ipfw2.h revision 190633
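/*
 * Copyright (c) 2002-2003 Luigi Rizzo
 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
 * Copyright (c) 1994 Ugen J.S.Antsilevich
 *
 * Idea and grammar partially left from:
 * Copyright (c) 1993 Daniel Boulet
 *
 * Redistribution and use in source forms, with and without modification,
 * are permitted provided that this entire comment appears intact.
 *
 * Redistribution in binary form may occur without any restrictions.
 * Obviously, it would be nice if you gave credit where credit is due
 * but requiring it would be too onerous.
 *
 * This software is provided ``AS IS'' without any warranties of any kind.
 *
 * NEW command line interface for IP firewall facility
 *
 * $FreeBSD: head/sbin/ipfw/ipfw2.h 190633 2009-04-01 20:23:47Z piso $
 */

#ifndef IPFW2_H
#define IPFW2_H

/*
 * This header is meant to be self-contained: it only needs the C99
 * fixed-width integer types and size_t.  Everything from the kernel
 * side (ip_fw.h, netinet) is forward-declared below instead of
 * included, so that the .c files decide which heavy headers they pull.
 */
#include <stddef.h>
#include <stdint.h>

/*
 * Options that can be set on the command line.
 * When reading commands from a file, a subset of the options can also
 * be applied globally by specifying them before the file name.
 * After that, each line can contain its own option that changes
 * the global value.
 * XXX The context is not restored after each line: an option given on
 * one line of a command file stays in effect for the lines that follow.
 */

struct cmdline_opts {
	/* boolean options: */
	int	do_value_as_ip;	/* show table value as IP */
	int	do_resolv;	/* try to resolve all ip to names */
	int	do_time;	/* Show time stamps */
	int	do_quiet;	/* Be quiet in add and flush */
	int	do_pipe;	/* this cmd refers to a pipe */
	int	do_nat;		/* this cmd refers to a nat config */
	int	do_dynamic;	/* display dynamic rules */
	int	do_expired;	/* display expired dynamic rules */
	int	do_compact;	/* show rules in compact mode */
	int	do_force;	/* do not ask for confirmation */
	int	show_sets;	/* display the set each rule belongs to */
	int	test_only;	/* only check syntax */
	int	comment_only;	/* only print action and comment */
	int	verbose;	/* be verbose on some commands */

	/* The options below can have multiple values. */

	int	do_sort;	/* field to sort results (0 = no) */
				/* valid fields are 1 and above */

	int	use_set;	/* work with specified set number */
				/* 0 means all sets, otherwise apply to set use_set - 1 */

};

/* The single global instance of the options; defined in ipfw2.c. */
extern struct cmdline_opts co;

/*
 * _s_x is a structure that stores a string <-> token pairs, used in
 * various places in the parser. Entries are stored in arrays,
 * with an entry with s=NULL as terminator.
 * The search routines are match_token() and match_value().
 * Often, an element with x=0 contains an error string, which is why
 * TOK_NULL below must keep the value 0.
 */
struct _s_x {
	char const *s;
	int x;
};

/*
 * Parser tokens.  TOK_NULL must remain 0 (see the _s_x note above);
 * the remaining values are only used positionally through _s_x
 * tables, so their exact numbers are not part of any external ABI.
 */
enum tokens {
	TOK_NULL=0,

	TOK_OR,
	TOK_NOT,
	TOK_STARTBRACE,
	TOK_ENDBRACE,

	TOK_ACCEPT,
	TOK_COUNT,
	TOK_PIPE,
	TOK_QUEUE,
	TOK_DIVERT,
	TOK_TEE,
	TOK_NETGRAPH,
	TOK_NGTEE,
	TOK_FORWARD,
	TOK_SKIPTO,
	TOK_DENY,
	TOK_REJECT,
	TOK_RESET,
	TOK_UNREACH,
	TOK_CHECKSTATE,
	TOK_NAT,
	TOK_REASS,

	TOK_ALTQ,
	TOK_LOG,
	TOK_TAG,
	TOK_UNTAG,

	TOK_TAGGED,
	TOK_UID,
	TOK_GID,
	TOK_JAIL,
	TOK_IN,
	TOK_LIMIT,
	TOK_KEEPSTATE,
	TOK_LAYER2,
	TOK_OUT,
	TOK_DIVERTED,
	TOK_DIVERTEDLOOPBACK,
	TOK_DIVERTEDOUTPUT,
	TOK_XMIT,
	TOK_RECV,
	TOK_VIA,
	TOK_FRAG,
	TOK_IPOPTS,
	TOK_IPLEN,
	TOK_IPID,
	TOK_IPPRECEDENCE,
	TOK_IPTOS,
	TOK_IPTTL,
	TOK_IPVER,
	TOK_ESTAB,
	TOK_SETUP,
	TOK_TCPDATALEN,
	TOK_TCPFLAGS,
	TOK_TCPOPTS,
	TOK_TCPSEQ,
	TOK_TCPACK,
	TOK_TCPWIN,
	TOK_ICMPTYPES,
	TOK_MAC,
	TOK_MACTYPE,
	TOK_VERREVPATH,
	TOK_VERSRCREACH,
	TOK_ANTISPOOF,
	TOK_IPSEC,
	TOK_COMMENT,

	TOK_PLR,
	TOK_NOERROR,
	TOK_BUCKETS,
	TOK_DSTIP,
	TOK_SRCIP,
	TOK_DSTPORT,
	TOK_SRCPORT,
	TOK_ALL,
	TOK_MASK,
	TOK_BW,
	TOK_DELAY,
	TOK_RED,
	TOK_GRED,
	TOK_DROPTAIL,
	TOK_PROTO,
	TOK_WEIGHT,
	TOK_IP,
	TOK_IF,
	TOK_ALOG,
	TOK_DENY_INC,
	TOK_SAME_PORTS,
	TOK_UNREG_ONLY,
	TOK_RESET_ADDR,
	TOK_ALIAS_REV,
	TOK_PROXY_ONLY,
	TOK_REDIR_ADDR,
	TOK_REDIR_PORT,
	TOK_REDIR_PROTO,

	TOK_IPV6,
	TOK_FLOWID,
	TOK_ICMP6TYPES,
	TOK_EXT6HDR,
	TOK_DSTIP6,
	TOK_SRCIP6,

	TOK_IPV4,
	TOK_UNREACH6,
	TOK_RESET6,

	TOK_FIB,
	TOK_SETFIB,
};

/*
 * The following macro aborts the program with a usage error if we run
 * out of arguments.  It relies on an `int ac' (remaining argument
 * count) being in scope at the expansion site, and on the expanding
 * translation unit having included <err.h> and <sysexits.h>.
 *
 * It is a do { } while (0) block so that it can be used as a single
 * statement, including as the `then' branch of an if/else.  The
 * message is passed through "%s" rather than used as the format
 * itself, so a literal '%' in msg is printed instead of being
 * interpreted by errx(3).
 */
#define NEED1(msg)	do {						\
	if (!ac)							\
		errx(EX_USAGE, "%s", msg);				\
} while (0)

/* Read a 64-bit counter through a pointer that may be unaligned. */
unsigned long long align_uint64(const uint64_t *pll);

/*
 * Memory allocation support.  These wrappers are expected never to
 * return NULL to the caller; see ipfw2.c for the failure policy.
 * realloc semantics apply to safe_realloc: ptr may be NULL.
 */
void *safe_calloc(size_t number, size_t size);
void *safe_realloc(void *ptr, size_t size);

/* string comparison functions used for historical compatibility */
int _substrcmp(const char *str1, const char* str2);
int _substrcmp2(const char *str1, const char* str2, const char* str3);

/*
 * Utility functions.
 * match_token() looks up `string' in a NULL-terminated _s_x table and
 * returns the associated x; match_value() does the reverse lookup and
 * returns the string for `value'.
 */
int match_token(struct _s_x *table, char *string);
char const *match_value(struct _s_x *p, int value);

/*
 * Issue a firewall control request; optname/optval/optlen mirror the
 * socket-option arguments.  The actual call is made in ipfw2.c.
 */
int do_cmd(int optname, void *optval, uintptr_t optlen);

struct in6_addr;
/* Build an IPv6 mask of n leading one bits into *mask. */
void n2mask(struct in6_addr *mask, int n);
/* Inspect a len-bit mask at p for contiguous leading ones (see ipfw2.c). */
int contigmask(uint8_t *p, int len);

/*
 * Forward declarations to avoid include way too many headers.
 * C does not allow duplicated typedefs, so we use the base struct
 * that the typedef points to.
 * Should the typedefs use a different type, the compiler will
 * still detect the change when compiling the body of the
 * functions involved, so we do not lose error checking.
 */
struct _ipfw_insn;
struct _ipfw_insn_altq;
struct _ipfw_insn_u32;
struct _ipfw_insn_ip6;
struct _ipfw_insn_icmp6;

/*
 * The reserved set number. This is a constant in ip_fw.h
 * but we store it in a variable so other files do not depend
 * on that header just for one constant.
 */
extern int resvd_set_number;

/* first-level command handlers */
void ipfw_add(int ac, char *av[]);
void ipfw_show_nat(int ac, char **av);
void ipfw_config_pipe(int ac, char **av);
void ipfw_config_nat(int ac, char **av);
void ipfw_sets_handler(int ac, char *av[]);
void ipfw_table_handler(int ac, char *av[]);
void ipfw_sysctl_handler(int ac, char *av[], int which);
void ipfw_delete(int ac, char *av[]);
void ipfw_flush(int force);
void ipfw_zero(int ac, char *av[], int optname);
void ipfw_list(int ac, char *av[], int show_counters);

/*
 * altq.c
 * Types are spelled with their C99 names; uint32_t is the same type
 * as the BSD u_int32_t used in the definitions.
 */
void altq_set_enabled(int enabled);
uint32_t altq_name_to_qid(const char *name);

void print_altq_cmd(struct _ipfw_insn_altq *altqptr);

/* dummynet.c (unsigned int is the same type as the BSD `uint') */
void ipfw_list_pipes(void *data, unsigned int nbytes, int ac, char *av[]);
int ipfw_delete_pipe(int pipe_or_queue, int n);

/* ipv6.c (unsigned short is the same type as the BSD `u_short') */
void print_unreach6_code(uint16_t code);
void print_ip6(struct _ipfw_insn_ip6 *cmd, char const *s);
void print_flow6id(struct _ipfw_insn_u32 *cmd);
void print_icmp6types(struct _ipfw_insn_u32 *cmd);
void print_ext6hdr(struct _ipfw_insn *cmd );

struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av);
struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av);

void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av );
void fill_unreach6_code(unsigned short *codep, char *str);
void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av);
int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);

#endif /* IPFW2_H */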