Date: Thu, 16 Jan 1997 18:38:35 +0000 (GMT) From: Adam David <adam@veda.is> To: proff@suburbia.net Cc: phk@critter.DK.tfs.COM, freebsd-current@freebsd.org Subject: Re: ipfw patches to test Message-ID: <199701161838.SAA20186@veda.is> In-Reply-To: <19970116164447.5406.qmail@suburbia.net> from "proff@suburbia.net" at "Jan 17, 97 03:44:47 am"
next in thread | previous in thread | raw e-mail | index | archive | help
[I wrote earlier]
> > I would much prefer the following syntax:
> >
> > ipfw add deny from !192.168.23.0/30 to 140.145.230.0/24
> >
> > and I am convinced that it would be a simpler modification to the code.
I have reviewed my previous musings and these patches, and have merged my
patches with Poul-Henning's to give the patches included below. The issues
of user syntax and the internal representation and manipulation of the data
are of course entirely separate.
Concerning the flow of control in the ipfw module, which of the two versions
is actually more streamlined? I think mine has less repetition and more
symmetry, but is it any faster in the real world?
> I wouldn't. I would prefer a "not from". Shell symbols should
> be avoided in the ipfw grammer, which is designed to be
> human readable in english.
>
> Cheers,
> Julian <proff@iq.org>
It would be a simple matter to revise these patches to use "from [not] "
instead of "from [!]". Purists would complain that "from !192.168.23.0" is
ugly syntax anyway, just as I strongly dislike "!from 192.168.23.0".
--- sbin/ipfw/ipfw.c.old Thu Jan 16 16:51:23 1997
+++ sbin/ipfw/ipfw.c Thu Jan 16 17:24:01 1997
@@ -162,7 +162,7 @@
else
printf("%u", chain->fw_prot);
- printf(" from ");
+ printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "!" : "");
adrt=ntohl(chain->fw_smsk.s_addr);
if (adrt==ULONG_MAX && do_resolv) {
@@ -202,7 +202,7 @@
}
}
- printf(" to ");
+ printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "!" : "");
adrt=ntohl(chain->fw_dmsk.s_addr);
if (adrt==ULONG_MAX && do_resolv) {
@@ -685,6 +685,9 @@
if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
else show_usage("missing ``from''\n");
+ if (!ac) show_usage("Missing arguments\n");
+
+ if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVSRC; }
fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
if (ac && isdigit(**av)) {
@@ -699,6 +702,7 @@
if (!ac) show_usage("Missing arguments\n");
+ if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVDST; }
fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
if (ac && isdigit(**av)) {
--- sys/netinet/ip_fw.c.old Thu Jan 16 15:31:25 1997
+++ sys/netinet/ip_fw.c Thu Jan 16 16:40:33 1997
@@ -320,11 +320,13 @@
continue;
/* If src-addr doesn't match, not this rule. */
- if ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)
+ if ((f->fw_flg & IP_FW_F_INVSRC) != 0
+ ^ (src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)
continue;
/* If dest-addr doesn't match, not this rule. */
- if ((dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)
+ if ((f->fw_flg & IP_FW_F_INVDST) != 0
+ ^ (dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)
continue;
/* If a i/f name was specified, and we don't know */
--- sys/netinet/ip_fw.h.old Thu Jan 16 16:06:13 1997
+++ sys/netinet/ip_fw.h Thu Jan 16 16:14:20 1997
@@ -64,6 +64,8 @@
/*
* Values for "flags" field .
*/
+#define IP_FW_F_INVSRC 0x0001 /* Invert sense of src check */
+#define IP_FW_F_INVDST 0x0002 /* Invert sense of dst check */
#define IP_FW_F_IN 0x0004 /* Inbound */
#define IP_FW_F_OUT 0x0008 /* Outbound */
--
Adam David <adam@veda.is>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199701161838.SAA20186>