From alex@cichlids.com  Fri May 26 05:00:08 2000
Return-Path: <alex@cichlids.com>
Received: from mail.surf1.de (mail.surf1.de [194.25.165.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id C0DC237BA96; Fri, 26 May 2000 05:00:06 -0700 (PDT)
	(envelope-from alex@cichlids.com)
Received: from cichlids.com (p3E9D38A5.dip0.t-ipconnect.de [62.157.56.165])
	by mail.surf1.de (8.9.3/8.9.3) with ESMTP id NAA03443;
	Fri, 26 May 2000 13:59:40 +0200
Received: from cichlids.cichlids.com (cichlids.cichlids.com [192.168.0.10])
	by cichlids.com (Postfix) with ESMTP
	id 74116AC30; Fri, 26 May 2000 14:00:11 +0200 (CEST)
Received: (from root@localhost)
	by cichlids.cichlids.com (8.9.3/8.9.3) id OAA07787;
	Fri, 26 May 2000 14:00:05 +0200 (CEST)
	(envelope-from alex)
Message-Id: <200005261200.OAA07787@cichlids.cichlids.com>
Date: Fri, 26 May 2000 14:00:05 +0200 (CEST)
From: alex@big.endian.de
Sender: alex@cichlids.com
To: FreeBSD-gnats-submit@freebsd.org
Cc: billf@freebsd.org
Subject: add IP_FW_GETRULE to ipfw, in order to get single rules
X-Send-Pr-Version: 3.2

>Number:         18830
>Category:       kern
>Synopsis:       add IP_FW_GETRULE to ipfw, in order to get single rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    luigi
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 26 05:10:01 PDT 2000
>Closed-Date:    Mon Sep 3 13:35:06 PDT 2001
>Last-Modified:  Mon Sep 03 13:36:59 PDT 2001
>Originator:     Alexander Langer
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
none
>Environment:


>Description:

While IP_FW_GET gets the complete chain, which is complete overhead for
some stuff, IP_FW_GETRULE gets only a single rule.
That makes stuff much easier.

In fact, on billf's and ps's request I have implemented ipfw move and ipfw swap
in order to move/swap rules. These use IP_FW_GETRULE:

root:~ $ ipfw show 200 ; ipfw move 200 300 ; ipfw show 300
00200 16 3217 allow tcp from any to any
00200 allow tcp from any to any
00300  0    0 allow tcp from any to any

>How-To-Repeat:


>Fix:

cvs diff: Diffing .
Index: in.h
===================================================================
RCS file: /home/ncvs/src/sys/netinet/in.h,v
retrieving revision 1.49
diff -u -r1.49 in.h
--- in.h	2000/05/06 18:19:58	1.49
+++ in.h	2000/05/25 19:48:11
@@ -337,6 +337,7 @@
 #define	IP_FW_ZERO    		53   /* clear single/all firewall counter(s) */
 #define	IP_FW_GET     		54   /* get entire firewall rule chain */
 #define	IP_FW_RESETLOG		55   /* reset logging counters */
+#define	IP_FW_GETRULE		56   /* get a single rule */
 
 #define	IP_DUMMYNET_CONFIGURE	60   /* add/configure a dummynet pipe */
 #define	IP_DUMMYNET_DEL		61   /* delete a dummynet pipe from chain */
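Review bot: the comment on the new IP_FW_GETRULE constant, "get a single rule", overstates what the handler in ip_fw.c delivers: ipfw rule numbers are not unique in the chain, and the handler copies out only the first entry carrying the requested number, so either the comment should say `/* get first rule with a given number */` or the option should be specified (and implemented) to return every rule with that number. Placing the value at 56, in the gap between IP_FW_RESETLOG (55) and IP_DUMMYNET_CONFIGURE (60), is fine.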
Index: ip_fw.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_fw.c,v
retrieving revision 1.135
diff -u -r1.135 ip_fw.c
--- ip_fw.c	2000/05/23 20:38:16	1.135
+++ ip_fw.c	2000/05/26 11:52:34
@@ -1818,6 +1818,23 @@
 		}
 		break;
 
+	case IP_FW_GETRULE:
+		error = sooptcopyin(sopt, &frwl, sizeof frwl, sizeof frwl);
+		if (error)
+			break;
+		for (fcp = LIST_FIRST(&ip_fw_chain);
+			fcp && fcp->rule && fcp->rule->fw_number != frwl.fw_number;
+			fcp = LIST_NEXT(fcp, chain))
+			; /* nothing */
+
+		if (!(fcp || fcp->rule)) {
+			error = EINVAL;
+			break;
+		}
+		memcpy(&frwl, fcp->rule, sizeof frwl);
+		error = sooptcopyout(sopt, &frwl, sizeof frwl);
+		break;
+
 	default:
 		printf("ip_fw_ctl invalid option %d\n", sopt->sopt_name);
 		error = EINVAL ;
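Review bot: the not-found test `if (!(fcp || fcp->rule))` is inverted and is a kernel NULL dereference. When the walk runs off the end of ip_fw_chain, fcp is NULL, the `||` does not short-circuit, and `fcp->rule` is evaluated on a NULL pointer, so any caller that can issue this getsockopt with a rule number that does not exist panics the kernel; when fcp is non-NULL the condition is always false, so the EINVAL branch is dead code. It must be `if (!(fcp && fcp->rule))`, as the follow-up message concedes. Second, the loop stops at the first entry whose fw_number matches, so with several rules sharing a number only the first is copied out; either document that limitation next to the option or iterate and copy every match, as IP_FW_GET does for the whole chain. Minor: ENOENT describes "no such rule" better than EINVAL, which this switch already uses for an invalid option name. The sooptcopyin with both minimum and maximum set to `sizeof frwl` is correct for a fixed-size request.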

Index: raw_ip.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/raw_ip.c,v
retrieving revision 1.64
diff -u -r1.64 raw_ip.c
--- raw_ip.c	1999/12/22 19:13:23	1.64
+++ raw_ip.c	2000/05/25 20:29:13
@@ -261,6 +261,7 @@
 			break;
 
 		case IP_FW_GET:
+		case IP_FW_GETRULE:
 			if (ip_fw_ctl_ptr == 0)
 				error = ENOPROTOOPT;
 			else
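Review bot: routing IP_FW_GETRULE through the same case as IP_FW_GET in the getsockopt switch is the right place for a read-only option, and it inherits the ENOPROTOOPT fallback when ip_fw_ctl_ptr is unset as well as whatever access check applies to IP_FW_GET, so nobody who cannot already read the whole chain gains anything from it. What the patch does not include is its consumer: the description says `ipfw move` and `ipfw swap` were implemented on top of this option, but no sbin/ipfw change or manual page update is in the diff, so the kernel interface cannot be reviewed together with the userland code that defines how it is used (in particular how it is meant to behave with duplicate rule numbers).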

>Release-Note:
>Audit-Trail:

From: Alexander Langer <alex@big.endian.de>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Cc:  
Subject: Re: kern/18830: add IP_FW_GETRULE to ipfw, in order to get single rules
Date: Fri, 26 May 2000 14:21:16 +0200

 Thus spake alex@big.endian.de (alex@big.endian.de):
 
 > +		if (!(fcp || fcp->rule)) {
 > +			error = EINVAL;
 > +			break;
 > +		}
 
 Of _course_, that must be !(fcp && fcp->rule)
 
 (urks, boolean logic...)
 
 Alex
 
 -- 
 I need a new ~/.sig.
 
State-Changed-From-To: open->feedback 
State-Changed-By: green 
State-Changed-When: Thu Jun 1 14:49:18 PDT 2000 
State-Changed-Why:  
There are a couple problems I have with it.  The big problem is that 
you don't copy the entire chain of a specific rule number out, but only 
the very first one. 


http://www.freebsd.org/cgi/query-pr.cgi?pr=18830 
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: luigi 
Responsible-Changed-When: Sun Feb 11 15:25:27 PST 2001 
Responsible-Changed-Why:  
I am working on the code... but the proposed patch is not general enough, 
as you can have multiple rules with the same number, and the 
proposed patch does not support that case well. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=18830 
State-Changed-From-To: feedback->closed 
State-Changed-By: luigi 
State-Changed-When: Mon Sep 3 13:35:06 PDT 2001 
State-Changed-Why:  
The more I think of it, the more I find it unnecessary to 
grab single ipfw rules from the kernel. This can be done 
very easily in userland (ipfw|grep) and besides the 
proposed patch does not work when there are multiple rules with 
the same rule number. 


http://www.FreeBSD.org/cgi/query-pr.cgi?pr=18830 
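The lookup in the ip_fw.c hunk, and the objection raised in the audit trail that rule numbers are not unique, as an added userland model written for this page. This is not kernel code and not part of the submitted patch: `struct fw_rule` and the hand-built `chain_entry` list are simplified stand-ins for the kernel's `struct ip_fw` and the LIST-based `ip_fw_chain`, and the sample chain is constructed, with rule 200 added twice the way two `ipfw add 200 ...` commands would. `getrule_first` is the patched handler with the `||` corrected to `&&`; `getrule_all` is what a single-number getter would have to do instead.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for the kernel's struct ip_fw (assumption, not the real layout). */
struct fw_rule {
    uint16_t fw_number;   /* rule number; several rules may share one */
    uint64_t fw_pcnt;     /* packet counter */
    uint64_t fw_bcnt;     /* byte counter */
    const char *body;     /* rule text, e.g. "allow tcp from any to any" */
};

/* Stand-in for the kernel's LIST entry: rule may be NULL, as the loop in the patch allows. */
struct chain_entry {
    struct fw_rule *rule;
    struct chain_entry *next;
};

/* Constructed sample chain: rule 200 appears twice. */
static struct fw_rule r100   = { 100,   5,  420, "allow ip from any to any via lo0" };
static struct fw_rule r200a  = { 200,  16, 3217, "allow tcp from any to any" };
static struct fw_rule r200b  = { 200,   0,    0, "allow udp from any to any" };
static struct fw_rule r65535 = { 65535, 3,  180, "deny ip from any to any" };

static struct chain_entry e4 = { &r65535, NULL };
static struct chain_entry e3 = { &r200b, &e4 };
static struct chain_entry e2 = { &r200a, &e3 };
static struct chain_entry e1 = { &r100, &e2 };
static struct chain_entry *ip_fw_chain = &e1;

/*
 * The patch's IP_FW_GETRULE walk with the corrected not-found check.
 * Copies the FIRST rule numbered `number` into *out and returns 0,
 * or returns EINVAL (the errno the patch chose) when there is none.
 */
int getrule_first(const struct chain_entry *chain, uint16_t number, struct fw_rule *out)
{
    const struct chain_entry *fcp;

    for (fcp = chain;
         fcp && fcp->rule && fcp->rule->fw_number != number;
         fcp = fcp->next)
        ; /* nothing */

    /* The submitted hunk wrote !(fcp || fcp->rule): with fcp == NULL that dereferences NULL. */
    if (!(fcp && fcp->rule))
        return EINVAL;

    memcpy(out, fcp->rule, sizeof *out);
    return 0;
}

/*
 * What a correct single-number getter has to do: rule numbers are not unique,
 * so copy every rule carrying `number`. Returns the total number of matches and
 * copies at most `max` of them into out[].
 */
size_t getrule_all(const struct chain_entry *chain, uint16_t number,
                   struct fw_rule *out, size_t max)
{
    size_t n = 0;
    const struct chain_entry *fcp;

    for (fcp = chain; fcp && fcp->rule; fcp = fcp->next) {
        if (fcp->rule->fw_number != number)
            continue;
        if (n < max)
            memcpy(&out[n], fcp->rule, sizeof *out);
        n++;
    }
    return n;
}

int main(void)
{
    struct fw_rule r, all[4];
    size_t n;

    if (getrule_first(ip_fw_chain, 200, &r) == 0)
        printf("first rule 200: %s (%llu pkts)\n", r.body, (unsigned long long)r.fw_pcnt);
    if (getrule_first(ip_fw_chain, 300, &r) == EINVAL)
        printf("rule 300: not found, EINVAL returned instead of a NULL dereference\n");
    n = getrule_all(ip_fw_chain, 200, all, 4);
    printf("rules numbered 200 in the chain: %zu\n", n);
    return 0;
}
```

The second function is the behaviour green and luigi asked for: a caller that wants "rule 200" gets both entries, which is also what `ipfw show | grep '^00200'` returns in userland.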
>Unformatted:
