Stop ipfw from aborting when asked to delete a table entry that

doesn't exist or add one that is already present, if the -q flag
is set. Useful for "ipfw -q /dev/stdin" when the command above is
invoked from  something like python or TCL to feed commands
down the throat of ipfw.
MFC in: 1 week

2 files changed, 13 insertions, 1 deletions

diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 8ba94e0..911af5c 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -232,7 +232,8 @@ commands in a script
 .Ql sh\ /etc/rc.firewall ) ,
 or by processing a file of many
 .Nm
-rules across a remote login session.
+rules across a remote login session. It also stops a table add or delete
+from failing if the entry already exists or is not present.
 If a
 .Cm flush
 is performed in normal (verbose) mode (with the default kernel
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 13e1df3..f88ce70 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -4815,6 +4815,17 @@ table_handler(int ac, char *av[])
 			ent.value = 0;
 		if (do_cmd(do_add ? IP_FW_TABLE_ADD : IP_FW_TABLE_DEL,
 		    &ent, sizeof(ent)) < 0)
+			/* If running silent, don't bomb out on these errors. */
+			if (!(do_quiet && (errno == (do_add ? EEXIST : ESRCH))))
+				err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)",
+				    do_add ? "ADD" : "DEL");
+			/* In silent mode, react to a failed add by deleting */
+			if (do_add)
+				do_cmd(IP_FW_TABLE_DEL, &ent, sizeof(ent));
+				if (do_cmd(IP_FW_TABLE_ADD,
+				    &ent, sizeof(ent)) < 0)
+					err(EX_OSERR,
+				            "setsockopt(IP_FW_TABLE_ADD)");
 			err(EX_OSERR, "setsockopt(IP_FW_TABLE_%s)",
 			    do_add ? "ADD" : "DEL");
 	} else if (_substrcmp(*av, "flush") == 0) {