authordanny <danny@FreeBSD.org>1997-02-10 15:36:54 +0000
committerdanny <danny@FreeBSD.org>1997-02-10 15:36:54 +0000
commit9da4914e7208d91779eee2ef21fdac380b51afee (patch)
tree99fa0ff88545ba74bdc8b4aa580a7ddbb2f1e71e /sbin/ipfw
parentaf3608e8980db2d3b4ee4cd6734820cf47b6d747 (diff)
Add '-q' quiet flag for flush/add/zero commands; add 'show' command as
synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy(). This is a candidate for 2.2
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.830
-rw-r--r--sbin/ipfw/ipfw.c28
2 files changed, 50 insertions, 8 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 957d976..7411b8c 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -8,8 +8,16 @@
.Nm
.Ar file
.Nm ipfw
+.Oo
+.Fl f
+|
+.Fl q
+.Oc
flush
.Nm ipfw
+.Oo
+.Fl q
+.Oc
zero
.Op Ar number
.Nm ipfw
@@ -19,6 +27,14 @@ delete
.Op Fl aftN
list
.Nm ipfw
+.Oo
+.Fl ftN
+.Oc
+show
+.Nm ipfw
+.Oo
+.Fl q
+.Oc
add
.Op Ar number
.Ar action
@@ -61,6 +77,8 @@ if any.
.Pp
The list command prints out the current rule set.
.Pp
+The show command is equivalent to `ipfw -a list'.
+.Pp
The zero operation zeroes the counters associated with rule number
.Ar number .
.Pp
@@ -72,7 +90,8 @@ One rule is always present:
.Ed
.Pp
This rule is the default policy, i.e., don't allow anything at all.
-Your job in setting up rules is to modify this policy to match your needs.
+Your job in setting up rules is to modify this policy to match your
+needs.
.Pp
The following options are available:
.Bl -tag -width flag
@@ -84,6 +103,15 @@ Don't ask for confirmation for commands that can cause problems if misused
(ie; flush).
.Ar Note ,
if there is no tty associated with the process, this is implied.
+.It Fl q
+While adding or flushing, be quiet about actions (implies '-f'). This is
+useful for adjusting rules by executing multiple ipfw commands in a script
+(e.g. sh /etc/rc.firewall), or by processing a file of many ipfw rules,
+across a remote login session. If a flush is performed in normal
+(verbose) mode, it prints a message. Because all rules are flushed, the
+message cannot be delivered to the login session, the login session is
+closed and the remainder of the ruleset is not processed. Access to the
+console is required to recover.
.It Fl t
While listing, show last match timestamp.
.It Fl N
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index e8a9c80..4145d67 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -49,6 +49,7 @@ int s; /* main RAW socket */
int do_resolv=0; /* Would try to resolv all */
int do_acct=0; /* Show packet/byte count */
int do_time=0; /* Show time stamps */
+int do_quiet=0; /* Be quiet in add and flush */
int do_force=0; /* Don't ask for confirmation */
int
@@ -354,6 +355,7 @@ show_usage(str)
"\t\tadd [number] rule\n"
"\t\tdelete number\n"
"\t\tlist [number]\n"
+"\t\tshow [number]\n"
"\t\tzero [number]\n"
"\trule:\taction proto src dst extras...\n"
"\t\taction: {allow|deny|reject|count|divert port} [log]\n"
@@ -730,10 +732,13 @@ add(ac,av)
}
av++; ac--;
+ if (!ac) {
+ show_usage("'via' option specified with no interface.");
+ }
if (!isdigit(**av)) {
char *q;
- strcpy(rule.fw_via_name, *av);
+ strncpy(rule.fw_via_name, *av, sizeof(rule.fw_via_name));
for (q = rule.fw_via_name; *q && !isdigit(*q) && *q != '*'; q++)
continue;
if (*q == '*')
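Review bot: The `strncpy` on the new side leaves `rule.fw_via_name` without a NUL terminator whenever the argument is at least `sizeof(rule.fw_via_name)` bytes long, and the loop on the next line (`for (q = rule.fw_via_name; *q && ...`) then scans past the end of the array, so the bounded copy only trades a write overrun for a read overrun. Since the new `via` guard above already treats `show_usage` as terminal, an over-long name can be rejected the same way before copying: `if (strlen(*av) >= sizeof(rule.fw_via_name))` / `show_usage("'via' interface name too long.");` / `strncpy(rule.fw_via_name, *av, sizeof(rule.fw_via_name));`. The `strncpy(progname, *av, sizeof(progname))` in `main` has the same shape, and `progname` is later passed to `fprintf` as a `%s`, so it needs an explicit terminator or length check too. `add()` begins before this hunk and continues after it.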
@@ -791,7 +796,8 @@ add(ac,av)
show_usage("Unknown argument\n");
}
- show_ipfw(&rule);
+ if (!do_quiet)
+ show_ipfw(&rule);
i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
if (i)
err(1,"setsockopt(IP_FW_ADD)");
@@ -810,7 +816,8 @@ zero (ac, av)
fprintf(stderr,"%s: setsockopt failed.\n",progname);
exit(1);
}
- printf("Accounting cleared.\n");
+ if (!do_quiet)
+ printf("Accounting cleared.\n");
} else {
/* clear a specific entry */
struct ip_fw rule;
@@ -848,7 +855,7 @@ ipfw_main(ac,av)
/* Set the force flag for non-interactive processes */
do_force = !isatty(STDIN_FILENO);
- while ((ch = getopt(ac, av ,"aftN")) != EOF)
+ while ((ch = getopt(ac, av ,"afqtN")) != EOF)
switch(ch) {
case 'a':
do_acct=1;
@@ -856,6 +863,9 @@ ipfw_main(ac,av)
case 'f':
do_force=1;
break;
+ case 'q':
+ do_quiet=1;
+ break;
case 't':
do_time=1;
break;
@@ -878,7 +888,7 @@ ipfw_main(ac,av)
} else if (!strncmp(*av, "flush", strlen(*av))) {
int do_flush = 0;
- if ( do_force )
+ if ( do_force || do_quiet )
do_flush = 1;
else {
int c;
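Review bot: The widened condition `if ( do_force || do_quiet )` silently drops the interactive confirmation for `flush` when only `-q` was given, and nothing in the code says that this is intended; the man page hunk states that `-q` implies `-f`, but a reader of ipfw.c would not know that. A one-line comment above the condition would make the coupling explicit, e.g. `/* -q implies -f: a quiet (scripted) flush must never block on a prompt. */`. The flush branch continues past the end of this hunk.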
@@ -901,7 +911,8 @@ ipfw_main(ac,av)
fprintf(stderr,"%s: setsockopt failed.\n",progname);
exit(1);
}
- printf("Flushed all rules.\n");
+ if (!do_quiet)
+ printf("Flushed all rules.\n");
}
} else if (!strncmp(*av, "zero", strlen(*av))) {
zero(ac,av);
@@ -909,6 +920,9 @@ ipfw_main(ac,av)
list(--ac,++av);
} else if (!strncmp(*av, "list", strlen(*av))) {
list(--ac,++av);
+ } else if (!strncmp(*av, "show", strlen(*av))) {
+ do_acct++;
+ list(--ac,++av);
} else {
show_usage("Bad arguments");
}
@@ -927,7 +941,7 @@ main(ac, av)
int i;
FILE *f;
- strcpy(progname,*av);
+ strncpy(progname,*av, sizeof(progname));
s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
if ( s < 0 ) {