authorjulian <julian@FreeBSD.org>1996-07-10 19:44:30 +0000
committerjulian <julian@FreeBSD.org>1996-07-10 19:44:30 +0000
commit9277e63302140b5062d96a9394cdec2b83b2e70a (patch)
tree5affe14a214c46b4bd58b410a49350e34137ed18 /sbin/ipfw
parent366bddd7f5f46d8b7d51ff94c668b40ccecbbc23 (diff)
Adding changes to ipfw and the kernel to support ip packet diversion..
This stuff should not be too destructive if IPDIVERT is not compiled in. Be aware that this changes the size of the ip_fw struct, so ipfw needs to be recompiled to use it. More changes are coming to clean this up.
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.854
-rw-r--r--sbin/ipfw/ipfw.c58
2 files changed, 80 insertions, 32 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index a217131..a430113 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -52,24 +52,38 @@ command.
.Pp
The ipfw code works by going through the rule-list for each packet,
until a match is found.
-All rules have two counters associated with them, a packet count and
+All rules have two associated counters, a packet count and
a byte count.
These counters are updated when a packet matches the rule.
.Pp
-The rules are ordered by a ``line-number'' that is used to order and
-delete rules.
-If a rule is added without a number, it is put at the end, just before
-the terminal ``policy-rule'', and numbered 100 higher than the previous
-rule.
+The rules are ordered by a ``line-number'' from 1 to 65534 that is used
+to order and delete rules. Rules are tried in increasing order, and the
+first rule that matches a packet applies.
+Multiple rules may share the same number and apply in
+the order in which they were added.
+.Pp
+If a rule is added without a number, it numbered 100 higher
+than the previous rule. If the highest defined rule number is
+greater than 65434, new rules are appended to the last rule.
+.Pp
+The delete operation deletes the first rule with number
+.Ar number ,
+if any.
+.Pp
+The list command prints out the current rule set.
+.Pp
+The zero operation zeroes the counters associated with rule number
+.Ar number .
+.Pp
+The flush operation removes all rules.
.Pp
One rule is always present:
.Bd -literal -offset center
65535 deny all from any to any
.Ed
-this rule is the default policy, ie. don't allow anything at all.
-Your job in setting up rules is to modify this policy to match your
-needs.
+This rule is the default policy, i.e., don't allow anything at all.
+Your job in setting up rules is to modify this policy to match your needs.
.Pp
The following options are available:
.Bl -tag -width flag
@@ -93,12 +107,16 @@ Same as allow.
Same as allow.
.It Nm count
Update counters for all packets that match rule.
-The search continues with next rule.
+The search continues with the next rule.
.It Nm deny
Discard packets that match this rule.
The search terminates.
.It Nm reject
-Discard packets that match this rule, try to send ICMP notice.
+Discard packets that match this rule, and try to send an ICMP notice.
+The search terminates.
+.It Nm divert port
+Divert packets that match this rule to the divert socket bound to port
+.Ar port .
The search terminates.
.El
.Pp
@@ -145,7 +163,7 @@ Only this exact ip number match the rule.
An ipnumber with a mask width of the form 1.2.3.4/24.
In this case all ip numbers from 1.2.3.0 to 1.2.3.255 will match.
.It Ar ipno:mask
-An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0
+An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0.
In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
.El
.Pp
@@ -270,6 +288,12 @@ ipfw flush
.Ed
in similar surroundings is also a bad idea.
+.Sh PACKET DIVERSION
+A divert socket bound to the specified port will receive all packets diverted
+to that port; see
+.Xr divert 4 .
+If no socket is bound to the destination port, or if the kernel
+wasn't compiled with divert socket support, diverted packets are dropped.
.Sh EXAMPLES
This command adds an entry which denies all tcp packets from
.Em hacker.evil.org
@@ -292,12 +316,16 @@ or in short form
.Pp
.Dl ipfw -a l
.Pp
+This rule diverts all incoming packets from 192.168.2.0/24 to divert port 5000:
+.Pp
+.Dl ipfw divert 5000 all from 192.168.2.0/24 to any in
.Sh SEE ALSO
.Xr gethostbyname 3 ,
.Xr getservbyport 3 ,
.Xr ip 4 ,
.Xr ipfirewall 4 ,
.Xr ipaccounting 4 ,
+.Xr divert 4 ,
.Xr reboot 8 ,
.Xr syslogd 8
.Sh BUGS
@@ -323,3 +351,5 @@ The FreeBSD version is written completely by:
.Pp
This has all been extensively rearranged by Poul-Henning Kamp and
Alex Nash.
+.Pp
+Packet diversion added by Archie Cobbs <archie@whistle.com>.
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index 63dc4c3..6a49587 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -16,7 +16,7 @@
*
* NEW command line interface for IP firewall facility
*
- * $Id: ipfw.c,v 1.27 1996/06/23 20:47:51 alex Exp $
+ * $Id: ipfw.c,v 1.28 1996/06/29 01:28:19 alex Exp $
*
*/
@@ -130,14 +130,27 @@ show_ipfw(chain)
printf(" ");
}
- if (chain->fw_flg & IP_FW_F_ACCEPT)
- printf("allow");
- else if (chain->fw_flg & IP_FW_F_ICMPRPL)
- printf("reject");
- else if (chain->fw_flg & IP_FW_F_COUNT)
- printf("count");
- else
- printf("deny");
+ switch (chain->fw_flg & IP_FW_F_COMMAND)
+ {
+ case IP_FW_F_ACCEPT:
+ printf("allow");
+ break;
+ case IP_FW_F_DIVERT:
+ printf("divert %u", chain->fw_divert_port);
+ break;
+ case IP_FW_F_COUNT:
+ printf("count");
+ break;
+ case IP_FW_F_DENY:
+ if (chain->fw_flg & IP_FW_F_ICMPRPL)
+ printf("reject");
+ else
+ printf("deny");
+ break;
+ default:
+ errx(1, "impossible");
+ }
+
if (chain->fw_flg & IP_FW_F_PRN)
printf(" log");
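Review bot: The `default: errx(1, "impossible")` arm at the end of the new switch makes `ipfw list` abort part-way through the listing on the first rule whose command bits the tool does not recognize, and that case is reachable rather than impossible whenever userland and kernel disagree on the ip_fw layout — the very situation the commit message warns about. A listing tool is more useful if it reports the unknown value and keeps going, e.g. `default: printf("unknown-action %#x", chain->fw_flg & IP_FW_F_COMMAND); break;`. Separately, the `"divert %u"` case assumes fw_divert_port is an unsigned integer type; if it is a u_short (not visible here) it is promoted to int, so an explicit `(unsigned)chain->fw_divert_port` would make the conversion match the format. show_ipfw begins before this hunk.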
@@ -330,7 +343,6 @@ list(ac, av)
i = getsockopt(s, IPPROTO_IP, IP_FW_GET, rules, &l);
if (i < 0)
err(2,"getsockopt(IP_FW_GET)");
- printf("FireWall chain entries: %d %d\n",l,i);
for (r=rules; l >= sizeof rules[0]; r++, l-=sizeof rules[0])
show_ipfw(r);
}
@@ -350,7 +362,7 @@ show_usage(str)
"\t\tlist [number]\n"
"\t\tzero [number]\n"
"\trule:\taction proto src dst extras...\n"
-"\t\taction: {allow|deny|reject|count} [log]\n"
+"\t\taction: {allow|deny|reject|count|divert port} [log]\n"
"\t\tproto: {ip|tcp|udp|icmp}}\n"
"\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
"\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
@@ -611,20 +623,26 @@ add(ac,av)
}
/* Action */
- if (ac && !strncmp(*av,"accept",strlen(*av))) {
- rule.fw_flg |= IP_FW_F_ACCEPT; av++; ac--;
- } else if (ac && !strncmp(*av,"allow",strlen(*av))) {
- rule.fw_flg |= IP_FW_F_ACCEPT; av++; ac--;
- } else if (ac && !strncmp(*av,"pass",strlen(*av))) {
+ if (ac && (!strncmp(*av,"accept",strlen(*av))
+ || !strncmp(*av,"pass",strlen(*av))
+ || !strncmp(*av,"allow",strlen(*av))
+ || !strncmp(*av,"permit",strlen(*av)))) {
rule.fw_flg |= IP_FW_F_ACCEPT; av++; ac--;
} else if (ac && !strncmp(*av,"count",strlen(*av))) {
rule.fw_flg |= IP_FW_F_COUNT; av++; ac--;
- } else if (ac && !strncmp(*av,"deny",strlen(*av))) {
- av++; ac--;
+ } else if (ac && !strncmp(*av,"divert",strlen(*av))) {
+ rule.fw_flg |= IP_FW_F_DIVERT; av++; ac--;
+ if (!ac)
+ show_usage("missing divert port");
+ rule.fw_divert_port = strtoul(*av, NULL, 0); av++; ac--;
+ if (rule.fw_divert_port == 0)
+ show_usage("illegal divert port");
+ } else if (ac && (!strncmp(*av,"deny",strlen(*av)))) {
+ rule.fw_flg |= IP_FW_F_DENY; av++; ac--;
} else if (ac && !strncmp(*av,"reject",strlen(*av))) {
- rule.fw_flg |= IP_FW_F_ICMPRPL; av++; ac--;
+ rule.fw_flg |= IP_FW_F_DENY|IP_FW_F_ICMPRPL; av++; ac--;
} else {
- show_usage("missing action\n");
+ show_usage("missing/unrecognized action\n");
}
/* [log] */
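Review bot: The divert port parsed at `rule.fw_divert_port = strtoul(*av, NULL, 0)` is validated only against 0, so `divert 5000xyz` is accepted as 5000 and a value above 65535 (or a negative one, which strtoul wraps to a huge unsigned value) is presumably truncated when stored in what looks like a 16-bit port field — the rule then diverts to a port other than the one the operator typed. Parse with an end pointer, reject trailing characters, and range-check against 65535 before the assignment, as sketched below. A second, smaller point: because this branch now precedes the `deny` branch and matching is prefix-based (`strncmp(*av, ..., strlen(*av))`), the abbreviation `d` now selects divert where it previously selected deny; if that abbreviation was relied on, `deny` should be tested first or ambiguous prefixes rejected. add() starts and ends outside this hunk.
```c
	} else if (ac && !strncmp(*av,"divert",strlen(*av))) {
		rule.fw_flg |= IP_FW_F_DIVERT; av++; ac--;
		if (!ac)
			show_usage("missing divert port");
		{
			char *end;
			unsigned long port = strtoul(*av, &end, 0);

			/* reject garbage, trailing junk and out-of-range values, not just 0 */
			if (end == *av || *end != '\0' || port == 0 || port > 65535)
				show_usage("illegal divert port");
			rule.fw_divert_port = port;
		}
		av++; ac--;
	/* … unchanged: deny / reject / error branches … */
```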