1*4408d548SBill Yuan /*
2*4408d548SBill Yuan  * Copyright (c) 2014 - 2018 The DragonFly Project.  All rights reserved.
3*4408d548SBill Yuan  *
4*4408d548SBill Yuan  * This code is derived from software contributed to The DragonFly Project
5*4408d548SBill Yuan  * by Bill Yuan <bycn82@dragonflybsd.org>
6*4408d548SBill Yuan  *
7*4408d548SBill Yuan  * Redistribution and use in source and binary forms, with or without
8*4408d548SBill Yuan  * modification, are permitted provided that the following conditions
9*4408d548SBill Yuan  * are met:
10*4408d548SBill Yuan  *
11*4408d548SBill Yuan  * 1. Redistributions of source code must retain the above copyright
12*4408d548SBill Yuan  *    notice, this list of conditions and the following disclaimer.
13*4408d548SBill Yuan  * 2. Redistributions in binary form must reproduce the above copyright
14*4408d548SBill Yuan  *    notice, this list of conditions and the following disclaimer in
15*4408d548SBill Yuan  *    the documentation and/or other materials provided with the
16*4408d548SBill Yuan  *    distribution.
17*4408d548SBill Yuan  * 3. Neither the name of The DragonFly Project nor the names of its
18*4408d548SBill Yuan  *    contributors may be used to endorse or promote products derived
19*4408d548SBill Yuan  *    from this software without specific, prior written permission.
20*4408d548SBill Yuan  *
21*4408d548SBill Yuan  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
22*4408d548SBill Yuan  * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
23*4408d548SBill Yuan  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
24*4408d548SBill Yuan  * FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE
25*4408d548SBill Yuan  * COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
26*4408d548SBill Yuan  * INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING,
27*4408d548SBill Yuan  * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
28*4408d548SBill Yuan  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED
29*4408d548SBill Yuan  * AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
30*4408d548SBill Yuan  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
31*4408d548SBill Yuan  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32*4408d548SBill Yuan  * SUCH DAMAGE.
33*4408d548SBill Yuan  */
34*4408d548SBill Yuan 
35*4408d548SBill Yuan #include <sys/param.h>
36*4408d548SBill Yuan #include <sys/mbuf.h>
37*4408d548SBill Yuan #include <sys/socket.h>
38*4408d548SBill Yuan #include <sys/sockio.h>
39*4408d548SBill Yuan #include <sys/sysctl.h>
40*4408d548SBill Yuan #include <sys/time.h>
41*4408d548SBill Yuan #include <sys/wait.h>
42*4408d548SBill Yuan 
43*4408d548SBill Yuan #include <arpa/inet.h>
44*4408d548SBill Yuan #include <ctype.h>
45*4408d548SBill Yuan #include <dlfcn.h>
46*4408d548SBill Yuan #include <err.h>
47*4408d548SBill Yuan #include <errno.h>
48*4408d548SBill Yuan #include <grp.h>
49*4408d548SBill Yuan #include <limits.h>
50*4408d548SBill Yuan #include <netdb.h>
51*4408d548SBill Yuan #include <pwd.h>
52*4408d548SBill Yuan #include <sysexits.h>
53*4408d548SBill Yuan #include <signal.h>
54*4408d548SBill Yuan #include <stdio.h>
55*4408d548SBill Yuan #include <stdlib.h>
56*4408d548SBill Yuan #include <stdarg.h>
57*4408d548SBill Yuan #include <string.h>
58*4408d548SBill Yuan #include <timeconv.h>
59*4408d548SBill Yuan #include <unistd.h>
60*4408d548SBill Yuan 
61*4408d548SBill Yuan #include <netinet/in.h>
62*4408d548SBill Yuan #include <netinet/in_systm.h>
63*4408d548SBill Yuan #include <netinet/ip.h>
64*4408d548SBill Yuan #include <netinet/ip_icmp.h>
65*4408d548SBill Yuan #include <netinet/tcp.h>
66*4408d548SBill Yuan #include <net/if.h>
67*4408d548SBill Yuan #include <net/if_dl.h>
68*4408d548SBill Yuan #include <net/route.h>
69*4408d548SBill Yuan #include <net/ethernet.h>
70*4408d548SBill Yuan 
71*4408d548SBill Yuan #include <net/ipfw3/ip_fw3.h>
72*4408d548SBill Yuan #include <net/ipfw3_basic/ip_fw3_table.h>
73*4408d548SBill Yuan #include <net/ipfw3_basic/ip_fw3_sync.h>
74*4408d548SBill Yuan #include <net/ipfw3_basic/ip_fw3_basic.h>
75*4408d548SBill Yuan #include <net/ipfw3_nat/ip_fw3_nat.h>
76*4408d548SBill Yuan #include <net/dummynet3/ip_dummynet3.h>
77*4408d548SBill Yuan 
78*4408d548SBill Yuan #include "ipfw3.h"
79*4408d548SBill Yuan #include "ipfw3basic.h"
80*4408d548SBill Yuan 
81*4408d548SBill Yuan 
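/*
 * Parse the optional "log [limit]" suffix that may follow an action
 * keyword.  Shared by the "allow"/"accept" and "deny"/"reject" parsers so
 * both actions accept exactly the same syntax.
 *
 * On entry *av points at the token after the action keyword (or at the
 * argv NULL terminator when the action was the last word on the command
 * line).  Sets cmd->arg3 = 1 when "log" (or a prefix of it, as elsewhere
 * in ipfw3) is present and stores the numeric limit, when one follows, in
 * cmd->arg1.  Every token it recognises is consumed with NEXT_ARG1.
 */
static void
parse_log_option(ipfw_insn *cmd, int *ac, char **av[])
{
	const char *tok;
	char *end;
	unsigned long limit;

	/*
	 * Do not run off the end of argv.  The previous code called
	 * strlen() on **av unconditionally, which dereferences the NULL
	 * argv terminator when the action keyword is the last token
	 * (e.g. "ipfw3 add allow").  NEXT_ARG1 is assumed to advance *av
	 * and decrement *ac in lockstep; testing both keeps this safe
	 * even if that assumption is wrong.
	 */
	if (*ac <= 0 || **av == NULL)
		return;
	tok = **av;
	/*
	 * Prefix match on the token's own length ("l", "lo", "log"), the
	 * abbreviation style used throughout ipfw3.  Note an empty token
	 * also matches; that quirk is kept as it was.
	 */
	if (strncmp(tok, "log", strlen(tok)) != 0)
		return;
	cmd->arg3 = 1;
	NEXT_ARG1;

	/* The limit is optional; the next token may be absent or non-numeric. */
	if (*ac <= 0 || **av == NULL)
		return;
	tok = **av;
	/* <ctype.h> functions take an unsigned char value, not a plain char. */
	if (!isdigit((unsigned char)*tok))
		return;

	errno = 0;
	limit = strtoul(tok, &end, 10);
	/*
	 * Reject trailing garbage ("log 10x") and out-of-range values
	 * instead of silently storing a partially parsed or wrapped limit
	 * in the rule.  EX_DATAERR matches the ipfw3 convention for bad
	 * rule syntax.
	 */
	if (*end != '\0' || errno == ERANGE)
		errx(EX_DATAERR, "invalid log limit: %s", tok);
	/*
	 * NOTE(review): arg1 is presumably narrower than unsigned long (see
	 * ipfw_insn in ip_fw3.h); a value wider than the field would still
	 * be truncated by this assignment.  Confirm the width and clamp.
	 */
	cmd->arg1 = limit;
	NEXT_ARG1;
}

/*
 * Parser for the "allow"/"accept" action.
 *
 * Fills in *cmd as an O_BASIC_ACCEPT instruction of the basic module,
 * consumes the action keyword itself and then any "log [limit]" suffix
 * (see parse_log_option).
 *
 * cmd: instruction being built; opcode, module, len, arg1 and arg3 are
 *      written.
 * ac, av: remaining argument count and cursor, advanced by NEXT_ARG1 past
 *      every token consumed.
 */
void
parse_accept(ipfw_insn **cmd, int *ac, char **av[])
{
	ipfw_insn *insn = *cmd;

	insn->opcode = O_BASIC_ACCEPT;
	insn->module = MODULE_BASIC_ID;
	/* OR-ed in rather than assigned, preserving any bits already in len. */
	insn->len |= LEN_OF_IPFWINSN;
	NEXT_ARG1;	/* step past the action keyword */
	parse_log_option(insn, ac, av);
}

/*
 * Parser for the "deny"/"reject" action.
 *
 * Identical to parse_accept except that the instruction is marked
 * O_BASIC_DENY; the optional "log [limit]" suffix is handled by the same
 * helper so the two actions cannot drift apart.
 *
 * cmd: instruction being built; opcode, module, len, arg1 and arg3 are
 *      written.
 * ac, av: remaining argument count and cursor, advanced by NEXT_ARG1 past
 *      every token consumed.
 */
void
parse_deny(ipfw_insn **cmd, int *ac, char **av[])
{
	ipfw_insn *insn = *cmd;

	insn->opcode = O_BASIC_DENY;
	insn->module = MODULE_BASIC_ID;
	/* OR-ed in rather than assigned, preserving any bits already in len. */
	insn->len |= LEN_OF_IPFWINSN;
	NEXT_ARG1;	/* step past the action keyword */
	parse_log_option(insn, ac, av);
}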
115*4408d548SBill Yuan 
/*
 * Printer for an O_BASIC_ACCEPT instruction.
 *
 * Writes " allow" to stdout and, when the log flag (arg3) is set, appends
 * " log <limit>" with the limit taken from arg1.  show_or is part of the
 * shower_func signature and is not used here.
 */
void
show_accept(ipfw_insn *cmd, int show_or)
{
	fputs(" allow", stdout);
	if (cmd->arg3 == 0)
		return;
	printf(" log %d", cmd->arg1);
}
124*4408d548SBill Yuan 
/*
 * Printer for an O_BASIC_DENY instruction.
 *
 * Writes " deny" to stdout and, when the log flag (arg3) is set, appends
 * " log <limit>" with the limit taken from arg1.  show_or is part of the
 * shower_func signature and is not used here.
 */
void
show_deny(ipfw_insn *cmd, int show_or)
{
	fputs(" deny", stdout);
	if (cmd->arg3 == 0)
		return;
	printf(" log %d", cmd->arg1);
}
133*4408d548SBill Yuan 
/*
 * Register one action of the basic module: its two keyword spellings
 * (first kw1, then kw2) followed by its parser/printer pair.  The three
 * calls are issued in exactly the order the original hand-written
 * sequence used, so registration order is unchanged.
 */
static void
register_basic_action(int opcode, char *kw1, char *kw2,
    parser_func parser, shower_func shower)
{
	register_ipfw_keyword(MODULE_BASIC_ID, opcode, kw1, ACTION);
	register_ipfw_keyword(MODULE_BASIC_ID, opcode, kw2, ACTION);
	register_ipfw_func(MODULE_BASIC_ID, opcode, parser, shower);
}

/*
 * Register the basic module's built-in actions with the ipfw3 front end:
 * "allow"/"accept" (O_BASIC_ACCEPT) and "deny"/"reject" (O_BASIC_DENY),
 * each with its parse_*/show_* pair.
 */
void
prepare_default_funcs(void)
{
	register_basic_action(O_BASIC_ACCEPT, "allow", "accept",
	    (parser_func)parse_accept, (shower_func)show_accept);
	register_basic_action(O_BASIC_DENY, "deny", "reject",
	    (parser_func)parse_deny, (shower_func)show_deny);
}
148*4408d548SBill Yuan 