2 * Copyright (c) 2014 - 2018 The DragonFly Project. All rights reserved.
4 * This code is derived from software contributed to The DragonFly Project
5 * by Bill Yuan <bycn82@dragonflybsd.org>
7 * Copyright (c) 2002 Luigi Rizzo
8 * Copyright (c) 1996 Alex Nash, Paul Traina, Poul-Henning Kamp
9 * Copyright (c) 1994 Ugen J.S.Antsilevich
11 * Idea and grammar partially left from:
12 * Copyright (c) 1993 Daniel Boulet
15 * Redistribution and use in source forms, with and without modification,
16 * are permitted provided that this entire comment appears intact.
18 * Redistribution in binary form may occur without any restrictions.
19 * Obviously, it would be nice if you gave credit where credit is due
20 * but requiring it would be too onerous.
22 * This software is provided ``AS IS'' without any warranties of any kind.
26 #include <sys/param.h>
28 #include <sys/socket.h>
29 #include <sys/sockio.h>
30 #include <sys/sysctl.h>
34 #include <arpa/inet.h>
52 #include <netinet/in.h>
53 #include <netinet/in_systm.h>
54 #include <netinet/ip.h>
55 #include <netinet/ip_icmp.h>
56 #include <netinet/tcp.h>
58 #include <net/if_dl.h>
59 #include <net/route.h>
60 #include <net/ethernet.h>
63 #include <net/ipfw3/ip_fw3.h>
64 #include <net/ipfw3_basic/ip_fw3_table.h>
65 #include <net/ipfw3_basic/ip_fw3_state.h>
66 #include <net/ipfw3_basic/ip_fw3_sync.h>
67 #include <net/ipfw3_basic/ip_fw3_basic.h>
68 #include <net/ipfw3_nat/ip_fw3_nat.h>
69 #include <net/dummynet3/ip_dummynet3.h>
72 #include "ipfw3basic.h"
75 #include "ipfw3table.h"
76 #include "ipfw3dummynet.h"
77 #include "ipfw3state.h"
78 #include "ipfw3sync.h"
/* Separator set passed to strtok() when a rules-file line is split into words. */
82 #define WHITESP " \t\f\v\n\r"
/*
 * printf-style template for a module's shared object. The %s receives a
 * module name and the result is handed to dlopen(). The fixed text around
 * the name is 20 bytes long, which matters for the 50-byte buffer the
 * path is formatted into.
 */
83 #define IPFW3_LIB_PATH "/usr/lib/libipfw3%s.so"
85 int fw3_socket = -1; /* main RAW socket */
86 int do_acct, /* Show packet/byte count */
87 do_time, /* Show time stamps */
88 do_quiet = 1, /* Be quiet; quiet is the default */
89 do_force, /* Don't ask for confirmation */
90 do_pipe, /* this cmd refers to a pipe */
91 do_nat, /* Nat configuration. */
92 do_sort, /* field to sort results (0 = no) */
93 do_expired, /* display expired dynamic rules */
94 do_compact, /* show rules in compact mode */
95 show_sets, /* display rule sets */
/*
 * Keyword and keyword-to-handler tables. rule_add() and rule_show() scan
 * them to find the parser or shower callback for a module/opcode pair.
 */
98 struct ipfw3_keyword keywords[KEYWORD_SIZE];
99 struct ipfw3_mapping mappings[MAPPING_SIZE];
/*
 * Look `string` up in a char_int_map table by exact strcmp() comparison
 * with an entry's key. How the table is walked and what is returned on a
 * match or a miss are in lines not shown in this listing.
 */
102 match_token(struct char_int_map *table, char *string)
105 if (strcmp(table->key, string) == 0) {
/*
 * Fetch the module list into modules_str (capacity `len` bytes) through
 * do_get_x(IP_FW_MODULE). Exits with EX_USAGE when the call fails.
 *
 * NOTE(review): callers print the result with %s and run strtok() over it,
 * but nothing visible here guarantees a NUL within `len` bytes. Confirm
 * the kernel side terminates the string.
 */
114 module_get(char *modules_str, int len)
116 if (do_get_x(IP_FW_MODULE, modules_str, &len) < 0)
117 errx(EX_USAGE, "ipfw3 not loaded.");
/*
 * Print the module list: allocate a buffer, fill it through module_get()
 * and print it as a C string. ac/av are not used in the visible lines.
 */
121 module_list(int ac, char *av[])
123 void *module_str = NULL;
/* module_str is still NULL in the visible lines, so realloc() acts as a plain allocation. */
125 if ((module_str = realloc(module_str, len)) == NULL)
126 err(EX_OSERR, "realloc");
128 module_get(module_str, len);
/* Printed with %s: relies on the buffer holding a NUL terminator (TODO confirm). */
129 printf("%s\n", (char *)module_str);
/*
 * Fragment of the module loader (its signature is not part of this
 * listing): fetches the comma-separated module list, builds a library
 * path for each name, dlopen()s it and calls the library's "load_module"
 * entry point with the two registration callbacks.
 */
136 init_module mod_init_func;
/* Fixed-size path buffer; the sprintf() below is what fills it. */
138 char module_lib_file[50];
139 void *module_str = NULL;
142 if ((module_str = realloc(module_str, len)) == NULL)
143 err(EX_OSERR, "realloc");
145 module_get(module_str, len);
147 const char s[2] = ",";
149 token = strtok(module_str, s);
150 while (token != NULL) {
/*
 * NOTE(review): sprintf() is unbounded. IPFW3_LIB_PATH adds 20 bytes
 * around the name, so a token longer than 29 bytes overruns
 * module_lib_file[50]. snprintf(module_lib_file, sizeof(module_lib_file),
 * IPFW3_LIB_PATH, token) plus a truncation check would bound the write.
 * The token also becomes part of the dlopen() path without validation in
 * the visible lines; it originates from module_get(), so confirm that
 * source can only return plain module names.
 */
151 sprintf(module_lib_file, IPFW3_LIB_PATH, token);
/* strtok() is advanced before loading; module_lib_file already holds this name. */
152 token = strtok(NULL, s);
/* Code in the opened library runs inside this process, with its privileges. */
153 module_lib = dlopen(module_lib_file, RTLD_LAZY);
155 fprintf(stderr, "Couldn't open %s: %s\n",
156 module_lib_file, dlerror());
159 mod_init_func = dlsym(module_lib, "load_module");
/* dlerror() after dlsym() is how a missing symbol is detected. */
160 if ((error = dlerror()))
162 fprintf(stderr, "Couldn't find init function: %s\n", error);
/* Hand the module the two registration callbacks defined in this file. */
165 (*mod_init_func)((register_func)register_ipfw_func,
166 (register_keyword)register_ipfw_keyword);
/*
 * Register a keyword. The visible lines store word/module/opcode in an
 * entry whose type is NONE, and exit with EX_USAGE when an entry already
 * carries the same word. The table walk and the use of `type` are in
 * lines not shown in this listing.
 */
171 register_ipfw_keyword(int module, int opcode, char *word, int type)
173 struct ipfw3_keyword *tmp;
177 if (tmp->type == NONE) {
/*
 * NOTE(review): strcpy() does not bound the copy. The size of
 * ipfw3_keyword.word is declared elsewhere. Confirm every keyword a
 * module can register fits, or switch to a length-checked copy.
 */
178 strcpy(tmp->word, word);
179 tmp->module = module;
180 tmp->opcode = opcode;
/* A second registration of the same word is treated as fatal. */
184 if (strcmp(tmp->word, word) == 0)
185 errx(EX_USAGE, "keyword `%s' exists", word);
/*
 * Register the parser and shower callbacks for a module/opcode pair. The
 * visible lines fill an entry whose type is NONE and exit with EX_USAGE
 * when the pair is already present. The table walk and the update of the
 * entry's type are in lines not shown in this listing.
 */
193 register_ipfw_func(int module, int opcode, parser_func parser, shower_func shower)
195 struct ipfw3_mapping *tmp;
199 if (tmp->type == NONE) {
200 tmp->module = module;
201 tmp->opcode = opcode;
202 tmp->parser = parser;
203 tmp->shower = shower;
/* Duplicate module/opcode registration is fatal. */
207 if (tmp->opcode == opcode && tmp->module == module) {
208 errx(EX_USAGE, "func `%d' of module `%d' exists",
219 * This function decides whether 'or' needs to be printed:
220 * when the filter is the first filter with 'or', don't print 'or';
221 * when not first and same as previous, print 'or' and no filter name;
222 * when not first but different from previous, print the name without 'or'.
223 * show_or = 1: show 'or' and ignore the filter name
224 * show_or = 0: show the filter name and ignore 'or'
/*
 * Track the module/opcode of the previous instruction that carried F_OR,
 * through the caller-owned *prev_module and *prev_opcode. The remaining
 * parameter and the assignments made in each branch are in lines not
 * shown in this listing.
 */
226 void prev_show_chk(ipfw_insn *cmd, uint8_t *prev_module, uint8_t *prev_opcode,
229 if (cmd->len & F_OR) {
/* Both trackers at zero is the "nothing seen yet" state. */
230 if (*prev_module == 0 && *prev_opcode == 0) {
231 /* first cmd with 'or' flag */
233 *prev_module = cmd->module;
234 *prev_opcode = cmd->opcode;
235 } else if (cmd->module == *prev_module &&
236 cmd->opcode == *prev_opcode) {
237 /* cmd same as previous, same module and opcode */
240 /* cmd different from prev*/
242 *prev_module = cmd->module;
243 *prev_opcode = cmd->opcode;
254 * word can be: proto from to other
258 * other show all other filters
/*
 * Show one instruction when a registered keyword of the requested `type`
 * matches its module/opcode and an IN_USE mapping exists for that pair.
 * F_OR is handled through prev_show_chk() and F_NOT is tested afterwards.
 * The printing calls and the return value are in lines not shown.
 */
260 int show_filter(ipfw_insn *cmd, char *word, int type)
262 struct ipfw3_keyword *k;
263 struct ipfw3_mapping *m;
/*
 * NOTE(review): prev_show_chk() reads these through the pointers it is
 * given; their initialisation is not visible in this listing (confirm).
 */
266 uint8_t prev_module, prev_opcode;
270 for (i = 1; i < KEYWORD_SIZE; i++, k++) {
271 if (k->type == type) {
272 if (k->module == cmd->module &&
273 k->opcode == cmd->opcode) {
274 for (j = 1; j < MAPPING_SIZE; j++, m++) {
275 if (m->type == IN_USE &&
276 k->module == m->module &&
277 k->opcode == m->opcode) {
278 prev_show_chk(cmd, &prev_module,
279 &prev_opcode, &show_or);
280 if (cmd->len & F_NOT)
/*
 * Usage summary written to stderr (the enclosing function's signature is
 * not part of this listing). The "nat" line appears twice in the text.
 */
297 fprintf(stderr, "usage: ipfw3 [options]\n"
298 " ipfw3 add [rulenum] [set id] action filters\n"
299 " ipfw3 delete [rulenum]\n"
301 " ipfw3 list [rulenum]\n"
302 " ipfw3 show [rulenum]\n"
303 " ipfw3 zero [rulenum]\n"
304 " ipfw3 set [show|enable|disable]\n"
306 " ipfw3 [enable|disable]\n"
307 " ipfw3 log [reset|off|on]\n"
308 " ipfw3 nat [config|show|delete]\n"
309 " ipfw3 pipe [config|show|delete]\n"
310 " ipfw3 state [add|delete|list|show]\n"
311 " ipfw3 nat [config|show]\n"
312 "\nsee ipfw3 manpage for details\n");
/*
 * Delete rules by number: while arguments start with a digit, send the
 * rule number to the kernel with do_set_x(IP_FW_DEL). How rulenum is
 * parsed from the argument is in lines not shown.
 */
317 rule_delete(int ac, char *av[])
/* NOTE(review): isdigit() is given a plain char; cast to unsigned char so bytes >= 0x80 stay defined. */
323 while (ac && isdigit(**av)) {
325 error = do_set_x(IP_FW_DEL, &rulenum, sizeof(int));
/* The message names do_get_x, but the call that failed is do_set_x. */
327 err(EX_OSERR, "do_get_x(IP_FW_DEL)");
334 * helper function, updates the pointer to cmd with the length
335 * of the current command, and also cleans up the first word of
336 * the new command in case it has been clobbered before.
/*
 * Step to the next instruction slot and zero one ipfw_insn there, so a
 * stale first word cannot be mistaken for parsed data. The pointer
 * advance and the return statement are in lines not shown.
 */
339 next_cmd(ipfw_insn *cmd)
342 bzero(cmd, sizeof(*cmd));
347 * Parse arguments and assemble the microinstructions which make up a rule.
348 * Rules are added into the 'rulebuf' and then copied in the correct order
349 * into the actual rule.
/*
 * Build one rule from the command-line words and submit it with
 * do_set_x(IP_FW_ADD). Filters, "other" instructions and the action are
 * assembled in separate static buffers by the registered parser
 * callbacks, then copied into rulebuf in the order
 * [filters][others][action][comment].
 *
 * NOTE(review): the four buffers are fixed at IPFW_RULE_SIZE_MAX words and
 * the callbacks advance cmd/action/other through them. No bounds check on
 * those pointers, or on dst while copying, is visible in this listing.
 * Confirm that an over-long argument list cannot write past a buffer.
 */
354 rule_add(int ac, char *av[])
357 * rules are added into the 'rulebuf' and then copied in
358 * the correct order into the actual rule.
359 * Some things that need to go out of order (prob, action etc.)
362 static uint32_t rulebuf[IPFW_RULE_SIZE_MAX];
363 static uint32_t actbuf[IPFW_RULE_SIZE_MAX];
364 static uint32_t othbuf[IPFW_RULE_SIZE_MAX];
365 static uint32_t cmdbuf[IPFW_RULE_SIZE_MAX];
367 ipfw_insn *src, *dst, *cmd, *action, *other;
370 ipfw_insn *the_comment = NULL;
371 struct ipfw_ioc_rule *rule;
372 struct ipfw3_keyword *key;
373 struct ipfw3_mapping *map;
/* The buffers are static, so they are cleared on every call. */
377 bzero(actbuf, sizeof(actbuf)); /* actions go here */
/* Uses sizeof(actbuf) for othbuf; both arrays have the same declared size, so the count matches. */
378 bzero(othbuf, sizeof(actbuf)); /* others */
379 bzero(cmdbuf, sizeof(cmdbuf)); /* filters */
380 bzero(rulebuf, sizeof(rulebuf));
382 rule = (struct ipfw_ioc_rule *)rulebuf;
383 cmd = (ipfw_insn *)cmdbuf;
384 action = (ipfw_insn *)actbuf;
385 other = (ipfw_insn *)othbuf;
387 NEED2("need more parameters");
390 /* [rule N] -- Rule number optional */
/* atoi() reports no errors: trailing text after the digits is ignored and overflow is not detected. */
391 if (ac && isdigit(**av)) {
392 rule->rulenum = atoi(*av);
396 /* [set N] -- set number (0..30), optional */
/*
 * strncmp() with strlen(*av) is a prefix match: "s", "se" and "set" all
 * match, and an empty argument matches as well.
 */
397 if (ac > 1 && !strncmp(*av, "set", strlen(*av))) {
/*
 * NOTE(review): strtoul() is called without an end pointer, so text with
 * no digits converts to 0 and is accepted as set 0. The unsigned result
 * is narrowed to int before the range check.
 */
398 int set = strtoul(av[1], NULL, 10);
399 if (set < 0 || set > 30)
400 errx(EX_DATAERR, "illegal set %s", av[1]);
/* Keywords of type BEFORE: find the mapping and let its parser fill `other`. */
409 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
410 if (key->type == BEFORE &&
411 strcmp(key->word, *av) == 0) {
412 for (j = 0, map = mappings;
413 j < MAPPING_SIZE; j++, map++) {
414 if (map->type == IN_USE &&
415 map->module == key->module &&
416 map->opcode == key->opcode ) {
418 (*fn)(&other, &ac, &av);
425 if (i >= KEYWORD_SIZE) {
427 } else if (F_LEN(other) > 0) {
428 if (other->module == MODULE_BASIC_ID &&
429 other->opcode == O_BASIC_CHECK_STATE) {
430 other = next_cmd(other);
433 other = next_cmd(other);
440 * only accept 1 action
442 NEED1("missing action");
443 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
444 if (ac > 0 && key->type == ACTION &&
445 strcmp(key->word, *av) == 0) {
446 for (j = 0, map = mappings;
447 j < MAPPING_SIZE; j++, map++) {
448 if (map->type == IN_USE &&
449 map->module == key->module &&
450 map->opcode == key->opcode) {
452 (*fn)(&action, &ac, &av);
459 if (F_LEN(action) > 0)
460 action = next_cmd(action);
465 if (strcmp(*av, "proto") == 0){
469 NEED1("missing protocol");
470 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
471 if (key->type == PROTO &&
472 strcmp(key->word, "proto") == 0) {
473 for (j = 0, map = mappings;
474 j < MAPPING_SIZE; j++, map++) {
475 if (map->type == IN_USE &&
476 map->module == key->module &&
477 map->opcode == key->opcode ) {
479 (*fn)(&cmd, &ac, &av);
493 char *s, *cur; /* current filter */
494 ipfw_insn_u32 *cmd32; /* alias for cmd */
497 cmd32 = (ipfw_insn_u32 *)cmd;
498 if (strcmp(*av, "or") == 0) {
/* The two adjacent literals concatenate without a space: "'or' shouldbetween two filters". */
500 errx(EX_USAGE, "'or' should"
501 "between two filters\n");
506 if (strcmp(*av, "not") == 0) {
507 if (cmd->len & F_NOT)
508 errx(EX_USAGE, "double \"not\" not allowed\n");
514 for (i = 0, key = keywords; i < KEYWORD_SIZE; i++, key++) {
515 if ((key->type == FILTER ||
516 key->type == AFTER ||
519 strcmp(key->word, cur) == 0) {
520 for (j = 0, map = mappings;
521 j< MAPPING_SIZE; j++, map++) {
522 if (map->type == IN_USE &&
523 map->module == key->module &&
524 map->opcode == key->opcode ) {
526 (*fn)(&cmd, &ac, &av);
531 } else if (i == KEYWORD_SIZE - 1) {
532 errx(EX_USAGE, "bad command `%s'", cur);
535 if (i >= KEYWORD_SIZE) {
537 } else if (F_LEN(cmd) > 0) {
546 errx(EX_USAGE, "bad command `%s'", *av);
549 * Now copy stuff into the rule.
550 * [filters][others][action][comment]
552 dst = (ipfw_insn *)rule->cmd;
554 * copy all filters, except comment
556 src = (ipfw_insn *)cmdbuf;
557 for (src = (ipfw_insn *)cmdbuf; src != cmd; src += i) {
558 /* pick comment out */
560 if (src->module == MODULE_BASIC_ID &&
561 src->opcode == O_BASIC_COMMENT) {
/* i counts 32-bit words here, hence the multiplication and the uint32_t pointer step. */
564 bcopy(src, dst, i * sizeof(u_int32_t));
565 dst = (ipfw_insn *)((uint32_t *)dst + i);
570 * start action section, it begin with others
/* act_ofs is the offset, in 32-bit words, from rule->cmd to the first non-filter instruction. */
572 rule->act_ofs = (uint32_t *)dst - (uint32_t *)(rule->cmd);
575 * copy all other others
577 for (src = (ipfw_insn *)othbuf; src != other; src += i) {
579 bcopy(src, dst, i * sizeof(u_int32_t));
580 dst = (ipfw_insn *)((uint32_t *)dst + i);
583 /* copy the action to the end of rule */
584 src = (ipfw_insn *)actbuf;
586 bcopy(src, dst, i * sizeof(u_int32_t));
587 dst = (ipfw_insn *)((uint32_t *)dst + i);
590 * comment place behind the action
592 if (the_comment != NULL) {
593 i = F_LEN(the_comment);
594 bcopy(the_comment, dst, i * sizeof(u_int32_t));
595 dst = (ipfw_insn *)((uint32_t *)dst + i);
598 rule->cmd_len = (u_int32_t *)dst - (u_int32_t *)(rule->cmd);
/* Total rule size in bytes; arithmetic on void * is a compiler extension. */
599 i = (void *)dst - (void *)rule;
/* The message says getsockopt, but do_set_x() issues setsockopt(). */
600 if (do_set_x(IP_FW_ADD, (void *)rule, i) == -1) {
601 err(EX_UNAVAILABLE, "getsockopt(%s)", "IP_FW_ADD");
604 rule_show(rule, 10, 10);
/*
 * Reset accounting through IP_FW_ZERO: one branch clears all entries, the
 * other clears a single rule number and records EX_UNAVAILABLE in
 * `failed` when that call fails. Argument parsing is in lines not shown.
 */
608 rule_zero(int ac, char *av[])
616 /* clear all entries */
/* A NULL buffer with length 0 means "no payload" to do_set_x(). */
617 if (do_set_x(IP_FW_ZERO, NULL, 0) < 0)
618 err(EX_UNAVAILABLE, "do_set_x(IP_FW_ZERO)");
620 printf("Accounting cleared.\n");
/* A per-rule failure is a warning, not an exit; only the failure code is remembered. */
629 if (do_set_x(IP_FW_ZERO, &rulenum, sizeof rulenum)) {
630 warn("rule %u: do_set_x(IP_FW_ZERO)", rulenum);
631 failed = EX_UNAVAILABLE;
632 } else if (!do_quiet)
633 printf("Entry %d cleared\n", rulenum);
635 errx(EX_USAGE, "invalid rule number ``%s''", *av);
/*
 * Fragment of the flush command (its signature is not part of this
 * listing): picks IP_FW_FLUSH or IP_DUMMYNET_FLUSH, asks for a y/n
 * confirmation on stdin and issues the flush through do_set_x().
 *
 * NOTE(review): the condition that skips the prompt is not shown.
 * ipfw3_main() sets do_force whenever stdin is not a terminal, so a
 * non-interactive run presumably flushes without asking (verify).
 */
645 int cmd = IP_FW_FLUSH;
647 cmd = IP_DUMMYNET_FLUSH;
652 printf("Are you sure? [yn] ");
655 c = toupper(getc(stdin));
/* Discard the rest of the input line before looking at the answer. */
656 while (c != '\n' && getc(stdin) != '\n')
658 return; /* and do not flush */
659 } while (c != 'Y' && c != 'N');
660 if (c == 'N') /* user said no */
663 if (do_set_x(cmd, NULL, 0) < 0 ) {
665 errx(EX_USAGE, "pipe/queue in use");
667 errx(EX_USAGE, "do_set_x(IP_FW_FLUSH) failed");
670 printf("Flushed all %s.\n", do_pipe ? "pipes" : "rules");
/*
 * Fetch the rule set with do_get_x(IP_FW_GET), growing the buffer until
 * the reply fits, compute column widths for the packet and byte counters,
 * then print every rule or only the rule number given as an argument.
 */
675 rule_list(int ac, char *av[])
677 struct ipfw_ioc_rule *rule;
680 int bcwidth, nbytes, pcwidth, width;
682 int the_rule_num = 0;
687 /* get rules or pipes from kernel, resizing array as necessary */
/* A reply that fills the whole buffer is treated as "may be truncated": double the size and ask again. */
690 while (nbytes >= nalloc) {
691 nalloc = nalloc * 2 ;
693 if ((data = realloc(data, nbytes)) == NULL)
694 err(EX_OSERR, "realloc");
695 if (do_get_x(IP_FW_GET, data, &nbytes) < 0)
696 err(EX_OSERR, "do_get_x(IP_FW_GET)");
700 * Count static rules.
703 bcwidth = pcwidth = 0;
/*
 * NOTE(review): the walk advances by IOC_RULESIZE(rule), a size taken from
 * the returned data, and the only visible exit is total_len == nbytes.
 * If the sizes never sum to exactly nbytes the pointer runs past the
 * buffer. A total_len >= nbytes test would stop the walk.
 */
706 for (rule = data; rule != NULL; rule = (void *)rule + IOC_RULESIZE(rule)) {
/* snprintf(NULL, 0, ...) only measures how many characters the counter needs. */
708 width = snprintf(NULL, 0, "%ju", (uintmax_t)rule->pcnt);
713 width = snprintf(NULL, 0, "%ju", (uintmax_t)rule->bcnt);
717 total_len += IOC_RULESIZE(rule);
718 if (total_len == nbytes) {
/* atoi() gives 0 for non-numeric text, and 0 means "show every rule" below. */
726 the_rule_num = atoi(*av);
730 for (rule = data; rule != NULL; rule = (void *)rule + IOC_RULESIZE(rule)) {
731 if(the_rule_num == 0 || rule->rulenum == the_rule_num) {
732 rule_show(rule, pcwidth, bcwidth);
734 total_len += IOC_RULESIZE(rule);
735 if (total_len == nbytes) {
/*
 * Print one rule: rule number, optional counters (padded to
 * pcwidth/bcwidth), optional timestamp, set number, then the action
 * section followed by the proto / from / to / other filters, with any
 * comment printed last. Output is selected by flags whose tests are
 * partly in lines not shown.
 */
743 rule_show(struct ipfw_ioc_rule *rule, int pcwidth, int bcwidth)
745 static int twidth = 0;
749 u_int32_t set_disable = rule->sets;
/*
 * rule->set is used as a shift count on an int. The shift is only defined
 * for values below 31; rule_add() limits sets to 0..30 on the way in.
 */
751 if (set_disable & (1 << rule->set)) { /* disabled */
755 printf("# DISABLED ");
758 printf("%u", rule->rulenum);
760 printf("%05u", rule->rulenum);
765 printf(" %ju %ju", (uintmax_t)rule->pcnt,
766 (uintmax_t)rule->bcnt);
768 printf(" %*ju %*ju", pcwidth, (uintmax_t)rule->pcnt,
769 bcwidth, (uintmax_t)rule->bcnt);
/*
 * NOTE(review): twidth is a static int, read here through a time_t
 * pointer. Where time_t is wider than int this reads past the object.
 * ctime() may also return NULL, and the strchr() result below is
 * dereferenced unchecked. The size of timestr is declared in a line not
 * shown.
 */
777 strcpy(timestr, ctime((time_t *)&twidth));
778 *strchr(timestr, '\n') = '\0';
779 twidth = strlen(timestr);
781 if (rule->timestamp) {
782 time_t t = _long_to_time(rule->timestamp);
/* Same pattern as above: the ctime() and strchr() results are used without a NULL check. */
784 strcpy(timestr, ctime(&t));
785 *strchr(timestr, '\n') = '\0';
786 printf(" %s", timestr);
788 printf(" %*s", twidth, " ");
790 } else if (do_time == 2) {
791 printf( " %10u", rule->timestamp);
795 printf(" set %d", rule->set);
798 struct ipfw3_keyword *k;
799 struct ipfw3_mapping *m;
800 shower_func fn, comment_fn = NULL;
801 ipfw_insn *comment_cmd;
805 * show others and actions
/*
 * The instruction walks below step by F_LEN(cmd) words and count `l`
 * down by the same amount. An instruction whose F_LEN() is 0 would make
 * no progress; the lengths come from the rule data being displayed.
 */
807 for (l = rule->cmd_len - rule->act_ofs, cmd = ACTION_PTR(rule);
808 l > 0; l -= F_LEN(cmd),
809 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
812 for (i = 1; i< KEYWORD_SIZE; i++, k++) {
813 if ( k->module == cmd->module && k->opcode == cmd->opcode ) {
814 for (j = 1; j< MAPPING_SIZE; j++, m++) {
815 if (m->type == IN_USE &&
816 m->module == cmd->module &&
817 m->opcode == cmd->opcode) {
/* The comment's shower is only remembered here so it can be called last. */
818 if (cmd->module == MODULE_BASIC_ID &&
819 cmd->opcode == O_BASIC_COMMENT) {
820 comment_fn = m->shower;
826 if (cmd->module == MODULE_BASIC_ID &&
828 O_BASIC_CHECK_STATE) {
/* Three passes over the filter section (the first act_ofs words): proto, then from, then to. */
843 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
844 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
845 changed = show_filter(cmd, "proto", PROTO);
847 if (!changed && !do_quiet)
854 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
855 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
856 changed = show_filter(cmd, "from", FROM);
858 if (!changed && !do_quiet)
865 for (l = rule->act_ofs, cmd = rule->cmd; l > 0; l -= F_LEN(cmd),
866 cmd = (ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd))) {
867 changed = show_filter(cmd, "to", TO);
869 if (!changed && !do_quiet)
879 show_filter(cmd, "other", FILTER);
881 cmd=(ipfw_insn *)((uint32_t *)cmd + F_LEN(cmd));
884 /* show the comment in the end */
885 if (comment_fn != NULL) {
886 (*comment_fn)(comment_cmd, 0);
893 * do_set_x - extended version of do_set
894 * insert a x_header in the beginning of the rule buf
895 * and call setsockopt() with IP_FW_X.
/*
 * do_set_x - send `optlen` bytes at `rule` to the kernel as an IP_FW_X
 * socket option, prefixed with an ip_fw_x_header whose opcode is optname.
 * Callers in this file also pass rule == NULL with optlen == 0 for
 * commands that carry no payload. Cleanup and the return statement are
 * in lines not shown.
 */
898 do_set_x(int optname, void *rule, int optlen)
900 int len, *newbuf, retval;
901 ip_fw_x_header *x_header;
904 err(EX_UNAVAILABLE, "socket not avaialble");
/* NOTE(review): no check that optlen is non-negative, or that the sum fits in an int, is visible here. */
906 len = optlen + sizeof(ip_fw_x_header);
907 newbuf = malloc(len);
909 err(EX_OSERR, "malloc newbuf in do_set_x");
912 x_header = (ip_fw_x_header *)newbuf;
913 x_header->opcode = optname;
914 /* copy the rule into the newbuf, just after the x_header*/
/* ++x_header steps past exactly one header, so the payload lands right behind it. */
915 bcopy(rule, ++x_header, optlen);
916 retval = setsockopt(fw3_socket, IPPROTO_IP, IP_FW_X, newbuf, len);
/*
 * do_get_x - getsockopt() counterpart of do_set_x(): allocates *optlen
 * bytes plus one ip_fw_x_header, stores optname in the header, copies the
 * caller's *optlen bytes behind it, issues getsockopt(IP_FW_X) and copies
 * the reply back into `rule`. The lines after the copy-back are not shown.
 */
925 do_get_x(int optname, void *rule, int *optlen)
927 int len, *newbuf, retval;
928 ip_fw_x_header *x_header;
931 err(EX_UNAVAILABLE, "socket not avaialble");
/* NOTE(review): no check that *optlen is non-negative, or that the sum fits in an int, is visible here. */
933 len = *optlen + sizeof(ip_fw_x_header);
934 newbuf = malloc(len);
936 err(EX_OSERR, "malloc newbuf in do_get_x");
939 x_header = (ip_fw_x_header *)newbuf;
940 x_header->opcode = optname;
941 /* copy the rule into the newbuf, just after the x_header*/
942 bcopy(rule, ++x_header, *optlen);
/* NOTE(review): &len is an int *, while getsockopt() takes a socklen_t *. */
943 retval = getsockopt(fw3_socket, IPPROTO_IP, IP_FW_X, newbuf, &len);
/*
 * NOTE(review): the copy-back follows the call directly, with no test of
 * retval and with len as the byte count. len starts at *optlen +
 * sizeof(ip_fw_x_header), while callers in this file size `rule` as
 * *optlen bytes (module_list, rule_list). Unless the kernel reports a
 * length of at most *optlen, this writes past the caller's buffer, by up
 * to one header on the failure path. Copy only when retval indicates
 * success, and clamp the count to *optlen.
 */
944 bcopy(newbuf, rule, len);
/*
 * Parse the options and dispatch one ipfw3 command to its handler.
 *
 * Command words are matched with strncmp(*av, word, strlen(*av)), i.e. as
 * prefixes. Any abbreviation is accepted, the first branch that matches
 * wins, and an empty argument matches every word. For a tool that edits
 * firewall state, scripts are safer spelling commands out in full.
 */
951 ipfw3_main(int ac, char **av)
958 /* Set the force flag for non-interactive processes */
/* Consequence: confirmation prompts guarded by do_force are skipped when stdin is not a tty. */
959 do_force = !isatty(STDIN_FILENO);
/* Reset getopt() state; ipfw3_readfile() calls this function once per file line. */
961 optind = optreset = 1;
962 while ((ch = getopt(ac, av, "hs:acefStTv")) != -1)
966 break; /* NOTREACHED */
/* atoi() gives 0 for non-numeric text, and 0 means "no sort" per the do_sort declaration. */
969 do_sort = atoi(optarg);
1002 NEED1("bad arguments, for usage summary ``ipfw3''");
1005 * optional: pipe or queue or nat
1009 if (!strncmp(*av, "nat", strlen(*av)))
1011 else if (!strncmp(*av, "pipe", strlen(*av))) {
1013 } else if (!strncmp(*av, "queue", strlen(*av))) {
1016 NEED1("missing command");
1019 * for pipes and queues and nat we normally say 'pipe NN config'
1020 * but the code is easier to parse as 'pipe config NN'
1021 * so we swap the two arguments.
/* NOTE(review): isdigit() on a plain char; cast to unsigned char for bytes >= 0x80. */
1023 if ((do_pipe || do_nat) && ac > 2 && isdigit(*(av[1]))) {
1029 if (!strncmp(*av, "add", strlen(*av))) {
1032 } else if (!strncmp(*av, "delete", strlen(*av))) {
1033 rule_delete(ac, av);
1034 } else if (!strncmp(*av, "flush", strlen(*av))) {
1036 } else if (!strncmp(*av, "list", strlen(*av))) {
1039 } else if (!strncmp(*av, "show", strlen(*av))) {
1043 } else if (!strncmp(*av, "zero", strlen(*av))) {
1045 } else if (!strncmp(*av, "set", strlen(*av))) {
1047 } else if (!strncmp(*av, "module", strlen(*av))) {
1049 if (!strncmp(*av, "list", strlen(*av))) {
1050 module_list(ac, av);
1052 errx(EX_USAGE, "bad ipfw3 module command `%s'", *av);
1054 } else if (!strncmp(*av, "log", strlen(*av))) {
1057 } else if (!strncmp(*av, "nat", strlen(*av))) {
1060 } else if (!strncmp(*av, "pipe", strlen(*av)) ||
1061 !strncmp(*av, "queue", strlen(*av))) {
1063 dummynet_main(ac, av);
1064 } else if (!strncmp(*av, "state", strlen(*av))) {
1067 } else if (!strncmp(*av, "table", strlen(*av))) {
1068 if (ac > 2 && isdigit(*(av[1]))) {
1075 } else if (!strncmp(*av, "sync", strlen(*av))) {
1079 errx(EX_USAGE, "bad ipfw3 command `%s'", *av);
/*
 * Run the commands stored in a file: parse -D/-U/-p/-q, open the file,
 * optionally pipe it through a preprocessor child, then split each line
 * into words and pass them to ipfw3_main(). When a preprocessor was
 * used, its exit status is checked at the end.
 */
1085 ipfw3_readfile(int ac, char *av[])
1088 char *a, *p, *args[MAX_ARGS], *cmd = NULL;
1090 int i=0, lineno=0, qflag=0, pflag=0, status;
1095 while ((c = getopt(ac, av, "D:U:p:q")) != -1) {
1099 errx(EX_USAGE, "-D requires -p");
/* Keeps the preprocessor argument vector inside args[MAX_ARGS]. */
1100 if (i > MAX_ARGS - 2)
1101 errx(EX_USAGE, "too many -D or -U options");
1108 errx(EX_USAGE, "-U requires -p");
1109 if (i > MAX_ARGS - 2)
1110 errx(EX_USAGE, "too many -D or -U options");
1127 errx(EX_USAGE, "bad arguments, for usage"
1128 " summary ``ipfw''");
1135 errx(EX_USAGE, "extraneous filename arguments");
1137 if ((f = fopen(av[0], "r")) == NULL)
1138 err(EX_UNAVAILABLE, "fopen: %s", av[0]);
1141 /* pipe through preprocessor (cpp or m4) */
1146 if (pipe(pipedes) == -1)
1147 err(EX_OSERR, "cannot create pipe");
1149 switch ((preproc = fork())) {
1151 err(EX_OSERR, "cannot fork");
/* Child: the rules file becomes stdin and the pipe's write end becomes stdout. */
1155 if (dup2(fileno(f), 0) == -1 ||
1156 dup2(pipedes[1], 1) == -1) {
1157 err(EX_OSERR, "dup2()");
/*
 * cmd is presumably the program named with -p (its assignment is not
 * shown). It runs with this process's privileges, and whatever it writes
 * is then executed as firewall commands.
 */
1163 err(EX_OSERR, "execvp(%s) failed", cmd);
/* Parent: read the preprocessor's output instead of the file itself. */
1169 if ((f = fdopen(pipedes[0], "r")) == NULL) {
/* errno is saved before kill(), presumably so err() reports the fdopen() failure. */
1170 int savederrno = errno;
1172 kill(preproc, SIGTERM);
1174 err(EX_OSERR, "fdopen()");
/*
 * NOTE(review): fgets() returns at most BUFSIZ - 1 bytes per call, so the
 * tail of a longer line arrives as a separate "line" and would be parsed
 * as its own command unless a check in the lines not shown rejects it.
 */
1179 while (fgets(buf, BUFSIZ, f)) {
/* NOTE(review): unbounded sprintf(); the size of linename is declared in a line not shown. */
1181 sprintf(linename, "Line %d", lineno);
/* Everything from '#' to the end of the line is treated as a comment. */
1186 if ((p = strchr(buf, '#')) != NULL)
1191 for (a = strtok(buf, WHITESP); a && i < MAX_ARGS;
1192 a = strtok(NULL, WHITESP), i++) {
1196 if (i == (qflag? 2: 1))
1199 errx(EX_USAGE, "%s: too many arguments", linename);
1202 ipfw3_main(i, args);
/* errx() is used here, so the errno text of a waitpid() failure is not printed. */
1206 if (waitpid(preproc, &status, 0) == -1)
1207 errx(EX_OSERR, "waitpid()");
/* A failing or killed preprocessor is fatal, but lines already read have been applied by then. */
1208 if (WIFEXITED(status) && WEXITSTATUS(status) != EX_OK)
1209 errx(EX_UNAVAILABLE, "preprocessor exited with status %d",
1210 WEXITSTATUS(status));
1211 else if (WIFSIGNALED(status))
1212 errx(EX_UNAVAILABLE, "preprocessor exited with signal %d",
/*
 * Program entry: opens the raw socket used for every firewall socket
 * option, clears the keyword and mapping tables, calls
 * prepare_default_funcs() (presumably to register the built-in keywords)
 * and, when the last argument is a readable absolute path, treats it as
 * a rules file. The rest of main() is outside this listing.
 */
1218 main(int ac, char *av[])
/* Opening a raw socket needs elevated privileges, so the tool is expected to run privileged. */
1220 fw3_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
1222 err(EX_UNAVAILABLE, "socket");
/*
 * NOTE(review): the byte counts rely on LEN_FW3_KEYWORD / LEN_FW3_MAPPING
 * matching the element sizes (defined elsewhere). sizeof(keywords) and
 * sizeof(mappings) would tie the count to the arrays themselves.
 */
1224 memset(keywords, 0, LEN_FW3_KEYWORD * KEYWORD_SIZE);
1225 memset(mappings, 0, LEN_FW3_MAPPING * MAPPING_SIZE);
1227 prepare_default_funcs();
/*
 * access() checks with the real uid and its answer can be stale by the
 * time ipfw3_readfile() calls fopen(). It only selects file mode here;
 * the fopen() result is what decides whether the file is read.
 */
1229 if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0)
1230 ipfw3_readfile(ac, av);