diff options
author | ugen <ugen@FreeBSD.org> | 1995-03-03 12:28:34 +0000 |
---|---|---|
committer | ugen <ugen@FreeBSD.org> | 1995-03-03 12:28:34 +0000 |
commit | eae8a60e05b17df332f68b2e683fc3511e3f0b8e (patch) | |
tree | 782b5010a4fcb0c06f519319e5343e1817e797b0 /sbin | |
parent | d315780e7d3dcd93a7223254d052a16dc4e228a3 (diff) | |
download | FreeBSD-src-eae8a60e05b17df332f68b2e683fc3511e3f0b8e.zip FreeBSD-src-eae8a60e05b17df332f68b2e683fc3511e3f0b8e.tar.gz |
Ok..so everybody picking on me that ipfw syntacs
is a pain in ...wel.. trying to fix this
* from/to/via position indepenndant syntax
* "any" for 0/0 host address
* addf/addb default keyword in case you skip it..
* pass = accept new action, seems to be somewhat better
in particular cases
* on = via (as on ed0 instead of via ed0,loook at
reject tcp on ed0 from hacker )
Diffstat (limited to 'sbin')
-rw-r--r-- | sbin/ipfw/ipfw.c | 278 |
1 files changed, 172 insertions, 106 deletions
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c index 67f05e0..841d9e6 100644 --- a/sbin/ipfw/ipfw.c +++ b/sbin/ipfw/ipfw.c @@ -45,13 +45,15 @@ int ports_ok=0; /* flag allowing ports */ u_short flags=0; /* New entry flags */ -#define FW 1 /* Firewall action */ -#define AC 2 /* Accounting action */ +#define FW 0x001 /* Firewall action */ +#define AC 0x002 /* Accounting action */ +#define S_ANY "any" -#define S_SEP1 "fr" /* of "from" */ -#define S_SEP2 "to" /* of "to" */ -#define S_SEP3 "vi" /* of "via" */ +#define IS_TO(x) (!strcmp(x,"to")) +#define IS_FROM(x) (!strcmp(x,"from")) +#define IS_VIA(x) (!strcmp(x,"via") || !strcmp(x,"on")) +#define IS_TOKEN(x) (IS_TO(x) || IS_FROM(x) || IS_VIA(x)) #define P_AC "a" /* of "accept" for policy action */ #define P_DE "d" /* of "deny" for policy action */ @@ -86,24 +88,26 @@ char action_tab[][MAXSTR]={ char type_tab[][MAXSTR]={ -"ac", +"acc", #define T_ACCEPT 0 -"lo", -#define T_LOG 1 -"r", -#define T_REJECT 2 -"lr", -#define T_LREJECT 3 -"d", -#define T_DENY 4 -"ld", -#define T_LDENY 5 -"si", -#define T_SINGLE 6 -"bi", -#define T_BIDIR 7 +"pas", +#define T_PASS 1 +"log", +#define T_LOG 2 +"rej", +#define T_REJECT 3 +"lrej", +#define T_LREJECT 4 +"den", +#define T_DENY 5 +"lden", +#define T_LDENY 6 +"sin", +#define T_SINGLE 7 +"bid", +#define T_BIDIR 8 "", -#define T_NONE 8 +#define T_NONE 9 }; @@ -430,9 +434,14 @@ return i; -void show_usage() +void show_usage(str) +char *str; { - printf("%s: bad arguments\n",progname); + if (str) + fprintf(stderr,"%s: ERROR - %s\n",progname,str); + else + fprintf(stderr,"%s: ERROR - bad arguments\n",progname); + fprintf(stderr,"See man %s(8) for proper usage.\n",progname); } @@ -542,6 +551,13 @@ char *sm_bit,*sm_oct,*end; int n_bit; struct hostent *hptr; + if (!strncmp(str,S_ANY,strlen(S_ANY))) { + addr->s_addr=0L; + mask->s_addr=0L; + return; + } + + if (mask) { (void)strtok(str,"/"); sm_bit=strtok(NULL,""); @@ -575,11 +591,11 @@ struct hostent *hptr; if (sm_bit) { n_bit = strtol(sm_bit,&end,10); if (*end!='\0') { - show_usage(); + show_usage(NULL); exit(1); } if (n_bit<0 || n_bit>sizeof(u_long)*CHAR_BIT) { - show_usage(); + show_usage(NULL); exit(1); } if (n_bit>0) @@ -591,7 +607,7 @@ struct hostent *hptr; if (sm_oct) { if (!inet_aton(sm_oct,mask)) { - show_usage(); + show_usage(NULL); exit(1); } } @@ -613,16 +629,22 @@ short unit; int i; i=0; sptr=str; - while(isalpha(*sptr++)) + while(isalpha(*sptr++)) { i++; + } + + *sptr--; if (i==0) return 1; strncpy(name,str,i); + name[i]='\0'; + unit=(short)atoi(sptr); sprintf(buf,"%s%d",name,unit); +printf("%s %s\n",buf,str); if (strcmp(str,buf)) return 1; @@ -637,97 +659,127 @@ void set_entry(av,frwl) char **av; struct ip_fw * frwl; { -int p_num=0,ir=0; +int ir; +int got_from=0,got_to=0,got_via=0; +#define T_FROM 1 +#define T_TO 2 +#define T_VIA 3 +int token; + + /* + * This section actually creates + * generic entry which matches everything + * in this sorry world... + */ frwl->fw_nsp=0; frwl->fw_ndp=0; frwl->fw_via_ip.s_addr=0L; + frwl->fw_src.s_addr=0L; + frwl->fw_dst.s_addr=0L; + frwl->fw_smsk.s_addr=0L; + frwl->fw_dmsk.s_addr=0L; - if (strncmp(*av,S_SEP1,strlen(S_SEP1))) { - show_usage(); - exit(1); - } - if (*(++av)==NULL) { - show_usage(); +get_next: + + token = 0; + + if (IS_FROM(*av)) { + token = T_FROM; + + if (got_from) { + show_usage("Redefined 'from'."); exit(1); + } + if (*(++av)==NULL) { + show_usage("Missing 'from' specification."); + exit(1); + } + + set_entry_ip(*av,&(frwl->fw_src),&(frwl->fw_smsk)); + got_from=1; } - set_entry_ip(*av,&(frwl->fw_src),&(frwl->fw_smsk)); + if (IS_TO(*av)) { + token = T_TO; - if (*(++av)==NULL) { - show_usage(); + if (got_to) { + show_usage("Redefined 'to'."); + exit(1); + } + if (*(++av)==NULL) { + show_usage("Missing 'to' specification."); exit(1); + } + + set_entry_ip(*av,&(frwl->fw_dst),&(frwl->fw_dmsk)); + got_to = 1; } - if (!strncmp(*av,S_SEP2,strlen(S_SEP2))) - goto no_src_ports; - - if (ports_ok) { - frwl->fw_nsp= - set_entry_ports(*av,frwl->fw_pts,IP_FW_MAX_PORTS,&ir); - if (ir) - flags|=IP_FW_F_SRNG; + if (IS_VIA(*av)) { + token = T_VIA; + if (got_via) { + show_usage("Redefined 'via'."); + exit(1); + } if (*(++av)==NULL) { - show_usage(); - exit(1); + show_usage("Missing 'via' specification."); + exit(1); } - } -no_src_ports: + /* + * Try first to set interface name + * from arguments.set_entry_ip() will exit on + * wrong argument. + */ + if (set_entry_ifname(*av,frwl)) + set_entry_ip(*av,&(frwl->fw_via_ip),NULL); + else + flags |= IP_FW_F_IFNAME; - if (strncmp(*av,S_SEP2,strlen(S_SEP2))) { - show_usage(); - exit(1); + got_via = 1; } if (*(++av)==NULL) { - show_usage(); - exit(1); + return; } - - set_entry_ip(*av,&(frwl->fw_dst),&(frwl->fw_dmsk)); - if (*(++av)==NULL) - goto no_tail; + if (IS_TOKEN(*av)) + goto get_next; + + if (ports_ok && token == T_FROM) { + ir = 0; + frwl->fw_nsp= + set_entry_ports(*av,frwl->fw_pts,IP_FW_MAX_PORTS,&ir); + if (ir) + flags|=IP_FW_F_SRNG; - if (!strncmp(*av,S_SEP3,strlen(S_SEP3))) - goto no_dst_ports; + if (*(++av)==NULL) { + return; + } + } - if (ports_ok) { + if (ports_ok && token == T_TO) { + ir = 0; frwl->fw_ndp= set_entry_ports(*av,&(frwl->fw_pts[frwl->fw_nsp]), (IP_FW_MAX_PORTS-frwl->fw_nsp),&ir); if (ir) flags|=IP_FW_F_DRNG; - } - - if (*(++av)==NULL) - goto no_tail; -no_dst_ports: - if (strncmp(*av,S_SEP3,strlen(S_SEP3))) { - show_usage(); - exit(1); + if (*(++av)==NULL) { + return; + } } - if (*(++av)==NULL) { - show_usage(); - exit(1); + if (token == 0) { + show_usage("Unknown token."); + exit(1); } - /* - * Try first to set interface name - * from arguments.set_entry_ip() will exit on - * wrong argument. - */ - if (set_entry_ifname(*av,frwl)) - set_entry_ip(*av,&(frwl->fw_via_ip),NULL); - else - flags |= IP_FW_F_IFNAME; -no_tail: - + goto get_next; } @@ -842,7 +894,7 @@ char **av; char ch; extern int optind; -int ctl,int_t,is_check=0; +int ctl,int_t,is_check=0,int_notdef=0; struct ip_fw frwl; strcpy(progname,*av); @@ -853,7 +905,7 @@ struct ip_fw frwl; exit(1); } if ( ac == 1 ) { - show_usage(); + show_usage(NULL); exit(1); } @@ -870,12 +922,12 @@ struct ip_fw frwl; break; case '?': default: - show_usage(); + show_usage(NULL); exit(1); } if (*(av+=optind)==NULL) { - show_usage(); + show_usage(NULL); exit(1); } @@ -917,70 +969,84 @@ struct ip_fw frwl; policy(++av); exit(0); /* we never get here */ default: - show_usage(); - exit(1); + int_t=(AC|FW); + int_notdef=1; } /* main action switch */ if (is_check) goto proto_switch; - if (*(++av)==NULL) { - show_usage(); + if (!int_notdef) + if (*(++av)==NULL) { + show_usage(NULL); exit(1); - } + } switch(get_num(*av,type_tab)) { case T_LREJECT: flags|=IP_FW_F_PRN; case T_REJECT: flags|=IP_FW_F_ICMPRPL; - if (int_t!=FW) { - show_usage(); + if (!int_t&FW) { + show_usage(NULL); exit(1); } + int_t=FW; break; case T_LDENY: flags|=IP_FW_F_PRN; case T_DENY: flags|=0; /* just to show it related to flags */ - if (int_t!=FW) { - show_usage(); + if (!int_t&FW) { + show_usage(NULL); exit(1); } + int_t=FW; break; case T_LOG: flags|=IP_FW_F_PRN; case T_ACCEPT: + case T_PASS: flags|=IP_FW_F_ACCEPT; - if (int_t!=FW) { - show_usage(); + if (!int_t&FW) { + show_usage(NULL); exit(1); } + int_t=FW; break; case T_SINGLE: flags|=0; /* just to show it related to flags */ - if (int_t!=AC) { - show_usage(); + if (!int_t&AC) { + show_usage(NULL); exit(1); } + int_t=AC; break; case T_BIDIR: flags|=IP_FW_F_BIDIR; - if (int_t!=AC) { - show_usage(); + if (!int_t&AC) { + show_usage(NULL); exit(1); } + int_t=AC; break; default: - show_usage(); + show_usage(NULL); exit(1); } /* type of switch */ + if (int_notdef) { + if (int_t==FW) + ctl=IP_FW_ADD; + if (int_t==AC) + ctl=IP_ACCT_ADD; + } + proto_switch: if (*(++av)==NULL) { - show_usage(); + show_usage(NULL); exit(1); } @@ -1004,12 +1070,12 @@ proto_switch: strcpy(proto_name,"udp"); break; default: - show_usage(); + show_usage(NULL); exit(1); } if (*(++av)==NULL) { - show_usage(); + show_usage(NULL); exit(1); } |