Interface changes to support additions to firewall.

This commit is contained in:
Ugen J.S. Antsilevich 1994-11-28 12:34:37 +00:00
parent 6313f15402
commit 7985370449
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=4848


@ -91,14 +91,22 @@ char action_tab[][MAXSTR]={
char type_tab[][MAXSTR]={ char type_tab[][MAXSTR]={
"ac", "ac",
#define T_ACCEPT 0 #define T_ACCEPT 0
"de", "lo",
#define T_DENY 1 #define T_LOG 1
"r",
#define T_REJECT 2
"lr",
#define T_LREJECT 3
"d",
#define T_DENY 4
"ld",
#define T_LDENY 5
"si", "si",
#define T_SINGLE 2 #define T_SINGLE 6
"bi", "bi",
#define T_BIDIR 3 #define T_BIDIR 7
"", "",
#define T_NONE 4 #define T_NONE 8
}; };
@ -109,10 +117,12 @@ char proto_tab[][MAXSTR]={
#define P_ICMP 1 #define P_ICMP 1
"tcp", "tcp",
#define P_TCP 2 #define P_TCP 2
"syn",
#define P_SYN 3
"udp", "udp",
#define P_UDP 3 #define P_UDP 4
"" ""
#define P_NONE 4 #define P_NONE 5
}; };
struct nlist nlf[]={ struct nlist nlf[]={
@ -174,21 +184,45 @@ if (do_verbose) {
if (do_verbose) if (do_verbose)
if (c_t==FW) { if (c_t==FW) {
if (chain->flags & IP_FW_F_ACCEPT) if (chain->flags & IP_FW_F_ACCEPT)
printf("A"); if (chain->flags & IP_FW_F_PRN)
printf("l");
else
printf("a");
else else
printf("D"); if (chain->flags & IP_FW_F_PRN)
if (chain->flags & IP_FW_F_ICMPRPL)
printf("R");
else
printf("D");
else
if (chain->flags & IP_FW_F_ICMPRPL)
printf("r");
else
printf("d");
} else { } else {
if (chain->flags & IP_FW_F_BIDIR) if (chain->flags & IP_FW_F_BIDIR)
printf("B"); printf("b");
else else
printf("S"); printf("s");
} }
else else
if (c_t==FW) { if (c_t==FW) {
if (chain->flags & IP_FW_F_ACCEPT) if (chain->flags & IP_FW_F_ACCEPT)
printf("accept "); if (chain->flags & IP_FW_F_PRN)
printf("log ");
else
printf("accept ");
else else
printf("deny "); if (chain->flags & IP_FW_F_PRN)
if (chain->flags & IP_FW_F_ICMPRPL)
printf("lreject ");
else
printf("ldeny ");
else
if (chain->flags & IP_FW_F_ICMPRPL)
printf("reject ");
else
printf("deny ");
} else { } else {
if (chain->flags & IP_FW_F_BIDIR) if (chain->flags & IP_FW_F_BIDIR)
printf("bidir "); printf("bidir ");
@ -202,7 +236,10 @@ if (do_verbose)
printf("I "); printf("I ");
break; break;
case IP_FW_F_TCP: case IP_FW_F_TCP:
printf("T "); if (chain->flags&IP_FW_F_TCPSYN)
printf("S ");
else
printf("T ");
break; break;
case IP_FW_F_UDP: case IP_FW_F_UDP:
printf("U "); printf("U ");
@ -219,7 +256,10 @@ else
printf("icmp "); printf("icmp ");
break; break;
case IP_FW_F_TCP: case IP_FW_F_TCP:
printf("tcp "); if (chain->flags&IP_FW_F_TCPSYN)
printf("syn ");
else
printf("tcp ");
break; break;
case IP_FW_F_UDP: case IP_FW_F_UDP:
printf("udp "); printf("udp ");
@ -536,8 +576,11 @@ struct hostent *hptr;
show_usage(); show_usage();
exit(1); exit(1);
} }
mask->s_addr= if (n_bit>0)
mask->s_addr=
htonl(ULONG_MAX<<(sizeof(u_long)*CHAR_BIT-n_bit)); htonl(ULONG_MAX<<(sizeof(u_long)*CHAR_BIT-n_bit));
else
mask->s_addr=0L;
} }
if (sm_oct) { if (sm_oct) {
@ -670,13 +713,11 @@ char **av;
void policy(av) void policy(av)
char **av; char **av;
{ {
int p; u_short p=0,b;
kvm_t *kd; kvm_t *kd;
static char errb[_POSIX2_LINE_MAX]; static char errb[_POSIX2_LINE_MAX];
int b;
if (*av==NULL || strlen(*av)<=0) if (*av==NULL || strlen(*av)<=0) {
{
if ( (kd=kvm_openfiles(NULL,NULL,NULL,O_RDONLY,errb)) == NULL) { if ( (kd=kvm_openfiles(NULL,NULL,NULL,O_RDONLY,errb)) == NULL) {
fprintf(stderr,"%s: kvm_openfiles: %s\n",progname,kvm_geterr(kd)); fprintf(stderr,"%s: kvm_openfiles: %s\n",progname,kvm_geterr(kd));
exit(1); exit(1);
@ -685,24 +726,22 @@ if (*av==NULL || strlen(*av)<=0)
fprintf(stderr,"%s: kvm_nlist: no namelist in %s\n", fprintf(stderr,"%s: kvm_nlist: no namelist in %s\n",
progname,getbootfile()); progname,getbootfile());
exit(1); exit(1);
} }
kvm_read(kd,(u_long)nlf[N_POLICY].n_value,&b,sizeof(int)); kvm_read(kd,(u_long)nlf[N_POLICY].n_value,&b,sizeof(int));
if (b==1) if (b&IP_FW_P_DENY)
printf("Default policy: ACCEPT\n");
if (b==0)
printf("Default policy: DENY\n"); printf("Default policy: DENY\n");
if (b!=0 && b!=1) else
printf("Wrong policy value\n"); printf("Default policy: ACCEPT\n");
exit(1); exit(1);
} }
if (!strncmp(*av,P_DE,strlen(P_DE))) if (!strncmp(*av,P_DE,strlen(P_DE)))
p=0; p|=IP_FW_P_DENY;
else else
if (!strncmp(*av,P_AC,strlen(P_AC))) if (!strncmp(*av,P_AC,strlen(P_AC)))
p=1; p&=~IP_FW_P_DENY;
else { else {
fprintf(stderr,"%s: bad policy value.\n",progname); fprintf(stderr,"%s: bad policy value.\n",progname);
exit(1); exit(1);
@ -712,10 +751,10 @@ if (setsockopt(s,IPPROTO_IP,IP_FW_POLICY,&p,sizeof(p))<0) {
fprintf(stderr,"%s: setsockopt failed.\n",progname); fprintf(stderr,"%s: setsockopt failed.\n",progname);
exit(1); exit(1);
} else { } else {
if (p) if (p&IP_FW_P_DENY)
printf("Policy set to ACCEPT.\n");
else
printf("Policy set to DENY.\n"); printf("Policy set to DENY.\n");
else
printf("Policy set to ACCEPT.\n");
exit(0); exit(0);
} }
} }
@ -835,6 +874,17 @@ struct ip_fw frwl;
} }
switch(get_num(*av,type_tab)) { switch(get_num(*av,type_tab)) {
case T_LREJECT:
flags|=IP_FW_F_PRN;
case T_REJECT:
flags|=IP_FW_F_ICMPRPL;
if (int_t!=FW) {
show_usage();
exit(1);
}
break;
case T_LDENY:
flags|=IP_FW_F_PRN;
case T_DENY: case T_DENY:
flags|=0; /* just to show it related to flags */ flags|=0; /* just to show it related to flags */
if (int_t!=FW) { if (int_t!=FW) {
@ -842,6 +892,8 @@ struct ip_fw frwl;
exit(1); exit(1);
} }
break; break;
case T_LOG:
flags|=IP_FW_F_PRN;
case T_ACCEPT: case T_ACCEPT:
flags|=IP_FW_F_ACCEPT; flags|=IP_FW_F_ACCEPT;
if (int_t!=FW) { if (int_t!=FW) {
@ -863,6 +915,9 @@ struct ip_fw frwl;
exit(1); exit(1);
} }
break; break;
default:
show_usage();
exit(1);
} /* type of switch */ } /* type of switch */
@ -880,6 +935,8 @@ struct ip_fw frwl;
case P_ICMP: case P_ICMP:
flags|=IP_FW_F_ICMP; flags|=IP_FW_F_ICMP;
break; break;
case P_SYN:
flags|=IP_FW_F_TCPSYN;
case P_TCP: case P_TCP:
flags|=IP_FW_F_TCP; flags|=IP_FW_F_TCP;
ports_ok=1; ports_ok=1;
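Review bot: In the policy() hunk, `b` shrinks to `u_short` on the line `u_short p=0,b;`, but the unchanged `kvm_read(kd,(u_long)nlf[N_POLICY].n_value,&b,sizeof(int));` still copies sizeof(int) bytes into it, so the read now overruns the two-byte stack variable. The size should follow the destination, `kvm_read(kd,(u_long)nlf[N_POLICY].n_value,&b,sizeof(b));`, and the kernel-side policy object should be confirmed to be u_short as well — if it is still an int, `b` should stay int; the same question applies to `setsockopt(...,&p,sizeof(p))` in the next hunk's context, where `p` is also u_short now. policy() continues outside these hunks. As a point of style, the new `case T_LREJECT:`, `case T_LDENY:`, `case T_LOG:` and `case P_SYN:` arms all rely on falling into the following case; a `/* fallthrough */` comment on each would mark that as intended rather than a forgotten `break`.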