From owner-freebsd-bugs Sun May 12 12:50:10 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA10448 for bugs-outgoing; Sun, 12 May 1996 12:50:10 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA10432 Sun, 12 May 1996 12:50:07 -0700 (PDT)
Resent-Date: Sun, 12 May 1996 12:50:07 -0700 (PDT)
Resent-Message-Id: <199605121950.MAA10432@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, nash@mcs.com
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA09936 Sun, 12 May 1996 12:41:12 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id OAA00746; Sun, 12 May 1996 14:40:28 -0500 (CDT)
Message-Id: <199605121940.OAA00746@zen.nash.org>
Date: Sun, 12 May 1996 14:40:28 -0500 (CDT)
From: Alex Nash
Reply-To: nash@mcs.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1193: IPFW configuration program
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         1193
>Category:       bin
>Synopsis:       Cleanup + ability to zero individual chain entries
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 12 12:50:05 PDT 1996
>Last-Modified:
>Originator:     Alex Nash
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:
-current and -stable systems that use ipfw.
>Description:
ipfw.c:
    Make it clear in usage display that multiple port ranges are not allowed.
    Added ability to zero a single accounting entry. (See matching
    sys/netinet/ip_fw.c PR.)
    Spelling error corrected.

ipfw.8:
    Document ability to accept a specific entry when using 'ipfw zero.'
    Document the 'allow' option (I've placed allow first to agree with
    the ipfw.c usage display).
Document the IP_FIREWALL_VERBOSE_LIMIT option, how it relates to the log keyword and packet counter clearing. >How-To-Repeat: N/A >Fix: --- ipfw.c Sun May 12 13:28:12 1996 *************** *** 281,288 **** "\trule:\taction proto src dst extras...\n" "\t\taction: {allow|deny|reject|count} [log]\n" "\t\tproto: {ip|tcp|udp|icmp}}\n" ! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},...]\n" ! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},...]\n" "\textras:\n" "\t\tfragment\n" "\t\t{in|out|inout}\n" --- 281,288 ---- "\trule:\taction proto src dst extras...\n" "\t\taction: {allow|deny|reject|count} [log]\n" "\t\tproto: {ip|tcp|udp|icmp}}\n" ! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n" ! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n" "\textras:\n" "\t\tfragment\n" "\t\t{in|out|inout}\n" *************** *** 589,594 **** --- 589,628 ---- err(1,"setsockopt(IP_FW_ADD)"); } + void + zero (ac, av) + int ac; + char **av; + { + av++; ac--; + + if (!ac) { + /* clear all entries */ + if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) { + fprintf(stderr,"%s: setsockopt failed.\n",progname); + exit(1); + } + printf("Accounting cleared.\n"); + } else { + /* clear a specific entry */ + struct ip_fw rule; + int i; + + memset(&rule, 0, sizeof rule); + + /* Rule number */ + if (isdigit(**av)) { + rule.fw_number = atoi(*av); av++; ac--; + + if (setsockopt(s, IPPROTO_IP, IP_FW_ZERO, &rule, sizeof rule)) + err(1, "setsockopt(Zero)"); + } + else { + show_usage("expected number"); + } + } + } + int ipfw_main(ac,av) int ac; *************** *** 632,642 **** } printf("Flushed all rules.\n"); } else if (!strncmp(*av, "zero", strlen(*av))) { ! if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) { ! fprintf(stderr,"%s: setsockopt failed.\n",progname); ! exit(1); ! } ! 
printf("Accounting cleared.\n"); } else if (!strncmp(*av, "print", strlen(*av))) { list(--ac,++av); } else if (!strncmp(*av, "list", strlen(*av))) { --- 666,672 ---- } printf("Flushed all rules.\n"); } else if (!strncmp(*av, "zero", strlen(*av))) { ! zero(ac,av); } else if (!strncmp(*av, "print", strlen(*av))) { list(--ac,++av); } else if (!strncmp(*av, "list", strlen(*av))) { *************** *** 662,668 **** s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ); if ( s < 0 ) { fprintf(stderr,"%s: Can't open raw socket.\n" ! "Must be root to use this programm. \n",progname); exit(1); } --- 692,698 ---- s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW ); if ( s < 0 ) { fprintf(stderr,"%s: Can't open raw socket.\n" ! "Must be root to use this program. \n",progname); exit(1); } --- ipfw.8 Sun May 12 13:44:42 1996 *************** *** 11,16 **** --- 11,19 ---- flush .Nm ipfw zero + .Oo + .Ar number + .Oc .Nm ipfw delete .Ar number *************** *** 79,89 **** .Pp .Ar action : .Bl -hang -offset flag -width 1234567890123456 ! .It Nm accept ! Accept packets that match rule. The search terminates. .It Nm pass ! same as accept. .It Nm count update counters for all packets that match rule. The search continues with next rule. --- 82,94 ---- .Pp .Ar action : .Bl -hang -offset flag -width 1234567890123456 ! .It Nm allow ! Allow packets that match rule. The search terminates. .It Nm pass ! same as allow. ! .It Nm accept ! same as allow. .It Nm count update counters for all packets that match rule. The search continues with next rule. *************** *** 98,103 **** --- 103,114 ---- When a packet matches a rule with the .Nm log keyword, a message will be printed on the console. + If the kernel was compiled with the + .Nm IP_FIREWALL_VERBOSE_LIMIT + option, then logging will cease after the number of packets + specified by the option are recieved for that particular + chain entry. Logging may then be re-enabled by clearing + the packet counter for that entry. 
.Pp .Ar proto : .Bl -hang -offset flag -width 1234567890123456 >Audit-Trail: >Unformatted:
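Review bot: in the usage-text hunk (ipfw.c 281-288) the context line `"\t\tproto: {ip|tcp|udp|icmp}}\n"` has an unbalanced closing brace; since the neighbouring src/dst lines are already being edited, drop the extra `}` in the same change. The new `[{port|port-port},[port],...]` form does say that only the first element may be a range, but `[port],...` reads as if each later single port were itself an optional list element; `[{port|port-port}[,port]...]` conveys the same rule with one fewer ambiguity.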
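Review bot: `rule.fw_number = atoi(*av)` in the new `zero()` (ipfw.c 589-628) takes the rule number with no range or trailing-garbage check: `isdigit(**av)` inspects only the first character, so `ipfw zero 12abc` zeroes entry 12, and nothing bounds the upper end of the value before it is handed to the kernel. Parse with `strtoul()` and an end pointer, reject leftover characters and out-of-range values before the `setsockopt` call, and hand any arguments remaining after `av++; ac--` to `show_usage` instead of ignoring them. The two branches should also fail the same way: the all-entries path uses `fprintf`/`exit(1)` and prints `Accounting cleared.`, while the single-entry path tests `if (setsockopt(...))` rather than `< 0`, calls `err(1, "setsockopt(Zero)")` (the file's convention is the option name, as in `err(1,"setsockopt(IP_FW_ADD)")`) and prints nothing on success. Make sure `<ctype.h>` and `<string.h>` are included for `isdigit` and `memset` if they are not already, and add a comment that passing a non-NULL buffer to `IP_FW_ZERO` depends on the kernel change in the matching ip_fw.c PR, for whoever applies only this half.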
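Review bot: the replacement call `zero(ac,av)` (ipfw.c 632-642) passes the unshifted argument vector and lets `zero()` do `av++; ac--` itself, whereas the adjacent `list(--ac,++av)` shifts at the call site; pick one convention so every subcommand handler sees argv the same way.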
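Review bot: the corrected string `"Must be root to use this program. \n"` (ipfw.c 662-668) still carries the stray space before the newline; drop it while the line is being touched. The message also assumes the only reason `socket(AF_INET, SOCK_RAW, IPPROTO_RAW)` can fail is lack of privilege; reporting `strerror(errno)` (or using `err()` as the rest of the file does) would tell the user which failure it actually was.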
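Review bot: in the added IP_FIREWALL_VERBOSE_LIMIT paragraph (ipfw.8 98-114) `recieved` should be `received`, and `.Nm IP_FIREWALL_VERBOSE_LIMIT` uses the document-name macro for a kernel option; mdoc's `.Dv` is the conventional macro for a defined option name like this one. The paragraph would also be clearer if it named `ipfw zero number` (added in this same PR) as the command that clears the counter for a single entry and so re-enables logging, and said outright that the limit applies per chain entry: an administrator reading a quiet log for one rule needs to know it may mean the limit was reached, not that the matching traffic stopped.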