proposed ipfw2 patch

Luigi Rizzo rizzo at icir.org
Mon Sep 15 03:54:05 PDT 2003 

Hi,
the following code implements a '-b'
flag for ipfw so that it only prints rule numbers, counters,
action and comment -- basically it skips the body of the rule,
which can be extremely long if you use extensively address lists or sets.
In these cases, a comment might prove more useful to read.

I believe we do not have time to put this in 4.9 but maybe someone
will find it useful.

	cheers
	luigi

Index: ipfw2.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw2.c,v
retrieving revision 1.4.2.18
diff -u -r1.4.2.18 ipfw2.c
--- ipfw2.c	15 Sep 2003 10:27:03 -0000	1.4.2.18
+++ ipfw2.c	15 Sep 2003 10:48:02 -0000
@@ -65,6 +65,7 @@
 		do_compact,		/* show rules in compact mode */
 		show_sets,		/* display rule sets */
 		test_only,		/* only check syntax */
+		comment_only,		/* only print action and comment */
 		verbose;
 
 #define	IP_MASK_ALL	0xffffffff
@@ -850,6 +851,8 @@
 static void
 show_prerequisites(int *flags, int want, int cmd)
 {
+	if (comment_only)
+		return;
 	if ( (*flags & HAVE_IP) == HAVE_IP)
 		*flags |= HAVE_OPTIONS;
 
@@ -880,7 +883,7 @@
 	static int twidth = 0;
 	int l;
 	ipfw_insn *cmd;
-	char *comment = NULL;	/* ptr to comment if we have one */
+	const char * comment = NULL;	/* ptr to comment if we have one */
 	int proto = 0;		/* default */
 	int flags = 0;	/* prerequisites */
 	ipfw_insn_log *logptr = NULL; /* set if we find an O_LOG */
@@ -1030,11 +1033,21 @@
 		flags |= HAVE_IP | HAVE_OPTIONS;
 	}
 
+	if (comment_only)
+		comment = "...";
+
         for (l = rule->act_ofs, cmd = rule->cmd ;
 			l > 0 ; l -= F_LEN(cmd) , cmd += F_LEN(cmd)) {
 		/* useful alias */
 		ipfw_insn_u32 *cmd32 = (ipfw_insn_u32 *)cmd;
 
+		if (comment_only) {
+			if (cmd->opcode != O_NOP)
+				continue;
+			printf(" // %s\n", (char *)(cmd + 1));
+			return;
+		}
+
 		show_prerequisites(&flags, 0, cmd->opcode);
 
 		switch(cmd->opcode) {
@@ -3682,10 +3695,15 @@
 	save_av = av;
 
 	optind = optreset = 0;
-	while ((ch = getopt(ac, av, "acdefhnNqs:STtv")) != -1)
+	while ((ch = getopt(ac, av, "abcdefhnNqs:STtv")) != -1)
 		switch (ch) {
 		case 'a':
 			do_acct = 1;
+			break;
+
+		case 'b':
+			comment_only = 1;
+			do_compact = 1;
 			break;
 
 		case 'c':

More information about the freebsd-ipfw mailing list