From 4a80a9f04177ddab5edf74e5aaa0de6198176414 Mon Sep 17 00:00:00 2001 From: dwmalone Date: Wed, 18 Feb 2004 15:56:53 +0000 Subject: Add a -n option that stops ip6fw making any changes to the rules in the kernel. Submitted by: Orla McGann MFC after: 3 weeks --- sbin/ip6fw/ip6fw.8 | 11 +++++--- sbin/ip6fw/ip6fw.c | 76 +++++++++++++++++++++++++++++++++++------------------- 2 files changed, 58 insertions(+), 29 deletions(-) diff --git a/sbin/ip6fw/ip6fw.8 b/sbin/ip6fw/ip6fw.8 index 2e4c777..c036c23 100644 --- a/sbin/ip6fw/ip6fw.8 +++ b/sbin/ip6fw/ip6fw.8 @@ -38,7 +38,7 @@ .Nd controlling utility for IPv6 firewall .Sh SYNOPSIS .Nm -.Op Fl q +.Op Fl nq .Oo .Fl p Ar preproc .Oo Fl D @@ -48,13 +48,15 @@ .Oc .Ar pathname .Nm +.Op Fl n .Op Fl f | Fl q flush .Nm -.Op Fl q +.Op Fl nq zero .Op Ar number ... .Nm +.Op Fl n delete .Ar number ... .Nm @@ -66,7 +68,7 @@ list show .Op Ar number ... .Nm -.Op Fl q +.Op Fl nq add .Op Ar number .Ar action @@ -181,6 +183,9 @@ Don't ask for confirmation for commands that can cause problems if misused (ie; flush). .Ar Note , if there is no tty associated with the process, this is implied. +.It Fl n +Only check syntax of the command strings, +without actually passing them into the kernel. .It Fl q While adding, zeroing or flushing, be quiet about actions (implies '-f'). This is useful for adjusting rules by executing multiple ip6fw commands in a diff --git a/sbin/ip6fw/ip6fw.c b/sbin/ip6fw/ip6fw.c index 9f00b0c..4946d77 100644 --- a/sbin/ip6fw/ip6fw.c +++ b/sbin/ip6fw/ip6fw.c @@ -90,6 +90,7 @@ int do_acct=0; /* Show packet/byte count */ int do_time=0; /* Show time stamps */ int do_quiet=0; /* Be quiet in add and flush */ int do_force=0; /* Don't ask for confirmation */ +int do_test=0; /* Don't load into Kernel */ struct icmpcode { int code; @@ -804,10 +805,12 @@ delete(ac,av) /* Rule number */ while (ac && isdigit(**av)) { rule.fw_number = atoi(*av); av++; ac--; - i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule); - if (i) { - exitval = 1; - warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL"); + if (!do_test) { + i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL, &rule, sizeof rule); + if (i) { + exitval = 1; + warn("rule %u: setsockopt(%s)", rule.fw_number, "IPV6_FW_DEL"); + } } } if (exitval != 0) @@ -1141,9 +1144,11 @@ badviacombo: if (!do_quiet) show_ip6fw(&rule); - i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule); - if (i) - err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD"); + if (!do_test) { + i = setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule); + if (i) + err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ADD"); + } } static void @@ -1155,10 +1160,13 @@ zero (ac, av) if (!ac) { /* clear all entries */ - if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0) - err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO"); - if (!do_quiet) - printf("Accounting cleared.\n"); + if (!do_test) { + if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0) + err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_ZERO"); + if (!do_quiet) + printf("Accounting cleared.\n"); + } else if (!do_quiet) + printf("Accounting not cleared.\n"); } else { struct ip6_fw rule; int failed = 0; @@ -1168,15 +1176,19 @@ zero (ac, av) /* Rule number */ if (isdigit(**av)) { rule.fw_number = atoi(*av); av++; ac--; - if (setsockopt(s, IPPROTO_IPV6, - IPV6_FW_ZERO, &rule, sizeof rule)) { - warn("rule %u: setsockopt(%s)", rule.fw_number, - "IPV6_FW_ZERO"); - failed = 1; + if (!do_test) { + if (setsockopt(s, IPPROTO_IPV6, + IPV6_FW_ZERO, &rule, sizeof rule)) { + warn("rule %u: setsockopt(%s)", rule.fw_number,"IPV6_FW_ZERO"); + failed = 1; + } + if (!do_quiet) + printf("Entry %d cleared\n", + rule.fw_number); } else if (!do_quiet) - printf("Entry %d cleared\n", - rule.fw_number); + printf("Entry %d not cleared\n", + rule.fw_number); } else show_usage("invalid rule number ``%s''", *av); } @@ -1202,7 +1214,7 @@ ip6fw_main(ac,av) /* Set the force flag for non-interactive processes */ do_force = !isatty(STDIN_FILENO); - while ((ch = getopt(ac, av ,"afqtN")) != -1) + while ((ch = getopt(ac, av ,"afnqtN")) != -1) switch(ch) { case 'a': do_acct=1; @@ -1210,6 +1222,9 @@ ip6fw_main(ac,av) case 'f': do_force=1; break; + case 'n': + do_test=1; + break; case 'q': do_quiet=1; break; @@ -1254,10 +1269,14 @@ ip6fw_main(ac,av) do_flush = 1; } if ( do_flush ) { - if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0) - err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH"); - if (!do_quiet) - printf("Flushed all rules.\n"); + if (!do_test) { + if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0) + err(EX_UNAVAILABLE, "setsockopt(%s)", "IPV6_FW_FLUSH"); + + if (!do_quiet) + printf("Flushed all rules.\n"); + } else if (!do_quiet) + printf("Rules not flushed.\n"); } } else if (!strncmp(*av, "zero", strlen(*av))) { zero(ac,av); @@ -1284,7 +1303,7 @@ main(ac, av) char buf[BUFSIZ]; char *a, *p, *args[MAX_ARGS], *cmd = NULL; char linename[10]; - int i, c, lineno, qflag, pflag, status; + int i, c, lineno, nflag, qflag, pflag, status; FILE *f = NULL; pid_t preproc = 0; @@ -1300,10 +1319,10 @@ main(ac, av) */ if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) { - qflag = pflag = i = 0; + nflag = qflag = pflag = i = 0; lineno = 0; - while ((c = getopt(ac, av, "D:U:p:q")) != -1) + while ((c = getopt(ac, av, "D:U:np:q")) != -1) switch(c) { case 'D': if (!pflag) @@ -1325,6 +1344,10 @@ main(ac, av) args[i++] = optarg; break; + case 'n': + nflag = 1; + break; + case 'p': pflag = 1; cmd = optarg; @@ -1397,6 +1420,7 @@ main(ac, av) *p = '\0'; i=1; if (qflag) args[i++]="-q"; + if (nflag) args[i++]="-n"; for (a = strtok(buf, WHITESP); a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++) args[i] = a; -- cgit v1.1