Date: Sun, 19 May 1996 17:19:44 -0500 (CDT) From: Alex Nash <alex@zen.nash.org> To: FreeBSD-gnats-submit@freebsd.org Cc: phk@freebsd.org Subject: bin/1220: IPFW: configuration utility enhancements Message-ID: <199605192219.RAA01316@zen.nash.org> Resent-Message-ID: <199605192230.PAA29780@freefall.freebsd.org>
>Number: 1220 >Category: bin >Synopsis: IPFW: configuration utility enhancements >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Class: change-request >Submitter-Id: current-users >Arrival-Date: Sun May 19 15:30:08 PDT 1996 >Last-Modified: >Originator: Alex Nash >Organization: >Release: FreeBSD 2.1-STABLE i386 >Environment: FreeBSD 2.1.0-stable or FreeBSD 2.2-current with IPFW changes submitted in PRs bin/1193 and kern/1192. >Description: ipfw.c: - Allow filtering by ICMP type. - Added URG tcpflag. - Print usage if an unknown tcpflag is used. - Ability to print date/time when the chain entry was last matched. ipfw.8: - Documented the -t (time display) option. - Documented the *presence* of icmptypes. >How-To-Repeat: N/A >Fix: NOTE: 1. The version numbers shown in the diffs do *not* correspond to version numbers in the FreeBSD CVS tree. 2. All diffs are applied after the changes made in bin/1193. Complete sources for kernel and user-level code are available at: ftp://ftp.fa.tdktca.com/pub/FreeBSD/ipfw MD5 (ipfw.tar.gz) = f54888e0aa91745f8bb27f35c104e62e *** ipfw.c 1996/05/18 15:38:41 1.1 --- ipfw.c 1996/05/19 18:28:45 1.4 *************** *** 27,32 **** --- 27,33 ---- #include <stdlib.h> #include <netdb.h> #include <limits.h> + #include <time.h> #include <sys/queue.h> #include <sys/socket.h> #include <netinet/in.h> *************** *** 40,45 **** --- 41,47 ---- int s; /* main RAW socket */ int do_resolv=0; /* Would try to resolv all */ int do_acct=0; /* Show packet/byte count */ + int do_time=0; /* Show time stamps */ int mask_bits(m_ad) *************** *** 77,82 **** --- 79,98 ---- if (do_acct) printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt); + if (do_time) + { + if (chain->timestamp) + { + char timestr[30]; + + strcpy(timestr, ctime((time_t *)&chain->timestamp)); + *strchr(timestr, '\n') = '\0'; + printf("%s ", timestr); + } + else + printf(" "); + } + if (chain->fw_flg & IP_FW_F_ACCEPT) printf("allow"); else if 
(chain->fw_flg & IP_FW_F_ICMPRPL) *************** *** 242,247 **** --- 258,276 ---- if (chain->fw_tcpf & IP_FW_TCPF_URG) PRINTFLG("urg"); if (chain->fw_tcpnf & IP_FW_TCPF_URG) PRINTFLG("!urg"); } + if (chain->fw_flg & IP_FW_F_ICMPBIT) { + int type_index; + int first = 1; + + printf(" icmptype"); + + for (type_index = 0; type_index < 256; ++type_index) + if (chain->fw_icmptypes[type_index / (sizeof(unsigned) * 8)] & + (1U << (type_index % (sizeof(unsigned) * 8)))) { + printf("%c%d", first == 1 ? ' ' : ',', type_index); + first = 0; + } + } printf("\n"); } *************** *** 288,295 **** "\t\t{in|out|inout}\n" "\t\tvia {ifname|ip}\n" "\t\t{established|setup}\n" ! "\t\ttcpflags [!]{syn|fin|rst|ack|psh},...\n" "\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n" , progname ); --- 317,325 ---- "\t\t{in|out|inout}\n" "\t\tvia {ifname|ip}\n" "\t\t{established|setup}\n" ! "\t\ttcpflags [!]{syn|fin|rst|ack|psh|urg},...\n" "\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n" + "\t\ticmptypes {type},...\n" , progname ); *************** *** 385,390 **** --- 415,433 ---- u_char *d; while (p && *p) { + struct tpcflags { + char * name; + u_char value; + } flags[] = { + { "syn", IP_FW_TCPF_SYN }, + { "fin", IP_FW_TCPF_FIN }, + { "ack", IP_FW_TCPF_ACK }, + { "psh", IP_FW_TCPF_PSH }, + { "rst", IP_FW_TCPF_RST }, + { "urg", IP_FW_TCPF_URG } + }; + int i; + if (*p == '!') { p++; d = reset; *************** *** 394,404 **** q = strchr(p, ','); if (q) *q++ = '\0'; ! if (!strncmp(p,"syn",strlen(p))) *d |= IP_FW_TCPF_SYN; ! if (!strncmp(p,"fin",strlen(p))) *d |= IP_FW_TCPF_FIN; ! if (!strncmp(p,"ack",strlen(p))) *d |= IP_FW_TCPF_ACK; ! if (!strncmp(p,"psh",strlen(p))) *d |= IP_FW_TCPF_PSH; ! if (!strncmp(p,"rst",strlen(p))) *d |= IP_FW_TCPF_RST; p = q; } } --- 437,452 ---- q = strchr(p, ','); if (q) *q++ = '\0'; ! ! for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i) ! if (!strncmp(p, flags[i].name, strlen(p))) { ! *d |= flags[i].value; ! break; ! } ! ! if (i == sizeof(flags) / sizeof(flags[0])) ! 
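Review bot: In the new `do_time` branch, `*strchr(timestr, '\n') = '\0'` dereferences the strchr result without a NULL check, and `ctime()` itself can return NULL for a value it cannot format, in which case the preceding `strcpy` reads a null pointer; the listing function this sits in starts and ends outside the hunk. A bounded form that tolerates both is `const char *ts = ctime((time_t *)&chain->timestamp); if (ts == NULL) ts = "?"; snprintf(timestr, sizeof timestr, "%.24s", ts);` — the `%.24s` precision drops the trailing newline of the fixed 26-byte ctime format without needing strchr. The `(time_t *)` cast also suggests `chain->timestamp` is not declared as `time_t`; if the two types ever differ in width the read is out of bounds, so copying the field into a `time_t` local before calling ctime would be safer (the struct is not visible here, so this is an inference).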
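Review bot: The flag table introduced at the top of the `while (p && *p)` body is declared inside the loop, so it is rebuilt on every token, and its tag is misspelled `tpcflags`; a file-scope `static const struct tcpflag { const char *name; u_char value; } tcpflags[] = { ... };` keeps it initialised once and lets the compiler reject accidental writes to the names. The enclosing parsing function begins before this hunk.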
show_usage("invalid tcp flag\n"); ! p = q; } } *************** *** 430,435 **** --- 478,512 ---- } void + fill_icmptypes(types, vp, fw_flg) + u_long *types; + char **vp; + u_short *fw_flg; + { + char *c = *vp; + + while (*c) + { + unsigned long icmptype; + + if ( *c == ',' ) + ++c; + + icmptype = strtoul(c, &c, 0); + + if ( *c != ',' && *c != '\0' ) + show_usage("invalid ICMP type"); + + if (icmptype > 255) + show_usage("ICMP types are between 0 and 255 inclusive"); + + types[icmptype / (sizeof(unsigned) * 8)] |= + 1 << (icmptype % (sizeof(unsigned) * 8)); + *fw_flg |= IP_FW_F_ICMPBIT; + } + } + + void delete(ac,av) int ac; char **av; *************** *** 579,584 **** --- 656,668 ---- av++; ac--; continue; } } + if ((rule.fw_flg & IP_FW_F_KIND) == IP_FW_F_ICMP) { + if (ac > 1 && !strncmp(*av,"icmptypes",strlen(*av))) { + av++; ac--; + fill_icmptypes(rule.fw_icmptypes, av, &rule.fw_flg); + av++; ac--; continue; + } + } printf("%d %s\n",ac,*av); show_usage("Unknown argument\n"); } *************** *** 637,646 **** show_usage(NULL); } ! while ((ch = getopt(ac, av ,"aN")) != EOF) switch(ch) { case 'a': do_acct=1; break; case 'N': do_resolv=1; --- 721,733 ---- show_usage(NULL); } ! while ((ch = getopt(ac, av ,"atN")) != EOF) switch(ch) { case 'a': do_acct=1; + break; + case 't': + do_time=1; break; case 'N': do_resolv=1; *** ipfw.8 1996/05/18 15:38:41 1.1 --- ipfw.8 1996/05/19 18:27:05 1.3 *************** *** 19,25 **** .Ar number .Nm ipfw .Oo ! .Fl aN .Oc list .Nm ipfw --- 19,25 ---- .Ar number .Nm ipfw .Oo ! .Fl atN .Oc list .Nm ipfw *************** *** 76,81 **** --- 76,83 ---- .It Fl a While listing, show counter values. This option is the only way to see accounting records. + .It Fl t + While listing, show last match timestamp. .It Fl N Try to resolve addresses. .El *************** *** 173,178 **** --- 175,183 ---- .It tcpflags Ar spec Not yet documented. Look in the source: src/sys/netnet/ipfw.c. TCP packets only. + .It icmptypes Ar types + Not yet documented. 
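Review bot: `strncmp(p, flags[i].name, strlen(p))` with an empty token — `tcpflags syn,,ack`, or a bare `!` as in `tcpflags syn,!` where the `p++` after the `!` leaves `p` empty — compares zero bytes and therefore matches the first table entry, so an empty field silently becomes `syn` (or `!syn`) instead of reaching the new `show_usage("invalid tcp flag\n")`. Guard the token before the table scan: `if (*p == '\0') show_usage("invalid tcp flag\n");`. The prefix match also accepts any abbreviation (`s` selects `syn`), which appears to be the pre-existing behaviour of the strncmp chain this replaces, so it is left alone here. The enclosing function begins before this hunk.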
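Review bot: `fill_icmptypes` accepts an empty field as ICMP type 0: for `icmptypes 8,,9`, a lone `,`, or a trailing comma, `strtoul` finds no digits, returns 0 and leaves `c` on the separator or terminator, so the `*c != ',' && *c != '\0'` test passes and type 0 (echo reply) is silently added to the rule; an empty argument never enters the loop at all, so `IP_FW_F_ICMPBIT` is not set and the rule matches every ICMP type. Remembering the token start and rejecting `c == start`, plus an up-front check for an empty string, closes both cases, as in the rewrite below. The bit index is computed from `sizeof(unsigned)` and the print side uses `1U`, but the array is passed here as `u_long *` and the shift is a signed `1 <<`; that only agrees where `u_long` and `unsigned` have the same width, so the parameter type should match however `fw_icmptypes` is declared in the kernel header (not visible here) and the constant should be `1U` to match the reader and avoid `1 << 31` on a signed int.
```c
	char *c = *vp;

	if (*c == '\0')
		show_usage("icmptypes requires at least one ICMP type");

	while (*c) {
		char *start;
		unsigned long icmptype;

		if (*c == ',')
			++c;

		start = c;
		icmptype = strtoul(start, &c, 0);

		/* an empty field ("8,,9", ",", "8,") or non-numeric text is an error, not type 0 */
		if (c == start || (*c != ',' && *c != '\0'))
			show_usage("invalid ICMP type");

		if (icmptype > 255)
			show_usage("ICMP types are between 0 and 255 inclusive");

		types[icmptype / (sizeof(unsigned) * 8)] |=
		    1U << (icmptype % (sizeof(unsigned) * 8));
		*fw_flg |= IP_FW_F_ICMPBIT;
	}
```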
Look in the source: src/sys/netnet/ipfw.c. + ICMP packets only. .El .Sh CHECKLIST Here are some important points to consider when designing your >Audit-Trail: >Unformatted: