From danestad@anestad.com  Tue Apr 23 09:02:29 2002
Return-Path: <danestad@anestad.com>
Received: from anestad.com (pcp01510738pcs.malvrn01.pa.comcast.net [68.82.131.80])
	by hub.freebsd.org (Postfix) with ESMTP id C5E9A37B417
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 23 Apr 2002 09:02:28 -0700 (PDT)
Received: from anestad.com (anestad.com [64.67.201.200])
	by anestad.com (8.12.3/8.12.2) with ESMTP id g3NG2su9046809
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 23 Apr 2002 12:02:54 -0400 (EDT)
	(envelope-from danestad@anestad.com)
Received: (from danestad@localhost)
	by anestad.com (8.12.3/8.12.3/Submit) id g3NG2ngS046808;
	Tue, 23 Apr 2002 12:02:49 -0400 (EDT)
Message-Id: <200204231602.g3NG2ngS046808@anestad.com>
Date: Tue, 23 Apr 2002 12:02:49 -0400 (EDT)
From: Douglas Anestad <yotta@anestad.com>
Reply-To: Douglas Anestad <yotta@anestad.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject:
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37381
>Category:       bin
>Synopsis:       add 'not me' to ipfw for src and dst
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 23 09:10:01 PDT 2002
>Closed-Date:    Sun May 05 20:13:49 PDT 2002
>Last-Modified:  Sun May 05 20:13:49 PDT 2002
>Originator:     Douglas Anestad
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
>Environment:
System: FreeBSD anestad.com 4.5-STABLE FreeBSD 4.5-STABLE #0: Fri Apr 19 09:52:43 EDT 2002 root@anestad.com:/usr/obj/usr/src/sys/ANESTAD i386

>Description:

Change ipfw to allow [not] me in addition to me for the src and dst.

In other words, from the man perspective, change
     src and dst:
             any | me | [not] <address/mask> [ports]
to
     src and dst:
             any | [not] me | [not] <address/mask> [ports]             

If you use ipfw with no parameters, it tells you the following: 
    src: from [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
which implies that you can use not for me in addition to ip, which
is currently incorrect.  'not any' is the same as saying false, which means
never use this rule, and is of little practical value.
    
>How-To-Repeat:
>Fix:

Added support for not me in:
	sbin/ipfw/ipfw.c
	sbin/ipfw/ipfw.8
	sys/netinet/ip_fw.c
for the FreeBSD 4.5-STABLE source branch synced as of April 23, 2002

Patches are below:
diff -c sbin/ipfw/ipfw.c sbin/ipfw/ipfw.c.new
diff -c sbin/ipfw/ipfw.8 sbin/ipfw/ipfw.8.new
diff -c sys/netinet/ip_fw.c sys/netinet/ip_fw.new

-------------------------- cut here ---------------------------

*** sbin/ipfw/ipfw.c	Thu Nov 22 17:29:01 2001
--- sbin/ipfw/ipfw.c.new	Wed Feb 13 19:37:31 2002
***************
*** 275,286 ****
  	else
  		printf(" %u", chain->fw_prot);
  
  	if (chain->fw_flg & IP_FW_F_SME) {
! 		printf(" from me");
  	} else {
- 		printf(" from %s",
- 		    chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
- 
  		adrt = ntohl(chain->fw_smsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
  			adrt = (chain->fw_src.s_addr);
--- 275,285 ----
  	else
  		printf(" %u", chain->fw_prot);
  
+ 	printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
+ 
  	if (chain->fw_flg & IP_FW_F_SME) {
! 		printf("me");
  	} else {
  		adrt = ntohl(chain->fw_smsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
  			adrt = (chain->fw_src.s_addr);
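Review bot: the listing side now prints `not me`, but nothing in this patch touches the parsing side of ipfw.c; the usage text quoted in the description already advertises `from [not] {me|any|ip...}`, so confirm that the parser sets IP_FW_F_INVSRC when `not` precedes `me`, otherwise `ipfw list` output will not round-trip through `ipfw add`. Moving `printf(" from %s", ... ? "not " : "")` ahead of the IP_FW_F_SME test is the right fix on the display side; `printf("me")` without a leading space depends on that ordering, which is fine while the two calls stay adjacent.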
***************
*** 321,331 ****
  		}
  	}
  
  	if (chain->fw_flg & IP_FW_F_DME) {
! 		printf(" to me");
  	} else {
- 		printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
- 
  		adrt = ntohl(chain->fw_dmsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
  			adrt = (chain->fw_dst.s_addr);
--- 320,330 ----
  		}
  	}
  
+ 	printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
+ 
  	if (chain->fw_flg & IP_FW_F_DME) {
! 		printf("me");
  	} else {
  		adrt = ntohl(chain->fw_dmsk.s_addr);
  		if (adrt == ULONG_MAX && do_resolv) {
  			adrt = (chain->fw_dst.s_addr);
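Review bot: same shape as the src hunk and correct for the same reason. The src and dst blocks are now identical apart from SME/DME and INVSRC/INVDST (the originals already differed only in how the `printf` was wrapped); if this is reworked for the newer ipfw, a small helper taking the two flag bits would keep the two paths from drifting.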


-------------------------- cut here ---------------------------


*** sbin/ipfw/ipfw.8	Tue Apr 23 11:39:01 2002
--- sbin/ipfw/ipfw.8.new	Tue Apr 23 11:37:25 2002
***************
*** 474,480 ****
  .Cm all
  keywords mean any protocol will match.
  .It Ar src No and Ar dst :
! .Cm any | me | Op Cm not
  .Aq Ar address Ns / Ns Ar mask
  .Op Ar ports
  .Pp
--- 474,480 ----
  .Cm all
  keywords mean any protocol will match.
  .It Ar src No and Ar dst :
! .Cm any | Oo not Oc me | Op Cm not
  .Aq Ar address Ns / Ns Ar mask
  .Op Ar ports
  .Pp
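Review bot: `Oo not Oc me` drops the `Cm` font for both keywords: `.Cm` applies only to the arguments up to the next macro, so `not` and `me` would render in the default font while `any` and the second `not` are bold. Write `.Cm any | Oo Cm not Oc Cm me | Op Cm not`, matching the `Op Cm not` already on the line. The synopsis line is the only documentation change; a sentence saying what `not me` matches (a packet whose address is not one of the host's own interface addresses, per the ip_fw.c change) belongs with it.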

-------------------------- cut here ---------------------------

*** sys/netinet/ip_fw.c	Tue Apr 23 12:00:37 2002
--- sys/netinet/ip_fw.c.new	Tue Apr 23 11:49:35 2002
***************
*** 1230,1242 ****
  
  		if (f->fw_flg & IP_FW_F_SME) {
  			INADDR_TO_IFP(src_ip, tif);
! 			if (tif == NULL)
! 				continue;
  		}
  		if (f->fw_flg & IP_FW_F_DME) {
  			INADDR_TO_IFP(dst_ip, tif);
! 			if (tif == NULL)
! 				continue;
  		}
  		/* If src-addr doesn't match, not this rule. */
  		if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
--- 1230,1252 ----
  
  		if (f->fw_flg & IP_FW_F_SME) {
  			INADDR_TO_IFP(src_ip, tif);
! 			if (f->fw_flg & IP_FW_F_INVSRC) {
! 				if (tif != NULL)
! 					continue;
! 			} else {
! 				if (tif == NULL)
! 					continue;
! 			}
  		}
  		if (f->fw_flg & IP_FW_F_DME) {
  			INADDR_TO_IFP(dst_ip, tif);
! 			if (f->fw_flg & IP_FW_F_INVDST) {
! 				if (tif != NULL)
! 					continue;
! 			} else {
! 				if (tif == NULL)
! 					continue;
! 			}
  		}
  		/* If src-addr doesn't match, not this rule. */
  		if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
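Review bot: in the ip_fw.c hunk, setting IP_FW_F_INVSRC on a `me` rule also inverts the unconditional mask test that follows this block (`((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr & f->fw_smsk.s_addr) != f->fw_src.s_addr)`, visible in the trailing context). A `me` rule carries no address, so if fw_src/fw_smsk are left zero the right-hand operand is always false and the XOR is always true for `not me`: the rule would never match any packet, the same "always false" behaviour the description notes for `not any`. Either skip the mask comparison when IP_FW_F_SME (and, for the dst-addr test below, IP_FW_F_DME) is set, or have the parser mark `me` rules so the inversion is applied only once. Without that, the new `tif != NULL` branches are unreachable in practice.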
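As an added example that is not part of this PR or of FreeBSD, the source-address test from the ip_fw.c hunk modeled in user-space C together with the mask comparison that follows it in ip_fw_chk. Assumptions: the flag constants and the address table standing in for INADDR_TO_IFP() are invented for the model, and a rule built from `from me` is assumed to leave fw_src/fw_smsk zeroed, as `from any` does, since the command line supplies no address. The `gate_mask_on_sme` argument does not exist in the kernel; it shows the effect of skipping the mask test for `me` rules.

```c
/*
 * User-space model of the ipfw "me" / "not me" source test.
 * Added example, not FreeBSD code. Flag values, the local-address
 * table and the gate_mask_on_sme switch are assumptions of the model.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_FW_F_SME    0x01u  /* src is "me": a local interface address */
#define IP_FW_F_INVSRC 0x02u  /* "not" given before the src clause */

struct rule {
    unsigned flg;
    uint32_t fw_src, fw_smsk;   /* host byte order, 0/0 for "me" (assumed) */
};

/* Constructed stand-in for INADDR_TO_IFP(): addresses this host owns. */
static const uint32_t local_addrs[] = {
    0xC0A80101u,   /* 192.168.1.1 */
    0x0A000005u    /* 10.0.0.5   */
};

static int is_local(uint32_t ip)
{
    for (size_t i = 0; i < sizeof local_addrs / sizeof local_addrs[0]; i++)
        if (local_addrs[i] == ip)
            return 1;
    return 0;
}

/* 1 if the rule's src clause matches src_ip, 0 if the rule is skipped. */
static int src_matches(const struct rule *f, uint32_t src_ip, int gate_mask_on_sme)
{
    if (f->flg & IP_FW_F_SME) {
        int tif = is_local(src_ip);           /* INADDR_TO_IFP(src_ip, tif) */
        if (f->flg & IP_FW_F_INVSRC) {        /* patched branch: not me */
            if (tif) return 0;
        } else {                              /* original branch: me */
            if (!tif) return 0;
        }
        if (gate_mask_on_sme)                 /* corrected variant: done here */
            return 1;
    }
    /* The mask test that follows the SME/DME blocks unconditionally. */
    if (((f->flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip & f->fw_smsk) != f->fw_src))
        return 0;
    return 1;
}

/* Build "from me" / "from not me" as the parser would: no address given. */
static struct rule me_rule(int negate)
{
    struct rule r;
    memset(&r, 0, sizeof r);
    r.flg = IP_FW_F_SME | (negate ? IP_FW_F_INVSRC : 0u);
    return r;
}

int main(void)
{
    uint32_t local = 0xC0A80101u, remote = 0x08080808u;
    struct rule me = me_rule(0), notme = me_rule(1);

    printf("from me,     local src:                     %d\n", src_matches(&me, local, 0));
    printf("from me,     remote src:                    %d\n", src_matches(&me, remote, 0));
    printf("from not me, remote src, patch as posted:   %d\n", src_matches(&notme, remote, 0));
    printf("from not me, remote src, mask test gated:   %d\n", src_matches(&notme, remote, 1));
    printf("from not me, local src,  mask test gated:   %d\n", src_matches(&notme, local, 1));
    return 0;
}
```

Run as is, the model prints 1, 0, 0, 1, 0: `from me` behaves as before the patch, `from not me` with the patch as posted never matches a remote source because the inverted mask test rejects it, and skipping the mask test for `me` rules restores the intended meaning.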
>Release-Note:
>Audit-Trail:

From: Doug Anestad <doug@anestad.com>
To: <freebsd-gnats-submit@freebsd.org>, <yotta@anestad.com>
Cc:  
Subject: Re: bin/37381:
Date: Tue, 23 Apr 2002 12:13:52 -0400

 Please change Synopsis to "Add not me to ipfw for src and dst"
 

From: Doug Anestad <doug@anestad.com>
To: <freebsd-gnats-submit@freebsd.org>, <yotta@anestad.com>
Cc:  
Subject: Re: bin/37381: add 'not me' to ipfw for src and dst
Date: Sun, 05 May 2002 18:49:38 -0400

 Please close this and link to pr 37778.
 
 37778 has a newer version of the patch which will work with the newest
 version of ipfw.
 
State-Changed-From-To: open->closed 
State-Changed-By: johan 
State-Changed-When: Sun May 5 20:12:11 PDT 2002 
State-Changed-Why:  
Superseded by PR 37778. 

In the future, send new versions of patches as follow-ups 
to the original PR, please. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37381 
>Unformatted:
