From owner-freebsd-current Thu Jan 16 10:31:02 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id KAA04884 for current-outgoing; Thu, 16 Jan 1997 10:31:02 -0800 (PST)
Received: from veda.is (ubiq.veda.is [193.4.230.60]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id KAA04878 for ; Thu, 16 Jan 1997 10:30:56 -0800 (PST)
Received: (from adam@localhost) by veda.is (8.8.4/8.7.3) id SAA20186; Thu, 16 Jan 1997 18:38:37 GMT
From: Adam David
Message-Id: <199701161838.SAA20186@veda.is>
Subject: Re: ipfw patches to test
In-Reply-To: <19970116164447.5406.qmail@suburbia.net> from "proff@suburbia.net" at "Jan 17, 97 03:44:47 am"
To: proff@suburbia.net
Date: Thu, 16 Jan 1997 18:38:35 +0000 (GMT)
Cc: phk@critter.DK.tfs.COM, freebsd-current@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL30 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

[I wrote earlier]
> > I would much prefer the following syntax:
> >
> > ipfw add deny from !192.168.23.0/30 to 140.145.230.0/24
> >
> > and I am convinced that it would be a simpler modification to the code.

I have reviewed my previous musings and these patches, and have merged my patches with Poul-Henning's to give the patches included below. The issues of user syntax and the internal representation and manipulation of the data are of course entirely separate. Concerning the flow of control in the ipfw module, which of the two versions is actually more streamlined? I think mine has less repetition and more symmetry, but is it any faster in the real world?

> I wouldn't. I would prefer a "not from". Shell symbols should
> be avoided in the ipfw grammar, which is designed to be
> human readable in English.
>
> Cheers,
> Julian

It would be a simple matter to revise these patches to use "from [not] " instead of "from [!]". Purists would complain that "from !192.168.23.0" is ugly syntax anyway, just as I strongly dislike "!from 192.168.23.0".

--- sbin/ipfw/ipfw.c.old Thu Jan 16 16:51:23 1997 +++ sbin/ipfw/ipfw.c Thu Jan 16 17:24:01 1997 @@ -162,7 +162,7 @@ else printf("%u", chain->fw_prot); - printf(" from "); + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "!" : ""); adrt=ntohl(chain->fw_smsk.s_addr); if (adrt==ULONG_MAX && do_resolv) { 
@@ -202,7 +202,7 @@ } } - printf(" to "); + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "!" : ""); adrt=ntohl(chain->fw_dmsk.s_addr); if (adrt==ULONG_MAX && do_resolv) { @@ -685,6 +685,9 @@ if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; } else show_usage("missing ``from''\n"); + if (!ac) show_usage("Missing arguments\n"); + + if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVSRC; } fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av); if (ac && isdigit(**av)) { @@ -699,6 +702,7 @@ if (!ac) show_usage("Missing arguments\n"); + if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVDST; } fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av); if (ac && isdigit(**av)) { --- sys/netinet/ip_fw.c.old Thu Jan 16 15:31:25 1997 +++ sys/netinet/ip_fw.c Thu Jan 16 16:40:33 1997 @@ -320,11 +320,13 @@ continue; /* If src-addr doesn't match, not this rule. */ - if ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr) + if ((f->fw_flg & IP_FW_F_INVSRC) != 0 + ^ (src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr) continue; /* If dest-addr doesn't match, not this rule. */ - if ((dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr) + if ((f->fw_flg & IP_FW_F_INVDST) != 0 + ^ (dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr) continue; /* If a i/f name was specified, and we don't know */ --- sys/netinet/ip_fw.h.old Thu Jan 16 16:06:13 1997 +++ sys/netinet/ip_fw.h Thu Jan 16 16:14:20 1997 @@ -64,6 +64,8 @@ /* * Values for "flags" field . */ +#define IP_FW_F_INVSRC 0x0001 /* Invert sense of src check */ +#define IP_FW_F_INVDST 0x0002 /* Invert sense of dst check */ #define IP_FW_F_IN 0x0004 /* Inbound */ #define IP_FW_F_OUT 0x0008 /* Outbound */ -- Adam David
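Review bot: In the sbin/ipfw/ipfw.c display hunks at @@ -162 and @@ -202, the printed `!` prefix and the `!` accepted by the parser hunks at @@ -685 and @@ -699 must stay in lockstep so that `ipfw list` output round-trips back through `ipfw add`; if the "from not" spelling discussed in the mail is adopted, change both sides in the same patch, and add the new syntax to the ipfw man page, which no hunk here touches.

Review bot: In the sbin/ipfw/ipfw.c hunks at @@ -685 and @@ -699, the new bit is set on `rule.fw_flag`, whereas the display hunks read `chain->fw_flg` and the sys/netinet/ip_fw.c hunk reads `f->fw_flg`; check which member name `struct ip_fw` actually has, since the add path and the display/kernel paths disagree and one of them will not compile as written.

Review bot: In the @@ -685 hunk, a bare `!` token (for example `from ! 192.168.23.0/30` typed with a space) passes the new `if (!ac)` check, and `++*av` then leaves `*av` pointing at an empty string that is handed to `fill_ip`; either reject `(*av)[1] == '\0'` with `show_usage` before advancing, or confirm that `fill_ip` fails cleanly on an empty argument. The same applies to the @@ -699 hunk for the destination.

Review bot: In the sys/netinet/ip_fw.c hunk at @@ -320, the two new conditions rely on `^` binding more loosely than `!=`, so they do evaluate as `(flag set) XOR (address mismatch)` and the inverted match is correct; wrap each operand in parentheses anyway, e.g. `((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)`, so the intent does not depend on the reader recalling C precedence and the expression survives later edits.

Review bot: In the sys/netinet/ip_fw.h hunk at @@ -64, 0x0001 and 0x0002 sit below the existing IP_FW_F_IN 0x0004 and IP_FW_F_OUT 0x0008, so they do not collide with the flags visible in the context; no hunk changes the kernel's rule-add validation, though, so confirm that path accepts rules carrying the new bits rather than rejecting them as unknown flags.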