Diffstat (limited to 'sbin/ipfw')
-rw-r--r--sbin/ipfw/ipfw.814
-rw-r--r--sbin/ipfw/ipfw.c99
2 files changed, 73 insertions, 40 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 765fb3d..a64f290 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -478,9 +478,23 @@ or
.Cm all
keywords mean any protocol will match.
.It Ar src No and Ar dst :
+.Cm any
+|
+.Cm me
+|
+.Op Cm not
.Aq Ar address Ns / Ns Ar mask
.Op Ar ports
.Pp
+Specifying
+.Cm any
+makes the rule match any IP number.
+.Pp
+Specifying
+.Cm me
+makes the rule match any IP number configured on an interface in the system.
+This is an computationally semi-expensive check which should be used with care.
+.Pp
The
.Aq Ar address Ns / Ns Ar mask
may be specified as:
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index d8f4934..247b7a5 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -276,17 +276,20 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
else
printf(" %u", chain->fw_prot);
- printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
-
- adrt=ntohl(chain->fw_smsk.s_addr);
- if (adrt==ULONG_MAX && do_resolv) {
- adrt=(chain->fw_src.s_addr);
- he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
- if (he==NULL) {
- printf(inet_ntoa(chain->fw_src));
- } else
- printf("%s",he->h_name);
- } else {
+ if (chain->fw_flg & IP_FW_F_SME) {
+ printf(" from me");
+ } else {
+ printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
+
+ adrt=ntohl(chain->fw_smsk.s_addr);
+ if (adrt==ULONG_MAX && do_resolv) {
+ adrt=(chain->fw_src.s_addr);
+ he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
+ if (he==NULL) {
+ printf(inet_ntoa(chain->fw_src));
+ } else
+ printf("%s",he->h_name);
+ } else {
if (adrt!=ULONG_MAX) {
mb=mask_bits(chain->fw_smsk);
if (mb == 0) {
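Review bot: The new `me` branch in show_ipfw() prints ` from me` without consulting IP_FW_F_INVSRC, while the usage text updated in this same commit advertises `from [not] {me|any|...}`. If add() can set both flags (its `not` handling is outside these hunks, so this is inferred), a negated rule would be listed as a plain one, which misleads anyone auditing the ruleset from the listing. Either print the negation, `printf(" from %sme", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");`, or reject `not me` in add(). The `to me` branch in the later show_ipfw() hunk (IP_FW_F_DME / IP_FW_F_INVDST) has the same gap. show_ipfw() starts and ends outside this hunk.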
@@ -303,6 +306,7 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
}
} else
printf(inet_ntoa(chain->fw_src));
+ }
}
if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
@@ -318,33 +322,37 @@ show_ipfw(struct ip_fw *chain, int pcwidth, int bcwidth)
}
}
- printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
-
- adrt=ntohl(chain->fw_dmsk.s_addr);
- if (adrt==ULONG_MAX && do_resolv) {
- adrt=(chain->fw_dst.s_addr);
- he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
- if (he==NULL) {
- printf(inet_ntoa(chain->fw_dst));
- } else
- printf("%s",he->h_name);
- } else {
- if (adrt!=ULONG_MAX) {
- mb=mask_bits(chain->fw_dmsk);
- if (mb == 0) {
- printf("any");
- } else {
- if (mb > 0) {
- printf(inet_ntoa(chain->fw_dst));
- printf("/%d",mb);
+ if (chain->fw_flg & IP_FW_F_DME) {
+ printf(" to me");
+ } else {
+ printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
+
+ adrt=ntohl(chain->fw_dmsk.s_addr);
+ if (adrt==ULONG_MAX && do_resolv) {
+ adrt=(chain->fw_dst.s_addr);
+ he=gethostbyaddr((char *)&adrt,sizeof(u_long),AF_INET);
+ if (he==NULL) {
+ printf(inet_ntoa(chain->fw_dst));
+ } else
+ printf("%s",he->h_name);
+ } else {
+ if (adrt!=ULONG_MAX) {
+ mb=mask_bits(chain->fw_dmsk);
+ if (mb == 0) {
+ printf("any");
} else {
- printf(inet_ntoa(chain->fw_dst));
- printf(":");
- printf(inet_ntoa(chain->fw_dmsk));
+ if (mb > 0) {
+ printf(inet_ntoa(chain->fw_dst));
+ printf("/%d",mb);
+ } else {
+ printf(inet_ntoa(chain->fw_dst));
+ printf(":");
+ printf(inet_ntoa(chain->fw_dmsk));
+ }
}
- }
- } else
- printf(inet_ntoa(chain->fw_dst));
+ } else
+ printf(inet_ntoa(chain->fw_dst));
+ }
}
if (chain->fw_prot == IPPROTO_TCP || chain->fw_prot == IPPROTO_UDP) {
@@ -857,8 +865,8 @@ show_usage(const char *fmt, ...)
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
" pipe num} [log [logamount count]]\n"
" proto: {ip|tcp|udp|icmp|<number>}\n"
-" src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
-" dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
+" src: from [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
+" dst: to [not] {me|any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" extras:\n"
" uid {user id}\n"
" gid {group id}\n"
@@ -1792,7 +1800,12 @@ add(ac,av)
if (!ac)
show_usage("missing arguments");
- fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
+ if (ac && !strncmp(*av,"me",strlen(*av))) {
+ rule.fw_flg |= IP_FW_F_SME;
+ av++; ac--;
+ } else {
+ fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
+ }
if (ac && (isdigit(**av) || lookup_port(*av, rule.fw_prot, 1, 1) >= 0)) {
u_short nports = 0;
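Review bot: An empty argument is accepted as `me` by the new test in add(), because `strncmp(*av,"me",strlen(*av))` compares zero bytes when `*av` is `""` and so returns 0. A script that expands an unset variable into the source position would then install a rule matching every local address instead of reaching fill_ip(). The single letter `m` is likewise taken as the keyword before fill_ip() can treat it as a host name. Requiring at least one character, `if (ac && **av != '\0' && !strncmp(*av,"me",strlen(*av))) {`, keeps the abbreviation behaviour while excluding the empty case. The destination test in the following hunk (IP_FW_F_DME) needs the same guard. add() starts and ends outside this hunk.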
@@ -1819,7 +1832,13 @@ add(ac,av)
if (!ac)
show_usage("missing arguments");
- fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
+
+ if (ac && !strncmp(*av,"me",strlen(*av))) {
+ rule.fw_flg |= IP_FW_F_DME;
+ av++; ac--;
+ } else {
+ fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
+ }
if (ac && (isdigit(**av) || lookup_port(*av, rule.fw_prot, 1, 1) >= 0)) {
u_short nports = 0;