freebsd-nq/sbin/ipfw
Luigi Rizzo 5a155b405e
One more (hopefully the last one) step in cleaning up the syntax,
following Julian's good suggestion: since you can specify any match
pattern as an option, rules now have the following format:

	[<proto> from <src> to <dst>] [options]

i.e. the first part is now entirely optional (and left there just
for compatibility with ipfw1 rulesets).

Add a "-c" flag to show/list rules in the compact form
(i.e. without the "ip from any to any" part) when possible.
The default is to include it so that scripts processing ipfw's
canonical output will still work.
Note that as part of this cleanup (and to remove ambiguity), MAC
fields now can only be specified in the options part.

Update the manpage to reflect the syntax.

Clarify the behaviour when a match is attempted on fields which
are not present in the packet, e.g. port numbers on non TCP/UDP
packets, and the "not" operator is specified. E.g.

	ipfw add allow not src-port 80

will match also ICMP packets because they do not have port numbers, so
"src-port 80" will fail and "not src-port 80" will succeed. For such
cases it is advised to insert further options to prevent undesired results
(e.g. in the case above, "ipfw add allow proto tcp not src-port 80").

We definitely need to rewrite the parser using lex and yacc!
2002-08-19 12:36:54 +00:00
ipfw2.c One more (hopefully the last one) step in cleaning up the syntax, 2002-08-19 12:36:54 +00:00
ipfw.8 One more (hopefully the last one) step in cleaning up the syntax, 2002-08-19 12:36:54 +00:00
ipfw.c Handle symbolic names for common ethernet types (ip, arp etc.) 2002-05-13 10:19:59 +00:00
Makefile Uncommented WARNS=0. ipfw2.c is full of printf format errors that are 2002-07-11 17:33:37 +00:00