1 /* 2 * Copyright (c) 2014 - 2016 The DragonFly Project. All rights reserved. 3 * 4 * This code is derived from software contributed to The DragonFly Project 5 * by Bill Yuan <bycn82@dragonflybsd.org> 6 * 7 * Copyright (c) 2002 Luigi Rizzo 8 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp 9 * Copyright (c) 1994 Ugen J.S.Antsilevich 10 * 11 * Idea and grammar partially left from: 12 * Copyright (c) 1993 Daniel Boulet 13 * 14 * 15 * Redistribution and use in source forms, with and without modification, 16 * are permitted provided that this entire comment appears intact. 17 * 18 * Redistribution in binary form may occur without any restrictions. 19 * Obviously, it would be nice if you gave credit where credit is due 20 * but requiring it would be too onerous. 21 * 22 * This software is provided ``AS IS'' without any warranties of any kind. 23 * 24 */ 25 26 #include <sys/param.h> 27 #include <sys/mbuf.h> 28 #include <sys/socket.h> 29 #include <sys/sockio.h> 30 #include <sys/sysctl.h> 31 #include <sys/time.h> 32 #include <sys/wait.h> 33 34 #include <arpa/inet.h> 35 #include <ctype.h> 36 #include <dlfcn.h> 37 #include <err.h> 38 #include <errno.h> 39 #include <grp.h> 40 #include <limits.h> 41 #include <netdb.h> 42 #include <pwd.h> 43 #include <sysexits.h> 44 #include <signal.h> 45 #include <stdio.h> 46 #include <stdlib.h> 47 #include <stdarg.h> 48 #include <string.h> 49 #include <timeconv.h> 50 #include <unistd.h> 51 52 #include <netinet/in.h> 53 #include <netinet/in_systm.h> 54 #include <netinet/ip.h> 55 #include <netinet/ip_icmp.h> 56 #include <netinet/tcp.h> 57 #include <net/if.h> 58 #include <net/if_dl.h> 59 #include <net/route.h> 60 #include <net/ethernet.h> 61 62 63 #include "../../sys/net/ipfw3/ip_fw3.h" 64 #include "../../sys/net/ipfw3/ip_fw3_table.h" 65 #include "../../sys/net/ipfw3/ip_fw3_sync.h" 66 #include "../../sys/net/dummynet3/ip_dummynet3.h" 67 #include "../../sys/net/libalias/alias.h" 68 #include "../../sys/net/ipfw3_basic/ip_fw3_basic.h" 69 #include "../../sys/net/ipfw3_nat/ip_fw3_nat.h" 70 71 #include "ipfw3.h" 72 #include "ipfw3sync.h" 73 #include "ipfw3nat.h" 74 75 76 #define KEYWORD_SIZE 256 77 #define MAPPING_SIZE 256 78 79 #define MAX_KEYWORD_LEN 20 80 #define MAX_ARGS 32 81 #define WHITESP " \t\f\v\n\r" 82 #define IPFW_LIB_PATH "/usr/lib/libipfw3%s.so" 83 #define IP_MASK_ALL 0xffffffff 84 /* 85 * we use IPPROTO_ETHERTYPE as a fake protocol id to call the print routines 86 * This is only used in this code. 87 */ 88 #define IPPROTO_ETHERTYPE 0x1000 89 90 /* 91 * show_rules() prints the body of an ipfw rule. 92 * Because the standard rule has at least proto src_ip dst_ip, we use 93 * a helper function to produce these entries if not provided explicitly. 94 * The first argument is the list of fields we have, the second is 95 * the list of fields we want to be printed. 96 * 97 * Special cases if we have provided a MAC header: 98 * + if the rule does not contain IP addresses/ports, do not print them; 99 * + if the rule does not contain an IP proto, print "all" instead of "ip"; 100 * 101 */ 102 #define HAVE_PROTO 0x0001 103 #define HAVE_SRCIP 0x0002 104 #define HAVE_DSTIP 0x0004 105 #define HAVE_MAC 0x0008 106 #define HAVE_MACTYPE 0x0010 107 #define HAVE_OPTIONS 0x8000 108 109 #define HAVE_IP (HAVE_PROTO | HAVE_SRCIP | HAVE_DSTIP) 110 111 112 int ipfw_socket = -1; /* main RAW socket */ 113 int do_resolv, /* Would try to resolve all */ 114 do_acct, /* Show packet/byte count */ 115 do_time, /* Show time stamps */ 116 do_quiet = 1, /* Be quiet , default is quiet*/ 117 do_force, /* Don't ask for confirmation */ 118 do_pipe, /* this cmd refers to a pipe */ 119 do_nat, /* Nat configuration. */ 120 do_sort, /* field to sort results (0 = no) */ 121 do_dynamic, /* display dynamic rules */ 122 do_expired, /* display expired dynamic rules */ 123 do_compact, /* show rules in compact mode */ 124 show_sets, /* display rule sets */ 125 verbose; 126 127 struct char_int_map dummynet_params[] = { 128 { "plr", TOK_PLR }, 129 { "noerror", TOK_NOERROR }, 130 { "buckets", TOK_BUCKETS }, 131 { "dst-ip", TOK_DSTIP }, 132 { "src-ip", TOK_SRCIP }, 133 { "dst-port", TOK_DSTPORT }, 134 { "src-port", TOK_SRCPORT }, 135 { "proto", TOK_PROTO }, 136 { "weight", TOK_WEIGHT }, 137 { "all", TOK_ALL }, 138 { "mask", TOK_MASK }, 139 { "droptail", TOK_DROPTAIL }, 140 { "red", TOK_RED }, 141 { "gred", TOK_GRED }, 142 { "bw", TOK_BW }, 143 { "bandwidth", TOK_BW }, 144 { "delay", TOK_DELAY }, 145 { "pipe", TOK_PIPE }, 146 { "queue", TOK_QUEUE }, 147 { "dummynet-params", TOK_NULL }, 148 { NULL, 0 } 149 }; 150 151 struct ipfw_keyword { 152 int type; 153 char word[MAX_KEYWORD_LEN]; 154 int module; 155 int opcode; 156 }; 157 158 struct ipfw_mapping { 159 int type; 160 int module; 161 int opcode; 162 parser_func parser; 163 shower_func shower; 164 }; 165 166 struct ipfw_keyword keywords[KEYWORD_SIZE]; 167 struct ipfw_mapping mappings[MAPPING_SIZE]; 168 169 int 170 match_token(struct char_int_map *table, char *string) 171 { 172 while (table->key) { 173 if (strcmp(table->key, string) == 0) { 174 return table->val; 175 } 176 table++; 177 } 178 return 0; 179 } 180 181 static void 182 get_modules(char *modules_str, int len) 183 { 184 if (do_get_x(IP_FW_MODULE, modules_str, &len) < 0) 185 errx(EX_USAGE, "ipfw3 not loaded."); 186 } 187 188 static void 189 list_modules(int ac, char *av[]) 190 { 191 void *module_str = NULL; 192 int len = 1024; 193 if ((module_str = realloc(module_str, len)) == NULL) 194 err(EX_OSERR, "realloc"); 195 196 get_modules(module_str, len); 197 printf("%s", (char *)module_str); 198 } 199 void 200 parse_accept(ipfw_insn **cmd, int *ac, char **av[]) 201 { 202 (*cmd)->opcode = O_BASIC_ACCEPT; 203 (*cmd)->module = MODULE_BASIC_ID; 204 (*cmd)->len = (*cmd)->len|LEN_OF_IPFWINSN; 205 NEXT_ARG1; 206 if (!strncmp(**av, "log", strlen(**av))) { 207 (*cmd)->arg3 = 1; 208 NEXT_ARG1; 209 if (isdigit(***av)) { 210 (*cmd)->arg1 = strtoul(**av, NULL, 10); 211 NEXT_ARG1; 212 } 213 } 214 } 215 216 void 217 parse_deny(ipfw_insn **cmd, int *ac, char **av[]) 218 { 219 (*cmd)->opcode = O_BASIC_DENY; 220 (*cmd)->module = MODULE_BASIC_ID; 221 (*cmd)->len = (*cmd)->len|LEN_OF_IPFWINSN; 222 NEXT_ARG1; 223 if (!strncmp(**av, "log", strlen(**av))) { 224 (*cmd)->arg3 = 1; 225 NEXT_ARG1; 226 if (isdigit(***av)) { 227 (*cmd)->arg1 = strtoul(**av, NULL, 10); 228 NEXT_ARG1; 229 } 230 } 231 } 232 233 void 234 show_accept(ipfw_insn *cmd, int show_or) 235 { 236 printf(" allow"); 237 if (cmd->arg3) { 238 printf(" log %d", cmd->arg1); 239 } 240 } 241 242 void 243 show_deny(ipfw_insn *cmd, int show_or) 244 { 245 printf(" deny"); 246 if (cmd->arg3) { 247 printf(" log %d", cmd->arg1); 248 } 249 } 250 251 static void 252 load_modules(void) 253 { 254 const char *error; 255 init_module mod_init_func; 256 void *module_lib; 257 char module_lib_file[50]; 258 void *module_str = NULL; 259 int len = 1024; 260 261 if ((module_str = realloc(module_str, len)) == NULL) 262 err(EX_OSERR, "realloc"); 263 264 get_modules(module_str, len); 265 266 const char s[2] = ","; 267 char *token; 268 token = strtok(module_str, s); 269 while (token != NULL) { 270 sprintf(module_lib_file, IPFW_LIB_PATH, token); 271 token = strtok(NULL, s); 272 module_lib = dlopen(module_lib_file, RTLD_LAZY); 273 if (!module_lib) { 274 fprintf(stderr, "Couldn't open %s: %s\n", 275 module_lib_file, dlerror()); 276 exit(EX_SOFTWARE); 277 } 278 mod_init_func = dlsym(module_lib, "load_module"); 279 if ((error = dlerror())) 280 { 281 fprintf(stderr, "Couldn't find init function: %s\n", error); 282 exit(EX_SOFTWARE); 283 } 284 (*mod_init_func)((register_func)register_ipfw_func, 285 (register_keyword)register_ipfw_keyword); 286 } 287 } 288 289 void 290 prepare_default_funcs(void) 291 { 292 /* register allow*/ 293 register_ipfw_keyword(MODULE_BASIC_ID, O_BASIC_ACCEPT, "allow", ACTION); 294 register_ipfw_keyword(MODULE_BASIC_ID, O_BASIC_ACCEPT, "accept", ACTION); 295 register_ipfw_func(MODULE_BASIC_ID, O_BASIC_ACCEPT, 296 (parser_func)parse_accept, (shower_func)show_accept); 297 /* register deny*/ 298 register_ipfw_keyword(MODULE_BASIC_ID, O_BASIC_DENY, "deny", ACTION); 299 register_ipfw_keyword(MODULE_BASIC_ID, O_BASIC_DENY, "reject", ACTION); 300 register_ipfw_func(MODULE_BASIC_ID, O_BASIC_DENY, 301 (parser_func)parse_deny, (shower_func)show_deny); 302 } 303 304 void 305 register_ipfw_keyword(int module, int opcode, char *word, int type) 306 { 307 struct ipfw_keyword *tmp; 308 309 tmp=keywords; 310 for(;;) { 311 if (tmp->type == NONE) { 312 strcpy(tmp->word, word); 313 tmp->module = module; 314 tmp->opcode = opcode; 315 tmp->type = type; 316 break; 317 } else { 318 if (strcmp(tmp->word, word) == 0) 319 errx(EX_USAGE, "keyword `%s' exists", word); 320 else 321 tmp++; 322 } 323 } 324 } 325 326 void 327 register_ipfw_func(int module, int opcode, parser_func parser, shower_func shower) 328 { 329 struct ipfw_mapping *tmp; 330 331 tmp = mappings; 332 while (1) { 333 if (tmp->type == NONE) { 334 tmp->module = module; 335 tmp->opcode = opcode; 336 tmp->parser = parser; 337 tmp->shower = shower; 338 tmp->type = IN_USE; 339 break; 340 } else { 341 if (tmp->opcode == opcode && tmp->module == module) { 342 errx(EX_USAGE, "func `%d' of module `%d' exists", 343 opcode, module); 344 break; 345 } else { 346 tmp++; 347 } 348 } 349 } 350 } 351 352 /* 353 * this func need to check whether 'or' need to be printed, 354 * when the filter is the first filter with 'or' when dont print 355 * when not first and same as previous, then print or and no filter name 356 * when not first but different from previous, print name without 'or' 357 * show_or = 1: show or and ignore filter name 358 * show_or = 0: show filter name ignore or 359 */ 360 void prev_show_chk(ipfw_insn *cmd, uint8_t *prev_module, uint8_t *prev_opcode, 361 int *show_or) 362 { 363 if (cmd->len & F_OR) { 364 if (*prev_module == 0 && *prev_opcode == 0) { 365 /* first cmd with 'or' flag */ 366 *show_or = 0; 367 *prev_module = cmd->module; 368 *prev_opcode = cmd->opcode; 369 } else if (cmd->module == *prev_module && 370 cmd->opcode == *prev_opcode) { 371 /* cmd same as previous, same module and opcode */ 372 *show_or = 1; 373 } else { 374 /* cmd different from prev*/ 375 *show_or = 0; 376 *prev_module = cmd->module; 377 *prev_opcode = cmd->opcode; 378 379 } 380 } else { 381 *show_or = 0; 382 *prev_module = 0; 383 *prev_opcode = 0; 384 } 385 } 386 387 /* 388 * word can be: proto from to other 389 * proto show proto 390 * from show from 391 * to show to 392 * other show all other filters 393 */ 394 int show_filter(ipfw_insn *cmd, char *word, int type) 395 { 396 struct ipfw_keyword *k; 397 struct ipfw_mapping *m; 398 shower_func fn; 399 int i, j, show_or; 400 uint8_t prev_module, prev_opcode; 401 402 k = keywords; 403 m = mappings; 404 for (i = 1; i < KEYWORD_SIZE; i++, k++) { 405 if (k->type == type) { 406 if (k->module == cmd->module && 407 k->opcode == cmd->opcode) { 408 for (j = 1; j < MAPPING_SIZE; j++, m++) { 409 if (m->type == IN_USE && 410 k->module == m->module && 411 k->opcode == m->opcode) { 412 prev_show_chk(cmd, &prev_module, 413 &prev_opcode, &show_or); 414 if (cmd->len & F_NOT) 415 printf(" not"); 416 417 fn = m->shower; 418 (*fn)(cmd, show_or); 419 return 1; 420 } 421 } 422 } 423 } 424 } 425 return 0; 426 } 427 428 static void 429 show_rules(struct ipfw_ioc_rule *rule, int pcwidth, int bcwidth) 430 { 431 static int twidth = 0; 432 ipfw_insn *cmd; 433 int l; 434 435 u_int32_t set_disable = rule->set_disable; 436 437 if (set_disable & (1 << rule->set)) { /* disabled */ 438 if (!show_sets) 439 return; 440 else 441 printf("# DISABLED "); 442 } 443 printf("%05u ", rule->rulenum); 444 445 if (do_acct) 446 printf("%*ju %*ju ", pcwidth, (uintmax_t)rule->pcnt, bcwidth, 447 (uintmax_t)rule->bcnt); 448 449 if (do_time == 1) { 450 char timestr[30]; 451 452 if (twidth == 0) { 453 strcpy(timestr, ctime((time_t *)&twidth)); 454 *strchr(timestr, '\n') = '\0'; 455 twidth = strlen(timestr); 456 } 457 if (rule->timestamp) { 458 time_t t = _long_to_time(rule->timestamp); 459 460 strcpy(timestr, ctime(&t)); 461 *strchr(timestr, '\n') = '\0'; 462 printf("%s ", timestr); 463 } else { 464 printf("%*s ", twidth, " "); 465 } 466 } else if (do_time == 2) { 467 printf( "%10u ", rule->timestamp); 468 } 469 470 if (show_sets) 471 printf("set %d ", rule->set); 472 473 474 struct ipfw_keyword *k; 475 struct ipfw_mapping *m; 476 shower_func fn, comment_fn = NULL; 477 ipfw_insn *comment_cmd; 478 int i, j, changed; 479 480 /* 481 * show others and actions 482 */ 483 for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule); 484 l > 0; l -= F_LEN(cmd), 485 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) { 486 k = keywords; 487 m = mappings; 488 for (i = 1; i< KEYWORD_SIZE; i++, k++) { 489 if ( k->module == cmd->module && k->opcode == cmd->opcode ) { 490 for (j = 1; j< MAPPING_SIZE; j++, m++) { 491 if (m->type == IN_USE && 492 m->module == cmd->module && 493 m->opcode == cmd->opcode) { 494 if (cmd->module == MODULE_BASIC_ID && 495 cmd->opcode == O_BASIC_COMMENT) { 496 comment_fn = m->shower; 497 comment_cmd = cmd; 498 } else { 499 fn = m->shower; 500 (*fn)(cmd, 0); 501 } 502 if (cmd->module == MODULE_BASIC_ID && 503 cmd->opcode == 504 O_BASIC_CHECK_STATE) { 505 goto done; 506 } 507 break; 508 } 509 } 510 break; 511 } 512 } 513 } 514 515 /* 516 * show proto 517 */ 518 changed=0; 519 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd), 520 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) { 521 changed = show_filter(cmd, "proto", PROTO); 522 } 523 if (!changed && !do_quiet) 524 printf(" ip"); 525 526 /* 527 * show from 528 */ 529 changed = 0; 530 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd), 531 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) { 532 changed = show_filter(cmd, "from", FROM); 533 } 534 if (!changed && !do_quiet) 535 printf(" from any"); 536 537 /* 538 * show to 539 */ 540 changed = 0; 541 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd), 542 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) { 543 changed = show_filter(cmd, "to", TO); 544 } 545 if (!changed && !do_quiet) 546 printf(" to any"); 547 548 /* 549 * show other filters 550 */ 551 for (l = rule->act_ofs, cmd = rule->cmd, m = mappings; 552 l > 0; l -= F_LEN(cmd), 553 cmd=(ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) { 554 show_filter(cmd, "other", FILTER); 555 } 556 557 /* show the comment in the end */ 558 if (comment_fn != NULL) { 559 (*comment_fn)(comment_cmd, 0); 560 } 561 done: 562 printf("\n"); 563 } 564 565 static void 566 show_states(struct ipfw_ioc_state *d, int pcwidth, int bcwidth) 567 { 568 struct protoent *pe; 569 struct in_addr a; 570 571 printf("%05u ", d->rulenum); 572 if (do_acct) { 573 printf("%*ju %*ju ", pcwidth, (uintmax_t)d->pcnt, 574 bcwidth, (uintmax_t)d->bcnt); 575 } 576 577 if (do_time == 1) { 578 /* state->timestamp */ 579 char timestr[30]; 580 time_t t = _long_to_time(d->timestamp); 581 strcpy(timestr, ctime(&t)); 582 *strchr(timestr, '\n') = '\0'; 583 printf(" (%s", timestr); 584 585 /* state->lifetime */ 586 printf(" %ds", d->lifetime); 587 588 /* state->expiry */ 589 if (d->expiry !=0) { 590 t = _long_to_time(d->expiry); 591 strcpy(timestr, ctime(&t)); 592 *strchr(timestr, '\n') = '\0'; 593 printf(" %s)", timestr); 594 } else { 595 printf(" 0)"); 596 } 597 598 } else if (do_time == 2) { 599 printf("(%u %ds %u) ", d->timestamp, d->lifetime, d->expiry); 600 } 601 602 if ((pe = getprotobynumber(d->flow_id.proto)) != NULL) 603 printf(" %s", pe->p_name); 604 else 605 printf(" proto %u", d->flow_id.proto); 606 607 a.s_addr = htonl(d->flow_id.src_ip); 608 printf(" %s %d", inet_ntoa(a), d->flow_id.src_port); 609 610 a.s_addr = htonl(d->flow_id.dst_ip); 611 printf(" <-> %s %d", inet_ntoa(a), d->flow_id.dst_port); 612 printf(" CPU %d", d->cpuid); 613 printf("\n"); 614 } 615 616 int 617 sort_q(const void *pa, const void *pb) 618 { 619 int rev = (do_sort < 0); 620 int field = rev ? -do_sort : do_sort; 621 long long res = 0; 622 const struct dn_ioc_flowqueue *a = pa; 623 const struct dn_ioc_flowqueue *b = pb; 624 625 switch(field) { 626 case 1: /* pkts */ 627 res = a->len - b->len; 628 break; 629 case 2: /* bytes */ 630 res = a->len_bytes - b->len_bytes; 631 break; 632 633 case 3: /* tot pkts */ 634 res = a->tot_pkts - b->tot_pkts; 635 break; 636 637 case 4: /* tot bytes */ 638 res = a->tot_bytes - b->tot_bytes; 639 break; 640 } 641 if (res < 0) 642 res = -1; 643 if (res > 0) 644 res = 1; 645 return (int)(rev ? res : -res); 646 } 647 648 static void 649 show_queues(struct dn_ioc_flowset *fs, struct dn_ioc_flowqueue *q) 650 { 651 int l; 652 653 printf("mask: 0x%02x 0x%08x/0x%04x -> 0x%08x/0x%04x\n", 654 fs->flow_mask.u.ip.proto, 655 fs->flow_mask.u.ip.src_ip, fs->flow_mask.u.ip.src_port, 656 fs->flow_mask.u.ip.dst_ip, fs->flow_mask.u.ip.dst_port); 657 if (fs->rq_elements == 0) 658 return; 659 660 printf("BKT Prot ___Source IP/port____ " 661 "____Dest. IP/port____ Tot_pkt/bytes Pkt/Byte Drp\n"); 662 if (do_sort != 0) 663 heapsort(q, fs->rq_elements, sizeof(*q), sort_q); 664 for (l = 0; l < fs->rq_elements; l++) { 665 struct in_addr ina; 666 struct protoent *pe; 667 668 ina.s_addr = htonl(q[l].id.u.ip.src_ip); 669 printf("%3d ", q[l].hash_slot); 670 pe = getprotobynumber(q[l].id.u.ip.proto); 671 if (pe) 672 printf("%-4s ", pe->p_name); 673 else 674 printf("%4u ", q[l].id.u.ip.proto); 675 printf("%15s/%-5d ", 676 inet_ntoa(ina), q[l].id.u.ip.src_port); 677 ina.s_addr = htonl(q[l].id.u.ip.dst_ip); 678 printf("%15s/%-5d ", 679 inet_ntoa(ina), q[l].id.u.ip.dst_port); 680 printf("%4ju %8ju %2u %4u %3u\n", 681 (uintmax_t)q[l].tot_pkts, (uintmax_t)q[l].tot_bytes, 682 q[l].len, q[l].len_bytes, q[l].drops); 683 if (verbose) 684 printf(" S %20ju F %20ju\n", 685 (uintmax_t)q[l].S, (uintmax_t)q[l].F); 686 } 687 } 688 689 static void 690 show_flowset_parms(struct dn_ioc_flowset *fs, char *prefix) 691 { 692 char qs[30]; 693 char plr[30]; 694 char red[90]; /* Display RED parameters */ 695 int l; 696 697 l = fs->qsize; 698 if (fs->flags_fs & DN_QSIZE_IS_BYTES) { 699 if (l >= 8192) 700 sprintf(qs, "%d KB", l / 1024); 701 else 702 sprintf(qs, "%d B", l); 703 } else 704 sprintf(qs, "%3d sl.", l); 705 if (fs->plr) 706 sprintf(plr, "plr %f", 1.0 * fs->plr / (double)(0x7fffffff)); 707 else 708 plr[0] = '\0'; 709 if (fs->flags_fs & DN_IS_RED) /* RED parameters */ 710 sprintf(red, 711 "\n\t %cRED w_q %f min_th %d max_th %d max_p %f", 712 (fs->flags_fs & DN_IS_GENTLE_RED) ? 'G' : ' ', 713 1.0 * fs->w_q / (double)(1 << SCALE_RED), 714 SCALE_VAL(fs->min_th), 715 SCALE_VAL(fs->max_th), 716 1.0 * fs->max_p / (double)(1 << SCALE_RED)); 717 else 718 sprintf(red, "droptail"); 719 720 printf("%s %s%s %d queues (%d buckets) %s\n", 721 prefix, qs, plr, fs->rq_elements, fs->rq_size, red); 722 } 723 724 static void 725 show_pipes(void *data, int nbytes, int ac, char *av[]) 726 { 727 u_long rulenum; 728 void *next = data; 729 struct dn_ioc_pipe *p = (struct dn_ioc_pipe *)data; 730 struct dn_ioc_flowset *fs; 731 struct dn_ioc_flowqueue *q; 732 int l; 733 734 if (ac > 0) 735 rulenum = strtoul(*av++, NULL, 10); 736 else 737 rulenum = 0; 738 for (; nbytes >= sizeof(*p); p = (struct dn_ioc_pipe *)next) { 739 double b = p->bandwidth; 740 char buf[30]; 741 char prefix[80]; 742 743 if (p->fs.fs_type != DN_IS_PIPE) 744 break; /* done with pipes, now queues */ 745 746 /* 747 * compute length, as pipe have variable size 748 */ 749 l = sizeof(*p) + p->fs.rq_elements * sizeof(*q); 750 next = (void *)p + l; 751 nbytes -= l; 752 753 if (rulenum != 0 && rulenum != p->pipe_nr) 754 continue; 755 756 /* 757 * Print rate 758 */ 759 if (b == 0) 760 sprintf(buf, "unlimited"); 761 else if (b >= 1000000) 762 sprintf(buf, "%7.3f Mbit/s", b/1000000); 763 else if (b >= 1000) 764 sprintf(buf, "%7.3f Kbit/s", b/1000); 765 else 766 sprintf(buf, "%7.3f bit/s ", b); 767 768 sprintf(prefix, "%05d: %s %4d ms ", 769 p->pipe_nr, buf, p->delay); 770 show_flowset_parms(&p->fs, prefix); 771 if (verbose) 772 printf(" V %20ju\n", (uintmax_t)p->V >> MY_M); 773 774 q = (struct dn_ioc_flowqueue *)(p+1); 775 show_queues(&p->fs, q); 776 } 777 778 for (fs = next; nbytes >= sizeof(*fs); fs = next) { 779 char prefix[80]; 780 781 if (fs->fs_type != DN_IS_QUEUE) 782 break; 783 l = sizeof(*fs) + fs->rq_elements * sizeof(*q); 784 next = (void *)fs + l; 785 nbytes -= l; 786 q = (struct dn_ioc_flowqueue *)(fs+1); 787 sprintf(prefix, "q%05d: weight %d pipe %d ", 788 fs->fs_nr, fs->weight, fs->parent_nr); 789 show_flowset_parms(fs, prefix); 790 show_queues(fs, q); 791 } 792 } 793 794 /* 795 * This one handles all set-related commands 796 * ipfw set { show | enable | disable } 797 * ipfw set swap X Y 798 * ipfw set move X to Y 799 * ipfw set move rule X to Y 800 */ 801 static void 802 sets_handler(int ac, char *av[]) 803 { 804 u_int32_t set_disable, masks[2]; 805 u_int16_t rulenum; 806 u_int8_t cmd, new_set; 807 int i, nbytes; 808 809 NEXT_ARG; 810 if (!ac) 811 errx(EX_USAGE, "set needs command"); 812 if (!strncmp(*av, "show", strlen(*av)) ) { 813 void *data = NULL; 814 char *msg; 815 int nalloc=1000; 816 nbytes = nalloc; 817 818 while (nbytes >= nalloc) { 819 nalloc = nalloc * 2+321; 820 nbytes = nalloc; 821 if (data == NULL) { 822 if ((data = malloc(nbytes)) == NULL) { 823 err(EX_OSERR, "malloc"); 824 } 825 } else if ((data = realloc(data, nbytes)) == NULL) { 826 err(EX_OSERR, "realloc"); 827 } 828 if (do_get_x(IP_FW_GET, data, &nbytes) < 0) { 829 err(EX_OSERR, "getsockopt(IP_FW_GET)"); 830 } 831 } 832 set_disable = ((struct ipfw_ioc_rule *)data)->set_disable; 833 for (i = 0, msg = "disable" ; i < 31; i++) 834 if ( (set_disable & (1<<i))) { 835 printf("%s %d", msg, i); 836 msg = ""; 837 } 838 msg = (set_disable) ? " enable" : "enable"; 839 for (i = 0; i < 31; i++) 840 if ( !(set_disable & (1<<i))) { 841 printf("%s %d", msg, i); 842 msg = ""; 843 } 844 printf("\n"); 845 } else if (!strncmp(*av, "swap", strlen(*av))) { 846 NEXT_ARG; 847 if (ac != 2) 848 errx(EX_USAGE, "set swap needs 2 set numbers\n"); 849 rulenum = atoi(av[0]); 850 new_set = atoi(av[1]); 851 if (!isdigit(*(av[0])) || rulenum > 30) 852 errx(EX_DATAERR, "invalid set number %s\n", av[0]); 853 if (!isdigit(*(av[1])) || new_set > 30) 854 errx(EX_DATAERR, "invalid set number %s\n", av[1]); 855 masks[0] = (4 << 24) | (new_set << 16) | (rulenum); 856 i = do_set_x(IP_FW_DEL, masks, sizeof(u_int32_t)); 857 } else if (!strncmp(*av, "move", strlen(*av))) { 858 NEXT_ARG; 859 if (ac && !strncmp(*av, "rule", strlen(*av))) { 860 cmd = 2; 861 NEXT_ARG; 862 } else 863 cmd = 3; 864 if (ac != 3 || strncmp(av[1], "to", strlen(*av))) 865 errx(EX_USAGE, "syntax: set move [rule] X to Y\n"); 866 rulenum = atoi(av[0]); 867 new_set = atoi(av[2]); 868 if (!isdigit(*(av[0])) || (cmd == 3 && rulenum > 30) || 869 (cmd == 2 && rulenum == 65535) ) 870 errx(EX_DATAERR, "invalid source number %s\n", av[0]); 871 if (!isdigit(*(av[2])) || new_set > 30) 872 errx(EX_DATAERR, "invalid dest. set %s\n", av[1]); 873 masks[0] = (cmd << 24) | (new_set << 16) | (rulenum); 874 i = do_set_x(IP_FW_DEL, masks, sizeof(u_int32_t)); 875 } else if (!strncmp(*av, "disable", strlen(*av)) || 876 !strncmp(*av, "enable", strlen(*av)) ) { 877 int which = !strncmp(*av, "enable", strlen(*av)) ? 1 : 0; 878 879 NEXT_ARG; 880 masks[0] = masks[1] = 0; 881 882 while (ac) { 883 if (isdigit(**av)) { 884 i = atoi(*av); 885 if (i < 0 || i > 30) 886 errx(EX_DATAERR, "invalid set number %d\n", i); 887 masks[which] |= (1<<i); 888 } else if (!strncmp(*av, "disable", strlen(*av))) 889 which = 0; 890 else if (!strncmp(*av, "enable", strlen(*av))) 891 which = 1; 892 else 893 errx(EX_DATAERR, "invalid set command %s\n", *av); 894 NEXT_ARG; 895 } 896 if ( (masks[0] & masks[1]) != 0 ) 897 errx(EX_DATAERR, "cannot enable and disable the same set\n"); 898 i = do_set_x(IP_FW_DEL, masks, sizeof(masks)); 899 if (i) 900 warn("set enable/disable: setsockopt(IP_FW_DEL)"); 901 } else 902 errx(EX_USAGE, "invalid set command %s\n", *av); 903 } 904 905 static void 906 add_state(int ac, char *av[]) 907 { 908 struct ipfw_ioc_state ioc_state; 909 ioc_state.expiry = 0; 910 ioc_state.lifetime = 0; 911 NEXT_ARG; 912 if (strcmp(*av, "rulenum") == 0) { 913 NEXT_ARG; 914 ioc_state.rulenum = atoi(*av); 915 } else { 916 errx(EX_USAGE, "ipfw state add rule"); 917 } 918 NEXT_ARG; 919 struct protoent *pe; 920 pe = getprotobyname(*av); 921 ioc_state.flow_id.proto = pe->p_proto; 922 923 NEXT_ARG; 924 ioc_state.flow_id.src_ip = inet_addr(*av); 925 926 NEXT_ARG; 927 ioc_state.flow_id.src_port = atoi(*av); 928 929 NEXT_ARG; 930 ioc_state.flow_id.dst_ip = inet_addr(*av); 931 932 NEXT_ARG; 933 ioc_state.flow_id.dst_port = atoi(*av); 934 935 NEXT_ARG; 936 if (strcmp(*av, "live") == 0) { 937 NEXT_ARG; 938 ioc_state.lifetime = atoi(*av); 939 NEXT_ARG; 940 } 941 942 if (strcmp(*av, "expiry") == 0) { 943 NEXT_ARG; 944 ioc_state.expiry = strtoul(*av, NULL, 10); 945 printf("ioc_state.expiry=%d\n", ioc_state.expiry); 946 } 947 948 if (do_set_x(IP_FW_STATE_ADD, &ioc_state, sizeof(struct ipfw_ioc_state)) < 0 ) { 949 err(EX_UNAVAILABLE, "do_set_x(IP_FW_STATE_ADD)"); 950 } 951 if (!do_quiet) { 952 printf("Flushed all states.\n"); 953 } 954 } 955 956 static void 957 delete_state(int ac, char *av[]) 958 { 959 int rulenum; 960 NEXT_ARG; 961 if (ac == 1 && isdigit(**av)) 962 rulenum = atoi(*av); 963 if (do_set_x(IP_FW_STATE_DEL, &rulenum, sizeof(int)) < 0 ) 964 err(EX_UNAVAILABLE, "do_set_x(IP_FW_STATE_DEL)"); 965 if (!do_quiet) 966 printf("Flushed all states.\n"); 967 } 968 969 static void 970 flush_state(int ac, char *av[]) 971 { 972 if (!do_force) { 973 int c; 974 975 printf("Are you sure? [yn] "); 976 fflush(stdout); 977 do { 978 c = toupper(getc(stdin)); 979 while (c != '\n' && getc(stdin) != '\n') 980 if (feof(stdin)) 981 return; /* and do not flush */ 982 } while (c != 'Y' && c != 'N'); 983 if (c == 'N') /* user said no */ 984 return; 985 } 986 if (do_set_x(IP_FW_STATE_FLUSH, NULL, 0) < 0 ) 987 err(EX_UNAVAILABLE, "do_set_x(IP_FW_STATE_FLUSH)"); 988 if (!do_quiet) 989 printf("Flushed all states.\n"); 990 } 991 992 static int 993 lookup_host (char *host, struct in_addr *ipaddr) 994 { 995 struct hostent *he; 996 997 if (!inet_aton(host, ipaddr)) { 998 if ((he = gethostbyname(host)) == NULL) 999 return(-1); 1000 *ipaddr = *(struct in_addr *)he->h_addr_list[0]; 1001 } 1002 return(0); 1003 } 1004 1005 static void 1006 table_append(int ac, char *av[]) 1007 { 1008 struct ipfw_ioc_table tbl; 1009 char *p; 1010 int size; 1011 1012 NEXT_ARG; 1013 if (isdigit(**av)) 1014 tbl.id = atoi(*av); 1015 else 1016 errx(EX_USAGE, "table id `%s' invalid", *av); 1017 1018 if (tbl.id < 0 || tbl.id > IPFW_TABLES_MAX - 1) 1019 errx(EX_USAGE, "table id `%d' invalid", tbl.id); 1020 1021 NEXT_ARG; 1022 if (strcmp(*av, "ip") == 0) 1023 tbl.type = 1; 1024 else if (strcmp(*av, "mac") == 0) 1025 tbl.type = 2; 1026 else 1027 errx(EX_USAGE, "table type `%s' not supported", *av); 1028 1029 NEXT_ARG; 1030 if (tbl.type == 1) { /* table type ipv4 */ 1031 struct ipfw_ioc_table_ip_entry ip_ent; 1032 if (!ac) 1033 errx(EX_USAGE, "IP address required"); 1034 1035 p = strchr(*av, '/'); 1036 if (p) { 1037 *p++ = '\0'; 1038 ip_ent.masklen = atoi(p); 1039 if (ip_ent.masklen > 32) 1040 errx(EX_DATAERR, "bad width ``%s''", p); 1041 } else { 1042 ip_ent.masklen = 32; 1043 } 1044 1045 if (lookup_host(*av, (struct in_addr *)&ip_ent.addr) != 0) 1046 errx(EX_NOHOST, "hostname ``%s'' unknown", *av); 1047 1048 tbl.ip_ent[0] = ip_ent; 1049 size = sizeof(tbl) + sizeof(ip_ent); 1050 } else if (tbl.type == 2) { /* table type mac */ 1051 struct ipfw_ioc_table_mac_entry mac_ent; 1052 if (!ac) 1053 errx(EX_USAGE, "MAC address required"); 1054 1055 mac_ent.addr = *ether_aton(*av); 1056 tbl.mac_ent[0] = mac_ent; 1057 size = sizeof(tbl) + sizeof(mac_ent); 1058 } 1059 if (do_set_x(IP_FW_TABLE_APPEND, &tbl, size) < 0 ) 1060 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_APPEND) " 1061 "table `%d' append `%s' failed", tbl.id, *av); 1062 } 1063 1064 static void 1065 table_remove(int ac, char *av[]) 1066 { 1067 struct ipfw_ioc_table tbl; 1068 struct ipfw_ioc_table_ip_entry ip_ent; 1069 char *p; 1070 int size; 1071 1072 NEXT_ARG; 1073 if (isdigit(**av)) 1074 tbl.id = atoi(*av); 1075 else 1076 errx(EX_USAGE, "table id `%s' invalid", *av); 1077 1078 if (tbl.id < 0 || tbl.id > IPFW_TABLES_MAX - 1) 1079 errx(EX_USAGE, "table id `%d' invalid", tbl.id); 1080 1081 NEXT_ARG; 1082 if (strcmp(*av, "ip") == 0) 1083 tbl.type = 1; 1084 else if (strcmp(*av, "mac") == 0) 1085 tbl.type = 2; 1086 else 1087 errx(EX_USAGE, "table type `%s' not supported", *av); 1088 1089 NEXT_ARG; 1090 if (!ac) 1091 errx(EX_USAGE, "IP address required"); 1092 p = strchr(*av, '/'); 1093 if (p) { 1094 *p++ = '\0'; 1095 ip_ent.masklen = atoi(p); 1096 if (ip_ent.masklen > 32) 1097 errx(EX_DATAERR, "bad width ``%s''", p); 1098 } else { 1099 ip_ent.masklen = 32; 1100 } 1101 1102 if (lookup_host(*av, (struct in_addr *)&ip_ent.addr) != 0) 1103 errx(EX_NOHOST, "hostname ``%s'' unknown", *av); 1104 1105 tbl.ip_ent[0] = ip_ent; 1106 size = sizeof(tbl) + sizeof(ip_ent); 1107 if (do_set_x(IP_FW_TABLE_REMOVE, &tbl, size) < 0 ) { 1108 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_REMOVE) " 1109 "table `%d' append `%s' failed", tbl.id, *av); 1110 } 1111 } 1112 1113 static void 1114 table_flush(int ac, char *av[]) 1115 { 1116 struct ipfw_ioc_table ioc_table; 1117 struct ipfw_ioc_table *t = &ioc_table; 1118 1119 NEXT_ARG; 1120 if (isdigit(**av)) { 1121 t->id = atoi(*av); 1122 if (t->id < 0 || t->id > IPFW_TABLES_MAX - 1) 1123 errx(EX_USAGE, "table id `%d' invalid", t->id); 1124 } else { 1125 errx(EX_USAGE, "table id `%s' invalid", *av); 1126 } 1127 if (do_set_x(IP_FW_TABLE_FLUSH, t, sizeof(struct ipfw_ioc_table)) < 0 ) 1128 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_FLUSH) " 1129 "table `%s' flush failed", *av); 1130 } 1131 1132 static void 1133 table_list(int ac, char *av[]) 1134 { 1135 struct ipfw_ioc_table *ioc_table; 1136 int i, count, nbytes, nalloc = 1024; 1137 void *data = NULL; 1138 NEXT_ARG; 1139 if (strcmp(*av, "list") == 0) { 1140 nbytes = nalloc; 1141 while (nbytes >= nalloc) { 1142 nalloc = nalloc * 2 ; 1143 nbytes = nalloc; 1144 if ((data = realloc(data, nbytes)) == NULL) 1145 err(EX_OSERR, "realloc"); 1146 if (do_get_x(IP_FW_TABLE_LIST, data, &nbytes) < 0) 1147 err(EX_OSERR, "do_get_x(IP_FW_TABLE_LIST)"); 1148 } 1149 ioc_table = (struct ipfw_ioc_table *)data; 1150 count = nbytes / sizeof(struct ipfw_ioc_table); 1151 for (i = 0; i < count; i++, ioc_table++) { 1152 if (ioc_table->type > 0) { 1153 printf("table %d",ioc_table->id); 1154 if (ioc_table->type == 1) 1155 printf(" type ip"); 1156 else if (ioc_table->type == 2) 1157 printf(" type mac"); 1158 printf(" count %d",ioc_table->count); 1159 if (strlen(ioc_table->name) > 0) 1160 printf(" name %s",ioc_table->name); 1161 printf("\n"); 1162 1163 } 1164 } 1165 } else { 1166 errx(EX_USAGE, "ipfw3 table `%s' delete invalid", *av); 1167 } 1168 } 1169 1170 void 1171 print_table(struct ipfw_ioc_table * tbl) 1172 { 1173 int i; 1174 if (tbl->type == 0) 1175 errx(EX_USAGE, "table %d is not in use", tbl->id); 1176 1177 printf("table %d", tbl->id); 1178 if (tbl->type == 1) 1179 printf(" type ip"); 1180 else if (tbl->type == 2) 1181 printf(" type mac"); 1182 1183 printf(" count %d", tbl->count); 1184 if (strlen(tbl->name) > 0) 1185 printf(" name %s", tbl->name); 1186 1187 printf("\n"); 1188 1189 if (tbl->type == 1) { 1190 struct ipfw_ioc_table_ip_entry *ip_ent; 1191 ip_ent = tbl->ip_ent; 1192 for (i = 0; i < tbl->count; i++) { 1193 printf("%s", inet_ntoa(*(struct in_addr *)&ip_ent->addr)); 1194 printf("/%d ", ip_ent->masklen); 1195 printf("\n"); 1196 ip_ent++; 1197 } 1198 } else if (tbl->type == 2) { 1199 struct ipfw_ioc_table_mac_entry *mac_ent; 1200 mac_ent = tbl->mac_ent; 1201 for (i = 0; i < tbl->count; i++) { 1202 printf("%s", ether_ntoa(&mac_ent->addr)); 1203 printf("\n"); 1204 mac_ent++; 1205 } 1206 } 1207 } 1208 1209 static void 1210 table_show(int ac, char *av[]) 1211 { 1212 int nbytes, nalloc = 1024; 1213 void *data = NULL; 1214 NEXT_ARG; 1215 if (isdigit(**av)) { 1216 nbytes = nalloc; 1217 while (nbytes >= nalloc) { 1218 nalloc = nalloc * 2 + 256; 1219 nbytes = nalloc; 1220 if (data == NULL) { 1221 if ((data = malloc(nbytes)) == NULL) { 1222 err(EX_OSERR, "malloc"); 1223 } 1224 } else if ((data = realloc(data, nbytes)) == NULL) { 1225 err(EX_OSERR, "realloc"); 1226 } 1227 /* store table id in the header of data */ 1228 int *head = (int *)data; 1229 *head = atoi(*av); 1230 if (*head < 0 || *head > IPFW_TABLES_MAX - 1) 1231 errx(EX_USAGE, "table id `%d' invalid", *head); 1232 if (do_get_x(IP_FW_TABLE_SHOW, data, &nbytes) < 0) 1233 err(EX_OSERR, "do_get_x(IP_FW_TABLE_LIST)"); 1234 struct ipfw_ioc_table *tbl; 1235 tbl = (struct ipfw_ioc_table *)data; 1236 print_table(tbl); 1237 } 1238 } else { 1239 errx(EX_USAGE, "ipfw3 table `%s' show invalid", *av); 1240 } 1241 } 1242 1243 static void 1244 table_create(int ac, char *av[]) 1245 { 1246 struct ipfw_ioc_table ioc_table; 1247 struct ipfw_ioc_table *t = &ioc_table; 1248 1249 NEXT_ARG; 1250 if (ac < 2) 1251 errx(EX_USAGE, "table parameters invalid"); 1252 if (isdigit(**av)) { 1253 t->id = atoi(*av); 1254 if (t->id < 0 || t->id > IPFW_TABLES_MAX - 1) 1255 errx(EX_USAGE, "table id `%d' invalid", t->id); 1256 } else { 1257 errx(EX_USAGE, "table id `%s' invalid", *av); 1258 } 1259 NEXT_ARG; 1260 if (strcmp(*av, "ip") == 0) 1261 t->type = 1; 1262 else if (strcmp(*av, "mac") == 0) 1263 t->type = 2; 1264 else 1265 errx(EX_USAGE, "table type `%s' not supported", *av); 1266 1267 NEXT_ARG; 1268 memset(t->name, 0, IPFW_TABLE_NAME_LEN); 1269 if (ac == 2 && strcmp(*av, "name") == 0) { 1270 NEXT_ARG; 1271 if (strlen(*av) < IPFW_TABLE_NAME_LEN) { 1272 strncpy(t->name, *av, strlen(*av)); 1273 } else { 1274 errx(EX_USAGE, "table name `%s' too long", *av); 1275 } 1276 } else if (ac == 1) { 1277 errx(EX_USAGE, "table `%s' invalid", *av); 1278 } 1279 1280 if (do_set_x(IP_FW_TABLE_CREATE, t, sizeof(struct ipfw_ioc_table)) < 0) 1281 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_CREATE) " 1282 "table `%d' in use", t->id); 1283 } 1284 1285 static void 1286 table_delete(int ac, char *av[]) 1287 { 1288 struct ipfw_ioc_table ioc_table; 1289 struct ipfw_ioc_table *t = &ioc_table; 1290 1291 NEXT_ARG; 1292 if (isdigit(**av)) { 1293 t->id = atoi(*av); 1294 if (t->id < 0 || t->id > IPFW_TABLES_MAX - 1) 1295 errx(EX_USAGE, "table id `%d' invalid", t->id); 1296 } else { 1297 errx(EX_USAGE, "table id `%s' invalid", *av); 1298 } 1299 if (t->id < 0 || t->id > IPFW_TABLES_MAX - 1) 1300 errx(EX_USAGE, "table id `%d' invalid", t->id); 1301 1302 if (do_set_x(IP_FW_TABLE_DELETE, t, sizeof(struct ipfw_ioc_table)) < 0) 1303 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_DELETE) " 1304 "table `%s' delete failed", *av); 1305 } 1306 1307 static void 1308 table_test(int ac, char *av[]) 1309 { 1310 struct ipfw_ioc_table tbl; 1311 int size; 1312 1313 NEXT_ARG; 1314 if (isdigit(**av)) 1315 tbl.id = atoi(*av); 1316 else 1317 errx(EX_USAGE, "table id `%s' invalid", *av); 1318 1319 if (tbl.id < 0 || tbl.id > IPFW_TABLES_MAX - 1) 1320 errx(EX_USAGE, "table id `%d' invalid", tbl.id); 1321 1322 NEXT_ARG; 1323 if (strcmp(*av, "ip") == 0) 1324 tbl.type = 1; 1325 else if (strcmp(*av, "mac") == 0) 1326 tbl.type = 2; 1327 else 1328 errx(EX_USAGE, "table type `%s' not supported", *av); 1329 1330 NEXT_ARG; 1331 if (tbl.type == 1) { /* table type ipv4 */ 1332 struct ipfw_ioc_table_ip_entry ip_ent; 1333 if (lookup_host(*av, (struct in_addr *)&ip_ent.addr) != 0) 1334 errx(EX_NOHOST, "hostname ``%s'' unknown", *av); 1335 1336 tbl.ip_ent[0] = ip_ent; 1337 size = sizeof(tbl) + sizeof(ip_ent); 1338 } else if (tbl.type == 2) { /* table type mac */ 1339 struct ipfw_ioc_table_mac_entry mac_ent; 1340 if (!ac) 1341 errx(EX_USAGE, "MAC address required"); 1342 1343 mac_ent.addr = *ether_aton(*av); 1344 tbl.mac_ent[0] = mac_ent; 1345 size = sizeof(tbl) + sizeof(mac_ent); 1346 } 1347 if (do_set_x(IP_FW_TABLE_TEST, &tbl, size) < 0 ) { 1348 printf("NO, %s not exists in table %d\n", *av, tbl.id); 1349 } else { 1350 printf("YES, %s exists in table %d\n", *av, tbl.id); 1351 } 1352 } 1353 1354 static void 1355 table_rename(int ac, char *av[]) 1356 { 1357 struct ipfw_ioc_table tbl; 1358 int size; 1359 1360 bzero(&tbl, sizeof(tbl)); 1361 NEXT_ARG; 1362 if (isdigit(**av)) 1363 tbl.id = atoi(*av); 1364 else 1365 errx(EX_USAGE, "table id `%s' invalid", *av); 1366 1367 if (tbl.id < 0 || tbl.id > IPFW_TABLES_MAX - 1) 1368 errx(EX_USAGE, "table id `%d' invalid", tbl.id); 1369 1370 NEXT_ARG; 1371 strlcpy(tbl.name, *av, IPFW_TABLE_NAME_LEN); 1372 size = sizeof(tbl); 1373 if (do_set_x(IP_FW_TABLE_RENAME, &tbl, size) < 0 ) 1374 errx(EX_USAGE, "do_set_x(IP_FW_TABLE_RENAME) " 1375 "table `%d' not in use", tbl.id); 1376 } 1377 1378 static void 1379 list(int ac, char *av[]) 1380 { 1381 struct ipfw_ioc_state *dynrules, *d; 1382 struct ipfw_ioc_rule *r; 1383 1384 u_long rnum; 1385 void *data = NULL; 1386 int bcwidth, n, nbytes, nstat, ndyn, pcwidth, width; 1387 int exitval = EX_OK, lac; 1388 char **lav, *endptr; 1389 int seen = 0; 1390 int nalloc = 1024; 1391 1392 NEXT_ARG; 1393 1394 /* get rules or pipes from kernel, resizing array as necessary */ 1395 nbytes = nalloc; 1396 1397 while (nbytes >= nalloc) { 1398 nalloc = nalloc * 2 ; 1399 nbytes = nalloc; 1400 if ((data = realloc(data, nbytes)) == NULL) 1401 err(EX_OSERR, "realloc"); 1402 if (do_get_x(IP_FW_GET, data, &nbytes) < 0) 1403 err(EX_OSERR, "do_get_x(IP_FW_GET)"); 1404 } 1405 1406 /* 1407 * Count static rules. 1408 */ 1409 r = data; 1410 nstat = r->static_count; 1411 1412 /* 1413 * Count dynamic rules. This is easier as they have 1414 * fixed size. 1415 */ 1416 dynrules = (struct ipfw_ioc_state *)((void *)r + r->static_len); 1417 ndyn = (nbytes - r->static_len) / sizeof(*dynrules); 1418 1419 /* if showing stats, figure out column widths ahead of time */ 1420 bcwidth = pcwidth = 0; 1421 if (do_acct) { 1422 for (n = 0, r = data; n < nstat; 1423 n++, r = (void *)r + IOC_RULESIZE(r)) { 1424 /* packet counter */ 1425 width = snprintf(NULL, 0, "%ju", (uintmax_t)r->pcnt); 1426 if (width > pcwidth) 1427 pcwidth = width; 1428 1429 /* byte counter */ 1430 width = snprintf(NULL, 0, "%ju", (uintmax_t)r->bcnt); 1431 if (width > bcwidth) 1432 bcwidth = width; 1433 } 1434 } 1435 if (do_dynamic && ndyn) { 1436 for (n = 0, d = dynrules; n < ndyn; n++, d++) { 1437 width = snprintf(NULL, 0, "%ju", (uintmax_t)d->pcnt); 1438 if (width > pcwidth) 1439 pcwidth = width; 1440 1441 width = snprintf(NULL, 0, "%ju", (uintmax_t)d->bcnt); 1442 if (width > bcwidth) 1443 bcwidth = width; 1444 } 1445 } 1446 1447 /* if no rule numbers were specified, list all rules */ 1448 if (ac == 0) { 1449 if (do_dynamic != 2) { 1450 for (n = 0, r = data; n < nstat; n++, 1451 r = (void *)r + IOC_RULESIZE(r)) { 1452 show_rules(r, pcwidth, bcwidth); 1453 } 1454 } 1455 if (do_dynamic && ndyn) { 1456 if (do_dynamic != 2) { 1457 printf("## States (%d):\n", ndyn); 1458 } 1459 for (n = 0, d = dynrules; n < ndyn; n++, d++) 1460 show_states(d, pcwidth, bcwidth); 1461 } 1462 goto done; 1463 } 1464 1465 /* display specific rules requested on command line */ 1466 1467 if (do_dynamic != 2) { 1468 for (lac = ac, lav = av; lac != 0; lac--) { 1469 /* convert command line rule # */ 1470 rnum = strtoul(*lav++, &endptr, 10); 1471 if (*endptr) { 1472 exitval = EX_USAGE; 1473 warnx("invalid rule number: %s", *(lav - 1)); 1474 continue; 1475 } 1476 for (n = seen = 0, r = data; n < nstat; 1477 n++, r = (void *)r + IOC_RULESIZE(r) ) { 1478 if (r->rulenum > rnum) 1479 break; 1480 if (r->rulenum == rnum) { 1481 show_rules(r, pcwidth, bcwidth); 1482 seen = 1; 1483 } 1484 } 1485 if (!seen) { 1486 /* give precedence to other error(s) */ 1487 if (exitval == EX_OK) 1488 exitval = EX_UNAVAILABLE; 1489 warnx("rule %lu does not exist", rnum); 1490 } 1491 } 1492 } 1493 1494 if (do_dynamic && ndyn) { 1495 if (do_dynamic != 2) { 1496 printf("## States (%d):\n", ndyn); 1497 } 1498 for (lac = ac, lav = av; lac != 0; lac--) { 1499 rnum = strtoul(*lav++, &endptr, 10); 1500 if (*endptr) 1501 /* already warned */ 1502 continue; 1503 for (n = 0, d = dynrules; n < ndyn; n++, d++) { 1504 if (d->rulenum > rnum) 1505 break; 1506 if (d->rulenum == rnum) 1507 show_states(d, pcwidth, bcwidth); 1508 } 1509 } 1510 } 1511 1512 ac = 0; 1513 1514 done: 1515 free(data); 1516 1517 if (exitval != EX_OK) 1518 exit(exitval); 1519 } 1520 1521 static void 1522 show_dummynet(int ac, char *av[]) 1523 { 1524 void *data = NULL; 1525 int nbytes; 1526 int nalloc = 1024; /* start somewhere... */ 1527 1528 NEXT_ARG; 1529 1530 nbytes = nalloc; 1531 while (nbytes >= nalloc) { 1532 nalloc = nalloc * 2 + 200; 1533 nbytes = nalloc; 1534 if ((data = realloc(data, nbytes)) == NULL) 1535 err(EX_OSERR, "realloc"); 1536 if (do_get_x(IP_DUMMYNET_GET, data, &nbytes) < 0) { 1537 err(EX_OSERR, "do_get_x(IP_%s_GET)", 1538 do_pipe ? "DUMMYNET" : "FW"); 1539 } 1540 } 1541 1542 show_pipes(data, nbytes, ac, av); 1543 free(data); 1544 } 1545 1546 static void 1547 help(void) 1548 { 1549 fprintf(stderr, "usage: ipfw [options]\n" 1550 " ipfw add [rulenum] [set id] action filters\n" 1551 " ipfw delete [rulenum]\n" 1552 " ipfw flush\n" 1553 " ipfw list [rulenum]\n" 1554 " ipfw show [rulenum]\n" 1555 " ipfw zero [rulenum]\n" 1556 " ipfw set [show|enable|disable]\n" 1557 " ipfw module\n" 1558 " ipfw [enable|disable]\n" 1559 " ipfw log [reset|off|on]\n" 1560 " ipfw nat [config|show|delete]\n" 1561 " ipfw pipe [config|show|delete]\n" 1562 " ipfw state [add|delete|list|show]" 1563 "\nsee ipfw manpage for details\n"); 1564 exit(EX_USAGE); 1565 } 1566 1567 1568 static void 1569 delete_rules(int ac, char *av[]) 1570 { 1571 struct dn_ioc_pipe pipe; 1572 u_int32_t rulenum; 1573 int exitval = EX_OK; 1574 int do_set = 0; 1575 int i; 1576 1577 memset(&pipe, 0, sizeof pipe); 1578 1579 NEXT_ARG; 1580 if (ac > 0 && !strncmp(*av, "set", strlen(*av))) { 1581 do_set = 1; /* delete set */ 1582 NEXT_ARG; 1583 } 1584 1585 /* Rule number */ 1586 while (ac && isdigit(**av)) { 1587 i = atoi(*av); 1588 NEXT_ARG; 1589 if (do_pipe) { 1590 if (do_pipe == 1) 1591 pipe.pipe_nr = i; 1592 else 1593 pipe.fs.fs_nr = i; 1594 1595 i = do_set_x(IP_DUMMYNET_DEL, &pipe, sizeof pipe); 1596 if (i) { 1597 exitval = 1; 1598 warn("rule %u: setsockopt(IP_DUMMYNET_DEL)", 1599 do_pipe == 1 ? pipe.pipe_nr : 1600 pipe.fs.fs_nr); 1601 } 1602 } else { 1603 rulenum = (i & 0xffff) | (do_set << 24); 1604 i = do_set_x(IP_FW_DEL, &rulenum, sizeof rulenum); 1605 if (i) { 1606 exitval = EX_UNAVAILABLE; 1607 warn("rule %u: setsockopt(IP_FW_DEL)", 1608 rulenum); 1609 } 1610 } 1611 } 1612 if (exitval != EX_OK) 1613 exit(exitval); 1614 } 1615 1616 1617 static unsigned long 1618 getbw(const char *str, u_short *flags, int kb) 1619 { 1620 unsigned long val; 1621 int inbytes = 0; 1622 char *end; 1623 1624 val = strtoul(str, &end, 0); 1625 if (*end == 'k' || *end == 'K') { 1626 ++end; 1627 val *= kb; 1628 } else if (*end == 'm' || *end == 'M') { 1629 ++end; 1630 val *= kb * kb; 1631 } 1632 1633 /* 1634 * Deal with bits or bytes or b(bits) or B(bytes). If there is no 1635 * trailer assume bits. 1636 */ 1637 if (strncasecmp(end, "bit", 3) == 0) { 1638 ; 1639 } else if (strncasecmp(end, "byte", 4) == 0) { 1640 inbytes = 1; 1641 } else if (*end == 'b') { 1642 ; 1643 } else if (*end == 'B') { 1644 inbytes = 1; 1645 } 1646 1647 /* 1648 * Return in bits if flags is NULL, else flag bits 1649 * or bytes in flags and return the unconverted value. 1650 */ 1651 if (inbytes && flags) 1652 *flags |= DN_QSIZE_IS_BYTES; 1653 else if (inbytes && flags == NULL) 1654 val *= 8; 1655 1656 return(val); 1657 } 1658 1659 /* 1660 * config dummynet pipe/queue 1661 */ 1662 static void 1663 config_dummynet(int ac, char **av) 1664 { 1665 struct dn_ioc_pipe pipe; 1666 u_int32_t a; 1667 void *par = NULL; 1668 int i; 1669 char *end; 1670 1671 NEXT_ARG; 1672 memset(&pipe, 0, sizeof pipe); 1673 /* Pipe number */ 1674 if (ac && isdigit(**av)) { 1675 i = atoi(*av); 1676 NEXT_ARG; 1677 if (do_pipe == 1) 1678 pipe.pipe_nr = i; 1679 else 1680 pipe.fs.fs_nr = i; 1681 } 1682 1683 while (ac > 0) { 1684 double d; 1685 1686 int tok = match_token(dummynet_params, *av); 1687 NEXT_ARG; 1688 1689 switch(tok) { 1690 case TOK_NOERROR: 1691 pipe.fs.flags_fs |= DN_NOERROR; 1692 break; 1693 1694 case TOK_PLR: 1695 NEED1("plr needs argument 0..1\n"); 1696 d = strtod(av[0], NULL); 1697 if (d > 1) 1698 d = 1; 1699 else if (d < 0) 1700 d = 0; 1701 pipe.fs.plr = (int)(d*0x7fffffff); 1702 NEXT_ARG; 1703 break; 1704 1705 case TOK_QUEUE: 1706 NEED1("queue needs queue size\n"); 1707 end = NULL; 1708 pipe.fs.qsize = getbw(av[0], &pipe.fs.flags_fs, 1024); 1709 NEXT_ARG; 1710 break; 1711 1712 case TOK_BUCKETS: 1713 NEED1("buckets needs argument\n"); 1714 pipe.fs.rq_size = strtoul(av[0], NULL, 0); 1715 NEXT_ARG; 1716 break; 1717 1718 case TOK_MASK: 1719 NEED1("mask needs mask specifier\n"); 1720 /* 1721 * per-flow queue, mask is dst_ip, dst_port, 1722 * src_ip, src_port, proto measured in bits 1723 */ 1724 par = NULL; 1725 1726 pipe.fs.flow_mask.type = ETHERTYPE_IP; 1727 pipe.fs.flow_mask.u.ip.dst_ip = 0; 1728 pipe.fs.flow_mask.u.ip.src_ip = 0; 1729 pipe.fs.flow_mask.u.ip.dst_port = 0; 1730 pipe.fs.flow_mask.u.ip.src_port = 0; 1731 pipe.fs.flow_mask.u.ip.proto = 0; 1732 end = NULL; 1733 1734 while (ac >= 1) { 1735 u_int32_t *p32 = NULL; 1736 u_int16_t *p16 = NULL; 1737 1738 tok = match_token(dummynet_params, *av); 1739 NEXT_ARG; 1740 switch(tok) { 1741 case TOK_ALL: 1742 /* 1743 * special case, all bits significant 1744 */ 1745 pipe.fs.flow_mask.u.ip.dst_ip = ~0; 1746 pipe.fs.flow_mask.u.ip.src_ip = ~0; 1747 pipe.fs.flow_mask.u.ip.dst_port = ~0; 1748 pipe.fs.flow_mask.u.ip.src_port = ~0; 1749 pipe.fs.flow_mask.u.ip.proto = ~0; 1750 pipe.fs.flags_fs |= DN_HAVE_FLOW_MASK; 1751 goto end_mask; 1752 1753 case TOK_DSTIP: 1754 p32 = &pipe.fs.flow_mask.u.ip.dst_ip; 1755 break; 1756 1757 case TOK_SRCIP: 1758 p32 = &pipe.fs.flow_mask.u.ip.src_ip; 1759 break; 1760 1761 case TOK_DSTPORT: 1762 p16 = &pipe.fs.flow_mask.u.ip.dst_port; 1763 break; 1764 1765 case TOK_SRCPORT: 1766 p16 = &pipe.fs.flow_mask.u.ip.src_port; 1767 break; 1768 1769 case TOK_PROTO: 1770 break; 1771 1772 default: 1773 NEXT_ARG; 1774 goto end_mask; 1775 } 1776 if (ac < 1) 1777 errx(EX_USAGE, "mask: value missing"); 1778 if (*av[0] == '/') { 1779 a = strtoul(av[0]+1, &end, 0); 1780 a = (a == 32) ? ~0 : (1 << a) - 1; 1781 } else 1782 a = strtoul(av[0], &end, 0); 1783 if (p32 != NULL) 1784 *p32 = a; 1785 else if (p16 != NULL) { 1786 if (a > 65535) 1787 errx(EX_DATAERR, 1788 "mask: must be 16 bit"); 1789 *p16 = (u_int16_t)a; 1790 } else { 1791 if (a > 255) 1792 errx(EX_DATAERR, 1793 "mask: must be 8 bit"); 1794 pipe.fs.flow_mask.u.ip.proto = 1795 (uint8_t)a; 1796 } 1797 if (a != 0) 1798 pipe.fs.flags_fs |= DN_HAVE_FLOW_MASK; 1799 NEXT_ARG; 1800 } /* end while, config masks */ 1801 1802 end_mask: 1803 break; 1804 1805 case TOK_RED: 1806 case TOK_GRED: 1807 NEED1("red/gred needs w_q/min_th/max_th/max_p\n"); 1808 pipe.fs.flags_fs |= DN_IS_RED; 1809 if (tok == TOK_GRED) 1810 pipe.fs.flags_fs |= DN_IS_GENTLE_RED; 1811 /* 1812 * the format for parameters is w_q/min_th/max_th/max_p 1813 */ 1814 if ((end = strsep(&av[0], "/"))) { 1815 double w_q = strtod(end, NULL); 1816 if (w_q > 1 || w_q <= 0) 1817 errx(EX_DATAERR, "0 < w_q <= 1"); 1818 pipe.fs.w_q = (int) (w_q * (1 << SCALE_RED)); 1819 } 1820 if ((end = strsep(&av[0], "/"))) { 1821 pipe.fs.min_th = strtoul(end, &end, 0); 1822 if (*end == 'K' || *end == 'k') 1823 pipe.fs.min_th *= 1024; 1824 } 1825 if ((end = strsep(&av[0], "/"))) { 1826 pipe.fs.max_th = strtoul(end, &end, 0); 1827 if (*end == 'K' || *end == 'k') 1828 pipe.fs.max_th *= 1024; 1829 } 1830 if ((end = strsep(&av[0], "/"))) { 1831 double max_p = strtod(end, NULL); 1832 if (max_p > 1 || max_p <= 0) 1833 errx(EX_DATAERR, "0 < max_p <= 1"); 1834 pipe.fs.max_p = (int)(max_p * (1 << SCALE_RED)); 1835 } 1836 NEXT_ARG; 1837 break; 1838 1839 case TOK_DROPTAIL: 1840 pipe.fs.flags_fs &= ~(DN_IS_RED|DN_IS_GENTLE_RED); 1841 break; 1842 1843 case TOK_BW: 1844 NEED1("bw needs bandwidth\n"); 1845 if (do_pipe != 1) 1846 errx(EX_DATAERR, 1847 "bandwidth only valid for pipes"); 1848 /* 1849 * set bandwidth value 1850 */ 1851 pipe.bandwidth = getbw(av[0], NULL, 1000); 1852 if (pipe.bandwidth < 0) 1853 errx(EX_DATAERR, "bandwidth too large"); 1854 NEXT_ARG; 1855 break; 1856 1857 case TOK_DELAY: 1858 if (do_pipe != 1) 1859 errx(EX_DATAERR, "delay only valid for pipes"); 1860 NEED1("delay needs argument 0..10000ms\n"); 1861 pipe.delay = strtoul(av[0], NULL, 0); 1862 NEXT_ARG; 1863 break; 1864 1865 case TOK_WEIGHT: 1866 if (do_pipe == 1) 1867 errx(EX_DATAERR, 1868 "weight only valid for queues"); 1869 NEED1("weight needs argument 0..100\n"); 1870 pipe.fs.weight = strtoul(av[0], &end, 0); 1871 NEXT_ARG; 1872 break; 1873 1874 case TOK_PIPE: 1875 if (do_pipe == 1) 1876 errx(EX_DATAERR, "pipe only valid for queues"); 1877 NEED1("pipe needs pipe_number\n"); 1878 pipe.fs.parent_nr = strtoul(av[0], &end, 0); 1879 NEXT_ARG; 1880 break; 1881 1882 default: 1883 errx(EX_DATAERR, "unrecognised option ``%s''", *av); 1884 } 1885 } 1886 if (do_pipe == 1) { 1887 if (pipe.pipe_nr == 0) 1888 errx(EX_DATAERR, "pipe_nr must be > 0"); 1889 if (pipe.delay > 10000) 1890 errx(EX_DATAERR, "delay must be < 10000"); 1891 } else { /* do_pipe == 2, queue */ 1892 if (pipe.fs.parent_nr == 0) 1893 errx(EX_DATAERR, "pipe must be > 0"); 1894 if (pipe.fs.weight >100) 1895 errx(EX_DATAERR, "weight must be <= 100"); 1896 } 1897 if (pipe.fs.flags_fs & DN_QSIZE_IS_BYTES) { 1898 if (pipe.fs.qsize > 1024*1024) 1899 errx(EX_DATAERR, "queue size must be < 1MB"); 1900 } else { 1901 if (pipe.fs.qsize > 100) 1902 errx(EX_DATAERR, "2 <= queue size <= 100"); 1903 } 1904 if (pipe.fs.flags_fs & DN_IS_RED) { 1905 size_t len; 1906 int lookup_depth, avg_pkt_size; 1907 double s, idle, weight, w_q; 1908 int clock_hz; 1909 int t; 1910 1911 if (pipe.fs.min_th >= pipe.fs.max_th) 1912 errx(EX_DATAERR, "min_th %d must be < than max_th %d", 1913 pipe.fs.min_th, pipe.fs.max_th); 1914 if (pipe.fs.max_th == 0) 1915 errx(EX_DATAERR, "max_th must be > 0"); 1916 1917 len = sizeof(int); 1918 if (sysctlbyname("net.inet.ip.dummynet.red_lookup_depth", 1919 &lookup_depth, &len, NULL, 0) == -1) 1920 1921 errx(1, "sysctlbyname(\"%s\")", 1922 "net.inet.ip.dummynet.red_lookup_depth"); 1923 if (lookup_depth == 0) 1924 errx(EX_DATAERR, "net.inet.ip.dummynet.red_lookup_depth" 1925 " must be greater than zero"); 1926 1927 len = sizeof(int); 1928 if (sysctlbyname("net.inet.ip.dummynet.red_avg_pkt_size", 1929 &avg_pkt_size, &len, NULL, 0) == -1) 1930 1931 errx(1, "sysctlbyname(\"%s\")", 1932 "net.inet.ip.dummynet.red_avg_pkt_size"); 1933 if (avg_pkt_size == 0) 1934 errx(EX_DATAERR, 1935 "net.inet.ip.dummynet.red_avg_pkt_size must" 1936 " be greater than zero"); 1937 1938 len = sizeof(clock_hz); 1939 if (sysctlbyname("net.inet.ip.dummynet.hz", &clock_hz, &len, 1940 NULL, 0) == -1) { 1941 errx(1, "sysctlbyname(\"%s\")", 1942 "net.inet.ip.dummynet.hz"); 1943 } 1944 1945 /* 1946 * Ticks needed for sending a medium-sized packet. 1947 * Unfortunately, when we are configuring a WF2Q+ queue, we 1948 * do not have bandwidth information, because that is stored 1949 * in the parent pipe, and also we have multiple queues 1950 * competing for it. So we set s=0, which is not very 1951 * correct. But on the other hand, why do we want RED with 1952 * WF2Q+ ? 1953 */ 1954 if (pipe.bandwidth == 0) /* this is a WF2Q+ queue */ 1955 s = 0; 1956 else 1957 s = clock_hz * avg_pkt_size * 8 / pipe.bandwidth; 1958 1959 /* 1960 * max idle time (in ticks) before avg queue size becomes 0. 1961 * NOTA: (3/w_q) is approx the value x so that 1962 * (1-w_q)^x < 10^-3. 1963 */ 1964 w_q = ((double)pipe.fs.w_q) / (1 << SCALE_RED); 1965 idle = s * 3. / w_q; 1966 pipe.fs.lookup_step = (int)idle / lookup_depth; 1967 if (!pipe.fs.lookup_step) 1968 pipe.fs.lookup_step = 1; 1969 weight = 1 - w_q; 1970 for (t = pipe.fs.lookup_step; t > 0; --t) 1971 weight *= weight; 1972 pipe.fs.lookup_weight = (int)(weight * (1 << SCALE_RED)); 1973 } 1974 i = do_set_x(IP_DUMMYNET_CONFIGURE, &pipe, sizeof pipe); 1975 if (i) 1976 err(1, "do_set_x(%s)", "IP_DUMMYNET_CONFIGURE"); 1977 } 1978 1979 /* 1980 * helper function, updates the pointer to cmd with the length 1981 * of the current command, and also cleans up the first word of 1982 * the new command in case it has been clobbered before. 1983 */ 1984 static ipfw_insn* 1985 next_cmd(ipfw_insn *cmd) 1986 { 1987 cmd += F_LEN(cmd); 1988 bzero(cmd, sizeof(*cmd)); 1989 return cmd; 1990 } 1991 1992 /* 1993 * Parse arguments and assemble the microinstructions which make up a rule. 1994 * Rules are added into the 'rulebuf' and then copied in the correct order 1995 * into the actual rule. 1996 * 1997 * 1998 */ 1999 static void 2000 add(int ac, char *av[]) 2001 { 2002 /* 2003 * rules are added into the 'rulebuf' and then copied in 2004 * the correct order into the actual rule. 2005 * Some things that need to go out of order (prob, action etc.) 2006 * go into actbuf[]. 2007 */ 2008 static uint32_t rulebuf[IPFW_RULE_SIZE_MAX]; 2009 static uint32_t actbuf[IPFW_RULE_SIZE_MAX]; 2010 static uint32_t othbuf[IPFW_RULE_SIZE_MAX]; 2011 static uint32_t cmdbuf[IPFW_RULE_SIZE_MAX]; 2012 2013 ipfw_insn *src, *dst, *cmd, *action, *other; 2014 ipfw_insn *prev; 2015 char *prev_av; 2016 ipfw_insn *the_comment = NULL; 2017 struct ipfw_ioc_rule *rule; 2018 struct ipfw_keyword *key; 2019 struct ipfw_mapping *map; 2020 parser_func fn; 2021 int i, j; 2022 2023 bzero(actbuf, sizeof(actbuf)); /* actions go here */ 2024 bzero(othbuf, sizeof(actbuf)); /* others */ 2025 bzero(cmdbuf, sizeof(cmdbuf)); /* filters */ 2026 bzero(rulebuf, sizeof(rulebuf)); 2027 2028 rule = (struct ipfw_ioc_rule *)rulebuf; 2029 cmd = (ipfw_insn *)cmdbuf; 2030 action = (ipfw_insn *)actbuf; 2031 other = (ipfw_insn *)othbuf; 2032 2033 NEED2("need more parameters"); 2034 NEXT_ARG; 2035 2036 /* [rule N] -- Rule number optional */ 2037 if (ac && isdigit(**av)) { 2038 rule->rulenum = atoi(*av); 2039 NEXT_ARG; 2040 } 2041 2042 /* [set N] -- set number (0..30), optional */ 2043 if (ac > 1 && !strncmp(*av, "set", strlen(*av))) { 2044 int set = strtoul(av[1], NULL, 10); 2045 if (set < 0 || set > 30) 2046 errx(EX_DATAERR, "illegal set %s", av[1]); 2047 rule->set = set; 2048 av += 2; ac -= 2; 2049 } 2050 2051 /* 2052 * parse before 2053 */ 2054 for (;;) { 2055 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) { 2056 if (key->type == BEFORE && 2057 strcmp(key->word, *av) == 0) { 2058 for (j = 0, map = mappings; 2059 j < MAPPING_SIZE; j++, map++) { 2060 if (map->type == IN_USE && 2061 map->module == key->module && 2062 map->opcode == key->opcode ) { 2063 fn = map->parser; 2064 (*fn)(&other, &ac, &av); 2065 break; 2066 } 2067 } 2068 break; 2069 } 2070 } 2071 if (i >= KEYWORD_SIZE) { 2072 break; 2073 } else if (F_LEN(other) > 0) { 2074 if (other->module == MODULE_BASIC_ID && 2075 other->opcode == O_BASIC_CHECK_STATE) { 2076 other = next_cmd(other); 2077 goto done; 2078 } 2079 other = next_cmd(other); 2080 } 2081 } 2082 2083 /* 2084 * parse actions 2085 * 2086 * only accept 1 action 2087 */ 2088 NEED1("missing action"); 2089 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) { 2090 if (ac > 0 && key->type == ACTION && 2091 strcmp(key->word, *av) == 0) { 2092 for (j = 0, map = mappings; 2093 j < MAPPING_SIZE; j++, map++) { 2094 if (map->type == IN_USE && 2095 map->module == key->module && 2096 map->opcode == key->opcode) { 2097 fn = map->parser; 2098 (*fn)(&action, &ac, &av); 2099 break; 2100 } 2101 } 2102 break; 2103 } 2104 } 2105 if (F_LEN(action) > 0) 2106 action = next_cmd(action); 2107 2108 /* 2109 * parse protocol 2110 */ 2111 if (strcmp(*av, "proto") == 0){ 2112 NEXT_ARG; 2113 } 2114 2115 NEED1("missing protocol"); 2116 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) { 2117 if (key->type == PROTO && 2118 strcmp(key->word, "proto") == 0) { 2119 for (j = 0, map = mappings; 2120 j < MAPPING_SIZE; j++, map++) { 2121 if (map->type == IN_USE && 2122 map->module == key->module && 2123 map->opcode == key->opcode ) { 2124 fn = map->parser; 2125 (*fn)(&cmd, &ac, &av); 2126 break; 2127 } 2128 } 2129 break; 2130 } 2131 } 2132 if (F_LEN(cmd) > 0) 2133 cmd = next_cmd(cmd); 2134 2135 /* 2136 * other filters 2137 */ 2138 while (ac > 0) { 2139 char *s, *cur; /* current filter */ 2140 ipfw_insn_u32 *cmd32; /* alias for cmd */ 2141 2142 s = *av; 2143 cmd32 = (ipfw_insn_u32 *)cmd; 2144 if (strcmp(*av, "or") == 0) { 2145 if (prev == NULL) 2146 errx(EX_USAGE, "'or' should" 2147 "between two filters\n"); 2148 prev->len |= F_OR; 2149 cmd->len = F_OR; 2150 *av = prev_av; 2151 } 2152 if (strcmp(*av, "not") == 0) { 2153 if (cmd->len & F_NOT) 2154 errx(EX_USAGE, "double \"not\" not allowed\n"); 2155 cmd->len = F_NOT; 2156 NEXT_ARG; 2157 continue; 2158 } 2159 cur = *av; 2160 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) { 2161 if ((key->type == FILTER || 2162 key->type == AFTER || 2163 key->type == FROM || 2164 key->type == TO) && 2165 strcmp(key->word, cur) == 0) { 2166 for (j = 0, map = mappings; 2167 j< MAPPING_SIZE; j++, map++) { 2168 if (map->type == IN_USE && 2169 map->module == key->module && 2170 map->opcode == key->opcode ) { 2171 fn = map->parser; 2172 (*fn)(&cmd, &ac, &av); 2173 break; 2174 } 2175 } 2176 break; 2177 } else if (i == KEYWORD_SIZE - 1) { 2178 errx(EX_USAGE, "bad command `%s'", cur); 2179 } 2180 } 2181 if (i >= KEYWORD_SIZE) { 2182 break; 2183 } else if (F_LEN(cmd) > 0) { 2184 prev = cmd; 2185 prev_av = cur; 2186 cmd = next_cmd(cmd); 2187 } 2188 } 2189 2190 done: 2191 if (ac>0) 2192 errx(EX_USAGE, "bad command `%s'", *av); 2193 2194 /* 2195 * Now copy stuff into the rule. 2196 * [filters][others][action][comment] 2197 */ 2198 dst = (ipfw_insn *)rule->cmd; 2199 /* 2200 * copy all filters, except comment 2201 */ 2202 src = (ipfw_insn *)cmdbuf; 2203 for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) { 2204 /* pick comment out */ 2205 i = F_LEN(src); 2206 if (src->module == MODULE_BASIC_ID && 2207 src->opcode == O_BASIC_COMMENT) { 2208 the_comment=src; 2209 } else { 2210 bcopy(src, dst, i * sizeof(u_int32_t)); 2211 dst = (ipfw_insn *)((uint32_t *)dst + i); 2212 } 2213 } 2214 2215 /* 2216 * start action section, it begin with others 2217 */ 2218 rule->act_ofs = (uint32_t *)dst - (uint32_t *)(rule->cmd); 2219 2220 /* 2221 * copy all other others 2222 */ 2223 for (src = (ipfw_insn *)othbuf; src != other; src += i) { 2224 i = F_LEN(src); 2225 bcopy(src, dst, i * sizeof(u_int32_t)); 2226 dst = (ipfw_insn *)((uint32_t *)dst + i); 2227 } 2228 2229 /* copy the action to the end of rule */ 2230 src = (ipfw_insn *)actbuf; 2231 i = F_LEN(src); 2232 bcopy(src, dst, i * sizeof(u_int32_t)); 2233 dst = (ipfw_insn *)((uint32_t *)dst + i); 2234 2235 /* 2236 * comment place behind the action 2237 */ 2238 if (the_comment != NULL) { 2239 i = F_LEN(the_comment); 2240 bcopy(the_comment, dst, i * sizeof(u_int32_t)); 2241 dst = (ipfw_insn *)((uint32_t *)dst + i); 2242 } 2243 2244 rule->cmd_len = (u_int32_t *)dst - (u_int32_t *)(rule->cmd); 2245 i = (void *)dst - (void *)rule; 2246 if (do_set_x(IP_FW_ADD, (void *)rule, i) == -1) { 2247 err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD"); 2248 } 2249 if (!do_quiet) 2250 show_rules(rule, 10, 10); 2251 } 2252 2253 static void 2254 zero(int ac, char *av[]) 2255 { 2256 int rulenum; 2257 int failed = EX_OK; 2258 2259 NEXT_ARG; 2260 2261 if (!ac) { 2262 /* clear all entries */ 2263 if (do_set_x(IP_FW_ZERO, NULL, 0) < 0) 2264 err(EX_UNAVAILABLE, "do_set_x(IP_FW_ZERO)"); 2265 if (!do_quiet) 2266 printf("Accounting cleared.\n"); 2267 return; 2268 } 2269 2270 while (ac) { 2271 /* Rule number */ 2272 if (isdigit(**av)) { 2273 rulenum = atoi(*av); 2274 NEXT_ARG; 2275 if (do_set_x(IP_FW_ZERO, &rulenum, sizeof rulenum)) { 2276 warn("rule %u: do_set_x(IP_FW_ZERO)", rulenum); 2277 failed = EX_UNAVAILABLE; 2278 } else if (!do_quiet) 2279 printf("Entry %d cleared\n", rulenum); 2280 } else { 2281 errx(EX_USAGE, "invalid rule number ``%s''", *av); 2282 } 2283 } 2284 if (failed != EX_OK) 2285 exit(failed); 2286 } 2287 2288 static void 2289 resetlog(int ac, char *av[]) 2290 { 2291 int rulenum; 2292 int failed = EX_OK; 2293 2294 NEXT_ARG; 2295 2296 if (!ac) { 2297 /* clear all entries */ 2298 if (setsockopt(ipfw_socket, IPPROTO_IP, 2299 IP_FW_RESETLOG, NULL, 0) < 0) 2300 err(EX_UNAVAILABLE, "setsockopt(IP_FW_RESETLOG)"); 2301 if (!do_quiet) 2302 printf("Logging counts reset.\n"); 2303 2304 return; 2305 } 2306 2307 while (ac) { 2308 /* Rule number */ 2309 if (isdigit(**av)) { 2310 rulenum = atoi(*av); 2311 NEXT_ARG; 2312 if (setsockopt(ipfw_socket, IPPROTO_IP, 2313 IP_FW_RESETLOG, &rulenum, sizeof rulenum)) { 2314 warn("rule %u: setsockopt(IP_FW_RESETLOG)", 2315 rulenum); 2316 failed = EX_UNAVAILABLE; 2317 } else if (!do_quiet) 2318 printf("Entry %d logging count reset\n", 2319 rulenum); 2320 } else { 2321 errx(EX_DATAERR, "invalid rule number ``%s''", *av); 2322 } 2323 } 2324 if (failed != EX_OK) 2325 exit(failed); 2326 } 2327 2328 static void 2329 flush(void) 2330 { 2331 int cmd = IP_FW_FLUSH; 2332 if (do_pipe) { 2333 cmd = IP_DUMMYNET_FLUSH; 2334 } 2335 if (!do_force) { 2336 int c; 2337 2338 printf("Are you sure? [yn] "); 2339 fflush(stdout); 2340 do { 2341 c = toupper(getc(stdin)); 2342 while (c != '\n' && getc(stdin) != '\n') 2343 if (feof(stdin)) 2344 return; /* and do not flush */ 2345 } while (c != 'Y' && c != 'N'); 2346 if (c == 'N') /* user said no */ 2347 return; 2348 } 2349 if (do_set_x(cmd, NULL, 0) < 0 ) { 2350 if (do_pipe) 2351 errx(EX_USAGE, "pipe/queue in use"); 2352 else 2353 errx(EX_USAGE, "do_set_x(IP_FW_FLUSH) failed"); 2354 } 2355 if (!do_quiet) { 2356 printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules"); 2357 } 2358 } 2359 2360 /* 2361 * do_set_x - extended version og do_set 2362 * insert a x_header in the beginning of the rule buf 2363 * and call setsockopt() with IP_FW_X. 2364 */ 2365 int 2366 do_set_x(int optname, void *rule, int optlen) 2367 { 2368 int len, *newbuf; 2369 2370 ip_fw_x_header *x_header; 2371 if (ipfw_socket < 0) 2372 err(EX_UNAVAILABLE, "socket not avaialble"); 2373 len = optlen + sizeof(ip_fw_x_header); 2374 newbuf = malloc(len); 2375 if (newbuf == NULL) 2376 err(EX_OSERR, "malloc newbuf in do_set_x"); 2377 bzero(newbuf, len); 2378 x_header = (ip_fw_x_header *)newbuf; 2379 x_header->opcode = optname; 2380 /* copy the rule into the newbuf, just after the x_header*/ 2381 bcopy(rule, ++x_header, optlen); 2382 return setsockopt(ipfw_socket, IPPROTO_IP, IP_FW_X, newbuf, len); 2383 } 2384 2385 /* 2386 * same as do_set_x 2387 */ 2388 int 2389 do_get_x(int optname, void *rule, int *optlen) 2390 { 2391 int len, *newbuf, retval; 2392 2393 ip_fw_x_header *x_header; 2394 if (ipfw_socket < 0) 2395 err(EX_UNAVAILABLE, "socket not avaialble"); 2396 len = *optlen + sizeof(ip_fw_x_header); 2397 newbuf = malloc(len); 2398 if (newbuf == NULL) 2399 err(EX_OSERR, "malloc newbuf in do_get_x"); 2400 bzero(newbuf, len); 2401 x_header = (ip_fw_x_header *)newbuf; 2402 x_header->opcode = optname; 2403 /* copy the rule into the newbuf, just after the x_header*/ 2404 bcopy(rule, ++x_header, *optlen); 2405 retval = getsockopt(ipfw_socket, IPPROTO_IP, IP_FW_X, newbuf, &len); 2406 bcopy(newbuf, rule, len); 2407 *optlen=len; 2408 return retval; 2409 } 2410 2411 static int 2412 ipfw_main(int ac, char **av) 2413 { 2414 int ch; 2415 2416 if (ac == 1) 2417 help(); 2418 2419 /* Set the force flag for non-interactive processes */ 2420 do_force = !isatty(STDIN_FILENO); 2421 2422 optind = optreset = 1; 2423 while ((ch = getopt(ac, av, "hs:acdDefNStTv")) != -1) 2424 switch (ch) { 2425 case 'h': /* help */ 2426 help(); 2427 break; /* NOTREACHED */ 2428 2429 case 's': /* sort */ 2430 do_sort = atoi(optarg); 2431 break; 2432 case 'a': 2433 do_acct = 1; 2434 break; 2435 case 'c': 2436 do_compact = 1; 2437 break; 2438 case 'd': 2439 do_dynamic = 1; 2440 break; 2441 case 'D': 2442 do_dynamic = 2; 2443 break; 2444 case 'e': 2445 do_expired = 1; 2446 break; 2447 case 'f': 2448 do_force = 1; 2449 break; 2450 case 'N': 2451 do_resolv = 1; 2452 break; 2453 case 'S': 2454 show_sets = 1; 2455 break; 2456 case 't': 2457 do_time = 1; 2458 break; 2459 case 'T': 2460 do_time = 2; 2461 break; 2462 case 'v': 2463 do_quiet = 0; 2464 verbose++; 2465 break; 2466 default: 2467 help(); 2468 } 2469 2470 ac -= optind; 2471 av += optind; 2472 NEED1("bad arguments, for usage summary ``ipfw''"); 2473 2474 /* 2475 * optional: pipe or queue or nat 2476 */ 2477 do_nat = 0; 2478 do_pipe = 0; 2479 if (!strncmp(*av, "nat", strlen(*av))) 2480 do_nat = 1; 2481 else if (!strncmp(*av, "pipe", strlen(*av))) { 2482 do_pipe = 1; 2483 } else if (!strncmp(*av, "queue", strlen(*av))) { 2484 do_pipe = 2; 2485 } 2486 NEED1("missing command"); 2487 2488 /* 2489 * for pipes and queues and nat we normally say 'pipe NN config' 2490 * but the code is easier to parse as 'pipe config NN' 2491 * so we swap the two arguments. 2492 */ 2493 if ((do_pipe || do_nat) && ac > 2 && isdigit(*(av[1]))) { 2494 char *p = av[1]; 2495 av[1] = av[2]; 2496 av[2] = p; 2497 } 2498 2499 if (!strncmp(*av, "add", strlen(*av))) { 2500 load_modules(); 2501 add(ac, av); 2502 } else if (!strncmp(*av, "delete", strlen(*av))) { 2503 delete_rules(ac, av); 2504 } else if (!strncmp(*av, "flush", strlen(*av))) { 2505 flush(); 2506 } else if (!strncmp(*av, "list", strlen(*av))) { 2507 load_modules(); 2508 list(ac, av); 2509 } else if (!strncmp(*av, "show", strlen(*av))) { 2510 do_acct++; 2511 load_modules(); 2512 list(ac, av); 2513 } else if (!strncmp(*av, "zero", strlen(*av))) { 2514 zero(ac, av); 2515 } else if (!strncmp(*av, "set", strlen(*av))) { 2516 sets_handler(ac, av); 2517 } else if (!strncmp(*av, "module", strlen(*av))) { 2518 NEXT_ARG; 2519 if (!strncmp(*av, "show", strlen(*av)) || 2520 !strncmp(*av, "show", strlen(*av))) { 2521 list_modules(ac, av); 2522 } else { 2523 errx(EX_USAGE, "bad ipfw module command `%s'", *av); 2524 } 2525 } else if (!strncmp(*av, "resetlog", strlen(*av))) { 2526 resetlog(ac, av); 2527 } else if (!strncmp(*av, "log", strlen(*av))) { 2528 NEXT_ARG; 2529 if (!strncmp(*av, "reset", strlen(*av))) { 2530 resetlog(ac, av); 2531 } else if (!strncmp(*av, "off", strlen(*av))) { 2532 2533 } else if (!strncmp(*av, "on", strlen(*av))) { 2534 2535 } else { 2536 errx(EX_USAGE, "bad command `%s'", *av); 2537 } 2538 } else if (!strncmp(*av, "nat", strlen(*av))) { 2539 NEXT_ARG; 2540 nat_main(ac, av); 2541 } else if (!strncmp(*av, "pipe", strlen(*av)) || 2542 !strncmp(*av, "queue", strlen(*av))) { 2543 NEXT_ARG; 2544 if (!strncmp(*av, "config", strlen(*av))) { 2545 config_dummynet(ac, av); 2546 } else if (!strncmp(*av, "flush", strlen(*av))) { 2547 flush(); 2548 } else if (!strncmp(*av, "show", strlen(*av))) { 2549 show_dummynet(ac, av); 2550 } else { 2551 errx(EX_USAGE, "bad ipfw pipe command `%s'", *av); 2552 } 2553 } else if (!strncmp(*av, "state", strlen(*av))) { 2554 NEXT_ARG; 2555 if (!strncmp(*av, "add", strlen(*av))) { 2556 add_state(ac, av); 2557 } else if (!strncmp(*av, "delete", strlen(*av))) { 2558 delete_state(ac, av); 2559 } else if (!strncmp(*av, "flush", strlen(*av))) { 2560 flush_state(ac, av); 2561 } else if (!strncmp(*av, "list", strlen(*av))) { 2562 do_dynamic = 2; 2563 list(ac, av); 2564 } else if (!strncmp(*av, "show", strlen(*av))) { 2565 do_acct = 1; 2566 do_dynamic =2; 2567 list(ac, av); 2568 } else { 2569 errx(EX_USAGE, "bad ipfw state command `%s'", *av); 2570 } 2571 } else if (!strncmp(*av, "table", strlen(*av))) { 2572 if (ac > 2 && isdigit(*(av[1]))) { 2573 char *p = av[1]; 2574 av[1] = av[2]; 2575 av[2] = p; 2576 } 2577 NEXT_ARG; 2578 if (!strncmp(*av, "append", strlen(*av))) { 2579 table_append(ac, av); 2580 } else if (!strncmp(*av, "remove", strlen(*av))) { 2581 table_remove(ac, av); 2582 } else if (!strncmp(*av, "flush", strlen(*av))) { 2583 table_flush(ac, av); 2584 } else if (!strncmp(*av, "list", strlen(*av))) { 2585 table_list(ac, av); 2586 } else if (!strncmp(*av, "show", strlen(*av))) { 2587 table_show(ac, av); 2588 } else if (!strncmp(*av, "type", strlen(*av))) { 2589 table_create(ac, av); 2590 } else if (!strncmp(*av, "delete", strlen(*av))) { 2591 table_delete(ac, av); 2592 } else if (!strncmp(*av, "test", strlen(*av))) { 2593 table_test(ac,av); 2594 } else if (!strncmp(*av, "name", strlen(*av))) { 2595 table_rename(ac, av); 2596 } else { 2597 errx(EX_USAGE, "bad ipfw table command `%s'", *av); 2598 } 2599 } else if (!strncmp(*av, "sync", strlen(*av))) { 2600 NEXT_ARG; 2601 if (!strncmp(*av, "edge", strlen(*av))) { 2602 sync_config_edge(ac, av); 2603 } else if (!strncmp(*av, "centre", strlen(*av))) { 2604 sync_config_centre(ac, av); 2605 } else if (!strncmp(*av, "show", strlen(*av))) { 2606 NEXT_ARG; 2607 if (!strncmp(*av, "config", strlen(*av))) { 2608 sync_show_config(ac, av); 2609 } else if (!strncmp(*av, "status", strlen(*av))) { 2610 sync_show_status(ac, av); 2611 } else { 2612 errx(EX_USAGE, "bad show command `%s'", *av); 2613 } 2614 } else if (!strncmp(*av, "start", strlen(*av))) { 2615 NEXT_ARG; 2616 if (!strncmp(*av, "edge", strlen(*av))) { 2617 sync_edge_start(ac, av); 2618 } else if (!strncmp(*av, "centre", strlen(*av))) { 2619 sync_centre_start(ac, av); 2620 } 2621 } else if (!strncmp(*av, "stop", strlen(*av))) { 2622 NEXT_ARG; 2623 if (!strncmp(*av, "edge", strlen(*av))) { 2624 sync_edge_stop(ac, av); 2625 } else if (!strncmp(*av, "centre", strlen(*av))) { 2626 sync_centre_stop(ac, av); 2627 } 2628 } else if (!strncmp(*av, "clear", strlen(*av))) { 2629 NEXT_ARG; 2630 if (!strncmp(*av, "edge", strlen(*av))) { 2631 sync_edge_clear(ac, av); 2632 } else if (!strncmp(*av, "centre", strlen(*av))) { 2633 sync_centre_clear(ac, av); 2634 } 2635 } else if (!strncmp(*av, "test", strlen(*av))) { 2636 NEXT_ARG; 2637 if (!strncmp(*av, "edge", strlen(*av))) { 2638 sync_edge_test(ac, av); 2639 } else if (!strncmp(*av, "centre", strlen(*av))) { 2640 sync_centre_test(ac, av); 2641 } 2642 } else { 2643 errx(EX_USAGE, "bad ipfw sync command `%s'", *av); 2644 } 2645 } else { 2646 errx(EX_USAGE, "bad ipfw command `%s'", *av); 2647 } 2648 return 0; 2649 } 2650 2651 static void 2652 ipfw_readfile(int ac, char *av[]) 2653 { 2654 char buf[BUFSIZ]; 2655 char *a, *p, *args[MAX_ARGS], *cmd = NULL; 2656 char linename[17]; 2657 int i=0, lineno=0, qflag=0, pflag=0, status; 2658 FILE *f = NULL; 2659 pid_t preproc = 0; 2660 int c; 2661 2662 while ((c = getopt(ac, av, "D:U:p:q")) != -1) { 2663 switch (c) { 2664 case 'D': 2665 if (!pflag) 2666 errx(EX_USAGE, "-D requires -p"); 2667 if (i > MAX_ARGS - 2) 2668 errx(EX_USAGE, "too many -D or -U options"); 2669 args[i++] = "-D"; 2670 args[i++] = optarg; 2671 break; 2672 2673 case 'U': 2674 if (!pflag) 2675 errx(EX_USAGE, "-U requires -p"); 2676 if (i > MAX_ARGS - 2) 2677 errx(EX_USAGE, "too many -D or -U options"); 2678 args[i++] = "-U"; 2679 args[i++] = optarg; 2680 break; 2681 2682 case 'p': 2683 pflag = 1; 2684 cmd = optarg; 2685 args[0] = cmd; 2686 i = 1; 2687 break; 2688 2689 case 'q': 2690 qflag = 1; 2691 break; 2692 2693 default: 2694 errx(EX_USAGE, "bad arguments, for usage" 2695 " summary ``ipfw''"); 2696 } 2697 } 2698 2699 av += optind; 2700 ac -= optind; 2701 if (ac != 1) 2702 errx(EX_USAGE, "extraneous filename arguments"); 2703 2704 if ((f = fopen(av[0], "r")) == NULL) 2705 err(EX_UNAVAILABLE, "fopen: %s", av[0]); 2706 2707 if (pflag) { 2708 /* pipe through preprocessor (cpp or m4) */ 2709 int pipedes[2]; 2710 2711 args[i] = NULL; 2712 2713 if (pipe(pipedes) == -1) 2714 err(EX_OSERR, "cannot create pipe"); 2715 2716 switch ((preproc = fork())) { 2717 case -1: 2718 err(EX_OSERR, "cannot fork"); 2719 2720 case 0: 2721 /* child */ 2722 if (dup2(fileno(f), 0) == -1 || 2723 dup2(pipedes[1], 1) == -1) { 2724 err(EX_OSERR, "dup2()"); 2725 } 2726 fclose(f); 2727 close(pipedes[1]); 2728 close(pipedes[0]); 2729 execvp(cmd, args); 2730 err(EX_OSERR, "execvp(%s) failed", cmd); 2731 2732 default: 2733 /* parent */ 2734 fclose(f); 2735 close(pipedes[1]); 2736 if ((f = fdopen(pipedes[0], "r")) == NULL) { 2737 int savederrno = errno; 2738 2739 kill(preproc, SIGTERM); 2740 errno = savederrno; 2741 err(EX_OSERR, "fdopen()"); 2742 } 2743 } 2744 } 2745 2746 while (fgets(buf, BUFSIZ, f)) { 2747 lineno++; 2748 sprintf(linename, "Line %d", lineno); 2749 args[0] = linename; 2750 2751 if (*buf == '#') 2752 continue; 2753 if ((p = strchr(buf, '#')) != NULL) 2754 *p = '\0'; 2755 i = 1; 2756 if (qflag) 2757 args[i++] = "-q"; 2758 for (a = strtok(buf, WHITESP); a && i < MAX_ARGS; 2759 a = strtok(NULL, WHITESP), i++) { 2760 args[i] = a; 2761 } 2762 2763 if (i == (qflag? 2: 1)) 2764 continue; 2765 if (i == MAX_ARGS) 2766 errx(EX_USAGE, "%s: too many arguments", linename); 2767 2768 args[i] = NULL; 2769 ipfw_main(i, args); 2770 } 2771 fclose(f); 2772 if (pflag) { 2773 if (waitpid(preproc, &status, 0) == -1) 2774 errx(EX_OSERR, "waitpid()"); 2775 if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK) 2776 errx(EX_UNAVAILABLE, "preprocessor exited with status %d", 2777 WEXITSTATUS(status)); 2778 else if (WIFSIGNALED(status)) 2779 errx(EX_UNAVAILABLE, "preprocessor exited with signal %d", 2780 WTERMSIG(status)); 2781 } 2782 } 2783 2784 int 2785 main(int ac, char *av[]) 2786 { 2787 ipfw_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); 2788 if (ipfw_socket < 0) 2789 err(EX_UNAVAILABLE, "socket"); 2790 2791 memset(keywords, 0, sizeof(struct ipfw_keyword) * KEYWORD_SIZE); 2792 memset(mappings, 0, sizeof(struct ipfw_mapping) * MAPPING_SIZE); 2793 2794 prepare_default_funcs(); 2795 2796 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) 2797 ipfw_readfile(ac, av); 2798 else 2799 ipfw_main(ac, av); 2800 return EX_OK; 2801 } 2802