From eugen@grosbein.pp.ru  Fri Feb 15 16:57:12 2008
Return-Path: <eugen@grosbein.pp.ru>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id CCA6F16A419
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 15 Feb 2008 16:57:12 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (grgw.svzserv.kemerovo.su [213.184.64.166])
	by mx1.freebsd.org (Postfix) with ESMTP id D950B13C4DD
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 15 Feb 2008 16:57:11 +0000 (UTC)
	(envelope-from eugen@grosbein.pp.ru)
Received: from grosbein.pp.ru (localhost [127.0.0.1])
	by grosbein.pp.ru (8.14.2/8.14.2) with ESMTP id m1FGgHkx002039
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 15 Feb 2008 23:42:17 +0700 (KRAT)
	(envelope-from eugen@grosbein.pp.ru)
Received: (from eugen@localhost)
	by grosbein.pp.ru (8.14.2/8.14.2/Submit) id m1FGgGfQ002038;
	Fri, 15 Feb 2008 23:42:16 +0700 (KRAT)
	(envelope-from eugen)
Message-Id: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>
Date: Fri, 15 Feb 2008 23:42:16 +0700 (KRAT)
From: Eugene Grosbein <eugen@kuzbass.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [patch] [ipfw] unbreak POLA for ipfw table list
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         120720
>Category:       bin
>Synopsis:       [patch] [ipfw] unbreak POLA for ipfw table list
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ipfw
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 15 17:00:07 UTC 2008
>Closed-Date:    Mon Feb 18 11:52:42 PST 2008
>Last-Modified:  Sat Apr  5 07:10:01 UTC 2008
>Originator:     Eugene Grosbein
>Release:        FreeBSD 7.0-PRERELEASE i386
>Organization:
Svyaz-Service JSC
>Environment:
System: FreeBSD grosbein.pp.ru 7.0-PRERELEASE FreeBSD 7.0-PRERELEASE #7: Mon Feb 11 23:05:33 KRAT 2008 eu@grosbein.pp.ru:/usr/local/obj/usr/local/src/sys/DADV i386

>Description:
	The command "ipfw table 1 list" used to format table values
	associated with network addresses as 32-bit unsigned integers
	until 6.3-RELEASE. Since 6.3-RELEASE, it interprets values
	that are greater than 65535 as IP-addresses.

	This change breaks many existing applications that expect the format
	to be an integer, as it used to be since RELENG_4.
	This change is not even documented. So, it breaks POLA and should be
	corrected.	

>How-To-Repeat:

ipfw table 1 add 1.1.1.1 $(date +%s)
ipfw table 1 list

	This used to show something like "1.1.1.1/32 1203093427" before change
	but now it shows something like "1.1.1.1/32 71.181.191.179" instead.

>Fix:

	The following patch does three things:

	1) revert default behavour to match 6.2-RELEASE and earlier;
	2) offer new way to format value as IP with new switch "ipfw -i":
	
ipfw -i table 1 list

	3) document both variants in the ipfw(8) manual page.
	The patch applies to both of RELENG_6 and RELENG_7.


--- sbin/ipfw/ipfw.8.orig	2008-02-15 23:18:10.000000000 +0700
+++ sbin/ipfw/ipfw.8	2008-02-15 23:18:04.000000000 +0700
@@ -210,6 +210,12 @@
 if misused,
 .No i.e. Cm flush .
 If there is no tty associated with the process, this is implied.
+.It Fl i
+While
+.Cm list Ns ing table (see the
+.Sx LOOKUP TABLES
+section below for more information on lookup tables), format values
+as IP addresses. By default, values are shown as integers.
 .It Fl n
 Only check syntax of the command strings, without actually passing
 them to the kernel.
--- sbin/ipfw/ipfw2.c.orig	2008-02-15 17:26:53.000000000 +0700
+++ sbin/ipfw/ipfw2.c	2008-02-15 23:24:30.000000000 +0700
@@ -62,6 +62,7 @@
 #include <arpa/inet.h>
 
 int
+		do_value_as_ip,		/* show table value as IP */
 		do_resolv,		/* Would try to resolve all */
 		do_time,		/* Show time stamps */
 		do_quiet,		/* Be quiet in add and flush */
@@ -5028,7 +5029,7 @@
 			/* values < 64k are printed as numbers */
 			unsigned int tval;
 			tval = tbl->ent[a].value;
-			if (tval > 0xffff) {
+			if (do_value_as_ip) {
 			    char tbuf[128];
 			    strncpy(tbuf, inet_ntoa(*(struct in_addr *)
 				&tbl->ent[a].addr), 127);
@@ -5039,7 +5040,7 @@
 			} else {
 			    printf("%s/%u %u\n",
 			        inet_ntoa(*(struct in_addr *)&tbl->ent[a].addr),
-			        tbl->ent[a].masklen, tbl->ent[a].value);
+			        tbl->ent[a].masklen, tval);
 			}
 		}
 	} else
@@ -5148,7 +5149,7 @@
 	save_av = av;
 
 	optind = optreset = 0;
-	while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
+	while ((ch = getopt(ac, av, "abcdefhinNqs:STtv")) != -1)
 		switch (ch) {
 		case 'a':
 			do_acct = 1;
@@ -5180,6 +5181,10 @@
 			help();
 			break;	/* NOTREACHED */
 
+		case 'i':
+			do_value_as_ip = 1;
+			break;
+
 		case 'n':
 			test_only = 1;
 			break;


Eugene Grosbein
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Feb 15 21:43:17 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=120720 

From: "Vadim Goncharov" <vadim_nuclight@mail.ru>
To: "Eugene Grosbein" <eugen@kuzbass.ru>
Cc: bug-followup@freebsd.org, freebsd-ipfw@freebsd.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Mon, 18 Feb 2008 12:47:43 +0600

 In-Reply-To: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>	
 References: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>
 
 Hi Eugene Grosbein!
 
 On Fri, 15 Feb 2008 23:42:16 +0700 (KRAT); Eugene Grosbein  
 <eugen@kuzbass.ru> wrote:
 
 > The command "ipfw table 1 list" used to format table values
 > associated with network addresses as 32-bit unsigned integers
 > until 6.3-RELEASE. Since 6.3-RELEASE, it interprets values
 > that are greater than 65535 as IP-addresses.
 
 > This change breaks many existing applications that expect the format
 > to be an integer, as it used to be since RELENG_4.
 > This change is not even documented. So, it breaks POLA and should be
 > corrected.
 
 >> How-To-Repeat:
 
 > ipfw table 1 add 1.1.1.1 $(date +%s)
 > ipfw table 1 list
 
 > This used to show something like "1.1.1.1/32 1203093427" before change
 > but now it shows something like "1.1.1.1/32 71.181.191.179" instead.
 
 Confirming. This breaks UNIX-time using scripts for many systems and was
 introduced by ``ipfw fwd tablearg'' handling commit to 6.2-STABLE in May  
 2007.
 
 POLA should be unbroken as far as possible.
 
 -- 
 WBR, Vadim Goncharov. ICQ#166852181       mailto:vadim_nuclight@mail.ru
 [Moderator of RU.ANTI-ECOLOGY][FreeBSD][http://antigreen.org][LJ:/nuclight]

From: Julian Elischer <julian@elischer.org>
To: Vadim Goncharov <vadim_nuclight@mail.ru>
Cc: Eugene Grosbein <eugen@kuzbass.ru>, freebsd-ipfw@freebsd.org, 
 bug-followup@freebsd.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Mon, 18 Feb 2008 10:32:32 -0800

 Vadim Goncharov wrote:
 > In-Reply-To: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>   
 > References: <200802151642.m1FGgGfQ002038@grosbein.pp.ru>
 > 
 > Hi Eugene Grosbein!
 > 
 > On Fri, 15 Feb 2008 23:42:16 +0700 (KRAT); Eugene Grosbein 
 > <eugen@kuzbass.ru> wrote:
 > 
 >> The command "ipfw table 1 list" used to format table values
 >> associated with network addresses as 32-bit unsigned integers
 >> until 6.3-RELEASE. Since 6.3-RELEASE, it interprets values
 >> that are greater than 65535 as IP-addresses.
 > 
 >> This change breaks many existing applications that expect the format
 >> to be an integer, as it used to be since RELENG_4.
 >> This change is not even documented. So, it breaks POLA and should be
 >> corrected.
 > 
 >>> How-To-Repeat:
 > 
 >> ipfw table 1 add 1.1.1.1 $(date +%s)
 >> ipfw table 1 list
 > 
 >> This used to show something like "1.1.1.1/32 1203093427" before change
 >> but now it shows something like "1.1.1.1/32 71.181.191.179" instead.
 > 
 > Confirming. This breaks UNIX-time using scripts for many systems and was
 > introduced by ``ipfw fwd tablearg'' handling commit to 6.2-STABLE in May 
 > 2007.
 > 
 > POLA should be unbroken as far as possible.
 
 
 that was me..
 It is my memory that
 before that time tableargs were only used in 16 bit form.
 there were no users in ipfw of the full 32 bit field.
 
 I did not consider that someone would put a 32 bit number
 in there just to print it out again.
 (what would you do that for?)
 
 It shows that even if you were involved in writing code
 you can never predict what your users will do with it.
 
 I'll add an argument to force the interpretation.
 
State-Changed-From-To: open->closed 
State-Changed-By: julian 
State-Changed-When: Mon Feb 18 11:27:58 PST 2008 
State-Changed-Why:  
Patch committed to -current and scheduled for MFC. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=120720 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/120720: commit references a PR
Date: Mon, 18 Feb 2008 19:56:17 +0000 (UTC)

 julian      2008-02-18 19:56:10 UTC
 
   FreeBSD src repository
 
   Modified files:
     sbin/ipfw            ipfw.8 ipfw2.c 
   Log:
   Instead of using a heuristic to decide whether to display
   table 'values' as IP addresses, use an explicit argument (-i).
   This is a 'POLA' issue. This is a low risk change and should be MFC'd
   to RELENG_6 and RELENG 7. it might be put as an errata item for 6.3.
   (not sure about 6.2).
   
   Fix suggested by: Eugene Grosbein
   PR:     120720
   MFC After: 3 days
   
   Revision  Changes    Path
   1.209     +5 -0      src/sbin/ipfw/ipfw.8
   1.114     +9 -6      src/sbin/ipfw/ipfw2.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 

From: Eugene Grosbein <eugen@kuzbass.ru>
To: Julian Elischer <julian@elischer.org>
Cc: Vadim Goncharov <vadim_nuclight@mail.ru>, freebsd-ipfw@freebsd.org,
        bug-followup@freebsd.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Tue, 19 Feb 2008 11:10:37 +0700

 On Mon, Feb 18, 2008 at 10:32:32AM -0800, Julian Elischer wrote:
 
 > that was me..
 > It is my memory that
 > before that time tableargs were only used in 16 bit form.
 > there were no users in ipfw of the full 32 bit field.
 
 In RELENG_4, they are 32bit.
 
 > I did not consider that someone would put a 32 bit number
 > in there just to print it out again.
 > (what would you do that for?)
 
 It's very suitable for automatic time-bounded blocking.
 A trigger adds IP being blocked to ipfw table with 32-bit value
 that is "time-to-live" value for this table entry, and there is a rule
 like this:
 
 ipfw add 1000 deny ip from 'table(1)' to any
 
 Cron periodically runs another script that lists the table
 and removes entries with time in the past.
 
 Thank you for fixing that!
 
 Eugene Grosbein

From: Eugene Grosbein <eugen@kuzbass.ru>
To: bug-followup@freebsd.org
Cc: net@freebsd.org, julian@freebsd.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Fri, 4 Apr 2008 22:12:08 +0800

 Hi!
 
 This PR was closed 6 weeks ago and had a record "MFC After: 3 days".
 http://www.freebsd.org/cgi/query-pr.cgi?pr=120720
 
 There is still no MFC to RELENG_7 nor to RELENG_6 where POLA was broken.
 Please do it.
 
 Eugene Grosbein

From: Julian Elischer <julian@elischer.org>
To: bug-followup@FreeBSD.org, eugen@kuzbass.ru
Cc:  
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Fri, 04 Apr 2008 11:12:39 -0700

 The change has been MFC'd to RELENG_6 and RELENG_7
 

From: Eugene Grosbein <eugen@kuzbass.ru>
To: Julian Elischer <julian@elischer.org>
Cc: bug-followup@FreeBSD.org
Subject: Re: bin/120720: [patch] [ipfw] unbreak POLA for ipfw table list
Date: Sat, 5 Apr 2008 15:00:09 +0800

 On Fri, Apr 04, 2008 at 11:12:39AM -0700, Julian Elischer wrote:
 
 > The change has been MFC'd to RELENG_6 and RELENG_7
 
 Thank you!
>Unformatted:
