2 * Copyright (c) 2014 - 2018 The DragonFly Project. All rights reserved.
4 * This code is derived from software contributed to The DragonFly Project
5 * by Bill Yuan <bycn82@dragonflybsd.org>
7 * Copyright (c) 2002 Luigi Rizzo
8 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
9 * Copyright (c) 1994 Ugen J.S.Antsilevich
11 * Idea and grammar partially left from:
12 * Copyright (c) 1993 Daniel Boulet
15 * Redistribution and use in source forms, with and without modification,
16 * are permitted provided that this entire comment appears intact.
18 * Redistribution in binary form may occur without any restrictions.
19 * Obviously, it would be nice if you gave credit where credit is due
20 * but requiring it would be too onerous.
22 * This software is provided ``AS IS'' without any warranties of any kind.
26 #include <sys/param.h>
28 #include <sys/socket.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
34 #include <arpa/inet.h>
52 #include <netinet/in.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/ip.h>
55 #include <netinet/ip_icmp.h>
56 #include <netinet/tcp.h>
58 #include <net/if_dl.h>
59 #include <net/route.h>
60 #include <net/ethernet.h>
63 #include <net/ipfw3/ip_fw3.h>
64 #include <net/ipfw3_basic/ip_fw3_table.h>
65 #include <net/ipfw3_basic/ip_fw3_state.h>
66 #include <net/ipfw3_basic/ip_fw3_sync.h>
67 #include <net/ipfw3_basic/ip_fw3_basic.h>
68 #include <net/ipfw3_nat/ip_fw3_nat.h>
69 #include <net/dummynet3/ip_dummynet3.h>
72 #include "ipfw3basic.h"
75 #include "ipfw3table.h"
76 #include "ipfw3dummynet.h"
77 #include "ipfw3state.h"
78 #include "ipfw3sync.h"
82 #define WHITESP " \t\f\v\n\r"
83 #define IPFW3_LIB_PATH "/usr/lib/libipfw3%s.so"
85 int fw3_socket = -1; /* main RAW socket */
86 int do_acct, /* Show packet/byte count */
87 do_time, /* Show time stamps */
88 do_quiet = 1, /* Be quiet , default is quiet*/
89 do_force, /* Don't ask for confirmation */
90 do_pipe, /* this cmd refers to a pipe */
91 do_nat, /* Nat configuration. */
92 do_sort, /* field to sort results (0 = no) */
93 do_expired, /* display expired dynamic rules */
94 do_compact, /* show rules in compact mode */
95 show_sets, /* display rule sets */
98 struct ipfw3_keyword keywords[KEYWORD_SIZE];
99 struct ipfw3_mapping mappings[MAPPING_SIZE];
102 match_token(struct char_int_map *table, char *string)
105 if (strcmp(table->key, string) == 0) {
114 module_get(char *modules_str, int len)
116 if (do_get_x(IP_FW_MODULE, modules_str, &len) < 0)
117 errx(EX_USAGE, "ipfw3 not loaded.");
121 module_list(int ac, char *av[])
123 void *module_str = NULL;
125 if ((module_str = realloc(module_str, len)) == NULL)
126 err(EX_OSERR, "realloc");
128 module_get(module_str, len);
129 printf("%s\n", (char *)module_str);
136 init_module mod_init_func;
138 char module_lib_file[50];
139 void *module_str = NULL;
142 if ((module_str = realloc(module_str, len)) == NULL)
143 err(EX_OSERR, "realloc");
145 module_get(module_str, len);
147 const char s[2] = ",";
149 token = strtok(module_str, s);
150 while (token != NULL) {
151 sprintf(module_lib_file, IPFW3_LIB_PATH, token);
152 token = strtok(NULL, s);
153 module_lib = dlopen(module_lib_file, RTLD_LAZY);
155 fprintf(stderr, "Couldn't open %s: %s\n",
156 module_lib_file, dlerror());
159 mod_init_func = dlsym(module_lib, "load_module");
160 if ((error = dlerror()))
162 fprintf(stderr, "Couldn't find init function: %s\n", error);
165 (*mod_init_func)((register_func)register_ipfw_func,
166 (register_keyword)register_ipfw_keyword);
171 register_ipfw_keyword(int module, int opcode, char *word, int type)
173 struct ipfw3_keyword *tmp;
177 if (tmp->type == NONE) {
178 strcpy(tmp->word, word);
179 tmp->module = module;
180 tmp->opcode = opcode;
184 if (strcmp(tmp->word, word) == 0)
185 errx(EX_USAGE, "keyword `%s' exists", word);
193 register_ipfw_func(int module, int opcode, parser_func parser, shower_func shower)
195 struct ipfw3_mapping *tmp;
199 if (tmp->type == NONE) {
200 tmp->module = module;
201 tmp->opcode = opcode;
202 tmp->parser = parser;
203 tmp->shower = shower;
207 if (tmp->opcode == opcode && tmp->module == module) {
208 errx(EX_USAGE, "func `%d' of module `%d' exists",
219 * this func need to check whether 'or' need to be printed,
220 * when the filter is the first filter with 'or' when dont print
221 * when not first and same as previous, then print or and no filter name
222 * when not first but different from previous, print name without 'or'
223 * show_or = 1: show or and ignore filter name
224 * show_or = 0: show filter name ignore or
226 void prev_show_chk(ipfw_insn *cmd, uint8_t *prev_module, uint8_t *prev_opcode,
229 if (cmd->len & F_OR) {
230 if (*prev_module == 0 && *prev_opcode == 0) {
231 /* first cmd with 'or' flag */
233 *prev_module = cmd->module;
234 *prev_opcode = cmd->opcode;
235 } else if (cmd->module == *prev_module &&
236 cmd->opcode == *prev_opcode) {
237 /* cmd same as previous, same module and opcode */
240 /* cmd different from prev*/
242 *prev_module = cmd->module;
243 *prev_opcode = cmd->opcode;
254 * word can be: proto from to other
258 * other show all other filters
260 int show_filter(ipfw_insn *cmd, char *word, int type)
262 struct ipfw3_keyword *k;
263 struct ipfw3_mapping *m;
266 uint8_t prev_module, prev_opcode;
270 for (i = 1; i < KEYWORD_SIZE; i++, k++) {
271 if (k->type == type) {
272 if (k->module == cmd->module &&
273 k->opcode == cmd->opcode) {
274 for (j = 1; j < MAPPING_SIZE; j++, m++) {
275 if (m->type == IN_USE &&
276 k->module == m->module &&
277 k->opcode == m->opcode) {
278 prev_show_chk(cmd, &prev_module,
279 &prev_opcode, &show_or);
280 if (cmd->len & F_NOT)
297 fprintf(stderr, "usage: ipfw3 [options]\n"
298 " ipfw3 add [rulenum] [set id] action filters\n"
299 " ipfw3 delete [rulenum]\n"
301 " ipfw3 list [rulenum]\n"
302 " ipfw3 show [rulenum]\n"
303 " ipfw3 zero [rulenum]\n"
304 " ipfw3 set [show|enable|disable]\n"
306 " ipfw3 [enable|disable]\n"
307 " ipfw3 log [reset|off|on]\n"
308 " ipfw3 nat [config|show|delete]\n"
309 " ipfw3 pipe [config|show|delete]\n"
310 " ipfw3 state [add|delete|list|show]\n"
311 " ipfw3 nat [config|show]\n"
312 "\nsee ipfw3 manpage for details\n");
317 rule_delete(int ac, char *av[])
323 while (ac && isdigit(**av)) {
325 error = do_set_x(IP_FW_DEL, &rulenum, sizeof(int));
327 err(EX_OSERR, "do_get_x(IP_FW_DEL)");
334 * helper function, updates the pointer to cmd with the length
335 * of the current command, and also cleans up the first word of
336 * the new command in case it has been clobbered before.
339 next_cmd(ipfw_insn *cmd)
342 bzero(cmd, sizeof(*cmd));
347 * Parse arguments and assemble the microinstructions which make up a rule.
348 * Rules are added into the 'rulebuf' and then copied in the correct order
349 * into the actual rule.
354 rule_add(int ac, char *av[], uint8_t insert)
357 * rules are added into the 'rulebuf' and then copied in
358 * the correct order into the actual rule.
359 * Some things that need to go out of order (prob, action etc.)
362 static uint32_t rulebuf[IPFW_RULE_SIZE_MAX];
363 static uint32_t actbuf[IPFW_RULE_SIZE_MAX];
364 static uint32_t othbuf[IPFW_RULE_SIZE_MAX];
365 static uint32_t cmdbuf[IPFW_RULE_SIZE_MAX];
367 ipfw_insn *src, *dst, *cmd, *action, *other;
370 ipfw_insn *the_comment = NULL;
371 struct ipfw_ioc_rule *rule;
372 struct ipfw3_keyword *key;
373 struct ipfw3_mapping *map;
377 bzero(actbuf, sizeof(actbuf)); /* actions go here */
378 bzero(othbuf, sizeof(actbuf)); /* others */
379 bzero(cmdbuf, sizeof(cmdbuf)); /* filters */
380 bzero(rulebuf, sizeof(rulebuf));
382 rule = (struct ipfw_ioc_rule *)rulebuf;
383 cmd = (ipfw_insn *)cmdbuf;
384 action = (ipfw_insn *)actbuf;
385 other = (ipfw_insn *)othbuf;
387 rule->insert = insert;
389 NEED2("need more parameters");
392 /* [rule N] -- Rule number optional */
393 if (ac && isdigit(**av)) {
394 rule->rulenum = atoi(*av);
398 /* [set N] -- set number (0..30), optional */
399 if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
400 int set = strtoul(av[1], NULL, 10);
401 if (set < 0 || set > 30)
402 errx(EX_DATAERR, "illegal set %s", av[1]);
411 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
412 if (key->type == BEFORE &&
413 strcmp(key->word, *av) == 0) {
414 for (j = 0, map = mappings;
415 j < MAPPING_SIZE; j++, map++) {
416 if (map->type == IN_USE &&
417 map->module == key->module &&
418 map->opcode == key->opcode ) {
420 (*fn)(&other, &ac, &av);
427 if (i >= KEYWORD_SIZE) {
429 } else if (F_LEN(other) > 0) {
430 if (other->module == MODULE_BASIC_ID &&
431 other->opcode == O_BASIC_CHECK_STATE) {
432 other = next_cmd(other);
435 other = next_cmd(other);
442 * only accept 1 action
444 NEED1("missing action");
445 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
446 if (ac > 0 && key->type == ACTION &&
447 strcmp(key->word, *av) == 0) {
448 for (j = 0, map = mappings;
449 j < MAPPING_SIZE; j++, map++) {
450 if (map->type == IN_USE &&
451 map->module == key->module &&
452 map->opcode == key->opcode) {
454 (*fn)(&action, &ac, &av);
461 if (F_LEN(action) > 0)
462 action = next_cmd(action);
467 if (strcmp(*av, "proto") == 0){
471 NEED1("missing protocol");
472 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
473 if (key->type == PROTO &&
474 strcmp(key->word, "proto") == 0) {
475 for (j = 0, map = mappings;
476 j < MAPPING_SIZE; j++, map++) {
477 if (map->type == IN_USE &&
478 map->module == key->module &&
479 map->opcode == key->opcode ) {
481 (*fn)(&cmd, &ac, &av);
495 char *s, *cur; /* current filter */
496 ipfw_insn_u32 *cmd32; /* alias for cmd */
499 cmd32 = (ipfw_insn_u32 *)cmd;
500 if (strcmp(*av, "or") == 0) {
502 errx(EX_USAGE, "'or' should"
503 "between two filters\n");
508 if (strcmp(*av, "not") == 0) {
509 if (cmd->len & F_NOT)
510 errx(EX_USAGE, "double \"not\" not allowed\n");
516 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
517 if ((key->type == FILTER ||
518 key->type == AFTER ||
521 strcmp(key->word, cur) == 0) {
522 for (j = 0, map = mappings;
523 j< MAPPING_SIZE; j++, map++) {
524 if (map->type == IN_USE &&
525 map->module == key->module &&
526 map->opcode == key->opcode ) {
528 (*fn)(&cmd, &ac, &av);
533 } else if (i == KEYWORD_SIZE - 1) {
534 errx(EX_USAGE, "bad command `%s'", cur);
537 if (i >= KEYWORD_SIZE) {
539 } else if (F_LEN(cmd) > 0) {
548 errx(EX_USAGE, "bad command `%s'", *av);
551 * Now copy stuff into the rule.
552 * [filters][others][action][comment]
554 dst = (ipfw_insn *)rule->cmd;
556 * copy all filters, except comment
558 src = (ipfw_insn *)cmdbuf;
559 for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
560 /* pick comment out */
562 if (src->module == MODULE_BASIC_ID &&
563 src->opcode == O_BASIC_COMMENT) {
566 bcopy(src, dst, i * sizeof(u_int32_t));
567 dst = (ipfw_insn *)((uint32_t *)dst + i);
572 * start action section, it begin with others
574 rule->act_ofs = (uint32_t *)dst - (uint32_t *)(rule->cmd);
577 * copy all other others
579 for (src = (ipfw_insn *)othbuf; src != other; src += i) {
581 bcopy(src, dst, i * sizeof(u_int32_t));
582 dst = (ipfw_insn *)((uint32_t *)dst + i);
585 /* copy the action to the end of rule */
586 src = (ipfw_insn *)actbuf;
588 bcopy(src, dst, i * sizeof(u_int32_t));
589 dst = (ipfw_insn *)((uint32_t *)dst + i);
592 * comment place behind the action
594 if (the_comment != NULL) {
595 i = F_LEN(the_comment);
596 bcopy(the_comment, dst, i * sizeof(u_int32_t));
597 dst = (ipfw_insn *)((uint32_t *)dst + i);
600 rule->cmd_len = (u_int32_t *)dst - (u_int32_t *)(rule->cmd);
601 i = (void *)dst - (void *)rule;
602 if (do_set_x(IP_FW_ADD, (void *)rule, i) == -1) {
603 err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
606 rule_show(rule, 10, 10);
610 rule_zero(int ac, char *av[])
618 /* clear all entries */
619 if (do_set_x(IP_FW_ZERO, NULL, 0) < 0)
620 err(EX_UNAVAILABLE, "do_set_x(IP_FW_ZERO)");
622 printf("Accounting cleared.\n");
631 if (do_set_x(IP_FW_ZERO, &rulenum, sizeof rulenum)) {
632 warn("rule %u: do_set_x(IP_FW_ZERO)", rulenum);
633 failed = EX_UNAVAILABLE;
634 } else if (!do_quiet)
635 printf("Entry %d cleared\n", rulenum);
637 errx(EX_USAGE, "invalid rule number ``%s''", *av);
647 int cmd = IP_FW_FLUSH;
649 cmd = IP_DUMMYNET_FLUSH;
654 printf("Are you sure? [yn] ");
657 c = toupper(getc(stdin));
658 while (c != '\n' && getc(stdin) != '\n')
660 return; /* and do not flush */
661 } while (c != 'Y' && c != 'N');
662 if (c == 'N') /* user said no */
665 if (do_set_x(cmd, NULL, 0) < 0 ) {
667 errx(EX_USAGE, "pipe/queue in use");
669 errx(EX_USAGE, "do_set_x(IP_FW_FLUSH) failed");
672 printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
677 rule_list(int ac, char *av[])
679 struct ipfw_ioc_rule *rule;
682 int bcwidth, nbytes, pcwidth, width;
684 int the_rule_num = 0;
689 /* get rules or pipes from kernel, resizing array as necessary */
692 while (nbytes >= nalloc) {
693 nalloc = nalloc * 2 ;
695 if ((data = realloc(data, nbytes)) == NULL)
696 err(EX_OSERR, "realloc");
697 if (do_get_x(IP_FW_GET, data, &nbytes) < 0)
698 err(EX_OSERR, "do_get_x(IP_FW_GET)");
702 * Count static rules.
705 bcwidth = pcwidth = 0;
708 for (rule = data; rule != NULL; rule = (void *)rule + IOC_RULESIZE(rule)) {
710 width = snprintf(NULL, 0, "%ju", (uintmax_t)rule->pcnt);
715 width = snprintf(NULL, 0, "%ju", (uintmax_t)rule->bcnt);
719 total_len += IOC_RULESIZE(rule);
720 if (total_len == nbytes) {
728 the_rule_num = atoi(*av);
732 for (rule = data; rule != NULL; rule = (void *)rule + IOC_RULESIZE(rule)) {
733 if(the_rule_num == 0 || rule->rulenum == the_rule_num) {
734 rule_show(rule, pcwidth, bcwidth);
736 total_len += IOC_RULESIZE(rule);
737 if (total_len == nbytes) {
745 rule_show(struct ipfw_ioc_rule *rule, int pcwidth, int bcwidth)
747 static int twidth = 0;
751 u_int32_t set_disable = rule->sets;
753 if (set_disable & (1 << rule->set)) { /* disabled */
757 printf("# DISABLED ");
760 printf("%u", rule->rulenum);
762 printf("%05u", rule->rulenum);
767 printf(" %ju %ju", (uintmax_t)rule->pcnt,
768 (uintmax_t)rule->bcnt);
770 printf(" %*ju %*ju", pcwidth, (uintmax_t)rule->pcnt,
771 bcwidth, (uintmax_t)rule->bcnt);
779 strcpy(timestr, ctime((time_t *)&twidth));
780 *strchr(timestr, '\n') = '\0';
781 twidth = strlen(timestr);
783 if (rule->timestamp) {
784 time_t t = _long_to_time(rule->timestamp);
786 strcpy(timestr, ctime(&t));
787 *strchr(timestr, '\n') = '\0';
788 printf(" %s", timestr);
790 printf(" %*s", twidth, " ");
792 } else if (do_time == 2) {
793 printf( " %10u", rule->timestamp);
797 printf(" set %d", rule->set);
800 struct ipfw3_keyword *k;
801 struct ipfw3_mapping *m;
802 shower_func fn, comment_fn = NULL;
803 ipfw_insn *comment_cmd;
807 * show others and actions
809 for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
810 l > 0; l -= F_LEN(cmd),
811 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
814 for (i = 1; i< KEYWORD_SIZE; i++, k++) {
815 if ( k->module == cmd->module && k->opcode == cmd->opcode ) {
816 for (j = 1; j< MAPPING_SIZE; j++, m++) {
817 if (m->type == IN_USE &&
818 m->module == cmd->module &&
819 m->opcode == cmd->opcode) {
820 if (cmd->module == MODULE_BASIC_ID &&
821 cmd->opcode == O_BASIC_COMMENT) {
822 comment_fn = m->shower;
828 if (cmd->module == MODULE_BASIC_ID &&
830 O_BASIC_CHECK_STATE) {
845 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
846 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
847 changed = show_filter(cmd, "proto", PROTO);
849 if (!changed && !do_quiet)
856 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
857 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
858 changed = show_filter(cmd, "from", FROM);
860 if (!changed && !do_quiet)
867 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
868 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
869 changed = show_filter(cmd, "to", TO);
871 if (!changed && !do_quiet)
881 show_filter(cmd, "other", FILTER);
883 cmd=(ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd));
886 /* show the comment in the end */
887 if (comment_fn != NULL) {
888 (*comment_fn)(comment_cmd, 0);
895 * do_set_x - extended version og do_set
896 * insert a x_header in the beginning of the rule buf
897 * and call setsockopt() with IP_FW_X.
900 do_set_x(int optname, void *rule, int optlen)
902 int len, *newbuf, retval;
903 ip_fw_x_header *x_header;
906 err(EX_UNAVAILABLE, "socket not avaialble");
908 len = optlen + sizeof(ip_fw_x_header);
909 newbuf = malloc(len);
911 err(EX_OSERR, "malloc newbuf in do_set_x");
914 x_header = (ip_fw_x_header *)newbuf;
915 x_header->opcode = optname;
916 /* copy the rule into the newbuf, just after the x_header*/
917 bcopy(rule, ++x_header, optlen);
918 retval = setsockopt(fw3_socket, IPPROTO_IP, IP_FW_X, newbuf, len);
927 do_get_x(int optname, void *rule, int *optlen)
929 int len, *newbuf, retval;
930 ip_fw_x_header *x_header;
933 err(EX_UNAVAILABLE, "socket not avaialble");
935 len = *optlen + sizeof(ip_fw_x_header);
936 newbuf = malloc(len);
938 err(EX_OSERR, "malloc newbuf in do_get_x");
941 x_header = (ip_fw_x_header *)newbuf;
942 x_header->opcode = optname;
943 /* copy the rule into the newbuf, just after the x_header*/
944 bcopy(rule, ++x_header, *optlen);
945 retval = getsockopt(fw3_socket, IPPROTO_IP, IP_FW_X, newbuf, &len);
946 bcopy(newbuf, rule, len);
953 ipfw3_main(int ac, char **av)
960 /* Set the force flag for non-interactive processes */
961 do_force = !isatty(STDIN_FILENO);
963 optind = optreset = 1;
964 while ((ch = getopt(ac, av, "hs:acefStTv")) != -1)
968 break; /* NOTREACHED */
971 do_sort = atoi(optarg);
1004 NEED1("bad arguments, for usage summary ``ipfw3''");
1007 * optional: pipe or queue or nat
1011 if (!strncmp(*av, "nat", strlen(*av)))
1013 else if (!strncmp(*av, "pipe", strlen(*av))) {
1015 } else if (!strncmp(*av, "queue", strlen(*av))) {
1018 NEED1("missing command");
1021 * for pipes and queues and nat we normally say 'pipe NN config'
1022 * but the code is easier to parse as 'pipe config NN'
1023 * so we swap the two arguments.
1025 if ((do_pipe || do_nat) && ac > 2 && isdigit(*(av[1]))) {
1031 if (!strncmp(*av, "add", strlen(*av))) {
1033 rule_add(ac, av, 0);
1034 } else if (!strncmp(*av, "insert", strlen(*av))) {
1036 rule_add(ac, av, 1);
1037 } else if (!strncmp(*av, "delete", strlen(*av))) {
1038 rule_delete(ac, av);
1039 } else if (!strncmp(*av, "flush", strlen(*av))) {
1041 } else if (!strncmp(*av, "list", strlen(*av))) {
1044 } else if (!strncmp(*av, "show", strlen(*av))) {
1048 } else if (!strncmp(*av, "zero", strlen(*av))) {
1050 } else if (!strncmp(*av, "set", strlen(*av))) {
1052 } else if (!strncmp(*av, "module", strlen(*av))) {
1054 if (!strncmp(*av, "list", strlen(*av))) {
1055 module_list(ac, av);
1057 errx(EX_USAGE, "bad ipfw3 module command `%s'", *av);
1059 } else if (!strncmp(*av, "log", strlen(*av))) {
1062 } else if (!strncmp(*av, "nat", strlen(*av))) {
1065 } else if (!strncmp(*av, "pipe", strlen(*av)) ||
1066 !strncmp(*av, "queue", strlen(*av))) {
1068 dummynet_main(ac, av);
1069 } else if (!strncmp(*av, "state", strlen(*av))) {
1072 } else if (!strncmp(*av, "table", strlen(*av))) {
1073 if (ac > 2 && isdigit(*(av[1]))) {
1080 } else if (!strncmp(*av, "sync", strlen(*av))) {
1084 errx(EX_USAGE, "bad ipfw3 command `%s'", *av);
1090 ipfw3_readfile(int ac, char *av[])
1093 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1095 int i=0, lineno=0, qflag=0, pflag=0, status;
1100 while ((c = getopt(ac, av, "D:U:p:q")) != -1) {
1104 errx(EX_USAGE, "-D requires -p");
1105 if (i > MAX_ARGS - 2)
1106 errx(EX_USAGE, "too many -D or -U options");
1113 errx(EX_USAGE, "-U requires -p");
1114 if (i > MAX_ARGS - 2)
1115 errx(EX_USAGE, "too many -D or -U options");
1132 errx(EX_USAGE, "bad arguments, for usage"
1133 " summary ``ipfw''");
1140 errx(EX_USAGE, "extraneous filename arguments");
1142 if ((f = fopen(av[0], "r")) == NULL)
1143 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1146 /* pipe through preprocessor (cpp or m4) */
1151 if (pipe(pipedes) == -1)
1152 err(EX_OSERR, "cannot create pipe");
1154 switch ((preproc = fork())) {
1156 err(EX_OSERR, "cannot fork");
1160 if (dup2(fileno(f), 0) == -1 ||
1161 dup2(pipedes[1], 1) == -1) {
1162 err(EX_OSERR, "dup2()");
1168 err(EX_OSERR, "execvp(%s) failed", cmd);
1174 if ((f = fdopen(pipedes[0], "r")) == NULL) {
1175 int savederrno = errno;
1177 kill(preproc, SIGTERM);
1179 err(EX_OSERR, "fdopen()");
1184 while (fgets(buf, BUFSIZ, f)) {
1186 sprintf(linename, "Line %d", lineno);
1191 if ((p = strchr(buf, '#')) != NULL)
1196 for (a = strtok(buf, WHITESP); a && i < MAX_ARGS;
1197 a = strtok(NULL, WHITESP), i++) {
1201 if (i == (qflag? 2: 1))
1204 errx(EX_USAGE, "%s: too many arguments", linename);
1207 ipfw3_main(i, args);
1211 if (waitpid(preproc, &status, 0) == -1)
1212 errx(EX_OSERR, "waitpid()");
1213 if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
1214 errx(EX_UNAVAILABLE, "preprocessor exited with status %d",
1215 WEXITSTATUS(status));
1216 else if (WIFSIGNALED(status))
1217 errx(EX_UNAVAILABLE, "preprocessor exited with signal %d",
1223 main(int ac, char *av[])
1225 fw3_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
1227 err(EX_UNAVAILABLE, "socket");
1229 memset(keywords, 0, LEN_FW3_KEYWORD * KEYWORD_SIZE);
1230 memset(mappings, 0, LEN_FW3_MAPPING * MAPPING_SIZE);
1232 prepare_default_funcs();
1234 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
1235 ipfw3_readfile(ac, av);