Date:      Fri, 11 Jun 2004 14:23:51 +0300
From:      Ruslan Ermilov <ru@FreeBSD.org>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        ipfw@FreeBSD.org
Subject:   Re: wrong output syntax in ipfw(8)
Message-ID:  <20040611112351.GB434@ip.net.ua>
In-Reply-To: <20040611092900.GA434@ip.net.ua>
References:  <200406092010.i59KAcXH025699@repoman.freebsd.org> <20040610214059.GA3228@ip.net.ua> <200406110151.17372.max@love2party.net> <20040611072136.GB55472@ip.net.ua> <20040611021113.A73239@xorpc.icir.org> <20040611092900.GA434@ip.net.ua>

On Fri, Jun 11, 2004 at 12:29:00PM +0300, Ruslan Ermilov wrote:
> Luigi,
>
> While we're on the IPFW2 topic, I noticed one glitch when
> printing IPFW2 rules:
>
> OK:
>
> # ipfw add 1 count ip from { 1 or 2 } to any
> 00001 count ip from { 0.0.0.1 or 0.0.0.2 } to any
>
> Wrong:
>
> # ipfw add 1 count ip from any to { 1 or 2 }
> 00001 count ip from any to { 0.0.0.1 or dst-ip 0.0.0.2 }
>
> This happens because when we get to printing the 0.0.0.2,
> all 3-tuple (proto, src-ip, and dst-ip) is already defined.
> As such, HAVE_OPTIONS is set, so " dst-ip" is prepended.
> Can you fix it, as I'm lost in debris of ipfw2.c?  ;)
>
> P.S.  Yes, I'm well aware of the first paragraph of the
> ipfw(8) manpage.  ;)
>
So far, I've come up with the following patch.  It's odd and
very hackish but seems to DTRT:

%%%
--- ipfw2.c~	Fri Jun 11 12:05:56 2004
+++ ipfw2.c	Fri Jun 11 13:01:13 2004
@@ -860,7 +860,7 @@ print_icmptypes(ipfw_insn_u32 *cmd)
 static void
 show_prerequisites(int *flags, int want, int cmd)
 {
-	if ( (*flags & HAVE_IP) =3D=3D HAVE_IP)
+	if ( !cmd && (*flags & HAVE_IP) =3D=3D HAVE_IP)
 		*flags |=3D HAVE_OPTIONS;
=20
 	if ( (*flags & (HAVE_MAC|HAVE_MACTYPE|HAVE_OPTIONS)) =3D=3D HAVE_MAC &&
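Review bot: In show_prerequisites() the new `!cmd &&` test gives the `cmd` argument a second meaning (suppress the automatic HAVE_OPTIONS promotion) with no comment saying so. Both calls visible in this patch pass 0 for `cmd`, so the condition is unchanged for them; please document which callers pass a non-zero `cmd` and why HAVE_OPTIONS must not be set for those, or use a dedicated argument instead of overloading this one.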
@@ -1096,15 +1096,21 @@ show_ipfw(struct ip_fw *rule, int pcwidt
 		case O_IP_DST_MASK:
 		case O_IP_DST_ME:
 		case O_IP_DST_SET:
+		    {
+			int saved_flags =3D flags;
+
 			show_prerequisites(&flags, HAVE_PROTO|HAVE_SRCIP, 0);
 			if (!(flags & HAVE_DSTIP))
 				printf(" to");
 			if ((cmd->len & F_OR) && !or_block)
 				printf(" {");
+			if (or_block && !(saved_flags & HAVE_OPTIONS))
+				flags &=3D ~HAVE_OPTIONS;
 			print_ip((ipfw_insn_ip *)cmd,
 				(flags & HAVE_OPTIONS) ? " dst-ip" : "");
 			flags |=3D HAVE_DSTIP;
 			break;
+		    }
=20
 		case O_IP_DSTPORT:
 			show_prerequisites(&flags, HAVE_IP, 0);
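Review bot: In the O_IP_DST_* case, `flags &= ~HAVE_OPTIONS` undoes what the show_prerequisites() call a few lines earlier may just have set, and nothing restores it: only HAVE_DSTIP is ORed back before `break`, so the cleared bit is carried out of the case. Add a comment saying the clear is meant for the second and later members of an or-block, and consider choosing the " dst-ip" prefix from a local, for example `((or_block ? saved_flags : flags) & HAVE_OPTIONS)`, which gives the same prefix without mutating `flags`. Whether the O_IP_DSTPORT case below needs the same treatment inside an or-block cannot be judged from the lines shown and is worth checking.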
%%%

If someone has a better fix, please let me know.  ;)


Cheers,
-- 
Ruslan Ermilov
ru@FreeBSD.org
FreeBSD committer
