IPFWCMP(8) BSD System Manager's Manual IPFWCMP(8)

NAME
ipfwcmp - compile a BSD IP Filter

SYNOPSIS
ipfwcmp [-cpS] [-s] [-o output] file
DESCRIPTION
The ipfwcmp utility compiles the BSD IP Filter program stored in file. If
output is specified by the -o option, the resulting bpf machine code is
written into the file named output. If not specified, the machine code is
written to file.filter (after stripping any .ipfw suffix from file).
If the -s flag is specified, the output written is bpf assembly code (see
ipfwasm(8)). In this case, if the -o flag is not specified, the output
is written to standard output. If -s is not specified, the ipfwasm(8)
assembler will optimize the program. The optimization may be turned off
by use of the -S option. In addition, the -c option may be specified to
request ipfwasm(8) to try and cache memory loads (may take a long time to
compute). The -p option is also passed to ipfwasm(8) to request a
profile of possible paths to be displayed.
Before compiling the program, ipfwcmp preprocesses the program with
cpp(1). Line comments are introduced by the character sequence // and
extend to the end of the line. C style comments may also be used.
Programs may contain lines of bpf assembly code (see ipfwasm(8)).
Because of this, ipfwcmp may be used to assemble BSD IP Filter assembly
programs as well as compile BSD IP Filter programs.
A BSD IP Filter program must follow the following BNF:
program
: statement ... list of statements
statement
: asm-statement any statement accepted by ipfwasm(8)
: break; break out of the current case
must be the last statement of a case if the case
does not end with a rejection or acceptance of
the packet
: deny; reject the packet. The synonym reject may be
used in place of deny in all forms.
: deny [number]; reject the packet and report up to number bytes
of the packet to the user level daemon (see
ipfwlog(8)) If number is 0, report the entire
packet.
: deny [number : user-defined];
Same as above with the addition that the specified
user-defined bits are also returned to the
user level daemon.
: next; Continue on with the next filter in the chain,
or reject the packet if this is the last filter
in the chain.
: permit; accept the packet for normal processing. The synonym
accept may be used in place of permit in
all forms.
: permit [number]; accept the packet for normal processing, and report
up to number bytes of the packet to the user
level daemon (see ipfwlog(8)). If number is
0, report the entire packet.
: permit [number : user-defined];
Same as above with the addition that the specified
user-defined bits are also returned to the
user level daemon.
: return; Return from a call or rate filter with the value
stored in the A register.
: return [value]; Return from a call or rate filter with value.
: implicit deny; If the end of the filter is reached, reject the
packet
: implicit deny [number];
If the end of the filter is reached, reject the
packet and report up to number bytes of the
packet to the user level daemon (see
ipfwlog(8)). If number is 0, report the entire
packet.
: implicit next; If the end of the filter is reached go on to the
next filter in the chain or reject the packet if
this is the last filter in the chain.
: implicit deny [number : user-defined];
Same as above with the addition that the specified
user-defined bits are also returned to the
user level daemon.
: implicit permit; If the end of the filter is reached, accept the
packet (the default)
: implicit permit [number];
If the end of the filter is reached, accept the
packet (the default) and report up to number
bytes of the packet to the user level daemon
(see ipfwlog(8)). If number is 0, report the
entire packet.
: implicit permit [number : user-defined];
Same as above with the addition that the specified
user-defined bits are also returned to the
user level daemon.
: chain (tag);
Chain to the filter from the call chain with the
specified tag.
: conditional { program }
execute program if conditional evaluates as true
: conditional { program } else { program }
execute the first program if conditional evaluates
as true else execute the second program
: filter identifier { program }
store program as a filter with the name of
identifier for later use by bind
: bind identifier; use the filter previously defined with the name
of identifier
statements following a bind will not be reached
: block { case conditional : program [case conditional : ...]
[default : program] }
execute program associated with first true case
if no case evaluates true execute program asso-
ciated with default
: switch conditional { case range : program [case range : ...]
[default : program] }
execute program associated with the first case
which is in range
if no case is in range execute program associated
with default
a case with no program falls through to the next
case with a program
range may not contain a list of ranges (i.e.,
range1 , range2)
conditional
: ! conditional
: NOT conditional reverse meanings of true and false for
conditional
note that ! binds tighter than either || or &&.
: (conditional) grouping of conditionals
: conditional || conditional
: conditional OR conditional
true if either conditional is true
: conditional && conditional
: conditional AND conditional
true if both conditionals are true
note that && binds tighter than ||.
: accumulator (range)
evaluate as true if the contents of the
accumulator (A) is within range
provided for use with embedded bpf assembly
instructions
: broadcast evaluate as true if this packet is a broadcast
packet
: call (tag)
: call (tag : number)
Call filter with the specified tag from the call
list. Evaluate as true if the IPFW_ACCEPT bit
is set in the return value from the filter. If
number is specified then it is passed to the
filter as filter specific data.
: chksrc evaluate as true if the input interface and the
return interface are the same.
: data [number] (range)
evaluate as true if the byte located number
bytes into the packet is within range
: data [number:size] (range)
evaluate as true if the word of size (1, 2 or 4)
bytes located number bytes into the packet is
within range
the data will be retrieved from the packet in
host byte order
: decapsulated evaluate as true if this packet was decapsulated
from a tunnel, only useful for input and
pre-input filters.
: dstaddr (range) evaluate as true if the destination ip address
is within range
: dstport (range) evaluate as true if the destination port is
within range (should only be used on tcp and udp
packets)
: established evaluate as true if this (tcp) packet is part of
an established connection (either the ACK or RST
bit is set)
: forwarding evaluate as true if this packet is being
forwarded
: icmpcode (range) evaluate as true if the icmp code is within
range (should only be used on icmp packets)
: icmptype (range) evaluate as true if the icmp type is within
range (should only be used on icmp packets)
: direction interface (ifacelist)
evaluate as true if the direction interface is
specified in ifacelist
: ipdata [number] (range)
evaluate as true if the byte located number
bytes into the ip data section of the packet is
within range
: ipdata [number:size] (range)
evaluate as true if the word of size (1, 2 or 4)
bytes located number bytes into the ip data
section of the packet is within range
the data will be retrieved from the packet in
host byte order
: ipdontfrag evaluate as true if the don't fragment bit is
set
: ipfirstfrag evaluate as true if this is the first fragment
of a fragmented packet
: ipfrag evaluate as true if this is a fragment of a
packet
: iphlen (range) evaluate as true if the ip header length is
within range
: ipmorefrag evaluate as true if more fragments are to follow
: ipoffset (range) evaluate as true if the ip version number is
within range
: ipprotocol (range)
evaluate as true if the ip protocol is within
range
: ip-protocol evaluate as true if this packet is of the specified
ip protocol
: ipv4 evaluate as true if this is an IP version 4
packet
: ipv6 evaluate as true if this is an IP version 6
packet
: ipversion (range)
evaluate as true if the ip version number is
within range
: packetlength (range)
evaluate as true if the overall packet length is
within range
: preheader (range)
evaluate as true if the number of bytes in front
of this IP header is within range. This will
only be non-zero for packets which have been
decapsulated and is only useful for input and
pre-input filters.
: srcaddr (range) evaluate as true if the source ip address is
within range
: srcport (range) evaluate as true if the source port is within
range (should only be used on tcp and udp
packets)
: tcpflags (range) evaluate as true if any of the specified flags
are set (should only be used on tcp packets)
: toobig evaluate as true if this fragment would cause
the packet to be larger than 65535 bytes.
range
: number evaluate as true if the value is equal to the
specified number
: number - number evaluate as true if the value is between the
specified numbers, inclusive
: number / number evaluate as true if the value matches the first
number using a netmask of the second number of
bits
dotted quads are treated as networks (a la KA9Q)
rather than IP addresses
this implies 127.1 is 127.0.0.1 while 127.1/24
is 127.1.0.0 & 0xffffff00
: number & number evaluate as true if the value anded with the
second number equals the first number
: < number evaluate as true if the value is less than
number
: <= number evaluate as true if the value is less than or
equal to number
: > number evaluate as true if the value is greater than
number
: >= number evaluate as true if the value is greater than or
equal to number
: range , range a series of ranges, any of which may be matched
to evaluate as true
number
: decimal-number a series of digits starting with 1-9
: octal-number a series of digits ([0-7]) starting with 0
: hexadecimal-number
a series of digits ([0-9a-f]) starting with 0x
: dotted-quad an ip address in dotted quad format
: service (name/proto)
port number returned by getservbyname(3) by
looking up name with proto in the /etc/services
file
: hostname (name) the ip address associated with name
: tcp-flag One of the following tcp flags: ack, fin, push,
rst, syn, urg
: ip-protocol One of the following IP protocols: ah, dstopts,
egp, encap, eon, esp, fragment, ggp, icmp,
icmpv6, idp, igmp, ip, ipip, none, pup, routing,
tcp, tp, udp
: icmp-type One of the following ICMP message types: echo,
echoreply, ireq, ireqreply, maskreply, maskreq,
paramprob, redirect, routeradvert,
routersolicit, sourcequench, timxceed, tstamp,
tstampreply, unreach
: icmp-code One of the following ICMP message sub-codes:
paramprob_optabsent, redirect_host,
redirect_net, redirect_toshost, redirect_tosnet,
timxceed_intrans, timxceed_reass, unreach_host,
unreach_host_prohib, unreach_host_unknown,
unreach_isolated, unreach_needfrag, unreach_net,
unreach_net_prohib, unreach_net_unknown,
unreach_port, unreach_protocol, unreach_srcfail,
unreach_toshost, unreach_tosnet
direction
: input the index of the interface this packet came in
on
: output the index of the interface this packet is going
out on
: return the index of the interface to which we would
return this packet
ifacelist
: interface-name the name of a network interface (e.g., ef0)
: ifacelist , ifacelist
a list of interfaces that can be matched
identifier
one or more characters, optionally enclosed in double quotes (")
the identifier must begin with an alphabetic character or an
underscore (_)
the following characters may also include digits (0-9), dashes (-),
at signs (@), slashes (/) and dots (.)
if not enclosed in quotes the identifier must not match any
keywords
user-defined
: userN [...] User defined value N in the range of 0 - 255,
inclusive.
: userbtN [...] User defined bit N in the range of 0 - 7,
inclusive.
SEE ALSO
cpp(1), ipfw(8), ipfwasm(8), ipfwdis(8), ipfwlog(8)

June 12, 1997