close pr 10889:

+ add a missing call to dn_rule_delete() when flushing firewall
  rules, thus preventing possible panics due to dangling pointers
  (this was already done for single rule deletes).
+ improve "usage" output in ipfw(8)
+ add a few checks to ipfw pipe parameters and make it a bit more
  tolerant of common mistakes (such as specifying kbit instead of Kbit)

PR: kern/10889
Submitted by: Ruslan Ermilov
Luigi Rizzo 1999-05-24 10:01:22 +00:00
parent 26e64ed9d4
commit e142fadecb
2 changed files with 31 additions and 14 deletions


@ -16,7 +16,7 @@
*
* NEW command line interface for IP firewall facility
*
* $Id: ipfw.c,v 1.64 1998/12/27 11:23:05 luigi Exp $
* $Id: ipfw.c,v 1.65 1999/01/22 01:46:32 archie Exp $
*
*/
@ -572,16 +572,18 @@ show_usage(const char *fmt, ...)
warnx("error: %s", buf);
}
fprintf(stderr, "usage: ipfw [options]\n"
" flush\n"
" [pipe] flush\n"
" add [number] rule\n"
" delete number ...\n"
" list [number ...]\n"
" show [number ...]\n"
" [pipe] delete number ...\n"
" [pipe] list [number ...]\n"
" [pipe] show [number ...]\n"
" zero [number ...]\n"
" pipe number config [pipeconfig\n"
" rule: action proto src dst extras...\n"
" action:\n"
" {allow|permit|accept|pass|deny|drop|reject|unreach code|\n"
" reset|count|skipto num|divert port|tee port|fwd ip} [log]\n"
" reset|count|skipto num|divert port|tee port|fwd ip|\n"
" pipe num} [log]\n"
" proto: {ip|tcp|udp|icmp|<number>}\n"
" src: from [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
" dst: to [not] {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
@ -593,7 +595,13 @@ show_usage(const char *fmt, ...)
" {established|setup}\n"
" tcpflags [!]{syn|fin|rst|ack|psh|urg},...\n"
" ipoptions [!]{ssrr|lsrr|rr|ts},...\n"
" icmptypes {type[,type]}...\n");
" icmptypes {type[,type]}...\n"
" pipecfg:\n"
" {bw|bandwidth} <number>{bit/s|Kbit/s|Mbit/s|Bytes/s|KBytes/s|MBytes/s}\n"
" delay <milliseconds>\n"
" queue <size>{packets|Bytes|KBytes}\n"
" plr <fraction>\n"
);
exit(EX_USAGE);
}
@ -952,11 +960,11 @@ config_pipe(int ac, char **av)
if (!strncmp(*av,"bw",strlen(*av)) ||
! strncmp(*av,"bandwidth",strlen(*av))) {
pipe.bandwidth = strtoul(av[1], &end, 0);
if (*end == 'K')
if (*end == 'K' || *end == 'k' )
end++, pipe.bandwidth *= 1000 ;
else if (*end == 'M')
end++, pipe.bandwidth *= 1000000 ;
if (*end == 'B')
if ( *end == 'B' || !strncmp(end, "by", 2) )
pipe.bandwidth *= 8 ;
av+=2; ac-=2;
} else if (!strncmp(*av,"delay",strlen(*av)) ) {
@ -965,15 +973,19 @@ config_pipe(int ac, char **av)
} else if (!strncmp(*av,"plr",strlen(*av)) ) {
double d = strtod(av[1], NULL);
if (d > 1)
d = 1 ;
else if (d < 0)
d = 0 ;
pipe.plr = (int)(d*0x7fffffff) ;
av+=2; ac-=2;
} else if (!strncmp(*av,"queue",strlen(*av)) ) {
end = NULL ;
pipe.queue_size = strtoul(av[1], &end, 0);
if (*end == 'K') {
if (*end == 'K' || *end == 'k') {
pipe.queue_size_bytes = pipe.queue_size*1024 ;
pipe.queue_size = 0 ;
} else if (*end == 'B') {
} else if (*end == 'B' || !strncmp(end, "by", 2)) {
pipe.queue_size_bytes = pipe.queue_size ;
pipe.queue_size = 0 ;
}
@ -1439,8 +1451,10 @@ ipfw_main(ac,av)
do_flush = 1;
}
if ( do_flush ) {
if (setsockopt(s,IPPROTO_IP,IP_FW_FLUSH,NULL,0) < 0)
err(EX_UNAVAILABLE, "setsockopt(%s)", "IP_FW_FLUSH");
if (setsockopt(s, IPPROTO_IP,
do_pipe ? IP_DUMMYNET_FLUSH : IP_FW_FLUSH, NULL, 0) < 0)
err(EX_UNAVAILABLE, "setsockopt(IP_%s_FLUSH)",
do_pipe ? "DUMMYNET" : "FW");
if (!do_quiet)
printf("Flushed all rules.\n");
}
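Review bot: In the config_pipe bandwidth branch the suffix check now accepts `k` but still only an uppercase `M`, and text it does not recognise is ignored rather than rejected, so an argument such as `10mbit/s` (constructed example) ends up as the bare number 10 with no multiplier and no error. For a traffic shaper that is a silent misconfiguration; either accept the lowercase form too with `else if (*end == 'M' || *end == 'm')`, or call show_usage() when what follows the number is not one of the units listed under pipecfg. The queue branch has the same fall-through, where an unknown suffix leaves the value as a packet count. config_pipe starts and ends outside these hunks, so whether `av[1]` is checked for presence before strtoul() cannot be seen from here.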


@ -12,7 +12,7 @@
*
* This software is provided ``AS IS'' without any warranties of any kind.
*
* $Id: ip_fw.c,v 1.110 1999/04/26 14:57:24 luigi Exp $
* $Id: ip_fw.c,v 1.111 1999/05/03 23:57:28 billf Exp $
*/
/*
@ -1175,6 +1175,9 @@ ip_fw_ctl(struct sockopt *sopt)
fcp = ip_fw_chain.lh_first) {
s = splnet();
LIST_REMOVE(fcp, chain);
#ifdef DUMMYNET
dn_rule_delete(fcp);
#endif
FREE(fcp->rule, M_IPFW);
FREE(fcp, M_IPFW);
splx(s);
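Review bot: The flush loop in ip_fw_ctl now repeats the teardown that, per the commit message, the single-rule delete path already had, and keeping two hand-written copies is how the dn_rule_delete() call came to be missing here. Moving the unlink, the dummynet cleanup and the two FREE calls into one static helper used by both paths would keep them from drifting apart again; the delete path is not visible in this hunk, so that is a suggestion to check rather than a confirmed duplicate. At minimum the ordering deserves a comment above the new call, for example `/* drop dummynet references to this rule before it is freed */`. The loop's closing brace lies outside the hunk.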