sbin/ipfw/ipfw2.c
Show First 20 Lines • Show All 1,477 Lines • ▼ Show 20 Lines | for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule); | ||||
switch(cmd->opcode) { | switch(cmd->opcode) { | ||||
case O_CHECK_STATE: | case O_CHECK_STATE: | ||||
bprintf(bp, "check-state"); | bprintf(bp, "check-state"); | ||||
if (cmd->arg1 != 0) | if (cmd->arg1 != 0) | ||||
ename = object_search_ctlv(fo->tstate, | ename = object_search_ctlv(fo->tstate, | ||||
cmd->arg1, IPFW_TLV_STATE_NAME); | cmd->arg1, IPFW_TLV_STATE_NAME); | ||||
else | else | ||||
ename = NULL; | ename = NULL; | ||||
bprintf(bp, " %s", ename ? ename: "any"); | bprintf(bp, " :%s", ename ? ename: "any"); | ||||
/* avoid printing anything else */ | /* avoid printing anything else */ | ||||
flags = HAVE_PROTO | HAVE_SRCIP | | flags = HAVE_PROTO | HAVE_SRCIP | | ||||
HAVE_DSTIP | HAVE_IP; | HAVE_DSTIP | HAVE_IP; | ||||
break; | break; | ||||
case O_ACCEPT: | case O_ACCEPT: | ||||
bprintf(bp, "allow"); | bprintf(bp, "allow"); | ||||
break; | break; | ||||
▲ Show 20 Lines • Show All 576 Lines • ▼ Show 20 Lines | default: /*options ... */ | ||||
break; | break; | ||||
case O_NOP: | case O_NOP: | ||||
comment = (char *)(cmd + 1); | comment = (char *)(cmd + 1); | ||||
break; | break; | ||||
case O_KEEP_STATE: | case O_KEEP_STATE: | ||||
bprintf(bp, " keep-state"); | bprintf(bp, " keep-state"); | ||||
bprintf(bp, " %s", | bprintf(bp, " :%s", | ||||
object_search_ctlv(fo->tstate, cmd->arg1, | object_search_ctlv(fo->tstate, cmd->arg1, | ||||
IPFW_TLV_STATE_NAME)); | IPFW_TLV_STATE_NAME)); | ||||
break; | break; | ||||
case O_LIMIT: { | case O_LIMIT: { | ||||
struct _s_x *p = limit_masks; | struct _s_x *p = limit_masks; | ||||
ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; | ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; | ||||
uint8_t x = c->limit_mask; | uint8_t x = c->limit_mask; | ||||
char const *comma = " "; | char const *comma = " "; | ||||
bprintf(bp, " limit"); | bprintf(bp, " limit"); | ||||
for (; p->x != 0 ; p++) | for (; p->x != 0 ; p++) | ||||
if ((x & p->x) == p->x) { | if ((x & p->x) == p->x) { | ||||
x &= ~p->x; | x &= ~p->x; | ||||
bprintf(bp, "%s%s", comma,p->s); | bprintf(bp, "%s%s", comma,p->s); | ||||
comma = ","; | comma = ","; | ||||
} | } | ||||
bprint_uint_arg(bp, " ", c->conn_limit); | bprint_uint_arg(bp, " ", c->conn_limit); | ||||
bprintf(bp, " %s", | bprintf(bp, " :%s", | ||||
object_search_ctlv(fo->tstate, cmd->arg1, | object_search_ctlv(fo->tstate, cmd->arg1, | ||||
IPFW_TLV_STATE_NAME)); | IPFW_TLV_STATE_NAME)); | ||||
break; | break; | ||||
} | } | ||||
case O_IP6: | case O_IP6: | ||||
bprintf(bp, " ip6"); | bprintf(bp, " ip6"); | ||||
break; | break; | ||||
▲ Show 20 Lines • Show All 86 Lines • ▼ Show 20 Lines | show_dyn_state(struct cmdline_opts *co, struct format_opts *fo, | ||||
} else if (d->id.addr_type == 6) { | } else if (d->id.addr_type == 6) { | ||||
bprintf(bp, " %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf, | bprintf(bp, " %s %d", inet_ntop(AF_INET6, &d->id.src_ip6, buf, | ||||
sizeof(buf)), d->id.src_port); | sizeof(buf)), d->id.src_port); | ||||
bprintf(bp, " <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, | bprintf(bp, " <-> %s %d", inet_ntop(AF_INET6, &d->id.dst_ip6, | ||||
buf, sizeof(buf)), d->id.dst_port); | buf, sizeof(buf)), d->id.dst_port); | ||||
} else | } else | ||||
bprintf(bp, " UNKNOWN <-> UNKNOWN"); | bprintf(bp, " UNKNOWN <-> UNKNOWN"); | ||||
if (d->kidx != 0) | if (d->kidx != 0) | ||||
bprintf(bp, " %s", object_search_ctlv(fo->tstate, | bprintf(bp, " :%s", object_search_ctlv(fo->tstate, | ||||
d->kidx, IPFW_TLV_STATE_NAME)); | d->kidx, IPFW_TLV_STATE_NAME)); | ||||
} | } | ||||
static int | static int | ||||
do_range_cmd(int cmd, ipfw_range_tlv *rt) | do_range_cmd(int cmd, ipfw_range_tlv *rt) | ||||
{ | { | ||||
ipfw_range_header rh; | ipfw_range_header rh; | ||||
size_t sz; | size_t sz; | ||||
▲ Show 20 Lines • Show All 1,499 Lines • ▼ Show 20 Lines | #define CHECK_ACTLEN CHECK_LENGTH(ablen, action->len) | ||||
i = match_token(rule_actions, *av); | i = match_token(rule_actions, *av); | ||||
av++; | av++; | ||||
action->len = 1; /* default */ | action->len = 1; /* default */ | ||||
CHECK_ACTLEN; | CHECK_ACTLEN; | ||||
switch(i) { | switch(i) { | ||||
case TOK_CHECKSTATE: | case TOK_CHECKSTATE: | ||||
have_state = action; | have_state = action; | ||||
action->opcode = O_CHECK_STATE; | action->opcode = O_CHECK_STATE; | ||||
if (*av == NULL) { | if (*av == NULL || | ||||
match_token(rule_options, *av) == TOK_COMMENT) { | |||||
action->arg1 = pack_object(tstate, | action->arg1 = pack_object(tstate, | ||||
default_state_name, IPFW_TLV_STATE_NAME); | default_state_name, IPFW_TLV_STATE_NAME); | ||||
break; | break; | ||||
} | } | ||||
if (strcmp(*av, "any") == 0) | if (*av[0] == ':') { | ||||
if (strcmp(*av + 1, "any") == 0) | |||||
action->arg1 = 0; | action->arg1 = 0; | ||||
else if ((i = match_token(rule_options, *av)) != -1) { | else if (state_check_name(*av + 1) == 0) | ||||
action->arg1 = pack_object(tstate, | action->arg1 = pack_object(tstate, *av + 1, | ||||
default_state_name, IPFW_TLV_STATE_NAME); | |||||
if (i != TOK_COMMENT) | |||||
warn("Ambiguous state name '%s', '%s'" | |||||
" used instead.\n", *av, | |||||
default_state_name); | |||||
break; | |||||
} else if (state_check_name(*av) == 0) | |||||
action->arg1 = pack_object(tstate, *av, | |||||
IPFW_TLV_STATE_NAME); | IPFW_TLV_STATE_NAME); | ||||
else | else | ||||
errx(EX_DATAERR, "Invalid state name %s", *av); | errx(EX_DATAERR, "Invalid state name %s", | ||||
*av); | |||||
av++; | av++; | ||||
break; | break; | ||||
} | |||||
errx(EX_DATAERR, "Invalid state name %s", *av); | |||||
break; | |||||
case TOK_ACCEPT: | case TOK_ACCEPT: | ||||
action->opcode = O_ACCEPT; | action->opcode = O_ACCEPT; | ||||
break; | break; | ||||
case TOK_DENY: | case TOK_DENY: | ||||
action->opcode = O_DENY; | action->opcode = O_DENY; | ||||
action->arg1 = 0; | action->arg1 = 0; | ||||
▲ Show 20 Lines • Show All 825 Lines • ▼ Show 20 Lines | case TOK_KEEPSTATE: { | ||||
uint16_t uidx; | uint16_t uidx; | ||||
if (open_par) | if (open_par) | ||||
errx(EX_USAGE, "keep-state cannot be part " | errx(EX_USAGE, "keep-state cannot be part " | ||||
"of an or block"); | "of an or block"); | ||||
if (have_state) | if (have_state) | ||||
errx(EX_USAGE, "only one of keep-state " | errx(EX_USAGE, "only one of keep-state " | ||||
"and limit is allowed"); | "and limit is allowed"); | ||||
if (*av == NULL || | if (*av != NULL && *av[0] == ':') { | ||||
(i = match_token(rule_options, *av)) != -1) { | if (state_check_name(*av + 1) != 0) | ||||
if (*av != NULL && i != TOK_COMMENT) | |||||
warn("Ambiguous state name '%s'," | |||||
" '%s' used instead.\n", *av, | |||||
default_state_name); | |||||
uidx = pack_object(tstate, default_state_name, | |||||
IPFW_TLV_STATE_NAME); | |||||
} else { | |||||
if (state_check_name(*av) != 0) | |||||
errx(EX_DATAERR, | errx(EX_DATAERR, | ||||
"Invalid state name %s", *av); | "Invalid state name %s", *av); | ||||
uidx = pack_object(tstate, *av, | uidx = pack_object(tstate, *av + 1, | ||||
IPFW_TLV_STATE_NAME); | IPFW_TLV_STATE_NAME); | ||||
av++; | av++; | ||||
} | } else | ||||
uidx = pack_object(tstate, default_state_name, | |||||
IPFW_TLV_STATE_NAME); | |||||
have_state = cmd; | have_state = cmd; | ||||
fill_cmd(cmd, O_KEEP_STATE, 0, uidx); | fill_cmd(cmd, O_KEEP_STATE, 0, uidx); | ||||
break; | break; | ||||
} | } | ||||
case TOK_LIMIT: { | case TOK_LIMIT: { | ||||
ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; | ipfw_insn_limit *c = (ipfw_insn_limit *)cmd; | ||||
int val; | int val; | ||||
Show All 20 Lines | case TOK_LIMIT: { | ||||
if (c->limit_mask == 0) | if (c->limit_mask == 0) | ||||
errx(EX_USAGE, "limit: missing limit mask"); | errx(EX_USAGE, "limit: missing limit mask"); | ||||
GET_UINT_ARG(c->conn_limit, IPFW_ARG_MIN, IPFW_ARG_MAX, | GET_UINT_ARG(c->conn_limit, IPFW_ARG_MIN, IPFW_ARG_MAX, | ||||
TOK_LIMIT, rule_options); | TOK_LIMIT, rule_options); | ||||
av++; | av++; | ||||
if (*av == NULL || | if (*av != NULL && *av[0] == ':') { | ||||
(i = match_token(rule_options, *av)) != -1) { | if (state_check_name(*av + 1) != 0) | ||||
if (*av != NULL && i != TOK_COMMENT) | |||||
warn("Ambiguous state name '%s'," | |||||
" '%s' used instead.\n", *av, | |||||
default_state_name); | |||||
cmd->arg1 = pack_object(tstate, | |||||
default_state_name, IPFW_TLV_STATE_NAME); | |||||
} else { | |||||
if (state_check_name(*av) != 0) | |||||
errx(EX_DATAERR, | errx(EX_DATAERR, | ||||
"Invalid state name %s", *av); | "Invalid state name %s", *av); | ||||
cmd->arg1 = pack_object(tstate, *av, | cmd->arg1 = pack_object(tstate, *av + 1, | ||||
IPFW_TLV_STATE_NAME); | IPFW_TLV_STATE_NAME); | ||||
av++; | av++; | ||||
} | } else | ||||
cmd->arg1 = pack_object(tstate, | |||||
default_state_name, IPFW_TLV_STATE_NAME); | |||||
break; | break; | ||||
} | } | ||||
case TOK_PROTO: | case TOK_PROTO: | ||||
NEED1("missing protocol"); | NEED1("missing protocol"); | ||||
if (add_proto(cmd, *av, &proto)) { | if (add_proto(cmd, *av, &proto)) { | ||||
av++; | av++; | ||||
} else | } else | ||||
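Review bot: The rejection `errx(EX_DATAERR, "Invalid state name %s", *av);` that follows the `if (*av[0] == ':')` block in the TOK_CHECKSTATE case fires for any token that does not start with ':', so a rule written in the previous bare-name form (`check-state foo`) now fails with a message that does not say what is required; `errx(EX_DATAERR, "state name must be prefixed with ':' (got %s)", *av);` would tell the user how to fix the rule. The TOK_KEEPSTATE and TOK_LIMIT cases treat the same input differently: a bare name after `keep-state` or after the limit count no longer satisfies `*av[0] == ':'`, so the `} else` branch packs `default_state_name` silently and the bare word is left for the option parser, which deserves at least a comment on those branches such as `/* a token without a ':' prefix is an option, not a state name */`. The enclosing function and its switch start and end outside the hunk, so I could not confirm what the option parser reports for that leftover token.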