From lyndon@orthanc.ab.ca  Sun May 14 12:40:47 2000
Return-Path: <lyndon@orthanc.ab.ca>
Received: from orthanc.ab.ca (orthanc.ab.ca [207.167.3.130])
	by hub.freebsd.org (Postfix) with ESMTP id 162AA37B6F8
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 14 May 2000 12:40:46 -0700 (PDT)
	(envelope-from lyndon@orthanc.ab.ca)
Received: (from lyndon@localhost)
	by orthanc.ab.ca (8.10.0.Beta11/8.10.0.Beta6) id e4EJeim48039;
	Sun, 14 May 2000 13:40:44 -0600 (MDT)
Message-Id: <200005141940.e4EJeim48039@orthanc.ab.ca>
Date: Sun, 14 May 2000 13:40:44 -0600 (MDT)
From: Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Reply-To: lyndon@orthanc.ab.ca
To: FreeBSD-gnats-submit@freebsd.org
Subject: ipfw list|show too verbose (+FIX)
X-Send-Pr-Version: 3.2

>Number:         18550
>Category:       bin
>Synopsis:       ipfw list|show always shows dynamic rules (+FIX)
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 14 12:50:01 PDT 2000
>Closed-Date:    Tue Nov 27 05:40:38 PST 2001
>Last-Modified:  Tue Nov 27 05:41:55 PST 2001
>Originator:     Lyndon Nerenberg
>Release:        FreeBSD 4.0-STABLE i386
>Organization:
The Frobozz Magic Homing Pigeon Company
>Environment:

Any ipfw configuration using dynamic rules (keep-state).

>Description:

If you use dynamic firewall rules (via keep-state), when listing rules
you always see the dynamic rules. There should be an option to suppress
printing of those rules.

Also, when issuing 'ipfw list|show <rulenumber>' you also see all the
dynamic rules. This seems to violate POLA: if I'm asking for one
rule, I really only want to see that rule, and not all the dynamic
rules.

>How-To-Repeat:

>Fix:

The attached patch adds a -d flag that suppresses printing of
dynamic rules. It also modifies the behaviour of the list and
show subcommands to not display the dynamic rules if the subcommand
specifies a rule number.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	ipfw.diff
#
echo x - ipfw.diff
sed 's/^X//' >ipfw.diff << 'END-of-ipfw.diff'
X--- ipfw.c	2000/05/11 23:02:35	1.1
X+++ ipfw.c	2000/05/11 23:19:43
X@@ -69,6 +69,7 @@
X int		do_force=0;			/* Don't ask for confirmation */
X int		do_pipe=0;                      /* this cmd refers to a pipe */
X int		do_sort=0;                      /* field to sort results (0=no) */
X+int             do_dynamic=1;			/* display dynamic rules */
X 
X struct icmpcode {
X 	int	code;
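Review bot: with `do_dynamic=1` as the default, the new `-d` flag can only ever remove output, so dynamic rules are shown unless the user opts out; consider the inverse (default 0, `-d` enables), which matches how the neighbouring listing flag `-a` (`do_acct=1`) adds information rather than hiding it. Also the new declaration is indented with spaces where the adjacent `do_force`, `do_pipe` and `do_sort` lines use a tab; match the surrounding style.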
X@@ -656,6 +657,7 @@
X 				warnx("invalid rule number: %s", *(av - 1));
X 				continue;
X 			}
X+			do_dynamic = 0;
X 			for (seen = n = 0; n < num; n++) {
X 				struct ip_fw *const r = &rules[n];
X 
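Review bot: `do_dynamic = 0;` is assigned unconditionally inside the per-rule-number loop, so once a rule number is given there is no way for the user to see the dynamic entries that were spawned from that rule; gate the assignment on the option instead of forcing it, so that a listing of a specific rule can still include its matching dynamic rules when asked for. Since the line sits inside the loop it is also re-executed for every number on the command line; hoisting it above the loop would make the intent clearer.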
X@@ -679,7 +681,7 @@
X         /*
X          * show dynamic rules
X          */
X-        if (num * sizeof (rules[0]) != nbytes ) {
X+        if (do_dynamic && num * sizeof (rules[0]) != nbytes ) {
X             struct ipfw_dyn_rule *d =
X                     (struct ipfw_dyn_rule *)&rules[num] ;
X             struct in_addr a ;
X@@ -1791,13 +1793,16 @@
X 	do_force = !isatty(STDIN_FILENO);
X 
X 	optind = optreset = 1;
X-	while ((ch = getopt(ac, av, "s:afqtN")) != -1)
X+	while ((ch = getopt(ac, av, "s:adfqtN")) != -1)
X 	switch(ch) {
X 		case 's': /* sort */
X 			do_sort= atoi(optarg);
X 			break;
X 		case 'a':
X 			do_acct=1;
X+			break;
X+	        case 'd':
X+		        do_dynamic=0;
X 			break;
X 		case 'f':
X 			do_force=1;
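Review bot: the added `case 'd':` and `do_dynamic=0;` lines are indented with a tab followed by spaces, while every surrounding case uses tabs only; match the existing indentation. The change to the getopt string `"s:adfqtN"` is consistent with the new case, so no further handling is missing in this hunk.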
X--- ipfw.8	2000/05/11 23:27:51	1.1
X+++ ipfw.8	2000/05/11 23:28:08
X@@ -31,7 +31,7 @@
X .Op Ar number ...
X .Nm ipfw
X .Op Fl s Op Ar field
X-.Op Fl aftN
X+.Op Fl adftN
X .Es \&{ \&}
X .En Cm list | show
X .Op Ar number ...
X@@ -146,6 +146,8 @@
X See also the
X .Cm show
X command.
X+.It Fl d
X+While listing, do not print the dynamic rules.
X .It Fl f
X Don't ask for confirmation for commands that can cause problems
X if misused,
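Review bot: the `.It Fl d` text documents only the explicit flag, but the ipfw.c change also suppresses dynamic rules automatically whenever `list` or `show` is given a rule number; that implicit behaviour should be stated here (or under the `list`/`show` description) so a reader understands why dynamic entries disappear even without `-d`.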
END-of-ipfw.diff
exit




>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: johan 
Responsible-Changed-When: Thu Aug 24 05:40:37 PDT 2000 
Responsible-Changed-Why:  
Over to ipfw maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18550 
Responsible-Changed-From-To: luigi->dwmalone 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Fri May 18 12:13:43 PDT 2001 
Responsible-Changed-Why:  
Luigi - the patch in this PR looks sensible. I'll test it and commit it 
if you have no objections. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18550 

From: Dag-Erling Smorgrav <des@ofug.org>
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: bin/18550
Date: 31 May 2001 21:30:02 +0200

 There are a couple of problems with this patch:
 
  - the default should be to *not* list dynamic rules, and the -d
    option should enable showing them.
 
  - when dynamic rules are shown, rules with a ttl of 0 should be
    omitted unless an additional option is specified (or -d is
    specified twice); they're mostly just noise.
 
  - when a specific rule is requested and the -d option is specified,
    dynamic rules matching the specified rule number *should* be shown.
 
 Expect a patch shortly.
 
 DES
 -- 
 Dag-Erling Smorgrav - des@ofug.org
State-Changed-From-To: open->feedback 
State-Changed-By: des 
State-Changed-When: Wed Jun 13 08:39:31 PDT 2001 
State-Changed-Why:  
Fixed in -CURRENT, awaiting MFC. 


Responsible-Changed-From-To: dwmalone->des 
Responsible-Changed-By: des 
Responsible-Changed-When: Wed Jun 13 08:39:31 PDT 2001 
Responsible-Changed-Why:  
I'll handle the MFC. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18550 
State-Changed-From-To: feedback->closed 
State-Changed-By: des 
State-Changed-When: Tue Nov 27 05:40:38 PST 2001 
State-Changed-Why:  
Josef Karthauser MFCed this a month ago. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18550 
>Unformatted:
