From owner-freebsd-bugs Tue Apr 23 9:10:41 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id BD76F37B405 for ; Tue, 23 Apr 2002 09:10:01 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3NGA1d09702; Tue, 23 Apr 2002 09:10:01 -0700 (PDT) (envelope-from gnats)
Received: from anestad.com (pcp01510738pcs.malvrn01.pa.comcast.net [68.82.131.80]) by hub.freebsd.org (Postfix) with ESMTP id C5E9A37B417 for ; Tue, 23 Apr 2002 09:02:28 -0700 (PDT)
Received: from anestad.com (anestad.com [64.67.201.200]) by anestad.com (8.12.3/8.12.2) with ESMTP id g3NG2su9046809 for ; Tue, 23 Apr 2002 12:02:54 -0400 (EDT) (envelope-from danestad@anestad.com)
Received: (from danestad@localhost) by anestad.com (8.12.3/8.12.3/Submit) id g3NG2ngS046808; Tue, 23 Apr 2002 12:02:49 -0400 (EDT)
Message-Id: <200204231602.g3NG2ngS046808@anestad.com>
Date: Tue, 23 Apr 2002 12:02:49 -0400 (EDT)
From: Douglas Anestad
Reply-To: Douglas Anestad
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: bin/37381:
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 37381
>Category: bin
>Synopsis:
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Tue Apr 23 09:10:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Douglas Anestad
>Release: FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD anestad.com 4.5-STABLE FreeBSD 4.5-STABLE #0: Fri Apr 19 09:52:43 EDT 2002 root@anestad.com:/usr/obj/usr/src/sys/ANESTAD i386
>Description:
Change ipfw to allow [not] me in addition to me for the src and dst.
In other words, from the man page perspective, change

    src and dst: any | me | [not] [ports]

to

    src and dst: any | [not] me | [not] [ports]

If you use ipfw with no parameters, it tells you the following:

    src: from [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]

which implies that you can use not for me in addition to ip, which is currently incorrect. not any is the same as saying false, which means never use this rule, and is of little practical value.
>How-To-Repeat:
>Fix:
Added support for not me in:
sbin/ipfw/ipfw.c
sbin/ipfw/ipfw.8
sys/netinet/ip_fw.c
for the FreeBSD 4.5-STABLE source branch synched as of April 23, 2002
Patches are below:
diff -c sbin/ipfw/ipfw.c sbin/ipfw/ipfw.c.new
diff -c sbin/ipfw/ipfw.8 sbin/ipfw/ipfw.8.new
diff -c sys/netinet/ip_fw.c sys/netinet/ip_fw.new
-------------------------- cut here --------------------------- *** sbin/ipfw/ipfw.c Thu Nov 22 17:29:01 2001 --- sbin/ipfw/ipfw.c.new Wed Feb 13 19:37:31 2002 *************** *** 275,286 **** else printf(" %u", chain->fw_prot); if (chain->fw_flg & IP_FW_F_SME) { ! printf(" from me"); } else { - printf(" from %s", - chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); - adrt = ntohl(chain->fw_smsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_src.s_addr); --- 275,285 ---- else printf(" %u", chain->fw_prot); + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); + if (chain->fw_flg & IP_FW_F_SME) { ! printf("me"); } else { adrt = ntohl(chain->fw_smsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_src.s_addr); *************** *** 321,331 **** } } if (chain->fw_flg & IP_FW_F_DME) { ! printf(" to me"); } else { - printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); - adrt = ntohl(chain->fw_dmsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_dst.s_addr); --- 320,330 ---- } } + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); + if (chain->fw_flg & IP_FW_F_DME) { ! 
printf("me"); } else { adrt = ntohl(chain->fw_dmsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_dst.s_addr); -------------------------- cut here --------------------------- *** sbin/ipfw/ipfw.8 Tue Apr 23 11:39:01 2002 --- sbin/ipfw/ipfw.8.new Tue Apr 23 11:37:25 2002 *************** *** 474,480 **** .Cm all keywords mean any protocol will match. .It Ar src No and Ar dst : ! .Cm any | me | Op Cm not .Aq Ar address Ns / Ns Ar mask .Op Ar ports .Pp --- 474,480 ---- .Cm all keywords mean any protocol will match. .It Ar src No and Ar dst : ! .Cm any | Oo not Oc me | Op Cm not .Aq Ar address Ns / Ns Ar mask .Op Ar ports .Pp -------------------------- cut here --------------------------- *** sys/netinet/ip_fw.c Tue Apr 23 12:00:37 2002 --- sys/netinet/ip_fw.c.new Tue Apr 23 11:49:35 2002 *************** *** 1230,1242 **** if (f->fw_flg & IP_FW_F_SME) { INADDR_TO_IFP(src_ip, tif); ! if (tif == NULL) ! continue; } if (f->fw_flg & IP_FW_F_DME) { INADDR_TO_IFP(dst_ip, tif); ! if (tif == NULL) ! continue; } /* If src-addr doesn't match, not this rule. */ if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr --- 1230,1252 ---- if (f->fw_flg & IP_FW_F_SME) { INADDR_TO_IFP(src_ip, tif); ! if (f->fw_flg & IP_FW_F_INVSRC) { ! if (tif != NULL) ! continue; ! } else { ! if (tif == NULL) ! continue; ! } } if (f->fw_flg & IP_FW_F_DME) { INADDR_TO_IFP(dst_ip, tif); ! if (f->fw_flg & IP_FW_F_INVDST) { ! if (tif != NULL) ! continue; ! } else { ! if (tif == NULL) ! continue; ! } } /* If src-addr doesn't match, not this rule. */ if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
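Review bot: the ipfw.c hunk at 275,286 changes only the rule-listing output (the `" from %s"` printf with its IP_FW_F_INVSRC test is moved ahead of the IP_FW_F_SME check so that `from not me` can be printed); the rule parser that has to accept `not` before `me` and set IP_FW_F_INVSRC together with IP_FW_F_SME is not in the patch, although the Fix section says support was added in sbin/ipfw/ipfw.c. Either state in the PR that the parser already accepts the combination, or add that hunk; since `ipfw list` output is routinely replayed as rule input, the printed `from not me` form must round-trip.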
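Review bot: the ipfw.c hunk at 321,331 mirrors the `from` change for the destination side (`" to %s"` with IP_FW_F_INVDST printed before the IP_FW_F_DME check) and reads correctly; the same round-trip condition applies, the printed `to not me` form has to be accepted by the parser.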
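Review bot: in the new ipfw.8 line `.Cm any | Oo not Oc me | Op Cm not`, the `Cm` macro does not carry into the `Oo ... Oc` pair, so `not` and the following `me` now render in the default font, while in the old line `me` was inside the `Cm` scope and the address form's `not` on the same line is written `Op Cm not`. Write `Oo Cm not Oc Cm me` so the keywords keep the command-modifier font consistently with the rest of the line and with the usage text quoted in the Description (`from [not] {me|any|ip[...]}`).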
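Review bot: the context line right after the ip_fw.c hunk shows that the generic source-address test is also keyed on the inversion flag: `if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr ...`. Once this hunk lets a rule carry IP_FW_F_SME together with IP_FW_F_INVSRC and still pass the interface test, that later address test runs on a `not me` rule too and inverts its result, so the rule only survives if the masked comparison against fw_src/fw_smsk fails. Check what the parser stores in fw_src/fw_smsk for a `me` rule: with an all-zero mask the inverted test rejects every packet and `not me` never matches. The robust change is to skip the address comparison when IP_FW_F_SME is set (and the destination comparison when IP_FW_F_DME is set), and to cover both `me` and `not me` with a test. Style-wise, the new nested if/else can be written in the form of that same test: `if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ (tif == NULL)) continue;` and likewise for IP_FW_F_INVDST.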