Date: Sun, 12 May 1996 14:40:28 -0500 (CDT)
From: Alex Nash <alex@zen.nash.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
Subject: bin/1193: IPFW configuration program
Message-ID: <199605121940.OAA00746@zen.nash.org>
Resent-Message-ID: <199605121950.MAA10432@freefall.freebsd.org>
>Number: 1193
>Category: bin
>Synopsis: Cleanup + ability to zero individual chain entries
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Sun May 12 12:50:05 PDT 1996
>Last-Modified:
>Originator: Alex Nash
>Organization:
>Release: FreeBSD 2.1-STABLE i386
>Environment:
-current and -stable systems that use ipfw.
>Description:
ipfw.c:
Make it clear in usage display that multiple port ranges are not allowed.
Added ability to zero a single accounting entry. (See matching
sys/netinet/ip_fw.c PR.)
Spelling error corrected.
ipfw.8:
Document ability to accept a specific entry when using 'ipfw zero.'
Document the 'allow' option (I've placed allow first to agree with the
ipfw.c usage display).
Document the IP_FIREWALL_VERBOSE_LIMIT option, how it relates to
the log keyword and packet counter clearing.
>How-To-Repeat:
N/A
>Fix:
--- ipfw.c Sun May 12 13:28:12 1996
***************
*** 281,288 ****
"\trule:\taction proto src dst extras...\n"
"\t\taction: {allow|deny|reject|count} [log]\n"
"\t\tproto: {ip|tcp|udp|icmp}}\n"
! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},...]\n"
! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},...]\n"
"\textras:\n"
"\t\tfragment\n"
"\t\t{in|out|inout}\n"
--- 281,288 ----
"\trule:\taction proto src dst extras...\n"
"\t\taction: {allow|deny|reject|count} [log]\n"
"\t\tproto: {ip|tcp|udp|icmp}}\n"
! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
"\textras:\n"
"\t\tfragment\n"
"\t\t{in|out|inout}\n"
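Review bot: the unchanged context line `"\t\tproto: {ip|tcp|udp|icmp}}\n"` carries an unbalanced closing brace that the usage display prints literally; since this hunk already touches the adjacent src/dst lines, dropping the stray `}` here is cheap. The new `{port|port-port},[port],...` form does make it clear that only the first list element may be a range, which matches the description.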
***************
*** 589,594 ****
--- 589,628 ----
err(1,"setsockopt(IP_FW_ADD)");
}
+ void
+ zero (ac, av)
+ int ac;
+ char **av;
+ {
+ av++; ac--;
+
+ if (!ac) {
+ /* clear all entries */
+ if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) {
+ fprintf(stderr,"%s: setsockopt failed.\n",progname);
+ exit(1);
+ }
+ printf("Accounting cleared.\n");
+ } else {
+ /* clear a specific entry */
+ struct ip_fw rule;
+ int i;
+
+ memset(&rule, 0, sizeof rule);
+
+ /* Rule number */
+ if (isdigit(**av)) {
+ rule.fw_number = atoi(*av); av++; ac--;
+
+ if (setsockopt(s, IPPROTO_IP, IP_FW_ZERO, &rule, sizeof rule))
+ err(1, "setsockopt(Zero)");
+ }
+ else {
+ show_usage("expected number");
+ }
+ }
+ }
+
int
ipfw_main(ac,av)
int ac;
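Review bot: the rule-number parsing in `zero()` checks only the first character with `isdigit(**av)` and then calls `atoi(*av)`, so an argument like `12abc` is accepted as rule 12 and an out-of-range value is silently truncated when assigned to `rule.fw_number`; consider `strtoul()` with an end-pointer check and a range check against the field's width, and call `show_usage()` when `ac` is still non-zero after consuming the number, since extra arguments are currently ignored. `isdigit()` also needs `<ctype.h>`. Error handling differs between the two paths as well: the clear-all branch uses `fprintf(stderr, ...); exit(1);` and prints `"Accounting cleared."` on success, while the single-entry branch uses `err(1, "setsockopt(Zero)")`, tests the `setsockopt()` return without `< 0`, and prints nothing; settling on one style (`err()` naming the option, as elsewhere in the file) would make the two cases behave alike.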
***************
*** 632,642 ****
}
printf("Flushed all rules.\n");
} else if (!strncmp(*av, "zero", strlen(*av))) {
! if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) {
! fprintf(stderr,"%s: setsockopt failed.\n",progname);
! exit(1);
! }
! printf("Accounting cleared.\n");
} else if (!strncmp(*av, "print", strlen(*av))) {
list(--ac,++av);
} else if (!strncmp(*av, "list", strlen(*av))) {
--- 666,672 ----
}
printf("Flushed all rules.\n");
} else if (!strncmp(*av, "zero", strlen(*av))) {
! zero(ac,av);
} else if (!strncmp(*av, "print", strlen(*av))) {
list(--ac,++av);
} else if (!strncmp(*av, "list", strlen(*av))) {
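Review bot: `zero(ac,av)` is passed the unadjusted argument vector and skips the keyword inside the function (`av++; ac--;`), whereas the neighbouring `list(--ac,++av)` advances past the keyword at the call site; using the same convention for both keeps the dispatch code uniform.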
***************
*** 662,668 ****
s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
if ( s < 0 ) {
fprintf(stderr,"%s: Can't open raw socket.\n"
! "Must be root to use this programm. \n",progname);
exit(1);
}
--- 692,698 ----
s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
if ( s < 0 ) {
fprintf(stderr,"%s: Can't open raw socket.\n"
! "Must be root to use this program. \n",progname);
exit(1);
}
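Review bot: the corrected message still has a trailing space before the newline in `"Must be root to use this program. \n"`; drop it while the line is being touched.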
--- ipfw.8 Sun May 12 13:44:42 1996
***************
*** 11,16 ****
--- 11,19 ----
flush
.Nm ipfw
zero
+ .Oo
+ .Ar number
+ .Oc
.Nm ipfw
delete
.Ar number
***************
*** 79,89 ****
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
! .It Nm accept
! Accept packets that match rule.
The search terminates.
.It Nm pass
! same as accept.
.It Nm count
update counters for all packets that match rule.
The search continues with next rule.
--- 82,94 ----
.Pp
.Ar action :
.Bl -hang -offset flag -width 1234567890123456
! .It Nm allow
! Allow packets that match rule.
The search terminates.
.It Nm pass
! same as allow.
! .It Nm accept
! same as allow.
.It Nm count
update counters for all packets that match rule.
The search continues with next rule.
***************
*** 98,103 ****
--- 103,114 ----
When a packet matches a rule with the
.Nm log
keyword, a message will be printed on the console.
+ If the kernel was compiled with the
+ .Nm IP_FIREWALL_VERBOSE_LIMIT
+ option, then logging will cease after the number of packets
+ specified by the option are recieved for that particular
+ chain entry. Logging may then be re-enabled by clearing
+ the packet counter for that entry.
.Pp
.Ar proto :
.Bl -hang -offset flag -width 1234567890123456
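Review bot: the added text has a typo, `recieved` should be `received`. Also, the sentence "Logging may then be re-enabled by clearing the packet counter for that entry" describes exactly the `ipfw zero number` form this same patch adds to the synopsis; naming that command here would save the reader a lookup.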
>Audit-Trail:
>Unformatted: