Add '-q' quiet flag for flush/add/zero commands; add 'show' command as
synonym for '-a list'; stop SEGV when specifying 'via' with no interface; change 2 instances of strcpy() to strncpy(). This is a candidate for 2.2
This commit is contained in:
parent
4b93480b2a
commit
f607e2c314
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=22535
@ -8,8 +8,16 @@
|
||||
.Nm
|
||||
.Ar file
|
||||
.Nm ipfw
|
||||
.Oo
|
||||
.Fl f
|
||||
|
|
||||
.Fl q
|
||||
.Oc
|
||||
flush
|
||||
.Nm ipfw
|
||||
.Oo
|
||||
.Fl q
|
||||
.Oc
|
||||
zero
|
||||
.Op Ar number
|
||||
.Nm ipfw
|
||||
@ -19,6 +27,14 @@ delete
|
||||
.Op Fl aftN
|
||||
list
|
||||
.Nm ipfw
|
||||
.Oo
|
||||
.Fl ftN
|
||||
.Oc
|
||||
show
|
||||
.Nm ipfw
|
||||
.Oo
|
||||
.Fl q
|
||||
.Oc
|
||||
add
|
||||
.Op Ar number
|
||||
.Ar action
|
||||
@ -61,6 +77,8 @@ if any.
|
||||
.Pp
|
||||
The list command prints out the current rule set.
|
||||
.Pp
|
||||
The show command is equivalent to `ipfw -a list'.
|
||||
.Pp
|
||||
The zero operation zeroes the counters associated with rule number
|
||||
.Ar number .
|
||||
.Pp
|
||||
@ -72,7 +90,8 @@ One rule is always present:
|
||||
.Ed
|
||||
.Pp
|
||||
This rule is the default policy, i.e., don't allow anything at all.
|
||||
Your job in setting up rules is to modify this policy to match your needs.
|
||||
Your job in setting up rules is to modify this policy to match your
|
||||
needs.
|
||||
.Pp
|
||||
The following options are available:
|
||||
.Bl -tag -width flag
|
||||
@ -84,6 +103,15 @@ Don't ask for confirmation for commands that can cause problems if misused
|
||||
(ie; flush).
|
||||
.Ar Note ,
|
||||
if there is no tty associated with the process, this is implied.
|
||||
.It Fl q
|
||||
While adding or flushing, be quiet about actions (implies '-f'). This is
|
||||
useful for adjusting rules by executing multiple ipfw commands in a script
|
||||
(e.g. sh /etc/rc.firewall), or by processing a file of many ipfw rules,
|
||||
across a remote login session. If a flush is performed in normal
|
||||
(verbose) mode, it prints a message. Because all rules are flushed, the
|
||||
message cannot be delivered to the login session, the login session is
|
||||
closed and the remainder of the ruleset is not processed. Access to the
|
||||
console is required to recover.
|
||||
.It Fl t
|
||||
While listing, show last match timestamp.
|
||||
.It Fl N
|
||||
|
@ -49,6 +49,7 @@ int s; /* main RAW socket */
|
||||
int do_resolv=0; /* Would try to resolv all */
|
||||
int do_acct=0; /* Show packet/byte count */
|
||||
int do_time=0; /* Show time stamps */
|
||||
int do_quiet=0; /* Be quiet in add and flush */
|
||||
int do_force=0; /* Don't ask for confirmation */
|
||||
|
||||
int
|
||||
@ -354,6 +355,7 @@ show_usage(str)
|
||||
"\t\tadd [number] rule\n"
|
||||
"\t\tdelete number\n"
|
||||
"\t\tlist [number]\n"
|
||||
"\t\tshow [number]\n"
|
||||
"\t\tzero [number]\n"
|
||||
"\trule:\taction proto src dst extras...\n"
|
||||
"\t\taction: {allow|deny|reject|count|divert port} [log]\n"
|
||||
@ -730,10 +732,13 @@ add(ac,av)
|
||||
}
|
||||
|
||||
av++; ac--;
|
||||
if (!ac) {
|
||||
show_usage("'via' option specified with no interface.");
|
||||
}
|
||||
if (!isdigit(**av)) {
|
||||
char *q;
|
||||
|
||||
strcpy(rule.fw_via_name, *av);
|
||||
strncpy(rule.fw_via_name, *av, sizeof(rule.fw_via_name));
|
||||
for (q = rule.fw_via_name; *q && !isdigit(*q) && *q != '*'; q++)
|
||||
continue;
|
||||
if (*q == '*')
|
||||
@ -791,7 +796,8 @@ add(ac,av)
|
||||
show_usage("Unknown argument\n");
|
||||
}
|
||||
|
||||
show_ipfw(&rule);
|
||||
if (!do_quiet)
|
||||
show_ipfw(&rule);
|
||||
i = setsockopt(s, IPPROTO_IP, IP_FW_ADD, &rule, sizeof rule);
|
||||
if (i)
|
||||
err(1,"setsockopt(IP_FW_ADD)");
|
||||
@ -810,7 +816,8 @@ zero (ac, av)
|
||||
fprintf(stderr,"%s: setsockopt failed.\n",progname);
|
||||
exit(1);
|
||||
}
|
||||
printf("Accounting cleared.\n");
|
||||
if (!do_quiet)
|
||||
printf("Accounting cleared.\n");
|
||||
} else {
|
||||
/* clear a specific entry */
|
||||
struct ip_fw rule;
|
||||
@ -848,7 +855,7 @@ ipfw_main(ac,av)
|
||||
/* Set the force flag for non-interactive processes */
|
||||
do_force = !isatty(STDIN_FILENO);
|
||||
|
||||
while ((ch = getopt(ac, av ,"aftN")) != EOF)
|
||||
while ((ch = getopt(ac, av ,"afqtN")) != EOF)
|
||||
switch(ch) {
|
||||
case 'a':
|
||||
do_acct=1;
|
||||
@ -856,6 +863,9 @@ ipfw_main(ac,av)
|
||||
case 'f':
|
||||
do_force=1;
|
||||
break;
|
||||
case 'q':
|
||||
do_quiet=1;
|
||||
break;
|
||||
case 't':
|
||||
do_time=1;
|
||||
break;
|
||||
@ -878,7 +888,7 @@ ipfw_main(ac,av)
|
||||
} else if (!strncmp(*av, "flush", strlen(*av))) {
|
||||
int do_flush = 0;
|
||||
|
||||
if ( do_force )
|
||||
if ( do_force || do_quiet )
|
||||
do_flush = 1;
|
||||
else {
|
||||
int c;
|
||||
@ -901,7 +911,8 @@ ipfw_main(ac,av)
|
||||
fprintf(stderr,"%s: setsockopt failed.\n",progname);
|
||||
exit(1);
|
||||
}
|
||||
printf("Flushed all rules.\n");
|
||||
if (!do_quiet)
|
||||
printf("Flushed all rules.\n");
|
||||
}
|
||||
} else if (!strncmp(*av, "zero", strlen(*av))) {
|
||||
zero(ac,av);
|
||||
@ -909,6 +920,9 @@ ipfw_main(ac,av)
|
||||
list(--ac,++av);
|
||||
} else if (!strncmp(*av, "list", strlen(*av))) {
|
||||
list(--ac,++av);
|
||||
} else if (!strncmp(*av, "show", strlen(*av))) {
|
||||
do_acct++;
|
||||
list(--ac,++av);
|
||||
} else {
|
||||
show_usage("Bad arguments");
|
||||
}
|
||||
@ -927,7 +941,7 @@ main(ac, av)
|
||||
int i;
|
||||
FILE *f;
|
||||
|
||||
strcpy(progname,*av);
|
||||
strncpy(progname,*av, sizeof(progname));
|
||||
|
||||
s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
|
||||
if ( s < 0 ) {
|
||||
|
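Review bot: `strncpy(progname,*av, sizeof(progname));` on the new side of the main() hunk does not NUL-terminate when the argument is sizeof(progname) bytes or longer, and progname is then printed with `%s` (the `fprintf(stderr,"%s: setsockopt failed.\n",progname)` lines in the zero and flush hunks), so the strcpy overflow is traded for a read past the end of the buffer. The same applies to `strncpy(rule.fw_via_name, *av, sizeof(rule.fw_via_name));` in the add() hunk, where the `for (q = rule.fw_via_name; ...)` loop on the next line scans fw_via_name until it finds a NUL. Either terminate explicitly after each copy, `progname[sizeof(progname) - 1] = '\0';` and `rule.fw_via_name[sizeof(rule.fw_via_name) - 1] = '\0';`, or use `snprintf(progname, sizeof progname, "%s", *av);` which always terminates (truncation of an over-long name is acceptable here). Whether show_usage() returns is not visible in the add() hunk; if it does, the new `if (!ac)` guard falls through to `**av` with no argument left, so the guard should be followed by an explicit `return` or exit. Both add() and main() continue outside their hunks.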