From danestad@anestad.com  Sun May  5 15:25:43 2002
Return-Path: <danestad@anestad.com>
Received: from anestad.com (pcp01510738pcs.malvrn01.pa.comcast.net [68.82.131.80])
	by hub.freebsd.org (Postfix) with ESMTP id BB7E337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Sun,  5 May 2002 15:25:42 -0700 (PDT)
Received: from anestad.com (anestad.com [64.67.201.200])
	by anestad.com (8.12.3/8.12.2) with ESMTP id g45MPhfr003193;
	Sun, 5 May 2002 18:25:43 -0400 (EDT)
	(envelope-from danestad@anestad.com)
Received: (from danestad@localhost)
	by anestad.com (8.12.3/8.12.3/Submit) id g45MPbHC003192;
	Sun, 5 May 2002 18:25:37 -0400 (EDT)
Message-Id: <200205052225.g45MPbHC003192@anestad.com>
Date: Sun, 5 May 2002 18:25:37 -0400 (EDT)
From: Douglas Anestad <yotta@anestad.com>
Reply-To: Douglas Anestad <yotta@anestad.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc: Douglas Anestad <yotta@anestad.com>
Subject: [PATCH] add 'not me' to ipfw for src and dst
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37778
>Category:       bin
>Synopsis:       [PATCH] add 'not me' to ipfw for src and dst
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 05 15:30:01 PDT 2002
>Closed-Date:    Mon May 13 06:06:13 PDT 2002
>Last-Modified:  Mon May 13 06:06:13 PDT 2002
>Originator:     Douglas Anestad
>Release:        FreeBSD 4.6-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD anestad.com 4.6-PRERELEASE FreeBSD 4.6-PRERELEASE #0: Sun May 5 09:17:51 EDT 2002 root@anestad.com:/usr/obj/usr/src/sys/ANESTAD i386

>Description:

Change ipfw to allow [not] me in addition to me for the src and dst.

In other words, from the man page's perspective, change
     src and dst:
             any | me | [not] <address/mask> [ports]
to
     src and dst:
             any | [not] me | [not] <address/mask> [ports]

If you use ipfw with no parameters, it tells you the following: 
    src: from [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
    dst: to [not] {me|any|ip[{/bits|:mask}]} [{port[-port]}, [port], ...]
which implies that you can use not for me in addition to ip, which
is currently incorrect.  not any is the same as saying false, which means
never use this rule, and is of little practical value.

>How-To-Repeat:
>Fix:

Added support for not me in:
	sbin/ipfw/ipfw.c
	sbin/ipfw/ipfw.8
	sys/netinet/ip_fw.c

Versions patched:
$FreeBSD: src/sbin/ipfw/ipfw.c,v 1.80.2.22 2001/11/22 22:29:01 luigi Exp $
$FreeBSD: src/sbin/ipfw/ipfw.8,v 1.63.2.23 2002/05/01 21:29:59 cjc Exp $
$FreeBSD: src/sys/netinet/ip_fw.c,v 1.131.2.33 2002/05/01 21:30:05 cjc Exp $

Patches are below:
diff -u sbin/ipfw/ipfw.c.orig sbin/ipfw/ipfw.c
diff -u sbin/ipfw/ipfw.8.orig sbin/ipfw/ipfw.8
diff -u sys/netinet/ip_fw.c.orig sys/netinet/ip_fw.c


--- sbin/ipfw/ipfw.c.orig       Wed Feb 13 16:09:42 2002
+++ sbin/ipfw/ipfw.c    Sun May  5 18:05:25 2002
@@ -275,12 +275,11 @@
        else
                printf(" %u", chain->fw_prot);
 
+       printf(" from %s", chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
+
        if (chain->fw_flg & IP_FW_F_SME) {
-               printf(" from me");
+               printf("me");
        } else {
-               printf(" from %s",
-                   chain->fw_flg & IP_FW_F_INVSRC ? "not " : "");
-
                adrt = ntohl(chain->fw_smsk.s_addr);
                if (adrt == ULONG_MAX && do_resolv) {
                        adrt = (chain->fw_src.s_addr);
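Review bot: this hunk only changes how a rule is printed; the parsing side of ipfw.c does not appear in the diff even though the PR lists ipfw.c as gaining `not me` support, so confirm that `not` followed by `me` already sets both IP_FW_F_INVSRC and IP_FW_F_SME on the rule (the usage text `from [not] {me|any|ip...}` quoted in the description suggests the tokenizer accepts it), otherwise the `from not me` this hunk now prints will not re-parse when the rule set is reloaded. Moving `printf(" from %s", ...)` ahead of the IP_FW_F_SME test is fine as long as nothing else is emitted between `from` and the address text.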
@@ -321,11 +320,11 @@
                }
        }
 
+       printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
+
        if (chain->fw_flg & IP_FW_F_DME) {
-               printf(" to me");
+               printf("me");
        } else {
-               printf(" to %s", chain->fw_flg & IP_FW_F_INVDST ? "not " : "");
-
                adrt = ntohl(chain->fw_dmsk.s_addr);
                if (adrt == ULONG_MAX && do_resolv) {
                        adrt = (chain->fw_dst.s_addr);
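Review bot: this is the same restructuring as the source half above, duplicated for IP_FW_F_DME/IP_FW_F_INVDST; consider a small helper that takes the `from`/`to` label and the two flags so the two copies cannot drift. The removed blank line and the blank line added after the new printf are cosmetic; the output is `to not me`, which matches the form the man-page hunk documents.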



--- sbin/ipfw/ipfw.8.orig       Sun May  5 17:56:15 2002
+++ sbin/ipfw/ipfw.8    Sun May  5 17:56:35 2002
@@ -474,7 +474,7 @@
 .Cm all
 keywords mean any protocol will match.
 .It Ar src No and Ar dst :
-.Cm any | me | Op Cm not
+.Cm any | Oo not Oc me | Op Cm not
 .Aq Ar address Ns / Ns Ar mask
 .Op Ar ports
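Review bot: in the new grammar line `not` inside `Oo ... Oc` carries no `Cm` marker while the following `Op Cm not` does, and `me` after `Oc` is outside the `.Cm` at the start of the line, so the rendered synopsis may style the two `not` keywords differently and leave `me` unstyled. Suggest `.Cm any | Oo Cm not Oc Cm me | Op Cm not` so it renders consistently with the `[not] {me|any|ip...}` usage text quoted in the description.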


--- sys/netinet/ip_fw.c.orig    Sun May  5 18:21:16 2002
+++ sys/netinet/ip_fw.c Sun May  5 18:21:58 2002
@@ -1230,13 +1230,23 @@
 
                if (f->fw_flg & IP_FW_F_SME) {
                        INADDR_TO_IFP(src_ip, tif);
-                       if (tif == NULL)
-                               continue;
+                       if (f->fw_flg & IP_FW_F_INVSRC) {
+                               if (tif != NULL)
+                                       continue;
+                       } else {
+                               if (tif == NULL)
+                                       continue;
+                       }
                }
                if (f->fw_flg & IP_FW_F_DME) {
                        INADDR_TO_IFP(dst_ip, tif);
-                       if (tif == NULL)
-                               continue;
+                       if (f->fw_flg & IP_FW_F_INVDST) {
+                               if (tif != NULL)
+                                       continue;
+                       } else {
+                               if (tif == NULL)
+                                       continue;
+                       }
                }
                /* If src-addr doesn't match, not this rule. */
                if (((f->fw_flg & IP_FW_F_INVSRC) != 0) ^ ((src_ip.s_addr
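Review bot: a `not me` rule can still be rejected by the generic source-address check at the end of the hunk: that `if` XORs IP_FW_F_INVSRC with the mask comparison, and this patch does nothing to fw_src/fw_smsk for an IP_FW_F_SME rule, so if they are left zero (as a `me` rule presumably leaves them) the comparison reports a match, the XOR with the set IP_FW_F_INVSRC bit becomes true, and the rule `continue`s even when the packet did not come from a local address. Either have the `me` branches bypass the address comparison, or clear IP_FW_F_INVSRC (and IP_FW_F_INVDST, for the presumably identical destination check that follows) before it when IP_FW_F_SME/IP_FW_F_DME is set. This looks like the "slightly incorrect" part mentioned when the PR was closed.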


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: johan 
Responsible-Changed-When: Mon May 6 19:21:41 PDT 2002 
Responsible-Changed-Why:  
over to ipfw maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37778 
State-Changed-From-To: open->closed 
State-Changed-By: luigi 
State-Changed-When: Mon May 13 06:05:36 PDT 2002 
State-Changed-Why:  
implemented in -current (the code in the patch was slightly incorrect). 
Thanks for the suggestion. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=37778 
>Unformatted:
