From alex@zen.nash.org  Sun May 12 12:41:23 1996
Received: from zen.nash.org (nash.pr.mcs.net [204.95.47.72])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id MAA09936
          Sun, 12 May 1996 12:41:12 -0700 (PDT)
Received: (from alex@localhost) by zen.nash.org (8.7.5/8.6.12) id OAA00746; Sun, 12 May 1996 14:40:28 -0500 (CDT)
Message-Id: <199605121940.OAA00746@zen.nash.org>
Date: Sun, 12 May 1996 14:40:28 -0500 (CDT)
From: Alex Nash <alex@zen.nash.org>
Reply-To: nash@mcs.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: phk@freebsd.org
Subject: IPFW configuration program
X-Send-Pr-Version: 3.2

>Number:         1193
>Category:       bin
>Synopsis:       Cleanup + ability to zero individual chain entries
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    alex
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 12 12:50:05 PDT 1996
>Closed-Date:    Sun Jun 9 16:48:48 PDT 1996
>Last-Modified:  Sun Jun  9 16:49:10 PDT 1996
>Originator:     Alex Nash
>Release:        FreeBSD 2.1-STABLE i386
>Organization:
>Environment:

-current and -stable systems that use ipfw.

>Description:

ipfw.c:

  Make it clear in usage display that multiple port ranges are not allowed.

  Added ability to zero a single accounting entry.  (See matching
  sys/netinet/ip_fw.c PR.)

  Spelling error corrected.

ipfw.8:

  Document ability to accept a specific entry when using 'ipfw zero.'

  Document the 'allow' option (I've placed allow first to agree with the
  ipfw.c usage display).

  Document the IP_FIREWALL_VERBOSE_LIMIT option, how it relates to
  the log keyword and packet counter clearing.

>How-To-Repeat:

N/A

>Fix:
	
--- ipfw.c	Sun May 12 13:28:12 1996
***************
*** 281,288 ****
  "\trule:\taction proto src dst extras...\n"
  "\t\taction: {allow|deny|reject|count} [log]\n"
  "\t\tproto: {ip|tcp|udp|icmp}}\n"
! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},...]\n"
! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},...]\n"
  "\textras:\n"
  "\t\tfragment\n"
  "\t\t{in|out|inout}\n"
--- 281,288 ----
  "\trule:\taction proto src dst extras...\n"
  "\t\taction: {allow|deny|reject|count} [log]\n"
  "\t\tproto: {ip|tcp|udp|icmp}}\n"
! "\t\tsrc: from {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
! "\t\tdst: to {any|ip[{/bits|:mask}]} [{port|port-port},[port],...]\n"
  "\textras:\n"
  "\t\tfragment\n"
  "\t\t{in|out|inout}\n"
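Review bot: the `proto` usage line kept as context in this hunk still carries an unbalanced closing brace (`{ip|tcp|udp|icmp}}`); since the usage text is being edited here anyway, drop the extra `}`. The new `[{port|port-port},[port],...]` form also does not make it obvious that only the first element may be a range, which is the point of this change; a short parenthetical such as "(only one port range per rule)" in the usage text, or a sentence in the man page, would state the restriction explicitly rather than leaving it to the bracket nesting.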
***************
*** 589,594 ****
--- 589,628 ----
  		err(1,"setsockopt(IP_FW_ADD)");
  }
  
+ void
+ zero (ac, av)
+ 	int ac;
+ 	char **av;
+ {
+ 	av++; ac--;
+ 
+ 	if (!ac) {
+ 		/* clear all entries */
+ 		if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) {
+ 			fprintf(stderr,"%s: setsockopt failed.\n",progname);
+ 			exit(1);
+ 		} 
+ 		printf("Accounting cleared.\n");
+ 	} else {
+ 		/* clear a specific entry */
+ 		struct ip_fw rule;
+ 		int i;
+ 
+ 		memset(&rule, 0, sizeof rule);
+ 
+ 		/* Rule number */
+ 		if (isdigit(**av)) {
+ 			rule.fw_number = atoi(*av); av++; ac--;
+ 
+ 			if (setsockopt(s, IPPROTO_IP, IP_FW_ZERO, &rule, sizeof rule))
+ 				err(1, "setsockopt(Zero)");
+ 		}
+ 		else {
+ 			show_usage("expected number");
+ 		}
+ 	}
+ }
+ 
  int
  ipfw_main(ac,av)
  	int 	ac;
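Review bot: the two branches of `zero()` report failure differently: the clear-all path uses `fprintf(stderr,"%s: setsockopt failed.\n",progname)` plus `exit(1)` and prints `Accounting cleared.` on success, while the single-entry path uses `err(1, "setsockopt(Zero)")` and prints nothing on success. Use one convention (the `err(1,"setsockopt(IP_FW_ZERO)")` form, matching `err(1,"setsockopt(IP_FW_ADD)")` in the surrounding context, also includes the errno text) and print a confirmation for the single-entry case too, so an operator can tell the counter was actually reset. Also, `atoi(*av)` accepts trailing junk such as `10x` and silently truncates out-of-range values before they land in `rule.fw_number`, and any arguments after the number are consumed by `av++; ac--;` but never examined; a `strtoul` with an end-pointer check plus `show_usage()` on leftover arguments would reject malformed input instead of zeroing an unintended entry. Finally, `isdigit(**av)` should be passed `(unsigned char)**av`, since plain `char` may be negative.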
***************
*** 632,642 ****
  		} 
  		printf("Flushed all rules.\n");
  	} else if (!strncmp(*av, "zero", strlen(*av))) {
! 		if (setsockopt(s,IPPROTO_IP,IP_FW_ZERO,NULL,0)<0) {
! 			fprintf(stderr,"%s: setsockopt failed.\n",progname);
! 			exit(1);
! 		} 
! 		printf("Accounting cleared.\n");
  	} else if (!strncmp(*av, "print", strlen(*av))) {
  		list(--ac,++av);
  	} else if (!strncmp(*av, "list", strlen(*av))) {
--- 666,672 ----
  		} 
  		printf("Flushed all rules.\n");
  	} else if (!strncmp(*av, "zero", strlen(*av))) {
! 		zero(ac,av);
  	} else if (!strncmp(*av, "print", strlen(*av))) {
  		list(--ac,++av);
  	} else if (!strncmp(*av, "list", strlen(*av))) {
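Review bot: `zero(ac,av)` is called with the command word still in place and shifts past it internally (`av++; ac--;`), whereas the neighbouring branch calls `list(--ac,++av)` and lets the callee receive only its own arguments; pick one convention for the new function so the dispatch code stays uniform and the next command added here does not have to guess.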
***************
*** 662,668 ****
  	s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
  	if ( s < 0 ) {
  		fprintf(stderr,"%s: Can't open raw socket.\n"
! 			"Must be root to use this programm. \n",progname);
  		exit(1);
  	}
  
--- 692,698 ----
  	s = socket( AF_INET, SOCK_RAW, IPPROTO_RAW );
  	if ( s < 0 ) {
  		fprintf(stderr,"%s: Can't open raw socket.\n"
! 			"Must be root to use this program. \n",progname);
  		exit(1);
  	}
  
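Review bot: the corrected line still has a stray space before the newline (`"Must be root to use this program. \n"`); since the string is being touched for the spelling fix, drop the space as well.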


--- ipfw.8	Sun May 12 13:44:42 1996
***************
*** 11,16 ****
--- 11,19 ----
  flush
  .Nm ipfw
  zero
+ .Oo
+ .Ar number
+ .Oc
  .Nm ipfw
  delete
  .Ar number
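Review bot: the synopsis now admits `ipfw zero [number]`, but nothing in the patch says in the DESCRIPTION what `number` is (the chain entry whose packet counter is cleared, per the PR synopsis) or that omitting it clears every entry. Add a sentence under the command description to go with the new `.Oo .Ar number .Oc`; the synopsis change alone does not deliver the "document ability to accept a specific entry" item in the PR description.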
***************
*** 79,89 ****
  .Pp
  .Ar action :
  .Bl -hang -offset flag -width 1234567890123456
! .It Nm accept
! Accept packets that match rule.
  The search terminates.
  .It Nm pass
! same as accept.
  .It Nm count
  update counters for all packets that match rule.
  The search continues with next rule.
--- 82,94 ----
  .Pp
  .Ar action :
  .Bl -hang -offset flag -width 1234567890123456
! .It Nm allow
! Allow packets that match rule.
  The search terminates.
  .It Nm pass
! same as allow.
! .It Nm accept
! same as allow.
  .It Nm count
  update counters for all packets that match rule.
  The search continues with next rule.
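Review bot: the two new synonym entries read `same as allow.` in lower case beside `Allow packets that match rule.`; capitalise them (`Same as allow.`) for consistency with the entry they point to. The ipfw.c usage string changed in this same PR lists only `{allow|deny|reject|count}`, so it is worth saying in the man page that `pass` and `accept` are accepted aliases that the usage display does not show, or adding them to the usage text.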
***************
*** 98,103 ****
--- 103,114 ----
  When a packet matches a rule with the
  .Nm log
  keyword, a message will be printed on the console.
+ If the kernel was compiled with the
+ .Nm IP_FIREWALL_VERBOSE_LIMIT
+ option, then logging will cease after the number of packets
+ specified by the option are recieved for that particular
+ chain entry.  Logging may then be re-enabled by clearing
+ the packet counter for that entry.
  .Pp
  .Ar proto :
  .Bl -hang -offset flag -width 1234567890123456
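Review bot: `recieved` on the fourth added line should be `received`, and `the number of packets specified by the option are recieved` should agree in number (`has been received`). It is also worth stating here that the counter can be cleared for a single entry with `ipfw zero number`, which this same PR adds: the sentence "Logging may then be re-enabled by clearing the packet counter for that entry" is the only pointer an administrator gets for restoring logging on a rule once the limit has been reached.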
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->alex 
Responsible-Changed-By: alex 
Responsible-Changed-When: Wed May 29 16:36:01 PDT 1996 
Responsible-Changed-Why:  
I now have a chance to fix the things I complained about :) 
State-Changed-From-To: open->closed 
State-Changed-By: alex 
State-Changed-When: Sun Jun 9 16:48:48 PDT 1996 
State-Changed-Why:  
Changes entered into -current under the following versions: 

src/sbin/ipfw.c:         1.25 
src/sys/netinet/ip_fw.c: 1.37 
src/sys/netinet/ip_fw.h: 1.20 

>Unformatted:
