Date: Sun, 5 May 2002 18:25:37 -0400 (EDT)
From: Douglas Anestad <yotta@anestad.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Douglas Anestad <yotta@anestad.com>
Subject: bin/37778: [PATCH] add 'not me' to ipfw for src and dst
Message-ID: <200205052225.g45MPbHC003192@anestad.com>
>Number:         37778
>Category:       bin
>Synopsis:       [PATCH] add 'not me' to ipfw for src and dst
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 05 15:30:01 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Douglas Anestad
>Release:        FreeBSD 4.6-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD anestad.com 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #0: Sun May 5 09:17:51 EDT 2002 root@anestad.com:/usr/obj/usr/src/sys/ANESTAD i386
>Description:
Change ipfw to allow [not] me in addition to me for the src and dst.

In other words, from the man page perspective, change

    src and dst: any | me | [not] <address/mask> [ports]

to

    src and dst: any | [not] me | [not] <address/mask> [ports]

If you use ipfw with no parameters, it tells you the following:

    src: from [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]

which implies that you can use not for me in addition to ip, which is currently incorrect. not any is the same as saying false, which means never use this rule and is of little practical value.
>How-To-Repeat:
>Fix:
Added support for not me in:

    sbin/ipfw/ipfw.c
    sbin/ipfw/ipfw.8
    sys/netinet/ip_fw.c

Versions patched:

    $FreeBSD: src/sbin/ipfw/ipfw.c,v 1.80.2.22 2001/11/22 22:29:01 luigi Exp $
    $FreeBSD: src/sbin/ipfw/ipfw.8,v 1.63.2.23 2002/05/01 21:29:59 cjc Exp $
    $FreeBSD: src/sys/netinet/ip_fw.c,v 1.131.2.33 2002/05/01 21:30:05 cjc Exp $

Patches are below:

diff -u sbin/ipfw/ipfw.c.orig sbin/ipfw/ipfw.c
diff -u sbin/ipfw/ipfw.8.orig sbin/ipfw/ipfw.8
diff -u sys/netinet/ip_fw.c.orig sys/netinet/ip_fw.c
--- sbin/ipfw/ipfw.c.orig	Wed Feb 13 16:09:42 2002
+++ sbin/ipfw/ipfw.c	Sun May 5 18:05:25 2002
@@ -275,12 +275,11 @@ else printf(" %u", chain->fw_prot); + printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); + if (chain->fw_flg & IP_FW_F_SME) { - printf(" from me"); + printf("me"); } else { - printf(" from %s", - chain->fw_flg & IP_FW_F_INVSRC ? "not " : ""); - adrt = ntohl(chain->fw_smsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_src.s_addr); @@ -321,11 +320,11 @@ } } + printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); + if (chain->fw_flg & IP_FW_F_DME) { - printf(" to me"); + printf("me"); } else { - printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : ""); - adrt = ntohl(chain->fw_dmsk.s_addr); if (adrt == ULONG_MAX && do_resolv) { adrt = (chain->fw_dst.s_addr); --- sbin/ipfw/ipfw.8.orig Sun May 5 17:56:15 2002 +++ sbin/ipfw/ipfw.8 Sun May 5 17:56:35 2002 @@ -474,7 +474,7 @@ .Cm all keywords mean any protocol will match. .It Ar src No and Ar dst : -.Cm any | me | Op Cm not +.Cm any | Oo not Oc me | Op Cm not .Aq Ar address Ns / Ns Ar mask .Op Ar ports --- sys/netinet/ip_fw.c.orig Sun May 5 18:21:16 2002 +++ sys/netinet/ip_fw.c Sun May 5 18:21:58 2002 @@ -1230,13 +1230,23 @@ if (f->fw_flg & IP_FW_F_SME) { INADDR_TO_IFP(src_ip, tif); - if (tif == NULL) - continue; + if (f->fw_flg & IP_FW_F_INVSRC) { + if (tif != NULL) + continue; + } else { + if (tif == NULL) + continue; + } } if (f->fw_flg & IP_FW_F_DME) { INADDR_TO_IFP(dst_ip, tif); - if (tif == NULL) - continue; + if (f->fw_flg & IP_FW_F_INVDST) { + if (tif != NULL) + continue; + } else { + if (tif == NULL) + continue; + } } /* If src-addr doesn't match, not this rule. */ if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
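Review bot: in the sbin/ipfw/ipfw.c hunk at @@ -275,12 the only code touched is the show-rule (printf) path, so it is worth confirming that the rule parser in the same file already accepts `from not me` and sets both IP_FW_F_INVSRC and IP_FW_F_SME on the chain entry; if the parser rejected that combination before, the kernel change in sys/netinet/ip_fw.c cannot be exercised from the command line and the PR is incomplete. The display change itself is sound: `printf(" from %s", ... IP_FW_F_INVSRC ? "not " : "")` is now emitted before the `me`/address branch and the branch prints `"me"` without a leading space, so the output reads `from not me`. Minor: the hunk adds a blank `+` line after the printf and deletes the blank line before `adrt`, which is whitespace churn that could be dropped.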
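Review bot: the sbin/ipfw/ipfw.c hunk at @@ -321,11 mirrors the src hunk for IP_FW_F_DME / IP_FW_F_INVDST and has the same whitespace churn (a blank `+` line after `printf(" to %s", ...)`, the blank before `adrt` removed); the same question about the parser accepting `to not me` applies here. Keeping the two blocks byte-for-byte symmetric, including whitespace, would make the next reader's comparison easier.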
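Review bot: mdoc consistency in the sbin/ipfw/ipfw.8 hunk at @@ -474,7: the replacement line `.Cm any | Oo not Oc me | Op Cm not` marks the second `not` with `Cm` but not the first, so the two keywords will be rendered differently; `Oo Cm not Oc` would make them match. With that, the man page line agrees with the usage text that `ipfw` prints with no arguments (quoted in the description as `[not] {me|any|ip...}`), which is the stated goal.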
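Review bot: possible double inversion in the sys/netinet/ip_fw.c hunk at @@ -1230,13. The added `if (f->fw_flg & IP_FW_F_INVSRC)` branch correctly flips the interface test (`continue` when `tif != NULL`), but the trailing context shows the generic source-address test that follows ("If src-addr doesn't match, not this rule."), which also XORs its result with IP_FW_F_INVSRC. Unless that test is skipped when IP_FW_F_SME is set, a `not me` rule carries INVSRC into the address compare as well: whatever fw_src/fw_smsk hold for a `me` rule, a zero mask compares as a match, the XOR turns it into a mismatch, and the rule never fires. Either confirm that the address compare is bypassed for SME/DME rules or restructure so the flag is consumed by the `me` check; the same applies to the IP_FW_F_DME block and IP_FW_F_INVDST. Style: each nested `if/else` pair could use the XOR idiom the surrounding code already uses, e.g. `if ((tif == NULL) ^ ((f->fw_flg & IP_FW_F_INVSRC) != 0)) continue;`, which keeps each case to two lines.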