Date: Fri, 15 Feb 2008 23:42:16 +0700 (KRAT)
From: Eugene Grosbein <eugen@kuzbass.ru>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Message-ID: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>
Resent-Message-ID: <200802151700.m1FH08es013378@freefall.freebsd.org>
>Number:         120720
>Category:       bin
>Synopsis:       [patch] [ipfw] unbreak POLA for ipfw table list
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 15 17:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eugene Grosbein
>Release:        FreeBSD 7.0-PRERELEASE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #7: Mon Feb 11 23:05:33 KRAT 2008 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386
>Description:
The command "ipfw table 1 list" used to format table values associated with
network addresses as 32-bit unsigned integers until 6.3-RELEASE.
Since 6.3-RELEASE, it interprets values that are greater than 65535 as
IP addresses. This change breaks many existing applications that expect
the format to be an integer, as it used to be since RELENG_4.
This change is not even documented. So, it breaks POLA and should be corrected.
>How-To-Repeat:
	ipfw table 1 add 1.1.1.1 $(date +%s)
	ipfw table 1 list

This used to show something like "1.1.1.1/32 1203093427" before the change,
but now it shows something like "1.1.1.1/32 71.181.191.179" instead.
>Fix:
The following patch does three things:

1) revert the default behaviour to match 6.2-RELEASE and earlier;
2) offer a new way to format values as IP addresses with the new switch "ipfw -i":
	ipfw -i table 1 list
3) document both variants in the ipfw(8) manual page.

The patch applies to both RELENG_6 and RELENG_7.

--- sbin/ipfw/ipfw.8.orig	2008-02-15 23:18:10.000000000 +0700
+++ sbin/ipfw/ipfw.8	2008-02-15 23:18:04.000000000 +0700
@@ -210,6 +210,12 @@ if misused, .No i.e. Cm flush . If there is no tty associated with the process, this is implied. +.It Fl i +While +.Cm list Ns ing table (see the +.Sx LOOKUP TABLES +section below for more information on lookup tables), format values +as IP addresses. By default, values are shown as integers. .It Fl n Only check syntax of the command strings, without actually passing them to the kernel. --- sbin/ipfw/ipfw2.c.orig 2008-02-15 17:26:53.000000000 +0700 +++ sbin/ipfw/ipfw2.c 2008-02-15 23:24:30.000000000 +0700 @@ -62,6 +62,7 @@ #include <arpa/inet.h> int + do_value_as_ip, /* show table value as IP */ do_resolv, /* Would try to resolve all */ do_time, /* Show time stamps */ do_quiet, /* Be quiet in add and flush */ @@ -5028,7 +5029,7 @@ /* values < 64k are printed as numbers */ unsigned int tval; tval = tbl->ent[a].value; - if (tval > 0xffff) { + if (do_value_as_ip) { char tbuf[128]; strncpy(tbuf, inet_ntoa(*(struct in_addr *) &tbl->ent[a].addr), 127); @@ -5039,7 +5040,7 @@ } else { printf("%s/%u %u\n", inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr), - tbl->ent[a].masklen, tbl->ent[a].value); + tbl->ent[a].masklen, tval); } } } else @@ -5148,7 +5149,7 @@ save_av = av; optind = optreset = 0; - while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1) + while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1) switch (ch) { case 'a': do_acct = 1; @@ -5180,6 +5181,10 @@ help(); break; /* NOTREACHED */ + case 'i': + do_value_as_ip = 1; + break; + case 'n': test_only = 1; break; Eugene Grosbein >Release-Note: >Audit-Trail: >Unformatted:
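Review bot: in the ipfw.8 hunk (@@ -210,6 +210,12 @@) the wording ".Cm list Ns ing table (see the .Sx LOOKUP TABLES section ...)" reads awkwardly in mdoc and renders as "listing table"; suggest "When listing a lookup table (see the .Sx LOOKUP TABLES section below), format values as IP addresses. By default, values are shown as integers." and say explicitly that the flag has no effect on any other command, since it is accepted globally by getopt.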
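Review bot: in the @@ -5028,7 +5029,7 @@ hunk the unchanged context comment "/* values < 64k are printed as numbers */" still describes the removed "tval > 0xffff" heuristic; once the branch is "if (do_value_as_ip)" there is no 64k cut-off, so update the comment (for example "/* value is printed as an IP address only with -i */") so it does not contradict the code. The change itself is the right call from a consumer's point of view: a script parsing "ipfw table N list" can now rely on one format per invocation instead of having a timestamp or counter that happens to exceed 65535 silently reinterpreted as a dotted quad.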
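Review bot: the @@ -5148 and @@ -5180 hunks add "i" to the getopt string and a "case 'i':" in the switch, but nothing in the patch touches the usage text printed by help() (visible as context in the 'h' case); if that text enumerates the option letters it should gain "-i" as well, otherwise "ipfw -h" and the updated ipfw(8) disagree about which flags exist.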
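The two formatting policies the PR contrasts, side by side, as an added example that is not part of the PR or of sbin/ipfw/ipfw2.c: format_heuristic() reproduces the 6.3-RELEASE behaviour (anything above 0xffff is printed as an address) and format_explicit() the patched behaviour (integer unless the caller asked for IP formatting, as "ipfw -i" does). The struct table_entry, the function names and the htonl() before inet_ntop() are assumptions made here; the htonl() is what reproduces the "71.181.191.179" the PR quotes for the value 1203093427.

```c
/* Added example, not code from the PR or from ipfw2.c: render an ipfw
 * lookup-table entry under the old heuristic and under the explicit flag.
 * struct table_entry and the helper names are constructed for this example;
 * the htonl() before inet_ntop() is an assumption that matches the output
 * quoted in the PR ("1.1.1.1/32 71.181.191.179" for value 1203093427). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Minimal stand-in for a table entry as the kernel hands it back. */
struct table_entry {
	uint32_t addr;     /* network byte order, as produced by inet_pton() */
	uint8_t  masklen;
	uint32_t value;    /* host-order 32-bit value attached to the entry */
};

/* Render "addr/masklen"; inet_ntop() writes into our buffer, so nothing
 * shares inet_ntoa()'s static buffer between two calls. */
static void fmt_prefix(const struct table_entry *e, char *out, size_t outlen)
{
	char abuf[INET_ADDRSTRLEN];
	struct in_addr a = { .s_addr = e->addr };
	inet_ntop(AF_INET, &a, abuf, sizeof(abuf));
	snprintf(out, outlen, "%s/%u", abuf, (unsigned)e->masklen);
}

/* Render the value as a dotted quad, most significant byte first. */
static void fmt_value_as_ip(uint32_t value, char *out, size_t outlen)
{
	struct in_addr v = { .s_addr = htonl(value) };
	inet_ntop(AF_INET, &v, out, outlen);
}

/* Patched behaviour: integer unless value_as_ip is set (the -i switch). */
int format_explicit(const struct table_entry *e, int value_as_ip,
    char *out, size_t outlen)
{
	char pfx[32], val[INET_ADDRSTRLEN];
	fmt_prefix(e, pfx, sizeof(pfx));
	if (value_as_ip) {
		fmt_value_as_ip(e->value, val, sizeof(val));
		return snprintf(out, outlen, "%s %s", pfx, val);
	}
	return snprintf(out, outlen, "%s %u", pfx, (unsigned)e->value);
}

/* 6.3-RELEASE behaviour: the value itself decides how it is shown. */
int format_heuristic(const struct table_entry *e, char *out, size_t outlen)
{
	return format_explicit(e, e->value > 0xffff, out, outlen);
}

/* Build an entry from text; returns 0 on success, -1 on a bad address. */
int make_entry(const char *addr, uint8_t masklen, uint32_t value,
    struct table_entry *e)
{
	struct in_addr a;
	if (inet_pton(AF_INET, addr, &a) != 1)
		return -1;
	e->addr = a.s_addr;
	e->masklen = masklen;
	e->value = value;
	return 0;
}

int main(void)
{
	struct table_entry e;
	char line[64];

	/* Constructed input mirroring the PR's How-To-Repeat: a Unix
	 * timestamp stored as the table value. */
	make_entry("1.1.1.1", 32, 1203093427u, &e);
	format_heuristic(&e, line, sizeof(line));
	printf("6.3 heuristic  : %s\n", line);
	format_explicit(&e, 0, line, sizeof(line));
	printf("patched default: %s\n", line);
	format_explicit(&e, 1, line, sizeof(line));
	printf("patched with -i: %s\n", line);
	return 0;
}
```

The heuristic and the explicit "-i" path produce the same text for the timestamp, which is exactly the problem: a consumer reading "71.181.191.179" cannot tell whether the table held an address or a counter that crossed 65535. With the format chosen per invocation, the default line is "1.1.1.1/32 1203093427" regardless of the value's magnitude.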