authordillon <dillon@FreeBSD.org>2003-01-12 03:31:10 +0000
committerdillon <dillon@FreeBSD.org>2003-01-12 03:31:10 +0000
commitd780a8e4ec7278df96a51bf2a94de46d27ab9177 (patch)
tree0d2199c6f28d933631e48de6b0a0f1bfeaec4662 /sbin/ipfw
parentb2437910e3807252d5361facabb869efa92086dc (diff)
It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall. Simply turning off IPFW via a preexisting sysctl does the job. To make it more apparent (since nobody picked up on this in a week's worth of flames), the boolean sysctls have been integrated into the /sbin/ipfw command set in an obvious and straightforward manner. For example, you can now do 'ipfw disable firewall' or 'ipfw enable firewall'. This is far easier to remember than the net.inet.ip.fw.enable sysctl. Reviewed by: imp MFC after: 3 days
Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.816
-rw-r--r--sbin/ipfw/ipfw2.c27
2 files changed, 43 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index fbc45e6..34e5012 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -24,6 +24,12 @@
.Brq Cm delete | zero | resetlog
.Op Cm set
.Op Ar number ...
+.Nm
+.Cm enable
+.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
+.Nm
+.Cm disable
+.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
.Pp
.Nm
.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
@@ -302,6 +308,16 @@ and
commands are used to configure the traffic shaper, as shown in the
.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
Section below.
+.Pp
+If the world and the kernel get out of sync the
+.Nm
+ABI may break, preventing you from being able to add any rules. This can
+adversely effect the booting process. You can use
+.Nm
+.Cm disable
+.Cm firewall
+to temporarily disable the firewall to regain access to the network,
+allowing you to fix the problem.
.Sh PACKET FLOW
A packet is checked against the active ruleset in multiple places
in the protocol stack, under control of several sysctl variables.
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 77863a5..953c7f4 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -1528,6 +1528,29 @@ sets_handler(int ac, char *av[])
}
static void
+sysctl_handler(int ac, char *av[], int which)
+{
+ ac--;
+ av++;
+
+ if (*av == NULL) {
+ warnx("missing keyword to enable/disable\n");
+ } else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
+ sysctlbyname("net.inet.ip.fw.enable", NULL, 0, &which, sizeof(which));
+ } else if (strncmp(*av, "one_pass", strlen(*av)) == 0) {
+ sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0, &which, sizeof(which));
+ } else if (strncmp(*av, "debug", strlen(*av)) == 0) {
+ sysctlbyname("net.inet.ip.fw.debug", NULL, 0, &which, sizeof(which));
+ } else if (strncmp(*av, "verbose", strlen(*av)) == 0) {
+ sysctlbyname("net.inet.ip.fw.verbose", NULL, 0, &which, sizeof(which));
+ } else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) {
+ sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0, &which, sizeof(which));
+ } else {
+ warnx("unrecognize enable/disable keyword: %s\n", *av);
+ }
+}
+
+static void
list(int ac, char *av[])
{
struct ip_fw *r;
@@ -3407,6 +3430,10 @@ ipfw_main(int ac, char **av)
list(ac, av);
else if (!strncmp(*av, "set", strlen(*av)))
sets_handler(ac, av);
+ else if (!strncmp(*av, "enable", strlen(*av)))
+ sysctl_handler(ac, av, 1);
+ else if (!strncmp(*av, "disable", strlen(*av)))
+ sysctl_handler(ac, av, 0);
else if (!strncmp(*av, "show", strlen(*av))) {
do_acct++;
list(ac, av);