It turns out that we do not need to add a new ioctl to unbreak a
default-to-deny firewall. Simply turning off IPFW via a preexisting sysctl does the job. To make it more apparent (since nobody picked up on this in a week's worth of flames), the boolean sysctl's have been integrated into the /sbin/ipfw command set in an obvious and straightforward manner. For example, you can now do 'ipfw disable firewall' or 'ipfw enable firewall'. This is far easier to remember then the net.inet.ip.fw.enable sysctl. Reviewed by: imp MFC after: 3 days
This commit is contained in:
Matthew Dillon
parent
7a6794e9c4
commit
6690be9efa
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=109126
@ -24,6 +24,12 @@
|
||||
.Brq Cm delete | zero | resetlog
|
||||
.Op Cm set
|
||||
.Op Ar number ...
|
||||
.Nm
|
||||
.Cm enable
|
||||
.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
|
||||
.Nm
|
||||
.Cm disable
|
||||
.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
|
||||
.Pp
|
||||
.Nm
|
||||
.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
|
||||
@ -302,6 +308,16 @@ and
|
||||
commands are used to configure the traffic shaper, as shown in the
|
||||
.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
|
||||
Section below.
|
||||
.Pp
|
||||
If the world and the kernel get out of sync the
|
||||
.Nm
|
||||
ABI may break, preventing you from being able to add any rules. This can
|
||||
adversely effect the booting process. You can use
|
||||
.Nm
|
||||
.Cm disable
|
||||
.Cm firewall
|
||||
to temporarily disable the firewall to regain access to the network,
|
||||
allowing you to fix the problem.
|
||||
.Sh PACKET FLOW
|
||||
A packet is checked against the active ruleset in multiple places
|
||||
in the protocol stack, under control of several sysctl variables.
|
||||
|
||||
@ -1527,6 +1527,29 @@ sets_handler(int ac, char *av[])
|
||||
errx(EX_USAGE, "invalid set command %s\n", *av);
|
||||
}
|
||||
|
||||
static void
|
||||
sysctl_handler(int ac, char *av[], int which)
|
||||
{
|
||||
ac--;
|
||||
av++;
|
||||
|
||||
if (*av == NULL) {
|
||||
warnx("missing keyword to enable/disable\n");
|
||||
} else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
|
||||
sysctlbyname("net.inet.ip.fw.enable", NULL, 0, &which, sizeof(which));
|
||||
} else if (strncmp(*av, "one_pass", strlen(*av)) == 0) {
|
||||
sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0, &which, sizeof(which));
|
||||
} else if (strncmp(*av, "debug", strlen(*av)) == 0) {
|
||||
sysctlbyname("net.inet.ip.fw.debug", NULL, 0, &which, sizeof(which));
|
||||
} else if (strncmp(*av, "verbose", strlen(*av)) == 0) {
|
||||
sysctlbyname("net.inet.ip.fw.verbose", NULL, 0, &which, sizeof(which));
|
||||
} else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) {
|
||||
sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0, &which, sizeof(which));
|
||||
} else {
|
||||
warnx("unrecognize enable/disable keyword: %s\n", *av);
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
list(int ac, char *av[])
|
||||
{
|
||||
@ -3407,6 +3430,10 @@ ipfw_main(int ac, char **av)
|
||||
list(ac, av);
|
||||
else if (!strncmp(*av, "set", strlen(*av)))
|
||||
sets_handler(ac, av);
|
||||
else if (!strncmp(*av, "enable", strlen(*av)))
|
||||
sysctl_handler(ac, av, 1);
|
||||
else if (!strncmp(*av, "disable", strlen(*av)))
|
||||
sysctl_handler(ac, av, 0);
|
||||
else if (!strncmp(*av, "show", strlen(*av))) {
|
||||
do_acct++;
|
||||
list(ac, av);
|
||||
|
||||
Loading…
Reference in New Issue
Block a user