[PATCH] sbin/ip6fw bring in -n option
Sepherosa Ziehau
sepherosa at gmail.com
Sat Apr 23 03:20:37 PDT 2005
This patch is based on my previous WARNS 6 cleanup.
FreeBSD ip6fw.c:
1.1.2.9 -> 1.1.2.10
The -n option part is extracted and slightly changed, since I do not think
FreeBSD does the right thing in the portion I adjusted. We do not
need the other parts, since we have already done them.
The manpage is changed accordingly.
Best Regards
--
Live Free or Die
--- ip6fw.c 2005-04-24 02:05:46.000000000 +0800
+++ ip6fw.c 2005-04-24 01:55:04.000000000 +0800
@@ -89,6 +89,7 @@
int do_time=0; /* Show time stamps */
int do_quiet=0; /* Be quiet in add and flush */
int do_force=0; /* Don't ask for confirmation */
+int do_test=0; /* Don't load into Kernel */
struct icmpcode {
int code;
@@ -778,10 +779,13 @@
/* Rule number */
while (ac && isdigit(**av)) {
rule.fw_number = atoi(*av); av++; ac--;
- if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL,
- &rule, sizeof(rule)) < 0) {
- exitval = 1;
- warn("rule %u: setsockopt(IPV6_FW_DEL)", rule.fw_number);
+ if (!do_test) {
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL,
+ &rule, sizeof(rule)) < 0) {
+ exitval = 1;
+ warn("rule %u: setsockopt(IPV6_FW_DEL)",
+ rule.fw_number);
+ }
}
}
if (exitval != 0)
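Review bot: With -n the delete loop now does nothing except `atoi(*av)` on an argument whose first character alone was tested by `isdigit(**av)`, so an argument such as `12abc` or an out-of-range number passes the syntax check without complaint. Since -n is documented as a syntax check, parse the number with `strtoul(*av, &end, 10)` and reject it through show_usage() when `*end != '\0'` or the value does not fit fw_number (its type is not visible in this hunk). Passing `(unsigned char)**av` to isdigit() also avoids undefined behaviour on bytes above 0x7f. The per-rule zero loop in the @@ -1135 hunk uses the same parsing; the enclosing function starts and ends outside this hunk.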
@@ -1111,8 +1115,11 @@
if (!do_quiet)
show_ip6fw(&rule);
- if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule) < 0)
- err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ADD)");
+ if (!do_test) {
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD,
+ &rule, sizeof rule) < 0)
+ err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ADD)");
+ }
}
static void
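Review bot: Under -n without -q this path still calls `show_ip6fw(&rule)` and then returns silently, so the output is identical to a successful add although nothing reached the kernel. The zero and flush hunks print an explicit "not cleared" / "Rules not flushed." line in test mode; add should do the same so that an operator does not take the printed rule for an installed one, e.g. `else if (!do_quiet) printf("Rule not loaded.\n");` after the `if (!do_test) { ... }` block. The function body begins outside this hunk.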
@@ -1122,10 +1129,14 @@
if (!ac) {
/* clear all entries */
- if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
- err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ZERO)");
- if (!do_quiet)
- printf("Accounting cleared.\n");
+ if (!do_test) {
+ if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
+ err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ZERO)");
+ if (!do_quiet)
+ printf("Accounting cleared.\n");
+ } else if (!do_quiet) {
+ printf("Accounting not cleared.\n");
+ }
} else {
struct ip6_fw rule;
int failed = 0;
@@ -1135,13 +1146,19 @@
/* Rule number */
if (isdigit(**av)) {
rule.fw_number = atoi(*av); av++; ac--;
- if (setsockopt(s, IPPROTO_IPV6,
- IPV6_FW_ZERO, &rule, sizeof rule)) {
- warn("rule %u: setsockopt(IPV6_FW_ZERO)", rule.fw_number);
- failed = 1;
- } else if (!do_quiet)
- printf("Entry %d cleared\n",
- rule.fw_number);
+ if (!do_test) {
+ if (setsockopt(s, IPPROTO_IPV6,
+ IPV6_FW_ZERO, &rule, sizeof rule)) {
+ warn("rule %u: setsockopt(IPV6_FW_ZERO)", rule.fw_number);
+ failed = 1;
+ } else if (!do_quiet) {
+ printf("Entry %d cleared\n",
+ rule.fw_number);
+ }
+ } else if (!do_quiet) {
+ printf("Entry %d not cleared\n",
+ rule.fw_number);
+ }
} else
show_usage("invalid rule number ``%s''", *av);
}
@@ -1165,7 +1182,7 @@
/* Set the force flag for non-interactive processes */
do_force = !isatty(STDIN_FILENO);
- while ((ch = getopt(ac, av ,"afqtN")) != -1)
+ while ((ch = getopt(ac, av ,"afnqtN")) != -1)
switch(ch) {
case 'a':
do_acct=1;
@@ -1173,6 +1190,9 @@
case 'f':
do_force=1;
break;
+ case 'n':
+ do_test=1;
+ break;
case 'q':
do_quiet=1;
break;
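Review bot: Setting `do_test` only skips the setsockopt() calls; the socket `s` they use is opened somewhere outside this diff, presumably before the options are parsed. If that is the case, `ip6fw -n` still needs the privilege required to open that socket, so a ruleset cannot be syntax-checked by an unprivileged user. Consider deferring the socket creation until a command actually needs it, or state the requirement in the -n entry of ip6fw.8. The switch continues outside this hunk.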
@@ -1217,10 +1237,17 @@
do_flush = 1;
}
if ( do_flush ) {
- if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
- err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_FLUSH)");
- if (!do_quiet)
- printf("Flushed all rules.\n");
+ if (!do_test) {
+ if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_FLUSH,
+ NULL, 0) < 0) {
+ err(EX_UNAVAILABLE,
+ "setsockopt(IPV6_FW_FLUSH)");
+ }
+ if (!do_quiet)
+ printf("Flushed all rules.\n");
+ } else if (!do_quiet) {
+ printf("Rules not flushed.\n");
+ }
}
} else if (!strncmp(*av, "zero", strlen(*av))) {
zero(ac,av);
@@ -1244,8 +1271,8 @@
#define WHITESP " \t\f\v\n\r"
char buf[BUFSIZ];
char *a, *p, *args[MAX_ARGS], *cmd = NULL;
- char linename[10], q_opt[3];
- int i, c, lineno, qflag, pflag, status;
+ char linename[10], q_opt[3], n_opt[3];
+ int i, c, lineno, nflag, qflag, pflag, status;
FILE *f = NULL;
pid_t preproc = 0;
@@ -1261,11 +1288,12 @@
*/
strcpy(q_opt, "-q");
+ strcpy(n_opt, "-n");
if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
- qflag = pflag = i = 0;
+ nflag = qflag = pflag = i = 0;
lineno = 0;
- while ((c = getopt(ac, av, "D:U:p:q")) != -1)
+ while ((c = getopt(ac, av, "D:U:np:q")) != -1)
switch(c) {
case 'D':
if (!pflag)
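Review bot: `strcpy(n_opt, "-n")` fills the three-byte `n_opt[3]` declared in the previous hunk exactly, so the buffer size and the literal have to be kept in sync by hand. An initialised declaration, `char n_opt[] = "-n";`, lets the compiler size the array and removes the unchecked strcpy; the existing `q_opt` could be changed the same way. The option loop continues outside this hunk.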
@@ -1287,6 +1315,10 @@
args[i++] = optarg;
break;
+ case 'n':
+ nflag = 1;
+ break;
+
case 'p':
pflag = 1;
cmd = optarg;
@@ -1360,6 +1392,8 @@
i=1;
if (qflag)
args[i++] = q_opt;
+ if (nflag)
+ args[i++] = n_opt;
for (a = strtok(buf, WHITESP);
a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
args[i] = a;
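Review bot: The token loop stops at `i < MAX_ARGS` without reporting it, and the new `n_opt` slot takes one more entry away from the rule text. A line with more tokens than fit is then checked (or, without -n, loaded) in truncated form, which for a firewall rule can mean that a trailing restriction is dropped. After the loop, reject the line when `a` is still non-NULL, e.g. `if (a != NULL) errx(EX_DATAERR, "%s: too many arguments", linename);`. The rest of the per-line handling is outside this hunk.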
Index: ip6fw.8
===================================================================
RCS file: /opt/df_cvs/src/sbin/ip6fw/ip6fw.8,v
retrieving revision 1.3
diff -u -r1.3 ip6fw.8
--- ip6fw.8 8 Aug 2003 04:18:38 -0000 1.3
+++ ip6fw.8 23 Apr 2005 10:13:29 -0000
@@ -39,7 +39,7 @@
.Nd controlling utility for IPv6 firewall
.Sh SYNOPSIS
.Nm
-.Op Fl q
+.Op Fl nq
.Oo
.Fl p Ar preproc
.Oo Fl D
@@ -49,13 +49,15 @@
.Oc
.Ar pathname
.Nm
+.Op Fl n
.Op Fl f | Fl q
flush
.Nm
-.Op Fl q
+.Op Fl nq
zero
.Op Ar number ...
.Nm
+.Op Fl n
delete
.Ar number ...
.Nm
@@ -67,7 +69,7 @@
show
.Op Ar number ...
.Nm
-.Op Fl q
+.Op Fl nq
add
.Op Ar number
.Ar action
@@ -182,6 +184,9 @@
(ie; flush).
.Ar Note ,
if there is no tty associated with the process, this is implied.
+.It Fl n
+Only check syntax of the command strings,
+without actually passing them into the kernel.
.It Fl q
While adding, zeroing or flushing, be quiet about actions (implies '-f').
This is useful for adjusting rules by executing multiple ip6fw commands in a