[PATCH] sbin/ip6fw bring in -n option

Sepherosa Ziehau sepherosa at gmail.com
Sat Apr 23 03:20:37 PDT 2005


These patches are based on my previous WARNS 6 cleanup.

FreeBSD ip6fw.c:
1.1.2.9 -> 1.1.2.10

The -n option part is extracted and slightly changed, since I do not think
FreeBSD does the right thing in the portion I adjusted.  We do not
need the other parts, since we have already done them.
The manpage is changed accordingly.

Best Regards

-- 
Live Free or Die
--- ip6fw.c	2005-04-24 02:05:46.000000000 +0800
+++ ip6fw.c	2005-04-24 01:55:04.000000000 +0800
@@ -89,6 +89,7 @@
 int		do_time=0;			/* Show time stamps        */
 int		do_quiet=0;			/* Be quiet in add and flush  */
 int		do_force=0;			/* Don't ask for confirmation */
+int		do_test=0;			/* Don't load into Kernel */
 
 struct icmpcode {
 	int		 code;
@@ -778,10 +779,13 @@
 	/* Rule number */
 	while (ac && isdigit(**av)) {
 		rule.fw_number = atoi(*av); av++; ac--;
-		if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL,
-			       &rule, sizeof(rule)) < 0) {
-			exitval = 1;
-			warn("rule %u: setsockopt(IPV6_FW_DEL)", rule.fw_number);
+		if (!do_test) {
+			if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_DEL,
+				       &rule, sizeof(rule)) < 0) {
+				exitval = 1;
+				warn("rule %u: setsockopt(IPV6_FW_DEL)",
+				     rule.fw_number);
+			}
 		}
 	}
 	if (exitval != 0)
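Review bot: With `-n` documented as a syntax check, the rule-number parse at the top of this loop still accepts any argument whose first character is a digit, because `isdigit(**av)` tests one character and `atoi` ignores trailing text, so an argument such as `12abc` passes the dry run as rule 12. Parsing with `strtoul(*av, &end, 10)` and rejecting the argument when `*end != '\0'` (through `show_usage`, as the zero code does for non-numeric input) would let the test mode catch a mistyped rule number before a real run deletes the wrong rule. The same `isdigit`/`atoi` pair appears in the per-rule zero hunk (`@@ -1135`). The enclosing function starts and ends outside this hunk.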
@@ -1111,8 +1115,11 @@
 
 	if (!do_quiet)
 		show_ip6fw(&rule);
-	if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD, &rule, sizeof rule) < 0)
-		err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ADD)");
+	if (!do_test) {
+		if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_ADD,
+			       &rule, sizeof rule) < 0)
+			err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ADD)");
+	}
 }
 
 static void
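Review bot: In test mode without `-q`, `show_ip6fw(&rule)` prints the rule exactly as a real add does and nothing follows to say it was not loaded, whereas the zero and flush hunks print "Accounting not cleared." and "Rules not flushed." for the same case. For a firewall tool this matters, because an operator reading the output could take the rule as active when the kernel never received it. Consider adding `else if (!do_quiet) printf("Rule not loaded.\n");` after the `if (!do_test)` block. The function this hunk closes begins outside the hunk.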
@@ -1122,10 +1129,14 @@
 
 	if (!ac) {
 		/* clear all entries */
-		if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
-			err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ZERO)");
-		if (!do_quiet)
-			printf("Accounting cleared.\n");
+		if (!do_test) {
+			if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_ZERO,NULL,0)<0)
+				err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_ZERO)");
+			if (!do_quiet)
+				printf("Accounting cleared.\n");
+		} else if (!do_quiet) {
+			printf("Accounting not cleared.\n");
+		}
 	} else {
 		struct ip6_fw rule;
 		int failed = 0;
@@ -1135,13 +1146,19 @@
 			/* Rule number */
 			if (isdigit(**av)) {
 				rule.fw_number = atoi(*av); av++; ac--;
-				if (setsockopt(s, IPPROTO_IPV6,
-				    IPV6_FW_ZERO, &rule, sizeof rule)) {
-					warn("rule %u: setsockopt(IPV6_FW_ZERO)", rule.fw_number);
-					failed = 1;
-				} else if (!do_quiet)
-					printf("Entry %d cleared\n",
-					    rule.fw_number);
+				if (!do_test) {
+					if (setsockopt(s, IPPROTO_IPV6,
+					    IPV6_FW_ZERO, &rule, sizeof rule)) {
+						warn("rule %u: setsockopt(IPV6_FW_ZERO)", rule.fw_number);
+						failed = 1;
+					} else if (!do_quiet) {
+						printf("Entry %d cleared\n",
+						       rule.fw_number);
+					}
+				} else if (!do_quiet) {
+					printf("Entry %d not cleared\n",
+					       rule.fw_number);
+				}
 			} else
 				show_usage("invalid rule number ``%s''", *av);
 		}
@@ -1165,7 +1182,7 @@
 	/* Set the force flag for non-interactive processes */
 	do_force = !isatty(STDIN_FILENO);
 
-	while ((ch = getopt(ac, av ,"afqtN")) != -1)
+	while ((ch = getopt(ac, av ,"afnqtN")) != -1)
 	switch(ch) {
 		case 'a':
 			do_acct=1;
@@ -1173,6 +1190,9 @@
 		case 'f':
 			do_force=1;
 			break;
+		case 'n':
+			do_test=1;
+			break;
 		case 'q':
 			do_quiet=1;
 			break;
@@ -1217,10 +1237,17 @@
 				do_flush = 1;
 		}
 		if ( do_flush ) {
-			if (setsockopt(s,IPPROTO_IPV6,IPV6_FW_FLUSH,NULL,0) < 0)
-				err(EX_UNAVAILABLE, "setsockopt(IPV6_FW_FLUSH)");
-			if (!do_quiet)
-				printf("Flushed all rules.\n");
+			if (!do_test) {
+				if (setsockopt(s, IPPROTO_IPV6, IPV6_FW_FLUSH,
+					       NULL, 0) < 0) {
+					err(EX_UNAVAILABLE,
+					    "setsockopt(IPV6_FW_FLUSH)");
+				}
+				if (!do_quiet)
+					printf("Flushed all rules.\n");
+			} else if (!do_quiet) {
+				printf("Rules not flushed.\n");
+			}
 		}
 	} else if (!strncmp(*av, "zero", strlen(*av))) {
 		zero(ac,av);
@@ -1244,8 +1271,8 @@
 #define	WHITESP		" \t\f\v\n\r"
 	char	buf[BUFSIZ];
 	char	*a, *p, *args[MAX_ARGS], *cmd = NULL;
-	char	linename[10], q_opt[3];
-	int 	i, c, lineno, qflag, pflag, status;
+	char	linename[10], q_opt[3], n_opt[3];
+	int 	i, c, lineno, nflag, qflag, pflag, status;
 	FILE	*f = NULL;
 	pid_t	preproc = 0;
 
@@ -1261,11 +1288,12 @@
 	 */
 
 	strcpy(q_opt, "-q");
+	strcpy(n_opt, "-n");
 	if (ac > 1 && av[ac - 1][0] == '/' && access(av[ac - 1], R_OK) == 0) {
-		qflag = pflag = i = 0;
+		nflag = qflag = pflag = i = 0;
 		lineno = 0;
 
-		while ((c = getopt(ac, av, "D:U:p:q")) != -1)
+		while ((c = getopt(ac, av, "D:U:np:q")) != -1)
 			switch(c) {
 			case 'D':
 				if (!pflag)
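Review bot: `strcpy(n_opt, "-n")` fills a buffer whose size (`char n_opt[3]`) is declared in the previous hunk, so the bound holds only as long as the two places stay in sync. Initialising at the declaration, `char n_opt[] = "-n";`, lets the compiler size the array from the literal and removes the unbounded copy; the existing `q_opt` could take the same form. The enclosing function begins and ends outside this hunk.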
@@ -1287,6 +1315,10 @@
 				args[i++] = optarg;
 				break;
 
+			case 'n':
+				nflag = 1;
+				break;
+
 			case 'p':
 				pflag = 1;
 				cmd = optarg;
@@ -1360,6 +1392,8 @@
 			i=1;
 			if (qflag)
 				args[i++] = q_opt;
+			if (nflag)
+				args[i++] = n_opt;
 			for (a = strtok(buf, WHITESP);
 			    a && i < MAX_ARGS; a = strtok(NULL, WHITESP), i++)
 				args[i] = a;
Index: ip6fw.8
===================================================================
RCS file: /opt/df_cvs/src/sbin/ip6fw/ip6fw.8,v
retrieving revision 1.3
diff -u -r1.3 ip6fw.8
--- ip6fw.8	8 Aug 2003 04:18:38 -0000	1.3
+++ ip6fw.8	23 Apr 2005 10:13:29 -0000
@@ -39,7 +39,7 @@
 .Nd controlling utility for IPv6 firewall
 .Sh SYNOPSIS
 .Nm
-.Op Fl q
+.Op Fl nq
 .Oo
 .Fl p Ar preproc
 .Oo Fl D
@@ -49,13 +49,15 @@
 .Oc
 .Ar pathname
 .Nm
+.Op Fl n
 .Op Fl f | Fl q
 flush
 .Nm
-.Op Fl q
+.Op Fl nq
 zero
 .Op Ar number ...
 .Nm
+.Op Fl n
 delete
 .Ar number ...
 .Nm
@@ -67,7 +69,7 @@
 show
 .Op Ar number ...
 .Nm
-.Op Fl q
+.Op Fl nq
 add
 .Op Ar number
 .Ar action
@@ -182,6 +184,9 @@
 (ie; flush).
 .Ar Note ,
 if there is no tty associated with the process, this is implied.
+.It Fl n
+Only check syntax of the command strings,
+without actually passing them into the kernel.
 .It Fl q
 While adding, zeroing or flushing, be quiet about actions (implies '-f').
 This is useful for adjusting rules by executing multiple ip6fw commands in a



