Date:      Sun, 19 May 1996 17:19:44 -0500 (CDT)
From:      Alex Nash <alex@zen.nash.org>
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        phk@freebsd.org
Subject:   bin/1220: IPFW: configuration utility enhancements
Message-ID:  <199605192219.RAA01316@zen.nash.org>
Resent-Message-ID: <199605192230.PAA29780@freefall.freebsd.org>


>Number:         1220
>Category:       bin
>Synopsis:       IPFW: configuration utility enhancements
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 19 15:30:08 PDT 1996
>Last-Modified:
>Originator:     Alex Nash
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

FreeBSD 2.1.0-stable or FreeBSD 2.2-current with IPFW changes submitted
in PRs bin/1193 and kern/1192.

>Description:

  ipfw.c:

    - Allow filtering by ICMP type.

    - Added URG tcpflag.

    - Print usage if an unknown tcpflag is used.

    - Ability to print date/time when the chain entry was last matched.

  ipfw.8:

    - Documented the -t (time display) option.

    - Documented the *presence* of icmptypes.

>How-To-Repeat:

N/A

>Fix:

  NOTE:
  1. The version numbers shown in the diffs do *not* correspond
     to version numbers in the FreeBSD CVS tree.

  2. All diffs are applied after the changes made in bin/1193.

Complete sources for kernel and user-level code are available at:

    ftp://ftp.fa.tdktca.com/pub/FreeBSD/ipfw
    MD5 (ipfw.tar.gz) = f54888e0aa91745f8bb27f35c104e62e



*** ipfw.c	1996/05/18 15:38:41	1.1
--- ipfw.c	1996/05/19 18:28:45	1.4
***************
*** 27,32 ****
--- 27,33 ----
  #include <stdlib.h>
  #include <netdb.h>
  #include <limits.h>
+ #include <time.h>
  #include <sys/queue.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
***************
*** 40,45 ****
--- 41,47 ----
  int 		s;				/* main RAW socket 	   */
  int 		do_resolv=0;			/* Would try to resolv all */
  int		do_acct=0;			/* Show packet/byte count  */
+ int		do_time=0;			/* Show time stamps        */
  
  int
  mask_bits(m_ad)
***************
*** 77,82 ****
--- 79,98 ----
  	if (do_acct) 
  		printf("%10lu %10lu ",chain->fw_pcnt,chain->fw_bcnt);
  
+ 	if (do_time)
+ 	{
+ 		if (chain->timestamp)
+ 		{
+ 			char timestr[30];
+ 
+ 			strcpy(timestr, ctime((time_t *)&chain->timestamp));
+ 			*strchr(timestr, '\n') = '\0';
+ 			printf("%s ", timestr);
+ 		}
+ 		else
+ 			printf("                         ");
+ 	}
+ 
  	if (chain->fw_flg & IP_FW_F_ACCEPT)
  		printf("allow");
  	else if (chain->fw_flg & IP_FW_F_ICMPRPL)
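Review bot: The new `strcpy`/`strchr` pair writes through two pointers that may be NULL: `ctime()` returns NULL for a value it cannot convert, and `strchr()` returns NULL when no newline is present, so `*strchr(timestr, '\n') = '\0'` is an unchecked store. Casting `&chain->timestamp` to `time_t *` also assumes the field already has `time_t`'s width and type; copying it into a local `time_t` first is correct for any integer field. The rewrite below keeps the 24-column field plus one space so the `else` padding still lines up with it. The enclosing print function starts and ends outside the hunk.
```c
	if (do_time)
	{
		if (chain->timestamp)
		{
			time_t t = chain->timestamp;
			char *ts = ctime(&t);
			char timestr[30];
			char *nl;

			/* ctime() may return NULL; an empty field keeps the columns aligned */
			snprintf(timestr, sizeof timestr, "%s", ts != NULL ? ts : "");
			if ((nl = strchr(timestr, '\n')) != NULL)
				*nl = '\0';
			printf("%-24s ", timestr);
		}
		else
			printf("                         ");
	}
```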
***************
*** 242,247 ****
--- 258,276 ----
  		if (chain->fw_tcpf  & IP_FW_TCPF_URG)  PRINTFLG("urg");
  		if (chain->fw_tcpnf & IP_FW_TCPF_URG)  PRINTFLG("!urg");
  	} 
+ 	if (chain->fw_flg & IP_FW_F_ICMPBIT) {
+ 		int type_index;
+ 		int first = 1;
+ 
+ 		printf(" icmptype");
+ 
+ 		for (type_index = 0; type_index < 256; ++type_index)
+ 			if (chain->fw_icmptypes[type_index / (sizeof(unsigned) * 8)] & 
+ 				(1U << (type_index % (sizeof(unsigned) * 8)))) {
+ 				printf("%c%d", first == 1 ? ' ' : ',', type_index);
+ 				first = 0;
+ 			}
+ 	}
  	printf("\n");
  }
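Review bot: The word index and bit position in the new icmptype printer are derived from `sizeof(unsigned) * 8`, while the same array is handed to `fill_icmptypes` (later hunk) as `u_long *` and filled with identical `unsigned`-based arithmetic; if `fw_icmptypes` is not declared as an array of `unsigned`, or on a target where `long` is wider than `unsigned`, the index is computed in one element width and applied in another, so bits land in the wrong word or past the end of the array. Derive the width from the element itself on both sides, e.g. `sizeof(chain->fw_icmptypes[0]) * CHAR_BIT` here (`<limits.h>` is already included), and give `fill_icmptypes` a parameter of the array's actual element type. The test here correctly uses `1U <<`; the filler uses a plain `1 <<`, raised on that hunk. The enclosing print function starts outside the hunk.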
  
***************
*** 288,295 ****
  "\t\t{in|out|inout}\n"
  "\t\tvia {ifname|ip}\n"
  "\t\t{established|setup}\n"
! "\t\ttcpflags [!]{syn|fin|rst|ack|psh},...\n"
  "\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n"
  , progname
  );
  
--- 317,325 ----
  "\t\t{in|out|inout}\n"
  "\t\tvia {ifname|ip}\n"
  "\t\t{established|setup}\n"
! "\t\ttcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
  "\t\tipoptions [!]{ssrr|lsrr|rr|ts},...\n"
+ "\t\ticmptypes {type},...\n"
  , progname
  );
  
***************
*** 385,390 ****
--- 415,433 ----
  	u_char *d;
  
  	while (p && *p) {
+ 		struct tpcflags {
+ 			char * name;
+ 			u_char value;
+ 		} flags[] = {
+ 			{ "syn", IP_FW_TCPF_SYN },
+ 			{ "fin", IP_FW_TCPF_FIN },
+ 			{ "ack", IP_FW_TCPF_ACK },
+ 			{ "psh", IP_FW_TCPF_PSH },
+ 			{ "rst", IP_FW_TCPF_RST },
+ 			{ "urg", IP_FW_TCPF_URG }
+ 		};
+ 		int i;
+ 
  		if (*p == '!') {
  			p++;
  			d = reset;
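Review bot: The `flags` lookup table is declared inside the `while` body, so it is rebuilt on the stack on every iteration, and its `char * name` member drops `const` from the string literals it points at. As a constant table it belongs at file scope: `static const struct { const char *name; u_char value; } flags[] = { ... };`, which also lets the index in the later `i < sizeof(flags) / sizeof(flags[0])` comparison be a `size_t` rather than `int` and avoids the signed/unsigned compare. The enclosing parser starts outside the hunk.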
***************
*** 394,404 ****
  		q = strchr(p, ',');
  		if (q) 
  			*q++ = '\0';
! 		if (!strncmp(p,"syn",strlen(p))) *d |= IP_FW_TCPF_SYN;
! 		if (!strncmp(p,"fin",strlen(p))) *d |= IP_FW_TCPF_FIN;
! 		if (!strncmp(p,"ack",strlen(p))) *d |= IP_FW_TCPF_ACK;
! 		if (!strncmp(p,"psh",strlen(p))) *d |= IP_FW_TCPF_PSH;
! 		if (!strncmp(p,"rst",strlen(p))) *d |= IP_FW_TCPF_RST;
  		p = q;
  	}
  }
--- 437,452 ----
  		q = strchr(p, ',');
  		if (q) 
  			*q++ = '\0';
! 
! 		for (i = 0; i < sizeof(flags) / sizeof(flags[0]); ++i)
! 			if (!strncmp(p, flags[i].name, strlen(p))) {
! 				*d |= flags[i].value;
! 				break;
! 			}
! 
! 		if (i == sizeof(flags) / sizeof(flags[0]))
! 			show_usage("invalid tcp flag\n");
! 
  		p = q;
  	}
  }
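Review bot: An empty token still matches silently: when `p` has length zero (`tcpflags syn,,ack`, or a lone `!`), `strncmp(p, flags[i].name, 0)` returns 0 on the first entry, so the loop sets `IP_FW_TCPF_SYN` and breaks before the new `invalid tcp flag` check can fire. Reject the empty token before the loop: `if (*p == '\0') show_usage("invalid tcp flag\n");`. The prefix match also accepts `s` for `syn`, which is the previous behaviour; a full `strcmp` would be stricter if that is wanted. The enclosing function starts outside the hunk.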
***************
*** 430,435 ****
--- 478,512 ----
  }
  
  void
+ fill_icmptypes(types, vp, fw_flg)
+ 	u_long *types;
+ 	char **vp;
+ 	u_short *fw_flg;
+ {
+ 	char *c = *vp;
+ 
+ 	while (*c)
+ 	{
+ 		unsigned long icmptype;
+ 
+ 		if ( *c == ',' )
+ 			++c;
+ 
+ 		icmptype = strtoul(c, &c, 0);
+ 
+ 		if ( *c != ',' && *c != '\0' )
+ 			show_usage("invalid ICMP type");
+ 
+ 		if (icmptype > 255)
+ 			show_usage("ICMP types are between 0 and 255 inclusive");
+ 
+ 		types[icmptype / (sizeof(unsigned) * 8)] |= 
+ 			1 << (icmptype % (sizeof(unsigned) * 8));
+ 		*fw_flg |= IP_FW_F_ICMPBIT;
+ 	}
+ }
+ 
+ void
  delete(ac,av)
  	int ac;
  	char **av;
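Review bot: `fill_icmptypes` accepts a token with no digits as type 0: for `1,,2` the second comma is skipped, `strtoul` consumes nothing and leaves `c` on the following comma, which the `*c != ',' && *c != '\0'` test then accepts, so bit 0 is set silently; compare the end pointer with the start before trusting the value. The bit is also set with `1 << …`, an `int` shift that overflows once the position reaches the sign bit (type 31 with a 32-bit `int`), whereas the printer uses `1U <<`; use an unsigned constant of the element's width. The mismatch between `u_long *types` and the `sizeof(unsigned)` arithmetic is raised on the printer hunk. The `show_usage` calls are assumed not to return, as the rest of the file relies on.
```c
	char *c = *vp;

	while (*c)
	{
		unsigned long icmptype;
		char *end;

		if ( *c == ',' )
			++c;

		/* strtoul() leaves end == c when no digits were consumed */
		icmptype = strtoul(c, &end, 0);
		if (end == c || (*end != ',' && *end != '\0'))
			show_usage("invalid ICMP type");
		c = end;

		if (icmptype > 255)
			show_usage("ICMP types are between 0 and 255 inclusive");

		/* width taken from the element so the index and the shift agree */
		types[icmptype / (sizeof(types[0]) * CHAR_BIT)] |=
			1UL << (icmptype % (sizeof(types[0]) * CHAR_BIT));
		*fw_flg |= IP_FW_F_ICMPBIT;
	}
```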
***************
*** 579,584 ****
--- 656,668 ----
  				av++; ac--; continue;
  			}
  		}
+ 		if ((rule.fw_flg & IP_FW_F_KIND) == IP_FW_F_ICMP) {
+ 			if (ac > 1 && !strncmp(*av,"icmptypes",strlen(*av))) {
+ 				av++; ac--;
+ 				fill_icmptypes(rule.fw_icmptypes, av, &rule.fw_flg);
+ 				av++; ac--; continue;
+ 			}
+ 		}
  		printf("%d %s\n",ac,*av);
  		show_usage("Unknown argument\n");
  	}
***************
*** 637,646 ****
  		show_usage(NULL);
  	}
  
! 	while ((ch = getopt(ac, av ,"aN")) != EOF)
  	switch(ch) {
  		case 'a':
  			do_acct=1;
  			break;
  		case 'N':
  	 		do_resolv=1;
--- 721,733 ----
  		show_usage(NULL);
  	}
  
! 	while ((ch = getopt(ac, av ,"atN")) != EOF)
  	switch(ch) {
  		case 'a':
  			do_acct=1;
+ 			break;
+ 		case 't':
+ 			do_time=1;
  			break;
  		case 'N':
  	 		do_resolv=1;


	
*** ipfw.8	1996/05/18 15:38:41	1.1
--- ipfw.8	1996/05/19 18:27:05	1.3
***************
*** 19,25 ****
  .Ar number
  .Nm ipfw
  .Oo
! .Fl aN
  .Oc
  list
  .Nm ipfw
--- 19,25 ----
  .Ar number
  .Nm ipfw
  .Oo
! .Fl atN
  .Oc
  list
  .Nm ipfw
***************
*** 76,81 ****
--- 76,83 ----
  .It Fl a
  While listing, show counter values. This option is the only way to see
  accounting records.
+ .It Fl t
+ While listing, show last match timestamp.
  .It Fl N
  Try to resolve addresses.
  .El
***************
*** 173,178 ****
--- 175,183 ----
  .It tcpflags Ar spec
  Not yet documented.  Look in the source: src/sys/netnet/ipfw.c.
  TCP packets only.
+ .It icmptypes Ar types
+ Not yet documented.  Look in the source: src/sys/netnet/ipfw.c.
+ ICMP packets only.
  .El
  .Sh CHECKLIST
  Here are some important points to consider when designing your


>Audit-Trail:
>Unformatted:


