diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index fbc45e64e1a7..34e5012a7d5d 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -24,6 +24,12 @@
 .Brq Cm delete | zero | resetlog
 .Op Cm set
 .Op Ar number ...
+.Nm
+.Cm enable
+.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
+.Nm
+.Cm disable
+.Brq Cm firewall | one_pass | debug | verbose | dyn_keepalive
 .Pp
 .Nm
 .Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
@@ -302,6 +308,16 @@ and
 commands are used to configure the traffic shaper, as shown in the
 .Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
 Section below.
+.Pp
+If the world and the kernel get out of sync the
+.Nm
+ABI may break, preventing you from being able to add any rules. This can
+adversely effect the booting process. You can use
+.Nm
+.Cm disable
+.Cm firewall
+to temporarily disable the firewall to regain access to the network,
+allowing you to fix the problem.
 .Sh PACKET FLOW
 A packet is checked against the active ruleset in multiple places
 in the protocol stack, under control of several sysctl variables.
diff --git a/sbin/ipfw/ipfw2.c b/sbin/ipfw/ipfw2.c
index 77863a591814..953c7f4a1261 100644
--- a/sbin/ipfw/ipfw2.c
+++ b/sbin/ipfw/ipfw2.c
@@ -1527,6 +1527,29 @@ sets_handler(int ac, char *av[])
 	errx(EX_USAGE, "invalid set command %s\n", *av);
 }
 
+static void
+sysctl_handler(int ac, char *av[], int which)
+{
+	ac--;
+	av++;
+
+	if (*av == NULL) {
+		warnx("missing keyword to enable/disable\n");
+	} else if (strncmp(*av, "firewall", strlen(*av)) == 0) {
+		sysctlbyname("net.inet.ip.fw.enable", NULL, 0, &which, sizeof(which));
+	} else if (strncmp(*av, "one_pass", strlen(*av)) == 0) {
+		sysctlbyname("net.inet.ip.fw.one_pass", NULL, 0, &which, sizeof(which));
+	} else if (strncmp(*av, "debug", strlen(*av)) == 0) {
+		sysctlbyname("net.inet.ip.fw.debug", NULL, 0, &which, sizeof(which));
+	} else if (strncmp(*av, "verbose", strlen(*av)) == 0) {
+		sysctlbyname("net.inet.ip.fw.verbose", NULL, 0, &which, sizeof(which));
+	} else if (strncmp(*av, "dyn_keepalive", strlen(*av)) == 0) {
+		sysctlbyname("net.inet.ip.fw.dyn_keepalive", NULL, 0, &which, sizeof(which));
+	} else {
+		warnx("unrecognize enable/disable keyword: %s\n", *av);
+	}
+}
+
 static void
 list(int ac, char *av[])
 {
@@ -3407,6 +3430,10 @@ ipfw_main(int ac, char **av)
 		list(ac, av);
 	else if (!strncmp(*av, "set", strlen(*av)))
 		sets_handler(ac, av);
+	else if (!strncmp(*av, "enable", strlen(*av)))
+		sysctl_handler(ac, av, 1);
+	else if (!strncmp(*av, "disable", strlen(*av)))
+		sysctl_handler(ac, av, 0);
 	else if (!strncmp(*av, "show", strlen(*av))) {
 		do_acct++;
 		list(ac, av);
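Review bot: Every sysctlbyname() call in the new sysctl_handler discards its return value, so `ipfw disable firewall` (or `enable firewall`) exits 0 and prints nothing even when the write fails — EPERM for a non-root caller, or ENOENT when the running kernel does not expose the knob, which is precisely the world/kernel mismatch the new man-page text tells the operator to recover from with this command. Mapping the keyword to a sysctl name and issuing one checked call makes that failure visible, and the two error paths should exit non-zero with errx(EX_USAGE) as sets_handler does just above instead of warnx (which already appends a newline, so the trailing `\n` in those messages is redundant); "unrecognize" is also a typo. Because strncmp(*av, "firewall", strlen(*av)) compares zero bytes for an empty argument, an empty keyword currently matches the first branch and flips net.inet.ip.fw.enable; guarding with `if (*av == NULL || **av == '\0')` closes that. The `ac--` is a dead store, left in place below only to keep the signature and its use unchanged.
```c
static void
sysctl_handler(int ac, char *av[], int which)
{
	const char *name;

	ac--;
	av++;
	if (*av == NULL || **av == '\0')
		errx(EX_USAGE, "missing keyword to enable/disable");
	else if (strncmp(*av, "firewall", strlen(*av)) == 0)
		name = "net.inet.ip.fw.enable";
	else if (strncmp(*av, "one_pass", strlen(*av)) == 0)
		name = "net.inet.ip.fw.one_pass";
	/* … unchanged: debug, verbose, dyn_keepalive map to their net.inet.ip.fw.* names the same way … */
	else
		errx(EX_USAGE, "unrecognized enable/disable keyword: %s", *av);
	if (sysctlbyname(name, NULL, 0, &which, sizeof(which)) < 0)
		err(EX_OSERR, "sysctlbyname(%s)", name);
}
```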