Date: Sun, 19 May 1996 17:19:44 -0500 (CDT) From: Alex Nash <alex@zen.nash.org> To: FreeBSD-gnats-submit@freebsd.org Cc: phk@freebsd.org Subject: bin/1220: IPFW: configuration utility enhancements Message-ID: <199605192219.RAA01316@zen.nash.org> Resent-Message-ID: <199605192230.PAA29780@freefall.freebsd.org>
>Number: 1220
>Category: bin
>Synopsis: IPFW: configuration utility enhancements
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun May 19 15:30:08 PDT 1996
>Last-Modified:
>Originator: Alex Nash
>Organization:
>Release: FreeBSD 2.1-STABLE i386
>Environment:
FreeBSD 2.1.0-stable or FreeBSD 2.2-current with IPFW changes submitted
in PRs bin/1193 and kern/1192.
>Description:
ipfw.c:
- Allow filtering by ICMP type.
- Added URG tcpflag.
- Print usage if an unknown tcpflag is used.
- Ability to print date/time when the chain entry was last matched.
ipfw.8:
- Documented the -t (time display) option.
- Documented the *presence* of icmptypes.
>How-To-Repeat:
N/A
>Fix:
NOTE:
1. The version numbers shown in the diffs do *not* correspond
to version numbers in the FreeBSD CVS tree.
2. All diffs are applied after the changes made in bin/1193.
Complete sources for kernel and user-level code are available at:
ftp://ftp.fa.tdktca.com/pub/FreeBSD/ipfw
MD5 (ipfw.tar.gz) = f54888e0aa91745f8bb27f35c104e62e
*** ipfw.c 1996/05/18 15:38:41 1.1
--- ipfw.c 1996/05/19 18:28:45 1.4
***************
*** 27,32 ****
--- 27,33 ----
#include <stdlib.h>
#include <netdb.h>
#include <limits.h>
+ #include <time.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <netinet/in.h>
***************
*** 40,45 ****
--- 41,47 ----
int s; /* main RAW socket */
int do_resolv=0; /* Would try to resolv all */
int do_acct=0; /* Show packet/byte count */
+ int do_time=0; /* Show time stamps */
int
mask_bits(m_ad)
***************
*** 77,82 ****
--- 79,98 ----
if (do_acct)
printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
+ if (do_time)
+ {
+ if (chain->timestamp)
+ {
+ char timestr[30];
+
+ strcpy(timestr, ctime((time_t *)&chain->timestamp));
+ *strchr(timestr, '\n') = '\0';
+ printf("%s ", timestr);
+ }
+ else
+ printf(" ");
+ }
+
if (chain->fw_flg & IP_FW_F_ACCEPT)
printf("allow");
else if (chain->fw_flg & IP_FW_F_ICMPRPL)
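Review bot: `ctime((time_t *)&chain->timestamp)` casts the address of a field whose declared type is not visible in this hunk; unless `timestamp` is exactly a `time_t`, ctime reads the wrong width. Copying into a local first, `time_t t = chain->timestamp;` then `ctime(&t)`, removes both the cast and the assumption. The following `*strchr(timestr, '\n') = '\0'` dereferences whatever strchr returns, and ctime itself may return NULL for an unrepresentable time, so `const char *cp = ctime(&t); if (cp == NULL) ...` followed by `char *nl = strchr(timestr, '\n'); if (nl) *nl = '\0';` is the safer shape (or `strftime` on `localtime(&t)`, which never emits the newline). The single-space `printf(" ")` in the else branch was probably column padding collapsed by the archive rendering; if not, it should be widened to the 24 characters ctime prints so the rule columns stay aligned. The enclosing print function starts before this hunk.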
***************
*** 242,247 ****
--- 258,276 ----
if (chain->fw_tcpf & IP_FW_TCPF_URG) PRINTFLG("urg");
if (chain->fw_tcpnf & IP_FW_TCPF_URG) PRINTFLG("!urg");
}
+ if (chain->fw_flg & IP_FW_F_ICMPBIT) {
+ int type_index;
+ int first = 1;
+
+ printf(" icmptype");
+
+ for (type_index = 0; type_index < 256; ++type_index)
+ if (chain->fw_icmptypes[type_index / (sizeof(unsigned) * 8)] &
+ (1U << (type_index % (sizeof(unsigned) * 8)))) {
+ printf("%c%d", first == 1 ? ' ' : ',', type_index);
+ first = 0;
+ }
+ }
printf("\n");
}
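Review bot: The bit-index arithmetic in the `fw_icmptypes` test hardcodes `sizeof(unsigned) * 8` as the word width, while the new fill_icmptypes() later in this patch receives the same array as `u_long *types`; if the element type really is `u_long`, the two differ on any platform where long is wider than int, only the low 32 bits of each element are used, and the index runs to 7, which would overrun an array sized as 256 bits of `u_long`. Deriving the width from the element itself, `sizeof(chain->fw_icmptypes[0]) * CHAR_BIT` (limits.h is already included above), keeps the user-level layout tied to the struct definition; the same change applies to fill_icmptypes. A small `static` helper for the test and the set would avoid repeating the expression in both places. The enclosing print function starts before this hunk.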
***************
*** 288,295 ****
"\t\t{in|out|inout}\n"
"\t\tvia {ifname|ip}\n"
"\t\t{established|setup}\n"
! "\t\ttcpflags [!]{syn|fin|rst|ack|psh},...\n"
"\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n"
, progname
);
--- 317,325 ----
"\t\t{in|out|inout}\n"
"\t\tvia {ifname|ip}\n"
"\t\t{established|setup}\n"
! "\t\ttcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
"\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n"
+ "\t\ticmptypes {type},...\n"
, progname
);
***************
*** 385,390 ****
--- 415,433 ----
u_char *d;
while (p && *p) {
+ struct tpcflags {
+ char * name;
+ u_char value;
+ } flags[] = {
+ { "syn", IP_FW_TCPF_SYN },
+ { "fin", IP_FW_TCPF_FIN },
+ { "ack", IP_FW_TCPF_ACK },
+ { "psh", IP_FW_TCPF_PSH },
+ { "rst", IP_FW_TCPF_RST },
+ { "urg", IP_FW_TCPF_URG }
+ };
+ int i;
+
if (*p == '!') {
p++;
d = reset;
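Review bot: The `flags[]` table is declared and initialised inside the `while (p && *p)` body, so it is rebuilt for every token; it is constant data and reads better hoisted out of the loop as `static const struct tcpflag { const char *name; u_char value; } flags[] = { ... };` (the tag `tpcflags` also looks like a typo for tcpflags, and `char * name` should be `const char *name` since it only ever points at string literals). `int i` is compared against a `size_t` expression in the following hunk; declaring it `size_t i` avoids the signed/unsigned comparison. The enclosing function's start is outside this hunk.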
***************
*** 394,404 ****
q = strchr(p, ',');
if (q)
*q++ = '\0';
! if (!strncmp(p,"syn",strlen(p))) *d |= IP_FW_TCPF_SYN;
! if (!strncmp(p,"fin",strlen(p))) *d |= IP_FW_TCPF_FIN;
! if (!strncmp(p,"ack",strlen(p))) *d |= IP_FW_TCPF_ACK;
! if (!strncmp(p,"psh",strlen(p))) *d |= IP_FW_TCPF_PSH;
! if (!strncmp(p,"rst",strlen(p))) *d |= IP_FW_TCPF_RST;
p = q;
}
}
--- 437,452 ----
q = strchr(p, ',');
if (q)
*q++ = '\0';
!
! for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
! if (!strncmp(p, flags[i].name, strlen(p))) {
! *d |= flags[i].value;
! break;
! }
!
! if (i == sizeof(flags) / sizeof(flags[0]))
! show_usage("invalid tcp flag\n");
!
p = q;
}
}
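Review bot: An empty token (`tcpflags syn,,fin`, or a trailing comma) still passes the new validity check: `strlen(p)` is 0, so `strncmp(p, flags[i].name, 0)` returns 0 for the first entry and `IP_FW_TCPF_SYN` is silently set instead of reaching `show_usage`. Adding `if (*p == '\0') show_usage("invalid tcp flag\n");` before the loop closes the gap. The prefix match itself (`s` selects `syn`) is inherited from the replaced lines; if abbreviations are not intended, `strcmp(p, flags[i].name)` would be the stricter comparison. The enclosing function is not fully within this hunk.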
***************
*** 430,435 ****
--- 478,512 ----
}
void
+ fill_icmptypes(types, vp, fw_flg)
+ u_long *types;
+ char **vp;
+ u_short *fw_flg;
+ {
+ char *c = *vp;
+
+ while (*c)
+ {
+ unsigned long icmptype;
+
+ if ( *c == ',' )
+ ++c;
+
+ icmptype = strtoul(c, &c, 0);
+
+ if ( *c != ',' && *c != '\0' )
+ show_usage("invalid ICMP type");
+
+ if (icmptype > 255)
+ show_usage("ICMP types are between 0 and 255 inclusive");
+
+ types[icmptype / (sizeof(unsigned) * 8)] |=
+ 1 << (icmptype % (sizeof(unsigned) * 8));
+ *fw_flg |= IP_FW_F_ICMPBIT;
+ }
+ }
+
+ void
delete(ac,av)
int ac;
char **av;
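Review bot: fill_icmptypes() accepts an empty field as ICMP type 0: for `icmptypes 8,` or `8,,0` the loop re-enters on the ',' , `strtoul` finds no digits, returns 0 and leaves `c` unchanged, and the `*c != ',' && *c != '\0'` test passes, so bit 0 is set without the user asking for it. Keeping the end pointer separate and rejecting `end == c` fixes this. The set also uses a signed `1 << n`: at n == 31 the result is not representable in `int`, and where `u_long` is 64 bits the sign-extended value sets bits 31..63 of `types[]`; `1UL <<` matches the `u_long` element type and the `1U` used on the print side. Since `*vp` is read once and never advanced, a plain `char *` parameter would also be simpler than `char **vp`.
```c
                char *end;
                /* … unchanged: skip a leading ',' … */
                icmptype = strtoul(c, &end, 0);
                /* no digits at all (empty field), or junk after the number */
                if (end == c || (*end != ',' && *end != '\0'))
                        show_usage("invalid ICMP type");
                c = end;
                /* … unchanged: 0..255 range check … */
                types[icmptype / (sizeof(unsigned) * 8)] |=
                        1UL << (icmptype % (sizeof(unsigned) * 8));
```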
***************
*** 579,584 ****
--- 656,668 ----
av++; ac--; continue;
}
}
+ if ((rule.fw_flg & IP_FW_F_KIND) == IP_FW_F_ICMP) {
+ if (ac > 1 && !strncmp(*av,"icmptypes",strlen(*av))) {
+ av++; ac--;
+ fill_icmptypes(rule.fw_icmptypes, av, &rule.fw_flg);
+ av++; ac--; continue;
+ }
+ }
printf("%d %s\n",ac,*av);
show_usage("Unknown argument\n");
}
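Review bot: The `icmptypes` keyword is only recognised inside the `(rule.fw_flg & IP_FW_F_KIND) == IP_FW_F_ICMP` test, so on a non-ICMP rule it falls through to `show_usage("Unknown argument\n")`, which hides the actual cause from the user; testing the keyword first and the kind second allows a specific message such as `show_usage("icmptypes is only valid with proto icmp\n")`. The `ac > 1` guard ensures a value argument exists, but an empty string (`icmptypes ""`) passes through fill_icmptypes without setting `IP_FW_F_ICMPBIT`, so the rule silently matches every ICMP type; rejecting `**av == '\0'` here would make that explicit. The enclosing argument loop starts outside this hunk.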
***************
*** 637,646 ****
show_usage(NULL);
}
! while ((ch = getopt(ac, av ,"aN")) != EOF)
switch(ch) {
case 'a':
do_acct=1;
break;
case 'N':
do_resolv=1;
--- 721,733 ----
show_usage(NULL);
}
! while ((ch = getopt(ac, av ,"atN")) != EOF)
switch(ch) {
case 'a':
do_acct=1;
+ break;
+ case 't':
+ do_time=1;
break;
case 'N':
do_resolv=1;
*** ipfw.8 1996/05/18 15:38:41 1.1
--- ipfw.8 1996/05/19 18:27:05 1.3
***************
*** 19,25 ****
.Ar number
.Nm ipfw
.Oo
! .Fl aN
.Oc
list
.Nm ipfw
--- 19,25 ----
.Ar number
.Nm ipfw
.Oo
! .Fl atN
.Oc
list
.Nm ipfw
***************
*** 76,81 ****
--- 76,83 ----
.It Fl a
While listing, show counter values. This option is the only way to see
accounting records.
+ .It Fl t
+ While listing, show last match timestamp.
.It Fl N
Try to resolve addresses.
.El
***************
*** 173,178 ****
--- 175,183 ----
.It tcpflags Ar spec
Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
TCP packets only.
+ .It icmptypes Ar types
+ Not yet documented. Look in the source: src/sys/netnet/ipfw.c.
+ ICMP packets only.
.El
.Sh CHECKLIST
Here are some important points to consider when designing your
>Audit-Trail:
>Unformatted:
