got \"%s\"\n", *argv); exit (1); } if (*argv == NULL) { if (do_setsockopt (kind == IPF_BLOCKING ? "checkblocking" : "checkforwarding", socket_fd, IPPROTO_IP, kind == IPF_BLOCKING ? IP_FW_CHK_BLK : IP_FW_CHK_FWD, packet, sizeof (struct iphdr) + sizeof (struct tcphdr), EACCES ) == 0 ) { printf ("packet accepted by %s firewall\n", kind == IPF_BLOCKING ? "blocking" : "forwarding"); } else { printf ("packet rejected by %s firewall\n", kind == IPF_BLOCKING ? "blocking" : "forwarding"); } return; } else { fprintf (stderr, "ipfirewall: extra parameters at end of command ("); show_parms (argv); fprintf (stderr, ")\n"); exit (1); } }

/**
 * Print the one-line usage message for an "add<kind>" command to stderr.
 *
 * Also passed as the usage callback to get_protocol(), get_ipaddr() and
 * get_ports() from add(), so argument-parsing helpers can report the
 * command they were invoked for.
 *
 * @param kind  rule kind; indexes ipf_names[] to build the command name.
 */
void add_usage (ipf_kind kind) { fprintf (stderr, "usage: ipfirewall add%s ...\n", ipf_names[kind]); }

/**
 * Parse an "add<kind>" command line and install the resulting rule.
 *
 * Command shape as parsed here: for kinds other than IPF_ACCOUNTING an
 * "accept" or "deny" keyword, then a protocol name, then
 * "from" <addr> [ports...] and "to" <addr> [ports...].  Port lists are
 * only read for TCP/UDP; a negative count from get_ports() denotes a
 * port range and sets IP_FW_F_SRNG / IP_FW_F_DRNG respectively.  The
 * assembled struct ip_fw is handed to the kernel with do_setsockopt()
 * using ipf_addfunc[kind].  Any parse error prints a diagnostic and
 * calls exit(1); the function does not return an error code.
 *
 * @param kind       rule kind (IPF_ACCOUNTING takes no accept/deny word).
 * @param socket_fd  socket used for the setsockopt call.
 * @param argv       NULL-terminated argument list positioned at the
 *                   first word after the command name.
 */
void add (ipf_kind kind, int socket_fd, char **argv) { int protocol, accept_firewall, src_range, dst_range; struct ip_fw firewall; /* NOTE(review): not zero-initialised; members this function never assigns (e.g. ports[] entries beyond n_src_p + n_dst_p) are passed to the kernel with indeterminate contents -- consider "= {0}" */ char *proto_name; printf ("add%s ", ipf_names[kind]); show_parms (argv); printf ("\n"); if (kind != IPF_ACCOUNTING) { if (*argv == NULL) { fprintf (stderr, "ipfirewall: missing \"accept\" or \"deny\" keyword\n"); exit (1); } if (strcmp (*argv, "deny") == 0) { accept_firewall = 0; } else if (strcmp (*argv, "accept") == 0) { accept_firewall = IP_FW_F_ACCEPT; } else { fprintf (stderr, "ipfirewall: expected \"accept\" or \"deny\", got \"%s\"\n", *argv); exit (1); } argv += 1; } else accept_firewall = 0; /* accounting rules carry no accept/deny flag */ proto_name = *argv++; protocol = get_protocol (proto_name, add_usage, kind); if (*argv == NULL) { fprintf (stderr, "ipfirewall: missing \"from\" keyword\n"); exit (1); } if (strcmp (*argv, "from") == 0) { argv++; get_ipaddr (*argv++, &firewall.src, &firewall.src_mask, add_usage, kind); if (protocol == IP_FW_F_TCP || protocol == IP_FW_F_UDP) { int cnt; cnt = get_ports (&argv, &firewall.ports[0], 0, IP_FW_MAX_PORTS, add_usage, kind, proto_name); if (cnt < 0) { src_range = IP_FW_F_SRNG; cnt = -cnt; } else { src_range = 0; } firewall.n_src_p = cnt; } else { firewall.n_src_p = 0; src_range = 0; } } else { fprintf (stderr, 
"ipfirewall: expected \"from\", got \"%s\"\n", *argv); exit (1); } if (*argv == NULL) { fprintf (stderr, "ipfirewall: missing \"to\" keyword\n"); exit (1); } if (strcmp (*argv, "to") == 0) { argv++; get_ipaddr (*argv++, &firewall.dst, &firewall.dst_mask, add_usage, kind); if (protocol == IP_FW_F_TCP || protocol == IP_FW_F_UDP) { int cnt; cnt = get_ports (&argv, &firewall.ports[firewall.n_src_p], 0, IP_FW_MAX_PORTS - firewall.n_src_p, add_usage, kind, proto_name); if (cnt < 0) { dst_range = IP_FW_F_DRNG; cnt = -cnt; } else { dst_range = 0; } firewall.n_dst_p = cnt; } else { firewall.n_dst_p = 0; dst_range = 0; } } else { fprintf (stderr, "ipfirewall: expected \"to\", got \"%s\"\n", *argv); exit (1); } if (*argv == NULL) { firewall.flags = protocol | accept_firewall | src_range | dst_range; (void) do_setsockopt (ipf_names[kind], socket_fd, IPPROTO_IP, ipf_addfunc[kind], &firewall, sizeof (firewall), 0 ); } else { fprintf (stderr, "ipfire