	case 4: /* tot bytes */
92559Sdes		res = a->tot_bytes - b->tot_bytes;
92559Sdes		break;
76262Sgreen	}
76262Sgreen	if (res < 0)
60573Skris		res = -1;
124207Sdes	if (res > 0)
57429Smarkm		res = 1;
60573Skris	return (int)(rev ? res : -res);
57429Smarkm}
60573Skris
60573Skrisstatic void
60573Skrislist_queues(struct dn_flow_set *fs, struct dn_flow_queue *q)
92559Sdes{
92559Sdes	int l;
92559Sdes
92559Sdes	printf("    mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n",
60573Skris	    fs->flow_mask.proto,
57429Smarkm	    fs->flow_mask.src_ip, fs->flow_mask.src_port,
76262Sgreen	    fs->flow_mask.dst_ip, fs->flow_mask.dst_port);
57429Smarkm	if (fs->rq_elements == 0)
57429Smarkm		return;
57429Smarkm
92559Sdes	printf("BKT Prot ___Source IP/port____ "
76262Sgreen	    "____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n");
76262Sgreen	if (do_sort != 0)
76262Sgreen		heapsort(q, fs->rq_elements, sizeof *q, sort_q);
76262Sgreen	for (l = 0; l < fs->rq_elements; l++) {
76262Sgreen		struct in_addr ina;
149753Sdes		struct protoent *pe;
76262Sgreen
204917Sdes		ina.s_addr = htonl(q[l].id.src_ip);
204917Sdes		printf("%3d ", q[l].hash_slot);
204917Sdes		pe = getprotobynumber(q[l].id.proto);
204917Sdes		if (pe)
204917Sdes			printf("%-4s ", pe->p_name);
204917Sdes		else
204917Sdes			printf("%4u ", q[l].id.proto);
76262Sgreen		printf("%15s/%-5d ",
76262Sgreen		    inet_ntoa(ina), q[l].id.src_port);
76262Sgreen		ina.s_addr = htonl(q[l].id.dst_ip);
76262Sgreen		printf("%15s/%-5d ",
76262Sgreen		    inet_ntoa(ina), q[l].id.dst_port);
76262Sgreen		printf("%4qu %8qu %2u %4u %3u\n",
76262Sgreen		    q[l].tot_pkts, q[l].tot_bytes,
76262Sgreen		    q[l].len, q[l].len_bytes, q[l].drops);
76262Sgreen		if (verbose)
76262Sgreen			printf("   S %20qd  F %20qd\n",
76262Sgreen			    q[l].S, q[l].F);
76262Sgreen	}
76262Sgreen}
76262Sgreen
76262Sgreenstatic void
76262Sgreenprint_flowset_parms(struct dn_flow_set *fs, char *prefix)
76262Sgreen{
76262Sgreen	int l;
76262Sgreen	char qs[30];
76262Sgreen	char plr[30];
76262Sgreen	char red[90];	/* Display RED parameters */
76262Sgreen
76262Sgreen	l = fs->qsize;
76262Sgreen	if (fs->flags_fs & DN_QSIZE_IS_BYTES) {
76262Sgreen		if (l >= 8192)
76262Sgreen			sprintf(qs, "%d KB", l / 1024);
76262Sgreen		else
76262Sgreen			sprintf(qs, "%d B", l);
149753Sdes	} else
76262Sgreen		sprintf(qs, "%3d sl.", l);
76262Sgreen	if (fs->plr)
76262Sgreen		sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff));
76262Sgreen	else
76262Sgreen		plr[0] = '\0';
76262Sgreen	if (fs->flags_fs & DN_IS_RED)	/* RED parameters */
92559Sdes		sprintf(red,
92559Sdes		    "\n\t  %cRED w_q %f min_th %d max_th %d max_p %f",
76262Sgreen		    (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ',
76262Sgreen		    1.0 * fs->w_q / (double)(1 << SCALE_RED),
76262Sgreen		    SCALE_VAL(fs->min_th),
76262Sgreen		    SCALE_VAL(fs->max_th),
76262Sgreen		    1.0 * fs->max_p / (double)(1 << SCALE_RED));
76262Sgreen	else
157019Sdes		sprintf(red, "droptail");
157019Sdes
157019Sdes	printf("%s %s%s %d queues (%d buckets) %s\n",
157019Sdes	    prefix, qs, plr, fs->rq_elements, fs->rq_size, red);
157019Sdes}
157019Sdes
157019Sdesstatic void
157019Sdeslist_pipes(void *data, uint nbytes, int ac, char *av[])
157019Sdes{
157019Sdes	int rulenum;
157019Sdes	void *next = data;
157019Sdes	struct dn_pipe *p = (struct dn_pipe *) data;
157019Sdes	struct dn_flow_set *fs;
57429Smarkm	struct dn_flow_queue *q;
60573Skris	int l;
57429Smarkm
162856Sdes	if (ac > 0)
92559Sdes		rulenum = strtoul(*av++, NULL, 10);
162856Sdes	else
57429Smarkm		rulenum = 0;
76262Sgreen	for (; nbytes >= sizeof *p; p = (struct dn_pipe *)next) {
181111Sdes		double b = p->bandwidth;
92559Sdes		char buf[30];
57429Smarkm		char prefix[80];
76262Sgreen
57429Smarkm		if (p->next != (struct dn_pipe *)DN_IS_PIPE)
60573Skris			break;	/* done with pipes, now queues */
60573Skris
60573Skris		/*
60573Skris		 * compute length, as pipe have variable size
76262Sgreen		 */
92559Sdes		l = sizeof(*p) + p->fs.rq_elements * sizeof(*q);
92559Sdes		next = (char *)p + l;
92559Sdes		nbytes -= l;
92559Sdes
92559Sdes		if (rulenum != 0 && rulenum != p->pipe_nr)
92559Sdes			continue;
92559Sdes
92559Sdes		/*
92559Sdes		 * Print rate (or clocking interface)
92559Sdes		 */
92559Sdes		if (p->if_name[0] != '\0')
92559Sdes			sprintf(buf, "%s", p->if_name);
76262Sgreen		else if (b == 0)
60573Skris			sprintf(buf, "unlimited");
181111Sdes		else if (b >= 1000000)
60573Skris			sprintf(buf, "%7.3f Mbit/s", b/1000000);
60573Skris		else if (b >= 1000)
60573Skris			sprintf(buf, "%7.3f Kbit/s", b/1000);
60573Skris		else
92559Sdes			sprintf(buf, "%7.3f bit/s ", b);
124207Sdes
124207Sdes		sprintf(prefix, "%05d: %s %4d ms ",
76262Sgreen		    p->pipe_nr, buf, p->delay);
76262Sgreen		print_flowset_parms(&(p->fs), prefix);
192595Sdes		if (verbose)
192595Sdes			printf("   V %20qd\n", p->V >> MY_M);
76262Sgreen
204917Sdes		q = (struct dn_flow_queue *)(p+1);
76262Sgreen		list_queues(&(p->fs), q);
60573Skris	}
60573Skris	for (fs = next; nbytes >= sizeof *fs; fs = next) {
57429Smarkm		char prefix[80];
60573Skris
60573Skris		if (fs->next != (struct dn_flow_set *)DN_IS_QUEUE)
60573Skris			break;
60573Skris		l = sizeof(*fs) + fs->rq_elements * sizeof(*q);
162856Sdes		next = (char *)fs + l;
92559Sdes		nbytes -= l;
162856Sdes		q = (struct dn_flow_queue *)(fs+1);
60573Skris		sprintf(prefix, "q%05d: weight %d pipe %d ",
92559Sdes		    fs->fs_nr, fs->weight, fs->parent_nr);
92559Sdes		print_flowset_parms(fs, prefix);
181111Sdes		list_queues(fs, q);
60573Skris	}
57429Smarkm}
60573Skris
60573Skris/*
181111Sdes * This one handles all set-related commands
60573Skris * 	ipfw set { show | enable | disable }
60573Skris * 	ipfw set swap X Y
60573Skris * 	ipfw set move X to Y
60573Skris * 	ipfw set move rule X to Y
92559Sdes */
76262Sgreenstatic void
76262Sgreensets_handler(int ac, char *av[])
124207Sdes{
76262Sgreen	uint32_t set_disable, masks[2];
76262Sgreen	int i, nbytes;
76262Sgreen	uint16_t rulenum;
92559Sdes	uint8_t cmd, new_set;
76262Sgreen
76262Sgreen	ac--;
76262Sgreen	av++;
76262Sgreen
92559Sdes	if (!ac)
76262Sgreen		errx(EX_USAGE, "set needs command");
60573Skris	if (!strncmp(*av, "show", strlen(*av)) ) {
60573Skris		void *data;
60573Skris		char const *msg;
57429Smarkm
162856Sdes		nbytes = sizeof(struct ip_fw);
92559Sdes		if ((data = calloc(1, nbytes)) == NULL)
162856Sdes			err(EX_OSERR, "calloc");
76262Sgreen		if (do_cmd(IP_FW_GET, data, (uintptr_t)&nbytes) < 0)
181111Sdes			err(EX_OSERR, "getsockopt(IP_FW_GET)");
92559Sdes		bcopy(&((struct ip_fw *)data)->next_rule,
92559Sdes			&set_disable, sizeof(set_disable));
76262Sgreen
92559Sdes		for (i = 0, msg = "disable" ; i < RESVD_SET; i++)
92559Sdes			if ((set_disable & (1<<i))) {
92559Sdes				printf("%s %d", msg, i);
92559Sdes				msg = "";
92559Sdes			}
181111Sdes		msg = (set_disable) ? " enable" : "enable";
181111Sdes		for (i = 0; i < RESVD_SET; i++)
181111Sdes			if (!(set_disable & (1<<i))) {
92559Sdes				printf("%s %d", msg, i);
92559Sdes				msg = "";
92559Sdes			}
92559Sdes		printf("\n");
92559Sdes	} else if (!strncmp(*av, "swap", strlen(*av))) {
92559Sdes		ac--; av++;
92559Sdes		if (ac != 2)
92559Sdes			errx(EX_USAGE, "set swap needs 2 set numbers\n");
92559Sdes		rulenum = atoi(av[0]);
92559Sdes		new_set = atoi(av[1]);
92559Sdes		if (!isdigit(*(av[0])) || rulenum > RESVD_SET)
92559Sdes			errx(EX_DATAERR, "invalid set number %s\n", av[0]);
76262Sgreen		if (!isdigit(*(av[1])) || new_set > RESVD_SET)
181111Sdes			errx(EX_DATAERR, "invalid set number %s\n", av[1]);
92559Sdes		masks[0] = (4 << 24) | (new_set << 16) | (rulenum);
181111Sdes		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
181111Sdes	} else if (!strncmp(*av, "move", strlen(*av))) {
181111Sdes		ac--; av++;
181111Sdes		if (ac && !strncmp(*av, "rule", strlen(*av))) {
181111Sdes			cmd = 2;
181111Sdes			ac--; av++;
181111Sdes		} else
181111Sdes			cmd = 3;
181111Sdes		if (ac != 3 || strncmp(av[1], "to", strlen(*av)))
181111Sdes			errx(EX_USAGE, "syntax: set move [rule] X to Y\n");
181111Sdes		rulenum = atoi(av[0]);
92559Sdes		new_set = atoi(av[2]);
92559Sdes		if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > RESVD_SET) ||
92559Sdes			(cmd == 2 && rulenum == 65535) )
92559Sdes			errx(EX_DATAERR, "invalid source number %s\n", av[0]);
92559Sdes		if (!isdigit(*(av[2])) || new_set > RESVD_SET)
92559Sdes			errx(EX_DATAERR, "invalid dest. set %s\n", av[1]);
92559Sdes		masks[0] = (cmd << 24) | (new_set << 16) | (rulenum);
92559Sdes		i = do_cmd(IP_FW_DEL, masks, sizeof(uint32_t));
76262Sgreen	} else if (!strncmp(*av, "disable", strlen(*av)) ||
92559Sdes		   !strncmp(*av, "enable",  strlen(*av)) ) {
92559Sdes		int which = !strncmp(*av, "enable",  strlen(*av)) ? 1 : 0;
76262Sgreen
92559Sdes		ac--; av++;
76262Sgreen		masks[0] = masks[1] = 0;
92559Sdes
76262Sgreen		while (ac) {
76262Sgreen			if (isdigit(**av)) {
76262Sgreen				i = atoi(*av);
162856Sdes				if (i < 0 || i > RESVD_SET)
92559Sdes					errx(EX_DATAERR,
162856Sdes					    "invalid set number %d\n", i);
60573Skris				masks[which] |= (1<<i);
147005Sdes			} else if (!strncmp(*av, "disable", strlen(*av)))
181111Sdes				which = 0;
57429Smarkm			else if (!strncmp(*av, "enable", strlen(*av)))
181111Sdes				which = 1;
181111Sdes			else
162856Sdes				errx(EX_DATAERR,
60573Skris					"invalid set command %s\n", *av);
181111Sdes			av++; ac--;
181111Sdes		}
60573Skris		if ( (masks[0] & masks[1]) != 0 )
162856Sdes			errx(EX_DATAERR,
78827Sgreen			    "cannot enable and disable the same set\n");
162856Sdes
162856Sdes		i = do_cmd(IP_FW_DEL, masks, sizeof(masks));
162856Sdes		if (i)
162856Sdes			warn("set enable/disable: setsockopt(IP_FW_DEL)");
124207Sdes	} else
60573Skris		errx(EX_USAGE, "invalid set command %s\n", *av);
76262Sgreen}
124207Sdes
92559Sdesstatic void
76262Sgreensysctl_handler(int ac, char *av[], int which)
76262Sgreen{
92559Sdes	ac--;
60573Skris	av++;
124207Sdes
60573Skris	if (ac == 0) {
60573Skris		warnx("missing keyword to enable/disable\n");
57429Smarkm	} else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
60573Skris		sysctlbyname("net.inet.ip.fw.enable", NULL, 0,
60573Skris		    &which, sizeof(which));
92559Sdes	} else if (strncmp(*av, "one_pass", strlen(*av)) == 0) {
65668Skris		sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0,
124207Sdes		    &which, sizeof(which));
65668Skris	} else if (strncmp(*av, "debug", strlen(*av)) == 0) {
65668Skris		sysctlbyname("net.inet.ip.fw.debug", NULL, 0,
157019Sdes		    &which, sizeof(which));
157019Sdes	} else if (strncmp(*av, "verbose", strlen(*av)) == 0) {
65668Skris		sysctlbyname("net.inet.ip.fw.verbose", NULL, 0,
65668Skris		    &which, sizeof(which));
65668Skris	} else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) {
60573Skris		sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0,
60573Skris		    &which, sizeof(which));
60573Skris	} else {
162856Sdes		warnx("unrecognize enable/disable keyword: %s\n", *av);
162856Sdes	}
92559Sdes}
162856Sdes
60573Skrisstatic void
76262Sgreenlist(int ac, char *av[], int show_counters)
157019Sdes{
215116Sdes	struct ip_fw *r;
60573Skris	ipfw_dyn_rule *dynrules, *d;
60573Skris
60573Skris#define NEXT(r)	((struct ip_fw *)((char *)r + RULESIZE(r)))
60573Skris	char *lim;
60573Skris	void *data = NULL;
60573Skris	int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width;
215116Sdes	int exitval = EX_OK;
157019Sdes	int lac;
157019Sdes	char **lav;
157019Sdes	u_long rnum, last;
157019Sdes	char *endptr;
157019Sdes	int seen = 0;
157019Sdes
157019Sdes	const int ocmd = do_pipe ? IP_DUMMYNET_GET : IP_FW_GET;
157019Sdes	int nalloc = 1024;	/* start somewhere... */
157019Sdes
157019Sdes	if (test_only) {
157019Sdes		fprintf(stderr, "Testing only, list disabled\n");
157019Sdes		return;
157019Sdes	}
157019Sdes
157019Sdes	ac--;
157019Sdes	av++;
157019Sdes
157019Sdes	/* get rules or pipes from kernel, resizing array as necessary */
157019Sdes	nbytes = nalloc;
157019Sdes
181111Sdes	while (nbytes >= nalloc) {
181111Sdes		nalloc = nalloc * 2 + 200;
157019Sdes		nbytes = nalloc;
157019Sdes		if ((data = realloc(data, nbytes)) == NULL)
157019Sdes			err(EX_OSERR, "realloc");
157019Sdes		if (do_cmd(ocmd, data, (uintptr_t)&nbytes) < 0)
157019Sdes			err(EX_OSERR, "getsockopt(IP_%s_GET)",
157019Sdes				do_pipe ? "DUMMYNET" : "FW");
157019Sdes	}
157019Sdes
215116Sdes	if (do_pipe) {
157019Sdes		list_pipes(data, nbytes, ac, av);
106130Sdes		goto done;
126273Sdes	}
126273Sdes
126273Sdes	/*
106130Sdes	 * Count static rules. They have variable size so we
157019Sdes	 * need to scan the list to count them.
157019Sdes	 */
181111Sdes	for (nstat = 1, r = data, lim = (char *)data + nbytes;
181111Sdes		    r->rulenum < 65535 && (char *)r < lim;
60573Skris		    ++nstat, r = NEXT(r) )
60573Skris		; /* nothing */
76262Sgreen
124207Sdes	/*
92559Sdes	 * Count dynamic rules. This is easier as they have
76262Sgreen	 * fixed size.
76262Sgreen	 */
92559Sdes	r = NEXT(r);
124207Sdes	dynrules = (ipfw_dyn_rule *)r ;
60573Skris	n = (char *)r - (char *)data;
60573Skris	ndyn = (nbytes - n) / sizeof *dynrules;
60573Skris
57429Smarkm	/* if showing stats, figure out column widths ahead of time */
60573Skris	bcwidth = pcwidth = 0;
60573Skris	if (show_counters) {
197679Sdes		for (n = 0, r = data; n < nstat; n++, r = NEXT(r)) {
157019Sdes			/* packet counter */
74500Sgreen			width = snprintf(NULL, 0, "%llu",
74500Sgreen			    align_uint64(&r->pcnt));
74500Sgreen			if (width > pcwidth)
74500Sgreen				pcwidth = width;
76262Sgreen
76262Sgreen			/* byte counter */
157019Sdes			width = snprintf(NULL, 0, "%llu",
74500Sgreen			    align_uint64(&r->bcnt));
76262Sgreen			if (width > bcwidth)
74500Sgreen				bcwidth = width;
74500Sgreen		}
74500Sgreen	}
197679Sdes	if (do_dynamic && ndyn) {
60573Skris		for (n = 0, d = dynrules; n < ndyn; n++, d++) {
60573Skris			width = snprintf(NULL, 0, "%llu",
215116Sdes			    align_uint64(&d->pcnt));
215116Sdes			if (width > pcwidth)
215116Sdes				pcwidth = width;
60573Skris
60573Skris			width = snprintf(NULL, 0, "%llu",
162856Sdes			    align_uint64(&d->bcnt));
92559Sdes			if (width > bcwidth)
162856Sdes				bcwidth = width;
60573Skris		}
147005Sdes	}
60573Skris	/* if no rule numbers were specified, list all rules */
57429Smarkm	if (ac == 0) {
60573Skris		for (n = 0, r = data; n < nstat; n++, r = NEXT(r) )
60573Skris			show_ipfw(r, pcwidth, bcwidth);
60573Skris
60573Skris		if (do_dynamic && ndyn) {
60573Skris			printf("## Dynamic rules (%d):\n", ndyn);
60573Skris			for (n = 0, d = dynrules; n < ndyn; n++, d++)
60573Skris				show_dyn_ipfw(d, pcwidth, bcwidth);
69587Sgreen		}
60573Skris		goto done;
181111Sdes	}
181111Sdes
76262Sgreen	/* display specific rules requested on command line */
76262Sgreen
76262Sgreen	for (lac = ac, lav = av; lac != 0; lac--) {
76262Sgreen		/* convert command line rule # */
92559Sdes		last = rnum = strtoul(*lav++, &endptr, 10);
76262Sgreen		if (*endptr == '-')
60573Skris			last = strtoul(endptr+1, &endptr, 10);
60573Skris		if (*endptr) {
57429Smarkm			exitval = EX_USAGE;
215116Sdes			warnx("invalid rule number: %s", *(lav - 1));
215116Sdes			continue;
215116Sdes		}
181111Sdes		for (n = seen = 0, r = data; n < nstat; n++, r = NEXT(r) ) {
60573Skris			if (r->rulenum > last)
69587Sgreen				break;
92559Sdes			if (r->rulenum >= rnum && r->rulenum <= last) {
181111Sdes				show_ipfw(r, pcwidth, bcwidth);
181111Sdes				seen = 1;
76262Sgreen			}
76262Sgreen		}
76262Sgreen		if (!seen) {
60573Skris			/* give precedence to other error(s) */
92559Sdes			if (exitval == EX_OK)
76262Sgreen				exitval = EX_UNAVAILABLE;
215116Sdes			warnx("rule %lu does not exist", rnum);
215116Sdes		}
215116Sdes	}
215116Sdes
215116Sdes	if (do_dynamic && ndyn) {
76262Sgreen		printf("## Dynamic rules:\n");
60573Skris		for (lac = ac, lav = av; lac != 0; lac--) {
60573Skris			rnum = strtoul(*lav++, &endptr, 10);
60573Skris			if (*endptr == '-')
60573Skris				last = strtoul(endptr+1, &endptr, 10);
162856Sdes			if (*endptr)
92559Sdes				/* already warned */
76262Sgreen				continue;
60573Skris			for (n = 0, d = dynrules; n < ndyn; n++, d++) {
76262Sgreen				uint16_t rulenum;
76262Sgreen
181111Sdes				bcopy(&d->rule, &rulenum, sizeof(rulenum));
181111Sdes				if (rulenum > rnum)
181111Sdes					break;
60573Skris				if (r->rulenum >= rnum && r->rulenum <= last)
224638Sbrooks					show_dyn_ipfw(d, pcwidth, bcwidth);
224638Sbrooks			}
224638Sbrooks		}
224638Sbrooks	}
224638Sbrooks
224638Sbrooks	ac = 0;
224638Sbrooks
224638Sbrooksdone:
224638Sbrooks	free(data);
224638Sbrooks
224638Sbrooks	if (exitval != EX_OK)
60573Skris		exit(exitval);
60573Skris#undef NEXT
224638Sbrooks}
60573Skris
69587Sgreenstatic void
60573Skrisshow_usage(void)
60573Skris{
224638Sbrooks	fprintf(stderr, "usage: ipfw [options]\n"
60573Skris"do \"ipfw -h\" or see ipfw manpage for details\n"
60573Skris);
60573Skris	exit(EX_USAGE);
60573Skris}
57429Smarkm
92559Sdesstatic void
162856Sdeshelp(void)
60573Skris{
60573Skris	fprintf(stderr,
60573Skris"ipfw syntax summary (but please do read the ipfw(8) manpage):\n"
92559Sdes"ipfw [-abcdefhnNqStTv] <command> where <command> is one of:\n"
92559Sdes"add [num] [set N] [prob x] RULE-BODY\n"
60573Skris"{pipe|queue} N config PIPE-BODY\n"
76262Sgreen"[pipe|queue] {zero|delete|show} [N{,N}]\n"
60573Skris"set [disable N... enable N...] | move [rule] X to Y | swap X Y | show\n"
60573Skris"\n"
204917Sdes"RULE-BODY:	check-state [LOG] | ACTION [LOG] ADDR [OPTION_LIST]\n"
204917Sdes"ACTION:	check-state | allow | count | deny | reject | skipto N |\n"
204917Sdes"		{divert|tee} PORT | forward ADDR | pipe N | queue N\n"
204917Sdes"ADDR:		[ MAC dst src ether_type ] \n"
204917Sdes"		[ from IPADDR [ PORT ] to IPADDR [ PORTLIST ] ]\n"
204917Sdes"IPADDR:	[not] { any | me | ip/bits{x,y,z} | IPLIST }\n"
204917Sdes"IPLIST:	{ ip | ip/bits | ip:mask }[,IPLIST]\n"
204917Sdes"OPTION_LIST:	OPTION [OPTION_LIST]\n"
204917Sdes"OPTION:	bridged | {dst-ip|src-ip} ADDR | {dst-port|src-port} LIST |\n"
204917Sdes"	estab | frag | {gid|uid} N | icmptypes LIST | in | out | ipid LIST |\n"
204917Sdes"	iplen LIST | ipoptions SPEC | ipprecedence | ipsec | iptos SPEC |\n"
204917Sdes"	ipttl LIST | ipversion VER | keep-state | layer2 | limit ... |\n"
204917Sdes"	mac ... | mac-type LIST | proto LIST | {recv|xmit|via} {IF|IPADDR} |\n"
204917Sdes"	setup | {tcpack|tcpseq|tcpwin} NN | tcpflags SPEC | tcpoptions SPEC |\n"
204917Sdes"	verrevpath | versrcreach\n"
204917Sdes);
204917Sdesexit(0);
204917Sdes}
204917Sdes
204917Sdes
204917Sdesstatic int
204917Sdeslookup_host (char *host, struct in_addr *ipaddr)
204917Sdes{
204917Sdes	struct hostent *he;
204917Sdes
204917Sdes	if (!inet_aton(host, ipaddr)) {
204917Sdes		if ((he = gethostbyname(host)) == NULL)
204917Sdes			return(-1);
204917Sdes		*ipaddr = *(struct in_addr *)he->h_addr_list[0];
204917Sdes	}
204917Sdes	return(0);
204917Sdes}
215116Sdes
204917Sdes/*
204917Sdes * fills the addr and mask fields in the instruction as appropriate from av.
204917Sdes * Update length as appropriate.
204917Sdes * The following formats are allowed:
204917Sdes *	any	matches any IP. Actually returns an empty instruction.
204917Sdes *	me	returns O_IP_*_ME
204917Sdes *	1.2.3.4		single IP address
204917Sdes *	1.2.3.4:5.6.7.8	address:mask
204917Sdes *	1.2.3.4/24	address/mask
204917Sdes *	1.2.3.4/26{1,6,5,4,23}	set of addresses in a subnet
204917Sdes * We can have multiple comma-separated address/mask entries.
204917Sdes */
204917Sdesstatic void
204917Sdesfill_ip(ipfw_insn_ip *cmd, char *av)
204917Sdes{
204917Sdes	int len = 0;
204917Sdes	uint32_t *d = ((ipfw_insn_u32 *)cmd)->d;
204917Sdes
204917Sdes	cmd->o.len &= ~F_LEN_MASK;	/* zero len */
204917Sdes
204917Sdes	if (!strncmp(av, "any", strlen(av)))
204917Sdes		return;
204917Sdes
204917Sdes	if (!strncmp(av, "me", strlen(av))) {
204917Sdes		cmd->o.len |= F_INSN_SIZE(ipfw_insn);
204917Sdes		return;
204917Sdes	}
204917Sdes
204917Sdes    while (av) {
204917Sdes	/*
204917Sdes	 * After the address we can have '/' or ':' indicating a mask,
204917Sdes	 * ',' indicating another address follows, '{' indicating a
204917Sdes	 * set of addresses of unspecified size.
204917Sdes	 */
204917Sdes	char *p = strpbrk(av, "/:,{");
204917Sdes	int masklen;
204917Sdes	char md;
204917Sdes
204917Sdes	if (p) {
204917Sdes		md = *p;
204917Sdes		*p++ = '\0';
204917Sdes	} else
204917Sdes		md = '\0';
204917Sdes
204917Sdes	if (lookup_host(av, (struct in_addr *)&d[0]) != 0)
204917Sdes		errx(EX_NOHOST, "hostname ``%s'' unknown", av);
204917Sdes	switch (md) {
204917Sdes	case ':':
204917Sdes		if (!inet_aton(p, (struct in_addr *)&d[1]))
204917Sdes			errx(EX_DATAERR, "bad netmask ``%s''", p);
204917Sdes		break;
204917Sdes	case '/':
204917Sdes		masklen = atoi(p);
204917Sdes		if (masklen == 0)
204917Sdes			d[1] = htonl(0);	/* mask */
204917Sdes		else if (masklen > 32)
204917Sdes			errx(EX_DATAERR, "bad width ``%s''", p);
204917Sdes		else
204917Sdes			d[1] = htonl(~0 << (32 - masklen));
204917Sdes		break;
204917Sdes	case '{':	/* no mask, assume /24 and put back the '{' */
204917Sdes		d[1] = htonl(~0 << (32 - 24));
204917Sdes		*(--p) = md;
204917Sdes		break;
204917Sdes
204917Sdes	case ',':	/* single address plus continuation */
204917Sdes		*(--p) = md;
204917Sdes		/* FALLTHROUGH */
204917Sdes	case 0:		/* initialization value */
204917Sdes	default:
204917Sdes		d[1] = htonl(~0);	/* force /32 */
204917Sdes		break;
204917Sdes	}
204917Sdes	d[0] &= d[1];		/* mask base address with mask */
204917Sdes	/* find next separator */
204917Sdes	if (p)
204917Sdes		p = strpbrk(p, ",{");
204917Sdes	if (p && *p == '{') {
204917Sdes		/*
204917Sdes		 * We have a set of addresses. They are stored as follows:
204917Sdes		 *   arg1	is the set size (powers of 2, 2..256)
204917Sdes		 *   addr	is the base address IN HOST FORMAT
204917Sdes		 *   mask..	is an array of arg1 bits (rounded up to
204917Sdes		 *		the next multiple of 32) with bits set
204917Sdes		 *		for each host in the map.
204917Sdes		 */
204917Sdes		uint32_t *map = (uint32_t *)&cmd->mask;
204917Sdes		int low, high;
204917Sdes		int i = contigmask((uint8_t *)&(d[1]), 32);
162856Sdes
92559Sdes		if (len > 0)
162856Sdes			errx(EX_DATAERR, "address set cannot be in a list");
60573Skris		if (i < 24 || i > 31)
60573Skris			errx(EX_DATAERR, "invalid set with mask %d\n", i);
106130Sdes		cmd->o.arg1 = 1<<(32-i);	/* map length		*/
60573Skris		d[0] = ntohl(d[0]);		/* base addr in host format */
60573Skris		cmd->o.opcode = O_IP_DST_SET;	/* default */
60573Skris		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32) + (cmd->o.arg1+31)/32;
60573Skris		for (i = 0; i < (cmd->o.arg1+31)/32 ; i++)
60573Skris			map[i] = 0;	/* clear map */
92559Sdes
60573Skris		av = p + 1;
60573Skris		low = d[0] & 0xff;
60573Skris		high = low + cmd->o.arg1 - 1;
60573Skris		/*
60573Skris		 * Here, i stores the previous value when we specify a range
92559Sdes		 * of addresses within a mask, e.g. 45-63. i = -1 means we
60573Skris		 * have no previous value.
60573Skris		 */
92559Sdes		i = -1;	/* previous value in a range */
60573Skris		while (isdigit(*av)) {
60573Skris			char *s;
76262Sgreen			int a = strtol(av, &s, 0);
60573Skris
76262Sgreen			if (s == av) { /* no parameter */
76262Sgreen			    if (*av != '}')
76262Sgreen				errx(EX_DATAERR, "set not closed\n");
204917Sdes			    if (i != -1)
204917Sdes				errx(EX_DATAERR, "incomplete range %d-", i);
60573Skris			    break;
92559Sdes			}
60573Skris			if (a < low || a > high)
76262Sgreen			    errx(EX_DATAERR, "addr %d out of range [%d-%d]\n",
60573Skris				a, low, high);
76262Sgreen			a -= low;
76262Sgreen			if (i == -1)	/* no previous in range */
92559Sdes			    i = a;
204917Sdes			else {		/* check that range is valid */
204917Sdes			    if (i > a)
60573Skris				errx(EX_DATAERR, "invalid range %d-%d",
60573Skris					i+low, a+low);
92559Sdes			    if (*s == '-')
60573Skris				errx(EX_DATAERR, "double '-' in range");
60573Skris			}
60573Skris			for (; i <= a; i++)
60573Skris			    map[i/32] |= 1<<(i & 31);
60573Skris			i = -1;
60573Skris			if (*s == '-')
60573Skris			    i = a;
60573Skris			else if (*s == '}')
60573Skris			    break;
76262Sgreen			av = s+1;
76262Sgreen		}
60573Skris		return;
92559Sdes	}
60573Skris	av = p;
60573Skris	if (av)			/* then *av must be a ',' */
60573Skris		av++;
60573Skris
76262Sgreen	/* Check this entry */
92559Sdes	if (d[1] == 0) { /* "any", specified as x.x.x.x/0 */
60573Skris		/*
60573Skris		 * 'any' turns the entire list into a NOP.
92559Sdes		 * 'not any' never matches, so it is removed from the
60573Skris		 * list unless it is the only item, in which case we
60573Skris		 * report an error.
92559Sdes		 */
60573Skris		if (cmd->o.len & F_NOT) {	/* "not any" never matches */
60573Skris			if (av == NULL && len == 0) /* only this entry */
60573Skris				errx(EX_DATAERR, "not any never matches");
60573Skris		}
76262Sgreen		/* else do nothing and skip this entry */
76262Sgreen		return;
60573Skris	}
60573Skris	/* A single IP can be stored in an optimized format */
60573Skris	if (d[1] == IP_MASK_ALL && av == NULL && len == 0) {
60573Skris		cmd->o.len |= F_INSN_SIZE(ipfw_insn_u32);
92559Sdes		return;
76262Sgreen	}
92559Sdes	len += 2;	/* two words... */
60573Skris	d += 2;
60573Skris    } /* end while */
92559Sdes    cmd->o.len |= len+1;
60573Skris}
60573Skris
60573Skris
106130Sdes/*
92559Sdes * helper function to process a set of flags and set bits in the
60573Skris * appropriate masks.
60573Skris */
60573Skrisstatic void
60573Skrisfill_flags(ipfw_insn *cmd, enum ipfw_opcodes opcode,
60573Skris	struct _s_x *flags, char *p)
60573Skris{
60573Skris	uint8_t set=0, clear=0;
60573Skris
60573Skris	while (p && *p) {
60573Skris		char *q;	/* points to the separator */
60573Skris		int val;
92559Sdes		uint8_t *which;	/* mask we are working on */
92559Sdes
92559Sdes		if (*p == '!') {
92559Sdes			p++;
92559Sdes			which = &clear;
92559Sdes		} else
92559Sdes			which = &set;
157019Sdes		q = strchr(p, ',');
92559Sdes		if (q)
124207Sdes			*q++ = '\0';
92559Sdes		val = match_token(flags, p);
92559Sdes		if (val <= 0)
92559Sdes			errx(EX_DATAERR, "invalid flag %s", p);
92559Sdes		*which |= (uint8_t)val;
124207Sdes		p = q;
92559Sdes	}
92559Sdes        cmd->opcode = opcode;
92559Sdes        cmd->len =  (cmd->len & (F_NOT | F_OR)) | 1;
124207Sdes        cmd->arg1 = (set & 0xff) | ( (clear & 0xff) << 8);
92559Sdes}
92559Sdes
92559Sdes
92559Sdesstatic void
162856Sdesdelete(int ac, char *av[])
60573Skris{
60573Skris	uint32_t rulenum;
204917Sdes	struct dn_pipe p;
60573Skris	int i;
60573Skris	int exitval = EX_OK;
60573Skris	int do_set = 0;
60573Skris
60573Skris	memset(&p, 0, sizeof p);
60573Skris
204917Sdes	av++; ac--;
92559Sdes	if (ac > 0 && !strncmp(*av, "set", strlen(*av))) {
92559Sdes		do_set = 1;	/* delete set */
57429Smarkm		ac--; av++;
204917Sdes	}
204917Sdes
204917Sdes	/* Rule number */
204917Sdes	while (ac && isdigit(**av)) {
204917Sdes		i = atoi(*av); av++; ac--;
204917Sdes		if (do_pipe) {
92559Sdes			if (do_pipe == 1)
92559Sdes				p.pipe_nr = i;
92559Sdes			else
57429Smarkm				p.fs.fs_nr = i;
57429Smarkm			i = do_cmd(IP_DUMMYNET_DEL, &p, sizeof p);
57429Smarkm			if (i) {
92559Sdes				exitval = 1;
92559Sdes				warn("rule %u: setsockopt(IP_DUMMYNET_DEL)",
92559Sdes				    do_pipe == 1 ? p.pipe_nr : p.fs.fs_nr);
92559Sdes			}
60573Skris		} else {
76262Sgreen			rulenum =  (i & 0xffff) | (do_set << 24);
137019Sdes			i = do_cmd(IP_FW_DEL, &rulenum, sizeof rulenum);
60573Skris			if (i) {
162856Sdes				exitval = EX_UNAVAILABLE;
76262Sgreen				warn("rule %u: setsockopt(IP_FW_DEL)",
76262Sgreen				    rulenum);
76262Sgreen			}
162856Sdes		}
162856Sdes	}
162856Sdes	if (exitval != EX_OK)
162856Sdes		exit(exitval);
162856Sdes}
162856Sdes
92559Sdes
92559Sdes/*
162856Sdes * fill the interface structure. We do not check the name as we can
162856Sdes * create interfaces dynamically, so checking them at insert time
92559Sdes * makes relatively little sense.
76262Sgreen * Interface names containing '*', '?', or '[' are assumed to be shell
92559Sdes * patterns which match interfaces.
76262Sgreen */
76262Sgreenstatic void
76262Sgreenfill_iface(ipfw_insn_if *cmd, char *arg)
76262Sgreen{
76262Sgreen	cmd->name[0] = '\0';
60573Skris	cmd->o.len |= F_INSN_SIZE(ipfw_insn_if);
60573Skris
92559Sdes	/* Parse the interface or address */
92559Sdes	if (!strcmp(arg, "any"))
92559Sdes		cmd->o.len = 0;		/* effectively ignore this command */
92559Sdes	else if (!isdigit(*arg)) {
60573Skris		strlcpy(cmd->name, arg, sizeof(cmd->name));
162856Sdes		cmd->p.glob = strpbrk(arg, "*?[") != NULL ? 1 : 0;
60573Skris	} else if (!inet_aton(arg, &cmd->p.ip))
60573Skris		errx(EX_DATAERR, "bad ip address ``%s''", arg);
60573Skris}
60573Skris
92559Sdes/*
76262Sgreen * the following macro returns an error message if we run out of
60573Skris * arguments.
92559Sdes */
57429Smarkm#define	NEED1(msg)	{if (!ac) errx(EX_USAGE, msg);}
60573Skris
137019Sdesstatic void
57429Smarkmconfig_pipe(int ac, char **av)
57429Smarkm{
92559Sdes	struct dn_pipe p;
92559Sdes	int i;
92559Sdes	char *end;
57429Smarkm	uint32_t a;
92559Sdes	void *par = NULL;
92559Sdes
92559Sdes	memset(&p, 0, sizeof p);
92559Sdes
57429Smarkm	av++; ac--;
60573Skris	/* Pipe number */
60573Skris	if (ac && isdigit(**av)) {
57429Smarkm		i = atoi(*av); av++; ac--;
57429Smarkm		if (do_pipe == 1)
60573Skris			p.pipe_nr = i;
57429Smarkm		else
57429Smarkm			p.fs.fs_nr = i;
60573Skris	}
60573Skris	while (ac > 0) {
76262Sgreen		double d;
92559Sdes		int tok = match_token(dummynet_params, *av);
60573Skris		ac--; av++;
60573Skris
57429Smarkm		switch(tok) {
57429Smarkm		case TOK_NOERROR:
76262Sgreen			p.fs.flags_fs |= DN_NOERROR;
76262Sgreen			break;
76262Sgreen
157019Sdes		case TOK_PLR:
157019Sdes			NEED1("plr needs argument 0..1\n");
157019Sdes			d = strtod(av[0], NULL);
157019Sdes			if (d > 1)
157019Sdes				d = 1;
157019Sdes			else if (d < 0)
157019Sdes				d = 0;
215116Sdes			p.fs.plr = (int)(d*0x7fffffff);
215116Sdes			ac--; av++;
215116Sdes			break;
215116Sdes
215116Sdes		case TOK_QUEUE:
215116Sdes			NEED1("queue needs queue size\n");
215116Sdes			end = NULL;
215116Sdes			p.fs.qsize = strtoul(av[0], &end, 0);
157019Sdes			if (*end == 'K' || *end == 'k') {
157019Sdes				p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
157019Sdes				p.fs.qsize *= 1024;
157019Sdes			} else if (*end == 'B' || !strncmp(end, "by", 2)) {
157019Sdes				p.fs.flags_fs |= DN_QSIZE_IS_BYTES;
157019Sdes			}
157019Sdes			ac--; av++;
157019Sdes			break;
157019Sdes
92559Sdes		case TOK_BUCKETS:
92559Sdes			NEED1("buckets needs argument\n");
92559Sdes			p.fs.rq_size = strtoul(av[0], NULL, 0);
92559Sdes			ac--; av++;
60573Skris			break;
60573Skris
60573Skris		case TOK_MASK:
60573Skris			NEED1("mask needs mask specifier\n");
60573Skris			/*
57429Smarkm			 * per-flow queue, mask is dst_ip, dst_port,
60573Skris			 * src_ip, src_port, proto measured in bits
60573Skris			 */
60573Skris			par = NULL;
60573Skris
60573Skris			p.fs.flow_mask.dst_ip = 0;
60573Skris			p.fs.flow_mask.src_ip = 0;
60573Skris			p.fs.flow_mask.dst_port = 0;
60573Skris			p.fs.flow_mask.src_port = 0;
57429Smarkm			p.fs.flow_mask.proto = 0;
60573Skris			end = NULL;
60573Skris
60573Skris			while (ac >= 1) {
60573Skris			    uint32_t *p32 = NULL;
60573Skris			    uint16_t *p16 = NULL;
60573Skris
60573Skris			    tok = match_token(dummynet_params, *av);
60573Skris			    ac--; av++;
60573Skris			    switch(tok) {
60573Skris			    case TOK_ALL:
57429Smarkm				    /*
57429Smarkm				     * special case, all bits significant
57429Smarkm				     */
57429Smarkm				    p.fs.flow_mask.dst_ip = ~0;
98684Sdes				    p.fs.flow_mask.src_ip = ~0;
98684Sdes				    p.fs.flow_mask.dst_port = ~0;
57429Smarkm				    p.fs.flow_mask.src_port = ~0;
98684Sdes				    p.fs.flow_mask.proto = ~0;
149753Sdes				    p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
149753Sdes				    goto end_mask;
98684Sdes
98684Sdes			    case TOK_DSTIP:
57429Smarkm				    p32 = &p.fs.flow_mask.dst_ip;
60573Skris				    break;
60573Skris
98684Sdes			    case TOK_SRCIP:
60573Skris				    p32 = &p.fs.flow_mask.src_ip;
60573Skris				    break;
60573Skris
99063Sdes			    case TOK_DSTPORT:
76262Sgreen				    p16 = &p.fs.flow_mask.dst_port;
76262Sgreen				    break;
60573Skris
60573Skris			    case TOK_SRCPORT:
60573Skris				    p16 = &p.fs.flow_mask.src_port;
60573Skris				    break;
60573Skris
60573Skris			    case TOK_PROTO:
60573Skris				    break;
60573Skris
60573Skris			    default:
60573Skris				    ac++; av--; /* backtrack */
60573Skris				    goto end_mask;
76262Sgreen			    }
60573Skris			    if (ac < 1)
57429Smarkm				    errx(EX_USAGE, "mask: value missing");
57429Smarkm			    if (*av[0] == '/') {
57429Smarkm				    a = strtoul(av[0]+1, &end, 0);
57429Smarkm				    a = (a == 32) ? ~0 : (1 << a) - 1;
92559Sdes			    } else
92559Sdes				    a = strtoul(av[0], &end, 0);
162856Sdes			    if (p32 != NULL)
60573Skris				    *p32 = a;
92559Sdes			    else if (p16 != NULL) {
57429Smarkm				    if (a > 65535)
57429Smarkm					    errx(EX_DATAERR,
57429Smarkm						"mask: must be 16 bit");
215116Sdes				    *p16 = (uint16_t)a;
60573Skris			    } else {
57429Smarkm				    if (a > 255)
57429Smarkm					    errx(EX_DATAERR,
57429Smarkm						"mask: must be 8 bit");
60573Skris				    p.fs.flow_mask.proto = (uint8_t)a;
60573Skris			    }
57429Smarkm			    if (a != 0)
57429Smarkm				    p.fs.flags_fs |= DN_HAVE_FLOW_MASK;
57429Smarkm			    ac--; av++;
60573Skris			} /* end while, config masks */
60573Skrisend_mask:
57429Smarkm			break;
57429Smarkm
57429Smarkm		case TOK_RED:
181111Sdes		case TOK_GRED:
215116Sdes			NEED1("red/gred needs w_q/min_th/max_th/max_p\n");
215116Sdes			p.fs.flags_fs |= DN_IS_RED;
215116Sdes			if (tok == TOK_GRED)
60573Skris				p.fs.flags_fs |= DN_IS_GENTLE_RED;
126273Sdes			/*
126273Sdes			 * the format for parameters is w_q/min_th/max_th/max_p
126273Sdes			 */
126273Sdes			if ((end = strsep(&av[0], "/"))) {
126273Sdes			    double w_q = strtod(end, NULL);
126273Sdes			    if (w_q > 1 || w_q <= 0)
126273Sdes				errx(EX_DATAERR, "0 < w_q <= 1");
126273Sdes			    p.fs.w_q = (int) (w_q * (1 << SCALE_RED));
126273Sdes			}
215116Sdes			if ((end = strsep(&av[0], "/"))) {
215116Sdes			    p.fs.min_th = strtoul(end, &end, 0);
126273Sdes			    if (*end == 'K' || *end == 'k')
126273Sdes				p.fs.min_th *= 1024;
126273Sdes			}
126273Sdes			if ((end = strsep(&av[0], "/"))) {
92559Sdes			    p.fs.max_th = strtoul(end, &end, 0);
215116Sdes			    if (*end == 'K' || *end == 'k')
124207Sdes				p.fs.max_th *= 1024;
215116Sdes			}
60573Skris			if ((end = strsep(&av[0], "/"))) {
215116Sdes			    double max_p = strtod(end, NULL);
124207Sdes			    if (max_p > 1 || max_p <= 0)
215116Sdes				errx(EX_DATAERR, "0 < max_p <= 1");
60573Skris			    p.fs.max_p = (int)(max_p * (1 << SCALE_RED));
60573Skris			}
215116Sdes			ac--; av++;
60573Skris			break;
157019Sdes
157019Sdes		case TOK_DROPTAIL:
157019Sdes			p.fs.flags_fs &= ~(DN_IS_RED|DN_IS_GENTLE_RED);
157019Sdes			break;
181111Sdes
57429Smarkm		case TOK_BW:
92559Sdes			NEED1("bw needs bandwidth or interface\n");
162856Sdes			if (do_pipe != 1)
60573Skris			    errx(EX_DATAERR, "bandwidth only valid for pipes");
92559Sdes			/*
60573Skris			 * set clocking interface or bandwidth value
60573Skris			 */
60573Skris			if (av[0][0] >= 'a' && av[0][0] <= 'z') {
99063Sdes			    int l = sizeof(p.if_name)-1;
60573Skris			    /* interface name */
57429Smarkm			    strncpy(p.if_name, av[0], l);
60573Skris			    p.if_name[l] = '\0';
60573Skris			    p.bandwidth = 0;
60573Skris			} else {
60573Skris			    p.if_name[0] = '\0';
60573Skris			    p.bandwidth = strtoul(av[0], &end, 0);
60573Skris			    if (*end == 'K' || *end == 'k') {
60573Skris				end++;
124207Sdes				p.bandwidth *= 1000;
60573Skris			    } else if (*end == 'M') {
60573Skris				end++;
98684Sdes				p.bandwidth *= 1000000;
98684Sdes			    }
98684Sdes			    if (*end == 'B' || !strncmp(end, "by", 2))
98684Sdes				p.bandwidth *= 8;
98684Sdes			    if (p.bandwidth < 0)
98684Sdes				errx(EX_DATAERR, "bandwidth too large");
98684Sdes			}
60573Skris			ac--; av++;
60573Skris			break;
60573Skris
60573Skris		case TOK_DELAY:
124207Sdes			if (do_pipe != 1)
60573Skris				errx(EX_DATAERR, "delay only valid for pipes");
60573Skris			NEED1("delay needs argument 0..10000ms\n");
60573Skris			p.delay = strtoul(av[0], NULL, 0);
92559Sdes			ac--; av++;
60573Skris			break;
124207Sdes
60573Skris		case TOK_WEIGHT:
60573Skris			if (do_pipe == 1)
60573Skris				errx(EX_DATAERR,"weight only valid for queues");
60573Skris			NEED1("weight needs argument 0..100\n");
69587Sgreen			p.fs.weight = strtoul(av[0], &end, 0);
60573Skris			ac--; av++;
60573Skris			break;
60573Skris
60573Skris		case TOK_PIPE:
60573Skris			if (do_pipe == 1)
162856Sdes				errx(EX_DATAERR,"pipe only valid for queues");
60573Skris			NEED1("pipe needs pipe_number\n");
92559Sdes			p.fs.parent_nr = strtoul(av[0], &end, 0);
60573Skris			ac--; av++;
60573Skris			break;
60573Skris
57429Smarkm		default:
60573Skris			errx(EX_DATAERR, "unrecognised option ``%s''", av[-1]);
92559Sdes		}
60573Skris	}
60573Skris	if (do_pipe == 1) {
60573Skris		if (p.pipe_nr == 0)
60573Skris			errx(EX_DATAERR, "pipe_nr must be > 0");
92559Sdes		if (p.delay > 10000)
92559Sdes			errx(EX_DATAERR, "delay must be < 10000");
92559Sdes	} else { /* do_pipe == 2, queue */
92559Sdes		if (p.fs.parent_nr == 0)
92559Sdes			errx(EX_DATAERR, "pipe must be > 0");
92559Sdes		if (p.fs.weight >100)
92559Sdes			errx(EX_DATAERR, "weight must be <= 100");
92559Sdes	}
92559Sdes	if (p.fs.flags_fs & DN_QSIZE_IS_BYTES) {
60573Skris		if (p.fs.qsize > 1024*1024)
60573Skris			errx(EX_DATAERR, "queue size must be < 1MB");
162856Sdes	} else {
60573Skris		if (p.fs.qsize > 100)
92559Sdes			errx(EX_DATAERR, "2 <= queue size <= 100");
57429Smarkm	}
60573Skris	if (p.fs.flags_fs & DN_IS_RED) {
60573Skris		size_t len;
57429Smarkm		int lookup_depth, avg_pkt_size;
60573Skris		double s, idle, weight, w_q;
92559Sdes		struct clockinfo ck;
60573Skris		int t;
60573Skris
60573Skris		if (p.fs.min_th >= p.fs.max_th)
57429Smarkm		    errx(EX_DATAERR, "min_th %d must be < than max_th %d",
57429Smarkm			p.fs.min_th, p.fs.max_th);
57429Smarkm		if (p.fs.max_th == 0)
57429Smarkm		    errx(EX_DATAERR, "max_th must be > 0");
57429Smarkm
57429Smarkm		len = sizeof(int);
60573Skris		if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth",
57429Smarkm			&lookup_depth, &len, NULL, 0) == -1)
57429Smarkm
57429Smarkm		    errx(1, "sysctlbyname(\"%s\")",
57429Smarkm			"net.inet.ip.dummynet.red_lookup_depth");
57429Smarkm		if (lookup_depth == 0)
57429Smarkm		    errx(EX_DATAERR, "net.inet.ip.dummynet.red_lookup_depth"
57429Smarkm			" must be greater than zero");
57429Smarkm
57429Smarkm		len = sizeof(int);
60573Skris		if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size",
57429Smarkm			&avg_pkt_size, &len, NULL, 0) == -1)
57429Smarkm
57429Smarkm		    errx(1, "sysctlbyname(\"%s\")",
57429Smarkm			"net.inet.ip.dummynet.red_avg_pkt_size");
92559Sdes		if (avg_pkt_size == 0)
60573Skris			errx(EX_DATAERR,
57429Smarkm			    "net.inet.ip.dummynet.red_avg_pkt_size must"
57429Smarkm			    " be greater than zero");
57429Smarkm
60573Skris		len = sizeof(struct clockinfo);
162856Sdes		if (sysctlbyname("kern.clockrate", &ck, &len, NULL, 0) == -1)
60573Skris			errx(1, "sysctlbyname(\"%s\")", "kern.clockrate");
92559Sdes
60573Skris		/*
60573Skris		 * Ticks needed for sending a medium-sized packet.
60573Skris		 * Unfortunately, when we are configuring a WF2Q+ queue, we
92559Sdes		 * do not have bandwidth information, because that is stored
92559Sdes		 * in the parent pipe, and also we have multiple queues
60573Skris		 * competing for it. So we set s=0, which is not very
60573Skris		 * correct. But on the other hand, why do we want RED with
60573Skris		 * WF2Q+ ?
60573Skris		 */
57429Smarkm		if (p.bandwidth==0) /* this is a WF2Q+ queue */
162856Sdes			s = 0;
60573Skris		else
92559Sdes			s = ck.hz * avg_pkt_size * 8 / p.bandwidth;
57429Smarkm
60573Skris		/*
60573Skris		 * max idle time (in ticks) before avg queue size becomes 0.
57429Smarkm		 * NOTA:  (3/w_q) is approx the value x so that
92559Sdes		 * (1-w_q)^x < 10^-3.
60573Skris		 */
60573Skris		w_q = ((double)p.fs.w_q) / (1 << SCALE_RED);
60573Skris		idle = s * 3. / w_q;
60573Skris		p.fs.lookup_step = (int)idle / lookup_depth;
60573Skris		if (!p.fs.lookup_step)
60573Skris			p.fs.lookup_step = 1;
92559Sdes		weight = 1 - w_q;
60573Skris		for (t = p.fs.lookup_step; t > 0; --t)
57429Smarkm			weight *= weight;
162856Sdes		p.fs.lookup_weight = (int)(weight * (1 << SCALE_RED));
60573Skris	}
92559Sdes	i = do_cmd(IP_DUMMYNET_CONFIGURE, &p, sizeof p);
60573Skris	if (i)
60573Skris		err(1, "setsockopt(%s)", "IP_DUMMYNET_CONFIGURE");
60573Skris}
60573Skris
60573Skrisstatic void
60573Skrisget_mac_addr_mask(char *p, uint8_t *addr, uint8_t *mask)
60573Skris{
60573Skris	int i, l;
60573Skris
60573Skris	for (i=0; i<6; i++)
60573Skris		addr[i] = mask[i] = 0;
60573Skris	if (!strcmp(p, "any"))
60573Skris		return;
60573Skris
60573Skris	for (i=0; *p && i<6;i++, p++) {
60573Skris		addr[i] = strtol(p, &p, 16);
60573Skris		if (*p != ':') /* we start with the mask */
60573Skris			break;
181111Sdes	}
69587Sgreen	if (*p == '/') { /* mask len */
215116Sdes		l = strtol(p+1, &p, 0);
69587Sgreen		for (i=0; l>0; l -=8, i++)
60573Skris			mask[i] = (l >=8) ? 0xff : (~0) << (8-l);
124207Sdes	} else if (*p == '&') { /* mask */
60573Skris		for (i=0, p++; *p && i<6;i++, p++) {
57429Smarkm			mask[i] = strtol(p, &p, 16);
92559Sdes			if (*p != ':')
57429Smarkm				break;
57429Smarkm		}
92559Sdes	} else if (*p == '\0') {
92559Sdes		for (i=0; i<6; i++)
92559Sdes			mask[i] = 0xff;
92559Sdes	}
92559Sdes	for (i=0; i<6; i++)
92559Sdes		addr[i] &= mask[i];
92559Sdes}
92559Sdes
92559Sdes/*
92559Sdes * helper function, updates the pointer to cmd with the length
92559Sdes * of the current command, and also cleans up the first word of
92559Sdes * the new command in case it has been clobbered before.
92559Sdes */
92559Sdesstatic ipfw_insn *
92559Sdesnext_cmd(ipfw_insn *cmd)
92559Sdes{
162856Sdes	cmd += F_LEN(cmd);
60573Skris	bzero(cmd, sizeof(*cmd));
92559Sdes	return cmd;
57429Smarkm}
76262Sgreen
76262Sgreen/*
60573Skris * Takes arguments and copies them into a comment
57429Smarkm */
60573Skrisstatic void
60573Skrisfill_comment(ipfw_insn *cmd, int ac, char **av)
57429Smarkm{
60573Skris	int i, l;
60573Skris	char *p = (char *)(cmd + 1);
60573Skris
60573Skris	cmd->opcode = O_NOP;
76262Sgreen	cmd->len =  (cmd->len & (F_NOT | F_OR));
92559Sdes
76262Sgreen	/* Compute length of comment string. */
76262Sgreen	for (i = 0, l = 0; i < ac; i++)
76262Sgreen		l += strlen(av[i]) + 1;
124207Sdes	if (l == 0)
92559Sdes		return;
76262Sgreen	if (l > 84)
76262Sgreen		errx(EX_DATAERR,
76262Sgreen		    "comment too long (max 80 chars)");
76262Sgreen	l = 1 + (l+3)/4;
215116Sdes	cmd->len =  (cmd->len & (F_NOT | F_OR)) | l;
215116Sdes	for (i = 0; i < ac; i++) {
215116Sdes		strcpy(p, av[i]);
215116Sdes		p += strlen(av[i]);
215116Sdes		*p++ = ' ';
60573Skris	}
92559Sdes	*(--p) = '\0';
192595Sdes}
192595Sdes
57429Smarkm/*
57429Smarkm * A function to fill simple commands of size 1.
162856Sdes * Existing flags are preserved.
60573Skris */
92559Sdesstatic void
60573Skrisfill_cmd(ipfw_insn *cmd, enum ipfw_opcodes opcode, int flags, uint16_t arg)
60573Skris{
99063Sdes	cmd->opcode = opcode;
99063Sdes	cmd->len =  ((cmd->len | flags) & (F_NOT | F_OR)) | 1;
57429Smarkm	cmd->arg1 = arg;
60573Skris}
60573Skris
60573Skris/*
57429Smarkm * Fetch and add the MAC address and type, with masks. This generates one or
60573Skris * two microinstructions, and returns the pointer to the last one.
60573Skris */
57429Smarkmstatic ipfw_insn *
157019Sdesadd_mac(ipfw_insn *cmd, int ac, char *av[])
157019Sdes{
60573Skris	ipfw_insn_mac *mac;
60573Skris
60573Skris	if (ac < 2)
92559Sdes		errx(EX_DATAERR, "MAC dst src");
99063Sdes
60573Skris	cmd->opcode = O_MACADDR2;
57429Smarkm	cmd->len = (cmd->len & (F_NOT | F_OR)) | F_INSN_SIZE(ipfw_insn_mac);
57429Smarkm
162856Sdes	mac = (ipfw_insn_mac *)cmd;
60573Skris	get_mac_addr_mask(av[0], mac->addr, mac->mask);	/* dst */
92559Sdes	get_mac_addr_mask(av[1], &(mac->addr[6]), &(mac->mask[6])); /* src */
57429Smarkm	return cmd;
92559Sdes}
92559Sdes
92559Sdesstatic ipfw_insn *
181111Sdesadd_mactype(ipfw_insn *cmd, int ac, char *av)
57429Smarkm{
92559Sdes	if (ac < 1)
92559Sdes		errx(EX_DATAERR, "missing MAC type");
92559Sdes	if (strcmp(av, "any") != 0) { /* we have a non-null type */
57429Smarkm		fill_newports((ipfw_insn_u16 *)cmd, av, IPPROTO_ETHERTYPE);
92559Sdes		cmd->opcode = O_MAC_TYPE;
92559Sdes		return cmd;
92559Sdes	} else
92559Sdes		return NULL;
92559Sdes}
92559Sdes
181111Sdesstatic ipfw_insn *
181111Sdesadd_proto(ipfw_insn *cmd, char *av)
124207Sdes{
181111Sdes	struct protoent *pe;
92559Sdes	u_char proto = 0;
92559Sdes
92559Sdes	if (!strncmp(av, "all", strlen(av)))
92559Sdes		; /* same as "ip" */
181111Sdes	else if ((proto = atoi(av)) > 0)
181111Sdes		; /* all done! */
57429Smarkm	else if ((pe = getprotobyname(av)) != NULL)
57429Smarkm		proto = pe->p_proto;
181111Sdes	else
181111Sdes		return NULL;
181111Sdes	if (proto != IPPROTO_IP)
181111Sdes		fill_cmd(cmd, O_PROTO, 0, proto);
181111Sdes	return cmd;
181111Sdes}
192595Sdes
57429Smarkmstatic ipfw_insn *
181111Sdesadd_srcip(ipfw_insn *cmd, char *av)
197679Sdes{
181111Sdes	fill_ip((ipfw_insn_ip *)cmd, av);
192595Sdes	if (cmd->opcode == O_IP_DST_SET)			/* set */
181111Sdes		cmd->opcode = O_IP_SRC_SET;
181111Sdes	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
192595Sdes		cmd->opcode = O_IP_SRC_ME;
181111Sdes	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
192595Sdes		cmd->opcode = O_IP_SRC;
192595Sdes	else							/* addr/mask */
181111Sdes		cmd->opcode = O_IP_SRC_MASK;
181111Sdes	return cmd;
181111Sdes}
181111Sdes
181111Sdesstatic ipfw_insn *
181111Sdesadd_dstip(ipfw_insn *cmd, char *av)
181111Sdes{
181111Sdes	fill_ip((ipfw_insn_ip *)cmd, av);
181111Sdes	if (cmd->opcode == O_IP_DST_SET)			/* set */
181111Sdes		;
181111Sdes	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn))		/* me */
92559Sdes		cmd->opcode = O_IP_DST_ME;
57429Smarkm	else if (F_LEN(cmd) == F_INSN_SIZE(ipfw_insn_u32))	/* one IP */
92559Sdes		cmd->opcode = O_IP_DST;
92559Sdes	else							/* addr/mask */
76262Sgreen		cmd->opcode = O_IP_DST_MASK;
92559Sdes	return cmd;
76262Sgreen}
76262Sgreen
224638Sbrooksstatic ipfw_insn *
224638Sbrooksadd_ports(ipfw_insn *cmd, char *av, u_char proto, int opcode)
224638Sbrooks{
224638Sbrooks	if (!strncmp(av, "any", strlen(av))) {
224638Sbrooks		return NULL;
224638Sbrooks	} else if (fill_newports((ipfw_insn_u16 *)cmd, av, proto)) {
224638Sbrooks		/* XXX todo: check that we have a protocol with ports */
224638Sbrooks		cmd->opcode = opcode;
224638Sbrooks		return cmd;
92559Sdes	}
192595Sdes	return NULL;
192595Sdes}
92559Sdes
57429Smarkm/*
92559Sdes * Parse arguments and assemble the microinstructions which make up a rule.
157019Sdes * Rules are added into the 'rulebuf' and then copied in the correct order
57429Smarkm * into the actual rule.
147005Sdes *
57429Smarkm * The syntax for a rule starts with the action, followed by an
192595Sdes * optional log action, and the various match patterns.
57429Smarkm * In the assembled microcode, the first opcode must be an O_PROBE_STATE
92559Sdes * (generated if the rule includes a keep-state option), then the
92559Sdes * various match patterns, the "log" action, and the actual action.
147005Sdes *
57429Smarkm */
92559Sdesstatic void
92559Sdesadd(int ac, char *av[])
149753Sdes{
76262Sgreen	/*
192595Sdes	 * rules are added into the 'rulebuf' and then copied in
76262Sgreen	 * the correct order into the actual rule.
149753Sdes	 * Some things that need to go out of order (prob, action etc.)
76262Sgreen	 * go into actbuf[].
76262Sgreen	 */
57429Smarkm	static uint32_t rulebuf[255], actbuf[255], cmdbuf[255];
147005Sdes
147005Sdes	ipfw_insn *src, *dst, *cmd, *action, *prev=NULL;
147005Sdes	ipfw_insn *first_cmd;	/* first match pattern */
147005Sdes
147005Sdes	struct ip_fw *rule;
147005Sdes
147005Sdes	/*
147005Sdes	 * various flags used to record that we entered some fields.
147005Sdes	 */
147005Sdes	ipfw_insn *have_state = NULL;	/* check-state or keep-state */
147005Sdes
147005Sdes	int i;
147005Sdes
147005Sdes	int open_par = 0;	/* open parenthesis ( */
147005Sdes
147005Sdes	/* proto is here because it is used to fetch ports */
147005Sdes	u_char proto = IPPROTO_IP;	/* default protocol */
147005Sdes
147005Sdes	double match_prob = 1; /* match probability, default is always match */
147005Sdes
147005Sdes	bzero(actbuf, sizeof(actbuf));		/* actions go here */
181111Sdes	bzero(cmdbuf, sizeof(cmdbuf));
147005Sdes	bzero(rulebuf, sizeof(rulebuf));
147005Sdes
147005Sdes	rule = (struct ip_fw *)rulebuf;
147005Sdes	cmd = (ipfw_insn *)cmdbuf;
147005Sdes	action = (ipfw_insn *)actbuf;
147005Sdes
147005Sdes	av++; ac--;
147005Sdes
147005Sdes	/* [rule N]	-- Rule number optional */
147005Sdes	if (ac && isdigit(**av)) {
147005Sdes		rule->rulenum = atoi(*av);
57429Smarkm		av++;
57429Smarkm		ac--;
57429Smarkm	}
57429Smarkm
57429Smarkm	/* [set N]	-- set number (0..RESVD_SET), optional */
147005Sdes	if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
57429Smarkm		int set = strtoul(av[1], NULL, 10);
76262Sgreen		if (set < 0 || set > RESVD_SET)
147005Sdes			errx(EX_DATAERR, "illegal set %s", av[1]);
147005Sdes		rule->set = set;
147005Sdes		av += 2; ac -= 2;
147005Sdes	}
181111Sdes
147005Sdes	/* [prob D]	-- match probability, optional */
149753Sdes	if (ac > 1 && !strncmp(*av, "prob", strlen(*av))) {
181111Sdes		match_prob = strtod(av[1], NULL);
181111Sdes
147005Sdes		if (match_prob <= 0 || match_prob > 1)
149753Sdes			errx(EX_DATAERR, "illegal match prob. %s", av[1]);
147005Sdes		av += 2; ac -= 2;
192595Sdes	}
192595Sdes
57429Smarkm	/* action	-- mandatory */
192595Sdes	NEED1("missing action");
192595Sdes	i = match_token(rule_actions, *av);
192595Sdes	ac--; av++;
192595Sdes	action->len = 1;	/* default */
192595Sdes	switch(i) {
192595Sdes	case TOK_CHECKSTATE:
192595Sdes		have_state = action;
192595Sdes		action->opcode = O_CHECK_STATE;
192595Sdes		break;
192595Sdes
57429Smarkm	case TOK_ACCEPT:
192595Sdes		action->opcode = O_ACCEPT;
192595Sdes		break;
192595Sdes
192595Sdes	case TOK_DENY:
192595Sdes		action->opcode = O_DENY;
192595Sdes		action->arg1 = 0;
192595Sdes		break;
192595Sdes
192595Sdes	case TOK_REJECT:
57429Smarkm		action->opcode = O_REJECT;
57429Smarkm		action->arg1 = ICMP_UNREACH_HOST;
92559Sdes		break;
57429Smarkm
57429Smarkm	case TOK_RESET:
57429Smarkm		action->opcode = O_REJECT;
124207Sdes		action->arg1 = ICMP_REJECT_RST;
57429Smarkm		break;
57429Smarkm
57429Smarkm	case TOK_UNREACH:
57429Smarkm		action->opcode = O_REJECT;
57429Smarkm		NEED1("missing reject code");
106130Sdes		fill_reject_code(&action->arg1, *av);
157019Sdes		ac--; av++;
204917Sdes		break;
204917Sdes
157019Sdes	case TOK_COUNT:
192595Sdes		action->opcode = O_COUNT;
192595Sdes		break;
57429Smarkm
57429Smarkm	case TOK_QUEUE:
57429Smarkm	case TOK_PIPE:
57429Smarkm		action->len = F_INSN_SIZE(ipfw_insn_pipe);
98941Sdes	case TOK_SKIPTO:
98941Sdes		if (i == TOK_QUEUE)
98941Sdes			action->opcode = O_QUEUE;
98941Sdes		else if (i == TOK_PIPE)
98941Sdes			action->opcode = O_PIPE;
57429Smarkm		else if (i == TOK_SKIPTO)
57429Smarkm			action->opcode = O_SKIPTO;
57429Smarkm		NEED1("missing skipto/pipe/queue number");
57429Smarkm		action->arg1 = strtoul(*av, NULL, 10);
126273Sdes		av++; ac--;
57429Smarkm		break;
57429Smarkm
57429Smarkm	case TOK_DIVERT:
57429Smarkm	case TOK_TEE:
192595Sdes		action->opcode = (i == TOK_DIVERT) ? O_DIVERT : O_TEE;
192595Sdes		NEED1("missing divert/tee port");
192595Sdes		action->arg1 = strtoul(*av, NULL, 0);
192595Sdes		if (action->arg1 == 0) {
192595Sdes			struct servent *s;
192595Sdes			setservent(1);
192595Sdes			s = getservbyname(av[0], "divert");
192595Sdes			if (s != NULL)
192595Sdes				action->arg1 = ntohs(s->s_port);
192595Sdes			else
192595Sdes				errx(EX_DATAERR, "illegal divert/tee port");
192595Sdes		}
192595Sdes		ac--; av++;
224638Sbrooks		break;
224638Sbrooks
224638Sbrooks	case TOK_FORWARD: {
224638Sbrooks		ipfw_insn_sa *p = (ipfw_insn_sa *)action;
224638Sbrooks		char *s, *end;
224638Sbrooks
224638Sbrooks		NEED1("missing forward address[:port]");
224638Sbrooks
224638Sbrooks		action->opcode = O_FORWARD_IP;
224638Sbrooks		action->len = F_INSN_SIZE(ipfw_insn_sa);
224638Sbrooks
224638Sbrooks		p->sa.sin_len = sizeof(struct sockaddr_in);
192595Sdes		p->sa.sin_family = AF_INET;
92559Sdes		p->sa.sin_port = 0;
92559Sdes		/*
57429Smarkm		 * locate the address-port separator (':' or ',')
57429Smarkm		 */
57429Smarkm		s = strchr(*av, ':');
92559Sdes		if (s == NULL)
76262Sgreen			s = strchr(*av, ',');
57429Smarkm		if (s != NULL) {
76262Sgreen			*(s++) = '\0';
57429Smarkm			i = strtoport(s, &end, 0 /* base */, 0 /* proto */);
57429Smarkm			if (s == end)
137019Sdes				errx(EX_DATAERR,
137019Sdes				    "illegal forwarding port ``%s''", s);
137019Sdes			p->sa.sin_port = (u_short)i;
137019Sdes		}
137019Sdes		lookup_host(*av, &(p->sa.sin_addr));
137019Sdes		}
147005Sdes		ac--; av++;
137019Sdes		break;
137019Sdes
137019Sdes	case TOK_COMMENT:
192595Sdes		/* pretend it is a 'count' rule followed by the comment */
147005Sdes		action->opcode = O_COUNT;
137019Sdes		ac++; av--;	/* go back... */
137019Sdes		break;
137019Sdes
137019Sdes	default:
137019Sdes		errx(EX_DATAERR, "invalid action %s\n", av[-1]);
137019Sdes	}
137019Sdes	action = next_cmd(action);
137019Sdes
92559Sdes	/*
92559Sdes	 * [log [logamount N]]	-- log, optional
147005Sdes	 *
92559Sdes	 * If exists, it goes first in the cmdbuf, but then it is
92559Sdes	 * skipped in the copy section to the end of the buffer.
92559Sdes	 */
192595Sdes	if (ac && !strncmp(*av, "log", strlen(*av))) {
147005Sdes		ipfw_insn_log *c = (ipfw_insn_log *)cmd;
92559Sdes		int l;
92559Sdes
92559Sdes		cmd->len = F_INSN_SIZE(ipfw_insn_log);
92559Sdes		cmd->opcode = O_LOG;
92559Sdes		av++; ac--;
192595Sdes		if (ac && !strncmp(*av, "logamount", strlen(*av))) {
92559Sdes			ac--; av++;
92559Sdes			NEED1("logamount requires argument");
192595Sdes			l = atoi(*av);
192595Sdes			if (l < 0)
92559Sdes				errx(EX_DATAERR, "logamount must be positive");
92559Sdes			c->max_log = l;
57429Smarkm			ac--; av++;
57429Smarkm		}
57429Smarkm		cmd = next_cmd(cmd);
57429Smarkm	}
57429Smarkm
162856Sdes	if (have_state)	/* must be a check-state, we are done */
147005Sdes		goto done;
76262Sgreen
57429Smarkm#define OR_START(target)					\
92559Sdes	if (ac && (*av[0] == '(' || *av[0] == '{')) {		\
76262Sgreen		if (open_par)					\
57429Smarkm			errx(EX_USAGE, "nested \"(\" not allowed\n"); \
60573Skris		prev = NULL;					\
147005Sdes		open_par = 1;					\
181111Sdes		if ( (av[0])[1] == '\0') {			\
181111Sdes			ac--; av++;				\
181111Sdes		} else						\
181111Sdes			(*av)++;				\
181111Sdes	}							\
181111Sdes	target:							\
181111Sdes
181111Sdes
181111Sdes#define	CLOSE_PAR						\
181111Sdes	if (open_par) {						\
181111Sdes		if (ac && (					\
181111Sdes		    !strncmp(*av, ")", strlen(*av)) ||		\
147005Sdes		    !strncmp(*av, "}", strlen(*av)) )) {	\
147005Sdes			prev = NULL;				\
60573Skris			open_par = 0;				\
60573Skris			ac--; av++;				\
98684Sdes		} else						\
60573Skris			errx(EX_USAGE, "missing \")\"\n");	\
60573Skris	}
76262Sgreen
76262Sgreen#define NOT_BLOCK						\
76262Sgreen	if (ac && !strncmp(*av, "not", strlen(*av))) {		\
76262Sgreen		if (cmd->len & F_NOT)				\
60573Skris			errx(EX_USAGE, "double \"not\" not allowed\n"); \
60573Skris		cmd->len |= F_NOT;				\
60573Skris		ac--; av++;					\
60573Skris	}
60573Skris
60573Skris#define OR_BLOCK(target)					\
60573Skris	if (ac && !strncmp(*av, "or", strlen(*av))) {		\
76262Sgreen		if (prev == NULL || open_par == 0)		\
76262Sgreen			errx(EX_DATAERR, "invalid OR block");	\
92559Sdes		prev->len |= F_OR;				\
76262Sgreen		ac--; av++;					\
76262Sgreen		goto target;					\
76262Sgreen	}							\
76262Sgreen	CLOSE_PAR;
76262Sgreen
76262Sgreen	first_cmd = cmd;
76262Sgreen
76262Sgreen#if 0
76262Sgreen	/*
76262Sgreen	 * MAC addresses, optional.
76262Sgreen	 * If we have this, we skip the part "proto from src to dst"
60573Skris	 * and jump straight to the option parsing.
76262Sgreen	 */
215116Sdes	NOT_BLOCK;
215116Sdes	NEED1("missing protocol");
215116Sdes	if (!strncmp(*av, "MAC", strlen(*av)) ||
76262Sgreen	    !strncmp(*av, "mac", strlen(*av))) {
76262Sgreen		ac--; av++;	/* the "MAC" keyword */
76262Sgreen		add_mac(cmd, ac, av); /* exits in case of errors */
76262Sgreen		cmd = next_cmd(cmd);
76262Sgreen		ac -= 2; av += 2;	/* dst-mac and src-mac */
162856Sdes		NOT_BLOCK;
57429Smarkm		NEED1("missing mac type");
57429Smarkm		if (add_mactype(cmd, ac, av[0]))
57429Smarkm			cmd = next_cmd(cmd);
137019Sdes		ac--; av++;	/* any or mac-type */
137019Sdes		goto read_options;
137019Sdes	}
137019Sdes#endif
147005Sdes
137019Sdes	/*
137019Sdes	 * protocol, mandatory
137019Sdes	 */
137019Sdes    OR_START(get_proto);
137019Sdes	NOT_BLOCK;
137019Sdes	NEED1("missing protocol");
137019Sdes	if (add_proto(cmd, *av)) {
137019Sdes		av++; ac--;
137019Sdes		if (F_LEN(cmd) == 0)	/* plain IP */
137019Sdes			proto = 0;
137019Sdes		else {
137019Sdes			proto = cmd->arg1;
137019Sdes			prev = cmd;
137019Sdes			cmd = next_cmd(cmd);
137019Sdes		}
137019Sdes	} else if (first_cmd != cmd) {
137019Sdes		errx(EX_DATAERR, "invalid protocol ``%s''", *av);
137019Sdes	} else
147005Sdes		goto read_options;
137019Sdes    OR_BLOCK(get_proto);
137019Sdes
137019Sdes	/*
137019Sdes	 * "from", mandatory
137019Sdes	 */
157019Sdes	if (!ac || strncmp(*av, "from", strlen(*av)))
137019Sdes		errx(EX_USAGE, "missing ``from''");
137019Sdes	ac--; av++;
137019Sdes
137019Sdes	/*
57429Smarkm	 * source IP, mandatory
57429Smarkm	 */
162856Sdes    OR_START(source_ip);
57429Smarkm	NOT_BLOCK;	/* optional "not" */
162856Sdes	NEED1("missing source address");
60573Skris	if (add_srcip(cmd, *av)) {
57429Smarkm		ac--; av++;
57429Smarkm		if (F_LEN(cmd) != 0) {	/* ! any */
162856Sdes			prev = cmd;
57429Smarkm			cmd = next_cmd(cmd);
57429Smarkm		}
57429Smarkm	}
57429Smarkm    OR_BLOCK(source_ip);
57429Smarkm
57429Smarkm	/*
57429Smarkm	 * source ports, optional
98941Sdes	 */
57429Smarkm	NOT_BLOCK;	/* optional "not" */
57429Smarkm	if (ac) {
57429Smarkm		if (!strncmp(*av, "any", strlen(*av)) ||
57429Smarkm		    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
57429Smarkm			ac--; av++;
124207Sdes			if (F_LEN(cmd) != 0)
124207Sdes				cmd = next_cmd(cmd);
124207Sdes		}
124207Sdes	}
124207Sdes
98941Sdes	/*
124207Sdes	 * "to", mandatory
76262Sgreen	 */
162856Sdes	if (!ac || strncmp(*av, "to", strlen(*av)))
147005Sdes		errx(EX_USAGE, "missing ``to''");
57429Smarkm	av++; ac--;
57429Smarkm
57429Smarkm	/*
162856Sdes	 * destination, mandatory
162856Sdes	 */
57429Smarkm    OR_START(dest_ip);
57429Smarkm	NOT_BLOCK;	/* optional "not" */
76262Sgreen	NEED1("missing dst address");
76262Sgreen	if (add_dstip(cmd, *av)) {
76262Sgreen		ac--; av++;
76262Sgreen		if (F_LEN(cmd) != 0) {	/* ! any */
76262Sgreen			prev = cmd;
76262Sgreen			cmd = next_cmd(cmd);
92559Sdes		}
76262Sgreen	}
76262Sgreen    OR_BLOCK(dest_ip);
76262Sgreen
76262Sgreen	/*
76262Sgreen	 * dest. ports, optional
76262Sgreen	 */
76262Sgreen	NOT_BLOCK;	/* optional "not" */
76262Sgreen	if (ac) {
76262Sgreen		if (!strncmp(*av, "any", strlen(*av)) ||
76262Sgreen		    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
215116Sdes			ac--; av++;
215116Sdes			if (F_LEN(cmd) != 0)
76262Sgreen				cmd = next_cmd(cmd);
76262Sgreen		}
76262Sgreen	}
76262Sgreen
76262Sgreenread_options:
76262Sgreen	if (ac && first_cmd == cmd) {
76262Sgreen		/*
162856Sdes		 * nothing specified so far, store in the rule to ease
162856Sdes		 * printout later.
162856Sdes		 */
162856Sdes		 rule->_pad = 1;
162856Sdes	}
215116Sdes	prev = NULL;
215116Sdes	while (ac) {
162856Sdes		char *s;
162856Sdes		ipfw_insn_u32 *cmd32;	/* alias for cmd */
162856Sdes
162856Sdes		s = *av;
162856Sdes		cmd32 = (ipfw_insn_u32 *)cmd;
162856Sdes
76262Sgreen		if (*s == '!') {	/* alternate syntax for NOT */
76262Sgreen			if (cmd->len & F_NOT)
76262Sgreen				errx(EX_USAGE, "double \"not\" not allowed\n");
76262Sgreen			cmd->len = F_NOT;
76262Sgreen			s++;
76262Sgreen		}
137019Sdes		i = match_token(rule_options, s);
137019Sdes		ac--; av++;
215116Sdes		switch(i) {
215116Sdes		case TOK_NOT:
215116Sdes			if (cmd->len & F_NOT)
215116Sdes				errx(EX_USAGE, "double \"not\" not allowed\n");
76262Sgreen			cmd->len = F_NOT;
162856Sdes			break;
76262Sgreen
162856Sdes		case TOK_OR:
162856Sdes			if (open_par == 0 || prev == NULL)
162856Sdes				errx(EX_USAGE, "invalid \"or\" block\n");
162856Sdes			prev->len |= F_OR;
162856Sdes			break;
162856Sdes
162856Sdes		case TOK_STARTBRACE:
162856Sdes			if (open_par)
215116Sdes				errx(EX_USAGE, "+nested \"(\" not allowed\n");
215116Sdes			open_par = 1;
215116Sdes			break;
215116Sdes
162856Sdes		case TOK_ENDBRACE:
76262Sgreen			if (!open_par)
76262Sgreen				errx(EX_USAGE, "+missing \")\"\n");
181111Sdes			open_par = 0;
181111Sdes			prev = NULL;
181111Sdes        		break;
181111Sdes
181111Sdes		case TOK_IN:
192595Sdes			fill_cmd(cmd, O_IN, 0, 0);
192595Sdes			break;
192595Sdes
192595Sdes		case TOK_OUT:
192595Sdes			cmd->len ^= F_NOT; /* toggle F_NOT */
181111Sdes			fill_cmd(cmd, O_IN, 0, 0);
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_FRAG:
192595Sdes			fill_cmd(cmd, O_FRAG, 0, 0);
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_LAYER2:
92559Sdes			fill_cmd(cmd, O_LAYER2, 0, 0);
181111Sdes			break;
60573Skris
181111Sdes		case TOK_XMIT:
60573Skris		case TOK_RECV:
60573Skris		case TOK_VIA:
181111Sdes			NEED1("recv, xmit, via require interface name"
181111Sdes				" or address");
181111Sdes			fill_iface((ipfw_insn_if *)cmd, av[0]);
60573Skris			ac--; av++;
181111Sdes			if (F_LEN(cmd) == 0)	/* not a valid address */
181111Sdes				break;
181111Sdes			if (i == TOK_XMIT)
181111Sdes				cmd->opcode = O_XMIT;
60573Skris			else if (i == TOK_RECV)
60573Skris				cmd->opcode = O_RECV;
181111Sdes			else if (i == TOK_VIA)
181111Sdes				cmd->opcode = O_VIA;
181111Sdes			break;
113911Sdes
113911Sdes		case TOK_ICMPTYPES:
113911Sdes			NEED1("icmptypes requires list of types");
60573Skris			fill_icmptypes((ipfw_insn_u32 *)cmd, *av);
60573Skris			av++; ac--;
137019Sdes			break;
137019Sdes
181111Sdes		case TOK_IPTTL:
181111Sdes			NEED1("ipttl requires TTL");
181111Sdes			if (strpbrk(*av, "-,")) {
181111Sdes			    if (!add_ports(cmd, *av, 0, O_IPTTL))
60573Skris				errx(EX_DATAERR, "invalid ipttl %s", *av);
181111Sdes			} else
60573Skris			    fill_cmd(cmd, O_IPTTL, 0, strtoul(*av, NULL, 0));
181111Sdes			ac--; av++;
76262Sgreen			break;
60573Skris
181111Sdes		case TOK_IPID:
181111Sdes			NEED1("ipid requires id");
181111Sdes			if (strpbrk(*av, "-,")) {
181111Sdes			    if (!add_ports(cmd, *av, 0, O_IPID))
181111Sdes				errx(EX_DATAERR, "invalid ipid %s", *av);
181111Sdes			} else
181111Sdes			    fill_cmd(cmd, O_IPID, 0, strtoul(*av, NULL, 0));
181111Sdes			ac--; av++;
60573Skris			break;
181111Sdes
181111Sdes		case TOK_IPLEN:
181111Sdes			NEED1("iplen requires length");
181111Sdes			if (strpbrk(*av, "-,")) {
181111Sdes			    if (!add_ports(cmd, *av, 0, O_IPLEN))
181111Sdes				errx(EX_DATAERR, "invalid ip len %s", *av);
181111Sdes			} else
181111Sdes			    fill_cmd(cmd, O_IPLEN, 0, strtoul(*av, NULL, 0));
181111Sdes			ac--; av++;
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_IPVER:
181111Sdes			NEED1("ipver requires version");
181111Sdes			fill_cmd(cmd, O_IPVER, 0, strtoul(*av, NULL, 0));
181111Sdes			ac--; av++;
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_IPPRECEDENCE:
181111Sdes			NEED1("ipprecedence requires value");
181111Sdes			fill_cmd(cmd, O_IPPRECEDENCE, 0,
181111Sdes			    (strtoul(*av, NULL, 0) & 7) << 5);
181111Sdes			ac--; av++;
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_IPOPTS:
181111Sdes			NEED1("missing argument for ipoptions");
181111Sdes			fill_flags(cmd, O_IPOPT, f_ipopts, *av);
181111Sdes			ac--; av++;
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_IPTOS:
60573Skris			NEED1("missing argument for iptos");
181111Sdes			fill_flags(cmd, O_IPTOS, f_iptos, *av);
181111Sdes			ac--; av++;
181111Sdes			break;
181111Sdes
181111Sdes		case TOK_UID:
181111Sdes			NEED1("uid requires argument");
181111Sdes		    {
181111Sdes			char *end;
181111Sdes			uid_t uid;
181111Sdes			struct passwd *pwd;
60573Skris
181111Sdes			cmd->opcode = O_UID;
181111Sdes			uid = strtoul(*av, &end, 0);
181111Sdes			pwd = (*end == '\0') ? getpwuid(uid) : getpwnam(*av);
181111Sdes			if (pwd == NULL)
60573Skris				errx(EX_DATAERR, "uid \"%s\" nonexistent", *av);
76262Sgreen			cmd32->d[0] = pwd->pw_uid;
181111Sdes			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
181111Sdes			ac--; av++;
76262Sgreen		    }
76262Sgreen			break;
76262Sgreen
181111Sdes		case TOK_GID:
137019Sdes			NEED1("gid requires argument");
181111Sdes		    {
76262Sgreen			char *end;
76262Sgreen			gid_t gid;
181111Sdes			struct group *grp;
181111Sdes
181111Sdes			cmd->opcode = O_GID;
76262Sgreen			gid = strtoul(*av, &end, 0);
76262Sgreen			grp = (*end == '\0') ? getgrgid(gid) : getgrnam(*av);
181111Sdes			if (grp == NULL)
76262Sgreen				errx(EX_DATAERR, "gid \"%s\" nonexistent", *av);
76262Sgreen			cmd32->d[0] = grp->gr_gid;
76262Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
181111Sdes			ac--; av++;
181111Sdes		    }
76262Sgreen			break;
162856Sdes
76262Sgreen		case TOK_ESTAB:
76262Sgreen			fill_cmd(cmd, O_ESTAB, 0, 0);
76262Sgreen			break;
76262Sgreen
137019Sdes		case TOK_SETUP:
137019Sdes			fill_cmd(cmd, O_TCPFLAGS, 0,
76262Sgreen				(TH_SYN) | ( (TH_ACK) & 0xff) <<8 );
76262Sgreen			break;
162856Sdes
76262Sgreen		case TOK_TCPOPTS:
162856Sdes			NEED1("missing argument for tcpoptions");
162856Sdes			fill_flags(cmd, O_TCPOPTS, f_tcpopts, *av);
162856Sdes			ac--; av++;
162856Sdes			break;
162856Sdes
162856Sdes		case TOK_TCPSEQ:
162856Sdes		case TOK_TCPACK:
162856Sdes			NEED1("tcpseq/tcpack requires argument");
76262Sgreen			cmd->len = F_INSN_SIZE(ipfw_insn_u32);
162856Sdes			cmd->opcode = (i == TOK_TCPSEQ) ? O_TCPSEQ : O_TCPACK;
162856Sdes			cmd32->d[0] = htonl(strtoul(*av, NULL, 0));
124207Sdes			ac--; av++;
76262Sgreen			break;
181111Sdes
76262Sgreen		case TOK_TCPWIN:
181111Sdes			NEED1("tcpwin requires length");
76262Sgreen			fill_cmd(cmd, O_TCPWIN, 0,
76262Sgreen			    htons(strtoul(*av, NULL, 0)));
137019Sdes			ac--; av++;
137019Sdes			break;
137019Sdes
137019Sdes		case TOK_TCPFLAGS:
137019Sdes			NEED1("missing argument for tcpflags");
137019Sdes			cmd->opcode = O_TCPFLAGS;
137019Sdes			fill_flags(cmd, O_TCPFLAGS, f_tcpflags, *av);
147005Sdes			ac--; av++;
137019Sdes			break;
137019Sdes
137019Sdes		case TOK_KEEPSTATE:
137019Sdes			if (open_par)
137019Sdes				errx(EX_USAGE, "keep-state cannot be part "
162856Sdes				    "of an or block");
162856Sdes			if (have_state)
162856Sdes				errx(EX_USAGE, "only one of keep-state "
162856Sdes					"and limit is allowed");
137019Sdes			have_state = cmd;
137019Sdes			fill_cmd(cmd, O_KEEP_STATE, 0, 0);
137019Sdes			break;
137019Sdes
92559Sdes		case TOK_LIMIT:
57429Smarkm			if (open_par)
57429Smarkm				errx(EX_USAGE, "limit cannot be part "
57429Smarkm				    "of an or block");
99063Sdes			if (have_state)
99063Sdes				errx(EX_USAGE, "only one of keep-state "
57429Smarkm					"and limit is allowed");
92559Sdes			NEED1("limit needs mask and # of connections");
92559Sdes			have_state = cmd;
149753Sdes		    {
57429Smarkm			ipfw_insn_limit *c = (ipfw_insn_limit *)cmd;
92559Sdes
57429Smarkm			cmd->len = F_INSN_SIZE(ipfw_insn_limit);
57429Smarkm			cmd->opcode = O_LIMIT;
57429Smarkm			c->limit_mask = 0;
57429Smarkm			c->conn_limit = 0;
57429Smarkm			for (; ac >1 ;) {
57429Smarkm				int val;
157019Sdes
157019Sdes				val = match_token(limit_masks, *av);
157019Sdes				if (val <= 0)
57429Smarkm					break;
92559Sdes				c->limit_mask |= val;
92559Sdes				ac--; av++;
57429Smarkm			}
57429Smarkm			c->conn_limit = atoi(*av);
57429Smarkm			if (c->conn_limit == 0)
92559Sdes				errx(EX_USAGE, "limit: limit must be >0");
57429Smarkm			if (c->limit_mask == 0)
57429Smarkm				errx(EX_USAGE, "missing limit mask");
57429Smarkm			ac--; av++;
181111Sdes		    }
92559Sdes			break;
57429Smarkm
57429Smarkm		case TOK_PROTO:
57429Smarkm			NEED1("missing protocol");
57429Smarkm			if (add_proto(cmd, *av)) {
124207Sdes				proto = cmd->arg1;
124207Sdes				ac--; av++;
57429Smarkm			} else
207319Sdes				errx(EX_DATAERR, "invalid protocol ``%s''",
207319Sdes				    *av);
207319Sdes			break;
207319Sdes
207319Sdes		case TOK_SRCIP:
98941Sdes			NEED1("missing source IP");
137019Sdes			if (add_srcip(cmd, *av)) {
98941Sdes				ac--; av++;
98941Sdes			}
98941Sdes			break;
98941Sdes
98941Sdes		case TOK_DSTIP:
98941Sdes			NEED1("missing destination IP");
57429Smarkm			if (add_dstip(cmd, *av)) {
204917Sdes				ac--; av++;
204917Sdes			}
181111Sdes			break;
181111Sdes
57429Smarkm		case TOK_SRCPORT:
124207Sdes			NEED1("missing source port");
57429Smarkm			if (!strncmp(*av, "any", strlen(*av)) ||
98941Sdes			    add_ports(cmd, *av, proto, O_IP_SRCPORT)) {
57429Smarkm				ac--; av++;
57429Smarkm			} else
57429Smarkm				errx(EX_DATAERR, "invalid source port %s", *av);
57429Smarkm			break;
57429Smarkm
57429Smarkm		case TOK_DSTPORT:
57429Smarkm			NEED1("missing destination port");
57429Smarkm			if (!strncmp(*av, "any", strlen(*av)) ||
57429Smarkm			    add_ports(cmd, *av, proto, O_IP_DSTPORT)) {
57429Smarkm				ac--; av++;
76262Sgreen			} else
57429Smarkm				errx(EX_DATAERR, "invalid destination port %s",
57429Smarkm				    *av);
57429Smarkm			break;
57429Smarkm
57429Smarkm		case TOK_MAC:
92559Sdes			if (add_mac(cmd, ac, av)) {
57429Smarkm				ac -= 2; av += 2;
57429Smarkm			}
57429Smarkm			break;
57429Smarkm
126273Sdes		case TOK_MACTYPE:
57429Smarkm			NEED1("missing mac type");
57429Smarkm			if (!add_mactype(cmd, ac, *av))
92559Sdes				errx(EX_DATAERR, "invalid mac type %s", *av);
57429Smarkm			ac--; av++;
57429Smarkm			break;
57429Smarkm
57429Smarkm		case TOK_VERREVPATH:
162856Sdes			fill_cmd(cmd, O_VERREVPATH, 0, 0);
57429Smarkm			break;
57429Smarkm
224638Sbrooks		case TOK_VERSRCREACH:
224638Sbrooks			fill_cmd(cmd, O_VERSRCREACH, 0, 0);
224638Sbrooks			break;
224638Sbrooks
224638Sbrooks		case TOK_IPSEC:
224638Sbrooks			fill_cmd(cmd, O_IPSEC, 0, 0);
224638Sbrooks			break;
224638Sbrooks
224638Sbrooks		case TOK_COMMENT:
224638Sbrooks			fill_comment(cmd, ac, av);
92559Sdes			av += ac;
157019Sdes			ac = 0;
57429Smarkm			break;
157019Sdes
57429Smarkm		default:
92559Sdes			errx(EX_USAGE, "unrecognised option [%d] %s\n", i, s);
99063Sdes		}
99063Sdes		if (F_LEN(cmd) > 0) {	/* prepare to advance */
57429Smarkm			prev = cmd;
57429Smarkm			cmd = next_cmd(cmd);
92559Sdes		}
192595Sdes	}
57429Smarkm
57429Smarkmdone:
57429Smarkm	/*
57429Smarkm	 * Now copy stuff into the rule.
92559Sdes	 * If we have a keep-state option, the first instruction
92559Sdes	 * must be a PROBE_STATE (which is generated here).
92559Sdes	 * If we have a LOG option, it was stored as the first command,
92559Sdes	 * and now must be moved to the top of the action part.
92559Sdes	 */
192595Sdes	dst = (ipfw_insn *)rule->cmd;
162856Sdes
92559Sdes	/*
92559Sdes	 * First thing to write into the command stream is the match probability.
57429Smarkm	 */
57429Smarkm	if (match_prob != 1) { /* 1 means always match */
57429Smarkm		dst->opcode = O_PROB;
57429Smarkm		dst->len = 2;
192595Sdes		*((int32_t *)(dst+1)) = (int32_t)(match_prob * 0x7fffffff);
192595Sdes		dst += dst->len;
192595Sdes	}
192595Sdes
192595Sdes	/*
192595Sdes	 * generate O_PROBE_STATE if necessary
192595Sdes	 */
192595Sdes	if (have_state && have_state->opcode != O_CHECK_STATE) {
60573Skris		fill_cmd(dst, O_PROBE_STATE, 0, 0);
60573Skris		dst = next_cmd(dst);
57429Smarkm	}
162856Sdes	/*
57429Smarkm	 * copy all commands but O_LOG, O_KEEP_STATE, O_LIMIT
60573Skris	 */
57429Smarkm	for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
57429Smarkm		i = F_LEN(src);
162856Sdes
57429Smarkm		switch (src->opcode) {
57429Smarkm		case O_LOG:
57429Smarkm		case O_KEEP_STATE:
57429Smarkm		case O_LIMIT:
57429Smarkm			break;
60573Skris		default:
57429Smarkm			bcopy(src, dst, i * sizeof(uint32_t));
57429Smarkm			dst += i;
57429Smarkm		}
57429Smarkm	}
57429Smarkm
57429Smarkm	/*
192595Sdes	 * put back the have_state command as last opcode
192595Sdes	 */
192595Sdes	if (have_state && have_state->opcode != O_CHECK_STATE) {
192595Sdes		i = F_LEN(have_state);
192595Sdes		bcopy(have_state, dst, i * sizeof(uint32_t));
192595Sdes		dst += i;
192595Sdes	}
192595Sdes	/*
192595Sdes	 * start action section
192595Sdes	 */
192595Sdes	rule->act_ofs = dst - rule->cmd;
57429Smarkm
57429Smarkm	/*
57429Smarkm	 * put back O_LOG if necessary
57429Smarkm	 */
57429Smarkm	src = (ipfw_insn *)cmdbuf;
57429Smarkm	if (src->opcode == O_LOG) {
57429Smarkm		i = F_LEN(src);
162856Sdes		bcopy(src, dst, i * sizeof(uint32_t));
57429Smarkm		dst += i;
92559Sdes	}
60573Skris	/*
57429Smarkm	 * copy all other actions
57429Smarkm	 */
57429Smarkm	for (src = (ipfw_insn *)actbuf; src != action; src += i) {
57429Smarkm		i = F_LEN(src);
60573Skris		bcopy(src, dst, i * sizeof(uint32_t));
57429Smarkm		dst += i;
57429Smarkm	}
60573Skris
57429Smarkm	rule->cmd_len = (uint32_t *)dst - (uint32_t *)(rule->cmd);
57429Smarkm	i = (char *)dst - (char *)rule;
57429Smarkm	if (do_cmd(IP_FW_ADD, rule, (uintptr_t)&i) == -1)
57429Smarkm		err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
57429Smarkm	if (!do_quiet)
92559Sdes		show_ipfw(rule, 0, 0);
57429Smarkm}
57429Smarkm
57429Smarkmstatic void
60573Skriszero(int ac, char *av[], int optname /* IP_FW_ZERO or IP_FW_RESETLOG */)
57429Smarkm{
57429Smarkm	int rulenum;
57429Smarkm	int failed = EX_OK;
162856Sdes	char const *name = optname == IP_FW_ZERO ?  "ZERO" : "RESETLOG";
57429Smarkm
92559Sdes	av++; ac--;
60573Skris
57429Smarkm	if (!ac) {
57429Smarkm		/* clear all entries */
57429Smarkm		if (do_cmd(optname, NULL, 0) < 0)
57429Smarkm			err(EX_UNAVAILABLE, "setsockopt(IP_FW_%s)", name);
57429Smarkm		if (!do_quiet)
57429Smarkm			printf("%s.\n", optname == IP_FW_ZERO ?
162856Sdes			    "Accounting cleared":"Logging counts reset");
57429Smarkm
181111Sdes		return;
181111Sdes	}
60573Skris
57429Smarkm	while (ac) {
57429Smarkm		/* Rule number */
57429Smarkm		if (isdigit(**av)) {
124207Sdes			rulenum = atoi(*av);
57429Smarkm			av++;
124207Sdes			ac--;
60573Skris			if (do_cmd(optname, &rulenum, sizeof rulenum)) {
60573Skris				warn("rule %u: setsockopt(IP_FW_%s)",
60573Skris				    rulenum, name);
60573Skris				failed = EX_UNAVAILABLE;
162856Sdes			} else if (!do_quiet)
60573Skris				printf("Entry %d %s.\n", rulenum,
60573Skris				    optname == IP_FW_ZERO ?
60573Skris					"cleared" : "logging count reset");
60573Skris		} else {
60573Skris			errx(EX_USAGE, "invalid rule number ``%s''", *av);
60573Skris		}
57429Smarkm	}
57429Smarkm	if (failed != EX_OK)
57429Smarkm		exit(failed);
162856Sdes}
57429Smarkm
60573Skrisstatic void
57429Smarkmflush(int force)
92559Sdes{
60573Skris	int cmd = do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH;
60573Skris
57429Smarkm	if (!force && !do_quiet) { /* need to ask user */
60573Skris		int c;
60573Skris
60573Skris		printf("Are you sure? [yn] ");
60573Skris		fflush(stdout);
60573Skris		do {
57429Smarkm			c = toupper(getc(stdin));
162856Sdes			while (c != '\n' && getc(stdin) != '\n')
60573Skris				if (feof(stdin))
92559Sdes					return; /* and do not flush */
60573Skris		} while (c != 'Y' && c != 'N');
92559Sdes		printf("\n");
92559Sdes		if (c == 'N')	/* user said no */
60573Skris			return;
57429Smarkm	}
92559Sdes	if (do_cmd(cmd, NULL, 0) < 0)
57429Smarkm		err(EX_UNAVAILABLE, "setsockopt(IP_%s_FLUSH)",
92559Sdes		    do_pipe ? "DUMMYNET" : "FW");
92559Sdes	if (!do_quiet)
92559Sdes		printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
92559Sdes}
60573Skris
60573Skris/*
60573Skris * Free a the (locally allocated) copy of command line arguments.
92559Sdes */
60573Skrisstatic void
60573Skrisfree_args(int ac, char **av)
60573Skris{
92559Sdes	int i;
92559Sdes
92559Sdes	for (i=0; i < ac; i++)
92559Sdes		free(av[i]);
92559Sdes	free(av);
92559Sdes}
92559Sdes
92559Sdes/*
124207Sdes * Called with the arguments (excluding program name).
92559Sdes * Returns 0 if successful, 1 if empty command, errx() in case of errors.
60573Skris */
60573Skrisstatic int
92559Sdesipfw_main(int oldac, char **oldav)
60573Skris{
60573Skris	int ch, ac, save_ac;
60573Skris	char **av, **save_av;
92559Sdes	int do_acct = 0;		/* Show packet/byte count */
92559Sdes
60573Skris#define WHITESP		" \t\f\v\n\r"
92559Sdes	if (oldac == 0)
57429Smarkm		return 1;
57429Smarkm	else if (oldac == 1) {
69587Sgreen		/*
162856Sdes		 * If we are called with a single string, try to split it into
69587Sgreen		 * arguments for subsequent parsing.
92559Sdes		 * But first, remove spaces after a ',', by copying the string
69587Sgreen		 * in-place.
69587Sgreen		 */
106130Sdes		char *arg = oldav[0];	/* The string... */
92559Sdes		int l = strlen(arg);
69587Sgreen		int copy = 0;		/* 1 if we need to copy, 0 otherwise */
69587Sgreen		int i, j;
69587Sgreen		for (i = j = 0; i < l; i++) {
69587Sgreen			if (arg[i] == '#')	/* comment marker */
69587Sgreen				break;
69587Sgreen			if (copy) {
69587Sgreen				arg[j++] = arg[i];
92559Sdes				copy = !index("," WHITESP, arg[i]);
69587Sgreen			} else {
69587Sgreen				copy = !index(WHITESP, arg[i]);
157019Sdes				if (copy)
69587Sgreen					arg[j++] = arg[i];
69587Sgreen			}
69587Sgreen		}
69587Sgreen		if (!copy && j > 0)	/* last char was a 'blank', remove it */
69587Sgreen			j--;
57429Smarkm		l = j;			/* the new argument length */
57429Smarkm		arg[j++] = '\0';
57429Smarkm		if (l == 0)		/* empty string! */
92559Sdes			return 1;
57429Smarkm
60573Skris		/*
149753Sdes		 * First, count number of arguments. Because of the previous
226046Sdes		 * processing, this is just the number of blanks plus 1.
57429Smarkm		 */
76262Sgreen		for (i = 0, ac = 1; i < l; i++)
149753Sdes			if (index(WHITESP, arg[i]) != NULL)
57429Smarkm				ac++;
57429Smarkm
57429Smarkm		av = calloc(ac, sizeof(char *));
137019Sdes
57429Smarkm		/*
149753Sdes		 * Second, copy arguments from cmd[] to av[]. For each one,
149753Sdes		 * j is the initial character, i is the one past the end.
149753Sdes		 */
149753Sdes		for (ac = 0, i = j = 0; i < l; i++)
149753Sdes			if (index(WHITESP, arg[i]) != NULL || i == l-1) {
149753Sdes				if (i == l-1)
149753Sdes					i++;
149753Sdes				av[ac] = calloc(i-j+1, 1);
162856Sdes				bcopy(arg+j, av[ac], i-j);
57429Smarkm				ac++;
57429Smarkm				j = i + 1;
57429Smarkm			}
162856Sdes	} else {
57429Smarkm		/*
57429Smarkm		 * If an argument ends with ',' join with the next one.
57429Smarkm		 */
149753Sdes		int first, i, l;
149753Sdes
149753Sdes		av = calloc(oldac, sizeof(char *));
149753Sdes		for (first = i = ac = 0, l = 0; i < oldac; i++) {
149753Sdes			char *arg = oldav[i];
149753Sdes			int k = strlen(arg);
149753Sdes
149753Sdes			l += k;
149753Sdes			if (arg[k-1] != ',' || i == oldac-1) {
149753Sdes				/* Time to copy. */
149753Sdes				av[ac] = calloc(l+1, 1);
149753Sdes				for (l=0; first <= i; first++) {
149753Sdes					strcat(av[ac]+l, oldav[first]);
149753Sdes					l += strlen(oldav[first]);
149753Sdes				}
149753Sdes				ac++;
149753Sdes				l = 0;
149753Sdes				first = i+1;
149753Sdes			}
149753Sdes		}
149753Sdes	}
57429Smarkm
57429Smarkm	/* Set the force flag for non-interactive processes */
57429Smarkm	if (!do_force)
149753Sdes		do_force = !isatty(STDIN_FILENO);
57429Smarkm
57429Smarkm	/* Save arguments for final freeing of memory. */
60573Skris	save_ac = ac;
226046Sdes	save_av = av;
60573Skris
60573Skris	optind = optreset = 0;
60573Skris	while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
60573Skris		switch (ch) {
60573Skris		case 'a':
60573Skris			do_acct = 1;
57429Smarkm			break;
57429Smarkm
57429Smarkm		case 'b':
57429Smarkm			comment_only = 1;
57429Smarkm			do_compact = 1;
57429Smarkm			break;
92559Sdes
92559Sdes		case 'c':
92559Sdes			do_compact = 1;
57429Smarkm			break;
57429Smarkm
60573Skris		case 'd':
92559Sdes			do_dynamic = 1;
57429Smarkm			break;
57429Smarkm
57429Smarkm		case 'e':
57429Smarkm			do_expired = 1;
57429Smarkm			break;

		case 'f':
			do_force = 1;
			break;

		case 'h': /* help */
			free_args(save_ac, save_av);
			help();
			break;	/* NOTREACHED */

		case 'n':
			test_only = 1;
			break;

		case 'N':
			do_resolv = 1;
			break;

		case 'q':
			do_quiet = 1;
			break;

		case 's': /* sort */
			do_sort = atoi(optarg);
			break;

		case 'S':
			show_sets = 1;
			break;

		case 't':
			do_time = 1;
			break;

		case 'T':
			do_time = 2;	/* numeric timestamp */
			break;

		case 'v': /* verbose */
			verbose = 1;
			break;

		default:
			free_args(save_ac, save_av);
			return 1;
		}

	ac -= optind;
	av += optind;
	NEED1("bad arguments, for usage summary ``ipfw''");

	/*
	 * An undocumented behaviour of ipfw1 was to allow rule numbers first,
	 * e.g. "100 add allow ..." instead of "add 100 allow ...".
	 * In case, swap first and second argument to get the normal form.
	 */
	if (ac > 1 && isdigit(*av[0])) {
		char *p = av[0];

		av[0] = av[1];
		av[1] = p;
	}

	/*
	 * optional: pipe or queue
	 */
	do_pipe = 0;
	if (!strncmp(*av, "pipe", strlen(*av)))
		do_pipe = 1;
	else if (!strncmp(*av, "queue", strlen(*av)))
		do_pipe = 2;
	if (do_pipe) {
		ac--;
		av++;
	}
	NEED1("missing command");

	/*
	 * For pipes and queues we normally say 'pipe NN config'
	 * but the code is easier to parse as 'pipe config NN'
	 * so we swap the two arguments.
	 */
	if (do_pipe > 0 && ac > 1 && isdigit(*av[0])) {
		char *p = av[0];

		av[0] = av[1];
		av[1] = p;
	}

	if (!strncmp(*av, "add", strlen(*av)))
		add(ac, av);
	else if (do_pipe && !strncmp(*av, "config", strlen(*av)))
		config_pipe(ac, av);
	else if (!strncmp(*av, "delete", strlen(*av)))
		delete(ac, av);
	else if (!strncmp(*av, "flush", strlen(*av)))
		flush(do_force);
	else if (!strncmp(*av, "zero", strlen(*av)))
		zero(ac, av, IP_FW_ZERO);
	else if (!strncmp(*av, "resetlog", strlen(*av)))
		zero(ac, av, IP_FW_RESETLOG);
	else if (!strncmp(*av, "print", strlen(*av)) ||
	         !strncmp(*av, "list", strlen(*av)))
		list(ac, av, do_acct);
	else if (!strncmp(*av, "set", strlen(*av)))
		sets_handler(ac, av);
	else if (!strncmp(*av, "enable", strlen(*av)))
		sysctl_handler(ac, av, 1);
	else if (!strncmp(*av, "disable", strlen(*av)))
		sysctl_handler(ac, av, 0);
	else if (!strncmp(*av, "show", strlen(*av)))
		list(ac, av, 1 /* show counters */);
	else
		errx(EX_USAGE, "bad command `%s'", *av);

	/* Free memory allocated in the argument parsing. */
	free_args(save_ac, save_av);
	return 0;
}


static void
ipfw_readfile(int ac, char *av[])
{
#define MAX_ARGS	32
	char	buf[BUFSIZ];
	char	*cmd = NULL, *filename = av[ac-1];
	int	c, lineno=0;
	FILE	*f = NULL;
	pid_t	preproc = 0;

	filename = av[ac-1];

	while ((c = getopt(ac, av, "cfNnp:qS")) != -1) {
		switch(c) {
		case 'c':
			do_compact = 1;
			break;

		case 'f':
			do_force = 1;
			break;

		case 'N':
			do_resolv = 1;
			break;

		case 'n':
			test_only = 1;
			break;

		case 'p':
			cmd = optarg;
			/*
			 * Skip previous args and delete last one, so we
			 * pass all but the last argument to the preprocessor
			 * via av[optind-1]
			 */
			av += optind - 1;
			ac -= optind - 1;
			av[ac-1] = NULL;
			fprintf(stderr, "command is %s\n", av[0]);
			break;

		case 'q':
			do_quiet = 1;
			break;

		case 'S':
			show_sets = 1;
			break;

		default:
			errx(EX_USAGE, "bad arguments, for usage"
			     " summary ``ipfw''");
		}

		if (cmd != NULL)
			break;
	}

	if (cmd == NULL && ac != optind + 1) {
		fprintf(stderr, "ac %d, optind %d\n", ac, optind);
		errx(EX_USAGE, "extraneous filename arguments");
	}

	if ((f = fopen(filename, "r")) == NULL)
		err(EX_UNAVAILABLE, "fopen: %s", filename);

	if (cmd != NULL) {			/* pipe through preprocessor */
		int pipedes[2];

		if (pipe(pipedes) == -1)
			err(EX_OSERR, "cannot create pipe");

		preproc = fork();
		if (preproc == -1)
			err(EX_OSERR, "cannot fork");

		if (preproc == 0) {
			/*
			 * Child, will run the preprocessor with the
			 * file on stdin and the pipe on stdout.
			 */
			if (dup2(fileno(f), 0) == -1
			    || dup2(pipedes[1], 1) == -1)
				err(EX_OSERR, "dup2()");
			fclose(f);
			close(pipedes[1]);
			close(pipedes[0]);
			execvp(cmd, av);
			err(EX_OSERR, "execvp(%s) failed", cmd);
		} else { /* parent, will reopen f as the pipe */
			fclose(f);
			close(pipedes[1]);
			if ((f = fdopen(pipedes[0], "r")) == NULL) {
				int savederrno = errno;

				(void)kill(preproc, SIGTERM);
				errno = savederrno;
				err(EX_OSERR, "fdopen()");
			}
		}
	}

	while (fgets(buf, BUFSIZ, f)) {		/* read commands */
		char linename[10];
		char *args[1];

		lineno++;
		sprintf(linename, "Line %d", lineno);
		setprogname(linename); /* XXX */
		args[0] = buf;
		ipfw_main(1, args);
	}
	fclose(f);
	if (cmd != NULL) {
		int status;

		if (waitpid(preproc, &status, 0) == -1)
			errx(EX_OSERR, "waitpid()");
		if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
			errx(EX_UNAVAILABLE,
			    "preprocessor exited with status %d",
			    WEXITSTATUS(status));
		else if (WIFSIGNALED(status))
			errx(EX_UNAVAILABLE,
			    "preprocessor exited with signal %d",
			    WTERMSIG(status));
	}
}

int
main(int ac, char *av[])
{
	/*
	 * If the last argument is an absolute pathname, interpret it
	 * as a file to be preprocessed.
	 */

	if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
		ipfw_readfile(ac, av);
	else {
		if (ipfw_main(ac-1, av+1))
			show_usage();
	}
	return EX_OK;
}