authordwmalone <dwmalone@FreeBSD.org>2004-02-18 15:56:53 +0000
committerdwmalone <dwmalone@FreeBSD.org>2004-02-18 15:56:53 +0000
commit4a80a9f04177ddab5edf74e5aaa0de6198176414 (patch)
tree9994247b6da497026a3bd774e7b08b094b7b82ef
parent7e0166bc79e42c709872f50e52e4fd7b128fc89b (diff)
downloadFreeBSD-src-4a80a9f04177ddab5edf74e5aaa0de6198176414.zip
FreeBSD-src-4a80a9f04177ddab5edf74e5aaa0de6198176414.tar.gz
Add a -n option that stops ip6fw from making any changes to the rules
in the kernel. Submitted by: Orla McGann <orly@redbrick.dcu.ie> MFC after: 3 weeks
-rw-r--r--sbin/ip6fw/ip6fw.811
-rw-r--r--sbin/ip6fw/ip6fw.c76
2 files changed, 58 insertions, 29 deletions
diff --git a/sbin/ip6fw/ip6fw.8 b/sbin/ip6fw/ip6fw.8
index 2e4c777..c036c23 100644
--- a/sbin/ip6fw/ip6fw.8
+++ b/sbin/ip6fw/ip6fw.8
@@ -38,7 +38,7 @@
.Nd controlling utility for IPv6 firewall
.Sh SYNOPSIS
.Nm
-.Op Fl q
+.Op Fl nq
.Oo
.Fl p Ar preproc
.Oo Fl D
@@ -48,13 +48,15 @@
.Oc
.Ar pathname
.Nm
+.Op Fl n
.Op Fl f | Fl q
flush
.Nm
-.Op Fl q
+.Op Fl nq
zero
.Op Ar number ...
.Nm
+.Op Fl n
delete
.Ar number ...
.Nm
@@ -66,7 +68,7 @@ list
show
.Op Ar number ...
.Nm
-.Op Fl q
+.Op Fl nq
add
.Op Ar number
.Ar action
@@ -181,6 +183,9 @@ Don't ask for confirmation for commands that can cause problems if misused
(ie; flush).
.Ar Note ,
if there is no tty associated with the process, this is implied.
+.It Fl n
+Only check syntax of the command strings,
+without actually passing them into the kernel.
.It Fl q
While adding, zeroing or flushing, be quiet about actions (implies '-f').
This is useful for adjusting rules by executing multiple ip6fw commands in a
diff --git a/sbin/ip6fw/ip6fw.c b/sbin/ip6fw/ip6fw.c
index 9f00b0c..4946d77 100644
--- a/sbin/ip6fw/ip6fw.c
+++ b/sbin/ip6fw/ip6fw.c
@@ -90,6 +90,7 @@ int do_acct=0; /* Show packet/byte count */
int do_time=0; /* Show time stamps */
int do_quiet=0; /* Be quiet in add and flush */
int do_force=0; /* Don't ask for confirmation */
+int do_test=0; /* Don't load into Kernel */
struct icmpcode {
int code;
@@ -804,10 +805,12 @@ delete(ac,av)
/* Rule number */
while (ac && isdigit(**av)) {
rule.fw_number = atoi(*av); av++; ac--;
- i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
- if (i) {
- exitval = 1;
- warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
+ if (!do_test) {
+ i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule);
+ if (i) {
+ exitval = 1;
+ warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL");
+ }
}
}
if (exitval != 0)
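Review bot: In test mode the loop at the top of this hunk consumes each rule number and then produces no output, so `ip6fw -n delete 100` gives no indication of which rules would have been removed, whereas the zero and flush paths in this same commit print a "not cleared"/"not flushed" message. An else on the new guard would keep the three commands consistent: `} else if (!do_quiet)` followed by `printf("rule %u not deleted (test mode)\n", rule.fw_number);`. Note also that with -n the kernel never sees the number, so a non-existent rule is not reported the way the IPV6_FW_DEL failure path would report it; that is inherent to a dry run but deserves a sentence in the man page. delete() begins above this hunk.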
@@ -1141,9 +1144,11 @@ badviacombo:
if (!do_quiet)
show_ip6fw(&rule);
- i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
- if (i)
- err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD");
+ if (!do_test) {
+ i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule);
+ if (i)
+ err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD");
+ }
}
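Review bot: The new `if (!do_test)` guard means that with -n a rule is only parsed and displayed, so anything the kernel would reject in IPV6_FW_ADD (the err() path inside the guard) goes unnoticed; the man page's "Only check syntax" should be understood that way, and the guard deserves a comment saying so: `/* -n: rule was parsed and shown above; kernel-side checks in IPV6_FW_ADD are not exercised */`. When -n and -q are combined nothing at all is produced for an add, because the show_ip6fw() call just above is already conditioned on !do_quiet; if that is intended it is fine, but a short note that -nq is effectively a silent parse check would avoid confusion. add() begins above this hunk.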
static void
@@ -1155,10 +1160,13 @@ zero (ac, av)
if (!ac) {
/* clear all entries */
- if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
- err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO");
- if (!do_quiet)
- printf("Accounting cleared.\n");
+ if (!do_test) {
+ if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
+ err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO");
+ if (!do_quiet)
+ printf("Accounting cleared.\n");
+ } else if (!do_quiet)
+ printf("Accounting not cleared.\n");
} else {
struct ip6_fw rule;
int failed = 0;
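Review bot: The dry-run message `"Accounting not cleared.\n"` added in the new else branch reads like a failure report rather than a skipped action, and it carries no hint that -n caused it, so a script grepping the output cannot distinguish a dry run from an error (the real failure path exits via err() before printing anything). Prefer wording that names the mode, e.g. `printf("Accounting not cleared (test mode).\n");`. zero() continues below this hunk.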
@@ -1168,15 +1176,19 @@ zero (ac, av)
/* Rule number */
if (isdigit(**av)) {
rule.fw_number = atoi(*av); av++; ac--;
- if (setsockopt(s, IPPROTO_IPV6,
- IPV6_FW_ZERO, &rule, sizeof rule)) {
- warn("rule %u: setsockopt(%s)", rule.fw_number,
- "IPV6_FW_ZERO");
- failed = 1;
+ if (!do_test) {
+ if (setsockopt(s, IPPROTO_IPV6,
+ IPV6_FW_ZERO, &rule, sizeof rule)) {
+ warn("rule %u: setsockopt(%s)", rule.fw_number,"IPV6_FW_ZERO");
+ failed = 1;
+ }
+ if (!do_quiet)
+ printf("Entry %d cleared\n",
+ rule.fw_number);
}
else if (!do_quiet)
- printf("Entry %d cleared\n",
- rule.fw_number);
+ printf("Entry %d not cleared\n",
+ rule.fw_number);
} else
show_usage("invalid rule number ``%s''", *av);
}
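Review bot: The restructuring changes behaviour on the non-test path: the `if (!do_quiet)` that prints `Entry %d cleared` used to be the else of the setsockopt failure check, but inside the new `if (!do_test)` block it is a separate statement, so a failed IPV6_FW_ZERO now both warn()s and then reports the entry as cleared (failed is set, yet the message is still printed). Restore the original structure by replacing the `}` that closes the failure check and the following `if (!do_quiet)` with `} else if (!do_quiet)`. The outer `else if (!do_quiet)` for the test case is unaffected by this. zero() continues past the end of this hunk.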
@@ -1202,7 +1214,7 @@ ip6fw_main(ac,av)
/* Set the force flag for non-interactive processes */
do_force = !isatty(STDIN_FILENO);
- while ((ch = getopt(ac, av ,"afqtN")) != -1)
+ while ((ch = getopt(ac, av ,"afnqtN")) != -1)
switch(ch) {
case 'a':
do_acct=1;
@@ -1210,6 +1222,9 @@ ip6fw_main(ac,av)
case 'f':
do_force=1;
break;
+ case 'n':
+ do_test=1;
+ break;
case 'q':
do_quiet=1;
break;
@@ -1254,10 +1269,14 @@ ip6fw_main(ac,av)
do_flush = 1;
}
if ( do_flush ) {
- if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
- err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH");
- if (!do_quiet)
- printf("Flushed all rules.\n");
+ if (!do_test) {
+ if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
+ err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH");
+
+ if (!do_quiet)
+ printf("Flushed all rules.\n");
+ } else if (!do_quiet)
+ printf("Rules not flushed.\n");
}
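Review bot: The interactive confirmation that sets do_flush sits above this hunk and, as far as the diff shows, is not aware of do_test, so `ip6fw -n flush` on a tty would still ask the operator to confirm a flush that the new guard then skips; if that is the case the prompt should be bypassed when do_test is set, e.g. `if (!do_force && !do_test)` at the prompt, to be confirmed against the code above. Separately, the dry-run message `"Rules not flushed.\n"` does not say why, so it may be hard to tell from the output of an operator declining the prompt; `printf("Rules not flushed (test mode).\n");` would make the log unambiguous. ip6fw_main() continues outside this hunk.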
} else if (!strncmp(*av, "zero", strlen(*av))) {
zero(ac,av);
@@ -1284,7 +1303,7 @@ main(ac, av)
char buf[BUFSIZ];
char *a, *p, *args[MAX_ARGS], *cmd = NULL;
char linename[10];
- int i, c, lineno, qflag, pflag, status;
+ int i, c, lineno, nflag, qflag, pflag, status;
FILE *f = NULL;
pid_t preproc = 0;
@@ -1300,10 +1319,10 @@ main(ac, av)
*/
if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
- qflag = pflag = i = 0;
+ nflag = qflag = pflag = i = 0;
lineno = 0;
- while ((c = getopt(ac, av, "D:U:p:q")) != -1)
+ while ((c = getopt(ac, av, "D:U:np:q")) != -1)
switch(c) {
case 'D':
if (!pflag)
@@ -1325,6 +1344,10 @@ main(ac, av)
args[i++] = optarg;
break;
+ case 'n':
+ nflag = 1;
+ break;
+
case 'p':
pflag = 1;
cmd = optarg;
@@ -1397,6 +1420,7 @@ main(ac, av)
*p = '\0';
i=1;
if (qflag) args[i++]="-q";
+ if (nflag) args[i++]="-n";
for (a = strtok(buf, WHITESP);
a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
args[i] = a;