Date:      Thu, 16 Jan 1997 18:38:35 +0000 (GMT)
From:      Adam David <adam@veda.is>
To:        proff@suburbia.net
Cc:        phk@critter.DK.tfs.COM, freebsd-current@freebsd.org
Subject:   Re: ipfw patches to test
Message-ID:  <199701161838.SAA20186@veda.is>
In-Reply-To: <19970116164447.5406.qmail@suburbia.net> from "proff@suburbia.net" at "Jan 17, 97 03:44:47 am"

[I wrote earlier]
> > I would much prefer the following syntax:
> > 
> >     ipfw add deny from !192.168.23.0/30 to 140.145.230.0/24
> > 
> > and I am convinced that it would be a simpler modification to the code.

I have reviewed my previous musings and these patches, and have merged my
patches with Poul-Henning's to give the patches included below. The issues
of user syntax and the internal representation and manipulation of the data
are of course entirely separate.

Concerning the flow of control in the ipfw module, which of the two versions
is actually more streamlined? I think mine has less repetition and more
symmetry, but is it any faster in the real world?

> I wouldn't. I would prefer a "not from". Shell symbols should
> be avoided in the ipfw grammar, which is designed to be
> human readable in English.
> 
> Cheers,
> Julian <proff@iq.org>

It would be a simple matter to revise these patches to use "from [not] "
instead of "from [!]". Purists would complain that "from !192.168.23.0" is
ugly syntax anyway, just as I strongly dislike "!from 192.168.23.0".


--- sbin/ipfw/ipfw.c.old	Thu Jan 16 16:51:23 1997
+++ sbin/ipfw/ipfw.c	Thu Jan 16 17:24:01 1997
@@ -162,7 +162,7 @@
 	else
 		printf("%u", chain->fw_prot);
 
-	printf(" from ");
+	printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "!" : "");
 
 	adrt=ntohl(chain->fw_smsk.s_addr);
 	if (adrt==ULONG_MAX && do_resolv) {
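Review bot: the `&` in `chain->fw_flg & IP_FW_F_INVSRC ? "!" : ""` binds tighter than `?:`, so the expression does what is intended, but parenthesising the test as `(chain->fw_flg & IP_FW_F_INVSRC) ? "!" : ""` (and likewise in the `to` printer below) makes that visible and matches the `(f->fw_flg & IP_FW_F_INVSRC) != 0` form used in the kernel hunk. Also note that this printer emits `!` while the thread is still debating `not`; whichever keyword wins, the printer and the parser must stay in step so that `ipfw list` output can be fed back to `ipfw add` unchanged.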
@@ -202,7 +202,7 @@
 		}
 	}
 
-	printf(" to ");
+	printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "!" : "");
 
 	adrt=ntohl(chain->fw_dmsk.s_addr);
 	if (adrt==ULONG_MAX && do_resolv) {
@@ -685,6 +685,9 @@
 	if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; }
 	else show_usage("missing ``from''\n");
 
+	if (!ac) show_usage("Missing arguments\n");
+
+	if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVSRC; }
 	fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
 
 	if (ac && isdigit(**av)) {
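Review bot: the flag is stored in `rule.fw_flag`, but the printer earlier in this file reads `chain->fw_flg` and the kernel hunk reads `f->fw_flg`; unless `struct ip_fw` really has both members this will not compile, and if it did, the kernel would never see the bit. Use `rule.fw_flg |= IP_FW_F_INVSRC;` here and the matching `rule.fw_flg |= IP_FW_F_INVDST;` in the `to` hunk.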
@@ -699,6 +702,7 @@
 
 	if (!ac) show_usage("Missing arguments\n");
 
+	if (**av == '!') { ++*av; rule.fw_flag |= IP_FW_F_INVDST; }
 	fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
 
 	if (ac && isdigit(**av)) {
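Review bot: after `++*av` a bare `!` argument (as in `from ! 192.168.23.0/30`, which is how a shell user is likely to type it) leaves `fill_ip` an empty string, and the same applies to the `from` hunk above; what `fill_ip` does with that input is not visible here, but it will not be a clear error. Either check `(*av)[1] != '\0'` after seeing the `!` and call `show_usage` otherwise, or accept `!` as its own token and advance `av`/`ac` before calling `fill_ip`.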
--- sys/netinet/ip_fw.c.old	Thu Jan 16 15:31:25 1997
+++ sys/netinet/ip_fw.c	Thu Jan 16 16:40:33 1997
@@ -320,11 +320,13 @@
 			continue;
 
 		/* If src-addr doesn't match, not this rule. */
-		if ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)
+		if ((f->fw_flg & IP_FW_F_INVSRC) != 0
+		  ^ (src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)
 			continue;
 
 		/* If dest-addr doesn't match, not this rule. */
-		if ((dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)
+		if ((f->fw_flg & IP_FW_F_INVDST) != 0
+		  ^ (dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr)
 			continue;
 
 		/* If a i/f name was specified, and we don't know */
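Review bot: the comments `/* If src-addr doesn't match, not this rule. */` and its dst counterpart are now stale, since with the invert bit set the rule is skipped precisely when the address does match; reword them to say so. The new tests are correct only because `!=` binds tighter than `^` in C; writing them as `((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)` makes the intended boolean XOR explicit and stops a later edit from breaking it by adding a term.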
--- sys/netinet/ip_fw.h.old	Thu Jan 16 16:06:13 1997
+++ sys/netinet/ip_fw.h	Thu Jan 16 16:14:20 1997
@@ -64,6 +64,8 @@
 /*
  * Values for "flags" field .
  */
+#define IP_FW_F_INVSRC	0x0001	/* Invert sense of src check	      */
+#define IP_FW_F_INVDST	0x0002	/* Invert sense of dst check	      */
 #define IP_FW_F_IN	0x0004	/* Inbound 			      */
 #define IP_FW_F_OUT	0x0008	/* Outbound			      */
 
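Review bot: the new values 0x0001 and 0x0002 sit below the lowest flag shown in the context (`IP_FW_F_IN 0x0004`), so confirm nothing else in this header or in the kernel already claims those bits, and that the kernel's rule-install path does not mask or reject flag bits it did not previously know about; otherwise userland would set a bit the kernel silently drops and the rule would behave as a non-inverted match. The comment above calls this the "flags" field, consistent with `fw_flg` in ip_fw.c, which is one more reason the `fw_flag` spelling in the ipfw.c hunk looks like a typo.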

--
Adam David <adam@veda.is>