ipfw2.h revision 190633 
1/*
2 * Copyright (c) 2002-2003 Luigi Rizzo
3 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
4 * Copyright (c) 1994 Ugen J.S.Antsilevich
5 *
6 * Idea and grammar partially left from:
7 * Copyright (c) 1993 Daniel Boulet
8 *
9 * Redistribution and use in source forms, with and without modification,
10 * are permitted provided that this entire comment appears intact.
11 *
12 * Redistribution in binary form may occur without any restrictions.
13 * Obviously, it would be nice if you gave credit where credit is due
14 * but requiring it would be too onerous.
15 *
16 * This software is provided ``AS IS'' without any warranties of any kind.
17 *
18 * NEW command line interface for IP firewall facility
19 *
20 * $FreeBSD: head/sbin/ipfw/ipfw2.h 190633 2009-04-01 20:23:47Z piso $
21 */
22
23/*
24 * Options that can be set on the command line.
25 * When reading commands from a file, a subset of the options can also
26 * be applied globally by specifying them before the file name.
27 * After that, each line can contain its own option that changes
28 * the global value.
29 * XXX The context is not restored after each line.
30 */
31
32struct cmdline_opts {
33	/* boolean options: */
34	int	do_value_as_ip;	/* show table value as IP */
35	int	do_resolv;	/* try to resolve all ip to names */
36	int	do_time;	/* Show time stamps */
37	int	do_quiet;	/* Be quiet in add and flush */
38	int	do_pipe;	/* this cmd refers to a pipe */
39	int	do_nat; 	/* this cmd refers to a nat config */
40	int	do_dynamic;	/* display dynamic rules */
41	int	do_expired;	/* display expired dynamic rules */
42	int	do_compact;	/* show rules in compact mode */
43	int	do_force;	/* do not ask for confirmation */
44	int	show_sets;	/* display the set each rule belongs to */
45	int	test_only;	/* only check syntax */
46	int	comment_only;	/* only print action and comment */
47	int	verbose;	/* be verbose on some commands */
48
49	/* The options below can have multiple values. */
50
51	int	do_sort;	/* field to sort results (0 = no) */
52		/* valid fields are 1 and above */
53
54	int	use_set;	/* work with specified set number */
55		/* 0 means all sets, otherwise apply to set use_set - 1 */
56
57};
58
59extern struct cmdline_opts co;
60
61/*
62 * _s_x is a structure that stores a string <-> token pairs, used in
63 * various places in the parser. Entries are stored in arrays,
64 * with an entry with s=NULL as terminator.
65 * The search routines are match_token() and match_value().
66 * Often, an element with x=0 contains an error string.
67 *
68 */
69struct _s_x {
70	char const *s;
71	int x;
72};
73
74enum tokens {
75	TOK_NULL=0,
76
77	TOK_OR,
78	TOK_NOT,
79	TOK_STARTBRACE,
80	TOK_ENDBRACE,
81
82	TOK_ACCEPT,
83	TOK_COUNT,
84	TOK_PIPE,
85	TOK_QUEUE,
86	TOK_DIVERT,
87	TOK_TEE,
88	TOK_NETGRAPH,
89	TOK_NGTEE,
90	TOK_FORWARD,
91	TOK_SKIPTO,
92	TOK_DENY,
93	TOK_REJECT,
94	TOK_RESET,
95	TOK_UNREACH,
96	TOK_CHECKSTATE,
97	TOK_NAT,
98	TOK_REASS,
99
100	TOK_ALTQ,
101	TOK_LOG,
102	TOK_TAG,
103	TOK_UNTAG,
104
105	TOK_TAGGED,
106	TOK_UID,
107	TOK_GID,
108	TOK_JAIL,
109	TOK_IN,
110	TOK_LIMIT,
111	TOK_KEEPSTATE,
112	TOK_LAYER2,
113	TOK_OUT,
114	TOK_DIVERTED,
115	TOK_DIVERTEDLOOPBACK,
116	TOK_DIVERTEDOUTPUT,
117	TOK_XMIT,
118	TOK_RECV,
119	TOK_VIA,
120	TOK_FRAG,
121	TOK_IPOPTS,
122	TOK_IPLEN,
123	TOK_IPID,
124	TOK_IPPRECEDENCE,
125	TOK_IPTOS,
126	TOK_IPTTL,
127	TOK_IPVER,
128	TOK_ESTAB,
129	TOK_SETUP,
130	TOK_TCPDATALEN,
131	TOK_TCPFLAGS,
132	TOK_TCPOPTS,
133	TOK_TCPSEQ,
134	TOK_TCPACK,
135	TOK_TCPWIN,
136	TOK_ICMPTYPES,
137	TOK_MAC,
138	TOK_MACTYPE,
139	TOK_VERREVPATH,
140	TOK_VERSRCREACH,
141	TOK_ANTISPOOF,
142	TOK_IPSEC,
143	TOK_COMMENT,
144
145	TOK_PLR,
146	TOK_NOERROR,
147	TOK_BUCKETS,
148	TOK_DSTIP,
149	TOK_SRCIP,
150	TOK_DSTPORT,
151	TOK_SRCPORT,
152	TOK_ALL,
153	TOK_MASK,
154	TOK_BW,
155	TOK_DELAY,
156	TOK_RED,
157	TOK_GRED,
158	TOK_DROPTAIL,
159	TOK_PROTO,
160	TOK_WEIGHT,
161	TOK_IP,
162	TOK_IF,
163 	TOK_ALOG,
164 	TOK_DENY_INC,
165 	TOK_SAME_PORTS,
166 	TOK_UNREG_ONLY,
167 	TOK_RESET_ADDR,
168 	TOK_ALIAS_REV,
169 	TOK_PROXY_ONLY,
170	TOK_REDIR_ADDR,
171	TOK_REDIR_PORT,
172	TOK_REDIR_PROTO,
173
174	TOK_IPV6,
175	TOK_FLOWID,
176	TOK_ICMP6TYPES,
177	TOK_EXT6HDR,
178	TOK_DSTIP6,
179	TOK_SRCIP6,
180
181	TOK_IPV4,
182	TOK_UNREACH6,
183	TOK_RESET6,
184
185	TOK_FIB,
186	TOK_SETFIB,
187};
188/*
189 * the following macro returns an error message if we run out of
190 * arguments.
191 */
192#define NEED1(msg)      {if (!ac) errx(EX_USAGE, msg);}
193
194unsigned long long align_uint64(const uint64_t *pll);
195
196/* memory allocation support */
197void *safe_calloc(size_t number, size_t size);
198void *safe_realloc(void *ptr, size_t size);
199
200/* string comparison functions used for historical compatibility */
201int _substrcmp(const char *str1, const char* str2);
202int _substrcmp2(const char *str1, const char* str2, const char* str3);
203
204/* utility functions */
205int match_token(struct _s_x *table, char *string);
206char const *match_value(struct _s_x *p, int value);
207
208int do_cmd(int optname, void *optval, uintptr_t optlen);
209
210struct in6_addr;
211void n2mask(struct in6_addr *mask, int n);
212int contigmask(uint8_t *p, int len);
213
214/*
215 * Forward declarations to avoid include way too many headers.
216 * C does not allow duplicated typedefs, so we use the base struct
217 * that the typedef points to.
218 * Should the typedefs use a different type, the compiler will
219 * still detect the change when compiling the body of the
220 * functions involved, so we do not lose error checking.
221 */
222struct _ipfw_insn;
223struct _ipfw_insn_altq;
224struct _ipfw_insn_u32;
225struct _ipfw_insn_ip6;
226struct _ipfw_insn_icmp6;
227
228/*
229 * The reserved set numer. This is a constant in ip_fw.h
230 * but we store it in a variable so other files do not depend
231 * in that header just for one constant.
232 */
233extern int resvd_set_number;
234
235/* first-level command handlers */
236void ipfw_add(int ac, char *av[]);
237void ipfw_show_nat(int ac, char **av);
238void ipfw_config_pipe(int ac, char **av);
239void ipfw_config_nat(int ac, char **av);
240void ipfw_sets_handler(int ac, char *av[]);
241void ipfw_table_handler(int ac, char *av[]);
242void ipfw_sysctl_handler(int ac, char *av[], int which);
243void ipfw_delete(int ac, char *av[]);
244void ipfw_flush(int force);
245void ipfw_zero(int ac, char *av[], int optname);
246void ipfw_list(int ac, char *av[], int show_counters);
247
248/* altq.c */
249void altq_set_enabled(int enabled);
250u_int32_t altq_name_to_qid(const char *name);
251
252void print_altq_cmd(struct _ipfw_insn_altq *altqptr);
253
254/* dummynet.c */
255void ipfw_list_pipes(void *data, uint nbytes, int ac, char *av[]);
256int ipfw_delete_pipe(int pipe_or_queue, int n);
257
258/* ipv6.c */
259void print_unreach6_code(uint16_t code);
260void print_ip6(struct _ipfw_insn_ip6 *cmd, char const *s);
261void print_flow6id(struct _ipfw_insn_u32 *cmd);
262void print_icmp6types(struct _ipfw_insn_u32 *cmd);
263void print_ext6hdr(struct _ipfw_insn *cmd );
264
265struct _ipfw_insn *add_srcip6(struct _ipfw_insn *cmd, char *av);
266struct _ipfw_insn *add_dstip6(struct _ipfw_insn *cmd, char *av);
267
268void fill_flow6(struct _ipfw_insn_u32 *cmd, char *av );
269void fill_unreach6_code(u_short *codep, char *str);
270void fill_icmp6types(struct _ipfw_insn_icmp6 *cmd, char *av);
271int fill_ext6hdr(struct _ipfw_insn *cmd, char *av);
272