Date: Wed, 15 Jan 1997 17:18:10 +0100
From: Poul-Henning Kamp <phk@critter.dk.tfs.com>
To: current@freebsd.org
Subject: ipfw patches to test
Message-ID: <27547.853345090@critter.dk.tfs.com>
Well, I needed this badly, so I looked at it, if somebody wants to try out this little patch, please report how it goes. Basically you can now say ipfw add deny !from 192.168.23.0/30 to 140.145.230.0/24 or "!to" for that matter. Give it a whirl... Poul-Henning Index: ipfw.c =================================================================== RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v retrieving revision 1.34 diff -u -r1.34 ipfw.c --- ipfw.c 1996/10/17 01:05:03 1.34 +++ ipfw.c 1997/01/15 16:06:31 @@ -158,7 +158,7 @@ else printf("%u", chain->fw_prot); - printf(" from "); + printf(" %sfrom ", chain->fw_flg & IP_FW_F_INVSRC ? "!" : ""); adrt=ntohl(chain->fw_smsk.s_addr); if (adrt==ULONG_MAX && do_resolv) { @@ -198,7 +198,7 @@ } } - printf(" to "); + printf(" %sto ", chain->fw_flg & IP_FW_F_INVDST ? "!" : ""); adrt=ntohl(chain->fw_dmsk.s_addr); if (adrt==ULONG_MAX && do_resolv) { @@ -679,6 +679,7 @@ /* from */ if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; } + else if (ac && !strncmp(*av,"!from",strlen(*av))) { av++; ac--; rule.fw_flg |= IP_FW_F_INVSRC;} else show_usage("missing ``from''\n"); fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av); @@ -691,6 +692,7 @@ /* to */ if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; } + else if (ac && !strncmp(*av,"!to",strlen(*av))) { av++; ac--; rule.fw_flg |= IP_FW_F_INVDST;} else show_usage("missing ``to''\n"); if (!ac) show_usage("Missing arguments\n"); Index: ip_fw.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v retrieving revision 1.51 diff -u -r1.51 ip_fw.c --- ip_fw.c 1996/10/12 19:49:36 1.51 +++ ip_fw.c 1997/01/15 15:58:18 @@ -290,6 +290,7 @@ struct ifaddr *ia = NULL, *ia_p; struct in_addr src, dst, ia_i; u_short src_port, dst_port, offset; + int i; src = ip->ip_src; dst = ip->ip_dst; 
@@ -320,11 +321,17 @@ continue; /* If src-addr doesn't match, not this rule. */ - if ((src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr) + i = (src.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr; + if (i && !(f->fw_flg & IP_FW_F_INVSRC)) + continue; + if (!i && (f->fw_flg & IP_FW_F_INVSRC)) continue; /* If dest-addr doesn't match, not this rule. */ - if ((dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr) + i = (dst.s_addr & f->fw_dmsk.s_addr) != f->fw_dst.s_addr; + if (i && !(f->fw_flg & IP_FW_F_INVDST)) + continue; + if (!i && (f->fw_flg & IP_FW_F_INVDST)) continue; /* If a i/f name was specified, and we don't know */ Index: ip_fw.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw.h,v retrieving revision 1.23 diff -u -r1.23 ip_fw.h --- ip_fw.h 1996/08/21 21:36:57 1.23 +++ ip_fw.h 1997/01/15 15:56:35 @@ -64,6 +64,8 @@ /* * Values for "flags" field . */ +#define IP_FW_F_INVSRC 0x0001 /* Invert sense of src check */ +#define IP_FW_F_INVDST 0x0002 /* Invert sense of dst check */ #define IP_FW_F_IN 0x0004 /* Inbound */ #define IP_FW_F_OUT 0x0008 /* Outbound */ -- Poul-Henning Kamp | phk@FreeBSD.ORG FreeBSD Core-team. http://www.freebsd.org/~phk | phk@login.dknet.dk Private mailbox. whois: [PHK] | phk@tfs.com TRW Financial Systems, Inc. Future will arrive by its own means, progress not so.
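Review bot: In the ipfw.c hunk at @@ -679 the new test `!strncmp(*av,"!from",strlen(*av))` inherits the prefix tolerance of the existing "from" check, so a bare "!" or "!f" on the command line is silently accepted as "!from". For the negated form that tolerance is risky, since a truncated token yields a rule that matches the complement of what the operator intended; compare the "!" forms with an exact `strcmp(*av, "!from")` instead, and leave the prefix matching to the plain keyword.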
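Review bot: In the ipfw.c hunk at @@ -691 the same exact-match point applies to "!to", and the unchanged `show_usage("missing ``to''\n")` (and its "from" twin in the previous hunk) still only names the un-negated keyword, so a user who mistypes the new syntax gets no hint that "!to"/"!from" exist; update the usage strings and the ipfw man page together with this change.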
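Review bot: In the ip_fw.c hunk at @@ -320 each pair of `if (i && !(...)) continue; if (!i && (...)) continue;` collapses to a single comparison, `if (i != ((f->fw_flg & IP_FW_F_INVSRC) != 0)) continue;`, which is easier to verify and avoids evaluating the flag test twice; the `int i` added at @@ -290 would also read better as `mismatch`, since `i` suggests a loop index. Two caveats worth a line in the man page: with an all-zero mask the address comparison always succeeds, so an inverted rule over such a range can never match; and because the kernel now honours flag bits 0x0001 and 0x0002 straight from the userland rule structure, confirm that the rule-add path (not in this diff) still rejects or masks any other unexpected bits in fw_flg.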