From 752ba4d26f2e94cc31940f50407a6b18b86ee0e8 Mon Sep 17 00:00:00 2001
From: adam
Date: Thu, 16 Jan 1997 21:04:29 +0000
Subject: implement "not" keyword for inverting the address logic
---
 sbin/ipfw/ipfw.8 | 21 +++++++++++----------
 sbin/ipfw/ipfw.c | 14 ++++++++++++--
 2 files changed, 23 insertions(+), 12 deletions(-)
(limited to 'sbin')
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 2a58708..957d976 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -22,16 +22,13 @@ list
 add
 .Op Ar number
 .Ar action
-.Op Ar log
+.Op log
 .Ar proto
 from
 .Ar src
 to
 .Ar dst
-.Oo
-via
-.Ar name | ipno
-.Oc
+.Op via Ar name | ipno
 .Op Ar options
 .Sh DESCRIPTION
 If used as shown in the first synopsis line, the
@@ -117,8 +114,7 @@ Divert packets that match this rule to the divert socket bound to port
 The search terminates.
 .El
 .Pp
-When a packet matches a rule with the
-.Ar log
+When a packet matches a rule with the ``log''
 keyword, a message will be printed on the console.
 If the kernel was compiled with the
 .Dv IP_FIREWALL_VERBOSE_LIMIT
@@ -150,7 +146,8 @@ and
 .Ar dst :
 .Pp
 .Bl -hang -offset flag
-.It
[ports]
+.It Ar
+.Op Ar ports
 .El
 .Pp
 The
@@ -168,10 +165,14 @@ An ipnumber with a mask width of the form 1.2.3.4:255.255.240.0.
 In this case all ip numbers from 1.2.0.0 to 1.2.15.255 will match.
 .El
 .Pp
+The sense of the match can be inverted by preceding an address with the
+``not'' modifier, causing all other addresses to be matched instead. This
+does not affect the selection of port numbers.
+.Pp
 With the TCP and UDP
 .Em protocols ,
-an optional
-.Em port
+optional
+.Em ports
 may be specified as:
 .Pp
 .Bl -hang -offset flag
diff --git a/sbin/ipfw/ipfw.c b/sbin/ipfw/ipfw.c
index f1bb15a..fd1ab5d 100644
--- a/sbin/ipfw/ipfw.c
+++ b/sbin/ipfw/ipfw.c
@@ -162,7 +162,7 @@ show_ipfw(chain)
 else
 printf("%u", chain->fw_prot);
- printf(" from ");
+ printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
 adrt=ntohl(chain->fw_smsk.s_addr);
 if (adrt==ULONG_MAX && do_resolv) {
@@ -202,7 +202,7 @@ show_ipfw(chain)
 }
 }
- printf(" to ");
+ printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
 adrt=ntohl(chain->fw_dmsk.s_addr);
 if (adrt==ULONG_MAX && do_resolv) {
@@ -685,6 +685,12 @@ add(ac,av)
 if (ac && !strncmp(*av,"from",strlen(*av))) { av++; ac--; } else show_usage("missing ``from''\n");
+ if (ac && !strncmp(*av,"not",strlen(*av))) {
+ rule.fw_flag |= IP_FW_F_INVSRC;
+ av++; ac--;
+ }
+ if (!ac) show_usage("Missing arguments\n");
+
 fill_ip(&rule.fw_src, &rule.fw_smsk, &ac, &av);
 if (ac && isdigit(**av)) {
@@ -697,6 +703,10 @@ add(ac,av)
 if (ac && !strncmp(*av,"to",strlen(*av))) { av++; ac--; } else show_usage("missing ``to''\n");
+ if (ac && !strncmp(*av,"not",strlen(*av))) {
+ rule.fw_flag |= IP_FW_F_INVDST;
+ av++; ac--;
+ }
 if (!ac) show_usage("Missing arguments\n");
 fill_ip(&rule.fw_dst, &rule.fw_dmsk, &ac, &av);
--
cgit v1.1
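Review bot: The inversion flag is read under one member name here and written under another in the add() hunks below: this printf tests `chain->fw_flg & IP_FW_F_INVSRC`, while the parser does `rule.fw_flag |= IP_FW_F_INVSRC`. Unless struct ip_fw really declares both members (not visible in this diff), one side will not compile, or the bit the parser sets is never the one the lister reports, so both should name whichever member the struct actually has, e.g. `rule.fw_flg |= IP_FW_F_INVSRC;`. A one-line comment on the printf would also help the next reader, e.g. `/* "not " marks a rule whose source match is inverted by the kernel */`. show_ipfw() starts before this hunk.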
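Review bot: The added keyword test `!strncmp(*av,"not",strlen(*av))` compares only as many characters as the user supplied, so `n`, `no` and an empty argument are all consumed as the negation modifier before fill_ip() ever sees the address. That mirrors how `from` and `to` are matched elsewhere in this function, but for a token that flips the meaning of a firewall rule and occupies the position where a host name is otherwise expected, an exact comparison is the safer choice: `if (ac && !strcmp(*av, "not")) {`. If abbreviation is deliberately wanted, the empty token should at least be rejected, `if (ac && **av && !strncmp(*av,"not",strlen(*av))) {`. add() starts before this hunk and continues after it.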
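Review bot: This four-line block is a copy of the one added for the source address a few lines earlier, differing only in the flag it sets; a small static helper would keep the keyword-matching rule in exactly one place so a later change to it cannot drift between the two sides. With the helper below, each site collapses to `rule.fw_flag |= parse_not(&ac, &av, IP_FW_F_INVDST);` (and the IP_FW_F_INVSRC equivalent after `from`), and the existing `if (!ac) show_usage(...)` lines stay as they are. The helper reproduces the current matching behaviour unchanged. add() starts before this hunk and continues after it.
```c
/*
 * Consume an optional leading "not" keyword, matched the same abbreviated
 * way as the other keywords in add().  Returns flag when the keyword was
 * present (and skipped), 0 otherwise.
 */
static int
parse_not(ac, av, flag)
	int *ac;
	char ***av;
	int flag;
{
	if (*ac && !strncmp(**av, "not", strlen(**av))) {
		(*av)++; (*ac)--;
		return flag;
	}
	return 0;
}

	/* … unchanged: "to" keyword check … */
	rule.fw_flag |= parse_not(&ac, &av, IP_FW_F_INVDST);
	if (!ac) show_usage("Missing arguments\n");
```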